}

// CertificateSigningRequestList is a collection of CertificateSigningRequest objects
message CertificateSigningRequestList {
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items is a collection of CertificateSigningRequest objects
  repeated CertificateSigningRequest items = 2;
}

// CertificateSigningRequestSpec contains the certificate request.

				resource:    certificatesapi.Resource("certificatesigningrequests"),
				subresource: "approval",
				oldObj: &certificatesapi.CertificateSigningRequest{Spec: certificatesapi.CertificateSigningRequestSpec{
					SignerName: "notallowed.com/xyz",
				}},
				obj: &certificatesapi.CertificateSigningRequest{Spec: certificatesapi.CertificateSigningRequestSpec{
					SignerName: "allowed.com/xyz",
				}},
				operation: admission.Update,

					t.Errorf("got: %v, expected: %v", got, expected)
				}
				if got, expected := a.Subresource, "approval"; got != expected {
					t.Errorf("got: %v, expected: %v", got, expected)
				}
				csr := a.Object.(*capi.CertificateSigningRequest)
				if len(csr.Status.Conditions) != 1 {
					t.Errorf("expected CSR to have approved condition: %#v", csr)
				}
				c := csr.Status.Conditions[0]

// CSR, the CSR statuses that are visible via `kubectl` will include 'Issued'.
func isIssued(csr *capi.CertificateSigningRequest) bool {
	return len(csr.Status.Certificate) > 0
}

// isExpired checks if the CSR has a certificate and the date in the `NotAfter`
// field has gone by.
func isExpired(csr *capi.CertificateSigningRequest) bool {
	if len(csr.Status.Certificate) == 0 {
		return false
	}

	handler func(context.Context, *certificates.CertificateSigningRequest) error

	queue workqueue.TypedRateLimitingInterface[string]
}

func NewCertificateController(
	ctx context.Context,
	name string,
	kubeClient clientset.Interface,
	csrInformer certificatesinformers.CertificateSigningRequestInformer,
	handler func(context.Context, *certificates.CertificateSigningRequest) error,
) *CertificateController {

	csr, ok := a.GetOldObject().(*api.CertificateSigningRequest)
	if !ok {
		return admission.NewForbidden(a, fmt.Errorf("expected type CertificateSigningRequest, got: %T", a.GetOldObject()))
	}

	if !certificates.IsAuthorizedForSignerName(ctx, p.authz, a.GetUserInfo(), "approve", csr.Spec.SignerName) {
		klog.V(4).Infof("user not permitted to approve CertificateSigningRequest %q with signerName %q", csr.Name, csr.Spec.SignerName)

// +genclient:method=UpdateApproval,verb=update,subresource=approval,input=k8s.io/api/certificates/v1.CertificateSigningRequest,result=k8s.io/api/certificates/v1.CertificateSigningRequest
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.19

// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates

	"uid":               "uid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
	"groups":            "groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",

}

// CertificateSigningRequestList is a collection of CertificateSigningRequest objects
message CertificateSigningRequestList {
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items is a collection of CertificateSigningRequest objects
  repeated CertificateSigningRequest items = 2;
}

// CertificateSigningRequestSpec contains the certificate request.

func IsCertificateRequestApproved(csr *certificates.CertificateSigningRequest) bool {
	approved, denied := GetCertApprovalCondition(&csr.Status)
	return approved && !denied
}

// HasTrueCondition returns true if the csr contains a condition of the specified type with a status that is set to True or is empty
func HasTrueCondition(csr *certificates.CertificateSigningRequest, conditionType certificates.RequestConditionType) bool {