When an agent wants to fetch a JWT-SVID for a workload it uses the agent.v1.NewJWTSVID API. This does the following:
Verify if the entry id the agent requested is part of that map.
Most of this work is unnecessary. We don't need all authorized entries for the decision, we just need the entry if the agent is authorized for it.
I've done a small POC for fetching only the authorized entry id and this looks to behave better. I get spire-server CPU usage to drop by ~50%. Flame graphs also show that more time is spent doing useful work, signing SVIDs.
before:
after:
Fetching X509-SVIDs does the same things but there it makes more sense to do the pre-processing since it needs to sign a batch of SVIDs.
There's probably a bunch of improvements that can be made here:
Instead of getting all the authorized entries, only get the entries that the agent has requested. This could work for both JWT-SVID and X509-SVID.
Instead of storing protobuf messages, store an intermediary type or at least return an intermediary type. This should be faster than cloning protobuf messages. It might end up being a bigger change since we need to modify multiple places to use the new type.
Doing both will probably give us the best performance improvement, but even with just the first option we get a good improvement.
Happy to work on this if the request makes sense.
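A minimal Go model of the two authorization strategies this issue compares, added here as an illustration; it is not SPIRE's code. The `Entry` and `Store` types, the agent-to-entries map layout, and the sample data are assumptions made for the example.

```go
package main

import "fmt"

// Entry and Store are hypothetical stand-ins for this example, not SPIRE's types.
type Entry struct{ Audience []string }

type Store struct {
	byAgent map[string]map[string]*Entry // agent ID -> entry ID -> entry (assumed layout)
	Clones  int                          // deep copies made, the cost the issue describes
}

func (s *Store) clone(e *Entry) *Entry {
	s.Clones++
	return &Entry{Audience: append([]string(nil), e.Audience...)}
}

// AuthorizeViaAll copies every entry the agent is authorized for, then checks the requested ID.
func (s *Store) AuthorizeViaAll(agentID, entryID string) (*Entry, bool) {
	all := make(map[string]*Entry)
	for id, e := range s.byAgent[agentID] {
		all[id] = s.clone(e)
	}
	e, ok := all[entryID]
	return e, ok
}

// AuthorizeOne fetches only the requested entry, still scoped to the calling agent's entries.
func (s *Store) AuthorizeOne(agentID, entryID string) (*Entry, bool) {
	if e, ok := s.byAgent[agentID][entryID]; ok {
		return s.clone(e), true
	}
	return nil, false
}

// NewSampleStore builds constructed data: agent-a with n entries, agent-b with one.
func NewSampleStore(n int) *Store {
	s := &Store{byAgent: map[string]map[string]*Entry{"agent-a": {}, "agent-b": {}}}
	for i := 0; i < n; i++ {
		s.byAgent["agent-a"][fmt.Sprintf("entry-%d", i)] = &Entry{Audience: []string{"aud"}}
	}
	s.byAgent["agent-b"]["b-only"] = &Entry{Audience: []string{"aud"}}
	return s
}

func main() {
	_, ok := NewSampleStore(1000).AuthorizeOne("agent-a", "b-only")
	fmt.Println("agent-a authorized for b-only:", ok)
}
```

Both functions reach the same allow or deny decision; the targeted lookup does so with at most one copy because it never leaves the requesting agent's own entry set.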