[v13] Add bot field to certificates and various usage events (#35881)

[timothyb89]

Backport of #35881 for branch/v13

changelog: Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity

---

• Add bot field to certificates and various usage events

This adds a new certificate extension field, teleport-bot, to certificates issued to Machine ID bot users that can definitively identify certificates as having been issued to a bot user.

Additionally, this uses the new Bot identity flag to mark certain usage events as originating from bot users. As such, it includes a protobuf update from Cloud [1], which pulled in some small additional (mostly comment) changes.

[1] https://github.com/gravitational/cloud/pull/7060

• Small bot flag plumbing fixes

• Convert bot flag to BotName and UserKind enum

This makes a few changes to the bot tagging approach:

• The bot name is embedded in the cert rather than just true/false

• UserKind is included in events rather than just a bot flag, to allow for an unspecified value for older client nodes.

• Add a quick unit test for bot cert extensions

• Fix outdated grpc

• Include bot flag on initial certs

• Log a warning and override user kind for usage records if they differ

• Fix several unit tests; add a bot metadata test case

• Fix unit tests with UserKind zero value

• Rename SSH cert extension to use standard format

Renames the teleport-bot extension to bot-name@goteleport.com, to better follow SSH cert extension naming conventions.

• Attempt to improve unspecified userkind aggregating logic

[github-actions]

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

[timothyb89]

As an aside, I'm not sure what the best backporting behavior is here and pulled in an adjacent field that was not backported itself. I think it's harmless, and slightly nicer to keep the fields contiguous? Would it be better to remove it and let it be backported later if needed?

[espadolini]

I think we only add the needed fields when backporting.

[github-actions]

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

[espadolini]

There's some failing test that does some proto diff on UserMetadata; I'm not sure why it worked fine for the v14 backport but we should backport that if possible rather than fix it in a v13-specific way I think.

[timothyb89]

There's some failing test that does some proto diff on UserMetadata; I'm not sure why it worked fine for the v14 backport but we should backport that if possible rather than fix it in a v13-specific way I think.

Ah, I manually fixed the v14 test, I think. It's mostly deprecated stuff that was marked for removal in v15 IIRC. I'll fix it regardless - I'd meant to include those changes here and missed a few.