oldCSR: &capi.CertificateSigningRequest{Status: capi.CertificateSigningRequestStatus{
			Conditions: []capi.CertificateSigningRequestCondition{{Type: capi.CertificateApproved}, {Type: capi.CertificateDenied}},
		}},
		want: certificateValidationOptions{
			allowBothApprovedAndDenied: true,
		},
	}, {
		name:   "compatible update, legacy signerName",

}

TEST(CAPI, RemoteExecuteSilentCopies) {
  TestRemoteExecuteSilentCopiesOp(/*async=*/false, /*remote=*/true);
}
TEST(CAPI, RemoteExecuteSilentCopiesAsync) {
  TestRemoteExecuteSilentCopiesOp(/*async=*/true, /*remote=*/true);
}
TEST(CAPI, RemoteExecuteSilentCopiesLocal) {
  TestRemoteExecuteSilentCopiesOp(/*async=*/false, /*remote=*/false);
}
TEST(CAPI, RemoteExecuteSilentCopiesLocalAsync) {

import (
	"crypto/x509"
	"fmt"
	"reflect"
	"testing"

	capi "k8s.io/api/certificates/v1"
)

func TestKeyUsagesFromStrings(t *testing.T) {
	testcases := []struct {
		usages              []capi.KeyUsage
		expectedKeyUsage    x509.KeyUsage
		expectedExtKeyUsage []x509.ExtKeyUsage
		expectErr           bool
	}{
		{
			usages:              []capi.KeyUsage{"signing"},
			expectedKeyUsage:    x509.KeyUsageDigitalSignature,

	capi.UsageCRLSign:           x509.KeyUsageCRLSign,
	capi.UsageEncipherOnly:      x509.KeyUsageEncipherOnly,
	capi.UsageDecipherOnly:      x509.KeyUsageDecipherOnly,
}

var extKeyUsageDict = map[capi.KeyUsage]x509.ExtKeyUsage{
	capi.UsageAny:             x509.ExtKeyUsageAny,
	capi.UsageServerAuth:      x509.ExtKeyUsageServerAuth,
	capi.UsageClientAuth:      x509.ExtKeyUsageClientAuth,

	capi.UsageCRLSign:           x509.KeyUsageCRLSign,
	capi.UsageEncipherOnly:      x509.KeyUsageEncipherOnly,
	capi.UsageDecipherOnly:      x509.KeyUsageDecipherOnly,
}

var extKeyUsageDict = map[capi.KeyUsage]x509.ExtKeyUsage{
	capi.UsageAny:             x509.ExtKeyUsageAny,
	capi.UsageServerAuth:      x509.ExtKeyUsageServerAuth,
	capi.UsageClientAuth:      x509.ExtKeyUsageClientAuth,

}

var (
	kubeletClientUsages = []capi.KeyUsage{
		capi.UsageDigitalSignature,
		capi.UsageKeyEncipherment,
		capi.UsageClientAuth,
	}
	kubeletClientUsagesNoRSA = []capi.KeyUsage{
		capi.UsageDigitalSignature,
		capi.UsageClientAuth,
	}
	kubeletClientPEMOptions = pemOptions{
		cn:  "system:node:nodename",
		org: "system:nodes",
	}

	kubeletServerUsages = []capi.KeyUsage{
		capi.UsageDigitalSignature,

func isKubeletServing(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error) {
	if signerName != capi.KubeletServingSignerName {
		return false, nil
	}
	return true, capihelper.ValidateKubeletServingCSR(req, usagesToSet(usages))
}

func isKubeletClient(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error) {
	if signerName != capi.KubeAPIServerClientKubeletSignerName {

		created         metav1.Time
		certificate     []byte
		conditions      []capi.CertificateSigningRequestCondition
		expectedActions []string
	}{
		{
			"no delete approved not passed deadline",
			metav1.NewTime(time.Now().Add(-1 * time.Minute)),
			[]byte(unexpiredCert),
			[]capi.CertificateSigningRequestCondition{
				{
					Type:           capi.CertificateApproved,

	for _, c := range cases {
		b := csrBuilder{
			signerName: capi.KubeAPIServerClientKubeletSignerName,
			cn:         "system:node:foo",
			orgs:       []string{"system:nodes"},
			requestor:  "system:node:foo",
			usages: []capi.KeyUsage{
				capi.UsageKeyEncipherment,

			usages:     []capi.KeyUsage{capi.UsageServerAuth, capi.UsageClientAuth, capi.UsageDigitalSignature, capi.UsageKeyEncipherment},
			approved:   true,
			verify: func(t *testing.T, as []testclient.Action) {
				if len(as) != 1 {
					t.Errorf("expected one Update action but got %d", len(as))
					return
				}
				csr := as[0].(testclient.UpdateAction).GetObject().(*capi.CertificateSigningRequest)