tokenNamespace, tokenServiceAccount string, audiences []string, expirationSeconds int64,
) (*authenticationv1.TokenRequest, error) {
	return client.Kube().CoreV1().ServiceAccounts(tokenNamespace).CreateToken(ctx, tokenServiceAccount,
		&authenticationv1.TokenRequest{
			Spec: authenticationv1.TokenRequestSpec{
				Audiences:         audiences,
				ExpirationSeconds: &expirationSeconds,
			},
		}, metav1.CreateOptions{})

					Certificate: []byte("junk"),
				},
			},
			old: &certificates.CertificateSigningRequest{
				Spec: certificates.CertificateSigningRequestSpec{
					SignerName:        "fancy",
					ExpirationSeconds: ptr.To[int32](77),
				},
			},
			options:       &metav1.UpdateOptions{},
			wantSigner:    "other",
			wantRequested: true,
			wantHonored:   false,
		},
		{

			t.Status.Token = rand.String(16)
			return true, t, nil
		},
	)

	const (
		refreshSeconds      = 1
		expirationSeconds   = 60
		sunsetPeriodSeconds = expirationSeconds - refreshSeconds
	)

	perCred, err := NewRPCCredentials(cli, "default", "default", nil, expirationSeconds, sunsetPeriodSeconds)
	if err != nil {
		t.Fatal(err)
	}

				tr.Spec.ExpirationSeconds = nil
			},
		},
	}

	for i, c := range cases {
		t.Run(fmt.Sprint(i), func(t *testing.T) {
			clock := testingclock.NewFakeClock(c.now)
			secs := int64(c.exp.Sub(start).Seconds())
			tr := &authenticationv1.TokenRequest{
				Spec: authenticationv1.TokenRequestSpec{
					ExpirationSeconds: &secs,
				},

}

func (s *signer) duration(expirationSeconds *int32) time.Duration {
	if expirationSeconds == nil {
		return s.certTTL
	}

	// honor requested duration is if it is less than the default TTL
	// use 10 min (2x hard coded backdate above) as a sanity check lower bound
	const min = 10 * time.Minute
	switch requestedDuration := csr.ExpirationSecondsToDuration(*expirationSeconds); {
	case requestedDuration > s.certTTL:

	if now.After(exp.Add(-1*time.Duration((*tr.Spec.ExpirationSeconds*20)/100)*time.Second - jitter)) {
		return true
	}
	return false
}

// keys should be nonconfidential and safe to log
func keyFunc(name, namespace string, tr *authenticationv1.TokenRequest) string {
	var exp int64
	if tr.Spec.ExpirationSeconds != nil {
		exp = *tr.Spec.ExpirationSeconds
	}

	var ref authenticationv1.BoundObjectReference

	//   3. Signer whose configured minimum is longer than the requested duration
	//
	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
	//
	// +optional
	ExpirationSeconds *int32 `json:"expirationSeconds,omitempty" protobuf:"varint,8,opt,name=expirationSeconds"`

	// allowedUsages specifies a set of usage contexts the key will be
	// valid for.
	// See:

	t.Parallel()

	tests := []struct {
		name              string
		certTTL           time.Duration
		expirationSeconds *int32
		want              time.Duration
	}{
		{
			name:              "can request shorter duration than TTL",
			certTTL:           time.Hour,
			expirationSeconds: csr.DurationToExpirationSeconds(30 * time.Minute),
			want:              30 * time.Minute,
		},
		{

		}
	}

	if r.maxExpirationSeconds > 0 && req.Spec.ExpirationSeconds > r.maxExpirationSeconds {
		//only positive value is valid
		warning.AddWarning(ctx, "", fmt.Sprintf("requested expiration of %d seconds shortened to %d seconds", req.Spec.ExpirationSeconds, r.maxExpirationSeconds))
		req.Spec.ExpirationSeconds = r.maxExpirationSeconds
	}

	"expirationSeconds": "expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and and notAfter fields in the...