Switch to github.com/golang/dep for vendoring

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

vendor/k8s.io/kubernetes/pkg/controller/certificates/BUILD

@@ -0,0 +1,73 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "certificate_controller.go",
+        "certificate_controller_utils.go",
+        "cfssl_signer.go",
+        "doc.go",
+        "groupapprove.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api/v1:go_default_library",
+        "//pkg/apis/certificates/v1alpha1:go_default_library",
+        "//pkg/client/cache:go_default_library",
+        "//pkg/client/clientset_generated/clientset:go_default_library",
+        "//pkg/client/clientset_generated/clientset/typed/certificates/v1alpha1:go_default_library",
+        "//pkg/client/clientset_generated/clientset/typed/core/v1:go_default_library",
+        "//pkg/client/record:go_default_library",
+        "//pkg/controller:go_default_library",
+        "//pkg/util/workqueue:go_default_library",
+        "//vendor:github.com/cloudflare/cfssl/config",
+        "//vendor:github.com/cloudflare/cfssl/helpers",
+        "//vendor:github.com/cloudflare/cfssl/signer",
+        "//vendor:github.com/cloudflare/cfssl/signer/local",
+        "//vendor:github.com/golang/glog",
+        "//vendor:k8s.io/apimachinery/pkg/runtime",
+        "//vendor:k8s.io/apimachinery/pkg/util/runtime",
+        "//vendor:k8s.io/apimachinery/pkg/util/wait",
+        "//vendor:k8s.io/apimachinery/pkg/watch",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = [
+        "cfssl_signer_test.go",
+        "groupapprove_test.go",
+    ],
+    data = [
+        "testdata/ca.crt",
+        "testdata/ca.key",
+        "testdata/kubelet.csr",
+    ],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/certificates/v1alpha1:go_default_library",
+        "//pkg/util/cert:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/controller/certificates/OWNERS

@@ -0,0 +1,3 @@
+reviewers:
+- deads2k
+- mikedanese

vendor/k8s.io/kubernetes/pkg/controller/certificates/certificate_controller.go

@@ -0,0 +1,216 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"fmt"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/kubernetes/pkg/api/v1"
+	certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+	"k8s.io/kubernetes/pkg/client/cache"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
+	v1core "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/core/v1"
+	"k8s.io/kubernetes/pkg/client/record"
+	"k8s.io/kubernetes/pkg/controller"
+	"k8s.io/kubernetes/pkg/util/workqueue"
+
+	"github.com/golang/glog"
+)
+
+type AutoApprover interface {
+	AutoApprove(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error)
+}
+
+type Signer interface {
+	Sign(csr *certificates.CertificateSigningRequest) ([]byte, error)
+}
+
+type CertificateController struct {
+	kubeClient clientset.Interface
+
+	// CSR framework and store
+	csrController cache.Controller
+	csrStore      cache.StoreToCertificateRequestLister
+
+	syncHandler func(csrKey string) error
+
+	approver AutoApprover
+	signer   Signer
+
+	queue workqueue.RateLimitingInterface
+}
+
+func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Duration, caCertFile, caKeyFile string, approver AutoApprover) (*CertificateController, error) {
+	// Send events to the apiserver
+	eventBroadcaster := record.NewBroadcaster()
+	eventBroadcaster.StartLogging(glog.Infof)
+	eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: kubeClient.Core().Events("")})
+
+	s, err := NewCFSSLSigner(caCertFile, caKeyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	cc := &CertificateController{
+		kubeClient: kubeClient,
+		queue:      workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "certificate"),
+		signer:     s,
+		approver:   approver,
+	}
+
+	// Manage the addition/update of certificate requests
+	cc.csrStore.Store, cc.csrController = cache.NewInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				return cc.kubeClient.Certificates().CertificateSigningRequests().List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				return cc.kubeClient.Certificates().CertificateSigningRequests().Watch(options)
+			},
+		},
+		&certificates.CertificateSigningRequest{},
+		syncPeriod,
+		cache.ResourceEventHandlerFuncs{
+			AddFunc: func(obj interface{}) {
+				csr := obj.(*certificates.CertificateSigningRequest)
+				glog.V(4).Infof("Adding certificate request %s", csr.Name)
+				cc.enqueueCertificateRequest(obj)
+			},
+			UpdateFunc: func(old, new interface{}) {
+				oldCSR := old.(*certificates.CertificateSigningRequest)
+				glog.V(4).Infof("Updating certificate request %s", oldCSR.Name)
+				cc.enqueueCertificateRequest(new)
+			},
+			DeleteFunc: func(obj interface{}) {
+				csr, ok := obj.(*certificates.CertificateSigningRequest)
+				if !ok {
+					tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+					if !ok {
+						glog.V(2).Infof("Couldn't get object from tombstone %#v", obj)
+						return
+					}
+					csr, ok = tombstone.Obj.(*certificates.CertificateSigningRequest)
+					if !ok {
+						glog.V(2).Infof("Tombstone contained object that is not a CSR: %#v", obj)
+						return
+					}
+				}
+				glog.V(4).Infof("Deleting certificate request %s", csr.Name)
+				cc.enqueueCertificateRequest(obj)
+			},
+		},
+	)
+	cc.syncHandler = cc.maybeSignCertificate
+	return cc, nil
+}
+
+// Run the main goroutine responsible for watching and syncing jobs.
+func (cc *CertificateController) Run(workers int, stopCh <-chan struct{}) {
+	defer utilruntime.HandleCrash()
+	defer cc.queue.ShutDown()
+
+	go cc.csrController.Run(stopCh)
+
+	glog.Infof("Starting certificate controller manager")
+	for i := 0; i < workers; i++ {
+		go wait.Until(cc.worker, time.Second, stopCh)
+	}
+	<-stopCh
+	glog.Infof("Shutting down certificate controller")
+}
+
+// worker runs a thread that dequeues CSRs, handles them, and marks them done.
+func (cc *CertificateController) worker() {
+	for cc.processNextWorkItem() {
+	}
+}
+
+// processNextWorkItem deals with one key off the queue.  It returns false when it's time to quit.
+func (cc *CertificateController) processNextWorkItem() bool {
+	cKey, quit := cc.queue.Get()
+	if quit {
+		return false
+	}
+	defer cc.queue.Done(cKey)
+
+	err := cc.syncHandler(cKey.(string))
+	if err == nil {
+		cc.queue.Forget(cKey)
+		return true
+	}
+
+	cc.queue.AddRateLimited(cKey)
+	utilruntime.HandleError(fmt.Errorf("Sync %v failed with : %v", cKey, err))
+	return true
+}
+
+func (cc *CertificateController) enqueueCertificateRequest(obj interface{}) {
+	key, err := controller.KeyFunc(obj)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("Couldn't get key for object %+v: %v", obj, err))
+		return
+	}
+	cc.queue.Add(key)
+}
+
+// maybeSignCertificate will inspect the certificate request and, if it has
+// been approved and meets policy expectations, generate an X509 cert using the
+// cluster CA assets. If successful it will update the CSR approve subresource
+// with the signed certificate.
+func (cc *CertificateController) maybeSignCertificate(key string) error {
+	startTime := time.Now()
+	defer func() {
+		glog.V(4).Infof("Finished syncing certificate request %q (%v)", key, time.Now().Sub(startTime))
+	}()
+	obj, exists, err := cc.csrStore.Store.GetByKey(key)
+	if err != nil {
+		return err
+	}
+	if !exists {
+		glog.V(3).Infof("csr has been deleted: %v", key)
+		return nil
+	}
+	csr := obj.(*certificates.CertificateSigningRequest)
+
+	if cc.approver != nil {
+		csr, err = cc.approver.AutoApprove(csr)
+		if err != nil {
+			return fmt.Errorf("error auto approving csr: %v", err)
+		}
+	}
+
+	// At this point, the controller needs to:
+	// 1. Check the approval conditions
+	// 2. Generate a signed certificate
+	// 3. Update the Status subresource
+
+	if csr.Status.Certificate == nil && IsCertificateRequestApproved(csr) {
+		certBytes, err := cc.signer.Sign(csr)
+		if err != nil {
+			return err
+		}
+		csr.Status.Certificate = certBytes
+	}
+
+	_, err = cc.kubeClient.Certificates().CertificateSigningRequests().UpdateStatus(csr)
+	return err
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/certificate_controller_utils.go

@@ -0,0 +1,38 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+
+// IsCertificateRequestApproved returns true if a certificate request has the
+// "Approved" condition and no "Denied" conditions; false otherwise.
+func IsCertificateRequestApproved(csr *certificates.CertificateSigningRequest) bool {
+	approved, denied := getCertApprovalCondition(&csr.Status)
+	return approved && !denied
+}
+
+func getCertApprovalCondition(status *certificates.CertificateSigningRequestStatus) (approved bool, denied bool) {
+	for _, c := range status.Conditions {
+		if c.Type == certificates.CertificateApproved {
+			approved = true
+		}
+		if c.Type == certificates.CertificateDenied {
+			denied = true
+		}
+	}
+	return
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/cfssl_signer.go

@@ -0,0 +1,99 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"crypto"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+
+	"github.com/cloudflare/cfssl/config"
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/cloudflare/cfssl/signer"
+	"github.com/cloudflare/cfssl/signer/local"
+)
+
+var onlySigningPolicy = &config.Signing{
+	Default: &config.SigningProfile{
+		Usage:        []string{"signing"},
+		Expiry:       helpers.OneYear,
+		ExpiryString: "8760h",
+	},
+}
+
+type CFSSLSigner struct {
+	ca      *x509.Certificate
+	priv    crypto.Signer
+	sigAlgo x509.SignatureAlgorithm
+}
+
+func NewCFSSLSigner(caFile, caKeyFile string) (*CFSSLSigner, error) {
+	ca, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return nil, err
+	}
+	cakey, err := ioutil.ReadFile(caKeyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	parsedCa, err := helpers.ParseCertificatePEM(ca)
+	if err != nil {
+		return nil, err
+	}
+
+	strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")
+	password := []byte(strPassword)
+	if strPassword == "" {
+		password = nil
+	}
+
+	priv, err := helpers.ParsePrivateKeyPEMWithPassword(cakey, password)
+	if err != nil {
+		return nil, fmt.Errorf("Malformed private key %v", err)
+	}
+	return &CFSSLSigner{
+		priv:    priv,
+		ca:      parsedCa,
+		sigAlgo: signer.DefaultSigAlgo(priv),
+	}, nil
+}
+
+func (cs *CFSSLSigner) Sign(csr *certificates.CertificateSigningRequest) ([]byte, error) {
+	var usages []string
+	for _, usage := range csr.Spec.Usages {
+		usages = append(usages, string(usage))
+	}
+	policy := &config.Signing{
+		Default: &config.SigningProfile{
+			Usage:        usages,
+			Expiry:       helpers.OneYear,
+			ExpiryString: "8760h",
+		},
+	}
+	s, err := local.NewSigner(cs.priv, cs.ca, cs.sigAlgo, policy)
+	if err != nil {
+		return nil, err
+	}
+	return s.Sign(signer.SignRequest{
+		Request: string(csr.Spec.Request),
+	})
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/cfssl_signer_test.go

@@ -0,0 +1,82 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"crypto/x509"
+	"io/ioutil"
+	"reflect"
+	"testing"
+
+	capi "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+	"k8s.io/kubernetes/pkg/util/cert"
+)
+
+func TestSigner(t *testing.T) {
+	s, err := NewCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key")
+	if err != nil {
+		t.Fatalf("failed to create signer: %v", err)
+	}
+
+	csrb, err := ioutil.ReadFile("./testdata/kubelet.csr")
+	if err != nil {
+		t.Fatalf("failed to read CSR: %v", err)
+	}
+
+	csr := &capi.CertificateSigningRequest{
+		Spec: capi.CertificateSigningRequestSpec{
+			Request: []byte(csrb),
+			Usages: []capi.KeyUsage{
+				capi.UsageSigning,
+				capi.UsageKeyEncipherment,
+				capi.UsageServerAuth,
+				capi.UsageClientAuth,
+			},
+		},
+	}
+
+	certData, err := s.Sign(csr)
+	if err != nil {
+		t.Fatalf("failed to sign CSR: %v", err)
+	}
+	if len(certData) == 0 {
+		t.Fatalf("expected a certificate after signing")
+	}
+
+	certs, err := cert.ParseCertsPEM(certData)
+	if err != nil {
+		t.Fatalf("failed to parse certificate: %v", err)
+	}
+	if len(certs) != 1 {
+		t.Fatalf("expected one certificate")
+	}
+
+	crt := certs[0]
+
+	if crt.Subject.CommonName != "system:node:k-a-node-s36b" {
+		t.Errorf("expected common name of 'system:node:k-a-node-s36b', but got: %v", certs[0].Subject.CommonName)
+	}
+	if !reflect.DeepEqual(crt.Subject.Organization, []string{"system:nodes"}) {
+		t.Errorf("expected organization to be [system:nodes] but got: %v", crt.Subject.Organization)
+	}
+	if crt.KeyUsage != x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment {
+		t.Errorf("bad key usage")
+	}
+	if !reflect.DeepEqual(crt.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {
+		t.Errorf("bad extended key usage")
+	}
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package certificates contains logic for watching and synchronizing
+// CertificateSigningRequests.
+package certificates

vendor/k8s.io/kubernetes/pkg/controller/certificates/groupapprove.go

@@ -0,0 +1,113 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+	clientcertificates "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1alpha1"
+)
+
+// groupApprover implements AutoApprover for signing Kubelet certificates.
+type groupApprover struct {
+	client                        clientcertificates.CertificateSigningRequestInterface
+	approveAllKubeletCSRsForGroup string
+}
+
+// NewGroupApprover creates an approver that accepts any CSR requests where the subject group contains approveAllKubeletCSRsForGroup.
+func NewGroupApprover(client clientcertificates.CertificateSigningRequestInterface, approveAllKubeletCSRsForGroup string) AutoApprover {
+	return &groupApprover{
+		client: client,
+		approveAllKubeletCSRsForGroup: approveAllKubeletCSRsForGroup,
+	}
+}
+
+func (cc *groupApprover) AutoApprove(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {
+	// short-circuit if we're not auto-approving
+	if cc.approveAllKubeletCSRsForGroup == "" {
+		return csr, nil
+	}
+	// short-circuit if we're already approved or denied
+	if approved, denied := getCertApprovalCondition(&csr.Status); approved || denied {
+		return csr, nil
+	}
+
+	isKubeletBootstrapGroup := false
+	for _, g := range csr.Spec.Groups {
+		if g == cc.approveAllKubeletCSRsForGroup {
+			isKubeletBootstrapGroup = true
+			break
+		}
+	}
+	if !isKubeletBootstrapGroup {
+		return csr, nil
+	}
+
+	x509cr, err := certificates.ParseCSR(csr)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("unable to parse csr %q: %v", csr.Name, err))
+		return csr, nil
+	}
+	if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
+		return csr, nil
+	}
+	if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
+		return csr, nil
+	}
+	if len(x509cr.DNSNames)+len(x509cr.EmailAddresses)+len(x509cr.IPAddresses) != 0 {
+		return csr, nil
+	}
+	if !hasExactUsages(csr, kubeletClientUsages) {
+		return csr, nil
+	}
+
+	csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
+		Type:    certificates.CertificateApproved,
+		Reason:  "AutoApproved",
+		Message: "Auto approving of all kubelet CSRs is enabled on the controller manager",
+	})
+	return cc.client.UpdateApproval(csr)
+}
+
+var kubeletClientUsages = []certificates.KeyUsage{
+	certificates.UsageKeyEncipherment,
+	certificates.UsageDigitalSignature,
+	certificates.UsageClientAuth,
+}
+
+func hasExactUsages(csr *certificates.CertificateSigningRequest, usages []certificates.KeyUsage) bool {
+	if len(usages) != len(csr.Spec.Usages) {
+		return false
+	}
+
+	usageMap := map[certificates.KeyUsage]struct{}{}
+	for _, u := range usages {
+		usageMap[u] = struct{}{}
+	}
+
+	for _, u := range csr.Spec.Usages {
+		if _, ok := usageMap[u]; !ok {
+			return false
+		}
+	}
+
+	return true
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/groupapprove_test.go

@@ -0,0 +1,71 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"testing"
+
+	certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+)
+
+func TestHasKubeletUsages(t *testing.T) {
+	cases := []struct {
+		usages   []certificates.KeyUsage
+		expected bool
+	}{
+		{
+			usages:   nil,
+			expected: false,
+		},
+		{
+			usages:   []certificates.KeyUsage{},
+			expected: false,
+		},
+		{
+			usages: []certificates.KeyUsage{
+				certificates.UsageKeyEncipherment,
+				certificates.UsageDigitalSignature,
+			},
+			expected: false,
+		},
+		{
+			usages: []certificates.KeyUsage{
+				certificates.UsageKeyEncipherment,
+				certificates.UsageDigitalSignature,
+				certificates.UsageServerAuth,
+			},
+			expected: false,
+		},
+		{
+			usages: []certificates.KeyUsage{
+				certificates.UsageKeyEncipherment,
+				certificates.UsageDigitalSignature,
+				certificates.UsageClientAuth,
+			},
+			expected: true,
+		},
+	}
+	for _, c := range cases {
+		if hasExactUsages(&certificates.CertificateSigningRequest{
+			Spec: certificates.CertificateSigningRequestSpec{
+				Usages: c.usages,
+			},
+		}, kubeletClientUsages) != c.expected {
+			t.Errorf("unexpected result of hasKubeletUsages(%v), expecting: %v", c.usages, c.expected)
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/testdata/ca.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIJAOWJ8tWNUIsZMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB2t1YmUtY2EwHhcNMTYxMjIyMDAyNTI5WhcNNDQwNTA5MDAyNTI5WjASMRAw
+DgYDVQQDDAdrdWJlLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+1HK1d2p7N7UC6px8lVtABw8jPpVyNYjrJmI+TKTTdCgWGsUTFMCw4t4Q/KQDDlvB
+P19uPhbfp8aLwOWXBCxOPZzlM2mAEjSUgKjbyGCW/8vaXa2VgQm3tKZdydKiFvIo
+fEsNA+58w8A0WWEB8wYFcdCt8uPyQ0ws/TxE+WW3u7EPlC0/inIX9JqeZZMpDk3N
+lHEv/pGEjQmoet/hBwGHq9PKepkN5/V6rrSADJ5I4Uklp2f7G9MCP/zV8xKfs0lK
+CMoJsIPK3nL9N3C0rqBQPfcyKE2fnEkxC3UVZA8brvLTkBfOgmM2eVg/nauU1ejv
+zOJL7tDwUioLriw2hiGrFwIDAQABo1AwTjAdBgNVHQ4EFgQUbGJxJeW7BgZ4xSmW
+d3Aw3gq8YZUwHwYDVR0jBBgwFoAUbGJxJeW7BgZ4xSmWd3Aw3gq8YZUwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAunzpYAxpzguzxG83pK5n3ObsGDwO
+78d38qX1VRvMLPvioZxYgquqqFPdLI3xe8b8KdZNzb65549tgjAI17tTKGTRgJu5
+yzLU1tO4vNaAFecMCtPvElYfkrAv2vbGCVJ1bYKTnjdu3083jG3sY9TDj0364A57
+lNwKEd5uxHGWg4H+NbyHkDqfKmllzLvJ9XjSWBPmNVLSW50hV+h9fUXgz9LN+qVY
+VEDfAEWqb6PVy9ANw8A8QLnuSRxbd7hAigtlC4MwzYJ6tyFIIH6bCIgfoZuA+brm
+WGcpIxl4fKEGafSgjsK/6Yhb61mkhHmG16mzEUZNkNsjiYJuF2QxpOlQrw==
+-----END CERTIFICATE-----

vendor/k8s.io/kubernetes/pkg/controller/certificates/testdata/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1HK1d2p7N7UC6px8lVtABw8jPpVyNYjrJmI+TKTTdCgWGsUT
+FMCw4t4Q/KQDDlvBP19uPhbfp8aLwOWXBCxOPZzlM2mAEjSUgKjbyGCW/8vaXa2V
+gQm3tKZdydKiFvIofEsNA+58w8A0WWEB8wYFcdCt8uPyQ0ws/TxE+WW3u7EPlC0/
+inIX9JqeZZMpDk3NlHEv/pGEjQmoet/hBwGHq9PKepkN5/V6rrSADJ5I4Uklp2f7
+G9MCP/zV8xKfs0lKCMoJsIPK3nL9N3C0rqBQPfcyKE2fnEkxC3UVZA8brvLTkBfO
+gmM2eVg/nauU1ejvzOJL7tDwUioLriw2hiGrFwIDAQABAoIBAFJCmEFE2bEYRajS
+LusmCgSxt9PjyfUwrtyN7dF/gODZJLX42QqQEe3GTo2EdCp7HLiNGwKvmKo+Fp76
+Rx82iJUSyyy9DPn/ogCvYWqU++LP7B2ZuOnd+WPZhzc+d8Sqv0JhTQjYrzaclaiG
+B1syWalYRAJogMXOGR102MA4wovJrlHFuTVSWiDe0uguLxyjoTMIRqbib9ZAMSLX
+bfcM2abGpXgq10abda3KKAJbZyr2fnBvqKTs4a4zYeHJpQT+NBPMiryb2WnPFg+b
+93nrjDxUtPsx8NJz6HGkSQLagXkZX2J1JpT8loaNIdyQHab1LNXptc84LR8xxusy
+bs5NowECgYEA+j+SwVgeC+NCUIfxr3F9zPAD9A0Tk3gD4z+j0opfLIMghX4jtK0e
+9fQyglecAbojlkEUk/js5IVZ0IIhBNPWXxKtdShZO7EmJ6Z5IEmFrZK1xUomYBa2
+BfysqSAkxVLsTDIfI0Q4DHQNDOV+iY3j8WoaR51cXr+IY+mYBGSNI80CgYEA2VS5
+X5QHDxoh3r5ORiyab3ciubEofJ29D3NR1tCe9ZgSYRV5Y7T/4KPpZdpsEX/ydYD6
+X4DyURuYNK7PUR8DSlX7/VuMzHThqGJMaT0LE+alU4bruiad33X1WXgtcPTGCic0
+8il50TZTgba0CwxuCO1eVb3IijwgJBX/byM67nMCgYEA7As1KSwtwzbMoVtpa/xY
+Fgu7HuOKuIn22M55fylH1puk/GXb1huJ3aNGVU2/+J0T3jFq8JxXDsJ90kA8Vupe
+BXV/qceyS6yv+ax8Cilvbya4T+y+P9qMPR912V1Zccri2ohYeJJrb8uzV5vM/ICb
+JmbXfP+AVlrBksSOwG37920CgYEAsSi2X6o8QtxLhdZd2ihbz8cu4G4AkezHhAO+
+T70KBytquAcYR+Xwu38CMEvn0jAZRh3YeueTH/i9jxx81STRutPysSni0Xvpwyg2
+H4dqM1PNqxQNrlXyVYlDciZb7HsrwHULXOfgbGG7mr6Db4o3XEGap4woID84+BGS
+glcWn+8CgYEA36uulmZcodfet04qQvlDtr1d7mwLdTR/JAO0ZBIgFH7eGZdEVh8O
+DoTJTdSSJGiv8J35PwEXfhKHjhgOjDocLYu+yCOwVj7jRdHqlDS1BaE36Hzdw0rb
+mWkBRMGJtGhzhoRJEFHAnoLXc9danRfnHwVR58drlf7bjR5I9eU9u1I=
+-----END RSA PRIVATE KEY-----

vendor/k8s.io/kubernetes/pkg/controller/certificates/testdata/kubelet.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH1MIGdAgEAMDsxFTATBgNVBAoTDHN5c3RlbTpub2RlczEiMCAGA1UEAxMZc3lz
+dGVtOm5vZGU6ay1hLW5vZGUtczM2YjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BJbxa5Y8SrUJVHpOoWD5ceqH+5R9mjIhwVP2sqfTcLkjvbitzOiLlxSq/LwJ+qq7
+kVpf9f3GopZVhRWbYSCg0YGgADAKBggqhkjOPQQDAgNHADBEAiAabb6XFtPOJUCQ
++84NhxLEvPANhrtwFq3Q0qFZ9TzH5QIgc/697RTTcbri2lVj+10dLFIC3VYJ7br4
+QjA7haCYXrA=
+-----END CERTIFICATE REQUEST-----