Patch versions updates

Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>

.gitlab-ci/kubevirt.yml

@@ -57,6 +57,7 @@ pr:
           - ubuntu24-kube-router-svc-proxy
           - ubuntu24-ha-separate-etcd
           - fedora40-flannel-crio-collection-scale
+          - openeuler24-calico
 
 # This is for flakey test so they don't disrupt the PR worklflow too much.
 # Jobs here MUST have a open issue so we don't lose sight of them
@@ -67,7 +68,6 @@ pr-flakey:
     matrix:
       - TESTCASE:
           - flatcar4081-calico # https://github.com/kubernetes-sigs/kubespray/issues/12309
-          - openeuler24-calico # https://github.com/kubernetes-sigs/kubespray/issues/12877
 
 # The ubuntu24-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu24-calico-all-in-one:

.gitlab-ci/terraform.yml

@@ -116,3 +116,4 @@ tf-elastx_ubuntu24-calico:
     TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
     TF_VAR_image: ubuntu-24.04-server-latest
     TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
+    TESTCASE: $CI_JOB_NAME

Dockerfile

@@ -35,8 +35,8 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.35.1/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.35.1/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L "https://dl.k8s.io/release/v1.35.2/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.35.2/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl
 
 COPY *.yml ./

README.md

@@ -111,15 +111,15 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.35.1
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.35.2
   - [etcd](https://github.com/etcd-io/etcd) 3.6.8
   - [docker](https://www.docker.com/) 28.3
-  - [containerd](https://containerd.io/) 2.2.1
-  - [cri-o](http://cri-o.io/) 1.35.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) 2.2.2
+  - [cri-o](http://cri-o.io/) 1.35.1 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
   - [calico](https://github.com/projectcalico/calico) 3.30.6
-  - [cilium](https://github.com/cilium/cilium) 1.18.6
+  - [cilium](https://github.com/cilium/cilium) 1.19.1
   - [flannel](https://github.com/flannel-io/flannel) 0.27.3
   - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1

docs/CNI/cilium.md

@@ -245,7 +245,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: "1.18.6"
+cilium_version: "1.19.1"
 ```
 
 ## Add variable to config

docs/ingress/kube-vip.md

@@ -63,6 +63,8 @@ kube_vip_bgppeers:
 # kube_vip_bgp_peeraddress:
 # kube_vip_bgp_peerpass:
 # kube_vip_bgp_peeras:
+# kube_vip_bgp_sourceip:
+# kube_vip_bgp_sourceif:
 ```
 
 If using [control plane load-balancing](https://kube-vip.io/docs/about/architecture/#control-plane-load-balancing):

docs/operations/etcd.md

@@ -32,12 +32,12 @@ etcd_metrics_service_labels:
   k8s-app: etcd
   app.kubernetes.io/managed-by: Kubespray
   app: kube-prometheus-stack-kube-etcd
-  release: prometheus-stack
+  release: kube-prometheus-stack
 ```
 
 The last two labels in the above example allows to scrape the metrics from the
 [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
-chart with the following Helm `values.yaml` :
+chart when it is installed with the release name `kube-prometheus-stack` and the following Helm `values.yaml`:
 
 ```yaml
 kubeEtcd:
@@ -45,8 +45,22 @@ kubeEtcd:
     enabled: false
 ```
 
-To fully override metrics exposition urls, define it in the inventory with:
+If your Helm release name is different, adjust the `release` label accordingly.
+
+To fully override metrics exposition URLs, define it in the inventory with:
 
 ```yaml
 etcd_listen_metrics_urls: "http://0.0.0.0:2381"
 ```
+
+If you choose to expose metrics on specific node IPs (for example `10.141.4.22`, `10.141.4.23`, `10.141.4.24`) in `etcd_listen_metrics_urls`,
+you can configure kube-prometheus-stack to scrape those endpoints directly with:
+
+```yaml
+kubeEtcd:
+  enabled: true
+  endpoints:
+    - 10.141.4.22
+    - 10.141.4.23
+    - 10.141.4.24
+```

inventory/sample/group_vars/k8s_cluster/addons.yml

@@ -199,6 +199,8 @@ kube_vip_enabled: false
 # kube_vip_leasename: plndr-cp-lock
 # kube_vip_enable_node_labeling: false
 # kube_vip_lb_fwdmethod: local
+# kube_vip_bgp_sourceip:
+# kube_vip_bgp_sourceif:
 
 # Node Feature Discovery
 node_feature_discovery_enabled: false

inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

@@ -361,8 +361,6 @@ cilium_l2announcements: false
 # -- Enable the use of well-known identities.
 # cilium_enable_well_known_identities: false
 
-# cilium_enable_bpf_clock_probe: true
-
 # -- Whether to enable CNP status updates.
 # cilium_disable_cnp_status_updates: true
 

pipeline.Dockerfile

@@ -46,8 +46,8 @@ ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && pip install --break-system-packages --ignore-installed --no-compile --no-cache-dir pip -U \
     && pip install --break-system-packages --no-compile --no-cache-dir -r tests/requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.35.1/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.35.1/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L https://dl.k8s.io/release/v1.35.2/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.35.2/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl \
     # Install Vagrant
     && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \

playbooks/internal_facts.yml

@@ -16,6 +16,8 @@
     - name: Gather and compute network facts
       import_role:
         name: network_facts
+      tags:
+        - always
     - name: Gather minimal facts
       setup:
         gather_subset: '!all'

roles/bootstrap_os/defaults/main.yml

@@ -12,6 +12,10 @@ coreos_locksmithd_disable: false
 # Install epel repo on Centos/RHEL
 epel_enabled: false
 
+## openEuler specific variables
+# Enable metalink for openEuler repos (auto-selects fastest mirror by location)
+openeuler_metalink_enabled: false
+
 ## Oracle Linux specific variables
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true

roles/bootstrap_os/tasks/openEuler.yml

@@ -1,3 +1,43 @@
 ---
-- name: Import Centos boostrap for openEuler
-  import_tasks: centos.yml
+- name: Import CentOS bootstrap for openEuler
+  ansible.builtin.import_tasks: centos.yml
+
+- name: Get existing openEuler repo sections
+  ansible.builtin.shell:
+    cmd: "set -o pipefail && grep '^\\[' /etc/yum.repos.d/openEuler.repo | tr -d '[]'"
+    executable: /bin/bash
+  register: _openeuler_repo_sections
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  become: true
+  when: openeuler_metalink_enabled
+
+- name: Enable metalink for openEuler repos
+  community.general.ini_file:
+    path: /etc/yum.repos.d/openEuler.repo
+    section: "{{ item.key }}"
+    option: metalink
+    value: "{{ item.value }}"
+    no_extra_spaces: true
+    mode: "0644"
+  loop: "{{ _openeuler_metalink_repos | dict2items | selectattr('key', 'in', _openeuler_repo_sections.stdout_lines | default([])) }}"
+  become: true
+  when: openeuler_metalink_enabled
+  register: _openeuler_metalink_result
+  vars:
+    _openeuler_metalink_repos:
+      OS: "https://mirrors.openeuler.org/metalink?repo=$releasever/OS&arch=$basearch"
+      everything: "https://mirrors.openeuler.org/metalink?repo=$releasever/everything&arch=$basearch"
+      EPOL: "https://mirrors.openeuler.org/metalink?repo=$releasever/EPOL/main&arch=$basearch"
+      debuginfo: "https://mirrors.openeuler.org/metalink?repo=$releasever/debuginfo&arch=$basearch"
+      source: "https://mirrors.openeuler.org/metalink?repo=$releasever&arch=source"
+      update: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=$basearch"
+      update-source: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=source"
+
+- name: Clean dnf cache to apply metalink mirror selection
+  ansible.builtin.command: dnf clean all
+  become: true
+  when:
+    - openeuler_metalink_enabled
+    - _openeuler_metalink_result.changed

roles/download/templates/kubeadm-images.yaml.j2

@@ -1,9 +1,9 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: InitConfiguration
 nodeRegistration:
   criSocket: {{ cri_socket }}
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 imageRepository: {{ kubeadm_image_repo }}
 kubernetesVersion: v{{ kube_version }}

roles/kubernetes-apps/ansible/defaults/main.yml

@@ -88,36 +88,5 @@ dns_autoscaler_affinity: {}
 #   app: kube-prometheus-stack-kube-etcd
 #   release: prometheus-stack
 
-# Netchecker
-deploy_netchecker: false
-netchecker_port: 31081
-agent_report_interval: 15
-netcheck_namespace: default
-
-# Limits for netchecker apps
-netchecker_agent_cpu_limit: 30m
-netchecker_agent_memory_limit: 100M
-netchecker_agent_cpu_requests: 15m
-netchecker_agent_memory_requests: 64M
-netchecker_server_cpu_limit: 100m
-netchecker_server_memory_limit: 256M
-netchecker_server_cpu_requests: 50m
-netchecker_server_memory_requests: 64M
-netchecker_etcd_cpu_limit: 200m
-netchecker_etcd_memory_limit: 256M
-netchecker_etcd_cpu_requests: 100m
-netchecker_etcd_memory_requests: 128M
-
-# SecurityContext (user/group)
-netchecker_agent_user: 1000
-netchecker_server_user: 1000
-netchecker_agent_group: 1000
-netchecker_server_group: 1000
-
-# Log levels
-netchecker_agent_log_level: 5
-netchecker_server_log_level: 5
-netchecker_etcd_log_level: info
-
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]

roles/kubernetes-apps/ansible/tasks/main.yml

@@ -87,25 +87,3 @@
   when: etcd_metrics_port is defined and etcd_metrics_service_labels is defined
   tags:
     - etcd_metrics
-
-- name: Kubernetes Apps | Netchecker
-  command:
-    cmd: "{{ kubectl_apply_stdin }}"
-    stdin: "{{ lookup('template', item) }}"
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  vars:
-    k8s_namespace: "{{ netcheck_namespace }}"
-  when: deploy_netchecker
-  tags:
-    - netchecker
-  loop:
-    - netchecker-ns.yml.j2
-    - netchecker-agent-sa.yml.j2
-    - netchecker-agent-ds.yml.j2
-    - netchecker-agent-hostnet-ds.yml.j2
-    - netchecker-server-sa.yml.j2
-    - netchecker-server-clusterrole.yml.j2
-    - netchecker-server-clusterrolebinding.yml.j2
-    - netchecker-server-deployment.yml.j2
-    - netchecker-server-svc.yml.j2

roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2

@@ -1,56 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app: netchecker-agent
-  name: netchecker-agent
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    matchLabels:
-      app: netchecker-agent
-  template:
-    metadata:
-      name: netchecker-agent
-      labels:
-        app: netchecker-agent
-    spec:
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      nodeSelector:
-        kubernetes.io/os: linux
-      containers:
-        - name: netchecker-agent
-          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: MY_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: MY_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          args:
-            - "-v={{ netchecker_agent_log_level }}"
-            - "-alsologtostderr=true"
-            - "-serverendpoint=netchecker-service:8081"
-            - "-reportinterval={{ agent_report_interval }}"
-          resources:
-            limits:
-              cpu: {{ netchecker_agent_cpu_limit }}
-              memory: {{ netchecker_agent_memory_limit }}
-            requests:
-              cpu: {{ netchecker_agent_cpu_requests }}
-              memory: {{ netchecker_agent_memory_requests }}
-          securityContext:
-            runAsUser: {{ netchecker_agent_user | default('0') }}
-            runAsGroup: {{ netchecker_agent_group | default('0') }}
-      serviceAccountName: netchecker-agent
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 100%
-    type: RollingUpdate

roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2

@@ -1,58 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app: netchecker-agent-hostnet
-  name: netchecker-agent-hostnet
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    matchLabels:
-      app: netchecker-agent-hostnet
-  template:
-    metadata:
-      name: netchecker-agent-hostnet
-      labels:
-        app: netchecker-agent-hostnet
-    spec:
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      nodeSelector:
-        kubernetes.io/os: linux
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      containers:
-        - name: netchecker-agent
-          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: MY_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: MY_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          args:
-            - "-v={{ netchecker_agent_log_level }}"
-            - "-alsologtostderr=true"
-            - "-serverendpoint=netchecker-service:8081"
-            - "-reportinterval={{ agent_report_interval }}"
-          resources:
-            limits:
-              cpu: {{ netchecker_agent_cpu_limit }}
-              memory: {{ netchecker_agent_memory_limit }}
-            requests:
-              cpu: {{ netchecker_agent_cpu_requests }}
-              memory: {{ netchecker_agent_memory_requests }}
-          securityContext:
-            runAsUser: {{ netchecker_agent_user | default('0') }}
-            runAsGroup: {{ netchecker_agent_group | default('0') }}
-      serviceAccountName: netchecker-agent
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 100%
-    type: RollingUpdate

roles/kubernetes-apps/ansible/templates/netchecker-agent-sa.yml.j2

@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netchecker-agent
-  namespace: {{ netcheck_namespace }}

roles/kubernetes-apps/ansible/templates/netchecker-ns.yml.j2

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: "{{ netcheck_namespace }}"
-  labels:
-    name: "{{ netcheck_namespace }}"

roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2

@@ -1,9 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["list", "get"]

roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2

@@ -1,13 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: netchecker-server
-    namespace: {{ netcheck_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: netchecker-server
-  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2

@@ -1,86 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-  labels:
-    app: netchecker-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: netchecker-server
-  template:
-    metadata:
-      name: netchecker-server
-      labels:
-        app: netchecker-server
-    spec:
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      volumes:
-        - name: etcd-data
-          emptyDir: {}
-      containers:
-        - name: netchecker-server
-          image: "{{ netcheck_server_image_repo }}:{{ netcheck_server_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          resources:
-            limits:
-              cpu: {{ netchecker_server_cpu_limit }}
-              memory: {{ netchecker_server_memory_limit }}
-            requests:
-              cpu: {{ netchecker_server_cpu_requests }}
-              memory: {{ netchecker_server_memory_requests }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ['ALL']
-            runAsUser: {{ netchecker_server_user | default('0') }}
-            runAsGroup: {{ netchecker_server_group | default('0') }}
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
-          ports:
-            - containerPort: 8081
-          args:
-            - -v={{ netchecker_server_log_level }}
-            - -logtostderr
-            - -kubeproxyinit=false
-            - -endpoint=0.0.0.0:8081
-            - -etcd-endpoints=http://127.0.0.1:2379
-        - name: etcd
-          image: "{{ etcd_image_repo }}:{{ netcheck_etcd_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: ETCD_LOG_LEVEL
-              value: "{{ netchecker_etcd_log_level }}"
-          command:
-            - etcd
-            - --listen-client-urls=http://127.0.0.1:2379
-            - --advertise-client-urls=http://127.0.0.1:2379
-            - --data-dir=/var/lib/etcd
-            - --enable-v2
-            - --force-new-cluster
-          volumeMounts:
-            - mountPath: /var/lib/etcd
-              name: etcd-data
-          resources:
-            limits:
-              cpu: {{ netchecker_etcd_cpu_limit }}
-              memory: {{ netchecker_etcd_memory_limit }}
-            requests:
-              cpu: {{ netchecker_etcd_cpu_requests }}
-              memory: {{ netchecker_etcd_memory_requests }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ['ALL']
-            runAsUser: {{ netchecker_server_user | default('0') }}
-            runAsGroup: {{ netchecker_server_group | default('0') }}
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      serviceAccountName: netchecker-server

roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2

@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}

roles/kubernetes-apps/ansible/templates/netchecker-server-svc.yml.j2

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: netchecker-service
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    app: netchecker-server
-  ports:
-    -
-      protocol: TCP
-      port: 8081
-      targetPort: 8081
-      nodePort: {{ netchecker_port }}
-  type: NodePort

roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2

@@ -45,7 +45,7 @@ data:
             force_tcp
         }
         prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_health_port }}
 {% if dns_etchosts | default(None) %}
         hosts /etc/coredns/hosts {
           fallthrough
@@ -132,7 +132,7 @@ data:
             force_tcp
         }
         prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_secondary_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_second_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_second_health_port }}
 {% if dns_etchosts | default(None) %}
         hosts /etc/coredns/hosts {
           fallthrough

roles/kubernetes-apps/snapshots/cinder-csi/templates/cinder-csi-snapshot-class.yml.j2

@@ -1,7 +1,7 @@
 {% for class in snapshot_classes %}
 ---
 kind: VolumeSnapshotClass
-apiVersion: snapshot.storage.k8s.io/v1beta1
+apiVersion: snapshot.storage.k8s.io/v1
 metadata:
   name: "{{ class.name }}"
   annotations:

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -95,7 +95,7 @@
 
 - name: Kubeadm | Create kubeadm config
   template:
-    src: "kubeadm-config.{{ kubeadm_config_api_version }}.yaml.j2"
+    src: "kubeadm-config.v1beta4.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
     mode: "0640"
     validate: "{{ kubeadm_config_validate_enabled | ternary(bin_dir + '/kubeadm config validate --config %s', omit) }}"

roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml

@@ -2,44 +2,21 @@
 - name: Ensure kube-apiserver is up before upgrade
   import_tasks: check-api.yml
 
-  # kubeadm-config.v1beta4 with UpgradeConfiguration requires some values that were previously allowed as args to be specified in the config file
-  # TODO: Remove --skip-phases from command when v1beta4 UpgradeConfiguration supports skipPhases
 - name: Kubeadm | Upgrade first control plane node to {{ kube_version }}
   command: >-
     timeout -k 600s 600s
     {{ bin_dir }}/kubeadm upgrade apply -y v{{ kube_version }}
-    {%- if kubeadm_config_api_version == 'v1beta3' %}
-    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
-    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-    --allow-experimental-upgrades
-    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
-    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
-    --force
-    {%- else %}
     --config={{ kube_config_dir }}/kubeadm-config.yaml
-    {%- endif %}
-    {%- if kube_version is version('1.32.0', '>=') %}
-    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
-    {%- endif %}
   register: kubeadm_upgrade
   when: inventory_hostname == first_kube_control_plane
   failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
   environment:
     PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
 
-# TODO: When we retire kubeadm-config.v1beta3, remove --certificate-renewal, --ignore-preflight-errors, --etcd-upgrade, --patches, and --skip-phases from command, since v1beta4+ supports these in UpgradeConfiguration.node
 - name: Kubeadm | Upgrade other control plane nodes to {{ kube_version }}
   command: >-
     {{ bin_dir }}/kubeadm upgrade node
-    {%- if kubeadm_config_api_version == 'v1beta3' %}
-    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
-    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
-    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
-    {%- else %}
     --config={{ kube_config_dir }}/kubeadm-config.yaml
-    {%- endif %}
-    --skip-phases={{ kubeadm_upgrade_node_phases_skip | join(',') }}
   register: kubeadm_upgrade
   when: inventory_hostname != first_kube_control_plane
   failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2

@@ -1,445 +0,0 @@
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: InitConfiguration
-{% if kubeadm_token is defined %}
-bootstrapTokens:
-- token: "{{ kubeadm_token }}"
-  description: "kubespray kubeadm bootstrap token"
-  ttl: "24h"
-{% endif %}
-localAPIEndpoint:
-  advertiseAddress: "{{ kube_apiserver_address }}"
-  bindPort: {{ kube_apiserver_port }}
-{% if kubeadm_certificate_key is defined %}
-certificateKey: {{ kubeadm_certificate_key }}
-{% endif %}
-nodeRegistration:
-{% if kube_override_hostname | default('') %}
-  name: "{{ kube_override_hostname }}"
-{% endif %}
-{% if 'kube_control_plane' in group_names and 'kube_node' not in group_names %}
-  taints:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/control-plane
-{% else %}
-  taints: []
-{% endif %}
-  criSocket: {{ cri_socket }}
-{% if cloud_provider == "external" %}
-  kubeletExtraArgs:
-    cloud-provider: external
-{% endif %}
-{% if kubeadm_patches | length > 0 %}
-patches:
-  directory: {{ kubeadm_patches_dir }}
-{% endif %}
----
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: ClusterConfiguration
-clusterName: {{ cluster_name }}
-etcd:
-{% if etcd_deployment_type != "kubeadm" %}
-  external:
-      endpoints:
-{% for endpoint in etcd_access_addresses.split(',') %}
-      - "{{ endpoint }}"
-{% endfor %}
-      caFile: {{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}
-      certFile: {{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}
-      keyFile: {{ etcd_cert_dir }}/{{ kube_etcd_key_file }}
-{% elif etcd_deployment_type == "kubeadm" %}
-  local:
-    imageRepository: "{{ etcd_image_repo | regex_replace("/etcd$","") }}"
-    imageTag: "{{ etcd_image_tag }}"
-    dataDir: "{{ etcd_data_dir }}"
-    extraArgs:
-      metrics: {{ etcd_metrics }}
-      election-timeout: "{{ etcd_election_timeout }}"
-      heartbeat-interval: "{{ etcd_heartbeat_interval }}"
-      auto-compaction-retention: "{{ etcd_compaction_retention }}"
-{% if etcd_listen_metrics_urls is defined %}
-      listen-metrics-urls: "{{ etcd_listen_metrics_urls }}"
-{% endif %}
-      snapshot-count: "{{ etcd_snapshot_count }}"
-      quota-backend-bytes: "{{ etcd_quota_backend_bytes }}"
-      max-request-bytes: "{{ etcd_max_request_bytes }}"
-      log-level: "{{ etcd_log_level }}"
-{% for key, value in etcd_extra_vars.items() %}
-      {{ key }}: "{{ value }}"
-{% endfor %}
-    serverCertSANs:
-{% for san in etcd_cert_alt_names %}
-      - "{{ san }}"
-{% endfor %}
-{% for san in etcd_cert_alt_ips %}
-      - "{{ san }}"
-{% endfor %}
-    peerCertSANs:
-{% for san in etcd_cert_alt_names %}
-      - "{{ san }}"
-{% endfor %}
-{% for san in etcd_cert_alt_ips %}
-      - "{{ san }}"
-{% endfor %}
-{% endif %}
-dns:
-  imageRepository: {{ coredns_image_repo | regex_replace('/coredns(?!/coredns).*$', '') }}
-  imageTag: {{ coredns_image_tag }}
-networking:
-  dnsDomain: {{ dns_domain }}
-  serviceSubnet: "{{ kube_service_subnets }}"
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-  podSubnet: "{{ kube_pods_subnets }}"
-{% endif %}
-{% if kubeadm_feature_gates %}
-featureGates:
-{%   for feature in kubeadm_feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}
-kubernetesVersion: v{{ kube_version }}
-{% if kubeadm_config_api_fqdn is defined %}
-controlPlaneEndpoint: "{{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}"
-{% else %}
-controlPlaneEndpoint: "{{ main_ip | ansible.utils.ipwrap }}:{{ kube_apiserver_port }}"
-{% endif %}
-certificatesDir: {{ kube_cert_dir }}
-imageRepository: {{ kubeadm_image_repo }}
-apiServer:
-  extraArgs:
-    etcd-compaction-interval: "{{ kube_apiserver_etcd_compaction_interval }}"
-    default-not-ready-toleration-seconds: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
-    default-unreachable-toleration-seconds: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
-{% if kube_api_anonymous_auth is defined %}
-{# TODO: rework once suppport for structured auth lands #}
-    anonymous-auth: "{{ kube_api_anonymous_auth }}"
-{% endif %}
-{% if kube_apiserver_use_authorization_config_file %}
-    authorization-config: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
-{% else %}
-    authorization-mode: {{ authorization_modes | join(',') }}
-{% endif %}
-    bind-address: "{{ kube_apiserver_bind_address }}"
-{% if kube_apiserver_enable_admission_plugins | length > 0 %}
-    enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
-{% endif %}
-{% if kube_apiserver_admission_control_config_file %}
-    admission-control-config-file: {{ kube_config_dir }}/admission-controls.yaml
-{% endif %}
-{% if kube_apiserver_disable_admission_plugins | length > 0 %}
-    disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
-{% endif %}
-    apiserver-count: "{{ kube_apiserver_count }}"
-    endpoint-reconciler-type: lease
-{% if etcd_events_cluster_enabled %}
-    etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
-{% endif %}
-    service-node-port-range: {{ kube_apiserver_node_port_range }}
-    service-cluster-ip-range: "{{ kube_service_subnets }}"
-    kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
-    profiling: "{{ kube_profiling }}"
-    request-timeout: "{{ kube_apiserver_request_timeout }}"
-    enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
-{% if kube_token_auth %}
-    token-auth-file: {{ kube_token_dir }}/known_tokens.csv
-{% endif %}
-{% if kube_apiserver_service_account_lookup %}
-    service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
-{% endif %}
-{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
-    oidc-issuer-url: "{{ kube_oidc_url }}"
-    oidc-client-id: "{{ kube_oidc_client_id }}"
-{%   if kube_oidc_ca_file is defined %}
-    oidc-ca-file: "{{ kube_oidc_ca_file }}"
-{%   endif %}
-{%   if kube_oidc_username_claim is defined %}
-    oidc-username-claim: "{{ kube_oidc_username_claim }}"
-{%   endif %}
-{%   if kube_oidc_groups_claim is defined %}
-    oidc-groups-claim: "{{ kube_oidc_groups_claim }}"
-{%   endif %}
-{%   if kube_oidc_username_prefix is defined %}
-    oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
-{%   endif %}
-{%   if kube_oidc_groups_prefix is defined %}
-    oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
-{%   endif %}
-{% endif %}
-{% if kube_webhook_token_auth %}
-    authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-{% endif %}
-{% if kube_webhook_authorization and not kube_apiserver_use_authorization_config_file %}
-    authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
-{% endif %}
-{% if kube_encrypt_secret_data %}
-    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
-{% endif %}
-    storage-backend: {{ kube_apiserver_storage_backend }}
-{% if kube_api_runtime_config | length > 0 %}
-    runtime-config: {{ kube_api_runtime_config | join(',') }}
-{% endif %}
-    allow-privileged: "true"
-{% if kubernetes_audit or kubernetes_audit_webhook %}
-    audit-policy-file: {{ audit_policy_file }}
-{% endif %}
-{% if kubernetes_audit %}
-    audit-log-path: "{{ audit_log_path }}"
-    audit-log-maxage: "{{ audit_log_maxage }}"
-    audit-log-maxbackup: "{{ audit_log_maxbackups }}"
-    audit-log-maxsize: "{{ audit_log_maxsize }}"
-{% endif %}
-{% if kubernetes_audit_webhook %}
-    audit-webhook-config-file: {{ audit_webhook_config_file }}
-    audit-webhook-mode: {{ audit_webhook_mode }}
-{% if audit_webhook_mode == "batch" %}
-    audit-webhook-batch-max-size: "{{ audit_webhook_batch_max_size }}"
-    audit-webhook-batch-max-wait: "{{ audit_webhook_batch_max_wait }}"
-{% endif %}
-{% endif %}
-{% for key in kube_kubeadm_apiserver_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
-{% endfor %}
-{% if kube_apiserver_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_apiserver_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-    event-ttl: {{ event_ttl_duration }}
-{% if kubelet_rotate_server_certificates %}
-    kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
-{% endif %}
-{% if kube_apiserver_tracing %}
-    tracing-config-file: {{ kube_config_dir }}/tracing/apiserver-tracing.yaml
-{% endif %}
-{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or apiserver_extra_volumes or ssl_ca_dirs | length %}
-  extraVolumes:
-{% if kube_token_auth %}
-  - name: token-auth-config
-    hostPath: {{ kube_token_dir }}
-    mountPath: {{ kube_token_dir }}
-{% endif %}
-{% if kube_webhook_token_auth %}
-  - name: webhook-token-auth-config
-    hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-    mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-{% endif %}
-{% if kube_webhook_authorization %}
-  - name: webhook-authorization-config
-    hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
-    mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
-{% endif %}
-{% if kube_apiserver_use_authorization_config_file %}
-  - name: authorization-config
-    hostPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
-    mountPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
-{% endif %}
-{% if kubernetes_audit or kubernetes_audit_webhook %}
-  - name: {{ audit_policy_name }}
-    hostPath: {{ audit_policy_hostpath }}
-    mountPath: {{ audit_policy_mountpath }}
-{% if audit_log_path != "-" %}
-  - name: {{ audit_log_name }}
-    hostPath: {{ audit_log_hostpath }}
-    mountPath: {{ audit_log_mountpath }}
-    readOnly: false
-{% endif %}
-{% endif %}
-{% if kube_apiserver_admission_control_config_file %}
-  - name: admission-control-configs
-    hostPath: {{ kube_config_dir }}/admission-controls
-    mountPath: {{ kube_config_dir }}
-    readOnly: false
-    pathType: DirectoryOrCreate
-{% endif %}
-{% if kube_apiserver_tracing %}
-  - name: tracing
-    hostPath: {{ kube_config_dir }}/tracing
-    mountPath: {{ kube_config_dir }}/tracing
-    readOnly: true
-    pathType: DirectoryOrCreate
-{% endif %}
-{% for volume in apiserver_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% if ssl_ca_dirs | length %}
-{% for dir in ssl_ca_dirs %}
-  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
-    hostPath: {{ dir }}
-    mountPath: {{ dir }}
-    readOnly: true
-{% endfor %}
-{% endif %}
-{% endif %}
-  certSANs:
-{% for san in apiserver_sans %}
-  - "{{ san }}"
-{% endfor %}
-  timeoutForControlPlane: 5m0s
-controllerManager:
-  extraArgs:
-    node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
-    node-monitor-period: {{ kube_controller_node_monitor_period }}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-    cluster-cidr: "{{ kube_pods_subnets }}"
-{% endif %}
-    service-cluster-ip-range: "{{ kube_service_subnets }}"
-{% if kube_network_plugin is defined and kube_network_plugin == "calico" and not calico_ipam_host_local %}
-    allocate-node-cidrs: "false"
-{% else %}
-{% if ipv4_stack %}
-    node-cidr-mask-size-ipv4: "{{ kube_network_node_prefix }}"
-{% endif %}
-{% if ipv6_stack %}
-    node-cidr-mask-size-ipv6: "{{ kube_network_node_prefix_ipv6 }}"
-{% endif %}
-{% endif %}
-    profiling: "{{ kube_profiling }}"
-    terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
-    bind-address: "{{ kube_controller_manager_bind_address }}"
-    leader-elect-lease-duration: {{ kube_controller_manager_leader_elect_lease_duration }}
-    leader-elect-renew-deadline: {{ kube_controller_manager_leader_elect_renew_deadline }}
-{% if kube_controller_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_controller_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-{% for key in kube_kubeadm_controller_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
-{% endfor %}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %}
-    configure-cloud-routes: "false"
-{% endif %}
-{% if kubelet_flexvolumes_plugins_dir is defined %}
-    flex-volume-plugin-dir: {{ kubelet_flexvolumes_plugins_dir }}
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-{% if controller_manager_extra_volumes %}
-  extraVolumes:
-{% for volume in controller_manager_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% endif %}
-scheduler:
-  extraArgs:
-    bind-address: "{{ kube_scheduler_bind_address }}"
-    config: {{ kube_config_dir }}/kubescheduler-config.yaml
-{% if kube_scheduler_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_scheduler_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-    profiling: "{{ kube_profiling }}"
-{% if kube_kubeadm_scheduler_extra_args | length > 0 %}
-{% for key in kube_kubeadm_scheduler_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
-{% endfor %}
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-  extraVolumes:
-  - name: kubescheduler-config
-    hostPath: {{ kube_config_dir }}/kubescheduler-config.yaml
-    mountPath: {{ kube_config_dir }}/kubescheduler-config.yaml
-    readOnly: true
-{% if scheduler_extra_volumes %}
-{% for volume in scheduler_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% endif %}
----
-apiVersion: kubeproxy.config.k8s.io/v1alpha1
-kind: KubeProxyConfiguration
-bindAddress: "{{ kube_proxy_bind_address }}"
-clientConnection:
-  acceptContentTypes: {{ kube_proxy_client_accept_content_types }}
-  burst: {{ kube_proxy_client_burst }}
-  contentType: {{ kube_proxy_client_content_type }}
-  kubeconfig: {{ kube_proxy_client_kubeconfig }}
-  qps: {{ kube_proxy_client_qps }}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-clusterCIDR: "{{ kube_pods_subnets }}"
-{% endif %}
-configSyncPeriod: {{ kube_proxy_config_sync_period }}
-conntrack:
-  maxPerCore: {{ kube_proxy_conntrack_max_per_core }}
-  min: {{ kube_proxy_conntrack_min }}
-  tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }}
-  tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }}
-enableProfiling: {{ kube_proxy_enable_profiling }}
-healthzBindAddress: "{{ kube_proxy_healthz_bind_address }}"
-hostnameOverride: "{{ kube_override_hostname }}"
-iptables:
-  masqueradeAll: {{ kube_proxy_masquerade_all }}
-  masqueradeBit: {{ kube_proxy_masquerade_bit }}
-  minSyncPeriod: {{ kube_proxy_min_sync_period }}
-  syncPeriod: {{ kube_proxy_sync_period }}
-ipvs:
-  excludeCIDRs: {{ kube_proxy_exclude_cidrs }}
-  minSyncPeriod: {{ kube_proxy_min_sync_period }}
-  scheduler: {{ kube_proxy_scheduler }}
-  syncPeriod: {{ kube_proxy_sync_period }}
-  strictARP: {{ kube_proxy_strict_arp }}
-  tcpTimeout: {{ kube_proxy_tcp_timeout }}
-  tcpFinTimeout: {{ kube_proxy_tcp_fin_timeout }}
-  udpTimeout: {{ kube_proxy_udp_timeout }}
-metricsBindAddress: "{{ kube_proxy_metrics_bind_address }}"
-mode: {{ kube_proxy_mode }}
-nodePortAddresses: {{ kube_proxy_nodeport_addresses }}
-oomScoreAdj: {{ kube_proxy_oom_score_adj }}
-portRange: {{ kube_proxy_port_range }}
-{% if kube_proxy_feature_gates or kube_feature_gates %}
-{% set feature_gates = ( kube_proxy_feature_gates | default(kube_feature_gates, true) ) %}
-featureGates:
-{%   for feature in feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}
-{# DNS settings for kubelet #}
-{% if enable_nodelocaldns %}
-{% set kubelet_cluster_dns = [nodelocaldns_ip] %}
-{% elif dns_mode in ['coredns'] %}
-{% set kubelet_cluster_dns = [skydns_server] %}
-{% elif dns_mode == 'coredns_dual' %}
-{% set kubelet_cluster_dns = [skydns_server,skydns_server_secondary] %}
-{% elif dns_mode == 'manual' %}
-{% set kubelet_cluster_dns = [manual_dns_server] %}
-{% else %}
-{% set kubelet_cluster_dns = [] %}
-{% endif %}
----
-apiVersion: kubelet.config.k8s.io/v1beta1
-kind: KubeletConfiguration
-{% if kube_version is version('1.35.0', '>=') %}
-failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
-{% endif %}
-clusterDNS:
-{% for dns_address in kubelet_cluster_dns %}
-- {{ dns_address }}
-{% endfor %}
-{% if kubelet_feature_gates or kube_feature_gates %}
-{% set feature_gates = ( kubelet_feature_gates | default(kube_feature_gates, true) ) %}
-featureGates:
-{%   for feature in feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}

roles/kubernetes/control-plane/templates/kubeadm-controlplane.yaml.j2

@@ -1,4 +1,4 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration
 discovery:
 {% if kubeadm_use_file_discovery %}
@@ -15,13 +15,8 @@ discovery:
     unsafeSkipCAVerification: true
 {% endif %}
   tlsBootstrapToken: {{ kubeadm_token }}
-{# TODO: drop the if when we drop support for k8s<1.31 #}
-{% if kubeadm_config_api_version == 'v1beta3' %}
-  timeout: {{ discovery_timeout }}
-{% else %}
 timeouts:
   discovery: {{ discovery_timeout }}
-{% endif %}
 controlPlane:
   localAPIEndpoint:
     advertiseAddress: "{{ kube_apiserver_address }}"

roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2

@@ -1,5 +1,5 @@
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration
 discovery:
 {% if kubeadm_use_file_discovery %}
@@ -21,13 +21,8 @@ discovery:
 {% endif %}
 {% endif %}
   tlsBootstrapToken: {{ kubeadm_token }}
-{# TODO: drop the if when we drop support for k8s<1.31 #}
-{% if kubeadm_config_api_version == 'v1beta3' %}
-  timeout: {{ discovery_timeout }}
-{% else %}
 timeouts:
   discovery: {{ discovery_timeout }}
-{% endif %}
 caCertPath: {{ kube_cert_dir }}/ca.crt
 {% if kubeadm_cert_controlplane is defined and kubeadm_cert_controlplane %}
 controlPlane:

roles/kubernetes/node/defaults/main.yml

@@ -86,6 +86,8 @@ kube_vip_leaseduration: 5
 kube_vip_renewdeadline: 3
 kube_vip_retryperiod: 1
 kube_vip_enable_node_labeling: false
+kube_vip_bgp_sourceip:
+kube_vip_bgp_sourceif:
 
 # Requests for load balancer app
 loadbalancer_apiserver_memory_requests: 32M

roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml

@@ -6,6 +6,17 @@
     - kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
     - kube_vip_arp_enabled
 
+- name: Kube-vip | Check mutually exclusive BGP source settings
+  vars:
+    kube_vip_bgp_sourceip_normalized: "{{ kube_vip_bgp_sourceip | default('', true) | string | trim }}"
+    kube_vip_bgp_sourceif_normalized: "{{ kube_vip_bgp_sourceif | default('', true) | string | trim }}"
+  assert:
+    that:
+      - kube_vip_bgp_sourceip_normalized == '' or kube_vip_bgp_sourceif_normalized == ''
+    fail_msg: "kube-vip allows only one of kube_vip_bgp_sourceip or kube_vip_bgp_sourceif."
+  when:
+    - kube_vip_bgp_enabled | default(false)
+
 - name: Kube-vip | Check if super-admin.conf exists
   stat:
     path: "{{ kube_config_dir }}/super-admin.conf"

roles/kubernetes/node/templates/manifests/kube-vip.manifest.j2

@@ -85,6 +85,16 @@ spec:
       value: {{ kube_vip_bgp_peerpass | to_json }}
     - name: bgp_peeras
       value: {{ kube_vip_bgp_peeras | string | to_json }}
+{% set kube_vip_bgp_sourceip_normalized = kube_vip_bgp_sourceip | default('', true) | string | trim %}
+{% if kube_vip_bgp_sourceip_normalized %}
+    - name: bgp_sourceip
+      value: {{ kube_vip_bgp_sourceip_normalized | to_json }}
+{% endif %}
+{% set kube_vip_bgp_sourceif_normalized = kube_vip_bgp_sourceif | default('', true) | string | trim %}
+{% if kube_vip_bgp_sourceif_normalized %}
+    - name: bgp_sourceif
+      value: {{ kube_vip_bgp_sourceif_normalized | to_json }}
+{% endif %}
 {% if kube_vip_bgppeers %}
     - name: bgp_peers
       value: {{ kube_vip_bgppeers | join(',')  | to_json }}

roles/kubespray_defaults/defaults/main/download.yml

@@ -116,7 +116,7 @@ flannel_version: 0.27.3
 flannel_cni_version: 1.7.1-flannel1
 cni_version: "{{ (cni_binary_checksums['amd64'] | dict2items)[0].key }}"
 
-cilium_version: "1.18.6"
+cilium_version: "1.19.1"
 cilium_cli_version: "{{ (ciliumcli_binary_checksums['amd64'] | dict2items)[0].key }}"
 cilium_enable_hubble: false
 
@@ -232,13 +232,6 @@ calico_apiserver_image_repo: "{{ quay_image_repo }}/calico/apiserver"
 calico_apiserver_image_tag: "v{{ calico_apiserver_version }}"
 pod_infra_image_repo: "{{ kube_image_repo }}/pause"
 pod_infra_image_tag: "{{ pod_infra_version }}"
-netcheck_version: "1.2.2"
-netcheck_agent_image_repo: "{{ docker_image_repo }}/mirantis/k8s-netchecker-agent"
-netcheck_agent_image_tag: "v{{ netcheck_version }}"
-netcheck_server_image_repo: "{{ docker_image_repo }}/mirantis/k8s-netchecker-server"
-netcheck_server_image_tag: "v{{ netcheck_version }}"
-# netchecker doesn't work with etcd>=3.6 because etcd v2 API is removed
-netcheck_etcd_image_tag: "v{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 cilium_image_repo: "{{ quay_image_repo }}/cilium/cilium"
 cilium_image_tag: "v{{ cilium_version }}"
 cilium_operator_image_repo: "{{ quay_image_repo }}/cilium/operator"
@@ -270,9 +263,9 @@ kube_vip_version: 1.0.3
 kube_vip_image_repo: "{{ github_image_repo }}/kube-vip/kube-vip{{ '-iptables' if kube_vip_lb_fwdmethod == 'masquerade' else '' }}"
 kube_vip_image_tag: "v{{ kube_vip_version }}"
 nginx_image_repo: "{{ docker_image_repo }}/library/nginx"
-nginx_image_tag: 1.28.0-alpine
+nginx_image_tag: 1.28.2-alpine
 haproxy_image_repo: "{{ docker_image_repo }}/library/haproxy"
-haproxy_image_tag: 3.2.4-alpine
+haproxy_image_tag: 3.2.13-alpine
 
 # Coredns version should be supported by corefile-migration (or at least work with)
 # bundle with kubeadm; if not 'basic' upgrade can sometimes fail
@@ -380,24 +373,6 @@ node_feature_discovery_image_repo: "{{ kube_image_repo }}/nfd/node-feature-disco
 node_feature_discovery_image_tag: "v{{ node_feature_discovery_version }}"
 
 downloads:
-  netcheck_server:
-    enabled: "{{ deploy_netchecker }}"
-    container: true
-    repo: "{{ netcheck_server_image_repo }}"
-    tag: "{{ netcheck_server_image_tag }}"
-    checksum: "{{ netcheck_server_digest_checksum | default(None) }}"
-    groups:
-      - k8s_cluster
-
-  netcheck_agent:
-    enabled: "{{ deploy_netchecker }}"
-    container: true
-    repo: "{{ netcheck_agent_image_repo }}"
-    tag: "{{ netcheck_agent_image_tag }}"
-    checksum: "{{ netcheck_agent_digest_checksum | default(None) }}"
-    groups:
-      - k8s_cluster
-
   etcd:
     container: "{{ etcd_deployment_type != 'host' }}"
     file: "{{ etcd_deployment_type == 'host' }}"

roles/kubespray_defaults/defaults/main/main.yml

@@ -33,10 +33,6 @@ kube_version_min_required: "{{ (kubelet_checksums['amd64'] | dict2items)[-1].key
 ## Kube Proxy mode One of ['ipvs', 'iptables', 'nftables']
 kube_proxy_mode: ipvs
 
-# Kubeadm config api version
-# If kube_version is v1.31 or higher, it will be v1beta4, otherwise it will be v1beta3.
-kubeadm_config_api_version: "{{ 'v1beta4' if kube_version is version('1.31.0', '>=') else 'v1beta3' }}"
-
 # Debugging option for the kubeadm config validate command
 # Set to false only for development and testing scenarios where validation is expected to fail (pre-release Kubernetes versions, etc.)
 kubeadm_config_validate_enabled: true
@@ -152,8 +148,6 @@ manual_dns_server: ""
 
 # Can be host_resolvconf, docker_dns or none
 resolvconf_mode: host_resolvconf
-# Deploy netchecker app to verify DNS resolve as an HTTP service
-deploy_netchecker: false
 # Ip address of the kubernetes DNS service (called skydns for historical reasons)
 skydns_server: "{{ kube_service_subnets.split(',') | first | ansible.utils.ipaddr('net') | ansible.utils.ipaddr(3) | ansible.utils.ipaddr('address') }}"
 skydns_server_secondary: "{{ kube_service_subnets.split(',') | first | ansible.utils.ipaddr('net') | ansible.utils.ipaddr(4) | ansible.utils.ipaddr('address') }}"

roles/kubespray_defaults/vars/main/checksums.yml

@@ -14,13 +14,16 @@ crictl_checksums:
     1.33.0: sha256:4224acfef4d1deba2ba456b7d93fa98feb0a96063ef66024375294f1de2b064f
 crio_archive_checksums:
   arm64:
+    1.35.1: sha256:15fe5c7b87c985a3a78324227b920a01f3309fd1aa5eadfaa38fd48a4dd96d17
     1.35.0: sha256:e57175a4d00387b78adfbe248d087d8127bed625afb529e34b2c90d08cfdaf87
+    1.34.6: sha256:ac189974bcc1cb6829e7b61a39bc3f34fc27a32e5c9d2628bdfc74f88edb6988
     1.34.5: sha256:999a5dc2dc9854222aeff8a20897e0b34f0ba02c9b260b611d66c62e00e279e0
     1.34.4: sha256:d176f6256d606a3fc279f9f2994ef4a4c4cbaaa0601f4d1bba1a19bec5674ce9
     1.34.3: sha256:314595247054b53767a736e24bc3030a5f7c17552944c62b2e190c9e95fe4ca6
     1.34.2: sha256:ac7530f7fc9d531a87bfdfcae9cf8bf81a8bbdb75e63a046ed96911aa7b68ebd
     1.34.1: sha256:41a71cab6a61ae429ec447d572fd1cdea0a7e33d62aaa58c3b07467665b50b9f
     1.34.0: sha256:3006658270477c5fb1e88e9124e40982d2ba7b34495fcc12f0fecd33bbab9a5a
+    1.33.10: sha256:1fb33599cccf590594b3a29ca1e3f45140bd25bdb836154dbcbd5eb3c4d21ace
     1.33.9: sha256:bfcd534db3d1a9380dd7007d623e1eb3250ba64f7c4657e79e9e99b1d874f8f1
     1.33.8: sha256:59c91726535dcadd0372df0c6aa8595e4d59590994b598b2d97ea2510b216359
     1.33.7: sha256:af3ea22d3d6944c9a907c6c13d77e9fc4dbcf3972ffbde18dd6f37f1c2ffbd0d
@@ -32,13 +35,16 @@ crio_archive_checksums:
     1.33.1: sha256:6bf135db438937f0ab7a533af64564a0fb1d2079a43723ce9255ecbf9556ae05
     1.33.0: sha256:8a0dbee2879495d5b33e6fdeac32e5d86c356897bdcf3a94cd602851620ce8b5
   amd64:
+    1.35.1: sha256:cd819546f01ae9dddd4a85b82f220518b37596053555a85e4b4a3d200a6e9354
     1.35.0: sha256:55b6d3e9fc9a5864ab5cdf0b24d54b1dcbaf6d4919274b3b9eb37bfc4b0b8cb5
+    1.34.6: sha256:9f17d9a7dc8d8c4fc16eccca65fe5db8177392f26156335dc6318a14215a5cd1
     1.34.5: sha256:d6606fb6d686b8f814dfec801f0f3cf2ded974c194fa90facefda36075b6fab2
     1.34.4: sha256:f6348a781c34b433fe1c5150da3408e51e828b610eacbe734405e9c31136d810
     1.34.3: sha256:e269914f3bc4f36ac87cd593d74daaa43c390571994062180019248be32cc6f7
     1.34.2: sha256:3a0012938ed389e9270a208bb73b250062d5f1be5798472b1728403d55ddc1da
     1.34.1: sha256:22c1e4d68d9339aa58a1b0f1b40a8944102934a7505105abe461dc8a7e3de540
     1.34.0: sha256:5a8bc5c3b8072cb9bde1cf025d5597f75bf21018712c5b72d5cb0657948595c8
+    1.33.10: sha256:1fcf2f23ef874b3df04957f15789fc14eeb34020550fe4307c9fc81fc0490acd
     1.33.9: sha256:81c20a12866d9a7c08c6e381ed326141c917454b696a05b46ae27665fe3c5cfa
     1.33.8: sha256:537adda39074377893f1f650a71b576ba487b3c4d2ee55e9b22f4e95fc188594
     1.33.7: sha256:e2999436a272c77370241a4f962c80737698dd8c2400fe75e5c7cf2142c96001
@@ -50,13 +56,16 @@ crio_archive_checksums:
     1.33.1: sha256:036063194028d24c75b9ce080e475ad97bacc955de796b7c895845294db8edbf
     1.33.0: sha256:dad0cec9e09368b37b35ce824b0ef517a1b33365c4bb164fe82310c73c886f7e
   ppc64le:
+    1.35.1: sha256:b4a23e9f70297f01da2840f94b82adf2ac67a4017e1d93f0c20526637df282ca
     1.35.0: sha256:081ab73a6970ac3c68893dea9a03b0732ca22ab44a2aa8794fddac0bd4dfa749
+    1.34.6: sha256:395a475c0181a0c82e89e6dd8e258c6c0529f889a7fc9d0a54da3218b76f58f4
     1.34.5: sha256:3a10d4c1406df01bd9ab88750eabc1273964e9c5f24c7d4a0b719ae77e6cfec2
     1.34.4: sha256:dca59a28fe9b0b9163418eca1545c9ed01cf514179f108d14e462c6074fd103c
     1.34.3: sha256:4dd782484eeb460b9a95e6e2e07474216fc02ad45a27ba871799d18f2b6ee0ae
     1.34.2: sha256:d4c3c9ba24b1b0eabf3c11ddec98801dda7a87b0529706e9ede18b8cc9e4182a
     1.34.1: sha256:cba0ac74e7202fe28cf8aa895b83f7a30d78b148666add78e19215259f629bb0
     1.34.0: sha256:e9e41d14439db0ca88cf2cd8533038203f379c25cd612f37635c17908e050ebf
+    1.33.10: sha256:da8933e5b90be44e818f2a3d165957897adac3570f42f73131d91edab0201ad5
     1.33.9: sha256:c0a9e60800f66f85c70615128fec5a8358ffde0f715a4058163707dbcca8eb94
     1.33.8: sha256:1d69c01512e8ebdd51fc70fc64473a31d492e8db095c0ee5d3ee58722048150c
     1.33.7: sha256:076e7519bfff72a43fb1121ce836eee3cc1fec5bb5a59a11747c514e9d162d26
@@ -69,13 +78,16 @@ crio_archive_checksums:
     1.33.0: sha256:b4fa46b25538d8145197f8bf2e935486392c0ca2a9fa609aedd02b9f106d37a6
 kubelet_checksums:
   arm64:
+    1.35.2: sha256:eaf11f9c20c385624775671662e127b083c9b5d0b451fd613f9468e09ca5656c
     1.35.1: sha256:73475c6db8fd8a9780b1b378fa2f917875e6146166c24603c1abc6eafd4493a8
     1.35.0: sha256:aa658d077348b43d238f50966a583f4244b2a7d45590c77b3b165b7d44983ab8
+    1.34.5: sha256:a4cd54fa5af5ed6b4ed14cf172d30f53fd1f197d7d3f43af733b54b19cc87ac5
     1.34.4: sha256:c78845473c434ee85a2444eeab87f8b20f524e3ab6854a078f79468f44aad8f5
     1.34.3: sha256:765b740e3ad9c590852652a2623424ec60e2dddce2c6280d7f042f56c8c98619
     1.34.2: sha256:3e31b1bee9ab32264a67af8a19679777cd372b1c3a04b5d7621289cf137b357c
     1.34.1: sha256:6a66bc08d6c637fcea50c19063cf49e708fde1630a7f1d4ceca069a45a87e6f1
     1.34.0: sha256:e45a7795391cd62ee226666039153832d3096c0f892266cd968936e18b2b40b0
+    1.33.9: sha256:c5719223cf378ac6bdd6a7ed79a75ba428bdc4468da70e641b2d4f73f70de6e0
     1.33.8: sha256:e835f15be6d8b7b27b963a46c4a054f7663c26741f17e003bfcb8271350cf882
     1.33.7: sha256:3035c44e0d429946d6b4b66c593d371cf5bbbfc85df39d7e2a03c422e4fe404a
     1.33.6: sha256:7d8b7c63309cfe2da2331a1ae13cce070b9ba01e487099e7881a4281667c131d
@@ -86,13 +98,16 @@ kubelet_checksums:
     1.33.1: sha256:10540261c311ae005b9af514d83c02694e12614406a8524fd2d0bad75296f70d
     1.33.0: sha256:ae5a4fc6d733fc28ff198e2d80334e21fcb5c34e76b411c50fff9cb25accf05a
   amd64:
+    1.35.2: sha256:20887f461c0de96b0cb14c7af6b897f92d424ac078f8642f98e83ef52a0bf03e
     1.35.1: sha256:e7343310e03ff0d424df4397bdfa4468947d6d1f0f93dac586c1e8d6e4086d5d
     1.35.0: sha256:2f4ed7778681649b81244426c29c5d98df60ccabf83d561d69e61c1cbb943ddf
+    1.34.5: sha256:660c7da5cca02dcd83ba21bb3df95a8983bb1c0169af396a8cc234a6d6e7297f
     1.34.4: sha256:03b8fea715a7ef82eeaf518dee34c72670c57cc7bc40dc1320c04fbf4f15172f
     1.34.3: sha256:0e759f40bbc717c05227ae3994b77786f58f59ffa0137a34958c6b26fa5bcbbd
     1.34.2: sha256:9c5e717b774ee9b9285ce47e7d2150c29e84837eb19a7eaa24b60b1543c9d58f
     1.34.1: sha256:5a72c596c253ea0b0e5bcc6f29903fd41d1d542a7cadf3700c165a2a041a8d82
     1.34.0: sha256:5c0d28cea2a3a5c91861dda088a29d56c1b027e184dae1d792686f0710750076
+    1.33.9: sha256:d0cec9b15e1ba1b4e3595754aa2d5200d1c8c704892ac07afe5b04b44bdf288c
     1.33.8: sha256:1caa69c5328cfa774218f75f0621a6f10a1b97e095af85015f468aeb8fdf956a
     1.33.7: sha256:2cea40c8c6929330e799f8fc73233a4b61e63f208739669865e2a23a39c3a007
     1.33.6: sha256:10cd08fe1f9169fd7520123bcdfff87e37b8a4e21c39481faa382f00355b6973
@@ -103,13 +118,16 @@ kubelet_checksums:
     1.33.1: sha256:f7224648451dd4f9f2c4f79416f9874223c286ce41727788965fd0341ddb59c4
     1.33.0: sha256:dd416d94850c342226d3dcdce838518b040ccea16548bfeaf2595934af88ef60
   ppc64le:
+    1.35.2: sha256:6516f318a3711e83c0b3b8b069514a87c7dfeda931082c1b561043a7c54e312e
     1.35.1: sha256:ec8b7f870043f711b5d73e528342af1705d6ad7f8308d7f31d74d967986b54f6
     1.35.0: sha256:f24eb1244878a3876fe180e6052822cc9998033850478b2f4776e5c3b09baecd
+    1.34.5: sha256:625858ed19559873af61728a50cc250419432ecaa2c8062f78e86e41df358f3c
     1.34.4: sha256:fab75e3eb1e0edf15aef7e8ba219256b44f047544ac421737d1778784fa46676
     1.34.3: sha256:67dcceb6d91710e4da7af720eda7b20fd4e8c24237fc345602bb54439ad8ccca
     1.34.2: sha256:a195f278b9bac26803f1e26b0f608e0dce66aad033e8c043e8555775612530c9
     1.34.1: sha256:c4782dbf1987680e9b2baa3ecf5db9e66395772e82b251eb73a150fbfbe0b906
     1.34.0: sha256:ed663fa4ff3e305276dd889885303e07989dfab073e95ef2da931b975f6686e8
+    1.33.9: sha256:2afd4985fa8ef88bbc8e40691b83ad44ccf8ae2e57a17297921f922b4aa6f438
     1.33.8: sha256:392ed39b6c037bc5c510412c9b5cfd29238d31dd67d1a3cbae7ef4a274304c63
     1.33.7: sha256:f96dd4272ca8eccf1f93fb5162323840b9286c5a42a5305fcc1b4d47889534d3
     1.33.6: sha256:00ae91297503518efd237d40900af4de0067597ae4f2ab8250ddb629ffb6df05
@@ -121,13 +139,16 @@ kubelet_checksums:
     1.33.0: sha256:6fa5abbc14d65b943b00fcfc8a6ac7eb39fd7e924271738c6f17e0b7e74c665b
 kubectl_checksums:
   arm:
+    1.35.2: sha256:02b6affb0da9837b88354e44a7a188cbe2ad522060c880c70eacd33f19944c35
     1.35.1: sha256:dbe14e5b12184d72978b17b167aedc3f42f4a1faf249180025d6359eebcd983e
     1.35.0: sha256:dca28f6af03b31ca6043baa1da7332472c7a3df743606a758534b9ac3ed7ecce
+    1.34.5: sha256:a042713dd3911a46c2118d2df3967cfcee0e3cdf4e78865e1d427a67cf58e7ba
     1.34.4: sha256:3a6e631bdbb79e633d23055dadc97b45f45d325105ddf40e696de2a324a254c0
     1.34.3: sha256:e0cf1eddede6abfd539e30ccbb4e50f65b2d6ff44b3bb9d9107ea8775a90a7e4
     1.34.2: sha256:18e03c1c6ab1dbff6d2a648bf944213f627369d1daeea5b43a7890181ab33abf
     1.34.1: sha256:ca6218ae8bf366bd8ccdcb440b756c67422a4e04936163845f74d8c056e786ee
     1.34.0: sha256:69d2ce88274caf9d9117b359cc27656fb6f9dd6517c266cfd93c6513043968b8
+    1.33.9: sha256:d6b8a351fb5f1409e2c50c52452884eca09e56cabdaae03cfaa40467661d3ecc
     1.33.8: sha256:734dea07663751c8b45926c843e2c250f13473d65f396555a1ecfe0c9c502fa8
     1.33.7: sha256:f6b9ac99f4efb406c5184d0a51d9ed896690c80155387007291309cbb8cdd847
     1.33.6: sha256:89bcef827ac8662781740d092cff410744c0653d828b68cc14051294fcd717e6
@@ -138,13 +159,16 @@ kubectl_checksums:
     1.33.1: sha256:6b1cd6e2bf05c6adaa76b952f9c4ea775f5255913974ccdb12145175d4809e93
     1.33.0: sha256:bbb4b4906d483f62b0fc3a0aea3ddac942820984679ad11635b81ee881d69ab3
   arm64:
+    1.35.2: sha256:cd859449f54ad2cb05b491c490c13bb836cdd0886ae013c0aed3dd67ff747467
     1.35.1: sha256:706256e21a4e9192ee62d1a007ac0bfcff2b0b26e92cc7baad487a6a5d08ff82
     1.35.0: sha256:58f82f9fe796c375c5c4b8439850b0f3f4d401a52434052f2df46035a8789e25
+    1.34.5: sha256:2d433b53b99ea532f877df6fa5044286e3950d4933967ac3d99262760bc649fd
     1.34.4: sha256:5b982c0644ab1e27780246b9085a5886651b4a7ed86243acbb2bacc1bea01dda
     1.34.3: sha256:46913a7aa0327f6cc2e1cc2775d53c4a2af5e52f7fd8dacbfbfd098e757f19e9
     1.34.2: sha256:95df604e914941f3172a93fa8feeb1a1a50f4011dfbe0c01e01b660afc8f9b85
     1.34.1: sha256:420e6110e3ba7ee5a3927b5af868d18df17aae36b720529ffa4e9e945aa95450
     1.34.0: sha256:00b182d103a8a73da7a4d11e7526d0543dcf352f06cc63a1fde25ce9243f49a0
+    1.33.9: sha256:af4dc943a6f447ecb070340efe63c7f8ee2808e6c0bc42126efe7cde0cc1e69b
     1.33.8: sha256:76e284669f1f6343bd9fe2a011757809c8c01cf51da9f85ee6ef4eb93c8393a8
     1.33.7: sha256:fa7ee98fdb6fba92ae05b5e0cde0abd5972b2d9a4a084f7052a1fd0dce6bc1de
     1.33.6: sha256:3ab32d945a67a6000ba332bf16382fc3646271da6b7d751608b320819e5b8f38
@@ -155,13 +179,16 @@ kubectl_checksums:
     1.33.1: sha256:d595d1a26b7444e0beb122e25750ee4524e74414bbde070b672b423139295ce6
     1.33.0: sha256:48541d119455ac5bcc5043275ccda792371e0b112483aa0b29378439cf6322b9
   amd64:
+    1.35.2: sha256:924eb50779153f20cb668117d141440b95df2f325a64452d78dff9469145e277
     1.35.1: sha256:36e2f4ac66259232341dd7866952d64a958846470f6a9a6a813b9117bd965207
     1.35.0: sha256:a2e984a18a0c063279d692533031c1eff93a262afcc0afdc517375432d060989
+    1.34.5: sha256:6a17dd8387783b3144a65535e38d02c351027e9718ea34a6c360476cb26d28bb
     1.34.4: sha256:d50c359d95e0841eaad08ddc27c7be37cba8fdccfba5c8e2ded65e121ff112db
     1.34.3: sha256:ab60ca5f0fd60c1eb81b52909e67060e3ba0bd27e55a8ac147cbc2172ff14212
     1.34.2: sha256:9591f3d75e1581f3f7392e6ad119aab2f28ae7d6c6e083dc5d22469667f27253
     1.34.1: sha256:7721f265e18709862655affba5343e85e1980639395d5754473dafaadcaa69e3
     1.34.0: sha256:cfda68cba5848bc3b6c6135ae2f20ba2c78de20059f68789c090166d6abc3e2c
+    1.33.9: sha256:9e33e3234c0842cd44a12c13e334b4ce930145ea84b855ce7cc0a7b6bc670c22
     1.33.8: sha256:7f9c3faab7c9f9cc3f318d49eb88efc60eb3b3a7ce9eee5feb39b1280e108a29
     1.33.7: sha256:471d94e208a89be62eb776700fc8206cbef11116a8de2dc06fc0086b0015375b
     1.33.6: sha256:d25d9b63335c038333bed785e9c6c4b0e41d791a09cac5f3e8df9862c684afbe
@@ -172,13 +199,16 @@ kubectl_checksums:
     1.33.1: sha256:5de4e9f2266738fd112b721265a0c1cd7f4e5208b670f811861f699474a100a3
     1.33.0: sha256:9efe8d3facb23e1618cba36fb1c4e15ac9dc3ed5a2c2e18109e4a66b2bac12dc
   ppc64le:
+    1.35.2: sha256:2101400af7fb53d326cee8d3411c9348e0735ac85d7059cd61514632181b8810
     1.35.1: sha256:bced44e491ce52cce11e2b4bd4bd9181f4f963ffe868438778d028d56485c5d9
     1.35.0: sha256:8989809d0ac771244dabe50ed742249ac60eeb6d385cd234ee151eb40b7c32c4
+    1.34.5: sha256:22e5813388d20881c2225c86420cd2ff69ed7fc5e953842bb041d4842c38d7f7
     1.34.4: sha256:b083c39879483816f34d1f7e2e31e70ec48984fcc1753c79f4b846cfedbf41ac
     1.34.3: sha256:ae239b7f6f071e47014e1b5b20aa60626e06b32922a6b5054562ae2c5fa82c18
     1.34.2: sha256:49a985986a9add6c229c628bf2a83addebbdeeef40469fce2a54e51b6f1bb05b
     1.34.1: sha256:45499f0728b4a3428400db289edb444609d41787061f09b66f18028c0a73652f
     1.34.0: sha256:1773805a0c128f4d267b2e11f4c74cac287e9a07fffaecc3f7af6df9c8aaf82c
+    1.33.9: sha256:0641f8f8a6153c13dc3ab90a86e242d095a218d30e13cf42c41000e9a7ccc9c3
     1.33.8: sha256:aa079f403c80ba6017449c230733fed4e5d7b0a8700bd6590ee202161b8b12af
     1.33.7: sha256:0807c38a1342ab8dea6435f33d5897a01527d348a968a5c4ca2929769f3d54f2
     1.33.6: sha256:4b056b1749c619fab6a855247c3bd04123f2b61cf136ca6bddf69ff97a727e32
@@ -190,13 +220,16 @@ kubectl_checksums:
     1.33.0: sha256:580d076c891711ec37afaf5994f72a8aad9d45c25413e6e94648e988a5a9933a
 kubeadm_checksums:
   arm64:
+    1.35.2: sha256:b540b734e9eaeb134e2cb7c7803dc62160589ac3b2615d717ce41acb22bbec98
     1.35.1: sha256:80097a3c4ef824f4edfe131d2bd429772c4be3a460c42a44f2320164a917de32
     1.35.0: sha256:1dac7dc2c6a56548bbc6bf8a7ecf4734f2e733fb336d7293d84541ebe52d0e50
+    1.34.5: sha256:cc8a59c0f04a1d7389790dc872b1c714e4cf4d3ba0c38ca2f4ca1388fb38b774
     1.34.4: sha256:d8028b7e8c8d6c9b3fc3da6bc88d4d0cfb33df1b4b026a7d6e8c35d1471c9f6e
     1.34.3: sha256:697cf3aa54f1a5740b883a3b18a5d051b4032fd68ba89af626781a43ec9bccc3
     1.34.2: sha256:065f7de266c59831676cc48b50f404fd18d1f6464502d53980957158e4cab3a7
     1.34.1: sha256:b0dc5cf091373caf87d069dc3678e661464837e4f10156f1436bd35a9a7db06b
     1.34.0: sha256:6b7108016bb2b74132f7494e200501d6522682c01759db91892051a052079c77
+    1.33.9: sha256:d57594c581998d011b7c3ec77fde8b5a2d9e37885f21b749b423087715dc4511
     1.33.8: sha256:b5248b51e66e4716261f2c926fe2f08a293795e6863099e7792b4d57dbb9109e
     1.33.7: sha256:b24eeeff288f9565e11a2527e5aed42c21386596110537adb805a5a2a7b3e9ce
     1.33.6: sha256:ef80c198ca15a0850660323655ebf5c32cc4ab00da7a5a59efe95e4bcf8503ab
@@ -207,13 +240,16 @@ kubeadm_checksums:
     1.33.1: sha256:5b3e3a1e18d43522fdee0e15be13a42cee316e07ddcf47ef718104836edebb3e
     1.33.0: sha256:746c0ee45f4d32ec5046fb10d4354f145ba1ff0c997f9712d46036650ad26340
   amd64:
+    1.35.2: sha256:a51cb85c70c98ec6868fd3413ac786af5fab4ce51438963752ec5f58e68e5452
     1.35.1: sha256:8a7ff344eef1bfba88f9a74b3fdc9ea4448c94f1b3cefb8c0aeeaf1f96e05053
     1.35.0: sha256:729e7fb34e4f1bfcf2bdaf2a14891ed64bd18c47aaab42f8cc5030875276cfed
+    1.34.5: sha256:e381f7f5c41f2a6916432177d95c1ee95d5539f790bbeacafe9ef61dc68e8e35
     1.34.4: sha256:b967f1fa0e36621c402d38bb560eb4a943954d5cf5a00e5150842f6f5da73455
     1.34.3: sha256:f9ce265434d306e59d800b26f3049b8430ba71f815947f4bacdcdc33359417fb
     1.34.2: sha256:6a2346006132f6e1ed0b5248e518098cf5abbce25bf11b8926fb1073091b83f4
     1.34.1: sha256:20654fd7c5155057af5c30b86c52c9ba169db6229eee6ac7abab4309df4172e7
     1.34.0: sha256:aecc23726768d1753fd417f6e7395cb1a350373295e8e9d9f80e95ed3618e38e
+    1.33.9: sha256:9732cc2383e73f64275326e02a5595c792a94ee0ebf84cea37a32fcbf926e6e5
     1.33.8: sha256:8259af514dc3655e8abec1a69b637f31cce2ecb940a80ae4a268e5287890f009
     1.33.7: sha256:c10813d54f58ef33bbe6675f3d39c8bd401867743ebc729afdd043265040c31d
     1.33.6: sha256:c1b84cb3482dd79e26629012f432541ccb505c17f5073aa1fdbca26b1e4909fd
@@ -224,13 +260,16 @@ kubeadm_checksums:
     1.33.1: sha256:9a481b0a5f1cee1e071bc9a0867ca0aad5524408c2580596c00767ba1a7df0bd
     1.33.0: sha256:5a65cfec0648cabec124c41be8c61040baf2ba27a99f047db9ca08cac9344987
   ppc64le:
+    1.35.2: sha256:8a3800d88070679a09d2c5cd5dd479d70539dce84415623e876cbaf366d94043
     1.35.1: sha256:eec12948cfabc18115636c44aca894bf9abef3b2ea73cba180314ee3c218dcca
     1.35.0: sha256:77a466e1b6a8e28362a729541269de0a7c4a6b9e7770cccefcd745502e656b90
+    1.34.5: sha256:5e5d7dba56b5bb663e70a5d7962b0f6d4328d9b9a8ee77ddbb2e9760265ff61d
     1.34.4: sha256:69f1065e718ef2aa5f0287444ef97bd4a5fb8841fc0662f54ca8992a39865391
     1.34.3: sha256:2b8b48b3b0eb657e04122a158cb7fcad964fba5bd2d8e07f8eeec6f856a63ecf
     1.34.2: sha256:bea4ed6d971523da794a802de15910b08c09e23bc4c850ee3b953c4bdb0b7976
     1.34.1: sha256:ddb6bd80bee0719924ae901672b99205226badab74fb13a9e1bb6d3de49fbb21
     1.34.0: sha256:7201ba36f44187f408a036c4a545e2a3cd12943b1297092687bb66c9a1a9fed6
+    1.33.9: sha256:b644b9947f3b79d0ff4c19389cf23f436bb5d6f23166ed3b4e0aee09775b3065
     1.33.8: sha256:d618fa97b5782b57512e0a8ab9ed17af190236907af7bd3c9c0776d81c78273f
     1.33.7: sha256:db2e20d0c20928ae7d68d7603020f8ffd89dcdac4fdc160ef83f1da663868bed
     1.33.6: sha256:58aaec7b5066b6e3705e0493a2f51c7f101b17165ce714c4d52a2b53861c078b
@@ -623,6 +662,7 @@ cri_dockerd_archive_checksums:
     0.3.5: sha256:30d47bd89998526d51a8518f9e8ef10baed408ab273879ee0e30350702092938
 runc_checksums:
   arm64:
+    1.3.5: sha256:bd843d75a788e612c9df286b1fa519a44fcbb7a7b8d01e2268431433cc7c718c
     1.3.4: sha256:d6dcab36d1b6af1b72c7f0662e5fcf446a291271ba6006532b95c4144e19d428
     1.3.3: sha256:3c9a8e9e6dafd00db61f4611692447ebab4a56388bae4f82192aed67b66df712
     1.3.2: sha256:06fbccb4528ecd490f3f333d6dcf22c876bd72a024813a0c0a46312121f4c5fd
@@ -647,6 +687,7 @@ runc_checksums:
     1.1.9: sha256:b43e9f561e85906f469eef5a7b7992fc586f750f44a0e011da4467e7008c33a0
     1.1.8: sha256:7c22cb618116d1d5216d79e076349f93a672253d564b19928a099c20e4acd658
   amd64:
+    1.3.5: sha256:66fa8390be8fb3b23dfbb60c767368bb5b51f1acfa88692bbff1a82953d4d9e9
     1.3.4: sha256:5966ca40b6187b30e33bfc299c5f1fe72e8c1aa01cf3fefdadf391668f47f103
     1.3.3: sha256:8781ab9f71c12f314d21c8e85f13ca1a82d90cf475aa5131a7b543fcc5487543
     1.3.2: sha256:e7a8e30bd6d248f494aae9163521ff4eb112a30602ac56ada0871e3531269c2d
@@ -671,6 +712,7 @@ runc_checksums:
     1.1.9: sha256:b9bfdd4cb27cddbb6172a442df165a80bfc0538a676fbca1a6a6c8f4c6933b43
     1.1.8: sha256:1d05ed79854efc707841dfc7afbf3b86546fc1d0b3a204435ca921c14af8385b
   ppc64le:
+    1.3.5: sha256:62e8f062291c2b2b29bd8ab8c983cef56409063287e256c50ab54fb54f5d98a7
     1.3.4: sha256:268d9be1188f3efa82cad0d8e6b938d8da0d741427660d874ca9386c68d72937
     1.3.3: sha256:c42394e7cf7cd508a91b090b72d57ff4df262effde742d5e29ea607e65f38b43
     1.3.2: sha256:9373062bc547b5afe44fb0122a12aaa980763969d4b69dd17134a6a292838ce5
@@ -741,6 +783,10 @@ kata_containers_binary_checksums:
     3.5.0: sha256:fa4cf67d010244c4f8d0e6d450d04e28d1bbce5ad1a3cbc0154adff628d56c0c
 gvisor_runsc_binary_checksums:
   arm64:
+    '20260309.0': sha512:85d37e7a0b249706f1b3b0ec5d84cc38f4dd53a4e490395f489eb406194529233631405be8bcd1648126db3fc0221a8a1b599743eca2b183b2a35ef3aca638fa
+    '20260302.0': sha512:1f5a81cd6080252d4bee22e0828ed796b438bc768b0845015457944ca659b37fa5a2c22acdf655963b1a27855d5bb2263887463238eaf930efb55b0e4ca801ed
+    '20260223.0': sha512:b3077dc8da3142b117829955ea8ecca7f75fda22f8bd59323a62ba34c6b836f62edea0b10ce0b745d3cd001814cd215175a3bd51d90abc07556bafe600683056
+    '20260216.0': sha512:e5e46739fe6eb26477f57224dc66152ac259706b1d76512391eab6cfc70ff235f5d0a506d54d685520534b76576f2837c1f909bbf33b19dbe2e6186010a58c0e
     '20260209.1': sha512:e95170b4f70688d014c795ffa9b3d583753f865edfd8afb4e2969490869bdb46b60672f641741f788e2ffee8f29751a017e9a68b98c1e44f5194da9a64b0ff28
     '20260202.0': sha512:5fbb9c68efdf3a404217fb57be55051b4b5f8b83ca631101204615b87ff5b6ea8680cd6599e434f1d87fecb9071367b65e90cd8ad5df3f0b9f0101796ecc8c43
     '20260126.0': sha512:c1b42f5789c09a68eb006964048448c058776440477fac83c7fd9cef879cec40878fb2f5f2450315ca0e7f568889f0b52c842b84929784a57023961f6eb77d04
@@ -773,6 +819,10 @@ gvisor_runsc_binary_checksums:
     '20250414.0': sha512:d1ba68b20057622e58e886f472e021a473222590c936a86951005d7b97366b446ef0342b91457ffc0d7e543d54c9c06a363f2883bdd6c594799c4ca1091dabd5
     '20250407.0': sha512:cb590f72b0fbda45e89a2300e9247f12ff295a8c52653c8cf815c662d3fbbc774f9b915cdd4fad59e30694d8cc8737fe2a1a8186ab5136f7701bd6e6877a1662
   amd64:
+    '20260309.0': sha512:2f2d5092d53cae40c53006dead1c5b75552f7c901b9f15bd63b967d2444b59953647c029548ee3950adac0de82be6411a7bf199b3aa7a1dfaab59a51509e4768
+    '20260302.0': sha512:67c0125cc0e3b2633c2557ab0d76f1f15f9fe7b47db77b5a0c4d1e025b184c3f10803b88109948378995cf72068a5d486b05bac8f7a69ca77bf38460ae43ccdc
+    '20260223.0': sha512:9ec46dca073545187cc6640350b728d5eb358740919236915f7f1619fdeb1ed14815dd4b117156ea2c6b00a9cf97024902dd6ee9b2b6be0693f1e930c59f40c2
+    '20260216.0': sha512:f9a0c0094e5fdddffabfa1f0f5d6d3e048a320f85c17686f8697df66f6472d594ab11a290348e97f9a78b614aeb3ab814dc60a8f4ecaa73b1bec49b5b33e8f76
     '20260209.1': sha512:1e0e42f7d3f4b3eded4e96be5af4dcdbecc9bca7ce40f5b9fa191210690397d71771c7c0e0835c32221261b004250fe513a9265447e62d9bf92fb6a5f7276a68
     '20260202.0': sha512:f7bb9cc5e3f5e36a6788f959361415f6d7f7cd0225b8b4d99728da4b1ac7e5c7ce9c72b4c61e424ba93db77c983109d56b54907a3b2e2b982b34058410611023
     '20260126.0': sha512:cce974fa832c50d26c6ccc08ce50b4972921cd0818ebe8007587211d360cbc828ceea4ec8296703200afa208b679437d24f27a6dca31887b3c0fc6ee8be5eb05
@@ -806,6 +856,10 @@ gvisor_runsc_binary_checksums:
     '20250407.0': sha512:097259d6d93548bf669e21cfec5ba6a47081e43f61d22c5d8a8a4c0c209c81ac9c4454162b826f98cec49e047bbdc29c270113ab6db5519ef3e6a90f302fa47b
 gvisor_containerd_shim_binary_checksums:
   arm64:
+    '20260309.0': sha512:43ffb3accd1b4e3d12319824917b3defd268190b1efcdce76bdaea862e7784c598dbd1dd4a3565d12db01452a02609fd1d0b68d9e29c4d26cac5dfde1329a8cb
+    '20260302.0': sha512:9bdc7ed0fe570223e6a60368d75e19dd2b211d1b4f84cfbc3d466b0be8b028ba75f49bd9b97e2836ab30140ef2910aec81bebdc444ae9e83805236e5e165b0a9
+    '20260223.0': sha512:9bdc7ed0fe570223e6a60368d75e19dd2b211d1b4f84cfbc3d466b0be8b028ba75f49bd9b97e2836ab30140ef2910aec81bebdc444ae9e83805236e5e165b0a9
+    '20260216.0': sha512:74474c2302ff5623ab55057b9f552edd81f8e41f2b8e702e6236e1c2c56295f6beabd9ff6eb788cf23a42c18fc6c2a328a2af70ac4ebc04fbc586eb9cd0616e3
     '20260209.1': sha512:714ad3a53a28aa4acd891553d848278f5a873d0a1733836382eaf2bf701d62ece9cef324390602d2676af5e2e3a3d329486d2b18803c9cef5685220764757eb4
     '20260202.0': sha512:714ad3a53a28aa4acd891553d848278f5a873d0a1733836382eaf2bf701d62ece9cef324390602d2676af5e2e3a3d329486d2b18803c9cef5685220764757eb4
     '20260126.0': sha512:84abf41b68ba450ed2cbbdf544e7d347d30f6fd577572e2e58f2fa8e038689f557953148287e26c8f4ee5040c1e928670f113bebca6d81ed7ce014ec4e0ad256
@@ -838,6 +892,10 @@ gvisor_containerd_shim_binary_checksums:
     '20250414.0': sha512:33b9c67bc7b73ca49154aff48da52029414a707b6a3a25eb4f71e861a94dec8fce220e63a162841670ddd4876f45b0e39abdf9f8c3235019c89f209684d3007d
     '20250407.0': sha512:1c3838e10c905af0cb52697712bf6bd76b94c9e9d3d07a7643cd43dc2f8dab03b4ed4693c117e555e07a158e04ee583b6b1f1cf2fb9705244ffa5fdc4af67248
   amd64:
+    '20260309.0': sha512:f5708fd1fdad4da12f440780c2c09ca6f2ca7cb47089e24e536851388bae54228927a462d61c584c3adf3426f03addea9f08e390be39c744cac008a84e7559e9
+    '20260302.0': sha512:7b0cbc9130b4f2fdffe45d0f811070a868bbcdafc9cc30264108ee35fa17ee3a54f1a1c7775619c6afa4b7fc623bd4acf0e80f4fb40fbc7f1f58a1cceb8a9f83
+    '20260223.0': sha512:7b0cbc9130b4f2fdffe45d0f811070a868bbcdafc9cc30264108ee35fa17ee3a54f1a1c7775619c6afa4b7fc623bd4acf0e80f4fb40fbc7f1f58a1cceb8a9f83
+    '20260216.0': sha512:f42c07dc741d52720ee531cd8928386ecb9a7605ccb4bd0805a8c3396213e05cd10572936dccc77049e6b4b8094cbdaf02752291047c852e7a48608d35832d58
     '20260209.1': sha512:bd21b80502be25484d8b43168c88d66b6f3e853c78c0ae5b5206c5625e2a365e98c8b3ba259453d18c01d1aa08fb7c8c1e7f122fdcd7ef806bfc2f44f5837b5e
     '20260202.0': sha512:bd21b80502be25484d8b43168c88d66b6f3e853c78c0ae5b5206c5625e2a365e98c8b3ba259453d18c01d1aa08fb7c8c1e7f122fdcd7ef806bfc2f44f5837b5e
     '20260126.0': sha512:51c3b4bc21cb5c3d4e3baf9f43e5fecd86c327abf0c84d492510f480cdfb38c90d43f3b0dbf1887ada8846d3806da79a73729acaedc570894ba6ed7cf9e083ed
@@ -964,6 +1022,7 @@ nerdctl_archive_checksums:
     1.7.0: sha256:e421ae655ff68461bad04b4a1a0ffe40c6f0fcfb0847d5730d66cd95a7fd10cd
 containerd_archive_checksums:
   arm64:
+    2.2.2: sha256:cb102473d6e353beb604178879d51cc456da0cdf368d9437d8d404ed01baf674
     2.2.1: sha256:dac15a0d412a24be8bfe6a40cec8f51829062725169f1e72ac7d120a891ef5b6
     2.2.0: sha256:8805c2123d3b7c7ee2030e9f8fc07a1167d8a3f871d6a7d7ec5d1deb0b51a4a7
     2.1.6: sha256:88d6e32348c36628c8500a630c6dd4b3cb8c680b1d18dc8d1d19041f67757c6e
@@ -1013,6 +1072,7 @@ containerd_archive_checksums:
     1.7.1: sha256:1f828dc063e3c24b0840b284c5635b5a11b1197d564c97f9e873b220bab2b41b
     1.7.0: sha256:e7e5be2d9c92e076f1e2e15c9f0a6e0609ddb75f7616999b843cba92d01e4da2
   amd64:
+    2.2.2: sha256:2c08c99cbde73b3388c6d5da68e0bcaebc70c9174f2b14d785695e4401b3ede0
     2.2.1: sha256:f5d8e90ecb6c1c7e33ecddf8cc268a93b9e5b54e0e850320d765511d76624f41
     2.2.0: sha256:b9626a94ab93b00bcbcbf13d98deef972c6fb064690e57940632df54ad39ee71
     2.1.6: sha256:4793dc5c1f34ebf8402990d0050f3c294aa3c794cd5a4baa403c1cf10602326d
@@ -1062,6 +1122,7 @@ containerd_archive_checksums:
     1.7.1: sha256:9504771bcb816d3b27fab37a6cf76928ee5e95a31eb41510a7d10ae726e01e85
     1.7.0: sha256:b068b05d58025dc9f2fc336674cac0e377a478930f29b48e068f97c783a423f0
   ppc64le:
+    2.2.2: sha256:8f7a8190f2a635cd0e5580a131408a275ba277f7a04edffba4a4005960093987
     2.2.1: sha256:3de0f215ea649952a9e99040cb3888d8059bd3d35b04edbe6afb916c763f9ea7
     2.2.0: sha256:e4ecd0b03200864e117371b25cce5335e39ce0b0a168a01d2ba6562a05020f0b
     2.1.6: sha256:aef2b639a14ae79f2bbe43356b25e84ecfb2c7f269c87f41e41585e724073e54
@@ -1112,6 +1173,7 @@ containerd_archive_checksums:
     1.7.0: sha256:051e897d3ee5b8c8097f65be447fea2d29226b583ca5d9ed78e9aebcf4e69889
 containerd_static_archive_checksums:
   arm64:
+    2.2.2: sha256:f22e03e12edd08dc49e139fec1fb0e0571950df0b6275577bbca718733acea9d
     2.2.1: sha256:6b3b011ee388638eace05ac3be0eb32dfb4a43086695c29d06e997febd336f2e
     2.2.0: sha256:5f2a7f451231ff35d8306f874c51606fc9da1e2db56048834a23260f68a78eef
     2.1.6: sha256:9da292010d36d80afa3bb48cbd15f65d3bf38177217060272a1c3fd65351cfa4
@@ -1161,6 +1223,7 @@ containerd_static_archive_checksums:
     1.7.1: sha256:f0435e7cda3c3abc40d3f27d403a8e24bd0b927a8a893a7e4dfaec5996fa9731
     1.7.0: sha256:6e648cd832f026e23eb6998191e618da7c1ec0c0373263d503ff464e0ae3977a
   amd64:
+    2.2.2: sha256:5db46232ce716f85bf1e71497a9038c87e63030574bf03f9d09557802188ad27
     2.2.1: sha256:af3e82bac6abed58d45956c653244aa2be583359a9753614278ef652012f2883
     2.2.0: sha256:2d20037947cbb0def12b8ac0c572b212284c1832bf3c921df1e58975515d1d08
     2.1.6: sha256:577900a5a8684c27e344aeeb1fc64e355745f58cba7f83c53649235ba25abbbf
@@ -1210,6 +1273,7 @@ containerd_static_archive_checksums:
     1.7.1: sha256:8b4e8ed8a650ea435aa71e115fa1a70701ab98bc1836b3ed33341af35bf85a3a
     1.7.0: sha256:64ad6428cc4aca486db3a6148682052955d1e3134b69f079edf686c21d123fcd
   ppc64le:
+    2.2.2: sha256:7e3d541c578fe06bcdb36ee58140e6e36dc97e784a9228e31c3ce99937cbad10
     2.2.1: sha256:fc9235be9a3dd3005e7fe6a9d7bb80e42dbfbff4b119cdce6ea3ee66bc7ae9ca
     2.2.0: sha256:d15a4edfe689ce71df8cc5a0c1837856f54aba8d7336170600e6592c2fbf3d8d
     2.1.6: sha256:c64312b87181d900452b5c3360a90578acd39ec7664d0c2e060183b24a708766

roles/network_facts/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# Additional string host to inject into NO_PROXY
+additional_no_proxy: ""
+additional_no_proxy_list: "{{ additional_no_proxy | split(',') }}"
+no_proxy_exclude_workers: false

roles/network_facts/tasks/main.yaml

@@ -1,41 +1,63 @@
 ---
-- name: Set facts variables
-  tags:
-    - always
-  block:
-    - name: Gather node IPs
-      setup:
-        gather_subset: '!all,!min,network'
-        filter: "ansible_default_ip*"
-      when: ansible_default_ipv4 is not defined or ansible_default_ipv6 is not defined
-      ignore_unreachable: true
+- name: Gather node IPs
+  setup:
+    gather_subset: '!all,!min,network'
+    filter: "ansible_default_ip*"
+  when: ansible_default_ipv4 is not defined or ansible_default_ipv6 is not defined
+  ignore_unreachable: true
 
-    - name: Set computed IPs varables
-      vars:
-        fallback_ip: "{{ ansible_default_ipv4.address | d('127.0.0.1') }}"
-        fallback_ip6: "{{ ansible_default_ipv6.address | d('::1') }}"
-        # Set 127.0.0.1 as fallback IP if we do not have host facts for host
-        # ansible_default_ipv4 isn't what you think.
-        _ipv4: "{{ ip | default(fallback_ip) }}"
-        _access_ipv4: "{{ access_ip | default(_ipv4) }}"
-        _ipv6: "{{ ip6 | default(fallback_ip6) }}"
-        _access_ipv6: "{{ access_ip6 | default(_ipv6) }}"
-        _access_ips:
-          - "{{ _access_ipv4 if ipv4_stack }}"
-          - "{{ _access_ipv6 if ipv6_stack }}"
-        _ips:
-          - "{{ _ipv4 if ipv4_stack }}"
-          - "{{ _ipv6 if ipv6_stack }}"
-      set_fact:
-        cacheable: true
-        main_access_ip: "{{ _access_ipv4 if ipv4_stack else _access_ipv6 }}"
-        main_ip: "{{ _ipv4 if ipv4_stack else _ipv6  }}"
-        # Mixed IPs - for dualstack
-        main_access_ips: "{{ _access_ips | select }}"
-        main_ips: "{{ _ips | select }}"
+- name: Set computed IPs variables
+  vars:
+    fallback_ip: "{{ ansible_default_ipv4.address | d('127.0.0.1') }}"
+    fallback_ip6: "{{ ansible_default_ipv6.address | d('::1') }}"
+    # Set 127.0.0.1 as fallback IP if we do not have host facts for host
+    # ansible_default_ipv4 isn't what you think.
+    _ipv4: "{{ ip | default(fallback_ip) }}"
+    _access_ipv4: "{{ access_ip | default(_ipv4) }}"
+    _ipv6: "{{ ip6 | default(fallback_ip6) }}"
+    _access_ipv6: "{{ access_ip6 | default(_ipv6) }}"
+    _access_ips:
+      - "{{ _access_ipv4 if ipv4_stack }}"
+      - "{{ _access_ipv6 if ipv6_stack }}"
+    _ips:
+      - "{{ _ipv4 if ipv4_stack }}"
+      - "{{ _ipv6 if ipv6_stack }}"
+  set_fact:
+    cacheable: true
+    main_access_ip: "{{ _access_ipv4 if ipv4_stack else _access_ipv6 }}"
+    main_ip: "{{ _ipv4 if ipv4_stack else _ipv6  }}"
+    # Mixed IPs - for dualstack
+    main_access_ips: "{{ _access_ips | select }}"
+    main_ips: "{{ _ips | select }}"
 
-    - name: Set no_proxy
-      import_tasks: no_proxy.yml
-      when:
-        - http_proxy is defined or https_proxy is defined
-        - no_proxy is not defined
+- name: Set no_proxy to all assigned cluster IPs and hostnames
+  when:
+    - http_proxy is defined or https_proxy is defined
+    - no_proxy is not defined
+  vars:
+    groups_with_no_proxy:
+      - kube_control_plane
+      - "{{ '' if no_proxy_exclude_workers else 'kube_node' }}" # TODO: exclude by a boolean in inventory rather than global variable
+      - etcd
+      - calico_rr
+    hosts_with_no_proxy: "{{ groups_with_no_proxy | select | map('extract', groups) | select('defined') | flatten }}"
+    _hostnames: "{{ (hosts_with_no_proxy +
+                      (hosts_with_no_proxy | map('extract', hostvars, morekeys=['ansible_hostname'])
+                      | select('defined')))
+                    | unique }}"
+    no_proxy_prepare:
+      - "{{ apiserver_loadbalancer_domain_name | d('') }}"
+      - "{{ loadbalancer_apiserver.address if loadbalancer_apiserver is defined else '' }}"
+      - "{{ hosts_with_no_proxy | map('extract', hostvars, morekeys=['main_access_ip']) }}"
+      - "{{ _hostnames }}"
+      - "{{ _hostnames | map('regex_replace', '$', '.' + dns_domain ) }}"
+      - "{{ additional_no_proxy_list }}"
+      - 127.0.0.1
+      - localhost
+      - "{{ kube_service_subnets }}"
+      - "{{ kube_pods_subnets }}"
+      - svc
+      - "svc.{{ dns_domain }}"
+  set_fact:
+    no_proxy: "{{ no_proxy_prepare | select | flatten | unique | join(',') }}"
+  run_once: true

roles/network_facts/tasks/no_proxy.yml

@@ -1,40 +0,0 @@
----
-- name: Set no_proxy to all assigned cluster IPs and hostnames
-  set_fact:
-    # noqa: jinja[spacing]
-    no_proxy_prepare: >-
-      {%- if loadbalancer_apiserver is defined -%}
-      {{ apiserver_loadbalancer_domain_name }},
-      {{ loadbalancer_apiserver.address | default('') }},
-      {%- endif -%}
-      {%- if no_proxy_exclude_workers | default(false) -%}
-      {% set cluster_or_control_plane = 'kube_control_plane' %}
-      {%- else -%}
-      {% set cluster_or_control_plane = 'k8s_cluster' %}
-      {%- endif -%}
-      {%- for item in (groups[cluster_or_control_plane] + groups['etcd'] | default([]) + groups['calico_rr'] | default([])) | unique -%}
-      {{ hostvars[item]['main_access_ip'] }},
-      {%- if item != hostvars[item].get('ansible_hostname', '') -%}
-      {{ hostvars[item]['ansible_hostname'] }},
-      {{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }},
-      {%- endif -%}
-      {{ item }},{{ item }}.{{ dns_domain }},
-      {%- endfor -%}
-      {%- if additional_no_proxy is defined -%}
-      {{ additional_no_proxy }},
-      {%- endif -%}
-      127.0.0.1,localhost,{{ kube_service_subnets }},{{ kube_pods_subnets }},svc,svc.{{ dns_domain }}
-  delegate_to: localhost
-  connection: local
-  delegate_facts: true
-  become: false
-  run_once: true
-
-- name: Populates no_proxy to all hosts
-  set_fact:
-    no_proxy: "{{ hostvars.localhost.no_proxy_prepare | select }}"
-    # noqa: jinja[spacing]
-    proxy_env: "{{ proxy_env | combine({
-        'no_proxy': hostvars.localhost.no_proxy_prepare,
-        'NO_PROXY': hostvars.localhost.no_proxy_prepare
-      }) }}"

roles/network_plugin/calico/templates/calico-apiserver.yml.j2

@@ -177,6 +177,9 @@ rules:
   - blockaffinities
   - caliconodestatuses
   - tiers
+  - stagednetworkpolicies
+  - stagedglobalnetworkpolicies
+  - stagedkubernetesnetworkpolicies
   verbs:
   - get
   - list

roles/network_plugin/calico/templates/calico-cr.yml.j2

@@ -215,3 +215,17 @@ rules:
       - calico-cni-plugin
     verbs:
       - create
+{% if calico_version is version('3.29.0', '>=') %}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-tier-getter
+rules:
+  - apiGroups:
+      - "projectcalico.org"
+    resources:
+      - "tiers"
+    verbs:
+      - "get"
+{% endif %}

roles/network_plugin/calico/templates/calico-crb.yml.j2

@@ -26,3 +26,18 @@ subjects:
 - kind: ServiceAccount
   name: calico-cni-plugin
   namespace: kube-system
+{% if calico_version is version('3.29.0', '>=') %}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-tier-getter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-tier-getter
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: system:kube-controller-manager
+{% endif %}

roles/network_plugin/cilium/defaults/main.yml

@@ -305,12 +305,9 @@ cilium_enable_well_known_identities: false
 # Only effective when monitor aggregation is set to "medium" or higher.
 cilium_monitor_aggregation_flags: "all"
 
-cilium_enable_bpf_clock_probe: true
-
 # -- Enable BGP Control Plane
 cilium_enable_bgp_control_plane: false
 
-
 # -- Configure BGP Instances (New bgpv2 API v1.16+)
 cilium_bgp_cluster_configs: []
 

roles/network_plugin/cilium/templates/cilium/cilium-bgp-advertisement.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_bgp_advertisement in cilium_bgp_advertisements %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumBGPAdvertisement
 metadata:
   name: "{{ cilium_bgp_advertisement.name }}"

roles/network_plugin/cilium/templates/cilium/cilium-bgp-cluster-config.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_bgp_cluster_config in cilium_bgp_cluster_configs %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumBGPClusterConfig
 metadata:
   name: "{{ cilium_bgp_cluster_config.name }}"

roles/network_plugin/cilium/templates/cilium/cilium-bgp-node-config-override.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_bgp_node_config_override in cilium_bgp_node_config_overrides %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumBGPNodeConfigOverride
 metadata:
   name: "{{ cilium_bgp_node_config_override.name }}"

roles/network_plugin/cilium/templates/cilium/cilium-bgp-peer-config.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_bgp_peer_config in cilium_bgp_peer_configs %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumBGPPeerConfig
 metadata:
   name: "{{ cilium_bgp_peer_config.name }}"

roles/network_plugin/cilium/templates/cilium/cilium-loadbalancer-ip-pool.yml.j2

@@ -1,6 +1,6 @@
 {% for cilium_loadbalancer_ip_pool in cilium_loadbalancer_ip_pools %}
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: "cilium.io/v2"
 kind: CiliumLoadBalancerIPPool
 metadata:
   name: "{{ cilium_loadbalancer_ip_pool.name }}"

roles/network_plugin/cilium/templates/values.yaml.j2

@@ -143,6 +143,14 @@ cgroup:
     enabled: {{ cilium_cgroup_auto_mount | to_json }}
   hostRoot: {{ cilium_cgroup_host_root }}
 
+resources:
+  limits:
+    memory: "{{ cilium_memory_limit }}"
+    cpu: "{{ cilium_cpu_limit }}"
+  requests:
+    memory: "{{ cilium_memory_requests }}"
+    cpu: "{{ cilium_cpu_requests }}"
+
 operator:
   image:
     repository: {{ cilium_operator_image_repo }}

roles/network_plugin/custom_cni/meta/main.yml

@@ -14,6 +14,7 @@ dependencies:
         chart_ref: "{{ custom_cni_chart_ref }}"
         chart_version: "{{ custom_cni_chart_version }}"
         wait: true
+        create_namespace: true
         values: "{{ custom_cni_chart_values }}"
     repositories:
       - name: "{{ custom_cni_chart_repository_name }}"

roles/remove_node/pre_remove/tasks/main.yml

@@ -17,6 +17,8 @@
       --grace-period {{ drain_grace_period }}
       --timeout {{ drain_timeout }}
       --delete-emptydir-data {{ kube_override_hostname }}
+  async: "{{ (drain_timeout | regex_replace('s$', '') | int) + 120 }}"
+  poll: 15
   when:
     - groups['kube_control_plane'] | length > 0
     # ignore servers that are not nodes

roles/upgrade/pre-upgrade/tasks/main.yml

@@ -59,6 +59,8 @@
         --timeout {{ drain_timeout }}
         --delete-emptydir-data {{ kube_override_hostname | default(inventory_hostname) }}
         {% if drain_pod_selector %}--pod-selector '{{ drain_pod_selector }}'{% endif %}
+      async: "{{ (drain_timeout | regex_replace('s$', '') | int) + 120 }}"
+      poll: 15
       when: drain_nodes
       register: result
       failed_when:
@@ -82,6 +84,8 @@
         --delete-emptydir-data {{ kube_override_hostname | default(inventory_hostname) }}
         {% if drain_pod_selector %}--pod-selector '{{ drain_pod_selector }}'{% endif %}
         --disable-eviction
+      async: "{{ (drain_fallback_timeout | regex_replace('s$', '') | int) + 120 }}"
+      poll: 15
       register: drain_fallback_result
       until: drain_fallback_result.rc == 0
       retries: "{{ drain_fallback_retries }}"

roles/validate_inventory/tasks/main.yml

@@ -49,7 +49,6 @@
   assert:
     that:
       - download_run_once | type_debug == 'bool'
-      - deploy_netchecker | type_debug == 'bool'
       - download_always_pull | type_debug == 'bool'
       - helm_enabled | type_debug == 'bool'
       - openstack_lbaas_enabled | type_debug == 'bool'
@@ -214,3 +213,13 @@
   when:
     - kube_external_ca_mode
     - not ignore_assert_errors
+
+- name: Download_file | Check if requested Kubernetes are supported
+  assert:
+    that:
+      - kube_version in kubeadm_checksums[image_arch]
+      - kube_version in kubelet_checksums[image_arch]
+      - kube_version in kubectl_checksums[image_arch]
+    msg: >-
+      Kubernetes v{{ kube_version }} is not supported for {{ image_arch }}.
+      Please check roles/kubespray_defaults/vars/main/checksums.yml for supported versions.

scripts/component_hash_update/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "kubespray_component_hash_update"
-version = "1.0.0"
+version = "1.0.1"
 dependencies = [
   "more_itertools",
   "ruamel.yaml",

scripts/component_hash_update/src/component_hash_update/download.py

@@ -126,15 +126,20 @@ def download_hash(downloads: {str: {str: Any}}) -> None:
     releases, tags = map(
         dict, partition(lambda r: r[1].get("tags", False), downloads.items())
     )
-    repos = {
-        "with_releases": [r["graphql_id"] for r in releases.values()],
-        "with_tags": [t["graphql_id"] for t in tags.values()],
-    }
+    unique_release_ids = list(dict.fromkeys(
+        r["graphql_id"] for r in releases.values()
+    ))
+    unique_tag_ids = list(dict.fromkeys(
+        t["graphql_id"] for t in tags.values()
+    ))
     response = s.post(
         "https://api.github.com/graphql",
         json={
             "query": files(__package__).joinpath("list_releases.graphql").read_text(),
-            "variables": repos,
+            "variables": {
+                "with_releases": unique_release_ids,
+                "with_tags": unique_tag_ids,
+            },
         },
         headers={
             "Authorization": f"Bearer {os.environ['API_KEY']}",
@@ -155,31 +160,30 @@ def download_hash(downloads: {str: {str: Any}}) -> None:
         except InvalidVersion:
             return None
 
-    repos = response.json()["data"]
-    github_versions = dict(
-        zip(
-            chain(releases.keys(), tags.keys()),
-            [
-                {
-                    v
-                    for r in repo["releases"]["nodes"]
-                    if not r["isPrerelease"]
-                    and (v := valid_version(r["tagName"])) is not None
-                }
-                for repo in repos["with_releases"]
-            ]
-            + [
-                {
-                    v
-                    for t in repo["refs"]["nodes"]
-                    if (v := valid_version(t["name"].removeprefix("release-")))
-                    is not None
-                }
-                for repo in repos["with_tags"]
-            ],
-            strict=True,
-        )
-    )
+    resp_data = response.json()["data"]
+    release_versions_by_id = {
+        gql_id: {
+            v
+            for r in repo["releases"]["nodes"]
+            if not r["isPrerelease"]
+            and (v := valid_version(r["tagName"])) is not None
+        }
+        for gql_id, repo in zip(unique_release_ids, resp_data["with_releases"])
+    }
+    tag_versions_by_id = {
+        gql_id: {
+            v
+            for t in repo["refs"]["nodes"]
+            if (v := valid_version(t["name"].removeprefix("release-")))
+            is not None
+        }
+        for gql_id, repo in zip(unique_tag_ids, resp_data["with_tags"])
+    }
+    github_versions = {}
+    for name, info in releases.items():
+        github_versions[name] = release_versions_by_id[info["graphql_id"]]
+    for name, info in tags.items():
+        github_versions[name] = tag_versions_by_id[info["graphql_id"]]
 
     components_supported_arch = {
         component.removesuffix("_checksums"): [a for a in archs.keys()]

tests/common_vars.yml

@@ -1,6 +1,5 @@
 ---
 # Kubespray settings for tests
-deploy_netchecker: true
 dns_min_replicas: 1
 unsafe_show_logs: true
 
@@ -29,9 +28,6 @@ crio_registries:
       - location: mirror.gcr.io
         insecure: false
 
-netcheck_agent_image_repo: "{{ quay_image_repo }}/kubespray/k8s-netchecker-agent"
-netcheck_server_image_repo: "{{ quay_image_repo }}/kubespray/k8s-netchecker-server"
-
 nginx_image_repo: "{{ quay_image_repo }}/kubespray/nginx"
 
 flannel_image_repo: "{{ quay_image_repo }}/kubespray/flannel"

tests/files/openeuler24-calico.yml

@@ -3,8 +3,11 @@
 cloud_image: openeuler-2403
 vm_memory: 3072
 
-# Openeuler package mgmt is slow for some reason
-pkg_install_timeout: "{{ 10 * 60 }}"
+# Use metalink for faster package downloads (auto-selects closest mirror)
+openeuler_metalink_enabled: true
+
+# CI package installation takes ~7min; default 5min is too tight, use 15min for margin
+pkg_install_timeout: "{{ 15 * 60 }}"
 
 # Work around so the Kubernetes 1.35 tests can pass. We will discuss the openeuler support later.
 kubeadm_ignore_preflight_errors:

tests/files/rockylinux10-cilium.yml

@@ -13,3 +13,21 @@ kube_owner: root
 # Node Feature Discovery
 node_feature_discovery_enabled: true
 kube_asymmetric_encryption_algorithm: "ECDSA-P256"
+
+# Testing no_proxy setup
+# The proxy is not intended to be accessed at all, we're only testing
+# the no_proxy construction
+https_proxy: "http://some-proxy.invalid"
+http_proxy: "http://some-proxy.invalid"
+additional_no_proxy_list:
+  - github.com
+  - githubusercontent.com
+  - k8s.io
+  - rockylinux.org
+  - docker.io
+  - googleapis.com
+  - quay.io
+  - pkg.dev
+  - amazonaws.com
+  - cilium.io
+skip_http_proxy_on_os_packages: true

tests/files/ubuntu24-crio-upgrade.yml

@@ -2,7 +2,7 @@
 # Instance settings
 cloud_image: ubuntu-2404
 mode: all-in-one
-vm_memory: 1800
+vm_memory: 3072
 
 # Kubespray settings
 container_manager: crio

tests/requirements.txt

@@ -1,4 +1,4 @@
 -r ../requirements.txt
 distlib==0.4.0 # required for building collections
-molecule==25.12.0
+molecule==26.3.0
 pytest-testinfra==10.2.2

tests/testcases/040_check-network-adv.yml

@@ -13,88 +13,6 @@
 - import_role:  # noqa name[missing]
     name: cluster-dump
 
-- name: Wait for netchecker server
-  command: "{{ bin_dir }}/kubectl get pods --field-selector=status.phase==Running -o jsonpath-as-json={.items[*].metadata.name} --namespace {{ netcheck_namespace }}"
-  register: pods_json
-  until:
-    - pods_json.stdout | from_json | select('match', 'netchecker-server.*') | length == 1
-    - (pods_json.stdout | from_json | select('match', 'netchecker-agent.*') | length)
-      >= (groups['k8s_cluster'] | intersect(ansible_play_hosts) | length * 2)
-  retries: 3
-  delay: 10
-  when: inventory_hostname == groups['kube_control_plane'][0]
-
-- name: Get netchecker pods
-  command: "{{ bin_dir }}/kubectl -n {{ netcheck_namespace }} describe pod -l app={{ item }}"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  with_items:
-    - netchecker-agent
-    - netchecker-agent-hostnet
-  when: not pods_json is success
-
-- name: Perform netchecker tests
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  block:
-    - name: Get netchecker agents
-      uri:
-        url: "http://{{ (ansible_default_ipv6.address if not (ipv4_stack | default(true)) else ansible_default_ipv4.address) | ansible.utils.ipwrap }}:{{ netchecker_port }}/api/v1/agents/"
-        return_content: true
-        headers:
-          Accept: application/json
-      register: agents
-      retries: 18
-      delay: "{{ agent_report_interval }}"
-      until:
-        - agents is success
-        - (agents.content | from_json | length) == (groups['k8s_cluster'] | length * 2)
-
-    - name: Check netchecker status
-      uri:
-        url: "http://{{ (ansible_default_ipv6.address if not (ipv4_stack | default(true)) else ansible_default_ipv4.address) | ansible.utils.ipwrap }}:{{ netchecker_port }}/api/v1/connectivity_check"
-        return_content: true
-        headers:
-          Accept: application/json
-      register: connectivity_check
-      retries: 3
-      delay: "{{ agent_report_interval }}"
-      until:
-        - connectivity_check is success
-        - connectivity_check.content | from_json
-
-  rescue:
-    - name: Get kube-proxy logs
-      command: "{{ bin_dir }}/kubectl -n kube-system logs -l k8s-app=kube-proxy"
-
-    - name: Get logs from other apps
-      command: "{{ bin_dir }}/kubectl -n kube-system logs -l k8s-app={{ item }} --all-containers"
-      with_items:
-        - kube-router
-        - flannel
-        - canal-node
-        - calico-node
-        - cilium
-
-    - name: Netchecker tests failed
-      fail:
-        msg: "netchecker tests failed"
-
-- name: Check connectivity with all netchecker agents
-  vars:
-    connectivity_check_result: "{{ connectivity_check.content | from_json }}"
-    agents_check_result: "{{ agents.content | from_json }}"
-  assert:
-    that:
-      - agents_check_result is defined
-      - connectivity_check_result is defined
-      - agents_check_result.keys() | length > 0
-      - not connectivity_check_result.Absent
-      - not connectivity_check_result.Outdated
-    msg: "Connectivity check to netchecker agents failed"
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-
 - name: Create macvlan network conf
   command:
     cmd: "{{ bin_dir }}/kubectl create -f -"

tests/testcases/tests.yml

@@ -36,10 +36,6 @@
       when:
         - ('macvlan' not in testcase)
         - ('hardening' not in testcase)
-      vars:
-        agent_report_interval: 10
-        netcheck_namespace: default
-        netchecker_port: 31081
     - name: Testcases for kubernetes conformance
       import_tasks: 100_check-k8s-conformance.yml
       delegate_to: "{{ groups['kube_control_plane'][0] }}"