pulumi / pulumi-kubernetes-operator

A Kubernetes Operator that automates the deployment of Pulumi Stacks
Apache License 2.0

Add support for OIDC login to Pulumi Cloud #697

Open blampe opened 1 month ago

blampe commented 1 month ago

As a user, I would like to perform updates against the Pulumi Cloud backend without needing to hard-code an access token.

A possible implementation would be to automatically mount an OIDC service account token using a projected volume, as provided by Kubernetes:

  volumes:
    - name: oidc-token
      projected:
        sources:
          - serviceAccountToken:
              audience: urn:pulumi:org:ORG_NAME
              path: token
              expirationSeconds: 3600
  containers:
    - name: pulumi
      volumeMounts:
        - name: oidc-token
          mountPath: /var/run/secrets/pulumi
      env:
        - name: PULUMI_OIDC_TOKEN_FILE
          value: /var/run/secrets/pulumi/token

How would the audience value be determined? Perhaps a new top-level spec element in the Workspace and/or Stack? Would it be the literal audience or would it be higher-level parameter(s) like organization (similar to pulumi/auth-actions)?

spec:
  cloud:
    organization: contoso
    requested-token-type: urn:pulumi:token-type:access_token:organization

How is the token consumed by the CLI? Ideally an environment variable would be natively supported, similar to PULUMI_ACCESS_TOKEN. Otherwise one would need to exchange the token by hand on each RPC operation. Ideally we'd teach the CLI to exchange the token on-the-fly, to allow for long-running stacks (necessitating a mid-flight refresh).
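A worked example of the consumption side sketched in the comment above, added here as illustration and not code from the operator or the Pulumi CLI: a small Go token source that reads the projected file named by `PULUMI_OIDC_TOKEN_FILE`, checks the token's `aud` and `exp` claims against the audience the workload expects, and re-reads the file once the cached token nears expiry (the kubelet rewrites a projected token in place before it expires, which is what makes a mid-flight refresh possible for long-running stacks). The audience string follows the issue's own `urn:pulumi:org:ORG_NAME` sketch and is an assumption; the sample token built by `makeUnsignedToken` is constructed and unsigned, so it exercises only the claim checks. No signature verification is done on this side: the workload merely forwards the token, and the relying party is the one that must verify it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
	"time"
)

// claims is the subset of JWT claims inspected before a projected token is
// used: the audience it was minted for and when it expires.
type claims struct {
	Audience audience `json:"aud"`
	Expiry   int64    `json:"exp"`
}

// audience accepts both the string and the []string encodings of "aud".
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = audience{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = audience(many)
	return nil
}

// parseClaims decodes the payload of a compact JWS. The signature is not
// checked here on purpose: the relying party (Pulumi Cloud) verifies it.
func parseClaims(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	return &c, nil
}

// checkToken rejects a token minted for a different audience or one that has
// expired (or will within a 30 second skew window).
func checkToken(c *claims, wantAud string, now time.Time) error {
	found := false
	for _, a := range c.Audience {
		if a == wantAud {
			found = true
		}
	}
	if !found {
		return fmt.Errorf("audience %v does not include %q", []string(c.Audience), wantAud)
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0).Add(-30*time.Second)) {
		return errors.New("token is expired or about to expire")
	}
	return nil
}

// TokenSource hands out the current projected token, re-reading the file when
// the cached copy nears expiry instead of caching the first read forever.
type TokenSource struct {
	Path    string
	WantAud string
	Now     func() time.Time // injectable clock, nil means time.Now

	mu     sync.Mutex
	cached string
	exp    time.Time
}

func (s *TokenSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := time.Now()
	if s.Now != nil {
		now = s.Now()
	}
	if s.cached != "" && now.Before(s.exp.Add(-30*time.Second)) {
		return s.cached, nil
	}
	raw, err := os.ReadFile(s.Path)
	if err != nil {
		return "", fmt.Errorf("read token file: %w", err)
	}
	tok := strings.TrimSpace(string(raw))
	c, err := parseClaims(tok)
	if err != nil {
		return "", err
	}
	if err := checkToken(c, s.WantAud, now); err != nil {
		return "", err
	}
	s.cached, s.exp = tok, time.Unix(c.Expiry, 0)
	return tok, nil
}

// makeUnsignedToken builds a constructed, unsigned sample token (placeholder
// signature) purely so the claim checks can be exercised offline.
func makeUnsignedToken(aud string, exp time.Time) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "none", "typ": "JWT"})
	payload := enc(map[string]interface{}{"aud": aud, "exp": exp.Unix()})
	return header + "." + payload + ".placeholder-signature"
}

func main() {
	// Use the projected file if the pod provides one; otherwise fall back to a
	// constructed token in a temp file so the example runs outside a cluster.
	path := os.Getenv("PULUMI_OIDC_TOKEN_FILE")
	if path == "" {
		path = filepath.Join(os.TempDir(), "constructed-oidc-token")
		_ = os.WriteFile(path, []byte(makeUnsignedToken("urn:pulumi:org:ORG_NAME", time.Now().Add(time.Hour))), 0o600)
	}
	src := &TokenSource{Path: path, WantAud: "urn:pulumi:org:ORG_NAME"}
	tok, err := src.Token()
	if err != nil {
		fmt.Println("token rejected:", err)
		return
	}
	fmt.Println("token accepted, length", len(tok))
}
```

Callers should ask the `TokenSource` for a token immediately before each exchange or RPC rather than once at startup; that is the cheap way to get the refresh behaviour the comment asks for without a background goroutine, and the audience check catches a pod that was wired to the wrong `audience:` in its projected volume.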

cleverguy25 commented 1 month ago

Added to epic https://github.com/pulumi/pulumi-kubernetes-operator/issues/586

blampe commented 1 month ago

Need to follow up with Cloud to see if this is feasible.