[Security] Check if druid.client.https.validateHostnames can be turned of

[sbernauer]

Affected version

nightly

Current and expected behavior

Currently we set druid.client.https.validateHostnames and druid.server.https.validateHostnames to false which imposes a security risk.
We should get rid of it.
Context:

druid-operator/rust/crd/src/security.rs

Lines 330 to 336 in d4477a5

	// This is required because the server will send its pod ip which is not in the SANs of the certificates
	// TODO TEST TEST TEST!
	// Awful!
	config.insert(
	Self::CLIENT_HTTPS_VALIDATE_HOST_NAMES.to_string(),
	Some("false".to_string()),
	);

Possible solution

No idea, needs testing

Additional context

No response

Environment

No response

Would you like to work on fixing this bug?

None

[maltesander]

We only know the Pod IP after the Pod has been created and the secrets are mounted already.

I do not see a "smart" workaround for this in the foreseeable future.

[sbernauer]

Maybe we can get the services to talk to each other via DNS names ;)

[lfrancke]

If only we had a solution for that...