Merge Admin Server into API Server and secure via TLS

[jakubdyszkiewicz]

Current state (before the PR)

• API Server available on 0.0.0.0:5681 that contains all the endpoints for managing resources in Kuma.
• API Server did not support TLS, so you need to use API Gateway to secure it.
• Admin Server for managing secrets and Dataplane Tokens available on 0.0.0.0:5682. Only available on TLS.
• You can access Admin Server via localhost (127.0.0.1:5679) or when outside of your machine, generate client certs and put in the directory
• Kumactl is juggling between API Server and Admin Server (using catalog API). It’s confusing for users what is where.
• There is no way to configure kumactl to verify CP cert against the CA.

State after PR

• API Server with all the same endpoints including dataplane tokens and secrets is now exposed on two ports. 1) non-TLS on 0.0.0.0:5681. 2) TLS on 0.0.0.0:5682
• TLS is protected with the same autogenerated certs that are used for DP Server.
• You can have a secure way to access API Server via HTTPS without any external systems
• You don’t need to think if the endpoint is on Admin or API Server, you either use HTTP on 5681 or HTTPS on 5682 and you configure kumactl with either URL.
• Admin endpoints (DP tokens, Secrets) still requires the same auth (request from the same machine - you can turn this off, or client certs)
• Kumactl is now using only one endpoint (either 5681 on HTTP or 5682 on HTTPS). No more juggling with catalog.
• Kumactl can now verify CP cert against the specified CA.
• We can introduce one extra flag to require auth on resources modification and have a simple builtin mechanism for authentication on Universal.
• This change also helps us to introduce later more sophisticated mechanism for auth (like OIDC)
• Since Admin Server is gone and so its config. We were using KUMA_ADMIN_SERVER_APIS_DATAPLANE_TOKEN_ENABLED to determine if we should require a dp token on universal. This is now changed to KUMA_DP_SERVER_AUTH_TYPE where you can enable/disable auth on both K8S and Universal

Leftovers for separate PR

• How to configure Kubernetes with client certs for TLS version
• Adjust Kuma CP Grafana dashboard

[lobkovilya]

And if this is an authn then 401 makes more sense

[jakubdyszkiewicz]

After putting some thoughts, I think this is authz. Authentication itself is done by mTLS. Here we are checking if you are Mesh Admin (by providing certs or having access to the machine) you can access admin endpoints

[nickolaev]

That is a fantastic improvement! Merge it :)

[tharun208]

closes #184