Commit 50d5048
docs: Add EKS kubeconfig authentication integration PRD (#1884)
* docs: Add EKS kubeconfig authentication integration PRD
This PRD defines the design for integrating EKS kubeconfig generation into Atmos's
authentication system via the integration pattern. EKS kubeconfig generation will be
automatic on identity login and available via `atmos auth eks-kubeconfig` command.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* docs: Update EKS PRD based on review feedback
Changes based on PR review:
- Use `atmos aws eks update-kubeconfig` instead of `atmos auth eks-kubeconfig`
- Update kubeconfig schema to use nested structure with path/mode/update fields
- Simplify KUBECONFIG env var example to use `atmos auth env --format=export`
- Add note clarifying exec credential plugin is standard AWS CLI format
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* docs: Sync EKS kubeconfig PRD with current codebase
Align the PRD with the actual integration infrastructure after
rebasing onto main. Fixes incorrect interface definition, method
names, file paths, and dependency status.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Use atmos as exec credential plugin, simplify XDG path
Replace `aws eks get-token` with `atmos auth eks-token` as the
kubeconfig exec credential plugin, eliminating the AWS CLI dependency.
Simplify XDG path usage to call GetXDGConfigDir directly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Update architecture diagram to show kubectl exec flow
Add the kubectl-time exec flow showing atmos auth eks-token
being invoked by kubectl to generate bearer tokens via STS.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Add identity resolution, KUBECONFIG append, Mode parsing to EKS PRD
- Add --identity flag and interactiveMode: Never to exec plugin spec
for deterministic credential selection with multiple identities
- Specify KUBECONFIG colon-separated append semantics (idempotent)
- Fix eks-token command path to cmd/auth_eks_token.go matching existing
auth subcommand pattern (not CommandProvider)
- Specify KubeconfigSettings.Mode octal parsing via strconv.ParseUint
- Replace custom MergeKubeconfig with k8s.io/client-go/tools/clientcmd
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Fix security note, diagram label, Role ARN scope in EKS PRD
- Update security note #5 to reflect deterministic identity binding
via --identity flag (no longer "ambient AWS credentials")
- Fix diagram: "STS GetCallerID" → "GetCallerIdentity"
- Clarify that auth subcommands use authCmd.AddCommand(), not
CommandProvider (which is for top-level commands only)
- Distinguish existing --role-arn flag (generation-time) from future
exec plugin role assumption (runtime) in Future Enhancements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Sync EKS PRD with current codebase
- Add validation spec for KubeconfigSettings.Update (reject invalid
values at config-load time, default "merge")
- Add k8s.io/client-go and PR #1903 to Dependencies section
- Fix `atmos auth env --format=export` to `atmos auth env` (bash is
the default; "export" is not a valid format)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Rewrite EKS PRD intro, add Terraform provider documentation
Rewrite the executive summary and problem statement to better frame
the motivation: Atmos already manages cloud auth, so extending to
Kubernetes config is a natural next step. Add Terraform Kubernetes
provider section showing kubeconfig-based and exec-based approaches.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Clarify exec plugin mechanism in Terraform provider section
Explain that the kubeconfig's exec spec contains `command: atmos`
which the Terraform provider invokes on demand for token refresh.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Add integration lifecycle, env var composition, and flag docs to EKS PRD
- Show --identity and --profile flags in Desired Workflow examples
- Extend Integration interface with Cleanup() and Environment() methods
- Add Integration Cleanup on Logout section (logout undoes login effects)
- Add Integration Environment Variables section with composition strategy
for multi-integration scenarios (blue/green clusters, mixed EKS+ECR)
- Update CLI command flags with env var bindings and flag disambiguation
- Replace kubeconfig cleanup future enhancement with CI/CD workflow item
- Add test cases for cleanup, environment composition, and logout
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
1 parent 7091aa6 commit 50d5048
1 file changed, +947 -0 lines changed