fix: restore warn behavior for ApisixTls with missing secrets

When ApisixTls references secrets that do not exist yet, the webhook
should warn (not deny). The ADC validator calls PrepareApisixTlsForValidation
which in turn calls validateSecret, which returns NotFound and causes
admission denial - breaking the original warn-on-missing-secret behavior.

Fix: skip ADC validation when collectWarnings already detected missing
secrets. The translator cannot load cert/key material in that case, so
ADC validation would always fail anyway. The existing warnings are
sufficient to inform the user.

Also fix initErr fail-open: a validator initialization failure should
allow admission (return warnings, nil) rather than hard-deny every write.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Foo Bar

internal/webhook/v1/apisixtls_webhook.go

@@ -80,8 +80,11 @@ func (v *ApisixTlsCustomValidator) ValidateCreate(ctx context.Context, obj runti
 	}
 
 	warnings := v.collectWarnings(ctx, tls)
-	if v.initErr != nil {
-		return warnings, v.initErr
+	// Skip ADC validation when secrets are missing: the translator cannot
+	// load cert/key material, so validation would always fail. The missing-
+	// secret warnings are sufficient to inform the user.
+	if v.initErr != nil || len(warnings) > 0 {
+		return warnings, nil
 	}
 
 	return warnings, v.adcValidator.Validate(ctx, tls)
@@ -104,8 +107,8 @@ func (v *ApisixTlsCustomValidator) ValidateUpdate(ctx context.Context, oldObj, n
 	}
 
 	warnings := v.collectWarnings(ctx, tls)
-	if v.initErr != nil {
-		return warnings, v.initErr
+	if v.initErr != nil || len(warnings) > 0 {
+		return warnings, nil
 	}
 
 	return warnings, v.adcValidator.Validate(ctx, tls)