This repository was archived by the owner on Jul 26, 2025. It is now read-only.

Create a system for managing allowed cleartext connections #534

@boswelja


It's relatively common for users of TrueNAS to just never set up any HTTPS certificates, which means they continue to use the default, untrusted certificate. We need to set up a mechanism for allowing users to connect to these instances.

Since the app is likely dealing with sensitive data, we need to be pretty careful here. The system should NOT allow ANY cleartext traffic that hasn't previously been authorized.

To keep the relative scope of the issue down, this ticket should only include the logic behind the system, not any of the UI or hooks for user control (we can do this once we've got a solid system in place).

The scope of this ticket includes:

  • A new (core) module
  • A Ktor plugin that can block requests to hosts that are cleartext but are not permitted
    • Websocket support is a requirement (ws/wss)
    • HTTP support is optional, but a nice-to-have
  • A means of adding, listing and removing arbitrary hosts from the allowlist
    • The Ktor plugin should always use the updated list, meaning we don't need to create a whole new networking client when a host is added/removed
  • Tests to confirm the plugin behavior

To be decided:

  • If the user allows an insecure websocket connection, should that also allow insecure HTTP connections to the same host?
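
An added example (not code from this repository) of the plugin described in the scope list above, written against Ktor's `createClientPlugin` API. The names `CleartextAllowlist`, `CleartextGuard`, `CleartextBlockedException` and `buildClient` are hypothetical, a JVM/Android target is assumed, and the allowlist is keyed on host only, so an authorized host is authorized for both ws and http.

```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.plugins.api.createClientPlugin
import io.ktor.http.isSecure
import java.util.concurrent.ConcurrentHashMap

/** Hosts the user has explicitly authorized for cleartext traffic (hypothetical type). */
class CleartextAllowlist {
    // Concurrent set: the UI can add or remove hosts while requests are in flight.
    private val hosts: MutableSet<String> = ConcurrentHashMap.newKeySet()

    fun allow(host: String) { hosts += normalize(host) }
    fun revoke(host: String) { hosts -= normalize(host) }
    fun list(): Set<String> = hosts.toSet() // snapshot, safe to hand to callers
    fun isAllowed(host: String): Boolean = normalize(host) in hosts

    // Hostnames are case-insensitive, and a trailing dot names the same host in DNS.
    private fun normalize(host: String) = host.trim().trimEnd('.').lowercase()
}

class CleartextBlockedException(scheme: String, host: String) :
    IllegalStateException("Cleartext $scheme connection to $host has not been authorized")

class CleartextGuardConfig {
    // Default is an empty allowlist, so every cleartext request is blocked.
    var allowlist: CleartextAllowlist = CleartextAllowlist()
}

val CleartextGuard = createClientPlugin("CleartextGuard", ::CleartextGuardConfig) {
    val allowlist = pluginConfig.allowlist
    onRequest { request, _ ->
        // WebSocket handshakes are built as client requests, so ws:// URLs reach this hook too.
        val protocol = request.url.protocol
        val host = request.url.host
        // isSecure() is true only for https and wss; everything else counts as cleartext.
        // The allowlist is read on every request, so changes apply to the existing client.
        if (!protocol.isSecure() && !allowlist.isAllowed(host)) {
            throw CleartextBlockedException(protocol.name, host)
        }
    }
}

/** Builds one long-lived client that shares the caller's allowlist instance. */
fun buildClient(shared: CleartextAllowlist): HttpClient = HttpClient {
    install(CleartextGuard) { allowlist = shared }
}
```

Because the plugin holds a reference to the shared `CleartextAllowlist` rather than a copy, calling `allow` or `revoke` takes effect on the next request without rebuilding the client.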
