@acme acme commented Oct 21, 2025

Change summary

Make --use-ssl default to true when creating backends to provide better security defaults.

Add a --no-use-ssl flag.

Update documentation and tests.

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

New Feature Submissions:

  • Does your submission pass tests?

Changes to Core Features:

  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run tests with your changes locally?

User Impact

  • What is the user impact of this change?

Are there any considerations that need to be addressed for release?

Well, it is a breaking change.

Make --use-ssl default to true when creating backends to provide better
security defaults.

Add a --no-use-ssl flag.

Update documentation and tests.
@acme acme requested a review from a team as a code owner October 21, 2025 12:37
@acme acme requested a review from philippschulte October 21, 2025 12:37
@kpfleming
Contributor

Unfortunately we can't make a change like this without labeling it as a breaking change, because it could break a customer's existing workflows which are not prepared for the new backend to have TLS enabled. While it would certainly be better, it's not a transparent change.

In addition we've had multiple internal discussions about the lack of consistency in this area, as the behavior is different when using the API directly, using the Control Panel, using the CLI, using the Terraform provider, etc. There will need to be a decision made about what the proper defaults should be across all of our interfaces before we can change the defaults in any of them. That's not a topic to be discussed and decided here, though :-)

@kpfleming
Contributor

Ahh, I see you did label this as a breaking change, so thank you for that. The rest of my comment still applies though - before we can deliver a change like this we'll need to be prepared with customer communications describing why it was necessary, and that will require coordination across the other customer-visible interfaces too.

@acme
Author

acme commented Oct 21, 2025

I considered renaming "ssl" to "tls" outside of scope for the pull request, but I'd like that too.

@acme
Author

acme commented Oct 21, 2025

This issue came up in a customer workshop.

Member

@philippschulte philippschulte left a comment


Thanks for the great work on this PR — the code changes look solid and everything is in good shape technically, so I'm approving this.

That said, we’ll need to hold off on merging for now. As noted, even though this change is clearly labeled as a breaking change (thank you for that!), it could still disrupt customer workflows that aren’t prepared for TLS to be enabled by default. While it's definitely a step in the right direction, it’s not a transparent change and requires broader coordination.

We’ve also had ongoing internal discussions about the lack of consistency across our interfaces — including the API, CLI, Control Panel, and Terraform provider. Before we change the default behavior in any one of them, we need a decision on what the defaults should be across all of them.

Finally, we’ll need to prepare customer communications explaining the rationale for this change, so we’re aligned across all customer-facing touchpoints.

Looking forward to getting this merged once those pieces are in place!
