Refactor: check csr request is separated from check network

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
2026-02-28 08:18:44 -03:30 · 2025-11-29 01:40:17 +08:00
parent 3e42b84e94
commit 78199c3bc3
3 changed files with 50 additions and 48 deletions
--- a/tests/testcases/025_check-csr-request.yml
+++ b/tests/testcases/025_check-csr-request.yml
@@ -0,0 +1,48 @@
+---
+- name: Check kubelet serving certificates approved with kubelet_csr_approver
+  when:
+  - kubelet_rotate_server_certificates | default(false)
+  - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
+  vars:
+    csrs: "{{ csr_json.stdout | from_json }}"
+  block:
+
+  - name: Get certificate signing requests
+    command: "{{ bin_dir }}/kubectl get csr -o jsonpath-as-json={.items[*]}"
+    register: csr_json
+    changed_when: false
+
+  - name: Check there are csrs
+    assert:
+      that: csrs | length > 0
+      fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
+
+  - name: Check there are Denied/Pending csrs
+    assert:
+      that:
+      - csrs | rejectattr('status') | length == 0 # Pending == no status
+      - csrs | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0 # Denied
+
+      fail_msg: kubelet_csr_approver is enabled but CSRs are not approved
+
+- name: Approve kubelet serving certificates
+  when:
+  - kubelet_rotate_server_certificates | default(false)
+  - not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)))
+  block:
+
+  - name: Get certificate signing requests
+    command: "{{ bin_dir }}/kubectl get csr -o name"
+    register: get_csr
+    changed_when: false
+
+  - name: Check there are csrs
+    assert:
+      that: get_csr.stdout_lines | length > 0
+      fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
+
+  - name: Approve certificates
+    command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}"
+    register: certificate_approve
+    when: get_csr.stdout_lines | length > 0
+    changed_when: certificate_approve.stdout
--- a/tests/testcases/030_check-network.yml
+++ b/tests/testcases/030_check-network.yml
@@ -1,52 +1,4 @@
 ---
- name: Check kubelet serving certificates approved with kubelet_csr_approver
-  when:
-  - kubelet_rotate_server_certificates | default(false)
-  - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
-  vars:
-    csrs: "{{ csr_json.stdout | from_json }}"
-  block:
-
-  - name: Get certificate signing requests
-    command: "{{ bin_dir }}/kubectl get csr -o jsonpath-as-json={.items[*]}"
-    register: csr_json
-    changed_when: false
-
-  - name: Check there are csrs
-    assert:
-      that: csrs | length > 0
-      fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
-
-  - name: Check there are Denied/Pending csrs
-    assert:
-      that:
-      - csrs | rejectattr('status') | length == 0 # Pending == no status
-      - csrs | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0 # Denied
-
-      fail_msg: kubelet_csr_approver is enabled but CSRs are not approved
-
- name: Approve kubelet serving certificates
-  when:
-  - kubelet_rotate_server_certificates | default(false)
-  - not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)))
-  block:
-
-  - name: Get certificate signing requests
-    command: "{{ bin_dir }}/kubectl get csr -o name"
-    register: get_csr
-    changed_when: false
-
-  - name: Check there are csrs
-    assert:
-      that: get_csr.stdout_lines | length > 0
-      fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
-
-  - name: Approve certificates
-    command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}"
-    register: certificate_approve
-    when: get_csr.stdout_lines | length > 0
-    changed_when: certificate_approve.stdout
-
 - name: Create test namespace
  command: "{{ bin_dir }}/kubectl create namespace test"
  changed_when: false
--- a/tests/testcases/tests.yml
+++ b/tests/testcases/tests.yml
@@ -24,6 +24,8 @@
        - name: Testcases checking pods
          import_tasks: 020_check-pods-running.yml
          when: ('macvlan' not in testcase)
+        - name: Checking CSR approver
+          import_tasks: 025_check-csr-request.yml
        - name: Testcases for network
          import_tasks: 030_check-network.yml
          when: ('macvlan' not in testcase)