Incorporates ingress-hostname-conflict into restrict-hostnames while expanding its functionality such that:
- Conflicts within a namespace are permitted
- Cross-namespace hostname conflicts are also caught between VirtualServices as well as across Ingresses and VirtualServices
- The allowed-hosts annotation can be used to permit any such cross-namespace conflicts for one or more particular hostpaths
- The namespaces and names of the conflicting resources are reported
Would there be any security concern with that? Someone who has the rights to create an Ingress or a VirtualService in any namespace could use this to discover the namespaces and names of Ingresses and VirtualServices corresponding to any hostname on that cluster. I am not sure whether that counts as sensitive information.
If so, it is trivial to change this to report only the namespace, or to only report that there is a conflict and suggest using a different hostname. When using a different hostname is not feasible, this could make knowing what is conflicting or who to contact to resolve the conflict more difficult, though that is likely an edge-case.
Mostly tested on InfraTest, but lacked time for the allowed-hosts label test (although that works in opa test and should be consistent with existing use of that function). Out of an abundance of caution, because I am new to Gatekeeper and about to leave for a week, on InfraTest I have not yet deleted the ingress-hostname-conflict template (which had earlier been modified to allow conflicts in the same namespace, but will not recognize allowed-hosts) or its constraints.
This is my first policy and test, and I think I might still have some redundancies in the rego or test cases. Please feel free to suggest any improvements.
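For reviewers who want to picture the behaviour the bullets above describe, here is an illustrative Gatekeeper-style Rego sketch of that logic. It is an added example, not the Rego in this PR or in the restrict-hostnames template: the package name, the annotation key `example.com/allowed-hosts` (assumed to be a comma-separated list of hostnames on the object under review), and the Istio API version `networking.istio.io/v1beta1` are assumptions, and it relies on Gatekeeper's replicated inventory (`data.inventory`), which only contains Ingresses and VirtualServices if a sync config lists both kinds.

```rego
package restricthostnames

# Hostnames claimed by the object being admitted (Ingress or VirtualService).
review_hosts[host] {
  input.review.kind.kind == "Ingress"
  host := input.review.object.spec.rules[_].host
}

review_hosts[host] {
  input.review.kind.kind == "VirtualService"
  host := input.review.object.spec.hosts[_]
}

# Hostnames already claimed by existing resources, taken from Gatekeeper's
# replicated inventory: data.inventory.namespace[ns][groupVersion][kind][name].
existing[{"host": host, "kind": "Ingress", "namespace": ns, "name": name}] {
  obj := data.inventory.namespace[ns]["networking.k8s.io/v1"]["Ingress"][name]
  host := obj.spec.rules[_].host
}

existing[{"host": host, "kind": "VirtualService", "namespace": ns, "name": name}] {
  # Assumed API version; adjust to the one installed in the cluster.
  obj := data.inventory.namespace[ns]["networking.istio.io/v1beta1"]["VirtualService"][name]
  host := obj.spec.hosts[_]
}

# Hostnames the object under review explicitly allows to be shared across
# namespaces. The annotation key and its comma-separated format are assumptions.
allowed[host] {
  raw := input.review.object.metadata.annotations["example.com/allowed-hosts"]
  host := trim_space(split(raw, ",")[_])
}

violation[{"msg": msg}] {
  host := review_hosts[_]
  other := existing[_]
  other.host == host

  # Conflicts inside the same namespace are permitted; this also skips the
  # object's own inventory entry on UPDATE.
  other.namespace != input.review.object.metadata.namespace

  not allowed[host]

  # Report the namespace and name of the conflicting resource.
  msg := sprintf(
    "hostname %q is already used by %s %s/%s in another namespace; add it to the allowed-hosts annotation to permit this",
    [host, other.kind, other.namespace, other.name],
  )
}
```

Two caveats follow from the sketch itself: it compares whole hostnames only, so the per-hostpath granularity mentioned above would need the path component carried alongside the host, and because the decision depends on `data.inventory`, an admission that happens before Gatekeeper has finished syncing both kinds will not see every existing claimant.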