Switch CSR approver/signer/cleaner controllers to v1

This commit is contained in:
Jordan Liggitt
2020-06-02 22:54:33 -04:00
parent fbcd0f84d8
commit db4ca87d9d
26 changed files with 213 additions and 190 deletions


@@ -23,12 +23,14 @@ import (
"fmt"
authorization "k8s.io/api/authorization/v1"
capi "k8s.io/api/certificates/v1beta1"
capi "k8s.io/api/certificates/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
certificatesinformers "k8s.io/client-go/informers/certificates/v1beta1"
"k8s.io/apimachinery/pkg/util/sets"
certificatesinformers "k8s.io/client-go/informers/certificates/v1"
clientset "k8s.io/client-go/kubernetes"
capihelper "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
capihelper "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/controller/certificates"
)
@@ -100,7 +102,7 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
}
if approved {
appendApprovalCondition(csr, r.successMessage)
_, err = a.client.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(context.Background(), csr, metav1.UpdateOptions{})
_, err = a.client.CertificatesV1().CertificateSigningRequests().UpdateApproval(context.Background(), csr.Name, csr, metav1.UpdateOptions{})
if err != nil {
return fmt.Errorf("error updating approval for csr: %v", err)
}
@@ -140,25 +142,30 @@ func (a *sarApprover) authorize(csr *capi.CertificateSigningRequest, rattrs auth
func appendApprovalCondition(csr *capi.CertificateSigningRequest, message string) {
csr.Status.Conditions = append(csr.Status.Conditions, capi.CertificateSigningRequestCondition{
Type: capi.CertificateApproved,
Status: corev1.ConditionTrue,
Reason: "AutoApproved",
Message: message,
})
}
func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
isClientCSR := capihelper.IsKubeletClientCSR(x509cr, csr.Spec.Usages)
if !isClientCSR {
if csr.Spec.SignerName != capi.KubeAPIServerClientKubeletSignerName {
return false
}
return *csr.Spec.SignerName == capi.KubeAPIServerClientKubeletSignerName
return capihelper.IsKubeletClientCSR(x509cr, usagesToSet(csr.Spec.Usages))
}
func isSelfNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
if !isNodeClientCert(csr, x509cr) {
return false
}
if csr.Spec.Username != x509cr.Subject.CommonName {
return false
}
return true
return isNodeClientCert(csr, x509cr)
}
func usagesToSet(usages []capi.KeyUsage) sets.String {
result := sets.NewString()
for _, usage := range usages {
result.Insert(string(usage))
}
return result
}
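Review bot: The three approver predicates at the end of this hunk (`isNodeClientCert`, `isSelfNodeClientCert`, `usagesToSet`) carry no doc comments, even though together they are the gate that decides whether a kubelet client CSR is auto-approved. Suggest `// isNodeClientCert reports whether csr names the kubelet client signer and its x509 request and declared usages satisfy capihelper.IsKubeletClientCSR.`, `// isSelfNodeClientCert reports whether csr is a node client CSR whose requesting user equals the certificate request's CommonName.`, and `// usagesToSet converts the declared KeyUsages to a sets.String for capihelper.IsKubeletClientCSR; duplicate usages collapse, so the helper sees the distinct set.` It would also help to note in the first comment that with the v1 types SignerName is a plain string, so the earlier pointer dereference no longer applies, and that whether extra or missing usages are rejected is decided inside IsKubeletClientCSR rather than in this file, which this hunk does not show.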