From f986600d5b7adc8f16a962def4fac4929eb21b89 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Mon, 27 Jul 2020 13:38:32 -0500
Subject: [PATCH] Increase client cert TTL from 5m to 1h.

This will make manual testing easier and seems like a reasonable tradeoff. We'll iterate more in the future.

Signed-off-by: Matt Moyer
---
 pkg/registry/loginrequest/rest.go | 5 ++++-
 pkg/registry/loginrequest/rest_test.go | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/registry/loginrequest/rest.go b/pkg/registry/loginrequest/rest.go
index bd0b0e1e..afa0cb91 100644
--- a/pkg/registry/loginrequest/rest.go
+++ b/pkg/registry/loginrequest/rest.go
@@ -23,6 +23,9 @@ import (
 placeholderapi "github.com/suzerain-io/placeholder-name-api/pkg/apis/placeholder"
 )
 
+// clientCertificateTTL is the TTL for short-lived client certificates returned by this API.
+const clientCertificateTTL = 1 * time.Hour
+
 var (
 _ rest.Creater = &REST{}
 _ rest.NamespaceScopedStrategy = &REST{}
@@ -128,7 +131,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 OrganizationalUnit: authResponse.User.GetGroups(),
 },
 []string{},
- 5*time.Minute,
+ clientCertificateTTL,
 )
 if err != nil {
 klog.Warningf("failed to issue short lived client certificate: %v", err)
diff --git a/pkg/registry/loginrequest/rest_test.go b/pkg/registry/loginrequest/rest_test.go
index 4368de19..15022471 100644
--- a/pkg/registry/loginrequest/rest_test.go
+++ b/pkg/registry/loginrequest/rest_test.go
@@ -144,7 +144,7 @@ func TestCreateSucceedsWhenGivenATokenAndTheWebhookAuthenticatesTheToken(t *test
 CommonName: "test-user",
 OrganizationalUnit: []string{"test-group-1", "test-group-2"}},
 []string{},
- 5*time.Minute,
+ 1*time.Hour,
 ).Return([]byte("test-cert"), []byte("test-key"), nil)
 
 storage := NewREST(&webhook, issuer)
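Review bot: The doc comment on `clientCertificateTTL` does not say what the TTL protects, and the commit message shows the new value was picked for manual-testing convenience. If these certificates are presented to a Kubernetes API server (inferred from the package path, not shown in the hunk), they cannot be revoked before expiry. The constant is then the whole exposure window for a leaked key, and that window grows from five minutes to one hour. I would extend the comment to something like `// clientCertificateTTL bounds how long an issued client certificate stays valid; it cannot be revoked earlier, so keep this as short as usability allows.` A TODO about making the value configurable would match the stated plan to iterate.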
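Review bot: The groups from `authResponse.User.GetGroups()` are copied into `OrganizationalUnit` at issuance, so the certificate carries a snapshot of the user's group membership. With `clientCertificateTTL` now one hour, a group removal or account disablement at the webhook will presumably not affect already-issued certificates for up to an hour. A why-comment above the `clientCertificateTTL,` argument would make this visible at the call site, e.g. `// identity and groups are fixed for the certificate's lifetime; the TTL is the only bound on stale membership`. The body of `Create` starts and ends outside this hunk, so it is not visible whether the expiry is reported back to the caller.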