signerName: extend client-go ensureCompatibility and additional unit tests #88760
/kind cleanup
@@ -150,6 +150,9 @@ func ensureCompatible(new, orig *certificates.CertificateSigningRequest, private | |||
if !reflect.DeepEqual(newCSR.Subject, origCSR.Subject) { | |||
return fmt.Errorf("csr subjects differ: new: %#v, orig: %#v", newCSR.Subject, origCSR.Subject) | |||
} | |||
if new.Spec.SignerName != nil && orig.Spec.SignerName != nil && *new.Spec.SignerName != *orig.Spec.SignerName { |
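Review bot: The signerName comparison on the added `if` line is skipped whenever either `new.Spec.SignerName` or `orig.Spec.SignerName` is nil, so a request with no signer set is treated as compatible with an existing CSR that names any signer, and the reverse. If that is intended, for example because a nil value is expected to be defaulted elsewhere, state it in a comment above the check; otherwise treat nil against non-nil as a mismatch so that a CSR bound to a different signer is not reused. A unit test covering the nil-versus-set cases would pin down whichever behaviour is chosen.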
It's worth noting that RequestCertificate accepts signerName as a string, which means that orig can never be nil here. @liggitt was it a mistake that I made signerName (the arg) a non-ptr? Is it ever desirable to allow people to mark it as nil and defer the decision to the apiserver?
> was it a mistake that I made signerName (the arg) a non-ptr
No, making callers understand and choose their signer matches my expectations and the likely shape of the v1 API.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: liggitt, munnerz
/retest
/lgtm (got to this a bit late)
This PR addresses the feedback provided in #88246 (comment).
It allows client-go's csr package to 'invalidate' a CSR if the requested signerNames do not match.
As per @enj's request, I have also added explicit unit test cases for IsKubeletClientCSR and IsKubeletServingCSR. These functions were actually already covered by the defaulting tests (and I actually copied the various different cases from these tests too).
/assign @liggitt @enj
/sig auth
/priority important-soon