
feat: add auth accessor resolution to IdentityTokenRole template field#305

Open
dyna-stadt wants to merge 1 commit into redhat-cop:main from dyna-stadt:feat/add_accessor_identity_template

Conversation

@dyna-stadt
Contributor

Summary

  • Extracts the ${auth/<path>/@accessor} placeholder resolution logic from Policy into a shared ResolveAuthAccessors utility function in api/v1alpha1/utils/commons.go
  • Refactors Policy.PrepareInternalValues() to use the new shared utility, removing duplicated code and unused imports
  • Adds auth accessor resolution to IdentityTokenRole.PrepareInternalValues(), enabling ${auth/<path>/@accessor} placeholders in the template field
  • Updates docs/identities.md with documentation and an example for the new IdentityTokenRole template accessor syntax

Motivation

The ${auth/<auth engine path>/@accessor} placeholder syntax was previously only supported in Policy HCL rules. However, identity token role templates often need to reference auth engine accessors as well (e.g. {{identity.entity.aliases.<accessor>.metadata.service_account_namespace}}). Without this feature, users had to manually look up and hard-code accessor values, which change across Vault instances and are not portable.

Example

apiVersion: redhatcop.redhat.io/v1alpha1
kind: IdentityTokenRole
metadata:
  name: my-role
spec:
  authentication:
    path: kubernetes
    role: policy-admin
  key: my-key
  template: |
    {
      "namespace": {{identity.entity.aliases.${auth/kubernetes/@accessor}.metadata.service_account_namespace}}
    }

The operator resolves ${auth/kubernetes/@accessor} to the actual accessor value (e.g. auth_kubernetes_804f1655) before writing the role to Vault.

Note: The Vault role used for authentication must have read and list access to sys/auth for resolution to work. Unresolved placeholders are left as-is.

Extracts the auth accessor resolution logic from Policy into a shared ResolveAuthAccessors utility function and applies it to IdentityTokenRole's template field. This allows the same ${auth/<path>/@Accessor} placeholder syntax to be used in identity token role templates, automatically replacing placeholders with actual accessor values from Vault's sys/auth endpoint, ref: NOISSUE
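The resolution step the description above refers to, shown as an added illustration rather than the operator's own ResolveAuthAccessors: a hypothetical Go helper that swaps ${auth/<path>/@accessor} placeholders for accessors taken from a constructed sys/auth-style listing (mount path with trailing slash to accessor), and leaves unknown placeholders untouched so they can be reported.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// authAccessorPlaceholder matches ${auth/<mount path>/@accessor}; the mount
// path may itself contain slashes (e.g. ${auth/k8s/prod/@accessor}).
var authAccessorPlaceholder = regexp.MustCompile(`\$\{auth/(.+?)/@accessor\}`)

// resolveAuthAccessors (hypothetical helper, not the operator's own
// ResolveAuthAccessors) replaces each ${auth/<path>/@accessor} placeholder in
// tmpl with the accessor of the auth mount at <path>. mounts maps mount path
// to accessor in the form a sys/auth listing yields, where keys carry a
// trailing slash ("kubernetes/"). Placeholders whose mount is unknown are
// left as-is, as the PR description states, and returned for reporting.
func resolveAuthAccessors(tmpl string, mounts map[string]string) (string, []string) {
	var unresolved []string
	out := authAccessorPlaceholder.ReplaceAllStringFunc(tmpl, func(ph string) string {
		path := authAccessorPlaceholder.FindStringSubmatch(ph)[1]
		// Normalise to the sys/auth key form: no leading, exactly one trailing slash.
		key := strings.Trim(path, "/") + "/"
		if acc, ok := mounts[key]; ok && acc != "" {
			return acc
		}
		unresolved = append(unresolved, ph)
		return ph
	})
	return out, unresolved
}

func main() {
	// Constructed sample of a sys/auth listing: mount path -> accessor.
	mounts := map[string]string{
		"token/":      "auth_token_1a2b3c4d",
		"kubernetes/": "auth_kubernetes_804f1655",
	}
	tmpl := `{
  "namespace": {{identity.entity.aliases.${auth/kubernetes/@accessor}.metadata.service_account_namespace}},
  "team": {{identity.entity.aliases.${auth/oidc/@accessor}.metadata.team}}
}`
	resolved, unresolved := resolveAuthAccessors(tmpl, mounts)
	fmt.Println(resolved)
	fmt.Println("unresolved:", unresolved)
}
```

Reporting the unresolved list lets a reconciler surface a misconfigured mount path or a token lacking read/list on sys/auth instead of silently writing a template that Vault will never match.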
@dyna-stadt
Contributor Author

@raffaelespazzoli
Can you please review this one? Thanks!

@raffaelespazzoli
Collaborator

Please rebase off of main; you are using an old pipeline.
