open-cluster-management-io
diff --git a/‎go.mod‎
Lines changed: 2 additions & 3 deletions b/‎go.mod‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 6 deletions b/‎go.sum‎
Lines changed: 4 additions & 6 deletions
diff --git a/‎pkg/utils/csr_helper_test.go‎
Lines changed: 15 additions & 0 deletions b/‎pkg/utils/csr_helper_test.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎pkg/utils/csr_helpers.go‎
Lines changed: 14 additions & 4 deletions b/‎pkg/utils/csr_helpers.go‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎vendor/github.com/evanphx/json-patch/.gitignore‎
Lines changed: 0 additions & 6 deletions b/‎vendor/github.com/evanphx/json-patch/.gitignore‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎vendor/github.com/evanphx/json-patch/LICENSE‎
Lines changed: 0 additions & 25 deletions b/‎vendor/github.com/evanphx/json-patch/LICENSE‎
Lines changed: 0 additions & 25 deletions
@@ -8,7 +8,7 @@ require (
 	github.com/mochi-mqtt/server/v2 v2.6.5
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.36.1
-	github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
+	github.com/openshift/build-machinery-go v0.0.0-20250602125535-1b6d00b8c37c
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
 	github.com/stretchr/testify v1.10.0
@@ -22,7 +22,7 @@ require (
 	k8s.io/component-base v0.33.2
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
-	open-cluster-management.io/api v1.0.0
+	open-cluster-management.io/api v1.0.1-0.20250827024027-f3e5dab96ea1
 	open-cluster-management.io/sdk-go v1.0.1-0.20250811075710-18b20e146feb
 	sigs.k8s.io/controller-runtime v0.20.2
 )
@@ -52,7 +52,6 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/eclipse/paho.golang v0.21.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 
@@ -74,8 +74,6 @@ github.com/eclipse/paho.golang v0.21.0 h1:cxxEReu+iFbA5RrHfRGxJOh8tXZKDywuehneoe
 github.com/eclipse/paho.golang v0.21.0/go.mod h1:GHF6vy7SvDbDHBguaUpfuBkEB5G6j0zKxMG4gbh6QRQ=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
-github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
 github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
@@ -226,8 +224,8 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runc v1.1.3 h1:vIXrkId+0/J2Ymu2m7VjGvbSlAId9XNRPhn2p4b+d8w=
 github.com/opencontainers/runc v1.1.3/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
-github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
-github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
+github.com/openshift/build-machinery-go v0.0.0-20250602125535-1b6d00b8c37c h1:gJvhduWIrpzoUTwrJjjeul+hGETKkhRhEZosBg/X3Hg=
+github.com/openshift/build-machinery-go v0.0.0-20250602125535-1b6d00b8c37c/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -448,8 +446,8 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-open-cluster-management.io/api v1.0.0 h1:54QllH9DTudCk6VrGt0q8CDsE3MghqJeTaTN4RHZpE0=
-open-cluster-management.io/api v1.0.0/go.mod h1:/OeqXycNBZQoe3WG6ghuWsMgsKGuMZrK8ZpsU6gWL0Y=
+open-cluster-management.io/api v1.0.1-0.20250827024027-f3e5dab96ea1 h1:X5dL1aKnkLGHItMsEexGhLZsyZJHDlxGD4eRvsD181g=
+open-cluster-management.io/api v1.0.1-0.20250827024027-f3e5dab96ea1/go.mod h1:lEc5Wkc9ON5ym/qAtIqNgrE7NW7IEOCOC611iQMlnKM=
 open-cluster-management.io/sdk-go v1.0.1-0.20250811075710-18b20e146feb h1:voE6JR6Xi8wNTSkhADHP19FpGICUpqt1/lEREQt7TVU=
 open-cluster-management.io/sdk-go v1.0.1-0.20250811075710-18b20e146feb/go.mod h1:sHOVhUgA286ceEq3IjFWqxobt9Lu+VBCAUZByFgN0oM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 
@@ -16,6 +16,7 @@ import (
 	"open-cluster-management.io/addon-framework/pkg/agent"
 	addonapiv1alpha1 "open-cluster-management.io/api/addon/v1alpha1"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
+	operatorapiv1 "open-cluster-management.io/api/operator/v1"
 )
 
 func newCSR(commonName string, clusterName string, orgs ...string) *certificatesv1.CertificateSigningRequest {
@@ -118,6 +119,20 @@ func TestDefaultCSRApprover(t *testing.T) {
 			addon:    newAddon("addon1", "cluster1"),
 			approved: false,
 		},
+		{
+			name: "approve grpc csr",
+			csr: func() *certificatesv1.CertificateSigningRequest {
+				csr := newCSR(agent.DefaultUser("cluster1", "addon1", "test"), "cluster1", agent.DefaultGroups("cluster1", "addon1")...)
+				csr.Spec.Username = defaultGRPCServiceAccount
+				csr.Annotations = map[string]string{
+					operatorapiv1.CSRUsernameAnnotation: "system:open-cluster-management:cluster1",
+				}
+				return csr
+			}(),
+			cluster:  newCluster("cluster1"),
+			addon:    newAddon("addon1", "cluster1"),
+			approved: true,
+		},
 	}
 
 	approver := DefaultCSRApprover("test")
 
@@ -19,10 +19,13 @@ import (
 	"k8s.io/klog/v2"
 	addonapiv1alpha1 "open-cluster-management.io/api/addon/v1alpha1"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
+	operatorapiv1 "open-cluster-management.io/api/operator/v1"
 
 	"open-cluster-management.io/addon-framework/pkg/agent"
 )
 
+const defaultGRPCServiceAccount = "system:serviceaccount:open-cluster-management-hub:grpc-server-sa"
+
 var serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128)
 
 // DefaultSignerWithExpiry generates a signer func for addon agent to sign the csr using caKey and caData with expiry date.
@@ -170,13 +173,20 @@ func DefaultCSRApprover(agentName string) agent.CSRApproveFunc {
 		}
 
 		// check user name
-		if strings.HasPrefix(csr.Spec.Username, "system:open-cluster-management:"+cluster.Name) {
+		username := csr.Spec.Username
+		if csr.Spec.Username == defaultGRPCServiceAccount {
+			// the CSR username is the service account of gRPC server rather than the user of agent.
+			// use the CSRUsernameAnnotation that identifies the agent user who requested the CSR.
+			username = csr.Annotations[operatorapiv1.CSRUsernameAnnotation]
+		}
+
+		if strings.HasPrefix(username, "system:open-cluster-management:"+cluster.Name) {
 			klog.Info("CSR approved")
 			return true
-		} else {
-			klog.Info("CSR not approved due to illegal requester", "requester", csr.Spec.Username)
-			return false
 		}
+
+		klog.Info("CSR not approved due to illegal requester", "requester", csr.Spec.Username)
+		return false
 	}
 }