kubeadm: deprecate the flag --use-api for cert renewal

neolit123 · neolit123 · commit 8943e443e81c · 2020-03-05T03:37:00.000+02:00
The KCM is moving to means of only singing apiserver (kubelet) client and kubelet serving certificates. See: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190607-certificates-api.md#signers Up until now the experimental kubeadm functionality '--use-api' under "kubeadm alpha certs renew" was using the KCM to sign *any* certficate as long as the KCM has the root CA cert/key. Post discussions with the kubeadm maintainers, it was decided that this functionality should be removed from kubeadm due to the requirement to have external signers for renewing the common control-plane certificates that kubeadm manages.
diff --git a/cmd/kubeadm/app/cmd/alpha/certs.go b/cmd/kubeadm/app/cmd/alpha/certs.go
@@ -43,7 +43,7 @@ var (
 	genericCertRenewLongDesc = cmdutil.LongDesc(`
 	Renew the %s.
 
-	Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will 
+	Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will
 	be based on the existing file/certificates, there is no need to resupply them.
 
 	Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative
@@ -208,7 +208,12 @@ func addRenewFlags(cmd *cobra.Command, flags *renewFlags) {
 	options.AddKubeConfigFlag(cmd.Flags(), &flags.kubeconfigPath)
 	options.AddCSRFlag(cmd.Flags(), &flags.csrOnly)
 	options.AddCSRDirFlag(cmd.Flags(), &flags.csrPath)
+	// TODO: remove the flag and related logic once legacy signers are removed,
+	// potentially with the release of certificates.k8s.io/v1:
+	//   https://github.com/kubernetes/kubeadm/issues/2047
 	cmd.Flags().BoolVar(&flags.useAPI, "use-api", flags.useAPI, "Use the Kubernetes certificate API to renew certificates")
+	cmd.Flags().MarkDeprecated("use-api", "certificate renewal from kubeadm using the Kubernetes API "+
+		"is deprecated and will be removed when 'certificates.k8s.io/v1' releases.")
 }
 
 func renewCert(flags *renewFlags, kdir string, internalcfg *kubeadmapi.InitConfiguration, handler *renewal.CertificateRenewHandler) error {
