[Feature] Introduce the support for offloaded applications interacting with the API server

[giorio94]

Is your feature request related to a problem? Please describe.

This feature aims to introduce the possibility for offloaded applications to interact with the home API server, thus supporting scenarios such as controllers, high-availability database solutions, and in general all the workloads that leverage service accounts for authentication purposes.

Describe the solution you'd like

This feature involves three main aspects:

1. The reflection of the secrets associated with the service accounts, and the appropriate mutation of the pod specifications (#1184).
2. The appropriate remapping of the API server address, to ensure the communication with the home cluster instead of the remote one (#1196).
3. The implementation of a logic to retrieve tokens from the TokenRequest API and store them in remote secrets, to support for token rotation and configuration of specific audiences. This is similar to the token_manager functionality implemented by the standard Kubelet.

Describe alternatives you've considered As for point 2., two main alternatives are possible:

1. Leverage the http proxy already used by liqoctl connect, appropriately configuring the HTTP_PROXY variables;
2. Configure a static DNS host alias, to associate the home API server IP address to kubernetes.default.

In the end, #1196 follows strategy 2., as using the http proxy would mean forcing all traffic from offloaded pods to flow through it, which might introduce an excessive overhead.