Docs: update 2.29.0 to 2.30.0 (#12899 )

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
wait for control plane node to become ready after joining (#12794 )
2026-02-04 08:48:42 +03:00 · 2026-01-29 23:45:50 +05:30 · 2026-01-28 22:15:51 +05:30 · 2026-01-27 20:25:52 +05:30 · 2026-01-27 20:21:53 +05:30 · 2026-01-27 16:43:48 +05:30
14 changed files with 40 additions and 27 deletions
--- a/.github/workflows/auto-label-os.yml
+++ b/.github/workflows/auto-label-os.yml
@@ -13,7 +13,7 @@ jobs:
      issues: write

    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: Parse issue form
        uses: stefanbuck/github-issue-parser@10dcc54158ba4c137713d9d69d70a2da63b6bda3
--- a/.github/workflows/upgrade-patch-versions.yml
+++ b/.github/workflows/upgrade-patch-versions.yml
@@ -11,7 +11,7 @@ jobs:
  update-patch-versions:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        ref: ${{ inputs.branch }}
    - uses: actions/setup-python@v6
@@ -29,7 +29,7 @@ jobs:
          ~/.cache/pre-commit
    - run: pre-commit run --all-files propagate-ansible-variables
      continue-on-error: true
-    - uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725
+    - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
      with:
        commit-message: Patch versions updates
        title: Patch versions updates - ${{ inputs.branch }}
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Ensure you have installed Docker then
 ```ShellSession
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.29.0 bash
+  quay.io/kubespray/kubespray:v2.30.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
@@ -118,8 +118,8 @@ Note:
  - [cri-o](http://cri-o.io/) 1.34.4 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
-  - [calico](https://github.com/projectcalico/calico) 3.30.5
-  - [cilium](https://github.com/cilium/cilium) 1.18.5
+  - [calico](https://github.com/projectcalico/calico) 3.30.6
+  - [cilium](https://github.com/cilium/cilium) 1.18.6
  - [flannel](https://github.com/flannel-io/flannel) 0.27.3
  - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
  - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -15,7 +15,7 @@ The Kubespray Project is released on an as-needed basis. The process is as follo
 1. The release issue is closed
 1. An announcement email is sent to `dev@kubernetes.io` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
 1. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
-1. Create/Update Issue for upgradeing kubernetes and [k8s-conformance](https://github.com/cncf/k8s-conformance)
+1. Create/Update Issue for upgrading kubernetes and [k8s-conformance](https://github.com/cncf/k8s-conformance)

 ## Major/minor releases and milestones

--- a/docs/CNI/cilium.md
+++ b/docs/CNI/cilium.md
@@ -245,7 +245,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version

 ```yml
-cilium_version: "1.18.5"
+cilium_version: "1.18.6"
 ```

 ## Add variable to config
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -193,11 +193,11 @@ You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mou
 to access the inventory and SSH key in the container, like this:

 ```ShellSession
-git checkout v2.29.0
-docker pull quay.io/kubespray/kubespray:v2.29.0
+git checkout v2.30.0
+docker pull quay.io/kubespray/kubespray:v2.30.0
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.29.0 bash
+  quay.io/kubespray/kubespray:v2.30.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -56,8 +56,8 @@ cilium_l2announcements: false
 #
 # Only effective when monitor aggregation is set to "medium" or higher.
 # cilium_monitor_aggregation_flags: "all"
-# Kube Proxy Replacement mode (strict/partial)
-# cilium_kube_proxy_replacement: partial
+# Kube Proxy Replacement mode (true/false)
+# cilium_kube_proxy_replacement: false

 # If upgrading from Cilium < 1.5, you may want to override some of these options
 # to prevent service disruptions. See also:
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,6 +2,6 @@ ansible==10.7.0
 # Needed for community.crypto module
 cryptography==46.0.3
 # Needed for jinja2 json_query templating
-jmespath==1.0.1
+jmespath==1.1.0
 # Needed for ansible.utils.ipaddr
 netaddr==1.3.0
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -5,8 +5,7 @@
    group: "{{ etcd_cert_group }}"
    state: directory
    owner: "{{ etcd_owner }}"
-    mode: "{{ etcd_cert_dir_mode }}"
-    recurse: true
+    mode: "0700"

 - name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})"
  file:
@@ -145,15 +144,6 @@
    - ('k8s_cluster' in group_names) and
        sync_certs | default(false) and inventory_hostname not in groups['etcd']

- name: Gen_certs | check certificate permissions
-  file:
-    path: "{{ etcd_cert_dir }}"
-    group: "{{ etcd_cert_group }}"
-    state: directory
-    owner: "{{ etcd_owner }}"
-    mode: "{{ etcd_cert_dir_mode }}"
-    recurse: true
-
 # This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
 # TODO: fix certs generation to have the same file everywhere
 # OR work with kubeadm on node-specific config
--- a/roles/etcd_defaults/defaults/main.yml
+++ b/roles/etcd_defaults/defaults/main.yml
@@ -18,7 +18,6 @@ etcd_backup_retention_count: -1
 force_etcd_cert_refresh: true
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
-etcd_cert_dir_mode: "0700"
 etcd_cert_group: root
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -2,6 +2,9 @@
 # disable upgrade cluster
 upgrade_cluster_setup: false

+# Number of retries (with 5 seconds interval) to check that new control plane nodes
+# are in Ready condition after joining
+control_plane_node_become_ready_tries: 24
 # By default the external API listens on all interfaces, this can be changed to
 # listen on a specific address/interface.
 # NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost
--- a/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
@@ -98,3 +98,18 @@
  when:
    - inventory_hostname != first_kube_control_plane
    - kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists
+
+- name: Wait for new control plane nodes to be Ready
+  when: kubeadm_already_run.stat.exists
+  run_once: true
+  command: >
+    {{ kubectl }} get nodes --selector node-role.kubernetes.io/control-plane
+    -o jsonpath-as-json="{.items[*].status.conditions[?(@.type == 'Ready')]}"
+  register: control_plane_node_ready_conditions
+  retries: "{{ control_plane_node_become_ready_tries }}"
+  delay: 5
+  delegate_to: "{{ groups['kube_control_plane'][0] }}"
+  until: >
+    control_plane_node_ready_conditions.stdout
+    | from_json | selectattr('status', '==', 'True')
+    | length == (groups['kube_control_plane'] | length)
--- a/roles/kubespray_defaults/defaults/main/download.yml
+++ b/roles/kubespray_defaults/defaults/main/download.yml
@@ -116,7 +116,7 @@ flannel_version: 0.27.3
 flannel_cni_version: 1.7.1-flannel1
 cni_version: "{{ (cni_binary_checksums['amd64'] | dict2items)[0].key }}"

-cilium_version: "1.18.5"
+cilium_version: "1.18.6"
 cilium_cli_version: "{{ (ciliumcli_binary_checksums['amd64'] | dict2items)[0].key }}"
 cilium_enable_hubble: false

--- a/roles/kubespray_defaults/vars/main/checksums.yml
+++ b/roles/kubespray_defaults/vars/main/checksums.yml
@@ -440,6 +440,7 @@ cni_binary_checksums:
    1.6.0: sha256:d8d4bd74247407c8c73de057bc00adac28bb1ed2d2ee60a9dda278e3b398bcc2
 calicoctl_binary_checksums:
  arm64:
+    3.30.6: sha256:47ecc00bdd797f82e4bac0ff3904c3a5143ba2d61e8ae1cbbce286ca76d3790a
    3.30.5: sha256:7611343e7a56e770b95e2bb882dda787efbbd4331b1dd6316ff8ea189238dfaa
    3.30.4: sha256:b21fbbc55b6f5d50c1c0faae714242cae3e013185cb8e26ce56981bd10da260d
    3.30.3: sha256:2ae0474b88a6042e5489d7410d2669a9d443c9d5c51e2bdc8ebe4d6dd98f2475
@@ -461,6 +462,7 @@ calicoctl_binary_checksums:
    3.28.1: sha256:c062d13534498a427c793a4a9190be4df3cf796a3feb29e4a501e1d6f48daa7c
    3.28.0: sha256:c4ca8563d2a920729116a3a30171c481580c8c447938ce974ce14d7ce25a31bf
  amd64:
+    3.30.6: sha256:2017e19727dca689d8bb73a9d8dff3c6a8ba7d8c75049f99ee207272161b5749
    3.30.5: sha256:6cdfb17b0276f648f4fdb051a5d75617a50b3c328d4cccfc40d087b96c361d80
    3.30.4: sha256:7e2e5e75b25c55683b68eabeb9b00390b1d359e72bf57f7ec2b76bb006fd175f
    3.30.3: sha256:a7d017d1abf6ef5d6e03267187c0dd68c32f5e937b64decd29d003be44fa6b94
@@ -482,6 +484,7 @@ calicoctl_binary_checksums:
    3.28.1: sha256:22ec5727c38dbe19001792b4ca64ac760a6e2985d5c1a231d919dbebe5bca171
    3.28.0: sha256:4ea270699e67ca29e5533ddb0a68d370cb0005475796c7e841f83047da6297b6
  ppc64le:
+    3.30.6: sha256:9a9c368499b1e3d08418dfbb566379483e15c50d08dd1bcaf6148c115d82ed36
    3.30.5: sha256:5b6de49da1af2633549bff5e8f4d8a573a175b65c47c29d327ef6a0760d39a93
    3.30.4: sha256:8fc8ef492d463e184e714bc6d31b05f9066c8af3445928efef233850f036bb92
    3.30.3: sha256:ccd13ced62baf633fb4347fbe6c9fdc0d3b1b7deb1794c83c015507a0cb8238e
@@ -579,6 +582,7 @@ ciliumcli_binary_checksums:
    0.16.0: sha256:da98675f961833d4ffd68b1046d907b228a7d394ded2abd70a50b20eaca171c4
 calico_crds_archive_checksums:
  no_arch:
+    3.30.6: sha256:d61aa5bcddfc78b0094acd54e0358009fa79e1cbe6d8c23bdacb34ff7a2c6c82
    3.30.5: sha256:3a38f91596c204b43c70f642a3e686d8c3fbfdfa5caa7824b716aa2f4a4e568b
    3.30.4: sha256:a9398f6de6cce8f683e0ad649a21f3d3b8bb5fe4cd26e7b26b33b9a8c740274f
    3.30.3: sha256:36c50905b9b62a78638bcfb9d1c4faf1efa08e2013265dcd694ec4e370b78dd7
@@ -658,6 +662,7 @@ helm_archive_checksums:
    3.16.0: sha256:d13a4b87b31a5b50c8d93dd9988dfb312a61e56504102f466a4004e5a3ab8e9e
 cri_dockerd_archive_checksums:
  arm64:
+    0.3.23: sha256:a78037d2d2e9c52c48372a5cbba7b94b1c57be5759449beef29cfe03cbe6f14b
    0.3.22: sha256:3260b214c9b12dbf0cbf4d60410c45aacfc31ba52aa7b74164135968e8950cb6
    0.3.21: sha256:35de6b1e8eba11d8ba6d71fa7499cb3d610a1e7b866c9d43b7f87029e3a769cd
    0.3.20: sha256:e6b4661c51c832ee1cbbb75d1c8b086fa803acc153d400454c3b8cf324547d89
@@ -676,6 +681,7 @@ cri_dockerd_archive_checksums:
    0.3.6: sha256:793b8f57cecf734c47bface10387a8e90994c570b516cb755900f21ebd0a663b
    0.3.5: sha256:c20014dc5a71e6991a3bd7e1667c744e3807b5675b1724b26bb7c70093582cfe
  amd64:
+    0.3.23: sha256:c7fe5db7f9396186193b58ded0e62a31eca7b3c58ad8691d57017986f96482ee
    0.3.22: sha256:6621a96a885c82844d12318de00f510eae3459871cf1ad47317f38dd242f9a03
    0.3.21: sha256:6c35838bc4b1aef74f9113670e114ca729a5f295f9457b226791e18e86e91698
    0.3.20: sha256:2ce46d6bbd7f6a7e06e211836c201fdc2311111913eccc63a03f6ef4fe1958fc
Author	SHA1	Message	Date
ChengHao Yang	f4ccdb5e72	Docs: update 2.29.0 to 2.30.0 (#12899 ) Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>	2026-01-29 23:45:50 +05:30
Max Gautier	fcecaf6943	wait for control plane node to become ready after joining (#12794 ) When joining a control plane node and "upgrading" the cluster setup (for example, to update etcd addresses after adding a new etcd) in the same playbook run, the node can take a bit of time to become ready after joining. This triggers a kubeadm preflight check (ControlPlaneNodesReady) in kubeadm upgrade, which is run directly after the join tasks. Add a configurable wait for the control plane node to become Ready to fix this race condition.	2026-01-28 22:15:51 +05:30
Max Gautier	37f7a86014	etcd-certs: only change necessary permissions (#12908 ) We currently recursively set the permissions of /etc/ssl/etcd/ssl (default path) to 700. But this removes group permission from the files under it, and certain composents (like calio with etcd datastore) rely on it ; thus, the upgrade of a cluster can fail because the calico-kube-controller can't access the certs, and thus the etcd. This works in other case because as far as I can tell, the apiserver which do access the etcd run as root (the owner of the files, not just the "group owner") We also for some reasons do this twice. Only create the etcd cert directory with the correct permissions once, not recursively.	2026-01-27 20:25:52 +05:30
Max Gautier	fff7f10a85	Patch versions updates (#12912 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2026-01-27 20:21:53 +05:30
ChengHao Yang	dc09298f7e	Docs: cilium_kube_proxy_replacement change boolean (#12898 ) Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>	2026-01-27 16:43:48 +05:30
dependabot[bot]	680db0c921	build(deps): bump jmespath from 1.0.1 to 1.1.0 (#12905 ) Bumps [jmespath](https://github.com/jmespath/jmespath.py) from 1.0.1 to 1.1.0. - [Changelog](https://github.com/jmespath/jmespath.py/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/jmespath/jmespath.py/compare/1.0.1...1.1.0) --- updated-dependencies: - dependency-name: jmespath dependency-version: 1.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-27 16:39:49 +05:30
dependabot[bot]	9977d4dc10	build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#12906 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](`8e8c483db8...de0fac2e45`) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-26 20:41:53 +05:30
dependabot[bot]	1b6129566b	build(deps): bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#12907 ) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 8.0.0 to 8.1.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](`98357b18bf...c0f553fe54`) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-26 20:37:51 +05:30
Ali Afsharzadeh	c3404c3685	Upgrade cilium from 1.18.5 to 1.18.6 (#12900 ) Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>	2026-01-26 20:21:50 +05:30
Max Gautier	fba8708486	RELEASE.md: fix minor typo (#12891 )	2026-01-22 16:43:29 +05:30