Add TLS Termination options for COS and COS Lite in Terraform

[MichaelThamm]

Similar to:

• feat: COS Lite TF module TLS integrations #40
• feat: COS certificates integrations (e-2-e TLS) #60

We need to implement TLS termination for our TF product modules (COS and COS Lite). References to get you started:

• Add TLS relations to cos terraform module observability#273 (comment)
• COS Lite bundle TLS overlay
• TLS testing and bundles

Context

• https://charmhub.io/topics/security-with-x-509-certificates

Requirements

• Determine if we want to update use_tls to be internal_tls and/or external_tls/tls_termination

Issue description

Traefik can receive a cert from config or via relation (we need an identifier accessible by TF to know when traefik has a cert)
- We need a mechanism where Grafana trusts the CA that signed Traefik because we use ingress URL for datasource:

• Swap Traefik certificates relation with receive-ca-cert: ref.

unit_data grafana/0 grafana-source
{
  "alertmanager/0": {
    "in-scope": true,
    "data": {
      "egress-subnets": "10.152.183.217/32",
      "grafana_source_host": "https://192.168.88.12/tls-alertmanager",
      "ingress-address": "10.152.183.217",
      "private-address": "10.152.183.217"
    }
  }
}
{
  "loki/0": {
    "in-scope": true,
    "data": {
      "egress-subnets": "10.152.183.162/32",
      "grafana_source_host": "https://192.168.88.12/tls-loki-0",
      "ingress-address": "10.152.183.162",
      "private-address": "10.152.183.162"
    }
  }
}
{
  "prometheus/0": {
    "in-scope": true,
    "data": {
      "egress-subnets": "10.152.183.199/32",
      "grafana_source_host": "https://192.168.88.12/tls-prometheus-0",
      "ingress-address": "10.152.183.199",
      "private-address": "10.152.183.199"
    }
  }
}