External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-03-08 21:19:28 -02:30
Code Issues Packages Projects Releases Wiki Activity

Refactor: check csr request is separated from check network

Browse Source 
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
This commit is contained in:
ChengHao Yang
2025-11-29 01:40:17 +08:00
parent 3e42b84e94
commit 78199c3bc3
3 changed files with 50 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
tests/testcases/025_check-csr-request.yml Normal file
View File

@@ -0,0 +1,48 @@
---
- name: Check kubelet serving certificates approved with kubelet_csr_approver
when:
- kubelet_rotate_server_certificates | default(false)
- kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
vars:
csrs: "{{ csr_json.stdout | from_json }}"
block:
- name: Get certificate signing requests
command: "{{ bin_dir }}/kubectl get csr -o jsonpath-as-json={.items[*]}"
register: csr_json
changed_when: false
- name: Check there are csrs
assert:
that: csrs | length > 0
fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
- name: Check there are Denied/Pending csrs
assert:
that:
- csrs | rejectattr('status') | length == 0 # Pending == no status
- csrs | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0 # Denied
fail_msg: kubelet_csr_approver is enabled but CSRs are not approved
- name: Approve kubelet serving certificates
when:
- kubelet_rotate_server_certificates | default(false)
- not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)))
block:
- name: Get certificate signing requests
command: "{{ bin_dir }}/kubectl get csr -o name"
register: get_csr
changed_when: false
- name: Check there are csrs
assert:
that: get_csr.stdout_lines | length > 0
fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
- name: Approve certificates
command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}"
register: certificate_approve
when: get_csr.stdout_lines | length > 0
changed_when: certificate_approve.stdout

48
tests/testcases/030_check-network.yml
View File

@@ -1,52 +1,4 @@
--- ---
- name: Check kubelet serving certificates approved with kubelet_csr_approver
when:
- kubelet_rotate_server_certificates | default(false)
- kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
vars:
csrs: "{{ csr_json.stdout | from_json }}"
block:
- name: Get certificate signing requests
command: "{{ bin_dir }}/kubectl get csr -o jsonpath-as-json={.items[*]}"
register: csr_json
changed_when: false
- name: Check there are csrs
assert:
that: csrs | length > 0
fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
- name: Check there are Denied/Pending csrs
assert:
that:
- csrs | rejectattr('status') | length == 0 # Pending == no status
- csrs | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0 # Denied
fail_msg: kubelet_csr_approver is enabled but CSRs are not approved
- name: Approve kubelet serving certificates
when:
- kubelet_rotate_server_certificates | default(false)
- not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)))
block:
- name: Get certificate signing requests
command: "{{ bin_dir }}/kubectl get csr -o name"
register: get_csr
changed_when: false
- name: Check there are csrs
assert:
that: get_csr.stdout_lines | length > 0
fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
- name: Approve certificates
command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}"
register: certificate_approve
when: get_csr.stdout_lines | length > 0
changed_when: certificate_approve.stdout
- name: Create test namespace - name: Create test namespace
command: "{{ bin_dir }}/kubectl create namespace test" command: "{{ bin_dir }}/kubectl create namespace test"
changed_when: false changed_when: false

2
tests/testcases/tests.yml
View File

@@ -24,6 +24,8 @@
- name: Testcases checking pods - name: Testcases checking pods
import_tasks: 020_check-pods-running.yml import_tasks: 020_check-pods-running.yml
when: ('macvlan' not in testcase) when: ('macvlan' not in testcase)
- name: Checking CSR approver
import_tasks: 025_check-csr-request.yml
- name: Testcases for network - name: Testcases for network
import_tasks: 030_check-network.yml import_tasks: 030_check-network.yml
when: ('macvlan' not in testcase) when: ('macvlan' not in testcase)