Run more tests with admission webhook (validation) enabled

[programmer04]

Is there an existing issue for this?

• [X] I have searched the existing issues

Problem Statement

Currently, the admission webhook is tested in the integration suite in isolation in files:

• gateway_webhook_test.go
• httproute_webhook_test.go
• etc.

But tests that apply actual configurations (e.g. routing traffic based on Ingress configuration, etc.) and test their correctness don't have webhook enabled. Every valid configuration should not be blocked by webhook too. On the other hand, due to the nature of K8s, the admission webhook may be not configured/removed thus KIC should cope with invalid configurations too (the webhook should be able to reject as many as possible). It has to be tested.

Furthermore, validation webhook needs to be configured in a cluster for particular objects with validatingwebhookconfigurations.admissionregistration.k8s K8s object that is defined in custom rarely used script in repo and Helm chart. It can be easily overlooked, e.g. it happened for HTTPRoute and Ingress, fixed in the below PRs

• https://github.com/Kong/kubernetes-ingress-controller/pull/4733
• https://github.com/Kong/charts/pull/886
• https://github.com/Kong/charts/pull/887

Proposed Solution

Treat admission webhook enabled as the default configuration for KIC, and run as much as possible test with it enabled.

Additional information

It's been discovered during the work on

• https://github.com/Kong/kubernetes-ingress-controller/pull/4608

that implemented (and covered with tests) features used to be rejected by admission webhook as not implemented yet. Another complementary issue has been created too

• https://github.com/Kong/kubernetes-ingress-controller/issues/4676

Acceptance Criteria

• [ ] All tests that expect to have valid configuration should go through webhook
• [ ] Invalid configs should be tested both with webhook enabled (config is rejected and not applied) and disabled (config is applied, KIC handles it)