Add audience for teleport-proxy kubernetes service account token in teleport-cluster chart

[verdel]

After backporting changes that allow the kubernetes in-cluster joining mechanism to use tokens with the clusterName specified in the audience, authorization for teleport-proxy in GKE (Google Cloud Kubernetes Engine) clusters breaks.

This happens because the TokenReview request now includes an audience that contains both https://kubernetes.default.svc and clusterName. However, in GKE, the default audience for ServiceAccount tokens is https://container.googleapis.com/v1/projects/PROJECT/locations/LOCATION/clusters/NAME. As a result, teleport-auth rejects the token from teleport-proxy.

Fixes #49756

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[CLAassistant]

All committers have signed the CLA.

[verdel]

I have read the CLA Document and I hereby sign the CLA

[hugoShaka]

Hello @verdel , thank you for quickly identifying the problem and contributing a fix, this is greatly appreciated 👍

Failing to join on clusters with custom domains was a regression in 16.4.9 and 17.0.3. I preferred fixing the Kube joining method by dynamically detecting audiences instead of doing a chart-only fix as some users rely on custom charts chart to deploy teleport on kube.

16.4.10 and 17.0.4 should work again on every cluster, please reopen the issue if this does not work for you.

Done in: #49796

[verdel]

@hugoShaka, Yes, I agree. I was just about to write a message to ask if I should close this PR.
Thank you for fixing the issue so quickly!