The Result API accepts bearer token auth, which is then checked against
the cluster. For human accounts, this means accepting a token that
likely has much higher priviledge than the Result API needs. As an
alternative, this adds support for fetching a service account bearer
token as a delegate for Result operations - the service account is
expected to have much finer permissions, reducing the scope / blast
radius of the credential.

This change:
- Adds a service_account config field
- Refactors client creation to allow for fake dependencies (i.e. k8s
client) to be injected for tests.
- Adds tests for token generation, SSL cert reading.