The clusters should be migrated to bullseye and PKI before upgrading the clusters as a whole to k8s 1.23.
The idea is to do one reimage at a time, doing a member remove/add for each of them to allow etcd to bootstrap correctly. Finally, we'll just apply the PKI settings.