Etcd certs: use symlink in kubeadm config

Signed-off-by: Kay Yan <kay.yan@daocloud.io>

.gitlab-ci.yml

@@ -8,11 +8,11 @@ stages:
 variables:
   FAILFASTCI_NAMESPACE: 'kargo-ci'
   GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
-  GIT_CONFIG_COUNT: 1
+  GIT_CONFIG_COUNT: 2
-  GIT_CONFIG_KEY_0: user.key
+  GIT_CONFIG_KEY_0: user.email
   GIT_CONFIG_VALUE_0: "ci@kubespray.io"
   GIT_CONFIG_KEY_1: user.name
-  GIT_CONFIG_VALUE_1: "CI"
+  GIT_CONFIG_VALUE_1: "Kubespray CI"
   ANSIBLE_FORCE_COLOR: "true"
   MAGIC: "ci check this"
   GS_ACCESS_KEY_ID: $GS_KEY

.gitlab-ci/packet.yml

@@ -122,7 +122,7 @@ packet_amazon-linux-2-all-in-one:
     - when: manual
       allow_failure: true
 
-packet_opensuse-docker-cilium:
+packet_opensuse15-6-calico:
   extends: .packet_pr
 
 packet_ubuntu20-cilium-sep:
@@ -159,6 +159,9 @@ packet_almalinux9-calico:
 packet_almalinux9-docker:
   extends: .packet_pr_extended
 
+packet_opensuse15-6-docker-cilium:
+  extends: .packet_pr_extended
+
 packet_ubuntu24-calico-all-in-one:
   extends: .packet_pr_extended
 

README.md

@@ -113,7 +113,7 @@ Note:
 - Core
   - [kubernetes](https://github.com/kubernetes/kubernetes) 1.32.3
   - [etcd](https://github.com/etcd-io/etcd) 3.5.16
-  - [docker](https://www.docker.com/) 26.1
+  - [docker](https://www.docker.com/) 28.0
   - [containerd](https://containerd.io/) 2.0.3
   - [cri-o](http://cri-o.io/) 1.32.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
@@ -129,7 +129,7 @@ Note:
 - Application
   - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
   - [coredns](https://github.com/coredns/coredns) 1.11.3
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.12.0
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.12.1
   - [argocd](https://argoproj.github.io/) 2.14.5
   - [helm](https://helm.sh/) 3.16.4
   - [metallb](https://metallb.universe.tf/) 0.13.9

Vagrantfile

@@ -33,7 +33,7 @@ SUPPORTED_OS = {
   "fedora40"            => {box: "fedora/40-cloud-base",       user: "vagrant"},
   "fedora39-arm64"      => {box: "bento/fedora-39-arm64",      user: "vagrant"},
   "fedora40-arm64"      => {box: "bento/fedora-40",            user: "vagrant"},
-  "opensuse"            => {box: "opensuse/Leap-15.4.x86_64",  user: "vagrant"},
+  "opensuse"            => {box: "opensuse/Leap-15.6.x86_64",  user: "vagrant"},
   "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
   "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
   "oraclelinux8"        => {box: "generic/oracle8",            user: "vagrant"},

docs/ansible/vars.md

@@ -25,7 +25,7 @@ Some variables of note include:
 * *calico_vxlan_mode* - Configures Calico vxlan encapsulation - valid values are 'Never', 'Always' and 'CrossSubnet' (default 'Always')
 * *calico_network_backend* - Configures Calico network backend - valid values are 'none', 'bird' and 'vxlan' (default 'vxlan')
 * *kube_network_plugin* - Sets k8s network plugin (default Calico)
-* *kube_proxy_mode* - Changes k8s proxy mode to iptables mode
+* *kube_proxy_mode* - Changes k8s proxy mode to iptables, ipvs, nftables mode
 * *kube_version* - Specify a given Kubernetes version
 * *searchdomains* - Array of DNS domains to search when looking up hostnames
 * *remove_default_searchdomains* - Boolean that removes the default searchdomain

docs/developers/ci.md

@@ -14,7 +14,7 @@ debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-opensuse |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+opensuse15 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux8 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 ubuntu20 |  :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: |
@@ -33,7 +33,7 @@ debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-opensuse |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+opensuse15 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux8 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu20 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
@@ -52,7 +52,7 @@ debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-opensuse |  :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
+opensuse15 |  :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 rockylinux8 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu20 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |

docs/operating_systems/opensuse.md

@@ -1,4 +1,4 @@
-# openSUSE Leap 15.3 and Tumbleweed
+# openSUSE Leap 15.6 and Tumbleweed
 
 openSUSE Leap installation Notes:
 

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -118,7 +118,8 @@ kube_apiserver_ip: "{{ kube_service_subnets.split(',') | first | ansible.utils.i
 kube_apiserver_port: 6443  # (https)
 
 # Kube-proxy proxyMode configuration.
-# Can be ipvs, iptables
+# Can be ipvs, iptables, nftables
+# TODO: it needs to be changed to nftables when the upstream use nftables as default
 kube_proxy_mode: ipvs
 
 # configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface

roles/container-engine/docker/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-docker_version: '26.1'
+docker_version: '28.0'
 docker_cli_version: "{{ docker_version }}"
 
 docker_package_info:
@@ -53,8 +53,8 @@ docker_fedora_repo_base_url: 'https://download.docker.com/linux/fedora/{{ ansibl
 docker_fedora_repo_gpgkey: 'https://download.docker.com/linux/fedora/gpg'
 
 # CentOS/RedHat docker-ce repo
-docker_rh_repo_base_url: 'https://download.docker.com/linux/centos/{{ ansible_distribution_major_version }}/$basearch/stable'
+docker_rh_repo_base_url: 'https://download.docker.com/linux/rhel/{{ ansible_distribution_major_version }}/$basearch/stable'
-docker_rh_repo_gpgkey: 'https://download.docker.com/linux/centos/gpg'
+docker_rh_repo_gpgkey: 'https://download.docker.com/linux/rhel/gpg'
 
 # Ubuntu docker-ce repo
 docker_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"

roles/container-engine/docker/vars/debian.yml

@@ -25,8 +25,17 @@ containerd_versioned_pkg:
   '1.6.28': "{{ containerd_package }}=1.6.28-2"
   '1.6.31': "{{ containerd_package }}=1.6.31-1"
   '1.6.32': "{{ containerd_package }}=1.6.32-1"
-  'stable': "{{ containerd_package }}=1.6.32-1"
+  '1.6.33': "{{ containerd_package }}=1.6.33-1"
-  'edge': "{{ containerd_package }}=1.6.32-1"
+  '1.7.18': "{{ containerd_package }}=1.7.18-1"
+  '1.7.19': "{{ containerd_package }}=1.7.19-1"
+  '1.7.20': "{{ containerd_package }}=1.7.20-1"
+  '1.7.21': "{{ containerd_package }}=1.7.21-1"
+  '1.7.22': "{{ containerd_package }}=1.7.22-1"
+  '1.7.23': "{{ containerd_package }}=1.7.23-1"
+  '1.7.24': "{{ containerd_package }}=1.7.24-1"
+  '1.7.25': "{{ containerd_package }}=1.7.25-1"
+  'stable': "{{ containerd_package }}=1.7.25-1"
+  'edge': "{{ containerd_package }}=1.7.25-1"
 
 # https://download.docker.com/linux/debian/
 docker_versioned_pkg:
@@ -38,9 +47,16 @@ docker_versioned_pkg:
   '24.0': docker-ce=5:24.0.9-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
   '25.0': docker-ce=5:25.0.5-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
   '26.0': docker-ce=5:26.0.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
-  '26.1': docker-ce=5:26.1.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '26.1': docker-ce=5:26.1.4-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
-  'stable': docker-ce=5:24.0.9-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.0': docker-ce=5:27.0.3-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
-  'edge': docker-ce=5:24.0.9-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.1': docker-ce=5:27.1.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.2': docker-ce=5:27.2.1-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.3': docker-ce=5:27.3.1-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.4': docker-ce=5:27.4.1-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.5': docker-ce=5:27.5.4-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '28.0': docker-ce=5:28.0.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  'stable': docker-ce=5:28.0.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  'edge': docker-ce=5:28.0.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
 
 docker_cli_versioned_pkg:
   'latest': docker-ce-cli
@@ -51,9 +67,16 @@ docker_cli_versioned_pkg:
   '24.0': docker-ce-cli=5:24.0.9-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
   '25.0': docker-ce-cli=5:25.0.5-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
   '26.0': docker-ce-cli=5:26.0.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
-  '26.1': docker-ce-cli=5:26.1.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '26.1': docker-ce-cli=5:26.1.4-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
-  'stable': docker-ce-cli=5:26.1.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.0': docker-ce-cli=5:27.0.3-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
-  'edge': docker-ce-cli=5:26.1.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.1': docker-ce-cli=5:27.1.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.2': docker-ce-cli=5:27.2.1-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.3': docker-ce-cli=5:27.3.1-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.4': docker-ce-cli=5:27.4.1-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '27.5': docker-ce-cli=5:27.5.4-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  '28.0': docker-ce-cli=5:28.0.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  'stable': docker-ce-cli=5:28.0.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
+  'edge': docker-ce-cli=5:28.0.2-1~debian.{{ ansible_distribution_major_version }}~{{ ansible_distribution_release | lower }}
 
 docker_package_info:
   pkgs:

roles/container-engine/docker/vars/fedora.yml

@@ -25,8 +25,17 @@ containerd_versioned_pkg:
   '1.6.28': "{{ containerd_package }}-1.6.28-3.2.fc{{ ansible_distribution_major_version }}"
   '1.6.31': "{{ containerd_package }}-1.6.31-3.1.fc{{ ansible_distribution_major_version }}"
   '1.6.32': "{{ containerd_package }}-1.6.32-3.1.fc{{ ansible_distribution_major_version }}"
-  'stable': "{{ containerd_package }}-1.6.32-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.6.33': "{{ containerd_package }}-1.6.33-3.1.fc{{ ansible_distribution_major_version }}"
-  'edge': "{{ containerd_package }}-1.6.32-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.7.18': "{{ containerd_package }}-1.7.18-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.7.19': "{{ containerd_package }}-1.7.19-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.7.20': "{{ containerd_package }}-1.7.20-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.7.21': "{{ containerd_package }}-1.7.21-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.7.22': "{{ containerd_package }}-1.7.22-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.7.23': "{{ containerd_package }}-1.7.23-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.7.24': "{{ containerd_package }}-1.7.24-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.7.25': "{{ containerd_package }}-1.7.25-3.1.fc{{ ansible_distribution_major_version }}"
+  'stable': "{{ containerd_package }}-1.7.25-3.1.fc{{ ansible_distribution_major_version }}"
+  'edge': "{{ containerd_package }}-1.7.25-3.1.fc{{ ansible_distribution_major_version }}"
 
 # https://docs.docker.com/install/linux/docker-ce/fedora/
 # https://download.docker.com/linux/fedora/<fedora-version>/x86_64/stable/Packages/
@@ -37,9 +46,16 @@ docker_versioned_pkg:
   '23.0': docker-ce-3:23.0.6-1.fc{{ ansible_distribution_major_version }}
   '24.0': docker-ce-3:24.0.9-1.fc{{ ansible_distribution_major_version }}
   '26.0': docker-ce-3:26.0.2-1.fc{{ ansible_distribution_major_version }}
-  '26.1': docker-ce-3:26.1.2-1.fc{{ ansible_distribution_major_version }}
+  '26.1': docker-ce-3:26.1.4-1.fc{{ ansible_distribution_major_version }}
-  'stable': docker-ce-3:26.1.2-1.fc{{ ansible_distribution_major_version }}
+  '27.0': docker-ce-3:27.0.3-1.fc{{ ansible_distribution_major_version }}
-  'edge': docker-ce-3:26.1.2-1.fc{{ ansible_distribution_major_version }}
+  '27.1': docker-ce-3:27.1.2-1.fc{{ ansible_distribution_major_version }}
+  '27.2': docker-ce-3:27.2.1-1.fc{{ ansible_distribution_major_version }}
+  '27.3': docker-ce-3:27.3.1-1.fc{{ ansible_distribution_major_version }}
+  '27.4': docker-ce-3:27.4.1-1.fc{{ ansible_distribution_major_version }}
+  '27.5': docker-ce-3:27.5.1-1.fc{{ ansible_distribution_major_version }}
+  '28.0': docker-ce-3:28.0.2-1.fc{{ ansible_distribution_major_version }}
+  'stable': docker-ce-3:28.0.2-1.fc{{ ansible_distribution_major_version }}
+  'edge': docker-ce-3:28.0.2-1.fc{{ ansible_distribution_major_version }}
 
 docker_cli_versioned_pkg:
   'latest': docker-ce-cli
@@ -48,9 +64,16 @@ docker_cli_versioned_pkg:
   '23.0': docker-ce-cli-1:23.0.6-1.fc{{ ansible_distribution_major_version }}
   '24.0': docker-ce-cli-1:24.0.9-1.fc{{ ansible_distribution_major_version }}
   '26.0': docker-ce-cli-1:26.0.2-1.fc{{ ansible_distribution_major_version }}
-  '26.1': docker-ce-cli-1:26.0.2-1.fc{{ ansible_distribution_major_version }}
+  '26.1': docker-ce-cli-1:26.1.4-1.fc{{ ansible_distribution_major_version }}
-  'stable': docker-ce-cli-1:26.0.2-1.fc{{ ansible_distribution_major_version }}
+  '27.0': docker-ce-cli-1:27.0.3-1.fc{{ ansible_distribution_major_version }}
-  'edge': docker-ce-cli-1:26.0.2-1.fc{{ ansible_distribution_major_version }}
+  '27.1': docker-ce-cli-1:27.1.2-1.fc{{ ansible_distribution_major_version }}
+  '27.2': docker-ce-cli-1:27.2.1-1.fc{{ ansible_distribution_major_version }}
+  '27.3': docker-ce-cli-1:27.3.1-1.fc{{ ansible_distribution_major_version }}
+  '27.4': docker-ce-cli-1:27.4.1-1.fc{{ ansible_distribution_major_version }}
+  '27.5': docker-ce-cli-1:27.5.1-1.fc{{ ansible_distribution_major_version }}
+  '28.0': docker-ce-cli-1:28.0.2-1.fc{{ ansible_distribution_major_version }}
+  'stable': docker-ce-cli-1:28.0.2-1.fc{{ ansible_distribution_major_version }}
+  'edge': docker-ce-cli-1:28.0.2-1.fc{{ ansible_distribution_major_version }}
 
 docker_package_info:
   enablerepo: "docker-ce"

roles/container-engine/docker/vars/redhat-7.yml

@@ -1,63 +0,0 @@
----
-# containerd versions are only relevant for docker
-containerd_versioned_pkg:
-  'latest': "{{ containerd_package }}"
-  '1.3.7': "{{ containerd_package }}-1.3.7-3.1.el7"
-  '1.3.9': "{{ containerd_package }}-1.3.9-3.1.el7"
-  '1.4.3': "{{ containerd_package }}-1.4.3-3.2.el7"
-  '1.4.4': "{{ containerd_package }}-1.4.4-3.1.el7"
-  '1.4.6': "{{ containerd_package }}-1.4.6-3.1.el7"
-  '1.4.9': "{{ containerd_package }}-1.4.9-3.1.el7"
-  '1.4.12': "{{ containerd_package }}-1.4.12-3.1.el7"
-  '1.6.4': "{{ containerd_package }}-1.6.4-3.1.el7"
-  '1.6.6': "{{ containerd_package }}-1.6.6-3.1.el7"
-  '1.6.7': "{{ containerd_package }}-1.6.7-3.1.el7"
-  '1.6.8': "{{ containerd_package }}-1.6.8-3.1.el7"
-  '1.6.9': "{{ containerd_package }}-1.6.9-3.1.el7"
-  '1.6.10': "{{ containerd_package }}-1.6.10-3.1.el7"
-  '1.6.11': "{{ containerd_package }}-1.6.11-3.1.el7"
-  '1.6.12': "{{ containerd_package }}-1.6.12-3.1.el7"
-  '1.6.13': "{{ containerd_package }}-1.6.13-3.1.el7"
-  '1.6.14': "{{ containerd_package }}-1.6.14-3.1.el7"
-  '1.6.15': "{{ containerd_package }}-1.6.15-3.1.el7"
-  '1.6.16': "{{ containerd_package }}-1.6.16-3.1.el7"
-  '1.6.18': "{{ containerd_package }}-1.6.18-3.1.el7"
-  '1.6.28': "{{ containerd_package }}-1.6.28-3.1.el7"
-  '1.6.31': "{{ containerd_package }}-1.6.31-3.1.el7"
-  '1.6.32': "{{ containerd_package }}-1.6.32-3.1.el7"
-  'stable': "{{ containerd_package }}-1.6.32-3.1.el7"
-  'edge': "{{ containerd_package }}-1.6.32-3.1.el7"
-
-# https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
-# https://download.docker.com/linux/centos/<centos_version>>/x86_64/stable/Packages/
-# or do 'yum --showduplicates list docker-engine'
-docker_versioned_pkg:
-  'latest': docker-ce
-  '18.09': docker-ce-18.09.9-3.el7
-  '19.03': docker-ce-19.03.15-3.el7
-  '20.10': docker-ce-20.10.20-3.el7
-  '23.0': docker-ce-23.0.6-1.el7
-  '24.0': docker-ce-24.0.9-1.el7
-  '26.0': docker-ce-26.0.2-1.el7
-  '26.1': docker-ce-26.1.2-1.el7
-  'stable': docker-ce-26.1.2-1.el7
-  'edge': docker-ce-26.1.2-1.el7
-
-docker_cli_versioned_pkg:
-  'latest': docker-ce-cli
-  '18.09': docker-ce-cli-18.09.9-3.el7
-  '19.03': docker-ce-cli-19.03.15-3.el7
-  '20.10': docker-ce-cli-20.10.20-3.el7
-  '23.0': docker-ce-cli-23.0.6-1.el7
-  '24.0': docker-ce-cli-24.0.9-1.el7
-  '26.0': docker-ce-cli-26.0.2-1.el7
-  '26.1': docker-ce-cli-26.1.2-1.el7
-  'stable': docker-ce-cli-26.1.2-1.el7
-  'edge': docker-ce-cli-26.1.2-1.el7
-
-docker_package_info:
-  enablerepo: "docker-ce"
-  pkgs:
-    - "{{ containerd_versioned_pkg[docker_containerd_version | string] }}"
-    - "{{ docker_cli_versioned_pkg[docker_cli_version | string] }}"
-    - "{{ docker_versioned_pkg[docker_version | string] }}"

roles/container-engine/docker/vars/redhat.yml

@@ -25,11 +25,20 @@ containerd_versioned_pkg:
   '1.6.28': "{{ containerd_package }}-1.6.28-3.1.el{{ ansible_distribution_major_version }}"
   '1.6.31': "{{ containerd_package }}-1.6.31-3.1.el{{ ansible_distribution_major_version }}"
   '1.6.32': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
-  'stable': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
+  '1.6.33': "{{ containerd_package }}-1.6.33-3.1.el{{ ansible_distribution_major_version }}"
-  'edge': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
+  '1.7.18': "{{ containerd_package }}-1.7.18-3.1.el{{ ansible_distribution_major_version }}"
+  '1.7.19': "{{ containerd_package }}-1.7.19-3.1.el{{ ansible_distribution_major_version }}"
+  '1.7.20': "{{ containerd_package }}-1.7.20-3.1.el{{ ansible_distribution_major_version }}"
+  '1.7.21': "{{ containerd_package }}-1.7.21-3.1.el{{ ansible_distribution_major_version }}"
+  '1.7.22': "{{ containerd_package }}-1.7.22-3.1.el{{ ansible_distribution_major_version }}"
+  '1.7.23': "{{ containerd_package }}-1.7.23-3.1.el{{ ansible_distribution_major_version }}"
+  '1.7.24': "{{ containerd_package }}-1.7.24-3.1.el{{ ansible_distribution_major_version }}"
+  '1.7.25': "{{ containerd_package }}-1.7.25-3.1.el{{ ansible_distribution_major_version }}"
+  'stable': "{{ containerd_package }}-1.7.25-3.1.el{{ ansible_distribution_major_version }}"
+  'edge': "{{ containerd_package }}-1.7.25-3.1.el{{ ansible_distribution_major_version }}"
 
-# https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
+# https://docs.docker.com/engine/installation/linux/rhel/#install-from-a-package
-# https://download.docker.com/linux/centos/<centos_version>>/x86_64/stable/Packages/
+# https://download.docker.com/linux/rhel/<rhel_version>>/x86_64/stable/Packages/
 # or do 'yum --showduplicates list docker-engine'
 docker_versioned_pkg:
   'latest': docker-ce
@@ -39,9 +48,16 @@ docker_versioned_pkg:
   '23.0': docker-ce-3:23.0.6-1.el{{ ansible_distribution_major_version }}
   '24.0': docker-ce-3:24.0.9-1.el{{ ansible_distribution_major_version }}
   '26.0': docker-ce-3:26.0.2-1.el{{ ansible_distribution_major_version }}
-  '26.1': docker-ce-3:26.1.2-1.el{{ ansible_distribution_major_version }}
+  '26.1': docker-ce-3:26.1.4-1.el{{ ansible_distribution_major_version }}
-  'stable': docker-ce-3:26.1.2-1.el{{ ansible_distribution_major_version }}
+  '27.0': docker-ce-3:27.0.3-1.el{{ ansible_distribution_major_version }}
-  'edge': docker-ce-3:26.1.2-1.el{{ ansible_distribution_major_version }}
+  '27.1': docker-ce-3:27.1.3-1.el{{ ansible_distribution_major_version }}
+  '27.2': docker-ce-3:27.2.3-1.el{{ ansible_distribution_major_version }}
+  '27.3': docker-ce-3:27.3.3-1.el{{ ansible_distribution_major_version }}
+  '27.4': docker-ce-3:27.4.3-1.el{{ ansible_distribution_major_version }}
+  '27.5': docker-ce-3:27.5.3-1.el{{ ansible_distribution_major_version }}
+  '28.0': docker-ce-3:28.0.2-1.el{{ ansible_distribution_major_version }}
+  'stable': docker-ce-3:28.0.2-1.el{{ ansible_distribution_major_version }}
+  'edge': docker-ce-3:28.0.2-1.el{{ ansible_distribution_major_version }}
 
 docker_cli_versioned_pkg:
   'latest': docker-ce-cli
@@ -51,9 +67,16 @@ docker_cli_versioned_pkg:
   '23.0': docker-ce-cli-1:23.0.6-1.el{{ ansible_distribution_major_version }}
   '24.0': docker-ce-cli-1:24.0.9-1.el{{ ansible_distribution_major_version }}
   '26.0': docker-ce-cli-1:26.0.2-1.el{{ ansible_distribution_major_version }}
-  '26.1': docker-ce-cli-1:26.1.2-1.el{{ ansible_distribution_major_version }}
+  '26.1': docker-ce-cli-1:26.1.4-1.el{{ ansible_distribution_major_version }}
-  'stable': docker-ce-cli-1:26.1.2-1.el{{ ansible_distribution_major_version }}
+  '27.0': docker-ce-cli-1:27.0.3-1.el{{ ansible_distribution_major_version }}
-  'edge': docker-ce-cli-1:26.1.2-1.el{{ ansible_distribution_major_version }}
+  '27.1': docker-ce-cli-1:27.1.3-1.el{{ ansible_distribution_major_version }}
+  '27.2': docker-ce-cli-1:27.2.3-1.el{{ ansible_distribution_major_version }}
+  '27.3': docker-ce-cli-1:27.3.3-1.el{{ ansible_distribution_major_version }}
+  '27.4': docker-ce-cli-1:27.4.3-1.el{{ ansible_distribution_major_version }}
+  '27.5': docker-ce-cli-1:27.5.3-1.el{{ ansible_distribution_major_version }}
+  '28.0': docker-ce-cli-1:28.0.2-1.el{{ ansible_distribution_major_version }}
+  'stable': docker-ce-cli-1:28.0.2-1.el{{ ansible_distribution_major_version }}
+  'edge': docker-ce-cli-1:28.0.2-1.el{{ ansible_distribution_major_version }}
 
 docker_package_info:
   enablerepo: "docker-ce"

roles/container-engine/docker/vars/ubuntu.yml

@@ -2,13 +2,6 @@
 # containerd versions are only relevant for docker
 containerd_versioned_pkg:
   'latest': "{{ containerd_package }}"
-  '1.3.7': "{{ containerd_package }}=1.3.7-1"
-  '1.3.9': "{{ containerd_package }}=1.3.9-1"
-  '1.4.3': "{{ containerd_package }}=1.4.3-2"
-  '1.4.4': "{{ containerd_package }}=1.4.4-1"
-  '1.4.6': "{{ containerd_package }}=1.4.6-1"
-  '1.4.9': "{{ containerd_package }}=1.4.9-1"
-  '1.4.12': "{{ containerd_package }}=1.4.12-1"
   '1.6.4': "{{ containerd_package }}=1.6.4-1"
   '1.6.6': "{{ containerd_package }}=1.6.6-1"
   '1.6.7': "{{ containerd_package }}=1.6.7-1"
@@ -25,8 +18,17 @@ containerd_versioned_pkg:
   '1.6.28': "{{ containerd_package }}=1.6.28-2"
   '1.6.31': "{{ containerd_package }}=1.6.31-1"
   '1.6.32': "{{ containerd_package }}=1.6.32-1"
-  'stable': "{{ containerd_package }}=1.6.32-1"
+  '1.6.33': "{{ containerd_package }}=1.6.33-1"
-  'edge': "{{ containerd_package }}=1.6.32-1"
+  '1.7.18': "{{ containerd_package }}=1.7.18-1"
+  '1.7.19': "{{ containerd_package }}=1.7.19-1"
+  '1.7.20': "{{ containerd_package }}=1.7.20-1"
+  '1.7.21': "{{ containerd_package }}=1.7.21-1"
+  '1.7.22': "{{ containerd_package }}=1.7.22-1"
+  '1.7.23': "{{ containerd_package }}=1.7.23-1"
+  '1.7.24': "{{ containerd_package }}=1.7.24-1"
+  '1.7.25': "{{ containerd_package }}=1.7.25-1"
+  'stable': "{{ containerd_package }}=1.7.25-1"
+  'edge': "{{ containerd_package }}=1.7.25-1"
 
 # https://download.docker.com/linux/ubuntu/
 docker_versioned_pkg:
@@ -37,9 +39,16 @@ docker_versioned_pkg:
   '23.0': docker-ce=5:23.0.6-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
   '24.0': docker-ce=5:24.0.9-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
   '26.0': docker-ce=5:26.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
-  '26.1': docker-ce=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '26.1': docker-ce=5:26.1.4-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
-  'stable': docker-ce=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.0': docker-ce=5:27.0.3-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
-  'edge': docker-ce=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.1': docker-ce=5:27.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.2': docker-ce=5:27.2.1-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.3': docker-ce=5:27.3.1-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.4': docker-ce=5:27.4.1-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.5': docker-ce=5:27.5.4-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '28.0': docker-ce=5:28.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  'stable': docker-ce=5:28.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  'edge': docker-ce=5:28.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
 
 docker_cli_versioned_pkg:
   'latest': docker-ce-cli
@@ -49,9 +58,16 @@ docker_cli_versioned_pkg:
   '23.0': docker-ce-cli=5:23.0.6-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
   '24.0': docker-ce-cli=5:24.0.9-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
   '26.0': docker-ce-cli=5:26.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
-  '26.1': docker-ce-cli=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '26.1': docker-ce-cli=5:26.1.4-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
-  'stable': docker-ce-cli=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.0': docker-ce-cli=5:27.0.3-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
-  'edge': docker-ce-cli=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.1': docker-ce-cli=5:27.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.2': docker-ce-cli=5:27.2.1-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.3': docker-ce-cli=5:27.3.1-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.4': docker-ce-cli=5:27.4.1-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '27.5': docker-ce-cli=5:27.5.4-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  '28.0': docker-ce-cli=5:28.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  'stable': docker-ce-cli=5:28.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  'edge': docker-ce-cli=5:28.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
 
 docker_package_info:
   pkgs:

roles/kubernetes/control-plane/defaults/main/etcd.yml

@@ -27,3 +27,11 @@ etcd_extra_vars: {}
 # etcd_max_request_bytes: "1572864"
 
 etcd_compaction_retention: "8"
+
+
+# softlink to etcd certs
+etcd_cert_paths:
+  client:
+    ca: "{{ etcd_cert_dir }}/ca.pem"
+    cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
+    key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"

roles/kubernetes/control-plane/defaults/main/main.yml

@@ -23,10 +23,6 @@ kube_apiserver_etcd_compaction_interval: "5m0s"
 # in the request is actually present in etcd.
 kube_apiserver_service_account_lookup: true
 
-kube_etcd_cacert_file: ca.pem
-kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
-kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
-
 # Associated interfaces must be reachable by the rest of the cluster, and by
 # CLI/web clients.
 kube_controller_manager_bind_address: "::"

roles/kubernetes/control-plane/tasks/0010-etcd-link.yml

@@ -0,0 +1,24 @@
+---
+- name: Create etcd cert directory
+  ansible.builtin.file:
+    path: "{{ etcd_cert_dir }}"
+    state: directory
+    mode: '0750'
+  when:
+    - inventory_hostname  in groups['kube_control_plane']
+
+- name: Generate symlink to etcd certs
+  ansible.builtin.file:
+    src: "{{ etcd_cert_paths.client[item.src] }}"
+    dest: "{{ etcd_cert_dir }}/{{ item.dest }}"
+    state: link
+    force: true
+  loop:
+    - src: ca
+      dest: "{{ kube_etcd_cacert_file }}"
+    - src: cert
+      dest: "{{ kube_etcd_cert_file }}"
+    - src: key
+      dest: "{{ kube_etcd_key_file }}"
+  when:
+    - inventory_hostname  in groups['kube_control_plane']

roles/kubernetes/control-plane/tasks/main.yml

@@ -4,6 +4,11 @@
   tags:
     - k8s-pre-upgrade
 
+- name: Create etcd cert symbolic links
+  import_tasks: 0010-etcd-link.yml
+  when:
+    - etcd_deployment_type != "kubeadm"
+
 - name: Create webhook token auth config
   template:
     src: webhook-token-auth-config.yaml.j2

roles/kubernetes/node/tasks/main.yml

@@ -132,6 +132,15 @@
   tags:
     - kube-proxy
 
+- name: Modprobe Kernel Module for nftables
+  community.general.modprobe:
+    name: "nf_tables"
+    state: present
+    persistent: present
+  when: kube_proxy_mode == 'nftables'
+  tags:
+    - kube-proxy
+
 - name: Install kubelet
   import_tasks: kubelet.yml
   tags:

roles/kubernetes/preinstall/tasks/0040-verify-settings.yml

@@ -202,13 +202,20 @@
     - dashboard_enabled
     - not ignore_assert_errors
 
-- name: Stop if kernel version is too low
+- name: Stop if kernel version is too low for cilium
   assert:
     that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
   when:
     - kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
     - not ignore_assert_errors
 
+- name: Stop if kernel version is too low for nftables
+  assert:
+    that: ansible_kernel.split('-')[0] is version('5.13', '>=')
+  when:
+    - kube_proxy_mode == 'nftables'
+    - not ignore_assert_errors
+
 - name: Stop if bad hostname
   assert:
     that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
@@ -314,7 +321,7 @@
     that:
       - kube_network_plugin in ['calico', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni', 'none']
       - dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
-      - kube_proxy_mode in ['iptables', 'ipvs']
+      - kube_proxy_mode in ['iptables', 'ipvs', 'nftables']
       - cert_management in ['script', 'none']
       - resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
       - etcd_deployment_type in ['host', 'docker', 'kubeadm']

roles/kubernetes/preinstall/vars/main.yml

@@ -52,6 +52,9 @@ pkgs:
   mergerfs:
     - "{{ ansible_distribution == 'Debian' }}"
     - "{{ ansible_distribution_major_version == '12' }}"
+  nftables:
+    - "{{ kube_proxy_mode == 'nftables' }}"
+    - "{{ 'k8s_cluster' in group_names }}"
   nss:
     - "{{ ansible_os_family == 'RedHat' }}"
   openssl: []

roles/kubespray-defaults/defaults/main/download.yml

@@ -323,13 +323,13 @@ rbd_provisioner_image_tag: "v{{ rbd_provisioner_version }}"
 local_path_provisioner_version: "0.0.24"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}"
-ingress_nginx_version: "1.12.0"
+ingress_nginx_version: "1.12.1"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
 ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}"
 ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
 ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
-ingress_nginx_kube_webhook_certgen_image_tag: "v1.5.0"
+ingress_nginx_kube_webhook_certgen_image_tag: "v1.5.2"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "1.15.3"

roles/kubespray-defaults/vars/main.yml

@@ -27,3 +27,8 @@ kube_pods_subnets: >-
   {%- else -%}
   {{ kube_pods_subnet_ipv6 }}
   {%- endif -%}
+
+# Symlinks to etcd certs
+kube_etcd_cacert_file: "kube-client-ca.pem"
+kube_etcd_cert_file: "kube-client-cert.pem"
+kube_etcd_key_file: "kube-client-key.pem"

test-infra/image-builder/roles/kubevirt-images/defaults/main.yml

@@ -132,6 +132,13 @@ images:
     converted: true
     tag: "latest"
 
+  opensuse-leap-15-6:
+    filename: openSUSE-Leap-15.6.x86_64-1.0.1-NoCloud-Build1.177.qcow2
+    url: https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.6/images/openSUSE-Leap-15.6.x86_64-1.0.1-NoCloud-Build1.177.qcow2
+    checksum: sha256:9ecd197b34faf1b43627946d0c26e38b5c3058207d1c86c4784b8f765c3289f3
+    converted: true
+    tag: "latest"
+
   openeuler-2203:
     filename: openEuler-22.03-LTS-SP4-x86_64.qcow2.xz
     url: https://mirrors.ocf.berkeley.edu/openeuler/openEuler-22.03-LTS-SP4/virtual_machine_img/x86_64/openEuler-22.03-LTS-SP4-x86_64.qcow2.xz

tests/files/packet_almalinux9-calico.yml

@@ -10,6 +10,8 @@ dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy
 local_path_provisioner_enabled: true
 
+kube_proxy_mode: nftables
+
 # NTP mangement
 ntp_enabled: true
 ntp_timezone: Etc/UTC

tests/files/packet_opensuse15-6-calico.yml

@@ -0,0 +1,5 @@
+---
+# Instance settings
+cloud_image: opensuse-leap-15-6
+
+kube_proxy_mode: nftables

tests/files/packet_opensuse15-6-docker-cilium.yml

@@ -1,6 +1,6 @@
 ---
 # Instance settings
-cloud_image: opensuse-leap-15
+cloud_image: opensuse-leap-15-6
 
 # Kubespray settings
 kube_network_plugin: cilium

tests/files/packet_ubuntu24-calico-etcd-datastore.yml

@@ -8,7 +8,7 @@ vm_memory: 1800
 auto_renew_certificates: true
 
 # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=noble&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
-kube_proxy_mode: iptables
+kube_proxy_mode: nftables
 enable_nodelocaldns: false
 
 containerd_registries: