Merge pull request #91779 from liggitt/csr-v1-describe

CSR v1 - add support to kubectl describe
Kubernetes Prow Robot 2020-06-10 04:40:11 -07:00 committed by GitHub
commit 3b1432972c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 54 additions and 28 deletions


@ -3252,26 +3252,57 @@ type CertificateSigningRequestDescriber struct {
} }
func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) { func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
csr, err := p.client.CertificatesV1beta1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{})
if err != nil { var (
crBytes []byte
metadata metav1.ObjectMeta
status string
signerName string
username string
events *corev1.EventList
)
if csr, err := p.client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{}); err == nil {
crBytes = csr.Spec.Request
metadata = csr.ObjectMeta
conditionTypes := []string{}
for _, c := range csr.Status.Conditions {
conditionTypes = append(conditionTypes, string(c.Type))
}
status = extractCSRStatus(conditionTypes, csr.Status.Certificate)
signerName = csr.Spec.SignerName
username = csr.Spec.Username
if describerSettings.ShowEvents {
events, _ = p.client.CoreV1().Events(namespace).Search(scheme.Scheme, csr)
}
} else if csr, err := p.client.CertificatesV1beta1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{}); err == nil {
crBytes = csr.Spec.Request
metadata = csr.ObjectMeta
conditionTypes := []string{}
for _, c := range csr.Status.Conditions {
conditionTypes = append(conditionTypes, string(c.Type))
}
status = extractCSRStatus(conditionTypes, csr.Status.Certificate)
if csr.Spec.SignerName != nil {
signerName = *csr.Spec.SignerName
}
username = csr.Spec.Username
if describerSettings.ShowEvents {
events, _ = p.client.CoreV1().Events(namespace).Search(scheme.Scheme, csr)
}
} else {
return "", err return "", err
} }
cr, err := certificate.ParseCSR(csr) cr, err := certificate.ParseCSR(crBytes)
if err != nil { if err != nil {
return "", fmt.Errorf("Error parsing CSR: %v", err) return "", fmt.Errorf("Error parsing CSR: %v", err)
} }
status := extractCSRStatus(csr)
var events *corev1.EventList return describeCertificateSigningRequest(metadata, signerName, username, cr, status, events)
if describerSettings.ShowEvents {
events, _ = p.client.CoreV1().Events(namespace).Search(scheme.Scheme, csr)
}
return describeCertificateSigningRequest(csr, cr, status, events)
} }
func describeCertificateSigningRequest(csr *certificatesv1beta1.CertificateSigningRequest, cr *x509.CertificateRequest, status string, events *corev1.EventList) (string, error) { func describeCertificateSigningRequest(csr metav1.ObjectMeta, signerName string, username string, cr *x509.CertificateRequest, status string, events *corev1.EventList) (string, error) {
printListHelper := func(w PrefixWriter, prefix, name string, values []string) { printListHelper := func(w PrefixWriter, prefix, name string, values []string) {
if len(values) == 0 { if len(values) == 0 {
return return
@ -3287,9 +3318,9 @@ func describeCertificateSigningRequest(csr *certificatesv1beta1.CertificateSigni
w.Write(LEVEL_0, "Labels:\t%s\n", labels.FormatLabels(csr.Labels)) w.Write(LEVEL_0, "Labels:\t%s\n", labels.FormatLabels(csr.Labels))
w.Write(LEVEL_0, "Annotations:\t%s\n", labels.FormatLabels(csr.Annotations)) w.Write(LEVEL_0, "Annotations:\t%s\n", labels.FormatLabels(csr.Annotations))
w.Write(LEVEL_0, "CreationTimestamp:\t%s\n", csr.CreationTimestamp.Time.Format(time.RFC1123Z)) w.Write(LEVEL_0, "CreationTimestamp:\t%s\n", csr.CreationTimestamp.Time.Format(time.RFC1123Z))
w.Write(LEVEL_0, "Requesting User:\t%s\n", csr.Spec.Username) w.Write(LEVEL_0, "Requesting User:\t%s\n", username)
if csr.Spec.SignerName != nil { if len(signerName) > 0 {
w.Write(LEVEL_0, "Signer:\t%s\n", *csr.Spec.SignerName) w.Write(LEVEL_0, "Signer:\t%s\n", signerName)
} }
w.Write(LEVEL_0, "Status:\t%s\n", status) w.Write(LEVEL_0, "Status:\t%s\n", status)
@ -4835,20 +4866,20 @@ func formatEndpoints(endpoints *corev1.Endpoints, ports sets.String) string {
return ret return ret
} }
func extractCSRStatus(csr *certificatesv1beta1.CertificateSigningRequest) string { func extractCSRStatus(conditions []string, certificateBytes []byte) string {
var approved, denied, failed bool var approved, denied, failed bool
for _, c := range csr.Status.Conditions { for _, c := range conditions {
switch c.Type { switch c {
case certificatesv1beta1.CertificateApproved: case string(certificatesv1beta1.CertificateApproved):
approved = true approved = true
case certificatesv1beta1.CertificateDenied: case string(certificatesv1beta1.CertificateDenied):
denied = true denied = true
case certificatesv1beta1.CertificateFailed: case string(certificatesv1beta1.CertificateFailed):
failed = true failed = true
} }
} }
var status string var status string
// must be in order of presidence // must be in order of precedence
if denied { if denied {
status += "Denied" status += "Denied"
} else if approved { } else if approved {
@ -4859,7 +4890,7 @@ func extractCSRStatus(csr *certificatesv1beta1.CertificateSigningRequest) string
if failed { if failed {
status += ",Failed" status += ",Failed"
} }
if len(csr.Status.Certificate) > 0 { if len(certificateBytes) > 0 {
status += ",Issued" status += ",Issued"
} }
return status return status
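Review bot: In the final `else` of `Describe`, the `err` that is returned is the one from the v1beta1 `Get`, because each `if csr, err := …` initializer declares its own `err` and the later one shadows the earlier, so the v1 error is dropped. Any v1 failure, not only a missing API version, also triggers the second request, so a Forbidden or a timeout from v1 can surface as an unrelated v1beta1 error and hide the real cause from whoever is inspecting the request. Keep the v1 error in its own variable and fall back only when it is a not-found, e.g. `if errV1 != nil && !apierrors.IsNotFound(errV1) { return "", errV1 }` (assuming `k8s.io/apimachinery/pkg/api/errors` is imported under that alias in this file, which the hunk does not show). The two success branches are otherwise identical apart from the `SignerName` pointer dereference, so the condition-type loop could move into a small helper.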


@ -6,7 +6,6 @@ go_library(
importmap = "k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/util/certificate", importmap = "k8s.io/kubernetes/vendor/k8s.io/kubectl/pkg/util/certificate",
importpath = "k8s.io/kubectl/pkg/util/certificate", importpath = "k8s.io/kubectl/pkg/util/certificate",
visibility = ["//visibility:public"], visibility = ["//visibility:public"],
deps = ["//staging/src/k8s.io/api/certificates/v1beta1:go_default_library"],
) )
filegroup( filegroup(


@ -20,16 +20,12 @@ import (
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"errors" "errors"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
) )
// TODO(yue9944882): Remove this helper package once it's copied to k/api // TODO(yue9944882): Remove this helper package once it's copied to k/api
// ParseCSR extracts the CSR from the API object and decodes it. // ParseCSR extracts the CSR from the API object and decodes it.
func ParseCSR(obj *certificatesv1beta1.CertificateSigningRequest) (*x509.CertificateRequest, error) { func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
// extract PEM from request object
pemBytes := obj.Spec.Request
block, _ := pem.Decode(pemBytes) block, _ := pem.Decode(pemBytes)
if block == nil || block.Type != "CERTIFICATE REQUEST" { if block == nil || block.Type != "CERTIFICATE REQUEST" {
return nil, errors.New("PEM block type must be CERTIFICATE REQUEST") return nil, errors.New("PEM block type must be CERTIFICATE REQUEST")