
chore: update azure/kubelogin to address CVE #20578

Open · wants to merge 4 commits into base: master

Conversation

imjasonh

This PR attempts to update the project's dependency on github.com/Azure/kubelogin to the most recent version, which allows the project to update its dependency on github.com/Azure/azure-sdk-for-go/sdk/azidentity to a version that addresses a medium-severity CVE: GHSA-m5vv-6r4h-3vj9

I don't know whether this project is actually susceptible to this vulnerability, but it gets flagged for users of this project, and in general depending on very old releases of packages is not recommended -- this updates kubelogin from v0.0.20 (Aug 2022) to v0.1.4 (July this year)

The API has changed in breaking ways in the intervening ~2 years, and I assume this is part of the reason this old dependency has stuck around.

This is in part an update to #16661 -- I'm not sure if that PR should just be updated or if that's in some permanently stuck state.

Checklist:

  • [c] Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates? no
  • I've updated documentation as required by this PR. n/a
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged. n/a
  • [?] My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines. n/a
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

Signed-off-by: Jason Hall <jason@chainguard.dev>
@imjasonh imjasonh requested a review from a team as a code owner October 29, 2024 16:59

bunnyshell bot commented Oct 29, 2024

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs


@imjasonh
Author

build-only CI failure seems to have failed flakily

ERROR: failed to solve: docker.io/library/node:23.0.0@sha256:e643c0b70dca9704dff42e12b17f5b719dbe4f95e6392fc2dfa0c5f02ea8044d: failed to resolve source metadata for docker.io/library/node:23.0.0@sha256:e643c0b70dca9704dff42e12b17f5b719dbe4f95e6392fc2dfa0c5f02ea8044d: failed to authorize: failed to fetch oauth token: unexpected status from POST request to https://auth.docker.io/token: 502 Bad Gateway

@blakepettersson
Member

blakepettersson commented Nov 1, 2024

@imjasonh the unit test failure is a real one, which I can consistently reproduce.

What worked for me was reverting some of the unrelated changes (we would still need to find the actual reason for the failure).

Member

@blakepettersson blakepettersson left a comment


I added some changes to go.mod which makes the failing test pass (basically anything that's not directly related to kubelogin is reverted to its prior state for now), you'll then need to run go mod tidy afterwards.

@imjasonh
Author

imjasonh commented Nov 1, 2024

Thanks @blakepettersson, I've updated the deps and run go mod tidy, let me know if I missed anything.


codecov bot commented Nov 1, 2024

Codecov Report

Attention: Patch coverage is 0% with 7 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@eb10b70). Learn more about missing BASE report.
Report is 11 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| cmd/argocd-k8s-auth/commands/azure.go | 0.00% | 7 Missing ⚠️ |
@@            Coverage Diff            @@
##             master   #20578   +/-   ##
=========================================
  Coverage          ?   55.12%           
=========================================
  Files             ?      324           
  Lines             ?    55197           
  Branches          ?        0           
=========================================
  Hits              ?    30426           
  Misses            ?    22156           
  Partials          ?     2615           


@imjasonh
Author

imjasonh commented Nov 1, 2024

Before this change (3625689):

govulncheck -show verbose ./...
Scanning your code and 2003 packages across 270 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

Vulnerability #1: GO-2024-2918
    Azure Identity Libraries Elevation of Privilege Vulnerability in
    github.com/Azure/azure-sdk-for-go/sdk/azidentity
  More info: https://pkg.go.dev/vuln/GO-2024-2918
  Module: github.com/Azure/azure-sdk-for-go/sdk/azidentity
    Found in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.1.0
    Fixed in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0

After this change (11ce485):

govulncheck -show verbose ./...
Scanning your code and 2015 packages across 269 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.
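The two reports above make a distinction worth reading carefully: before the bump, GO-2024-2918 appears only under "Package Results" (the vulnerable module is imported) and not under "Symbol Results" (no vulnerable function is reachable from the scanned code), which is why the PR description can only say the dependency "gets flagged". As an added example, not code from this PR or from the Argo CD project, here is a small Python parser for the `govulncheck -show verbose` text format that keeps that distinction and diffs a before/after pair; the sample reports are the ones quoted in this comment, trimmed.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    vuln_id: str
    reachable: bool  # True only under "Symbol Results": vulnerable code is actually called
    found_in: str = ""
    fixed_in: str = ""

def parse_govulncheck(text: str) -> List[Finding]:
    # "Symbol Results" entries mean a vulnerable function is reachable from the
    # scanned code; "Package Results" entries only mean the vulnerable package is
    # imported, the weaker "flagged but maybe not exploitable" case the PR mentions.
    findings, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^=== (\w+) Results ===$", line):
            section, current = m.group(1), None
        elif m := re.match(r"^Vulnerability #\d+: (\S+)$", line):
            current = Finding(m.group(1), reachable=(section == "Symbol"))
            findings.append(current)
        elif current and line.startswith("Found in: "):
            current.found_in = line.removeprefix("Found in: ")
        elif current and line.startswith("Fixed in: "):
            current.fixed_in = line.removeprefix("Fixed in: ")
    return findings

def newly_fixed(before: str, after: str) -> List[str]:
    # Vulnerability IDs reported before the dependency bump but absent after it.
    after_ids = {f.vuln_id for f in parse_govulncheck(after)}
    return sorted({f.vuln_id for f in parse_govulncheck(before)} - after_ids)

# Constructed samples: the before/after reports quoted in this thread, trimmed.
BEFORE = """=== Symbol Results ===
No vulnerabilities found.
=== Package Results ===
Vulnerability #1: GO-2024-2918
    Azure Identity Libraries Elevation of Privilege Vulnerability in
    github.com/Azure/azure-sdk-for-go/sdk/azidentity
  Module: github.com/Azure/azure-sdk-for-go/sdk/azidentity
    Found in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.1.0
    Fixed in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0
"""
AFTER = """=== Symbol Results ===
No vulnerabilities found.
=== Package Results ===
No other vulnerabilities found.
"""
```

A finding with `reachable=True` is the one to treat as urgent; an import-only finding is still worth fixing, as done here, but is a weaker signal of actual exposure.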

@blakepettersson
Member

@imjasonh I'm no Azure expert - how has this been verified that this still works?

@imjasonh
Author

imjasonh commented Nov 1, 2024

> @imjasonh I'm no Azure expert - how has this been verified that this still works?

I haven't verified anything at all. I'm just basing this on the previous PR from the feature's author to get the dep updated.

If you have any simple instructions to test this, or an end-to-end test that I could run, I'd be happy to give it a shot.

@imjasonh
Author

imjasonh commented Nov 1, 2024

@bcho is the previous PR's author, 11 months ago


@bcho bcho left a comment


LGTM
