Patch versions updates

playbooks/internal_facts.yml

@@ -16,8 +16,6 @@
     - name: Gather and compute network facts
       import_role:
         name: network_facts
-      tags:
-        - always
     - name: Gather minimal facts
       setup:
         gather_subset: '!all'

roles/kubespray_defaults/vars/main/checksums.yml

@@ -933,7 +933,6 @@ cri_dockerd_archive_checksums:
     0.3.5: sha256:30d47bd89998526d51a8518f9e8ef10baed408ab273879ee0e30350702092938
 runc_checksums:
   arm64:
-    1.3.5: sha256:bd843d75a788e612c9df286b1fa519a44fcbb7a7b8d01e2268431433cc7c718c
     1.3.4: sha256:d6dcab36d1b6af1b72c7f0662e5fcf446a291271ba6006532b95c4144e19d428
     1.3.3: sha256:3c9a8e9e6dafd00db61f4611692447ebab4a56388bae4f82192aed67b66df712
     1.3.2: sha256:06fbccb4528ecd490f3f333d6dcf22c876bd72a024813a0c0a46312121f4c5fd
@@ -958,7 +957,6 @@ runc_checksums:
     1.1.9: sha256:b43e9f561e85906f469eef5a7b7992fc586f750f44a0e011da4467e7008c33a0
     1.1.8: sha256:7c22cb618116d1d5216d79e076349f93a672253d564b19928a099c20e4acd658
   amd64:
-    1.3.5: sha256:66fa8390be8fb3b23dfbb60c767368bb5b51f1acfa88692bbff1a82953d4d9e9
     1.3.4: sha256:5966ca40b6187b30e33bfc299c5f1fe72e8c1aa01cf3fefdadf391668f47f103
     1.3.3: sha256:8781ab9f71c12f314d21c8e85f13ca1a82d90cf475aa5131a7b543fcc5487543
     1.3.2: sha256:e7a8e30bd6d248f494aae9163521ff4eb112a30602ac56ada0871e3531269c2d
@@ -983,7 +981,6 @@ runc_checksums:
     1.1.9: sha256:b9bfdd4cb27cddbb6172a442df165a80bfc0538a676fbca1a6a6c8f4c6933b43
     1.1.8: sha256:1d05ed79854efc707841dfc7afbf3b86546fc1d0b3a204435ca921c14af8385b
   ppc64le:
-    1.3.5: sha256:62e8f062291c2b2b29bd8ab8c983cef56409063287e256c50ab54fb54f5d98a7
     1.3.4: sha256:268d9be1188f3efa82cad0d8e6b938d8da0d741427660d874ca9386c68d72937
     1.3.3: sha256:c42394e7cf7cd508a91b090b72d57ff4df262effde742d5e29ea607e65f38b43
     1.3.2: sha256:9373062bc547b5afe44fb0122a12aaa980763969d4b69dd17134a6a292838ce5

roles/network_facts/defaults/main.yml

@@ -1,5 +0,0 @@
----
-# Additional string host to inject into NO_PROXY
-additional_no_proxy: ""
-additional_no_proxy_list: "{{ additional_no_proxy | split(',') }}"
-no_proxy_exclude_workers: false

roles/network_facts/tasks/main.yaml

@@ -1,63 +1,41 @@
 ---
-- name: Gather node IPs
+- name: Set facts variables
-  setup:
+  tags:
-    gather_subset: '!all,!min,network'
+    - always
-    filter: "ansible_default_ip*"
+  block:
-  when: ansible_default_ipv4 is not defined or ansible_default_ipv6 is not defined
+    - name: Gather node IPs
-  ignore_unreachable: true
+      setup:
+        gather_subset: '!all,!min,network'
+        filter: "ansible_default_ip*"
+      when: ansible_default_ipv4 is not defined or ansible_default_ipv6 is not defined
+      ignore_unreachable: true
 
-- name: Set computed IPs variables
+    - name: Set computed IPs varables
-  vars:
+      vars:
-    fallback_ip: "{{ ansible_default_ipv4.address | d('127.0.0.1') }}"
+        fallback_ip: "{{ ansible_default_ipv4.address | d('127.0.0.1') }}"
-    fallback_ip6: "{{ ansible_default_ipv6.address | d('::1') }}"
+        fallback_ip6: "{{ ansible_default_ipv6.address | d('::1') }}"
-    # Set 127.0.0.1 as fallback IP if we do not have host facts for host
+        # Set 127.0.0.1 as fallback IP if we do not have host facts for host
-    # ansible_default_ipv4 isn't what you think.
+        # ansible_default_ipv4 isn't what you think.
-    _ipv4: "{{ ip | default(fallback_ip) }}"
+        _ipv4: "{{ ip | default(fallback_ip) }}"
-    _access_ipv4: "{{ access_ip | default(_ipv4) }}"
+        _access_ipv4: "{{ access_ip | default(_ipv4) }}"
-    _ipv6: "{{ ip6 | default(fallback_ip6) }}"
+        _ipv6: "{{ ip6 | default(fallback_ip6) }}"
-    _access_ipv6: "{{ access_ip6 | default(_ipv6) }}"
+        _access_ipv6: "{{ access_ip6 | default(_ipv6) }}"
-    _access_ips:
+        _access_ips:
-      - "{{ _access_ipv4 if ipv4_stack }}"
+          - "{{ _access_ipv4 if ipv4_stack }}"
-      - "{{ _access_ipv6 if ipv6_stack }}"
+          - "{{ _access_ipv6 if ipv6_stack }}"
-    _ips:
+        _ips:
-      - "{{ _ipv4 if ipv4_stack }}"
+          - "{{ _ipv4 if ipv4_stack }}"
-      - "{{ _ipv6 if ipv6_stack }}"
+          - "{{ _ipv6 if ipv6_stack }}"
-  set_fact:
+      set_fact:
-    cacheable: true
+        cacheable: true
-    main_access_ip: "{{ _access_ipv4 if ipv4_stack else _access_ipv6 }}"
+        main_access_ip: "{{ _access_ipv4 if ipv4_stack else _access_ipv6 }}"
-    main_ip: "{{ _ipv4 if ipv4_stack else _ipv6  }}"
+        main_ip: "{{ _ipv4 if ipv4_stack else _ipv6  }}"
-    # Mixed IPs - for dualstack
+        # Mixed IPs - for dualstack
-    main_access_ips: "{{ _access_ips | select }}"
+        main_access_ips: "{{ _access_ips | select }}"
-    main_ips: "{{ _ips | select }}"
+        main_ips: "{{ _ips | select }}"
 
-- name: Set no_proxy to all assigned cluster IPs and hostnames
+    - name: Set no_proxy
-  when:
+      import_tasks: no_proxy.yml
-    - http_proxy is defined or https_proxy is defined
+      when:
-    - no_proxy is not defined
+        - http_proxy is defined or https_proxy is defined
-  vars:
+        - no_proxy is not defined
-    groups_with_no_proxy:
-      - kube_control_plane
-      - "{{ '' if no_proxy_exclude_workers else 'kube_node' }}" # TODO: exclude by a boolean in inventory rather than global variable
-      - etcd
-      - calico_rr
-    hosts_with_no_proxy: "{{ groups_with_no_proxy | select | map('extract', groups) | select('defined') | flatten }}"
-    _hostnames: "{{ (hosts_with_no_proxy +
-                      (hosts_with_no_proxy | map('extract', hostvars, morekeys=['ansible_hostname'])
-                      | select('defined')))
-                    | unique }}"
-    no_proxy_prepare:
-      - "{{ apiserver_loadbalancer_domain_name | d('') }}"
-      - "{{ loadbalancer_apiserver.address if loadbalancer_apiserver is defined else '' }}"
-      - "{{ hosts_with_no_proxy | map('extract', hostvars, morekeys=['main_access_ip']) }}"
-      - "{{ _hostnames }}"
-      - "{{ _hostnames | map('regex_replace', '$', '.' + dns_domain ) }}"
-      - "{{ additional_no_proxy_list }}"
-      - 127.0.0.1
-      - localhost
-      - "{{ kube_service_subnets }}"
-      - "{{ kube_pods_subnets }}"
-      - svc
-      - "svc.{{ dns_domain }}"
-  set_fact:
-    no_proxy: "{{ no_proxy_prepare | select | flatten | unique | join(',') }}"
-  run_once: true

roles/network_facts/tasks/no_proxy.yml

@@ -0,0 +1,40 @@
+---
+- name: Set no_proxy to all assigned cluster IPs and hostnames
+  set_fact:
+    # noqa: jinja[spacing]
+    no_proxy_prepare: >-
+      {%- if loadbalancer_apiserver is defined -%}
+      {{ apiserver_loadbalancer_domain_name }},
+      {{ loadbalancer_apiserver.address | default('') }},
+      {%- endif -%}
+      {%- if no_proxy_exclude_workers | default(false) -%}
+      {% set cluster_or_control_plane = 'kube_control_plane' %}
+      {%- else -%}
+      {% set cluster_or_control_plane = 'k8s_cluster' %}
+      {%- endif -%}
+      {%- for item in (groups[cluster_or_control_plane] + groups['etcd'] | default([]) + groups['calico_rr'] | default([])) | unique -%}
+      {{ hostvars[item]['main_access_ip'] }},
+      {%- if item != hostvars[item].get('ansible_hostname', '') -%}
+      {{ hostvars[item]['ansible_hostname'] }},
+      {{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }},
+      {%- endif -%}
+      {{ item }},{{ item }}.{{ dns_domain }},
+      {%- endfor -%}
+      {%- if additional_no_proxy is defined -%}
+      {{ additional_no_proxy }},
+      {%- endif -%}
+      127.0.0.1,localhost,{{ kube_service_subnets }},{{ kube_pods_subnets }},svc,svc.{{ dns_domain }}
+  delegate_to: localhost
+  connection: local
+  delegate_facts: true
+  become: false
+  run_once: true
+
+- name: Populates no_proxy to all hosts
+  set_fact:
+    no_proxy: "{{ hostvars.localhost.no_proxy_prepare | select }}"
+    # noqa: jinja[spacing]
+    proxy_env: "{{ proxy_env | combine({
+        'no_proxy': hostvars.localhost.no_proxy_prepare,
+        'NO_PROXY': hostvars.localhost.no_proxy_prepare
+      }) }}"

tests/files/rockylinux9-cilium.yml

@@ -13,21 +13,3 @@ kube_owner: root
 # Node Feature Discovery
 node_feature_discovery_enabled: true
 kube_asymmetric_encryption_algorithm: "ECDSA-P256"
-
-# Testing no_proxy setup
-# The proxy is not intended to be accessed at all, we're only testing
-# the no_proxy construction
-https_proxy: "http://some-proxy.invalid"
-http_proxy: "http://some-proxy.invalid"
-additional_no_proxy_list:
-  - github.com
-  - githubusercontent.com
-  - k8s.io
-  - rockylinux.org
-  - docker.io
-  - googleapis.com
-  - quay.io
-  - pkg.dev
-  - amazonaws.com
-  - cilium.io
-skip_http_proxy_on_os_packages: true