feat(kuma-cp) consolidate tokens logic to support expiration, rotation, revocation and RSA256

[jakubdyszkiewicz]

Summary

This PR consolidates the logic of JWT tokens in the project, to have one standard for all the tokens.

I refactored the logic to core/tokens to serve the functionality as a "library" for token implementations (dataplane token, zone ingress token, user token).

All the tokens now have

• Expiration. Not required for now for backwards compatibility (aside for user token, because it was required when we introduced it). If not specified then it's valid for 10 years.
• Revocation. In case that token is compromised, we can now put the ID of the token in revocation list in Secret/GlobalSecret.
• Signing Key rotation. In case that signing key is compromised, you can now rotate it without downtime.
• RSA256 signing method. All the tokens are now signed with RSA256. This is future proof if we want to build generating token offline (kumactl or other system), but only validate it in Kuma with public RSA key.
  All new tokens are generated using RSA256, but we still support HMAC256 for backwards compatibility.
• PEM-encoded signing key. Signing key (private RSA key) was encoded in GlobalSecret/Secert using ASN.1. It is now encoded using PEM which suppose to be easier to manage.
  We still support ASN.1 signing keys for backwards compatibility.

All those features were available for User Token already but not for other tokens.

Issues resolved

Fix #2955
Fix #3197

Documentation

• docs(security) token expiration, revocation, signing key rotation kuma-website#616

Testing

• Unit tests
• E2E tests
• Manual testing on Universal
• Manual testing on Kubernetes

Backwards compatibility

• No need for changes in UPGRADE.md
• The change is backwards compatible.

[jpeach]

This is a great improvement. Just some little nits and suggestions.

[codecov-commenter]

Codecov Report

Merging #3376 (03fa106) into master (16f0848) will increase coverage by 0.13%.
The diff coverage is 78.57%.

@@            Coverage Diff             @@
##           master    #3376      +/-   ##
==========================================
+ Coverage   52.13%   52.27%   +0.13%     
==========================================
  Files         932      939       +7     
  Lines       54547    54618      +71     
==========================================
+ Hits        28439    28552     +113     
+ Misses      23882    23846      -36     
+ Partials     2226     2220       -6     

Impacted Files	Coverage Δ
pkg/core/rest/errors/error_handler.go	70.53% <0.00%> (ø)
pkg/kds/context/context.go	52.63% <0.00%> (ø)
pkg/kds/zone/components.go	16.92% <0.00%> (ø)
pkg/tokens/builtin/zoneingress/token.go	0.00% <0.00%> (ø)
pkg/tokens/builtin/zoneingress/validator.go	30.00% <30.00%> (ø)
pkg/defaults/components.go	87.75% <33.33%> (-0.49%)	⬇️
pkg/defaults/mesh/signing_key.go	60.00% <33.33%> (ø)
pkg/tokens/builtin/zoneingress/issuer.go	42.85% <42.85%> (+37.30%)	⬆️
pkg/core/tokens/default_signing_key.go	68.42% <57.14%> (ø)
pkg/tokens/builtin/server/webservice.go	60.91% <61.53%> (-0.02%)	⬇️
... and 34 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 16f0848...03fa106. Read the comment docs.