fix: add CSR auto-approval configuration and verification step in ins…

…tallation workflow Signed-off-by: Akash <[email protected]>
karmada-io · Feb 4, 2025 · 812091d · 812091d
1 parent 02d7211
commit 812091d
Showing 1 changed file with 28 additions and 2 deletions.
diff --git a/.github/workflows/installation-chart.yaml b/.github/workflows/installation-chart.yaml
@@ -146,10 +146,36 @@ jobs:
           kubectl create clusterrolebinding karmada-bootstrap-csr \
             --clusterrole=system:node-bootstrapper \
             --group=system:bootstrappers
-            
+
+      - name: Configure CSR Auto-Approval
+        run: |
+          export KUBECONFIG=$HOME/.kube/karmada.config
+          kubectl apply -f - <<EOF
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: ClusterRoleBinding
+          metadata:
+            name: auto-approve-csrs-for-bootstrappers
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: ClusterRole
+            name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
+          subjects:
+          - kind: Group
+            name: system:bootstrappers
+            apiGroup: rbac.authorization.k8s.io
+          EOF
+
       - name: Register cluster
         run: |
           karmadactl register ${{ steps.token.outputs.endpoint }} \
             --token ${{ steps.token.outputs.token }} \
             --discovery-token-ca-cert-hash ${{ steps.token.outputs.hash }} \
-            --kubeconfig $HOME/.kube/karmada.config
+            --discovery-timeout=10m \
+            --kubeconfig $HOME/.kube/karmada.config
+
+      - name: Verify CSR Approval
+        run: |
+          export KUBECONFIG=$HOME/.kube/karmada.config
+          echo "Pending CSRs:"
+          kubectl get csr -o wide
+          kubectl get csr -o name | xargs -I {} kubectl certificate approve {} || true