TLS Enabled by Default (CRDs)

[NickLarsenNZ]

There is a general consensus within the team that TLS should be enabled by default. This was discussed at the February 2024 on-site.

Issues with the current TLS structure:

• TLS is disabled by default
  We want it enabled by default, and it will soon become a requirement under the CRA.
  See: Tls struct
• Confusion
  There is too much confusion around what specifying null means (TLS disabled, or TLS default, which happens to currently be disabled. There shouldn't be so much guesswork, and the suggestion of adding an explicit enabled flag came up (which defaults to true).
  See the comment Cloudflare left on their similar piece of code

Note

I have written the following as if it's all agreed on, but maybe there is still need for discussion.

There will be breaking changes for two reasons:

• The default will change from TLS off to TLS on (trusting WbPKI by default)
• The structure will change, at least by adding an enabled flag, leading to other structural changes for it to make sense.

Epic Checklist

Beta Give feedback

1. Has a title and brief description
2. Is split into tasks which themselves don't have to be refined yet. It is not necessary to already create all issues but an Epic should always have a concrete next step that can be done. Each task should take about one week of work at most

General tasks

Beta Give feedback

1. CRD changes made in operator-rs to add an enabled flag
2. User Info Fetcher: Enable TLS with WebPKI trust by default opa-operator#517
   +0
3. Enable only TLS >=1.2 and disable weak ciphers by default

Product specific tasks

Beta Give feedback

1. Airflow
2. Druid
3. HBase
4. Hadoop HDFS
5. Hive
6. Kafka
7. NiFi
8. Spark
9. Superset
10. Trino
11. ZooKeeper
12. Commons
13. Listener
14. OPA
15. Secret
16. EDC
17. Hello World