ClusterSecretStore Kubernetes Provider shows expired bearer token as valid

**Describe the bug**
Creating a ClusterSecretStore with Kubernetes Provider using an expired bearer token authentication will show a "Valid" status in the secret store.

**To Reproduce**
Steps to reproduce the behavior:
ESO version: `0.18.2`
Kubernetes version: `1.33` (kind)

1. Prerequisites
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: testing
---
apiVersion: v1
kind: Secret
metadata:
  name: top-secret
  namespace: testing
type: Opaque
data:
  secret: dGhpcyBpcyBhIHNlY3JldA==
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-sa-binding
subjects:
  - kind: ServiceAccount
    name: admin-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
``` 
2. Create a service account token with expiration
```shell
kubectl create token admin-sa --duration=600s
```
2. Create a Kubernetes Secret from the token
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-token
  namespace: default
data:
  token: |
    <base64 encoded token>
```
3. Create ClusterSecretStore with Kubernetes Provider using the bearer token
```yaml
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: cluster-store
spec:
  provider:
    kubernetes:
      remoteNamespace: testing
      server:
        url: "https://kubernetes.default.svc"
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          namespace: default
          key: ca.crt
      auth:
        token:
          bearerToken:
            name: my-token
            key: token
            namespace: default
```
4. Create an ExternalSecret refering to the secret store
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: "hello-world"
  namespace: default
spec:
  refreshPolicy: Periodic
  refreshInterval: "5s"
  target:
    name: hello-world
    creationPolicy: Owner
    deletionPolicy: Delete
  data:
    - secretKey: admin
      remoteRef:
        key: top-secret
        version: v1
        property: secret
        decodingStrategy: None
      sourceRef:
        storeRef:
          name: cluster-store
          kind: ClusterSecretStore
```
5. When the token expired, the ClusterSecretStore status is still valid, but the ExternalSecret got `err: Unauthorized`
<img width="834" height="335" alt="Image" src="https://github.com/user-attachments/assets/5541d13d-6939-4404-972e-982d8bb11345" />
<img width="811" height="832" alt="Image" src="https://github.com/user-attachments/assets/b969cd10-701b-4fdf-9769-576f65057740" />
<img width="1342" height="936" alt="Image" src="https://github.com/user-attachments/assets/1743f4e5-6092-468d-b063-0fcecf0eb4c8" />

**Expected behavior**
ClusterSecretStore shows authentication error for expired bearer token

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ClusterSecretStore Kubernetes Provider shows expired bearer token as valid #5038

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

ClusterSecretStore Kubernetes Provider shows expired bearer token as valid #5038

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions