Currently an account section which requests account generation stores the generated account UUID in an annotation. This is usual practice for a Kubernetes operator but it means that if the edge cluster is torn down and recreated we lose this information.
It might be better to treat the account mapping in the Auth service as authoritative, if it exists.
This will need to keep the separate account_uuid step, and it's probably easiest to keep the annotation as well. The only changes should be:
- Move the principal mapping into account_uuid.
- Look up the principal in the Auth service if we have no annotation. Only create a new account as a fallback.
Possibly we should gensym our own UUID rather than letting the ConfigDB do it? Then the auth principal mapping creation is atomic. Otherwise we still risk crashing between account creation and principal mapping; this will leave an orphaned account object which will never be cleaned up.
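A sketch of the proposed lookup order, added here as an illustration and not taken from the operator's code. `AuthStub`, `ConfigDbStub`, `accountUuid`, the annotation key and the principal name are all hypothetical, and it assumes the principal mapping is written before the account object and that the ConfigDB accepts a caller-chosen UUID idempotently.

```javascript
// Added example: AuthStub and ConfigDbStub are hypothetical in-memory stand-ins,
// not the real Auth service or ConfigDB clients.
const uuidSource = globalThis.crypto ?? require("node:crypto");

class AuthStub {
  constructor() { this.byPrincipal = new Map(); }
  lookup(principal) { return this.byPrincipal.get(principal); }
  // One write; an existing mapping wins, so a retry cannot remap the principal.
  mapPrincipal(principal, uuid) {
    if (!this.byPrincipal.has(principal)) this.byPrincipal.set(principal, uuid);
    return this.byPrincipal.get(principal);
  }
}

class ConfigDbStub {
  constructor() { this.accounts = new Set(); }
  // Assumed: creating an object under a caller-chosen UUID is idempotent.
  ensureAccount(uuid) { this.accounts.add(uuid); }
}

// The account_uuid step: annotation, then Auth mapping, then create as fallback.
function accountUuid(resource, auth, configdb, { crashAfterMapping = false } = {}) {
  let uuid = resource.annotations.accountUuid ?? auth.lookup(resource.principal);
  if (!uuid) uuid = auth.mapPrincipal(resource.principal, uuidSource.randomUUID());
  if (crashAfterMapping) throw new Error("simulated crash before account creation");
  configdb.ensureAccount(uuid);            // safe to repeat on every reconcile
  resource.annotations.accountUuid = uuid; // the annotation is only a cache
  return uuid;
}

// Constructed scenario: crash mid-way, retry, then rebuild the edge cluster.
function scenario() {
  const auth = new AuthStub(), configdb = new ConfigDbStub();
  const fresh = () => ({ principal: "node1@EXAMPLE.TEST", annotations: {} });
  let crashed = false;
  try { accountUuid(fresh(), auth, configdb, { crashAfterMapping: true }); }
  catch { crashed = true; }
  const afterRetry = accountUuid(fresh(), auth, configdb);
  const afterRebuild = accountUuid(fresh(), auth, configdb); // annotation lost
  return { crashed, afterRetry, afterRebuild, accounts: configdb.accounts.size };
}

console.log(scenario());
```

With the mapping written first, the retry after the simulated crash and the reconcile after a rebuild both resolve to the same UUID, and only one account object exists.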