Exclude Multus CSRs when checking for pending CSRs

openshift · Feb 1, 2024 · 0ab9114 · 0ab9114
1 parent e0b73e6
commit 0ab9114
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/pkg/controller/csr_check.go b/pkg/controller/csr_check.go
@@ -510,7 +510,7 @@ func recentlyPendingNodeCSRs(csrs []certificatesv1.CertificateSigningRequest) in
 			continue
 		}
 
-		if (isReqFromNodeBootstrapper(&csr) || isRequestFromNodeUser(csr)) && !isApproved(csr) {
+		if (isReqFromNodeBootstrapper(&csr) || isRequestFromNodeUser(csr) && !isRequestFromMultus(csr)) && !isApproved(csr) {
 			pending++
 		}
 	}
@@ -522,6 +522,16 @@ func isRequestFromNodeUser(csr certificatesv1.CertificateSigningRequest) bool {
 	return strings.HasPrefix(csr.Spec.Username, nodeUserPrefix)
 }
 
+func isRequestFromMultus(csr certificatesv1.CertificateSigningRequest) bool {
+	parsedCSR, err := parseCSR(&csr)
+	if err != nil {
+		klog.Errorf("%v: Failed to parse csr: %v", csr.Name, err)
+		return false
+	}
+
+	return strings.HasPrefix(parsedCSR.Subject.CommonName, "system:multus:")
+}
+
 // getServingCert fetches the node by the given name and attempts to connect to
 // its kubelet on the first advertised address.
 //

diff --git a/pkg/controller/csr_check_test.go b/pkg/controller/csr_check_test.go
@@ -37,7 +37,7 @@ import (
 var serverCertGood, serverKeyGood, rootCertGood string
 
 // Generated CRs, are populating within the init func
-var goodCSR, goodCSRECDSA, extraAddr, otherName, noNamePrefix, noGroup, clientGood, clientExtraO, clientWithDNS, clientWrongCN, clientEmptyName, emptyCSR string
+var goodCSR, goodCSRECDSA, extraAddr, otherName, noNamePrefix, noGroup, clientGood, clientExtraO, clientWithDNS, clientWrongCN, clientEmptyName, emptyCSR, multusCSRPEM string
 
 var presetTimeCorrect, presetTimeExpired time.Time
 
@@ -116,6 +116,7 @@ func init() {
 	clientWrongCN = createCSR("system:notnode:zebra", defaultOrgs, []net.IP{}, []string{})
 	clientEmptyName = createCSR("system:node:", defaultOrgs, []net.IP{}, []string{})
 	emptyCSR = "-----BEGIN??\n"
+	multusCSRPEM = createCSR("system:multus:", defaultOrgs, []net.IP{}, []string{})
 }
 
 func generateCertKeyPair(duration time.Duration, parentCertPEM, parentKeyPEM []byte, commonName string, otherNames ...string) ([]byte, []byte, error) {
@@ -1948,6 +1949,13 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 		},
 	}
 	pendingCSR := certificatesv1.CertificateSigningRequest{}
+	multusCSR := certificatesv1.CertificateSigningRequest{
+		Spec: certificatesv1.CertificateSigningRequestSpec{
+			Username: nodeUserPrefix + "clustername-abcde-master-us-west-1a-0",
+			Request:  []byte(multusCSRPEM),
+		},
+	}
+
 	pendingTime := baseTime.Add(time.Second)
 	pastApprovalTime := baseTime.Add(-maxPendingDelta)
 	preApprovalTime := baseTime.Add(10 * time.Second)
@@ -1992,6 +2000,11 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 			csrs:          []certificatesv1.CertificateSigningRequest{createdAt(preApprovalTime, pendingNodeBootstrapperCSR)},
 			expectPending: 0,
 		},
+		{
+			name:          "multus node CSR",
+			csrs:          []certificatesv1.CertificateSigningRequest{createdAt(pendingTime, multusCSR)},
+			expectPending: 0,
+		},
 		{
 			name: "multiple different csrs",
 			csrs: []certificatesv1.CertificateSigningRequest{
@@ -2001,6 +2014,7 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 
 				createdAt(pendingTime, pendingCSR),
 				createdAt(pendingTime, approvedNodeBootstrapperCSR),
+				createdAt(pendingTime, multusCSR),
 				createdAt(preApprovalTime, approvedNodeBootstrapperCSR),
 				createdAt(pastApprovalTime, approvedNodeBootstrapperCSR),
 				createdAt(preApprovalTime, pendingNodeBootstrapperCSR),