
fix: address TLS security vulnerabilities in SSL log, OIDC encryption, and K8s ssl_verify #13190

Open
AlinsRan wants to merge 1 commit into apache:master from AlinsRan:fix/tls-security-vulnerabilities

Conversation

@AlinsRan (Contributor) commented Apr 9, 2026

Summary

  • Remove debug log in apisix/ssl/router/radixtree_sni.lua that logged the full SSL object including private keys via core.log.info("debug - matched: ...). This is a security vulnerability as private key material could be exposed in logs.
  • Add client_rsa_private_key to encrypt_fields in openid-connect.lua so it is stored encrypted in etcd, not in plaintext.
  • Fix ssl_verify hardcoded to false in Kubernetes discovery informer_factory.lua; now reads from apiserver.ssl_verify which is configured in init.lua.
  • Add ssl_verify field to Kubernetes discovery schema — allows users to explicitly enable TLS certificate verification for the Kubernetes API server. Defaults to false for backward compatibility.

Changes

  • apisix/ssl/router/radixtree_sni.lua — Remove debug - matched log that leaked SSL private keys
  • apisix/plugins/openid-connect.lua — Add client_rsa_private_key to encrypt_fields
  • apisix/discovery/kubernetes/informer_factory.lua — Use apiserver.ssl_verify instead of hardcoded false
  • apisix/discovery/kubernetes/init.lua — Populate apiserver.ssl_verify from config (defaults to false)
  • apisix/discovery/kubernetes/schema.lua — Add ssl_verify boolean field to service schema

Tests

  • t/router/radixtree-sni3.t — TEST 8: verifies debug - matched is no longer logged after SSL handshake
  • t/plugin/openid-connect2.t — TEST 20: verifies client_rsa_private_key is encrypted at rest in etcd
  • t/discovery/kubernetes_ssl_verify.t — 4 new tests verifying ssl_verify behavior for http/https schemes and explicit configuration
  • t/kubernetes/discovery/kubernetes2.t — Updated to explicitly set ssl_verify: false in test config
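As an added illustration of the first point in the summary (the removed `debug - matched` line that dumped the whole SSL object), here is a small Lua helper that masks key-bearing fields before a table is logged. This is example code, not code from this PR or from APISIX: the `ssl_obj` shape, the `redact`/`to_string`/`is_sensitive` names and the list of sensitive field names are assumptions for the example, and the inline serializer stands in for `core.json.encode` so the snippet runs under a stock `lua` binary.

```lua
-- Added example, not APISIX code: mask key material before a table is logged.
-- Walks the value recursively; any field named like a private key is replaced
-- with a marker, so a "matched SSL object" debug line cannot leak the PEM.

local SENSITIVE = {
    key = true,                     -- assumed: ssl object field holding the PEM private key
    keys = true,                    -- assumed: multi-cert variant
    client_rsa_private_key = true,  -- openid-connect plugin field named in the PR
    client_secret = true,
}

local function is_sensitive(k)
    return SENSITIVE[k] == true
        or (type(k) == "string" and k:match("private_key$") ~= nil)
end

local function redact(value, depth)
    depth = depth or 0
    if type(value) ~= "table" then return value end
    if depth > 8 then return "<truncated>" end  -- defensive cap on nesting
    local out = {}
    for k, v in pairs(value) do
        if is_sensitive(k) then
            out[k] = "<redacted>"
        else
            out[k] = redact(v, depth + 1)
        end
    end
    return out
end

-- Deterministic serializer so the example runs without OpenResty;
-- APISIX itself would serialize with core.json.encode here.
local function to_string(v)
    if type(v) ~= "table" then return tostring(v) end
    local keys = {}
    for k in pairs(v) do keys[#keys + 1] = k end
    table.sort(keys, function(a, b) return tostring(a) < tostring(b) end)
    local parts = {}
    for _, k in ipairs(keys) do
        parts[#parts + 1] = tostring(k) .. "=" .. to_string(v[k])
    end
    return "{" .. table.concat(parts, ", ") .. "}"
end

-- Constructed sample shaped like an ssl object after an SNI match (not real keys).
local ssl_obj = {
    id = "1",
    sni = "example.com",
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
    key = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
    keys = { "-----BEGIN EC PRIVATE KEY-----\nMHc...\n-----END EC PRIVATE KEY-----" },
    ocsp_stapling = { enabled = false },
}

-- What the removed debug line amounted to: the whole object, key included.
-- print("debug - matched: " .. to_string(ssl_obj))

-- What a debug line for SNI routing should carry: the match, plus a masked dump.
local safe = to_string(redact(ssl_obj))
print("matched sni=" .. ssl_obj.sni .. " ssl=" .. safe)

-- Sanity checks: no PEM private-key header survives redaction, while the
-- public certificate stays visible for debugging.
assert(not safe:find("PRIVATE KEY", 1, true), "private key material leaked into log line")
assert(safe:find("BEGIN CERTIFICATE", 1, true), "public cert should still be visible")
```

The redaction is by field name, which is the cheap and predictable choice for structured objects whose schema you control; it does not catch a PEM blob that someone stuffed into an unexpectedly named field, so it complements rather than replaces the PR's approach of simply not logging the object at all.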

…, and K8s ssl_verify

- Remove debug log in radixtree_sni.lua that logged the full SSL object
  including private keys (security vulnerability)
- Add client_rsa_private_key to encrypt_fields in openid-connect.lua so
  it is stored encrypted in etcd, not plaintext
- Fix ssl_verify hardcoded to false in K8s discovery informer_factory.lua;
  now derived from apiserver configuration
- Add ssl_verify field to K8s discovery schema with configurable option
  to enable/disable TLS certificate verification (default: false for
  backward compatibility)
- Add tests for ssl_verify behavior in K8s discovery and SNI debug log
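For the Kubernetes `ssl_verify` change, the following is an added example, not this PR's or APISIX's code: it resolves the API-server client's `ssl_verify` from the discovery configuration instead of a hardcoded `false`, keeps the PR's stated default of `false`, and flags the insecure combination (https with verification off) so an operator notices. The `conf.service.schema` and `conf.service.ssl_verify` paths, the `resolve_apiserver` helper and the warning text are assumptions for the example.

```lua
-- Added example, not APISIX code: derive ssl_verify for the Kubernetes
-- API-server client from discovery config and warn on the insecure case.

local function resolve_apiserver(conf)
    local svc = conf.service or {}                -- assumed config path
    local scheme = svc.schema or "https"          -- assumed field name
    local ssl_verify = svc.ssl_verify
    if ssl_verify == nil then
        -- The PR keeps false as the default for backward compatibility;
        -- an operator who wants verified TLS must set it explicitly.
        ssl_verify = false
    end

    local warnings = {}
    if scheme == "https" and not ssl_verify then
        warnings[#warnings + 1] =
            "kubernetes discovery: TLS to the API server is NOT verified " ..
            "(ssl_verify=false); set service.ssl_verify: true to enable verification"
    elseif scheme == "http" and ssl_verify then
        warnings[#warnings + 1] = "ssl_verify has no effect over plain http"
    end

    return { scheme = scheme, ssl_verify = ssl_verify }, warnings
end

-- Constructed configs covering the cases the PR's tests name: http and https
-- schemes, with and without an explicit setting.
local cases = {
    { name = "https, nothing set (legacy)", conf = { service = { schema = "https" } } },
    { name = "https, explicit true",        conf = { service = { schema = "https", ssl_verify = true } } },
    { name = "https, explicit false",       conf = { service = { schema = "https", ssl_verify = false } } },
    { name = "http, explicit true",         conf = { service = { schema = "http",  ssl_verify = true } } },
}

for _, c in ipairs(cases) do
    local api, warns = resolve_apiserver(c.conf)
    print(string.format("%-30s scheme=%-5s ssl_verify=%s",
                        c.name, api.scheme, tostring(api.ssl_verify)))
    for _, w in ipairs(warns) do print("  warning: " .. w) end
end

-- Quick checks on the resolution rules.
assert(resolve_apiserver({ service = { schema = "https" } }).ssl_verify == false)
assert(resolve_apiserver({ service = { schema = "https", ssl_verify = true } }).ssl_verify == true)
local _, legacy_warns = resolve_apiserver({ service = { schema = "https" } })
assert(#legacy_warns == 1, "unverified https should produce exactly one warning")

-- Where the request is made (lua-resty-http, OpenResty only, not runnable here),
-- the resolved flag replaces the former literal:
--   httpc:request_uri(url, { ssl_verify = apiserver.ssl_verify, ... })
```

Because the default stays `false`, upgrading to this change alone does not make the connection to the API server any safer; the gain is that verification can now be turned on at all, and the warning above is the kind of signal that makes the remaining default visible in logs rather than silent.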
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels Apr 9, 2026