Move the CI Tunnel with agent identity to Core

"Namespace" below means a GitLab group or project.

Authorization to use EE features of the CI tunnel depends on who is trying to access it (see https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/136#note_621564649, confidential), not on the license of the agent owner/creator/namespace.

  • For CI jobs under a licensed namespace, allow access to all CI tunnel features.

  • For CI jobs under a non-licensed namespace, return an empty list from the /api/v4/job/allowed_agents Rails endpoint.

    I.e. this API returns a list of allowed agents to be accessed by this CI job token. It's an empty list if nothing is allowed. We don't want to return a 403, to avoid confusing kas as to whether the token is invalid vs something else. Kas can return a more meaningful response to the user if it understands the difference.

Don't forget to update documentation.

Edited by Mikhail Mazurskiy
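
The distinction this issue asks for, sketched from the consumer side as an added example (not code from kas or GitLab): a valid job token with an empty list is reported as "not authorized for this agent", while an auth failure is reported as a bad token. The function name, error values, the JSON field names `allowed_agents` and `id`, and the treatment of 401/403 as "invalid token" are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// Assumed response shape: only the field this example needs.
type allowedAgentsResponse struct {
	AllowedAgents []struct {
		ID int64 `json:"id"`
	} `json:"allowed_agents"`
}

var (
	ErrInvalidToken    = errors.New("CI job token is invalid or expired")
	ErrAgentNotAllowed = errors.New("CI job token is valid but not authorized for this agent")
)

// authorizeJob (hypothetical helper) maps an allowed_agents response to a decision.
// Because "nothing allowed" arrives as 200 + empty list, an auth-failure status
// can only mean a bad token, so the two cases get distinct errors.
func authorizeJob(status int, body []byte, agentID int64) error {
	switch status {
	case http.StatusOK:
	case http.StatusUnauthorized, http.StatusForbidden:
		return ErrInvalidToken
	default:
		return fmt.Errorf("unexpected status %d from allowed_agents", status)
	}
	var resp allowedAgentsResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		// Fail closed: an unparseable body never grants access.
		return fmt.Errorf("malformed allowed_agents response: %w", err)
	}
	for _, a := range resp.AllowedAgents {
		if a.ID == agentID {
			return nil
		}
	}
	return ErrAgentNotAllowed
}

func main() {
	// Constructed sample responses.
	fmt.Println(authorizeJob(200, []byte(`{"allowed_agents":[]}`), 7))
	fmt.Println(authorizeJob(403, nil, 7))
	fmt.Println(authorizeJob(200, []byte(`{"allowed_agents":[{"id":7}]}`), 7))
}
```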