go func() {
		for {
			select {
			case <-ctx.Done():
				return
			case r := <-w.ResultChan():
				csr := r.Object.(*cert.CertificateSigningRequest).DeepCopy()
				if csr.Status.Certificate != nil {
					log.Debugf("test signer skip, already signed: %v", csr.Name)
					continue
				}
				if approved(csr) {
					// This is a pretty terrible hack, but client-go fake doesn't properly support list+watch,

cfssl gencert -initca root.csr.json | cfssljson -bare root

cfssl gencert -initca intermediate.csr.json | cfssljson -bare intermediate
cfssl sign -ca root.pem -ca-key root-key.pem -config intermediate.config.json intermediate.csr | cfssljson -bare intermediate

cfssl gencert -ca intermediate.pem -ca-key intermediate-key.pem -config client.config.json --profile=valid   client.csr.json | cfssljson -bare client-valid

rm "${WD}/server.conf" "${WD}/client.conf" "${WD}/dns-client.conf" "${WD}/crl.conf"
rm "${WD}/server.csr" "${WD}/client.csr" "${WD}/dns-client.csr"
rm "${WD}/mountedcerts-server.conf" "${WD}/mountedcerts-server.csr"
rm "${WD}/mountedcerts-client.conf" "${WD}/mountedcerts-client.csr"

openssl req -new -key ecc-root-key.pem -out ecc-root-cert.csr -sha256 <<EOF
US
California
Sunnyvale
Istio
Test
Root CA
******@****.***


EOF
openssl x509 -req -days 3650 -in ecc-root-cert.csr -sha256 -signkey ecc-root-key.pem -out ecc-root-cert.pem

# Intermediate CA
#openssl ecparam -genkey -name prime256v1 -out ecc-int-key.pem -noout
openssl req -new -key ecc-int-key.pem -out ecc-int-cert.csr -config int-cert.cfg -batch -sha256

	go func() {
		for {
			select {
			case <-ctx.Done():
				return
			case r := <-w.ResultChan():
				csr := r.Object.(*cert.CertificateSigningRequest).DeepCopy()
				if csr.Status.Certificate != nil {
					continue
				}
				csr.Status.Certificate = certificate
				// fake clientset doesn't handle resource version, so we need to delay the update

					SignerName:        "pandas",
					ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
				},
			},
			options:       &metav1.UpdateOptions{DryRun: []string{"stuff"}},
			wantSigner:    "",
			wantRequested: false,
			wantHonored:   false,
		},
		{
			name:    "old CSR already has a cert so it is ignored",
			success: true,

	if err != nil {
		return nil, nil, fmt.Errorf("CSR template creation failed (%v)", err)
	}

	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, template, crypto.PrivateKey(priv))
	if err != nil {
		return nil, nil, fmt.Errorf("CSR creation failed (%v)", err)
	}

	csr, privKey, err := encodePem(true, csrBytes, priv, options.PKCS8Key)
	return csr, privKey, err
}

	signingCert, signingKey, certChain, rootCert := c.bundle.GetAll()
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return nil, fmt.Errorf("csr sign error: %v", err)
	}
	subjectIDs := []string{"test"}
	certBytes, err := util.GenCertFromCSR(csr, signingCert, csr.PublicKey, *signingKey, subjectIDs, c.certLifetime, false)
	if err != nil {
		return nil, fmt.Errorf("csr sign error: %v", err)
	}

	block := &pem.Block{

cfssl gencert -initca root.csr.json | cfssljson -bare root

cfssl gencert -initca intermediate.csr.json | cfssljson -bare intermediate
cfssl sign -ca root.pem -ca-key root-key.pem -config intermediate.config.json intermediate.csr | cfssljson -bare intermediate

cfssl gencert -ca intermediate.pem -ca-key intermediate-key.pem -config client.config.json --profile=valid   client.csr.json | cfssljson -bare client-valid

func IsCertificateRequestApproved(csr *certificates.CertificateSigningRequest) bool {
	approved, denied := GetCertApprovalCondition(&csr.Status)
	return approved && !denied
}

// HasTrueCondition returns true if the csr contains a condition of the specified type with a status that is set to True or is empty