client certificate expiration seconds must greater or qual to 3600

Signed-off-by: johan <wangyouhang@ibm.com>

pkg/registration/clientcert/cert_controller.go

@@ -71,7 +71,7 @@ type CSROption struct {
 	//   2. Signer whose configured maximum is shorter than the requested duration
 	//   3. Signer whose configured minimum is longer than the requested duration
 	//
-	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
+	// The minimum valid value for expirationSeconds is 3600, i.e. 1 hour.
 	ExpirationSeconds *int32
 
 	// EventFilterFunc matches csrs created with above options

pkg/registration/spoke/spokeagent.go

@@ -459,8 +459,8 @@ func (o *SpokeAgentOptions) Validate() error {
 		return errors.New("cluster healthcheck period must greater than zero")
 	}
 
-	if o.ClientCertExpirationSeconds != 0 && o.ClientCertExpirationSeconds < 600 {
-		return errors.New("client certificate expiration seconds must greater or qual to 600")
+	if o.ClientCertExpirationSeconds != 0 && o.ClientCertExpirationSeconds < 3600 {
+		return errors.New("client certificate expiration seconds must greater or qual to 3600")
 	}
 
 	return nil

pkg/registration/spoke/spokeagent_test.go

@@ -196,7 +196,7 @@ func TestValidate(t *testing.T) {
 				BootstrapKubeconfig:         "/spoke/bootstrap/kubeconfig",
 				ClusterName:                 "testcluster",
 				AgentName:                   "testagent",
-				ClientCertExpirationSeconds: 599,
+				ClientCertExpirationSeconds: 3599,
 			},
 			expectedErr: "client certificate expiration seconds must greater or qual to 600",
 		},
@@ -210,7 +210,7 @@ func TestValidate(t *testing.T) {
 				BootstrapKubeconfig:         "/spoke/bootstrap/kubeconfig",
 				ClusterName:                 "testcluster",
 				AgentName:                   "testagent",
-				ClientCertExpirationSeconds: 600,
+				ClientCertExpirationSeconds: 3600,
 			},
 			expectedErr: "",
 		},