
Allow multi-tenant environments to authenticate with different Managed Identities through AAD Pod Identity #3167

Closed
Tracked by #3743
nojnhuh opened this issue Jul 26, 2023 · 1 comment · Fixed by #3187
Assignees
Labels
capz Required for CAPZ ASO adoption high-priority Issues we intend to prioritize (security, outage, blocking bug)

Comments

@nojnhuh (Member) commented Jul 26, 2023

Describe the current behavior
Currently, ASO allows authenticating to Azure with a user-assigned managed identity + AAD Pod Identity, but only by referencing the managed identity's client ID in the global aso-controller-settings Secret as documented here: https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#deprecated-managed-identity-aad-pod-identity.

When trying to configure the same credentials in a per-resource Secret that looks like:

apiVersion: v1
kind: Secret
metadata:
 name: my-resource-secret
 namespace: default
stringData:
 AZURE_SUBSCRIPTION_ID: "$AZURE_SUBSCRIPTION_ID"
 AZURE_TENANT_ID: "$AZURE_TENANT_ID"
 AZURE_CLIENT_ID: "$IDENTITY_CLIENT_ID"

I see an error that seems to indicate ASO is trying to authenticate with Workload Identity:

  - lastTransitionTime: "2023-07-25T19:38:36Z"
    message: |-
      WorkloadIdentityCredential authentication failed
      POST https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token
      --------------------------------------------------------------------------------
      RESPONSE 401 Unauthorized
      --------------------------------------------------------------------------------
      {
        "error": "unauthorized_client",
        "error_description": "AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://aso-auth-test-dns-1vkelzym.hcp.westus2.azmk8s.io/'. Assertion Subject: 'system:serviceaccount:capz-system:azureserviceoperator-default'. Assertion Audience: 'api://AzureADTokenExchange'. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation\r\nTrace ID: 5df76890-4f45-4eb2-9954-e5cd2e302400\r\nCorrelation ID: 8d3a2801-8496-4176-94aa-f4bea2755ad1\r\nTimestamp: 2023-07-25 19:38:36Z",
        "error_codes": [
          70021
        ],
        "timestamp": "2023-07-25 19:38:36Z",
        "trace_id": "5df76890-4f45-4eb2-9954-e5cd2e302400",
        "correlation_id": "8d3a2801-8496-4176-94aa-f4bea2755ad1",
        "error_uri": "https://login.microsoftonline.com/error?code=70021"
      }
      --------------------------------------------------------------------------------
      To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#workload
    observedGeneration: 1
    reason: UnknownError
    severity: Warning
    status: "False"
    type: Ready

Describe the improvement
ASO should allow resources to set a credential-from that refers to a Secret whose AZURE_CLIENT_ID refers to a managed identity.

Additional context
CAPZ supports this use case as documented here: https://capz.sigs.k8s.io/topics/multitenancy.html#user-assigned-managed-identity. We'd like to be able to support this with our ASO integration as well to help smooth the transition for users to Workload ID.

@matthchr (Member)

I think we need a flag on the secret which users can set for the AAD Pod Identity scenario which indicates that the secret is an AAD Pod Identity secret. Right now if it doesn't have an AZURE_CLIENT_SECRET we assume it's a workload identity.
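The selection rule described in this thread, written out as an added Go example (not ASO's own code): a per-resource Secret with a tenant and client ID but no client secret is treated as Workload Identity, which is why the Secret in the issue ends in the AADSTS70021 401 above, and an opt-in key lets such a Secret declare itself as an AAD Pod Identity secret instead. The key name `AUTH_MODE` and its values are assumptions for illustration, not taken from the issue.

```go
package main

import "fmt"

// CredentialKind is the authentication path a credential Secret resolves to.
type CredentialKind int

const (
	KindUnknown          CredentialKind = iota
	KindServicePrincipal                // AZURE_CLIENT_SECRET present
	KindWorkloadIdentity                // client ID only: today's default
	KindPodIdentity                     // client ID only plus explicit opt-in
)

var kindNames = [...]string{"unknown", "service-principal", "workload-identity", "pod-identity"}

func (k CredentialKind) String() string { return kindNames[k] }

// authModeKey is a hypothetical opt-in key (assumption, not from the issue) that
// lets a client-ID-only Secret say it belongs to an AAD Pod Identity setup.
const authModeKey = "AUTH_MODE"

// SelectCredential mirrors the rule from the comment above: a client secret means
// service principal; otherwise Workload Identity is assumed unless the Secret
// explicitly opts into Pod Identity. Tenant and client ID are always required.
func SelectCredential(data map[string]string) (CredentialKind, error) {
	if data["AZURE_TENANT_ID"] == "" || data["AZURE_CLIENT_ID"] == "" {
		return KindUnknown, fmt.Errorf("AZURE_TENANT_ID and AZURE_CLIENT_ID are required")
	}
	if data["AZURE_CLIENT_SECRET"] != "" {
		return KindServicePrincipal, nil
	}
	switch mode := data[authModeKey]; mode {
	case "podidentity":
		return KindPodIdentity, nil
	case "", "workloadidentity":
		return KindWorkloadIdentity, nil
	default:
		return KindUnknown, fmt.Errorf("unsupported %s value %q", authModeKey, mode)
	}
}

func main() {
	// Constructed sample with the same keys as the Secret in the issue.
	s := map[string]string{"AZURE_SUBSCRIPTION_ID": "sub", "AZURE_TENANT_ID": "tenant", "AZURE_CLIENT_ID": "mi-client-id"}
	k, _ := SelectCredential(s)
	fmt.Println("without opt-in:", k) // workload-identity, hence the 401 above
	s[authModeKey] = "podidentity"
	k, _ = SelectCredential(s)
	fmt.Println("with opt-in:", k) // pod-identity
}
```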

@theunrepentantgeek theunrepentantgeek added capz Required for CAPZ ASO adoption and removed needs-triage 🔍 labels Jul 31, 2023
@super-harsh super-harsh self-assigned this Aug 7, 2023
@theunrepentantgeek theunrepentantgeek added the high-priority Issues we intend to prioritize (security, outage, blocking bug) label Aug 7, 2023
@github-project-automation github-project-automation bot moved this from Backlog to Recently Completed in Azure Service Operator Roadmap Aug 30, 2023