
Proxy doesn't support auth providers in kubeconfig #3652

Closed
awly opened this issue Apr 30, 2020 · 1 comment · Fixed by #3655
awly commented Apr 30, 2020

Description

What happened:

Running proxy with a kubeconfig that uses auth providers (gcp/azure/openstack/etc) will fail at startup with: Original Error: *errors.errorString no Auth Provider found for name "gcp"

There are a few missing pieces:

  • teleport binary should import k8s.io/client-go/plugin/pkg/client/auth for support to be compiled in
  • lib/kube/proxy/forwarder.go should propagate their credentials (usually bearer tokens) with http.RoundTripper wrappers (instead of cfg.BearerToken, since they are dynamically generated)
    • note: there seem to be two separate authn plumbing code paths for exec/portforward/etc and all other requests
    • we should probably unify those and make connecting+authn independent from what kind of request this is (if possible)

Note: auth providers are on the path to deprecation. However, at least GCP currently still defaults to them instead of exec plugins.

What you expected to happen:

Proxy starts successfully and provisions either mTLS key/certs or bearer tokens from auth providers.

How to reproduce it (as minimally and precisely as possible):

  1. gcloud container clusters create foo
  2. teleport start with a config pointing at kubeconfig generated by gcloud
@awly awly self-assigned this Apr 30, 2020
awly commented May 1, 2020

Talked to @klizhentas; we will only support gcp and azure providers, but not oidc or openstack.
This gives us coverage for the most popular k8s hosting providers and keeps the attack surface increase small.

Exec providers (which are, confusingly, not a type of "auth provider") are supported by default without magic imports. However, we're not using http.RoundTripper wrapping correctly to support bearer tokens from exec providers (which is what AWS uses).
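Added example (not Teleport's or client-go's code) illustrating the credential plumbing described in the issue body's bullet list and in the follow-up comment above: a stand-alone Go program using only the standard library, in which a `TokenSource` stands in for a kubeconfig auth provider or exec plugin, a `bearerRoundTripper` fetches and injects the current token on every request (the role client-go's `rest.TransportFor` / `rest.HTTPWrappersForConfig` transport wrappers play for provider-issued credentials), and a client that copied the token once at startup, as reading `cfg.BearerToken` would, is shown failing with 401 once the provider rotates the credential while the wrapped client keeps working. The token source, the fake API server, the token values and the helper names (`NewClient`, `Probe`, `Scenario`) are constructed for this demo; the blank import `_ "k8s.io/client-go/plugin/pkg/client/auth"` mentioned in the issue is not needed here because no client-go code is involved.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// TokenSource stands in for a kubeconfig auth provider (gcp/azure) or an exec
// plugin: credentials are produced on demand and may change between calls.
type TokenSource interface {
	Token() (string, error)
}

// rotatingSource is a constructed source whose token changes on Rotate(),
// like a cloud access token being refreshed by the provider.
type rotatingSource struct{ gen int64 }

func (s *rotatingSource) Token() (string, error) {
	return fmt.Sprintf("tok-%d", atomic.LoadInt64(&s.gen)), nil
}
func (s *rotatingSource) Rotate() { atomic.AddInt64(&s.gen, 1) }

// staticToken reproduces the defect: a token copied once at startup, as if
// read from cfg.BearerToken, and never refreshed afterwards.
type staticToken string

func (t staticToken) Token() (string, error) { return string(t), nil }

// bearerRoundTripper asks the source for a token at request time and injects it,
// so every request kind (plain REST, exec, portforward) shares one authn path.
type bearerRoundTripper struct {
	src  TokenSource
	next http.RoundTripper
}

func (b *bearerRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := b.src.Token()
	if err != nil {
		return nil, err
	}
	// A RoundTripper must not mutate the caller's request; work on a clone.
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+tok)
	return b.next.RoundTrip(r)
}

// NewClient (hypothetical helper) wraps the default transport the way
// client-go's transport wrappers do for provider-issued credentials.
func NewClient(src TokenSource) *http.Client {
	return &http.Client{Transport: &bearerRoundTripper{src: src, next: http.DefaultTransport}}
}

// NewFakeAPIServer is a constructed stand-in for the cluster API server: it
// accepts only the token the provider currently considers valid.
func NewFakeAPIServer(src TokenSource) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		want, _ := src.Token()
		if r.Header.Get("Authorization") != "Bearer "+want {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

// Probe sends one request and returns the HTTP status the server answered.
func Probe(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Scenario drives a static-token client and a dynamic one across a token
// rotation; returns [static before, static after, dynamic before, dynamic after].
func Scenario() ([4]int, error) {
	src := &rotatingSource{}
	srv := NewFakeAPIServer(src)
	defer srv.Close()
	tok, err := src.Token() // snapshot taken once at startup, never refreshed
	if err != nil {
		return [4]int{}, err
	}
	clients := []*http.Client{NewClient(staticToken(tok)), NewClient(src)}
	var out [4]int
	for round := 0; round < 2; round++ {
		for i, c := range clients {
			if out[2*i+round], err = Probe(c, srv.URL); err != nil {
				return out, err
			}
		}
		src.Rotate() // the provider refreshed the credential between rounds
	}
	return out, nil
}
```

`Scenario()` returns `[200 401 200 200]`: the snapshot client is rejected after the first rotation, the wrapped client is not. The same wrapper is what makes connecting and authn independent of the request kind: exec and portforward upgrades go through the same `http.RoundTripper` as ordinary API calls, so there is one place where provider credentials are fetched and one place to audit.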
