fix: validation for certificates

[kkk777-7]

What this PR does / why we need it:

Fix CA certificate validation.

Currently, CA certificate validation only check first block.
So, if user stores the CA bundle in Secret and first block is invalid (e.g. expired certificate), CA certificate validation fails.
This behavior causes #7608.

Fixed:
Support validating all block. and invalid block is exclude.
If no valid certificates exist, return ListenerError with InvalidCertificateRef condition.
If valid certificates exist and invalid certificates exist, return ListenerError with PartiallyInvalidCertificateRef condition.

Related PR

#7909

Tests

• If no valid certificates exist in Secret, return 500 response.
  • https://github.com/envoyproxy/gateway/blob/96bc26c381419d22514ecfd5fa813348da958eeb/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-invalid.out.yaml
• If one valid certificate exists and one invalid certificate exists, don't return 500 response and only contains valid certificate in xdsIR
  • https://github.com/envoyproxy/gateway/blob/96bc26c381419d22514ecfd5fa813348da958eeb/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle.out.yaml
• If both valid certificates exist, contains both valid certificates in xdsIR
  • https://github.com/envoyproxy/gateway/blob/96bc26c381419d22514ecfd5fa813348da958eeb/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-cert-bundle-both-valid.out.yaml

Which issue(s) this PR fixes:

Fixes #7608

Release Notes: Yes

Related and Reference Issue

kubernetes/ingress-nginx#4234 (comment)

[codecov]

Codecov Report

❌ Patch coverage is 82.08955% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.87%. Comparing base (b8d986c) to head (621b57d).

Files with missing lines	Patch %	Lines
internal/gatewayapi/tls.go	78.57%	10 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7734      +/-   ##
==========================================
+ Coverage   72.81%   72.87%   +0.06%     
==========================================
  Files         237      237              
  Lines       35623    35669      +46     
==========================================
+ Hits        25938    25993      +55     
+ Misses       7834     7830       -4     
+ Partials     1851     1846       -5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kkk777-7]

should we handle multiple pems for certificate bundles?

[rudrakhp]

We are not returning the expired cert errors here if there is a valid cert. IMO we should return the error and log it as warning if validData is non empty.

[arkodg]

+1

[kkk777-7]

thanks @rudrakhp @arkodg , I've updated the logic.

if no valid certs exist, returns custom error with InvalidCertificateRef Reason,
and if valid and invalid certs exist, returns custom error with PartiallyInvalidCertificateRef Reason.

[kkk777-7]

@rudrakhp
thanks for your comments! and sorry for delay response.
currently, I'm handling another issue which is related to this. #7909

I’d appreciate it if I could address 7909 first, then I’ll handle this.

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 ready!

Name	Link
🔨 Latest commit	621b57d
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/697089b6eb65710008d2ded1
😎 Deploy Preview	https://deploy-preview-7734--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[kkk777-7]

hi @rudrakhp , @arkodg , @zhaohuabing , please review it when you have a moment.

[zirain]

@kkk777-7 can you fix the conflict?

[kkk777-7]

/retest