)

// CSRCleanerController is a controller that garbage collects old certificate
// signing requests (CSRs). Since there are mechanisms that automatically
// create CSRs, and mechanisms that automatically approve CSRs, in order to
// prevent a build up of CSRs over time, it is necessary to GC them. CSRs will
// be removed if they meet one of the following criteria: the CSR is Approved

const RequestLifeTimeAnnotationForCertManager = "experimental.cert-manager.io/request-duration"

type Signer struct {
	csrs    kclient.Client[*certv1.CertificateSigningRequest]
	signers map[string]*signer.Signer
	queue   controllers.Queue
}

func NewSigner(cl kube.Client, signers map[string]*signer.Signer) *Signer {
	c := &Signer{
		csrs:    kclient.New[*certv1.CertificateSigningRequest](cl),
		signers: signers,
	}

			if oldCSR.Spec.ExpirationSeconds == nil {
				return // ignore CSRs that are not using the CSR duration feature
			}

			newCSR, ok := obj.(*certificates.CertificateSigningRequest)
			if !ok {
				return
			}
			issuedCert := newCSR.Status.Certificate

			// new CSR has no issued certificate yet so do not count it.
			// note that this means that we will ignore CSRs that set a duration

	}
	// Create RBAC rules that makes the bootstrap tokens able to post CSRs
	if err := nodebootstraptokenphase.AllowBootstrapTokensToPostCSRs(client); err != nil {
		return errors.Wrap(err, "error allowing bootstrap tokens to post CSRs")
	}
	// Create RBAC rules that makes the bootstrap tokens able to get their CSRs approved automatically
	if err := nodebootstraptokenphase.AutoApproveNodeBootstrapTokens(client); err != nil {

)

// AllowBootstrapTokensToPostCSRs creates RBAC rules in a way the makes Node Bootstrap Tokens able to post CSRs
func AllowBootstrapTokensToPostCSRs(client clientset.Interface) error {
	fmt.Println("[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials")

	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{

apiVersion: release-notes/v2
kind: feature
area: security
issue:
  - 47489
releaseNotes:
  - |-
    **Added** support for istio CA to handle node authorization for CSRs with impersonate identity from remote clusters.

apiVersion: release-notes/v2
kind: feature
area: security
issue:
- 23226
releaseNotes:
- |

		accounts := env.Register(
			"CA_TRUSTED_NODE_ACCOUNTS",
			"",
			"If set, the list of service accounts that are allowed to use node authentication for CSRs. "+
				"Node authentication allows an identity to create CSRs on behalf of other identities, but only if there is a pod "+
				"running on the same node with that identity. "+
				"This is intended for use with node proxies.",
		).Get()

	You can also use "kubeadm init --upload-certs" without specifying a certificate key and it will
	generate and print one for you.
`)
	generateCSRLongDesc = cmdutil.LongDesc(`
	Generates keys and certificate signing requests (CSRs) for all the certificates required to run the control plane.
	This command also generates partial kubeconfig files with private key data in the  "users > user > client-key-data" field,

)

// csrStrategy implements behavior for CSRs
type csrStrategy struct {
	runtime.ObjectTyper
	names.NameGenerator
}

// csrStrategy is the default logic that applies when creating and updating
// CSR objects.
var Strategy = csrStrategy{legacyscheme.Scheme, names.SimpleNameGenerator}

// NamespaceScoped is false for CSRs.
func (csrStrategy) NamespaceScoped() bool {
	return false
}