Introduce auth_request Policy support

[brianehlert]

NGINX supports three different options in the authentication space:

• the JWT module - the request is delivered with a token that is in turn validated against an IdP and NGINX makes the allow or deny decision
• OIDC - where NGINX holds the authentication token for the client and directs the client to an IdP if a token is absent or expired and NGINX makes the allow or deny decision
• auth_request - where NGINX redirects the request to an IdP and the IdP makes the authentication decision and sends an allow or deny decision back to NGINX.

The ingress controller currently supports JWT and OIDC through the Policy resource and we have received requests to support auth_request. This capability would support both the free and paid version of the project.

Also add customizing the 401 response: add error_page in the /api/ location (same place as the auth_request directive).

AC:

• design an auth_request Policy
• support the Policy using VirtualServer / VirtualServerRoute following the pattern of the JWT Policy which supports different Policy per location
• add an nginx.org/auth-request-policy annotation to the Ingress object that supports associating the auth_request Policy (it is fully understood this would require CRDs and related dependencies to use this feature)
• Support the annotation using the Ingress resource.
• Do not support the annotation with a master Ingress resource
• Support the annotation with a minion Ingress resource

Questions to answer:

• Do we require Policy for implementing this with Ingress? (as an experiment, is there undue burden on the existing implementation that might make this difficult to implement)
  • this question comes out of multiple requests to extend capabilities implemented with Policy already, or make sense to implement using Policy. https://github.com/nginxinc/kubernetes-ingress/discussions/4859

### Tasks
- [ ] Implementation on Virtual Server
- [ ] Implementation on Ingress

Aha! Link: https://nginx.aha.io/epics/NIC-E-124

[jasonwilliams14]

I have been working on a prototype for auth_request, for both virtualserver and ingress resources.

It would be fairly straightforward to add a CRD policy to be applied to virtualserver and support the NGINX auth_request directives. This policy could be linked to http, server, or location, depending on the users requirement.

For ingress, we could create two additional annotations to support both directives needed for auth_request.

I will post a few prototypes for both applications in this thread.