There is a general consensus within the team that TLS should be enabled by default. This was discussed at the February 2024 on-site.
Issues with the current TLS structure:
TLS is disabled by default
We want it enabled by default, and it will soon become a requirement under the CRA.
See: Tls struct
Confusion
There is too much confusion around what specifying `null` means (TLS disabled, or TLS default, which happens to currently be disabled). There shouldn't be so much guesswork, and the suggestion of adding an explicit `enabled` flag came up (which defaults to true).
See the comment Cloudflare left on their similar piece of code
> [!NOTE]
> I have written the following as if it's all agreed on, but maybe there is still need for discussion.
There will be breaking changes for two reasons:
- The default will change from TLS off to TLS on (trusting WebPKI by default)
- The structure will change, at least by adding an `enabled` flag, leading to other structural changes for it to make sense.
### Epic Checklist
- [x] Has a title and brief description
- [ ] Is split into tasks which themselves don't have to be refined yet. It is not necessary to already create all issues but an Epic should always have a concrete next step that can be done. Each task should take about one week of work _at most_
### General tasks
- [ ] CRD changes made in operator-rs to add an `enabled` flag
- [ ] https://github.com/stackabletech/opa-operator/issues/517
- [ ] Enable only TLS >=1.2 and disable weak ciphers by default
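
A sketch of the proposed shape, added here as an illustration and not taken from operator-rs: all type, field and function names (`Tls`, `CaCert`, `MinVersion`, `from_legacy`, `resolve`) are hypothetical. It shows an omitted section resolving to TLS on with WebPKI trust and TLS >= 1.2, and a migration that keeps a legacy `null` working only by writing `enabled: false` explicitly.

```rust
// Hypothetical types for illustration; not the operator-rs definitions.
#[derive(Debug, Clone, PartialEq)]
pub enum CaCert {
    WebPki,              // trust the public WebPKI roots
    SecretClass(String), // trust a CA provided by a named secret class
}

#[derive(Debug, Clone, Copy, PartialEq, PartialOrd)]
pub enum MinVersion { Tls12, Tls13 }

// Proposed shape: an explicit flag, so nothing has to be guessed from `null`.
#[derive(Debug, Clone, PartialEq)]
pub struct Tls {
    pub enabled: bool,
    pub ca_cert: CaCert,
    pub min_version: MinVersion,
}

impl Default for Tls {
    // Omitted section => TLS on, WebPKI trust, TLS >= 1.2.
    fn default() -> Self {
        Tls { enabled: true, ca_cert: CaCert::WebPki, min_version: MinVersion::Tls12 }
    }
}

// Current shape: `None` (null in the CRD) silently means "TLS disabled".
pub type LegacyTls = Option<CaCert>;

// Migration that preserves a legacy object's behaviour by spelling it out.
pub fn from_legacy(legacy: LegacyTls) -> Tls {
    match legacy {
        None => Tls { enabled: false, ..Tls::default() },
        Some(ca_cert) => Tls { ca_cert, ..Tls::default() },
    }
}

// Resolve an optional section of the new shape: absent means the default.
pub fn resolve(section: Option<Tls>) -> Tls {
    section.unwrap_or_default()
}

fn main() {
    println!("legacy null  -> {:?}", from_legacy(None));
    println!("new, omitted -> {:?}", resolve(None));
}
```

With this shape, plaintext only results from an explicit `enabled: false`, which a reviewer or admission policy can search for.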