ocspServers test: give a link to the TODO issue

Signed-off-by: Maël Valais <mael@vls.dev>

pkg/controller/certificaterequests/ca/ca_test.go

@@ -435,9 +435,25 @@ func TestCA_Sign(t *testing.T) {
 				},
 			))),
 			assertSignedCert: func(t *testing.T, got *x509.Certificate) {
-				// Let's check that the difference between the expected and
-				// received time is less than one second. One second seems
-				// small enough since the overall duration is 30 minutes.
+				// Although there is less than 1µs between the time.Now
+				// call made by the certificate template func (in the "pki"
+				// package) and the time.Now below, rounding or truncating
+				// will always end up with a flaky test. This is due to the
+				// rounding made to the notAfter value when serializing the
+				// certificate to ASN.1 [1].
+				//
+				//  [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1
+				//
+				// So instead of using a truncation or rounding in order to
+				// check the time, we use a delta of 1 second. One entire
+				// second is totally overkill since, as detailed above, the
+				// delay is probably less than a microsecond. But that will
+				// do for now!
+				//
+				// Note that we do have a plan to fix this. We want to be
+				// injecting a time (instead of time.Now) to the template
+				// functions. This work is being tracked in this issue:
+				// https://github.com/jetstack/cert-manager/issues/3738
 				expectNotAfter := time.Now().UTC().Add(30 * time.Minute)
 				deltaSec := math.Abs(expectNotAfter.Sub(got.NotAfter).Seconds())
 				assert.LessOrEqualf(t, deltaSec, 1., "expected a time delta lower than 1 second. Time expected='%s', got='%s'", expectNotAfter.String(), got.NotAfter.String())