diff --git a/cmd/kube-controller-manager/app/certificates.go b/cmd/kube-controller-manager/app/certificates.go index 062454b243b..42880fa4645 100644 --- a/cmd/kube-controller-manager/app/certificates.go +++ b/cmd/kube-controller-manager/app/certificates.go @@ -23,7 +23,7 @@ import ( "context" "fmt" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" "k8s.io/apiserver/pkg/server/dynamiccertificates" utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/client-go/kubernetes" @@ -272,7 +272,7 @@ func newKubeAPIServerSignerClusterTrustBundledPublisherController(ctx context.Co } func clusterTrustBundlesAvailable(client kubernetes.Interface) (bool, error) { - resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1alpha1.SchemeGroupVersion.String()) + resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1beta1.SchemeGroupVersion.String()) if resList != nil { // even in case of an error above there might be a partial list for APIs that diff --git a/pkg/controller/certificates/clustertrustbundlepublisher/metrics_test.go b/pkg/controller/certificates/clustertrustbundlepublisher/metrics_test.go index 3a75f44870e..239bc11dd54 100644 --- a/pkg/controller/certificates/clustertrustbundlepublisher/metrics_test.go +++ b/pkg/controller/certificates/clustertrustbundlepublisher/metrics_test.go @@ -23,7 +23,7 @@ import ( "testing" "time" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/component-base/metrics/legacyregistry" "k8s.io/component-base/metrics/testutil" 
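Review bot: In `clusterTrustBundlesAvailable`, discovery now probes only `certificates.k8s.io/v1beta1`, while the instance.go hunk of this diff adds `certificatesv1beta1.SchemeGroupVersion` to `betaAPIGroupVersionsDisabledByDefault`. A cluster that has the ClusterTrustBundle gate on but enables only v1alpha1 in runtime-config would, as far as this hunk shows, report the API as unavailable, and the trust-bundle publisher would presumably not start, leaving no published trust anchors. The kubelet.go hunk has the same dependency: it wires its informer to `V1beta1()` behind the feature gate alone, with no check that the version is served. Consider a fallback probe of v1alpha1, or at least a comment on the function such as `// requires certificates.k8s.io/v1beta1 to be enabled via --runtime-config; it is disabled by default`. The function body continues outside the hunk.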
@@ -50,7 +50,7 @@ clustertrustbundle_publisher_sync_total{code="200"} 1 }, { desc: "kube api error", - err: apierrors.NewNotFound(certificatesv1alpha1.Resource("clustertrustbundle"), "test.test:testSigner:something"), + err: apierrors.NewNotFound(certificatesv1beta1.Resource("clustertrustbundle"), "test.test:testSigner:something"), metrics: []string{ "clustertrustbundle_publisher_sync_total", }, diff --git a/pkg/controller/certificates/clustertrustbundlepublisher/publisher.go b/pkg/controller/certificates/clustertrustbundlepublisher/publisher.go index 82aa9d38501..2197f5bb801 100644 --- a/pkg/controller/certificates/clustertrustbundlepublisher/publisher.go +++ b/pkg/controller/certificates/clustertrustbundlepublisher/publisher.go @@ -23,7 +23,7 @@ import ( "strings" "time" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" @@ -31,9 +31,9 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/server/dynamiccertificates" - certinformers "k8s.io/client-go/informers/certificates/v1alpha1" + certinformers "k8s.io/client-go/informers/certificates/v1beta1" clientset "k8s.io/client-go/kubernetes" - certlisters "k8s.io/client-go/listers/certificates/v1alpha1" + certlisters "k8s.io/client-go/listers/certificates/v1beta1" "k8s.io/client-go/tools/cache" "k8s.io/client-go/util/workqueue" "k8s.io/klog/v2" 
@@ -174,11 +174,11 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context bundle, err := p.ctbLister.Get(bundleName) if apierrors.IsNotFound(err) { - _, err = p.client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, &certificatesv1alpha1.ClusterTrustBundle{ + _, err = p.client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: bundleName, }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: p.signerName, TrustBundle: caBundle, }, @@ -186,7 +186,7 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context } else if err == nil && bundle.Spec.TrustBundle != caBundle { bundle = bundle.DeepCopy() bundle.Spec.TrustBundle = caBundle - _, err = p.client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle, metav1.UpdateOptions{}) + _, err = p.client.CertificatesV1beta1().ClusterTrustBundles().Update(ctx, bundle, metav1.UpdateOptions{}) } if err != nil { @@ -205,7 +205,7 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context continue } - if err := p.client.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, bundleObject.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { + if err := p.client.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, bundleObject.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { klog.FromContext(ctx).Error(err, "failed to remove a cluster trust bundle", "bundleName", bundleObject.Name) deletionError = err } diff --git a/pkg/controller/certificates/clustertrustbundlepublisher/publisher_test.go b/pkg/controller/certificates/clustertrustbundlepublisher/publisher_test.go index 3114833c683..cd7f83858b3 100644 --- a/pkg/controller/certificates/clustertrustbundlepublisher/publisher_test.go 
+++ b/pkg/controller/certificates/clustertrustbundlepublisher/publisher_test.go @@ -22,7 +22,7 @@ import ( cryptorand "crypto/rand" "testing" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apiserver/pkg/server/dynamiccertificates" @@ -44,7 +44,7 @@ func TestCTBPublisherSync(t *testing.T) { createAction := expectAction[clienttesting.CreateAction](t, filteredActions[0], "create") - ctb, ok := createAction.GetObject().(*certificatesv1alpha1.ClusterTrustBundle) + ctb, ok := createAction.GetObject().(*certificatesv1beta1.ClusterTrustBundle) if !ok { t.Fatalf("expected ClusterTrustBundle create, got %v", createAction.GetObject()) } @@ -63,7 +63,7 @@ func TestCTBPublisherSync(t *testing.T) { updateAction := expectAction[clienttesting.UpdateAction](t, filteredActions[0], "update") - ctb, ok := updateAction.GetObject().(*certificatesv1alpha1.ClusterTrustBundle) + ctb, ok := updateAction.GetObject().(*certificatesv1beta1.ClusterTrustBundle) if !ok { t.Fatalf("expected ClusterTrustBundle update, got %v", updateAction.GetObject()) } @@ -109,19 +109,19 @@ func TestCTBPublisherSync(t *testing.T) { { name: "no CTBs for the current signer exist", existingCTBs: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "nosigner", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ TrustBundle: "somedatahere", }, }, - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "signer:one", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: "signer", TrustBundle: "signerdata", }, 
@@ -132,11 +132,11 @@ func TestCTBPublisherSync(t *testing.T) { { name: "CTB for the signer exists with different content", existingCTBs: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: testBundleName, }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: testSignerName, TrustBundle: "olddata", }, @@ -147,20 +147,20 @@ func TestCTBPublisherSync(t *testing.T) { { name: "multiple CTBs for the signer", existingCTBs: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: testBundleName, }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: testSignerName, TrustBundle: string(testCAProvider.CurrentCABundleContent()), }, }, - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "test.test/testSigner:name2", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: testSignerName, TrustBundle: string(testCAProvider.CurrentCABundleContent()), }, 
@@ -171,20 +171,20 @@ func TestCTBPublisherSync(t *testing.T) { { name: "multiple CTBs for the signer - the one with the proper name needs changing", existingCTBs: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: testBundleName, }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: testSignerName, TrustBundle: "olddata", }, }, - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "test.test/testSigner:name2", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: testSignerName, TrustBundle: string(testCAProvider.CurrentCABundleContent()), }, @@ -202,11 +202,11 @@ func TestCTBPublisherSync(t *testing.T) { { name: "another CTB with a different name exists for the signer", existingCTBs: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "test.test/testSigner:preexisting", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: testSignerName, TrustBundle: string(testCAProvider.CurrentCABundleContent()), }, 
@@ -224,28 +224,28 @@ func TestCTBPublisherSync(t *testing.T) { { name: "CTB at the correct state - noop", existingCTBs: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "nosigner", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ TrustBundle: "somedatahere", }, }, - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "signer:one", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: "signer", TrustBundle: "signerdata", }, }, - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: testBundleName, }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: testSignerName, TrustBundle: string(testCAProvider.CurrentCABundleContent()), }, @@ -297,9 +297,9 @@ func fakeKubeClientSetWithCTBList(t *testing.T, signerName string, ctbs ...runti return false, nil, nil } - retList := &certificatesv1alpha1.ClusterTrustBundleList{} + retList := &certificatesv1beta1.ClusterTrustBundleList{} for _, ctb := range ctbs { - ctbObj, ok := ctb.(*certificatesv1alpha1.ClusterTrustBundle) + ctbObj, ok := ctb.(*certificatesv1beta1.ClusterTrustBundle) if !ok { continue } diff --git a/pkg/controlplane/apiserver/aggregator.go b/pkg/controlplane/apiserver/aggregator.go index a9f4613fc8a..5edb9976dcb 100644 --- a/pkg/controlplane/apiserver/aggregator.go +++ b/pkg/controlplane/apiserver/aggregator.go 
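Review bot: In the `fakeKubeClientSetWithCTBList` hunk, any object that is not a `*certificatesv1beta1.ClusterTrustBundle` is skipped with a bare `continue`, so a fixture left at v1alpha1 after this migration would be dropped silently and the test could pass against an empty list. Since `t` is a parameter of the helper, report the mismatch before continuing: `t.Errorf("unexpected object type %T in CTB fixtures", ctb)`. `t.Errorf` is suggested rather than `t.Fatalf` because the surrounding code looks like a reactor callback that may not run on the test goroutine. The helper's body starts and ends outside the hunk.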
@@ -277,6 +277,7 @@ func DefaultGenericAPIServicePriorities() map[schema.GroupVersion]APIServicePrio {Group: "authentication.k8s.io", Version: "v1alpha1"}: {Group: 17700, Version: 1}, {Group: "authorization.k8s.io", Version: "v1"}: {Group: 17600, Version: 15}, {Group: "certificates.k8s.io", Version: "v1"}: {Group: 17300, Version: 15}, + {Group: "certificates.k8s.io", Version: "v1beta1"}: {Group: 17300, Version: 9}, {Group: "certificates.k8s.io", Version: "v1alpha1"}: {Group: 17300, Version: 1}, {Group: "rbac.authorization.k8s.io", Version: "v1"}: {Group: 17000, Version: 15}, {Group: "apiextensions.k8s.io", Version: "v1"}: {Group: 16700, Version: 15}, diff --git a/pkg/controlplane/instance.go b/pkg/controlplane/instance.go index 255157707e6..70953db9f0a 100644 --- a/pkg/controlplane/instance.go +++ b/pkg/controlplane/instance.go @@ -37,6 +37,7 @@ import ( batchapiv1 "k8s.io/api/batch/v1" certificatesapiv1 "k8s.io/api/certificates/v1" certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" coordinationapiv1 "k8s.io/api/coordination/v1" coordinationv1alpha2 "k8s.io/api/coordination/v1alpha2" apiv1 "k8s.io/api/core/v1" @@ -457,6 +458,7 @@ var ( betaAPIGroupVersionsDisabledByDefault = []schema.GroupVersion{ admissionregistrationv1beta1.SchemeGroupVersion, authenticationv1beta1.SchemeGroupVersion, + certificatesv1beta1.SchemeGroupVersion, storageapiv1beta1.SchemeGroupVersion, flowcontrolv1beta1.SchemeGroupVersion, flowcontrolv1beta2.SchemeGroupVersion, diff --git a/pkg/kubeapiserver/default_storage_factory_builder.go b/pkg/kubeapiserver/default_storage_factory_builder.go index e9d57598f8c..7ac6039db0c 100644 --- a/pkg/kubeapiserver/default_storage_factory_builder.go +++ b/pkg/kubeapiserver/default_storage_factory_builder.go 
@@ -86,7 +86,7 @@ func NewStorageFactoryConfigEffectiveVersion(effectiveVersion basecompatibility. networking.Resource("servicecidrs").WithVersion("v1beta1"), admissionregistration.Resource("mutatingadmissionpolicies").WithVersion("v1alpha1"), admissionregistration.Resource("mutatingadmissionpolicybindings").WithVersion("v1alpha1"), - certificates.Resource("clustertrustbundles").WithVersion("v1alpha1"), + certificates.Resource("clustertrustbundles").WithVersion("v1beta1"), storage.Resource("volumeattributesclasses").WithVersion("v1beta1"), storagemigration.Resource("storagemigrations").WithVersion("v1alpha1"), } diff --git a/pkg/kubelet/clustertrustbundle/clustertrustbundle_manager.go b/pkg/kubelet/clustertrustbundle/clustertrustbundle_manager.go index 2cf6b3f1c9e..a2051a51ec7 100644 --- a/pkg/kubelet/clustertrustbundle/clustertrustbundle_manager.go +++ b/pkg/kubelet/clustertrustbundle/clustertrustbundle_manager.go @@ -25,13 +25,13 @@ import ( "math/rand" "time" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" lrucache "k8s.io/apimachinery/pkg/util/cache" "k8s.io/apimachinery/pkg/util/sets" - certinformersv1alpha1 "k8s.io/client-go/informers/certificates/v1alpha1" - certlistersv1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1" + certinformersv1beta1 "k8s.io/client-go/informers/certificates/v1beta1" + certlistersv1beta1 "k8s.io/client-go/listers/certificates/v1beta1" "k8s.io/client-go/tools/cache" "k8s.io/klog/v2" ) @@ -50,7 +50,7 @@ type Manager interface { // ClusterTrustBundle objects. type InformerManager struct { ctbInformer cache.SharedIndexInformer - ctbLister certlistersv1alpha1.ClusterTrustBundleLister + ctbLister certlistersv1beta1.ClusterTrustBundleLister normalizationCache *lrucache.LRUExpireCache cacheTTL time.Duration 
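Review bot: The `clustertrustbundles` storage override moves from v1alpha1 to v1beta1 in the same change that first serves v1beta1, so objects would presumably be written to etcd in a version that an API server from the previous minor release cannot decode. If that reading is right, a rollback or a version-skewed HA upgrade could leave existing trust bundles unreadable; the usual sequence is to serve the new version for one release and switch the storage version in the next. The same diff also lists v1beta1 in `betaAPIGroupVersionsDisabledByDefault`, so it is worth confirming how encoding behaves when the chosen storage version is not enabled. Either keep `WithVersion("v1alpha1")` for this release or add a comment on the entry stating why the early switch is safe. The enclosing list is only partly visible in the hunk.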
@@ -59,7 +59,7 @@ type InformerManager struct { var _ Manager = (*InformerManager)(nil) // NewInformerManager returns an initialized InformerManager. -func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.ClusterTrustBundleInformer, cacheSize int, cacheTTL time.Duration) (*InformerManager, error) { +func NewInformerManager(ctx context.Context, bundles certinformersv1beta1.ClusterTrustBundleInformer, cacheSize int, cacheTTL time.Duration) (*InformerManager, error) { // We need to call Informer() before calling start on the shared informer // factory, or the informer won't be registered to be started. m := &InformerManager{ @@ -74,7 +74,7 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust // apply to them. _, err := m.ctbInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: func(obj any) { - ctb, ok := obj.(*certificatesv1alpha1.ClusterTrustBundle) + ctb, ok := obj.(*certificatesv1beta1.ClusterTrustBundle) if !ok { return } @@ -82,21 +82,21 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust m.dropCacheFor(ctb) }, UpdateFunc: func(old, new any) { - ctb, ok := new.(*certificatesv1alpha1.ClusterTrustBundle) + ctb, ok := new.(*certificatesv1beta1.ClusterTrustBundle) if !ok { return } logger.Info("Dropping cache for ClusterTrustBundle", "signerName", ctb.Spec.SignerName) - m.dropCacheFor(new.(*certificatesv1alpha1.ClusterTrustBundle)) + m.dropCacheFor(new.(*certificatesv1beta1.ClusterTrustBundle)) }, DeleteFunc: func(obj any) { - ctb, ok := obj.(*certificatesv1alpha1.ClusterTrustBundle) + ctb, ok := obj.(*certificatesv1beta1.ClusterTrustBundle) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { return } - ctb, ok = tombstone.Obj.(*certificatesv1alpha1.ClusterTrustBundle) + ctb, ok = tombstone.Obj.(*certificatesv1beta1.ClusterTrustBundle) if !ok { return } 
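Review bot: In `UpdateFunc`, `new` is type-asserted twice: once into `ctb` with the `ok` check, and again without a check in `m.dropCacheFor(new.(*certificatesv1beta1.ClusterTrustBundle))`. Pass the value that was already checked, `m.dropCacheFor(ctb)`, which is what `AddFunc` does a few lines above. The parameter name `new` also shadows the builtin; `newObj` would read better. NewInformerManager's body continues outside these hunks.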
@@ -112,7 +112,7 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust return m, nil } -func (m *InformerManager) dropCacheFor(ctb *certificatesv1alpha1.ClusterTrustBundle) { +func (m *InformerManager) dropCacheFor(ctb *certificatesv1beta1.ClusterTrustBundle) { if ctb.Spec.SignerName != "" { m.normalizationCache.RemoveAll(func(key any) bool { return key.(cacheKeyType).signerName == ctb.Spec.SignerName @@ -145,7 +145,7 @@ func (m *InformerManager) GetTrustAnchorsByName(name string, allowMissing bool) return nil, fmt.Errorf("while getting ClusterTrustBundle: %w", err) } - pemTrustAnchors, err := m.normalizeTrustAnchors([]*certificatesv1alpha1.ClusterTrustBundle{ctb}) + pemTrustAnchors, err := m.normalizeTrustAnchors([]*certificatesv1beta1.ClusterTrustBundle{ctb}) if err != nil { return nil, fmt.Errorf("while normalizing trust anchors: %w", err) } @@ -184,7 +184,7 @@ func (m *InformerManager) GetTrustAnchorsBySigner(signerName string, labelSelect return nil, fmt.Errorf("while listing ClusterTrustBundles matching label selector %v: %w", labelSelector, err) } - ctbList := []*certificatesv1alpha1.ClusterTrustBundle{} + ctbList := []*certificatesv1beta1.ClusterTrustBundle{} for _, ctb := range rawCTBList { if ctb.Spec.SignerName == signerName { ctbList = append(ctbList, ctb) @@ -208,7 +208,7 @@ func (m *InformerManager) GetTrustAnchorsBySigner(signerName string, labelSelect return pemTrustAnchors, nil } -func (m *InformerManager) normalizeTrustAnchors(ctbList []*certificatesv1alpha1.ClusterTrustBundle) ([]byte, error) { +func (m *InformerManager) normalizeTrustAnchors(ctbList []*certificatesv1beta1.ClusterTrustBundle) ([]byte, error) { // Deduplicate trust anchors from all ClusterTrustBundles. trustAnchorSet := sets.Set[string]{} for _, ctb := range ctbList { diff --git a/pkg/kubelet/clustertrustbundle/clustertrustbundle_manager_test.go b/pkg/kubelet/clustertrustbundle/clustertrustbundle_manager_test.go index 7fe6a0914bc..636a0fa40f2 100644 
--- a/pkg/kubelet/clustertrustbundle/clustertrustbundle_manager_test.go +++ b/pkg/kubelet/clustertrustbundle/clustertrustbundle_manager_test.go @@ -32,7 +32,7 @@ import ( "time" "github.com/google/go-cmp/cmp" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes/fake" @@ -46,7 +46,7 @@ func TestBeforeSynced(t *testing.T) { informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0) - ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles() + ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles() ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute) _, err := ctbManager.GetTrustAnchorsByName("foo", false) @@ -60,20 +60,20 @@ func TestGetTrustAnchorsByName(t *testing.T) { tCtx := ktesting.Init(t) defer cancel() - ctb1 := &certificatesv1alpha1.ClusterTrustBundle{ + ctb1 := &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "ctb1", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ TrustBundle: mustMakeRoot(t, "root1"), }, } - ctb2 := &certificatesv1alpha1.ClusterTrustBundle{ + ctb2 := &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "ctb2", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ TrustBundle: mustMakeRoot(t, "root2"), }, } @@ -82,7 +82,7 @@ func TestGetTrustAnchorsByName(t *testing.T) { informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0) - ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles() + ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles() ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute) informerFactory.Start(ctx.Done()) 
@@ -124,20 +124,20 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) { ctx, cancel := context.WithTimeout(tCtx, 20*time.Second) defer cancel() - ctb1 := &certificatesv1alpha1.ClusterTrustBundle{ + ctb1 := &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "foo", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ TrustBundle: mustMakeRoot(t, "root1"), }, } - ctb2 := &certificatesv1alpha1.ClusterTrustBundle{ + ctb2 := &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "foo", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ TrustBundle: mustMakeRoot(t, "root2"), }, } @@ -146,7 +146,7 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) { informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0) - ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles() + ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles() ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute) informerFactory.Start(ctx.Done()) @@ -180,10 +180,10 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) { } }) - if err := kc.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil { + if err := kc.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil { t.Fatalf("Error while deleting the old CTB: %v", err) } - if _, err := kc.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil { + if _, err := kc.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil { t.Fatalf("Error while adding new CTB: %v", err) } 
@@ -221,7 +221,7 @@ func TestGetTrustAnchorsBySignerName(t *testing.T) { informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0) - ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles() + ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles() ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute) informerFactory.Start(ctx.Done()) @@ -335,7 +335,7 @@ func TestGetTrustAnchorsBySignerNameCaching(t *testing.T) { informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0) - ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles() + ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles() ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute) informerFactory.Start(ctx.Done()) @@ -369,10 +369,10 @@ func TestGetTrustAnchorsBySignerNameCaching(t *testing.T) { } }) - if err := kc.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil { + if err := kc.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil { t.Fatalf("Error while deleting the old CTB: %v", err) } - if _, err := kc.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil { + if _, err := kc.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil { t.Fatalf("Error while adding new CTB: %v", err) } 
@@ -422,13 +422,13 @@ func mustMakeRoot(t *testing.T, cn string) string { })) } -func mustMakeCTB(name, signerName string, labels map[string]string, bundle string) *certificatesv1alpha1.ClusterTrustBundle { - return &certificatesv1alpha1.ClusterTrustBundle{ +func mustMakeCTB(name, signerName string, labels map[string]string, bundle string) *certificatesv1beta1.ClusterTrustBundle { + return &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: name, Labels: labels, }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: signerName, TrustBundle: bundle, }, diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go index 9c98a659b65..4d9514a6b08 100644 --- a/pkg/kubelet/kubelet.go +++ b/pkg/kubelet/kubelet.go @@ -881,7 +881,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration, var clusterTrustBundleManager clustertrustbundle.Manager if kubeDeps.KubeClient != nil && utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundleProjection) { kubeInformers := informers.NewSharedInformerFactoryWithOptions(kubeDeps.KubeClient, 0) - clusterTrustBundleManager, err = clustertrustbundle.NewInformerManager(ctx, kubeInformers.Certificates().V1alpha1().ClusterTrustBundles(), 2*int(kubeCfg.MaxPods), 5*time.Minute) + clusterTrustBundleManager, err = clustertrustbundle.NewInformerManager(ctx, kubeInformers.Certificates().V1beta1().ClusterTrustBundles(), 2*int(kubeCfg.MaxPods), 5*time.Minute) if err != nil { return nil, fmt.Errorf("while starting informer-based ClusterTrustBundle manager: %w", err) } diff --git a/pkg/printers/internalversion/printers.go b/pkg/printers/internalversion/printers.go index 196bc40ec08..868ab8170da 100644 --- a/pkg/printers/internalversion/printers.go +++ b/pkg/printers/internalversion/printers.go 
@@ -30,8 +30,7 @@ import ( autoscalingv1 "k8s.io/api/autoscaling/v1" autoscalingv2beta1 "k8s.io/api/autoscaling/v2beta1" batchv1 "k8s.io/api/batch/v1" - batchv1beta1 "k8s.io/api/batch/v1beta1" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + batchv1beta1 "k8s.io/api/batch/v1beta1" // should this change, too? there are still certv1beta1.CSR printers, but not their v1 versions certificatesv1beta1 "k8s.io/api/certificates/v1beta1" coordinationv1 "k8s.io/api/coordination/v1" coordinationv1alpha2 "k8s.io/api/coordination/v1alpha2" @@ -420,7 +419,7 @@ func AddHandlers(h printers.PrintHandler) { clusterTrustBundleColumnDefinitions := []metav1.TableColumnDefinition{ {Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]}, - {Name: "SignerName", Type: "string", Description: certificatesv1alpha1.ClusterTrustBundleSpec{}.SwaggerDoc()["signerName"]}, + {Name: "SignerName", Type: "string", Description: certificatesv1beta1.ClusterTrustBundleSpec{}.SwaggerDoc()["signerName"]}, } h.TableHandler(clusterTrustBundleColumnDefinitions, printClusterTrustBundle) h.TableHandler(clusterTrustBundleColumnDefinitions, printClusterTrustBundleList) diff --git a/pkg/registry/certificates/rest/storage_certificates.go b/pkg/registry/certificates/rest/storage_certificates.go index 2eaef4bb202..3f7f92b8414 100644 --- a/pkg/registry/certificates/rest/storage_certificates.go +++ b/pkg/registry/certificates/rest/storage_certificates.go @@ -19,6 +19,7 @@ package rest import ( certificatesapiv1 "k8s.io/api/certificates/v1" certificatesapiv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesapiv1beta1 "k8s.io/api/certificates/v1beta1" "k8s.io/apiserver/pkg/registry/generic" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" 
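Review bot: The new import line `batchv1beta1 "k8s.io/api/batch/v1beta1" // should this change, too? ...` carries an open review question into the source. The question appears to concern the certificates v1beta1 CSR printers, yet it is attached to the batch import, so a later reader cannot tell what "this" refers to. Resolve it before merge and drop the trailing comment, or move it to a tracked issue and place a short reference next to the CSR printer registrations it is about.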
@@ -45,6 +46,12 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1.SchemeGroupVersion.Version] = storageMap } + if storageMap, err := p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter); err != nil { + return genericapiserver.APIGroupInfo{}, err + } else if len(storageMap) > 0 { + apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1beta1.SchemeGroupVersion.Version] = storageMap + } + if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil { return genericapiserver.APIGroupInfo{}, err } else if len(storageMap) > 0 { @@ -70,6 +77,24 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API return storage, nil } +func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) { + storage := map[string]rest.Storage{} + + if resource := "clustertrustbundles"; apiResourceConfigSource.ResourceEnabled(certificatesapiv1beta1.SchemeGroupVersion.WithResource(resource)) { + if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) { + bundleStorage, err := clustertrustbundlestore.NewREST(restOptionsGetter) + if err != nil { + return nil, err + } + storage[resource] = bundleStorage + } else { + klog.Warning("ClusterTrustBundle storage is disabled because the ClusterTrustBundle feature gate is disabled") + } + } + + return storage, nil +} + func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) { storage := map[string]rest.Storage{} diff --git a/pkg/volume/projected/projected_test.go b/pkg/volume/projected/projected_test.go index f021748e323..0844d59a0ec 100644 --- a/pkg/volume/projected/projected_test.go 
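Review bot: `v1beta1Storage` has no doc comment, and its warning text does not name the API version, so when the resource is enabled in runtime-config but the `ClusterTrustBundle` gate is off the log does not tell an operator which version was left unserved (v1alpha1Storage presumably logs the same string; its body is outside the hunk). Add a comment such as `// v1beta1Storage returns the certificates.k8s.io/v1beta1 storage map; clustertrustbundles is served only when both the resource and the ClusterTrustBundle feature gate are enabled.` and name the version in the message, e.g. `klog.Warning("ClusterTrustBundle v1beta1 storage is disabled because the ClusterTrustBundle feature gate is disabled")`.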
+++ b/pkg/volume/projected/projected_test.go @@ -32,7 +32,7 @@ import ( "github.com/google/go-cmp/cmp" authenticationv1 "k8s.io/api/authentication/v1" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -912,11 +912,11 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) { DefaultMode: utilptr.Int32(0644), }, bundles: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "foo", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ TrustBundle: string(goodCert1), }, }, @@ -947,14 +947,14 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) { DefaultMode: utilptr.Int32(0644), }, bundles: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "foo:example:bar", Labels: map[string]string{ "key": "value", }, }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: "foo.example/bar", TrustBundle: string(goodCert1), }, @@ -981,11 +981,11 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) { DefaultMode: utilptr.Int32(0600), }, bundles: []runtime.Object{ - &certificatesv1alpha1.ClusterTrustBundle{ + &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "foo", }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ TrustBundle: string(goodCert1), }, }, diff --git a/pkg/volume/testing/volume_host.go b/pkg/volume/testing/volume_host.go index 30cbb0fab7d..b58ff3c75c4 100644 --- a/pkg/volume/testing/volume_host.go +++ b/pkg/volume/testing/volume_host.go 
@@ -427,7 +427,7 @@ func (f *fakeKubeletVolumeHost) GetHostUtil() hostutil.HostUtils { } func (f *fakeKubeletVolumeHost) GetTrustAnchorsByName(name string, allowMissing bool) ([]byte, error) { - ctb, err := f.kubeClient.CertificatesV1alpha1().ClusterTrustBundles().Get(context.Background(), name, metav1.GetOptions{}) + ctb, err := f.kubeClient.CertificatesV1beta1().ClusterTrustBundles().Get(context.Background(), name, metav1.GetOptions{}) if err != nil { return nil, fmt.Errorf("while getting ClusterTrustBundle %s: %w", name, err) } @@ -437,7 +437,7 @@ func (f *fakeKubeletVolumeHost) GetTrustAnchorsByName(name string, allowMissing // Note: we do none of the deduplication and sorting that the real deal should do. func (f *fakeKubeletVolumeHost) GetTrustAnchorsBySigner(signerName string, labelSelector *metav1.LabelSelector, allowMissing bool) ([]byte, error) { - ctbList, err := f.kubeClient.CertificatesV1alpha1().ClusterTrustBundles().List(context.Background(), metav1.ListOptions{}) + ctbList, err := f.kubeClient.CertificatesV1beta1().ClusterTrustBundles().List(context.Background(), metav1.ListOptions{}) if err != nil { return nil, fmt.Errorf("while listing all ClusterTrustBundles: %w", err) } diff --git a/staging/src/k8s.io/api/certificates/v1beta1/types.go b/staging/src/k8s.io/api/certificates/v1beta1/types.go index 7fd19ef3a7c..1ce104807dd 100644 --- a/staging/src/k8s.io/api/certificates/v1beta1/types.go +++ b/staging/src/k8s.io/api/certificates/v1beta1/types.go @@ -265,7 +265,7 @@ const ( // +genclient // +genclient:nonNamespaced -// +k8s:prerelease-lifecycle-gen:introduced=1.32 +// +k8s:prerelease-lifecycle-gen:introduced=1.33 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors 
@@ -332,7 +332,7 @@ type ClusterTrustBundleSpec struct { TrustBundle string `json:"trustBundle" protobuf:"bytes,2,opt,name=trustBundle"` } -// +k8s:prerelease-lifecycle-gen:introduced=1.32 +// +k8s:prerelease-lifecycle-gen:introduced=1.33 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // ClusterTrustBundleList is a collection of ClusterTrustBundle objects diff --git a/test/e2e/auth/projected_clustertrustbundle.go b/test/e2e/auth/projected_clustertrustbundle.go index 6b07a198410..8b684cf1d85 100644 --- a/test/e2e/auth/projected_clustertrustbundle.go +++ b/test/e2e/auth/projected_clustertrustbundle.go @@ -32,7 +32,7 @@ import ( "strings" "time" - certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" @@ -266,7 +266,7 @@ var _ = SIGDescribe(framework.WithFeatureGate(features.ClusterTrustBundle), fram ginkgo.It("should be able to mount a big number (>100) of CTBs", func(ctx context.Context) { const numCTBs = 150 - var initCTBs []*certificatesv1alpha1.ClusterTrustBundle + var initCTBs []*certificatesv1beta1.ClusterTrustBundle var cleanups []func(ctx context.Context) var projections []v1.VolumeProjection @@ -443,7 +443,7 @@ func podForCTBProjection(projectionSources ...v1.VolumeProjection) *v1.Pod { // "signer.alive=false": , // "no-signer": , // } -func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets.Set[string]) { +func initCTBData() ([]*certificatesv1beta1.ClusterTrustBundle, map[string]sets.Set[string]) { var pemSets = map[string]sets.Set[string]{ testSignerOneName: sets.New[string](), testSignerTwoName: sets.New[string](), 
@@ -452,7 +452,7 @@ func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets. noSignerKey: sets.New[string](), } - var ctbs []*certificatesv1alpha1.ClusterTrustBundle + var ctbs []*certificatesv1beta1.ClusterTrustBundle for i := range 10 { caPEM := mustMakeCAPEM(fmt.Sprintf("root%d", i)) @@ -487,20 +487,20 @@ func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets. return ctbs, pemSets } -func ctbForCA(ctbName, signerName, caPEM string, labels map[string]string) *certificatesv1alpha1.ClusterTrustBundle { - return &certificatesv1alpha1.ClusterTrustBundle{ +func ctbForCA(ctbName, signerName, caPEM string, labels map[string]string) *certificatesv1beta1.ClusterTrustBundle { + return &certificatesv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: ctbName, Labels: labels, }, - Spec: certificatesv1alpha1.ClusterTrustBundleSpec{ + Spec: certificatesv1beta1.ClusterTrustBundleSpec{ SignerName: signerName, TrustBundle: caPEM, }, } } -func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certificatesv1alpha1.ClusterTrustBundle) func(context.Context) { +func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certificatesv1beta1.ClusterTrustBundle) func(context.Context) { cleanups := []func(context.Context){} for _, ctb := range ctbs { ctb := ctb 
@@ -514,15 +514,15 @@ func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certifica } } -func mustCreateCTB(ctx context.Context, f *framework.Framework, ctb *certificatesv1alpha1.ClusterTrustBundle) func(context.Context) { +func mustCreateCTB(ctx context.Context, f *framework.Framework, ctb *certificatesv1beta1.ClusterTrustBundle) func(context.Context) { mutateCTBForTesting(ctb, f.UniqueName) - if _, err := f.ClientSet.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb, metav1.CreateOptions{}); err != nil { + if _, err := f.ClientSet.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb, metav1.CreateOptions{}); err != nil { framework.Failf("Error while creating ClusterTrustBundle: %v", err) } return func(ctx context.Context) { - if err := f.ClientSet.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb.Name, metav1.DeleteOptions{}); err != nil { + if err := f.ClientSet.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb.Name, metav1.DeleteOptions{}); err != nil { framework.Logf("failed to remove a cluster trust bundle: %v", err) } } @@ -584,7 +584,7 @@ func getFileModeRegex(filePath string, mask *int32) string { return fmt.Sprintf("(%s|%s)", linuxOutput, windowsOutput) } -func ctbsToPEMs(ctbs []*certificatesv1alpha1.ClusterTrustBundle) []string { +func ctbsToPEMs(ctbs []*certificatesv1beta1.ClusterTrustBundle) []string { var certPEMs []string for _, ctb := range ctbs { certPEMs = append(certPEMs, ctb.Spec.TrustBundle) @@ -594,7 +594,7 @@ func ctbsToPEMs(ctbs []*certificatesv1alpha1.ClusterTrustBundle) []string { // mutateCTBForTesting mutates the .spec.signerName and .name so that the created cluster // objects are unique and the tests can run in parallel -func mutateCTBForTesting(ctb *certificatesv1alpha1.ClusterTrustBundle, uniqueName string) { +func mutateCTBForTesting(ctb *certificatesv1beta1.ClusterTrustBundle, uniqueName string) { signer := ctb.Spec.SignerName if len(signer) == 0 { ctb.Name += uniqueName 
diff --git a/test/integration/clustertrustbundles/admission_establishtrust_test.go b/test/integration/clustertrustbundles/admission_establishtrust_test.go index da720b815cc..62659427bbc 100644 --- a/test/integration/clustertrustbundles/admission_establishtrust_test.go +++ b/test/integration/clustertrustbundles/admission_establishtrust_test.go @@ -24,7 +24,7 @@ import ( "math/big" "testing" - certsv1alpha1 "k8s.io/api/certificates/v1alpha1" + certsv1beta1 "k8s.io/api/certificates/v1beta1" rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -38,10 +38,6 @@ import ( // Verifies that the ClusterTrustBundle attest admission plugin correctly // enforces that a user has "attest" on the affected signer name. func TestCTBAttestPlugin(t *testing.T) { - // KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests - // TODO: Remove this line once certificates v1alpha1 types to be removed in 1.32 are fully removed - t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true") - testCases := []struct { description string trustBundleName string @@ -78,7 +74,7 @@ func TestCTBAttestPlugin(t *testing.T) { t.Run(tc.description, func(t *testing.T) { ctx := context.Background() - server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--authorization-mode=RBAC", "--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd()) + server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--authorization-mode=RBAC", "--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd()) defer server.TearDownFn() client := kubernetes.NewForConfigOrDie(server.ClientConfig) 
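Review bot: The test server in `TestCTBAttestPlugin` is now started with only `certsv1beta1.SchemeGroupVersion` in `--runtime-config`, so the "attest" authorization check is no longer exercised through v1alpha1, which the etcd fixture in this same commit still lists (`RemovedVersion: "1.37"`). The check probably runs in admission independently of the served version, but nothing visible here establishes that. Either keep a v1alpha1 case in the table while that version can still be served, or record the assumption above the server start, e.g. `// only v1beta1 is exercised here; the attest check is assumed to be version-independent`. The same applies to the `StartTestServerOrDie` calls in `TestCTBSignerNameFieldSelector` and `TestCTBSignerNameChangeForbidden`; the test function continues outside this hunk.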
@@ -92,11 +88,11 @@ func TestCTBAttestPlugin(t *testing.T) { testUserConfig.Impersonate = rest.ImpersonationConfig{UserName: "test-user"} testUserClient := kubernetes.NewForConfigOrDie(testUserConfig) - bundle := &certsv1alpha1.ClusterTrustBundle{ + bundle := &certsv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: tc.trustBundleName, }, - Spec: certsv1alpha1.ClusterTrustBundleSpec{ + Spec: certsv1beta1.ClusterTrustBundleSpec{ SignerName: tc.targetSignerName, TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{ SerialNumber: big.NewInt(0), @@ -108,7 +104,7 @@ func TestCTBAttestPlugin(t *testing.T) { })), }, } - _, err := testUserClient.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle, metav1.CreateOptions{}) + _, err := testUserClient.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle, metav1.CreateOptions{}) if err != nil && err.Error() != tc.wantError { t.Fatalf("Bad error while creating ClusterTrustBundle; got %q want %q", err.Error(), tc.wantError) } else if err == nil && tc.wantError != "" { diff --git a/test/integration/clustertrustbundles/field_selector_test.go b/test/integration/clustertrustbundles/field_selector_test.go index a1257c83674..0ea6d5c4650 100644 --- a/test/integration/clustertrustbundles/field_selector_test.go +++ b/test/integration/clustertrustbundles/field_selector_test.go @@ -24,7 +24,7 @@ import ( "math/big" "testing" - certsv1alpha1 "k8s.io/api/certificates/v1alpha1" + certsv1beta1 "k8s.io/api/certificates/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" 
@@ -38,16 +38,16 @@ func TestCTBSignerNameFieldSelector(t *testing.T) { ctx := context.Background() - server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd()) + server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd()) defer server.TearDownFn() client := kubernetes.NewForConfigOrDie(server.ClientConfig) - bundle1 := &certsv1alpha1.ClusterTrustBundle{ + bundle1 := &certsv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "foo.com:bar:v1", }, - Spec: certsv1alpha1.ClusterTrustBundleSpec{ + Spec: certsv1beta1.ClusterTrustBundleSpec{ SignerName: "foo.com/bar", TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{ SerialNumber: big.NewInt(0), @@ -59,15 +59,15 @@ func TestCTBSignerNameFieldSelector(t *testing.T) { })), }, } - if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}); err != nil { + if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}); err != nil { t.Fatalf("Error while creating bundle1: %v", err) } - bundle2 := &certsv1alpha1.ClusterTrustBundle{ + bundle2 := &certsv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "foo.com:bar:v2", }, - Spec: certsv1alpha1.ClusterTrustBundleSpec{ + Spec: certsv1beta1.ClusterTrustBundleSpec{ SignerName: "foo.com/bar", TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{ SerialNumber: big.NewInt(0), 
@@ -79,15 +79,15 @@ func TestCTBSignerNameFieldSelector(t *testing.T) { })), }, } - if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle2, metav1.CreateOptions{}); err != nil { + if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle2, metav1.CreateOptions{}); err != nil { t.Fatalf("Error while creating bundle2: %v", err) } - bundle3 := &certsv1alpha1.ClusterTrustBundle{ + bundle3 := &certsv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: "baz.com:bar:v1", }, - Spec: certsv1alpha1.ClusterTrustBundleSpec{ + Spec: certsv1beta1.ClusterTrustBundleSpec{ SignerName: "baz.com/bar", TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{ SerialNumber: big.NewInt(0), @@ -99,11 +99,11 @@ func TestCTBSignerNameFieldSelector(t *testing.T) { })), }, } - if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle3, metav1.CreateOptions{}); err != nil { + if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle3, metav1.CreateOptions{}); err != nil { t.Fatalf("Error while creating bundle3: %v", err) } - fooList, err := client.CertificatesV1alpha1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=foo.com/bar"}) + fooList, err := client.CertificatesV1beta1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=foo.com/bar"}) if err != nil { t.Fatalf("Unable to list ClusterTrustBundles with spec.signerName=foo.com/bar") } 
@@ -127,7 +127,7 @@ func TestCTBSignerNameFieldSelector(t *testing.T) { t.Errorf("Didn't find foo.com:bar:v2 in the list when listing for foo.com/bar") } - bazList, err := client.CertificatesV1alpha1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=baz.com/bar"}) + bazList, err := client.CertificatesV1beta1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=baz.com/bar"}) if err != nil { t.Fatalf("Unable to list ClusterTrustBundles with spec.signerName=baz.com/bar") } diff --git a/test/integration/clustertrustbundles/signer_name_change_forbidden_test.go b/test/integration/clustertrustbundles/signer_name_change_forbidden_test.go index 8afa1cdbc1b..7722d164c3d 100644 --- a/test/integration/clustertrustbundles/signer_name_change_forbidden_test.go +++ b/test/integration/clustertrustbundles/signer_name_change_forbidden_test.go @@ -24,7 +24,7 @@ import ( "math/big" "testing" - certsv1alpha1 "k8s.io/api/certificates/v1alpha1" + certsv1beta1 "k8s.io/api/certificates/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" @@ -32,10 +32,6 @@ import ( ) func TestCTBSignerNameChangeForbidden(t *testing.T) { - // KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests - // TODO: Remove this line once certificates v1alpha1 types to be removed in 1.32 are fully removed - t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true") - testCases := []struct { objectName string signer1 string 
@@ -63,16 +59,16 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) { ctx := context.Background() - server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd()) + server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd()) defer server.TearDownFn() client := kubernetes.NewForConfigOrDie(server.ClientConfig) - bundle1 := &certsv1alpha1.ClusterTrustBundle{ + bundle1 := &certsv1beta1.ClusterTrustBundle{ ObjectMeta: metav1.ObjectMeta{ Name: tc.objectName, }, - Spec: certsv1alpha1.ClusterTrustBundleSpec{ + Spec: certsv1beta1.ClusterTrustBundleSpec{ SignerName: tc.signer1, TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{ SerialNumber: big.NewInt(0), @@ -84,7 +80,7 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) { })), }, } - bundle1, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}) + bundle1, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}) if err != nil { t.Fatalf("Error while creating bundle1: %v", err) } @@ -95,7 +91,7 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) { // cluster trust bundle. bundle1.Spec.SignerName = tc.signer2 - _, err = client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle1, metav1.UpdateOptions{}) + _, err = client.CertificatesV1beta1().ClusterTrustBundles().Update(ctx, bundle1, metav1.UpdateOptions{}) if err == nil { t.Fatalf("Got nil error from updating bundle foo-com--bar from signerName=foo.com/bar to signerName=foo.com/bar2, but wanted an error") } diff --git a/test/integration/etcd/data.go b/test/integration/etcd/data.go index 8b8031d0f55..5712c83dedb 100644 
--- a/test/integration/etcd/data.go +++ b/test/integration/etcd/data.go 
@@ -216,13 +216,23 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, removeAl // k8s.io/kubernetes/pkg/apis/certificates/v1alpha1 gvr("certificates.k8s.io", "v1alpha1", "clustertrustbundles"): { - Stub: `{"metadata": {"name": "example.com:signer:abc"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`, - ExpectedEtcdPath: "/registry/clustertrustbundles/example.com:signer:abc", + Stub: `{"metadata": {"name": "example.com:signer:abcd"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`, + ExpectedEtcdPath: "/registry/clustertrustbundles/example.com:signer:abcd", + ExpectedGVK: gvkP("certificates.k8s.io", "v1beta1", "ClusterTrustBundle"), IntroducedVersion: "1.26", RemovedVersion: "1.37", }, // -- + // k8s.io/kubernetes/pkg/apis/certificates/v1beta1 + gvr("certificates.k8s.io", "v1beta1", "clustertrustbundles"): { + Stub: `{"metadata": {"name": "example.com:signer:abc"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN 
CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`, + ExpectedEtcdPath: "/registry/clustertrustbundles/example.com:signer:abc", + IntroducedVersion: "1.33", + RemovedVersion: "1.39", + }, + // -- + // k8s.io/kubernetes/pkg/apis/coordination/v1 gvr("coordination.k8s.io", "v1", "leases"): { Stub: `{"metadata": {"name": "leasev1"}, "spec": {"holderIdentity": "holder", "leaseDurationSeconds": 5}}`,
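Review bot: The two clustertrustbundles stubs now differ only in the name suffix (`abcd` for v1alpha1, `abc` for v1beta1) and nothing in the fixture says why. Both entries write under `/registry/clustertrustbundles/`, so the names presumably must differ to keep the fixtures from colliding, and the new `ExpectedGVK` on the v1alpha1 entry records that it is persisted as v1beta1. A comment on the v1alpha1 entry such as `// persisted as v1beta1; the name must differ from the v1beta1 stub, which shares the etcd prefix` would keep a later cleanup from unifying the names. The enclosing map literal starts and ends outside the hunk.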