webhook: validate certificateRefs when `tls` is set and `mode` is Terminate

[mlavacca]

What would you like to be added:

The TLSModeType documentation states:

gateway-api/apis/v1beta1/gateway_types.go

Lines 290 to 305 in 006a257

	// Mode defines the TLS behavior for the TLS session initiated by the client.
	// There are two possible modes:
	//
	// - Terminate: The TLS session between the downstream client
	// and the Gateway is terminated at the Gateway. This mode requires
	// certificateRefs to be set and contain at least one element.
	// - Passthrough: The TLS session is NOT terminated by the Gateway. This
	// implies that the Gateway can't decipher the TLS stream except for
	// the ClientHello message of the TLS protocol.
	// CertificateRefs field is ignored in this mode.
	//
	// Support: Core
	//
	// +optional
	// +kubebuilder:default=Terminate
	Mode *TLSModeType `json:"mode,omitempty"`

In particular, when the TLSConfig is set, and the TLSModeType is terminate, the certificateRefs field must always be set and contain at least one reference to an object.
To ensure this condition, the Gateway validation should be improved to ensure that such a condition is always verified.

Why this is needed:

When the TLSModeType is set to terminate, there is always the need for a valid certificate to terminate the TLS connection.

[gyohuangxin]

I'd like to implement it.
/assign