This repository has been archived by the owner on Apr 4, 2023. It is now read-only.

Elasticsearch: auto-TLS via cert-manager #236

Open
munnerz opened this issue Feb 5, 2018 · 2 comments

Comments

@munnerz
Contributor

munnerz commented Feb 5, 2018

It should be possible to easily enable TLS on an Elasticsearch cluster.

Initially, an implementation that relies upon cert-manager for signing certificates in its simplest form (e.g. a Certificate resource is created per replica) will be the target:

API Changes

We will need to add a new field structure to elasticsearchclusters.spec.tls:

```yaml
kind: ElasticsearchCluster
metadata:
  name: my-staging-cluster
...
spec:
  tls:
    enabled: true
    issuerRef:
      name: my-staging-cluster-ca
      kind: Issuer
```

Initially, only the 'CA' based cert-manager issuer will be supported: https://github.com/jetstack/cert-manager/blob/master/docs/user-guides/ca-based-issuer.md
This may change in future once discussion around generalising the Certificate resource type has been resolved: cert-manager/cert-manager#265

Controller changes

navigator-controller will need updating to:

  1. generate a CA/signing keypair for each cluster
  2. create an Issuer to sign certificates from this CA
  3. pass the issuerRef as a CLI arg to each Pilot

Pilot changes

If TLS is enabled:

  1. create/retrieve Certificate resource for this pilot
  2. grab generated Secret resource containing keypair
  3. inject them into FS and appropriately configure node for serving

Open questions

  1. (may be more of a general cert-manager problem): should each Pilot be generating its own private key and then creating a CSR for this, instead of storing the private key in the k8s apiserver? This provides a stronger auth model. We'll need to investigate how we can make cert-manager support this.

  2. certificate rotation should be handled by Pilot too

  3. TLS requires x-pack. How do we more generally support x-pack only features in ES? ref Support X-Pack security #200

/kind feature
/cc @mattbates @wallrj
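Open question 1 above (the Pilot generating its own private key and submitting a CSR, rather than having the key stored in the apiserver) as an added illustration that is not navigator or cert-manager code: `NewPilotCSR` and `CheckCSR` are hypothetical names, the naming scheme (`<cluster>-<replica>` and `<cluster>.<namespace>.svc`) is assumed, and the signer-side check shows why this is the stronger model (proof of possession of the key plus an allow-list of names the replica may claim).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// NewPilotCSR (hypothetical, not navigator's) generates the replica's key on the
// Pilot and builds a CSR naming this replica and the cluster service, so only
// public material is ever handed to the CA issuer through the API server.
func NewPilotCSR(cluster, namespace string, replica int) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	host := fmt.Sprintf("%s-%d", cluster, replica)
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		DNSNames: []string{host, fmt.Sprintf("%s.%s.svc", cluster, namespace)},
	}, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckCSR is the signer-side gate: parse the CSR, verify its self-signature
// (proof the requester holds the key) and refuse names this replica may not claim.
func CheckCSR(csrPEM []byte, allowed map[string]bool) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM-encoded CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	for _, n := range csr.DNSNames {
		if !allowed[n] {
			return nil, fmt.Errorf("CSR requests disallowed name %q", n)
		}
	}
	return csr, nil
}
```

The returned key is meant to be written only to the Pilot's filesystem; only the CSR bytes would go into the Certificate request handled by cert-manager.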

@dippynark

@munnerz LGTM - except I don't think issuerRef should appear as a field on the ElasticsearchCluster resource as it leans towards a specific implementation. The tls stanza should only have an enabled field - perhaps an annotation would be the best way for users to set the method for certificate creation (e.g. cert-manager/self-signed) and the name of the Issuer to use/create if cert-manager is to be used.

@wallrj
Member

wallrj commented May 15, 2018

Part of: #362
