use the ClusterTrustBundles beta API

cmd/kube-controller-manager/app/certificates.go

@@ -23,7 +23,7 @@ import (
 	"context"
 	"fmt"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
@@ -272,7 +272,7 @@ func newKubeAPIServerSignerClusterTrustBundledPublisherController(ctx context.Co
 }
 
 func clusterTrustBundlesAvailable(client kubernetes.Interface) (bool, error) {
-	resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1alpha1.SchemeGroupVersion.String())
+	resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1beta1.SchemeGroupVersion.String())
 
 	if resList != nil {
 		// even in case of an error above there might be a partial list for APIs that

pkg/controller/certificates/clustertrustbundlepublisher/metrics_test.go

@@ -23,7 +23,7 @@ import (
 	"testing"
 	"time"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"
@@ -50,7 +50,7 @@ clustertrustbundle_publisher_sync_total{code="200"} 1
 		},
 		{
 			desc: "kube api error",
-			err:  apierrors.NewNotFound(certificatesv1alpha1.Resource("clustertrustbundle"), "test.test:testSigner:something"),
+			err:  apierrors.NewNotFound(certificatesv1beta1.Resource("clustertrustbundle"), "test.test:testSigner:something"),
 			metrics: []string{
 				"clustertrustbundle_publisher_sync_total",
 			},

pkg/controller/certificates/clustertrustbundlepublisher/publisher.go

@@ -23,7 +23,7 @@ import (
 	"strings"
 	"time"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
@@ -31,9 +31,9 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
-	certinformers "k8s.io/client-go/informers/certificates/v1alpha1"
+	certinformers "k8s.io/client-go/informers/certificates/v1beta1"
 	clientset "k8s.io/client-go/kubernetes"
-	certlisters "k8s.io/client-go/listers/certificates/v1alpha1"
+	certlisters "k8s.io/client-go/listers/certificates/v1beta1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
@@ -174,11 +174,11 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context
 
 	bundle, err := p.ctbLister.Get(bundleName)
 	if apierrors.IsNotFound(err) {
-		_, err = p.client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, &certificatesv1alpha1.ClusterTrustBundle{
+		_, err = p.client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, &certificatesv1beta1.ClusterTrustBundle{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: bundleName,
 			},
-			Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+			Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 				SignerName:  p.signerName,
 				TrustBundle: caBundle,
 			},
@@ -186,7 +186,7 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context
 	} else if err == nil && bundle.Spec.TrustBundle != caBundle {
 		bundle = bundle.DeepCopy()
 		bundle.Spec.TrustBundle = caBundle
-		_, err = p.client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle, metav1.UpdateOptions{})
+		_, err = p.client.CertificatesV1beta1().ClusterTrustBundles().Update(ctx, bundle, metav1.UpdateOptions{})
 	}
 
 	if err != nil {
@@ -205,7 +205,7 @@ func (p *ClusterTrustBundlePublisher) syncClusterTrustBundle(ctx context.Context
 			continue
 		}
 
-		if err := p.client.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, bundleObject.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
+		if err := p.client.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, bundleObject.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
 			klog.FromContext(ctx).Error(err, "failed to remove a cluster trust bundle", "bundleName", bundleObject.Name)
 			deletionError = err
 		}

pkg/controller/certificates/clustertrustbundlepublisher/publisher_test.go

@@ -22,7 +22,7 @@ import (
 	cryptorand "crypto/rand"
 	"testing"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
@@ -44,7 +44,7 @@ func TestCTBPublisherSync(t *testing.T) {
 
 		createAction := expectAction[clienttesting.CreateAction](t, filteredActions[0], "create")
 
-		ctb, ok := createAction.GetObject().(*certificatesv1alpha1.ClusterTrustBundle)
+		ctb, ok := createAction.GetObject().(*certificatesv1beta1.ClusterTrustBundle)
 		if !ok {
 			t.Fatalf("expected ClusterTrustBundle create, got %v", createAction.GetObject())
 		}
@@ -63,7 +63,7 @@ func TestCTBPublisherSync(t *testing.T) {
 
 			updateAction := expectAction[clienttesting.UpdateAction](t, filteredActions[0], "update")
 
-			ctb, ok := updateAction.GetObject().(*certificatesv1alpha1.ClusterTrustBundle)
+			ctb, ok := updateAction.GetObject().(*certificatesv1beta1.ClusterTrustBundle)
 			if !ok {
 				t.Fatalf("expected ClusterTrustBundle update, got %v", updateAction.GetObject())
 			}
@@ -109,19 +109,19 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "no CTBs for the current signer exist",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "nosigner",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						TrustBundle: "somedatahere",
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "signer:one",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  "signer",
 						TrustBundle: "signerdata",
 					},
@@ -132,11 +132,11 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "CTB for the signer exists with different content",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testBundleName,
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: "olddata",
 					},
@@ -147,20 +147,20 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "multiple CTBs for the signer",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testBundleName,
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test.test/testSigner:name2",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
@@ -171,20 +171,20 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "multiple CTBs for the signer - the one with the proper name needs changing",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testBundleName,
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: "olddata",
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test.test/testSigner:name2",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
@@ -202,11 +202,11 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "another CTB with a different name exists for the signer",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test.test/testSigner:preexisting",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
@@ -224,28 +224,28 @@ func TestCTBPublisherSync(t *testing.T) {
 		{
 			name: "CTB at the correct state - noop",
 			existingCTBs: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "nosigner",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						TrustBundle: "somedatahere",
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "signer:one",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  "signer",
 						TrustBundle: "signerdata",
 					},
 				},
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testBundleName,
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  testSignerName,
 						TrustBundle: string(testCAProvider.CurrentCABundleContent()),
 					},
@@ -297,9 +297,9 @@ func fakeKubeClientSetWithCTBList(t *testing.T, signerName string, ctbs ...runti
 			return false, nil, nil
 		}
 
-		retList := &certificatesv1alpha1.ClusterTrustBundleList{}
+		retList := &certificatesv1beta1.ClusterTrustBundleList{}
 		for _, ctb := range ctbs {
-			ctbObj, ok := ctb.(*certificatesv1alpha1.ClusterTrustBundle)
+			ctbObj, ok := ctb.(*certificatesv1beta1.ClusterTrustBundle)
 			if !ok {
 				continue
 			}

pkg/controlplane/apiserver/aggregator.go

@@ -277,6 +277,7 @@ func DefaultGenericAPIServicePriorities() map[schema.GroupVersion]APIServicePrio
 		{Group: "authentication.k8s.io", Version: "v1alpha1"}:        {Group: 17700, Version: 1},
 		{Group: "authorization.k8s.io", Version: "v1"}:               {Group: 17600, Version: 15},
 		{Group: "certificates.k8s.io", Version: "v1"}:                {Group: 17300, Version: 15},
+		{Group: "certificates.k8s.io", Version: "v1beta1"}:           {Group: 17300, Version: 9},
 		{Group: "certificates.k8s.io", Version: "v1alpha1"}:          {Group: 17300, Version: 1},
 		{Group: "rbac.authorization.k8s.io", Version: "v1"}:          {Group: 17000, Version: 15},
 		{Group: "apiextensions.k8s.io", Version: "v1"}:               {Group: 16700, Version: 15},

pkg/controlplane/instance.go

@@ -37,6 +37,7 @@ import (
 	batchapiv1 "k8s.io/api/batch/v1"
 	certificatesapiv1 "k8s.io/api/certificates/v1"
 	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	coordinationapiv1 "k8s.io/api/coordination/v1"
 	coordinationv1alpha2 "k8s.io/api/coordination/v1alpha2"
 	apiv1 "k8s.io/api/core/v1"
@@ -457,6 +458,7 @@ var (
 	betaAPIGroupVersionsDisabledByDefault = []schema.GroupVersion{
 		admissionregistrationv1beta1.SchemeGroupVersion,
 		authenticationv1beta1.SchemeGroupVersion,
+		certificatesv1beta1.SchemeGroupVersion,
 		storageapiv1beta1.SchemeGroupVersion,
 		flowcontrolv1beta1.SchemeGroupVersion,
 		flowcontrolv1beta2.SchemeGroupVersion,

pkg/kubeapiserver/default_storage_factory_builder.go

@@ -86,7 +86,7 @@ func NewStorageFactoryConfigEffectiveVersion(effectiveVersion basecompatibility.
 		networking.Resource("servicecidrs").WithVersion("v1beta1"),
 		admissionregistration.Resource("mutatingadmissionpolicies").WithVersion("v1alpha1"),
 		admissionregistration.Resource("mutatingadmissionpolicybindings").WithVersion("v1alpha1"),
-		certificates.Resource("clustertrustbundles").WithVersion("v1alpha1"),
+		certificates.Resource("clustertrustbundles").WithVersion("v1beta1"),
 		storage.Resource("volumeattributesclasses").WithVersion("v1beta1"),
 		storagemigration.Resource("storagemigrations").WithVersion("v1alpha1"),
 	}

pkg/kubelet/clustertrustbundle/clustertrustbundle_manager.go

@@ -25,13 +25,13 @@ import (
 	"math/rand"
 	"time"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	lrucache "k8s.io/apimachinery/pkg/util/cache"
 	"k8s.io/apimachinery/pkg/util/sets"
-	certinformersv1alpha1 "k8s.io/client-go/informers/certificates/v1alpha1"
+	certinformersv1beta1 "k8s.io/client-go/informers/certificates/v1beta1"
-	certlistersv1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1"
+	certlistersv1beta1 "k8s.io/client-go/listers/certificates/v1beta1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 )
@@ -50,7 +50,7 @@ type Manager interface {
 // ClusterTrustBundle objects.
 type InformerManager struct {
 	ctbInformer cache.SharedIndexInformer
-	ctbLister   certlistersv1alpha1.ClusterTrustBundleLister
+	ctbLister   certlistersv1beta1.ClusterTrustBundleLister
 
 	normalizationCache *lrucache.LRUExpireCache
 	cacheTTL           time.Duration
@@ -59,7 +59,7 @@ type InformerManager struct {
 var _ Manager = (*InformerManager)(nil)
 
 // NewInformerManager returns an initialized InformerManager.
-func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.ClusterTrustBundleInformer, cacheSize int, cacheTTL time.Duration) (*InformerManager, error) {
+func NewInformerManager(ctx context.Context, bundles certinformersv1beta1.ClusterTrustBundleInformer, cacheSize int, cacheTTL time.Duration) (*InformerManager, error) {
 	// We need to call Informer() before calling start on the shared informer
 	// factory, or the informer won't be registered to be started.
 	m := &InformerManager{
@@ -74,7 +74,7 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust
 	// apply to them.
 	_, err := m.ctbInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj any) {
-			ctb, ok := obj.(*certificatesv1alpha1.ClusterTrustBundle)
+			ctb, ok := obj.(*certificatesv1beta1.ClusterTrustBundle)
 			if !ok {
 				return
 			}
@@ -82,21 +82,21 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust
 			m.dropCacheFor(ctb)
 		},
 		UpdateFunc: func(old, new any) {
-			ctb, ok := new.(*certificatesv1alpha1.ClusterTrustBundle)
+			ctb, ok := new.(*certificatesv1beta1.ClusterTrustBundle)
 			if !ok {
 				return
 			}
 			logger.Info("Dropping cache for ClusterTrustBundle", "signerName", ctb.Spec.SignerName)
-			m.dropCacheFor(new.(*certificatesv1alpha1.ClusterTrustBundle))
+			m.dropCacheFor(new.(*certificatesv1beta1.ClusterTrustBundle))
 		},
 		DeleteFunc: func(obj any) {
-			ctb, ok := obj.(*certificatesv1alpha1.ClusterTrustBundle)
+			ctb, ok := obj.(*certificatesv1beta1.ClusterTrustBundle)
 			if !ok {
 				tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 				if !ok {
 					return
 				}
-				ctb, ok = tombstone.Obj.(*certificatesv1alpha1.ClusterTrustBundle)
+				ctb, ok = tombstone.Obj.(*certificatesv1beta1.ClusterTrustBundle)
 				if !ok {
 					return
 				}
@@ -112,7 +112,7 @@ func NewInformerManager(ctx context.Context, bundles certinformersv1alpha1.Clust
 	return m, nil
 }
 
-func (m *InformerManager) dropCacheFor(ctb *certificatesv1alpha1.ClusterTrustBundle) {
+func (m *InformerManager) dropCacheFor(ctb *certificatesv1beta1.ClusterTrustBundle) {
 	if ctb.Spec.SignerName != "" {
 		m.normalizationCache.RemoveAll(func(key any) bool {
 			return key.(cacheKeyType).signerName == ctb.Spec.SignerName
@@ -145,7 +145,7 @@ func (m *InformerManager) GetTrustAnchorsByName(name string, allowMissing bool)
 		return nil, fmt.Errorf("while getting ClusterTrustBundle: %w", err)
 	}
 
-	pemTrustAnchors, err := m.normalizeTrustAnchors([]*certificatesv1alpha1.ClusterTrustBundle{ctb})
+	pemTrustAnchors, err := m.normalizeTrustAnchors([]*certificatesv1beta1.ClusterTrustBundle{ctb})
 	if err != nil {
 		return nil, fmt.Errorf("while normalizing trust anchors: %w", err)
 	}
@@ -184,7 +184,7 @@ func (m *InformerManager) GetTrustAnchorsBySigner(signerName string, labelSelect
 		return nil, fmt.Errorf("while listing ClusterTrustBundles matching label selector %v: %w", labelSelector, err)
 	}
 
-	ctbList := []*certificatesv1alpha1.ClusterTrustBundle{}
+	ctbList := []*certificatesv1beta1.ClusterTrustBundle{}
 	for _, ctb := range rawCTBList {
 		if ctb.Spec.SignerName == signerName {
 			ctbList = append(ctbList, ctb)
@@ -208,7 +208,7 @@ func (m *InformerManager) GetTrustAnchorsBySigner(signerName string, labelSelect
 	return pemTrustAnchors, nil
 }
 
-func (m *InformerManager) normalizeTrustAnchors(ctbList []*certificatesv1alpha1.ClusterTrustBundle) ([]byte, error) {
+func (m *InformerManager) normalizeTrustAnchors(ctbList []*certificatesv1beta1.ClusterTrustBundle) ([]byte, error) {
 	// Deduplicate trust anchors from all ClusterTrustBundles.
 	trustAnchorSet := sets.Set[string]{}
 	for _, ctb := range ctbList {

pkg/kubelet/clustertrustbundle/clustertrustbundle_manager_test.go

@@ -32,7 +32,7 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
@@ -46,7 +46,7 @@ func TestBeforeSynced(t *testing.T) {
 
 	informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
 
-	ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
+	ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
 	ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
 
 	_, err := ctbManager.GetTrustAnchorsByName("foo", false)
@@ -60,20 +60,20 @@ func TestGetTrustAnchorsByName(t *testing.T) {
 	tCtx := ktesting.Init(t)
 	defer cancel()
 
-	ctb1 := &certificatesv1alpha1.ClusterTrustBundle{
+	ctb1 := &certificatesv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "ctb1",
 		},
-		Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+		Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 			TrustBundle: mustMakeRoot(t, "root1"),
 		},
 	}
 
-	ctb2 := &certificatesv1alpha1.ClusterTrustBundle{
+	ctb2 := &certificatesv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "ctb2",
 		},
-		Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+		Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 			TrustBundle: mustMakeRoot(t, "root2"),
 		},
 	}
@@ -82,7 +82,7 @@ func TestGetTrustAnchorsByName(t *testing.T) {
 
 	informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
 
-	ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
+	ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
 	ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
 
 	informerFactory.Start(ctx.Done())
@@ -124,20 +124,20 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) {
 	ctx, cancel := context.WithTimeout(tCtx, 20*time.Second)
 	defer cancel()
 
-	ctb1 := &certificatesv1alpha1.ClusterTrustBundle{
+	ctb1 := &certificatesv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "foo",
 		},
-		Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+		Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 			TrustBundle: mustMakeRoot(t, "root1"),
 		},
 	}
 
-	ctb2 := &certificatesv1alpha1.ClusterTrustBundle{
+	ctb2 := &certificatesv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "foo",
 		},
-		Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+		Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 			TrustBundle: mustMakeRoot(t, "root2"),
 		},
 	}
@@ -146,7 +146,7 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) {
 
 	informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
 
-	ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
+	ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
 	ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
 
 	informerFactory.Start(ctx.Done())
@@ -180,10 +180,10 @@ func TestGetTrustAnchorsByNameCaching(t *testing.T) {
 		}
 	})
 
-	if err := kc.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil {
+	if err := kc.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil {
 		t.Fatalf("Error while deleting the old CTB: %v", err)
 	}
-	if _, err := kc.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil {
+	if _, err := kc.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil {
 		t.Fatalf("Error while adding new CTB: %v", err)
 	}
 
@@ -221,7 +221,7 @@ func TestGetTrustAnchorsBySignerName(t *testing.T) {
 
 	informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
 
-	ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
+	ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
 	ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
 
 	informerFactory.Start(ctx.Done())
@@ -335,7 +335,7 @@ func TestGetTrustAnchorsBySignerNameCaching(t *testing.T) {
 
 	informerFactory := informers.NewSharedInformerFactoryWithOptions(kc, 0)
 
-	ctbInformer := informerFactory.Certificates().V1alpha1().ClusterTrustBundles()
+	ctbInformer := informerFactory.Certificates().V1beta1().ClusterTrustBundles()
 	ctbManager, _ := NewInformerManager(tCtx, ctbInformer, 256, 5*time.Minute)
 
 	informerFactory.Start(ctx.Done())
@@ -369,10 +369,10 @@ func TestGetTrustAnchorsBySignerNameCaching(t *testing.T) {
 		}
 	})
 
-	if err := kc.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil {
+	if err := kc.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb1.ObjectMeta.Name, metav1.DeleteOptions{}); err != nil {
 		t.Fatalf("Error while deleting the old CTB: %v", err)
 	}
-	if _, err := kc.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil {
+	if _, err := kc.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb2, metav1.CreateOptions{}); err != nil {
 		t.Fatalf("Error while adding new CTB: %v", err)
 	}
 
@@ -422,13 +422,13 @@ func mustMakeRoot(t *testing.T, cn string) string {
 	}))
 }
 
-func mustMakeCTB(name, signerName string, labels map[string]string, bundle string) *certificatesv1alpha1.ClusterTrustBundle {
+func mustMakeCTB(name, signerName string, labels map[string]string, bundle string) *certificatesv1beta1.ClusterTrustBundle {
-	return &certificatesv1alpha1.ClusterTrustBundle{
+	return &certificatesv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   name,
 			Labels: labels,
 		},
-		Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+		Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 			SignerName:  signerName,
 			TrustBundle: bundle,
 		},

pkg/kubelet/kubelet.go

@@ -881,7 +881,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 	var clusterTrustBundleManager clustertrustbundle.Manager
 	if kubeDeps.KubeClient != nil && utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundleProjection) {
 		kubeInformers := informers.NewSharedInformerFactoryWithOptions(kubeDeps.KubeClient, 0)
-		clusterTrustBundleManager, err = clustertrustbundle.NewInformerManager(ctx, kubeInformers.Certificates().V1alpha1().ClusterTrustBundles(), 2*int(kubeCfg.MaxPods), 5*time.Minute)
+		clusterTrustBundleManager, err = clustertrustbundle.NewInformerManager(ctx, kubeInformers.Certificates().V1beta1().ClusterTrustBundles(), 2*int(kubeCfg.MaxPods), 5*time.Minute)
 		if err != nil {
 			return nil, fmt.Errorf("while starting informer-based ClusterTrustBundle manager: %w", err)
 		}

pkg/printers/internalversion/printers.go

@@ -30,8 +30,7 @@ import (
 	autoscalingv1 "k8s.io/api/autoscaling/v1"
 	autoscalingv2beta1 "k8s.io/api/autoscaling/v2beta1"
 	batchv1 "k8s.io/api/batch/v1"
-	batchv1beta1 "k8s.io/api/batch/v1beta1"
+	batchv1beta1 "k8s.io/api/batch/v1beta1" // should this change, too? there are still certv1beta1.CSR printers, but not their v1 versions
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
 	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	coordinationv1 "k8s.io/api/coordination/v1"
 	coordinationv1alpha2 "k8s.io/api/coordination/v1alpha2"
@@ -420,7 +419,7 @@ func AddHandlers(h printers.PrintHandler) {
 
 	clusterTrustBundleColumnDefinitions := []metav1.TableColumnDefinition{
 		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
-		{Name: "SignerName", Type: "string", Description: certificatesv1alpha1.ClusterTrustBundleSpec{}.SwaggerDoc()["signerName"]},
+		{Name: "SignerName", Type: "string", Description: certificatesv1beta1.ClusterTrustBundleSpec{}.SwaggerDoc()["signerName"]},
 	}
 	h.TableHandler(clusterTrustBundleColumnDefinitions, printClusterTrustBundle)
 	h.TableHandler(clusterTrustBundleColumnDefinitions, printClusterTrustBundleList)

pkg/registry/certificates/rest/storage_certificates.go

@@ -19,6 +19,7 @@ package rest
 import (
 	certificatesapiv1 "k8s.io/api/certificates/v1"
 	certificatesapiv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesapiv1beta1 "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
@@ -45,6 +46,12 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
 		apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1.SchemeGroupVersion.Version] = storageMap
 	}
 
+	if storageMap, err := p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
+		return genericapiserver.APIGroupInfo{}, err
+	} else if len(storageMap) > 0 {
+		apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1beta1.SchemeGroupVersion.Version] = storageMap
+	}
+
 	if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
 		return genericapiserver.APIGroupInfo{}, err
 	} else if len(storageMap) > 0 {
@@ -70,6 +77,24 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API
 	return storage, nil
 }
 
+func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
+	storage := map[string]rest.Storage{}
+
+	if resource := "clustertrustbundles"; apiResourceConfigSource.ResourceEnabled(certificatesapiv1beta1.SchemeGroupVersion.WithResource(resource)) {
+		if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
+			bundleStorage, err := clustertrustbundlestore.NewREST(restOptionsGetter)
+			if err != nil {
+				return nil, err
+			}
+			storage[resource] = bundleStorage
+		} else {
+			klog.Warning("ClusterTrustBundle storage is disabled because the ClusterTrustBundle feature gate is disabled")
+		}
+	}
+
+	return storage, nil
+}
+
 func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
 	storage := map[string]rest.Storage{}
 

pkg/volume/projected/projected_test.go

@@ -32,7 +32,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	authenticationv1 "k8s.io/api/authentication/v1"
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -912,11 +912,11 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) {
 				DefaultMode: utilptr.Int32(0644),
 			},
 			bundles: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "foo",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						TrustBundle: string(goodCert1),
 					},
 				},
@@ -947,14 +947,14 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) {
 				DefaultMode: utilptr.Int32(0644),
 			},
 			bundles: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "foo:example:bar",
 						Labels: map[string]string{
 							"key": "value",
 						},
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						SignerName:  "foo.example/bar",
 						TrustBundle: string(goodCert1),
 					},
@@ -981,11 +981,11 @@ func TestCollectDataWithClusterTrustBundle(t *testing.T) {
 				DefaultMode: utilptr.Int32(0600),
 			},
 			bundles: []runtime.Object{
-				&certificatesv1alpha1.ClusterTrustBundle{
+				&certificatesv1beta1.ClusterTrustBundle{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "foo",
 					},
-					Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+					Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 						TrustBundle: string(goodCert1),
 					},
 				},

pkg/volume/testing/volume_host.go

@@ -427,7 +427,7 @@ func (f *fakeKubeletVolumeHost) GetHostUtil() hostutil.HostUtils {
 }
 
 func (f *fakeKubeletVolumeHost) GetTrustAnchorsByName(name string, allowMissing bool) ([]byte, error) {
-	ctb, err := f.kubeClient.CertificatesV1alpha1().ClusterTrustBundles().Get(context.Background(), name, metav1.GetOptions{})
+	ctb, err := f.kubeClient.CertificatesV1beta1().ClusterTrustBundles().Get(context.Background(), name, metav1.GetOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("while getting ClusterTrustBundle %s: %w", name, err)
 	}
@@ -437,7 +437,7 @@ func (f *fakeKubeletVolumeHost) GetTrustAnchorsByName(name string, allowMissing
 
 // Note: we do none of the deduplication and sorting that the real deal should do.
 func (f *fakeKubeletVolumeHost) GetTrustAnchorsBySigner(signerName string, labelSelector *metav1.LabelSelector, allowMissing bool) ([]byte, error) {
-	ctbList, err := f.kubeClient.CertificatesV1alpha1().ClusterTrustBundles().List(context.Background(), metav1.ListOptions{})
+	ctbList, err := f.kubeClient.CertificatesV1beta1().ClusterTrustBundles().List(context.Background(), metav1.ListOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("while listing all ClusterTrustBundles: %w", err)
 	}

staging/src/k8s.io/api/certificates/v1beta1/types.go

@@ -265,7 +265,7 @@ const (
 
 // +genclient
 // +genclient:nonNamespaced
-// +k8s:prerelease-lifecycle-gen:introduced=1.32
+// +k8s:prerelease-lifecycle-gen:introduced=1.33
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
@@ -332,7 +332,7 @@ type ClusterTrustBundleSpec struct {
 	TrustBundle string `json:"trustBundle" protobuf:"bytes,2,opt,name=trustBundle"`
 }
 
-// +k8s:prerelease-lifecycle-gen:introduced=1.32
+// +k8s:prerelease-lifecycle-gen:introduced=1.33
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ClusterTrustBundleList is a collection of ClusterTrustBundle objects

test/e2e/auth/projected_clustertrustbundle.go

@@ -32,7 +32,7 @@ import (
 	"strings"
 	"time"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -266,7 +266,7 @@ var _ = SIGDescribe(framework.WithFeatureGate(features.ClusterTrustBundle), fram
 	ginkgo.It("should be able to mount a big number (>100) of CTBs", func(ctx context.Context) {
 		const numCTBs = 150
 
-		var initCTBs []*certificatesv1alpha1.ClusterTrustBundle
+		var initCTBs []*certificatesv1beta1.ClusterTrustBundle
 		var cleanups []func(ctx context.Context)
 		var projections []v1.VolumeProjection
 
@@ -443,7 +443,7 @@ func podForCTBProjection(projectionSources ...v1.VolumeProjection) *v1.Pod {
 //	  "signer.alive=false": <set of all PEMs whose CTBs contain `signer.alive: false` labels>,
 //	  "no-signer": <set of all PEMs that appear in CTBs with no specific signers>,
 //	}
-func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets.Set[string]) {
+func initCTBData() ([]*certificatesv1beta1.ClusterTrustBundle, map[string]sets.Set[string]) {
 	var pemSets = map[string]sets.Set[string]{
 		testSignerOneName: sets.New[string](),
 		testSignerTwoName: sets.New[string](),
@@ -452,7 +452,7 @@ func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets.
 		noSignerKey:       sets.New[string](),
 	}
 
-	var ctbs []*certificatesv1alpha1.ClusterTrustBundle
+	var ctbs []*certificatesv1beta1.ClusterTrustBundle
 
 	for i := range 10 {
 		caPEM := mustMakeCAPEM(fmt.Sprintf("root%d", i))
@@ -487,20 +487,20 @@ func initCTBData() ([]*certificatesv1alpha1.ClusterTrustBundle, map[string]sets.
 	return ctbs, pemSets
 }
 
-func ctbForCA(ctbName, signerName, caPEM string, labels map[string]string) *certificatesv1alpha1.ClusterTrustBundle {
+func ctbForCA(ctbName, signerName, caPEM string, labels map[string]string) *certificatesv1beta1.ClusterTrustBundle {
-	return &certificatesv1alpha1.ClusterTrustBundle{
+	return &certificatesv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   ctbName,
 			Labels: labels,
 		},
-		Spec: certificatesv1alpha1.ClusterTrustBundleSpec{
+		Spec: certificatesv1beta1.ClusterTrustBundleSpec{
 			SignerName:  signerName,
 			TrustBundle: caPEM,
 		},
 	}
 }
 
-func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certificatesv1alpha1.ClusterTrustBundle) func(context.Context) {
+func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certificatesv1beta1.ClusterTrustBundle) func(context.Context) {
 	cleanups := []func(context.Context){}
 	for _, ctb := range ctbs {
 		ctb := ctb
@@ -514,15 +514,15 @@ func mustInitCTBs(ctx context.Context, f *framework.Framework, ctbs []*certifica
 	}
 }
 
-func mustCreateCTB(ctx context.Context, f *framework.Framework, ctb *certificatesv1alpha1.ClusterTrustBundle) func(context.Context) {
+func mustCreateCTB(ctx context.Context, f *framework.Framework, ctb *certificatesv1beta1.ClusterTrustBundle) func(context.Context) {
 	mutateCTBForTesting(ctb, f.UniqueName)
 
-	if _, err := f.ClientSet.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, ctb, metav1.CreateOptions{}); err != nil {
+	if _, err := f.ClientSet.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, ctb, metav1.CreateOptions{}); err != nil {
 		framework.Failf("Error while creating ClusterTrustBundle: %v", err)
 	}
 
 	return func(ctx context.Context) {
-		if err := f.ClientSet.CertificatesV1alpha1().ClusterTrustBundles().Delete(ctx, ctb.Name, metav1.DeleteOptions{}); err != nil {
+		if err := f.ClientSet.CertificatesV1beta1().ClusterTrustBundles().Delete(ctx, ctb.Name, metav1.DeleteOptions{}); err != nil {
 			framework.Logf("failed to remove a cluster trust bundle: %v", err)
 		}
 	}
@@ -584,7 +584,7 @@ func getFileModeRegex(filePath string, mask *int32) string {
 	return fmt.Sprintf("(%s|%s)", linuxOutput, windowsOutput)
 }
 
-func ctbsToPEMs(ctbs []*certificatesv1alpha1.ClusterTrustBundle) []string {
+func ctbsToPEMs(ctbs []*certificatesv1beta1.ClusterTrustBundle) []string {
 	var certPEMs []string
 	for _, ctb := range ctbs {
 		certPEMs = append(certPEMs, ctb.Spec.TrustBundle)
@@ -594,7 +594,7 @@ func ctbsToPEMs(ctbs []*certificatesv1alpha1.ClusterTrustBundle) []string {
 
 // mutateCTBForTesting mutates the .spec.signerName and .name so that the created cluster
 // objects are unique and the tests can run in parallel
-func mutateCTBForTesting(ctb *certificatesv1alpha1.ClusterTrustBundle, uniqueName string) {
+func mutateCTBForTesting(ctb *certificatesv1beta1.ClusterTrustBundle, uniqueName string) {
 	signer := ctb.Spec.SignerName
 	if len(signer) == 0 {
 		ctb.Name += uniqueName

test/integration/clustertrustbundles/admission_establishtrust_test.go

@@ -24,7 +24,7 @@ import (
 	"math/big"
 	"testing"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -38,10 +38,6 @@ import (
 // Verifies that the ClusterTrustBundle attest admission plugin correctly
 // enforces that a user has "attest" on the affected signer name.
 func TestCTBAttestPlugin(t *testing.T) {
-	// KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests
-	// TODO: Remove this line once certificates v1alpha1 types to be removed in 1.32 are fully removed
-	t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true")
-
 	testCases := []struct {
 		description       string
 		trustBundleName   string
@@ -78,7 +74,7 @@ func TestCTBAttestPlugin(t *testing.T) {
 		t.Run(tc.description, func(t *testing.T) {
 			ctx := context.Background()
 
-			server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--authorization-mode=RBAC", "--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd())
+			server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--authorization-mode=RBAC", "--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd())
 			defer server.TearDownFn()
 
 			client := kubernetes.NewForConfigOrDie(server.ClientConfig)
@@ -92,11 +88,11 @@ func TestCTBAttestPlugin(t *testing.T) {
 			testUserConfig.Impersonate = rest.ImpersonationConfig{UserName: "test-user"}
 			testUserClient := kubernetes.NewForConfigOrDie(testUserConfig)
 
-			bundle := &certsv1alpha1.ClusterTrustBundle{
+			bundle := &certsv1beta1.ClusterTrustBundle{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: tc.trustBundleName,
 				},
-				Spec: certsv1alpha1.ClusterTrustBundleSpec{
+				Spec: certsv1beta1.ClusterTrustBundleSpec{
 					SignerName: tc.targetSignerName,
 					TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
 						SerialNumber: big.NewInt(0),
@@ -108,7 +104,7 @@ func TestCTBAttestPlugin(t *testing.T) {
 					})),
 				},
 			}
-			_, err := testUserClient.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle, metav1.CreateOptions{})
+			_, err := testUserClient.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle, metav1.CreateOptions{})
 			if err != nil && err.Error() != tc.wantError {
 				t.Fatalf("Bad error while creating ClusterTrustBundle; got %q want %q", err.Error(), tc.wantError)
 			} else if err == nil && tc.wantError != "" {

test/integration/clustertrustbundles/field_selector_test.go

@@ -24,7 +24,7 @@ import (
 	"math/big"
 	"testing"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
@@ -38,16 +38,16 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
 
 	ctx := context.Background()
 
-	server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd())
+	server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd())
 	defer server.TearDownFn()
 
 	client := kubernetes.NewForConfigOrDie(server.ClientConfig)
 
-	bundle1 := &certsv1alpha1.ClusterTrustBundle{
+	bundle1 := &certsv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "foo.com:bar:v1",
 		},
-		Spec: certsv1alpha1.ClusterTrustBundleSpec{
+		Spec: certsv1beta1.ClusterTrustBundleSpec{
 			SignerName: "foo.com/bar",
 			TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
 				SerialNumber: big.NewInt(0),
@@ -59,15 +59,15 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
 			})),
 		},
 	}
-	if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}); err != nil {
+	if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}); err != nil {
 		t.Fatalf("Error while creating bundle1: %v", err)
 	}
 
-	bundle2 := &certsv1alpha1.ClusterTrustBundle{
+	bundle2 := &certsv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "foo.com:bar:v2",
 		},
-		Spec: certsv1alpha1.ClusterTrustBundleSpec{
+		Spec: certsv1beta1.ClusterTrustBundleSpec{
 			SignerName: "foo.com/bar",
 			TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
 				SerialNumber: big.NewInt(0),
@@ -79,15 +79,15 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
 			})),
 		},
 	}
-	if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle2, metav1.CreateOptions{}); err != nil {
+	if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle2, metav1.CreateOptions{}); err != nil {
 		t.Fatalf("Error while creating bundle2: %v", err)
 	}
 
-	bundle3 := &certsv1alpha1.ClusterTrustBundle{
+	bundle3 := &certsv1beta1.ClusterTrustBundle{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "baz.com:bar:v1",
 		},
-		Spec: certsv1alpha1.ClusterTrustBundleSpec{
+		Spec: certsv1beta1.ClusterTrustBundleSpec{
 			SignerName: "baz.com/bar",
 			TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
 				SerialNumber: big.NewInt(0),
@@ -99,11 +99,11 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
 			})),
 		},
 	}
-	if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle3, metav1.CreateOptions{}); err != nil {
+	if _, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle3, metav1.CreateOptions{}); err != nil {
 		t.Fatalf("Error while creating bundle3: %v", err)
 	}
 
-	fooList, err := client.CertificatesV1alpha1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=foo.com/bar"})
+	fooList, err := client.CertificatesV1beta1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=foo.com/bar"})
 	if err != nil {
 		t.Fatalf("Unable to list ClusterTrustBundles with spec.signerName=foo.com/bar")
 	}
@@ -127,7 +127,7 @@ func TestCTBSignerNameFieldSelector(t *testing.T) {
 		t.Errorf("Didn't find foo.com:bar:v2 in the list when listing for foo.com/bar")
 	}
 
-	bazList, err := client.CertificatesV1alpha1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=baz.com/bar"})
+	bazList, err := client.CertificatesV1beta1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=baz.com/bar"})
 	if err != nil {
 		t.Fatalf("Unable to list ClusterTrustBundles with spec.signerName=baz.com/bar")
 	}

test/integration/clustertrustbundles/signer_name_change_forbidden_test.go

@@ -24,7 +24,7 @@ import (
 	"math/big"
 	"testing"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
@@ -32,10 +32,6 @@ import (
 )
 
 func TestCTBSignerNameChangeForbidden(t *testing.T) {
-	// KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests
-	// TODO: Remove this line once certificates v1alpha1 types to be removed in 1.32 are fully removed
-	t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true")
-
 	testCases := []struct {
 		objectName string
 		signer1    string
@@ -63,16 +59,16 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) {
 
 			ctx := context.Background()
 
-			server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion)}, framework.SharedEtcd())
+			server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true", fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion)}, framework.SharedEtcd())
 			defer server.TearDownFn()
 
 			client := kubernetes.NewForConfigOrDie(server.ClientConfig)
 
-			bundle1 := &certsv1alpha1.ClusterTrustBundle{
+			bundle1 := &certsv1beta1.ClusterTrustBundle{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: tc.objectName,
 				},
-				Spec: certsv1alpha1.ClusterTrustBundleSpec{
+				Spec: certsv1beta1.ClusterTrustBundleSpec{
 					SignerName: tc.signer1,
 					TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
 						SerialNumber: big.NewInt(0),
@@ -84,7 +80,7 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) {
 					})),
 				},
 			}
-			bundle1, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{})
+			bundle1, err := client.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{})
 			if err != nil {
 				t.Fatalf("Error while creating bundle1: %v", err)
 			}
@@ -95,7 +91,7 @@ func TestCTBSignerNameChangeForbidden(t *testing.T) {
 			// cluster trust bundle.
 			bundle1.Spec.SignerName = tc.signer2
 
-			_, err = client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle1, metav1.UpdateOptions{})
+			_, err = client.CertificatesV1beta1().ClusterTrustBundles().Update(ctx, bundle1, metav1.UpdateOptions{})
 			if err == nil {
 				t.Fatalf("Got nil error from updating bundle foo-com--bar from signerName=foo.com/bar to signerName=foo.com/bar2, but wanted an error")
 			}

test/integration/etcd/data.go

@@ -216,13 +216,23 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, removeAl
 
 		// k8s.io/kubernetes/pkg/apis/certificates/v1alpha1
 		gvr("certificates.k8s.io", "v1alpha1", "clustertrustbundles"): {
-			Stub:              `{"metadata": {"name": "example.com:signer:abc"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`,
+			Stub:              `{"metadata": {"name": "example.com:signer:abcd"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`,
-			ExpectedEtcdPath:  "/registry/clustertrustbundles/example.com:signer:abc",
+			ExpectedEtcdPath:  "/registry/clustertrustbundles/example.com:signer:abcd",
+			ExpectedGVK:       gvkP("certificates.k8s.io", "v1beta1", "ClusterTrustBundle"),
 			IntroducedVersion: "1.26",
 			RemovedVersion:    "1.37",
 		},
 		// --
 
+		// k8s.io/kubernetes/pkg/apis/certificates/v1beta1
+		gvr("certificates.k8s.io", "v1beta1", "clustertrustbundles"): {
+			Stub:              `{"metadata": {"name": "example.com:signer:abc"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`,
+			ExpectedEtcdPath:  "/registry/clustertrustbundles/example.com:signer:abc",
+			IntroducedVersion: "1.33",
+			RemovedVersion:    "1.39",
+		},
+		// --
+
 		// k8s.io/kubernetes/pkg/apis/coordination/v1
 		gvr("coordination.k8s.io", "v1", "leases"): {
 			Stub:              `{"metadata": {"name": "leasev1"}, "spec": {"holderIdentity": "holder", "leaseDurationSeconds": 5}}`,