implement an admission webhook server

[hbagdi]

Co-authored-by: Christopher M. Luciano cmluciano@isovalent.com

What type of PR is this?

/kind feature
What this PR does / why we need it:

This PR introduces a new admission webhook server that will be used for advanced validation functionality.
Which issue(s) this PR fixes:

Fixes #349

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hbagdi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [hbagdi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hbagdi]

The scope of this PR is to get this merged into mainline and then work on documentation, otherwise the scope of this work keeps on increasing and it gets very hard to actually land in the mainline. I had to invest significant amount of time reworking major area over #506 to get this working again.

How can a reviewer test this out?

Bad HTTPRoute: https://gist.github.com/hbagdi/b7d7cfde79610133846edf2644530e6c, create a local file out of the gist.

make crd
kubectl apply -f admission_webhook.yaml
kubectl apply -f certificate_config.yaml 
# you might have to restart the admission-server pod sometimes, the ordering is not there yet
kubectl apply -f path/to/bad-httproute.yaml
# this should show the right error, if you get an error for TLS, make sure the jobs in gateway-api namespace are completed and restart the server pod

[robscott]

This is very cool, thanks for all the work on this @hbagdi and @cmluciano! Excited to see this getting so close.

[robscott]

Tested this out in a new cluster and it worked flawlessly, nicely done!

[hbagdi]

@cmluciano @robscott I simplified the code to make the behavior across Create and Update operation exactly same. I don't think we have a case (yet) that requires validation to be different for update and create. Does that feel right?

@bowei @danehans Since this is an initial PR for some code that is going to grow in future, can you also review this?

[robscott]

LGTM, adding a hold until we can get an official image published.

/hold

[hbagdi]

@robscott I removed the docker image reference to TODO.
I considered adding in a comment or some documentation around 'this is still a work in progress' but couldn't find a suitable place for it.
Since we don't document the webhook server anywhere, I don't expect any users to run into it. Some contributors to this project might run into it and that would be a good place to have more conversations and seek contribution.

I'm open to adding more here if necessary.
If we can get another review and get this merged in, that would be helpful.

[robscott]

Thanks @hbagdi! I think this is good to go no so we can unblock the follow up PRs. Removing the hold and will leave the final LGTM for @danehans.

/hold cancel

[robscott]

/cc @danehans

[danehans]

@hbagdi I think it would be helpful include an xref the issue/pr in this TODO comment. Is it #621?

[danehans]

Why a new line for the returned types?

[cmluciano]

One comment about testing v1beta1 submissions but otherwise lgtm. Thank you for carrying this forward :D

[cmluciano]

Do we still need to accept this if we use only setup webhook v1 validation

[hbagdi]

Updated to v1 only.

[danehans]

/lgtm