feat: add RRSA storage authentication support for on-demand CSI mounts

[BH4AWS]

Add credential provider fields (CredProviderName, RoleName) to CSIMountConfig and implement the full storage-auth annotation injection pipeline, enabling pod-level RRSA (RAM Roles for Service Accounts) authentication for CSI storage mounts without traditional Secrets.

Key changes:

• api/v1alpha1: add CredProviderName and RoleName fields to CSIMountConfig
• pkg/identity: define AnnotationStorageAuth constant and StorageAuthItem type; propagate storage-auth annotation to sandbox token metadata
• pkg/utils/csiutils: skip Secret lookup when volumeAttributes contains "authType: agent-identity"; add BuildStorageAuthItems() with pluggable StorageAuthItemEnricher hook for inner extension
• pkg/controller/sandboxclaim/core: inject storage-auth annotation via Modifier closure in buildClaimOptions when CredProviderName is set
• pkg/servers/e2b: inject storage-auth annotation via Modifier closure in createSandboxWithClaim when CredProviderName is set

Tests:

• storages_provider_test.go: 11 new cases covering BuildStorageAuthItems, agent-identity Secret skip, and CredProviderName passthrough
• sandbox_token_helper_test.go: 5 new cases for storage-auth annotation propagation to token metadata
• common_control_test.go: 2 new cases for Modifier injection behavior
• create_test.go: 1 new case for CredProviderName request structure

Ⅰ. Describe what this PR does

Ⅱ. Does this pull request fix one issue?

Ⅲ. Describe how to verify it

Ⅳ. Special notes for reviews

[kruise-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zmberg for approval by writing /assign @zmberg in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

❌ Patch coverage is 71.92982% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.75%. Comparing base (04c19b6) to head (09dcff8).
⚠️ Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/servers/e2b/create.go	31.57%	11 Missing and 2 partials ⚠️
pkg/controller/sandboxclaim/core/common_control.go	78.57%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #568      +/-   ##
==========================================
- Coverage   79.76%   79.75%   -0.02%     
==========================================
  Files         195      202       +7     
  Lines       14140    14743     +603     
==========================================
+ Hits        11279    11758     +479     
- Misses       2457     2557     +100     
- Partials      404      428      +24     

Flag	Coverage Δ
unittests	79.75% <71.92%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.