Fix race condition in bearertokenauth extension, the dobule removal of watcher (open-telemetry#44104)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description


```bash
2025-10-02T02:30:59.851Z	error	[email protected]/bearertokenauth.go:131	fsnotify: can't remove non-existent watch: /var/run/secrets/kubernetes.io/serviceaccount/token	{"resource": {"service.instance.id": "db1e09f0-e9b5-421e-b9f2-539af8965363", "service.name": "otelcol", "service.version": "0.135.0"}, "otelcol.component.id": "bearertokenauth", "otelcol.component.kind": "extension"}
github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension.(*bearerTokenAuth).startWatcher
	github.com/open-telemetry/opentelemetry-collector-contrib/extension/[email protected]/bearertokenauth.go:131
```

The error means the code called watcher.Remove(path) on a file that the
fsnotify watcher was already no longer watching.
In the specific case of the Kubernetes service account token, this
happens because Kubernetes rotates the token by deleting and replacing
the file (it's an atomic update).


<!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. -->
#### Link to tracking issue
Fixes

<!--Describe what testing was performed and which tests were added.-->
#### Testing


```
make otelcontribcol
make docker-otelcontribcol
docker tag localhost/otelcontribcol:latest pavolloffay/otelcolcontrib-bearertokenfix:1 
docker push pavolloffay/otelcolcontrib-bearertokenfix:1

docker run pavolloffay/otelcolcontrib-bearertokenfix:1
```

<!--Describe the documentation added.-->
#### Documentation

<!--Please delete paragraphs that you did not use before submitting.-->

---------

Signed-off-by: Pavol Loffay <[email protected]>

Author: pavolloffay

.chloggen/bearertoken-fix-race-condition.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog)
+component: extension/bearertokenauth
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Remove error messages `fsnotify: can't remove non-existent watch` when watching kubernetes SA tokens."
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [44104]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]

extension/bearertokenauthextension/bearertokenauth.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"sync/atomic"
 
@@ -106,7 +107,10 @@ func (b *bearerTokenAuth) Start(ctx context.Context, _ component.Host) error {
 	// start file watcher
 	go b.startWatcher(ctx, watcher)
 
-	return watcher.Add(b.filename)
+	// Watch the parent directory instead of the file directly to handle atomic replacements
+	// This eliminates race conditions with fsnotify when files are atomically replaced
+	watchDir := filepath.Dir(b.filename)
+	return watcher.Add(watchDir)
 }
 
 func (b *bearerTokenAuth) startWatcher(ctx context.Context, watcher *fsnotify.Watcher) {
@@ -122,22 +126,20 @@ func (b *bearerTokenAuth) startWatcher(ctx context.Context, watcher *fsnotify.Wa
 			if !ok {
 				continue
 			}
-			// NOTE: k8s configmaps uses symlinks, we need this workaround.
-			// original configmap file is removed.
-			// SEE: https://martensson.io/go-fsnotify-and-kubernetes-configmaps/
-			if event.Op == fsnotify.Remove || event.Op == fsnotify.Chmod {
-				// remove the watcher since the file is removed
-				if err := watcher.Remove(event.Name); err != nil {
-					b.logger.Error(err.Error())
-				}
-				// add a new watcher pointing to the new symlink/file
-				if err := watcher.Add(b.filename); err != nil {
-					b.logger.Error(err.Error())
-				}
-				b.refreshToken()
+
+			// Only process events for our target file by filtering events
+			// Since we're watching the parent directory, we get events for all files in it
+			if event.Name != b.filename {
+				continue
 			}
-			// also allow normal files to be modified and reloaded.
-			if event.Op == fsnotify.Write {
+
+			// Handle file events for our target file
+			// Since we're watching the directory, we don't need to manage watch add/remove
+			// The directory watch persists even when files are atomically replaced
+			if event.Op&fsnotify.Write == fsnotify.Write ||
+				event.Op&fsnotify.Create == fsnotify.Create ||
+				event.Op&fsnotify.Remove == fsnotify.Remove ||
+				event.Op&fsnotify.Chmod == fsnotify.Chmod {
 				b.refreshToken()
 			}
 		}