Merge pull request #14210 from JoeyC-Dev/aks-kubeconfig

Add note about AKS user authentication expiration scenario in service-endpoints.md

Author: v-dirichards

docs/pipelines/library/service-endpoints.md

@@ -505,6 +505,10 @@ Use the following parameters when you define a connection to a Kubernetes cluste
 | Description | Optional. The description of the service connection. |
 | Security | Optional. Select **Grant access permission to all pipelines** to allow all pipelines to use this connection. If you don't select this option, you must explicitly authorize the service connection for each pipeline that uses it. |
 
+> [!NOTE]
+> User certificates issued by Azure Kubernetes Service are valid for two years. If you choose to use kubeconfig, you will need to reconfigure service connections after two years.
+> To get user certificate issued by Azure Kubernetes Service from current context, use the command: `kubectl config view --raw -o jsonpath="{.users[?(@.name contains clusterUser_.*_$(kubectl config current-context))].user.client-certificate-data}" | base64 -d`
+> To check when user certificate will expire, use the command: `cat <cert_file> | openssl x509 -enddate -noout -in -`
 
 #### Service account option