Decision: TLS Support

[labrenbe]

Description

The security plugin for OpenSearch allows configuring TLS on internal communication (transport) and on the REST API (http).
TLS for the internal communication should always be enabled as this enables mTLS between OpenSearch nodes and increases security significantly. TLS on the REST API can be made optional.

Part of #55.

Option 1: Follow the naming in other operators (e.g. Kafka, NiFi)

spec:
  clusterConfig:
    tls:
      serverSecretClass: tls # optional
      internalSecretClass: opensearch-internal-tls

The actual CRD would look like this:

clusterConfig:
  default:
    tls:
      serverSecretClass: tls
      internalSecretClass: tls
  properties:
    tls:
      default:
        serverSecretClass: tls
        internalSecretClass: tls
      properties:
        serverSecretClass:
          default: tls
          maxLength: 253
          minLength: 1
          nullable: true
          type: string
        internalSecretClass:
          default: tls
          maxLength: 253
          minLength: 1
          type: string
      type: object

Option 2: Follow the OpenSearch naming for exposed ports

spec:
  clusterConfig:
    tls:
      httpSecretClass: tls # optional
      transportSecretClass: opensearch-transport-tls

The actual CRD would look like this:

clusterConfig:
  default:
    tls:
      httpSecretClass: tls
      transportSecretClass: tls
  properties:
    tls:
      default:
        httpSecretClass: tls
        transportSecretClass: tls
      properties:
        httpSecretClass:
          default: tls
          maxLength: 253
          minLength: 1
          nullable: true
          type: string
        transportSecretClass:
          default: tls
          maxLength: 253
          minLength: 1
          type: string
      type: object

[sbernauer]

Option 1 accepted in daily (if the names aren't perfect, we can later on change them across the platform)

[NickLarsenNZ]

Retroactive comment.

I tend to prefer using the products nomenclature, but their naming is terrible. Like they use "transport" to indicate the internal comms, but the term transport can apply to both.

As for option 1, I like that it mentions "internal" which makes far more sense than "transport". But then "server" for the other is just as confusing as "transport" in the other.

But we've now discussed it and chosen the best of a bad bunch of options.