The current Kubernetes reader is pretty hacky and runs kubectl proxy as a subprocess to avoid needing to deal with API authentication and system proxies.
This adds complexity and potentially leaves behind zombie kubectl proxy processes when killed, despite best effort attempts to clean them up. Additionally, due to security restrictions in kubectl, we can't use websockets to watch for namespace events.
Instead, we should use the Kubernetes API directly. This involves:
- discovering and parsing kubeconfig files (they do not appear to have a documented spec) and support various auth mechanisms
  - client cert auth, embedded or file
  - username/password auth
  - exec auth (e.g. aws-iam-authenticator)
  - server certs, embedded or file
  - null auth
- functions for each auth method to add auth headers to a request
- replace existing kubectl proxy implementation
The native client implementation supports all auth types I'm aware of and should theoretically work with any given kubeconfig... except for servers without a proper hostname (minikube, microk8s, etc). rustls can't verify IP addresses, so we'll probably need to pull in the kubectl proxy hack so these cases still work. At least now it's usually avoidable.
I'd also like to spin the Kubernetes client out into its own crate at some point.
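An added example, not code from this project: two pieces discussed above in std-only Rust, a per-method function that yields the auth header for a request, and the check for servers addressed by IP literal, the case the comment says still needs the kubectl proxy fallback. `UserAuth`, `auth_header` and `server_is_ip` are hypothetical names, and the kubeconfig is assumed to be parsed already.

```rust
use std::net::IpAddr;
// Hypothetical type: one kubeconfig user entry after parsing.
pub enum UserAuth {
    ClientCert, // presented in the TLS handshake, adds no header
    Basic { username: String, password: String },
    Token(String), // e.g. a token printed by an exec plugin
    Null,
}

// Standard base64 with padding (RFC 4648), std-only.
fn base64(input: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for chunk in input.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = (b[0] as u32) << 16 | (b[1] as u32) << 8 | b[2] as u32;
        for i in 0..4usize {
            let c = T[((n >> (18 - 6 * i)) & 63) as usize] as char;
            out.push(if i <= chunk.len() { c } else { '=' });
        }
    }
    out
}

// Header to attach to each API request, if the method uses one.
pub fn auth_header(auth: &UserAuth) -> Option<(&'static str, String)> {
    match auth {
        UserAuth::Basic { username, password } => {
            let pair = format!("{}:{}", username, password);
            Some(("Authorization", format!("Basic {}", base64(pair.as_bytes()))))
        }
        UserAuth::Token(t) => Some(("Authorization", format!("Bearer {}", t))),
        UserAuth::ClientCert | UserAuth::Null => None,
    }
}

// True when the cluster `server` URL names an IP literal, not a DNS name.
pub fn server_is_ip(server: &str) -> bool {
    let rest = server.split_once("://").map_or(server, |(_, r)| r);
    let authority = rest.split('/').next().unwrap_or("");
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),
        None => authority.rsplit_once(':').map_or(authority, |(h, _)| h),
    };
    host.parse::<IpAddr>().is_ok()
}

fn main() {
    println!("{}", server_is_ip("https://192.168.99.100:8443")); // constructed sample server
}
```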