
allow using the mounted `pomerium-controller` service account for API server access

Open · wasaga opened this issue 5 months ago · 1 comment

Is your feature request related to a problem? Please describe.

Currently we support referencing an external token from a Secret: https://github.com/pomerium/ingress-controller/blob/9a75ad2bc4716f0c54d1cbc6da8101b1359434ec/model/ingress_config.go#L40-L43

This is no longer a recommended method since Kubernetes 1.22:

> Versions of Kubernetes before v1.22 automatically created credentials for accessing the Kubernetes API. This older mechanism was based on creating token Secrets that could then be mounted into running Pods.
>
> In more recent versions, including Kubernetes v1.31, API credentials are obtained directly using the TokenRequest API, and are mounted into Pods using a projected volume. The tokens obtained using this method have bounded lifetimes, and are automatically invalidated when the Pod they are mounted into is deleted.
>
> Although the manual mechanism for creating a long-lived ServiceAccount token exists, using TokenRequest to obtain short-lived API access tokens is recommended instead.

Describe the solution you'd like

Pomerium Ingress Controller already runs with a dedicated service account, whose mounted credentials include the token and the API server CA.

  1. We can add the required impersonation RBAC to this service account.
  2. We can automatically configure the token and CA to use from the mounted files.

Describe alternatives you've considered

Explain any additional use-cases


Additional context


wasaga · Sep 19 '24 15:09