In certain cases, the status service needs to be usable over plaintext HTTP because certain load balancers are going to be difficult/impossible to configure to use SSL certs/keys that from Puppet's CA. However, our services typically talk HTTPS, and we want the status service to be exposed on the same jetty instance that the rest of the services are running on. To that end, we need a proxy service that is configured with either a base URL or host+port, and a SSL cert, key, and CA cert, which can be exposed over plain HTTP and which will make HTTPS to the normal jetty instance to get the status information and return it to the client.
This probably also needs to be limited in-scope to only proxying endpoints that are known to be safe to expose over plain HTTP (eg, the status endpoint(s)).
It probably makes sense for this to be a separate TK service entirely, since I imagine many use-cases of the status service don't want this behavior, and in-fact it's got the potential to be pretty dangerous if things go wrong (i.e., exposing data over HTTP), so it seems desirable to be able to disable it completely.
Risk Assessment: N/A; New Feature. Testing handled in