vendor files

vendor/k8s.io/kubernetes/pkg/registry/certificates/OWNERS

@@ -0,0 +1,11 @@
+reviewers:
+- smarterclayton
+- wojtek-t
+- deads2k
+- mikedanese
+- liggitt
+- timothysc
+- dims
+- hongchaodeng
+- david-mcmahon
+- enj

vendor/k8s.io/kubernetes/pkg/registry/certificates/certificates/BUILD

@@ -0,0 +1,60 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "registry.go",
+        "strategy.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/registry/certificates/certificates",
+    deps = [
+        "//pkg/api/legacyscheme:go_default_library",
+        "//pkg/apis/certificates:go_default_library",
+        "//pkg/apis/certificates/validation:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["strategy_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/certificates/certificates",
+    library = ":go_default_library",
+    deps = [
+        "//pkg/apis/certificates:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//pkg/registry/certificates/certificates/storage:all-srcs",
+    ],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/registry/certificates/certificates/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package certificates provides Registry interface and its RESTStorage
+// implementation for storing CertificateSigningRequest objects.
+package certificates // import "k8s.io/kubernetes/pkg/registry/certificates/certificates"

vendor/k8s.io/kubernetes/pkg/registry/certificates/certificates/registry.go

@@ -0,0 +1,83 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/watch"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
+	"k8s.io/kubernetes/pkg/apis/certificates"
+)
+
+// Registry is an interface for things that know how to store CSRs.
+type Registry interface {
+	ListCSRs(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*certificates.CertificateSigningRequestList, error)
+	CreateCSR(ctx genericapirequest.Context, csr *certificates.CertificateSigningRequest, createValidation rest.ValidateObjectFunc) error
+	UpdateCSR(ctx genericapirequest.Context, csr *certificates.CertificateSigningRequest, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error
+	GetCSR(ctx genericapirequest.Context, csrID string, options *metav1.GetOptions) (*certificates.CertificateSigningRequest, error)
+	DeleteCSR(ctx genericapirequest.Context, csrID string) error
+	WatchCSRs(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error)
+}
+
+// storage puts strong typing around storage calls
+type storage struct {
+	rest.StandardStorage
+}
+
+// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
+// types will panic.
+func NewRegistry(s rest.StandardStorage) Registry {
+	return &storage{s}
+}
+
+func (s *storage) ListCSRs(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*certificates.CertificateSigningRequestList, error) {
+	obj, err := s.List(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+
+	return obj.(*certificates.CertificateSigningRequestList), nil
+}
+
+func (s *storage) CreateCSR(ctx genericapirequest.Context, csr *certificates.CertificateSigningRequest, createValidation rest.ValidateObjectFunc) error {
+	_, err := s.Create(ctx, csr, createValidation, false)
+	return err
+}
+
+func (s *storage) UpdateCSR(ctx genericapirequest.Context, csr *certificates.CertificateSigningRequest, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error {
+	_, _, err := s.Update(ctx, csr.Name, rest.DefaultUpdatedObjectInfo(csr), createValidation, updateValidation)
+	return err
+}
+
+func (s *storage) WatchCSRs(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error) {
+	return s.Watch(ctx, options)
+}
+
+func (s *storage) GetCSR(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*certificates.CertificateSigningRequest, error) {
+	obj, err := s.Get(ctx, name, options)
+	if err != nil {
+		return nil, err
+	}
+	return obj.(*certificates.CertificateSigningRequest), nil
+}
+
+func (s *storage) DeleteCSR(ctx genericapirequest.Context, name string) error {
+	_, _, err := s.Delete(ctx, name, nil)
+	return err
+}

vendor/k8s.io/kubernetes/pkg/registry/certificates/certificates/storage/BUILD

@@ -0,0 +1,34 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/certificates/certificates/storage",
+    deps = [
+        "//pkg/apis/certificates:go_default_library",
+        "//pkg/registry/certificates/certificates:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/registry/certificates/certificates/storage/storage.go

@@ -0,0 +1,97 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storage
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/generic"
+	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
+	"k8s.io/apiserver/pkg/registry/rest"
+	"k8s.io/kubernetes/pkg/apis/certificates"
+	csrregistry "k8s.io/kubernetes/pkg/registry/certificates/certificates"
+)
+
+// REST implements a RESTStorage for CertificateSigningRequest
+type REST struct {
+	*genericregistry.Store
+}
+
+// NewREST returns a registry which will store CertificateSigningRequest in the given helper
+func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, *StatusREST, *ApprovalREST) {
+	store := &genericregistry.Store{
+		NewFunc:                  func() runtime.Object { return &certificates.CertificateSigningRequest{} },
+		NewListFunc:              func() runtime.Object { return &certificates.CertificateSigningRequestList{} },
+		DefaultQualifiedResource: certificates.Resource("certificatesigningrequests"),
+
+		CreateStrategy: csrregistry.Strategy,
+		UpdateStrategy: csrregistry.Strategy,
+		DeleteStrategy: csrregistry.Strategy,
+		ExportStrategy: csrregistry.Strategy,
+	}
+	options := &generic.StoreOptions{RESTOptions: optsGetter}
+	if err := store.CompleteWithOptions(options); err != nil {
+		panic(err) // TODO: Propagate error up
+	}
+
+	// Subresources use the same store and creation strategy, which only
+	// allows empty subs. Updates to an existing subresource are handled by
+	// dedicated strategies.
+	statusStore := *store
+	statusStore.UpdateStrategy = csrregistry.StatusStrategy
+
+	approvalStore := *store
+	approvalStore.UpdateStrategy = csrregistry.ApprovalStrategy
+
+	return &REST{store}, &StatusREST{store: &statusStore}, &ApprovalREST{store: &approvalStore}
+}
+
+// Implement ShortNamesProvider
+var _ rest.ShortNamesProvider = &REST{}
+
+// ShortNames implements the ShortNamesProvider interface. Returns a list of short names for a resource.
+func (r *REST) ShortNames() []string {
+	return []string{"csr"}
+}
+
+// StatusREST implements the REST endpoint for changing the status of a CSR.
+type StatusREST struct {
+	store *genericregistry.Store
+}
+
+func (r *StatusREST) New() runtime.Object {
+	return &certificates.CertificateSigningRequest{}
+}
+
+// Update alters the status subset of an object.
+func (r *StatusREST) Update(ctx genericapirequest.Context, name string, objInfo rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
+	return r.store.Update(ctx, name, objInfo, createValidation, updateValidation)
+}
+
+// ApprovalREST implements the REST endpoint for changing the approval state of a CSR.
+type ApprovalREST struct {
+	store *genericregistry.Store
+}
+
+func (r *ApprovalREST) New() runtime.Object {
+	return &certificates.CertificateSigningRequest{}
+}
+
+// Update alters the approval subset of an object.
+func (r *ApprovalREST) Update(ctx genericapirequest.Context, name string, objInfo rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
+	return r.store.Update(ctx, name, objInfo, createValidation, updateValidation)
+}

vendor/k8s.io/kubernetes/pkg/registry/certificates/certificates/strategy.go

@@ -0,0 +1,191 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/storage/names"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/apis/certificates"
+	"k8s.io/kubernetes/pkg/apis/certificates/validation"
+)
+
+// csrStrategy implements behavior for CSRs
+type csrStrategy struct {
+	runtime.ObjectTyper
+	names.NameGenerator
+}
+
+// csrStrategy is the default logic that applies when creating and updating
+// CSR objects.
+var Strategy = csrStrategy{legacyscheme.Scheme, names.SimpleNameGenerator}
+
+// NamespaceScoped is true for CSRs.
+func (csrStrategy) NamespaceScoped() bool {
+	return false
+}
+
+// AllowCreateOnUpdate is false for CSRs.
+func (csrStrategy) AllowCreateOnUpdate() bool {
+	return false
+}
+
+// PrepareForCreate clears fields that are not allowed to be set by end users
+// on creation.
+func (csrStrategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.Object) {
+	csr := obj.(*certificates.CertificateSigningRequest)
+
+	// Clear any user-specified info
+	csr.Spec.Username = ""
+	csr.Spec.UID = ""
+	csr.Spec.Groups = nil
+	csr.Spec.Extra = nil
+	// Inject user.Info from request context
+	if user, ok := genericapirequest.UserFrom(ctx); ok {
+		csr.Spec.Username = user.GetName()
+		csr.Spec.UID = user.GetUID()
+		csr.Spec.Groups = user.GetGroups()
+		if extra := user.GetExtra(); len(extra) > 0 {
+			csr.Spec.Extra = map[string]certificates.ExtraValue{}
+			for k, v := range extra {
+				csr.Spec.Extra[k] = certificates.ExtraValue(v)
+			}
+		}
+	}
+
+	// Be explicit that users cannot create pre-approved certificate requests.
+	csr.Status = certificates.CertificateSigningRequestStatus{}
+	csr.Status.Conditions = []certificates.CertificateSigningRequestCondition{}
+}
+
+// PrepareForUpdate clears fields that are not allowed to be set by end users
+// on update. Certificate requests are immutable after creation except via subresources.
+func (csrStrategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime.Object) {
+	newCSR := obj.(*certificates.CertificateSigningRequest)
+	oldCSR := old.(*certificates.CertificateSigningRequest)
+
+	newCSR.Spec = oldCSR.Spec
+	newCSR.Status = oldCSR.Status
+}
+
+// Validate validates a new CSR. Validation must check for a correct signature.
+func (csrStrategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
+	csr := obj.(*certificates.CertificateSigningRequest)
+	return validation.ValidateCertificateSigningRequest(csr)
+}
+
+// Canonicalize normalizes the object after validation (which includes a signature check).
+func (csrStrategy) Canonicalize(obj runtime.Object) {}
+
+// ValidateUpdate is the default update validation for an end user.
+func (csrStrategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
+	oldCSR := old.(*certificates.CertificateSigningRequest)
+	newCSR := obj.(*certificates.CertificateSigningRequest)
+	return validation.ValidateCertificateSigningRequestUpdate(newCSR, oldCSR)
+}
+
+// If AllowUnconditionalUpdate() is true and the object specified by
+// the user does not have a resource version, then generic Update()
+// populates it with the latest version. Else, it checks that the
+// version specified by the user matches the version of latest etcd
+// object.
+func (csrStrategy) AllowUnconditionalUpdate() bool {
+	return true
+}
+
+func (s csrStrategy) Export(ctx genericapirequest.Context, obj runtime.Object, exact bool) error {
+	csr, ok := obj.(*certificates.CertificateSigningRequest)
+	if !ok {
+		// unexpected programmer error
+		return fmt.Errorf("unexpected object: %v", obj)
+	}
+	s.PrepareForCreate(ctx, obj)
+	if exact {
+		return nil
+	}
+	// CSRs allow direct subresource edits, we clear them without exact so the CSR value can be reused.
+	csr.Status = certificates.CertificateSigningRequestStatus{}
+	return nil
+}
+
+// Storage strategy for the Status subresource
+type csrStatusStrategy struct {
+	csrStrategy
+}
+
+var StatusStrategy = csrStatusStrategy{Strategy}
+
+func (csrStatusStrategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime.Object) {
+	newCSR := obj.(*certificates.CertificateSigningRequest)
+	oldCSR := old.(*certificates.CertificateSigningRequest)
+
+	// Updating the Status should only update the Status and not the spec
+	// or approval conditions. The intent is to separate the concerns of
+	// approval and certificate issuance.
+	newCSR.Spec = oldCSR.Spec
+	newCSR.Status.Conditions = oldCSR.Status.Conditions
+	for i := range newCSR.Status.Conditions {
+		if newCSR.Status.Conditions[i].LastUpdateTime.IsZero() {
+			newCSR.Status.Conditions[i].LastUpdateTime = metav1.Now()
+		}
+	}
+}
+
+func (csrStatusStrategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
+	return validation.ValidateCertificateSigningRequestUpdate(obj.(*certificates.CertificateSigningRequest), old.(*certificates.CertificateSigningRequest))
+}
+
+// Canonicalize normalizes the object after validation.
+func (csrStatusStrategy) Canonicalize(obj runtime.Object) {
+}
+
+// Storage strategy for the Approval subresource
+type csrApprovalStrategy struct {
+	csrStrategy
+}
+
+var ApprovalStrategy = csrApprovalStrategy{Strategy}
+
+// PrepareForUpdate prepares the new certificate signing request by limiting
+// the data that is updated to only the conditions. Also, if there is no
+// existing LastUpdateTime on a condition, the current date/time will be set.
+func (csrApprovalStrategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime.Object) {
+	newCSR := obj.(*certificates.CertificateSigningRequest)
+	oldCSR := old.(*certificates.CertificateSigningRequest)
+
+	// Updating the approval should only update the conditions.
+	newCSR.Spec = oldCSR.Spec
+	oldCSR.Status.Conditions = newCSR.Status.Conditions
+	for i := range newCSR.Status.Conditions {
+		// The Conditions are an array of values, some of which may be
+		// pre-existing and unaltered by this update, so a LastUpdateTime is
+		// added only if one isn't already set.
+		if newCSR.Status.Conditions[i].LastUpdateTime.IsZero() {
+			newCSR.Status.Conditions[i].LastUpdateTime = metav1.Now()
+		}
+	}
+	newCSR.Status = oldCSR.Status
+}
+
+func (csrApprovalStrategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
+	return validation.ValidateCertificateSigningRequestUpdate(obj.(*certificates.CertificateSigningRequest), old.(*certificates.CertificateSigningRequest))
+}

vendor/k8s.io/kubernetes/pkg/registry/certificates/certificates/strategy_test.go

@@ -0,0 +1,122 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/diff"
+	"k8s.io/apiserver/pkg/authentication/user"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	certapi "k8s.io/kubernetes/pkg/apis/certificates"
+)
+
+func TestStrategyCreate(t *testing.T) {
+	tests := map[string]struct {
+		ctx         genericapirequest.Context
+		obj         runtime.Object
+		expectedObj runtime.Object
+	}{
+		"no user in context, no user in obj": {
+			ctx: genericapirequest.NewContext(),
+			obj: &certapi.CertificateSigningRequest{},
+			expectedObj: &certapi.CertificateSigningRequest{
+				Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
+			},
+		},
+		"user in context, no user in obj": {
+			ctx: genericapirequest.WithUser(
+				genericapirequest.NewContext(),
+				&user.DefaultInfo{
+					Name:   "bob",
+					UID:    "123",
+					Groups: []string{"group1"},
+					Extra:  map[string][]string{"foo": {"bar"}},
+				},
+			),
+			obj: &certapi.CertificateSigningRequest{},
+			expectedObj: &certapi.CertificateSigningRequest{
+				Spec: certapi.CertificateSigningRequestSpec{
+					Username: "bob",
+					UID:      "123",
+					Groups:   []string{"group1"},
+					Extra:    map[string]certapi.ExtraValue{"foo": {"bar"}},
+				},
+				Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
+			},
+		},
+		"no user in context, user in obj": {
+			ctx: genericapirequest.NewContext(),
+			obj: &certapi.CertificateSigningRequest{
+				Spec: certapi.CertificateSigningRequestSpec{
+					Username: "bob",
+					UID:      "123",
+					Groups:   []string{"group1"},
+				},
+			},
+			expectedObj: &certapi.CertificateSigningRequest{
+				Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
+			},
+		},
+		"user in context, user in obj": {
+			ctx: genericapirequest.WithUser(
+				genericapirequest.NewContext(),
+				&user.DefaultInfo{
+					Name: "alice",
+					UID:  "234",
+				},
+			),
+			obj: &certapi.CertificateSigningRequest{
+				Spec: certapi.CertificateSigningRequestSpec{
+					Username: "bob",
+					UID:      "123",
+					Groups:   []string{"group1"},
+				},
+			},
+			expectedObj: &certapi.CertificateSigningRequest{
+				Spec: certapi.CertificateSigningRequestSpec{
+					Username: "alice",
+					UID:      "234",
+					Groups:   nil,
+				},
+				Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
+			},
+		},
+		"pre-approved status": {
+			ctx: genericapirequest.NewContext(),
+			obj: &certapi.CertificateSigningRequest{
+				Status: certapi.CertificateSigningRequestStatus{
+					Conditions: []certapi.CertificateSigningRequestCondition{
+						{Type: certapi.CertificateApproved},
+					},
+				},
+			},
+			expectedObj: &certapi.CertificateSigningRequest{
+				Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
+			}},
+	}
+
+	for k, tc := range tests {
+		obj := tc.obj
+		Strategy.PrepareForCreate(tc.ctx, obj)
+		if !reflect.DeepEqual(obj, tc.expectedObj) {
+			t.Errorf("%s: object diff: %s", k, diff.ObjectDiff(obj, tc.expectedObj))
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/registry/certificates/rest/BUILD

@@ -0,0 +1,35 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage_certificates.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/certificates/rest",
+    deps = [
+        "//pkg/api/legacyscheme:go_default_library",
+        "//pkg/apis/certificates:go_default_library",
+        "//pkg/registry/certificates/certificates/storage:go_default_library",
+        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server/storage:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/registry/certificates/rest/storage_certificates.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	certificatesapiv1beta1 "k8s.io/api/certificates/v1beta1"
+	"k8s.io/apiserver/pkg/registry/generic"
+	"k8s.io/apiserver/pkg/registry/rest"
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	serverstorage "k8s.io/apiserver/pkg/server/storage"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/apis/certificates"
+	certificatestore "k8s.io/kubernetes/pkg/registry/certificates/certificates/storage"
+)
+
+type RESTStorageProvider struct{}
+
+func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool) {
+	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(certificates.GroupName, legacyscheme.Registry, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs)
+	// If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
+	// TODO refactor the plumbing to provide the information in the APIGroupInfo
+
+	if apiResourceConfigSource.AnyResourcesForVersionEnabled(certificatesapiv1beta1.SchemeGroupVersion) {
+		apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1beta1.SchemeGroupVersion.Version] = p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter)
+		apiGroupInfo.GroupMeta.GroupVersion = certificatesapiv1beta1.SchemeGroupVersion
+	}
+
+	return apiGroupInfo, true
+}
+
+func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
+	version := certificatesapiv1beta1.SchemeGroupVersion
+
+	storage := map[string]rest.Storage{}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("certificatesigningrequests")) {
+		csrStorage, csrStatusStorage, csrApprovalStorage := certificatestore.NewREST(restOptionsGetter)
+		storage["certificatesigningrequests"] = csrStorage
+		storage["certificatesigningrequests/status"] = csrStatusStorage
+		storage["certificatesigningrequests/approval"] = csrApprovalStorage
+	}
+	return storage
+}
+
+func (p RESTStorageProvider) GroupName() string {
+	return certificates.GroupName
+}