use the ClusterTrustBundles beta API

Author: stlaz

cmd/kube-controller-manager/app/certificates.go

@@ -23,7 +23,7 @@ import (
 	"context"
 	"fmt"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
@@ -272,7 +272,7 @@ func newKubeAPIServerSignerClusterTrustBundledPublisherController(ctx context.Co
 }
 
 func clusterTrustBundlesAvailable(client kubernetes.Interface) (bool, error) {
-	resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1alpha1.SchemeGroupVersion.String())
+	resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1beta1.SchemeGroupVersion.String())
 
 	if resList != nil {
 		// even in case of an error above there might be a partial list for APIs that

pkg/controller/certificates/clustertrustbundlepublisher/metrics_test.go

@@ -23,7 +23,7 @@ import (
 	"testing"
 	"time"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"
@@ -50,7 +50,7 @@ clustertrustbundle_publisher_sync_total{code="200"} 1
 		},
 		{
 			desc: "kube api error",
-			err:  apierrors.NewNotFound(certificatesv1alpha1.Resource("clustertrustbundle"), "test.test:testSigner:something"),
+			err:  apierrors.NewNotFound(certificatesv1beta1.Resource("clustertrustbundle"), "test.test:testSigner:something"),
 			metrics: []string{
 				"clustertrustbundle_publisher_sync_total",
 			},

pkg/controller/certificates/clustertrustbundlepublisher/publisher.go

@@ -23,17 +23,17 @@ import (
 	"strings"
 	"time"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
-	certinformers "k8s.io/client-go/informers/certificates/v1alpha1"
+	certinformers "k8s.io/client-go/informers/certificates/v1beta1"
 	clientset "k8s.io/client-go/kubernetes"
-	certlisters "k8s.io/client-go/listers/certificates/v1alpha1"
+	certlisters "k8s.io/client-go/listers/certificates/v1beta1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
@@ -174,19 +174,19 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context
 
 	bundle, err := p.ctbLister.Get(bundleName)
 	if apierrors.IsNotFound(err) {
-		_, err = p.client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, &certificatesv1alpha1.ClusterTrustBundle{
+		_, err = p.client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, &certificatesv1beta1.ClusterTrustBundle{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: bundleName,
 			},
-			Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+			Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 				SignerName:  p.signerName,
 				TrustBundle: caBundle,
 			},
 		}, metav1.CreateOptions{})
 	} else if err == nil && bundle.Spec.TrustBundle != caBundle {
 		bundle = bundle.DeepCopy()
 		bundle.Spec.TrustBundle = caBundle
-		_, err = p.client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle, metav1.UpdateOptions{})
+		_, err = p.client.CertificatesV1beta1().ClusterTrustBundles().Update(ctx, bundle, metav1.UpdateOptions{})
 	}
 
 	if err != nil {
@@ -205,7 +205,7 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context
 			continue
 		}
 
-		if err := p.client.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, bundleObject.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
+		if err := p.client.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, bundleObject.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
 			klog.FromContext(ctx).Error(err, "failed to remove a cluster trust bundle", "bundleName", bundleObject.Name)
 			deletionError = err
 		}

pkg/controller/certificates/clustertrustbundlepublisher/publisher_test.go

@@ -22,7 +22,7 @@ import (
 	cryptorand "crypto/rand"
 	"testing"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
@@ -44,7 +44,7 @@ func TestCTBPublisherSync(t *testing.T) {
 
 		createAction := expectAction[clienttesting.CreateAction](t, filteredActions[0], "create")
 
-		ctb, ok := createAction.GetObject().(*certificatesv1alpha1.ClusterTrustBundle)
+		ctb, ok := createAction.GetObject().(*certificatesv1beta1.ClusterTrustBundle)
 		if !ok {
 			t.Fatalf("expected ClusterTrustBundle create, got %v", createAction.GetObject())
 		}
@@ -63,7 +63,7 @@ func TestCTBPublisherSync(t *testing.T) {
 
 			updateAction := expectAction[clienttesting.UpdateAction](t, filteredActions[0], "update")
 
-			ctb, ok := updateAction.GetObject().(*certificatesv1alpha1.ClusterTrustBundle)
+			ctb, ok := updateAction.GetObject().(*certificatesv1beta1.ClusterTrustBundle)
 			if !ok {
 				t.Fatalf("expected ClusterTrustBundle update, got %v", updateAction.GetObject())
 			}
@@ -109,19 +109,19 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "no CTBs for the current signer exist",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "nosigner",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						TrustBundle: "somedatahere",
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "signer:one",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  "signer",
 						TrustBundle: "signerdata",
 					},
@@ -132,11 +132,11 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "CTB for the signer exists with different content",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testBundleName,
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: "olddata",
 					},
@@ -147,20 +147,20 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "multiple CTBs for the signer",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testBundleName,
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test.test/testSigner:name2",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
@@ -171,20 +171,20 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "multiple CTBs for the signer - the one with the proper name needs changing",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testBundleName,
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: "olddata",
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test.test/testSigner:name2",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
@@ -202,11 +202,11 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "another CTB with a different name exists for the signer",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test.test/testSigner:preexisting",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
@@ -224,28 +224,28 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "CTB at the correct state - noop",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "nosigner",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						TrustBundle: "somedatahere",
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "signer:one",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  "signer",
 						TrustBundle: "signerdata",
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testBundleName,
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
@@ -297,9 +297,9 @@ func fakeKubeClientSetWithCTBList(t *testing.T, signerName string, ctbs ...runti
 			return false, nil, nil
 		}
 
-		retList := &certificatesv1alpha1.ClusterTrustBundleList{}
+		retList := &certificatesv1beta1.ClusterTrustBundleList{}
 		for _, ctb := range ctbs {
-			ctbObj, ok := ctb.(*certificatesv1alpha1.ClusterTrustBundle)
+			ctbObj, ok := ctb.(*certificatesv1beta1.ClusterTrustBundle)
 			if !ok {
 				continue
 			}

pkg/controlplane/apiserver/aggregator.go

@@ -277,6 +277,7 @@ func DefaultGenericAPIServicePriorities() map[schema.GroupVersion]APIServicePrio
 		{Group: "authentication.k8s.io", Version: "v1alpha1"}:        {Group: 17700, Version: 1},
 		{Group: "authorization.k8s.io", Version: "v1"}:               {Group: 17600, Version: 15},
 		{Group: "certificates.k8s.io", Version: "v1"}:                {Group: 17300, Version: 15},
+		{Group: "certificates.k8s.io", Version: "v1beta1"}:           {Group: 17300, Version: 9},
 		{Group: "certificates.k8s.io", Version: "v1alpha1"}:          {Group: 17300, Version: 1},
 		{Group: "rbac.authorization.k8s.io", Version: "v1"}:          {Group: 17000, Version: 15},
 		{Group: "apiextensions.k8s.io", Version: "v1"}:               {Group: 16700, Version: 15},

pkg/controlplane/instance.go

@@ -37,6 +37,7 @@ import (
 	batchapiv1 "k8s.io/api/batch/v1"
 	certificatesapiv1 "k8s.io/api/certificates/v1"
 	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	coordinationapiv1 "k8s.io/api/coordination/v1"
 	coordinationv1alpha2 "k8s.io/api/coordination/v1alpha2"
 	apiv1 "k8s.io/api/core/v1"
@@ -457,6 +458,7 @@ var (
 	betaAPIGroupVersionsDisabledByDefault = []schema.GroupVersion{
 		admissionregistrationv1beta1.SchemeGroupVersion,
 		authenticationv1beta1.SchemeGroupVersion,
+		certificatesv1beta1.SchemeGroupVersion,
 		storageapiv1beta1.SchemeGroupVersion,
 		flowcontrolv1beta1.SchemeGroupVersion,
 		flowcontrolv1beta2.SchemeGroupVersion,

pkg/kubeapiserver/default_storage_factory_builder.go

@@ -86,7 +86,7 @@ func NewStorageFactoryConfigEffectiveVersion(effectiveVersion basecompatibility.
 		networking.Resource("servicecidrs").WithVersion("v1beta1"),
 		admissionregistration.Resource("mutatingadmissionpolicies").WithVersion("v1alpha1"),
 		admissionregistration.Resource("mutatingadmissionpolicybindings").WithVersion("v1alpha1"),
-		certificates.Resource("clustertrustbundles").WithVersion("v1alpha1"),
+		certificates.Resource("clustertrustbundles").WithVersion("v1beta1"),
 		storage.Resource("volumeattributesclasses").WithVersion("v1beta1"),
 		storagemigration.Resource("storagemigrations").WithVersion("v1alpha1"),
 	}