Initial plan

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

.gitlab-ci/kubevirt.yml

@@ -57,6 +57,7 @@ pr:
           - ubuntu24-kube-router-svc-proxy
           - ubuntu24-ha-separate-etcd
           - fedora40-flannel-crio-collection-scale
+          - openeuler24-calico
 
 # This is for flakey test so they don't disrupt the PR worklflow too much.
 # Jobs here MUST have a open issue so we don't lose sight of them
@@ -67,7 +68,6 @@ pr-flakey:
     matrix:
       - TESTCASE:
           - flatcar4081-calico # https://github.com/kubernetes-sigs/kubespray/issues/12309
-          - openeuler24-calico # https://github.com/kubernetes-sigs/kubespray/issues/12877
 
 # The ubuntu24-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu24-calico-all-in-one:

.gitlab-ci/terraform.yml

@@ -116,3 +116,4 @@ tf-elastx_ubuntu24-calico:
     TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
     TF_VAR_image: ubuntu-24.04-server-latest
     TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
+    TESTCASE: $CI_JOB_NAME

README.md

@@ -119,7 +119,7 @@ Note:
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
   - [calico](https://github.com/projectcalico/calico) 3.30.6
-  - [cilium](https://github.com/cilium/cilium) 1.18.6
+  - [cilium](https://github.com/cilium/cilium) 1.19.1
   - [flannel](https://github.com/flannel-io/flannel) 0.27.3
   - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1

docs/CNI/cilium.md

@@ -245,7 +245,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: "1.18.6"
+cilium_version: "1.19.1"
 ```
 
 ## Add variable to config

docs/ingress/kube-vip.md

@@ -63,6 +63,8 @@ kube_vip_bgppeers:
 # kube_vip_bgp_peeraddress:
 # kube_vip_bgp_peerpass:
 # kube_vip_bgp_peeras:
+# kube_vip_bgp_sourceip:
+# kube_vip_bgp_sourceif:
 ```
 
 If using [control plane load-balancing](https://kube-vip.io/docs/about/architecture/#control-plane-load-balancing):

docs/operations/etcd.md

@@ -32,12 +32,12 @@ etcd_metrics_service_labels:
   k8s-app: etcd
   app.kubernetes.io/managed-by: Kubespray
   app: kube-prometheus-stack-kube-etcd
-  release: prometheus-stack
+  release: kube-prometheus-stack
 ```
 
 The last two labels in the above example allows to scrape the metrics from the
 [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
-chart with the following Helm `values.yaml` :
+chart when it is installed with the release name `kube-prometheus-stack` and the following Helm `values.yaml`:
 
 ```yaml
 kubeEtcd:
@@ -45,8 +45,22 @@ kubeEtcd:
     enabled: false
 ```
 
-To fully override metrics exposition urls, define it in the inventory with:
+If your Helm release name is different, adjust the `release` label accordingly.
+
+To fully override metrics exposition URLs, define it in the inventory with:
 
 ```yaml
 etcd_listen_metrics_urls: "http://0.0.0.0:2381"
 ```
+
+If you choose to expose metrics on specific node IPs (for example `10.141.4.22`, `10.141.4.23`, `10.141.4.24`) in `etcd_listen_metrics_urls`,
+you can configure kube-prometheus-stack to scrape those endpoints directly with:
+
+```yaml
+kubeEtcd:
+  enabled: true
+  endpoints:
+    - 10.141.4.22
+    - 10.141.4.23
+    - 10.141.4.24
+```

inventory/sample/group_vars/k8s_cluster/addons.yml

@@ -199,6 +199,8 @@ kube_vip_enabled: false
 # kube_vip_leasename: plndr-cp-lock
 # kube_vip_enable_node_labeling: false
 # kube_vip_lb_fwdmethod: local
+# kube_vip_bgp_sourceip:
+# kube_vip_bgp_sourceif:
 
 # Node Feature Discovery
 node_feature_discovery_enabled: false

inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

@@ -361,8 +361,6 @@ cilium_l2announcements: false
 # -- Enable the use of well-known identities.
 # cilium_enable_well_known_identities: false
 
-# cilium_enable_bpf_clock_probe: true
-
 # -- Whether to enable CNP status updates.
 # cilium_disable_cnp_status_updates: true
 

playbooks/internal_facts.yml

@@ -16,6 +16,8 @@
     - name: Gather and compute network facts
       import_role:
         name: network_facts
+      tags:
+        - always
     - name: Gather minimal facts
       setup:
         gather_subset: '!all'

roles/bootstrap_os/defaults/main.yml

@@ -12,6 +12,10 @@ coreos_locksmithd_disable: false
 # Install epel repo on Centos/RHEL
 epel_enabled: false
 
+## openEuler specific variables
+# Enable metalink for openEuler repos (auto-selects fastest mirror by location)
+openeuler_metalink_enabled: false
+
 ## Oracle Linux specific variables
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true

roles/bootstrap_os/tasks/openEuler.yml

@@ -1,3 +1,43 @@
 ---
-- name: Import Centos boostrap for openEuler
-  import_tasks: centos.yml
+- name: Import CentOS bootstrap for openEuler
+  ansible.builtin.import_tasks: centos.yml
+
+- name: Get existing openEuler repo sections
+  ansible.builtin.shell:
+    cmd: "set -o pipefail && grep '^\\[' /etc/yum.repos.d/openEuler.repo | tr -d '[]'"
+    executable: /bin/bash
+  register: _openeuler_repo_sections
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  become: true
+  when: openeuler_metalink_enabled
+
+- name: Enable metalink for openEuler repos
+  community.general.ini_file:
+    path: /etc/yum.repos.d/openEuler.repo
+    section: "{{ item.key }}"
+    option: metalink
+    value: "{{ item.value }}"
+    no_extra_spaces: true
+    mode: "0644"
+  loop: "{{ _openeuler_metalink_repos | dict2items | selectattr('key', 'in', _openeuler_repo_sections.stdout_lines | default([])) }}"
+  become: true
+  when: openeuler_metalink_enabled
+  register: _openeuler_metalink_result
+  vars:
+    _openeuler_metalink_repos:
+      OS: "https://mirrors.openeuler.org/metalink?repo=$releasever/OS&arch=$basearch"
+      everything: "https://mirrors.openeuler.org/metalink?repo=$releasever/everything&arch=$basearch"
+      EPOL: "https://mirrors.openeuler.org/metalink?repo=$releasever/EPOL/main&arch=$basearch"
+      debuginfo: "https://mirrors.openeuler.org/metalink?repo=$releasever/debuginfo&arch=$basearch"
+      source: "https://mirrors.openeuler.org/metalink?repo=$releasever&arch=source"
+      update: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=$basearch"
+      update-source: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=source"
+
+- name: Clean dnf cache to apply metalink mirror selection
+  ansible.builtin.command: dnf clean all
+  become: true
+  when:
+    - openeuler_metalink_enabled
+    - _openeuler_metalink_result.changed

roles/download/templates/kubeadm-images.yaml.j2

@@ -1,9 +1,9 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: InitConfiguration
 nodeRegistration:
   criSocket: {{ cri_socket }}
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 imageRepository: {{ kubeadm_image_repo }}
 kubernetesVersion: v{{ kube_version }}

roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2

@@ -45,7 +45,7 @@ data:
             force_tcp
         }
         prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_health_port }}
 {% if dns_etchosts | default(None) %}
         hosts /etc/coredns/hosts {
           fallthrough
@@ -132,7 +132,7 @@ data:
             force_tcp
         }
         prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_secondary_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_second_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_second_health_port }}
 {% if dns_etchosts | default(None) %}
         hosts /etc/coredns/hosts {
           fallthrough

roles/kubernetes-apps/snapshots/cinder-csi/templates/cinder-csi-snapshot-class.yml.j2

@@ -1,7 +1,7 @@
 {% for class in snapshot_classes %}
 ---
 kind: VolumeSnapshotClass
-apiVersion: snapshot.storage.k8s.io/v1beta1
+apiVersion: snapshot.storage.k8s.io/v1
 metadata:
   name: "{{ class.name }}"
   annotations:

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -95,7 +95,7 @@
 
 - name: Kubeadm | Create kubeadm config
   template:
-    src: "kubeadm-config.{{ kubeadm_config_api_version }}.yaml.j2"
+    src: "kubeadm-config.v1beta4.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
     mode: "0640"
     validate: "{{ kubeadm_config_validate_enabled | ternary(bin_dir + '/kubeadm config validate --config %s', omit) }}"

roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml

@@ -2,44 +2,21 @@
 - name: Ensure kube-apiserver is up before upgrade
   import_tasks: check-api.yml
 
-  # kubeadm-config.v1beta4 with UpgradeConfiguration requires some values that were previously allowed as args to be specified in the config file
-  # TODO: Remove --skip-phases from command when v1beta4 UpgradeConfiguration supports skipPhases
 - name: Kubeadm | Upgrade first control plane node to {{ kube_version }}
   command: >-
     timeout -k 600s 600s
     {{ bin_dir }}/kubeadm upgrade apply -y v{{ kube_version }}
-    {%- if kubeadm_config_api_version == 'v1beta3' %}
-    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
-    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-    --allow-experimental-upgrades
-    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
-    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
-    --force
-    {%- else %}
     --config={{ kube_config_dir }}/kubeadm-config.yaml
-    {%- endif %}
-    {%- if kube_version is version('1.32.0', '>=') %}
-    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
-    {%- endif %}
   register: kubeadm_upgrade
   when: inventory_hostname == first_kube_control_plane
   failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
   environment:
     PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
 
-# TODO: When we retire kubeadm-config.v1beta3, remove --certificate-renewal, --ignore-preflight-errors, --etcd-upgrade, --patches, and --skip-phases from command, since v1beta4+ supports these in UpgradeConfiguration.node
 - name: Kubeadm | Upgrade other control plane nodes to {{ kube_version }}
   command: >-
     {{ bin_dir }}/kubeadm upgrade node
-    {%- if kubeadm_config_api_version == 'v1beta3' %}
-    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
-    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
-    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
-    {%- else %}
     --config={{ kube_config_dir }}/kubeadm-config.yaml
-    {%- endif %}
-    --skip-phases={{ kubeadm_upgrade_node_phases_skip | join(',') }}
   register: kubeadm_upgrade
   when: inventory_hostname != first_kube_control_plane
   failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2

@@ -1,445 +0,0 @@
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: InitConfiguration
-{% if kubeadm_token is defined %}
-bootstrapTokens:
-- token: "{{ kubeadm_token }}"
-  description: "kubespray kubeadm bootstrap token"
-  ttl: "24h"
-{% endif %}
-localAPIEndpoint:
-  advertiseAddress: "{{ kube_apiserver_address }}"
-  bindPort: {{ kube_apiserver_port }}
-{% if kubeadm_certificate_key is defined %}
-certificateKey: {{ kubeadm_certificate_key }}
-{% endif %}
-nodeRegistration:
-{% if kube_override_hostname | default('') %}
-  name: "{{ kube_override_hostname }}"
-{% endif %}
-{% if 'kube_control_plane' in group_names and 'kube_node' not in group_names %}
-  taints:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/control-plane
-{% else %}
-  taints: []
-{% endif %}
-  criSocket: {{ cri_socket }}
-{% if cloud_provider == "external" %}
-  kubeletExtraArgs:
-    cloud-provider: external
-{% endif %}
-{% if kubeadm_patches | length > 0 %}
-patches:
-  directory: {{ kubeadm_patches_dir }}
-{% endif %}
----
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: ClusterConfiguration
-clusterName: {{ cluster_name }}
-etcd:
-{% if etcd_deployment_type != "kubeadm" %}
-  external:
-      endpoints:
-{% for endpoint in etcd_access_addresses.split(',') %}
-      - "{{ endpoint }}"
-{% endfor %}
-      caFile: {{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}
-      certFile: {{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}
-      keyFile: {{ etcd_cert_dir }}/{{ kube_etcd_key_file }}
-{% elif etcd_deployment_type == "kubeadm" %}
-  local:
-    imageRepository: "{{ etcd_image_repo | regex_replace("/etcd$","") }}"
-    imageTag: "{{ etcd_image_tag }}"
-    dataDir: "{{ etcd_data_dir }}"
-    extraArgs:
-      metrics: {{ etcd_metrics }}
-      election-timeout: "{{ etcd_election_timeout }}"
-      heartbeat-interval: "{{ etcd_heartbeat_interval }}"
-      auto-compaction-retention: "{{ etcd_compaction_retention }}"
-{% if etcd_listen_metrics_urls is defined %}
-      listen-metrics-urls: "{{ etcd_listen_metrics_urls }}"
-{% endif %}
-      snapshot-count: "{{ etcd_snapshot_count }}"
-      quota-backend-bytes: "{{ etcd_quota_backend_bytes }}"
-      max-request-bytes: "{{ etcd_max_request_bytes }}"
-      log-level: "{{ etcd_log_level }}"
-{% for key, value in etcd_extra_vars.items() %}
-      {{ key }}: "{{ value }}"
-{% endfor %}
-    serverCertSANs:
-{% for san in etcd_cert_alt_names %}
-      - "{{ san }}"
-{% endfor %}
-{% for san in etcd_cert_alt_ips %}
-      - "{{ san }}"
-{% endfor %}
-    peerCertSANs:
-{% for san in etcd_cert_alt_names %}
-      - "{{ san }}"
-{% endfor %}
-{% for san in etcd_cert_alt_ips %}
-      - "{{ san }}"
-{% endfor %}
-{% endif %}
-dns:
-  imageRepository: {{ coredns_image_repo | regex_replace('/coredns(?!/coredns).*$', '') }}
-  imageTag: {{ coredns_image_tag }}
-networking:
-  dnsDomain: {{ dns_domain }}
-  serviceSubnet: "{{ kube_service_subnets }}"
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-  podSubnet: "{{ kube_pods_subnets }}"
-{% endif %}
-{% if kubeadm_feature_gates %}
-featureGates:
-{%   for feature in kubeadm_feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}
-kubernetesVersion: v{{ kube_version }}
-{% if kubeadm_config_api_fqdn is defined %}
-controlPlaneEndpoint: "{{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}"
-{% else %}
-controlPlaneEndpoint: "{{ main_ip | ansible.utils.ipwrap }}:{{ kube_apiserver_port }}"
-{% endif %}
-certificatesDir: {{ kube_cert_dir }}
-imageRepository: {{ kubeadm_image_repo }}
-apiServer:
-  extraArgs:
-    etcd-compaction-interval: "{{ kube_apiserver_etcd_compaction_interval }}"
-    default-not-ready-toleration-seconds: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
-    default-unreachable-toleration-seconds: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
-{% if kube_api_anonymous_auth is defined %}
-{# TODO: rework once suppport for structured auth lands #}
-    anonymous-auth: "{{ kube_api_anonymous_auth }}"
-{% endif %}
-{% if kube_apiserver_use_authorization_config_file %}
-    authorization-config: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
-{% else %}
-    authorization-mode: {{ authorization_modes | join(',') }}
-{% endif %}
-    bind-address: "{{ kube_apiserver_bind_address }}"
-{% if kube_apiserver_enable_admission_plugins | length > 0 %}
-    enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
-{% endif %}
-{% if kube_apiserver_admission_control_config_file %}
-    admission-control-config-file: {{ kube_config_dir }}/admission-controls.yaml
-{% endif %}
-{% if kube_apiserver_disable_admission_plugins | length > 0 %}
-    disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
-{% endif %}
-    apiserver-count: "{{ kube_apiserver_count }}"
-    endpoint-reconciler-type: lease
-{% if etcd_events_cluster_enabled %}
-    etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
-{% endif %}
-    service-node-port-range: {{ kube_apiserver_node_port_range }}
-    service-cluster-ip-range: "{{ kube_service_subnets }}"
-    kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
-    profiling: "{{ kube_profiling }}"
-    request-timeout: "{{ kube_apiserver_request_timeout }}"
-    enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
-{% if kube_token_auth %}
-    token-auth-file: {{ kube_token_dir }}/known_tokens.csv
-{% endif %}
-{% if kube_apiserver_service_account_lookup %}
-    service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
-{% endif %}
-{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
-    oidc-issuer-url: "{{ kube_oidc_url }}"
-    oidc-client-id: "{{ kube_oidc_client_id }}"
-{%   if kube_oidc_ca_file is defined %}
-    oidc-ca-file: "{{ kube_oidc_ca_file }}"
-{%   endif %}
-{%   if kube_oidc_username_claim is defined %}
-    oidc-username-claim: "{{ kube_oidc_username_claim }}"
-{%   endif %}
-{%   if kube_oidc_groups_claim is defined %}
-    oidc-groups-claim: "{{ kube_oidc_groups_claim }}"
-{%   endif %}
-{%   if kube_oidc_username_prefix is defined %}
-    oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
-{%   endif %}
-{%   if kube_oidc_groups_prefix is defined %}
-    oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
-{%   endif %}
-{% endif %}
-{% if kube_webhook_token_auth %}
-    authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-{% endif %}
-{% if kube_webhook_authorization and not kube_apiserver_use_authorization_config_file %}
-    authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
-{% endif %}
-{% if kube_encrypt_secret_data %}
-    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
-{% endif %}
-    storage-backend: {{ kube_apiserver_storage_backend }}
-{% if kube_api_runtime_config | length > 0 %}
-    runtime-config: {{ kube_api_runtime_config | join(',') }}
-{% endif %}
-    allow-privileged: "true"
-{% if kubernetes_audit or kubernetes_audit_webhook %}
-    audit-policy-file: {{ audit_policy_file }}
-{% endif %}
-{% if kubernetes_audit %}
-    audit-log-path: "{{ audit_log_path }}"
-    audit-log-maxage: "{{ audit_log_maxage }}"
-    audit-log-maxbackup: "{{ audit_log_maxbackups }}"
-    audit-log-maxsize: "{{ audit_log_maxsize }}"
-{% endif %}
-{% if kubernetes_audit_webhook %}
-    audit-webhook-config-file: {{ audit_webhook_config_file }}
-    audit-webhook-mode: {{ audit_webhook_mode }}
-{% if audit_webhook_mode == "batch" %}
-    audit-webhook-batch-max-size: "{{ audit_webhook_batch_max_size }}"
-    audit-webhook-batch-max-wait: "{{ audit_webhook_batch_max_wait }}"
-{% endif %}
-{% endif %}
-{% for key in kube_kubeadm_apiserver_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
-{% endfor %}
-{% if kube_apiserver_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_apiserver_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-    event-ttl: {{ event_ttl_duration }}
-{% if kubelet_rotate_server_certificates %}
-    kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
-{% endif %}
-{% if kube_apiserver_tracing %}
-    tracing-config-file: {{ kube_config_dir }}/tracing/apiserver-tracing.yaml
-{% endif %}
-{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or apiserver_extra_volumes or ssl_ca_dirs | length %}
-  extraVolumes:
-{% if kube_token_auth %}
-  - name: token-auth-config
-    hostPath: {{ kube_token_dir }}
-    mountPath: {{ kube_token_dir }}
-{% endif %}
-{% if kube_webhook_token_auth %}
-  - name: webhook-token-auth-config
-    hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-    mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-{% endif %}
-{% if kube_webhook_authorization %}
-  - name: webhook-authorization-config
-    hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
-    mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
-{% endif %}
-{% if kube_apiserver_use_authorization_config_file %}
-  - name: authorization-config
-    hostPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
-    mountPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
-{% endif %}
-{% if kubernetes_audit or kubernetes_audit_webhook %}
-  - name: {{ audit_policy_name }}
-    hostPath: {{ audit_policy_hostpath }}
-    mountPath: {{ audit_policy_mountpath }}
-{% if audit_log_path != "-" %}
-  - name: {{ audit_log_name }}
-    hostPath: {{ audit_log_hostpath }}
-    mountPath: {{ audit_log_mountpath }}
-    readOnly: false
-{% endif %}
-{% endif %}
-{% if kube_apiserver_admission_control_config_file %}
-  - name: admission-control-configs
-    hostPath: {{ kube_config_dir }}/admission-controls
-    mountPath: {{ kube_config_dir }}
-    readOnly: false
-    pathType: DirectoryOrCreate
-{% endif %}
-{% if kube_apiserver_tracing %}
-  - name: tracing
-    hostPath: {{ kube_config_dir }}/tracing
-    mountPath: {{ kube_config_dir }}/tracing
-    readOnly: true
-    pathType: DirectoryOrCreate
-{% endif %}
-{% for volume in apiserver_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% if ssl_ca_dirs | length %}
-{% for dir in ssl_ca_dirs %}
-  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
-    hostPath: {{ dir }}
-    mountPath: {{ dir }}
-    readOnly: true
-{% endfor %}
-{% endif %}
-{% endif %}
-  certSANs:
-{% for san in apiserver_sans %}
-  - "{{ san }}"
-{% endfor %}
-  timeoutForControlPlane: 5m0s
-controllerManager:
-  extraArgs:
-    node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
-    node-monitor-period: {{ kube_controller_node_monitor_period }}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-    cluster-cidr: "{{ kube_pods_subnets }}"
-{% endif %}
-    service-cluster-ip-range: "{{ kube_service_subnets }}"
-{% if kube_network_plugin is defined and kube_network_plugin == "calico" and not calico_ipam_host_local %}
-    allocate-node-cidrs: "false"
-{% else %}
-{% if ipv4_stack %}
-    node-cidr-mask-size-ipv4: "{{ kube_network_node_prefix }}"
-{% endif %}
-{% if ipv6_stack %}
-    node-cidr-mask-size-ipv6: "{{ kube_network_node_prefix_ipv6 }}"
-{% endif %}
-{% endif %}
-    profiling: "{{ kube_profiling }}"
-    terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
-    bind-address: "{{ kube_controller_manager_bind_address }}"
-    leader-elect-lease-duration: {{ kube_controller_manager_leader_elect_lease_duration }}
-    leader-elect-renew-deadline: {{ kube_controller_manager_leader_elect_renew_deadline }}
-{% if kube_controller_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_controller_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-{% for key in kube_kubeadm_controller_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
-{% endfor %}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %}
-    configure-cloud-routes: "false"
-{% endif %}
-{% if kubelet_flexvolumes_plugins_dir is defined %}
-    flex-volume-plugin-dir: {{ kubelet_flexvolumes_plugins_dir }}
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-{% if controller_manager_extra_volumes %}
-  extraVolumes:
-{% for volume in controller_manager_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% endif %}
-scheduler:
-  extraArgs:
-    bind-address: "{{ kube_scheduler_bind_address }}"
-    config: {{ kube_config_dir }}/kubescheduler-config.yaml
-{% if kube_scheduler_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_scheduler_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-    profiling: "{{ kube_profiling }}"
-{% if kube_kubeadm_scheduler_extra_args | length > 0 %}
-{% for key in kube_kubeadm_scheduler_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
-{% endfor %}
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-  extraVolumes:
-  - name: kubescheduler-config
-    hostPath: {{ kube_config_dir }}/kubescheduler-config.yaml
-    mountPath: {{ kube_config_dir }}/kubescheduler-config.yaml
-    readOnly: true
-{% if scheduler_extra_volumes %}
-{% for volume in scheduler_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% endif %}
----
-apiVersion: kubeproxy.config.k8s.io/v1alpha1
-kind: KubeProxyConfiguration
-bindAddress: "{{ kube_proxy_bind_address }}"
-clientConnection:
-  acceptContentTypes: {{ kube_proxy_client_accept_content_types }}
-  burst: {{ kube_proxy_client_burst }}
-  contentType: {{ kube_proxy_client_content_type }}
-  kubeconfig: {{ kube_proxy_client_kubeconfig }}
-  qps: {{ kube_proxy_client_qps }}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-clusterCIDR: "{{ kube_pods_subnets }}"
-{% endif %}
-configSyncPeriod: {{ kube_proxy_config_sync_period }}
-conntrack:
-  maxPerCore: {{ kube_proxy_conntrack_max_per_core }}
-  min: {{ kube_proxy_conntrack_min }}
-  tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }}
-  tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }}
-enableProfiling: {{ kube_proxy_enable_profiling }}
-healthzBindAddress: "{{ kube_proxy_healthz_bind_address }}"
-hostnameOverride: "{{ kube_override_hostname }}"
-iptables:
-  masqueradeAll: {{ kube_proxy_masquerade_all }}
-  masqueradeBit: {{ kube_proxy_masquerade_bit }}
-  minSyncPeriod: {{ kube_proxy_min_sync_period }}
-  syncPeriod: {{ kube_proxy_sync_period }}
-ipvs:
-  excludeCIDRs: {{ kube_proxy_exclude_cidrs }}
-  minSyncPeriod: {{ kube_proxy_min_sync_period }}
-  scheduler: {{ kube_proxy_scheduler }}
-  syncPeriod: {{ kube_proxy_sync_period }}
-  strictARP: {{ kube_proxy_strict_arp }}
-  tcpTimeout: {{ kube_proxy_tcp_timeout }}
-  tcpFinTimeout: {{ kube_proxy_tcp_fin_timeout }}
-  udpTimeout: {{ kube_proxy_udp_timeout }}
-metricsBindAddress: "{{ kube_proxy_metrics_bind_address }}"
-mode: {{ kube_proxy_mode }}
-nodePortAddresses: {{ kube_proxy_nodeport_addresses }}
-oomScoreAdj: {{ kube_proxy_oom_score_adj }}
-portRange: {{ kube_proxy_port_range }}
-{% if kube_proxy_feature_gates or kube_feature_gates %}
-{% set feature_gates = ( kube_proxy_feature_gates | default(kube_feature_gates, true) ) %}
-featureGates:
-{%   for feature in feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}
-{# DNS settings for kubelet #}
-{% if enable_nodelocaldns %}
-{% set kubelet_cluster_dns = [nodelocaldns_ip] %}
-{% elif dns_mode in ['coredns'] %}
-{% set kubelet_cluster_dns = [skydns_server] %}
-{% elif dns_mode == 'coredns_dual' %}
-{% set kubelet_cluster_dns = [skydns_server,skydns_server_secondary] %}
-{% elif dns_mode == 'manual' %}
-{% set kubelet_cluster_dns = [manual_dns_server] %}
-{% else %}
-{% set kubelet_cluster_dns = [] %}
-{% endif %}
----
-apiVersion: kubelet.config.k8s.io/v1beta1
-kind: KubeletConfiguration
-{% if kube_version is version('1.35.0', '>=') %}
-failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
-{% endif %}
-clusterDNS:
-{% for dns_address in kubelet_cluster_dns %}
-- {{ dns_address }}
-{% endfor %}
-{% if kubelet_feature_gates or kube_feature_gates %}
-{% set feature_gates = ( kubelet_feature_gates | default(kube_feature_gates, true) ) %}
-featureGates:
-{%   for feature in feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}

roles/kubernetes/control-plane/templates/kubeadm-controlplane.yaml.j2

@@ -1,4 +1,4 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration
 discovery:
 {% if kubeadm_use_file_discovery %}
@@ -15,13 +15,8 @@ discovery:
     unsafeSkipCAVerification: true
 {% endif %}
   tlsBootstrapToken: {{ kubeadm_token }}
-{# TODO: drop the if when we drop support for k8s<1.31 #}
-{% if kubeadm_config_api_version == 'v1beta3' %}
-  timeout: {{ discovery_timeout }}
-{% else %}
 timeouts:
   discovery: {{ discovery_timeout }}
-{% endif %}
 controlPlane:
   localAPIEndpoint:
     advertiseAddress: "{{ kube_apiserver_address }}"

roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2

@@ -1,5 +1,5 @@
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration
 discovery:
 {% if kubeadm_use_file_discovery %}
@@ -21,13 +21,8 @@ discovery:
 {% endif %}
 {% endif %}
   tlsBootstrapToken: {{ kubeadm_token }}
-{# TODO: drop the if when we drop support for k8s<1.31 #}
-{% if kubeadm_config_api_version == 'v1beta3' %}
-  timeout: {{ discovery_timeout }}
-{% else %}
 timeouts:
   discovery: {{ discovery_timeout }}
-{% endif %}
 caCertPath: {{ kube_cert_dir }}/ca.crt
 {% if kubeadm_cert_controlplane is defined and kubeadm_cert_controlplane %}
 controlPlane:

roles/kubernetes/node/defaults/main.yml

@@ -86,6 +86,8 @@ kube_vip_leaseduration: 5
 kube_vip_renewdeadline: 3
 kube_vip_retryperiod: 1
 kube_vip_enable_node_labeling: false
+kube_vip_bgp_sourceip:
+kube_vip_bgp_sourceif:
 
 # Requests for load balancer app
 loadbalancer_apiserver_memory_requests: 32M

roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml

@@ -6,6 +6,17 @@
     - kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
     - kube_vip_arp_enabled
 
+- name: Kube-vip | Check mutually exclusive BGP source settings
+  vars:
+    kube_vip_bgp_sourceip_normalized: "{{ kube_vip_bgp_sourceip | default('', true) | string | trim }}"
+    kube_vip_bgp_sourceif_normalized: "{{ kube_vip_bgp_sourceif | default('', true) | string | trim }}"
+  assert:
+    that:
+      - kube_vip_bgp_sourceip_normalized == '' or kube_vip_bgp_sourceif_normalized == ''
+    fail_msg: "kube-vip allows only one of kube_vip_bgp_sourceip or kube_vip_bgp_sourceif."
+  when:
+    - kube_vip_bgp_enabled | default(false)
+
 - name: Kube-vip | Check if super-admin.conf exists
   stat:
     path: "{{ kube_config_dir }}/super-admin.conf"

roles/kubernetes/node/templates/manifests/kube-vip.manifest.j2

@@ -85,6 +85,16 @@ spec:
       value: {{ kube_vip_bgp_peerpass | to_json }}
     - name: bgp_peeras
       value: {{ kube_vip_bgp_peeras | string | to_json }}
+{% set kube_vip_bgp_sourceip_normalized = kube_vip_bgp_sourceip | default('', true) | string | trim %}
+{% if kube_vip_bgp_sourceip_normalized %}
+    - name: bgp_sourceip
+      value: {{ kube_vip_bgp_sourceip_normalized | to_json }}
+{% endif %}
+{% set kube_vip_bgp_sourceif_normalized = kube_vip_bgp_sourceif | default('', true) | string | trim %}
+{% if kube_vip_bgp_sourceif_normalized %}
+    - name: bgp_sourceif
+      value: {{ kube_vip_bgp_sourceif_normalized | to_json }}
+{% endif %}
 {% if kube_vip_bgppeers %}
     - name: bgp_peers
       value: {{ kube_vip_bgppeers | join(',')  | to_json }}

roles/kubespray_defaults/defaults/main/download.yml

@@ -116,7 +116,7 @@ flannel_version: 0.27.3
 flannel_cni_version: 1.7.1-flannel1
 cni_version: "{{ (cni_binary_checksums['amd64'] | dict2items)[0].key }}"
 
-cilium_version: "1.18.6"
+cilium_version: "1.19.1"
 cilium_cli_version: "{{ (ciliumcli_binary_checksums['amd64'] | dict2items)[0].key }}"
 cilium_enable_hubble: false
 
@@ -263,9 +263,9 @@ kube_vip_version: 1.0.3
 kube_vip_image_repo: "{{ github_image_repo }}/kube-vip/kube-vip{{ '-iptables' if kube_vip_lb_fwdmethod == 'masquerade' else '' }}"
 kube_vip_image_tag: "v{{ kube_vip_version }}"
 nginx_image_repo: "{{ docker_image_repo }}/library/nginx"
-nginx_image_tag: 1.28.0-alpine
+nginx_image_tag: 1.28.2-alpine
 haproxy_image_repo: "{{ docker_image_repo }}/library/haproxy"
-haproxy_image_tag: 3.2.4-alpine
+haproxy_image_tag: 3.2.13-alpine
 
 # Coredns version should be supported by corefile-migration (or at least work with)
 # bundle with kubeadm; if not 'basic' upgrade can sometimes fail

roles/kubespray_defaults/defaults/main/main.yml

@@ -33,10 +33,6 @@ kube_version_min_required: "{{ (kubelet_checksums['amd64'] | dict2items)[-1].key
 ## Kube Proxy mode One of ['ipvs', 'iptables', 'nftables']
 kube_proxy_mode: ipvs
 
-# Kubeadm config api version
-# If kube_version is v1.31 or higher, it will be v1beta4, otherwise it will be v1beta3.
-kubeadm_config_api_version: "{{ 'v1beta4' if kube_version is version('1.31.0', '>=') else 'v1beta3' }}"
-
 # Debugging option for the kubeadm config validate command
 # Set to false only for development and testing scenarios where validation is expected to fail (pre-release Kubernetes versions, etc.)
 kubeadm_config_validate_enabled: true
@@ -222,6 +218,21 @@ kube_network_plugin_multus: false
 # This enables to deploy cilium alongside another CNI to replace kube-proxy.
 cilium_deploy_additionally: false
 
+# Identity allocation mode selects how identities are shared between cilium
+# nodes by setting how they are stored. The options are "crd" or "kvstore".
+# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
+#   These can be queried with:
+#     `kubectl get ciliumid`
+# - "kvstore" stores identities in an etcd kvstore.
+# - In order to support External Workloads, "crd" is required
+#   - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
+# - KVStore operations are only required when cilium-operator is running with any of the below options:
+#   - --synchronize-k8s-services
+#   - --synchronize-k8s-nodes
+#   - --identity-allocation-mode=kvstore
+#   - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
+cilium_identity_allocation_mode: crd
+
 # Determines if calico_rr group exists
 peer_with_calico_rr: "{{ 'calico_rr' in groups and groups['calico_rr'] | length > 0 }}"
 

roles/network_facts/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# Additional string host to inject into NO_PROXY
+additional_no_proxy: ""
+additional_no_proxy_list: "{{ additional_no_proxy | split(',') }}"
+no_proxy_exclude_workers: false

roles/network_facts/tasks/main.yaml

@@ -1,8 +1,4 @@
 ---
-- name: Set facts variables
-  tags:
-    - always
-  block:
 - name: Gather node IPs
   setup:
     gather_subset: '!all,!min,network'
@@ -10,7 +6,7 @@
   when: ansible_default_ipv4 is not defined or ansible_default_ipv6 is not defined
   ignore_unreachable: true
 
-    - name: Set computed IPs varables
+- name: Set computed IPs variables
   vars:
     fallback_ip: "{{ ansible_default_ipv4.address | d('127.0.0.1') }}"
     fallback_ip6: "{{ ansible_default_ipv6.address | d('::1') }}"
@@ -34,8 +30,34 @@
     main_access_ips: "{{ _access_ips | select }}"
     main_ips: "{{ _ips | select }}"
 
-    - name: Set no_proxy
-      import_tasks: no_proxy.yml
+- name: Set no_proxy to all assigned cluster IPs and hostnames
   when:
     - http_proxy is defined or https_proxy is defined
     - no_proxy is not defined
+  vars:
+    groups_with_no_proxy:
+      - kube_control_plane
+      - "{{ '' if no_proxy_exclude_workers else 'kube_node' }}" # TODO: exclude by a boolean in inventory rather than global variable
+      - etcd
+      - calico_rr
+    hosts_with_no_proxy: "{{ groups_with_no_proxy | select | map('extract', groups) | select('defined') | flatten }}"
+    _hostnames: "{{ (hosts_with_no_proxy +
+                      (hosts_with_no_proxy | map('extract', hostvars, morekeys=['ansible_hostname'])
+                      | select('defined')))
+                    | unique }}"
+    no_proxy_prepare:
+      - "{{ apiserver_loadbalancer_domain_name | d('') }}"
+      - "{{ loadbalancer_apiserver.address if loadbalancer_apiserver is defined else '' }}"
+      - "{{ hosts_with_no_proxy | map('extract', hostvars, morekeys=['main_access_ip']) }}"
+      - "{{ _hostnames }}"
+      - "{{ _hostnames | map('regex_replace', '$', '.' + dns_domain ) }}"
+      - "{{ additional_no_proxy_list }}"
+      - 127.0.0.1
+      - localhost
+      - "{{ kube_service_subnets }}"
+      - "{{ kube_pods_subnets }}"
+      - svc
+      - "svc.{{ dns_domain }}"
+  set_fact:
+    no_proxy: "{{ no_proxy_prepare | select | flatten | unique | join(',') }}"
+  run_once: true

roles/network_facts/tasks/no_proxy.yml

@@ -1,40 +0,0 @@
----
-- name: Set no_proxy to all assigned cluster IPs and hostnames
-  set_fact:
-    # noqa: jinja[spacing]
-    no_proxy_prepare: >-
-      {%- if loadbalancer_apiserver is defined -%}
-      {{ apiserver_loadbalancer_domain_name }},
-      {{ loadbalancer_apiserver.address | default('') }},
-      {%- endif -%}
-      {%- if no_proxy_exclude_workers | default(false) -%}
-      {% set cluster_or_control_plane = 'kube_control_plane' %}
-      {%- else -%}
-      {% set cluster_or_control_plane = 'k8s_cluster' %}
-      {%- endif -%}
-      {%- for item in (groups[cluster_or_control_plane] + groups['etcd'] | default([]) + groups['calico_rr'] | default([])) | unique -%}
-      {{ hostvars[item]['main_access_ip'] }},
-      {%- if item != hostvars[item].get('ansible_hostname', '') -%}
-      {{ hostvars[item]['ansible_hostname'] }},
-      {{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }},
-      {%- endif -%}
-      {{ item }},{{ item }}.{{ dns_domain }},
-      {%- endfor -%}
-      {%- if additional_no_proxy is defined -%}
-      {{ additional_no_proxy }},
-      {%- endif -%}
-      127.0.0.1,localhost,{{ kube_service_subnets }},{{ kube_pods_subnets }},svc,svc.{{ dns_domain }}
-  delegate_to: localhost
-  connection: local
-  delegate_facts: true
-  become: false
-  run_once: true
-
-- name: Populates no_proxy to all hosts
-  set_fact:
-    no_proxy: "{{ hostvars.localhost.no_proxy_prepare | select }}"
-    # noqa: jinja[spacing]
-    proxy_env: "{{ proxy_env | combine({
-        'no_proxy': hostvars.localhost.no_proxy_prepare,
-        'NO_PROXY': hostvars.localhost.no_proxy_prepare
-      }) }}"

roles/network_plugin/calico/templates/calico-apiserver.yml.j2

@@ -177,6 +177,9 @@ rules:
   - blockaffinities
   - caliconodestatuses
   - tiers
+  - stagednetworkpolicies
+  - stagedglobalnetworkpolicies
+  - stagedkubernetesnetworkpolicies
   verbs:
   - get
   - list

roles/network_plugin/calico/templates/calico-cr.yml.j2

@@ -215,3 +215,17 @@ rules:
       - calico-cni-plugin
     verbs:
       - create
+{% if calico_version is version('3.29.0', '>=') %}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-tier-getter
+rules:
+  - apiGroups:
+      - "projectcalico.org"
+    resources:
+      - "tiers"
+    verbs:
+      - "get"
+{% endif %}

roles/network_plugin/calico/templates/calico-crb.yml.j2

@@ -26,3 +26,18 @@ subjects:
 - kind: ServiceAccount
   name: calico-cni-plugin
   namespace: kube-system
+{% if calico_version is version('3.29.0', '>=') %}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-tier-getter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-tier-getter
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: system:kube-controller-manager
+{% endif %}

roles/network_plugin/cilium/defaults/main.yml

@@ -14,21 +14,6 @@ cilium_l2announcements: false
 # Cilium agent health port
 cilium_agent_health_port: "9879"
 
-# Identity allocation mode selects how identities are shared between cilium
-# nodes by setting how they are stored. The options are "crd" or "kvstore".
-# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
-#   These can be queried with:
-#     `kubectl get ciliumid`
-# - "kvstore" stores identities in an etcd kvstore.
-# - In order to support External Workloads, "crd" is required
-#   - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
-# - KVStore operations are only required when cilium-operator is running with any of the below options:
-#   - --synchronize-k8s-services
-#   - --synchronize-k8s-nodes
-#   - --identity-allocation-mode=kvstore
-#   - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
-cilium_identity_allocation_mode: crd
-
 # Etcd SSL dirs
 cilium_cert_dir: /etc/cilium/certs
 kube_etcd_cacert_file: ca.pem
@@ -305,12 +290,9 @@ cilium_enable_well_known_identities: false
 # Only effective when monitor aggregation is set to "medium" or higher.
 cilium_monitor_aggregation_flags: "all"
 
-cilium_enable_bpf_clock_probe: true
-
 # -- Enable BGP Control Plane
 cilium_enable_bgp_control_plane: false
 
-
 # -- Configure BGP Instances (New bgpv2 API v1.16+)
 cilium_bgp_cluster_configs: []
 

roles/network_plugin/cilium/templates/cilium/cilium-bgp-advertisement.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_bgp_advertisement in cilium_bgp_advertisements %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumBGPAdvertisement
 metadata:
   name: "{{ cilium_bgp_advertisement.name }}"

roles/network_plugin/cilium/templates/cilium/cilium-bgp-cluster-config.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_bgp_cluster_config in cilium_bgp_cluster_configs %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumBGPClusterConfig
 metadata:
   name: "{{ cilium_bgp_cluster_config.name }}"

roles/network_plugin/cilium/templates/cilium/cilium-bgp-node-config-override.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_bgp_node_config_override in cilium_bgp_node_config_overrides %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumBGPNodeConfigOverride
 metadata:
   name: "{{ cilium_bgp_node_config_override.name }}"

roles/network_plugin/cilium/templates/cilium/cilium-bgp-peer-config.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_bgp_peer_config in cilium_bgp_peer_configs %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumBGPPeerConfig
 metadata:
   name: "{{ cilium_bgp_peer_config.name }}"

roles/network_plugin/cilium/templates/cilium/cilium-loadbalancer-ip-pool.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_loadbalancer_ip_pool in cilium_loadbalancer_ip_pools %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumLoadBalancerIPPool
 metadata:
   name: "{{ cilium_loadbalancer_ip_pool.name }}"

roles/network_plugin/cilium/templates/values.yaml.j2

@@ -62,8 +62,8 @@ cni:
 
 autoDirectNodeRoutes: {{ cilium_auto_direct_node_routes | to_json }}
 
-ipv4NativeRoutingCIDR: {{ cilium_native_routing_cidr }}
-ipv6NativeRoutingCIDR: {{ cilium_native_routing_cidr_ipv6 }}
+ipv4NativeRoutingCIDR: "{{ cilium_native_routing_cidr }}"
+ipv6NativeRoutingCIDR: "{{ cilium_native_routing_cidr_ipv6 }}"
 
 encryption:
   enabled: {{ cilium_encryption_enabled | to_json }}
@@ -143,6 +143,14 @@ cgroup:
     enabled: {{ cilium_cgroup_auto_mount | to_json }}
   hostRoot: {{ cilium_cgroup_host_root }}
 
+resources:
+  limits:
+    memory: "{{ cilium_memory_limit }}"
+    cpu: "{{ cilium_cpu_limit }}"
+  requests:
+    memory: "{{ cilium_memory_requests }}"
+    cpu: "{{ cilium_cpu_requests }}"
+
 operator:
   image:
     repository: {{ cilium_operator_image_repo }}

roles/network_plugin/custom_cni/meta/main.yml

@@ -14,6 +14,7 @@ dependencies:
         chart_ref: "{{ custom_cni_chart_ref }}"
         chart_version: "{{ custom_cni_chart_version }}"
         wait: true
+        create_namespace: true
         values: "{{ custom_cni_chart_values }}"
     repositories:
       - name: "{{ custom_cni_chart_repository_name }}"

roles/remove_node/pre_remove/tasks/main.yml

@@ -17,6 +17,8 @@
       --grace-period {{ drain_grace_period }}
       --timeout {{ drain_timeout }}
       --delete-emptydir-data {{ kube_override_hostname }}
+  async: "{{ (drain_timeout | regex_replace('s$', '') | int) + 120 }}"
+  poll: 15
   when:
     - groups['kube_control_plane'] | length > 0
     # ignore servers that are not nodes

roles/upgrade/pre-upgrade/tasks/main.yml

@@ -59,6 +59,8 @@
         --timeout {{ drain_timeout }}
         --delete-emptydir-data {{ kube_override_hostname | default(inventory_hostname) }}
         {% if drain_pod_selector %}--pod-selector '{{ drain_pod_selector }}'{% endif %}
+      async: "{{ (drain_timeout | regex_replace('s$', '') | int) + 120 }}"
+      poll: 15
       when: drain_nodes
       register: result
       failed_when:
@@ -82,6 +84,8 @@
         --delete-emptydir-data {{ kube_override_hostname | default(inventory_hostname) }}
         {% if drain_pod_selector %}--pod-selector '{{ drain_pod_selector }}'{% endif %}
         --disable-eviction
+      async: "{{ (drain_fallback_timeout | regex_replace('s$', '') | int) + 120 }}"
+      poll: 15
       register: drain_fallback_result
       until: drain_fallback_result.rc == 0
       retries: "{{ drain_fallback_retries }}"

roles/validate_inventory/tasks/main.yml

@@ -213,3 +213,13 @@
   when:
     - kube_external_ca_mode
     - not ignore_assert_errors
+
+- name: Download_file | Check if requested Kubernetes are supported
+  assert:
+    that:
+      - kube_version in kubeadm_checksums[image_arch]
+      - kube_version in kubelet_checksums[image_arch]
+      - kube_version in kubectl_checksums[image_arch]
+    msg: >-
+      Kubernetes v{{ kube_version }} is not supported for {{ image_arch }}.
+      Please check roles/kubespray_defaults/vars/main/checksums.yml for supported versions.

test-infra/image-builder/README.md

@@ -0,0 +1,57 @@
+# KubeVirt Image Builder
+
+Build and push KubeVirt VM disk images to quay.io for Kubespray CI testing.
+
+## How It Works
+
+The Ansible playbook downloads upstream cloud images, converts them to qcow2, resizes (+8G), wraps each in a Docker image based on `kubevirt/registry-disk-v1alpha`, and pushes to `quay.io/kubespray/vm-<os-name>:<tag>`.
+
+## Prerequisites
+
+- Docker, `qemu-img`, Ansible
+- Push access to [quay.io/kubespray](https://quay.io/organization/kubespray) (robot account `kubespray+buildvmimages`)
+
+## Image Definitions
+
+All OS images are defined in [`roles/kubevirt-images/defaults/main.yml`](roles/kubevirt-images/defaults/main.yml).
+
+Each entry specifies:
+
+| Field | Description |
+|-------|-------------|
+| `filename` | Downloaded file name |
+| `url` | Upstream cloud image URL |
+| `checksum` | Checksum for download verification |
+| `converted` | `true` if the source is already qcow2, `false` if conversion is needed |
+| `tag` | Docker image tag (usually `latest`) |
+
+## Usage
+
+### Build and push all images
+
+```bash
+cd test-infra/image-builder/
+make docker_password=<quay-robot-token>
+```
+
+### Add a new OS image
+
+1. Add a new entry to `roles/kubevirt-images/defaults/main.yml`:
+
+   ```yaml
+   new-os-name:
+     filename: cloud-image-file.qcow2
+     url: https://example.com/cloud-image-file.qcow2
+     checksum: sha256:<hash>
+     converted: true
+     tag: "latest"
+   ```
+
+2. Build and push the image:
+
+   ```bash
+   make docker_password=<quay-robot-token>
+   ```
+
+3. Submit a PR with the `defaults/main.yml` change so CI can use the new image.
+   See [#12379](https://github.com/kubernetes-sigs/kubespray/pull/12379) for an example.

tests/cloud_playbooks/roles/packet-ci/vars/main.yml

@@ -50,6 +50,8 @@ cloudinit_config: |
       partition: 'none'
   mounts:
     - ['/dev/disk/by-id/virtio-2825A83CBDC8A32D5E', '/tmp/releases']
+  runcmd:
+    - chmod 777 /tmp/releases
 
 ignition_config:
   ignition:
@@ -68,3 +70,9 @@ ignition_config:
         format: ext4
         path: /tmp/releases
         wipeFilesystem: true
+    directories:
+      - path: /tmp/releases
+        # ignition require a integer, so using the octal notation is easier
+        # than noting it in decimal form
+        # yamllint disable-line rule:octal-values
+        mode: 0777

tests/files/openeuler24-calico.yml

@@ -3,8 +3,11 @@
 cloud_image: openeuler-2403
 vm_memory: 3072
 
-# Openeuler package mgmt is slow for some reason
-pkg_install_timeout: "{{ 10 * 60 }}"
+# Use metalink for faster package downloads (auto-selects closest mirror)
+openeuler_metalink_enabled: true
+
+# CI package installation takes ~7min; default 5min is too tight, use 15min for margin
+pkg_install_timeout: "{{ 15 * 60 }}"
 
 # Work around so the Kubernetes 1.35 tests can pass. We will discuss the openeuler support later.
 kubeadm_ignore_preflight_errors:

tests/files/rockylinux10-cilium.yml

@@ -13,3 +13,21 @@ kube_owner: root
 # Node Feature Discovery
 node_feature_discovery_enabled: true
 kube_asymmetric_encryption_algorithm: "ECDSA-P256"
+
+# Testing no_proxy setup
+# The proxy is not intended to be accessed at all, we're only testing
+# the no_proxy construction
+https_proxy: "http://some-proxy.invalid"
+http_proxy: "http://some-proxy.invalid"
+additional_no_proxy_list:
+  - github.com
+  - githubusercontent.com
+  - k8s.io
+  - rockylinux.org
+  - docker.io
+  - googleapis.com
+  - quay.io
+  - pkg.dev
+  - amazonaws.com
+  - cilium.io
+skip_http_proxy_on_os_packages: true

tests/requirements.txt

@@ -1,4 +1,4 @@
 -r ../requirements.txt
 distlib==0.4.0 # required for building collections
-molecule==25.12.0
+molecule==26.3.0
 pytest-testinfra==10.2.2