Manage expiration of kubeconfig client certificates
Summary
We lack an automated refresh of the client certificates of Sylva kubeconfig files
Details
It appears that at some point, the Sylva kubeconfig files do not work any more:
~/my-deployment/sylva-core$ k get nodes -A --kubeconfig management-cluster-kubeconfig
E0505 10:07:57.473322 1836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0505 10:07:57.478448 1836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0505 10:07:57.483944 1836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0505 10:07:57.490368 1836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0505 10:07:57.495616 1836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
error: You must be logged in to the server (the server has asked for the client to provide credentials)
For both kubeadm and RKE2, the client certificates expire after 1 year, so it will occur on all long-lived platforms.
A possible implementation could be to have apply.sh and apply-workload-cluster.sh refresh the certificates when needed.
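
A sketch of the "when needed" check such a script could run before refreshing, added here as an example and not taken from the Sylva code base. The function names and the 30-day default threshold are assumptions, and it only handles a kubeconfig that embeds the certificate inline as `client-certificate-data`; it needs `openssl`, `awk` and `base64`.

```shell
#!/bin/sh
# Added example, not Sylva code: decide whether the client certificate
# embedded in a kubeconfig is close enough to expiry to need a refresh.
# Assumption: the cert is inline (client-certificate-data, base64 PEM);
# only the first such entry in the file is checked.

# Print the PEM client certificate embedded in kubeconfig $1.
kubeconfig_client_cert() {
    awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" | base64 -d
}

# Return 0 if the certificate expires within $2 seconds (refresh needed),
# 1 if it stays valid beyond that window, 2 if no certificate could be read.
kubeconfig_needs_refresh() {
    cert=$(kubeconfig_client_cert "$1" 2>/dev/null) || return 2
    [ -n "$cert" ] || return 2
    # Reject data that does not parse as an X.509 certificate, so that a
    # parse error is not mistaken for an expired certificate below.
    printf '%s\n' "$cert" | openssl x509 -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid N seconds from now.
    if printf '%s\n' "$cert" | openssl x509 -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the certificate's notAfter date, for operators and logs.
kubeconfig_cert_not_after() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# Direct use: <script> <kubeconfig> [days]   (30 days is an assumed default)
# The exit status is the one returned by kubeconfig_needs_refresh.
if [ "$#" -ge 1 ]; then
    rc=0
    kubeconfig_needs_refresh "$1" $(( ${2:-30} * 86400 )) || rc=$?
    case $rc in
        0) echo "refresh needed: client cert expires $(kubeconfig_cert_not_after "$1")" ;;
        1) echo "ok: client cert valid until $(kubeconfig_cert_not_after "$1")" ;;
        *) echo "no inline client certificate found in $1" >&2 ;;
    esac
    exit "$rc"
fi
```

Checking ahead of expiry rather than at it lets the refresh happen while the existing credentials still authenticate.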