Pass the decrypted mTLS client certificate key to Elastic Defend

[AndersonQ]

Elastic Defend currently does not support passphrase-protected private keys for mTLS communication with Fleet Server. To enable secure communication between Elastic Defend and Fleet Server when using passphrase-protected keys, the elastic-agent should decrypt the private key and pass the decrypted key to Elastic Defend. This should be done without requiring Elastic Defend to implement support for passphrase handling. Instead, leverage the existing fleet.ssl.* configuration block within Elastic Defend to provide the decrypted key directly. They are following the Filebeat ssl configuration as a spec: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#client-key

Acceptance Criteria:

• The Elastic Agent injects the decrypted private key into the fleet.ssl.key configuration setting within Elastic Defend's configuration.
• Unit tests verify that the decrypted key is correctly injected into the Elastic Defend configuration.
  • extend the TestEndpointSignedComponentModifier to include a check for the mTLS client certificate key decryption.
• Integration tests: Out of scope for this ticket as it's require Improve test proxy/mock fleet server to proxy HTTPS connections #4903 to be done first.

Additional Notes:

• This issue is blocked until Add support for CLI flag for mTLS client certificate key passphrase #5489 is completed.

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[cmacknz]

FYI @nfritts, no work from endpoint should be required here since it appears that endpoint already accepts client certificates and keys for mTLS.