architecture for external network access to EOS, and use of X509 authn (server hostcert and key)
Similar to #74, we would need to inject host certs and keys as secrets into the MGM (and/or FST?) pods.
That being said, TLS is something normally handled by k8s ingress. And we will also need ingress anyway for external traffic to reach EOS in k8s. How is this normally done with EOS on k8s? @ebocchi
Standard k8s ingress only supports layer 7 (HTTP); I am not sure if HTTP TPC involves anything special that would preclude that from working. That being said, most k8s ingress implementations have extensions to support layer 4 TCP ingress (e.g. we use Traefik, which has IngressRouteTCP), which would be needed for xrootd.
The question then is if TLS termination on top of EOS would work, or does EOS need to know its own hostcert and key... I am not sure how this would fit together.
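
The two ingress-side options raised in the post above, written as Traefik `IngressRouteTCP` resources. This is an added example, not part of the original post and not configuration from the EOS project; the names `eos-mgm`, `eos`, `eos-https`, `eos.example.org` and `eos-hostcert`, and port 8443, are assumptions.

```yaml
# Added example. All names, the namespace, the entry point and the port are
# hypothetical. Apply option A or option B, not both.

# Option A: TLS passthrough. Traefik routes on the SNI in the ClientHello and
# forwards the encrypted stream untouched, so the MGM pod terminates TLS and
# must hold the hostcert and key itself (mounted from a Secret).
apiVersion: traefik.io/v1alpha1   # traefik.containo.us/v1alpha1 on older Traefik v2
kind: IngressRouteTCP
metadata:
  name: eos-mgm-passthrough
  namespace: eos
spec:
  entryPoints:
    - eos-https
  routes:
    - match: HostSNI(`eos.example.org`)
      services:
        - name: eos-mgm
          port: 8443
  tls:
    passthrough: true
---
# Option B: TLS terminated at Traefik. The hostcert and key live only in the
# Secret read by the ingress controller; the backend receives plain TCP.
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: eos-mgm-terminated
  namespace: eos
spec:
  entryPoints:
    - eos-https
  routes:
    - match: HostSNI(`eos.example.org`)
      services:
        - name: eos-mgm
          port: 8443
  tls:
    secretName: eos-hostcert   # kubernetes.io/tls Secret in the same namespace
```

With option B the backend never sees the client's TLS handshake, so any X509 client-certificate check would have to happen at Traefik rather than in EOS; whether EOS works behind a terminating proxy is the open question in the post above.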