feat: add jwt auth for ateapi #248

Open
Eitan Yarmush (EItanya) wants to merge 1 commit into agent-substrate:main from kagent-dev:feat/jwt-ateapi-auth

Conversation

@EItanya Eitan Yarmush (EItanya) commented Jun 15, 2026

Collaborator

Description

Closes #222.

Adds a portable JWT authentication path for ateapi clients while keeping the
existing mTLS mode as the default.

What changed

  • Added internal/ateapiauth with:
    • mtls and jwt auth modes
    • server-side JWT gRPC interceptors
    • client-side dial options for projected ServiceAccount tokens
  • Wired JWT auth into:
    • ate-api-server
    • ate-controller
    • atenet router
    • kubectl-ate port-forward client path
  • Updated Kubernetes JWT verification to support custom HTTP clients for
    OIDC/JWKS discovery.
  • Added JWT install overlays:
    • manifests/ate-install/jwt
    • manifests/ate-install/kind-jwt
  • Updated hack/install-ate.sh to opt into JWT mode with:
    • ATE_API_AUTH_MODE=jwt
    • --auth-mode=jwt

Notes

  • Default install behavior remains mtls. I think this deserves a second look as JWT will support more clusters.

  • The JWT overlay projects short-lived ServiceAccount tokens with audience
    api.ate-system.svc and mounts the service-DNS trust bundle for ateapi TLS
    verification.

  • The current discovery mechanism for JWT mode involves reading the deployment which I really don't like, but we don't have a "config file" concept so that bit is a massive TODO.

Validation

KIND_CLUSTER_NAME=substrate-jwt ./hack/create-kind-cluster.sh

KO_DOCKER_REPO=localhost:5001 \
ATE_INSTALL_KIND=true \
./hack/install-ate.sh --auth-mode=jwt --deploy-ate-system

Validation results:

kubectl config current-context
# kind-substrate-jwt

kubectl get pods -n ate-system
# all runtime pods Running; init jobs Completed

go run ./cmd/kubectl-ate --context kind-substrate-jwt get actors
# succeeded, empty actor list
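Added example, not code from this PR or the ateapiauth package: a standard-library Go sketch of the check the server-side JWT interceptors described above must perform on a projected ServiceAccount token, namely signature, expiry, and the api.ate-system.svc audience the JWT overlay projects. The real path fetches the verification key through OIDC/JWKS discovery; here Sign stands in for the kube-apiserver with a locally generated RSA key, and the Claims type, function names and error strings are assumptions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// Claims is the subset of a projected ServiceAccount token checked here; "aud" is a list.
type Claims struct {
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}
var enc = base64.RawURLEncoding
// Sign mints an RS256 token and stands in for the kube-apiserver issuing a projected token (assumed helper).
func Sign(key *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig)
}
// Verify is the check a server-side interceptor runs on the bearer token. The algorithm and
// key come from configuration, never from the token's own header, so "alg" is not consulted.
func Verify(pub *rsa.PublicKey, token, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, _ := enc.DecodeString(parts[2]) // undecodable bytes simply fail the signature check
	if h := sha256.Sum256([]byte(parts[0] + "." + parts[1])); rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	raw, err := enc.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(raw, &c) != nil || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("malformed or expired claims") // a missing exp counts as expired
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return &c, nil
		}
	}
	return nil, errors.New("audience mismatch") // token was projected for some other service
}
```

A gRPC interceptor would pull the bearer token from the request metadata and call Verify with the audience it was configured to serve; a token projected for another audience is rejected even though the same API server signed it.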

@EItanya Eitan Yarmush (EItanya) marked this pull request as ready for review June 16, 2026 13:17

Development

Successfully merging this pull request may close these issues.

Support portable JWT auth for system components