Drop kubevault.dev/apimachinery/client dependency #228

Merged: tamalsaha merged 2 commits into master from feat/drop-apimachinery-client, May 25, 2026

@tamalsaha
Member

Pairs with kubevault/operator#183 — both repos drop their dependency on apimachinery's generated typed clientsets / informers / listers. apimachinery itself is unchanged; its `client/` tree becomes unreferenced from both production consumers and is a candidate for deletion in a follow-up.

Summary

The CLI now uses `sigs.k8s.io/controller-runtime/pkg/client.Client` for every CRUD against KubeVault custom resources (VaultServer, VaultPolicy, SecretAccessRequest, SecretRoleBinding, AWSRole/GCPRole/AzureRole/MongoDBRole/MySQLRole/MariaDBRole/PostgresRole/RedisRole/ElasticsearchRole/PKIRole, SecretEngine, VaultPolicyBinding).

Changes (12 files)

  • `pkg/cmds/generate.go` — `initClients(cfg)` now returns `(client.Client, *kubernetes.Clientset, error)`. Builds a `runtime.Scheme` with per-group `AddToScheme`s then `client.New`. `generateSecretObjects` takes `(kc client.Client, kubeClient *kubernetes.Clientset)`. Typed `engineClient.SecretRoleBindings(srbNs).Get(...)` became `kc.Get(ctx, types.NamespacedName{...}, &engineapi.SecretRoleBinding{})`.
  • `pkg/cmds/utils.go` — `UpdateSecretAccessRequestCondition(kc client.Client, req metav1.ObjectMeta, cond)` now uses `cu.PatchStatus` (alias `cu "kmodules.xyz/client-go/client"`) with a mutator that casts `o.(*engineapi.SecretAccessRequest)`, mutates conditions/observedGeneration, and returns the object. `isApplicable` GCPRole get migrated to controller-runtime. `modifyStatusCondition` builds the client via `client.New` with explicit per-group `AddToScheme`.
  • `pkg/cmds/root.go` — replaced `scheme.AddToScheme` (apimachinery aggregated) with explicit `engineapi.AddToScheme`, `vaultapi.AddToScheme`, `policyapi.AddToScheme` — only the groups the CLI actually uses.
  • `pkg/generate/generate.go` — `NewGenerator` signature collapsed from `(engineClient, vaultClient, policyClient, kubeClient)` to `(kc client.Client, kubeClient *kubernetes.Clientset)`.
  • `pkg/generate/{aws,gcp,azure}/...go` and `pkg/generate/database/{mariadb,mongodb,mysql,postgres,redis,elasticsearch}/*.go` — each `NewXxxGenerator` and all `Generate / GetVaultServerURL / GetVaultRoleName` call sites swap typed clientset Gets for controller-runtime `kc.Get(ctx, types.NamespacedName{...}, obj)`. Struct fields collapsed from three typed clients to a single `kc client.Client`.

Vendor cleanup

`go mod tidy && go mod vendor` removed `vendor/kubevault.dev/apimachinery/client/` entirely (40 files gone) plus other api-group subtrees only reachable through the aggregated scheme builder. Diff stat: 86 files changed, 344 insertions(+), 108,337 deletions(-).

Test plan

  • `go build -mod=vendor ./...` clean
  • `go vet -mod=vendor ./...` clean
  • `go test -mod=vendor ./...` — no test files in any package; all build
  • `grep -rn 'kubevault.dev/apimachinery/client' --include='*.go' .` (non-vendor) returns 0
  • Run `kubevault generate ...` against a real cluster to confirm Get-by-name paths still resolve correctly

Pre-existing oddity flagged (not fixed in this PR)

`pkg/generate/database/postgres/postgres.go::NewPostgresGenerator` fetches a MongoDBRole (not PostgresRole) to read its `SecretEngineRef`. The constructor still does that; only `Generate()` uses the correct `PostgresRole`. Behavior preserved verbatim — fixing would be a behavioral change outside the refactor's scope.

🤖 Generated with Claude Code
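
An added example, not code from this PR or the KubeVault project: a stricter form of the test plan's grep check, in Go with only the standard library. It parses import declarations instead of matching text and skips `vendor/`; `findImports` is a hypothetical helper name and `sample` is a constructed tree.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"io/fs"
	"strconv"
	"strings"
	"testing/fstest"
)

// findImports (hypothetical helper) lists non-vendor .go files in fsys that import
// pkg or a sub-package. It parses import specs, so comments and strings never match.
func findImports(fsys fs.FS, pkg string) (hits []string, err error) {
	err = fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		switch {
		case err != nil:
			return err
		case d.IsDir() && d.Name() == "vendor":
			return fs.SkipDir // vendored copies are not first-party consumers
		case d.IsDir() || !strings.HasSuffix(p, ".go"):
			return nil
		}
		src, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		f, err := parser.ParseFile(token.NewFileSet(), p, src, parser.ImportsOnly)
		if err != nil {
			return err
		}
		for _, imp := range f.Imports {
			path, _ := strconv.Unquote(imp.Path.Value)
			if path == pkg || strings.HasPrefix(path, pkg+"/") {
				hits = append(hits, p+": "+path)
			}
		}
		return nil
	})
	return hits, err
}

var sample = fstest.MapFS{ // constructed tree, not files from the PR
	"pkg/cmds/old.go": {Data: []byte("package cmds\nimport _ \"kubevault.dev/apimachinery/client/clientset/versioned\"\n")},
	"pkg/cmds/new.go": {Data: []byte("package cmds\n// kubevault.dev/apimachinery/client is gone\nimport _ \"sigs.k8s.io/controller-runtime/pkg/client\"\n")},
	"vendor/x/x.go":   {Data: []byte("package x\nimport _ \"kubevault.dev/apimachinery/client\"\n")},
}

func main() { fmt.Println(findImports(sample, "kubevault.dev/apimachinery/client")) }
```

On the sample tree only `pkg/cmds/old.go` is reported: the comment in `new.go` and the vendored copy are ignored, where a plain recursive grep would match both.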

tamalsaha added 2 commits May 25, 2026 11:48
Switch CLI helpers from the apimachinery-generated typed clientsets
to sigs.k8s.io/controller-runtime/pkg/client.Client. initClients now
returns a single client.Client (plus kubeClient); generateSecretObjects
and NewGenerator take it as a single dependency. The Update path uses
kmodules.xyz/client-go/client.PatchStatus instead of engineutil's
typed-clientset Update helper. go mod tidy + vendor refresh remove the
apimachinery/client subtree.

Signed-off-by: Tamal Saha <tamal@appscode.com>

Make every import of kubevault.dev/apimachinery/apis/* uniform across
the repo:

  kubevault/v1alpha1 -> vaultv1a1
  kubevault/v1alpha2 -> vaultv1a2
  engine/v1alpha1    -> engineapi
  policy/v1alpha1    -> policyapi
  ops/v1alpha1       -> opsapi
  catalog/v1alpha1   -> catalogapi
  config/v1alpha1    -> configapi

Pure rename: no behavior change.

Signed-off-by: Tamal Saha <tamal@appscode.com>
@tamalsaha
Member Author

Updated with commit 8e90b4254 — uniform api package aliases. Only `vaultapi` -> `vaultv1a2` was needed in this repo (19 files, 114/114 lines); other packages were already canonical or unused. Same canonical set as kubevault/operator#183:

| Package | Alias |
| --- | --- |
| kubevault/v1alpha2 | vaultv1a2 |
| engine/v1alpha1 | engineapi |
| policy/v1alpha1 | policyapi |

Build + vet + gofmt clean.

@tamalsaha tamalsaha merged commit 0f49286 into master May 25, 2026
5 checks passed
@tamalsaha tamalsaha deleted the feat/drop-apimachinery-client branch May 25, 2026 08:43