feat: tlspolicy enforced condition

[KevFan]

Description

Closes: #572

Add enforced condition for TLSPolicy. This is based on whether the underlying Issuer and Certificates are in a Ready state.

Verification

Happy path is integration tested but if you want to verify manually

• Checkout this branch
• Deploy

make local-setup

• Deploy policy

kubectl apply -n istio-system -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: istio-ingressgateway
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    hostname: '*.toys.io'
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: toys
        kind: Secret
    allowedRoutes:
      namespaces:
        from: All    
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: kuadrant.io/v1alpha1
kind: TLSPolicy
metadata:
  name: gw-tls
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: istio-ingressgateway
  issuerRef:
    group: cert-manager.io
    kind: Issuer
    name: selfsigned-issuer
EOF

• Check that the TLSPolicy has an enforced condition

kubectl get tlspolicy -A -o yaml | yq '.items[].status'

• Check that there is a new column for the enforced condition

kubectl get tlspolicy -A -o wide 

[maleck13]

Changes look good.
I am starting to wonder if we need an enforced status per listener though. Doesn't need to be part of this PR

[KevFan]

Not sure if this is what we want but there's no error if len(expectedCerificates) == 0 since this is already allowed at:

• kuadrant-operator/controllers/tlspolicy_certmanager_certificates.go

  Lines 115 to 119 in bca5130

  	err := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(i), l, gateway).ToAggregate()
  	if err != nil {
  	log.Info("Skipped a listener block: " + err.Error())
  	continue
  	}

• kuadrant-operator/controllers/tlspolicy_certmanager_certificates.go

  Lines 36 to 39 in bca5130

  	expectedCertificates := r.expectedCertificatesForGateway(ctx, gw.Gateway, tlsPolicy)
  	if err := r.createOrUpdateGatewayCertificates(ctx, expectedCertificates); err != nil {
  	return fmt.Errorf("error creating and updating expected certificates for gateway %v: %w", gw.Gateway.Name, err)
  	}

so I've kept it the same. In this case a TLSPolicy is still marked as enforced: true even if there are no Certificates created

[maleck13]

I think that is ok. If there are no expected certificates then we have done everything we can to enforce