[Enhancement] include Ambassador Host tlsSecret in Secret freezing

[MarkSymsCtx]

We use Ambassador as our ingress controller and an automated CI deployment system for managing/pushing updates to the Kubernetes cluster. After a recent update to the TLS certs for Ambassador we found that it didn't pick up the new secret. It looks like this piece of config doesn't get picked up by kubetpl render as it uses a tlsSecret key to reference the secret rather than the normal secretName.

See https://www.getambassador.io/docs/edge-stack/latest/topics/running/host-crd/#tlssecret-enables-tls-termination

If this functionality could be added it would be great.

[MarkSymsCtx]

I'm not sure if this patch is all that would be required?

diff --git a/engine/processor/freeze.go b/engine/processor/freeze.go
index 01de63d..06003e8 100644
--- a/engine/processor/freeze.go
+++ b/engine/processor/freeze.go
@@ -24,6 +24,7 @@ const (
 	kindReplicationController = "ReplicationController"
 	kindStatefulSet           = "StatefulSet"
 	kindCronJob               = "CronJob"
+	kindHostCrd               = "Host"
 )
 
 type frozenObjectRef struct {
@@ -75,6 +76,9 @@ func init() {
 	}
 	configMap[kindCronJob] = mapWithPrefix(configMap[kindPod], "spec.jobTemplate.spec.template.")
 	secret[kindCronJob] = mapWithPrefix(secret[kindPod], "spec.jobTemplate.spec.template.")
+	secret[kindHostCrd] = []string{
+		"spec.tlsSecret[*].name"
+	}
 	pathsToRewrite = map[kind]map[kind][]string{
 		kindConfigMap: configMap,
 		kindSecret:    secret,