Support multiple Gateway Listener certificateRefs

[rainest]

Per https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayTLSConfig

A single CertificateRef to a Kubernetes Secret has “Core” support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific.

#2580 only implements the core requirement, and rejects configurations with multiple certificates.

Kong certificate entities can hold two certificates, and will select the served certificate based on client algorithm support (ECDSA or RSA): https://docs.konghq.com/gateway/latest/admin-api/#add-certificate

Acceptance criteria

To support this for Gateway APIs, we would need to:

• Increase the certificateRef limit to 2.
• If two certificates are present, verify that they use different signature algorithms (Kong will reject them if they do not).
• Verify that all certificates use the same CN and SAN sets. Kong does not require this (it probably should) but the Gateway spec requires that implementations serve the cert with the longest SNI-SAN match (e.g. you would serve the cert with foo.example.com instead of *.example.com for foo.example.com) across all certificates. Since we must instead choose the certificate based on algorithm first, we can't meet that part of the spec and need to instead ensure it's irrelevant.
• For Listeners with 2 certificateRefs, create a Kong certificate with one certificate and key in cert and key and the other in cert_alt and key_alt.

[scseanchow]

@rainest is this extended support, does it make sense for us to push this out to a further milestone?

[rainest]

Yes, per the spec this is extended. Core only requires supporting a single certificate. The main reason for us to add it is because there's an existing Kong feature we can take advantage of with multiple.