certauthority: tolerate larger clock skew between API server and pinniped

[enj]

This change updates our certificate code to use the same 5 minute
backdate that is used by the Kubernetes controller manager. This
helps to account for clock skews between the API servers and the
kubelets that are running the pinniped pods. While this backdating
reflects a large percentage of the lifetime of our short lived
certificates (100% for the 5 minute client certificates), even a 10
minute irrevocable client certificate is within our limits. When
we move to the CSR based short lived certificates, they will always
have at least a 15 minute lifetime (5 minute backdating plus 10 minute
minimum valid duration).

Signed-off-by: Monis Khan mok@vmware.com

Release note:

Pinniped components now tolerate a larger clock skew between the API servers and the kubelets running the pinniped pods.

[codecov]

Codecov Report

Merging #849 (91c8f74) into main (43ba6ba) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #849   +/-   ##
=======================================
  Coverage   78.60%   78.60%           
=======================================
  Files         129      129           
  Lines        8964     8964           
=======================================
  Hits         7046     7046           
  Misses       1690     1690           
  Partials      228      228           

Impacted Files	Coverage Δ
internal/certauthority/certauthority.go	95.20% <ø> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 43ba6ba...91c8f74. Read the comment docs.