Track opened connections with a single tracker per authenticator

[liggitt]

What type of PR is this?

/kind bug

What this PR does / why we need it:

Consolidates connection tracking when creating exec auth clients to use a single tracker per authenticator.

This side-steps the following issues to unblock exec auth:

• clientset.New creating egregiously many new restclients for a clientset (~40+)
• kubectl describe creating a new clientset per object
• kubectl get creating a new clientset per object (for some output types)

Which issue(s) this PR fixes:
Fixes #91913

Does this PR introduce a user-facing change?:

Using exec auth plugins with kubectl no longer results in warnings about constructing many client instances from the same exec auth config.

/cc @enj @ankeesler
@kubernetes/sig-auth-pr-reviews

[k8s-ci-robot]

@liggitt: GitHub didn't allow me to request PR reviews from the following users: ankeesler.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

What type of PR is this?

/kind bug

What this PR does / why we need it:

Consolidates connection tracking when creating exec auth clients to use a single tracker per authenticator.

Which issue(s) this PR fixes:
Fixes #91913

Does this PR introduce a user-facing change?:

Using exec auth plugins with kubectl no longer results in warnings about constructing many client instances from the same exec auth config.

/cc @enj @ankeesler
@kubernetes/sig-auth-pr-reviews

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/client-go/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

/triage accepted
/priority important-soon
/milestone v1.21

[ankeesler]

lol, i tried something remarkably similar yesterday, so that is a good sign.

one thing i still can't convince myself of: will sibling clients that use the same exec authenticator potentially interrupt each other's connections?

• scenario: 2 rest.RESTClient's, using the same exec.Authenticator
• rest.RESTClient A wants to make HTTP call, so it creates TCP connection to API, gets certs from tls.Config.GetCert, creates TLS session, starts long REST operation (i.e., watch?)
• rest.RESTClient B wants to make HTTP call, so it creates TCP connection to API, gets certs from tls.Config.GetCert, exec.Authenticator sees that cert has expired, so it goes to refresh the cert and therefore calls CloseAll() on all the TCP connections, and thus rest.RESTClient A's long REST operation is interrupted because the TCP connection is closed

[liggitt]

will sibling clients that use the same exec authenticator potentially interrupt each other's connections?

Yes, as they did before this PR

[ankeesler]

Yes, as they did before this PR

ah, yes. dang should have caught that! alrighty, this seems like a net improvement then.

[liggitt]

kind flakes were both #96803

/retest

[liggitt]

/cc @deads2k

[enj]

/lgtm

[ipleten]

Is there any chances it can be backported to v1.19?