Merge pull request #9079 from sdodson/fix-oc-adm-csr

Accept client certs from node, system:admin, and bootstrap SA

roles/lib_openshift/library/oc_adm_csr.py

@@ -1558,13 +1558,14 @@ class OCcsr(OpenShiftCLI):
             if node['name'] in self.get_csr_request(csr['spec']['request']):
                 node['csrs'][csr['metadata']['name']] = csr
 
-                # server: check that the username is the node and type is 'Approved'
-                if node['name'] in csr['spec']['username'] and csr['status']:
-                    if csr['status']['conditions'][0]['type'] == 'Approved':
+                # client certs may come in as either the service_account or as the node during upgrade
+                # server certs always come in as the node
+                if ((node['name'] in csr['spec']['username'] or
+                     csr['spec']['username'] in [self.service_account, 'system:admin']) and
+                        csr['status'] and csr['status']['conditions'][0]['type'] == 'Approved'):
+                    if 'server auth' in csr['spec']['usages']:
                         node['server_accepted'] = True
-                # client: check that the username is not the node and type is 'Approved'
-                if node['name'] not in csr['spec']['username'] and csr['status']:
-                    if csr['status']['conditions'][0]['type'] == 'Approved':
+                    if 'client auth' in csr['spec']['usages']:
                         node['client_accepted'] = True
                 # check type is 'Denied' and mark node as such
                 if csr['status'] and csr['status']['conditions'][0]['type'] == 'Denied':
@@ -1615,11 +1616,12 @@ class OCcsr(OpenShiftCLI):
 
                     # mark node as accepted in our list of nodes
                     # we will use {client,server}_accepted fields to determine if we're finished
-                    if node['name'] not in csr['spec']['username']:
-                        node['client_accepted'] = True
-
-                    if node['name'] in csr['spec']['username']:
-                        node['server_accepted'] = True
+                    if (node['name'] in csr['spec']['username'] or
+                            csr['spec']['username'] in [self.service_account, 'system:admin']):
+                        if 'server auth' in csr['spec']['usages']:
+                            node['server_accepted'] = True
+                        if 'client auth' in csr['spec']['usages']:
+                            node['client_accepted'] = True
 
                 results.append(result)
 
@@ -1705,7 +1707,7 @@ def main():
             nodes=dict(default=None, type='list'),
             timeout=dict(default=30, type='int'),
             approve_all=dict(default=False, type='bool'),
-            service_account=dict(default='node-bootstrapper', type='str'),
+            service_account=dict(default='system:serviceaccount:openshift-infra:node-bootstrapper', type='str'),
             fail_on_timeout=dict(default=False, type='bool'),
         ),
         supports_check_mode=True,

roles/lib_openshift/src/ansible/oc_adm_csr.py

@@ -15,7 +15,7 @@ def main():
             nodes=dict(default=None, type='list'),
             timeout=dict(default=30, type='int'),
             approve_all=dict(default=False, type='bool'),
-            service_account=dict(default='node-bootstrapper', type='str'),
+            service_account=dict(default='system:serviceaccount:openshift-infra:node-bootstrapper', type='str'),
             fail_on_timeout=dict(default=False, type='bool'),
         ),
         supports_check_mode=True,

roles/lib_openshift/src/class/oc_adm_csr.py

@@ -89,13 +89,14 @@ class OCcsr(OpenShiftCLI):
             if node['name'] in self.get_csr_request(csr['spec']['request']):
                 node['csrs'][csr['metadata']['name']] = csr
 
-                # server: check that the username is the node and type is 'Approved'
-                if node['name'] in csr['spec']['username'] and csr['status']:
-                    if csr['status']['conditions'][0]['type'] == 'Approved':
+                # client certs may come in as either the service_account or as the node during upgrade
+                # server certs always come in as the node
+                if ((node['name'] in csr['spec']['username'] or
+                     csr['spec']['username'] in [self.service_account, 'system:admin']) and
+                        csr['status'] and csr['status']['conditions'][0]['type'] == 'Approved'):
+                    if 'server auth' in csr['spec']['usages']:
                         node['server_accepted'] = True
-                # client: check that the username is not the node and type is 'Approved'
-                if node['name'] not in csr['spec']['username'] and csr['status']:
-                    if csr['status']['conditions'][0]['type'] == 'Approved':
+                    if 'client auth' in csr['spec']['usages']:
                         node['client_accepted'] = True
                 # check type is 'Denied' and mark node as such
                 if csr['status'] and csr['status']['conditions'][0]['type'] == 'Denied':
@@ -146,11 +147,12 @@ class OCcsr(OpenShiftCLI):
 
                     # mark node as accepted in our list of nodes
                     # we will use {client,server}_accepted fields to determine if we're finished
-                    if node['name'] not in csr['spec']['username']:
-                        node['client_accepted'] = True
-
-                    if node['name'] in csr['spec']['username']:
-                        node['server_accepted'] = True
+                    if (node['name'] in csr['spec']['username'] or
+                            csr['spec']['username'] in [self.service_account, 'system:admin']):
+                        if 'server auth' in csr['spec']['usages']:
+                            node['server_accepted'] = True
+                        if 'client auth' in csr['spec']['usages']:
+                            node['client_accepted'] = True
 
                 results.append(result)