[Bigquery] Add support for impersonation of GSA bound to task's KSA

[jeevb]

Addresses: flyteorg/flyte#3736

Incorporates lost changes from #161 with some some modern bits.

Smoke tested on GCP test cluster with flytesnacks BQ workflow. In the second snapshot, the correct GSA, userflyterole, is used.

[codecov]

Codecov Report

Merging #355 (fa0f9fd) into master (c499a48) will increase coverage by 1.08%.
The diff coverage is 27.86%.

❗ Current head fa0f9fd differs from pull request most recent head 0f509a7. Consider uploading reports for the commit 0f509a7 to get more accurate results

@@            Coverage Diff             @@
##           master     #355      +/-   ##
==========================================
+ Coverage   62.80%   63.89%   +1.08%     
==========================================
  Files         148      152       +4     
  Lines       12701    10355    -2346     
==========================================
- Hits         7977     6616    -1361     
+ Misses       4112     3126     -986     
- Partials      612      613       +1     

Flag	Coverage Δ
unittests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
go/tasks/pluginmachinery/google/config.go	0.00% <ø> (ø)
...inmachinery/google/default_token_source_factory.go	0.00% <0.00%> (ø)
...sks/pluginmachinery/google/token_source_factory.go	0.00% <0.00%> (ø)
...gke_task_workload_identity_token_source_factory.go	34.00% <34.00%> (ø)

... and 131 files with indirect coverage changes

[ctso]

This all looks pretty reasonable to me. We should make sure we update the docs to call out this new gke-task-workload-identity token source. We should be sure to mention that the KSA that (I think...) flytepropeller uses must have enough permissions to read ServiceAccount objects from the k8s API.

[jeevb]

And also that the GSA bound to Flytepropeller's KSA must be able to impersonate GSAs bound to the respective task KSAs.

[eapolinario]

Awesome.