const min = 10 * time.Minute
	if tr.Spec.ExpirationSeconds < int64(min.Seconds()) {
		allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), tr.Spec.ExpirationSeconds, "may not specify a duration less than 10 minutes"))
	}
	if tr.Spec.ExpirationSeconds > 1<<32 {
		allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), tr.Spec.ExpirationSeconds, "may not specify a duration larger than 2^32 seconds"))
	}

	tokenNamespace, tokenServiceAccount string, audiences []string, expirationSeconds int64,
) (*authenticationv1.TokenRequest, error) {
	return client.Kube().CoreV1().ServiceAccounts(tokenNamespace).CreateToken(ctx, tokenServiceAccount,
		&authenticationv1.TokenRequest{
			Spec: authenticationv1.TokenRequestSpec{
				Audiences:         audiences,
				ExpirationSeconds: &expirationSeconds,
			},
		}, metav1.CreateOptions{})

					Certificate: []byte("junk"),
				},
			},
			old: &certificates.CertificateSigningRequest{
				Spec: certificates.CertificateSigningRequestSpec{
					SignerName:        "fancy",
					ExpirationSeconds: ptr.To[int32](77),
				},
			},
			options:       &metav1.UpdateOptions{},
			wantSigner:    "other",
			wantRequested: true,
			wantHonored:   false,
		},
		{

			t.Status.Token = rand.String(16)
			return true, t, nil
		},
	)

	const (
		refreshSeconds      = 1
		expirationSeconds   = 60
		sunsetPeriodSeconds = expirationSeconds - refreshSeconds
	)

	perCred, err := NewRPCCredentials(cli, "default", "default", nil, expirationSeconds, sunsetPeriodSeconds)
	if err != nil {
		t.Fatal(err)
	}

				tr.Spec.ExpirationSeconds = nil
			},
		},
	}

	for i, c := range cases {
		t.Run(fmt.Sprint(i), func(t *testing.T) {
			clock := testingclock.NewFakeClock(c.now)
			secs := int64(c.exp.Sub(start).Seconds())
			tr := &authenticationv1.TokenRequest{
				Spec: authenticationv1.TokenRequestSpec{
					ExpirationSeconds: &secs,
				},

)

func addDefaultingFuncs(scheme *runtime.Scheme) error {
	return RegisterDefaults(scheme)
}

func SetDefaults_TokenRequestSpec(obj *authenticationv1.TokenRequestSpec) {
	if obj.ExpirationSeconds == nil {
		hour := int64(60 * 60)
		obj.ExpirationSeconds = &hour
	}

}

func (s *signer) duration(expirationSeconds *int32) time.Duration {
	if expirationSeconds == nil {
		return s.certTTL
	}

	// honor requested duration is if it is less than the default TTL
	// use 10 min (2x hard coded backdate above) as a sanity check lower bound
	const min = 10 * time.Minute
	switch requestedDuration := csr.ExpirationSecondsToDuration(*expirationSeconds); {
	case requestedDuration > s.certTTL:

	Request           []byte                        `json:"request,omitempty"`
	SignerName        *string                       `json:"signerName,omitempty"`
	ExpirationSeconds *int32                        `json:"expirationSeconds,omitempty"`
	Usages            []v1beta1.KeyUsage            `json:"usages,omitempty"`
	Username          *string                       `json:"username,omitempty"`

type CertificateSigningRequestSpecApplyConfiguration struct {
	Request           []byte                   `json:"request,omitempty"`
	SignerName        *string                  `json:"signerName,omitempty"`
	ExpirationSeconds *int32                   `json:"expirationSeconds,omitempty"`
	Usages            []v1.KeyUsage            `json:"usages,omitempty"`
	Username          *string                  `json:"username,omitempty"`

	if now.After(exp.Add(-1*time.Duration((*tr.Spec.ExpirationSeconds*20)/100)*time.Second - jitter)) {
		return true
	}
	return false
}

// keys should be nonconfidential and safe to log
func keyFunc(name, namespace string, tr *authenticationv1.TokenRequest) string {
	var exp int64
	if tr.Spec.ExpirationSeconds != nil {
		exp = *tr.Spec.ExpirationSeconds
	}

	var ref authenticationv1.BoundObjectReference