mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 11:21:47 +00:00
Merge pull request #49788 from mikedanese/resync-csr
Automatic merge from submit-queue (batch tested with PRs 49615, 49321, 49982, 49788, 50355) csr: add resync to csr approver fixes https://github.com/kubernetes/kubernetes/issues/49787 ```release-note Fix an issue where if a CSR is not approved initially by the SAR approver is not retried. ```
This commit is contained in:
commit
319bef285a
@ -91,10 +91,15 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
|
|||||||
return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
|
return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tried := []string{}
|
||||||
|
|
||||||
for _, r := range a.recognizers {
|
for _, r := range a.recognizers {
|
||||||
if !r.recognize(csr, x509cr) {
|
if !r.recognize(csr, x509cr) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tried = append(tried, r.permission.Subresource)
|
||||||
|
|
||||||
approved, err := a.authorize(csr, r.permission)
|
approved, err := a.authorize(csr, r.permission)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -108,6 +113,11 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(tried) != 0 {
|
||||||
|
return fmt.Errorf("recognized csr %q as %v but subject access review was not approved", csr.Name, tried)
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -89,6 +89,7 @@ func TestHandle(t *testing.T) {
|
|||||||
message string
|
message string
|
||||||
allowed bool
|
allowed bool
|
||||||
recognized bool
|
recognized bool
|
||||||
|
err bool
|
||||||
verify func(*testing.T, []testclient.Action)
|
verify func(*testing.T, []testclient.Action)
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
@ -119,6 +120,7 @@ func TestHandle(t *testing.T) {
|
|||||||
}
|
}
|
||||||
_ = as[0].(testclient.CreateActionImpl)
|
_ = as[0].(testclient.CreateActionImpl)
|
||||||
},
|
},
|
||||||
|
err: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
recognized: true,
|
recognized: true,
|
||||||
@ -155,7 +157,7 @@ func TestHandle(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, c := range cases {
|
for _, c := range cases {
|
||||||
t.Run(fmt.Sprintf("recognized:%v,allowed: %v", c.recognized, c.allowed), func(t *testing.T) {
|
t.Run(fmt.Sprintf("recognized:%v,allowed: %v,err: %v", c.recognized, c.allowed, c.err), func(t *testing.T) {
|
||||||
client := &fake.Clientset{}
|
client := &fake.Clientset{}
|
||||||
client.AddReactor("create", "subjectaccessreviews", func(action testclient.Action) (handled bool, ret runtime.Object, err error) {
|
client.AddReactor("create", "subjectaccessreviews", func(action testclient.Action) (handled bool, ret runtime.Object, err error) {
|
||||||
return true, &authorization.SubjectAccessReview{
|
return true, &authorization.SubjectAccessReview{
|
||||||
@ -177,7 +179,7 @@ func TestHandle(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
csr := makeTestCsr()
|
csr := makeTestCsr()
|
||||||
if err := approver.handle(csr); err != nil {
|
if err := approver.handle(csr); err != nil && !c.err {
|
||||||
t.Errorf("unexpected err: %v", err)
|
t.Errorf("unexpected err: %v", err)
|
||||||
}
|
}
|
||||||
c.verify(t, client.Actions())
|
c.verify(t, client.Actions())
|
||||||
|
Loading…
Reference in New Issue
Block a user