Merge pull request #90191 from liggitt/csr-status

CSR condition status, lastTransitionTime, versioned validation

Kubernetes-commit: 5fb9e35e57bf0ccdfa52d9f05a27ff641470d430

Godeps/Godeps.json

@@ -436,11 +436,11 @@
 		},
 		{
 			"ImportPath": "k8s.io/api",
-			"Rev": "f9fb59586971"
+			"Rev": "d645287c6abf"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery",
-			"Rev": "17bacc71f57a"
+			"Rev": "76330795f827"
 		},
 		{
 			"ImportPath": "k8s.io/gengo",

go.mod

@@ -26,8 +26,8 @@ require (
 	golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e
 	golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	k8s.io/api v0.0.0-20200530103900-f9fb59586971
-	k8s.io/apimachinery v0.0.0-20200528161915-17bacc71f57a
+	k8s.io/api v0.0.0-20200602064703-d645287c6abf
+	k8s.io/apimachinery v0.0.0-20200601184421-76330795f827
 	k8s.io/klog/v2 v2.0.0
 	k8s.io/utils v0.0.0-20200414100711-2df71ebbae66
 	sigs.k8s.io/yaml v1.2.0
@@ -36,6 +36,6 @@ require (
 replace (
 	golang.org/x/sys => golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // pinned to release-branch.go1.13
 	golang.org/x/tools => golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // pinned to release-branch.go1.13
-	k8s.io/api => k8s.io/api v0.0.0-20200530103900-f9fb59586971
-	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200528161915-17bacc71f57a
+	k8s.io/api => k8s.io/api v0.0.0-20200602064703-d645287c6abf
+	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200601184421-76330795f827
 )

go.sum

@@ -284,8 +284,8 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/api v0.0.0-20200530103900-f9fb59586971/go.mod h1:QwbpOY9jAMgVHaP5xSN79SPHIARa3/InRZHl6ytz7gM=
-k8s.io/apimachinery v0.0.0-20200528161915-17bacc71f57a/go.mod h1:x4z2+k1N0YTBvV8PmaVs4/hSmKVVENZmTqI8gBygpLA=
+k8s.io/api v0.0.0-20200602064703-d645287c6abf/go.mod h1:arxhWU66v8ysbZ+0VyRbWB9IRbAU4LocspmPRb97490=
+k8s.io/apimachinery v0.0.0-20200601184421-76330795f827/go.mod h1:x4z2+k1N0YTBvV8PmaVs4/hSmKVVENZmTqI8gBygpLA=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0 h1:Foj74zO6RbjjP4hBEKjnYtjjAhGg4jNynUdYF6fJrok=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=

util/certificate/certificate_manager.go

@@ -374,6 +374,9 @@ func getCurrentCertificateOrBootstrap(
 	if err != nil {
 		return nil, false, fmt.Errorf("unable to parse certificate data: %v", err)
 	}
+	if len(certs) < 1 {
+		return nil, false, fmt.Errorf("no cert data found")
+	}
 	bootstrapCert.Leaf = certs[0]
 
 	if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil {

util/certificate/csr/csr.go

@@ -112,18 +112,25 @@ func WaitForCertificate(ctx context.Context, client certificatesclient.Certifica
 			if csr.UID != req.UID {
 				return false, fmt.Errorf("csr %q changed UIDs", csr.Name)
 			}
+			approved := false
 			for _, c := range csr.Status.Conditions {
 				if c.Type == certificates.CertificateDenied {
-					return false, fmt.Errorf("certificate signing request is not approved, reason: %v, message: %v", c.Reason, c.Message)
+					return false, fmt.Errorf("certificate signing request is denied, reason: %v, message: %v", c.Reason, c.Message)
+				}
+				if c.Type == certificates.CertificateFailed {
+					return false, fmt.Errorf("certificate signing request failed, reason: %v, message: %v", c.Reason, c.Message)
 				}
 				if c.Type == certificates.CertificateApproved {
-					if csr.Status.Certificate != nil {
-						klog.V(2).Infof("certificate signing request %s is issued", csr.Name)
-						return true, nil
-					}
-					klog.V(2).Infof("certificate signing request %s is approved, waiting to be issued", csr.Name)
+					approved = true
 				}
 			}
+			if approved {
+				if len(csr.Status.Certificate) > 0 {
+					klog.V(2).Infof("certificate signing request %s is issued", csr.Name)
+					return true, nil
+				}
+				klog.V(2).Infof("certificate signing request %s is approved, waiting to be issued", csr.Name)
+			}
 			return false, nil
 		},
 	)