As a user of SDP I want the traffic between OpenPolicyAgent (OPA) and its clients to be encrypted.
Value
We want the SDP platform to be as secure as possible by default and design. In addition, this will be a requirement of the Cyber Resilience Act.
Therefore, as many transport connections as possible should be encrypted.
This will also lead to fewer explanations and exceptions with customers where we have to explain any unencrypted connection.
Dependencies
This requires the Secret Operator to provide the necessary certificates for OPA itself, and all authorizers communicating with OPA will need a CA bundle to verify the connection and the server certificate.
Tasks
Connections to OPA are encrypted using TLS (by default if possible; disabling should be a conscious decision)
All authorizers verify the authenticity of the server certificate
(Information Security) Risk Assessment
This will strictly make our product more secure and help us with regulations such as the Cyber Resilience Act.
Release Notes
Traffic between OpenPolicyAgent (OPA) and clients is now encrypted using TLS with the support of our secret-operator.
Clients (our authorizers) verify the authenticity of the server certificates.
Remarks
See the OPA docs on this and read them prior to implementing anything.