From 78199c3bc3a7dfed6c7fef105a670fcc1d762d93 Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Sat, 29 Nov 2025 01:40:17 +0800
Subject: [PATCH] Refactor: check csr request is separated from check network
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
tests/testcases/025_check-csr-request.yml | 48 +++++++++++++++++++++++
tests/testcases/030_check-network.yml | 48 -----------------------
tests/testcases/tests.yml | 2 +
3 files changed, 50 insertions(+), 48 deletions(-)
create mode 100644 tests/testcases/025_check-csr-request.yml
diff --git a/tests/testcases/025_check-csr-request.yml b/tests/testcases/025_check-csr-request.yml
new file mode 100644
index 000000000..f5cae20a0
--- /dev/null
+++ b/tests/testcases/025_check-csr-request.yml
@@ -0,0 +1,48 @@
+---
+- name: Check kubelet serving certificates approved with kubelet_csr_approver
+ when:
+ - kubelet_rotate_server_certificates | default(false)
+ - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
+ vars:
+ csrs: "{{ csr_json.stdout | from_json }}"
+ block:
+
+ - name: Get certificate signing requests
+ command: "{{ bin_dir }}/kubectl get csr -o jsonpath-as-json={.items[*]}"
+ register: csr_json
+ changed_when: false
+
+ - name: Check there are csrs
+ assert:
+ that: csrs | length > 0
+ fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
+
+ - name: Check there are Denied/Pending csrs
+ assert:
+ that:
+ - csrs | rejectattr('status') | length == 0 # Pending == no status
+ - csrs | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0 # Denied
+
+ fail_msg: kubelet_csr_approver is enabled but CSRs are not approved
+
+- name: Approve kubelet serving certificates
+ when:
+ - kubelet_rotate_server_certificates | default(false)
+ - not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)))
+ block:
+
+ - name: Get certificate signing requests
+ command: "{{ bin_dir }}/kubectl get csr -o name"
+ register: get_csr
+ changed_when: false
+
+ - name: Check there are csrs
+ assert:
+ that: get_csr.stdout_lines | length > 0
+ fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
+
+ - name: Approve certificates
+ command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}"
+ register: certificate_approve
+ when: get_csr.stdout_lines | length > 0
+ changed_when: certificate_approve.stdout
diff --git a/tests/testcases/030_check-network.yml b/tests/testcases/030_check-network.yml
index 28d869efc..a0b0a5c99 100644
--- a/tests/testcases/030_check-network.yml
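Review bot: The `Approve certificates` task in the second block passes every name returned by `kubectl get csr -o name` to `kubectl certificate approve`, with no filter on signer, requestor or requested SANs, so this fallback path approves whatever is pending rather than only kubelet serving requests. Since the code now lives in its own file, consider narrowing the listing to the kubelet-serving signer, e.g. `command: "{{ bin_dir }}/kubectl get csr --field-selector spec.signerName=kubernetes.io/kubelet-serving -o name"`, and add a comment above the block such as `# Test-only: approves CSRs without validating requestor or SANs; do not reuse outside CI`. The same missing signer filter means the `Check there are Denied/Pending csrs` assert in the first block will also fail on an unrelated pending CSR.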
+++ b/tests/testcases/030_check-network.yml
@@ -1,52 +1,4 @@
 ---
-- name: Check kubelet serving certificates approved with kubelet_csr_approver
- when:
- - kubelet_rotate_server_certificates | default(false)
- - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
- vars:
- csrs: "{{ csr_json.stdout | from_json }}"
- block:
-
- - name: Get certificate signing requests
- command: "{{ bin_dir }}/kubectl get csr -o jsonpath-as-json={.items[*]}"
- register: csr_json
- changed_when: false
-
- - name: Check there are csrs
- assert:
- that: csrs | length > 0
- fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
-
- - name: Check there are Denied/Pending csrs
- assert:
- that:
- - csrs | rejectattr('status') | length == 0 # Pending == no status
- - csrs | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0 # Denied
-
- fail_msg: kubelet_csr_approver is enabled but CSRs are not approved
-
-- name: Approve kubelet serving certificates
- when:
- - kubelet_rotate_server_certificates | default(false)
- - not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)))
- block:
-
- - name: Get certificate signing requests
- command: "{{ bin_dir }}/kubectl get csr -o name"
- register: get_csr
- changed_when: false
-
- - name: Check there are csrs
- assert:
- that: get_csr.stdout_lines | length > 0
- fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
-
- - name: Approve certificates
- command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}"
- register: certificate_approve
- when: get_csr.stdout_lines | length > 0
- changed_when: certificate_approve.stdout
-
 - name: Create test namespace
 command: "{{ bin_dir }}/kubectl create namespace test"
 changed_when: false
diff --git a/tests/testcases/tests.yml b/tests/testcases/tests.yml
index 236de0033..04480e25e 100644
--- a/tests/testcases/tests.yml
+++ b/tests/testcases/tests.yml
@@ -24,6 +24,8 @@
 - name: Testcases checking pods
 import_tasks: 020_check-pods-running.yml
 when: ('macvlan' not in testcase)
+ - name: Checking CSR approver
+ import_tasks: 025_check-csr-request.yml
 - name: Testcases for network
 import_tasks: 030_check-network.yml
 when: ('macvlan' not in testcase)
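Review bot: The new `Checking CSR approver` import carries no `when:`, while its neighbours are gated on `('macvlan' not in testcase)`; before this commit the same tasks sat at the top of `030_check-network.yml` and so inherited that gate. If running the CSR checks for macvlan testcases is intended, say so in the commit message; otherwise keep the old behaviour by adding `when: ('macvlan' not in testcase)` under the new `import_tasks`. The task list continues outside the hunk.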