improve error reporting from gcp identity provider

libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceGCPUtils.java

@@ -69,6 +69,7 @@ public InstanceGCPUtils(HttpTransport httpTransport, JsonFactory jsonFactory) {
                 .setAudience(List.of(expectedAudience))
                 .build();
     }
+
     public GoogleIdToken.Payload validateGCPIdentityToken(final String token, StringBuilder errMsg) {
 
         try {
@@ -85,6 +86,8 @@ public GoogleIdToken.Payload validateGCPIdentityToken(final String token, String
                 "email_verified":true,"exp":1678259131,"iat":1678255531,"iss":"https://accounts.google.com","sub":"102023896904281105569"}
                  */
                 return validatedToken.getPayload();
+            } else {
+                errMsg.append("ID token was not verified by GCP. Possible reasons: expired token/invalid issuer or audience/invalid signature");
             }
         } catch (IllegalArgumentException | GeneralSecurityException | IOException e) {
             LOGGER.error("unable to validate GCP instance identity token error={} type={}", e.getMessage(), e.getClass());

libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceUtils.java

@@ -63,7 +63,7 @@ static List<String> processK8SDnsSuffixList(final String propertyName) {
         List<String> k8sDnsSuffixes = new ArrayList<>();
         final String k8sDnsSuffix = System.getProperty(propertyName);
         if (StringUtil.isEmpty(k8sDnsSuffix)) {
-            LOGGER.error("K8S DNS Suffix not specified - all requests must satisfy standard dns suffix checks");
+            LOGGER.info("K8S DNS Suffix not specified - all requests must satisfy standard dns suffix checks");
         } else {
             // in our checks we're going to match against the given suffix so
             // when generating the list we'll verify if the suffix starts with