"fieldsType": "fieldsTypeValue",
        "fieldsV1": {},
        "subresource": "subresourceValue"
      }
    ]
  },
  "spec": {
    "request": "AQ==",
    "signerName": "signerNameValue",
    "expirationSeconds": 8,
    "usages": [
      "usagesValue"
    ],
    "username": "usernameValue",
    "uid": "uidValue",
    "groups": [
      "groupsValue"
    ],
    "extra": {
      "extraKey": [

    blockOwnerDeletion: true
    controller: true
    kind: kindValue
    name: nameValue
    uid: uidValue
  resourceVersion: resourceVersionValue
  selfLink: selfLinkValue
  uid: uidValue
spec:
  expirationSeconds: 8
  extra:
    extraKey:
    - extraValue
  groups:
  - groupsValue
  request: AQ==
  signerName: signerNameValue
  uid: uidValue
  usages:
  - usagesValue
  username: usernameValue
status:

        "fieldsType": "fieldsTypeValue",
        "fieldsV1": {},
        "subresource": "subresourceValue"
      }
    ]
  },
  "spec": {
    "request": "AQ==",
    "signerName": "signerNameValue",
    "expirationSeconds": 8,
    "usages": [
      "usagesValue"
    ],
    "username": "usernameValue",
    "uid": "uidValue",
    "groups": [
      "groupsValue"
    ],
    "extra": {
      "extraKey": [

        "fieldsType": "fieldsTypeValue",
        "fieldsV1": {},
        "subresource": "subresourceValue"
      }
    ]
  },
  "spec": {
    "request": "AQ==",
    "signerName": "signerNameValue",
    "expirationSeconds": 8,
    "usages": [
      "usagesValue"
    ],
    "username": "usernameValue",
    "uid": "uidValue",
    "groups": [
      "groupsValue"
    ],
    "extra": {
      "extraKey": [

	// trust between the target audiences.
	Audiences []string

	// ExpirationSeconds is the requested duration of validity of the request. The
	// token issuer may return a token with a different validity duration so a
	// client needs to check the 'expiration' field in a response.
	ExpirationSeconds int64

	// BoundObjectRef is a reference to an object that the token will be bound to.

			if !ok {
				return
			}

			// if the old CSR already has a certificate, do not double count it
			if len(oldCSR.Status.Certificate) > 0 {
				return
			}

			if oldCSR.Spec.ExpirationSeconds == nil {
				return // ignore CSRs that are not using the CSR duration feature
			}

			newCSR, ok := obj.(*certificates.CertificateSigningRequest)
			if !ok {
				return
			}

	"expirationSeconds": "ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.",

	*out = *in
	if in.Audiences != nil {
		in, out := &in.Audiences, &out.Audiences
		*out = make([]string, len(*in))
		copy(*out, *in)
	}
	if in.ExpirationSeconds != nil {
		in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
		*out = new(int64)
		**out = **in
	}
	if in.BoundObjectRef != nil {
		in, out := &in.BoundObjectRef, &out.BoundObjectRef
		*out = new(BoundObjectReference)

	*out = *in
	if in.Request != nil {
		in, out := &in.Request, &out.Request
		*out = make([]byte, len(*in))
		copy(*out, *in)
	}
	if in.ExpirationSeconds != nil {
		in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
		*out = new(int32)
		**out = **in
	}
	if in.Usages != nil {
		in, out := &in.Usages, &out.Usages
		*out = make([]KeyUsage, len(*in))
		copy(*out, *in)
	}

  // +listType=atomic
  repeated string audiences = 1;

  // ExpirationSeconds is the requested duration of validity of the request. The
  // token issuer may return a token with a different validity duration so a
  // client needs to check the 'expiration' field in a response.
  // +optional
  optional int64 expirationSeconds = 4;

  // BoundObjectRef is a reference to an object that the token will be bound to.