🐛 Description
ai-services endpoints are not SSL-encrypted by default. However, there is currently no enforcement that a valid SSL certificate — either a self-signed certificate or a user-provided custom certificate — is explicitly configured and validated before the service becomes operational.
As a result, deployments can run without any confirmed certificate management in place. In production environments, this is a security gap: the operator may be unaware that no certificate has been configured, leading to either unintended behavior or an unclear trust chain.
This issue requests that SSL certificate configuration be enforced as part of the bootstrap lifecycle, with a hard requirement to either supply a custom certificate or fall back to an auto-generated self-signed certificate.
✅ Expected Behavior
- During bootstrap configure, the operator must explicitly choose one of:
  - Custom certificate: provide a certificate/key pair via --ssl-cert and --ssl-key flags.
  - Self-signed certificate: auto-generated if no certificate is supplied, with the operator informed clearly (CN/SAN configurable).
- During bootstrap validate, the presence and basic validity of the configured certificate must be checked. If no certificate is found, the command must exit non-zero with a clear, actionable error message.
- Certificate status must be surfaced in application ps --runtime <runtime> -o wide output (e.g., a TLS column indicating custom, self-signed, or MISSING).
❌ Actual Behavior
- bootstrap configure and bootstrap validate complete successfully without any SSL certificate being configured.
- No warning or error is raised regarding missing or unconfirmed certificate configuration.
- There is no visibility into the current certificate status via application ps.
🔁 Steps to Reproduce
- Deploy ai-services without providing any SSL certificate.
- Run bootstrap and validate:
    ai-services bootstrap configure --runtime <runtime>
    ai-services bootstrap validate --runtime <runtime>
- Observe: both commands exit 0 with no certificate-related warnings or errors.
- Run:
    ai-services application ps --runtime <runtime> -o wide
- Observe: no TLS/certificate status is shown in the output.
🖥 Environment Info
- RHEL Version: [output of cat /etc/redhat-release]
- AI Services Version: [output of ai-services version]
🧪 Diagnostic Commands & Output
Please run the following commands and paste their output:
ai-services bootstrap configure --runtime <runtime>
ai-services bootstrap validate --runtime <runtime>
ai-services application ps --runtime <runtime> -o wide
📸 Screenshots / Logs
Attach pod logs or screenshots if available.
If reporting an issue for an unhealthy or misbehaving pod, attach logs for the specific pod(s):
ai-services application logs --pod <podName>
📎 Additional Context
Proposed Implementation
bootstrap configure
Add two optional flags:
| Flag | Description |
| --- | --- |
| --ssl-cert <path> | Path to a PEM-encoded certificate file |
| --ssl-key <path> | Path to the corresponding private key file |
If neither flag is provided, auto-generate a self-signed certificate (RSA 4096 / ECDSA P-256) and store it in the service's configuration directory. Log a clearly visible warning:
[WARN] No SSL certificate provided. A self-signed certificate has been generated.
For production use, supply a certificate via --ssl-cert / --ssl-key.
Certificate stored at: /etc/ai-services/tls/
bootstrap validate
Add a TLS certificate check that verifies:
- Certificate file exists and is readable.
- Certificate is not expired.
- Private key matches the certificate.
- SAN/CN matches the configured hostname (if deterministic at bootstrap time).
Exit non-zero and print a descriptive error if any check fails:
[ERROR] TLS validation failed: no certificate configured.
Run 'ai-services bootstrap configure --runtime <runtime> --ssl-cert <path> --ssl-key <path>'
or re-run without flags to generate a self-signed certificate.
application ps -o wide
Extend the wide output with a TLS column:
NAME        STATUS   RUNTIME  TLS
my-app      Running  spyre    custom
other-app   Running  cpu      self-signed
broken-app  Running  spyre    MISSING
Security Baseline
This change aligns with current security requirements where all service-to-service and client-to-service communication must be encrypted with a verifiable certificate — even in non-production environments where self-signed certificates are acceptable.