Implement annotation validation (#9673)

* Add validation to all annotations

* Add annotation validation for fcgi

* Fix reviews and fcgi e2e

* Add flag to disable cross namespace validation

* Add risk, flag for validation, tests

* Add missing formating

* Enable validation by default on tests

* Test validation flag

* remove ajp from list

* Finalize validation changes

* Add validations to CI

* Update helm docs

* Fix code review

* Use a better name for annotation risk

internal/ingress/controller/store/store_test.go

@@ -1414,18 +1414,31 @@ func TestUpdateSecretIngressMap(t *testing.T) {
 	t.Run("with annotation in namespace/name format", func(t *testing.T) {
 		ing := ingTpl.DeepCopy()
 		ing.ObjectMeta.SetAnnotations(map[string]string{
-			parser.GetAnnotationWithPrefix("auth-secret"): "otherns/auth",
+			parser.GetAnnotationWithPrefix("auth-secret"): "testns/auth",
 		})
 		if err := s.listers.Ingress.Update(ing); err != nil {
 			t.Errorf("error updating the Ingress: %v", err)
 		}
 		s.updateSecretIngressMap(ing)
 
-		if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("otherns/auth")) {
+		if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("testns/auth")) {
 			t.Errorf("Expected \"otherns/auth\" to be the only referenced Secret (got %d)", l)
 		}
 	})
 
+	t.Run("with annotation in namespace/name format should not be supported", func(t *testing.T) {
+		ing := ingTpl.DeepCopy()
+		ing.ObjectMeta.SetAnnotations(map[string]string{
+			parser.GetAnnotationWithPrefix("auth-secret"): "anotherns/auth",
+		})
+		s.listers.Ingress.Update(ing)
+		s.updateSecretIngressMap(ing)
+
+		if l := s.secretIngressMap.Len(); l != 0 {
+			t.Errorf("Expected \"otherns/auth\" to be denied as it contains a different namespace (got %d)", l)
+		}
+	})
+
 	t.Run("with annotation in invalid format", func(t *testing.T) {
 		ing := ingTpl.DeepCopy()
 		ing.ObjectMeta.SetAnnotations(map[string]string{