Add additional claims to workload identities

[allisonlarson]

Description

Adds the ability for additional claims to be defined for a namespace and added to a job's workload identity. Core to this change is that JWTs are not supposed to be spoofable claims, and so any additional claims must be configured per namespace by a cluster/namespace admin and the values of the claims interpolated in the jobspec.

Namespaces can be configured to include both (or either) required_extra_claims and optional_extra_claims, where required claims are added to all job's workload identities running in that namespace. Optional extra claims will be added to a job's workload identity if the jobspec includes the claim in the identities extra_claims list.

For a namespace example:

  name        = "default"

  required_extra_claims {
    unique_id = "${job.meta.customer}+${job.id}"
    mymeta = "http://${job.region}.${job.namespace}.${job.id}.com"
  }

  optional_extra_claims {
    baz = "dc:${node.datacenter}"
  }

For the jobspec example:

# job.nomad.hcl
job "service" {
  ...
  group "demo" {
    ...
    task "server" {
      ...
      identity {
        name         = "bar_id"
        aud          = ["org.example.bar"]
        file        =  true
        filepath    = "local/example.jwt"
        extra_claims = ["bar", "baz"]
      }

      service {
        ...
      }
    }
  }
}

This PR also adds the ability for job metadata to be interpolated into the extra claims added to the JWT.

For the above namespace and jobspec, a workload identity is generated with claims:

{
  "aud": "org.example.bar",
  "extra_claims": {
    "baz": "dc:dc1",
    "mymeta": "http://global.default.service.com",
    "unique_id": "${job.meta.customer}+service"
  },
  ...
  "nomad_allocation_id": "048ae42f-3e84-e622-ef3e-35d7554dd629",
  "nomad_job_id": "service",
  "nomad_namespace": "default",
  "nomad_task": "server",
  "sub": "global:default:service:demo:server:bar_id"
}

These extra claims are included under an extra_claims key, which is also used by any extra claims added via the vault block identities. In the case there are conflicting claims (where the vault block and the identity block is defined with the same claim and different values), the vault block will currently take precedence.

Testing & Reproduction steps

Added unit tests, and tested manually with consul & vault integrations and examining the JWT generated

Links

#19438
internal ref: https://hashicorp.atlassian.net/browse/NMD-408

Contributor Checklist

• Changelog Entry If this PR changes user-facing behavior, please generate and add a
  changelog entry using the make cl command.
• Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
  ensure regressions will be caught.
• Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
  and job configuration, please update the Nomad product documentation, which is stored in the
  web-unified-docs repo. Refer to the web-unified-docs contributor guide for docs guidelines.
  Please also consider whether the change requires notes within the upgrade
  guide. If you would like help with the docs, tag the nomad-docs team in this PR.

Reviewer Checklist

• Backport Labels Please add the correct backport labels as described by the internal
  backporting document.
• Commit Type Ensure the correct merge method is selected which should be "squash and merge"
  in the majority of situations. The main exceptions are long-lived feature branches or merges where
  history should be preserved.
• Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
  within the public repository.

• If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.