feat: add native Kubernetes service discovery and auto-ingress (#1607)

[mahendrarathore1742]

Implements native Kubernetes API integration for cloudflared, enabling automatic discovery and exposure of annotated Kubernetes services through Cloudflare Tunnel without manual ingress configuration.

New k8s/ package

• Lightweight REST client (no client-go dependency) supporting both in-cluster service account auth and kubeconfig-based auth
• Annotation-based service discovery:
  • cloudflared.cloudflare.com/tunnel: "true" (required)
  • cloudflared.cloudflare.com/hostname (override generated hostname)
  • cloudflared.cloudflare.com/port (select specific service port)
  • cloudflared.cloudflare.com/scheme (http/https)
  • cloudflared.cloudflare.com/path (path regex for ingress rule)
  • cloudflared.cloudflare.com/no-tls-verify (disable TLS verify)
  • cloudflared.cloudflare.com/origin-server-name (SNI override)
• Ingress rule generation from discovered services with merge/dedup
• Periodic watcher with configurable resync interval for runtime updates

CLI subcommands (cloudflared tunnel kubernetes)

• discover: one-shot service discovery (table/json/yaml output)
• watch: continuous watching with live updates
• generate-config: output mergeable ingress YAML

Config file support

kubernetes: enabled: true baseDomain: example.com namespace: default exposeAPIServer: true apiServerHostname: k8s.example.com

Integration

• Startup: discovered services merged into ingress rules at tunnel start
• Runtime: watcher updates orchestrator config on service changes
• Optional Kubernetes API server exposure through the tunnel

Closes #1607