Added support for upstream verification for TCPProxy

[tsaarni]

This PR adds support for upstream verification for TCPProxy.

As discussed in #4373 (comment) the API has always allowed setting httpproxy.spec.tcpproxy.services.validation but it has been ignored by the implementation.

Updates #4373

[codecov]

Codecov Report

Attention: 3 lines in your changes are missing coverage. Please review.

Comparison is base (9eb2838) 78.82% compared to head (9450ff5) 78.81%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6079      +/-   ##
==========================================
- Coverage   78.82%   78.81%   -0.02%     
==========================================
  Files         138      138              
  Lines       19766    19790      +24     
==========================================
+ Hits        15581    15597      +16     
- Misses       3878     3884       +6     
- Partials      307      309       +2     

Files	Coverage Δ
internal/dag/httpproxy_processor.go	91.51% <91.17%> (-0.42%)	⬇️

[skriss]

Thanks @tsaarni, looks pretty good to me

[skriss]

LGTM, but GitHub is unhappy with the PR, may need a rebase or just a kick.

[sunjayBhatia]

maybe a refactor for the future, but since we only really have one fixture for cert content, we end up asserting on the same value everywhere ([]byte(featuretests.CERTIFICATE)), would be good to maybe at least use the field from caSecret for readability? (looks like sec2 in the other test below?)

[tsaarni]

👍 While adding the test I was reminded that I would have preferred to remove the hardcoded test certificates & private keys from the code. I'll check if I could simplify this.

[tsaarni]

I've updated the tests so that they use the field from CA secret, though this will be bit simpler if we merge #6100 as it will allow passing the secret itself.

[tsaarni]

Now updated according to #6100

[sunjayBhatia]

just one nit on the featuretests, otherwise LGTM