Clean up propagated parameter/workspace validation

[lbernick]

Currently, some validation logic for parameters and workspaces can be done in the admission webhook, but due to param/workspace propagation, some of it must happen in the reconciler. Currently, we get around this by skipping some forms of validation if sentinel values are injected into the context. Instead, we should split validation into parts that must happen in the reconciler, and parts that can happen in the webhook, and call validation logic in the appropriate place.

This work blocks #6616.

[chitrangpatel]

/assign

[pritidesai]

Thanks @lbernick, one question. My knowledge is outdated at this point in terms of validation. But at some point in the past, we had discussed about validating specifications once instead of validating them in every reconcile cycle. Have we thought about exploring that route?

#4562

[lbernick]

Thanks @pritidesai, I think this issue isn't intended to have any functional changes, it's just intended to make the codebase more readable and unblock #6616. I'm trying to make it easier to tell what validation is happening at various points by getting rid of the sentinel values that indicate which forms of validation to do.

We could definitely explore validating only once per reconcile loop-- I think #6616 or #6645 is the best place for that conversation.