
refactor: use one http.Server

Open diafour opened this issue 2 years ago • 0 comments

Background

Ports

Shell-operator starts different tcp listeners:

  • port 9115 for operator metrics and liveness probe
  • port --hook-metrics-listen-port for hook metrics
  • port 9680 for validating and mutating webhooks
  • port 9681 for conversion webhooks

There is an issue when shell-operator runs in a private cluster in GKE or in other clouds: control-plane nodes are allowed to connect to regular nodes only on ports 443 and 10250. (See this discussion for more details: https://github.com/external-secrets/external-secrets/pull/1982)

There is no reason to have different ports for metrics and webhooks. Maybe it is required for kube-rbac-proxy, but it supports different auth parameters for different paths.

Services for webhooks

There are separate settings for admission and conversion webhooks:

  • service name
  • server certificate and key
  • CA and client CA

These settings are needed only for different listeners.

Solution

  1. Keep only one http server for metrics and for webhooks. (The debug server should stay separate; it listens on a unix socket.)
  2. Change the default listen-port from 9115 to 10250.
  3. Add documentation about the default port, why it is 10250 and when it should be changed, e.g. when using hostNetwork: true.
  4. Remove the --hook-metrics-listen-port option.
  5. Merge CONVERSION_WEBHOOK_* and VALIDATING_WEBHOOK_* settings into one set of WEBHOOK_* settings.
  6. Change the default directory for certificates to /webhook-certs.
  7. Use one Service for all webhooks.
  8. Add an additional prefix for webhook paths if needed.
  9. Change the webhook examples.
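As an added illustration of items 1, 2, 6 and 8 (not shell-operator's own code): one `http.Server` on port 10250 serving metrics, the liveness probe and both webhook kinds under an optional path prefix, with certificates read from a single directory. The `Config` field names, the `/healthz` path and the `reviewHandler` placeholder are assumptions for this example.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"path"
	"sync/atomic"
)

// Config holds the merged settings proposed in this issue (field names are assumptions).
type Config struct {
	ListenPort    int    // default 10250: a port GKE control-plane nodes can already reach
	WebhookPrefix string // optional extra prefix for webhook paths (item 8)
	CertDir       string // one certificate directory for all webhooks, e.g. /webhook-certs
}
var webhookCalls int64 // exposed on /metrics, so metrics and webhooks share one listener

// NewHandler wires metrics, liveness and both webhook kinds onto ONE mux.
func NewHandler(cfg Config) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintf(w, "shell_operator_webhook_calls_total %d\n", atomic.LoadInt64(&webhookCalls))
	})
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	// The trailing slash makes "validate" a subtree, so /validate/<hook-name> also matches.
	mux.HandleFunc(path.Join("/", cfg.WebhookPrefix, "validate")+"/", reviewHandler)
	mux.HandleFunc(path.Join("/", cfg.WebhookPrefix, "convert"), reviewHandler)
	return mux
}
// reviewHandler is a placeholder that only acknowledges a review by its UID; real hooks
// build the full AdmissionReview or ConversionReview response here.
func reviewHandler(w http.ResponseWriter, r *http.Request) {
	var review struct{ Request struct{ UID string } }
	if err := json.NewDecoder(r.Body).Decode(&review); err != nil || review.Request.UID == "" {
		http.Error(w, "malformed review", http.StatusBadRequest)
		return
	}
	atomic.AddInt64(&webhookCalls, 1)
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{"response": map[string]interface{}{"uid": review.Request.UID, "allowed": true}})
}
func main() {
	cfg := Config{ListenPort: 10250, WebhookPrefix: "/shell-operator", CertDir: "/webhook-certs"}
	srv := &http.Server{Addr: fmt.Sprintf(":%d", cfg.ListenPort), Handler: NewHandler(cfg), TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
	// One TLS listener serves everything; cert and key come from the single CertDir.
	log.Fatal(srv.ListenAndServeTLS(path.Join(cfg.CertDir, "tls.crt"), path.Join(cfg.CertDir, "tls.key")))
}
```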

diafour, Feb 15 '23 10:02