feat(kuma-cp) user token with RSA256

[jakubdyszkiewicz]

Summary

After discussing offline with @jpeach #2923 (comment) we decided we want to switch to RSA256 to provide the future possibility of extending User Token to be able to generate private key offline, issue tokens offline, and provide the public key as plain config.

Full changelog

• Change JWT alg to RSA256. We already used RSA256 key but for JWT alg we picked HMAC which results in symmetric cryptography. Switch to RSA256 means that we can use only a public part of the key to validate tokens.
• UserTokenIssuer was split to UserTokenIssuer/UserTokenValidator and UserTokenValidator is now using SigningKeyAccessor. In the future, we can implement static version of UserTokenValidator that relies ONLY on public key provided as a config (for example KUMA_API_SERVER_AUTHN_USER_TOKEN_PUB_KEYS). Of course, that means that token issuer would not be available in the control plane, but tokens will be issued offline somewhere else (other system like Vault or kumactl).
• I considered splitting the key to two GlobalSecret resources, one for private key and one for public key, but since public key can be retrieved from private key in PKCS1 format, it seems like a duplication of information. Additionally, it's an extra hassle (generate two resources, when rotate you need to set two of them etc.). We can add kumactl extract public-key --private-key-file=key.pem or something like this.

Issues resolved

Related #2955

Documentation

• UX stays the same with the online issuer.

Testing

• Unit tests
• E2E tests
• Manual testing on Universal
• Manual testing on Kubernetes

Backwards compatibility

• No backporting.

[codecov-commenter]

Codecov Report

Merging #2992 (039d5d0) into master (c98be17) will increase coverage by 0.03%.
The diff coverage is 69.76%.

@@            Coverage Diff             @@
##           master    #2992      +/-   ##
==========================================
+ Coverage   52.30%   52.33%   +0.03%     
==========================================
  Files         916      919       +3     
  Lines       52962    52999      +37     
==========================================
+ Hits        27701    27739      +38     
+ Misses      23056    23048       -8     
- Partials     2205     2212       +7     

Impacted Files	Coverage Δ
...s/authn/api-server/tokens/admin_token_bootstrap.go	82.69% <ø> (ø)
...hn/api-server/tokens/issuer/default_signing_key.go	67.56% <0.00%> (ø)
...g/plugins/authn/api-server/tokens/authenticator.go	7.14% <25.00%> (-0.55%)	⬇️
...lugins/authn/api-server/tokens/issuer/validator.go	66.66% <66.66%> (ø)
pkg/util/rsa/pem.go	69.23% <69.23%> (ø)
...gins/authn/api-server/tokens/issuer/signing_key.go	75.43% <71.42%> (-1.35%)	⬇️
...n/api-server/tokens/issuer/signing_key_accessor.go	78.57% <78.57%> (ø)
pkg/plugins/authn/api-server/tokens/plugin.go	76.92% <87.50%> (+1.92%)	⬆️
...g/plugins/authn/api-server/tokens/issuer/issuer.go	90.90% <100.00%> (+12.64%)	⬆️
pkg/xds/cache/once/cache.go	87.17% <0.00%> (-7.70%)	⬇️
... and 5 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c98be17...039d5d0. Read the comment docs.

[jpeach]

Oh, also I think the commentary from the PR is really useful context that should be included in the commit message :)

[jpeach]

I had some minor quibbles about error propagation, but overall this looks great 👍