KUBE-637: handle csr approving after pod restart

internal/actions/approve_csr_handler.go

@@ -90,15 +90,8 @@ func (h *ApproveCSRHandler) handleWithRetry(ctx context.Context, log *logrus.Ent
 }
 
 func (h *ApproveCSRHandler) handle(ctx context.Context, log logrus.FieldLogger, cert *csr.Certificate) (reterr error) {
-	// Since this new csr may be denied we need to delete it.
-	log.Debug("deleting old csr")
-	//!!!CLEAN IT UP!!!
-	time.Sleep(25 * time.Second)
-	if err := cert.DeleteCertificate(ctx, h.clientset); err != nil {
-		return fmt.Errorf("deleting csr: %w", err)
-	}
-
-	// Create a new CSR with the same request data as the original one.
+	// Create a new CSR with the same request data as the original one,
+	// since old csr may be denied.
 	log.Debug("requesting new csr")
 	newCert, err := cert.NewCSR(ctx, h.clientset)
 	if err != nil {
@@ -107,14 +100,21 @@ func (h *ApproveCSRHandler) handle(ctx context.Context, log logrus.FieldLogger,
 
 	// Approve new csr.
 	log.Debug("approving new csr")
-	resp, err := newCert.ApproveCertificate(ctx, h.clientset)
+	resp, err := newCert.ApproveCSRCertificate(ctx, h.clientset)
 	if err != nil {
 		return fmt.Errorf("approving csr: %w", err)
 	}
 	if resp.Approved() {
 		return nil
 	}
 
+	log.Debug("deleting old csr")
+	//!!!CLEAN IT UP!!!
+	time.Sleep(25 * time.Second)
+	if err := cert.DeleteCSR(ctx, h.clientset); err != nil {
+		return fmt.Errorf("deleting csr: %w", err)
+	}
+
 	return errors.New("certificate signing request was not approved")
 }
 

internal/actions/csr/csr.go

@@ -71,8 +71,8 @@ func isAlreadyApproved(err error) bool {
 	return strings.Contains(err.Error(), "Duplicate value: \"Approved\"")
 }
 
-// ApproveCertificate approves csr.
-func (c *Certificate) ApproveCertificate(ctx context.Context, client kubernetes.Interface) (*Certificate, error) {
+// ApproveCSRCertificate approves csr.
+func (c *Certificate) ApproveCSRCertificate(ctx context.Context, client kubernetes.Interface) (*Certificate, error) {
 	if err := c.Validate(); err != nil {
 		return nil, err
 	}
@@ -105,8 +105,8 @@ func (c *Certificate) ApproveCertificate(ctx context.Context, client kubernetes.
 	return &Certificate{v1: resp}, nil
 }
 
-// DeleteCertificate deletes csr.
-func (c *Certificate) DeleteCertificate(ctx context.Context, client kubernetes.Interface) error {
+// DeleteCSR deletes csr.
+func (c *Certificate) DeleteCSR(ctx context.Context, client kubernetes.Interface) error {
 	if err := c.Validate(); err != nil {
 		return err
 	}

internal/actions/csr/csr_test.go

@@ -32,13 +32,13 @@ func TestApproveCSR(t *testing.T) {
 	cert, err := GetCertificateByNodeName(ctx, client, "gke-csr-cast-pool-ab259afb")
 	r.NoError(err)
 
-	err = cert.DeleteCertificate(ctx, client)
+	err = cert.DeleteCSR(ctx, client)
 	r.NoError(err)
 
 	cert, err = cert.NewCSR(ctx, client)
 	r.NoError(err)
 
-	_, err = cert.ApproveCertificate(ctx, client)
+	_, err = cert.ApproveCSRCertificate(ctx, client)
 	r.NoError(err)
 }
 

internal/actions/csr/svc.go

@@ -68,7 +68,7 @@ func (h *ApprovalManager) handle(ctx context.Context, log logrus.FieldLogger, ce
 	log = log.WithField("csr_name", cert.Name)
 	// Since this new csr may be denied we need to delete it.
 	log.Info("deleting old csr")
-	if err := cert.DeleteCertificate(ctx, h.clientset); err != nil {
+	if err := cert.DeleteCSR(ctx, h.clientset); err != nil {
 		if !apierrors.IsNotFound(err) {
 			return fmt.Errorf("deleting csr: %w", err)
 		}
@@ -83,7 +83,7 @@ func (h *ApprovalManager) handle(ctx context.Context, log logrus.FieldLogger, ce
 
 	// Approve new csr.
 	log.Info("approving new csr")
-	resp, err := newCert.ApproveCertificate(ctx, h.clientset)
+	resp, err := newCert.ApproveCSRCertificate(ctx, h.clientset)
 	if err != nil {
 		return fmt.Errorf("approving csr: %w", err)
 	}