fix(workloadmanager): refresh user client when token changes

[avinxshKD]

What type of PR is this?

/kind bug

What this PR does / why we need it:

WorkloadManager cached user Kubernetes clients by namespace and service account only. If the same service account came in with a different bearer token, it could still reuse the client built with the old token.

This makes the cache check the token too, so token changes create a fresh user client. Also adds tests for same-token reuse and changed-token refresh.

Which issue(s) this PR fixes:
Fixes #406

Special notes for your reviewer:

NONE

Does this PR introduce a user-facing change?:

NONE

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yaozengzeng for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/workloadmanager/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Code Review

This pull request updates the Kubernetes client cache (ClientCache) to validate cached clients using the user token in addition to the service account key. It adds a token field to clientCacheEntry, updates the Get method signature and implementation to verify token equality, and updates all callers and unit tests accordingly. Additionally, new tests have been added to verify token mismatch and caching behavior. There are no review comments, and the changes look solid with no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.17%. Comparing base (524e55e) to head (b44e865).
⚠️ Report is 146 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #407       +/-   ##
===========================================
+ Coverage   47.57%   59.17%   +11.60%     
===========================================
  Files          30       37        +7     
  Lines        2819     3495      +676     
===========================================
+ Hits         1341     2068      +727     
+ Misses       1338     1215      -123     
- Partials      140      212       +72     

Flag	Coverage Δ
unittests	59.17% <100.00%> (+11.60%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[avinxshKD]

@LiZhenCheng9527 @YaoZengzeng Pls take a look when get chance