CP/DP split: Secure connection #3244

Conversation

sjberman (Collaborator) commented Mar 18, 2025

Problem: We want to ensure that the connection between the control plane and data plane is authenticated and secure.

Solution:

  1. Configure the agent to send the Kubernetes service token in the request. The control plane validates this token using the TokenReview API to ensure the agent is authenticated.
  2. Configure TLS certificates for both the control and data planes. By default, a Job will run when installing NGF that creates self-signed certificates in the nginx-gateway namespace. The server Secret is mounted to the control plane, and the control plane copies the client Secret when deploying nginx resources. This Secret is mounted to the agent.

The control plane will reset the agent connection if it detects that its own certs have changed.

For production environments, we'll recommend a user configures TLS using cert-manager instead, for better security and certificate rotation.

Testing:

  • Verified that self-signed certificates are mounted properly and connection succeeds.
  • Verified that using cert-manager also works instead of the self-signed certificates.
  • Verified that token and cert rotation results in a new connection being created.

Closes #2843

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.
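As an added illustration of step 1 of the solution (this is not code from NGF or from this PR), a hypothetical Go helper for the control-plane side: it forwards the agent's bearer token to the Kubernetes TokenReview API and, beyond the "authenticated" flag, pins the returned identity to the expected agent service account, because a token that merely authenticates could belong to any service account in the cluster. The `TokenValidator` type, its fields and the service-account name are assumptions, and `Client` is assumed to be already configured with the control plane's own API-server credentials and CA.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// reviewStatus is the subset of a TokenReview .status that the control plane needs.
type reviewStatus struct {
	Authenticated bool   `json:"authenticated"`
	Error         string `json:"error"`
	User          struct{ Username string `json:"username"` } `json:"user"`
}

// TokenValidator (a hypothetical helper, not NGF's own code) verifies an agent token via TokenReview.
type TokenValidator struct {
	Client     *http.Client // assumed already configured with the control plane's API-server credentials and CA
	APIServer  string       // e.g. https://kubernetes.default.svc
	ExpectedSA string       // "system:serviceaccount:<namespace>:<name>" the agent must run as
}

// Validate returns the authenticated username, or an error if the token is missing, rejected, or not ExpectedSA.
func (v *TokenValidator) Validate(authHeader string) (string, error) {
	tok := strings.TrimPrefix(authHeader, "Bearer ")
	if tok == "" || tok == authHeader {
		return "", fmt.Errorf("missing bearer token")
	}
	body, _ := json.Marshal(map[string]interface{}{"apiVersion": "authentication.k8s.io/v1",
		"kind": "TokenReview", "spec": map[string]string{"token": tok}})
	resp, err := v.Client.Post(v.APIServer+"/apis/authentication.k8s.io/v1/tokenreviews",
		"application/json", strings.NewReader(string(body)))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ Status reviewStatus `json:"status"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || resp.StatusCode/100 != 2 {
		return "", fmt.Errorf("tokenreview call failed: HTTP %d, %v", resp.StatusCode, err)
	}
	if !out.Status.Authenticated {
		return "", fmt.Errorf("token rejected: %s", out.Status.Error)
	}
	// Authenticated alone is not enough: any service account in the cluster can present a valid token.
	if out.Status.User.Username != v.ExpectedSA {
		return "", fmt.Errorf("authenticated as %q, expected %q", out.Status.User.Username, v.ExpectedSA)
	}
	return out.Status.User.Username, nil
}
```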


@sjberman sjberman requested a review from a team as a code owner March 18, 2025 22:10
@github-actions github-actions bot added documentation Improvements or additions to documentation dependencies Pull requests that update a dependency file chore Pull requests for routine tasks helm-chart Relates to helm chart labels Mar 18, 2025
@sjberman sjberman force-pushed the chore/secure-connection branch from 16d7f79 to 0568422 Compare March 18, 2025 22:13
@bjee19 (Contributor) left a comment:

lgtm!

@sjberman sjberman force-pushed the chore/secure-connection branch from 0568422 to 7033bb1 Compare March 24, 2025 14:54
@salonichf5 (Contributor) left a comment:

🚀

@sjberman sjberman merged commit f2bc918 into nginx:change/control-data-plane-split Mar 24, 2025
24 of 25 checks passed
@sjberman sjberman deleted the chore/secure-connection branch March 24, 2025 16:51
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Mar 24, 2025
sjberman added a commit that referenced this pull request Apr 23, 2025