Fix: Change "empty" definition for PodSecurity Admission configuration (#12477)

Fixes a bug where `kube-apiserver` fails to start if the PodSecurity
configuration file doesn't have the `apiVersion` and `kind` keys.

Signed-off-by: Alejandro Macedo <alex.macedopereira@gmail.com>
Co-authored-by: Alejandro Macedo <alex.macedopereira@gmail.com>

.gitlab-ci/packet.yml

@@ -119,8 +119,13 @@ packet_rockylinux9-cilium:
   variables:
     RESET_CHECK: "true"
 
+# Need an update of the container image to use schema v2
+# update: quay.io/kubespray/vm-amazon-linux-2:latest
 packet_amazon-linux-2-all-in-one:
-  extends: .packet_pr
+  extends: .packet_pr_manual
+  rules:
+    - when: manual
+      allow_failure: true
 
 packet_opensuse-docker-cilium:
   extends: .packet_pr

.pre-commit-config.yaml

@@ -61,14 +61,6 @@ repos:
         additional_dependencies:
           - ansible==9.5.1
 
-      - id: tox-inventory-builder
-        name: tox-inventory-builder
-        entry: bash -c "cd contrib/inventory_builder && tox"
-        language: python
-        pass_filenames: false
-        additional_dependencies:
-          - tox==4.15.0
-
       - id: check-readme-versions
         name: check-readme-versions
         entry: tests/scripts/check_readme_versions.sh

README.md

@@ -160,10 +160,10 @@ Note: Upstart/SysV init based OS types are not supported.
 ## Supported Components
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.30.4
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.30.6
   - [etcd](https://github.com/etcd-io/etcd) v3.5.12
   - [docker](https://www.docker.com/) v26.1
-  - [containerd](https://containerd.io/) v1.7.21
+  - [containerd](https://containerd.io/) v1.7.23
   - [cri-o](http://cri-o.io/) v1.30.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
@@ -178,7 +178,7 @@ Note: Upstart/SysV init based OS types are not supported.
 - Application
   - [cert-manager](https://github.com/jetstack/cert-manager) v1.14.7
   - [coredns](https://github.com/coredns/coredns) v1.11.1
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.2
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.5
   - [krew](https://github.com/kubernetes-sigs/krew) v0.4.4
   - [argocd](https://argoproj.github.io/) v2.11.0
   - [helm](https://helm.sh/) v3.15.4

contrib/offline/manage-offline-container-images.sh

@@ -146,7 +146,7 @@ function register_container_images() {
 		if [ "${org_image}" == "ID:" ]; then
 		  org_image=$(echo "${load_image}"  | awk '{print $4}')
 		fi
-		image_id=$(sudo ${runtime} image inspect ${org_image} | grep "\"Id\":" | awk -F: '{print $3}'| sed s/'\",'//)
+		image_id=$(sudo ${runtime} image inspect --format "{{.Id}}" "${org_image}")
 		if [ -z "${file_name}" ]; then
 			echo "Failed to get file_name for line ${line}"
 			exit 1

contrib/terraform/aws/create-infrastructure.tf

@@ -1,5 +1,11 @@
 terraform {
   required_version = ">= 0.12.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
 }
 
 provider "aws" {

galaxy.yml

@@ -14,7 +14,7 @@ documentation: https://kubespray.io
 license_file: LICENSE
 dependencies:
   ansible.utils: '>=2.5.0'
-  community.general: '>=3.0.0'
+  community.general: '>=7.0.0'
   ansible.netcommon: '>=5.3.0'
   ansible.posix: '>=1.5.4'
   community.docker: '>=3.11.0'
@@ -22,3 +22,4 @@ dependencies:
 manifest:
   directives:
     - recursive-exclude tests **
+    - recursive-include roles **/files/*

playbooks/remove_node.yml

@@ -27,6 +27,10 @@
   hosts: "{{ node | default('kube_node') }}"
   gather_facts: false
   environment: "{{ proxy_disable_env }}"
+  pre_tasks:
+    - name: Gather information about installed services
+      service_facts:
+      when: reset_nodes | default(True) | bool
   roles:
     - { role: kubespray-defaults, when: reset_nodes | default(True) | bool }
     - { role: remove-node/pre-remove, tags: pre-remove }

roles/container-engine/containerd/templates/containerd.service.j2

@@ -15,7 +15,7 @@
 [Unit]
 Description=containerd container runtime
 Documentation=https://containerd.io
-After=network.target local-fs.target
+After=network.target local-fs.target dbus.service
 
 [Service]
 ExecStartPre=-/sbin/modprobe overlay

roles/etcd/tasks/gen_certs_script.yml

@@ -35,7 +35,6 @@
     mode: "0700"
   run_once: true
   when:
-    - gen_certs | default(false)
     - inventory_hostname == groups['etcd'][0]
 
 - name: Gen_certs | run cert generation script for etcd and kube control plane nodes
@@ -154,3 +153,25 @@
     owner: "{{ etcd_owner }}"
     mode: "{{ etcd_cert_dir_mode }}"
     recurse: true
+
+# This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
+# TODO: fix certs generation to have the same file everywhere
+# OR work with kubeadm on node-specific config
+- name: Gen_certs | Pretend all control plane have all certs (with symlinks)
+  file:
+    state: link
+    src: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}{{ item[0] }}.pem"
+    dest: "{{ etcd_cert_dir }}/node-{{ item[1] }}{{ item[0] }}.pem"
+    mode: "0640"
+  loop: "{{ suffixes | product(groups['kube_control_plane']) }}"
+  vars:
+    suffixes:
+      - ''
+      - '-key'
+  when:
+    - ('kube_control_plane' in group_names)
+    - item[1] != inventory_hostname
+  register: symlink_created
+  failed_when:
+    - symlink_created is failed
+    - ('refusing to convert from file to symlink' not in symlink_created.msg)

roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2

@@ -73,7 +73,9 @@ data:
           max_concurrent 1000
 {% if dns_upstream_forward_extra_opts is defined %}
 {% for optname, optvalue in dns_upstream_forward_extra_opts.items() %}
-          {{ optname }} {{ optvalue }}
+          {{ (optname ~ ' ' ~ optvalue) | trim }}
+          {# do not add a trailing space when optvalue == ''
+             workaround for: https://github.com/kubernetes/kubernetes/issues/36222 #}
 {% endfor %}
 {% endif %}
         }

roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2

@@ -82,7 +82,9 @@ data:
         bind {{ nodelocaldns_ip }}
         forward . {{ upstreamForwardTarget }}{% if dns_upstream_forward_extra_opts is defined %} {
 {% for optname, optvalue in dns_upstream_forward_extra_opts.items() %}
-          {{ optname }} {{ optvalue }}
+          {{ (optname ~ ' ' ~ optvalue) | trim }}
+          {# do not add a trailing space when optvalue == ''
+             workaround for: https://github.com/kubernetes/kubernetes/issues/36222 #}
 {% endfor %}
         }{% endif %}
 
@@ -164,7 +166,9 @@ data:
         bind {{ nodelocaldns_ip }}
         forward . {{ upstreamForwardTarget }}{% if dns_upstream_forward_extra_opts is defined %} {
 {% for optname, optvalue in dns_upstream_forward_extra_opts.items() %}
-          {{ optname }} {{ optvalue }}
+          {{ (optname ~ ' ' ~ optvalue) | trim }}
+          {# do not add a trailing space when optvalue == ''
+             workaround for: https://github.com/kubernetes/kubernetes/issues/36222 #}
 {% endfor %}
         }{% endif %}
 

roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2

@@ -101,6 +101,7 @@ rules:
     verbs:
       # read its own config
       - get
+      - list
       # create a default if none exists
       - create
       # update status

roles/kubernetes/control-plane/templates/podsecurity.yaml.j2

@@ -1,6 +1,6 @@
-{% if kube_pod_security_use_default %}
 apiVersion: pod-security.admission.config.k8s.io/v1
 kind: PodSecurityConfiguration
+{% if kube_pod_security_use_default %}
 defaults:
   enforce: "{{ kube_pod_security_default_enforce }}"
   enforce-version: "{{ kube_pod_security_default_enforce_version }}"

roles/kubespray-defaults/defaults/main/checksums.yml

@@ -73,11 +73,16 @@ crio_archive_checksums:
 # Kubernetes versions above Kubespray's current target version are untested and should be used with caution.
 kubelet_checksums:
   arm:
+    v1.30.6: 0
+    v1.30.5: 0
     v1.30.4: 0
     v1.30.3: 0
     v1.30.2: 0
     v1.30.1: 0
     v1.30.0: 0
+    v1.29.10: 0
+    v1.29.9: 0
+    v1.29.8: 0
     v1.29.7: 0
     v1.29.6: 0
     v1.29.5: 0
@@ -86,6 +91,9 @@ kubelet_checksums:
     v1.29.2: 0
     v1.29.1: 0
     v1.29.0: 0
+    v1.28.15: 0
+    v1.28.14: 0
+    v1.28.13: 0
     v1.28.12: 0
     v1.28.11: 0
     v1.28.10: 0
@@ -100,11 +108,16 @@ kubelet_checksums:
     v1.28.1: 0
     v1.28.0: 0
   arm64:
+    v1.30.6: a35e5ab0701b84c03c5cffb142e5de78dc3a5a4af9ba503a6eb3bf8944ded26d
+    v1.30.5: 6d11af618f410a186a681b95865539a75146cb908522211520df584f3c09d5cc
     v1.30.4: d3df7a4acff9aba5518930b9c417e8e0ca8cf5e105b7fee6504891fa8f3e962a
     v1.30.3: 41d1926cd7b9c7c250c45f11c8fa9d1946cae98aec2eefc61a2cb4933612bcce
     v1.30.2: 72ceb082311b42032827a936f80cd2437b8eee03053d05dbe36ba48585febfb8
     v1.30.1: c45049b829af876588ec1a30def3884ce77c2c175cd77485d49c78d2064a38fb
     v1.30.0: fa887647422d34f3c7cc5b30fefcf97084d2c3277eff237c5808685ba8e4b15a
+    v1.29.10: 1c750d983e3d2fddeb829d1b9bdcf83c7d81e6f9cf7e1b50ccd9daad47807915
+    v1.29.9: 2bfcfc069bc0ea86a5cecc14c8f442dcc0871a7ba5cc3161b6311592967c040f
+    v1.29.8: f645f4309cadf76b7567d89feeebf979cf46940ea23618c776165712798c0704
     v1.29.7: f088079f26fb3bffc8a1c467e1caa5ad807023b63e70013e874163df87be6829
     v1.29.6: 0f0fa9429d0bcf04f271dcf4f666582dd4a4b15d6f116a45f17b5fcda90c2d2c
     v1.29.5: 0d4328a3c67e4f0dbf270fa49343f3eab9316adde1a1bd2a857fa56876a9aff1
@@ -113,6 +126,9 @@ kubelet_checksums:
     v1.29.2: 9b4aa572d4cd51a41b1067161d961423d0d12b120fb636ea887a12a975d4b19a
     v1.29.1: e46417ab1ceae995f0e00d4177959a36ed34b807829422bc9dda70b263fe5c5d
     v1.29.0: 0e0e4544c2a0a3475529154b7534d0d58683466efa04a2bb2e763b476db0bb16
+    v1.28.15: 7dfb8087ee0eff9a3f667e1ec749b5a57a0848e59ce9ed42ad00e7ece1c55274
+    v1.28.14: 3abc8a9fdc4f2fa7a45995be4be5f6b4797f99205cd605c5721a346d7ac65a7e
+    v1.28.13: e1c222cfe7ba457e0b3dc54bbe6149231586e2031e4e0ffddd6e34836e80acea
     v1.28.12: 8e28fda6ab1bd506ca4090a0a617aa29d9988c7e23711e70819497089ba67388
     v1.28.11: 0e01c1393f8746965994431b70a20c32b8547dfb1dcf2770cb692990fc65ba5f
     v1.28.10: feae161e374ee0155b5263cda339f30f16b525631535a003be7aa437661e1580
@@ -127,11 +143,16 @@ kubelet_checksums:
     v1.28.1: 9b7fa64b2785da4a38768377961e227f8da629c56a5df43ca1b665dd07b56f3c
     v1.28.0: 05dd12e35783cab4960e885ec0e7d0e461989b94297e7bea9018ccbd15c4dce9
   amd64:
+    v1.30.6: 9d5585448bc34d37f70171c282febaa10d32687bfee4f8e4467c1bf149674d50
+    v1.30.5: 9b4b8f8b33c988372cc9c67791418028ca2cef4a4b4b8d98ab67d6f21275a11a
     v1.30.4: 0c02c0f997b3e9769eae7ca051856054411fca947b3d5409d991ce1964dd0e69
     v1.30.3: 9a37ddd5ea026639b7d85e98fa742e392df7aa5ec917bed0711a451613de3c1c
     v1.30.2: 6923abe67ef069afca61c71c585023840426e802b198298055af3a82e11a4e52
     v1.30.1: 87bd6e5de9c0769c605da5fedb77a35c8b764e3bda1632447883c935dcf219d3
     v1.30.0: 32a32ec3d7e7f8b2648c9dd503ce9ef63b4af1d1677f5b5aed7846fb02d66f18
+    v1.29.10: 4cc094062cd1cff49ca551208635669ab86e3982d38e8d0a77ab833a941ff708
+    v1.29.9: 1bf6e9e9a5612ea4f6e1a8f541a08be93fdf144b1430147de6916dae363c34a2
+    v1.29.8: df6e130928403af8b4f49f1197e26f2873a147cd0e23aa6597a26c982c652ae0
     v1.29.7: f16329e64f5b2204c1cb906f694abebb7f6869d56e6e8b60b54afa0057006b84
     v1.29.6: a946789d4fef64e6f5905dbd7dca01d4c3abd302d0da7958fdaa924fe2729c0b
     v1.29.5: 261dc3f3c384d138835fe91a02071c642af94abb0cca56ebc04719240440944c
@@ -140,6 +161,9 @@ kubelet_checksums:
     v1.29.2: f71a85039b71fe08f1c063a93d61a1c952dc8f9a8c6be9b13fbdac8f0d9ff960
     v1.29.1: 1b1975c58d38be1a99a8bcba4564ac489afd223b0abe9f2ab08bbde89d2412a3
     v1.29.0: e1c38137db8d8777eed8813646b59bf4d22d19b9011ab11dc28e2e34f6b80a05
+    v1.28.15: b07a27fd5bd2419c9c623de15c1dd339af84eb27e9276c81070071065db00036
+    v1.28.14: 783b94ac980e9813626c51b0bc92b0b25bc8a61eec447b1c48aa5eaba1016b5f
+    v1.28.13: 9b9cc3a19551ade6f3d98ad3acf0a2b65a27ef575bd089f115f8bb80791f3900
     v1.28.12: 4648ae155b1ab05ab8dbef417bde4d5acfcd5ad32e8d1e3209006b40c440a56c
     v1.28.11: 230f0634ea42a54a6c96771f12eecd6cadfe0b76ab41c3bc39aa7cbbe4dfb12e
     v1.28.10: a361e744aaeef4539f0636ecd1827c85207a5f2b0c2b0a98dbbce1498061f509
@@ -154,11 +178,16 @@ kubelet_checksums:
     v1.28.1: 2bc22332f44f8fcd3fce57879fd873f977949ebd261571fbae31fbb2713a5dd3
     v1.28.0: bfb6b977100963f2879a33e5fbaa59a5276ba829a957a6819c936e9c1465f981
   ppc64le:
+    v1.30.6: a4641d919d28f4a46e6049862a1de5449b009cfa8ee84066451b94374442ba29
+    v1.30.5: ac97aa6ddb6e367ff027c13de8dbd9624a5fe21b6b35546a8603af0ffc608858
     v1.30.4: 50ea965747f3f8c69288aa9268e5c2cc1eb6c3f0b3efa7eba862258bd225d98d
     v1.30.3: c48df46a72ff9764fd1bc54e99b6154772031b1e66c36b0ac5764a5801eadfc0
     v1.30.2: 268dfbb7ee3abcb8ff9fd0a88f81204e40dd33d177f7878941c9ff6b7cca0474
     v1.30.1: 1ac58eae0aa02fefad47d2318bfa5846ae0d7d11a5b691850cd86b2b614ceffe
     v1.30.0: 8d4aa6b10bcddae9a7c754492743cfea88c1c6a4628cab98cdd29bb18d505d03
+    v1.29.10: fbe2c747416ae82690cb255d1122266fd251d182a409e6b6c99a03836254efe1
+    v1.29.9: 0ad253452a40c87dec85bb6621e8ec9658c11856707868e5a65d2283b19ed2fa
+    v1.29.8: 916a7887ee0a9469b11f82645eecc5b97466faaa9dc4c7d13473c6ff22f2f305
     v1.29.7: 52a70e6c9cab9f123cc0f2677b65ac6426cfc549d375c64008b43bcb8fae1d76
     v1.29.6: 77c2256d6863ac0e33a0e8e8c4cc798618ae73aac91b4f18b9e87d8e62973c61
     v1.29.5: b0caa52184a3e89a7f529c776ebabd7d34aecad560614f787fe08cff777a43cb
@@ -167,6 +196,9 @@ kubelet_checksums:
     v1.29.2: b0eb5e0362a4e153ed1239c65b0abb02b2d9fbbca6846d0bab8b285de8c84fca
     v1.29.1: 467d2b457205363f53f72081295ea390fc25215b0ccc29dc04c4f82925266067
     v1.29.0: 67f09f866d3e4aee8211ce9887ec8bc427b188474a882a7af999fc0fee939028
+    v1.28.15: 67992afe37fcea6b36be5d6ae344622ff99b7a6fb2b8dfebbf882ad19535535b
+    v1.28.14: f4bd7f9bc083634ed59ea69c4d2d3702e8027bd6e8ab11a737f34efd63c158d0
+    v1.28.13: 4e8a3721e895ca7508da6c4769f77c23b667e34c7ec4c8a76d1148c7f71b540a
     v1.28.12: d22af902a74d8d257ea508e9e6f91574e6e0e50006868a1943c47144dd3f9615
     v1.28.11: 35daf1aacafd035420d85052b037bc0aa1eec9193100c40f626aa3b140d4d48d
     v1.28.10: 0ba43fda35f588eaf65955481a7c6f633e4e787a45322bf55a7558ece4944e39
@@ -182,11 +214,16 @@ kubelet_checksums:
     v1.28.0: 22de59965f2d220afa24bf04f4c6d6b65a4bb1cd80756c13381973b1ac3b4578
 kubectl_checksums:
   arm:
+    v1.30.6: 20ca85ccceb5f6539a3075d6faaec8bfc6f6351984e59cbe14f00c1b96c57bab
+    v1.30.5: ee26c528357330bd1bb036064d7083d6cc66434acc7ddc003c865ddc10e0d17e
     v1.30.4: a31676f522cc745f241b1fd5755b9965558e4f1f5db5149319439a15f49806d1
     v1.30.3: f9147ca81cbcb7b1cf41b75d95a0fd3597defb7c0e6db8c54e6ca7f493929c71
     v1.30.2: 2dab982920d87bc9a17c539bfa4f94b758afc454bb044029dee06144e8dbee08
     v1.30.1: b05c4c4b1c440e8797445b8b15e9f4a00010f1365533a2420b9e68428da19d89
     v1.30.0: ff54e96c73f4b87d740768f77edada7df8f2003f278d3c79bbbaa047b1fc708d
+    v1.29.10: 5062cab3e174a98d5a6d44f31a0055caa4f98f48839687b5742f086315bdbb58
+    v1.29.9: 7e1e681c2ea5f620a444922b0883bfdb201c1f5c3a54238ff6a55206a0ce3d76
+    v1.29.8: f59f597d5e6174479185b54d0014e0bf84b7110c707fe07b133f94a7d7ae45be
     v1.29.7: cf875cbbdca7ea0e190075c7a4b3f2fa59864079c1fe9da482f8806b1ad64364
     v1.29.6: 7762244b8da5564d2ee6a65403dd3aa3f94e8e9b16887c51936a4e941de8fd95
     v1.29.5: f3c83a9674098c5a4f27defed001934719f487897dd61db1992057e5ed103b3e
@@ -195,6 +232,9 @@ kubectl_checksums:
     v1.29.2: f1bab202f0ce0c4209af0a977fc3dd4076397b1983544e09942ca4f586dff900
     v1.29.1: a4b478cc0e9adaab0c5bb3627c20c5228ea0fe2aeff9e805d611eb3edb761972
     v1.29.0: a2388eb458d07ec734e4fa02fd0147456a1922a7d6b8e67a32db9d64a4d7621c
+    v1.28.15: d8906e79c4516f1ad2257eda589533749ad04bb85136c64d064d645816a04bcd
+    v1.28.14: 9fce4d1bac2355fbb3cbae4d120a7693c7157080cd1708bd9d731e1f75cfd325
+    v1.28.13: 05a76c89aa61946cdd5351fa43bbba237a11a4cf532357c01cda5dcb4606ce32
     v1.28.12: 54d5c9c302a93daec427ff4f20f50124bb0eaa99c1c477b49e78893d7c9ff1d3
     v1.28.11: 2710129489d782a35c5273202a7148aac42e316c5117aa89c64a8cc62f9ce140
     v1.28.10: e7b977779169f394383696afe872f6f0a4274789adbce1b70f5b28a20ee2cbd0
@@ -209,11 +249,16 @@ kubectl_checksums:
     v1.28.1: eaa05dab1bffb8593d8e5caa612530ee5c914ee2be73429b7ce36c3becad893f
     v1.28.0: 372c4e7bbe98c7067c4b7820c4a440c931ad77f7cb83d3237b439ca3c14d3d37
   arm64:
+    v1.30.6: 0b448581f05f46d80219d1a73bd1966de09066c313f64e67e7b75b35e07191cd
+    v1.30.5: efc594857f9255fc33bcda9409b8862a3b47ce5f4e09d51c3427b85dd769b9b9
     v1.30.4: 1d8b4e6443c7df8e92a065d88d146142a202fea5ec694135b83d9668529ea3b1
     v1.30.3: c6f9568f930b16101089f1036677bb15a3185e9ed9b8dbce2f518fb5a52b6787
     v1.30.2: 56becf07105fbacd2b70f87f3f696cfbed226cb48d6d89ed7f65ba4acae3f2f8
     v1.30.1: d90446719b815e3abfe7b2c46ddf8b3fda17599f03ab370d6e47b1580c0e869e
     v1.30.0: 669af0cf520757298ea60a8b6eb6b719ba443a9c7d35f36d3fb2fd7513e8c7d2
+    v1.29.10: 4cfa950fbd354bdc655cc425494aa77fe81710bc8f7d3f95285338aac223cc82
+    v1.29.9: 0fc73b3e4bf5395e0182ae62df24a96d5870baa44fabcc50b5eb2d8dcf22dd78
+    v1.29.8: adf0007e702e05f59fb8de159463765c4440f872515bd04c24939d9c8fb5e4c7
     v1.29.7: 7b6649aaa298be728c5fb7ccb65f98738a4e8bda0741afbd5a9ed9e488c0e725
     v1.29.6: 21816488cf3af4cf2b956ee58f7afc5b4964c29488f63756f5ddcf09b0df5be9
     v1.29.5: 9ee9168def12ac6a6c0c6430e0f73175e756ed262db6040f8aa2121ad2c1f62e
@@ -222,6 +267,9 @@ kubectl_checksums:
     v1.29.2: 3507ecb4224cf05ae2151a98d4932253624e7762159936d5347b19fe037655ca
     v1.29.1: 96d6dc7b2bdcd344ce58d17631c452225de5bbf59b83fd3c89c33c6298fb5d8b
     v1.29.0: 8f7a4bd6bae900a4ddab12bd1399aa652c0d59ea508f39b910e111d248893ff7
+    v1.28.15: 7d45d9620e67095be41403ed80765fe47fcfbf4b4ed0bf0d1c8fe80345bda7d3
+    v1.28.14: 42b813cdde7d5e04593c219a11a07f0866dd2492b7447a700870af1461ce2d8d
+    v1.28.13: a22d234724b82101e1f17e95ab60e0e13c91a0fe17ad0890b3d92681cd551bfa
     v1.28.12: f7e01dfffebb1d5811c37d558f28eefd80cbfadc0b9783b0b0ebf37c40c5c891
     v1.28.11: 7984a98d52365d190b6f56caa962339a7228b6f432e58ba5f1b1e60dbedac275
     v1.28.10: e659d23d442c2706debe5b96742326c0a1e1d7b5c695a9fe7dfe8ea7402caee8
@@ -236,11 +284,16 @@ kubectl_checksums:
     v1.28.1: 46954a604b784a8b0dc16754cfc3fa26aabca9fd4ffd109cd028bfba99d492f6
     v1.28.0: f5484bd9cac66b183c653abed30226b561f537d15346c605cc81d98095f1717c
   amd64:
+    v1.30.6: 7a3adf80ca74b1b2afdfc7f4570f0005ca03c2812367ffb6ee2f731d66e45e61
+    v1.30.5: b8aa921a580c3d8ba473236815de5ce5173d6fbfa2ccff453fa5eef46cc5ee7a
     v1.30.4: 2ffd023712bbc1a9390dbd8c0c15201c165a69d394787ef03eda3eccb4b9ac06
     v1.30.3: abd83816bd236b266c3643e6c852b446f068fe260f3296af1a25b550854ec7e5
     v1.30.2: c6e9c45ce3f82c90663e3c30db3b27c167e8b19d83ed4048b61c1013f6a7c66e
     v1.30.1: 5b86f0b06e1a5ba6f8f00e2b01e8ed39407729c4990aeda961f83a586f975e8a
     v1.30.0: 7c3807c0f5c1b30110a2ff1e55da1d112a6d0096201f1beb81b269f582b5d1c5
+    v1.29.10: 24f2f09a635d36b2ce36eaebf191326e2b25097eec541a3e47fee6726ef06cef
+    v1.29.9: 7b0de2466458cc3c12cf8742dc800c77d4fa72e831aa522df65e510d33b329e2
+    v1.29.8: 038454e0d79748aab41668f44ca6e4ac8affd1895a94f592b9739a0ae2a5f06a
     v1.29.7: e3df008ef60ea50286ea93c3c40a020e178a338cea64a185b4e21792d88c75d6
     v1.29.6: 339553c919874ebe3b719e9e1fcd68b55bc8875f9b5a005cf4c028738d54d309
     v1.29.5: 603c8681fc0d8609c851f9cc58bcf55eeb97e2934896e858d0232aa8d1138366
@@ -249,6 +302,9 @@ kubectl_checksums:
     v1.29.2: 7816d067740f47f949be826ac76943167b7b3a38c4f0c18b902fffa8779a5afa
     v1.29.1: 69ab3a931e826bf7ac14d38ba7ca637d66a6fcb1ca0e3333a2cafdf15482af9f
     v1.29.0: 0e03ab096163f61ab610b33f37f55709d3af8e16e4dcc1eb682882ef80f96fd5
+    v1.28.15: 1f7651ad0b50ef4561aa82e77f3ad06599b5e6b0b2a5fb6c4f474d95a77e41c5
+    v1.28.14: e1e8c08f7fc0b47e5d89422e573c3a2e658d95f1ee0c7ea6c8cb38f37140e607
+    v1.28.13: d7d363dd5a4c95444329bc5239b8718ebe84a043052958b2f15ee2feef9a28c6
     v1.28.12: e8aee7c9206c00062ced394418a17994b58f279a93a1be1143b08afe1758a3a2
     v1.28.11: 1dba63e1a5c9520fc516c6e817924d927b9b83b8e08254c8fe2a2edb65da7a9c
     v1.28.10: 389c17a9700a4b01ebb055e39b8bc0886330497440dde004b5ed90f2a3a028db
@@ -263,11 +319,16 @@ kubectl_checksums:
     v1.28.1: e7a7d6f9d06fab38b4128785aa80f65c54f6675a0d2abef655259ddd852274e1
     v1.28.0: 4717660fd1466ec72d59000bb1d9f5cdc91fac31d491043ca62b34398e0799ce
   ppc64le:
+    v1.30.6: 54ae05b59c52edea26e1d4009b5e469be96d582ddbe388f33d3b07a66caf7ac8
+    v1.30.5: 1289eec1144607b5b11bb4f1bdbba6ee92880f4703c9349c83b47ae6d66d9614
     v1.30.4: a913b4b8573d356483d5c7f14d2cecb290b41ab3b58812567b54ce09e763aad9
     v1.30.3: 3f2ba2216e43b833251a570b1218cba61d43ef2734c0a7751d281656066ab30b
     v1.30.2: 738bc1bad45df79fc4313d167a68ed5a1cf747f1f94e4434f0733e3126989f2e
     v1.30.1: ef01ae21e91600469db3df01172144fac6c61083e7d3282bef72ce732d76d0d8
     v1.30.0: f8a9eac6e12bc8ab7debe6c197d6536f5b3a9f199e8837afd8e4405291351811
+    v1.29.10: 306973163a10c01a76ebab384b0e900b3293b4f6cc935dfd517f0bb69399be54
+    v1.29.9: 65bc83b5c7bda9ab04b8fe59d7f81e74bc70a4b2d1b7cb0e83fdd7b4ac284211
+    v1.29.8: 5a9d8631cf3200bdd714bfe7be1fd25a8e33e1dbd6a79f2df3bfe9076f525ed2
     v1.29.7: fd2bb7de3d46a375c63499f8235dc22901b563a9554f315f7606e0bac78fff94
     v1.29.6: cc145dc1f27f56c81aa2c96c97370e1341b41fbb4fc64cfde4ef4956230fc0e9
     v1.29.5: 1d2635f6bd0218c53037c113171479e15e51b60823f7f1b93afb48ae1d9e5b09
@@ -276,6 +337,9 @@ kubectl_checksums:
     v1.29.2: 382552d15a1aa7ec5a316b2a912e7fbdaaff2f3c714cd38b2b0c6a48b670fed8
     v1.29.1: b7780124ccfe9640f3a37d242d31e8dbb252bcd379bd0d7bf3776d15baf15ca3
     v1.29.0: ea926d8cf25e2ce982ff5c375da32b51ccbd122b721b1bc4a32f52a9a0d073ab
+    v1.28.15: 8ae156fbeb6167e22c02a044361997b6725aa3cb913165ba4f9fb9f483a30f88
+    v1.28.14: b9fe89da881c7498bfe40b9dfe7f9f64ad0d338a2f6805395b17c4e77f8bc9fb
+    v1.28.13: a42fbf4c973a619ec9c52f559ab97c2a0bd4cd4e3d17478f9d4f80376b766da5
     v1.28.12: ed8255ef27836a88982651bff592e98c623677c926b2a9bc08443319c6678257
     v1.28.11: 63fa54ab9b4fc7b61415a8093bd48db9ce609b78f75c09b03b3b82a3a0c3105f
     v1.28.10: aea8f54280e56dd58822fa4ae835ce6c6586727b32fb7bc915c2bee5038ccba9
@@ -291,19 +355,27 @@ kubectl_checksums:
     v1.28.0: 7a9dcb4c75b33b9dac497c1a756b1f12c7c63f86fc0f321452360fbe1a79ce0f
 kubeadm_checksums:
   arm:
+    v1.30.6: 0
+    v1.30.5: 0
     v1.30.4: 0
     v1.30.3: 0
     v1.30.2: 0
     v1.30.1: 0
     v1.30.0: 0
-    v1.29.6: 0
+    v1.29.10: 0
+    v1.29.9: 0
+    v1.29.8: 0
     v1.29.7: 0
+    v1.29.6: 0
     v1.29.5: 0
     v1.29.4: 0
     v1.29.3: 0
     v1.29.2: 0
     v1.29.1: 0
     v1.29.0: 0
+    v1.28.15: 0
+    v1.28.14: 0
+    v1.28.13: 0
     v1.28.12: 0
     v1.28.11: 0
     v1.28.10: 0
@@ -318,11 +390,16 @@ kubeadm_checksums:
     v1.28.1: 0
     v1.28.0: 0
   arm64:
+    v1.30.6: 6206938156e079d1c3031ba9a291e720c9f04031492753759b93bc3b67b3390b
+    v1.30.5: 08b8d17ac39a49b3ebb88a756599496c71e63b756884e88127654bc5c51128e5
     v1.30.4: 609afad8590afb39b500cc5175c64b17690f7bf0b0eebcf1d347656d262e5c8c
     v1.30.3: 6590f2447c87346aac29e2ab42fe4f29873f9bf154ee878f00da4c81bfdb8ea2
     v1.30.2: 7268762b7afd44bf07619985dd52c376b63e47d73b8f9a3b08cc49624a8fbd55
     v1.30.1: bda423cb4b9d056f99a2ef116bdf227fadbc1c3309fa3d76da571427a7f41478
     v1.30.0: c36afd28921303e6db8e58274de16c60a80a1e75030fc3c4e9c4ed6249b6b696
+    v1.29.10: a10b015db9b5b5a29420a9f8e696c39f11d171bb9d67ad39c1a6b05f7da6d823
+    v1.29.9: aa3bd8120fb4c2e8d6eb1b2b9bb27dad92f08ce53275b7246f0f32eff3a025c1
+    v1.29.8: 37ff550d5c1af726032a38206daeedfd2e0de6124c41379b314dbbcba394d0b1
     v1.29.7: d0ad904dc3823821c3920499fc151fc83fb6cb9e1c920e39173f96720ad0e053
     v1.29.6: 3ba6879ef491cdd8433647020d345d86c0ea8e77f726375bc4b5495888bbf778
     v1.29.5: d4db8c514f2764edc039462c218dbcd316577f76f21b209b76e9a4b1f08e3100
@@ -331,6 +408,9 @@ kubeadm_checksums:
     v1.29.2: e05720feb9d2d67eff25b0156a5c22e2de37be2ffab4e1f4d31e8c526fafd0e1
     v1.29.1: 3bff8c50c104c45e416cce9991706c6ac46365f0defbcd54f8cf4ace0fa68dcf
     v1.29.0: bbddee2d46d2e1643ae3623698b45b13aa2e858616d61c642f2f49e5bb14c980
+    v1.28.15: e907b9e8e47a42ea5c1a15d0f7f493337dd35fc53540d344af6fecf191f5764e
+    v1.28.14: 13f89baf897e8a066bc3e840eee120bb9c36ae3b0fc38c998e3c1812d909f26d
+    v1.28.13: 989630fb0de6fe750c6ee25ee01b72654a3087434ff488ff8fddedd0278720cc
     v1.28.12: e0d94607a036323e45a6866127bc7a374543e27f45f8fc0bf948a2452eab667f
     v1.28.11: 15a021fdecf08989d6b64af873d89c61750d3a0564bee58c248eafe5cc4df433
     v1.28.10: f6809d72ed1bf6fde460e48e5c714c3bc92f680e328defa9bd592a796347b644
@@ -345,11 +425,16 @@ kubeadm_checksums:
     v1.28.1: 7d2f68917470a5d66bd2a7d62897f59cb4afaeffb2f26c028afa119acd8c3fc8
     v1.28.0: b9b473d2d9136559b19eb465006af77df45c09862cd7ce6673a33aae517ff5ab
   amd64:
+    v1.30.6: 216b7728c6eca12a6a21a7e4199d898d4b88cf8f489a63c2779e2e525302cca7
+    v1.30.5: b91e32e527d3941369cee016fccb6cb12cd214a120a81d8c5f84c7cbc9e120b2
     v1.30.4: 6c6053fb8b31030ef7fffe146eb29489f7bf53d7a5ca10e0b10c907bf4b7e281
     v1.30.3: bb78c2a27027278ee644d523f583ed7fdba48b4fbf31e3cfb0e309b6457dda69
     v1.30.2: 672b0cae2accce5eac10a1fe4ea6b166e5b518c79ccf71a2fbe7b53c2ca74062
     v1.30.1: 651faa3bbbfb368ed00460e4d11732614310b690b767c51810a7b638cc0961a2
     v1.30.0: 29f4232c50e6524abba3443ff3b9948d386964d79eb8dfefb409e1f8a8434c14
+    v1.29.10: 9098c908e0f3a601e8bef9b2cdb4a9777e18204595a6542be58b3928c7b51440
+    v1.29.9: e313046d79c3f78d487804fc32248c0575af129bc8a31bca74b191efa036e0b1
+    v1.29.8: fe054355e0ae8dc35d868a3d3bc408ccdff0969c20bf7a231ae9b71484e41be3
     v1.29.7: 7699c6f06fbc8e813766b8237de69a095ad820fe484856ffd921a7894b5af605
     v1.29.6: 8f1e04079e614dd549e36be8114ee7022517d646ea715b5778e7c6ab353eb354
     v1.29.5: e424dcdbe661314b6ca1fcc94726eb554bc3f4392b060b9626f9df8d7d44d42c
@@ -358,6 +443,9 @@ kubeadm_checksums:
     v1.29.2: 2d4e4fa8685bcbfb661cb41050cd4756f50a7aa147f68492d51a99f9cdfd69ac
     v1.29.1: d4d81d9020b550c896376fb9e0586a9f15a332175890d061619b52b3e9bc6cbd
     v1.29.0: 629d4630657caace9c819fd3797f4a70c397fbd41a2a7e464a0507dad675d52c
+    v1.28.15: 0555b2c2fd30efcdb44b7fba5460c3dc3d3e39f2301e1eef7894a9f8976e1b4c
+    v1.28.14: 2fd2f8269a3baa8248f598cfbea8d2234291726fd534d17211b55a1ffb6b8c9b
+    v1.28.13: f23e9586811312998bc5e8847f6df52fc04809aed8c2c2fd750f2c42b3f87192
     v1.28.12: 3ffcf5100c6bca3dd0a6c317c744dd97fe497c7c4aefe468321171f940d34971
     v1.28.11: 1f2c7c69736698aa13a59c6705ac26b7b6752d9651330605369357c1ac99c7c6
     v1.28.10: 1a344d34755c5f005120308f09a730e7564c8f857de6606b6bc5f18a69606e5a
@@ -372,11 +460,16 @@ kubeadm_checksums:
     v1.28.1: 6134dbc92dcb83c3bae1a8030f7bb391419b5d13ea94badd3a79b7ece75b2736
     v1.28.0: 12ea68bfef0377ccedc1a7c98a05ea76907decbcf1e1ec858a60a7b9b73211bb
   ppc64le:
+    v1.30.6: 8febc55f1a984b23deb3ecca2dfe7073180f462636512dbfdfb69537c0783ec2
+    v1.30.5: 996a353e6a443a1d88fa2aff93beb9f6b3073c53d0565dcccc2886642ce79c05
     v1.30.4: df0a42a57e69f3080871736d0953f1f287f63def0ed514324aca2469463efd7a
     v1.30.3: 76a58a7389365295fb4ea1163c2644c3700f066a8e8cb1b7897ad83576e43ce2
     v1.30.2: 8aee71554003411470a5933cdff7896736ae1182055c0de6bb3782d0a7581c71
     v1.30.1: dc529fae8227422a23a8d4f70e28161fa207a4da7cb24d340aae0592dd729ea5
     v1.30.0: a77badcaff292862df8324e17f74ab7ce3c6ea9f390647878f1838a3a832f413
+    v1.29.10: 5f90095f3bd107fef219984e0aade9a7ab12c960392596e9ec08f31dca73acc1
+    v1.29.9: c3d815d39d53c8baa61ee6cd1185c59fb29ecf49775585b689a2ae7dde62ca7a
+    v1.29.8: 8a43d185d3eea5abcf98abe8d4b8ca9fe8d7afef65073e026a3bb16cf5c9df99
     v1.29.7: 8570e534f3712511284b2e0122d8fe46e36050a0c009df852b69b2de931c53b7
     v1.29.6: 577cdd37fc929be0ffcdc2aa5337bba36a409e00f538da0dcca611a4161be461
     v1.29.5: 05c92f52d75268f0aaff5056e0d6b3e03002b2d17432360750100ada9b2c381b
@@ -385,6 +478,9 @@ kubeadm_checksums:
     v1.29.2: a0f8ffa8cbfa4bb061ff028df2f6dbb31a9527c561d8c0186d679559f9f347b4
     v1.29.1: 3ec6d90c05dd8e4c6bb1f42fd2fe0f091d85317efaf47d9baebd9af506b3878b
     v1.29.0: 4c414a463ed4277e9062c797d1c0435aa7aec2fd1688c5d34e3161c898113cb5
+    v1.28.15: cdb1491e3b275a26d3450feb0cb3d02fbf301681d91c1e0b056e82629417efa2
+    v1.28.14: cdd9d968ef1d78a45b993417dcb5866aabdf69807362369d2e8f5e18689829eb
+    v1.28.13: 5bb59bbb9b6d813d30eb0af905d66e6f1e24f9b8576a272bdb5cf7ab75044e76
     v1.28.12: 36f6419cacb46b44d762c12a9580f1e16c6af266e4269e8cedb4d8e5fe355da1
     v1.28.11: 23d8f0c63acea7c9ae4082930f4fa82fc9659ea112f408a439a09a40c5d59223
     v1.28.10: 39a5a27b70ea9eb7e86a37c8862691d875f462a6d52a02355873ffca4595e045
@@ -985,6 +1081,8 @@ nerdctl_archive_checksums:
     1.7.0: e421ae655ff68461bad04b4a1a0ffe40c6f0fcfb0847d5730d66cd95a7fd10cd
 containerd_archive_checksums:
   arm:
+    1.7.23: 0
+    1.7.22: 0
     1.7.21: 0
     1.7.20: 0
     1.7.19: 0
@@ -1007,6 +1105,8 @@ containerd_archive_checksums:
     1.7.2: 0
     1.7.1: 0
     1.7.0: 0
+    1.6.36: 0
+    1.6.35: 0
     1.6.34: 0
     1.6.33: 0
     1.6.32: 0
@@ -1029,6 +1129,8 @@ containerd_archive_checksums:
     1.6.15: 0
     1.6.14: 0
   arm64:
+    1.7.23: 6a66b5e63a5e88ff7eeb478ccaca9083d44e51e1d7261ae183fe5951a6226ccd
+    1.7.22: 48d0a8461ae829b12b07c3663b14b70287d0607a0792719c51b4e4dd700b02ce
     1.7.21: 7b6b67d998eb86856d23df5d57269c054539072bbb27677975cf78269b2c5c10
     1.7.20: cf80cd305f7d1c23aaf0c57bc1c1e37089cad9130d533db6fe968cdebd16c759
     1.7.19: 1839e6f7cd7c62d9df3ef3deac3f404cdd5cd47bbdf8acfeb0b0f3776eb20002
@@ -1051,6 +1153,8 @@ containerd_archive_checksums:
     1.7.2: d75a4ca53d9addd0b2c50172d168b12957e18b2d8b802db2658f2767f15889a6
     1.7.1: 1f828dc063e3c24b0840b284c5635b5a11b1197d564c97f9e873b220bab2b41b
     1.7.0: e7e5be2d9c92e076f1e2e15c9f0a6e0609ddb75f7616999b843cba92d01e4da2
+    1.6.36: 48aaf746ad4adc6e5c3b077875ddbd15a8f5b660a5f7dcb533f0205aeeff3785
+    1.6.35: 0e0066aeffbd4360bfcf16bd08b6a9e40da7f437aa7b292991ce8d08083bee40
     1.6.34: 9e898686ff003cec2d80c30cf5ad342c1ac88373568dae792f93cd088e66d038
     1.6.33: 432cf17fbc01ba4fc59b949210baa96865185b8eb3b3292eb7a00e2f6bde9fe9
     1.6.32: a9cb16bafbf1eb8cea11b4803d76f78cf7bef311b951dd1ae49c238bb41ec649
@@ -1073,6 +1177,8 @@ containerd_archive_checksums:
     1.6.15: d63e4d27c51e33cd10f8b5621c559f09ece8a65fec66d80551b36cac9e61a07d
     1.6.14: 3ccb61218e60cbba0e1bbe1e5e2bf809ac1ead8eafbbff36c3195d3edd0e4809
   amd64:
+    1.7.23: 8a0de43d9313aef2ebdccc0ffa49461a4a28139a2c0ef104c3c847f6f37c8119
+    1.7.22: f8b2d935d1f86003f4e0c1af3b9f0d2820bacabe6dc9f562785b74af24c5e468
     1.7.21: 3d1fcdfd0b141f4dc4916b7aee7f9a7773dc344baffc8954e1ca66b1adc5c120
     1.7.20: e09410787b6f392748959177a84e024424f75d7aff33ea1c5b783f2260edce67
     1.7.19: 97f75e60f0ad19d335b1d23385835df721cad4492740d50576997f2717dc3f94
@@ -1095,6 +1201,8 @@ containerd_archive_checksums:
     1.7.2: 2755c70152ab40856510b4549c2dd530e15f5355eb7bf82868e813c9380e22a7
     1.7.1: 9504771bcb816d3b27fab37a6cf76928ee5e95a31eb41510a7d10ae726e01e85
     1.7.0: b068b05d58025dc9f2fc336674cac0e377a478930f29b48e068f97c783a423f0
+    1.6.36: e9a53f5f7549afbe9208578609eddecd238b7166663ab273f2954fab77602b3f
+    1.6.35: 50f05b2986a8635827e3f015f10d8d1c342e9a9d6886c7392160b5c27ac77c83
     1.6.34: 18969d667cd6b9993d168f6d30f9ad978f0aca72cf984c1f522fc5277780885b
     1.6.33: a0c7daa50386dc3ca19cbeb83d6987d43bdd92c0bb0429d08be7f9be4f9c307a
     1.6.32: 7acab4dda6edb7e8e0a6cfc3abd9f323db05a3d92a8a1842de8f6c9e28af501d
@@ -1117,6 +1225,8 @@ containerd_archive_checksums:
     1.6.15: 191bb4f6e4afc237efc5c85b5866b6fdfed731bde12cceaa6017a9c7f8aeda02
     1.6.14: 7da626d46c4edcae1eefe6d48dc6521db3e594a402715afcddc6ac9e67e1bfcd
   ppc64le:
+    1.7.23: 00dd8a1145d7392ffe1e2b74da147b896e4387afb5e73ed6e5cd3744add32826
+    1.7.22: 6747b7291ffbfde2c0bf0031978985df92ac74414f09bf190afda0fc9e797146
     1.7.21: 5ce0c1125e8d9ca04e2b524a2bac8b1eb97876c073023d5e083f7da64fcd8207
     1.7.20: dc611df0baa90509dda35e0be993da52f42b067514329fcf538d000b110364e8
     1.7.19: f41c2f28ee933a9ca24ff02cca159099fbcf798850e56cf0b7a6047ebe21fa86
@@ -1139,6 +1249,8 @@ containerd_archive_checksums:
     1.7.2: cbe7ec913cb603ca218bd8867efdce4bee3b0e0115e467e51c910467daf8184e
     1.7.1: 17d97ef55c6ce7af9778dbafb5e73f577d1b34220043a91cccde49dbcc610342
     1.7.0: 051e897d3ee5b8c8097f65be447fea2d29226b583ca5d9ed78e9aebcf4e69889
+    1.6.36: 8978cd8bcd4d5a2640bad26d8ea522a46847b6e4a62da1b07bfa482c8906e5ce
+    1.6.35: 99095ab778f6fd532eb01d11771e7f8de8383ef20a00ec536c0cf9c018895115
     1.6.34: 14a4392ba4e533e313fe6d3ed1a68cfdce038b87ad4693be6e71ff31568e2173
     1.6.33: 0a77fba37290a40a7853dbd7e5a297288d3657f7e92cd7864bc7187189a0a370
     1.6.32: d733e4b66ca2bc8191ae5e8770e4806ebd4094fdc657258045b925930ad9bfc5

roles/kubespray-defaults/defaults/main/download.yml

@@ -79,7 +79,7 @@ runc_version: v1.1.13
 kata_containers_version: 3.1.3
 youki_version: 0.1.0
 gvisor_version: 20240305
-containerd_version: 1.7.21
+containerd_version: 1.7.23
 cri_dockerd_version: 0.3.11
 
 # this is relevant when container_manager == 'docker'
@@ -103,7 +103,6 @@ github_image_repo: "ghcr.io"
 calico_version: "v3.28.1"
 calico_ctl_version: "{{ calico_version }}"
 calico_cni_version: "{{ calico_version }}"
-calico_flexvol_version: "{{ calico_version }}"
 calico_policy_version: "{{ calico_version }}"
 calico_typha_version: "{{ calico_version }}"
 calico_apiserver_version: "{{ calico_version }}"
@@ -238,8 +237,6 @@ calico_node_image_repo: "{{ quay_image_repo }}/calico/node"
 calico_node_image_tag: "{{ calico_version }}"
 calico_cni_image_repo: "{{ quay_image_repo }}/calico/cni"
 calico_cni_image_tag: "{{ calico_cni_version }}"
-calico_flexvol_image_repo: "{{ quay_image_repo }}/calico/pod2daemon-flexvol"
-calico_flexvol_image_tag: "{{ calico_flexvol_version }}"
 calico_policy_image_repo: "{{ quay_image_repo }}/calico/kube-controllers"
 calico_policy_image_tag: "{{ calico_policy_version }}"
 calico_typha_image_repo: "{{ quay_image_repo }}/calico/typha"
@@ -332,13 +329,13 @@ rbd_provisioner_image_tag: "{{ rbd_provisioner_version }}"
 local_path_provisioner_version: "v0.0.24"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "{{ local_path_provisioner_version }}"
-ingress_nginx_version: "v1.11.2"
+ingress_nginx_version: "v1.11.5"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
 ingress_nginx_controller_image_tag: "{{ ingress_nginx_version }}"
 ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
 ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
-ingress_nginx_kube_webhook_certgen_image_tag: "v1.4.3"
+ingress_nginx_kube_webhook_certgen_image_tag: "v1.5.2"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "v1.14.7"
@@ -793,15 +790,6 @@ downloads:
     groups:
       - k8s_cluster
 
-  calico_flexvol:
-    enabled: "{{ kube_network_plugin == 'calico' }}"
-    container: true
-    repo: "{{ calico_flexvol_image_repo }}"
-    tag: "{{ calico_flexvol_image_tag }}"
-    sha256: "{{ calico_flexvol_digest_checksum | default(None) }}"
-    groups:
-      - k8s_cluster
-
   calico_policy:
     enabled: "{{ enable_network_policy and kube_network_plugin in ['calico'] }}"
     container: true

roles/kubespray-defaults/defaults/main/main.yml

@@ -18,7 +18,7 @@ kubelet_fail_swap_on: true
 kubelet_swap_behavior: LimitedSwap
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.30.4
+kube_version: v1.30.6
 
 ## The minimum version working
 kube_version_min_required: v1.28.0

roles/kubespray-defaults/tasks/fallback_ips.yml

@@ -3,14 +3,14 @@
 # ansible_default_ipv4 isn't what you think.
 # Thanks https://medium.com/opsops/ansible-default-ipv4-is-not-what-you-think-edb8ab154b10
 
-- name: Gather ansible_default_ipv4 from all hosts or specific hosts
+- name: Gather ansible_default_ipv4 from all hosts
   setup:
     gather_subset: '!all,network'
     filter: "ansible_default_ipv4"
   delegate_to: "{{ item }}"
   delegate_facts: true
   when: hostvars[item].ansible_default_ipv4 is not defined
-  loop: "{{ (ansible_play_hosts_all + [groups['kube_control_plane'][0]]) | unique if ansible_limit is defined else (groups['k8s_cluster'] | default([]) + groups['etcd'] | default([]) + groups['calico_rr'] | default([])) | unique }}"
+  loop: "{{ (groups['k8s_cluster'] | default([]) + groups['etcd'] | default([]) + groups['calico_rr'] | default([])) | unique }}"
   run_once: true
   ignore_unreachable: true
   tags: always
@@ -19,8 +19,7 @@
   set_fact:
     fallback_ips_base: |
       ---
-      {% set search_hosts = (ansible_play_hosts_all + [groups['kube_control_plane'][0]]) | unique if ansible_limit is defined else (groups['k8s_cluster'] | default([]) + groups['etcd'] | default([]) + groups['calico_rr'] | default([])) | unique %}
-      {% for item in search_hosts %}
+      {% for item in (groups['k8s_cluster'] | default([]) + groups['etcd'] | default([]) + groups['calico_rr'] | default([])) | unique %}
       {% set found = hostvars[item].get('ansible_default_ipv4') %}
       {{ item }}: "{{ found.get('address', '127.0.0.1') }}"
       {% endfor %}

roles/network_plugin/calico/templates/calico-node.yml.j2

@@ -13,6 +13,10 @@ spec:
   selector:
     matchLabels:
       k8s-app: calico-node
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
   template:
     metadata:
       labels:
@@ -30,10 +34,16 @@ spec:
         {{ calico_ds_nodeselector }}
       priorityClassName: system-node-critical
       hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
       serviceAccountName: calico-node
       tolerations:
-      - operator: Exists
+        # Make sure calico-node gets scheduled on all nodes.
+        - effect: NoSchedule
+          operator: Exists
+        # Mark the pod as a critical add-on for rescheduling.
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
       # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
       # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
       terminationGracePeriodSeconds: 0
@@ -90,9 +100,11 @@ spec:
             # Name of the CNI config file to create.
             - name: CNI_CONF_NAME
               value: "10-calico.conflist"
-            # Install CNI binaries
-            - name: UPDATE_CNI_BINARIES
-              value: "true"
+{% if calico_mtu is defined %}
+            # CNI MTU Config variable
+            - name: CNI_MTU
+              value: "{{ calico_veth_mtu | default(calico_mtu) }}"
+{% endif %}
             # Prevents the container from sleeping forever.
             - name: SLEEP
               value: "false"
@@ -117,14 +129,29 @@ spec:
               name: cni-bin-dir
           securityContext:
             privileged: true
-        # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
-        # to communicate with Felix over the Policy Sync API.
-        - name: flexvol-driver
-          image: {{ calico_flexvol_image_repo }}:{{ calico_flexvol_image_tag }}
+        # This init container mounts the necessary filesystems needed by the BPF data plane
+        # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
+        # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
+        - name: "mount-bpffs"
+          image: {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
           imagePullPolicy: {{ k8s_image_pull_policy }}
+          command: ["calico-node", "-init", "-best-effort"]
           volumeMounts:
-            - name: flexvol-driver-host
-              mountPath: /host/driver
+            - mountPath: /sys/fs
+              name: sys-fs
+              # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
+              # so that it outlives the init container.
+              mountPropagation: Bidirectional
+            - mountPath: /var/run/calico
+              name: var-run-calico
+              # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
+              # so that it outlives the init container.
+              mountPropagation: Bidirectional
+            # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
+            # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
+            - mountPath: /nodeproc
+              name: nodeproc
+              readOnly: true
           securityContext:
             privileged: true
       containers:
@@ -205,10 +232,7 @@ spec:
                   key: calico_backend
             # Cluster type to identify the deployment type
             - name: CLUSTER_TYPE
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: cluster_type
+              value: "k8s,bgp"
             # Set noderef for node controller.
             - name: CALICO_K8S_NODE_REF
               valueFrom:
@@ -230,12 +254,16 @@ spec:
               value: "{{ calico_iptables_backend }}"
             - name: FELIX_IPTABLESLOCKTIMEOUTSECS
               value: "{{ calico_iptables_lock_timeout_secs }}"
-# should be set in etcd before deployment
-#            # Configure the IP Pool from which Pod IPs will be chosen.
-#            - name: CALICO_IPV4POOL_CIDR
-#              value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}"
+            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
+            # chosen from this range. Changing this value after installation will have
+            # no effect. This should fall within `--cluster-cidr`.
+            # - name: CALICO_IPV4POOL_CIDR
+            #   value: "192.168.0.0/16"
             - name: CALICO_IPV4POOL_IPIP
               value: "{{ calico_ipv4pool_ipip }}"
+            # Enable or Disable VXLAN on the default IP pool.
+            - name: CALICO_IPV4POOL_VXLAN
+              value: "Never"
             - name: FELIX_IPV6SUPPORT
               value: "{{ enable_dual_stack_networks | default(false) }}"
             # Set Felix logging to "info"
@@ -391,15 +419,10 @@ spec:
 {% endif %}
             - name: policysync
               mountPath: /var/run/nodeagent
-{% if calico_bpf_enabled %}
             # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
             # parent directory.
-            - name: sysfs
-              mountPath: /sys/fs/
-              # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
-              # If the host is known to mount that filesystem already then Bidirectional can be omitted.
-              mountPropagation: Bidirectional
-{% endif %}
+            - name: bpffs
+              mountPath: /sys/fs/bpf
             - name: cni-log-dir
               mountPath: /var/log/calico/cni
               readOnly: true
@@ -456,12 +479,18 @@ spec:
           hostPath:
             path: "/etc/kubernetes/ssl/"
 {% endif %}
-{% if calico_bpf_enabled %}
-        - name: sysfs
+        - name: sys-fs
           hostPath:
             path: /sys/fs/
             type: DirectoryOrCreate
-{% endif %}
+        - name: bpffs
+          hostPath:
+            path: /sys/fs/bpf
+            type: Directory
+        # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
+        - name: nodeproc
+          hostPath:
+            path: /proc
         # Used to access CNI logs.
         - name: cni-log-dir
           hostPath:
@@ -471,12 +500,3 @@ spec:
           hostPath:
             type: DirectoryOrCreate
             path: /var/run/nodeagent
-        # Used to install Flex Volume Driver
-        - name: flexvol-driver-host
-          hostPath:
-            type: DirectoryOrCreate
-            path: "{{ kubelet_flexvolumes_plugins_dir | default('/usr/libexec/kubernetes/kubelet-plugins/volume/exec') }}/nodeagent~uds"
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: {{ serial | default('20%') }}
-    type: RollingUpdate

scripts/download_hash.py

@@ -6,8 +6,10 @@
 
 import sys
 
-from itertools import count
+from itertools import count, groupby
 from collections import defaultdict
+from functools import cache
+import argparse
 import requests
 from ruamel.yaml import YAML
 from packaging.version import Version
@@ -25,36 +27,144 @@ def open_checksums_yaml():
 
     return data, yaml
 
+def version_compare(version):
+    return Version(version.removeprefix("v"))
 
-def download_hash(minors):
-    architectures = ["arm", "arm64", "amd64", "ppc64le"]
-    downloads = ["kubelet", "kubectl", "kubeadm"]
+downloads = {
+    "calicoctl_binary": "https://github.com/projectcalico/calico/releases/download/{version}/SHA256SUMS",
+    "ciliumcli_binary": "https://github.com/cilium/cilium-cli/releases/download/{version}/cilium-{os}-{arch}.tar.gz.sha256sum",
+    "cni_binary": "https://github.com/containernetworking/plugins/releases/download/{version}/cni-plugins-{os}-{arch}-{version}.tgz.sha256",
+    "containerd_archive": "https://github.com/containerd/containerd/releases/download/v{version}/containerd-{version}-{os}-{arch}.tar.gz.sha256sum",
+    "crictl": "https://github.com/kubernetes-sigs/cri-tools/releases/download/{version}/critest-{version}-{os}-{arch}.tar.gz.sha256",
+    "crio_archive": "https://storage.googleapis.com/cri-o/artifacts/cri-o.{arch}.{version}.tar.gz.sha256sum",
+    "etcd_binary": "https://github.com/etcd-io/etcd/releases/download/{version}/SHA256SUMS",
+    "kubeadm": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubeadm.sha256",
+    "kubectl": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubectl.sha256",
+    "kubelet": "https://dl.k8s.io/release/{version}/bin/linux/{arch}/kubelet.sha256",
+    "nerdctl_archive": "https://github.com/containerd/nerdctl/releases/download/v{version}/SHA256SUMS",
+    "runc": "https://github.com/opencontainers/runc/releases/download/{version}/runc.sha256sum",
+    "skopeo_binary": "https://github.com/lework/skopeo-binary/releases/download/{version}/skopeo-{os}-{arch}.sha256",
+    "yq": "https://github.com/mikefarah/yq/releases/download/{version}/checksums-bsd", # see https://github.com/mikefarah/yq/pull/1691 for why we use this url
+}
+# TODO: downloads not supported
+# youki: no checkusms in releases
+# kata: no checksums in releases
+# gvisor: sha512 checksums
+# crun : PGP signatures
+# cri_dockerd: no checksums or signatures
+# helm_archive: PGP signatures
+# krew_archive: different yaml structure
+# calico_crds_archive: different yaml structure
+
+# TODO:
+# noarch support -> k8s manifests, helm charts
+# different checksum format (needs download role changes)
+# different verification methods (gpg, cosign) ( needs download role changes) (or verify the sig in this script and only use the checksum in the playbook)
+# perf improvements (async)
+
+def download_hash(only_downloads: [str]) -> None:
+    # Handle file with multiples hashes, with various formats.
+    # the lambda is expected to produce a dictionary of hashes indexed by arch name
+    download_hash_extract = {
+            "calicoctl_binary": lambda hashes : {
+                line.split('-')[-1] : line.split()[0]
+                for line in hashes.strip().split('\n')
+                if line.count('-') == 2 and line.split('-')[-2] == "linux"
+                },
+            "etcd_binary": lambda hashes : {
+                line.split('-')[-1].removesuffix('.tar.gz') : line.split()[0]
+                for line in hashes.strip().split('\n')
+                if line.split('-')[-2] == "linux"
+                },
+             "nerdctl_archive": lambda hashes : {
+                line.split()[1].removesuffix('.tar.gz').split('-')[3] : line.split()[0]
+                for line in hashes.strip().split('\n')
+                if [x for x in line.split(' ') if x][1].split('-')[2] == "linux"
+                },
+            "runc": lambda hashes : {
+                parts[1].split('.')[1] : parts[0]
+                for parts in (line.split()
+                              for line in hashes.split('\n')[3:9])
+                },
+             "yq": lambda rhashes_bsd : {
+                 pair[0].split('_')[-1] : pair[1]
+                 # pair = (yq_<os>_<arch>, <hash>)
+                 for pair in ((line.split()[1][1:-1], line.split()[3])
+                     for line in rhashes_bsd.splitlines()
+                     if line.startswith("SHA256"))
+                 if pair[0].startswith("yq")
+                     and pair[0].split('_')[1] == "linux"
+                     and not pair[0].endswith(".tar.gz")
+                },
+            }
 
     data, yaml = open_checksums_yaml()
-    if not minors:
-        minors = {'.'.join(minor.split('.')[:-1]) for minor in data["kubelet_checksums"]["amd64"].keys()}
+    s = requests.Session()
 
-    for download in downloads:
+    @cache
+    def _get_hash_by_arch(download: str, version: str) -> {str: str}:
+
+        hash_file = s.get(downloads[download].format(
+            version = version,
+            os = "linux",
+            ),
+                          allow_redirects=True)
+        if hash_file.status_code == 404:
+            print(f"Unable to find {download} hash file for version {version} at {hash_file.url}")
+            return None
+        hash_file.raise_for_status()
+        return download_hash_extract[download](hash_file.content.decode())
+
+    for download, url in (downloads if only_downloads == []
+                          else {k:downloads[k] for k in downloads.keys() & only_downloads}).items():
         checksum_name = f"{download}_checksums"
-        data[checksum_name] = defaultdict(dict, data[checksum_name])
-        for arch in architectures:
-            for minor in minors:
-                if not minor.startswith("v"):
-                    minor = f"v{minor}"
-                for release in (f"{minor}.{patch}" for patch in count(start=0, step=1)):
-                    if release in data[checksum_name][arch]:
+        # Propagate new patch versions to all architectures
+        for arch in data[checksum_name].values():
+            for arch2 in data[checksum_name].values():
+                arch.update({
+                    v:("NONE" if arch2[v] == "NONE" else 0)
+                    for v in (set(arch2.keys()) - set(arch.keys()))
+                    if v.split('.')[2] == '0'})
+                    # this is necessary to make the script indempotent,
+                    # by only adding a vX.X.0 version (=minor release) in each arch
+                    # and letting the rest of the script populate the potential
+                    # patch versions
+
+        for arch, versions in data[checksum_name].items():
+            for minor, patches in groupby(versions.copy().keys(), lambda v : '.'.join(v.split('.')[:-1])):
+                for version in (f"{minor}.{patch}" for patch in
+                                count(start=int(max(patches, key=version_compare).split('.')[-1]),
+                                      step=1)):
+                    # Those barbaric generators do the following:
+                    # Group all patches versions by minor number, take the newest and start from that
+                    # to find new versions
+                    if version in versions and versions[version] != 0:
                         continue
-                    hash_file = requests.get(f"https://dl.k8s.io/release/{release}/bin/linux/{arch}/{download}.sha256", allow_redirects=True)
-                    if hash_file.status_code == 404:
-                        print(f"Unable to find {download} hash file for release {release} (arch: {arch})")
-                        break
-                    hash_file.raise_for_status()
-                    sha256sum = hash_file.content.decode().strip()
+                    if download in download_hash_extract:
+                        hashes = _get_hash_by_arch(download, version)
+                        if hashes == None:
+                            break
+                        sha256sum = hashes.get(arch)
+                        if sha256sum == None:
+                            break
+                    else:
+                        hash_file = s.get(downloads[download].format(
+                            version = version,
+                            os = "linux",
+                            arch = arch
+                            ),
+                         allow_redirects=True)
+                        if hash_file.status_code == 404:
+                            print(f"Unable to find {download} hash file for version {version} (arch: {arch}) at {hash_file.url}")
+                            break
+                        hash_file.raise_for_status()
+                        sha256sum = hash_file.content.decode().split()[0]
+
                     if len(sha256sum) != 64:
-                        raise Exception(f"Checksum has an unexpected length: {len(sha256sum)} (binary: {download}, arch: {arch}, release: 1.{minor}.{patch})")
-                    data[checksum_name][arch][release] = sha256sum
+                        raise Exception(f"Checksum has an unexpected length: {len(sha256sum)} (binary: {download}, arch: {arch}, release: {version}, checksum: '{sha256sum}')")
+                    data[checksum_name][arch][version] = sha256sum
         data[checksum_name] = {arch : {r : releases[r] for r in sorted(releases.keys(),
-                                                  key=lambda v : Version(v[1:]),
+                                                  key=version_compare,
                                                   reverse=True)}
                                for arch, releases in data[checksum_name].items()}
 
@@ -62,15 +172,34 @@ def download_hash(minors):
         yaml.dump(data, checksums_yml)
         print(f"\n\nUpdated {CHECKSUMS_YML}\n")
 
+parser = argparse.ArgumentParser(description=f"Add new patch versions hashes in {CHECKSUMS_YML}",
+                                 formatter_class=argparse.RawTextHelpFormatter,
+                                 epilog=f"""
+ This script only lookup new patch versions relative to those already existing
+ in the data in {CHECKSUMS_YML},
+ which means it won't add new major or minor versions.
+ In order to add one of these, edit {CHECKSUMS_YML}
+ by hand, adding the new versions with a patch number of 0 (or the lowest relevant patch versions)
+ ; then run this script.
 
-def usage():
-    print(f"USAGE:\n    {sys.argv[0]} [k8s_version1] [[k8s_version2]....[k8s_versionN]]")
+ Note that the script will try to add the versions on all
+ architecture keys already present for a given download target.
 
+ The '0' value for a version hash is treated as a missing hash, so the script will try to download it again.
+ To notify a non-existing version (yanked, or upstream does not have monotonically increasing versions numbers),
+ use the special value 'NONE'.
 
-def main(argv=None):
-    download_hash(sys.argv[1:])
-    return 0
+ EXAMPLES:
 
+ crictl_checksums:
+      ...
+    amd64:
++     v1.30.0: 0
+      v1.29.0: d16a1ffb3938f5a19d5c8f45d363bd091ef89c0bc4d44ad16b933eede32fdcbb
+      v1.28.0: 8dc78774f7cbeaf787994d386eec663f0a3cf24de1ea4893598096cb39ef2508"""
 
-if __name__ == "__main__":
-    sys.exit(main())
+)
+parser.add_argument('binaries', nargs='*', choices=downloads.keys())
+
+args = parser.parse_args()
+download_hash(args.binaries)

scripts/openstack-cleanup/main.py

@@ -37,17 +37,6 @@ def main():
     map_if_old(conn.compute.delete_server,
                conn.compute.servers())
 
-    print('Security groups...')
-    try:
-        map_if_old(conn.network.delete_security_group,
-                conn.network.security_groups())
-    except openstack.exceptions.ConflictException as ex:
-        # Need to delete port when security groups is in used
-        map_if_old(conn.network.delete_port,
-                   conn.network.ports())
-        map_if_old(conn.network.delete_security_group,
-                conn.network.security_groups())
-
     print('Ports...')
     try:
         map_if_old(conn.network.delete_port,
@@ -73,6 +62,17 @@ def main():
         map_if_old(conn.network.delete_port,
                    conn.network.ports())
 
+    print('Security groups...')
+    try:
+        map_if_old(conn.network.delete_security_group,
+                conn.network.security_groups())
+    except openstack.exceptions.ConflictException as ex:
+        # Need to delete port when security groups is in used
+        map_if_old(conn.network.delete_port,
+                   conn.network.ports())
+        map_if_old(conn.network.delete_security_group,
+                conn.network.security_groups())
+
     print('Subnets...')
     map_if_old(conn.network.delete_subnet,
                conn.network.subnets())

tests/files/custom_cni/values.yaml

@@ -8,4 +8,4 @@ hubble:
 ipam:
   operator:
     # Set the appropriate pods subnet
-    clusterPoolIPv4PodCIDR: "{{ kube_pods_subnet }}"
+    clusterPoolIPv4PodCIDRList: ["{{ kube_pods_subnet }}"]

tests/files/packet_debian11-custom-cni.yml

@@ -4,6 +4,7 @@ cloud_image: debian-11
 mode: default
 
 # Kubespray settings
+kube_owner: root
 kube_network_plugin: custom_cni
 custom_cni_manifests:
   - "{{ playbook_dir }}/../tests/files/custom_cni/cilium.yaml"

tests/files/packet_debian12-custom-cni-helm.yml

@@ -11,7 +11,7 @@ custom_cni_chart_release_name: cilium
 custom_cni_chart_repository_name: cilium
 custom_cni_chart_repository_url: https://helm.cilium.io
 custom_cni_chart_ref: cilium/cilium
-custom_cni_chart_version: 1.14.3
+custom_cni_chart_version: 1.16.3
 custom_cni_chart_values:
   cluster:
     name: kubespray