Patch versions updates

docs: fixed rendering issue by using generic markdown format (#12652 )
* docs: fix github markdown style * docs: use generic markdown format for quotes
2025-12-13 21:34:40 +03:00 · 2025-12-08 02:57:28 +00:00 · 2025-12-07 12:38:57 -08:00 · 2025-12-07 07:36:55 -08:00 · 2025-12-05 06:30:59 -08:00 · 2025-12-04 23:50:58 -08:00
84 changed files with 441 additions and 821 deletions
--- a/.github/workflows/auto-label-os.yml
+++ b/.github/workflows/auto-label-os.yml
@@ -13,7 +13,7 @@ jobs:
      issues: write

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3

      - name: Parse issue form
        uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e
@@ -22,7 +22,7 @@ jobs:
          template-path: .github/ISSUE_TEMPLATE/bug-report.yaml

      - name: Set labels based on OS field
-        uses: redhat-plumbers-in-action/advanced-issue-labeler@e38e6809c5420d038eed380d49ee9a6ca7c92dbf
+        uses: redhat-plumbers-in-action/advanced-issue-labeler@b80ae64e3e156e9c111b075bfa04b295d54e8e2e
        with:
          issue-form: ${{ steps.issue-parser.outputs.jsonString }}
          section: os
--- a/.github/workflows/upgrade-patch-versions-schedule.yml
+++ b/.github/workflows/upgrade-patch-versions-schedule.yml
@@ -13,7 +13,7 @@ jobs:
    outputs:
      branches: ${{ steps.get-branches.outputs.data }}
    steps:
-    - uses: octokit/graphql-action@8ad880e4d437783ea2ab17010324de1075228110
+    - uses: octokit/graphql-action@abaeca7ba4f0325d63b8de7ef943c2418d161b93
      id: get-branches
      with:
        query: |
--- a/.github/workflows/upgrade-patch-versions.yml
+++ b/.github/workflows/upgrade-patch-versions.yml
@@ -11,7 +11,7 @@ jobs:
  update-patch-versions:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
      with:
        ref: ${{ inputs.branch }}
    - uses: actions/setup-python@v6
@@ -29,7 +29,7 @@ jobs:
          ~/.cache/pre-commit
    - run: pre-commit run --all-files propagate-ansible-variables
      continue-on-error: true
-    - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
+    - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412
      with:
        commit-message: Patch versions updates
        title: Patch versions updates - ${{ inputs.branch }}
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -24,7 +24,7 @@ variables:
  ANSIBLE_REMOTE_USER: kubespray
  ANSIBLE_PRIVATE_KEY_FILE: /tmp/id_rsa
  ANSIBLE_INVENTORY: /tmp/inventory
-  ANSIBLE_STDOUT_CALLBACK: "debug"
+  ANSIBLE_STDOUT_CALLBACK: "default"
  RESET_CHECK: "false"
  REMOVE_NODE_CHECK: "false"
  UPGRADE_TEST: "false"
--- a/.gitlab-ci/kubevirt.yml
+++ b/.gitlab-ci/kubevirt.yml
@@ -4,7 +4,7 @@
  interruptible: true
  script:
    - ansible-playbook tests/cloud_playbooks/create-kubevirt.yml
-                      -c local -e @"tests/files/${TESTCASE}.yml"
+                              -e @"tests/files/${TESTCASE}.yml"
    - ./tests/scripts/testcases_run.sh
  variables:
    ANSIBLE_TIMEOUT: "120"
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 ---
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
    hooks:
      - id: check-added-large-files
      - id: check-case-conflict
@@ -15,13 +15,13 @@ repos:
      - id: trailing-whitespace

  - repo: https://github.com/adrienverge/yamllint.git
-    rev: v1.35.1
+    rev: v1.37.1
    hooks:
      - id: yamllint
        args: [--strict]

  - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.10.0.1
+    rev: v0.11.0.1
    hooks:
      - id: shellcheck
        args: ["--severity=error"]
@@ -29,7 +29,7 @@ repos:
        files: "\\.sh$"

  - repo: https://github.com/ansible/ansible-lint
-    rev: v25.1.1
+    rev: v25.11.0
    hooks:
      - id: ansible-lint
        additional_dependencies:
@@ -38,7 +38,7 @@ repos:
          - distlib

  - repo: https://github.com/golangci/misspell
-    rev: v0.6.0
+    rev: v0.7.0
    hooks:
      - id: misspell
        exclude: "OWNERS_ALIASES$"
--- a/4
+++ b/4
@@ -35,8 +35,8 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.33.5/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.33.5/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L "https://dl.k8s.io/release/v1.34.2/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.2/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl

 COPY *.yml ./
--- a/README.md
+++ b/README.md
@@ -111,15 +111,15 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->

 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.33.5
-  - [etcd](https://github.com/etcd-io/etcd) 3.5.23
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.2
+  - [etcd](https://github.com/etcd-io/etcd) 3.5.25
  - [docker](https://www.docker.com/) 28.3
-  - [containerd](https://containerd.io/) 2.1.4
-  - [cri-o](http://cri-o.io/) 1.33.5 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) 2.1.5
+  - [cri-o](http://cri-o.io/) 1.34.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
-  - [calico](https://github.com/projectcalico/calico) 3.30.3
-  - [cilium](https://github.com/cilium/cilium) 1.18.2
+  - [calico](https://github.com/projectcalico/calico) 3.30.5
+  - [cilium](https://github.com/cilium/cilium) 1.18.4
  - [flannel](https://github.com/flannel-io/flannel) 0.27.3
  - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
  - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
@@ -127,7 +127,7 @@ Note:
  - [kube-vip](https://github.com/kube-vip/kube-vip) 0.8.0
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.0
+  - [coredns](https://github.com/coredns/coredns) 1.12.1
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
  - [argocd](https://argoproj.github.io/) 2.14.5
  - [helm](https://helm.sh/) 3.18.4
--- a/contrib/collection.sh
+++ b/contrib/collection.sh
@@ -0,0 +1,9 @@
+#!/bin/bash -eux
+# Install collection from source assuming dependencies are present.
+# Run in SemaphoreUI this bash script can install Kubespray from the repo
+NAMESPACE=kubernetes_sigs
+COLLECTION=kubespray
+MY_VER=$(grep '^version:' galaxy.yml|cut -d: -f2|sed 's/ //')
+
+ansible-galaxy collection build --force --output-path .
+ansible-galaxy collection install --offline --force $NAMESPACE-$COLLECTION-$MY_VER.tar.gz
--- a/contrib/terraform/upcloud/modules/kubernetes-cluster/versions.tf
+++ b/contrib/terraform/upcloud/modules/kubernetes-cluster/versions.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    upcloud = {
      source  = "UpCloudLtd/upcloud"
-      version = "~>5.9.0"
+      version = "~>5.29.1"
    }
  }
  required_version = ">= 0.13"
--- a/contrib/terraform/upcloud/versions.tf
+++ b/contrib/terraform/upcloud/versions.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    upcloud = {
      source  = "UpCloudLtd/upcloud"
-      version = "~>5.9.0"
+      version = "~>5.29.1"
    }
  }
  required_version = ">= 0.13"
--- a/docs/CNI/cilium.md
+++ b/docs/CNI/cilium.md
@@ -237,7 +237,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version

 ```yml
-cilium_version: "1.18.2"
+cilium_version: "1.18.4"
 ```

 ## Add variable to config
--- a/docs/CNI/macvlan.md
+++ b/docs/CNI/macvlan.md
@@ -32,7 +32,7 @@ add `kube_proxy_masquerade_all: true` in `group_vars/all/all.yml`

 * Disable nodelocaldns

-The nodelocal dns IP is not reacheable.
+The nodelocal dns IP is not reachable.

 Disable it in `sample/group_vars/k8s_cluster/k8s_cluster.yml`

--- a/docs/CRI/cri-o.md
+++ b/docs/CRI/cri-o.md
@@ -80,7 +80,7 @@ The `crio_remap_enable` configures the `/etc/subuid` and `/etc/subgid` files to
 By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.

 The `crio_default_capabilities` configure the default containers capabilities for the crio.
-Defaults capabilties are:
+Defaults capabilities are:

 ```yaml
 crio_default_capabilities:
--- a/docs/_sidebar.md
+++ b/docs/_sidebar.md
@@ -6,7 +6,6 @@
  * [Downloads](/docs/advanced/downloads.md)
  * [Gcp-lb](/docs/advanced/gcp-lb.md)
  * [Kubernetes-reliability](/docs/advanced/kubernetes-reliability.md)
-  * [Mitogen](/docs/advanced/mitogen.md)
  * [Netcheck](/docs/advanced/netcheck.md)
  * [Ntp](/docs/advanced/ntp.md)
  * [Proxy](/docs/advanced/proxy.md)
--- a/docs/advanced/cert_manager.md
+++ b/docs/advanced/cert_manager.md
@@ -6,7 +6,7 @@
    - [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
      - [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
      - [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
-      - [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
+      - [Create Certificate Signing Request (CSR) Configuration File](#create-certificate-signing-request-csr-configuration-file)
      - [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)

 Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
@@ -134,7 +134,7 @@ $ cat > ca-config.json <<EOF
 EOF
 ```

-#### Create Certficate Signing Request (CSR) Configuration File
+#### Create Certificate Signing Request (CSR) Configuration File

 The TLS certificate `names` details can be updated to your own specific requirements.

--- a/docs/advanced/gcp-lb.md
+++ b/docs/advanced/gcp-lb.md
@@ -1,4 +1,4 @@
-# GCP Load Balancers for type=LoadBalacer of Kubernetes Services
+# GCP Load Balancers for type=LoadBalancer of Kubernetes Services

 > **Removed**: Since v1.31 (the Kubespray counterpart is v2.27), Kubernetes no longer supports `cloud_provider`. (except external cloud provider)

--- a/docs/advanced/mitogen.md
+++ b/docs/advanced/mitogen.md
@@ -1,30 +0,0 @@
-# Mitogen
-
-*Warning:* Mitogen support is now deprecated in kubespray due to upstream not releasing an updated version to support ansible 4.x (ansible-base 2.11.x) and above. The CI support has been stripped for mitogen and we are no longer validating any support or regressions for it. The supporting mitogen install playbook and integration documentation will be removed in a later version.
-
-[Mitogen for Ansible](https://mitogen.networkgenomics.com/ansible_detailed.html) allow a 1.25x - 7x speedup and a CPU usage reduction of at least 2x, depending on network conditions, modules executed, and time already spent by targets on useful work. Mitogen cannot improve a module once it is executing, it can only ensure the module executes as quickly as possible.
-
-## Install
-
-```ShellSession
-ansible-playbook contrib/mitogen/mitogen.yml
-```
-
-The above playbook sets the ansible `strategy` and `strategy_plugins` in `ansible.cfg` but you can also enable them if you use your own `ansible.cfg` by setting the environment varialbles:
-
-```ShellSession
-export ANSIBLE_STRATEGY=mitogen_linear
-export ANSIBLE_STRATEGY_PLUGINS=plugins/mitogen/ansible_mitogen/plugins/strategy
-```
-
-... or `ansible.cfg` setup:
-
-```ini
-[defaults]
-strategy_plugins = plugins/mitogen/ansible_mitogen/plugins/strategy
-strategy=mitogen_linear
-```
-
-## Limitation
-
-If you are experiencing problems, please see the [documentation](https://mitogen.networkgenomics.com/ansible_detailed.html#noteworthy-differences).
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -42,13 +42,10 @@ Kubespray expects users to use one of the following variables sources for settin
 |----------------------------------------|------------------------------------------------------------------------------|
 | inventory vars                         |                                                                              |
 |  - **inventory group_vars**            | most used                                                                    |
-|  - inventory host_vars                 | host specifc vars overrides, group_vars is usually more practical            |
+|  - inventory host_vars                 | host specific vars overrides, group_vars is usually more practical           |
 | **extra vars** (always win precedence) | override with ``ansible-playbook -e @foo.yml``                               |

-[!IMPORTANT]
-Extra vars are best used to override kubespray internal variables, for instances, roles/vars/.
-Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray
-interface. Thus they can change, disappear, or break stuff unexpectedly.
+> Extra vars are best used to override kubespray internal variables, for instances, roles/vars/. Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray interface. Thus they can change, disappear, or break stuff unexpectedly.

 ## Ansible tags

@@ -122,7 +119,7 @@ The following tags are defined in playbooks:
 | metrics_server                 | Configuring metrics_server                            |
 | netchecker                     | Installing netchecker K8s app                         |
 | network                        | Configuring networking plugins for K8s                |
-| mounts                         | Umount kubelet dirs when reseting                     |
+| mounts                         | Umount kubelet dirs when resetting                    |
 | multus                         | Network plugin multus                                 |
 | nginx                          | Configuring LB for kube-apiserver instances           |
 | node                           | Configuring K8s minion (compute) node role            |
@@ -181,17 +178,13 @@ ansible-playbook -i inventory/sample/hosts.ini cluster.yml \

 Note: use `--tags` and `--skip-tags` wisely and only if you're 100% sure what you're doing.

-## Mitogen
-
-Mitogen support is deprecated, please see [mitogen related docs](/docs/advanced/mitogen.md) for usage and reasons for deprecation.
-
 ## Troubleshooting Ansible issues

 Having the wrong version of ansible, ansible collections or python dependencies can cause issue.
-In particular, Kubespray ship custom modules which Ansible needs to find, for which you should specify [ANSIBLE_LIBRAY](https://docs.ansible.com/ansible/latest/dev_guide/developing_locally.html#adding-a-module-or-plugin-outside-of-a-collection)
+In particular, Kubespray ship custom modules which Ansible needs to find, for which you should specify [ANSIBLE_LIBRARY](https://docs.ansible.com/ansible/latest/dev_guide/developing_locally.html#adding-a-module-or-plugin-outside-of-a-collection)

 ```ShellSession
-export ANSIBLE_LIBRAY=<kubespray_dir>/library`
+export ANSIBLE_LIBRARY=<kubespray_dir>/library`
 ```

 A simple way to ensure you get all the correct version of Ansible is to use
--- a/docs/developers/ci-setup.md
+++ b/docs/developers/ci-setup.md
@@ -6,7 +6,7 @@ See [.gitlab-ci.yml](/.gitlab-ci.yml) and the included files for an overview.

 ## Runners

-Kubespray has 2 types of GitLab runners, both deployed  on the Kubespray CI cluster (hosted on Oracle Cloud Infrastucture):
+Kubespray has 2 types of GitLab runners, both deployed on the Kubespray CI cluster (hosted on Oracle Cloud Infrastructure):

 - pods: use the [gitlab-ci kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes/)
 - vagrant: custom executor running in pods with access to the libvirt socket on the nodes
@@ -156,7 +156,7 @@ kube_feature_gates:
  - "NodeSwap=True"
 ```

-## Aditional files
+## Additional files

 This section documents additional files used to complete a deployment of the kubespray CI, these files sit on the control-plane node and assume a working kubernetes cluster.

--- a/docs/ingress/metallb.md
+++ b/docs/ingress/metallb.md
@@ -35,7 +35,7 @@ metallb_config:
      effect: "NoSchedule"
 ```

-If you'd like to set additional nodeSelector and tolerations values, you can do so in the following fasion:
+If you'd like to set additional nodeSelector and tolerations values, you can do so in the following fashion:

 ```yaml
 metallb_config:
--- a/docs/operating_systems/rhel.md
+++ b/docs/operating_systems/rhel.md
@@ -37,4 +37,4 @@ If you have containers that are using iptables in the host network namespace (`h
 you need to ensure they are using iptables-nft.
 An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)

-The kernel version is lower than the kubenretes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
+The kernel version is lower than the kubernetes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
--- a/docs/operations/kernel-requirements.md
+++ b/docs/operations/kernel-requirements.md
@@ -11,7 +11,7 @@ kubeadm_ignore_preflight_errors:

 The Kernel Version Matrixs:

-| OS Verion          | Kernel Verion  | Kernel >=4.19      |
+| OS Version         | Kernel Version | Kernel >=4.19      |
 |---                 | ---            | ---                |
 | RHEL 9             | 5.14           | :white_check_mark: |
 | RHEL 8             | 4.18           | :x:                |
--- a/docs/operations/nodes.md
+++ b/docs/operations/nodes.md
@@ -31,6 +31,8 @@ That's it.

 Append the new host to the inventory and run `cluster.yml`. You can NOT use `scale.yml` for that.

+**Note:** When adding new control plane nodes, always append them to the end of the `kube_control_plane` group in your inventory. Adding control plane nodes in the first position is not supported and will cause the playbook to fail.
+
 ### 2) Restart kube-system/nginx-proxy

 In all hosts, restart nginx-proxy pod. This pod is a local proxy for the apiserver. Kubespray will update its static config, but it needs to be restarted in order to reload.
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.29.0
+version: 2.30.0
 readme: README.md
 authors:
  - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)
--- a/index.html
+++ b/index.html
@@ -38,6 +38,7 @@
    loadSidebar: 'docs/_sidebar.md',
    repo: 'https://github.com/kubernetes-sigs/kubespray',
    auto2top: true,
+    noCompileLinks: ['.*\.ini'],
    logo: '/logo/logo-clear.png'
  }
 </script>
--- a/pipeline.Dockerfile
+++ b/pipeline.Dockerfile
@@ -47,8 +47,8 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
    && pip install --no-compile --no-cache-dir pip -U \
    && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
    && pip install --no-compile --no-cache-dir -r requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.33.5/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.33.5/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L https://dl.k8s.io/release/v1.34.2/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.34.2/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl \
    # Install Vagrant
    && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
--- a/remove_node.yml
+++ b/remove_node.yml
@@ -0,0 +1,3 @@
+---
+- name: Remove node
+  ansible.builtin.import_playbook: playbooks/remove_node.yml
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
 ansible==10.7.0
 # Needed for community.crypto module
-cryptography==46.0.2
+cryptography==46.0.3
 # Needed for jinja2 json_query templating
 jmespath==1.0.1
 # Needed for ansible.utils.ipaddr
--- a/roles/bootstrap_os/defaults/main.yml
+++ b/roles/bootstrap_os/defaults/main.yml
@@ -37,8 +37,3 @@ override_system_hostname: true
 is_fedora_coreos: false

 skip_http_proxy_on_os_packages: false
-
-# If this is true, debug information will be displayed but
-# may contain some private data, so it is recommended to set it to false
-# in the production environment.
-unsafe_show_logs: false
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -34,8 +34,6 @@
  with_items:
    - "{{ containerd_systemd_dir }}"
    - "{{ containerd_cfg_dir }}"
-    - "{{ containerd_storage_dir }}"
-    - "{{ containerd_state_dir }}"

 - name: Containerd | Write containerd proxy drop-in
  template:
--- a/roles/container-engine/cri-dockerd/molecule/default/molecule.yml
+++ b/roles/container-engine/cri-dockerd/molecule/default/molecule.yml
@@ -25,6 +25,8 @@ provisioner:
    group_vars:
      all:
        become: true
+      k8s_cluster:
+        container_manager: docker
  playbooks:
    create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
    prepare: ../../../molecule/prepare.yml
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -32,6 +32,8 @@ crio_registry_auth: []
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing') | lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
+# Set the pull progress timeout
+crio_pull_progress_timeout: "10s"

 # Override system default for storage driver
 # crio_storage_driver: "overlay"
--- a/roles/container-engine/cri-o/molecule/default/converge.yml
+++ b/roles/container-engine/cri-o/molecule/default/converge.yml
@@ -2,8 +2,6 @@
 - name: Converge
  hosts: all
  become: true
-  vars:
-    container_manager: crio
  roles:
    - role: kubespray_defaults
    - role: container-engine/cri-o
--- a/roles/container-engine/cri-o/molecule/default/molecule.yml
+++ b/roles/container-engine/cri-o/molecule/default/molecule.yml
@@ -41,6 +41,10 @@ provisioner:
    defaults:
      callbacks_enabled: profile_tasks
      timeout: 120
+  inventory:
+    group_vars:
+      k8s_cluster:
+        container_manager: crio
  playbooks:
    create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
    prepare: ../../../molecule/prepare.yml
--- a/roles/container-engine/cri-o/molecule/default/verify.yml
+++ b/roles/container-engine/cri-o/molecule/default/verify.yml
@@ -2,7 +2,6 @@
 - name: Test CRI-O cri
  import_playbook: ../../../molecule/test_cri.yml
  vars:
-    container_manager: crio
    cri_socket: unix:///var/run/crio/crio.sock
    cri_name: cri-o
 - name: Test running a container with crun
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -348,6 +348,12 @@ signature_policy = "{{ crio_signature_policy }}"
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"

+# The timeout for an image pull to make progress until the pull operation gets
+# canceled. This value will be also used for calculating the pull progress interval
+# to pull_progress_timeout / 10. Can be set to 0 to disable the timeout as well as
+# the progress output.
+pull_progress_timeout = "{{ crio_pull_progress_timeout }}"
+
 # The crio.network table containers settings pertaining to the management of
 # CNI plugins.
 [crio.network]
--- a/roles/container-engine/crictl/tasks/crictl.yml
+++ b/roles/container-engine/crictl/tasks/crictl.yml
@@ -1,22 +0,0 @@
---
- name: Crictl | Download crictl
-  include_tasks: "../../../download/tasks/download_file.yml"
-  vars:
-    download: "{{ download_defaults | combine(downloads.crictl) }}"
-
- name: Install crictl config
-  template:
-    src: crictl.yaml.j2
-    dest: /etc/crictl.yaml
-    owner: root
-    mode: "0644"
-
- name: Copy crictl binary from download dir
-  copy:
-    src: "{{ local_release_dir }}/crictl"
-    dest: "{{ bin_dir }}/crictl"
-    mode: "0755"
-    remote_src: true
-  notify:
-    - Get crictl completion
-    - Install crictl completion
--- a/roles/container-engine/crictl/tasks/main.yml
+++ b/roles/container-engine/crictl/tasks/main.yml
@@ -1,3 +1,22 @@
 ---
- name: Install crictl
-  include_tasks: crictl.yml
+- name: Crictl | Download crictl
+  include_tasks: "../../../download/tasks/download_file.yml"
+  vars:
+    download: "{{ download_defaults | combine(downloads.crictl) }}"
+
+- name: Install crictl config
+  template:
+    src: crictl.yaml.j2
+    dest: /etc/crictl.yaml
+    owner: root
+    mode: "0644"
+
+- name: Copy crictl binary from download dir
+  copy:
+    src: "{{ local_release_dir }}/crictl"
+    dest: "{{ bin_dir }}/crictl"
+    mode: "0755"
+    remote_src: true
+  notify:
+    - Get crictl completion
+    - Install crictl completion
--- a/roles/container-engine/gvisor/molecule/default/molecule.yml
+++ b/roles/container-engine/gvisor/molecule/default/molecule.yml
@@ -21,6 +21,11 @@ provisioner:
    defaults:
      callbacks_enabled: profile_tasks
      timeout: 120
+  inventory:
+    group_vars:
+      k8s_cluster:
+        gvisor_enabled: true
+        container_manager: containerd
  playbooks:
    create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
    prepare: ../../../molecule/prepare.yml
--- a/roles/container-engine/runc/tasks/main.yml
+++ b/roles/container-engine/runc/tasks/main.yml
@@ -12,11 +12,20 @@
    is_ostree: "{{ ostree.stat.exists }}"

 - name: Runc | Uninstall runc package managed by package manager
-  package:
-    name: "{{ runc_package_name }}"
-    state: absent
  when:
-    - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))
+    - not is_ostree
+    - ansible_distribution != "Flatcar Container Linux by Kinvolk"
+    - ansible_distribution != "Flatcar"
+  block:
+    - name: Runc | Remove package
+      package:
+        name: "{{ runc_package_name }}"
+        state: absent
+    - name: Runc | Remove orphaned binary
+      file:
+        path: /usr/bin/runc
+        state: absent
+      when: runc_bin_dir != "/usr/bin"

 - name: Runc | Download runc binary
  include_tasks: "../../../download/tasks/download_file.yml"
@@ -29,10 +38,3 @@
    dest: "{{ runc_bin_dir }}/runc"
    mode: "0755"
    remote_src: true
-
- name: Runc | Remove orphaned binary
-  file:
-    path: /usr/bin/runc
-    state: absent
-  when: runc_bin_dir != "/usr/bin"
-  ignore_errors: true  # noqa ignore-errors
--- a/roles/container-engine/youki/molecule/default/molecule.yml
+++ b/roles/container-engine/youki/molecule/default/molecule.yml
@@ -21,6 +21,11 @@ provisioner:
    defaults:
      callbacks_enabled: profile_tasks
      timeout: 120
+  inventory:
+    group_vars:
+      k8s_cluster:
+        youki_enabled: true
+        container_manager: crio
  playbooks:
    create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
    prepare: ../../../molecule/prepare.yml
--- a/roles/etcd_defaults/defaults/main.yml
+++ b/roles/etcd_defaults/defaults/main.yml
@@ -117,11 +117,6 @@ etcd_retries: 4
 # https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer
 etcd_experimental_initial_corrupt_check: true

-# If this is true, debug information will be displayed but
-# may contain some private data, so it is recommended to set it to false
-# in the production environment.
-unsafe_show_logs: false
-
 # Enable distributed tracing
 # https://etcd.io/docs/v3.5/op-guide/monitoring/#distributed-tracing
 etcd_experimental_enable_distributed_tracing: false
--- a/roles/kubernetes-apps/common_crds/gateway_api/defaults/main.yml
+++ b/roles/kubernetes-apps/common_crds/gateway_api/defaults/main.yml
@@ -1,6 +1,5 @@
 ---
 gateway_api_enabled: false
-gateway_api_version: 1.2.1

 # `gateway_api_channel` default is "standard".
 # "standard" release channel includes all resources that have graduated to GA or beta, including GatewayClass, Gateway, HTTPRoute, and ReferenceGrant.
--- a/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
+++ b/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
@@ -27,11 +27,6 @@ vsphere_csi_aggressive_node_not_ready_timeout: 300

 vsphere_csi_node_affinity: {}

-# If this is true, debug information will be displayed but
-# may contain some private data, so it is recommended to set it to false
-# in the production environment.
-unsafe_show_logs: false
-
 # https://github.com/kubernetes-sigs/vsphere-csi-driver/blob/master/docs/book/features/volume_snapshot.md#how-to-enable-volume-snapshot--restore-feature-in-vsphere-csi-
 # according to the above link , we can controler the block-volume-snapshot parameter
 vsphere_csi_block_volume_snapshot: false
--- a/roles/kubernetes-apps/meta/main.yml
+++ b/roles/kubernetes-apps/meta/main.yml
@@ -1,5 +1,7 @@
 ---
 dependencies:
+  - role: kubernetes-apps/utils
+
  - role: kubernetes-apps/ansible
    when:
      - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
@@ -79,6 +79,7 @@ rules:
      - create
      - update
      - delete
+      - watch
  # Needs access to update clusterinformations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
--- a/roles/kubernetes-apps/utils/defaults/main.yml
+++ b/roles/kubernetes-apps/utils/defaults/main.yml
--- a/roles/kubernetes-apps/utils/vars/main.yml
+++ b/roles/kubernetes-apps/utils/vars/main.yml
@@ -0,0 +1,12 @@
+---
+_kubectl_apply_stdin:
+- "{{ kubectl }}"
+- apply
+- -f
+- "-"
+- -n
+- "{{ k8s_namespace }}"
+- --server-side="{{ server_side_apply | lower }}"
+# TODO: switch to default SSA
+server_side_apply: false
+kubectl_apply_stdin: "{{ _kubectl_apply_stdin | join(' ') }}"
--- a/roles/kubernetes-apps/vars/main.yml
+++ b/roles/kubernetes-apps/vars/main.yml
@@ -1,2 +0,0 @@
---
-kubectl_apply_stdin: "{{ kubectl }} apply -f - -n {{ k8s_namespace }}"
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -240,6 +240,10 @@ auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:00:00"
 # we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false
 kubeadm_upgrade_auto_cert_renewal: true

+# Add Subject Alternative Names to the Kubernetes apiserver certificates.
+# Useful if you access the API from multiples load balancers, for instance.
+supplementary_addresses_in_ssl_keys: []
+
 # Bash alias of kubectl to interact with Kubernetes cluster much easier
 # kubectl_alias: k

--- a/roles/kubernetes/control-plane/tasks/define-first-kube-control.yml
+++ b/roles/kubernetes/control-plane/tasks/define-first-kube-control.yml
@@ -1,19 +0,0 @@
---
-
- name: Check which kube-control nodes are already members of the cluster
-  command: "{{ bin_dir }}/kubectl get nodes --selector=node-role.kubernetes.io/control-plane -o json"
-  register: kube_control_planes_raw
-  ignore_errors: true
-  changed_when: false
-
- name: Set fact joined_control_planes
-  set_fact:
-    joined_control_planes: "{{ ((kube_control_planes_raw.stdout | from_json)['items']) | default([]) | map(attribute='metadata') | map(attribute='name') | list }}"
-  delegate_to: "{{ item }}"
-  loop: "{{ groups['kube_control_plane'] }}"
-  when: kube_control_planes_raw is succeeded
-  run_once: true
-
- name: Set fact first_kube_control_plane
-  set_fact:
-    first_kube_control_plane: "{{ joined_control_planes | default([]) | first | default(groups['kube_control_plane'] | first) }}"
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -25,9 +25,9 @@

 - name: Kubeadm | aggregate all SANs
  set_fact:
-    apiserver_sans: "{{ (sans_base + groups['kube_control_plane'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_ipv4_address + sans_ipv6_address + sans_override + sans_hostname + sans_fqdn + sans_kube_vip_address) | unique }}"
+    apiserver_sans: "{{ _apiserver_sans | flatten | select | unique }}"
  vars:
-    sans_base:
+    _apiserver_sans:
      - "kubernetes"
      - "kubernetes.default"
      - "kubernetes.default.svc"
@@ -36,17 +36,17 @@
      - "localhost"
      - "127.0.0.1"
      - "::1"
-    sans_lb: "{{ [apiserver_loadbalancer_domain_name] if apiserver_loadbalancer_domain_name is defined else [] }}"
-    sans_lb_ip: "{{ [loadbalancer_apiserver.address] if loadbalancer_apiserver is defined and loadbalancer_apiserver.address is defined else [] }}"
-    sans_supp: "{{ supplementary_addresses_in_ssl_keys if supplementary_addresses_in_ssl_keys is defined else [] }}"
-    sans_access_ip: "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') | list | select('defined') | list }}"
-    sans_ip: "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_ip') | list | select('defined') | list }}"
-    sans_ipv4_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list | select('defined') | list }}"
-    sans_ipv6_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | list | select('defined') | list }}"
-    sans_override: "{{ [kube_override_hostname] if kube_override_hostname else [] }}"
-    sans_hostname: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_hostname']) | list | select('defined') | list }}"
-    sans_fqdn: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_fqdn']) | list | select('defined') | list }}"
-    sans_kube_vip_address: "{{ [kube_vip_address] if kube_vip_address is defined and kube_vip_address else [] }}"
+      - "{{ apiserver_loadbalancer_domain_name }}"
+      - "{{ loadbalancer_apiserver.address | d('') }}"
+      - "{{ supplementary_addresses_in_ssl_keys }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_ip') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | select('defined') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | select('defined') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'ansible_hostname') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'ansible_fqdn') }}"
+      - "{{ kube_override_hostname }}"
+      - "{{ kube_vip_address }}"
  tags: facts

 - name: Create audit-policy directory
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -92,9 +92,6 @@
    - upgrade
  ignore_errors: true  # noqa ignore-errors

- name: Define nodes already joined to existing cluster and first_kube_control_plane
-  import_tasks: define-first-kube-control.yml
-
 - name: Include kubeadm setup
  import_tasks: kubeadm-setup.yml

--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -80,7 +80,6 @@ kube_vip_bgp_peeraddress:
 kube_vip_bgp_peerpass:
 kube_vip_bgp_peeras: 65000
 kube_vip_bgppeers:
-kube_vip_address:
 kube_vip_enableServicesElection: false
 kube_vip_lb_enable: false
 kube_vip_leasename: plndr-cp-lock
--- a/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml
@@ -18,14 +18,7 @@
    owner: root
    mode: "0755"
    backup: true
-
- name: Haproxy | Get checksum from config
-  stat:
-    path: "{{ haproxy_config_dir }}/haproxy.cfg"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  register: haproxy_stat
+  register: haproxy_conf

 - name: Haproxy | Write static pod
  template:
--- a/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
@@ -18,14 +18,7 @@
    owner: root
    mode: "0755"
    backup: true
-
- name: Nginx-proxy | Get checksum from config
-  stat:
-    path: "{{ nginx_config_dir }}/nginx.conf"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  register: nginx_stat
+  register: nginx_conf

 - name: Nginx-proxy | Write static pod
  template:
--- a/roles/kubernetes/node/templates/manifests/haproxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/haproxy.manifest.j2
@@ -7,7 +7,7 @@ metadata:
    addonmanager.kubernetes.io/mode: Reconcile
    k8s-app: kube-haproxy
  annotations:
-    haproxy-cfg-checksum: "{{ haproxy_stat.stat.checksum }}"
+    haproxy-cfg-checksum: "{{ haproxy_conf.checksum }}"
 spec:
  hostNetwork: true
  dnsPolicy: ClusterFirstWithHostNet
--- a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
@@ -7,7 +7,7 @@ metadata:
    addonmanager.kubernetes.io/mode: Reconcile
    k8s-app: kube-nginx
  annotations:
-    nginx-cfg-checksum: "{{ nginx_stat.stat.checksum }}"
+    nginx-cfg-checksum: "{{ nginx_conf.checksum }}"
 spec:
  hostNetwork: true
  dnsPolicy: ClusterFirstWithHostNet
--- a/roles/kubespray_defaults/defaults/main/download.yml
+++ b/roles/kubespray_defaults/defaults/main/download.yml
@@ -5,7 +5,9 @@ download_cache_dir: /tmp/kubespray_cache
 # If this is true, debug information will be displayed but
 # may contain some private data, so it is recommended to set it to false
 # in the production environment.
-unsafe_show_logs: false
+# false by default, unless we're running in CI. (CI_PROJECT_URL should be globally unique even if kubespray happens to run
+# in gitlab-ci in other contexts
+unsafe_show_logs: "{{ lookup('env', 'CI_PROJECT_URL') == 'https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray' }}"

 # do not delete remote cache files after using them
 # NOTE: Setting this parameter to TRUE is only really useful when developing kubespray
@@ -114,7 +116,7 @@ flannel_version: 0.27.3
 flannel_cni_version: 1.7.1-flannel1
 cni_version: "{{ (cni_binary_checksums['amd64'] | dict2items)[0].key }}"

-cilium_version: "1.18.2"
+cilium_version: "1.18.4"
 cilium_cli_version: "{{ (ciliumcli_binary_checksums['amd64'] | dict2items)[0].key }}"
 cilium_enable_hubble: false

@@ -140,7 +142,7 @@ scheduler_plugins_version: "{{ scheduler_plugins_supported_versions[kube_major_v

 yq_version: "{{ (yq_checksums['amd64'] | dict2items)[0].key }}"

-gateway_api_version: "1.2.1"
+gateway_api_version: "{{ (gateway_api_standard_crds_checksums.no_arch | dict2items)[0].key }}"
 gateway_api_channel: "standard"

 prometheus_operator_crds_version: "{{ (prometheus_operator_crds_checksums.no_arch | dict2items)[0].key }}"
@@ -249,7 +251,7 @@ cilium_hubble_ui_image_tag: "v0.13.3"
 cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-backend"
 cilium_hubble_ui_backend_image_tag: "v0.13.3"
 cilium_hubble_envoy_image_repo: "{{ quay_image_repo }}/cilium/cilium-envoy"
-cilium_hubble_envoy_image_tag: "v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324"
+cilium_hubble_envoy_image_tag: "v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5"
 kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
 kube_ovn_container_image_tag: "v{{ kube_ovn_version }}"
 kube_ovn_vpc_container_image_repo: "{{ docker_image_repo }}/kubeovn/vpc-nat-gateway"
@@ -274,9 +276,9 @@ haproxy_image_tag: 3.2.4-alpine
 # bundle with kubeadm; if not 'basic' upgrade can sometimes fail

 coredns_supported_versions:
+  '1.34': 1.12.1
  '1.33': 1.12.0
  '1.32': 1.11.3
-  '1.31': 1.11.3
 coredns_version: "{{ coredns_supported_versions[kube_major_version] }}"
 coredns_image_repo: "{{ kube_image_repo }}{{ '/coredns' if coredns_version is version('1.7.1', '>=') else '' }}/coredns"
 coredns_image_tag: "{{ 'v' if coredns_version is version('1.7.1', '>=') else '' }}{{ coredns_version }}"
@@ -324,22 +326,22 @@ cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-we
 cert_manager_webhook_image_tag: "v{{ cert_manager_version }}"

 csi_attacher_image_repo: "{{ kube_image_repo }}/sig-storage/csi-attacher"
-csi_attacher_image_tag: "v3.3.0"
+csi_attacher_image_tag: "v4.4.2"
 csi_provisioner_image_repo: "{{ kube_image_repo }}/sig-storage/csi-provisioner"
-csi_provisioner_image_tag: "v3.0.0"
+csi_provisioner_image_tag: "v3.6.2"
 csi_snapshotter_image_repo: "{{ kube_image_repo }}/sig-storage/csi-snapshotter"
-csi_snapshotter_image_tag: "v5.0.0"
+csi_snapshotter_image_tag: "v6.3.2"
 csi_resizer_image_repo: "{{ kube_image_repo }}/sig-storage/csi-resizer"
-csi_resizer_image_tag: "v1.3.0"
+csi_resizer_image_tag: "v1.9.2"
 csi_node_driver_registrar_image_repo: "{{ kube_image_repo }}/sig-storage/csi-node-driver-registrar"
 csi_node_driver_registrar_image_tag: "v2.4.0"
 csi_livenessprobe_image_repo: "{{ kube_image_repo }}/sig-storage/livenessprobe"
-csi_livenessprobe_image_tag: "v2.5.0"
+csi_livenessprobe_image_tag: "v2.11.0"

 snapshot_controller_supported_versions:
+  '1.34': "v7.0.2"
  '1.33': "v7.0.2"
  '1.32': "v7.0.2"
-  '1.31': "v7.0.2"
 snapshot_controller_image_repo: "{{ kube_image_repo }}/sig-storage/snapshot-controller"
 snapshot_controller_image_tag: "{{ snapshot_controller_supported_versions[kube_major_version] }}"

@@ -784,9 +786,9 @@ downloads:
    url: "{{ calico_crds_download_url }}"
    unarchive: true
    unarchive_extra_opts:
-      - "{{ '--strip=6' if (calico_version is version('3.22.3', '<')) else '--strip=3' }}"
+      - "--strip=3"
      - "--wildcards"
-      - "{{ '*/_includes/charts/calico/crds/kdd/' if (calico_version is version('3.22.3', '<')) else '*/libcalico-go/config/crd/' }}"
+      - "*/libcalico-go/config/crd/"
    owner: "root"
    mode: "0755"
    groups:
@@ -1035,6 +1037,15 @@ downloads:
    groups:
      - kube_node

+  csi_livenessprobe:
+    enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
+    container: true
+    repo: "{{ csi_livenessprobe_image_repo }}"
+    tag: "{{ csi_livenessprobe_image_tag }}"
+    checksum: "{{ csi_livenessprobe_digest_checksum | default(None) }}"
+    groups:
+      - kube_node
+
  csi_node_driver_registrar:
    enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
    container: true
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
@@ -96,6 +96,7 @@ ignore_assert_errors: false
 # kube-vip
 kube_vip_enabled: false
 kube_vip_lb_fwdmethod: local
+kube_vip_address:

 # nginx-proxy configure
 nginx_config_dir: "/etc/nginx"
@@ -632,6 +633,8 @@ ssl_ca_dirs: |-
  {% endif -%}
  ]

+# used for delegating tasks on a working control plane node
+first_kube_control_plane: "{{ groups['kube_control_plane'] | first }}"
 # Vars for pointing to kubernetes api endpoints
 kube_apiserver_count: "{{ groups['kube_control_plane'] | length }}"
 kube_apiserver_address: "{{ hostvars[inventory_hostname]['main_ip'] }}"
@@ -644,8 +647,8 @@ apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
 kube_apiserver_global_endpoint: |-
  {% if loadbalancer_apiserver is defined -%}
      https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
-  {%- elif loadbalancer_apiserver_localhost and (loadbalancer_apiserver_port is not defined or loadbalancer_apiserver_port == kube_apiserver_port) -%}
-      https://localhost:{{ kube_apiserver_port }}
+  {%- elif loadbalancer_apiserver_localhost -%}
+      https://localhost:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }}
  {%- else -%}
      https://{{ first_kube_control_plane_address | ansible.utils.ipwrap }}:{{ kube_apiserver_port }}
  {%- endif %}
--- a/roles/kubespray_defaults/vars/main/checksums.yml
+++ b/roles/kubespray_defaults/vars/main/checksums.yml
--- a/roles/kubespray_defaults/vars/main/main.yml
+++ b/roles/kubespray_defaults/vars/main/main.yml
@@ -7,14 +7,14 @@ kube_next: "{{ ((kube_version | split('.'))[1] | int) + 1 }}"
 kube_major_next_version: "1.{{ kube_next }}"

 pod_infra_supported_versions:
+  '1.34': '3.10'
  '1.33': '3.10'
  '1.32': '3.10'
-  '1.31': '3.10'

 etcd_supported_versions:
+  '1.34': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
  '1.33': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
  '1.32': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
-  '1.31': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 # Kubespray constants

 kube_proxy_deployed: "{{ 'addon/kube-proxy' not in kubeadm_init_phases_skip }}"
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -126,23 +126,9 @@
    - ('kube_control_plane' in group_names)
    - calico_datastore == "kdd"
  block:
-    - name: Calico | Check if extra directory is needed
-      stat:
-        path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/{{ 'kdd' if (calico_version is version('3.22.3', '<')) else 'crd' }}"
-      register: kdd_path
-    - name: Calico | Set kdd path when calico < v3.22.3
-      set_fact:
-        calico_kdd_path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds{{ '/kdd' if kdd_path.stat.exists is defined and kdd_path.stat.exists }}"
-      when:
-        - calico_version is version('3.22.3', '<')
-    - name: Calico | Set kdd path when calico > 3.22.2
-      set_fact:
-        calico_kdd_path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds{{ '/crd' if kdd_path.stat.exists is defined and kdd_path.stat.exists }}"
-      when:
-        - calico_version is version('3.22.2', '>')
    - name: Calico | Create calico manifests for kdd
      assemble:
-        src: "{{ calico_kdd_path }}"
+        src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crd/"
        dest: "{{ kube_config_dir }}/kdd-crds.yml"
        mode: "0644"
        delimiter: "---\n"
--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -235,6 +235,8 @@ rules:
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
+  - validatingadmissionpolicies        # Required for Kubernetes 1.33+
+  - validatingadmissionpolicybindings  # Required for Kubernetes 1.33+
  verbs:
  - get
  - list
--- a/roles/network_plugin/calico/templates/kubernetes-services-endpoint.yml.j2
+++ b/roles/network_plugin/calico/templates/kubernetes-services-endpoint.yml.j2
@@ -5,7 +5,7 @@ metadata:
  namespace: kube-system
  name: kubernetes-services-endpoint
 data:
-{% if calico_bpf_enabled %}
+{% if calico_bpf_enabled or loadbalancer_apiserver_localhost %}
  KUBERNETES_SERVICE_HOST: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
  KUBERNETES_SERVICE_PORT: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
 {% endif %}
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -1,8 +1,6 @@
 ---
 cilium_min_version_required: "1.15"

-# remove migrate after 2.29 released
-cilium_remove_old_resources: false
 # Log-level
 cilium_debug: false

--- a/roles/network_plugin/cilium/tasks/main.yml
+++ b/roles/network_plugin/cilium/tasks/main.yml
@@ -5,10 +5,5 @@
 - name: Cilium install
  include_tasks: install.yml

-# Remove after 2.29 released
- name: Cilium remove old resources
-  when: cilium_remove_old_resources
-  include_tasks: remove_old_resources.yml
-
 - name: Cilium apply
  include_tasks: apply.yml
--- a/roles/network_plugin/cilium/tasks/remove_old_resources.yml
+++ b/roles/network_plugin/cilium/tasks/remove_old_resources.yml
@@ -1,45 +0,0 @@
---
-# Remove after 2.29 released
- name: Cilium | Delete Old Resource
-  command: |
-    {{ kubectl }} delete {{ item.kind | lower }} {{ item.name }} \
-    {{ '-n kube-system' if item.kind not in ['ClusterRole', 'ClusterRoleBinding'] else '' }} \
-  loop:
-    - { kind: ServiceAccount, name: cilium }
-    - { kind: ServiceAccount, name: cilium-operator }
-    - { kind: ServiceAccount, name: hubble-generate-certs }
-    - { kind: ServiceAccount, name: hubble-relay }
-    - { kind: ServiceAccount, name: hubble-ui }
-    - { kind: Service, name: hubble-metrics }
-    - { kind: Service, name: hubble-relay-metrics }
-    - { kind: Service, name: hubble-relay }
-    - { kind: Service, name: hubble-ui }
-    - { kind: Service, name: hubble-peer }
-    - { kind: Deployment, name: cilium-operator }
-    - { kind: Deployment, name: hubble-relay }
-    - { kind: Deployment, name: hubble-ui }
-    - { kind: DaemonSet, name: cilium }
-    - { kind: CronJob, name: hubble-generate-certs }
-    - { kind: Job, name: hubble-generate-certs }
-    - { kind: ConfigMap, name: cilium-config }
-    - { kind: ConfigMap, name: ip-masq-agent }
-    - { kind: ConfigMap, name: hubble-relay-config }
-    - { kind: ConfigMap, name: hubble-ui-nginx }
-    - { kind: ClusterRole, name: cilium }
-    - { kind: ClusterRole, name: cilium-operator }
-    - { kind: ClusterRole, name: hubble-generate-certs }
-    - { kind: ClusterRole, name: hubble-relay }
-    - { kind: ClusterRole, name: hubble-ui }
-    - { kind: ClusterRoleBinding, name: cilium }
-    - { kind: ClusterRoleBinding, name: cilium-operator }
-    - { kind: ClusterRoleBinding, name: hubble-generate-certs }
-    - { kind: ClusterRoleBinding, name: hubble-relay }
-    - { kind: ClusterRoleBinding, name: hubble-ui }
-    - { kind: Secret, name: hubble-ca-secret }
-    - { kind: Secret, name: hubble-relay-client-certs }
-    - { kind: Secret, name: hubble-server-certs }
-  register: patch_result
-  when: inventory_hostname == groups['kube_control_plane'][0]
-  failed_when:
-    - patch_result.rc != 0
-    - "'not found' not in patch_result.stderr"
--- a/roles/network_plugin/cilium/templates/values.yaml.j2
+++ b/roles/network_plugin/cilium/templates/values.yaml.j2
@@ -27,7 +27,7 @@ identityAllocationMode: {{ cilium_identity_allocation_mode }}

 tunnelProtocol: {{ cilium_tunnel_mode }}

-loadbalancer:
+loadBalancer:
  mode: {{ cilium_loadbalancer_mode }}

 kubeProxyReplacement: {{ cilium_kube_proxy_replacement | to_json }}
@@ -107,8 +107,14 @@ hubble:
  metrics:
    enabled: {{ cilium_hubble_metrics | to_json }}
  export:
+{% if cilium_version is version('1.18.0', '>=') %}
+    static:
+      fileMaxBackups: {{ cilium_hubble_export_file_max_backups }}
+      fileMaxSizeMb: {{ cilium_hubble_export_file_max_size_mb }}
+{% else %}
    fileMaxBackups: {{ cilium_hubble_export_file_max_backups }}
    fileMaxSizeMb: {{ cilium_hubble_export_file_max_size_mb }}
+{% endif %}
    dynamic:
      enabled: {{ cilium_hubble_export_dynamic_enabled | to_json }}
      config:
--- a/roles/remove-node/remove-etcd-node/tasks/main.yml
+++ b/roles/remove-node/remove-etcd-node/tasks/main.yml
@@ -1,14 +1,4 @@
 ---
- name: Lookup node IP in kubernetes
-  command: >
-    {{ kubectl }} get nodes {{ node }}
-    -o jsonpath-as-json='{.status.addresses[?(@.type=="InternalIP")].address}'
-  register: k8s_node_ips
-  changed_when: false
-  when:
-  - groups['kube_control_plane'] | length > 0
-  delegate_to: "{{ groups['kube_control_plane'] | first }}"
-
 - name: Remove etcd member from cluster
  environment:
    ETCDCTL_API: "3"
@@ -19,25 +9,18 @@
  delegate_to: "{{ groups['etcd'] | first }}"
  block:
  - name: Lookup members infos
-    command: "{{ bin_dir }}/etcdctl member list"
+    command: "{{ bin_dir }}/etcdctl member list -w json"
    register: etcd_members
    changed_when: false
    check_mode: false
    tags:
    - facts
  - name: Remove member from cluster
-    vars:
-      node_ip: >-
-        {%- if not ipv4_stack -%}
-        {{ ip6 if ip6 is defined else (access_ip6 if access_ip6 is defined else (k8s_node_ips.stdout | from_json)[0]) | ansible.utils.ipwrap }}
-        {%- else -%}
-        {{ ip if ip is defined else (access_ip if access_ip is defined else (k8s_node_ips.stdout | from_json)[0]) | ansible.utils.ipwrap }}
-        {%- endif -%}
    command:
      argv:
      - "{{ bin_dir }}/etcdctl"
      - member
      - remove
-      - "{{ ((etcd_members.stdout_lines | select('contains', '//' + node_ip + ':'))[0] | split(','))[0] }}"
+      - "{{ '%x' | format(((etcd_members.stdout | from_json).members | selectattr('peerURLs.0', '==', etcd_peer_url))[0].ID) }}"
    register: etcd_removal_output
    changed_when: "'Removed member' in etcd_removal_output.stdout"
--- a/roles/reset/tasks/main.yml
+++ b/roles/reset/tasks/main.yml
@@ -432,16 +432,6 @@
    - files
    - dns

-  # TODO: remove after release 2.29
- name: Reset | remove host entries from /etc/hosts
-  blockinfile:
-    path: "/etc/hosts"
-    state: absent
-    marker: "# Ansible inventory hosts {mark}"
-  tags:
-    - files
-    - dns
-
 - name: Reset | include file with reset tasks specific to the network_plugin if exists
  include_role:
    name: "network_plugin/{{ kube_network_plugin }}"
--- a/roles/upgrade/pre-upgrade/tasks/main.yml
+++ b/roles/upgrade/pre-upgrade/tasks/main.yml
@@ -31,14 +31,14 @@
  command: >
    {{ kubectl }} get node {{ kube_override_hostname | default(inventory_hostname) }}
    -o jsonpath='{ .spec.unschedulable }'
-  register: kubectl_node_schedulable
+  register: kubectl_node_unschedulable
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  failed_when: false
  changed_when: false

 - name: Set if node needs cordoning
  set_fact:
-    needs_cordoning: "{{ (kubectl_node_ready.stdout == 'True' and not kubectl_node_schedulable.stdout) or upgrade_node_always_cordon }}"
+    needs_cordoning: "{{ (kubectl_node_ready.stdout == 'True' and not kubectl_node_unschedulable.stdout) or upgrade_node_always_cordon }}"

 - name: Node draining
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
--- a/roles/validate_inventory/tasks/main.yml
+++ b/roles/validate_inventory/tasks/main.yml
@@ -6,14 +6,6 @@
 # -> nothing depending on facts or similar cluster state
 # Checks depending on current state (of the nodes or the cluster)
 # should be in roles/kubernetes/preinstall/tasks/0040-verify-settings.yml
- name: Stop if removed tags are used
-  assert:
-    msg: The tag 'master' is removed. Use 'control-plane' instead
-    that:
-      - ('master' not in ansible_run_tags)
-      - ('master' not in ansible_skip_tags)
-        # TODO: Remove checks after next release
-
 - name: Stop if kube_control_plane group is empty
  assert:
    that: groups.get( 'kube_control_plane' )
--- a/scripts/component_hash_update/src/component_hash_update/components.py
+++ b/scripts/component_hash_update/src/component_hash_update/components.py
@@ -101,9 +101,19 @@ infos = {
        "graphql_id": "R_kgDOApOQGQ",
    },
    "argocd_install": {
-    "url": "https://raw.githubusercontent.com/argoproj/argo-cd/v{version}/manifests/install.yaml",
-    "graphql_id": "R_kgDOBzS60g",
-    "binary": True,
-    "hashtype": "sha256",
+        "url": "https://raw.githubusercontent.com/argoproj/argo-cd/v{version}/manifests/install.yaml",
+        "graphql_id": "R_kgDOBzS60g",
+        "binary": True,
+        "hashtype": "sha256",
+    },
+    "gateway_api_standard_crds": {
+        "url": "https://github.com/kubernetes-sigs/gateway-api/releases/download/v{version}/standard-install.yaml",
+        "graphql_id": "R_kgDODQ6RZw",
+        "binary": True,
+    },
+    "gateway_api_experimental_crds": {
+        "url": "https://github.com/kubernetes-sigs/gateway-api/releases/download/v{version}/experimental-install.yaml",
+        "graphql_id": "R_kgDODQ6RZw",
+        "binary": True,
    },
 }
--- a/tests/cloud_playbooks/create-kubevirt.yml
+++ b/tests/cloud_playbooks/create-kubevirt.yml
@@ -16,9 +16,18 @@
  gather_facts: false

  tasks:
+    # Check ssh access without relying on python - this is an horrible hack
+    # but wait_for_connection does not work without python
+    # and 'until' is incompatible with unreachable errors
+    # https://github.com/ansible/ansible/issues/78358
  - name: Wait until SSH is available
-    wait_for:
-      host: "{{ ansible_host }}"
-      port: 22
-      timeout: 240
+    command: >
+      ssh -i "{{ lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE') }}"
+      -o StrictHostKeyChecking=no
+      -o UserKnownHostsFile=/dev/null
+      -o ConnectTimeout=3 "{{ lookup('env', 'ANSIBLE_REMOTE_USER') }}@{{ ansible_host }}"
+    register: ssh_command
+    delay: 0
+    until: ssh_command.rc != 255
+    retries: 60
    delegate_to: localhost
--- a/tests/cloud_playbooks/roles/packet-ci/defaults/main.yml
+++ b/tests/cloud_playbooks/roles/packet-ci/defaults/main.yml
@@ -5,6 +5,7 @@ vm_cpu_cores: 2
 vm_cpu_sockets: 1
 vm_cpu_threads: 2
 vm_memory: 2048
+releases_disk_size: 2Gi

 # Request/Limit allocation settings
 cpu_allocation_ratio: 0.25
--- a/tests/cloud_playbooks/roles/packet-ci/templates/vm.yml.j2
+++ b/tests/cloud_playbooks/roles/packet-ci/templates/vm.yml.j2
@@ -14,6 +14,8 @@ metadata:
    kubevirt.io/size: small
    ci_job_id: "{{ ci_job_id }}"
    ci_job_name: "{{ lookup('ansible.builtin.env', 'CI_JOB_NAME_SLUG') }}"
+    ci_pipeline_id: "{{ lookup('ansible.builtin.env', 'CI_PIPELINE_ID') }}"
+    ci_pr_id: "{{ lookup('ansible.builtin.env', 'PR_ID') }}"
  # leverage the Kubernetes GC for resources cleanup
  ownerReferences:
  - apiVersion: v1
@@ -32,6 +34,10 @@ spec:
        - disk:
            bus: virtio
          name: cloudinitvolume
+        - disk:
+            bus: virtio
+          name: releases
+          serial: '2825A83CBDC8A32D5E'
      interfaces:
      - name: default
        bridge: {}
@@ -57,3 +63,6 @@ spec:
    - name: cloudinitvolume
      cloudInit{{ 'ConfigDrive' if cloud_image.startswith('flatcar') else 'NoCloud' }}:
        userDataBase64: '{{ ((ignition_config | to_json) if cloud_image.startswith('flatcar') else cloudinit_config) | b64encode }}'
+    - name: releases
+      emptyDisk:
+        capacity: '{{ releases_disk_size }}'
--- a/tests/cloud_playbooks/roles/packet-ci/vars/main.yml
+++ b/tests/cloud_playbooks/roles/packet-ci/vars/main.yml
@@ -44,6 +44,12 @@ cloudinit_config: |
      lock_passwd: False
      ssh_authorized_keys:
        - {{ ssh_key.public_key }}
+  fs_setup:
+    - device: '/dev/disk/by-id/virtio-2825A83CBDC8A32D5E'
+      filesystem: 'ext4'
+      partition: 'none'
+  mounts:
+    - ['/dev/disk/by-id/virtio-2825A83CBDC8A32D5E', '/tmp/releases']

 ignition_config:
  ignition:
@@ -56,3 +62,9 @@ ignition_config:
          - wheel
        sshAuthorizedKeys:
          - "{{ ssh_key.public_key }}"
+  storage:
+    filesystems:
+      - device: '/dev/disk/by-id/virtio-2825A83CBDC8A32D5E'
+        format: ext4
+        path: /tmp/releases
+        wipeFilesystem: true
--- a/tests/common_vars.yml
+++ b/tests/common_vars.yml
@@ -36,3 +36,5 @@ nginx_image_repo: "{{ quay_image_repo }}/kubespray/nginx"

 flannel_image_repo: "{{ quay_image_repo }}/kubespray/flannel"
 flannel_init_image_repo: "{{ quay_image_repo }}/kubespray/flannel-cni-plugin"
+
+local_release_dir: "{{ '/tmp/releases' if inventory_hostname != 'localhost' else (lookup('env', 'PWD') + '/downloads') }}"
--- a/tests/files/ubuntu24-ha-separate-etcd
+++ b/tests/files/ubuntu24-ha-separate-etcd
@@ -0,0 +1,2 @@
+REMOVE_NODE_CHECK=true
+REMOVE_NODE_NAME=etcd[2]
--- a/tests/scripts/testcases_run.sh
+++ b/tests/scripts/testcases_run.sh
@@ -24,17 +24,13 @@ fi
 export ANSIBLE_BECOME=true
 export ANSIBLE_BECOME_USER=root

-# Test collection build and install by installing our collection, emptying our repository, adding
-# cluster.yml, reset.yml, and remote-node.yml files that simply point to our collection's playbooks, and then
-# running the same tests as before
-if [[ "${TESTCASE}" =~ "collection" ]]; then
-  # Build and install collection
-  ansible-galaxy collection build
-  ansible-galaxy collection install kubernetes_sigs-kubespray-*.tar.gz
-fi
 run_playbook () {
 if [[ "${TESTCASE}" =~ "collection" ]]; then
    playbook=kubernetes_sigs.kubespray.$1
+    # Handle upgrade case properly
+    rm -f kubernetes_sigs-kubespray-*.tar.gz
+    ansible-galaxy collection build
+    ansible-galaxy collection install kubernetes_sigs-kubespray-*.tar.gz
 else
    playbook=$1.yml
 fi
@@ -43,7 +39,6 @@ shift
 ansible-playbook \
    -e @tests/common_vars.yml \
    -e @tests/${TESTCASE_FILE} \
-    -e local_release_dir=${PWD}/downloads \
    "$@" \
    ${playbook}
 }
@@ -70,7 +65,7 @@ if [ "${UPGRADE_TEST}" != "false" ]; then
        run_playbook cluster
        ;;
    "graceful")
-        run_playbook upgrade-cluster
+        run_playbook upgrade_cluster
        ;;
    *)
        ;;
@@ -92,7 +87,7 @@ ansible-playbook \

 # Test node removal procedure
 if [ "${REMOVE_NODE_CHECK}" = "true" ]; then
-  run_playbook remove-node -e skip_confirmation=yes -e node=${REMOVE_NODE_NAME}
+  run_playbook remove-node -e skip_confirmation=yes -e node="${REMOVE_NODE_NAME}"
 fi

 # Clean up at the end, this is to allow stage1 tests to include cleanup test
--- a/tests/testcases/tests.yml
+++ b/tests/testcases/tests.yml
@@ -47,7 +47,7 @@
        - sonobuoy_enabled is defined
        - sonobuoy_enabled
      vars:
-        sonobuoy_version: 0.56.11
+        sonobuoy_version: 0.57.3
        sonobuoy_arch: amd64
        sonobuoy_parallel: 30
        sonobuoy_path: /usr/local/bin/sonobuoy
--- a/upgrade_cluster.yml
+++ b/upgrade_cluster.yml
@@ -0,0 +1,3 @@
+---
+- name: Upgrade cluster
+  ansible.builtin.import_playbook: playbooks/upgrade_cluster.yml
Author	SHA1	Message	Date
github-actions[bot]	6dcbbf7de2	Patch versions updates	2025-12-08 02:57:28 +00:00
AFz	2edf176294	docs: fixed rendering issue by using generic markdown format (#12652 ) * docs: fix github markdown style * docs: use generic markdown format for quotes	2025-12-07 12:38:57 -08:00
Ali Afsharzadeh	39744146b4	Remove legacy `cilium_remove_old_resources` task (#12771 ) Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>	2025-12-07 07:36:55 -08:00
Max Gautier	118b2dce02	Remove checksums for old versions of various components (#12735 ) We only keep 3 minor versions for most stuff	2025-12-05 06:30:59 -08:00
Ali Afsharzadeh	4c5eda9f1e	Remove legacy tasks that were scheduled for cleanup (#12765 ) Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>	2025-12-04 23:50:58 -08:00
Max Gautier	2512e0c50c	Patch versions updates (#12762 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2025-12-04 06:44:57 -08:00
Max Gautier	633d39448e	Add a default (empty) value for `supplementary_addresses_in_ssl_keys` (#12761 ) Most variables should have a default instead of relying on the default filter. (Note that the variable is misnomed, this should be certs and not keys, but it's not worth breaking compat).	2025-12-04 05:28:57 -08:00
Max Gautier	4d87ac1032	Simplify collection of SubjectAlternativeNames for apiserver (#12507 ) Remove a bunch of intermediate variables, which fixes a "'UndefinedMarker' concatenation" error in ansible-lint v25.8.1.	2025-12-04 02:06:57 -08:00
Chris Ricker	2342d0cd57	Calico: populate kubernetes-services-endpoint for localhost LB (#12598 ) When loadbalancer_apiserver_localhost is enabled, Calico falls back to the Kubernetes service IP because the kubernetes-services-endpoint ConfigMap is empty. CNI then fails to reach the API server even though an nginx proxy is listening on localhost. Update kube_apiserver_global_endpoint to always reference the localhost load balancer (respecting the configured port) and populate the ConfigMap for both eBPF and localhost LB modes.	2025-12-03 07:22:19 -08:00
Azhan Latif	e6a5266bad	feat: add noCompileLinks option to Docsify configuration (#12751 )	2025-12-02 08:24:26 -08:00
dependabot[bot]	57f7c44718	build(deps): bump redhat-plumbers-in-action/advanced-issue-labeler (#12756 ) Bumps [redhat-plumbers-in-action/advanced-issue-labeler](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler) from 3.2.3 to 3.2.4. - [Release notes](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/releases) - [Commits](`e38e6809c5...b80ae64e3e`) --- updated-dependencies: - dependency-name: redhat-plumbers-in-action/advanced-issue-labeler dependency-version: 3.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-01 06:54:26 -08:00
Seena Fallah	5789dc839c	control-plane: fix first_kube_control_plane delegation with kube_override_hostname (#12636 ) * control-plane: fix first_kube_control_plane delegation with kube_override_hostname When kube_override_hostname is configured, the node names reported by `kubectl get nodes` differ from the inventory_hostname known to Ansible. This causes delegation failures in subsequent tasks since Ansible cannot resolve the hostname from kubectl output to an inventory host. Signed-off-by: Seena Fallah <seenafallah@gmail.com> * control-plane: remove fragile first_control_plane selection logic Current implementation breaks with kube_override_hostname and has multiple edge cases. Drop until proper kubectl-based node lookup can be implemented. Signed-off-by: Seena Fallah <seenafallah@gmail.com> --------- Signed-off-by: Seena Fallah <seenafallah@gmail.com>	2025-11-25 08:10:38 -08:00
Max Gautier	3de6fa7220	Patch versions updates (#12743 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2025-11-25 01:04:37 -08:00
dependabot[bot]	9a9e8814e6	build(deps): bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 (#12741 ) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.8 to 7.0.9. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](`271a8d0340...84ae59a2cd`) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 7.0.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-11-24 02:58:38 -08:00
dependabot[bot]	87a4f61d76	build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#12740 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](`08c6903cd8...1af3b93b68`) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-11-24 02:46:36 -08:00
Max Gautier	9975b5d525	Remove download support for old calico versions (#12724 ) we no longer deploy those versions	2025-11-20 04:56:01 -08:00
Max Gautier	9d06ce1a8d	CI: enable unsafe_show_logs == true by default (#12702 ) * CI: enable unsafe_show_logs == true by default * Deduplicate defaults vars (unsafe_show_logs)	2025-11-19 23:10:00 -08:00
Ali Afsharzadeh	bce107ce3d	Upgrade cilium from 1.18.3 to 1.18.4 (#12717 ) Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>	2025-11-18 19:51:59 -08:00
Kubernetes Prow Robot	7d7a42d931	Merge pull request #12723 from VannTen/molecule_var_in_inventory Put molecule variables in molecule inventories	2025-11-18 19:47:58 -08:00
Max Gautier	5183679a89	crio: molecule: move variables to inventory Fix download/file (which needs the variable to determine the correct binaries)	2025-11-18 15:44:09 +01:00
Max Gautier	b4fe577203	gvisor: molecule: move variables to inventory Fix download/file (which needs the variable to determine the correct binaries)	2025-11-18 15:44:08 +01:00
Max Gautier	bde51ebddf	youki: molecule: move variables to inventory Fix download/file (which needs the variable to determine the correct binaries)	2025-11-18 15:44:06 +01:00
Max Gautier	381426d6d5	cri-docker: molecule: move container_manager to inventory var	2025-11-18 15:44:05 +01:00
Ali Afsharzadeh	b3ee6d6b75	Adjust hubble export values for cilium 1.18 schema change (#12665 ) Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>	2025-11-18 00:07:37 -08:00
ChengHao Yang	7436d63faa	Patch versions updates (#12678 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2025-11-17 05:01:39 -08:00
Max Gautier	6138c6a1a2	CI: use a dedicated disk for releases (#12692 ) This should make 'no space left on device' problems easier to handle Use /tmp/releases as local_release_dir CI created machine, while keeping the same folder on the runner (needed for gitlab-ci runner pods)	2025-11-17 02:57:39 -08:00
Max Gautier	6115eba3c3	CI: label VirtualMachineInstance with PR id and pipeline ids (#12716 ) Helps with CI debuggability	2025-11-17 02:21:39 -08:00
Kubernetes Prow Robot	1c008d79b1	Merge pull request #12714 from tico88612/feat/gateway-api-auto-bump Feat: Gateway API auto bump	2025-11-16 06:27:37 -08:00
ChengHao Yang	b4bbec6772	Feat: Gateway API version always get latest Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>	2025-11-16 22:11:48 +08:00
ChengHao Yang	5c6ee4852a	Bump: Gateway API to 1.4.0 and set latest version Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>	2025-11-16 21:53:59 +08:00
ChengHao Yang	8190f952c1	Feat: add Gateway API component hash update Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>	2025-11-16 21:49:43 +08:00
ChengHao Yang	3edc3d7a36	Style: components.py argocd indent fix Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>	2025-11-16 21:48:32 +08:00
peterw	2f3f1d7e65	crio: add option pull_progress_timeout (#12555 )	2025-11-15 19:53:37 -08:00
Max Gautier	71c69ec12c	CI: Try a full ssh connection on hosts instead of only checking the port (#12416 ) * CI: Try a full ssh connection on hosts instead of only checking the port If we only try the port, we can try to connect in the playbook which is executed next even though the managed node has not yet completed it's boot-up sequence ("System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8).") This does not account for python-less hosts, but we don't use those in CI anyway (for now, at least). * CI: Remove connection method override when creating VMs This prevented wait_for_connection to work correctly by hijacking the connection to localhost, thus bypassing the connection check.	2025-11-15 08:37:37 -08:00
R. P. Taylor	dab0947150	change kubectl_node_schedulable var (#12661 )	2025-11-15 07:01:37 -08:00
Max Gautier	5488e7d805	Update pre-commit hooks (#12707 )	2025-11-14 07:51:41 -08:00
Max Gautier	ca9873cfcb	crictl: remove useless layer of include_tasks (#12656 )	2025-11-14 06:57:39 -08:00
Bas	65f33c3ef0	Install the clone as collection in SemaphoreUI if airgapped. (#12660 ) Signed-off-by: Bas Meijer <bas.meijer@enexis.nl>	2025-11-14 06:45:40 -08:00
Anurag Ojha	5eccf9ea6c	fix(cilium):correct loadBalancer.mode rendering in values.yaml (#12701 )	2025-11-14 06:39:38 -08:00
Max Gautier	db599b3475	Patch version updates (#12696 )	2025-11-14 04:41:45 -08:00
Chris Ricker	47140083dc	Update Calico apiserver RBAC for Kubernetes 1.33+ (#12654 ) Add missing RBAC permissions for Calico apiserver to function correctly with Kubernetes 1.33+ Changes: 1. Add K8s 1.33 ValidatingAdmissionPolicy resources to calico-webhook-reader - validatingadmissionpolicies - validatingadmissionpolicybindings Kubernetes 1.33 introduced ValidatingAdmissionPolicy resources (KEP-3488) that require explicit RBAC permissions. Without these changes, Calico apiserver on k8s 1.33+ will not work and needless errors are logged	2025-11-14 00:23:38 -08:00
ChengHao Yang	2d179879a0	Bump Sonobuoy to 0.57.3 (#12673 ) Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>	2025-11-11 19:00:56 -08:00
Max Gautier	61b8e4ce84	Test the correct version when testing collection + upgrade (#12675 ) If we don't rebuild the collection and remove the previous archive we'll test the first built.	2025-11-11 18:56:56 -08:00
Max Gautier	97a3776d8e	Remove etcd member by peerURLs (#12682 ) * Remove etcd member by peerURLs The way to obtain the IP of a particular member is convoluted and depend on multiple variables. The match is also textual and it's not clear against what we're matching It's also broken for etcd member which are not also Kubernetes nodes, because the "Lookup node IP in kubernetes" task will fail and abort the play. Instead, match against 'peerURLs', which does not need new variable, and use json output. * Add testcase for etcd removal on external etcd * do not merge * fixup! Remove etcd member by peerURLs * fixup! Remove etcd member by peerURLs	2025-11-10 03:52:56 -08:00
Max Gautier	990695de7b	Let containerd create storage / state dir (#12681 ) Containerd manages by itself, so there is no need to override it and change permissions.	2025-11-10 03:42:56 -08:00
dependabot[bot]	4059c699dc	build(deps): bump octokit/graphql-action from 2.3.2 to 3.0.0 (#12680 ) Bumps [octokit/graphql-action](https://github.com/octokit/graphql-action) from 2.3.2 to 3.0.0. - [Release notes](https://github.com/octokit/graphql-action/releases) - [Commits](`8ad880e4d4...abaeca7ba4`) --- updated-dependencies: - dependency-name: octokit/graphql-action dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-11-10 00:50:56 -08:00
xin053	e22ce15429	Update cinder-csi image tag for offline install (#12627 )	2025-11-08 21:38:52 -08:00
Max Gautier	452d4e63e0	Fix the (upgrade/remove_node) + collection test cases (#12672 ) The 'old' playbook and the collection use '-' and '_' as separator, which breaks the logic in scripts/testcases_run.sh. Add aliases using the old schemes to make the test work and avoid breaking anything. Both '-' and '_' variants will be deleted once we switch to supporting collection only.	2025-11-07 07:22:55 -08:00
Kubernetes Prow Robot	d2a46b4ff8	Merge pull request #12671 from VannTen/prep/kubectl_apply_ssa Make kubectl_apply_stdin available to other roles (+ SSA support)	2025-11-07 03:42:52 -08:00
Max Gautier	e090c9ee26	Factor kubectl_apply_stdin into separate "vars only" role This is needed to make it available to other roles than kubernetes-apps	2025-11-07 09:34:57 +01:00
Max Gautier	0d6d3f5828	kubectl_apply_stdin SSA support	2025-11-07 09:34:29 +01:00
Max Gautier	b9662dbd86	cleanup: don't cleanup runc orphan binary on immutable distros (#12669 )	2025-11-06 22:16:53 -08:00
Ali Afsharzadeh	f5a480fdc4	Upgrade cilium from 1.18.2 to 1.18.3 (#12649 )	2025-11-06 21:42:52 -08:00
Albin Björk	5dce75d29b	upcloud: updated terraform provider version (#12642 )	2025-10-24 00:53:34 -07:00
Max Gautier	5acde6cfe2	Get conf checksum directly for localhost CP loadbalancer (#12632 ) There is no need to stat the templated file, because the template module already returns a checksum.	2025-10-23 22:57:36 -07:00
Meza	c6926eb2f9	fix(calico): Add missed rbac verb for hostendpoints (#12641 ) Signed-off-by: Meza <meza-xyz@proton.me>	2025-10-23 09:29:34 -07:00
Meza	1930ab7ed6	[docs] Fix typos found in the docs (#12638 ) Signed-off-by: Meza <meza-xyz@proton.me>	2025-10-22 20:22:38 -07:00
dependabot[bot]	3edc979384	build(deps): bump cryptography from 46.0.2 to 46.0.3 (#12635 ) Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.2 to 46.0.3. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/46.0.2...46.0.3) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-10-19 23:52:12 -07:00
Max Gautier	cde7b2b022	Remove leftover docs fragment about mitogen (#12630 ) This was left behind from `1fb14b746` (docs: remove outdated mitogen documentation. (#12619), 2025-10-14)	2025-10-17 08:44:43 -07:00
i-yasuda	0d88532f3d	[kubernetes] Support kubernetes 1.34 (#12549 ) * [kubernetes] Support kubernetes 1.34.0 Update hashes for kubernetes 1.34.0 except for cri-o * [kubernetes] Support kubernetes 1.34.1 Update hashes for kubernetes 1.34.1 * [cri-o] Update cri-o to 1.34.1 --------- Co-authored-by: Takuya Murakami <tmurakam@tmurakam.org>	2025-10-17 01:56:42 -07:00
Goutham K	1fb14b7463	docs: remove outdated mitogen documentation. (#12619 )	2025-10-14 05:39:38 -07:00
ChengHao Yang	a66d00a535	Releng: bump galaxy version 2.30.0 (#12622 ) Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>	2025-10-14 02:09:35 -07:00