xds/gcp_authn: implement GCP Authentication filter (gRFC A83). #9119

Open: Pranjali-2501 wants to merge 12 commits into grpc:master from Pranjali-2501:http-authn-filter

@Pranjali-2501 Pranjali-2501 commented May 12, 2026

This PR implements the xDS GCP Authentication HTTP filter for gRPC-Go, as specified in gRFC A83.

The implementation provides a mechanism for attaching service account identity JWT tokens as gRPC call credentials on GCP, featuring a two-level caching strategy (filter-level cache of credentials objects and credential-level cache of tokens) to minimize latency and metadata server load.

Note: This PR includes the changes from #9118, which added the GcpServiceAccountIdentityCallCredentials call credentials type. List of common files:

  • credentials/google/gcp_service_account_identity_credentials.go
  • credentials/google/gcp_service_account_identity_credentials_test.go
  • credentials/google/google_test.go

RELEASE NOTES: None

@Pranjali-2501 added this to the 1.82 Release milestone May 12, 2026
@Pranjali-2501 added the labels "Type: Feature" (New features or improvements in behavior) and "Area: xDS" (Includes everything xDS related, including LB policies used with xDS.) May 12, 2026
@Pranjali-2501 (Contributor, Author) commented:

/gemini review

codecov Bot commented May 12, 2026

Codecov Report

❌ Patch coverage is 85.39823% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.19%. Comparing base (39a15f6) to head (4531cb1).
⚠️ Report is 25 commits behind head on master.

Files with missing lines Patch % Lines
...ernal/xds/httpfilter/gcp_authn/gcp_authn_filter.go 83.46% 12 Missing and 9 partials ⚠️
...google/gcp_service_account_identity_credentials.go 88.88% 6 Missing and 4 partials ⚠️
internal/xds/xdsclient/xdsresource/metadata.go 60.00% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #9119      +/-   ##
==========================================
+ Coverage   81.58%   83.19%   +1.60%     
==========================================
  Files         413      415       +2     
  Lines       33448    33701     +253     
==========================================
+ Hits        27289    28036     +747     
+ Misses       4264     4237      -27     
+ Partials     1895     1428     -467     
Files with missing lines Coverage Δ
internal/xds/balancer/clustermanager/picker.go 100.00% <100.00%> (ø)
internal/xds/resolver/xds_resolver.go 87.95% <100.00%> (-0.35%) ⬇️
internal/xds/xdsclient/xdsresource/metadata.go 74.19% <60.00%> (+21.25%) ⬆️
...google/gcp_service_account_identity_credentials.go 88.88% <88.88%> (ø)
...ernal/xds/httpfilter/gcp_authn/gcp_authn_filter.go 83.46% <83.46%> (ø)

... and 44 files with indirect coverage changes

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces GCP Service Account Identity credentials and a new xDS HTTP filter, gcp_authn, which attaches these credentials to outgoing RPCs using cluster metadata. The implementation features an LRU cache for credential management. Key review feedback points out critical bugs involving incorrect access paths for cluster metadata and security settings, which would cause nil pointer dereferences or compilation failures. Furthermore, the reviewer identified significant thread-safety issues in the cache resizing logic that could lead to data races. A minor suggestion was also made to declare the early expiry duration as a constant.

Comment thread internal/xds/httpfilter/gcp_authn/gcp_authn_filter.go
Comment thread internal/xds/httpfilter/gcp_authn/gcp_authn_filter.go
Comment thread internal/xds/httpfilter/gcp_authn/gcp_authn_filter.go Outdated
Comment thread internal/xds/httpfilter/gcp_authn/gcp_authn_filter.go Outdated
Comment thread credentials/google/gcp_service_account_identity_credentials.go
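
The two-level cache the PR description names (a filter-level LRU of credentials objects, each holding its own token until shortly before expiry), as an added example that is not code from the PR or from gRPC-Go. The names `callCreds`, `credsCache` and `fetch` and the 30-second `earlyExpiry` are assumptions; `fetch` stands in for the metadata-server request.

```go
package main

import (
	"container/list"
	"sync"
	"time"
)

const earlyExpiry = 30 * time.Second // assumed refresh margin, not from the PR

// callCreds is the credential-level cache: one token for one audience.
type callCreds struct {
	mu              sync.Mutex
	audience, token string
	expiry          time.Time
}

// credsCache is the filter-level cache: an LRU of callCreds by audience.
type credsCache struct {
	mu    sync.Mutex
	size  int
	order list.List // front = most recently used
	items map[string]*list.Element
	fetch func(audience string) (string, time.Time, error) // metadata-server stand-in
}

// Token returns the audience's token, calling fetch only when none is fresh.
func (c *credsCache) Token(aud string, now time.Time) (_ string, err error) {
	c.mu.Lock()
	e := c.items[aud]
	if e == nil {
		if c.items == nil {
			c.items = map[string]*list.Element{}
		}
		e = c.order.PushFront(&callCreds{audience: aud})
		c.items[aud] = e
	}
	c.order.MoveToFront(e)
	if c.order.Len() > c.size { // evict the least recently used credentials
		delete(c.items, c.order.Remove(c.order.Back()).(*callCreds).audience)
	}
	c.mu.Unlock() // never hold the cache lock across a fetch
	cc := e.Value.(*callCreds)
	cc.mu.Lock()
	defer cc.mu.Unlock()
	if cc.token == "" || !now.Before(cc.expiry.Add(-earlyExpiry)) {
		cc.token, cc.expiry, err = c.fetch(aud)
	}
	return cc.token, err
}
```

A `&credsCache{size: n, fetch: f}` value is ready to use. Evicting an audience discards its cached token as well, so the next RPC for that audience pays one fetch.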