From 11c2674ec2af4e007732d9f471da579aacfd11a7 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <liggitt@google.com>
Date: Fri, 1 Oct 2021 09:11:17 -0400
Subject: [PATCH] Fix CSR test to accept certs shorter than the requested
 duration

---
 test/e2e/auth/certificates.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/test/e2e/auth/certificates.go b/test/e2e/auth/certificates.go
index aff700e585b..ba1be96573b 100644
--- a/test/e2e/auth/certificates.go
+++ b/test/e2e/auth/certificates.go
@@ -166,7 +166,10 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
 		framework.ExpectNoError(err)
 		framework.ExpectEqual(len(certs), 1, "expected a single cert, got %#v", certs)
 		cert := certs[0]
-		framework.ExpectEqual(cert.NotAfter.Sub(cert.NotBefore), time.Hour+5*time.Minute, "unexpected cert duration: %s", dynamiccertificates.GetHumanCertDetail(cert))
+		// make sure the cert is not valid for longer than our requested time (plus allowance for backdating)
+		if e, a := time.Hour+5*time.Minute, cert.NotAfter.Sub(cert.NotBefore); a > e {
+			framework.Failf("expected cert valid for %s or less, got %s: %s", e, a, dynamiccertificates.GetHumanCertDetail(cert))
+		}
 
 		newClient, err := certificatesclient.NewForConfig(rcfg)
 		framework.ExpectNoError(err)