Closed
Labels: area/porch, enhancement (New feature or request), triaged (Issue has been triaged by adding an `area/` label)
Description
We now have an operator for annotating a KSA for Workload Identity (#3456). This is helpful when the KSA lives in the Porch cluster. But it's not helpful for KSAs that are in the workload clusters that do not have Porch running.
Some examples:
- I want to use WI to authenticate ConfigSync to a CSR.
- Customers can use WI to authenticate to Cloud SQL (https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#workload-identity)
- Almost any other non-CC use case for Workload Identity
I think we just need a function to do this. At least, that is true in the case of a 1:1 relationship between the deployment repository and the workload cluster. Or maybe more accurately, it is true if the project-id of all clusters reading from a given deployment repository is the same. See #3456 (comment) for a little more context.