Consolidate JWT issuance and key management

[jpeach]

Summary

Kuma has 3 JWT token issuers

• zone ingress https://github.com/kumahq/kuma/blob/master/pkg/tokens/builtin/zoneingress/issuer.go#L17
• dataplane https://github.com/kumahq/kuma/blob/master/pkg/tokens/builtin/issuer/issuer.go#L22
• user https://github.com/kumahq/kuma/blob/master/pkg/plugins/authn/api-server/tokens/issuer/issuer.go#L18

These all driver the underlying JWT package in subtly different ways, and manage their keys in slightly different ways (e.g. zone ingress and dataplane key management is a copy/paste, but user key management is quite different).

We should consolidate all this so that JWT and key management in Kuma behaves consistently and predictably across subsystems.

Specifically, we should also switch all these from symmetric JWT signing methods to asymmetric, since that would IMHO make the deployment process substantially easier. What I would like to be able to do for deployment is sign all the dataplane tokens offline, then simply provide kuma-cp with the public key to validate them, removing the need to have a running kuma-cp to issue them in the first place.

[jpeach]

Another weird thing about the JWT code is that we generate a RSA signing key, but we don't use it with RSA signing algorithms. The private key gets serialized as ASN.1 and then passed into the symmetric HMAC signing method as a bag of bytes. It's not clear to be whether this is weaker than a straight crypto-rand byte string, or whether it's approximately the same.

[github-actions]

This issue was inactive for 30 days it will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant please comment on it promptly or attend the next triage meeting.