make SDS work E2E in Istio 1.1 branch #9035

@quanjielin

Description

Use this bug to track the work to make the secret discovery service (SDS) work E2E in the master branch.

The SDS change on collab-gcp-identity is almost fully merged into master now; the next step is making the SDS E2E flow work in master.

Work items for SDS to work in master (based on collab-gcp-identity):

  • support multiple CAs: fetch the root CA through SDS instead of baking the root CA into the proxy Docker image as collab-gcp-identity does today
  • accommodate the latest Envoy changes: in the SDS config (distributed from Pilot), the channel credential is required to be local_credential, otherwise the token cannot be passed through.

Then changes to the E2E flow to support k8s SA:

  • Pilot side change: construct the Envoy config so that Envoy can fetch and send the k8s SA JWT (trustworthy JWT preferred, normal k8s SA JWT if a trustworthy one is not available) in the SDS request header.
  • sidecar injector: inject the token volume mount into the istio-proxy container, for both manual injection and the auto webhook.
  • node agent side: parse the k8s JWT token, authN provider-specific plugin (exchange the token with the IAM Service Account Credentials API), CSR to CAs, CA adapter for pluggable CAs.
  • Citadel side: validate the JWT (trustworthy or normal JWT) sent by the node agent and issue the cert.
  • integration test: mTLS works through an identity provisioned by the SDS flow.
  • documentation.
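Added example, not code from this issue or from the Istio repository: a Go sketch of the "node agent side: parse k8s jwt token" step listed above. The node agent receives the service account JWT from Envoy in the SDS request header and needs the namespace and service account name from it to build the SPIFFE identity for the CSR. It handles both token shapes the issue mentions: a trustworthy (projected, audience-bound) token, whose identity is in `sub` as `system:serviceaccount:<ns>:<name>`, and a legacy secret-based token, whose identity is in the `kubernetes.io/serviceaccount/*` claims. The function names (`parseServiceAccountJWT`, `spiffeID`, `mintUnsignedToken`), the `cluster.local` trust domain and the `default`/`sleep` identity are assumptions made for the example, and the sample tokens are constructed inline. The security point the code makes explicit: the node agent only decodes the payload, it cannot verify the API server's signature, so nothing here may be treated as authenticated; the token is forwarded as-is and Citadel (or the pluggable CA) must validate it before issuing a certificate.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audience accepts the JWT "aud" claim as either a string or an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*a = audience{s}
		return nil
	}
	var arr []string
	if err := json.Unmarshal(b, &arr); err != nil {
		return err
	}
	*a = audience(arr)
	return nil
}

// saClaims is the subset of k8s service account JWT claims the agent reads.
type saClaims struct {
	Sub       string   `json:"sub"`
	Aud       audience `json:"aud"`
	Namespace string   `json:"kubernetes.io/serviceaccount/namespace"`
	Name      string   `json:"kubernetes.io/serviceaccount/service-account.name"`
}

type saIdentity struct {
	Namespace, ServiceAccount string
	Trustworthy               bool // audience-bound projected token
}

// parseServiceAccountJWT decodes the payload of a k8s SA JWT WITHOUT
// verifying the signature (the node agent has no key to do so). The result
// is only used to pick the identity to request; the CA must validate the token.
func parseServiceAccountJWT(token string) (saIdentity, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return saIdentity{}, errors.New("token is not a three-part JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return saIdentity{}, fmt.Errorf("decode payload: %w", err)
	}
	var c saClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return saIdentity{}, fmt.Errorf("parse claims: %w", err)
	}
	// Trustworthy token: identity in "sub", and it carries an audience.
	if strings.HasPrefix(c.Sub, "system:serviceaccount:") && len(c.Aud) > 0 {
		f := strings.SplitN(strings.TrimPrefix(c.Sub, "system:serviceaccount:"), ":", 2)
		if len(f) != 2 || f[0] == "" || f[1] == "" {
			return saIdentity{}, errors.New("malformed sub claim")
		}
		return saIdentity{Namespace: f[0], ServiceAccount: f[1], Trustworthy: true}, nil
	}
	// Legacy token: identity in the kubernetes.io/serviceaccount/* claims.
	if c.Namespace != "" && c.Name != "" {
		return saIdentity{Namespace: c.Namespace, ServiceAccount: c.Name}, nil
	}
	return saIdentity{}, errors.New("no service account identity claims found")
}

// spiffeID builds the URI SAN the node agent would put in its CSR.
func spiffeID(trustDomain string, id saIdentity) string {
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, id.Namespace, id.ServiceAccount)
}

// mintUnsignedToken builds a constructed JWS with a placeholder signature so
// the example runs offline; it is NOT a valid k8s token.
func mintUnsignedToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "kid": "constructed"}
	return enc(header) + "." + enc(claims) + "." + enc("constructed-signature")
}

// sampleTrustworthyToken mimics a projected token: audience-bound, identity in sub.
func sampleTrustworthyToken() string {
	return mintUnsignedToken(map[string]interface{}{
		"iss": "kubernetes/serviceaccount", "aud": []string{"istio-ca"},
		"sub": "system:serviceaccount:default:sleep", "exp": 1700000000,
	})
}

// sampleLegacyToken mimics a secret-based token: no audience, identity in the k8s claims.
func sampleLegacyToken() string {
	return mintUnsignedToken(map[string]interface{}{
		"iss": "kubernetes/serviceaccount", "sub": "system:serviceaccount:default:sleep",
		"kubernetes.io/serviceaccount/namespace":            "default",
		"kubernetes.io/serviceaccount/service-account.name": "sleep",
	})
}

func main() {
	for _, tok := range []string{sampleTrustworthyToken(), sampleLegacyToken()} {
		id, err := parseServiceAccountJWT(tok)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("trustworthy=%v id=%s\n", id.Trustworthy, spiffeID("cluster.local", id))
	}
}
```

The trustworthy/legacy distinction is made on the presence of an audience, which is what makes a projected token bindable to the CA; a legacy token is accepted here only so the CSR can be built, and whether Citadel accepts such a token at all is its decision, not the agent's.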
