Commit ec32b5b

fix(iam): oidc provider retrieves leaf certificate instead of root certificate (#22509)
Currently, the IAM OIDC Provider is retrieving leaf certificates for a given URL. The validity of these certificates is not that long. This can cause an outage for the customer since they might not be aware of when the certificate is going to expire. We have seen an [outage](#8607) in EKS due to this issue. This change will help retrieve root certificates instead of leaf certificates. The validity of a root certificate is much longer than that of the leaf certificates. I am also adding validations for the certificate and also informing the customer if their retrieved certificate is going to expire within six months when they do a new deployment.

Fixes #8607

Signed-off-by: Vinayak Kukreja <[email protected]>

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent aa19ec0 commit ec32b5b
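As an added illustration of the approach the commit message describes (example code, not code from this commit or from aws-cdk): walk the chain the server presents, pin the self-signed root rather than the leaf, compute the SHA-1 thumbprint that IAM's ThumbprintList carries, and flag any certificate that expires within six months. The chain is constructed in-process; the names Demo Root CA and oidc.example.test and the 182-day window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// SixMonths is the warning window assumed here for "expires within six months".
const SixMonths = 182 * 24 * time.Hour
// Thumbprint is the lowercase hex SHA-1 of the DER bytes, the form IAM's ThumbprintList carries.
func Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}
// RootOfChain returns the self-signed CA in a chain (leaf first, as TLS presents it),
// so the pinned thumbprint tracks the long-lived anchor rather than the short-lived leaf.
func RootOfChain(chain []*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range chain {
		if c.IsCA && c.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(c) == nil {
			return c, nil
		}
	}
	return nil, errors.New("no self-signed root certificate in chain")
}
// ExpiresWithin reports whether c's NotAfter falls within d of now.
func ExpiresWithin(c *x509.Certificate, now time.Time, d time.Duration) bool {
	return !c.NotAfter.After(now.Add(d))
}
// NewChain builds a constructed demo chain (10-year root, 90-day leaf); errors ignored on fixed test data.
func NewChain(now time.Time) []*x509.Certificate {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "oidc.example.test"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, 90)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, root, &leafKey.PublicKey, rootKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return []*x509.Certificate{leaf, root}
}
```

Pinning the root's thumbprint and warning on the leaf's expiry is the same pair of checks the commit message adds to the provider; a real deployment would feed the chain obtained from the issuer URL into RootOfChain.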


100 files changed

+866
-1428
lines changed


packages/@aws-cdk/aws-eks/lib/oidc-provider.ts

-8
@@ -41,18 +41,10 @@ export class OpenIdConnectProvider extends iam.OpenIdConnectProvider {
4141
* @param props Initialization properties
4242
*/
4343
public constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps) {
44-
/**
45-
* For some reason EKS isn't validating the root certificate but a intermediate certificate
46-
* which is one level up in the tree. Because of the a constant thumbprint value has to be
47-
* stated with this OpenID Connect provider. The certificate thumbprint is the same for all the regions.
48-
*/
49-
const thumbprints = ['9e99a48a9960b14926bb7f3b02e22da2b0ab7280'];
50-
5144
const clientIds = ['sts.amazonaws.com'];
5245

5346
super(scope, id, {
5447
url: props.url,
55-
thumbprints,
5648
clientIds,
5749
});
5850
}
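Review bot: With the hard-coded `thumbprints` array and its explanatory comment removed, nothing left in this file records why the EKS provider no longer pins a constant or where the thumbprint now comes from; add a short note on the constructor (or the class doc) saying that the base `iam.OpenIdConnectProvider` resolves it from `props.url` at deploy time and that, per the commit message, the resolved value is the root certificate's thumbprint, so the next reader does not reintroduce the constant. The deleted comment also asserted that EKS validates an intermediate rather than the root; since this change now pins the root, that claim should be explicitly refuted in the new comment rather than silently dropped.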

packages/@aws-cdk/aws-eks/test/cluster.test.ts

-3
@@ -2156,9 +2156,6 @@ describe('cluster', () => {
21562156
ClientIDList: [
21572157
'sts.amazonaws.com',
21582158
],
2159-
ThumbprintList: [
2160-
'9e99a48a9960b14926bb7f3b02e22da2b0ab7280',
2161-
],
21622159
Url: {
21632160
'Fn::GetAtt': [
21642161
'Cluster9EE0221C',
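Review bot: Deleting the `ThumbprintList` assertion leaves this test silent on the one property the fix changes; rather than dropping the three lines, assert the new shape (for example that `ThumbprintList` is now a resolved attribute of the thumbprint custom resource instead of the literal `'9e99a48a9960b14926bb7f3b02e22da2b0ab7280'`, or `Match.absent()` if the property is no longer emitted), so a regression that reintroduces a hard-coded leaf thumbprint fails the test.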

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/diff.d.ts

-4
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/diff.ts

-17
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/external.d.ts

-24
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/external.js

-53
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/external.ts

-53
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/index.d.ts

-3
This file was deleted.

packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42973d1d89f4a393a64981f78d088964ba13e63a3aab4478cd74109c77cf9174/index.ts

-89
This file was deleted.
