Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSR condition status, lastTransitionTime, versioned validation #90191

Merged
merged 11 commits into from
Jun 2, 2020
Merged

CSR condition status, lastTransitionTime, versioned validation #90191

merged 11 commits into from
Jun 2, 2020

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Apr 16, 2020
edited
Loading

What type of PR is this?
/kind api-change
/kind feature

What this PR does / why we need it:

Implements v1beta1 portions of the CSR KEP (kubernetes/enhancements#1513)

Best reviewed commit-by-commit

  • Adds a well-known condition type of Failed for use by signers that want to indicate permanent failure
    • Updates the signer controller to record a Failed condition when a request does not pass signerName validation
    • Updates printers/describers to surface failed status
    • Updates cert manager to stop waiting for failed CSRs
    • Updates cert cleaner to clean up stale failed CSRs
    • Allows conditions other than Approved and Denied to be added via /status
  • Brings CSR conditions in line with recommended condition schema:
    • Adds a status field (for compatibility, defaults to True if unspecified, may only be True for Approved, Denied, and Failed conditions)
    • Adds a lastTransitionTime field
  • Plumbs API version information to CSR validation
  • Partitions validation functions for the main resource, status, and approval subresources
  • In all API versions:
  • In versions other than v1beta1:
    • status.certificate is required to be well-formed
    • status.certificate is immutable once set
    • duplicate condition types are not allowed
    • empty condition type is not allowed
    • legacy-unknown signer is not allowed

Does this PR introduce a user-facing change?:

CertificateSigningRequest API conditions were updated:
* a `status` field was added; this field defaults to `True`, and may only be set to `True` for `Approved`, `Denied`, and `Failed` conditions
* a `lastTransitionTime` field was added
* a `Failed` condition type was added to allow signers to indicate permanent failure; this condition can be added via the `certificatesigningrequests/status` subresource.
* `Approved` and `Denied` conditions are mutually exclusive
* `Approved`, `Denied`, and `Failed` conditions can no longer be removed from a CSR

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190607-certificates-api.md

/sig auth
/milestone v1.19
/priority important-soon
/cc @deads2k @munnerz

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. kind/feature Categorizes issue or PR as related to a new feature. labels Apr 16, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.19 milestone Apr 16, 2020
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 16, 2020
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 16, 2020
@liggitt liggitt changed the title WIP - CSR conditions, versioned validation WIP - CSR condition status, versioned validation Apr 16, 2020
@k8s-ci-robot k8s-ci-robot added the sig/apps Categorizes an issue or PR as relevant to SIG Apps. label Apr 16, 2020
@k8s-ci-robot k8s-ci-robot added area/kubectl sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cli Categorizes an issue or PR as relevant to SIG CLI. labels Apr 16, 2020
@liggitt liggitt mentioned this pull request Apr 20, 2020
Closed
@liggitt liggitt added this to Assigned in API Reviews Apr 23, 2020
munnerz
munnerz reviewed May 5, 2020
View reviewed changes
pkg/apis/certificates/types.go Show resolved Hide resolved
pkg/apis/certificates/v1beta1/defaults.go Show resolved Hide resolved
pkg/apis/certificates/validation/validation.go Show resolved Hide resolved
pkg/apis/certificates/v1beta1/defaults.go Show resolved Hide resolved
pkg/apis/certificates/validation/validation.go Show resolved Hide resolved
pkg/apis/certificates/validation/validation.go Outdated Show resolved Hide resolved
pkg/apis/certificates/validation/validation.go Show resolved Hide resolved
pkg/apis/certificates/validation/validation_test.go Outdated Show resolved Hide resolved
staging/src/k8s.io/api/certificates/v1beta1/types.go Outdated Show resolved Hide resolved
staging/src/k8s.io/api/certificates/v1beta1/types.go Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 9, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 27, 2020
@liggitt
Copy link
Member Author

liggitt commented May 28, 2020
edited
Loading

regenerated openapi - https://github.com/kubernetes/kubernetes/compare/01a835ae5da08076c0e0cbf2c32c798884cf2d2d..7049149181189eae304246cc49de78d08eef4f80

@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 28, 2020
@liggitt liggitt added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. labels May 28, 2020
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. labels May 28, 2020
@liggitt
Copy link
Member Author

liggitt commented May 29, 2020

/retest

This was referenced May 29, 2020
Merged
Closed
smarterclayton
smarterclayton reviewed Jun 1, 2020
View reviewed changes
pkg/apis/certificates/v1beta1/defaults.go
@@ -59,18 +67,34 @@ func DefaultSignerNameFromSpec(obj *certificatesv1beta1.CertificateSigningReques
}
}

var (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So much better

@smarterclayton
Copy link
Contributor

API changes look fine to me, lgtm from that perspective.

@liggitt
Copy link
Member Author

liggitt commented Jun 1, 2020
edited
Loading

thanks

/hold cancel

@liggitt liggitt removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 1, 2020
@smarterclayton
Copy link
Contributor

Only one question, I had to read the KEP again but I didn't see anything really crazy.

@smarterclayton
Copy link
Contributor

/approve
/lgtm

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liggitt
Copy link
Member Author

liggitt commented Jun 2, 2020

/retest

2 similar comments
@liggitt
Copy link
Member Author

liggitt commented Jun 2, 2020

/retest

@liggitt
Copy link
Member Author

liggitt commented Jun 2, 2020

/retest

@k8s-ci-robot k8s-ci-robot merged commit 5fb9e35 into kubernetes:master Jun 2, 2020
@liggitt liggitt moved this from In progress to Done in SIG-Auth: CertificateSigningRequests Jun 2, 2020
@liggitt liggitt deleted the csr-status branch June 2, 2020 15:02
@github-actions github-actions bot mentioned this pull request Jun 9, 2020
Open
@liggitt liggitt moved this from Assigned to API review completed, 1.19 in API Reviews Jun 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@munnerz munnerz munnerz left review comments

@smarterclayton smarterclayton smarterclayton left review comments

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@munnerz munnerz

@smarterclayton smarterclayton

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubectl area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/node Categorizes an issue or PR as relevant to SIG Node. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
API Reviews
Status: API review completed, 1.19
SIG-Auth: CertificateSigningRequests
1.19 - Done
Milestone
v1.19
Development

Successfully merging this pull request may close these issues.

csr approved than denied ,can not be approved again
4 participants
@liggitt @munnerz @k8s-ci-robot @smarterclayton