feat(package): kubelet-csr-approver (#57987)

rakshitgondwal · web-flow · commit 84c1ed01f19e · 2025-07-02T13:08:14.000+03:00
Signed-off-by: Rakshit Gondwal &lt;rakshit.gondwal@chainguard.dev&gt;
diff --git a/kubelet-csr-approver.yaml b/kubelet-csr-approver.yaml
@@ -0,0 +1,76 @@
+package:
+  name: kubelet-csr-approver
+  version: "1.2.10"
+  epoch: 0
+  description: Kubernetes controller to enable automatic kubelet CSR validation after a series of (configurable) security checks
+  copyright:
+    - license: MIT
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/postfinance/kubelet-csr-approver
+      tag: v${{package.version}}
+      expected-commit: fabca038b8165aebc7ee62d3019fa67b37b972a3
+
+  - name: make ko dir
+    runs: |
+      mkdir -p ${{targets.contextdir}}/var/run/ko
+
+  - uses: go/build
+    with:
+      packages: ./cmd/kubelet-csr-approver/
+      tags: debug
+      ldflags: |
+        -X github.com/postfinance/kubelet-csr-approver/internal/cmd.commit=$(git rev-parse HEAD)
+        -X github.com/postfinance/kubelet-csr-approver/internal/cmd.ref=$(git rev-parse --abbrev-ref HEAD)
+      output: kubelet-csr-approver
+
+subpackages:
+  - name: ${{package.name}}-compat
+    description: "Compatibility package to place binary in the location expected by kubelet-csr-approver"
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.contextdir}}/ko-app
+          ln -sf /usr/bin/kubelet-csr-approver ${{targets.contextdir}}/ko-app/kubelet-csr-approver
+    test:
+      pipeline:
+        - runs: |
+            test "$(readlink /ko-app/kubelet-csr-approver)" = "/usr/bin/kubelet-csr-approver"
+
+update:
+  enabled: true
+  github:
+    identifier: postfinance/kubelet-csr-approver
+    strip-prefix: v
+
+test:
+  environment:
+    contents:
+      packages:
+        - curl
+  pipeline:
+    - name: basic test
+      runs: |
+        kubelet-csr-approver --help
+    - uses: test/kwok/cluster
+    - name: Test operator
+      uses: test/daemon-check-output
+      with:
+        start: |
+          kubelet-csr-approver \
+          --provider-regex='^test-node-.*' \
+          --max-expiration-sec=86400 \
+          --bypass-dns-resolution \
+          --level=5
+        timeout: 30
+        expected_output: |
+          Kubelet-CSR-Approver controller starting.
+          starting server
+          Starting metrics server
+          Serving metrics server
+          Starting EventSource
+          Starting Controller
+          Starting workers
+        post: |
+          curl -sfSL http://localhost:8080/metrics
