Kube ignores expirationTimestamp when exec returns a client certificate #1675

@goenning

Current and expected behavior

gardenlogin returns a client certificate with expirationTimestamp, but kube does not use it, which means it's not able to refresh the certs.

Here's an example of the response:

 kubectl gardenlogin get-client-certificate --name local --namespace garden-local --garden-cluster-identity gardener-local
{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"2025-01-01T18:20:20Z","clientCertificateData":"-----BEGIN CERTIFICATE-----\nMIIEMTCCApmgAwIBAgIQVBZZJvTJ964WKGdxRCOsQDANBgkqhkiG9w0BAQsFADAd\nMRswGQYDVQQDExJjYS1jbGllbnQtNThmOGU5YWMwHhcNMjUwMTAxMTgwNDIwWhcN\nMjUwMTAxMTgyMDIwWjA0MRcwFQYDVQQKEw5zeXN0ZW06bWFzdGVyczEZMBcGA1UE\nAxMQa3ViZXJuZXRlcy1hZG1pbjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoC\nggGBANubtCbumr4HNqObBsWgtySJJaFJyMBZbFqseIbgjfLYiGjYd2Xht7IwdcDM\nkhhH3UoOtofsUHo7suEyKYhUr1Wvjvw2mq/usukji5ahYdgjoiJY8rBZMHlHp0Tl\nB8pH2WD3J/iDRWtJDEjMnD0uuhqXAAOFrbt6gdBeY9g7SqxQIQuCc1RQdcTIsda6\nvfqn2QWbL2Xm6vRzSg/TRPoHCPWhzv1hLsLsmGjZAzuwV/F6TsZveEyEKOFVfuPE\nZ8YVZYm7fHpZUEhBPzBzuNkh6mVcF39AAF5NX6Qc6btmI7UBXX6LTEEU3rSguLlq\n2dqJsW3wQRLRQ8KZFBGv5kXN3UGjZVWSwxFGtkMU5PT/BPCRptbYTV0+Wpy0xbeo\njgNTSKIQHA09Tj0iFhx6EQIYVnusl0d8/1M9jh1k4CJRRMd1/YEooO8I+uKrEu25\nBhy1dFBxc/4cllwDGcJ/v7hDAveh8sttegs7IFwfsP89l6CE94hMXUz0qAVOz02J\n/As4GQIDAQABo1YwVDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH\nAwIwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQPOaAVARxxRj+5fazPH1Qb7y1B\ngTANBgkqhkiG9w0BAQsFAAOCAYEASO9O1P8ItfmkDFtalm0InzaJnD4yL/M4jzdd\nL4zFAmH2hrOZUaO76cscx8f2PWaY5uyZsMJYo194qCvuG8klF1D7HwbccU9eKiaG\nPj229wkke4cJVYZftuLN+2K/pF0N2UmmwFS5RrnWnos3czC0IAzHNqbPZw8kWoVI\nnyYEUeAcww+cG4fhco+xOI+lED6XdgsBbKun4n+Hk2awR06EZAVZXh5XBpx0Wtpq\nJqwpyNAs6qhnYnpYD83OPTR1QbaXdzPzd+vUAND78cDhUfIBTDeunAdrDIZKhNS0\nSpR0OSu5o/+ouMdJ7vlFadKJFRJMz6OD2oalk7e7vRiJYXUy1jOP7KzNMPBYkPfO\nNa9we3Swdtrf783n6nB5IQWyNz0O6YkfKA9V3nGYr1WOfwDyGHGZe0Tl9KhwHvbn\nHTqt3SXcq4cNlfgEe52Sxvapv2VWHBE2hSGhwtXYtKTUxt/5561dz95/bdFYJaST\nMZkq9c7MoI0P0AiSmhzPiUqRJjip\n-----END CERTIFICATE-----\n","clientKeyData":"-----BEGIN RSA PRIVATE 
KEY-----\nMIIG4wIBAAKCAYEA25u0Ju6avgc2o5sGxaC3JIkloUnIwFlsWqx4huCN8tiIaNh3\nZeG3sjB1wMySGEfdSg62h+xQejuy4TIpiFSvVa+O/Daar+6y6SOLlqFh2COiIljy\nsFkweUenROUHykfZYPcn+INFa0kMSMycPS66GpcAA4Wtu3qB0F5j2DtKrFAhC4Jz\nVFB1xMix1rq9+qfZBZsvZebq9HNKD9NE+gcI9aHO/WEuwuyYaNkDO7BX8XpOxm94\nTIQo4VV+48RnxhVlibt8ellQSEE/MHO42SHqZVwXf0AAXk1fpBzpu2YjtQFdfotM\nQRTetKC4uWrZ2omxbfBBEtFDwpkUEa/mRc3dQaNlVZLDEUa2QxTk9P8E8JGm1thN\nXT5anLTFt6iOA1NIohAcDT1OPSIWHHoRAhhWe6yXR3z/Uz2OHWTgIlFEx3X9gSig\n7wj64qsS7bkGHLV0UHFz/hyWXAMZwn+/uEMC96Hyy216CzsgXB+w/z2XoIT3iExd\nTPSoBU7PTYn8CzgZAgMBAAECggGANaUGT9BPWoYWkcaH0/TbaABcgdatRFdTwZ6J\n3qCx7BV61Omz2N5Xah6uVQdj1KyRYMrRScivK/yzSJFhVd0h63N0ISYRiVJsv8ig\nC46mgQ7LR0qlFfDjh2y6bnjn+0Cr2CTnzav7ZCa26n2Y2NU2PtKN/U5FTxuw5D56\nc1KgfhEg0VfvZjQ1YHmJ/6MkTzt7JwRugpzy3f3fpJf+LHlVdfMtxfVcX989p7cD\nNCxyfxlabtzB7ScHeWvSED9k/h0xealpgtJqA3ZSHP2BQas4AFXxo7/+iNO4plkq\nX9Fug318HxshiA5wUhObfucQZS6jeuUaShnPOd0Rx9URRniZnXrUBOpnQHfstntt\nG0YTq0x63mLdJUCleGitmcYHTiD2f1fe7BVGrgFjj+7i9PluxAUvOA+bhWy7mz9C\nc7jGW3EFZvYO1IeBQ645Lo7qtpQwHwgMtb14r4Yra68yyMipJS4A2VsCgFauixju\nMBxojfo82K68APrYADoFz/eErDORAoHBAO3z4cEIHxzVanNnk6L9+UhnPr/zoNfU\nrC8i2ICKjBfELNx9JdzXvKL1Hi05P0ico8N2PQBr2y2ChW2qGNmWPoZ9J7jk37jE\n04YsARJ3Qb2BYRZKGBEEeAsEPZMK+PONBaF4pQ4MzkJWvPMLYeTKym3mQHKhOkTb\nTs4g7KjYbj6J6+7xXzFozAUiilZcso6VWAUGXsZVQoKSpyH6ZyHT4utOfsgOlaLf\nU3T8XYDQMMyplpQB+x0DyEJCu2FPxj7rlQKBwQDsQ6TTk1l4C3XDTlgbqu1cwuxT\nPKpZnNVCxJ0irrdXdE0agvAlpoYVoyKjkEw55Rx7JmFHuXvnnOtXlo0hWXCMOYSR\ndnn/wSSpjvKFfeGHRRJ0hcW+HgyTmyrsmuDniWwDrAp/pFvJmtq/b9I3ibWbcJuK\neJmn9ROCtex8mkYh8zQABMri3Qg6ZrsUDpLjOywO59U1kaeohmuX5E8jIb7v9KBF\nQYDHMsT1eW7iwukyMPMMorT2FoBPetS14nkoGXUCgcEAlqZVQ3T03bhwUOg+nG7X\nKHPVUonYR00qRh11nMwareFR1baWBh/AGhu+IzufSUWCmPl+3YlrloCQIUITwY5R\nv6v1PiYJTl2u3b92Xk6KnIQRB5+ZZQzDQ5ZHtZS40Nlzuys6tI5+95kav3VxYPzS\n9IlWPDy/O2Dtn6tQqgV8prODYCAI+Ks0n/uiQdMmaQc8VtIVptPL7AcVMXnrWYtg\nm0FzGw3AxwFFQUeVmzwz6R9lagdnCJOgcfL110I+bQ+RAoHAQk7Fvp93F6rXtSWS\nssko7sTCAKZhBN9wNtnpY+d3CzNXxF4FOfvfW8k6Gn+P9Ruo/6MI4FFdReaTYjSd\njUOFw8UMwK
pomO/C81dsFyz6E7W99TfqBG54hyCgTmE1R6YYy3sIQ0SEgjNUuy+N\n5wpeDq7u6FDqhunQPPoD0gCWOEcCTBMMQdlYytM0I+/nJ6Dev5wvCWbEkBaRscJg\nt3JsHPoh1O4KT12fS2l2Rmv/eJemTuCHOx2bizLk6dsSt79VAoHADt+qLlyodtT6\nynfKu4Uv2e6pY1vunO421t+o4FtwsAj4ageHSAYJ1vUkPUr+pShXGcSRG5iZamv1\ncqfbdi5Kua7PpAYS7rVPk+t4kIgicBsT28M9IFnzvYlcGfXpf7pc5Qe1gGOVaPG4\nbfOA825xNvi0rl11YzCq4+X/IWSJATmq/Dqsx7W9PpgOhl6MoD5If562zEry5JU7\nU0+kVuRjzuzj7327TMhHYGad8wOT8BA4y6wZ+f2gYFGSMokRVygR\n-----END RSA PRIVATE KEY-----\n"}}

Possible solution

I'd like to contribute but I'm struggling to find the solution for it. The credentials are used to build a rustls::ClientConfig and added as a connector to the tower Stack, which means that if the credentials change, we should probably rebuild the stack?

Is that even possible?

Any suggestions on how to approach this one?

Additional context

No response

Environment

macOS on a Gardener cluster

Configuration and features

No response

Affected crates

kube-client

Would you like to work on fixing this bug?

maybe
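The check the issue asks for, as an added example that is not part of the original issue or of kube-rs: deciding from `expirationTimestamp` when the exec plugin has to be re-run. The function names, the 30-second skew and the clock readings are assumptions; rebuilding the TLS connector with the fresh certificate is left out.

```rust
// Added example, not kube-rs code. Times are Unix seconds (UTC).

/// Parse `YYYY-MM-DDTHH:MM:SSZ`, the form of `expirationTimestamp` in the
/// ExecCredential above. Anything else (offsets, fractions) is rejected.
fn parse_rfc3339_utc(s: &str) -> Option<u64> {
    let b = s.as_bytes();
    let shape_ok = b.len() == 20
        && b.iter().enumerate().all(|(i, c)| match i {
            4 | 7 => *c == b'-',
            10 => *c == b'T',
            13 | 16 => *c == b':',
            19 => *c == b'Z',
            _ => c.is_ascii_digit(),
        });
    if !shape_ok {
        return None;
    }
    let n = |r: std::ops::Range<usize>| s[r].parse::<u64>().ok();
    let (y, m, d) = (n(0..4)?, n(5..7)?, n(8..10)?);
    let (hh, mm, ss) = (n(11..13)?, n(14..16)?, n(17..19)?);
    if !(1..=12).contains(&m) || !(1..=31).contains(&d) || hh > 23 || mm > 59 || ss > 60 {
        return None;
    }
    // Days since 1970-01-01 (civil-date algorithm, proleptic Gregorian).
    let y = if m <= 2 { y.checked_sub(1)? } else { y };
    let (era, yoe) = (y / 400, y % 400);
    let doy = (153 * ((m + 9) % 12) + 2) / 5 + d - 1;
    let days = (era * 146_097 + yoe * 365 + yoe / 4 - yoe / 100 + doy).checked_sub(719_468)?;
    Some(days * 86_400 + hh * 3_600 + mm * 60 + ss)
}

/// Decide whether the exec plugin must be re-run before the next request.
/// `skew` refreshes early so a request never starts on a nearly expired cert.
fn needs_refresh(expiration: Option<&str>, now: u64, skew: u64) -> bool {
    match expiration {
        // No expirationTimestamp: cache until a 401 or process exit.
        None => false,
        // Unparseable timestamp: fail closed and fetch a fresh credential.
        Some(ts) => parse_rfc3339_utc(ts).map_or(true, |exp| now.saturating_add(skew) >= exp),
    }
}

fn main() {
    let ts = "2025-01-01T18:20:20Z"; // value from the response in the issue
    for now in [1_735_755_000u64, 1_735_755_600] { // constructed clock readings
        println!("now={now} refresh={}", needs_refresh(Some(ts), now, 30));
    }
}
```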
