Conversation

@abhay-krishna
Contributor

@abhay-krishna abhay-krishna commented Apr 22, 2025

The eks-pod-identity-agent add-on requires AWS credentials to call the EKS Auth AssumeRoleForPodIdentity API which enables it to grant AWS resource access (based on the permissions of the assumed role) to other Pods in the cluster. The eks-pod-identity-agent Daemonset for Bottlerocket hybrid nodes mounts the host path /var/eks-hybrid/.aws to consume AWS credentials present on the host at /var/eks-hybrid/.aws/credentials. We need some process that creates this credentials file and manages the rotation of these credentials. In case of the SSM credentials provider, the Bottlerocket control container generates a credentials file which is symlinked to /var/eks-hybrid/.aws on the host, and the amazon-ssm-agent refreshes these credentials every 30 minutes or so. We follow the symlink approach in nodeadm as well, albeit without the added abstraction of the control container.

To achieve the same in the IAM-RA credentials provider, we are adding a systemd unit file which runs the aws_signing_helper update command. This aligns with what nodeadm does to get pod-identity-agent working in other operating systems. This command creates (first invocation only) the AWS credentials file (/root/.aws/credentials by default but we're overriding this to /var/eks-hybrid/.aws/credentials) with temporary credentials and continuously updates them through a call to the IAM Roles Anywhere CreateSession API five minutes before the previous set of credentials are set to expire.

Changes:

  1. Adding new systemd unit file that runs the aws_signing_helper update command. The systemd unit file is added as a template in the bootstrap container during build time, and the actual unit file is created on-the-fly through the script. For creating the unit file, I went with the approach of simply extracting the entire aws_signing_helper credential-process command from the credential_process field and replacing the credential-process with the update command. I did this to align with the values used in the credential_process field of the input AWS config and in favor of avoiding requiring the user to pass in additional arguments that they've already passed in the instance user-data.
  2. Adding gettext to the list of installed packages, to be able to use the envsubst command.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
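
The unit-generation approach described in the PR (take the credential_process line the user already put in the AWS config, swap the credential-process subcommand for update, render a templated unit with envsubst), as an added example that is not Bottlerocket's or nodeadm's own script. The sample config, the unit template, and the use of AWS_SHARED_CREDENTIALS_FILE to point the helper at /var/eks-hybrid/.aws/credentials are assumptions made for the example; the awk branch in render_unit is only a fallback so the script also runs where gettext is not installed.

```shell
#!/bin/sh
# Added example, not Bottlerocket's or nodeadm's own script: build a systemd unit
# that runs `aws_signing_helper update` by reusing the arguments already present
# in the credential_process line of an AWS config file.
# Assumptions (not taken from the PR): the unit template below, the use of
# AWS_SHARED_CREDENTIALS_FILE to redirect the helper's output file, and the
# constructed sample config.
set -eu

# Path the eks-pod-identity-agent DaemonSet reads from the host (from the PR text).
CREDS_FILE="/var/eks-hybrid/.aws/credentials"

# Constructed sample config, shaped like the AWS config a user passes in user-data.
write_sample_config() {
  cat > "$1" <<'EOF'
[default]
region = us-west-2
credential_process = aws_signing_helper credential-process --certificate /etc/iam/pki/server.pem --private-key /etc/iam/pki/server.key --trust-anchor-arn arn:aws:rolesanywhere:us-west-2:111122223333:trust-anchor/ta-example --profile-arn arn:aws:rolesanywhere:us-west-2:111122223333:profile/p-example --role-arn arn:aws:iam::111122223333:role/HybridNodeRole
EOF
}

# Print the credential_process value of one profile; fail if it is absent.
extract_credential_process() {
  awk -v want="[$2]" '
    /^[[:space:]]*\[/ { in_section = ($0 == want); next }
    in_section && /^[[:space:]]*credential_process[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print; found = 1; exit
    }
    END { exit !found }
  ' "$1"
}

# Swap only the subcommand; every flag the user supplied is carried over unchanged.
to_update_command() {
  case "$1" in
    *"aws_signing_helper credential-process "*) ;;
    *) echo "refusing to rewrite a non-aws_signing_helper command: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | sed 's/aws_signing_helper credential-process /aws_signing_helper update /'
}

# Render the unit from a template. The PR uses envsubst (from gettext); the awk
# branch is a fallback so this example also runs where gettext is not installed.
render_unit() {
  template='[Unit]
Description=Refresh IAM Roles Anywhere credentials for the pod identity agent (example)
After=network-online.target
Wants=network-online.target

[Service]
# Assumption: the helper honours AWS_SHARED_CREDENTIALS_FILE for its output path.
Environment=AWS_SHARED_CREDENTIALS_FILE=${CREDS_FILE}
ExecStart=${EXEC_START}
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target'
  if command -v envsubst >/dev/null 2>&1; then
    printf '%s\n' "$template" | EXEC_START="$1" CREDS_FILE="$CREDS_FILE" envsubst '$EXEC_START $CREDS_FILE'
  else
    # awk -v interprets backslashes and gsub treats & specially; the values here contain neither.
    printf '%s\n' "$template" | awk -v e="$1" -v c="$CREDS_FILE" \
      '{ gsub(/\$[{]EXEC_START[}]/, e); gsub(/\$[{]CREDS_FILE[}]/, c) } 1'
  fi
}

# End to end: config file + profile name -> rendered unit text.
build_unit() {
  cmd=$(extract_credential_process "$1" "$2")
  render_unit "$(to_update_command "$cmd")"
}

# Demo on the constructed config; the output is what you would write to
# /etc/systemd/system before `systemctl daemon-reload && systemctl enable --now`.
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
build_unit "$demo_cfg" default
rm -f "$demo_cfg"
```

Two practitioner notes: to_update_command refuses anything that is not an aws_signing_helper credential-process command, so a config that uses some other credential_process fails loudly instead of producing a unit that runs an arbitrary command as root. And because the DaemonSet consumes the file through a hostPath mount, whatever writes /var/eks-hybrid/.aws/credentials should keep it root-owned and 0600; any pod that can mount that directory can read node-level credentials.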

@abhay-krishna abhay-krishna force-pushed the pod-identity-agent-support branch 4 times, most recently from 1a099e7 to 1a84c1b Compare April 23, 2025 20:05
@abhay-krishna abhay-krishna force-pushed the pod-identity-agent-support branch from 1a84c1b to 478e197 Compare April 23, 2025 22:25
@abhay-krishna abhay-krishna force-pushed the pod-identity-agent-support branch from 478e197 to 6ce49a6 Compare April 23, 2025 22:51
@abhay-krishna abhay-krishna force-pushed the pod-identity-agent-support branch 2 times, most recently from 59986e7 to cff7290 Compare April 23, 2025 23:33
@abhay-krishna abhay-krishna force-pushed the pod-identity-agent-support branch from cff7290 to 98f593b Compare April 24, 2025 00:27
@yeazelm yeazelm merged commit 3163e0c into bottlerocket-os:develop Apr 28, 2025