Replace csr 'accepted' field with '{server,client}_accepted' fields and wait for server and client requests to be approved.

roles/lib_openshift/library/oc_adm_csr.py

@@ -1507,11 +1507,13 @@ class OCcsr(OpenShiftCLI):
         results = self._get(resource='nodes')['results'][0]['items']
 
         for node in nodes:
-            nodes_list.append(dict(name=node, csrs={}, accepted=False, denied=False))
+            nodes_list.append(dict(name=node, csrs={}, server_accepted=False, client_accepted=False, denied=False))
 
+            # Nodes that we were able to retrieve via "oc get nodes" are approved so mark them approved.
             for ocnode in results:
                 if node in ocnode['metadata']['name']:
-                    nodes_list[-1]['accepted'] = True
+                    nodes_list[-1]['server_accepted'] = True
+                    nodes_list[-1]['client_accepted'] = True
 
         return nodes_list
 
@@ -1554,23 +1556,25 @@ class OCcsr(OpenShiftCLI):
             if node['name'] in self.get_csr_request(csr['spec']['request']):
                 node['csrs'][csr['metadata']['name']] = csr
 
-                # check that the username is the node and type is 'Approved'
+                # server: check that the username is the node and type is 'Approved'
                 if node['name'] in csr['spec']['username'] and csr['status']:
                     if csr['status']['conditions'][0]['type'] == 'Approved':
-                        node['accepted'] = True
+                        node['server_accepted'] = True
+                # client: check that the username is not the node and type is 'Approved'
+                if node['name'] not in csr['spec']['username'] and csr['status']:
+                    if csr['status']['conditions'][0]['type'] == 'Approved':
+                        node['client_accepted'] = True
                 # check type is 'Denied' and mark node as such
                 if csr['status'] and csr['status']['conditions'][0]['type'] == 'Denied':
                     node['denied'] = True
-
                 return node
-
         return None
 
     def finished(self):
         '''determine if there are more csrs to sign'''
         # if nodes is set and we have nodes then return if all nodes are 'accepted'
         if self.nodes is not None and len(self.nodes) > 0:
-            return all([node['accepted'] or node['denied'] for node in self.nodes])
+            return all([(node['server_accepted'] and node['client_accepted']) or node['denied'] for node in self.nodes])
 
         # we are approving everything or we still have nodes outstanding
         return False
@@ -1594,7 +1598,7 @@ class OCcsr(OpenShiftCLI):
         for csr in self.csrs:
             node = self.match_node(csr)
             # oc adm certificate <approve|deny> csr
-            # there are 3 known states: Denied, Aprroved, {}
+            # there are 3 known states: Denied, Approved, {}
             # verify something is needed by OCcsr.action_needed
             # if approve_all, then do it
             # if you passed in nodes, you must have a node that matches
@@ -1607,9 +1611,13 @@ class OCcsr(OpenShiftCLI):
                     if node and csr['metadata']['name'] not in node['csrs']:
                         node['csrs'][csr['metadata']['name']] = csr
 
-                        # accept node in cluster
-                        if node['name'] in csr['spec']['username']:
-                            node['accepted'] = True
+                    # mark node as accepted in our list of nodes
+                    # we will use {client,server}_accepted fields to determine if we're finished
+                    if node['name'] not in csr['spec']['username']:
+                        node['client_accepted'] = True
+
+                    if node['name'] in csr['spec']['username']:
+                        node['server_accepted'] = True
 
                 results.append(result)
 

roles/lib_openshift/src/class/oc_adm_csr.py

@@ -38,11 +38,13 @@ class OCcsr(OpenShiftCLI):
         results = self._get(resource='nodes')['results'][0]['items']
 
         for node in nodes:
-            nodes_list.append(dict(name=node, csrs={}, accepted=False, denied=False))
+            nodes_list.append(dict(name=node, csrs={}, server_accepted=False, client_accepted=False, denied=False))
 
+            # Nodes that we were able to retrieve via "oc get nodes" are approved so mark them approved.
             for ocnode in results:
                 if node in ocnode['metadata']['name']:
-                    nodes_list[-1]['accepted'] = True
+                    nodes_list[-1]['server_accepted'] = True
+                    nodes_list[-1]['client_accepted'] = True
 
         return nodes_list
 
@@ -85,23 +87,25 @@ class OCcsr(OpenShiftCLI):
             if node['name'] in self.get_csr_request(csr['spec']['request']):
                 node['csrs'][csr['metadata']['name']] = csr
 
-                # check that the username is the node and type is 'Approved'
+                # server: check that the username is the node and type is 'Approved'
                 if node['name'] in csr['spec']['username'] and csr['status']:
                     if csr['status']['conditions'][0]['type'] == 'Approved':
-                        node['accepted'] = True
+                        node['server_accepted'] = True
+                # client: check that the username is not the node and type is 'Approved'
+                if node['name'] not in csr['spec']['username'] and csr['status']:
+                    if csr['status']['conditions'][0]['type'] == 'Approved':
+                        node['client_accepted'] = True
                 # check type is 'Denied' and mark node as such
                 if csr['status'] and csr['status']['conditions'][0]['type'] == 'Denied':
                     node['denied'] = True
-
                 return node
-
         return None
 
     def finished(self):
         '''determine if there are more csrs to sign'''
         # if nodes is set and we have nodes then return if all nodes are 'accepted'
         if self.nodes is not None and len(self.nodes) > 0:
-            return all([node['accepted'] or node['denied'] for node in self.nodes])
+            return all([(node['server_accepted'] and node['client_accepted']) or node['denied'] for node in self.nodes])
 
         # we are approving everything or we still have nodes outstanding
         return False
@@ -125,7 +129,7 @@ class OCcsr(OpenShiftCLI):
         for csr in self.csrs:
             node = self.match_node(csr)
             # oc adm certificate <approve|deny> csr
-            # there are 3 known states: Denied, Aprroved, {}
+            # there are 3 known states: Denied, Approved, {}
             # verify something is needed by OCcsr.action_needed
             # if approve_all, then do it
             # if you passed in nodes, you must have a node that matches
@@ -138,9 +142,13 @@ class OCcsr(OpenShiftCLI):
                     if node and csr['metadata']['name'] not in node['csrs']:
                         node['csrs'][csr['metadata']['name']] = csr
 
-                        # accept node in cluster
-                        if node['name'] in csr['spec']['username']:
-                            node['accepted'] = True
+                    # mark node as accepted in our list of nodes
+                    # we will use {client,server}_accepted fields to determine if we're finished
+                    if node['name'] not in csr['spec']['username']:
+                        node['client_accepted'] = True
+
+                    if node['name'] in csr['spec']['username']:
+                        node['server_accepted'] = True
 
                 results.append(result)