diff --git a/internal/controller/csr_controller_test.go b/internal/controller/csr_controller_test.go
index d3e6597..a26ce8f 100644
--- a/internal/controller/csr_controller_test.go
+++ b/internal/controller/csr_controller_test.go
@@ -235,6 +235,30 @@ func TestSANCheckedEvenWithDNSResolutionBypassed(t *testing.T) {
 assert.False(t, denied)
 }
 
+func TestX509CRIPAddressesWithDNSBypass(t *testing.T) { // reproduces issue #253
+ csrParams := CsrParams{
+ csrName: "dns-bypass-regex-check-with-x509-cr-san-ips",
+ nodeName: testNodeName,
+ dnsName: testNodeName + "-unresolved.test.ch",
+ ipAddresses: []net.IP{{192, 168, 3, 4}},
+ }
+ csr := createCsr(t, csrParams)
+ _, nodeClientSet, _ := createControlPlaneUser(t, csr.Spec.Username, []string{"system:masters"})
+
+ csrController.BypassDNSResolution = true
+ defer func() { csrController.BypassDNSResolution = false }()
+
+ _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(
+ testContext, &csr, metav1.CreateOptions{})
+ require.Nil(t, err, "Could not create the CSR.")
+
+ approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+ t.Log(reason)
+ require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
+ assert.True(t, approved)
+ assert.False(t, denied)
+}
+
 func TestBypassDNSResolution(t *testing.T) {
 csrParams := CsrParams{
 csrName: "dns-bypass",
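Review bot: TestX509CRIPAddressesWithDNSBypass pins only the permissive outcome (`assert.True(t, approved)`) for an IP SAN while `BypassDNSResolution` is on, so it would still pass if the bypass path stopped validating IP SANs altogether. Because the flag switches off the DNS-resolution check in an auto-approver, I would pair this with a denial case built from the same setup (an `ipAddresses` value the controller is expected to reject) and assert on `reason` instead of only logging it; whether such a case already exists elsewhere in the file is not visible from this hunk. As smaller points, `require.NoError(t, err, "Could not create the CSR.")` is the clearer assertion for an error value than `require.Nil`. `t.Cleanup(func() { csrController.BypassDNSResolution = false })` would tie the reset of the shared controller flag to the test lifecycle, with a short comment that the test must not run in parallel because it mutates `csrController`.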