fix: metrics should be protected behind authZ

[adodon2go]

What type of PR is this?
bug

Which issue does this PR fix:
#1876

What does this PR do / Why do we need it:
In case anonymous policy is present in access control,we allow anonymous users to access to access /metrics endpoints.
To prevent this in accessControl section of config you can specify a list of metrics users that are allowed to access /metrics endpoint.
In case accessControl is not specified in config but auth is present than only authenticated users can access /metrics endpoint

If an issue # is not available please add repro steps and logs showing the issue:

Testing done on this change:

Automation added to e2e:

Will this break upgrades or downgrades?

Does this PR introduce any user-facing change?:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[codecov]

Codecov Report

Merging #1895 (7b1441d) into main (a44ca57) will decrease coverage by 0.03%.
The diff coverage is 88.37%.

@@            Coverage Diff             @@
##             main    #1895      +/-   ##
==========================================
- Coverage   91.87%   91.85%   -0.03%     
==========================================
  Files         155      155              
  Lines       26678    26701      +23     
==========================================
+ Hits        24511    24525      +14     
- Misses       1603     1611       +8     
- Partials      564      565       +1     

Files	Coverage Δ
pkg/api/authn.go	95.71% <100.00%> (ø)
pkg/api/config/config.go	97.35% <ø> (ø)
pkg/api/routes.go	94.50% <100.00%> (ø)
pkg/extensions/extension_metrics.go	100.00% <100.00%> (ø)
pkg/extensions/extension_metrics_disabled.go	100.00% <100.00%> (ø)
pkg/api/authz.go	94.00% <86.11%> (-1.64%)	⬇️

... and 3 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[rchincha]

There is a test failure?