Use new virtual time for TestController_RotateCertificates (#5285)

Use a virtual time in the future. This is because
certutil.NewSelfSignedCACert uses real wall-clock time to generate the
root certificate, and there is a possibility that the NotBefore field
for the CA certificate is after the "now" virtual time. This can in turn
cause certificate validation to fail and the unit test to fail.

Signed-off-by: Antonin Bas <[email protected]>

pkg/agent/controller/ipseccertificate/ipsec_certificate_controller_test.go

@@ -272,7 +272,10 @@ func TestController_RotateCertificates(t *testing.T) {
 	// It is important to truncate to the second, because the accuracy of notAfter in the
 	// certificate is at the second level. If we don't, the certificate may actually be rotated
 	// before 7s.
-	now := time.Now().Truncate(time.Second)
+	// We use a time in the future (1 hour), because newFakeController will create self-signed
+	// root certificates using the wall-clock time. We want to make sure that the root
+	// certificates are valid for this virtual time.
+	now := time.Now().Add(1 * time.Hour).Truncate(time.Second)
 	fakeClock := testingclock.NewFakeClock(now)
 	fakeController := newFakeController(t, fakeClock)
 	defer fakeController.mockController.Finish()
@@ -314,12 +317,17 @@ func TestController_RotateCertificates(t *testing.T) {
 	fakeClock.SetTime(now.Add(time.Millisecond * 6999))
 	select {
 	case <-signCh:
-		t.Error("CSR should not be signed before the rotation deadline")
+		t.Fatal("CSR should not be signed before the rotation deadline")
 	case <-time.After(2 * time.Second):
 	}
 	fakeClock.SetTime(now.Add(time.Second * 9))
 	// wait for the signer to finish signing two CSRs.
-	<-signCh
+	select {
+	case <-signCh:
+		break
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout while waiting for second CSR to be signed")
+	}
 	list, err := fakeController.kubeClient.CertificatesV1().CertificateSigningRequests().List(context.TODO(), metav1.ListOptions{})
 	assert.NoError(t, err)
 	assert.Len(t, list.Items, 2)