
[Feature Request] Security plugin integration for grpc-transport plugin  #16905

@finnegancarroll

Is your feature request related to a problem? Please describe

Implement security features and integrate with the OpenSearch security plugin for production readiness of the experimental gRPC transport. It should be the case that security settings for the existing http transport map cleanly onto the newly introduced grpc-transport, providing configurable TLS for this new transport implementation.

Security Requirements

TLS/Certificate Management

  • Enable selection of an experimental-secure-transport-grpc aux transport type from the transport-grpc plugin.
  • Provide a distinct namespace for aux transport security settings within the security plugin.
    In keeping with previous transport settings: https://opensearch.org/docs/latest/security/configuration/tls/
    Aux transports should have keystore and truststore configurable under the plugins.security.ssl.aux prefix.
  • Allow users to enable experimental-secure-transport-grpc SSL only TLS.
  • Enable experimental-secure-transport-grpc handling of pemkey/keystore configurations from security plugin.
  • Enable experimental-secure-transport-grpc handling of pemtrust/truststore configurations from security plugin.

Reach goals:

  • Enable hot reloading of SSL context/engine for aux transports.
  • Enable separate client/server role configurations for aux transports which plan to make node-to-node requests.

Roadmap

Authentication/Authorization

*Authorization is not covered by this issue and will need to be handled in a follow-up when the API structure is known for this plugin.*

Related component

Plugins

Describe alternatives you've considered

Leaving the grpc-transport unsecured.

Additional context

No response
