From a2bd60f86dffc9719ef63b389c31296bc988c83d Mon Sep 17 00:00:00 2001
From: johan
Date: Tue, 30 May 2023 14:32:43 +0800
Subject: [PATCH] client certificate expiration seconds must greater or qual to 3600
Signed-off-by: johan
---
 pkg/registration/clientcert/cert_controller.go | 2 +-
 pkg/registration/spoke/spokeagent.go | 4 ++--
 pkg/registration/spoke/spokeagent_test.go | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkg/registration/clientcert/cert_controller.go b/pkg/registration/clientcert/cert_controller.go
index a6b534771..af4227f2c 100644
--- a/pkg/registration/clientcert/cert_controller.go
+++ b/pkg/registration/clientcert/cert_controller.go
@@ -71,7 +71,7 @@ type CSROption struct {
 // 2. Signer whose configured maximum is shorter than the requested duration
 // 3. Signer whose configured minimum is longer than the requested duration
 //
- // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
+ // The minimum valid value for expirationSeconds is 3600, i.e. 1 hour.
 ExpirationSeconds *int32
 // EventFilterFunc matches csrs created with above options
diff --git a/pkg/registration/spoke/spokeagent.go b/pkg/registration/spoke/spokeagent.go
index 14182f8ee..163416406 100644
--- a/pkg/registration/spoke/spokeagent.go
+++ b/pkg/registration/spoke/spokeagent.go
@@ -459,8 +459,8 @@ func (o *SpokeAgentOptions) Validate() error {
 return errors.New("cluster healthcheck period must greater than zero")
 }
- if o.ClientCertExpirationSeconds != 0 && o.ClientCertExpirationSeconds < 600 {
- return errors.New("client certificate expiration seconds must greater or qual to 600")
+ if o.ClientCertExpirationSeconds != 0 && o.ClientCertExpirationSeconds < 3600 {
+ return errors.New("client certificate expiration seconds must greater or qual to 3600")
 }
 return nil
diff --git a/pkg/registration/spoke/spokeagent_test.go b/pkg/registration/spoke/spokeagent_test.go
index afe29b10f..70b03ab71 100644
--- a/pkg/registration/spoke/spokeagent_test.go
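Review bot: The reworded comment on `ExpirationSeconds` in `CSROption` presents this project's own floor as the field's validity rule, yet nothing visible in `CSROption` enforces 3600; the only check in this patch is in `SpokeAgentOptions.Validate`. The Kubernetes CSR API documents 600 as the minimum for `spec.expirationSeconds`, so a caller that builds a `CSROption` without passing through `Validate` could presumably still request a shorter-lived client certificate. I would word it as `// The API minimum is 600 (10 minutes); the registration agent additionally rejects values below 3600 in SpokeAgentOptions.Validate.` The struct body starts and ends outside the hunk.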
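Review bot: In `Validate` the floor `3600` is written out twice, in the comparison and in the error text, and a third time in the `CSROption` comment, so the next policy change has to edit all three in step. A package-level constant such as `const minClientCertExpirationSeconds = 3600`, with the message built from it via `fmt.Errorf`, would keep them aligned, and the wording could be corrected to `must be greater than or equal to` at the same time. Only a lower bound is checked and `0` skips it, presumably meaning "use the signer's default"; a one-line comment saying so would document the certificate-lifetime policy for the next reader. `Validate` starts outside the hunk.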
+++ b/pkg/registration/spoke/spokeagent_test.go
@@ -196,7 +196,7 @@ func TestValidate(t *testing.T) {
 BootstrapKubeconfig: "/spoke/bootstrap/kubeconfig",
 ClusterName: "testcluster",
 AgentName: "testagent",
- ClientCertExpirationSeconds: 599,
+ ClientCertExpirationSeconds: 3599,
 },
 expectedErr: "client certificate expiration seconds must greater or qual to 600",
 },
@@ -210,7 +210,7 @@ func TestValidate(t *testing.T) {
 BootstrapKubeconfig: "/spoke/bootstrap/kubeconfig",
 ClusterName: "testcluster",
 AgentName: "testagent",
- ClientCertExpirationSeconds: 600,
+ ClientCertExpirationSeconds: 3600,
 },
 expectedErr: "",
 },
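Review bot: The unchanged `expectedErr` line in the 3599 case of `TestValidate` still ends in `qual to 600`, while `Validate` now returns the message ending in `3600`. If the test compares error strings exactly (the comparison is outside the hunk), this case fails; if it matches loosely, it no longer pins the new limit. The line should become `expectedErr: "client certificate expiration seconds must greater or qual to 3600",`. The table and the function body continue outside both hunks of this file.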