kvtenant: properly release resources when reconnecting

[knz]

Commit extracted from #106414.

Epic: CRDB-26691

Prior to this patch, the KV tenant connector could leak
grpc.ClientConn objects across RPC errors and re-dials. This is
because the KV tenant connector is more opinionated about "a working
RPC connection" than our rpc package and wants to choose to abandon
a RPC connection (and re-dial, possibly even a different server) even
when the rpc package considers the connection healthy because it
responds to heartbeats.

This patch enhances the situation by more effectively closing
the low-level grpc.ClientConn when the connector decides that it
doesn't want to use it anymore.

Release note: None

[blathers-crl]

It looks like your PR touches production code but doesn't add or edit any test code. Did you consider adding tests to your PR?

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}

[cockroach-teamcity]

This change is 

[knz]

Internal thread: https://cockroachlabs.slack.com/archives/C0KB9Q03D/p1689066956978959

[tbg]

I'm still unclear why this is the right thing to do. How sure are we that there aren't any callers of tryForgetClient that happen "frequently" in a healthy SQL pod? In that case, closing the connection will look like random connection problems that could be really hard to track down. Are just "worried" (as we discussed on slack¹) but without a concrete example to bolster it, that the address might be a load balancer and the connection is to the wrong cluster, but won't fail because the connection is unvalidated? Or is this PR fixing an actual observed issue (link?)

My decision tree as a reviewer would be the following:

• if this fixes a real bug, we can proceed since this is a simple fix, under the condition that we also log a warning when we close a connection (to avoid the "it looks like a weird network issue" case); I don't want to see this in KV L2.
• if it doesn't, should we discuss moving off GRPCUnvalidatedDial, and perhaps bypass the rpc.Context entirely? After all, this is just a single connection that is being maintained (per pod); we can call c.rpcContext.GRPCDialOptions() instead and manage our own raw ClientConn which we are then of course free to close. Or, we add GRPCDialPodToNode which results in a connection that verifies cluster name, or something like that. That latter option integrates with the existing metrics, etc, but is more complex, so I am leaning towards the former.

Footnotes

1. https://cockroachlabs.slack.com/archives/C0KB9Q03D/p1689066956978959 (internal) ↩