emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0

Can't use a TLSContext to configure origination without a secret #4476

Open LukeShu opened 2 years ago

LukeShu commented 2 years ago

Describe the bug

TLSContexts are deprecated for TLS termination (which requires a secret), but are still the only way to provide advanced configuration for TLS origination (which does not require a secret) beyond "turn it on", such as specifying the TLS version to use, or what hostname to send in SNI. However, the validator checks that the TLSContext has a secret, and discards it otherwise. This means that even if I don't want Emissary to use a client cert, I have to provide one anyway.

To Reproduce

  1. apply
     apiVersion: getambassador.io/v2
     kind: TLSContext
     metadata:
       name: my-tlsclient
     spec:
       sni: my-funny-name
  2. observe that Emissary discards the TLSContext, saying
    2022-09-01 03:27:43 diagd 1.14.4-dev.26+g2b01994c2 [P19TAEW] DEBUG: my-tlsclient.default.1: <RichStatus BAD error='TLSContext myt-tlsclient has no certificate information at all?' hostname='tcpmappingtlsoriginationcontexttest' version='1.14.4-dev.26+g2b01994c2'>
  3. Observe that it does not originate TLS when speaking to the upstream.

Expected behavior

I expected it to originate TLS with the given SNI information.

Versions (please complete the following information):

Additional context

I only tested with 1.14, but it looks like that code is unchanged on master.
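The validation rule the report is asking for, written out as an added example (this is not Emissary's own validator code): a secret is demanded only when the TLSContext is used for termination, while an origination-only context is accepted as long as it carries some origination setting. The `TLSContextSpec` model, its `min_tls_version`/`max_tls_version` fields, and the `used_for` parameter are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TLSContextSpec:
    """Hypothetical model of the TLSContext spec fields relevant to this issue."""
    secret: Optional[str] = None           # client cert (origination) or server cert (termination)
    sni: Optional[str] = None              # hostname to send in SNI when originating TLS
    min_tls_version: Optional[str] = None  # assumed field names for the TLS version settings
    max_tls_version: Optional[str] = None


def validate_tls_context(spec: TLSContextSpec, used_for: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    used_for is "termination" (a Host references the context for inbound TLS)
    or "origination" (a Mapping/TCPMapping references it for upstream TLS).
    Unlike the behaviour reported above, the secret check is scoped to termination.
    """
    if used_for == "termination":
        if not spec.secret:
            return False, "termination requires a secret holding the server certificate"
        return True, "ok"

    if used_for == "origination":
        origination_settings = [spec.sni, spec.min_tls_version, spec.max_tls_version, spec.secret]
        if not any(origination_settings):
            # Nothing to apply: no SNI, no version pin, no client cert. Rejecting here
            # is the only case where "no certificate information at all" is a real problem.
            return False, "no origination settings and no client certificate; context is a no-op"
        return True, "ok: secret optional, only needed for client-certificate auth"

    return False, f"unknown use {used_for!r}"


if __name__ == "__main__":
    # The TLSContext from the reproduction steps above (constructed sample).
    ctx = TLSContextSpec(sni="my-funny-name")
    print("origination:", validate_tls_context(ctx, "origination"))
    print("termination:", validate_tls_context(ctx, "termination"))
```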

dethi commented 1 year ago

I'm impacted by this too. This was previously working (see previous issue and fix https://github.com/emissary-ingress/emissary/issues/1708).