// Updating /status should not modify spec
	newCSR.Spec = oldCSR.Spec

	// Specifically preserve existing Approved/Denied conditions.
	// Adding/removing Approved/Denied conditions will cause these to fail,
	// and the change in Approved/Denied conditions will produce a validation error
	preserveConditionInstances(newCSR, oldCSR, certificates.CertificateApproved)

		}},
		oldCSR: &capi.CertificateSigningRequest{ObjectMeta: validUpdateMetaWithFinalizers, Spec: validSpec},
		errs: []string{
			`status.conditions: Forbidden: updates may not add a condition of type "Approved"`,
		},
	}, {
		name:   "remove Approved condition",
		newCSR: &capi.CertificateSigningRequest{ObjectMeta: validUpdateMeta, Spec: validSpec},

// implementations compliant with FIPS 140.
//
// FIPS 140 [1] is a US standard for data processing that specifies
// requirements for cryptographic modules. Software that is "FIPS 140
// compliant" must use approved cryptographic primitives only and that
// are implemented by a FIPS 140 certified cryptographic module.
//
// So, FIPS 140 requires that a certified implementation of e.g. AES

  optional CertificateSigningRequestStatus status = 3;
}

message CertificateSigningRequestCondition {
  // type of the condition. Known conditions include "Approved", "Denied", and "Failed".
  optional string type = 1;

  // Status of the condition, one of True, False, Unknown.
  // Approved, Denied, and Failed conditions may not be "False" or "Unknown".
  // Defaults to "True".
  // If unset, should be treated as "True".
  // +optional

// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

//go:build boringcrypto

// Package fipsonly restricts all TLS configuration to FIPS-approved settings.
//
// The effect is triggered by importing the package anywhere in a program, as in:
//
//	import _ "crypto/tls/fipsonly"
//
// This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto.

| token          | string     | Token from the AssumeRoleWithCustomToken call for external verification |

### Response

If the token is valid and access is approved, the plugin must return a `200` (OK) HTTP status code.

A `200 OK` Response should have `application/json` content-type and body with the following structure:

```json
{
    "user": <string>,

// be removed if they meet one of the following criteria: the CSR is Approved
// with a certificate and is old enough to be past the GC issued deadline, the
// CSR is denied and is old enough to be past the GC denied deadline, the CSR
// is Pending and is old enough to be past the GC pending deadline, the CSR is
// approved with a certificate and the certificate is expired.
type CSRCleanerController struct {

  held off after the release. Hiding/Showing documentation does not require TOC approval.
* Cases for other API changes require TOC approval
    * Simple `meshConfig` changes have been approved in the past. Functionality should not be enabled by default.
* For large API changes, 2 members of the TOC must approve the PR before release manager approval in the release branch

					log.Debugf("test signer sign %v: %v", csr.Name, err)
				} else {
					log.Debugf("test signer skip, not approved: %v", csr.Name)
				}
			}
		}
	}()
	return client
}

func approved(csr *cert.CertificateSigningRequest) bool {
	return GetCondition(csr.Status.Conditions, cert.CertificateApproved).Status == corev1.ConditionTrue
}

				},
				Scope: apiextensionsv1.NamespaceScoped,
			},
		}
	}
	// the unit tests cover all variations. We just need to be sure that we see the code being called
	approvedKubeAPI := newSigKubeAPIFn("approved", "https://github.com/kubernetes/kubernetes/pull/79724")
	approvedKubeAPI, err = fixtures.CreateNewV1CustomResourceDefinition(approvedKubeAPI, apiExtensionClient, dynamicClient)
	if err != nil {
		t.Fatal(err)
	}