Unverified Commit 61cddc9a authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #61971 from smarterclayton/force_approve

Automatic merge from submit-queue (batch tested with PRs 59533, 61971). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Make certificate approve/deny no-op if CSR is already approved Approval for CSRs is only needed once. If the CSR is already approved or denied we can skip updating it. Add a `--force` flag that allows the existing behavior for when a user has a specific need to update the CSR. This is backwards compatible with the intended use of the conditions, although it's possible some users are depending on the status being updated. It makes bulk approval as an admin much faster for scripting. @kubernetes/sig-auth-pr-reviews ```release-note `kubectl certificate approve|deny` will not modify an already approved or denied CSR unless the `--force` flag is provided. ```
parents 2cd555e3 c7b37767
...@@ -87,17 +87,18 @@ func NewCmdCertificateApprove(f cmdutil.Factory, out io.Writer) *cobra.Command { ...@@ -87,17 +87,18 @@ func NewCmdCertificateApprove(f cmdutil.Factory, out io.Writer) *cobra.Command {
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
cmdutil.CheckErr(options.Complete(cmd, args)) cmdutil.CheckErr(options.Complete(cmd, args))
cmdutil.CheckErr(options.Validate()) cmdutil.CheckErr(options.Validate())
cmdutil.CheckErr(options.RunCertificateApprove(f, out)) cmdutil.CheckErr(options.RunCertificateApprove(f, out, cmdutil.GetFlagBool(cmd, "force")))
}, },
} }
cmd.Flags().Bool("force", false, "Update the CSR even if it is already approved.")
cmdutil.AddOutputFlagsForMutation(cmd) cmdutil.AddOutputFlagsForMutation(cmd)
cmdutil.AddFilenameOptionFlags(cmd, &options.FilenameOptions, "identifying the resource to update") cmdutil.AddFilenameOptionFlags(cmd, &options.FilenameOptions, "identifying the resource to update")
return cmd return cmd
} }
func (options *CertificateOptions) RunCertificateApprove(f cmdutil.Factory, out io.Writer) error { func (options *CertificateOptions) RunCertificateApprove(f cmdutil.Factory, out io.Writer, force bool) error {
return options.modifyCertificateCondition(f, out, func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, string) { return options.modifyCertificateCondition(f, out, force, func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, bool, string) {
var alreadyApproved bool var alreadyApproved bool
for _, c := range csr.Status.Conditions { for _, c := range csr.Status.Conditions {
if c.Type == certificates.CertificateApproved { if c.Type == certificates.CertificateApproved {
...@@ -105,7 +106,7 @@ func (options *CertificateOptions) RunCertificateApprove(f cmdutil.Factory, out ...@@ -105,7 +106,7 @@ func (options *CertificateOptions) RunCertificateApprove(f cmdutil.Factory, out
} }
} }
if alreadyApproved { if alreadyApproved {
return csr, "approved" return csr, true, "approved"
} }
csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{ csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
Type: certificates.CertificateApproved, Type: certificates.CertificateApproved,
...@@ -113,7 +114,7 @@ func (options *CertificateOptions) RunCertificateApprove(f cmdutil.Factory, out ...@@ -113,7 +114,7 @@ func (options *CertificateOptions) RunCertificateApprove(f cmdutil.Factory, out
Message: "This CSR was approved by kubectl certificate approve.", Message: "This CSR was approved by kubectl certificate approve.",
LastUpdateTime: metav1.Now(), LastUpdateTime: metav1.Now(),
}) })
return csr, "approved" return csr, false, "approved"
}) })
} }
...@@ -133,17 +134,18 @@ func NewCmdCertificateDeny(f cmdutil.Factory, out io.Writer) *cobra.Command { ...@@ -133,17 +134,18 @@ func NewCmdCertificateDeny(f cmdutil.Factory, out io.Writer) *cobra.Command {
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
cmdutil.CheckErr(options.Complete(cmd, args)) cmdutil.CheckErr(options.Complete(cmd, args))
cmdutil.CheckErr(options.Validate()) cmdutil.CheckErr(options.Validate())
cmdutil.CheckErr(options.RunCertificateDeny(f, out)) cmdutil.CheckErr(options.RunCertificateDeny(f, out, cmdutil.GetFlagBool(cmd, "force")))
}, },
} }
cmd.Flags().Bool("force", false, "Update the CSR even if it is already denied.")
cmdutil.AddOutputFlagsForMutation(cmd) cmdutil.AddOutputFlagsForMutation(cmd)
cmdutil.AddFilenameOptionFlags(cmd, &options.FilenameOptions, "identifying the resource to update") cmdutil.AddFilenameOptionFlags(cmd, &options.FilenameOptions, "identifying the resource to update")
return cmd return cmd
} }
func (options *CertificateOptions) RunCertificateDeny(f cmdutil.Factory, out io.Writer) error { func (options *CertificateOptions) RunCertificateDeny(f cmdutil.Factory, out io.Writer, force bool) error {
return options.modifyCertificateCondition(f, out, func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, string) { return options.modifyCertificateCondition(f, out, force, func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, bool, string) {
var alreadyDenied bool var alreadyDenied bool
for _, c := range csr.Status.Conditions { for _, c := range csr.Status.Conditions {
if c.Type == certificates.CertificateDenied { if c.Type == certificates.CertificateDenied {
...@@ -151,7 +153,7 @@ func (options *CertificateOptions) RunCertificateDeny(f cmdutil.Factory, out io. ...@@ -151,7 +153,7 @@ func (options *CertificateOptions) RunCertificateDeny(f cmdutil.Factory, out io.
} }
} }
if alreadyDenied { if alreadyDenied {
return csr, "denied" return csr, true, "denied"
} }
csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{ csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
Type: certificates.CertificateDenied, Type: certificates.CertificateDenied,
...@@ -159,11 +161,11 @@ func (options *CertificateOptions) RunCertificateDeny(f cmdutil.Factory, out io. ...@@ -159,11 +161,11 @@ func (options *CertificateOptions) RunCertificateDeny(f cmdutil.Factory, out io.
Message: "This CSR was approved by kubectl certificate deny.", Message: "This CSR was approved by kubectl certificate deny.",
LastUpdateTime: metav1.Now(), LastUpdateTime: metav1.Now(),
}) })
return csr, "denied" return csr, false, "denied"
}) })
} }
func (options *CertificateOptions) modifyCertificateCondition(f cmdutil.Factory, out io.Writer, modify func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, string)) error { func (options *CertificateOptions) modifyCertificateCondition(f cmdutil.Factory, out io.Writer, force bool, modify func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, bool, string)) error {
var found int var found int
c, err := f.ClientSet() c, err := f.ClientSet()
if err != nil { if err != nil {
...@@ -183,12 +185,14 @@ func (options *CertificateOptions) modifyCertificateCondition(f cmdutil.Factory, ...@@ -183,12 +185,14 @@ func (options *CertificateOptions) modifyCertificateCondition(f cmdutil.Factory,
return err return err
} }
csr := info.Object.(*certificates.CertificateSigningRequest) csr := info.Object.(*certificates.CertificateSigningRequest)
csr, verb := modify(csr) csr, hasCondition, verb := modify(csr)
csr, err = c.Certificates(). if !hasCondition || force {
CertificateSigningRequests(). csr, err = c.Certificates().
UpdateApproval(csr) CertificateSigningRequests().
if err != nil { UpdateApproval(csr)
return err if err != nil {
return err
}
} }
found++ found++
cmdutil.PrintSuccess(options.outputStyle == "name", out, info.Object, false, verb) cmdutil.PrintSuccess(options.outputStyle == "name", out, info.Object, false, verb)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment