Red Hat OpenStack Services on OpenShift / OSPRH-5895

TLS-E: Validate setting for tlsEnabled on the nodeset


      Right now, there are two settings to enable TLS-E - one on the control plane and one on the dataplane nodeset.  There is, however, no correlation between the two - which means that customers could potentially enable TLS-E on one side, but not the other.

      Note that we expect TLS-E to be enabled by default on both sides.

      We need some mechanism to validate that the two settings are consistent - that is, we want tlsEnabled to be set on the dataplane nodeset if and only if it is set on the control plane.

      We can retrieve the value of `OpenStackControlPlaneSpec.TLSSection.TLSIngressConfig.Enabled` and compare it with the value of `TLSEnabled` in the nodeset.
      A mismatch would lead to rejection of the nodeset.

      Discussion:

      A control plane will have to be selected: either by name, label, resource from the control plane, or field in the nodeset, otherwise defaulting to the namespace.

       

      PR:

      [-https://github.com/openstack-k8s-operators/openstack-operator/pull/853-]
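A sketch of the consistency check described above, as an added example; it is not the code from the linked PR or from the operator. The struct shapes, the `ControlPlaneName` selector field, the error names and the sample object names are assumptions, and rejecting the nodeset when no control plane can be selected is a policy choice made here, not one stated in the issue.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the operator's CRD types (assumed shapes, not the real API).
type ControlPlane struct {
	Name, Namespace   string
	TLSIngressEnabled bool // stands in for OpenStackControlPlaneSpec.TLSSection.TLSIngressConfig.Enabled
}
type NodeSet struct {
	Name, Namespace  string
	TLSEnabled       bool
	ControlPlaneName string // hypothetical selector; empty means "the control plane in my namespace"
}

var ErrNoControlPlane = errors.New("no matching control plane")
var ErrAmbiguous = errors.New("several control planes match, name one explicitly")

// selectControlPlane picks by explicit name, else the only control plane in the namespace.
func selectControlPlane(ns NodeSet, all []ControlPlane) (cp *ControlPlane, err error) {
	err = ErrNoControlPlane
	for i := range all {
		if all[i].Namespace != ns.Namespace || (ns.ControlPlaneName != "" && all[i].Name != ns.ControlPlaneName) {
			continue
		}
		if cp != nil {
			return nil, ErrAmbiguous
		}
		cp, err = &all[i], nil
	}
	return cp, err
}

// ValidateNodeSetTLS admits the nodeset iff TLSEnabled matches the control plane (assumed: fail closed).
func ValidateNodeSetTLS(ns NodeSet, all []ControlPlane) error {
	cp, err := selectControlPlane(ns, all)
	if err != nil {
		return fmt.Errorf("nodeset %s/%s rejected: %w", ns.Namespace, ns.Name, err)
	}
	if cp.TLSIngressEnabled != ns.TLSEnabled {
		return fmt.Errorf("nodeset %s/%s rejected: tlsEnabled=%t, control plane %q has %t",
			ns.Namespace, ns.Name, ns.TLSEnabled, cp.Name, cp.TLSIngressEnabled)
	}
	return nil
}

// Constructed sample: no control plane exists, so the nodeset is rejected.
func main() { fmt.Println(ValidateNodeSetTLS(NodeSet{Name: "edpm", Namespace: "openstack"}, nil)) }
```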

              jpodivin@redhat.com Jiri Podivin
              rhn-gps-alee Ade Lee
              rhos-dfg-df