Wasm: cache Wasm OCI image permission check results

[zhaohuabing]

This PR introduce a caching mechanism for the Wasm OCI image permission check results.

Background:
Previously, to prevent unauthorized EEPs from accessing a private Wasm OCI image, EG would verify the pullSecrect against the OCI registry in the Gateway API translator, even if the OCI image has already been pulled and cached locally. Because this verification involved network access, it could block the translator, especially when a lots of endpoints are scaling up/down.

What's changed:
This PR adds a permission cache in the Wasm package. A backgroud goroutine perodically checks the EEP's pullSecret against OCI registry and cache the check result. The Gateway API translator can now use the cached permission check result to tell if an EEP can access the OCI image.

• Initial Image Pull: The first attempt to pull an OCI image will still block because neither the file cache nor the permission cache has any entry yet.
• Subsequent Requests: After the initial pull, subsequent requests for the same image will not block because the permission check is served from the cache.

Cache expiry:

• The cached permissions are rechecked every hour in case the registry invalidates an existing pullSecret.
• If a chaced entry is not accessed in 24 hours, it will be removed from the cache.

These default values are now fixed consts, they can be exposed to EG configuration later if needed.

fix: #5326

[codecov]

Codecov Report

Attention: Patch coverage is 78.37838% with 32 lines in your changes missing coverage. Please review.

Project coverage is 65.17%. Comparing base (1c0eca6) to head (f935443).
Report is 27 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/wasm/cache.go	38.46%	14 Missing and 2 partials ⚠️
internal/wasm/premissioncache.go	86.88%	14 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5358      +/-   ##
==========================================
+ Coverage   65.07%   65.17%   +0.10%     
==========================================
  Files         213      214       +1     
  Lines       33588    33723     +135     
==========================================
+ Hits        21857    21979     +122     
- Misses      10402    10415      +13     
  Partials     1329     1329              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[arkodg]

the drawback of this, is, if permissions change on the server side, I'll have to wait 1 hr to update my wasm image

[arkodg]

the primary issue here is - fetching a WASM Image including checking permissions blocks the route linked to this EEP as well as other routes and endpoints and other xds from being pushed to the data plane. Ideally we'd like this two tasks to be happening in parallel.
Can we fetch and check permissions in a separate go routine to unblock the translator ? If the wasm fetcher / checker go routine finds errors it could flag it in the status using watchable
Hoping the WASM URL is based off policy ns-name so data plane requests will fail in case of a deny

[zhaohuabing]

Can we fetch and check permissions in a separate go routine to unblock the translator ? If the wasm fetcher / checker go routine finds errors it could flag it in the status using watchable
Hoping the WASM URL is based off policy ns-name so data plane requests will fail in case of a deny

We can't fetch the OCI image async. The sha256 checksum of the wasm module is a mandatory field for xDS Wasm remote code source, and we can't get the checksum without fetching the image.

[zhaohuabing]

the drawback of this, is, if permissions change on the server side, I'll have to wait 1 hr to update my wasm image

Permission change actually won't invalidate cached wasm image, it only prevents the requests from unauthorized EEPs, unauthorized EEP translation will fail.

The cached images are purged after not being touched for expiry duration, which is handled in the wasm image chace.

[arkodg]

LGTM thanks !