Don't allow --csr-only for CA certs or all

cmd/kubeadm/app/cmd/phases/certs.go

@@ -91,7 +91,6 @@ func newCertSubPhases() []workflow.Phase {
 		Short:          "Generates all certificates",
 		InheritFlags:   getCertPhaseFlags("all"),
 		RunAllSiblings: true,
-		LocalFlags:     localFlags(),
 	}
 
 	subPhases = append(subPhases, allPhase)
@@ -104,6 +103,7 @@ func newCertSubPhases() []workflow.Phase {
 
 		for _, cert := range certList {
 			certPhase := newCertSubPhase(cert, runCertPhase(cert, ca))
+			certPhase.LocalFlags = localFlags()
 			subPhases = append(subPhases, certPhase)
 		}
 	}
@@ -133,7 +133,6 @@ func newCertSubPhase(certSpec *certsphase.KubeadmCert, run func(c workflow.RunDa
 		),
 		Run:          run,
 		InheritFlags: getCertPhaseFlags(certSpec.Name),
-		LocalFlags:   localFlags(),
 	}
 	return phase
 }

cmd/kubeadm/test/cmd/BUILD

@@ -36,6 +36,7 @@ go_test(
         "//cmd/kubeadm/app/phases/certs:go_default_library",
         "//cmd/kubeadm/app/util/pkiutil:go_default_library",
         "//cmd/kubeadm/test:go_default_library",
+        "//vendor/github.com/pkg/errors:go_default_library",
         "//vendor/github.com/renstrom/dedent:go_default_library",
         "//vendor/sigs.k8s.io/yaml:go_default_library",
     ],

cmd/kubeadm/test/cmd/init_test.go

@@ -17,8 +17,11 @@ limitations under the License.
 package kubeadm
 
 import (
+	"os/exec"
+	"strings"
 	"testing"
 
+	"github.com/pkg/errors"
 	"github.com/renstrom/dedent"
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
@@ -200,18 +203,54 @@ func TestCmdInitCertPhaseCSR(t *testing.T) {
 		t.Skip()
 	}
 
-	csrDir := testutil.SetupTempDir(t)
+	tests := []struct {
+		name          string
+		baseName      string
+		expectedError string
+	}{
+		{
+			name:     "generate CSR",
+			baseName: certs.KubeadmCertKubeletClient.BaseName,
+		},
+		{
+			name:          "fails on CSR",
+			baseName:      certs.KubeadmCertRootCA.BaseName,
+			expectedError: "unknown flag: --csr-only",
+		},
+		{
+			name:          "fails on all",
+			baseName:      "all",
+			expectedError: "unknown flag: --csr-only",
+		},
+	}
 
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			csrDir := testutil.SetupTempDir(t)
 			cert := &certs.KubeadmCertKubeletClient
 			kubeadmPath := getKubeadmPath()
-	_, _, err := RunCmd(kubeadmPath,
+			_, stderr, err := RunCmd(kubeadmPath,
 				"init",
 				"phase",
 				"certs",
-		cert.BaseName,
+				test.baseName,
 				"--csr-only",
 				"--csr-dir="+csrDir,
 			)
+
+			if test.expectedError != "" {
+				cause := errors.Cause(err)
+				_, ok := cause.(*exec.ExitError)
+				if !ok {
+					t.Fatalf("expected exitErr: got %T (%v)", cause, err)
+				}
+
+				if !strings.Contains(stderr, test.expectedError) {
+					t.Errorf("expected %q to contain %q", stderr, test.expectedError)
+				}
+				return
+			}
+
 			if err != nil {
 				t.Fatalf("couldn't run kubeadm: %v", err)
 			}
@@ -219,6 +258,8 @@ func TestCmdInitCertPhaseCSR(t *testing.T) {
 			if _, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(csrDir, cert.BaseName); err != nil {
 				t.Fatalf("couldn't load certificate %q: %v", cert.BaseName, err)
 			}
+		})
+	}
 }
 
 func TestCmdInitAPIPort(t *testing.T) {

cmd/kubeadm/test/cmd/util.go

@@ -43,7 +43,7 @@ func runCmdNoWrap(command string, args ...string) (string, string, error) {
 func RunCmd(command string, args ...string) (string, string, error) {
 	stdout, stderr, err := runCmdNoWrap(command, args...)
 	if err != nil {
-		return "", "", errors.Wrapf(err, "error running %s %v; \nstdout %q, \nstderr %q, \ngot error",
+		return stdout, stderr, errors.Wrapf(err, "error running %s %v; \nstdout %q, \nstderr %q, \ngot error",
 			command, args, stdout, stderr)
 	}
 	return stdout, stderr, nil