pkg/*: use Kubernetes ServiceAccount as service identity

[shashankram]

Description:
This change does the following:

• Uses kubernetes ServiceAccount as service identity for
  proxy service certificates. The service certificate
  CN/SAN will be of the form <svc-account>.<namespace>.<domain>.

• Refactors SDS to make it easier to share code in its internal
  implementation.

• Removes the overloaded usage of the certificate's CN for SNI.
  SNI (Server Name Identifier) is based on the service FQDN,
  while the service certificate is derived from the ServiceIdentity
  being used.

• Removes SAN matching for the downstream/upstream service
  in permissive mode, where there are no SMI TrafficTarget policies.
  In permissive mode, every service within the mesh is allowed to
  reach every other service as long as they use the correct certificate.

• Refactors sds/response_test.go to make it possible to use
  table-driven testing to test different unit testing scenarios.

Part of #1965

Affected area:

• New Functionality [ ]
• Documentation [ ]
• Install [ ]
• Control Plane [X]
• CLI Tool [ ]
• Certificate Management [X]
• Networking [ ]
• Metrics [ ]
• SMI Policy [ ]
• Security [X]
• Tests [X]
• CI System [ ]
• Performance [ ]
• Other [ ]

Please answer the following questions with yes/no.

• Does this change contain code from or inspired by another project? If so, did you notify the maintainers and provide attribution?
  No

[codecov-io]

Codecov Report

Merging #1990 into main will decrease coverage by 0.02%.
The diff coverage is 45.45%.

@@            Coverage Diff             @@
##             main    #1990      +/-   ##
==========================================
- Coverage   56.64%   56.62%   -0.03%     
==========================================
  Files         139      140       +1     
  Lines        5589     5611      +22     
==========================================
+ Hits         3166     3177      +11     
- Misses       2420     2431      +11     
  Partials        3        3              

Impacted Files	Coverage Δ
pkg/identity/kubernetes.go	100.00% <ø> (ø)
pkg/identity/types.go	0.00% <0.00%> (ø)
pkg/envoy/sds/response.go	63.41% <32.55%> (-5.40%)	⬇️
pkg/catalog/xds_certificates.go	93.40% <100.00%> (+0.54%)	⬆️
pkg/envoy/cds/cluster.go	96.80% <100.00%> (ø)
pkg/envoy/lds/ingress.go	90.24% <100.00%> (ø)
pkg/envoy/lds/inmesh.go	86.20% <100.00%> (ø)
pkg/service/types.go	87.50% <100.00%> (+6.25%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2047ca9...74e2215. Read the comment docs.

[draychev]

Left a few comments that could be addressed in follow-up PRs - feel free to ignore.
Thanks for working on this!

[draychev]

🤔

[draychev]

Not sure what impl means here or anywhere below really. I would prefer to use something that reads easily in plain english and helps you understand what's behind this variable.

No need to change this PR - but eventually would be good to add clarity so it is easy to read.

[shashankram]

I left a comment on what sdsImpl refers to in sds/types.go.

[draychev]

Debug makes sense, except I worry that it would hide this message, when I believe it should be emitted with a higher level of urgency. If error seems to high - I'd say warn.

[shashankram]

Warn seems appropriate for this use case, will address!

[shashankram]

Addressed in #1995

[shashankram]

Left a few comments that could be addressed in follow-up PRs - feel free to ignore.
Thanks for working on this!

Thanks for the review, will address the nits in a follow-up coming shortly.