Add dynamic config provider for exec-based credential refresh #1

Open
kushwiz wants to merge 1 commit into master from kushalb/kubeconfig-exec
kushwiz commented Mar 8, 2026

Summary

This PR adds support for a new cluster authentication method called KubeConfigExecProvider that executes an external command to produce a full kubeconfig file dynamically. Unlike the existing ExecProviderConfig, which only produces credentials, this provider generates an entire kubeconfig (including server, CA, and auth) that ArgoCD reads to build a REST config.

Why is this needed?

In secure enterprise environments, cluster credentials and CA certificates are frequently rotated. The existing ExecProviderConfig only refreshes auth credentials, not the full TLS configuration including CA certificates. This causes connection failures when CAs rotate, requiring manual cluster re-registration.

This feature enables:

  • Dynamic credential AND CA certificate rotation
  • Integration with custom authentication proxies that generate full kubeconfigs
  • HashiCorp Vault integration for complete cluster configs
  • Cloud provider CLI tools that produce auto-refreshing kubeconfigs

Closes argoproj#26729

Changes

  • Added KubeConfigExecProvider type in ClusterConfig for executing external commands that produce full kubeconfig files
  • Added SetConfigProvider option in gitops-engine cluster cache for dynamic config refresh on each sync cycle
  • Added unit tests for new functionality

Checklist

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Title of the PR
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.

PR Title:

feat: add KubeConfigExecProvider for dynamic cluster credentials (#26729)

Add support for a new cluster authentication method that executes an
external command to produce a full kubeconfig file dynamically. Unlike
ExecProviderConfig which only produces credentials, this provider
generates an entire kubeconfig (server, CA, auth) that ArgoCD reads
to build a REST config.

Key changes:
- New KubeConfigExecProvider type in ClusterConfig
- SetConfigProvider option in gitops-engine cluster cache for
  dynamic config refresh on each sync cycle
- Unit tests for new functionality

Closes argoproj#26729

Signed-off-by: Kushal Bhandari <kushalb@fb.com>
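
As an added illustration (not code from this PR or from Argo CD), this is one check a consumer of such a provider could run on the command's output before building a REST config from it. It assumes the command prints the kubeconfig as JSON on stdout; `RunProvider` and `ValidateKubeconfig` are hypothetical names, and the fields read are the standard kubeconfig `server`, `certificate-authority-data` and `insecure-skip-tls-verify`.

```go
package main

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"os/exec"
	"strings"
)

type kubeconfig struct { // only the standard kubeconfig cluster fields this check reads
	Clusters []struct {
		Cluster struct {
			Server   string
			CAData   string `json:"certificate-authority-data"`
			Insecure bool   `json:"insecure-skip-tls-verify"`
		}
	}
}

// ValidateKubeconfig rejects provider output that would weaken TLS to the cluster.
func ValidateKubeconfig(out []byte) error {
	var kc kubeconfig
	if err := json.Unmarshal(out, &kc); err != nil || len(kc.Clusters) == 0 {
		return fmt.Errorf("provider output is not a JSON kubeconfig with at least one cluster")
	}
	for _, c := range kc.Clusters {
		if !strings.HasPrefix(c.Cluster.Server, "https://") || c.Cluster.Insecure {
			return fmt.Errorf("cluster %q: TLS verification weakened", c.Cluster.Server)
		}
		der, _ := base64.StdEncoding.DecodeString(c.Cluster.CAData)
		if block, _ := pem.Decode(der); block == nil || block.Type != "CERTIFICATE" {
			return fmt.Errorf("cluster %q: missing or malformed CA bundle", c.Cluster.Server)
		}
	}
	return nil
}

// RunProvider (hypothetical) runs the command, bounded by ctx, and validates its stdout.
func RunProvider(ctx context.Context, name string, args ...string) ([]byte, error) {
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.Env = []string{"PATH=/usr/bin:/bin"} // minimal environment, nothing inherited
	out, err := cmd.Output()
	if err != nil {
		return nil, fmt.Errorf("provider command failed: %w", err)
	}
	return out, ValidateKubeconfig(out)
}
```
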
@baurmatt

@kushwiz Hey! 👋 Aren't you targeting the wrong repository? 🤔 I think this should be a MR to https://github.com/argoproj/argo-cd ? 🤔

kushwiz commented May 7, 2026

> @kushwiz Hey! 👋 Aren't you targeting the wrong repository? 🤔 I think this should be a MR to https://github.com/argoproj/argo-cd ? 🤔

Yes! I am waiting for the proposal to get approved so I can send the PR there :)

kushwiz commented May 7, 2026

argoproj#27743 here it is @baurmatt

Successfully merging this pull request may close these issues.

Enhancement Proposal: KubeConfigExecProvider for Dynamic Cluster Credentials