feat: Add kube-rs client for Kubernetes API access

[initcron]

Summary

Add kube-rs as a dependency and implement shared Kubernetes client for all K8s runtime implementations.

Parent Epic

Part of #1 - Production Kubernetes & Container Support

Motivation

The k8s-job and k8s-service runtimes both need to interact with the Kubernetes API. A shared client implementation ensures:

• Consistent authentication handling
• Connection pooling and efficiency
• Proper error handling
• Unified configuration

Implementation Details

Dependencies

[dependencies]
kube = { version = "0.87", features = ["runtime", "client", "derive"] }
k8s-openapi = { version = "0.20", features = ["v1_28"] }

Client Initialization

pub struct KubeClientProvider {
    client: Option<Client>,
}

impl KubeClientProvider {
    pub async fn get_client(&self) -> Result<Client, KubeError> {
        // Try in-cluster config first
        // Fall back to kubeconfig
        // Cache and reuse client
    }
}

Authentication Methods

1. In-cluster (default when running in K8s)

   • ServiceAccount token from /var/run/secrets/kubernetes.io/serviceaccount/token
   • CA cert from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

2. Kubeconfig (for local development)

   • Default: ~/.kube/config
   • Override via KUBECONFIG env var
   • Context selection via config

Features Required

• In-cluster authentication
• Kubeconfig authentication
• Client singleton/pool management
• Namespace defaulting
• Error handling and retries
• Connection health monitoring

Acceptance Criteria

• Client works in-cluster with ServiceAccount
• Client works locally with kubeconfig
• Multiple runtimes share client instance
• Proper error messages for auth failures
• Configurable timeout and retry settings

Configuration

# gateway.yaml
kubernetes:
  context: my-cluster  # optional, for kubeconfig
  namespace: default   # default namespace
  timeout_seconds: 30

References

• kube-rs documentation
• kube-rs examples