Implement a validation webhook

In case some ingress have a syntax error in the snippet configuration,
the freshly generated configuration will not be reloaded to prevent tearing down existing rules.
Although, once inserted, this configuration is preventing from any other valid configuration to be inserted as it remains in the ingresses of the cluster.
To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of ingresses.
In case the generated configuration is not validated by nginx, deny the insertion of the ingress.

In case certificates are mounted using kubernetes secrets, when those
changes, keys are automatically updated in the container volume, and the
controller reloads it using the filewatcher.

Related changes:

- Update vendors
- Extract useful functions to check configuration with an additional ingress
- Update documentation for validating webhook
- Add validating webhook examples
- Add a metric for each syntax check success and errors
- Add more certificate generation examples

internal/net/ssl/ssl_test.go

@@ -22,6 +22,7 @@ import (
 	"crypto/rand"
 	cryptorand "crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -29,10 +30,15 @@ import (
 	"fmt"
 	"math"
 	"math/big"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"sync"
 	"testing"
 	"time"
 
 	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/kubernetes/pkg/util/filesystem"
 
 	"k8s.io/ingress-nginx/internal/file"
 )
@@ -366,3 +372,87 @@ func encodeCertPEM(cert *x509.Certificate) []byte {
 	}
 	return pem.EncodeToMemory(&block)
 }
+
+func fakeCertificate(t *testing.T, fs filesystem.Filesystem) []byte {
+	cert, key := getFakeHostSSLCert("localhost")
+	fd, err := fs.Create("/key.crt")
+	if err != nil {
+		t.Errorf("failed to write test key: %v", err)
+	}
+	fd.Write(cert)
+	fd, err = fs.Create("/key.key")
+	if err != nil {
+		t.Errorf("failed to write test key: %v", err)
+	}
+	fd.Write(key)
+	return cert
+}
+
+func dialTestServer(port string, rootCertificates ...[]byte) error {
+	roots := x509.NewCertPool()
+	for _, cert := range rootCertificates {
+		ok := roots.AppendCertsFromPEM(cert)
+		if !ok {
+			return fmt.Errorf("failed to add root certificate")
+		}
+	}
+	resp, err := tls.Dial("tcp", "localhost:"+port, &tls.Config{
+		RootCAs: roots,
+	})
+	if err != nil {
+		return err
+	}
+	if resp.Handshake() != nil {
+		return fmt.Errorf("TLS handshake should succeed: %v", err)
+	}
+	return nil
+}
+
+func TestTLSKeyReloader(t *testing.T) {
+	fs := filesystem.NewFakeFs()
+	cert := fakeCertificate(t, fs)
+
+	watcher := TLSListener{
+		certificatePath: "/key.crt",
+		keyPath:         "/key.key",
+		fs:              fs,
+		lock:            sync.Mutex{},
+	}
+	watcher.load()
+
+	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	s.Config.TLSConfig = watcher.TLSConfig()
+	s.Listener = tls.NewListener(s.Listener, s.Config.TLSConfig)
+	go s.Start()
+	defer s.Close()
+	port := strings.Split(s.Listener.Addr().String(), ":")[1]
+
+	t.Run("without the trusted certificate", func(t *testing.T) {
+		if dialTestServer(port) == nil {
+			t.Errorf("TLS dial should fail")
+		}
+	})
+
+	t.Run("with the certificate trustes as root certificate", func(t *testing.T) {
+		if err := dialTestServer(port, cert); err != nil {
+			t.Errorf("TLS dial should succeed, got error: %v", err)
+		}
+	})
+
+	t.Run("with a new certificate", func(t *testing.T) {
+		newCert := fakeCertificate(t, fs)
+		t.Run("when the certificate is not reloaded", func(t *testing.T) {
+			if dialTestServer(port, newCert) == nil {
+				t.Errorf("TLS dial should fail")
+			}
+		})
+		// simulate watch.NewFileWatcher to call the load function
+		watcher.load()
+		t.Run("when the certificate is reloaded", func(t *testing.T) {
+			if err := dialTestServer(port, newCert); err != nil {
+				t.Errorf("TLS dial should succeed, got error: %v", err)
+			}
+		})
+	})
+
+}