kubeadm: promote the "kubeadm certs" command to GA (#24410)

The command resided under "kubeadm alpha certs".
It will be promoted to GA in 1.20 as "kubeadm certs".

The existing command "kubeadm alpha" will
remain present for one more release, but it will be hidden
from documentation as it is deprecated.

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_certificate-key.md

@@ -11,7 +11,7 @@ generate and print one for you.
 
 
 ```
-kubeadm alpha certs certificate-key [flags]
+kubeadm certs certificate-key [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_check-expiration.md

@@ -5,7 +5,7 @@
 Checks expiration for the certificates in the local PKI managed by kubeadm.
 
 ```
-kubeadm alpha certs check-expiration [flags]
+kubeadm certs check-expiration [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md

@@ -9,14 +9,14 @@ This command is designed for use in [Kubeadm External CA Mode](https://kubernete
 The PEM encoded signed certificates should then be saved alongside the key files, using ".crt" as the file extension, or in the case of kubeconfig files, the PEM encoded signed certificate should be base64 encoded and added to the kubeconfig file in the "users > user > client-certificate-data" field.
 
 ```
-kubeadm alpha certs generate-csr [flags]
+kubeadm certs generate-csr [flags]
 ```
 
 ### Examples
 
 ```
   # The following command will generate keys and CSRs for all control-plane certificates and kubeconfig files:
-  kubeadm alpha certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s/pki
+  kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s/pki
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew.md

@@ -5,7 +5,7 @@
 This command is not meant to be run on its own. See list of available subcommands.
 
 ```
-kubeadm alpha certs renew [flags]
+kubeadm certs renew [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_admin.conf.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew admin.conf [flags]
+kubeadm certs renew admin.conf [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_all.md

@@ -5,7 +5,7 @@
 Renew all known certificates necessary to run the control plane. Renewals are run unconditionally, regardless of expiration date. Renewals can also be run individually for more control.
 
 ```
-kubeadm alpha certs renew all [flags]
+kubeadm certs renew all [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-etcd-client.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew apiserver-etcd-client [flags]
+kubeadm certs renew apiserver-etcd-client [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-kubelet-client.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew apiserver-kubelet-client [flags]
+kubeadm certs renew apiserver-kubelet-client [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew apiserver [flags]
+kubeadm certs renew apiserver [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_controller-manager.conf.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew controller-manager.conf [flags]
+kubeadm certs renew controller-manager.conf [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew etcd-healthcheck-client [flags]
+kubeadm certs renew etcd-healthcheck-client [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew etcd-peer [flags]
+kubeadm certs renew etcd-peer [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew etcd-server [flags]
+kubeadm certs renew etcd-server [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_front-proxy-client.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew front-proxy-client [flags]
+kubeadm certs renew front-proxy-client [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_scheduler.conf.md

@@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 
 ```
-kubeadm alpha certs renew scheduler.conf [flags]
+kubeadm certs renew scheduler.conf [flags]
 ```
 
 ### Options

content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md

@@ -1,7 +1,4 @@
 ---
-reviewers:
-- luxas
-- jbeda
 title: kubeadm alpha
 content_type: concept
 weight: 90
@@ -12,62 +9,6 @@ weight: 90
  from the community. Please try it out and give us feedback!
 {{< /caution >}}
 
-## kubeadm alpha certs {#cmd-certs}
-
-A collection of operations for operating Kubernetes certificates.
-
-{{< tabs name="tab-certs" >}}
-{{< tab name="overview" include="generated/kubeadm_alpha_certs.md" />}}
-{{< /tabs >}}
-
-## kubeadm alpha certs renew {#cmd-certs-renew}
-
-You can renew all Kubernetes certificates using the `all` subcommand or renew them selectively.
-For more details about certificate expiration and renewal see the [certificate management documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).
-
-{{< tabs name="tab-certs-renew" >}}
-{{< tab name="renew" include="generated/kubeadm_alpha_certs_renew.md" />}}
-{{< tab name="all" include="generated/kubeadm_alpha_certs_renew_all.md" />}}
-{{< tab name="admin.conf" include="generated/kubeadm_alpha_certs_renew_admin.conf.md" />}}
-{{< tab name="apiserver-etcd-client" include="generated/kubeadm_alpha_certs_renew_apiserver-etcd-client.md" />}}
-{{< tab name="apiserver-kubelet-client" include="generated/kubeadm_alpha_certs_renew_apiserver-kubelet-client.md" />}}
-{{< tab name="apiserver" include="generated/kubeadm_alpha_certs_renew_apiserver.md" />}}
-{{< tab name="controller-manager.conf" include="generated/kubeadm_alpha_certs_renew_controller-manager.conf.md" />}}
-{{< tab name="etcd-healthcheck-client" include="generated/kubeadm_alpha_certs_renew_etcd-healthcheck-client.md" />}}
-{{< tab name="etcd-peer" include="generated/kubeadm_alpha_certs_renew_etcd-peer.md" />}}
-{{< tab name="etcd-server" include="generated/kubeadm_alpha_certs_renew_etcd-server.md" />}}
-{{< tab name="front-proxy-client" include="generated/kubeadm_alpha_certs_renew_front-proxy-client.md" />}}
-{{< tab name="scheduler.conf" include="generated/kubeadm_alpha_certs_renew_scheduler.conf.md" />}}
-{{< /tabs >}}
-
-## kubeadm alpha certs certificate-key {#cmd-certs-certificate-key}
-
-This command can be used to generate a new control-plane certificate key.
-The key can be passed as `--certificate-key` to `kubeadm init` and `kubeadm join`
-to enable the automatic copy of certificates when joining additional control-plane nodes.
-
-{{< tabs name="tab-certs-certificate-key" >}}
-{{< tab name="certificate-key" include="generated/kubeadm_alpha_certs_certificate-key.md" />}}
-{{< /tabs >}}
-
-## kubeadm alpha certs generate-csr {#cmd-certs-generate-csr}
-
-This command can be used to generate certificate signing requests (CSRs) which
-can be submitted to a certificate authority (CA) for signing.
-
-{{< tabs name="tab-certs-generate-csr" >}}
-{{< tab name="certificate-generate-csr" include="generated/kubeadm_alpha_certs_generate-csr.md" />}}
-{{< /tabs >}}
-
-## kubeadm alpha certs check-expiration {#cmd-certs-check-expiration}
-
-This command checks expiration for the certificates in the local PKI managed by kubeadm.
-For more details about certificate expiration and renewal see the [certificate management documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).
-
-{{< tabs name="tab-certs-check-expiration" >}}
-{{< tab name="check-expiration" include="generated/kubeadm_alpha_certs_check-expiration.md" />}}
-{{< /tabs >}}
-
 ## kubeadm alpha kubeconfig user {#cmd-phase-kubeconfig}
 
 The `user` subcommand can be used for the creation of kubeconfig files for additional users.

content/en/docs/reference/setup-tools/kubeadm/kubeadm-certs.md

@@ -0,0 +1,73 @@
+---
+title: kubeadm certs
+content_type: concept
+weight: 90
+---
+
+`kubeadm certs` provides utilities for managing certificates.
+For more details on how these commands can be used, see
+[Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).
+
+## kubeadm certs {#cmd-certs}
+
+A collection of operations for operating Kubernetes certificates.
+
+{{< tabs name="tab-certs" >}}
+{{< tab name="overview" include="generated/kubeadm_certs.md" />}}
+{{< /tabs >}}
+
+## kubeadm certs renew {#cmd-certs-renew}
+
+You can renew all Kubernetes certificates using the `all` subcommand or renew them selectively.
+For more details see [Manual certificate renewal](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal).
+
+{{< tabs name="tab-certs-renew" >}}
+{{< tab name="renew" include="generated/kubeadm_certs_renew.md" />}}
+{{< tab name="all" include="generated/kubeadm_certs_renew_all.md" />}}
+{{< tab name="admin.conf" include="generated/kubeadm_certs_renew_admin.conf.md" />}}
+{{< tab name="apiserver-etcd-client" include="generated/kubeadm_certs_renew_apiserver-etcd-client.md" />}}
+{{< tab name="apiserver-kubelet-client" include="generated/kubeadm_certs_renew_apiserver-kubelet-client.md" />}}
+{{< tab name="apiserver" include="generated/kubeadm_certs_renew_apiserver.md" />}}
+{{< tab name="controller-manager.conf" include="generated/kubeadm_certs_renew_controller-manager.conf.md" />}}
+{{< tab name="etcd-healthcheck-client" include="generated/kubeadm_certs_renew_etcd-healthcheck-client.md" />}}
+{{< tab name="etcd-peer" include="generated/kubeadm_certs_renew_etcd-peer.md" />}}
+{{< tab name="etcd-server" include="generated/kubeadm_certs_renew_etcd-server.md" />}}
+{{< tab name="front-proxy-client" include="generated/kubeadm_certs_renew_front-proxy-client.md" />}}
+{{< tab name="scheduler.conf" include="generated/kubeadm_certs_renew_scheduler.conf.md" />}}
+{{< /tabs >}}
+
+## kubeadm certs certificate-key {#cmd-certs-certificate-key}
+
+This command can be used to generate a new control-plane certificate key.
+The key can be passed as `--certificate-key` to [`kubeadm init`](/docs/reference/setup-tools/kubeadm/kubeadm-init)
+and [`kubeadm join`](/docs/reference/setup-tools/kubeadm/kubeadm-join)
+to enable the automatic copy of certificates when joining additional control-plane nodes.
+
+{{< tabs name="tab-certs-certificate-key" >}}
+{{< tab name="certificate-key" include="generated/kubeadm_certs_certificate-key.md" />}}
+{{< /tabs >}}
+
+## kubeadm certs check-expiration {#cmd-certs-check-expiration}
+
+This command checks expiration for the certificates in the local PKI managed by kubeadm.
+For more details see
+[Check certificate expiration](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#check-certificate-expiration).
+
+{{< tabs name="tab-certs-check-expiration" >}}
+{{< tab name="check-expiration" include="generated/kubeadm_certs_check-expiration.md" />}}
+{{< /tabs >}}
+
+## kubeadm certs generate-csr {#cmd-certs-generate-csr}
+
+This command can be used to generate keys and CSRs for all control-plane certificates and kubeconfig files.
+The user can then sign the CSRs with a CA of their choice.
+
+{{< tabs name="tab-certs-generate-csr" >}}
+{{< tab name="generate-csr" include="generated/kubeadm_certs_generate-csr.md" />}}
+{{< /tabs >}}
+
+## {{% heading "whatsnext" %}}
+
+* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) to bootstrap a Kubernetes control-plane node
+* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to connect a node to the cluster
+* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`

content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md

@@ -178,7 +178,7 @@ If the flag `--certificate-key` is not passed to `kubeadm init` and
 The following command can be used to generate a new key on demand:
 
 ```shell
-kubeadm alpha certs certificate-key
+kubeadm certs certificate-key
 ```
 
 ### Certificate management with kubeadm
@@ -246,7 +246,7 @@ or use a DNS name or an address of a load balancer.
    nodes. The key can be generated using:
 
    ```shell
-   kubeadm alpha certs certificate-key
+   kubeadm certs certificate-key
    ```
 
 Once the cluster is up, you can grab the admin credentials from the control-plane node

content/en/docs/setup/production-environment/tools/kubeadm/high-availability.md

@@ -133,10 +133,10 @@ option. Your cluster requirements may need a different configuration.
       ...
       You can now join any number of control-plane node by running the following command on each as a root:
           kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 --control-plane --certificate-key f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07
-      
+
       Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
       As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use kubeadm init phase upload-certs to reload certs afterward.
-      
+
       Then you can join any number of worker nodes by running the following on each as root:
           kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866
       ```
@@ -155,7 +155,7 @@ option. Your cluster requirements may need a different configuration.
       To generate such a key you can use the following command:
 
       ```sh
-      kubeadm alpha certs certificate-key
+      kubeadm certs certificate-key
       ```
 
     {{< note >}}

content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md

@@ -52,7 +52,7 @@ setting up a cluster to use an external CA.
 You can use the `check-expiration` subcommand to check when certificates expire:
 
 ```
-kubeadm alpha certs check-expiration
+kubeadm certs check-expiration
 ```
 
 The output is similar to this:
@@ -120,7 +120,7 @@ command. In that case, you should explicitly set `--certificate-renewal=true`.
 
 ## Manual certificate renewal
 
-You can renew your certificates manually at any time with the `kubeadm alpha certs renew` command.
+You can renew your certificates manually at any time with the `kubeadm certs renew` command.
 
 This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in `/etc/kubernetes/pki`.
 
@@ -129,10 +129,10 @@ If you are running an HA cluster, this command needs to be executed on all the c
 {{< /warning >}}
 
 {{< note >}}
-`alpha certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
+`certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
 {{< /note >}}
 
-`kubeadm alpha certs renew` provides the following options:
+`kubeadm certs renew` provides the following options:
 
 The Kubernetes certificates normally reach their expiration date after one year.
 
@@ -170,14 +170,14 @@ controllerManager:
 
 ### Create certificate signing requests (CSR)
 
-You can create the certificate signing requests for the Kubernetes certificates API with `kubeadm alpha certs renew --use-api`.
+You can create the certificate signing requests for the Kubernetes certificates API with `kubeadm certs renew --use-api`.
 
 If you set up an external signer such as [cert-manager](https://github.com/jetstack/cert-manager), certificate signing requests (CSRs) are automatically approved.
 Otherwise, you must manually approve certificates with the [`kubectl certificate`](/docs/setup/best-practices/certificates/) command.
 The following kubeadm command outputs the name of the certificate to approve, then blocks and waits for approval to occur:
 
 ```shell
-sudo kubeadm alpha certs renew apiserver --use-api &
+sudo kubeadm certs renew apiserver --use-api &
 ```
 The output is similar to this:
 ```
@@ -211,13 +211,13 @@ In kubeadm terms, any certificate that would normally be signed by an on-disk CA
 
 ### Create certificate signing requests (CSR)
 
-You can create certificate signing requests with `kubeadm alpha certs renew --csr-only`.
+You can create certificate signing requests with `kubeadm certs renew --csr-only`.
 
 Both the CSR and the accompanying private key are given in the output.
 You can pass in a directory with `--csr-dir` to output the CSRs to the specified location.
 If `--csr-dir` is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.
 
-Certificates can be renewed with `kubeadm alpha certs renew --csr-only`.
+Certificates can be renewed with `kubeadm certs renew --csr-only`.
 As with `kubeadm init`, an output directory can be specified with the `--csr-dir` flag.
 
 A CSR contains a certificate's name, domains, and IPs, but it does not specify usages.