Merge pull request #66120 from CaoShuFeng/csr_deny

Automatic merge from submit-queue (batch tested with PRs 66136, 64999, 65425, 66120, 66074). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

optimize certificate cleaner

No need to parse certificates for every conditions



**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

pkg/controller/certificates/cleaner/cleaner.go

@@ -118,11 +118,11 @@ func (ccc *CSRCleanerController) handle(csr *capi.CertificateSigningRequest) err
 // isIssuedExpired checks if the CSR has been issued a certificate and if the
 // expiration of the certificate (the NotAfter value) has passed.
 func isIssuedExpired(csr *capi.CertificateSigningRequest) (bool, error) {
+	isExpired, err := isExpired(csr)
+	if err != nil {
+		return false, err
+	}
 	for _, c := range csr.Status.Conditions {
-		isExpired, err := isExpired(csr)
-		if err != nil {
-			return false, err
-		}
 		if c.Type == capi.CertificateApproved && isIssued(csr) && isExpired {
 			glog.Infof("Cleaning CSR %q as the associated certificate is expired.", csr.Name)
 			return true, nil