Conversation

@zac-nixon
Collaborator

Description

Gives users the ability to configure mTLS on the LBC webhooks.

Tested out by mounting the kube ca cm to my lbc pod:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "99"
  creationTimestamp: "2025-02-28T01:02:16Z"
  generation: 106
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: aws-load-balancer-controller
  name: aws-load-balancer-controller
  namespace: kube-system
  resourceVersion: "68805587"
  uid: 55a962c1-b96a-4e70-8406-3951f2a566d5
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/name: aws-load-balancer-controller
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/name: aws-load-balancer-controller
    spec:
      containers:
      - args:
        - --aws-vpc-id=vpc-02c95a92410c1c1f2
        - --aws-region=us-east-1
        - --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true
        - --cluster-name=awslbc-loadtest
        - --ingress-class=alb
        - --kube-ca-pem-filepath=/tmp/kube-ca/ca.crt
        image: 565768096483.dkr.ecr.us-west-2.amazonaws.com/nixozach/lbc:webhooksecurity
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 2
          httpGet:
            path: /healthz
            port: 61779
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 10
        name: controller
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        resources:
          limits:
            cpu: 200m
            memory: 500Mi
          requests:
            cpu: 100m
            memory: 200Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
        - mountPath: /tmp/kube-ca
          name: kube-ca
          readOnly: true
      dnsPolicy: ClusterFirst
      priorityClassName: system-cluster-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1337
      serviceAccount: aws-load-balancer-controller
      serviceAccountName: aws-load-balancer-controller
      terminationGracePeriodSeconds: 10
      volumes:
      - name: cert
        secret:
          defaultMode: 420
          secretName: aws-load-balancer-webhook-tls
      - configMap:
          defaultMode: 420
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
        name: kube-ca
```

Verified that when Kube API is not configured to present cert, the webhook fails:

```text
nixozach@80a997300bd5 aws-load-balancer-controller % kubectl -n gateway-alb edit targetgroupbinding k8s-gatewaya-httpapp1-f236bc82bb
error: targetgroupbindings.elbv2.k8s.aws "k8s-gatewaya-httpapp1-f236bc82bb" could not be patched: Internal error occurred: failed calling webhook "mtargetgroupbinding.elbv2.k8s.aws": failed to call webhook: Post "https://aws-load-balancer-webhook-service.kube-system.svc:443/mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding?timeout=10s": remote error: tls: certificate required
You can run `kubectl replace -f /var/folders/hd/jy9f_glx0kdbg9_55bs9pxrm0000gq/T/kubectl-edit-1028163434.yaml` to try this update again.
```

When Kube API is configured to present cert, the webhook passes:

```text
nixozach@80a997300bd5 aws-load-balancer-controller % kubectl -n gateway-alb edit targetgroupbinding k8s-gatewaya-httpapp1-f236bc82bb
targetgroupbinding.elbv2.k8s.aws/k8s-gatewaya-httpapp1-f236bc82bb edited
```

When no cert is configured with the LBC, things work either way (cert or no cert):

```text
nixozach@80a997300bd5 aws-load-balancer-controller % kubectl -n gateway-alb edit targetgroupbinding k8s-gatewaya-httpapp1-f236bc82bb
targetgroupbinding.elbv2.k8s.aws/k8s-gatewaya-httpapp1-f236bc82bb edited
```

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the docs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟
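The three outcomes shown in the description (no client cert rejected with `tls: certificate required`, CA-issued client cert accepted, and everything accepted when no CA is configured on the controller) can be reproduced offline with Go's standard library. This is an added example, not code from the PR or from the aws-load-balancer-controller; the only settings taken from the PR are `ClientCAs` and `tls.RequireAndVerifyClientCert`. `issueCert`, `ClientCAPool`, `WebhookTLSConfig`, `requestOK`, `Probe` and the certificate subject names are assumptions made for the example, and the in-memory CA stands in for the `kube-root-ca.crt` ConfigMap that the deployment above mounts and passes via `--kube-ca-pem-filepath`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert builds a fixture certificate: a self-signed CA when parent is nil, else a leaf signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest serves on 127.0.0.1
	}
	if parent == nil { // self-signed CA (stand-in for the cluster CA)
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClientCAPool parses the PEM bundle --kube-ca-pem-filepath points at into a pool for tls.Config.ClientCAs.
// A bundle with no parsable certificate is an error: an empty pool would not disable mTLS, it would reject every client.
func ClientCAPool(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no CA certificates found in PEM bundle")
	}
	return pool, nil
}

// WebhookTLSConfig is the server-side policy from the PR: with a CA pool, only clients whose certificate
// chains to it are accepted; without one, ClientAuth keeps its default and any client is accepted.
func WebhookTLSConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{serverCert}}
	if clientCAs != nil {
		cfg.ClientCAs = clientCAs
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg
}

// requestOK sends one GET; false means the handshake/request failed (e.g. "remote error: tls: certificate required").
func requestOK(url string, tlsCfg *tls.Config) bool {
	tr := &http.Transport{TLSClientConfig: tlsCfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// Probe runs a throw-away webhook server and reports whether a client without a cert and one with a CA-issued cert succeed.
func Probe(requireClientCert bool) (withoutCertOK, withCertOK bool, err error) {
	ca, caKey := issueCert("kube-root-ca", nil, nil)
	srv, srvKey := issueCert("aws-load-balancer-webhook-service", ca, caKey)
	cli, cliKey := issueCert("kube-apiserver", ca, caKey)
	var pool *x509.CertPool
	if requireClientCert { // the same bytes the kube-root-ca.crt ConfigMap mounts as ca.crt
		if pool, err = ClientCAPool(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})); err != nil {
			return
		}
	}
	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	server.TLS = WebhookTLSConfig(tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}, pool)
	server.StartTLS()
	defer server.Close()
	roots := x509.NewCertPool() // both clients trust the CA for the server certificate
	roots.AddCert(ca)
	withoutCertOK = requestOK(server.URL, &tls.Config{RootCAs: roots})
	withCertOK = requestOK(server.URL, &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}})
	return
}
```

`Probe(true)` reproduces the first two kubectl runs above (no cert fails, CA-issued cert succeeds) and `Probe(false)` the third (both succeed). The check in `ClientCAPool` is the one a deployment of this flag benefits from most: if the mounted `ca.crt` is empty or not PEM, `RequireAndVerifyClientCert` with an empty pool fails every apiserver call, so surfacing that at startup is preferable to discovering it through webhook timeouts.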

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 17, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: zac-nixon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 17, 2025
config.ClientCAs = caCertPool
config.ClientAuth = tls.RequireAndVerifyClientCert
})
fmt.Println("Configured Kubernetes CA!")
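Review bot: the `fmt.Println("Configured Kubernetes CA!")` after the TLSOpts closure writes to stdout outside the controller's logger, so it carries no level or timestamp and cannot be filtered like the other startup lines; either drop it or emit it through the existing setup logger. It would also be worth failing (or at least logging loudly) when the CA file is set but `caCertPool` ends up with no certificates, since `tls.RequireAndVerifyClientCert` with an empty pool rejects every apiserver call instead of disabling the check.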
Collaborator


Forgot to delete?

flagWebhookCertDir = "webhook-cert-dir"
flagWebhookCertName = "webhook-cert-file"
flagWebhookKeyName = "webhook-key-file"
flagKubernetesCaPemFilepath = "kube-ca-pem-filepath"
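Review bot: `kube-ca-pem-filepath` breaks the naming pattern of the three `webhook-*` flags above it even though, per the description, it only governs the webhook server's client-certificate check; a `webhook-` prefixed name, or at least a docs entry next to `webhook-cert-dir`, would make the scope obvious. The flag help text should also state that setting it makes a client certificate mandatory for every webhook caller, since the description shows the apiserver failing with `tls: certificate required` when it is not configured to present one.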
Collaborator


Do we have a request for this flag? I am curious when users want to configure it on the webhook.

@shuqz
Collaborator

shuqz commented Sep 17, 2025

/approved

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 17, 2025
@shraddhabang
Collaborator

/lgtm
/approved

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 17, 2025
@k8s-ci-robot k8s-ci-robot merged commit 7cd6d46 into kubernetes-sigs:main Sep 18, 2025
9 checks passed