certauthority: tolerate larger clock skew between API server and pinniped

This change updates our certificate code to use the same 5 minute
backdate that is used by the Kubernetes controller manager.  This
helps to account for clock skews between the API servers and the
kubelets that are running the pinniped pods.  While this backdating
reflects a large percentage of the lifetime of our short lived
certificates (100% for the 5 minute client certificates), even a 10
minute irrevocable client certificate is within our limits.  When
we move to the CSR based short lived certificates, they will always
have at least a 15 minute lifetime (5 minute backdating plus 10 minute
minimum valid duration).

Signed-off-by: Monis Khan <mok@vmware.com>

internal/controller/impersonatorconfig/impersonator_config_test.go

@@ -1056,7 +1056,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 			caCert, err := x509.ParseCertificate(block.Bytes)
 			require.NoError(t, err)
 			require.Equal(t, "Pinniped Impersonation Proxy CA", caCert.Subject.CommonName)
-			require.WithinDuration(t, time.Now().Add(-10*time.Second), caCert.NotBefore, 10*time.Second)
+			require.WithinDuration(t, time.Now().Add(-5*time.Minute), caCert.NotBefore, 10*time.Second)
 			require.WithinDuration(t, time.Now().Add(100*time.Hour*24*365), caCert.NotAfter, 10*time.Second)
 			return createdCertPEM
 		}
@@ -1077,7 +1077,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 			r.NotNil(createdCertPEM)
 			validCert := testutil.ValidateServerCertificate(t, string(caCert), string(createdCertPEM))
 			validCert.RequireMatchesPrivateKey(string(createdKeyPEM))
-			validCert.RequireLifetime(time.Now().Add(-10*time.Second), time.Now().Add(100*time.Hour*24*365), 10*time.Second)
+			validCert.RequireLifetime(time.Now().Add(-5*time.Minute), time.Now().Add(100*time.Hour*24*365), 10*time.Second)
 		}
 
 		var requireSigningCertProviderHasLoadedCerts = func(certPEM, keyPEM []byte) {