@dvail dvail commented Jan 20, 2026

Description

Updates the auth header logic to conform with the agreed-upon behavior.

If ACS-AUTH-NAMESPACE-SCOPE is set to a k8s allowed namespace value, Sensor requests a token from Central with Analyst permission set and dynamic access scope tied to the namespace. This is guarded by TokenReview + SubjectAccessReview for the namespace.

If ACS-AUTH-NAMESPACE-SCOPE is set to *, Sensor requests a token with Analyst permission and full cluster access. This is guarded by TokenReview + SubjectAccessReview for all namespaces.

If ACS-AUTH-NAMESPACE-SCOPE is either empty or not set, Sensor requests a token with Analyst permission set and empty access scope. This is guarded just by TokenReview (i.e. only authentication).

Bonus: Thanks @pedrottimark for your comment on the need to explicitly call useNamespaceScope(). That was a leftover from a previous draft where we needed to do the same with the deployment scope as well. Since this is no longer needed, we can actually remove all explicit calls that set the namespace hook.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Updated unit tests.

Inspect the Network console and verify:

  1. ACS-AUTH-NAMESPACE-SCOPE is not set at all on metadata/permissions/featureflags requests
  2. ACS-AUTH-NAMESPACE-SCOPE is set to the currently selected namespace on data requests
  3. ACS-AUTH-NAMESPACE-SCOPE is set to '*' when the "All projects" dropdown option is selected
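
Added example, not part of this PR or the project's code: a JavaScript model of the three header cases described above, plus a check of a captured request list against the three validation steps. The function names, the request kinds `metadata`/`data`, the scope labels and the `/example/...` URLs are assumptions made for illustration.

```javascript
// Added example; function names, request kinds and URLs are hypothetical.
const HEADER = 'acs-auth-namespace-scope'; // header name from the PR, lowercased

// Case-insensitive header lookup; returns undefined when the header is absent.
function scopeHeader(headers) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === HEADER);
  return hit ? hit[1] : undefined;
}

// Sensor side, as the PR describes it: the Analyst token's access scope and
// the Kubernetes reviews that guard the request.
function sensorDecision(headers) {
  const value = scopeHeader(headers);
  if (value === undefined || value === '') {
    // Empty or unset: authentication only, empty access scope.
    return { permissionSet: 'Analyst', accessScope: 'empty', checks: ['TokenReview'] };
  }
  const target = value === '*' ? 'all namespaces' : `namespace ${value}`;
  return {
    permissionSet: 'Analyst',
    accessScope: value === '*' ? 'cluster' : `namespace:${value}`,
    checks: ['TokenReview', `SubjectAccessReview (${target})`],
  };
}

// Client side, per the validation steps: no header on metadata-style requests,
// the selected namespace on data requests, '*' for "All projects".
function expectedHeader(kind, selection) {
  if (kind !== 'data') return undefined;
  return selection === 'All projects' ? '*' : selection;
}

// Returns the URLs of captured requests whose header differs from the expectation.
function auditCapture(requests) {
  return requests
    .filter((r) => scopeHeader(r.headers) !== expectedHeader(r.kind, r.selection))
    .map((r) => r.url);
}

// Constructed capture, standing in for what the Network console would show.
const capture = [
  { url: '/example/featureflags', kind: 'metadata', selection: 'payments', headers: {} },
  { url: '/example/data-a', kind: 'data', selection: 'payments', headers: { 'ACS-AUTH-NAMESPACE-SCOPE': 'payments' } },
  { url: '/example/data-b', kind: 'data', selection: 'All projects', headers: { 'ACS-AUTH-NAMESPACE-SCOPE': '*' } },
  { url: '/example/permissions', kind: 'metadata', selection: 'payments', headers: { 'ACS-AUTH-NAMESPACE-SCOPE': 'payments' } },
];
console.log(auditCapture(capture)); // the scoped header on a metadata request is flagged
```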

dvail commented Jan 20, 2026

This change is part of the following stack:

Change managed by git-spice.

openshift-ci bot commented Jan 20, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

rhacs-bot commented Jan 20, 2026

Images are ready for the commit at 353ec07.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-842-g353ec07137.

codecov bot commented Jan 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.13%. Comparing base (7ec15d9) to head (353ec07).
⚠️ Report is 7 commits behind head on master.

@@           Coverage Diff           @@
##           master   #18578   +/-   ##
=======================================
  Coverage   49.13%   49.13%           
=======================================
  Files        2651     2651           
  Lines      199124   199124           
=======================================
+ Hits        97830    97839    +9     
+ Misses      93878    93871    -7     
+ Partials     7416     7414    -2     
Flag Coverage Δ
go-unit-tests 49.13% <ø> (+<0.01%) ⬆️

@dvail dvail force-pushed the dv/ROX-32716-update-auth-header branch from 6658010 to 9b97c41 Compare January 20, 2026 21:45
Base automatically changed from dv/ROX-32717-update-docs-to-account-for-sensor-proxy to master January 21, 2026 13:47
@dvail dvail force-pushed the dv/ROX-32716-update-auth-header branch 2 times, most recently from d5e501c to 436a8c1 Compare January 21, 2026 13:54
@dvail dvail force-pushed the dv/ROX-32716-update-auth-header branch from 436a8c1 to 353ec07 Compare January 21, 2026 13:58
@dvail dvail marked this pull request as ready for review January 21, 2026 14:00
@dvail dvail requested a review from a team as a code owner January 21, 2026 14:00
@dvail dvail merged commit ce984da into master Jan 21, 2026
98 checks passed
@dvail dvail deleted the dv/ROX-32716-update-auth-header branch January 21, 2026 16:41