persist/pubsub: fix connection leak on gRPC stream error

[teskje]

When the client's gRPC response stream errors, the reconnect loop drops the tonic Channel but hyper's background task keeps running: It's blocked polling the broadcast_messages async stream, which holds a live BroadcastStream receiver. This keeps the HTTP2 connection open, leaking one connection per reconnect.

Fix this by giving the stream a cancellation token. When the reconnect loop drops cancel_tx, the stream observes it via select! and terminates, allowing hyper to close the HTTP2 connection.

Motivation

Fixes https://github.com/MaterializeInc/database-issues/issues/11276

Verification

There is a repro test in the issue comments and I verified that it passes with this fix, i.e. it doesn't reproduce the leak anymore. It'd be great to include the test in this PR, but it requires patching the max_decoding_message_size to allow injecting messages that are too large and produce decoding errors. Is there another way to provoke receive errors? Alternatively, we could make the max_decoding_message_size a dyncfg (currently it's hardcoded to usize::MAX) but it would be a bit of plumbing that only exists for this one test.

[github-actions]

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

• Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
• Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
• Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

• The PR title is descriptive and will make sense in the git log.
• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

[antiguru]

Checks out! Maybe wait for someone else to review, too.

[DAlperin]

LGTM. Slightly bummed not to have the test in this PR but it would be kind of a pain, I agree. Thanks for fixing!

[teskje]

TFTRs!