[helm/teleport-cluster] Add audience into serviceAccountToken for proxy service

[verdel]

What would you like Teleport to do?

We need to add the audience with the value {{ .Values.clusterName }} to the projected serviceAccountToken in the teleport-proxy deployment in the teleport-cluster helm chart.

What problem does this solve?

After backporting changes that allow the kubernetes in-cluster joining mechanism to use tokens with the clusterName specified in the audience, authorization for teleport-proxy in GKE (Google Cloud Kubernetes Engine) clusters breaks.

This happens because the TokenReview request now includes an audience that contains both https://kubernetes.default.svc and clusterName. However, in GKE, the default audience for ServiceAccount tokens is https://container.googleapis.com/v1/projects/PROJECT/locations/LOCATION/clusters/NAME. As a result, teleport-auth rejects the token from teleport-proxy.

It is necessary to explicitly specify the audience in the Deployment configuration to include clusterName, as it is already done in the chart for tbot.