Clarify cli flags for TLS config for fleet-server, ES and the agent itself #5037

Closed
AndersonQ opened this issue Jul 2, 2024 · 2 comments · Fixed by #5048
Labels
documentation Improvements or additions to documentation Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@AndersonQ
Member

AndersonQ commented Jul 2, 2024

Describe the enhancement:

Clarify each cli flag used to configure TLS on the elastic agent install/enroll subcommand.

Describe a specific use case for the enhancement or feature:

The Elastic Agent can configure TLS for up to 4 different "connections":

  • for the Agent communicating with Fleet Server or a Proxy
  • for the Agent communicating with the Artifacts API
  • Fleet Server communicating with Elasticsearch
  • Fleet Server communicating with the Elastic Agent (when using mTLS)

The current wording for each cli flag isn't clear enough, as we see users mixing them up.
Especially the --certificate-authorities and --ca-sha256, as they do not have a prefix referring to their use such as --fleet-server-es-ca and others do.

What is the definition of done?

The help for the enroll flags clearly states which service will use the setting and for what, with no more cases like:

--fleet-server-es-ca string      Path to certificate authority to use with communicate with elasticsearch

where the user needs to join the cli flag itself with its description to understand that --fleet-server-es-ca is the path to the certificate authority for Fleet Server to use to communicate with Elasticsearch.

Proposed new messages:

--fleet-server-es     Start and run a Fleet Server alongside this Elastic Agent connecting to the provided Elasticsearch
--fleet-server-es-ca     Path to certificate authority for Fleet Server to use to communicate with Elasticsearch
--fleet-server-es-ca-trusted-fingerprint     Elasticsearch certificate authority's SHA256 fingerprint for Fleet Server to use
--fleet-server-es-insecure     Disables validation of Elasticsearch certificates for Fleet Server
--fleet-server-es-cert     Client certificate for Fleet Server to use when connecting to Elasticsearch
--fleet-server-es-cert-key     Client private key for Fleet Server to use when connecting to Elasticsearch
--fleet-server-service-token     Service token for Fleet Server to use for communication with Elasticsearch
--fleet-server-service-token-path     Filepath for the service token secret file used by Fleet Server for communication with Elasticsearch
--fleet-server-cert     Certificate for Fleet Server to use for exposed HTTPS endpoint
--fleet-server-cert-key     Private key for the certificate used by Fleet Server for exposed HTTPS endpoint
--fleet-server-cert-key-passphrase     Path for private key passphrase file used to decrypt Fleet Server certificate key
--fleet-server-client-auth     Fleet Server mTLS client authentication for connecting Elastic Agents. Must be one of [none, optional, required]
--header     Headers used by Fleet Server when communicating with Elasticsearch
--certificate-authorities     Comma-separated list of root certificates for server verification used by Elastic Agent and Fleet Server
--ca-sha256     Comma-separated list of certificate authority hash pins for server verification used by Elastic Agent and Fleet Server
--elastic-agent-cert     Elastic Agent client certificate to use with Fleet Server during mTLS authentication
--elastic-agent-cert-key     Elastic Agent client private key to use with Fleet Server during mTLS authentication
--insecure     Allow insecure connection made by the Elastic Agent. It's also required to use a Fleet Server on an HTTP endpoint
--staging     Configures Elastic Agent to download artifacts from a staging build
--proxy-url     Configures the proxy URL: when bootstrapping Fleet Server, it's the proxy used by Fleet Server to connect to Elasticsearch; when enrolling the Elastic Agent to Fleet Server, it's the proxy used by the Elastic Agent to connect to Fleet Server
--proxy-disabled     Disable proxy support including environment variables: when bootstrapping Fleet Server, it's the proxy used by Fleet Server to connect to Elasticsearch; when enrolling the Elastic Agent to Fleet Server, it's the proxy used by the Elastic Agent to connect to Fleet Server
--proxy-header     Proxy headers used with CONNECT request: when bootstrapping Fleet Server, it's the proxy used by Fleet Server to connect to Elasticsearch; when enrolling the Elastic Agent to Fleet Server, it's the proxy used by the Elastic Agent to connect to Fleet Server
--fleet-server-timeout     When bootstrapping Fleet Server, timeout waiting for Fleet Server to be ready to start enrollment
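As an added example (not code from this issue or from Elastic Agent), the Go lint below groups the enroll flags listed above by the connection they configure and warns about the mix-ups the issue describes. The grouping follows the proposed help text; the warning rules are this example's own assumptions, and the Artifacts API connection is left out because the page names no dedicated TLS flag for it.

```go
package main

import "fmt"

// Connection is one of the TLS "connections" the issue distinguishes.
type Connection string

const AgentToFleet Connection = "Elastic Agent -> Fleet Server (or proxy)"
const FleetToES Connection = "Fleet Server -> Elasticsearch"
const FleetToAgents Connection = "Fleet Server <- Elastic Agents (mTLS)"
// flagConnection maps each TLS flag from the issue to the connection it configures,
// following the proposed help text; the two unprefixed flags are the Agent's own.
var flagConnection = map[string]Connection{
	"--certificate-authorities": AgentToFleet, "--ca-sha256": AgentToFleet, "--insecure": AgentToFleet,
	"--elastic-agent-cert": AgentToFleet, "--elastic-agent-cert-key": AgentToFleet,
	"--fleet-server-es-ca": FleetToES, "--fleet-server-es-ca-trusted-fingerprint": FleetToES,
	"--fleet-server-es-insecure": FleetToES, "--fleet-server-es-cert": FleetToES, "--fleet-server-es-cert-key": FleetToES,
	"--fleet-server-cert": FleetToAgents, "--fleet-server-cert-key": FleetToAgents, "--fleet-server-client-auth": FleetToAgents,
}

// Lint groups enroll flags (name -> value) by connection and warns about the mix-ups
// the issue describes. The warning rules are this example's own, not the agent's code.
func Lint(flags map[string]string) (map[Connection][]string, []string) {
	byConn := map[Connection][]string{}
	var warns []string
	has := func(f string) bool { _, ok := flags[f]; return ok }
	for f := range flags {
		if c, ok := flagConnection[f]; ok {
			byConn[c] = append(byConn[c], f)
			// Fleet Server -> Elasticsearch flags only apply when bootstrapping Fleet Server.
			if c == FleetToES && !has("--fleet-server-es") {
				warns = append(warns, fmt.Sprintf("%s configures %s but --fleet-server-es is not set; "+
					"for the Agent's own connection use --certificate-authorities or --ca-sha256", f, c))
			}
		}
	}
	// A client or server certificate without its private key (or vice versa) is incomplete.
	for _, p := range [][2]string{{"--fleet-server-cert", "--fleet-server-cert-key"},
		{"--fleet-server-es-cert", "--fleet-server-es-cert-key"}, {"--elastic-agent-cert", "--elastic-agent-cert-key"}} {
		if has(p[0]) != has(p[1]) {
			warns = append(warns, p[0]+" and "+p[1]+" must be given together")
		}
	}
	// Disabling validation while also pinning a CA or fingerprint for the same connection is contradictory.
	if has("--fleet-server-es-insecure") && (has("--fleet-server-es-ca") || has("--fleet-server-es-ca-trusted-fingerprint")) {
		warns = append(warns, "--fleet-server-es-insecure disables validation, so the Fleet Server -> Elasticsearch CA or fingerprint is never checked")
	}
	return byConn, warns
}
```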

@AndersonQ AndersonQ added documentation Improvements or additions to documentation Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Jul 2, 2024
@elasticmachine
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@nimarezainia
Contributor

@pierrehilbert this doesn't seem like a huge lift, especially since Anderson has described it very well. Can we make this change to the cli helper in the next sprint?
