fix: CSR approving

Previously it was possible that selected CSR was from another node (when multiple static worker nodes joined at once) Signed-off-by: Artiom Diomin <kron82@gmail.com>
kubermatic · Feb 7, 2022 · 02f3c49 · 02f3c49
1 parent f026166
commit 02f3c49
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/pkg/tasks/certs.go b/pkg/tasks/certs.go
@@ -185,6 +185,8 @@ func saveCABundleOnControlPlane(s *state.State, _ *kubeoneapi.HostConfig, conn s
 }
 
 func approvePendingCSR(s *state.State, node *kubeoneapi.HostConfig, conn ssh.Connection) error {
+	approveErr := errors.Errorf("no CSR found for node %q", node.Hostname)
+
 	sleepTime := 20 * time.Second
 	s.Logger.Infof("Waiting %s for CSRs to approve...", sleepTime)
 	time.Sleep(sleepTime)
@@ -215,10 +217,17 @@ func approvePendingCSR(s *state.State, node *kubeoneapi.HostConfig, conn ssh.Con
 			continue
 		}
 
+		if fmt.Sprintf("%s:%s", nodeUser, node.Hostname) != csr.Spec.Username {
+			// that's not the CSR we are looking for
+			continue
+		}
+
 		if err := validateCSR(csr.Spec, node); err != nil {
 			return fmt.Errorf("failed to validate CSR: %w", err)
 		}
 
+		approveErr = nil
+
 		csr := csr.DeepCopy()
 		csr.Status.Conditions = append(csr.Status.Conditions, certificatesv1.CertificateSigningRequestCondition{
 			Type:   certificatesv1.CertificateApproved,
@@ -227,19 +236,16 @@ func approvePendingCSR(s *state.State, node *kubeoneapi.HostConfig, conn ssh.Con
 		})
 
 		s.Logger.Infof("Approve pending CSR %q for username %q", csr.Name, csr.Spec.Username)
-		if _, err := certClient.UpdateApproval(s.Context, csr.Name, csr, metav1.UpdateOptions{}); err != nil {
+		_, err := certClient.UpdateApproval(s.Context, csr.Name, csr, metav1.UpdateOptions{})
+		if err != nil {
 			return fmt.Errorf("failed to approve CSR %q: %w", csr.Name, err)
 		}
 	}
 
-	return nil
+	return approveErr
 }
 
 func validateCSR(spec certificatesv1.CertificateSigningRequestSpec, node *kubeoneapi.HostConfig) error {
-	if fmt.Sprintf("%s:%s", nodeUser, node.Hostname) != spec.Username {
-		return fmt.Errorf("CSR username %q and node hostname %q do not match", spec.Username, node.Hostname)
-	}
-
 	if !sets.NewString(spec.Groups...).HasAll(groupNodes, groupAuthenticated) {
 		return errors.New("CSR groups is expecter to be an authenticated node")
 	}