Describe the bug
kubernetes-client/java does not work with certificate chains for client authentication, while kubelet does.
Client Version
almost any, including current master or 14.0.0
Kubernetes Version
almost any, including 1.22.3
Java Version
any
To Reproduce
Steps to reproduce the behavior:
- Setup the Kubernetes API server using TLS Client Authentication: Start `kube-apiserver` with `--client-ca-file=root.pem` (= trust anything signed by the root CA certificate).
- Use an intermediate CA certificate to sign the user's client certificate.
- Use a `user.pem` as user credential on the client side containing the full certificate chain, that is 1. the user certificate as well as 2. the intermediate certificate.

- kubectl works in this scenario
- kubernetes-client/java does not work in this scenario
Expected behavior
kubernetes-client/java should not only load the first certificate found in user.pem, but load and use the full chain.
KubeConfig
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority: .\ca.pem
    server: https://apiserver.example
  name: demo
contexts:
- context:
    cluster: demo
    user: demo
  name: demo
current-context: demo
kind: Config
preferences: {}
users:
- name: demo
  user:
    client-certificate: .\user.pem
    client-key: .\user-key.pem
```
Certificate Chain
```
+-----------------+
|     Root CA     |
+-----------------+
         \
+-----------------+
| Intermediate CA |
+-----------------+
         \
+-----------------+
|    User Cert    |
+-----------------+
```
user.pem containing

```
-----BEGIN CERTIFICATE-----
....user cert....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
....intermediate....
-----END CERTIFICATE-----
```

The user cert has

```
Issuer: CN = intermediate
Subject: CN = user
```

and the intermediate cert has

```
Issuer: CN = root
Subject: CN = intermediate
```
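To make the expected behavior concrete, here is an added example (not code from kubernetes-client/java) showing how a plain-JDK client can load every certificate from `user.pem`, check that the file really is an ordered chain (each cert issued by the next one, matching the Issuer/Subject lines above), and put the whole chain into the key entry so the TLS handshake presents both the user cert and the intermediate. It assumes `user-key.pem` is an unencrypted PKCS#8 key (`-----BEGIN PRIVATE KEY-----`) and that the class name `ChainLoader` and the argument order are our own choices. The key difference from loading only the first cert is `CertificateFactory.generateCertificates` (plural) instead of `generateCertificate`.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (hypothetical helper, not part of kubernetes-client/java). */
public final class ChainLoader {

    /** Parse every CERTIFICATE block in a PEM file, in file order (leaf first). */
    static X509Certificate[] loadChain(Path pemFile) throws Exception {
        byte[] pem = Files.readAllBytes(pemFile);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates() returns all certificates in the stream.
        // generateCertificate() (singular) would stop after the first one,
        // which is exactly the behaviour this issue reports.
        Collection<? extends Certificate> certs;
        try (InputStream in = new ByteArrayInputStream(pem)) {
            certs = cf.generateCertificates(in);
        }
        return certs.toArray(new X509Certificate[0]);
    }

    /** Fail early if the file is not an ordered chain: cert[i] must be issued and signed by cert[i+1]. */
    static void verifyChainOrder(X509Certificate[] chain) throws Exception {
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = chain[i];
            X509Certificate issuer = chain[i + 1];
            if (!child.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                throw new IllegalStateException(
                    "cert " + i + " (" + child.getSubjectX500Principal() + ") is not issued by cert " + (i + 1));
            }
            child.verify(issuer.getPublicKey()); // throws if the signature does not check out
        }
    }

    /** Load an unencrypted PKCS#8 private key (RSA or EC) from PEM. Assumption: PKCS#8, not PKCS#1. */
    static PrivateKey loadPkcs8Key(Path keyFile) throws Exception {
        String pem = Files.readString(keyFile, StandardCharsets.US_ASCII);
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException notRsa) {
            return KeyFactory.getInstance("EC").generatePrivate(spec);
        }
    }

    /** Build an SSLContext whose client key entry carries the FULL chain, trusting only caCert. */
    static SSLContext buildClientContext(X509Certificate[] chain, PrivateKey key, X509Certificate caCert)
            throws Exception {
        char[] pw = new char[0];
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        // The whole chain goes into the key entry, so the handshake sends user cert + intermediate
        // and kube-apiserver can build a path from the leaf up to the root in --client-ca-file.
        ks.setKeyEntry("client", key, pw, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);

        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        ts.setCertificateEntry("ca", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: java ChainLoader user.pem user-key.pem ca.pem */
    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = loadChain(Path.of(args[0]));
        verifyChainOrder(chain);
        X509Certificate ca = loadChain(Path.of(args[2]))[0];
        SSLContext ctx = buildClientContext(chain, loadPkcs8Key(Path.of(args[1])), ca);
        System.out.println("loaded " + chain.length + " certs; leaf=" + chain[0].getSubjectX500Principal()
            + "; protocol=" + ctx.getProtocol());
    }
}
```

With the `user.pem` from this report, `loadChain` returns two certificates and `verifyChainOrder` passes because the leaf's Issuer (`CN = intermediate`) equals the intermediate's Subject; if the file held only the user cert, the server would have to already know the intermediate, which it does not when `--client-ca-file` contains just `root.pem`.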