  1. OpenShift GitOps
  2. GITOPS-3918

Use reencrypt on the default Argo CD instance


    • Reencrypt TLS on default instance

      Epic Goal

      Be specific about TLS termination for the default Argo CD instance that we ship with the GitOps operator.

      The default instance currently uses passthrough when you don’t set a value, and we would like to start setting `reencrypt` for customers on the default instance.

      Why is this important?

      • Good security practice
      • The current behaviour surprises users who have set up OCP to use their own custom CA for signing: they end up with a self-signed cert on their default Argo CD instance that they were not expecting.

      Scenarios

      1. See customer description of issue on the original RFE: https://issues.redhat.com/browse/RFE-4045

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement:
      • Let CEE folks know that this change is happening
      • The default Argo CD instance that we ship with the GitOps operator sets the route TLS termination to `reencrypt`
      • When the default OCP ingress router cert has been changed, TLS connections to the default Argo CD instance should receive the configured OCP ingress router cert instead of the self-signed Argo CD cert
      • Documentation covering the default Argo CD instance mentions that we set the TLS termination to `reencrypt` from whichever version this is released in

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

            cbanavik Chetan Banavikalmutt
            halawren@redhat.com Harriet Lawrence