apiserver: set proxy auth info via request header

[Iceber]

What type of PR is this?

/kind feature
What this PR does / why we need it:
Users can set authentication information for proxy requests using the X-Clusterpedia-Proxy- prefix in the request headers, supporting:

1. X-Clusterpedia-Proxy-CA
2. X-Clusterpedia-Proxy-Token
3. X-Clusterpedia-Proxy-Client-Cert
4. X-Clusterpedia-Proxy-Client-Key

To make the feature more flexible, administrators can allow proxy requests to reuse the PediaCluster configuration by using the --allow-pediacluster-config-for-proxy-request flag. However, the permissions of this cluster configuration may not satisfy the proxy requests, and if the permissions are too high, it could lead to unauthorized operations. Additionally, reusing the PediaCluster configuration may also raise auditing issues.

$ ./bin/apiserver --help
...
Resource server flags:

      --allow-pediacluster-config-for-proxy-request
                Allow proxy requests to use the cluster configuration from PediaCluster when authentication information cannot be obtained from the header.
...

NOTE: However, for kubectl users, passing custom headers is difficult. In the future, we will add a kubectl plugin, but for now, you may need to enable b and ensure that the configuration within PediaCluster has sufficient permissions.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

[clusterpedia-bot]

Hi @Iceber,
Thanks for your pull request!
If the PR is ready, use the /auto-cc command to assign Reviewer to Review.
We will review it shortly.

Details

Instructions for interacting with me using comments are available here.
If you have questions or suggestions related to my behavior, please file an issue against the gh-ci-bot repository.