chore(*) refactor authz and authn to plugins

[jakubdyszkiewicz]

Summary

Refactor authentication and authorization to be separate components and to be pluggable.

Right now we have a simple client cert auth to execute administrative operations like generating tokens or managing secrets.

Authentication is pluggable which means that a mesh operator and developers of products building on top of Kuma can plug their own authentication mechanism.

Simple RBAC (admin can operate on Secrets) is refactored in a way that it can be replaced.

When accessing CP in localhost instead of doing immediate authorization, we now log in user as admin/admin so RBAC / filters can read this data and react properly.
A user has a role attached to it. Right now there are 2 simple static roles (user/admin). Admins are defined in a Kuma CP config. This strategy can be replaced by providing your own RoleAssignments.

Access to resources is now validated in ResourceAccess component.
Initially, I had a plan to build an RBACResoruceManager and make this manager default to the whole project, but in the end, I did not do this because

• On Kubernetes resources are not going through ResourceManager
• We would have to attach a "system" user whenever Kuma itself uses ResourceManager. This can be error-prone (if we forget to do this) and a bit cumbersome.

Next steps (for better understanding of the context)

• Introduce User Token as new API Auth that carries name/group info which is consistent with other tokens
• Change User Token to auth default strategy
• Deprecate client certs
• Warn about localhostIsAdmin set to true on Kuma CP start.
• Add ResourceAccess as Kubernetes hooks

Documentation

• No docs yet, I'd rather write them at the end.

Testing

• Unit tests
• E2E tests
• Manual testing on Universal
• Manual testing on Kubernetes

Backwards compatibility

• Breaking change allowFromLocalhost -> localhostIsAdmin. There will be more breaking changes build on top of it. I don't think it's a good idea to backport it.

[codecov-commenter]

Codecov Report

Merging #2837 (54c35e2) into master (511eeb9) will increase coverage by 0.08%.
The diff coverage is 68.76%.

@@            Coverage Diff             @@
##           master    #2837      +/-   ##
==========================================
+ Coverage   52.34%   52.43%   +0.08%     
==========================================
  Files         888      898      +10     
  Lines       51804    52052     +248     
==========================================
+ Hits        27118    27293     +175     
- Misses      22536    22588      +52     
- Partials     2150     2171      +21     

Impacted Files	Coverage Δ
pkg/api-server/service_insight_endpoints.go	71.05% <ø> (-0.75%)	⬇️
pkg/api-server/zoneingress_overview_endpoints.go	14.49% <0.00%> (-3.37%)	⬇️
pkg/core/config/manager/manager.go	50.00% <ø> (+18.57%)	⬆️
pkg/core/rest/errors/errors.go	0.00% <0.00%> (ø)
pkg/api-server/authz/admin.go	9.09% <11.11%> (-52.03%)	⬇️
pkg/core/rest/errors/error_handler.go	65.28% <33.33%> (-9.18%)	⬇️
pkg/core/rbac/role.go	50.00% <50.00%> (ø)
pkg/api-server/dataplane_overview_endpoints.go	66.66% <53.84%> (-1.41%)	⬇️
pkg/api-server/zone_overview_endpoints.go	60.86% <53.84%> (-1.64%)	⬇️
pkg/core/bootstrap/bootstrap.go	64.41% <57.14%> (-0.41%)	⬇️
... and 25 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 511eeb9...54c35e2. Read the comment docs.

[bartsmykla]

lgtm