Is your feature request related to a problem? Please describe.
The current implementation requires a ClusterRole to request a ServiceAccount token from the API server. The CSI driver already has an implementation that gets the ServiceAccount token of nodePublishSecretRef through MountRequest. It may not be preferred in some environments for providers to require cluster-wide privileges as a design. It also makes sense to access the API server within secrets-store-csi-driver, and the provider should be simplified. We've already understood that each method has pros and cons according to the original discussion.
Describe the solution you'd like
Add option to read the secret of MountRequest gRPC call and use token as Kubernetes Auth method JWT.
Describe alternatives you've considered
Kubernetes v1.20+ supports the feature gate CSIServiceAccountToken, which requests a token through the kubelet, and it is considered to be the standard method for secrets-store-csi-driver. However, this is the method since v1.20, and we are discussing the method for users of v1.19 or earlier.
Explain any additional use-cases
Additional context
Original discussion thread #64 (comment)
I'll close this now, as the driver has implemented sending tokens in the MountRequest in kubernetes-sigs/secrets-store-csi-driver#805, released in v1.3.0, and then this provider implemented support for consuming those tokens in #163. So the provider can be deployed without the ClusterRole, which I believe was the main driver for the feature request.
I'll add a feature to the helm chart to allow disabling the ClusterRole too.
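As an added illustration (not the provider's or the driver's own code) of the two token sources this thread discusses, the following Go sketch lets a provider take the JWT for Vault's Kubernetes auth method from the MountRequest: first the kubelet-projected token that the driver forwards since v1.3.0, falling back to the token from the nodePublishSecretRef secret as originally requested. It assumes the request's JSON attributes and secrets are already decoded into maps, that the projected tokens arrive under the kubelet's `csi.storage.k8s.io/serviceAccount.tokens` attribute as a JSON map keyed by audience, and that the secret stores the token under a `token` key; the function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attribute key under which the kubelet (CSIServiceAccountToken, Kubernetes >= 1.20) hands
// projected service account tokens to the driver; assumed forwarded unchanged in MountRequest.attributes.
const saTokensAttr = "csi.storage.k8s.io/serviceAccount.tokens"

// saToken is one entry of the JSON map stored under saTokensAttr, keyed by audience.
type saToken struct {
	Token               string    `json:"token"`
	ExpirationTimestamp time.Time `json:"expirationTimestamp"`
}

// tokenFromMountRequest picks the JWT to present to Vault's Kubernetes auth method: the projected
// token for audience if present and unexpired, else the "token" entry of the nodePublishSecretRef secret.
func tokenFromMountRequest(attributes, secrets map[string]string, audience string, now time.Time) (string, error) {
	if raw := attributes[saTokensAttr]; raw != "" {
		var tokens map[string]saToken
		if err := json.Unmarshal([]byte(raw), &tokens); err != nil {
			return "", fmt.Errorf("parsing %s: %w", saTokensAttr, err)
		}
		if t, ok := tokens[audience]; ok {
			if !t.ExpirationTimestamp.IsZero() && !now.Before(t.ExpirationTimestamp) {
				return "", fmt.Errorf("projected token for audience %q has expired", audience)
			}
			return t.Token, nil
		}
	}
	if tok := secrets["token"]; tok != "" {
		return tok, nil
	}
	return "", errors.New("no service account token in MountRequest attributes or secrets")
}

// kubernetesLoginBody is the JSON payload for POST <vault>/v1/auth/kubernetes/login.
func kubernetesLoginBody(role, jwt string) ([]byte, error) {
	if role == "" || jwt == "" {
		return nil, errors.New("role and jwt are required")
	}
	return json.Marshal(map[string]string{"jwt": jwt, "role": role})
}

func main() {
	// Constructed sample: a driver >= v1.3.0 request carrying a projected token for audience "vault".
	attrs := map[string]string{saTokensAttr: `{"vault":{"token":"eyJ.constructed.jwt","expirationTimestamp":"2099-01-01T00:00:00Z"}}`}
	jwt, err := tokenFromMountRequest(attrs, nil, "vault", time.Now())
	fmt.Println(jwt, err)
}
```

With the projected token available, the nodePublishSecretRef secret is never read, which is what lets the ClusterRole (and the secret itself) be dropped from the deployment.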