
Introduce oidc auth-proxy for new Cloud Connector routes

Mat Appelman requested to merge mappelman/oidc-auth-proxy into main

closes Create OIDC auth-proxy to verify jwts from GitL... (#2750 - closed)

closes Modify ProjectID of incoming request to include... (#2763 - closed)

This proxy will run as a sidecar container next to the ingest and query containers. This auth-proxy will gate access to only requests that come from Workhorse (SaaS instances or self-managed instances).

This auth-proxy authenticates JWTs created by a GitLab provider and has several verification mechanisms to ensure no customer or user can access data from another.

In the following two request flow diagrams, look for the far right process titled "GOB SaaS behind cloud.gitlab.com (GitLab Observability Backend)" to see what this process does and where it receives requests from:

ProjectIDs from a self-managed instance are prefixed with the instanceID to ensure no collision of projectIDs across instances while maintaining compatibility with our existing tables, indexes and SaaS operation.

The bulk of this MR contains a comprehensive set of tests.

Related MRs that show the structure of the JWTs sent from a gitlab.com instance (JWT created in the gitlab.com instance) or a self-managed instance (JWT created in customers.gitlab.com):

MR for adding the instanceID subject claim to JWTs created by customers.gitlab.com: https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/9491

MR for adding extra claims (gitlab_namespace_id) to JWTs created by gitlab.com: gitlab-org/gitlab!146172 (merged)
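The two mechanisms the description above relies on, gating requests on a verified JWT and prefixing a self-managed instance's projectID with the instanceID carried in the subject claim, are shown together in the following added example. It is illustrative code written for this page, not the auth-proxy from this MR or any GitLab Observability Backend code. It assumes an HS256 shared-secret signature purely so it runs offline (a real OIDC proxy would verify the provider's asymmetric signature against its published keys), and the issuer URLs, the `Verifier`/`Admit` names, the `Bearer` header handling and the `_` separator between instanceID and projectID are all assumptions; the `gitlab_namespace_id` claim is carried but not used in the decision.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims the proxy inspects: "sub" carries the instanceID for self-managed tokens.
type Claims struct {
	Iss         string `json:"iss"`
	Sub         string `json:"sub"`
	Aud         string `json:"aud"`
	Exp         int64  `json:"exp"`
	NamespaceID string `json:"gitlab_namespace_id,omitempty"`
}

// Verifier holds what the sidecar trusts. HS256 with a shared secret keeps the demo
// self-contained; a real OIDC proxy checks the provider's asymmetric signature. Issuers are assumptions.
type Verifier struct {
	Secret            []byte
	SaaSIssuer        string // tokens minted by gitlab.com
	SelfManagedIssuer string // tokens minted by customers.gitlab.com
	Audience          string
	Now               func() time.Time
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign mints a compact HS256 token; it exists only so the demo has input.
func Sign(secret []byte, c Claims) string {
	body, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// Verify checks algorithm, signature, then issuer, audience and expiry; claims are returned only if all pass.
func (v Verifier) Verify(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	// Pin the algorithm: a header naming "none" or any other alg is rejected.
	var hdr struct{ Alg string `json:"alg"` }
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, v.Secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, errors.New("bad payload")
	}
	trustedIssuer := c.Iss == v.SaaSIssuer || c.Iss == v.SelfManagedIssuer
	if !trustedIssuer || c.Aud != v.Audience || !v.Now().Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("issuer, audience or expiry rejected")
	}
	return c, nil
}

// ScopedProjectID prefixes a self-managed instance's projectID with its instanceID (the subject
// claim) so IDs cannot collide across instances; SaaS projectIDs pass through. "_" is an assumption.
func (v Verifier) ScopedProjectID(c Claims, projectID string) string {
	if c.Iss == v.SelfManagedIssuer {
		return c.Sub + "_" + projectID
	}
	return projectID
}

// Admit is the sidecar's decision for one request: the status to answer with and, when admitted, the projectID to forward.
func (v Verifier) Admit(authHeader, projectID string) (int, string) {
	c, err := v.Verify(strings.TrimPrefix(authHeader, "Bearer "))
	if err != nil {
		return http.StatusUnauthorized, ""
	}
	return http.StatusOK, v.ScopedProjectID(c, projectID)
}

func main() {
	v := Verifier{Secret: []byte("demo-secret"), SaaSIssuer: "https://gitlab.example",
		SelfManagedIssuer: "https://customers.example", Audience: "gob", Now: time.Now}
	tok := Sign(v.Secret, Claims{Iss: v.SelfManagedIssuer, Sub: "inst-42", Aud: "gob", Exp: time.Now().Add(time.Minute).Unix()})
	fmt.Println(v.Admit("Bearer "+tok, "7")) // 200 inst-42_7
	fmt.Println(v.Admit("", "7"))            // 401
}
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so issuer and audience values are only ever trusted after they are known to be signed, and the projectID rewrite happens only on the admitted path, so the ingest and query containers never see an unscoped self-managed projectID.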
