From 63537e84cf54fd685076e5ce51d63e12a8561063 Mon Sep 17 00:00:00 2001
From: Steve Kuznetsov <skuznets@redhat.com>
Date: Wed, 24 Jan 2024 14:33:38 -0700
Subject: [PATCH] api: re-add the v1beta1 CSRA

Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
---
 ...certificatesigningrequestapproval_types.go |  34 +++
 .../v1beta1/zz_generated.deepcopy.go          |  89 ++++++
 .../certificatesigningrequestapproval.go      | 219 +++++++++++++++
 client/applyconfiguration/utils.go            |   2 +
 .../certificatesigningrequestapproval.go      | 255 ++++++++++++++++++
 .../fake_certificatesigningrequestapproval.go | 188 +++++++++++++
 .../v1beta1/fake/fake_hypershift_client.go    |   4 +
 .../hypershift/v1beta1/generated_expansion.go |   2 +
 .../hypershift/v1beta1/hypershift_client.go   |   5 +
 client/informers/externalversions/generic.go  |   2 +
 .../certificatesigningrequestapproval.go      |  89 ++++++
 .../hypershift/v1beta1/interface.go           |   7 +
 .../certificatesigningrequestapproval.go      |  98 +++++++
 .../hypershift/v1beta1/expansion_generated.go |   8 +
 ...io_certificatesigningrequestapprovals.yaml |  48 ++++
 docs/content/reference/api.md                 |  89 ++++++
 hack/app-sre/saas_template.yaml               |  67 +++++
 17 files changed, 1206 insertions(+)
 create mode 100644 api/hypershift/v1beta1/certificatesigningrequestapproval_types.go
 create mode 100644 client/applyconfiguration/hypershift/v1beta1/certificatesigningrequestapproval.go
 create mode 100644 client/clientset/clientset/typed/hypershift/v1beta1/certificatesigningrequestapproval.go
 create mode 100644 client/clientset/clientset/typed/hypershift/v1beta1/fake/fake_certificatesigningrequestapproval.go
 create mode 100644 client/informers/externalversions/hypershift/v1beta1/certificatesigningrequestapproval.go
 create mode 100644 client/listers/hypershift/v1beta1/certificatesigningrequestapproval.go
 create mode 100644 cmd/install/assets/hypershift-operator/hypershift.openshift.io_certificatesigningrequestapprovals.yaml

diff --git a/api/hypershift/v1beta1/certificatesigningrequestapproval_types.go b/api/hypershift/v1beta1/certificatesigningrequestapproval_types.go
new file mode 100644
index 0000000000..00d7ce48d7
--- /dev/null
+++ b/api/hypershift/v1beta1/certificatesigningrequestapproval_types.go
@@ -0,0 +1,34 @@
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +kubebuilder:resource:path=certificatesigningrequestapprovals,shortName=csra;csras,scope=Namespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+
+// CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval
+type CertificateSigningRequestApproval struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   CertificateSigningRequestApprovalSpec   `json:"spec,omitempty"`
+	Status CertificateSigningRequestApprovalStatus `json:"status,omitempty"`
+}
+
+// CertificateSigningRequestApprovalSpec defines the desired state of CertificateSigningRequestApproval
+type CertificateSigningRequestApprovalSpec struct{}
+
+// CertificateSigningRequestApprovalStatus defines the observed state of CertificateSigningRequestApproval
+type CertificateSigningRequestApprovalStatus struct{}
+
+// +kubebuilder:object:root=true
+
+// CertificateSigningRequestApprovalList contains a list of CertificateSigningRequestApprovals.
+type CertificateSigningRequestApprovalList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CertificateSigningRequestApproval `json:"items"`
+}
diff --git a/api/hypershift/v1beta1/zz_generated.deepcopy.go b/api/hypershift/v1beta1/zz_generated.deepcopy.go
index 4c531fc17b..32bab9b619 100644
--- a/api/hypershift/v1beta1/zz_generated.deepcopy.go
+++ b/api/hypershift/v1beta1/zz_generated.deepcopy.go
@@ -533,6 +533,95 @@ func (in *AzurePlatformSpec) DeepCopy() *AzurePlatformSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequestApproval) DeepCopyInto(out *CertificateSigningRequestApproval) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestApproval.
+func (in *CertificateSigningRequestApproval) DeepCopy() *CertificateSigningRequestApproval {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequestApproval)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CertificateSigningRequestApproval) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequestApprovalList) DeepCopyInto(out *CertificateSigningRequestApprovalList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CertificateSigningRequestApproval, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestApprovalList.
+func (in *CertificateSigningRequestApprovalList) DeepCopy() *CertificateSigningRequestApprovalList {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequestApprovalList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CertificateSigningRequestApprovalList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequestApprovalSpec) DeepCopyInto(out *CertificateSigningRequestApprovalSpec) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestApprovalSpec.
+func (in *CertificateSigningRequestApprovalSpec) DeepCopy() *CertificateSigningRequestApprovalSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequestApprovalSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequestApprovalStatus) DeepCopyInto(out *CertificateSigningRequestApprovalStatus) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestApprovalStatus.
+func (in *CertificateSigningRequestApprovalStatus) DeepCopy() *CertificateSigningRequestApprovalStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequestApprovalStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterAutoscaling) DeepCopyInto(out *ClusterAutoscaling) {
 	*out = *in
diff --git a/client/applyconfiguration/hypershift/v1beta1/certificatesigningrequestapproval.go b/client/applyconfiguration/hypershift/v1beta1/certificatesigningrequestapproval.go
new file mode 100644
index 0000000000..5798fbf9ad
--- /dev/null
+++ b/client/applyconfiguration/hypershift/v1beta1/certificatesigningrequestapproval.go
@@ -0,0 +1,219 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	v1beta1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CertificateSigningRequestApprovalApplyConfiguration represents an declarative configuration of the CertificateSigningRequestApproval type for use
+// with apply.
+type CertificateSigningRequestApprovalApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *v1beta1.CertificateSigningRequestApprovalSpec   `json:"spec,omitempty"`
+	Status                           *v1beta1.CertificateSigningRequestApprovalStatus `json:"status,omitempty"`
+}
+
+// CertificateSigningRequestApproval constructs an declarative configuration of the CertificateSigningRequestApproval type for use with
+// apply.
+func CertificateSigningRequestApproval(name, namespace string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b := &CertificateSigningRequestApprovalApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("CertificateSigningRequestApproval")
+	b.WithAPIVersion("hypershift.openshift.io/v1beta1")
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithKind(value string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithAPIVersion(value string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithName(value string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithGenerateName(value string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithNamespace(value string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithUID(value types.UID) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithResourceVersion(value string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithGeneration(value int64) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithLabels(entries map[string]string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithAnnotations(entries map[string]string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.OwnerReferences = append(b.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithFinalizers(values ...string) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.Finalizers = append(b.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CertificateSigningRequestApprovalApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithSpec(value v1beta1.CertificateSigningRequestApprovalSpec) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.Spec = &value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CertificateSigningRequestApprovalApplyConfiguration) WithStatus(value v1beta1.CertificateSigningRequestApprovalStatus) *CertificateSigningRequestApprovalApplyConfiguration {
+	b.Status = &value
+	return b
+}
diff --git a/client/applyconfiguration/utils.go b/client/applyconfiguration/utils.go
index d893783041..6e69f1b481 100644
--- a/client/applyconfiguration/utils.go
+++ b/client/applyconfiguration/utils.go
@@ -248,6 +248,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &hypershiftv1beta1.AzureNodePoolPlatformApplyConfiguration{}
 	case v1beta1.SchemeGroupVersion.WithKind("AzurePlatformSpec"):
 		return &hypershiftv1beta1.AzurePlatformSpecApplyConfiguration{}
+	case v1beta1.SchemeGroupVersion.WithKind("CertificateSigningRequestApproval"):
+		return &hypershiftv1beta1.CertificateSigningRequestApprovalApplyConfiguration{}
 	case v1beta1.SchemeGroupVersion.WithKind("ClusterAutoscaling"):
 		return &hypershiftv1beta1.ClusterAutoscalingApplyConfiguration{}
 	case v1beta1.SchemeGroupVersion.WithKind("ClusterConfiguration"):
diff --git a/client/clientset/clientset/typed/hypershift/v1beta1/certificatesigningrequestapproval.go b/client/clientset/clientset/typed/hypershift/v1beta1/certificatesigningrequestapproval.go
new file mode 100644
index 0000000000..313ecdd31c
--- /dev/null
+++ b/client/clientset/clientset/typed/hypershift/v1beta1/certificatesigningrequestapproval.go
@@ -0,0 +1,255 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+	"time"
+
+	v1beta1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+	hypershiftv1beta1 "github.com/openshift/hypershift/client/applyconfiguration/hypershift/v1beta1"
+	scheme "github.com/openshift/hypershift/client/clientset/clientset/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// CertificateSigningRequestApprovalsGetter has a method to return a CertificateSigningRequestApprovalInterface.
+// A group's client should implement this interface.
+type CertificateSigningRequestApprovalsGetter interface {
+	CertificateSigningRequestApprovals(namespace string) CertificateSigningRequestApprovalInterface
+}
+
+// CertificateSigningRequestApprovalInterface has methods to work with CertificateSigningRequestApproval resources.
+type CertificateSigningRequestApprovalInterface interface {
+	Create(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.CreateOptions) (*v1beta1.CertificateSigningRequestApproval, error)
+	Update(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.UpdateOptions) (*v1beta1.CertificateSigningRequestApproval, error)
+	UpdateStatus(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.UpdateOptions) (*v1beta1.CertificateSigningRequestApproval, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1beta1.CertificateSigningRequestApproval, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1beta1.CertificateSigningRequestApprovalList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.CertificateSigningRequestApproval, err error)
+	Apply(ctx context.Context, certificateSigningRequestApproval *hypershiftv1beta1.CertificateSigningRequestApprovalApplyConfiguration, opts v1.ApplyOptions) (result *v1beta1.CertificateSigningRequestApproval, err error)
+	ApplyStatus(ctx context.Context, certificateSigningRequestApproval *hypershiftv1beta1.CertificateSigningRequestApprovalApplyConfiguration, opts v1.ApplyOptions) (result *v1beta1.CertificateSigningRequestApproval, err error)
+	CertificateSigningRequestApprovalExpansion
+}
+
+// certificateSigningRequestApprovals implements CertificateSigningRequestApprovalInterface
+type certificateSigningRequestApprovals struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCertificateSigningRequestApprovals returns a CertificateSigningRequestApprovals
+func newCertificateSigningRequestApprovals(c *HypershiftV1beta1Client, namespace string) *certificateSigningRequestApprovals {
+	return &certificateSigningRequestApprovals{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the certificateSigningRequestApproval, and returns the corresponding certificateSigningRequestApproval object, and an error if there is any.
+func (c *certificateSigningRequestApprovals) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	result = &v1beta1.CertificateSigningRequestApproval{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CertificateSigningRequestApprovals that match those selectors.
+func (c *certificateSigningRequestApprovals) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.CertificateSigningRequestApprovalList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1beta1.CertificateSigningRequestApprovalList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested certificateSigningRequestApprovals.
+func (c *certificateSigningRequestApprovals) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a certificateSigningRequestApproval and creates it.  Returns the server's representation of the certificateSigningRequestApproval, and an error, if there is any.
+func (c *certificateSigningRequestApprovals) Create(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.CreateOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	result = &v1beta1.CertificateSigningRequestApproval{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(certificateSigningRequestApproval).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a certificateSigningRequestApproval and updates it. Returns the server's representation of the certificateSigningRequestApproval, and an error, if there is any.
+func (c *certificateSigningRequestApprovals) Update(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.UpdateOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	result = &v1beta1.CertificateSigningRequestApproval{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		Name(certificateSigningRequestApproval.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(certificateSigningRequestApproval).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *certificateSigningRequestApprovals) UpdateStatus(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.UpdateOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	result = &v1beta1.CertificateSigningRequestApproval{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		Name(certificateSigningRequestApproval.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(certificateSigningRequestApproval).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the certificateSigningRequestApproval and deletes it. Returns an error if one occurs.
+func (c *certificateSigningRequestApprovals) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *certificateSigningRequestApprovals) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched certificateSigningRequestApproval.
+func (c *certificateSigningRequestApprovals) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	result = &v1beta1.CertificateSigningRequestApproval{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied certificateSigningRequestApproval.
+func (c *certificateSigningRequestApprovals) Apply(ctx context.Context, certificateSigningRequestApproval *hypershiftv1beta1.CertificateSigningRequestApprovalApplyConfiguration, opts v1.ApplyOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	if certificateSigningRequestApproval == nil {
+		return nil, fmt.Errorf("certificateSigningRequestApproval provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(certificateSigningRequestApproval)
+	if err != nil {
+		return nil, err
+	}
+	name := certificateSigningRequestApproval.Name
+	if name == nil {
+		return nil, fmt.Errorf("certificateSigningRequestApproval.Name must be provided to Apply")
+	}
+	result = &v1beta1.CertificateSigningRequestApproval{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		Name(*name).
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *certificateSigningRequestApprovals) ApplyStatus(ctx context.Context, certificateSigningRequestApproval *hypershiftv1beta1.CertificateSigningRequestApprovalApplyConfiguration, opts v1.ApplyOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	if certificateSigningRequestApproval == nil {
+		return nil, fmt.Errorf("certificateSigningRequestApproval provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(certificateSigningRequestApproval)
+	if err != nil {
+		return nil, err
+	}
+
+	name := certificateSigningRequestApproval.Name
+	if name == nil {
+		return nil, fmt.Errorf("certificateSigningRequestApproval.Name must be provided to Apply")
+	}
+
+	result = &v1beta1.CertificateSigningRequestApproval{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("certificatesigningrequestapprovals").
+		Name(*name).
+		SubResource("status").
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/client/clientset/clientset/typed/hypershift/v1beta1/fake/fake_certificatesigningrequestapproval.go b/client/clientset/clientset/typed/hypershift/v1beta1/fake/fake_certificatesigningrequestapproval.go
new file mode 100644
index 0000000000..6d9e62e34d
--- /dev/null
+++ b/client/clientset/clientset/typed/hypershift/v1beta1/fake/fake_certificatesigningrequestapproval.go
@@ -0,0 +1,188 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+
+	v1beta1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+	hypershiftv1beta1 "github.com/openshift/hypershift/client/applyconfiguration/hypershift/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeCertificateSigningRequestApprovals implements CertificateSigningRequestApprovalInterface
+type FakeCertificateSigningRequestApprovals struct {
+	Fake *FakeHypershiftV1beta1
+	ns   string
+}
+
+var certificatesigningrequestapprovalsResource = v1beta1.SchemeGroupVersion.WithResource("certificatesigningrequestapprovals")
+
+var certificatesigningrequestapprovalsKind = v1beta1.SchemeGroupVersion.WithKind("CertificateSigningRequestApproval")
+
+// Get takes name of the certificateSigningRequestApproval, and returns the corresponding certificateSigningRequestApproval object, and an error if there is any.
+func (c *FakeCertificateSigningRequestApprovals) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(certificatesigningrequestapprovalsResource, c.ns, name), &v1beta1.CertificateSigningRequestApproval{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1beta1.CertificateSigningRequestApproval), err
+}
+
+// List takes label and field selectors, and returns the list of CertificateSigningRequestApprovals that match those selectors.
+func (c *FakeCertificateSigningRequestApprovals) List(ctx context.Context, opts v1.ListOptions) (result *v1beta1.CertificateSigningRequestApprovalList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(certificatesigningrequestapprovalsResource, certificatesigningrequestapprovalsKind, c.ns, opts), &v1beta1.CertificateSigningRequestApprovalList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1beta1.CertificateSigningRequestApprovalList{ListMeta: obj.(*v1beta1.CertificateSigningRequestApprovalList).ListMeta}
+	for _, item := range obj.(*v1beta1.CertificateSigningRequestApprovalList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested certificateSigningRequestApprovals.
+func (c *FakeCertificateSigningRequestApprovals) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(certificatesigningrequestapprovalsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a certificateSigningRequestApproval and creates it.  Returns the server's representation of the certificateSigningRequestApproval, and an error, if there is any.
+func (c *FakeCertificateSigningRequestApprovals) Create(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.CreateOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(certificatesigningrequestapprovalsResource, c.ns, certificateSigningRequestApproval), &v1beta1.CertificateSigningRequestApproval{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1beta1.CertificateSigningRequestApproval), err
+}
+
+// Update takes the representation of a certificateSigningRequestApproval and updates it. Returns the server's representation of the certificateSigningRequestApproval, and an error, if there is any.
+func (c *FakeCertificateSigningRequestApprovals) Update(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.UpdateOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(certificatesigningrequestapprovalsResource, c.ns, certificateSigningRequestApproval), &v1beta1.CertificateSigningRequestApproval{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1beta1.CertificateSigningRequestApproval), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeCertificateSigningRequestApprovals) UpdateStatus(ctx context.Context, certificateSigningRequestApproval *v1beta1.CertificateSigningRequestApproval, opts v1.UpdateOptions) (*v1beta1.CertificateSigningRequestApproval, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(certificatesigningrequestapprovalsResource, "status", c.ns, certificateSigningRequestApproval), &v1beta1.CertificateSigningRequestApproval{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1beta1.CertificateSigningRequestApproval), err
+}
+
+// Delete takes name of the certificateSigningRequestApproval and deletes it. Returns an error if one occurs.
+func (c *FakeCertificateSigningRequestApprovals) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteActionWithOptions(certificatesigningrequestapprovalsResource, c.ns, name, opts), &v1beta1.CertificateSigningRequestApproval{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCertificateSigningRequestApprovals) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(certificatesigningrequestapprovalsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1beta1.CertificateSigningRequestApprovalList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched certificateSigningRequestApproval.
+func (c *FakeCertificateSigningRequestApprovals) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(certificatesigningrequestapprovalsResource, c.ns, name, pt, data, subresources...), &v1beta1.CertificateSigningRequestApproval{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1beta1.CertificateSigningRequestApproval), err
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied certificateSigningRequestApproval.
+func (c *FakeCertificateSigningRequestApprovals) Apply(ctx context.Context, certificateSigningRequestApproval *hypershiftv1beta1.CertificateSigningRequestApprovalApplyConfiguration, opts v1.ApplyOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	if certificateSigningRequestApproval == nil {
+		return nil, fmt.Errorf("certificateSigningRequestApproval provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(certificateSigningRequestApproval)
+	if err != nil {
+		return nil, err
+	}
+	name := certificateSigningRequestApproval.Name
+	if name == nil {
+		return nil, fmt.Errorf("certificateSigningRequestApproval.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(certificatesigningrequestapprovalsResource, c.ns, *name, types.ApplyPatchType, data), &v1beta1.CertificateSigningRequestApproval{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1beta1.CertificateSigningRequestApproval), err
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *FakeCertificateSigningRequestApprovals) ApplyStatus(ctx context.Context, certificateSigningRequestApproval *hypershiftv1beta1.CertificateSigningRequestApprovalApplyConfiguration, opts v1.ApplyOptions) (result *v1beta1.CertificateSigningRequestApproval, err error) {
+	if certificateSigningRequestApproval == nil {
+		return nil, fmt.Errorf("certificateSigningRequestApproval provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(certificateSigningRequestApproval)
+	if err != nil {
+		return nil, err
+	}
+	name := certificateSigningRequestApproval.Name
+	if name == nil {
+		return nil, fmt.Errorf("certificateSigningRequestApproval.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(certificatesigningrequestapprovalsResource, c.ns, *name, types.ApplyPatchType, data, "status"), &v1beta1.CertificateSigningRequestApproval{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1beta1.CertificateSigningRequestApproval), err
+}
diff --git a/client/clientset/clientset/typed/hypershift/v1beta1/fake/fake_hypershift_client.go b/client/clientset/clientset/typed/hypershift/v1beta1/fake/fake_hypershift_client.go
index 6d0b9d23a2..c5d32a5901 100644
--- a/client/clientset/clientset/typed/hypershift/v1beta1/fake/fake_hypershift_client.go
+++ b/client/clientset/clientset/typed/hypershift/v1beta1/fake/fake_hypershift_client.go
@@ -27,6 +27,10 @@ type FakeHypershiftV1beta1 struct {
 	*testing.Fake
 }
 
+func (c *FakeHypershiftV1beta1) CertificateSigningRequestApprovals(namespace string) v1beta1.CertificateSigningRequestApprovalInterface {
+	return &FakeCertificateSigningRequestApprovals{c, namespace}
+}
+
 func (c *FakeHypershiftV1beta1) HostedClusters(namespace string) v1beta1.HostedClusterInterface {
 	return &FakeHostedClusters{c, namespace}
 }
diff --git a/client/clientset/clientset/typed/hypershift/v1beta1/generated_expansion.go b/client/clientset/clientset/typed/hypershift/v1beta1/generated_expansion.go
index 29c529638c..33cbdad7ac 100644
--- a/client/clientset/clientset/typed/hypershift/v1beta1/generated_expansion.go
+++ b/client/clientset/clientset/typed/hypershift/v1beta1/generated_expansion.go
@@ -17,6 +17,8 @@ limitations under the License.
 
 package v1beta1
 
+type CertificateSigningRequestApprovalExpansion interface{}
+
 type HostedClusterExpansion interface{}
 
 type HostedControlPlaneExpansion interface{}
diff --git a/client/clientset/clientset/typed/hypershift/v1beta1/hypershift_client.go b/client/clientset/clientset/typed/hypershift/v1beta1/hypershift_client.go
index dfcdaf022e..7ce2da0f94 100644
--- a/client/clientset/clientset/typed/hypershift/v1beta1/hypershift_client.go
+++ b/client/clientset/clientset/typed/hypershift/v1beta1/hypershift_client.go
@@ -27,6 +27,7 @@ import (
 
 type HypershiftV1beta1Interface interface {
 	RESTClient() rest.Interface
+	CertificateSigningRequestApprovalsGetter
 	HostedClustersGetter
 	HostedControlPlanesGetter
 	NodePoolsGetter
@@ -37,6 +38,10 @@ type HypershiftV1beta1Client struct {
 	restClient rest.Interface
 }
 
+func (c *HypershiftV1beta1Client) CertificateSigningRequestApprovals(namespace string) CertificateSigningRequestApprovalInterface {
+	return newCertificateSigningRequestApprovals(c, namespace)
+}
+
 func (c *HypershiftV1beta1Client) HostedClusters(namespace string) HostedClusterInterface {
 	return newHostedClusters(c, namespace)
 }
diff --git a/client/informers/externalversions/generic.go b/client/informers/externalversions/generic.go
index 4aac6fa7e6..9c7736e989 100644
--- a/client/informers/externalversions/generic.go
+++ b/client/informers/externalversions/generic.go
@@ -64,6 +64,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Hypershift().V1alpha1().NodePools().Informer()}, nil
 
 		// Group=hypershift.openshift.io, Version=v1beta1
+	case v1beta1.SchemeGroupVersion.WithResource("certificatesigningrequestapprovals"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Hypershift().V1beta1().CertificateSigningRequestApprovals().Informer()}, nil
 	case v1beta1.SchemeGroupVersion.WithResource("hostedclusters"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Hypershift().V1beta1().HostedClusters().Informer()}, nil
 	case v1beta1.SchemeGroupVersion.WithResource("hostedcontrolplanes"):
diff --git a/client/informers/externalversions/hypershift/v1beta1/certificatesigningrequestapproval.go b/client/informers/externalversions/hypershift/v1beta1/certificatesigningrequestapproval.go
new file mode 100644
index 0000000000..bd82a48460
--- /dev/null
+++ b/client/informers/externalversions/hypershift/v1beta1/certificatesigningrequestapproval.go
@@ -0,0 +1,89 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	"context"
+	time "time"
+
+	hypershiftv1beta1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+	clientset "github.com/openshift/hypershift/client/clientset/clientset"
+	internalinterfaces "github.com/openshift/hypershift/client/informers/externalversions/internalinterfaces"
+	v1beta1 "github.com/openshift/hypershift/client/listers/hypershift/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CertificateSigningRequestApprovalInformer provides access to a shared informer and lister for
+// CertificateSigningRequestApprovals.
+type CertificateSigningRequestApprovalInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1beta1.CertificateSigningRequestApprovalLister
+}
+
+type certificateSigningRequestApprovalInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewCertificateSigningRequestApprovalInformer constructs a new informer for CertificateSigningRequestApproval type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCertificateSigningRequestApprovalInformer(client clientset.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCertificateSigningRequestApprovalInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCertificateSigningRequestApprovalInformer constructs a new informer for CertificateSigningRequestApproval type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCertificateSigningRequestApprovalInformer(client clientset.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.HypershiftV1beta1().CertificateSigningRequestApprovals(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.HypershiftV1beta1().CertificateSigningRequestApprovals(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&hypershiftv1beta1.CertificateSigningRequestApproval{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *certificateSigningRequestApprovalInformer) defaultInformer(client clientset.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCertificateSigningRequestApprovalInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *certificateSigningRequestApprovalInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&hypershiftv1beta1.CertificateSigningRequestApproval{}, f.defaultInformer)
+}
+
+func (f *certificateSigningRequestApprovalInformer) Lister() v1beta1.CertificateSigningRequestApprovalLister {
+	return v1beta1.NewCertificateSigningRequestApprovalLister(f.Informer().GetIndexer())
+}
diff --git a/client/informers/externalversions/hypershift/v1beta1/interface.go b/client/informers/externalversions/hypershift/v1beta1/interface.go
index 098e82000f..9178b91e24 100644
--- a/client/informers/externalversions/hypershift/v1beta1/interface.go
+++ b/client/informers/externalversions/hypershift/v1beta1/interface.go
@@ -23,6 +23,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// CertificateSigningRequestApprovals returns a CertificateSigningRequestApprovalInformer.
+	CertificateSigningRequestApprovals() CertificateSigningRequestApprovalInformer
 	// HostedClusters returns a HostedClusterInformer.
 	HostedClusters() HostedClusterInformer
 	// HostedControlPlanes returns a HostedControlPlaneInformer.
@@ -42,6 +44,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// CertificateSigningRequestApprovals returns a CertificateSigningRequestApprovalInformer.
+func (v *version) CertificateSigningRequestApprovals() CertificateSigningRequestApprovalInformer {
+	return &certificateSigningRequestApprovalInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // HostedClusters returns a HostedClusterInformer.
 func (v *version) HostedClusters() HostedClusterInformer {
 	return &hostedClusterInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
diff --git a/client/listers/hypershift/v1beta1/certificatesigningrequestapproval.go b/client/listers/hypershift/v1beta1/certificatesigningrequestapproval.go
new file mode 100644
index 0000000000..2a1ca77486
--- /dev/null
+++ b/client/listers/hypershift/v1beta1/certificatesigningrequestapproval.go
@@ -0,0 +1,98 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	v1beta1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// CertificateSigningRequestApprovalLister helps list CertificateSigningRequestApprovals.
+// All objects returned here must be treated as read-only.
+type CertificateSigningRequestApprovalLister interface {
+	// List lists all CertificateSigningRequestApprovals in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1beta1.CertificateSigningRequestApproval, err error)
+	// CertificateSigningRequestApprovals returns an object that can list and get CertificateSigningRequestApprovals.
+	CertificateSigningRequestApprovals(namespace string) CertificateSigningRequestApprovalNamespaceLister
+	CertificateSigningRequestApprovalListerExpansion
+}
+
+// certificateSigningRequestApprovalLister implements the CertificateSigningRequestApprovalLister interface.
+type certificateSigningRequestApprovalLister struct {
+	indexer cache.Indexer
+}
+
+// NewCertificateSigningRequestApprovalLister returns a new CertificateSigningRequestApprovalLister.
+func NewCertificateSigningRequestApprovalLister(indexer cache.Indexer) CertificateSigningRequestApprovalLister {
+	return &certificateSigningRequestApprovalLister{indexer: indexer}
+}
+
+// List lists all CertificateSigningRequestApprovals in the indexer.
+func (s *certificateSigningRequestApprovalLister) List(selector labels.Selector) (ret []*v1beta1.CertificateSigningRequestApproval, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1beta1.CertificateSigningRequestApproval))
+	})
+	return ret, err
+}
+
+// CertificateSigningRequestApprovals returns an object that can list and get CertificateSigningRequestApprovals.
+func (s *certificateSigningRequestApprovalLister) CertificateSigningRequestApprovals(namespace string) CertificateSigningRequestApprovalNamespaceLister {
+	return certificateSigningRequestApprovalNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CertificateSigningRequestApprovalNamespaceLister helps list and get CertificateSigningRequestApprovals.
+// All objects returned here must be treated as read-only.
+type CertificateSigningRequestApprovalNamespaceLister interface {
+	// List lists all CertificateSigningRequestApprovals in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1beta1.CertificateSigningRequestApproval, err error)
+	// Get retrieves the CertificateSigningRequestApproval from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1beta1.CertificateSigningRequestApproval, error)
+	CertificateSigningRequestApprovalNamespaceListerExpansion
+}
+
+// certificateSigningRequestApprovalNamespaceLister implements the CertificateSigningRequestApprovalNamespaceLister
+// interface.
+type certificateSigningRequestApprovalNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all CertificateSigningRequestApprovals in the indexer for a given namespace.
+func (s certificateSigningRequestApprovalNamespaceLister) List(selector labels.Selector) (ret []*v1beta1.CertificateSigningRequestApproval, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1beta1.CertificateSigningRequestApproval))
+	})
+	return ret, err
+}
+
+// Get retrieves the CertificateSigningRequestApproval from the indexer for a given namespace and name.
+func (s certificateSigningRequestApprovalNamespaceLister) Get(name string) (*v1beta1.CertificateSigningRequestApproval, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1beta1.Resource("certificatesigningrequestapproval"), name)
+	}
+	return obj.(*v1beta1.CertificateSigningRequestApproval), nil
+}
diff --git a/client/listers/hypershift/v1beta1/expansion_generated.go b/client/listers/hypershift/v1beta1/expansion_generated.go
index 41f055a9c4..06d27550ca 100644
--- a/client/listers/hypershift/v1beta1/expansion_generated.go
+++ b/client/listers/hypershift/v1beta1/expansion_generated.go
@@ -17,6 +17,14 @@ limitations under the License.
 
 package v1beta1
 
+// CertificateSigningRequestApprovalListerExpansion allows custom methods to be added to
+// CertificateSigningRequestApprovalLister.
+type CertificateSigningRequestApprovalListerExpansion interface{}
+
+// CertificateSigningRequestApprovalNamespaceListerExpansion allows custom methods to be added to
+// CertificateSigningRequestApprovalNamespaceLister.
+type CertificateSigningRequestApprovalNamespaceListerExpansion interface{}
+
 // HostedClusterListerExpansion allows custom methods to be added to
 // HostedClusterLister.
 type HostedClusterListerExpansion interface{}
diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_certificatesigningrequestapprovals.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_certificatesigningrequestapprovals.yaml
new file mode 100644
index 0000000000..4bd1d3f47d
--- /dev/null
+++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_certificatesigningrequestapprovals.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: certificatesigningrequestapprovals.hypershift.openshift.io
+spec:
+  group: hypershift.openshift.io
+  names:
+    kind: CertificateSigningRequestApproval
+    listKind: CertificateSigningRequestApprovalList
+    plural: certificatesigningrequestapprovals
+    shortNames:
+    - csra
+    - csras
+    singular: certificatesigningrequestapproval
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: CertificateSigningRequestApproval defines the desired state of
+          CertificateSigningRequestApproval
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: CertificateSigningRequestApprovalSpec defines the desired
+              state of CertificateSigningRequestApproval
+            type: object
+          status:
+            description: CertificateSigningRequestApprovalStatus defines the observed
+              state of CertificateSigningRequestApproval
+            type: object
+        type: object
+    served: true
+    storage: true
diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md
index 362d689b74..80459e2a63 100644
--- a/docs/content/reference/api.md
+++ b/docs/content/reference/api.md
@@ -21,6 +21,79 @@ OpenShift clusters at scale.</p>
 worker nodes and their kubelets, and the infrastructure on which they run). This
 enables &ldquo;hosted control plane as a service&rdquo; use cases.</p>
 </p>
+##CertificateSigningRequestApproval { #hypershift.openshift.io/v1beta1.CertificateSigningRequestApproval }
+<p>
+<p>CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code></br>
+string</td>
+<td>
+<code>
+hypershift.openshift.io/v1beta1
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code></br>
+string
+</td>
+<td><code>CertificateSigningRequestApproval</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code></br>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code></br>
+<em>
+<a href="#hypershift.openshift.io/v1beta1.CertificateSigningRequestApprovalSpec">
+CertificateSigningRequestApprovalSpec
+</a>
+</em>
+</td>
+<td>
+<br/>
+<br/>
+<table>
+</table>
+</td>
+</tr>
+<tr>
+<td>
+<code>status</code></br>
+<em>
+<a href="#hypershift.openshift.io/v1beta1.CertificateSigningRequestApprovalStatus">
+CertificateSigningRequestApprovalStatus
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
 ##HostedCluster { #hypershift.openshift.io/v1beta1.HostedCluster }
 <p>
 <p>HostedCluster is the primary representation of a HyperShift cluster and encapsulates
@@ -2394,6 +2467,22 @@ string
 </p>
 <p>
 </p>
+###CertificateSigningRequestApprovalSpec { #hypershift.openshift.io/v1beta1.CertificateSigningRequestApprovalSpec }
+<p>
+(<em>Appears on:</em>
+<a href="#hypershift.openshift.io/v1beta1.CertificateSigningRequestApproval">CertificateSigningRequestApproval</a>)
+</p>
+<p>
+<p>CertificateSigningRequestApprovalSpec defines the desired state of CertificateSigningRequestApproval</p>
+</p>
+###CertificateSigningRequestApprovalStatus { #hypershift.openshift.io/v1beta1.CertificateSigningRequestApprovalStatus }
+<p>
+(<em>Appears on:</em>
+<a href="#hypershift.openshift.io/v1beta1.CertificateSigningRequestApproval">CertificateSigningRequestApproval</a>)
+</p>
+<p>
+<p>CertificateSigningRequestApprovalStatus defines the observed state of CertificateSigningRequestApproval</p>
+</p>
 ###ClusterAutoscaling { #hypershift.openshift.io/v1beta1.ClusterAutoscaling }
 <p>
 (<em>Appears on:</em>
diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml
index 69841402b2..db17905c1f 100644
--- a/hack/app-sre/saas_template.yaml
+++ b/hack/app-sre/saas_template.yaml
@@ -37068,6 +37068,73 @@ objects:
       plural: ""
     conditions: null
     storedVersions: null
+- apiVersion: apiextensions.k8s.io/v1
+  kind: CustomResourceDefinition
+  metadata:
+    annotations:
+      service.beta.openshift.io/inject-cabundle: "true"
+    creationTimestamp: null
+    name: certificatesigningrequestapprovals.hypershift.openshift.io
+  spec:
+    conversion:
+      strategy: Webhook
+      webhook:
+        clientConfig:
+          service:
+            name: operator
+            namespace: ${NAMESPACE}
+            path: /convert
+            port: 443
+        conversionReviewVersions:
+        - v1beta1
+        - v1alpha1
+    group: hypershift.openshift.io
+    names:
+      kind: CertificateSigningRequestApproval
+      listKind: CertificateSigningRequestApprovalList
+      plural: certificatesigningrequestapprovals
+      shortNames:
+      - csra
+      - csras
+      singular: certificatesigningrequestapproval
+    scope: Namespaced
+    versions:
+    - name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description: CertificateSigningRequestApproval defines the desired state
+            of CertificateSigningRequestApproval
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource
+                this object represents. Servers may infer this from the endpoint the
+                client submits requests to. Cannot be updated. In CamelCase. More
+                info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: CertificateSigningRequestApprovalSpec defines the desired
+                state of CertificateSigningRequestApproval
+              type: object
+            status:
+              description: CertificateSigningRequestApprovalStatus defines the observed
+                state of CertificateSigningRequestApproval
+              type: object
+          type: object
+      served: true
+      storage: true
+  status:
+    acceptedNames:
+      kind: ""
+      plural: ""
+    conditions: null
+    storedVersions: null
 - apiVersion: apiextensions.k8s.io/v1
   kind: CustomResourceDefinition
   metadata: