Use same lifetime for serving cert and CA cert

So that operators won't look at the lifetime of the CA cert and be
like, "wtf, why does the serving cert have the lifetime that I
specified, but its CA cert is valid for 100 years".

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

internal/controller/apicerts/certs_manager.go

@@ -37,8 +37,8 @@ type certsManagerController struct {
 	aggregatorClient aggregatorclient.Interface
 	secretInformer   corev1informers.SecretInformer
 
-	// certDuration is the lifetime of the serving certificate that this
-	// controller will use when issuing the serving certificate.
+	// certDuration is the lifetime of both the serving certificate and its CA
+	// certificate that this controller will use when issuing the certificates.
 	certDuration time.Duration
 }
 
@@ -88,7 +88,7 @@ func (c *certsManagerController) Sync(ctx controller.Context) error {
 	}
 
 	// Create a CA.
-	aggregatedAPIServerCA, err := certauthority.New(pkix.Name{CommonName: "Pinniped CA"})
+	aggregatedAPIServerCA, err := certauthority.New(pkix.Name{CommonName: "Pinniped CA"}, c.certDuration)
 	if err != nil {
 		return fmt.Errorf("could not initialize CA: %w", err)
 	}

internal/controller/apicerts/certs_manager_test.go

@@ -221,6 +221,10 @@ func TestManagerControllerSync(t *testing.T) {
 					r.NotEmpty(actualPrivateKey)
 					r.NotEmpty(actualCertChain)
 
+					// Validate the created CA's lifetime.
+					validCACert := testutil.ValidateCertificate(t, actualCACert, actualCACert)
+					validCACert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute)
+
 					// Validate the created cert using the CA, and also validate the cert's hostname
 					validCert := testutil.ValidateCertificate(t, actualCACert, actualCertChain)
 					validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc")