helm-charts
🫐 Allow to disable internal Operator CAs: `default`, and `external`
What would you like to be added?
We would like for the Redpanda cluster to only use our own CAs. However, we still want the operator to mount CA certs in the trust store of every listener, when using our self-signed issuer.
Why is this needed?
Better security posture.
I believe this is possible today and described in the docs: https://docs.redpanda.com/current/manage/kubernetes/security/tls/k-secrets/
If you believe there are missing parts here please let's discuss.
Can I do it without losing the truststore CA certs set per listener?
Oh boy, I think it is technically possible to make this setup work but IMO it really doesn't make sense to those familiar with PKI/TLS.
From what I'm gathering the `caEnabled` field means "There is a `ca.crt` containing a PEM encoded CA for this certificate within the secret that's referenced by `secretRef`."

If you set `caEnabled` to true and point `secretRef` to a secret that contains `ca.crt`, `tls.crt`, and `tls.key` you should be able to configure what you're looking for. Though there might be some issues with the client certs, I'm not 100% certain of that and I suspect that `caEnabled` might mean multiple things across the chart.
I think we could make this MUCH more clear if we removed `caEnabled` in favor of a CA `corev1.SecretRef`. For backwards compatibility, we can appropriately fill out the CA field if `caEnabled` is true.
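The setup described in the comment above, written out as an added example (not from the issue, the chart's docs, or the operator): a `kubernetes.io/tls` Secret that carries the customer-operated CA next to the leaf cert, referenced from the chart with `caEnabled` and `secretRef` for both the `default` and `external` certs. The value paths under `tls.certs.*`, the Secret names and the PEM contents are assumptions and placeholders, not values taken from this thread.

```yaml
# --- file 1: the Secret (constructed example) ---------------------------
# ca.crt must be the CA (plus any intermediates) that actually signed tls.crt,
# otherwise the truststore built from it will not validate the listener.
apiVersion: v1
kind: Secret
metadata:
  name: redpanda-default-cert      # assumed name, referenced below
  namespace: redpanda
type: kubernetes.io/tls
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: customer CA chain that signed tls.crt>
    -----END CERTIFICATE-----
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: broker leaf certificate>
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    <PLACEHOLDER: broker private key>
    -----END PRIVATE KEY-----
---
# --- file 2: values.yaml fragment for the chart (paths are assumptions) ----
tls:
  enabled: true
  certs:
    default:
      # No issuerRef: nothing here asks the chart for a self-signed issuer,
      # so no chart-generated CA is minted or mounted for this cert.
      caEnabled: true              # ca.crt exists in the Secret; use it for the truststore
      secretRef:
        name: redpanda-default-cert
    external:
      caEnabled: true
      secretRef:
        name: redpanda-external-cert   # assumed second Secret, same three keys
```

Before rolling this out, confirm each referenced Secret really has all three keys (`ca.crt`, `tls.crt`, `tls.key`); a Secret missing `ca.crt` with `caEnabled: true` is the mismatch the comment warns about.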
The main need with respect to truststores is that we can actually mount in redpanda a truststore per listener, populated with our (cloud) and customer-provided CA certs. While also being able to provide cert-manager issuer refs.
In other words, we like the convenience of being able to pass cert-manager CAs, but also want to be able to configure truststores in Redpanda AND do not want the operator installing its own CAs.