const min = 10 * time.Minute
	if tr.Spec.ExpirationSeconds < int64(min.Seconds()) {
		allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), tr.Spec.ExpirationSeconds, "may not specify a duration less than 10 minutes"))
	}
	if tr.Spec.ExpirationSeconds > 1<<32 {
		allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), tr.Spec.ExpirationSeconds, "may not specify a duration larger than 2^32 seconds"))
	}

	tokenNamespace, tokenServiceAccount string, audiences []string, expirationSeconds int64,
) (*authenticationv1.TokenRequest, error) {
	return client.Kube().CoreV1().ServiceAccounts(tokenNamespace).CreateToken(ctx, tokenServiceAccount,
		&authenticationv1.TokenRequest{
			Spec: authenticationv1.TokenRequestSpec{
				Audiences:         audiences,
				ExpirationSeconds: &expirationSeconds,
			},
		}, metav1.CreateOptions{})

			t.Status.Token = rand.String(16)
			return true, t, nil
		},
	)

	const (
		refreshSeconds      = 1
		expirationSeconds   = 60
		sunsetPeriodSeconds = expirationSeconds - refreshSeconds
	)

	perCred, err := NewRPCCredentials(cli, "default", "default", nil, expirationSeconds, sunsetPeriodSeconds)
	if err != nil {
		t.Fatal(err)
	}

)

func addDefaultingFuncs(scheme *runtime.Scheme) error {
	return RegisterDefaults(scheme)
}

func SetDefaults_TokenRequestSpec(obj *authenticationv1.TokenRequestSpec) {
	if obj.ExpirationSeconds == nil {
		hour := int64(60 * 60)
		obj.ExpirationSeconds = &hour
	}

	Request           []byte                        `json:"request,omitempty"`
	SignerName        *string                       `json:"signerName,omitempty"`
	ExpirationSeconds *int32                        `json:"expirationSeconds,omitempty"`
	Usages            []v1beta1.KeyUsage            `json:"usages,omitempty"`
	Username          *string                       `json:"username,omitempty"`

type CertificateSigningRequestSpecApplyConfiguration struct {
	Request           []byte                   `json:"request,omitempty"`
	SignerName        *string                  `json:"signerName,omitempty"`
	ExpirationSeconds *int32                   `json:"expirationSeconds,omitempty"`
	Usages            []v1.KeyUsage            `json:"usages,omitempty"`
	Username          *string                  `json:"username,omitempty"`

	if now.After(exp.Add(-1*time.Duration((*tr.Spec.ExpirationSeconds*20)/100)*time.Second - jitter)) {
		return true
	}
	return false
}

// keys should be nonconfidential and safe to log
func keyFunc(name, namespace string, tr *authenticationv1.TokenRequest) string {
	var exp int64
	if tr.Spec.ExpirationSeconds != nil {
		exp = *tr.Spec.ExpirationSeconds
	}

	var ref authenticationv1.BoundObjectReference

	"expirationSeconds": "expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and and notAfter fields in the...

  //   3. Signer whose configured minimum is longer than the requested duration
  //
  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
  //
  // +optional
  optional int32 expirationSeconds = 8;

  // allowedUsages specifies a set of usage contexts the key will be
  // valid for.
  // See:
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.3

  //   3. Signer whose configured minimum is longer than the requested duration
  //
  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
  //
  // +optional
  optional int32 expirationSeconds = 8;

  // allowedUsages specifies a set of usage contexts the key will be
  // valid for.
  // See:
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.3