Patch versions updates

Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>

.github/workflows/auto-label-os.yml

@@ -13,16 +13,16 @@ jobs:
       issues: write
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
       - name: Parse issue form
-        uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e
+        uses: stefanbuck/github-issue-parser@25f1485edffc1fee3ea68eb9f59a72e58720ffc4
         id: issue-parser
         with:
           template-path: .github/ISSUE_TEMPLATE/bug-report.yaml
 
       - name: Set labels based on OS field
-        uses: redhat-plumbers-in-action/advanced-issue-labeler@e38e6809c5420d038eed380d49ee9a6ca7c92dbf
+        uses: redhat-plumbers-in-action/advanced-issue-labeler@b80ae64e3e156e9c111b075bfa04b295d54e8e2e
         with:
           issue-form: ${{ steps.issue-parser.outputs.jsonString }}
           section: os

.github/workflows/upgrade-patch-versions-schedule.yml

@@ -13,7 +13,7 @@ jobs:
     outputs:
       branches: ${{ steps.get-branches.outputs.data }}
     steps:
-    - uses: octokit/graphql-action@8ad880e4d437783ea2ab17010324de1075228110
+    - uses: octokit/graphql-action@abaeca7ba4f0325d63b8de7ef943c2418d161b93
       id: get-branches
       with:
         query: |

.github/workflows/upgrade-patch-versions.yml

@@ -11,7 +11,7 @@ jobs:
   update-patch-versions:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         ref: ${{ inputs.branch }}
     - uses: actions/setup-python@v6
@@ -29,7 +29,7 @@ jobs:
           ~/.cache/pre-commit
     - run: pre-commit run --all-files propagate-ansible-variables
       continue-on-error: true
-    - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
+    - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676
       with:
         commit-message: Patch versions updates
         title: Patch versions updates - ${{ inputs.branch }}

.gitlab-ci.yml

@@ -24,7 +24,7 @@ variables:
   ANSIBLE_REMOTE_USER: kubespray
   ANSIBLE_PRIVATE_KEY_FILE: /tmp/id_rsa
   ANSIBLE_INVENTORY: /tmp/inventory
-  ANSIBLE_STDOUT_CALLBACK: "debug"
+  ANSIBLE_STDOUT_CALLBACK: "default"
   RESET_CHECK: "false"
   REMOVE_NODE_CHECK: "false"
   UPGRADE_TEST: "false"

.gitlab-ci/kubevirt.yml

@@ -4,7 +4,7 @@
   interruptible: true
   script:
     - ansible-playbook tests/cloud_playbooks/create-kubevirt.yml
-                      -c local -e @"tests/files/${TESTCASE}.yml"
+                              -e @"tests/files/${TESTCASE}.yml"
     - ./tests/scripts/testcases_run.sh
   variables:
     ANSIBLE_TIMEOUT: "120"

.gitlab-ci/terraform.yml

@@ -116,5 +116,5 @@ tf-elastx_ubuntu20-calico:
     TF_VAR_az_list_node: '["sto1"]'
     TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b    # v1-standard-2
     TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
-    TF_VAR_image: ubuntu-20.04-server-latest
+    TF_VAR_image: ubuntu-24.04-server-latest
     TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-added-large-files
       - id: check-case-conflict
@@ -15,13 +15,13 @@ repos:
       - id: trailing-whitespace
 
   - repo: https://github.com/adrienverge/yamllint.git
-    rev: v1.35.1
+    rev: v1.37.1
     hooks:
       - id: yamllint
         args: [--strict]
 
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.10.0.1
+    rev: v0.11.0.1
     hooks:
       - id: shellcheck
         args: ["--severity=error"]
@@ -29,7 +29,7 @@ repos:
         files: "\\.sh$"
 
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.1.1
+    rev: v25.11.0
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -38,7 +38,7 @@ repos:
           - distlib
 
   - repo: https://github.com/golangci/misspell
-    rev: v0.6.0
+    rev: v0.7.0
     hooks:
       - id: misspell
         exclude: "OWNERS_ALIASES$"

Dockerfile

@@ -35,8 +35,8 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.33.5/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.33.5/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl
 
 COPY *.yml ./

README.md

@@ -111,15 +111,15 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.33.5
-  - [etcd](https://github.com/etcd-io/etcd) 3.5.23
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.3
+  - [etcd](https://github.com/etcd-io/etcd) 3.5.25
   - [docker](https://www.docker.com/) 28.3
-  - [containerd](https://containerd.io/) 2.1.4
-  - [cri-o](http://cri-o.io/) 1.33.5 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) 2.1.5
+  - [cri-o](http://cri-o.io/) 1.34.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
-  - [calico](https://github.com/projectcalico/calico) 3.30.3
-  - [cilium](https://github.com/cilium/cilium) 1.18.2
+  - [calico](https://github.com/projectcalico/calico) 3.30.5
+  - [cilium](https://github.com/cilium/cilium) 1.18.4
   - [flannel](https://github.com/flannel-io/flannel) 0.27.3
   - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
@@ -127,7 +127,7 @@ Note:
   - [kube-vip](https://github.com/kube-vip/kube-vip) 0.8.0
 - Application
   - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.0
+  - [coredns](https://github.com/coredns/coredns) 1.12.1
   - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
   - [argocd](https://argoproj.github.io/) 2.14.5
   - [helm](https://helm.sh/) 3.18.4

contrib/collection.sh

@@ -0,0 +1,9 @@
+#!/bin/bash -eux
+# Install collection from source assuming dependencies are present.
+# Run in SemaphoreUI this bash script can install Kubespray from the repo
+NAMESPACE=kubernetes_sigs
+COLLECTION=kubespray
+MY_VER=$(grep '^version:' galaxy.yml|cut -d: -f2|sed 's/ //')
+
+ansible-galaxy collection build --force --output-path .
+ansible-galaxy collection install --offline --force $NAMESPACE-$COLLECTION-$MY_VER.tar.gz

contrib/terraform/upcloud/modules/kubernetes-cluster/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>5.9.0"
+      version = "~>5.29.1"
     }
   }
   required_version = ">= 0.13"

contrib/terraform/upcloud/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>5.9.0"
+      version = "~>5.29.1"
     }
   }
   required_version = ">= 0.13"

docs/CNI/cilium.md

@@ -237,7 +237,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: "1.18.2"
+cilium_version: "1.18.4"
 ```
 
 ## Add variable to config

docs/CNI/macvlan.md

@@ -32,7 +32,7 @@ add `kube_proxy_masquerade_all: true` in `group_vars/all/all.yml`
 
 * Disable nodelocaldns
 
-The nodelocal dns IP is not reacheable.
+The nodelocal dns IP is not reachable.
 
 Disable it in `sample/group_vars/k8s_cluster/k8s_cluster.yml`
 

docs/CRI/cri-o.md

@@ -80,7 +80,7 @@ The `crio_remap_enable` configures the `/etc/subuid` and `/etc/subgid` files to
 By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.
 
 The `crio_default_capabilities` configure the default containers capabilities for the crio.
-Defaults capabilties are:
+Defaults capabilities are:
 
 ```yaml
 crio_default_capabilities:

docs/_sidebar.md

@@ -6,7 +6,6 @@
   * [Downloads](/docs/advanced/downloads.md)
   * [Gcp-lb](/docs/advanced/gcp-lb.md)
   * [Kubernetes-reliability](/docs/advanced/kubernetes-reliability.md)
-  * [Mitogen](/docs/advanced/mitogen.md)
   * [Netcheck](/docs/advanced/netcheck.md)
   * [Ntp](/docs/advanced/ntp.md)
   * [Proxy](/docs/advanced/proxy.md)

docs/advanced/cert_manager.md

@@ -6,7 +6,7 @@
     - [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
       - [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
       - [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
-      - [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
+      - [Create Certificate Signing Request (CSR) Configuration File](#create-certificate-signing-request-csr-configuration-file)
       - [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
 
 Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
@@ -134,7 +134,7 @@ $ cat > ca-config.json <<EOF
 EOF
 ```
 
-#### Create Certficate Signing Request (CSR) Configuration File
+#### Create Certificate Signing Request (CSR) Configuration File
 
 The TLS certificate `names` details can be updated to your own specific requirements.
 

docs/advanced/gcp-lb.md

@@ -1,4 +1,4 @@
-# GCP Load Balancers for type=LoadBalacer of Kubernetes Services
+# GCP Load Balancers for type=LoadBalancer of Kubernetes Services
 
 > **Removed**: Since v1.31 (the Kubespray counterpart is v2.27), Kubernetes no longer supports `cloud_provider`. (except external cloud provider)
 

docs/advanced/mitogen.md

@@ -1,30 +0,0 @@
-# Mitogen
-
-*Warning:* Mitogen support is now deprecated in kubespray due to upstream not releasing an updated version to support ansible 4.x (ansible-base 2.11.x) and above. The CI support has been stripped for mitogen and we are no longer validating any support or regressions for it. The supporting mitogen install playbook and integration documentation will be removed in a later version.
-
-[Mitogen for Ansible](https://mitogen.networkgenomics.com/ansible_detailed.html) allow a 1.25x - 7x speedup and a CPU usage reduction of at least 2x, depending on network conditions, modules executed, and time already spent by targets on useful work. Mitogen cannot improve a module once it is executing, it can only ensure the module executes as quickly as possible.
-
-## Install
-
-```ShellSession
-ansible-playbook contrib/mitogen/mitogen.yml
-```
-
-The above playbook sets the ansible `strategy` and `strategy_plugins` in `ansible.cfg` but you can also enable them if you use your own `ansible.cfg` by setting the environment varialbles:
-
-```ShellSession
-export ANSIBLE_STRATEGY=mitogen_linear
-export ANSIBLE_STRATEGY_PLUGINS=plugins/mitogen/ansible_mitogen/plugins/strategy
-```
-
-... or `ansible.cfg` setup:
-
-```ini
-[defaults]
-strategy_plugins = plugins/mitogen/ansible_mitogen/plugins/strategy
-strategy=mitogen_linear
-```
-
-## Limitation
-
-If you are experiencing problems, please see the [documentation](https://mitogen.networkgenomics.com/ansible_detailed.html#noteworthy-differences).

docs/ansible/ansible.md

@@ -42,13 +42,10 @@ Kubespray expects users to use one of the following variables sources for settin
 |----------------------------------------|------------------------------------------------------------------------------|
 | inventory vars                         |                                                                              |
 |  - **inventory group_vars**            | most used                                                                    |
-|  - inventory host_vars                 | host specifc vars overrides, group_vars is usually more practical            |
+|  - inventory host_vars                 | host specific vars overrides, group_vars is usually more practical           |
 | **extra vars** (always win precedence) | override with ``ansible-playbook -e @foo.yml``                               |
 
-[!IMPORTANT]
-Extra vars are best used to override kubespray internal variables, for instances, roles/vars/.
-Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray
-interface. Thus they can change, disappear, or break stuff unexpectedly.
+> Extra vars are best used to override kubespray internal variables, for instances, roles/vars/. Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray interface. Thus they can change, disappear, or break stuff unexpectedly.
 
 ## Ansible tags
 
@@ -122,7 +119,7 @@ The following tags are defined in playbooks:
 | metrics_server                 | Configuring metrics_server                            |
 | netchecker                     | Installing netchecker K8s app                         |
 | network                        | Configuring networking plugins for K8s                |
-| mounts                         | Umount kubelet dirs when reseting                     |
+| mounts                         | Umount kubelet dirs when resetting                    |
 | multus                         | Network plugin multus                                 |
 | nginx                          | Configuring LB for kube-apiserver instances           |
 | node                           | Configuring K8s minion (compute) node role            |
@@ -181,17 +178,13 @@ ansible-playbook -i inventory/sample/hosts.ini cluster.yml \
 
 Note: use `--tags` and `--skip-tags` wisely and only if you're 100% sure what you're doing.
 
-## Mitogen
-
-Mitogen support is deprecated, please see [mitogen related docs](/docs/advanced/mitogen.md) for usage and reasons for deprecation.
-
 ## Troubleshooting Ansible issues
 
 Having the wrong version of ansible, ansible collections or python dependencies can cause issue.
-In particular, Kubespray ship custom modules which Ansible needs to find, for which you should specify [ANSIBLE_LIBRAY](https://docs.ansible.com/ansible/latest/dev_guide/developing_locally.html#adding-a-module-or-plugin-outside-of-a-collection)
+In particular, Kubespray ship custom modules which Ansible needs to find, for which you should specify [ANSIBLE_LIBRARY](https://docs.ansible.com/ansible/latest/dev_guide/developing_locally.html#adding-a-module-or-plugin-outside-of-a-collection)
 
 ```ShellSession
-export ANSIBLE_LIBRAY=<kubespray_dir>/library`
+export ANSIBLE_LIBRARY=<kubespray_dir>/library`
 ```
 
 A simple way to ensure you get all the correct version of Ansible is to use

docs/developers/ci-setup.md

@@ -6,7 +6,7 @@ See [.gitlab-ci.yml](/.gitlab-ci.yml) and the included files for an overview.
 
 ## Runners
 
-Kubespray has 2 types of GitLab runners, both deployed  on the Kubespray CI cluster (hosted on Oracle Cloud Infrastucture):
+Kubespray has 2 types of GitLab runners, both deployed on the Kubespray CI cluster (hosted on Oracle Cloud Infrastructure):
 
 - pods: use the [gitlab-ci kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes/)
 - vagrant: custom executor running in pods with access to the libvirt socket on the nodes
@@ -156,7 +156,7 @@ kube_feature_gates:
   - "NodeSwap=True"
 ```
 
-## Aditional files
+## Additional files
 
 This section documents additional files used to complete a deployment of the kubespray CI, these files sit on the control-plane node and assume a working kubernetes cluster.
 

docs/ingress/metallb.md

@@ -35,7 +35,7 @@ metallb_config:
       effect: "NoSchedule"
 ```
 
-If you'd like to set additional nodeSelector and tolerations values, you can do so in the following fasion:
+If you'd like to set additional nodeSelector and tolerations values, you can do so in the following fashion:
 
 ```yaml
 metallb_config:

docs/operating_systems/rhel.md

@@ -37,4 +37,4 @@ If you have containers that are using iptables in the host network namespace (`h
 you need to ensure they are using iptables-nft.
 An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)
 
-The kernel version is lower than the kubenretes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
+The kernel version is lower than the kubernetes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).

docs/operations/kernel-requirements.md

@@ -11,7 +11,7 @@ kubeadm_ignore_preflight_errors:
 
 The Kernel Version Matrixs:
 
-| OS Verion          | Kernel Verion  | Kernel >=4.19      |
+| OS Version         | Kernel Version | Kernel >=4.19      |
 |---                 | ---            | ---                |
 | RHEL 9             | 5.14           | :white_check_mark: |
 | RHEL 8             | 4.18           | :x:                |

docs/operations/nodes.md

@@ -31,6 +31,8 @@ That's it.
 
 Append the new host to the inventory and run `cluster.yml`. You can NOT use `scale.yml` for that.
 
+**Note:** When adding new control plane nodes, always append them to the end of the `kube_control_plane` group in your inventory. Adding control plane nodes in the first position is not supported and will cause the playbook to fail.
+
 ### 2) Restart kube-system/nginx-proxy
 
 In all hosts, restart nginx-proxy pod. This pod is a local proxy for the apiserver. Kubespray will update its static config, but it needs to be restarted in order to reload.

galaxy.yml

@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.29.0
+version: 2.30.0
 readme: README.md
 authors:
   - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)

index.html

@@ -38,6 +38,7 @@
     loadSidebar: 'docs/_sidebar.md',
     repo: 'https://github.com/kubernetes-sigs/kubespray',
     auto2top: true,
+    noCompileLinks: ['.*\.ini'],
     logo: '/logo/logo-clear.png'
   }
 </script>

pipeline.Dockerfile

@@ -47,8 +47,8 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && pip install --no-compile --no-cache-dir pip -U \
     && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
     && pip install --no-compile --no-cache-dir -r requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.33.5/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.33.5/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl \
     # Install Vagrant
     && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \

remove_node.yml

@@ -0,0 +1,3 @@
+---
+- name: Remove node
+  ansible.builtin.import_playbook: playbooks/remove_node.yml

requirements.txt

@@ -1,6 +1,6 @@
 ansible==10.7.0
 # Needed for community.crypto module
-cryptography==46.0.2
+cryptography==46.0.3
 # Needed for jinja2 json_query templating
 jmespath==1.0.1
 # Needed for ansible.utils.ipaddr

roles/bootstrap_os/defaults/main.yml

@@ -37,8 +37,3 @@ override_system_hostname: true
 is_fedora_coreos: false
 
 skip_http_proxy_on_os_packages: false
-
-# If this is true, debug information will be displayed but
-# may contain some private data, so it is recommended to set it to false
-# in the production environment.
-unsafe_show_logs: false

roles/container-engine/containerd/tasks/main.yml

@@ -34,8 +34,6 @@
   with_items:
     - "{{ containerd_systemd_dir }}"
     - "{{ containerd_cfg_dir }}"
-    - "{{ containerd_storage_dir }}"
-    - "{{ containerd_state_dir }}"
 
 - name: Containerd | Write containerd proxy drop-in
   template:

roles/container-engine/cri-dockerd/molecule/default/molecule.yml

@@ -25,6 +25,8 @@ provisioner:
     group_vars:
       all:
         become: true
+      k8s_cluster:
+        container_manager: docker
   playbooks:
     create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
     prepare: ../../../molecule/prepare.yml

roles/container-engine/cri-o/defaults/main.yml

@@ -32,6 +32,8 @@ crio_registry_auth: []
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing') | lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
+# Set the pull progress timeout
+crio_pull_progress_timeout: "10s"
 
 # Override system default for storage driver
 # crio_storage_driver: "overlay"

roles/container-engine/cri-o/molecule/default/converge.yml

@@ -2,8 +2,6 @@
 - name: Converge
   hosts: all
   become: true
-  vars:
-    container_manager: crio
   roles:
     - role: kubespray_defaults
     - role: container-engine/cri-o

roles/container-engine/cri-o/molecule/default/molecule.yml

@@ -41,6 +41,10 @@ provisioner:
     defaults:
       callbacks_enabled: profile_tasks
       timeout: 120
+  inventory:
+    group_vars:
+      k8s_cluster:
+        container_manager: crio
   playbooks:
     create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
     prepare: ../../../molecule/prepare.yml

roles/container-engine/cri-o/molecule/default/verify.yml

@@ -2,7 +2,6 @@
 - name: Test CRI-O cri
   import_playbook: ../../../molecule/test_cri.yml
   vars:
-    container_manager: crio
     cri_socket: unix:///var/run/crio/crio.sock
     cri_name: cri-o
 - name: Test running a container with crun

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -348,6 +348,12 @@ signature_policy = "{{ crio_signature_policy }}"
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
 
+# The timeout for an image pull to make progress until the pull operation gets
+# canceled. This value will be also used for calculating the pull progress interval
+# to pull_progress_timeout / 10. Can be set to 0 to disable the timeout as well as
+# the progress output.
+pull_progress_timeout = "{{ crio_pull_progress_timeout }}"
+
 # The crio.network table containers settings pertaining to the management of
 # CNI plugins.
 [crio.network]

roles/container-engine/crictl/tasks/crictl.yml

@@ -1,22 +0,0 @@
----
-- name: Crictl | Download crictl
-  include_tasks: "../../../download/tasks/download_file.yml"
-  vars:
-    download: "{{ download_defaults | combine(downloads.crictl) }}"
-
-- name: Install crictl config
-  template:
-    src: crictl.yaml.j2
-    dest: /etc/crictl.yaml
-    owner: root
-    mode: "0644"
-
-- name: Copy crictl binary from download dir
-  copy:
-    src: "{{ local_release_dir }}/crictl"
-    dest: "{{ bin_dir }}/crictl"
-    mode: "0755"
-    remote_src: true
-  notify:
-    - Get crictl completion
-    - Install crictl completion

roles/container-engine/crictl/tasks/main.yml

@@ -1,3 +1,22 @@
 ---
-- name: Install crictl
-  include_tasks: crictl.yml
+- name: Crictl | Download crictl
+  include_tasks: "../../../download/tasks/download_file.yml"
+  vars:
+    download: "{{ download_defaults | combine(downloads.crictl) }}"
+
+- name: Install crictl config
+  template:
+    src: crictl.yaml.j2
+    dest: /etc/crictl.yaml
+    owner: root
+    mode: "0644"
+
+- name: Copy crictl binary from download dir
+  copy:
+    src: "{{ local_release_dir }}/crictl"
+    dest: "{{ bin_dir }}/crictl"
+    mode: "0755"
+    remote_src: true
+  notify:
+    - Get crictl completion
+    - Install crictl completion

roles/container-engine/gvisor/molecule/default/molecule.yml

@@ -21,6 +21,11 @@ provisioner:
     defaults:
       callbacks_enabled: profile_tasks
       timeout: 120
+  inventory:
+    group_vars:
+      k8s_cluster:
+        gvisor_enabled: true
+        container_manager: containerd
   playbooks:
     create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
     prepare: ../../../molecule/prepare.yml

roles/container-engine/runc/tasks/main.yml

@@ -12,11 +12,20 @@
     is_ostree: "{{ ostree.stat.exists }}"
 
 - name: Runc | Uninstall runc package managed by package manager
-  package:
-    name: "{{ runc_package_name }}"
-    state: absent
   when:
-    - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))
+    - not is_ostree
+    - ansible_distribution != "Flatcar Container Linux by Kinvolk"
+    - ansible_distribution != "Flatcar"
+  block:
+    - name: Runc | Remove package
+      package:
+        name: "{{ runc_package_name }}"
+        state: absent
+    - name: Runc | Remove orphaned binary
+      file:
+        path: /usr/bin/runc
+        state: absent
+      when: runc_bin_dir != "/usr/bin"
 
 - name: Runc | Download runc binary
   include_tasks: "../../../download/tasks/download_file.yml"
@@ -29,10 +38,3 @@
     dest: "{{ runc_bin_dir }}/runc"
     mode: "0755"
     remote_src: true
-
-- name: Runc | Remove orphaned binary
-  file:
-    path: /usr/bin/runc
-    state: absent
-  when: runc_bin_dir != "/usr/bin"
-  ignore_errors: true  # noqa ignore-errors

roles/container-engine/youki/molecule/default/molecule.yml

@@ -21,6 +21,11 @@ provisioner:
     defaults:
       callbacks_enabled: profile_tasks
       timeout: 120
+  inventory:
+    group_vars:
+      k8s_cluster:
+        youki_enabled: true
+        container_manager: crio
   playbooks:
     create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
     prepare: ../../../molecule/prepare.yml

roles/etcd_defaults/defaults/main.yml

@@ -117,11 +117,6 @@ etcd_retries: 4
 # https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer
 etcd_experimental_initial_corrupt_check: true
 
-# If this is true, debug information will be displayed but
-# may contain some private data, so it is recommended to set it to false
-# in the production environment.
-unsafe_show_logs: false
-
 # Enable distributed tracing
 # https://etcd.io/docs/v3.5/op-guide/monitoring/#distributed-tracing
 etcd_experimental_enable_distributed_tracing: false

roles/kubernetes-apps/common_crds/gateway_api/defaults/main.yml

@@ -1,6 +1,5 @@
 ---
 gateway_api_enabled: false
-gateway_api_version: 1.2.1
 
 # `gateway_api_channel` default is "standard".
 # "standard" release channel includes all resources that have graduated to GA or beta, including GatewayClass, Gateway, HTTPRoute, and ReferenceGrant.

roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml

@@ -27,11 +27,6 @@ vsphere_csi_aggressive_node_not_ready_timeout: 300
 
 vsphere_csi_node_affinity: {}
 
-# If this is true, debug information will be displayed but
-# may contain some private data, so it is recommended to set it to false
-# in the production environment.
-unsafe_show_logs: false
-
 # https://github.com/kubernetes-sigs/vsphere-csi-driver/blob/master/docs/book/features/volume_snapshot.md#how-to-enable-volume-snapshot--restore-feature-in-vsphere-csi-
 # according to the above link , we can controler the block-volume-snapshot parameter
 vsphere_csi_block_volume_snapshot: false

roles/kubernetes-apps/meta/main.yml

@@ -1,5 +1,7 @@
 ---
 dependencies:
+  - role: kubernetes-apps/utils
+
   - role: kubernetes-apps/ansible
     when:
       - inventory_hostname == groups['kube_control_plane'][0]

roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2

@@ -79,6 +79,7 @@ rules:
       - create
       - update
       - delete
+      - watch
   # Needs access to update clusterinformations.
   - apiGroups: ["crd.projectcalico.org"]
     resources:

roles/kubernetes-apps/utils/vars/main.yml

@@ -0,0 +1,12 @@
+---
+_kubectl_apply_stdin:
+- "{{ kubectl }}"
+- apply
+- -f
+- "-"
+- -n
+- "{{ k8s_namespace }}"
+- --server-side="{{ server_side_apply | lower }}"
+# TODO: switch to default SSA
+server_side_apply: false
+kubectl_apply_stdin: "{{ _kubectl_apply_stdin | join(' ') }}"

roles/kubernetes-apps/vars/main.yml

@@ -1,2 +0,0 @@
----
-kubectl_apply_stdin: "{{ kubectl }} apply -f - -n {{ k8s_namespace }}"

roles/kubernetes/control-plane/defaults/main/main.yml

@@ -240,6 +240,10 @@ auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:00:00"
 # we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false
 kubeadm_upgrade_auto_cert_renewal: true
 
+# Add Subject Alternative Names to the Kubernetes apiserver certificates.
+# Useful if you access the API from multiples load balancers, for instance.
+supplementary_addresses_in_ssl_keys: []
+
 # Bash alias of kubectl to interact with Kubernetes cluster much easier
 # kubectl_alias: k
 

roles/kubernetes/control-plane/tasks/define-first-kube-control.yml

@@ -1,19 +0,0 @@
----
-
-- name: Check which kube-control nodes are already members of the cluster
-  command: "{{ bin_dir }}/kubectl get nodes --selector=node-role.kubernetes.io/control-plane -o json"
-  register: kube_control_planes_raw
-  ignore_errors: true
-  changed_when: false
-
-- name: Set fact joined_control_planes
-  set_fact:
-    joined_control_planes: "{{ ((kube_control_planes_raw.stdout | from_json)['items']) | default([]) | map(attribute='metadata') | map(attribute='name') | list }}"
-  delegate_to: "{{ item }}"
-  loop: "{{ groups['kube_control_plane'] }}"
-  when: kube_control_planes_raw is succeeded
-  run_once: true
-
-- name: Set fact first_kube_control_plane
-  set_fact:
-    first_kube_control_plane: "{{ joined_control_planes | default([]) | first | default(groups['kube_control_plane'] | first) }}"

roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml

@@ -11,24 +11,23 @@
   tags:
     - facts
 
-- name: Upload certificates so they are fresh and not expired
-  command: >-
-    {{ bin_dir }}/kubeadm init phase
-    --config {{ kube_config_dir }}/kubeadm-config.yaml
-    upload-certs
-    --upload-certs
-  register: kubeadm_upload_cert
+- name: Obtain kubeadm certificate key for joining control planes nodes
   when:
-    - inventory_hostname == first_kube_control_plane
     - not kube_external_ca_mode
-
-- name: Parse certificate key if not set
-  set_fact:
-    kubeadm_certificate_key: "{{ hostvars[first_kube_control_plane]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
   run_once: true
-  when:
-    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is defined
-    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is not skipped
+  block:
+    - name: Upload certificates so they are fresh and not expired
+      command: >-
+        {{ bin_dir }}/kubeadm init phase
+        --config {{ kube_config_dir }}/kubeadm-config.yaml
+        upload-certs
+        --upload-certs
+      register: kubeadm_upload_cert
+      delegate_to: "{{ first_kube_control_plane }}"
+
+    - name: Parse certificate key if not set
+      set_fact:
+        kubeadm_certificate_key: "{{ kubeadm_upload_cert.stdout_lines[-1] | trim }}"
 
 - name: Wait for k8s apiserver
   wait_for:

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -25,9 +25,9 @@
 
 - name: Kubeadm | aggregate all SANs
   set_fact:
-    apiserver_sans: "{{ (sans_base + groups['kube_control_plane'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_ipv4_address + sans_ipv6_address + sans_override + sans_hostname + sans_fqdn + sans_kube_vip_address) | unique }}"
+    apiserver_sans: "{{ _apiserver_sans | flatten | select | unique }}"
   vars:
-    sans_base:
+    _apiserver_sans:
       - "kubernetes"
       - "kubernetes.default"
       - "kubernetes.default.svc"
@@ -36,17 +36,17 @@
       - "localhost"
       - "127.0.0.1"
       - "::1"
-    sans_lb: "{{ [apiserver_loadbalancer_domain_name] if apiserver_loadbalancer_domain_name is defined else [] }}"
-    sans_lb_ip: "{{ [loadbalancer_apiserver.address] if loadbalancer_apiserver is defined and loadbalancer_apiserver.address is defined else [] }}"
-    sans_supp: "{{ supplementary_addresses_in_ssl_keys if supplementary_addresses_in_ssl_keys is defined else [] }}"
-    sans_access_ip: "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') | list | select('defined') | list }}"
-    sans_ip: "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_ip') | list | select('defined') | list }}"
-    sans_ipv4_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list | select('defined') | list }}"
-    sans_ipv6_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | list | select('defined') | list }}"
-    sans_override: "{{ [kube_override_hostname] if kube_override_hostname else [] }}"
-    sans_hostname: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_hostname']) | list | select('defined') | list }}"
-    sans_fqdn: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_fqdn']) | list | select('defined') | list }}"
-    sans_kube_vip_address: "{{ [kube_vip_address] if kube_vip_address is defined and kube_vip_address else [] }}"
+      - "{{ apiserver_loadbalancer_domain_name }}"
+      - "{{ loadbalancer_apiserver.address | d('') }}"
+      - "{{ supplementary_addresses_in_ssl_keys }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_ip') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | select('defined') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | select('defined') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'ansible_hostname') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'ansible_fqdn') }}"
+      - "{{ kube_override_hostname }}"
+      - "{{ kube_vip_address }}"
   tags: facts
 
 - name: Create audit-policy directory

roles/kubernetes/control-plane/tasks/main.yml

@@ -92,9 +92,6 @@
     - upgrade
   ignore_errors: true  # noqa ignore-errors
 
-- name: Define nodes already joined to existing cluster and first_kube_control_plane
-  import_tasks: define-first-kube-control.yml
-
 - name: Include kubeadm setup
   import_tasks: kubeadm-setup.yml
 

roles/kubernetes/node/defaults/main.yml

@@ -80,7 +80,6 @@ kube_vip_bgp_peeraddress:
 kube_vip_bgp_peerpass:
 kube_vip_bgp_peeras: 65000
 kube_vip_bgppeers:
-kube_vip_address:
 kube_vip_enableServicesElection: false
 kube_vip_lb_enable: false
 kube_vip_leasename: plndr-cp-lock

roles/kubernetes/node/tasks/loadbalancer/haproxy.yml

@@ -18,14 +18,7 @@
     owner: root
     mode: "0755"
     backup: true
-
-- name: Haproxy | Get checksum from config
-  stat:
-    path: "{{ haproxy_config_dir }}/haproxy.cfg"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  register: haproxy_stat
+  register: haproxy_conf
 
 - name: Haproxy | Write static pod
   template:

roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml

@@ -18,14 +18,7 @@
     owner: root
     mode: "0755"
     backup: true
-
-- name: Nginx-proxy | Get checksum from config
-  stat:
-    path: "{{ nginx_config_dir }}/nginx.conf"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  register: nginx_stat
+  register: nginx_conf
 
 - name: Nginx-proxy | Write static pod
   template:

roles/kubernetes/node/templates/manifests/haproxy.manifest.j2

@@ -7,7 +7,7 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
     k8s-app: kube-haproxy
   annotations:
-    haproxy-cfg-checksum: "{{ haproxy_stat.stat.checksum }}"
+    haproxy-cfg-checksum: "{{ haproxy_conf.checksum }}"
 spec:
   hostNetwork: true
   dnsPolicy: ClusterFirstWithHostNet

roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2

@@ -7,7 +7,7 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
     k8s-app: kube-nginx
   annotations:
-    nginx-cfg-checksum: "{{ nginx_stat.stat.checksum }}"
+    nginx-cfg-checksum: "{{ nginx_conf.checksum }}"
 spec:
   hostNetwork: true
   dnsPolicy: ClusterFirstWithHostNet

roles/kubespray_defaults/defaults/main/download.yml

@@ -5,7 +5,9 @@ download_cache_dir: /tmp/kubespray_cache
 # If this is true, debug information will be displayed but
 # may contain some private data, so it is recommended to set it to false
 # in the production environment.
-unsafe_show_logs: false
+# false by default, unless we're running in CI. (CI_PROJECT_URL should be globally unique even if kubespray happens to run
+# in gitlab-ci in other contexts
+unsafe_show_logs: "{{ lookup('env', 'CI_PROJECT_URL') == 'https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray' }}"
 
 # do not delete remote cache files after using them
 # NOTE: Setting this parameter to TRUE is only really useful when developing kubespray
@@ -114,7 +116,7 @@ flannel_version: 0.27.3
 flannel_cni_version: 1.7.1-flannel1
 cni_version: "{{ (cni_binary_checksums['amd64'] | dict2items)[0].key }}"
 
-cilium_version: "1.18.2"
+cilium_version: "1.18.4"
 cilium_cli_version: "{{ (ciliumcli_binary_checksums['amd64'] | dict2items)[0].key }}"
 cilium_enable_hubble: false
 
@@ -140,7 +142,7 @@ scheduler_plugins_version: "{{ scheduler_plugins_supported_versions[kube_major_v
 
 yq_version: "{{ (yq_checksums['amd64'] | dict2items)[0].key }}"
 
-gateway_api_version: "1.2.1"
+gateway_api_version: "{{ (gateway_api_standard_crds_checksums.no_arch | dict2items)[0].key }}"
 gateway_api_channel: "standard"
 
 prometheus_operator_crds_version: "{{ (prometheus_operator_crds_checksums.no_arch | dict2items)[0].key }}"
@@ -249,7 +251,7 @@ cilium_hubble_ui_image_tag: "v0.13.3"
 cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-backend"
 cilium_hubble_ui_backend_image_tag: "v0.13.3"
 cilium_hubble_envoy_image_repo: "{{ quay_image_repo }}/cilium/cilium-envoy"
-cilium_hubble_envoy_image_tag: "v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324"
+cilium_hubble_envoy_image_tag: "v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5"
 kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
 kube_ovn_container_image_tag: "v{{ kube_ovn_version }}"
 kube_ovn_vpc_container_image_repo: "{{ docker_image_repo }}/kubeovn/vpc-nat-gateway"
@@ -274,9 +276,9 @@ haproxy_image_tag: 3.2.4-alpine
 # bundle with kubeadm; if not 'basic' upgrade can sometimes fail
 
 coredns_supported_versions:
+  '1.34': 1.12.1
   '1.33': 1.12.0
   '1.32': 1.11.3
-  '1.31': 1.11.3
 coredns_version: "{{ coredns_supported_versions[kube_major_version] }}"
 coredns_image_repo: "{{ kube_image_repo }}{{ '/coredns' if coredns_version is version('1.7.1', '>=') else '' }}/coredns"
 coredns_image_tag: "{{ 'v' if coredns_version is version('1.7.1', '>=') else '' }}{{ coredns_version }}"
@@ -324,22 +326,22 @@ cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-we
 cert_manager_webhook_image_tag: "v{{ cert_manager_version }}"
 
 csi_attacher_image_repo: "{{ kube_image_repo }}/sig-storage/csi-attacher"
-csi_attacher_image_tag: "v3.3.0"
+csi_attacher_image_tag: "v4.4.2"
 csi_provisioner_image_repo: "{{ kube_image_repo }}/sig-storage/csi-provisioner"
-csi_provisioner_image_tag: "v3.0.0"
+csi_provisioner_image_tag: "v3.6.2"
 csi_snapshotter_image_repo: "{{ kube_image_repo }}/sig-storage/csi-snapshotter"
-csi_snapshotter_image_tag: "v5.0.0"
+csi_snapshotter_image_tag: "v6.3.2"
 csi_resizer_image_repo: "{{ kube_image_repo }}/sig-storage/csi-resizer"
-csi_resizer_image_tag: "v1.3.0"
+csi_resizer_image_tag: "v1.9.2"
 csi_node_driver_registrar_image_repo: "{{ kube_image_repo }}/sig-storage/csi-node-driver-registrar"
 csi_node_driver_registrar_image_tag: "v2.4.0"
 csi_livenessprobe_image_repo: "{{ kube_image_repo }}/sig-storage/livenessprobe"
-csi_livenessprobe_image_tag: "v2.5.0"
+csi_livenessprobe_image_tag: "v2.11.0"
 
 snapshot_controller_supported_versions:
+  '1.34': "v7.0.2"
   '1.33': "v7.0.2"
   '1.32': "v7.0.2"
-  '1.31': "v7.0.2"
 snapshot_controller_image_repo: "{{ kube_image_repo }}/sig-storage/snapshot-controller"
 snapshot_controller_image_tag: "{{ snapshot_controller_supported_versions[kube_major_version] }}"
 
@@ -784,9 +786,9 @@ downloads:
     url: "{{ calico_crds_download_url }}"
     unarchive: true
     unarchive_extra_opts:
-      - "{{ '--strip=6' if (calico_version is version('3.22.3', '<')) else '--strip=3' }}"
+      - "--strip=3"
       - "--wildcards"
-      - "{{ '*/_includes/charts/calico/crds/kdd/' if (calico_version is version('3.22.3', '<')) else '*/libcalico-go/config/crd/' }}"
+      - "*/libcalico-go/config/crd/"
     owner: "root"
     mode: "0755"
     groups:
@@ -1035,6 +1037,15 @@ downloads:
     groups:
       - kube_node
 
+  csi_livenessprobe:
+    enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
+    container: true
+    repo: "{{ csi_livenessprobe_image_repo }}"
+    tag: "{{ csi_livenessprobe_image_tag }}"
+    checksum: "{{ csi_livenessprobe_digest_checksum | default(None) }}"
+    groups:
+      - kube_node
+
   csi_node_driver_registrar:
     enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
     container: true

roles/kubespray_defaults/defaults/main/main.yml

@@ -96,6 +96,7 @@ ignore_assert_errors: false
 # kube-vip
 kube_vip_enabled: false
 kube_vip_lb_fwdmethod: local
+kube_vip_address:
 
 # nginx-proxy configure
 nginx_config_dir: "/etc/nginx"
@@ -632,6 +633,8 @@ ssl_ca_dirs: |-
   {% endif -%}
   ]
 
+# used for delegating tasks on a working control plane node
+first_kube_control_plane: "{{ groups['kube_control_plane'] | first }}"
 # Vars for pointing to kubernetes api endpoints
 kube_apiserver_count: "{{ groups['kube_control_plane'] | length }}"
 kube_apiserver_address: "{{ hostvars[inventory_hostname]['main_ip'] }}"
@@ -644,8 +647,8 @@ apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
 kube_apiserver_global_endpoint: |-
   {% if loadbalancer_apiserver is defined -%}
       https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
-  {%- elif loadbalancer_apiserver_localhost and (loadbalancer_apiserver_port is not defined or loadbalancer_apiserver_port == kube_apiserver_port) -%}
-      https://localhost:{{ kube_apiserver_port }}
+  {%- elif loadbalancer_apiserver_localhost -%}
+      https://localhost:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }}
   {%- else -%}
       https://{{ first_kube_control_plane_address | ansible.utils.ipwrap }}:{{ kube_apiserver_port }}
   {%- endif %}

roles/kubespray_defaults/vars/main/main.yml

@@ -7,14 +7,14 @@ kube_next: "{{ ((kube_version | split('.'))[1] | int) + 1 }}"
 kube_major_next_version: "1.{{ kube_next }}"
 
 pod_infra_supported_versions:
+  '1.34': '3.10'
   '1.33': '3.10'
   '1.32': '3.10'
-  '1.31': '3.10'
 
 etcd_supported_versions:
+  '1.34': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
   '1.33': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
   '1.32': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
-  '1.31': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 # Kubespray constants
 
 kube_proxy_deployed: "{{ 'addon/kube-proxy' not in kubeadm_init_phases_skip }}"

roles/network_plugin/calico/tasks/check.yml

@@ -61,6 +61,7 @@
         executable: /bin/bash
       register: calico_version_on_server
       changed_when: false
+      check_mode: false
 
     - name: Assert that current calico version is enough for upgrade
       assert:

roles/network_plugin/calico/tasks/install.yml

@@ -126,23 +126,9 @@
     - ('kube_control_plane' in group_names)
     - calico_datastore == "kdd"
   block:
-    - name: Calico | Check if extra directory is needed
-      stat:
-        path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/{{ 'kdd' if (calico_version is version('3.22.3', '<')) else 'crd' }}"
-      register: kdd_path
-    - name: Calico | Set kdd path when calico < v3.22.3
-      set_fact:
-        calico_kdd_path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds{{ '/kdd' if kdd_path.stat.exists is defined and kdd_path.stat.exists }}"
-      when:
-        - calico_version is version('3.22.3', '<')
-    - name: Calico | Set kdd path when calico > 3.22.2
-      set_fact:
-        calico_kdd_path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds{{ '/crd' if kdd_path.stat.exists is defined and kdd_path.stat.exists }}"
-      when:
-        - calico_version is version('3.22.2', '>')
     - name: Calico | Create calico manifests for kdd
       assemble:
-        src: "{{ calico_kdd_path }}"
+        src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crd/"
         dest: "{{ kube_config_dir }}/kdd-crds.yml"
         mode: "0644"
         delimiter: "---\n"

roles/network_plugin/calico/templates/calico-apiserver.yml.j2

@@ -235,6 +235,8 @@ rules:
   resources:
   - mutatingwebhookconfigurations
   - validatingwebhookconfigurations
+  - validatingadmissionpolicies        # Required for Kubernetes 1.33+
+  - validatingadmissionpolicybindings  # Required for Kubernetes 1.33+
   verbs:
   - get
   - list

roles/network_plugin/calico/templates/kubernetes-services-endpoint.yml.j2

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   name: kubernetes-services-endpoint
 data:
-{% if calico_bpf_enabled %}
+{% if calico_bpf_enabled or loadbalancer_apiserver_localhost %}
   KUBERNETES_SERVICE_HOST: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
   KUBERNETES_SERVICE_PORT: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
 {% endif %}

roles/network_plugin/cilium/defaults/main.yml

@@ -1,8 +1,6 @@
 ---
 cilium_min_version_required: "1.15"
 
-# remove migrate after 2.29 released
-cilium_remove_old_resources: false
 # Log-level
 cilium_debug: false
 

roles/network_plugin/cilium/tasks/main.yml

@@ -5,10 +5,5 @@
 - name: Cilium install
   include_tasks: install.yml
 
-# Remove after 2.29 released
-- name: Cilium remove old resources
-  when: cilium_remove_old_resources
-  include_tasks: remove_old_resources.yml
-
 - name: Cilium apply
   include_tasks: apply.yml

roles/network_plugin/cilium/tasks/remove_old_resources.yml

@@ -1,45 +0,0 @@
----
-# Remove after 2.29 released
-- name: Cilium | Delete Old Resource
-  command: |
-    {{ kubectl }} delete {{ item.kind | lower }} {{ item.name }} \
-    {{ '-n kube-system' if item.kind not in ['ClusterRole', 'ClusterRoleBinding'] else '' }} \
-  loop:
-    - { kind: ServiceAccount, name: cilium }
-    - { kind: ServiceAccount, name: cilium-operator }
-    - { kind: ServiceAccount, name: hubble-generate-certs }
-    - { kind: ServiceAccount, name: hubble-relay }
-    - { kind: ServiceAccount, name: hubble-ui }
-    - { kind: Service, name: hubble-metrics }
-    - { kind: Service, name: hubble-relay-metrics }
-    - { kind: Service, name: hubble-relay }
-    - { kind: Service, name: hubble-ui }
-    - { kind: Service, name: hubble-peer }
-    - { kind: Deployment, name: cilium-operator }
-    - { kind: Deployment, name: hubble-relay }
-    - { kind: Deployment, name: hubble-ui }
-    - { kind: DaemonSet, name: cilium }
-    - { kind: CronJob, name: hubble-generate-certs }
-    - { kind: Job, name: hubble-generate-certs }
-    - { kind: ConfigMap, name: cilium-config }
-    - { kind: ConfigMap, name: ip-masq-agent }
-    - { kind: ConfigMap, name: hubble-relay-config }
-    - { kind: ConfigMap, name: hubble-ui-nginx }
-    - { kind: ClusterRole, name: cilium }
-    - { kind: ClusterRole, name: cilium-operator }
-    - { kind: ClusterRole, name: hubble-generate-certs }
-    - { kind: ClusterRole, name: hubble-relay }
-    - { kind: ClusterRole, name: hubble-ui }
-    - { kind: ClusterRoleBinding, name: cilium }
-    - { kind: ClusterRoleBinding, name: cilium-operator }
-    - { kind: ClusterRoleBinding, name: hubble-generate-certs }
-    - { kind: ClusterRoleBinding, name: hubble-relay }
-    - { kind: ClusterRoleBinding, name: hubble-ui }
-    - { kind: Secret, name: hubble-ca-secret }
-    - { kind: Secret, name: hubble-relay-client-certs }
-    - { kind: Secret, name: hubble-server-certs }
-  register: patch_result
-  when: inventory_hostname == groups['kube_control_plane'][0]
-  failed_when:
-    - patch_result.rc != 0
-    - "'not found' not in patch_result.stderr"

roles/network_plugin/cilium/templates/values.yaml.j2

@@ -27,7 +27,7 @@ identityAllocationMode: {{ cilium_identity_allocation_mode }}
 
 tunnelProtocol: {{ cilium_tunnel_mode }}
 
-loadbalancer:
+loadBalancer:
   mode: {{ cilium_loadbalancer_mode }}
 
 kubeProxyReplacement: {{ cilium_kube_proxy_replacement | to_json }}
@@ -107,8 +107,14 @@ hubble:
   metrics:
     enabled: {{ cilium_hubble_metrics | to_json }}
   export:
+{% if cilium_version is version('1.18.0', '>=') %}
+    static:
+      fileMaxBackups: {{ cilium_hubble_export_file_max_backups }}
+      fileMaxSizeMb: {{ cilium_hubble_export_file_max_size_mb }}
+{% else %}
     fileMaxBackups: {{ cilium_hubble_export_file_max_backups }}
     fileMaxSizeMb: {{ cilium_hubble_export_file_max_size_mb }}
+{% endif %}
     dynamic:
       enabled: {{ cilium_hubble_export_dynamic_enabled | to_json }}
       config:

roles/remove-node/remove-etcd-node/tasks/main.yml

@@ -1,14 +1,4 @@
 ---
-- name: Lookup node IP in kubernetes
-  command: >
-    {{ kubectl }} get nodes {{ node }}
-    -o jsonpath-as-json='{.status.addresses[?(@.type=="InternalIP")].address}'
-  register: k8s_node_ips
-  changed_when: false
-  when:
-  - groups['kube_control_plane'] | length > 0
-  delegate_to: "{{ groups['kube_control_plane'] | first }}"
-
 - name: Remove etcd member from cluster
   environment:
     ETCDCTL_API: "3"
@@ -19,25 +9,18 @@
   delegate_to: "{{ groups['etcd'] | first }}"
   block:
   - name: Lookup members infos
-    command: "{{ bin_dir }}/etcdctl member list"
+    command: "{{ bin_dir }}/etcdctl member list -w json"
     register: etcd_members
     changed_when: false
     check_mode: false
     tags:
     - facts
   - name: Remove member from cluster
-    vars:
-      node_ip: >-
-        {%- if not ipv4_stack -%}
-        {{ ip6 if ip6 is defined else (access_ip6 if access_ip6 is defined else (k8s_node_ips.stdout | from_json)[0]) | ansible.utils.ipwrap }}
-        {%- else -%}
-        {{ ip if ip is defined else (access_ip if access_ip is defined else (k8s_node_ips.stdout | from_json)[0]) | ansible.utils.ipwrap }}
-        {%- endif -%}
     command:
       argv:
       - "{{ bin_dir }}/etcdctl"
       - member
       - remove
-      - "{{ ((etcd_members.stdout_lines | select('contains', '//' + node_ip + ':'))[0] | split(','))[0] }}"
+      - "{{ '%x' | format(((etcd_members.stdout | from_json).members | selectattr('peerURLs.0', '==', etcd_peer_url))[0].ID) }}"
     register: etcd_removal_output
     changed_when: "'Removed member' in etcd_removal_output.stdout"

roles/reset/tasks/main.yml

@@ -432,16 +432,6 @@
     - files
     - dns
 
-  # TODO: remove after release 2.29
-- name: Reset | remove host entries from /etc/hosts
-  blockinfile:
-    path: "/etc/hosts"
-    state: absent
-    marker: "# Ansible inventory hosts {mark}"
-  tags:
-    - files
-    - dns
-
 - name: Reset | include file with reset tasks specific to the network_plugin if exists
   include_role:
     name: "network_plugin/{{ kube_network_plugin }}"

roles/upgrade/pre-upgrade/tasks/main.yml

@@ -31,14 +31,14 @@
   command: >
     {{ kubectl }} get node {{ kube_override_hostname | default(inventory_hostname) }}
     -o jsonpath='{ .spec.unschedulable }'
-  register: kubectl_node_schedulable
+  register: kubectl_node_unschedulable
   delegate_to: "{{ groups['kube_control_plane'][0] }}"
   failed_when: false
   changed_when: false
 
 - name: Set if node needs cordoning
   set_fact:
-    needs_cordoning: "{{ (kubectl_node_ready.stdout == 'True' and not kubectl_node_schedulable.stdout) or upgrade_node_always_cordon }}"
+    needs_cordoning: "{{ (kubectl_node_ready.stdout == 'True' and not kubectl_node_unschedulable.stdout) or upgrade_node_always_cordon }}"
 
 - name: Node draining
   delegate_to: "{{ groups['kube_control_plane'][0] }}"

roles/validate_inventory/tasks/main.yml

@@ -6,14 +6,6 @@
 # -> nothing depending on facts or similar cluster state
 # Checks depending on current state (of the nodes or the cluster)
 # should be in roles/kubernetes/preinstall/tasks/0040-verify-settings.yml
-- name: Stop if removed tags are used
-  assert:
-    msg: The tag 'master' is removed. Use 'control-plane' instead
-    that:
-      - ('master' not in ansible_run_tags)
-      - ('master' not in ansible_skip_tags)
-        # TODO: Remove checks after next release
-
 - name: Stop if kube_control_plane group is empty
   assert:
     that: groups.get( 'kube_control_plane' )

scripts/component_hash_update/src/component_hash_update/components.py

@@ -101,9 +101,19 @@ infos = {
         "graphql_id": "R_kgDOApOQGQ",
     },
     "argocd_install": {
-    "url": "https://raw.githubusercontent.com/argoproj/argo-cd/v{version}/manifests/install.yaml",
-    "graphql_id": "R_kgDOBzS60g",
-    "binary": True,
-    "hashtype": "sha256",
+        "url": "https://raw.githubusercontent.com/argoproj/argo-cd/v{version}/manifests/install.yaml",
+        "graphql_id": "R_kgDOBzS60g",
+        "binary": True,
+        "hashtype": "sha256",
+    },
+    "gateway_api_standard_crds": {
+        "url": "https://github.com/kubernetes-sigs/gateway-api/releases/download/v{version}/standard-install.yaml",
+        "graphql_id": "R_kgDODQ6RZw",
+        "binary": True,
+    },
+    "gateway_api_experimental_crds": {
+        "url": "https://github.com/kubernetes-sigs/gateway-api/releases/download/v{version}/experimental-install.yaml",
+        "graphql_id": "R_kgDODQ6RZw",
+        "binary": True,
     },
 }

tests/cloud_playbooks/create-kubevirt.yml

@@ -16,9 +16,18 @@
   gather_facts: false
 
   tasks:
+    # Check ssh access without relying on python - this is an horrible hack
+    # but wait_for_connection does not work without python
+    # and 'until' is incompatible with unreachable errors
+    # https://github.com/ansible/ansible/issues/78358
   - name: Wait until SSH is available
-    wait_for:
-      host: "{{ ansible_host }}"
-      port: 22
-      timeout: 240
+    command: >
+      ssh -i "{{ lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE') }}"
+      -o StrictHostKeyChecking=no
+      -o UserKnownHostsFile=/dev/null
+      -o ConnectTimeout=3 "{{ lookup('env', 'ANSIBLE_REMOTE_USER') }}@{{ ansible_host }}"
+    register: ssh_command
+    delay: 0
+    until: ssh_command.rc != 255
+    retries: 60
     delegate_to: localhost

tests/cloud_playbooks/roles/packet-ci/defaults/main.yml

@@ -5,6 +5,7 @@ vm_cpu_cores: 2
 vm_cpu_sockets: 1
 vm_cpu_threads: 2
 vm_memory: 2048
+releases_disk_size: 2Gi
 
 # Request/Limit allocation settings
 cpu_allocation_ratio: 0.25

tests/cloud_playbooks/roles/packet-ci/templates/vm.yml.j2

@@ -14,6 +14,8 @@ metadata:
     kubevirt.io/size: small
     ci_job_id: "{{ ci_job_id }}"
     ci_job_name: "{{ lookup('ansible.builtin.env', 'CI_JOB_NAME_SLUG') }}"
+    ci_pipeline_id: "{{ lookup('ansible.builtin.env', 'CI_PIPELINE_ID') }}"
+    ci_pr_id: "{{ lookup('ansible.builtin.env', 'PR_ID') }}"
   # leverage the Kubernetes GC for resources cleanup
   ownerReferences:
   - apiVersion: v1
@@ -32,6 +34,10 @@ spec:
         - disk:
             bus: virtio
           name: cloudinitvolume
+        - disk:
+            bus: virtio
+          name: releases
+          serial: '2825A83CBDC8A32D5E'
       interfaces:
       - name: default
         bridge: {}
@@ -57,3 +63,6 @@ spec:
     - name: cloudinitvolume
       cloudInit{{ 'ConfigDrive' if cloud_image.startswith('flatcar') else 'NoCloud' }}:
         userDataBase64: '{{ ((ignition_config | to_json) if cloud_image.startswith('flatcar') else cloudinit_config) | b64encode }}'
+    - name: releases
+      emptyDisk:
+        capacity: '{{ releases_disk_size }}'

tests/cloud_playbooks/roles/packet-ci/vars/main.yml

@@ -44,6 +44,12 @@ cloudinit_config: |
       lock_passwd: False
       ssh_authorized_keys:
         - {{ ssh_key.public_key }}
+  fs_setup:
+    - device: '/dev/disk/by-id/virtio-2825A83CBDC8A32D5E'
+      filesystem: 'ext4'
+      partition: 'none'
+  mounts:
+    - ['/dev/disk/by-id/virtio-2825A83CBDC8A32D5E', '/tmp/releases']
 
 ignition_config:
   ignition:
@@ -56,3 +62,9 @@ ignition_config:
           - wheel
         sshAuthorizedKeys:
           - "{{ ssh_key.public_key }}"
+  storage:
+    filesystems:
+      - device: '/dev/disk/by-id/virtio-2825A83CBDC8A32D5E'
+        format: ext4
+        path: /tmp/releases
+        wipeFilesystem: true

tests/common_vars.yml

@@ -36,3 +36,5 @@ nginx_image_repo: "{{ quay_image_repo }}/kubespray/nginx"
 
 flannel_image_repo: "{{ quay_image_repo }}/kubespray/flannel"
 flannel_init_image_repo: "{{ quay_image_repo }}/kubespray/flannel-cni-plugin"
+
+local_release_dir: "{{ '/tmp/releases' if inventory_hostname != 'localhost' else (lookup('env', 'PWD') + '/downloads') }}"

tests/files/ubuntu24-ha-separate-etcd

@@ -0,0 +1,2 @@
+REMOVE_NODE_CHECK=true
+REMOVE_NODE_NAME=etcd[2]

tests/scripts/testcases_run.sh

@@ -24,17 +24,13 @@ fi
 export ANSIBLE_BECOME=true
 export ANSIBLE_BECOME_USER=root
 
-# Test collection build and install by installing our collection, emptying our repository, adding
-# cluster.yml, reset.yml, and remote-node.yml files that simply point to our collection's playbooks, and then
-# running the same tests as before
-if [[ "${TESTCASE}" =~ "collection" ]]; then
-  # Build and install collection
-  ansible-galaxy collection build
-  ansible-galaxy collection install kubernetes_sigs-kubespray-*.tar.gz
-fi
 run_playbook () {
 if [[ "${TESTCASE}" =~ "collection" ]]; then
     playbook=kubernetes_sigs.kubespray.$1
+    # Handle upgrade case properly
+    rm -f kubernetes_sigs-kubespray-*.tar.gz
+    ansible-galaxy collection build
+    ansible-galaxy collection install kubernetes_sigs-kubespray-*.tar.gz
 else
     playbook=$1.yml
 fi
@@ -43,7 +39,6 @@ shift
 ansible-playbook \
     -e @tests/common_vars.yml \
     -e @tests/${TESTCASE_FILE} \
-    -e local_release_dir=${PWD}/downloads \
     "$@" \
     ${playbook}
 }
@@ -70,7 +65,7 @@ if [ "${UPGRADE_TEST}" != "false" ]; then
         run_playbook cluster
         ;;
     "graceful")
-        run_playbook upgrade-cluster
+        run_playbook upgrade_cluster
         ;;
     *)
         ;;
@@ -92,7 +87,7 @@ ansible-playbook \
 
 # Test node removal procedure
 if [ "${REMOVE_NODE_CHECK}" = "true" ]; then
-  run_playbook remove-node -e skip_confirmation=yes -e node=${REMOVE_NODE_NAME}
+  run_playbook remove-node -e skip_confirmation=yes -e node="${REMOVE_NODE_NAME}"
 fi
 
 # Clean up at the end, this is to allow stage1 tests to include cleanup test

tests/testcases/tests.yml

@@ -47,7 +47,7 @@
         - sonobuoy_enabled is defined
         - sonobuoy_enabled
       vars:
-        sonobuoy_version: 0.56.11
+        sonobuoy_version: 0.57.3
         sonobuoy_arch: amd64
         sonobuoy_parallel: 30
         sonobuoy_path: /usr/local/bin/sonobuoy

upgrade_cluster.yml

@@ -0,0 +1,3 @@
+---
+- name: Upgrade cluster
+  ansible.builtin.import_playbook: playbooks/upgrade_cluster.yml