Ensure correct AuthorizationConfiguration API version during upgrades (#12058)

* Ensure correct `AuthorizationConfiguration` API version during upgrades

Fixes an issue where the wrong AuthorizationConfiguration API version could be used by kube-apiserver prematurely during upgrades.

The `kubernetes/control-plane` role writes configuration for the target version before control plane pods are upgraded.

However, since the `AuthorizationConfiguration` file is reconciled continuously, this leads to a race condition where a new configuration version can be reconciled before kube-apiserver is upgraded to the compatible version.

This solution ensures the correct configuration is available throughout the process by writing each API version to a different file path. Unused file versions are cleaned up post-upgrade for better hygiene.

* Avoid from_json in cleanup task
Chad Swenson
2025-03-21 10:48:31 -05:00
committed by GitHub
parent bab6a9bf64
commit d5a5e6a93c
4 changed files with 16 additions and 8 deletions
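The scheme the commit message describes (one AuthorizationConfiguration file per apiVersion, so a file rendered for the target release cannot be picked up by a kube-apiserver that has not been upgraded yet, followed by cleanup of the versions no longer in use) can be walked through as an added example. This is illustration code written for this page, not Kubespray's role or template code. The mapping from Kubernetes minor version to the newest AuthorizationConfiguration apiVersion it accepts, the `apiserver-authorization-config-<apiVersion>.yaml` naming, the authorizer document shape and the helper names are assumptions of this example; the file name pattern follows the template change shown in the diff on this page.

```python
"""Per-apiVersion AuthorizationConfiguration files during a kube-apiserver upgrade.

Added illustration for this page, not Kubespray code. The version mapping below is an
assumption for the example; check the release notes of your target Kubernetes version.
"""
from __future__ import annotations

import os
import re
import tempfile

# Assumed: oldest kube-apiserver minor that accepts each apiVersion (newest first).
# v1alpha1 from 1.29, v1beta1 from 1.30, v1 from 1.32. Assumption for this example.
_API_VERSION_BY_MINOR = [(32, "v1"), (30, "v1beta1"), (29, "v1alpha1")]

# File name pattern matching the template change: one file per apiVersion.
_FILE_RE = re.compile(r"^apiserver-authorization-config-(v1(?:alpha\d+|beta\d+)?)\.yaml$")


def select_api_version(kube_version: str) -> str | None:
    """Newest AuthorizationConfiguration apiVersion a given kube-apiserver version accepts.

    Accepts strings like 'v1.31.4' or '1.32.0'. Returns None before 1.29 (assumed).
    """
    m = re.match(r"^v?1\.(\d+)", kube_version)
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {kube_version!r}")
    minor = int(m.group(1))
    for min_minor, api_version in _API_VERSION_BY_MINOR:
        if minor >= min_minor:
            return api_version
    return None


def authz_config_path(config_dir: str, api_version: str) -> str:
    """Versioned path: a newer schema never overwrites the file the running apiserver reads."""
    return os.path.join(config_dir, f"apiserver-authorization-config-{api_version}.yaml")


def render_authz_config(api_version: str, modes: list[str]) -> str:
    """Minimal AuthorizationConfiguration document (assumed shape) for the given modes."""
    lines = [
        f"apiVersion: apiserver.config.k8s.io/{api_version}",
        "kind: AuthorizationConfiguration",
        "authorizers:",
    ]
    for mode in modes:
        lines += [f"- type: {mode}", f"  name: {mode.lower()}"]
    return "\n".join(lines) + "\n"


def write_authz_config(config_dir: str, api_version: str, modes: list[str]) -> str:
    path = authz_config_path(config_dir, api_version)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_authz_config(api_version, modes))
    return path


def stale_authz_configs(config_dir: str, keep_api_version: str) -> list[str]:
    """Files for every other apiVersion: what a post-upgrade cleanup should remove."""
    stale = []
    for name in sorted(os.listdir(config_dir)):
        m = _FILE_RE.match(name)
        if m and m.group(1) != keep_api_version:
            stale.append(os.path.join(config_dir, name))
    return stale


def simulate_upgrade(config_dir: str, old_version: str, new_version: str, modes: list[str]) -> dict:
    """Write the target-version file ahead of the apiserver upgrade (as the role does),
    confirm the running apiserver's file is untouched, then clean up the stale version."""
    old_api = select_api_version(old_version)
    new_api = select_api_version(new_version)
    old_path = write_authz_config(config_dir, old_api, modes)
    new_path = write_authz_config(config_dir, new_api, modes)  # rendered before the pod upgrade
    with open(old_path, encoding="utf-8") as fh:
        old_intact = f"apiserver.config.k8s.io/{old_api}\n" in fh.read()
    removed = stale_authz_configs(config_dir, new_api)  # run once kube-apiserver is on new_version
    for path in removed:
        os.remove(path)
    return {"old_api": old_api, "new_api": new_api, "old_path": old_path,
            "new_path": new_path, "old_intact_during_upgrade": old_intact, "removed": removed}


def demo() -> dict:
    """Constructed scenario: upgrade from v1.31.4 to v1.32.1 with Node and RBAC authorizers."""
    with tempfile.TemporaryDirectory() as config_dir:
        return simulate_upgrade(config_dir, "v1.31.4", "v1.32.1", ["Node", "RBAC"])


if __name__ == "__main__":
    print(demo())
```

The point of the simulation is the ordering: with a single unversioned file, the second `write_authz_config` call would have replaced the v1beta1 document under a still-running 1.31 apiserver; with per-apiVersion paths the old file stays byte-identical until the cleanup step, which only runs after the apiserver has moved to the new version.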


@@ -144,7 +144,7 @@ apiServer:
{% endif %}
{% if kube_apiserver_use_authorization_config_file %}
- name: authorization-config
value: "{{ kube_config_dir }}/apiserver-authorization-config.yaml"
value: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
{% else %}
- name: authorization-mode
value: "{{ authorization_modes | join(',') }}"
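Review bot: the new `authorization-config` value interpolates `kube_apiserver_authorization_config_api_version`, but nothing in this hunk ensures that variable is defined and non-empty whenever `kube_apiserver_use_authorization_config_file` is true; an empty value renders `apiserver-authorization-config-.yaml`, which kube-apiserver would fail to open at start. Consider guarding it (a `mandatory` filter in the template or an `assert` task in the role) and defining the full path once as a single variable, since the same Jinja expression is repeated for the flag value here and for the volume further down.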
@@ -306,8 +306,8 @@ apiServer:
{% endif %}
{% if kube_apiserver_use_authorization_config_file %}
- name: authorization-config
hostPath: {{ kube_config_dir }}/apiserver-authorization-config.yaml
mountPath: {{ kube_config_dir }}/apiserver-authorization-config.yaml
hostPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
mountPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
{% endif %}
{% if kubernetes_audit or kubernetes_audit_webhook %}
- name: {{ audit_policy_name }}
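Review bot: the hostPath and mountPath on the added lines repeat the Jinja expression used for the `authorization-config` flag value rather than sharing one variable, so a later edit to either spot can silently desynchronise the mounted file from the path the apiserver is told to read; a single path variable referenced in all three places avoids that. Separately, the `authorization-config` extraVolume still carries no `readOnly: true` in the visible lines; kube-apiserver only reads this file, so mounting it read-only (which kubeadm's extraVolumes support) is the safer default.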