From 94fd1d76ca0e8992b000fbb6b1562c11c37df7cb Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Thu, 28 May 2020 10:48:49 -0400
Subject: [PATCH] Switch issued check to inspect certificate length

---
 pkg/controller/certificates/cleaner/cleaner.go | 7 +++++--
 pkg/kubelet/certificate/bootstrap/bootstrap_test.go | 4 +++-
 .../client-go/util/certificate/certificate_manager.go | 3 +++
 staging/src/k8s.io/client-go/util/certificate/csr/csr.go | 2 +-
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/pkg/controller/certificates/cleaner/cleaner.go b/pkg/controller/certificates/cleaner/cleaner.go
index 966131a95fd..b62d5510743 100644
--- a/pkg/controller/certificates/cleaner/cleaner.go
+++ b/pkg/controller/certificates/cleaner/cleaner.go
@@ -194,13 +194,13 @@ func isOlderThan(t metav1.Time, d time.Duration) bool {
 // 'Issued' status. Implicitly, if there is a certificate associated with the
 // CSR, the CSR statuses that are visible via `kubectl` will include 'Issued'.
 func isIssued(csr *capi.CertificateSigningRequest) bool {
- return csr.Status.Certificate != nil
+ return len(csr.Status.Certificate) > 0
 }
 
 // isExpired checks if the CSR has a certificate and the date in the `NotAfter`
 // field has gone by.
 func isExpired(csr *capi.CertificateSigningRequest) (bool, error) {
- if csr.Status.Certificate == nil {
+ if len(csr.Status.Certificate) == 0 {
 return false, nil
 }
 block, _ := pem.Decode(csr.Status.Certificate)
@@ -211,5 +211,8 @@ func isExpired(csr *capi.CertificateSigningRequest) (bool, error) {
 if err != nil {
 return false, fmt.Errorf("unable to parse certificate data: %v", err)
 }
+ if len(certs) == 0 {
+ return false, fmt.Errorf("no certificates found")
+ }
 return time.Now().After(certs[0].NotAfter), nil
 }
diff --git a/pkg/kubelet/certificate/bootstrap/bootstrap_test.go b/pkg/kubelet/certificate/bootstrap/bootstrap_test.go
index bbfa0e9aa8c..8ba3daeb77a 100644
--- a/pkg/kubelet/certificate/bootstrap/bootstrap_test.go
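Review bot: The doc comment above isIssued still says only "if there is a certificate associated with the CSR", while the new `return len(csr.Status.Certificate) > 0` also treats a present-but-empty Status.Certificate as not issued; one added line would pin that contract, e.g. `// An empty Certificate is treated the same as an absent one.` The same applies to isExpired's early return, which now fires on empty data as well. Separately, `block, _ := pem.Decode(...)` yields a nil block for non-PEM input, and the lines between this hunk and the next (including the x509 parse call) are outside the hunk, so I cannot confirm from here that a nil block is rejected before its Bytes field is read. isExpired's body continues past the end of this hunk.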
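Review bot: The added `if len(certs) == 0` guard carries no why-comment, and the reason is not obvious from the surrounding lines: a parse that returns no error can still yield zero certificates (an empty PEM body), which is exactly the input that would index out of range on `certs[0]` below; suggest `// An empty PEM body parses without error but yields no certificates; guard the index below.` Note also that only `certs[0]` is checked for expiry, so if Status.Certificate ever carries a chain the check presumably assumes the leaf comes first — if that is the contract, the isExpired doc comment is the place to say so. isExpired starts before this hunk.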
+++ b/pkg/kubelet/certificate/bootstrap/bootstrap_test.go
@@ -174,6 +174,7 @@ func (c *fakeClient) Watch(_ context.Context, opts metav1.ListOptions) (watch.In
 
 func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
 var condition certificates.CertificateSigningRequestCondition
+ var certificateData []byte
 if c.failureType == certificateSigningRequestDenied {
 condition = certificates.CertificateSigningRequestCondition{
 Type: certificates.CertificateDenied,
@@ -182,6 +183,7 @@ func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
 condition = certificates.CertificateSigningRequestCondition{
 Type: certificates.CertificateApproved,
 }
+ certificateData = []byte(`issued certificate`)
 }
 
 csr := certificates.CertificateSigningRequest{
@@ -192,7 +194,7 @@ func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
 Conditions: []certificates.CertificateSigningRequestCondition{
 condition,
 },
- Certificate: []byte{},
+ Certificate: certificateData,
 },
 }
 return &csr
diff --git a/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go b/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
index 3cadebc6921..9df414abc6f 100644
--- a/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
+++ b/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
@@ -374,6 +374,9 @@ func getCurrentCertificateOrBootstrap(
 if err != nil {
 return nil, false, fmt.Errorf("unable to parse certificate data: %v", err)
 }
+ if len(certs) < 1 {
+ return nil, false, fmt.Errorf("no cert data found")
+ }
 bootstrapCert.Leaf = certs[0]
 
 if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil {
diff --git a/staging/src/k8s.io/client-go/util/certificate/csr/csr.go b/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
index 9cc4be8ea0d..c763f31c20b 100644
--- a/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
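Review bot: The fake's issued certificate on the added `certificateData = []byte(`issued certificate`)` line is not PEM, which is fine for a caller that only tests `len(Status.Certificate) > 0` but would fail in any exercised path that decodes the returned bytes. If the placeholder is deliberate, a comment would spare the next reader the question, e.g. `// Not a real certificate: the bootstrap wait path only checks that the field is non-empty.` If some tested path does parse it, generating a small self-signed PEM in the helper would be the safer fixture. generateCSR is spread across several hunks here.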
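Review bot: The added guard `if len(certs) < 1` and its message `"no cert data found"` differ from the equivalent guard this same commit adds in cleaner.go (`len(certs) == 0`, "no certificates found"), and the wording here is slightly misleading because cert data was found and parsed but contained zero certificates. Suggest `if len(certs) == 0 {` with `return nil, false, fmt.Errorf("no certificates found in bootstrap certificate data")`, assuming no test pins the exact string, which I cannot see from here. getCurrentCertificateOrBootstrap begins and ends outside this hunk.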
+++ b/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
@@ -125,7 +125,7 @@ func WaitForCertificate(ctx context.Context, client certificatesclient.Certifica
 }
 }
 if approved {
- if csr.Status.Certificate != nil {
+ if len(csr.Status.Certificate) > 0 {
 klog.V(2).Infof("certificate signing request %s is issued", csr.Name)
 return true, nil
 }
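Review bot: The issued predicate `len(csr.Status.Certificate) > 0` on the changed line now duplicates cleaner.go's isIssued from a different package, with nothing stating why the previous nil check was not enough; a short why-comment would keep the two from drifting, e.g. `// nil and empty are treated alike: an approved CSR counts as issued only once the signer has populated Certificate.` Whether an approved-but-unpopulated CSR keeps waiting depends on code past the end of this hunk, which I cannot see. WaitForCertificate starts and ends outside the hunk.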