consistently fallback to default certificate when TLS is configured

[ElvinEfendi]

What this PR does / why we need it:
Currently having TLS configured in an Ingress Spec does not guarantee that Nginx will be configured using SSL endpoint. Whenever TLS configured we first check the following three edge cases:

1. We extract secret name, and if the secret name is empty we then fallback using default certificate and configure Nginx with HTTPS endpoint
2. Otherwise we continue to check local SSL store and if there is no corresponding secret we don't configure SSLCert for the given server. This means the controller configures Nginx using HTTP endpoint only
3. If secret name is present and there corresponding secret in the SSL store, we match the hostname with the one in the certificate if it does not match, we again do not configure SSLCert for the server. This again means the controller configures Nginx using HTTP endpoint only

If everything is good we then use the configured certificate and configure Nginx with HTTPS endpoint.

As you can see there's inconsistency here. One option to resolve this inconsistency would be to make the edge case 1. to behave as other two, a.k.a always fallback to configuring HTTP endpoint only even though user has TLS Spec configured in their Ingress manifest. In my understanding doing this would be breaking the protocol between user and the ingress controller - what I mean is as a user when I include TLS Spec in my Ingress manifest I expect to have my server configured with HTTPS endpoint and have HTTP requests redirected to that endpoint (unless I explicitly opt-out). And I'd also expect the controller to follow the notion of default certificate it has and when there's an issue with the configured certificate (one of the three edge cases above) fallback to using the default certificate.
Another problem with this option is that we won't be able to handle certificate updates dynamically (#2965). Because with this option when user fixes their certificate (i.e edge case 2: user creates the missing secret) we would have to update Nginx configuration and include listen 443 ssl ... directive and others. Which means there's no way we can avoid reload.

Given above, this PR suggests to change the way controller handles edge cases 2. and 3. With this PR in all the edge cases where we can not successfully configure certificate we fallback to using default certificate. This solves all the issues mentioned above.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

[ElvinEfendi]

/assign @aledbf
/assign @antoineco

[aledbf]

/lgtm

[ElvinEfendi]

/hold

[codecov-io]

Codecov Report

Merging #2972 into master will decrease coverage by 0.05%.
The diff coverage is 0%.

@@            Coverage Diff             @@
##           master    #2972      +/-   ##
==========================================
- Coverage   47.58%   47.52%   -0.06%     
==========================================
  Files          77       77              
  Lines        5634     5639       +5     
==========================================
- Hits         2681     2680       -1     
- Misses       2600     2607       +7     
+ Partials      353      352       -1

Impacted Files	Coverage Δ
internal/ingress/controller/controller.go	2.18% <0%> (-0.02%)	⬇️
internal/watch/file_watcher.go	80.76% <0%> (-3.85%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7436b77...702fb9b. Read the comment docs.

[ElvinEfendi]

/hold cancel

[aledbf]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ElvinEfendi,aledbf]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment