kubeadm: remove usage of the "certificates" API for cert renewal

The flag "--use-api" for "alpha certs renew" was deprecated in 1.18.
Remove the flag and related logic that executes certificate renewal
using "api/certificates/v1beta1". kubeadm continues to be able
to create CSR files and renew using the local CA on disk.

Author: neolit123

cmd/kubeadm/app/cmd/alpha/certs.go

@@ -121,7 +121,6 @@ type renewFlags struct {
 	cfgPath        string
 	kubeconfigPath string
 	cfg            kubeadmapiv1beta2.ClusterConfiguration
-	useAPI         bool
 	csrOnly        bool
 	csrPath        string
 }
@@ -208,12 +207,6 @@ func addRenewFlags(cmd *cobra.Command, flags *renewFlags) {
 	options.AddKubeConfigFlag(cmd.Flags(), &flags.kubeconfigPath)
 	options.AddCSRFlag(cmd.Flags(), &flags.csrOnly)
 	options.AddCSRDirFlag(cmd.Flags(), &flags.csrPath)
-	// TODO: remove the flag and related logic once legacy signers are removed,
-	// potentially with the release of certificates.k8s.io/v1:
-	//   https://github.com/kubernetes/kubeadm/issues/2047
-	cmd.Flags().BoolVar(&flags.useAPI, "use-api", flags.useAPI, "Use the Kubernetes certificate API to renew certificates")
-	cmd.Flags().MarkDeprecated("use-api", "certificate renewal from kubeadm using the Kubernetes API "+
-		"is deprecated and will be removed when 'certificates.k8s.io/v1' releases.")
 }
 
 func renewCert(flags *renewFlags, kdir string, internalcfg *kubeadmapi.InitConfiguration, handler *renewal.CertificateRenewHandler) error {
@@ -239,29 +232,15 @@ func renewCert(flags *renewFlags, kdir string, internalcfg *kubeadmapi.InitConfi
 
 	// otherwise, the renewal operation has to actually renew a certificate
 
-	// renew the certificate using the requested renew method
-	if flags.useAPI {
-		// renew using K8s certificate API
-		kubeConfigPath := cmdutil.GetKubeConfigPath(flags.kubeconfigPath)
-		client, err := kubeconfigutil.ClientSetFromFile(kubeConfigPath)
-		if err != nil {
-			return err
-		}
-
-		if err := rm.RenewUsingCSRAPI(handler.Name, client); err != nil {
-			return err
-		}
-	} else {
-		// renew using local certificate authorities.
-		// this operation can't complete in case the certificate key is not provided (external CA)
-		renewed, err := rm.RenewUsingLocalCA(handler.Name)
-		if err != nil {
-			return err
-		}
-		if !renewed {
-			fmt.Printf("Detected external %s, %s can't be renewed\n", handler.CABaseName, handler.LongName)
-			return nil
-		}
+	// renew using local certificate authorities.
+	// this operation can't complete in case the certificate key is not provided (external CA)
+	renewed, err := rm.RenewUsingLocalCA(handler.Name)
+	if err != nil {
+		return err
+	}
+	if !renewed {
+		fmt.Printf("Detected external %s, %s can't be renewed\n", handler.CABaseName, handler.LongName)
+		return nil
 	}
 	fmt.Printf("%s renewed\n", handler.LongName)
 	return nil

cmd/kubeadm/app/cmd/alpha/certs_test.go

@@ -39,7 +39,6 @@ func TestCommandsGenerated(t *testing.T) {
 	expectedFlags := []string{
 		"cert-dir",
 		"config",
-		"use-api",
 	}
 
 	expectedCommands := []string{

cmd/kubeadm/app/phases/certs/renewal/BUILD

@@ -3,7 +3,6 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 go_library(
     name = "go_default_library",
     srcs = [
-        "apirenewer.go",
         "expiration.go",
         "filerenewer.go",
         "manager.go",
@@ -16,14 +15,9 @@ go_library(
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/phases/certs:go_default_library",
         "//cmd/kubeadm/app/util/pkiutil:go_default_library",
-        "//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
-        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
-        "//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
         "//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library",
         "//staging/src/k8s.io/client-go/tools/clientcmd/api:go_default_library",
         "//staging/src/k8s.io/client-go/util/cert:go_default_library",
-        "//staging/src/k8s.io/client-go/util/certificate/csr:go_default_library",
         "//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
         "//vendor/github.com/pkg/errors:go_default_library",
     ],
@@ -32,7 +26,6 @@ go_library(
 go_test(
     name = "go_default_test",
     srcs = [
-        "apirenewer_test.go",
         "expiration_test.go",
         "filerenewer_test.go",
         "manager_test.go",
@@ -46,12 +39,6 @@ go_test(
         "//cmd/kubeadm/app/util/kubeconfig:go_default_library",
         "//cmd/kubeadm/app/util/pkiutil:go_default_library",
         "//cmd/kubeadm/test:go_default_library",
-        "//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
-        "//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake:go_default_library",
-        "//staging/src/k8s.io/client-go/testing:go_default_library",
         "//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library",
         "//staging/src/k8s.io/client-go/util/cert:go_default_library",
         "//staging/src/k8s.io/client-go/util/keyutil:go_default_library",