
add agentcsrapproving controller to auto approve agent csr #5825

Merged
merged 1 commit into from
Nov 23, 2024

Conversation

@zhzhuang-zju zhzhuang-zju commented Nov 16, 2024

What type of PR is this?
/kind feature

What this PR does / why we need it:
In #5793, we decided to change the user group that the karmada-agent accesses the Karmada API server from system:nodes to system:karmada:agents, and change the user system:node: to system:karmada:agent:, thereby isolating the permissions of the karmada-agent and kubelet to avoid being affected by node authentication.
To provide the capability for the agent's CSR to be automatically approved, this PR introduces the agentcsrapproving controller. It is disabled by default and maintains the same behavior as the csrapproving controller in kube-controller-manager, which is used to automatically approve the CSR of the kubelet.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

`karmada-controller-manager`: introduces the `agentcsrapproving` controller to provide the capability for the agent's CSR to be automatically approved
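An illustrative approval check, added here and not the agentcsrapproving controller code from this PR: it transposes the checks that kube-controller-manager's csrapproving applies to kubelet client CSRs (requester identity, valid signature, subject equal to the requester, no SANs) onto the `system:karmada:agents` group and `system:karmada:agent:` username prefix named above. The `AgentCSR` type and the `NewAgentCSR` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"slices"
	"strings"
)

// Agent identity chosen in #5793 and used by this PR: group and username prefix.
const agentGroup, agentUserPrefix = "system:karmada:agents", "system:karmada:agent:"

// AgentCSR (assumed shape) is what an approver sees: the authenticated requester and the DER PKCS#10 request.
type AgentCSR struct {
	Username string
	Groups   []string
	Request  []byte
}

// ShouldApprove applies the kubelet-client checks to the agent identity; any mismatch is a rejection.
func ShouldApprove(c AgentCSR) error {
	if !strings.HasPrefix(c.Username, agentUserPrefix) || !slices.Contains(c.Groups, agentGroup) {
		return fmt.Errorf("requester %q %v is not an agent identity", c.Username, c.Groups)
	}
	req, err := x509.ParseCertificateRequest(c.Request)
	if err != nil {
		return err
	}
	if err := req.CheckSignature(); err != nil { // proof of possession of the private key
		return fmt.Errorf("bad CSR signature: %w", err)
	}
	// The requester may only obtain a certificate for its own name and its own group.
	if req.Subject.CommonName != c.Username || !slices.Equal(req.Subject.Organization, []string{agentGroup}) {
		return fmt.Errorf("subject %q %v does not match requester", req.Subject.CommonName, req.Subject.Organization)
	}
	if len(req.DNSNames)+len(req.IPAddresses)+len(req.EmailAddresses)+len(req.URIs) > 0 {
		return fmt.Errorf("agent client CSR must not carry SANs")
	}
	return nil
}

// NewAgentCSR builds a DER CSR for the given subject; constructed sample input only.
func NewAgentCSR(cn string, orgs []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}}, key)
	return der
}
```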

@karmada-bot karmada-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 16, 2024
@karmada-bot karmada-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 16, 2024
codecov-commenter commented Nov 16, 2024


Codecov Report

Attention: Patch coverage is 5.00000% with 171 lines in your changes missing coverage. Please review.

Project coverage is 46.20%. Comparing base (2c82055) to head (1033461).
Report is 23 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...ollers/certificate/approver/agent_csr_approving.go | 0.00% | 153 Missing ⚠️ |
| pkg/util/certificate/csr.go | 47.36% | 10 Missing ⚠️ |
| cmd/controller-manager/app/controllermanager.go | 0.00% | 8 Missing ⚠️ |


Additional details and impacted files

```
@@            Coverage Diff             @@
##           master    #5825      +/-   ##
==========================================
- Coverage   46.31%   46.20%   -0.12%     
==========================================
  Files         661      663       +2     
  Lines       54326    54580     +254     
==========================================
+ Hits        25163    25220      +57     
- Misses      27537    27737     +200     
+ Partials     1626     1623       -3     
```

| Flag | Coverage Δ |
|---|---|
| unittests | 46.20% <5.00%> (-0.12%) ⬇️ |


@zhzhuang-zju zhzhuang-zju force-pushed the csrapproving branch 4 times, most recently from d439b07 to 30619a9 Compare November 21, 2024 06:48
@zhzhuang-zju (Contributor, Author)

local verification:

1. enable agentcsrapproving controller
```yaml
- --controllers=*,agentcsrapproving
```
2. register a new pull mode cluster member4
```shell
$  karmadactl register 172.18.0.4:31534 --token yzb0km.xsxut61mkvjulp51 --discovery-token-ca-cert-hash sha256:f161cd56b59b56e2a4a685ebfbc519aa11f3b08a52b11602db412d3d7275f8d7 --kubeconfig ~/.kube/member4.config --context member4  --karmada-agent-image docker.io/karmada/karmada-agent:latest --cluster-name member4 -v 4
I1121 14:46:59.807834 2566165 register.go:330] Registering cluster. cluster name: member4
I1121 14:46:59.807985 2566165 register.go:331] Registering cluster. cluster namespace: karmada-cluster
[preflight] Running pre-flight checks
I1121 14:46:59.808101 2566165 register.go:517] Validating the existence of file /etc/karmada/bootstrap-karmada-agent.conf
I1121 14:46:59.808167 2566165 register.go:517] Validating the existence of file /etc/karmada/karmada-agent.conf
I1121 14:46:59.808215 2566165 register.go:517] Validating the existence of file /etc/karmada/pki/ca.crt
[preflight] All pre-flight checks were passed
[karmada-agent-start] Waiting to perform the TLS Bootstrap
I1121 14:46:59.828019 2566165 register.go:1201] [discovery] Created cluster-info discovery client, requesting info from "172.18.0.4:31534"
I1121 14:46:59.843421 2566165 register.go:1239] [discovery] Requesting info from "172.18.0.4:31534" again to validate TLS against the pinned public key
I1121 14:46:59.856824 2566165 register.go:1256] [discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "172.18.0.4:31534"
I1121 14:46:59.856855 2566165 register.go:532] [discovery] Using provided TLSBootstrapToken as authentication credentials for the join process
I1121 14:46:59.856877 2566165 register.go:543] [discovery] writing bootstrap karmada-agent config file at /etc/karmada/bootstrap-karmada-agent.conf
I1121 14:46:59.857628 2566165 register.go:552] [discovery] writing CA certificate at /etc/karmada/pki/ca.crt
I1121 14:47:01.842790 2566165 register.go:911] Waiting for the client certificate agent-rbac-generator-member426cmb to be issued
I1121 14:47:02.845515 2566165 register.go:919] Signing certificate of csr agent-rbac-generator-member426cmb successfully
[karmada-agent-start] Waiting to check cluster exists
[karmada-agent-start] Assign the necessary RBAC permissions to the agent
[karmada-agent-start] Waiting to construct karmada-agent kubeconfig
I1121 14:47:03.642471 2566165 register.go:911] Waiting for the client certificate member4-6ddxj to be issued
I1121 14:47:04.646342 2566165 register.go:919] Signing certificate of csr member4-6ddxj successfully
I1121 14:47:04.646374 2566165 register.go:954] writing bootstrap karmada-agent config file at /etc/karmada/karmada-agent.conf
[karmada-agent-start] Waiting the necessary secret and RBAC
I1121 14:47:04.669992 2566165 idempotency.go:68] Secret karmada-system/karmada-kubeconfig has been created or updated.
I1121 14:47:04.676011 2566165 idempotency.go:188] ClusterRole karmada-agent has been created or updated.
I1121 14:47:04.684354 2566165 idempotency.go:212] ClusterRolebinding karmada-agent has been created or updated.
[karmada-agent-start] Waiting karmada-agent Deployment
```
3. check whether the new cluster is healthy
```shell
$ karmadactl get cluster -w
NAME      CLUSTER   VERSION   MODE   READY   AGE    ADOPTION
member1   Karmada   v1.31.0   Push   True    2d4h   N
member2   Karmada   v1.31.0   Push   True    2d4h   N
member3   Karmada   v1.31.0   Pull   True    46h    N
member4   Karmada   v1.31.0   Pull   True    18s    N
```

/assign @RainbowMango

@RainbowMango RainbowMango left a comment


/lgtm
/approve

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Nov 23, 2024
@karmada-bot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango


@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 23, 2024
@karmada-bot karmada-bot merged commit 2c51aca into karmada-io:master Nov 23, 2024
18 checks passed