Patch versions updates

2026-02-14 04:47:31 +03:00 · 2026-02-09 03:23:21 +00:00
75 changed files with 1639 additions and 450 deletions
--- a/.gitlab-ci/kubevirt.yml
+++ b/.gitlab-ci/kubevirt.yml
@@ -41,8 +41,7 @@ pr:
          - debian12-cilium
          - debian13-cilium
          - fedora39-kube-router
-          - fedora41-kube-router
+          - openeuler24-calico
          - fedora42-calico
          - rockylinux9-cilium
          - rockylinux10-cilium
          - ubuntu22-calico-all-in-one
@@ -50,25 +49,13 @@ pr:
          - ubuntu24-calico-etcd-datastore
          - ubuntu24-calico-all-in-one-hardening
          - ubuntu24-cilium-sep
          - ubuntu24-crio-scale
          - ubuntu24-crio-upgrade
          - ubuntu24-flannel-collection
          - ubuntu24-kube-router-sep
          - ubuntu24-kube-router-svc-proxy
          - ubuntu24-ha-separate-etcd
          - flatcar4081-calico
          - fedora40-flannel-crio-collection-scale
 # This is for flakey test so they don't disrupt the PR worklflow too much.
 # Jobs here MUST have a open issue so we don't lose sight of them
 pr-flakey:
  extends: pr
  retry: 1
  parallel:
    matrix:
      - TESTCASE:
          - flatcar4081-calico # https://github.com/kubernetes-sigs/kubespray/issues/12309
          - openeuler24-calico # https://github.com/kubernetes-sigs/kubespray/issues/12877
 # The ubuntu24-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu24-calico-all-in-one:
  stage: deploy-part1
@@ -104,8 +91,6 @@ pr_full:
          - debian12-custom-cni-helm
          - fedora39-calico-swap-selinux
          - fedora39-crio
          - fedora41-calico-swap-selinux
          - fedora41-crio
          - ubuntu24-calico-ha-wireguard
          - ubuntu24-flannel-ha
          - ubuntu24-flannel-ha-once
@@ -165,7 +150,6 @@ periodic:
          - debian12-cilium-svc-proxy
          - fedora39-calico-selinux
          - fedora40-docker-calico
          - fedora41-calico-selinux
          - ubuntu24-calico-etcd-kubeadm-upgrade-ha
          - ubuntu24-calico-ha-recover
          - ubuntu24-calico-ha-recover-noquorum
--- a/4
+++ b/4
@@ -35,8 +35,8 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.35.0/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.35.0/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl
 COPY *.yml ./
--- a/README.md
+++ b/README.md
@@ -90,7 +90,7 @@ vagrant up
 - **Debian** Bookworm, Bullseye, Trixie
 - **Ubuntu** 22.04, 24.04
 - **CentOS Stream / RHEL** [9, 10](docs/operating_systems/rhel.md#rhel-8)
- **Fedora** 39, 40, 41, 42
+- **Fedora** 39, 40
 - **Fedora CoreOS** (see [fcos Note](docs/operating_systems/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
 - **Oracle Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
@@ -111,11 +111,11 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.35.0
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.3
  - [etcd](https://github.com/etcd-io/etcd) 3.5.26
  - [docker](https://www.docker.com/) 28.3
  - [containerd](https://containerd.io/) 2.2.1
-  - [cri-o](http://cri-o.io/) 1.35.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) 1.34.5 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
  - [calico](https://github.com/projectcalico/calico) 3.30.6
@@ -127,7 +127,8 @@ Note:
  - [kube-vip](https://github.com/kube-vip/kube-vip) 1.0.3
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.4
+  - [coredns](https://github.com/coredns/coredns) 1.12.1
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
  - [argocd](https://argoproj.github.io/) 2.14.5
  - [helm](https://helm.sh/) 3.18.4
  - [metallb](https://metallb.universe.tf/) 0.13.9
@@ -201,6 +202,8 @@ See also [Network checker](docs/advanced/netcheck.md).
 ## Ingress Plugins
 - [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
 - [metallb](docs/ingress/metallb.md): the MetalLB bare-metal service LoadBalancer provider.
 ## Community docs and resources
--- a/3
+++ b/3
@@ -35,9 +35,6 @@ SUPPORTED_OS = {
  "fedora40"            => {box: "fedora/40-cloud-base",       user: "vagrant"},
  "fedora39-arm64"      => {box: "bento/fedora-39-arm64",      user: "vagrant"},
  "fedora40-arm64"      => {box: "bento/fedora-40",            user: "vagrant"},
  "fedora41"            => {box: "fedora/41-cloud-base",       user: "vagrant"},
  "fedora42"            => {box: "fedora/42-cloud-base",       user: "vagrant"},
  "fedora41-bento"      => {box: "bento/fedora-41",            user: "vagrant"},
  "opensuse"            => {box: "opensuse/Leap-15.6.x86_64",  user: "vagrant"},
  "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
  "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@@ -51,7 +51,7 @@ To generate kubespray inventory based on the terraform state file you can run th
 You should now have a inventory file named `inventory.ini` that you can use with kubespray, e.g.
 ```bash
-ansible-playbook -i contrib/terraform/gcp/inventory.ini cluster.yml -b -v
+ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 ```
 ## Variables
--- a/docs/_sidebar.md
+++ b/docs/_sidebar.md
@@ -57,6 +57,7 @@
  * [Setting-up-your-first-cluster](/docs/getting_started/setting-up-your-first-cluster.md)
 * Ingress
  * [Alb Ingress Controller](/docs/ingress/alb_ingress_controller.md)
  * [Ingress Nginx](/docs/ingress/ingress_nginx.md)
  * [Kube-vip](/docs/ingress/kube-vip.md)
  * [Metallb](/docs/ingress/metallb.md)
 * Operating Systems
--- a/docs/advanced/cert_manager.md
+++ b/docs/advanced/cert_manager.md
@@ -30,7 +30,14 @@ If you don't have a TLS Root CA certificate and key available, you can create th
 A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
-For example, if you're using the Traefik ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
+To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true.
 ```ini
 # Nginx ingress controller deployment
 ingress_nginx_enabled: true
 ```
 For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -41,9 +48,9 @@ metadata:
  labels:
    prometheus: k8s
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: ca-issuer
 spec:
  ingressClassName: "traefik"
  tls:
  - hosts:
    - prometheus.example.com
@@ -65,8 +72,8 @@ Once deployed to your K8s cluster, every 3 months cert-manager will automaticall
 Please consult the official upstream documentation:
- [cert-manager Ingress Usage](https://cert-manager.io/usage/ingress/)
+- [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/)
- [cert-manager Ingress Tutorial](https://cert-manager.io/tutorials/acme/ingress/#step-3-assign-a-dns-name)
+- [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name)
 ### ACME
@@ -74,12 +81,12 @@ The ACME Issuer type represents a single account registered with the Automated C
 Certificates issued by public ACME servers are typically trusted by client’s computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most client’s web browsers. ACME certificates are typically free.
- [ACME Configuration](https://cert-manager.io/docs/configuration/acme/)
+- [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/)
- [ACME HTTP Validation](https://cert-manager.io/docs/tutorials/acme/http-validation/)
+- [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/)
-  - [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/)
+  - [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/)
- [ACME DNS Validation](https://cert-manager.io/docs/tutorials/acme/dns-validation/)
+- [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/)
-  - [DNS01 Challenges](https://cert-manager.io/docs/configuration/acme/dns01/)
+  - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
- [ACME FAQ](https://cert-manager.io/docs/troubleshooting/acme/)
+- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
 #### ACME With An Internal Certificate Authority
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -30,9 +30,9 @@ If the latest version supported according to pip is 6.7.0 it means you are runni
 Based on the table below and the available python version for your ansible host you should choose the appropriate ansible version to use with kubespray.
-|  Ansible Version  | Python Version |
+| Ansible Version | Python Version |
-|-------------------|----------------|
+|-----------------|----------------|
-| >=2.18.0, <2.19.0 | 3.11-3.13      |
+| >= 2.17.3       | 3.10-3.12      |
 ## Customize Ansible vars
--- a/docs/developers/ci-setup.md
+++ b/docs/developers/ci-setup.md
@@ -145,6 +145,7 @@ upstream_dns_servers:
  - 1.0.0.1
 # Extensions
 ingress_nginx_enabled: True
 helm_enabled: True
 cert_manager_enabled: True
 metrics_server_enabled: True
--- a/docs/developers/ci.md
+++ b/docs/developers/ci.md
@@ -13,8 +13,6 @@ debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: |
 debian13 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
@@ -33,14 +31,12 @@ debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ## docker
@@ -53,8 +49,6 @@ debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
--- a/docs/ingress/ingress_nginx.md
+++ b/docs/ingress/ingress_nginx.md
@@ -0,0 +1,203 @@
 # Installation Guide
 ## Contents
 - [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command)
  - [Provider Specific Steps](#provider-specific-steps)
    - [Docker for Mac](#docker-for-mac)
    - [minikube](#minikube)
    - [AWS](#aws)
    - [GCE - GKE](#gce-gke)
    - [Azure](#azure)
    - [Bare-metal](#bare-metal)
  - [Verify installation](#verify-installation)
  - [Detect installed version](#detect-installed-version)
 - [Using Helm](#using-helm)
 ## Prerequisite Generic Deployment Command
 !!! attention
    The default configuration watches Ingress object from *all the namespaces*.
    To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace.
 !!! warning
    If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions.
 !!! attention
    If you're using GKE you need to initialize your user as a cluster-admin with the following command:
 ```console
 kubectl create clusterrolebinding cluster-admin-binding \
 --clusterrole cluster-admin \
 --user $(gcloud config get-value account)
 ```
 The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version.
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml
 ```
 ### Provider Specific Steps
 There are cloud provider specific yaml files.
 #### Docker for Mac
 Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018))
 First you need to [enable kubernetes](https://docs.docker.com/docker-for-mac/#kubernetes).
 Then you have to create a service:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 #### minikube
 For standard usage:
 ```console
 minikube addons enable ingress
 ```
 For development:
 1. Disable the ingress addon:
 ```console
 minikube addons disable ingress
 ```
 1. Execute `make dev-env`
 1. Confirm the `nginx-ingress-controller` deployment exists:
 ```console
 $ kubectl get pods -n ingress-nginx
 NAME                                       READY     STATUS    RESTARTS   AGE
 default-http-backend-66b447d9cf-rrlf9      1/1       Running   0          12s
 nginx-ingress-controller-fdcdcd6dd-vvpgs   1/1       Running   0          11s
 ```
 #### AWS
 In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`.
 Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
 Please check the [elastic load balancing AWS details page](https://aws.amazon.com/elasticloadbalancing/details/)
 ##### Elastic Load Balancer - ELB
 This setup requires to choose in which layer (L4 or L7) we want to configure the Load Balancer:
 - [Layer 4](https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer): Use an Network Load Balancer (NLB) with TCP as the listener protocol for ports 80 and 443.
 - [Layer 7](https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer): Use an Elastic Load Balancer (ELB) with HTTP as the listener protocol for port 80 and terminate TLS in the ELB
 For L4:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml
 ```
 For L7:
 Change the value of `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` in the file `provider/aws/deploy-tls-termination.yaml` replacing the dummy id with a valid one. The dummy value is `"arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"`
 Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the [ELB Idle Timeouts section](#elb-idle-timeouts) for additional information. If a change is required, users will need to update the value of `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` in `provider/aws/deploy-tls-termination.yaml`
 Then execute:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 This example creates an ELB with just two listeners, one in port 80 and another in port 443
 ![Listeners](https://github.com/kubernetes/ingress-nginx/blob/main/docs/images/elb-l7-listener.png)
 ##### ELB Idle Timeouts
 In some scenarios users will need to modify the value of the ELB idle timeout.
 Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX.
 By default NGINX `keepalive_timeout` is set to `75s`.
 The default ELB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified,
 in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured.
 *Please Note: An idle timeout of `3600s` is recommended when using WebSockets.*
 More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html).
 ##### Network Load Balancer (NLB)
 This type of load balancer is supported since v1.10.0 as an ALPHA feature.
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml
 ```
 #### GCE-GKE
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 **Important Note:** proxy protocol is not supported in GCE/GKE
 #### Azure
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 #### Bare-metal
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
 ```
 !!! tip
    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md).
 ### Verify installation
 To check if the ingress controller pods have started, run the following command:
 ```console
 kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
 ```
 Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`.
 Now, you are ready to create your first ingress.
 ### Detect installed version
 To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller version` command.
 ```console
 POD_NAMESPACE=ingress-nginx
 POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
 ```
 ## Using Helm
 NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx).
 Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm)
 To install the chart with the release name `my-nginx`:
 ```console
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm install my-nginx ingress-nginx/ingress-nginx
 ```
 Detect installed version:
 ```console
 POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
 ```
--- a/docs/operations/offline-environment.md
+++ b/docs/operations/offline-environment.md
@@ -85,7 +85,7 @@ crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-v{{ crictl_ve
 # If using Calico
 calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # If using Calico with kdd
-calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
+calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_version }}.tar.gz"
 # Containerd
 containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
 runc_download_url: "{{ files_repo }}/runc.{{ image_arch }}"
--- a/inventory/sample/group_vars/all/offline.yml
+++ b/inventory/sample/group_vars/all/offline.yml
@@ -44,7 +44,7 @@
 # [Optional] Calico: If using Calico network plugin
 # calicoctl_download_url: "{{ files_repo }}/github.com/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
-# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
+# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
 # [Optional] Cilium: If using Cilium network plugin
 # ciliumcli_download_url: "{{ files_repo }}/github.com/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -63,6 +63,39 @@ local_volume_provisioner_enabled: false
 # Gateway API CRDs
 gateway_api_enabled: false
 # Nginx ingress controller deployment
 ingress_nginx_enabled: false
 # ingress_nginx_host_network: false
 # ingress_nginx_service_type: LoadBalancer
 # ingress_nginx_service_annotations:
 #   example.io/loadbalancerIPs: 1.2.3.4
 # ingress_nginx_service_nodeport_http: 30080
 # ingress_nginx_service_nodeport_https: 30081
 ingress_publish_status_address: ""
 # ingress_nginx_nodeselector:
 #   kubernetes.io/os: "linux"
 # ingress_nginx_tolerations:
 #   - key: "node-role.kubernetes.io/control-plane"
 #     operator: "Equal"
 #     value: ""
 #     effect: "NoSchedule"
 # ingress_nginx_namespace: "ingress-nginx"
 # ingress_nginx_insecure_port: 80
 # ingress_nginx_secure_port: 443
 # ingress_nginx_configmap:
 #   map-hash-bucket-size: "128"
 #   ssl-protocols: "TLSv1.2 TLSv1.3"
 # ingress_nginx_configmap_tcp_services:
 #   9000: "default/example-go:8080"
 # ingress_nginx_configmap_udp_services:
 #   53: "kube-system/coredns:53"
 # ingress_nginx_extra_args:
 #   - --default-ssl-certificate=default/foo-tls
 # ingress_nginx_termination_grace_period_seconds: 300
 # ingress_nginx_class: nginx
 # ingress_nginx_without_class: true
 # ingress_nginx_default: false
 # ALB ingress controller deployment
 ingress_alb_enabled: false
 # alb_ingress_aws_region: "us-east-1"
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.18.0,<2.19.0"
+requires_ansible: ">=2.17.3"
--- a/pipeline.Dockerfile
+++ b/pipeline.Dockerfile
@@ -46,8 +46,8 @@ ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
    && pip install --break-system-packages --ignore-installed --no-compile --no-cache-dir pip -U \
    && pip install --break-system-packages --no-compile --no-cache-dir -r tests/requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.35.0/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.35.0/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && echo $(curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl \
    # Install Vagrant
    && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
--- a/playbooks/ansible_version.yml
+++ b/playbooks/ansible_version.yml
@@ -5,8 +5,8 @@
  become: false
  run_once: true
  vars:
-    minimal_ansible_version: 2.18.0
+    minimal_ansible_version: 2.17.3
-    maximal_ansible_version: 2.19.0
+    maximal_ansible_version: 2.18.0
  tags: always
  tasks:
    - name: "Check {{ minimal_ansible_version }} <= Ansible version < {{ maximal_ansible_version }}"
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-ansible==11.13.0
+ansible==10.7.0
 # Needed for community.crypto module
 cryptography==46.0.4
 # Needed for jinja2 json_query templating
--- a/roles/container-engine/cri-dockerd/handlers/main.yml
+++ b/roles/container-engine/cri-dockerd/handlers/main.yml
@@ -6,6 +6,12 @@
    masked: false
  listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | restart docker.service
  service:
    name: docker.service
    state: restarted
  listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | reload cri-dockerd.socket
  service:
    name: cri-dockerd.socket
--- a/roles/container-engine/docker/templates/docker.service.j2
+++ b/roles/container-engine/docker/templates/docker.service.j2
@@ -30,7 +30,7 @@ LimitCORE=infinity
 TimeoutStartSec=1min
 # restart the docker process if it exits prematurely
 Restart=on-failure
-StartLimitBurst=10
+StartLimitBurst=3
 StartLimitInterval=60s
 # Set the cgroup slice of the service so that kube reserved takes effect
 {% if kube_reserved is defined and kube_reserved|bool %}
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
@@ -21,7 +21,7 @@ external_openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
 ##    arg1: "value1"
 ##    arg2: "value2"
 external_openstack_cloud_controller_extra_args: {}
-external_openstack_cloud_controller_image_tag: "v1.35.0"
+external_openstack_cloud_controller_image_tag: "v1.32.0"
 external_openstack_cloud_controller_bind_address: 127.0.0.1
 external_openstack_cloud_controller_dns_policy: ClusterFirst
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml
@@ -0,0 +1,28 @@
 ---
 ingress_nginx_namespace: "ingress-nginx"
 ingress_nginx_host_network: false
 ingress_nginx_service_type: LoadBalancer
 ingress_nginx_service_nodeport_http: ""
 ingress_nginx_service_nodeport_https: ""
 ingress_nginx_service_annotations: {}
 ingress_publish_status_address: ""
 ingress_nginx_publish_service: "{{ ingress_nginx_namespace }}/ingress-nginx"
 ingress_nginx_nodeselector:
  kubernetes.io/os: "linux"
 ingress_nginx_tolerations: []
 ingress_nginx_insecure_port: 80
 ingress_nginx_secure_port: 443
 ingress_nginx_metrics_port: 10254
 ingress_nginx_configmap: {}
 ingress_nginx_configmap_tcp_services: {}
 ingress_nginx_configmap_udp_services: {}
 ingress_nginx_extra_args: []
 ingress_nginx_termination_grace_period_seconds: 300
 ingress_nginx_class: nginx
 ingress_nginx_without_class: true
 ingress_nginx_default: false
 ingress_nginx_webhook_enabled: false
 ingress_nginx_webhook_job_ttl: 1800
 ingress_nginx_opentelemetry_enabled: false
 ingress_nginx_probe_initial_delay_seconds: 10
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
@@ -0,0 +1,69 @@
 ---
 - name: NGINX Ingress Controller | Create addon dir
  file:
    path: "{{ kube_config_dir }}/addons/ingress_nginx"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
 - name: NGINX Ingress Controller | Templates list
  set_fact:
    ingress_nginx_templates:
      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
      - { name: cm-ingress-nginx, file: cm-ingress-nginx.yml, type: cm }
      - { name: cm-tcp-services, file: cm-tcp-services.yml, type: cm }
      - { name: cm-udp-services, file: cm-udp-services.yml, type: cm }
      - { name: sa-ingress-nginx, file: sa-ingress-nginx.yml, type: sa }
      - { name: clusterrole-ingress-nginx, file: clusterrole-ingress-nginx.yml, type: clusterrole }
      - { name: clusterrolebinding-ingress-nginx, file: clusterrolebinding-ingress-nginx.yml, type: clusterrolebinding }
      - { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
      - { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
      - { name: ingressclass-nginx, file: ingressclass-nginx.yml, type: ingressclass }
      - { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
    ingress_nginx_template_for_service:
      - { name: svc-ingress-nginx, file: svc-ingress-nginx.yml, type: svc }
    ingress_nginx_templates_for_webhook:
      - { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
      - { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
      - { name: clusterrole-admission-webhook, file: clusterrole-admission-webhook.yml, type: clusterrole }
      - { name: clusterrolebinding-admission-webhook, file: clusterrolebinding-admission-webhook.yml, type: clusterrolebinding }
      - { name: role-admission-webhook, file: role-admission-webhook.yml, type: role }
      - { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
      - { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
      - { name: svc-ingress-nginx-controller-admission, file: svc-ingress-nginx-controller-admission.yml, type: svc }
 - name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Template list for service
  set_fact:
    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_template_for_service }}"
  when: not ingress_nginx_host_network
 - name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
  set_fact:
    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
  when: ingress_nginx_webhook_enabled
 - name: NGINX Ingress Controller | Create manifests
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}"
    mode: "0644"
  with_items: "{{ ingress_nginx_templates }}"
  register: ingress_nginx_manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
 - name: NGINX Ingress Controller | Apply manifests
  kube:
    name: "{{ item.item.name }}"
    namespace: "{{ ingress_nginx_namespace }}"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.item.file }}"
    state: "latest"
  with_items: "{{ ingress_nginx_manifests.results }}"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2
@@ -0,0 +1,7 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ ingress_nginx_namespace }}
  labels:
    name: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2
@@ -0,0 +1,30 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: {{ ingress_nginx_namespace }}
      path: /networking/v1/ingresses
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
@@ -0,0 +1,96 @@
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission-create
  namespace: {{ ingress_nginx_namespace }}
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: create
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission-patch
  namespace: {{ ingress_nginx_namespace }}
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2
@@ -0,0 +1,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 rules:
 - apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
@@ -0,0 +1,36 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 rules:
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2
@@ -0,0 +1,16 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2
@@ -0,0 +1,16 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap %}
 data:
  {{ ingress_nginx_configmap | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: tcp-services
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap_tcp_services %}
 data:
  {{ ingress_nginx_configmap_tcp_services | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: udp-services
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap_udp_services %}
 data:
  {{ ingress_nginx_configmap_udp_services | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
@@ -0,0 +1,201 @@
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: ingress-nginx-controller
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: {{ ingress_nginx_termination_grace_period_seconds }}
 {% if ingress_nginx_opentelemetry_enabled %}
      initContainers:
      - name: opentelemetry
        command:
        - /init_module
        image: {{ ingress_nginx_opentelemetry_image_repo }}:{{ ingress_nginx_opentelemetry_image_tag }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          readOnlyRootFilesystem: false
          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /modules_mount
          name: modules
 {% endif %}
 {% if ingress_nginx_host_network %}
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
 {% endif %}
 {% if ingress_nginx_nodeselector %}
      nodeSelector:
        {{ ingress_nginx_nodeselector | to_nice_yaml | indent(width=8) }}
 {%- endif %}
 {% if ingress_nginx_tolerations %}
      tolerations:
        {{ ingress_nginx_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
 {% endif %}
      priorityClassName: {% if ingress_nginx_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      containers:
        - name: ingress-nginx-controller
          image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/ingress-nginx
            - --election-id=ingress-controller-leader-{{ ingress_nginx_class }}
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
            - --ingress-class={{ ingress_nginx_class }}
 {% if ingress_nginx_without_class %}
            - --watch-ingress-without-class=true
 {% endif %}
 {% if ingress_publish_status_address != "" %}
            - --publish-status-address={{ ingress_publish_status_address }}
 {% elif ingress_nginx_host_network %}
            - --report-node-internal-ip-address
 {% elif ingress_nginx_publish_service != "" %}
            - --publish-service={{ ingress_nginx_publish_service }}
 {% endif %}
 {% for extra_arg in ingress_nginx_extra_args %}
            - {{ extra_arg }}
 {% endfor %}
 {% if ingress_nginx_webhook_enabled %}
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
 {% endif %}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
              - NET_BIND_SERVICE
              drop:
              - ALL
            readOnlyRootFilesystem: false
            runAsGroup: 82
            runAsNonRoot: true
            runAsUser: 101
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          ports:
            - name: http
              containerPort: 80
              hostPort: {{ ingress_nginx_insecure_port }}
            - name: https
              containerPort: 443
              hostPort: {{ ingress_nginx_secure_port }}
            - name: metrics
              containerPort: 10254
 {% if not ingress_nginx_host_network %}
              hostPort: {{ ingress_nginx_metrics_port }}
 {% endif %}
 {% if ingress_nginx_configmap_tcp_services %}
 {% for port in ingress_nginx_configmap_tcp_services.keys() %}
            - name: tcp-port-{{ port }}
              containerPort: {{ port | int }}
              protocol: TCP
 {% if not ingress_nginx_host_network %}
              hostPort: {{ port | int }}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_configmap_udp_services %}
 {% for port in ingress_nginx_configmap_udp_services.keys() %}
            - name: udp-port-{{ port }}
              containerPort: {{ port | int }}
              protocol: UDP
 {% if not ingress_nginx_host_network %}
              hostPort: {{ port | int }}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_webhook_enabled %}
            - name: webhook
              containerPort: 8443
              protocol: TCP
 {% endif %}
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
 {% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
          volumeMounts:
 {% if ingress_nginx_webhook_enabled %}
            - mountPath: /usr/local/certificates/
              name: webhook-cert
              readOnly: true
 {% endif %}
 {% if ingress_nginx_opentelemetry_enabled %}
            - name: modules
              mountPath: /modules_mount
 {% endif %}
 {% endif %}
 {% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
      volumes:
 {% if ingress_nginx_webhook_enabled %}
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
 {% endif %}
 {% if ingress_nginx_opentelemetry_enabled %}
        - name: modules
          emptyDir: {}
 {% endif %}
 {% endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2
@@ -0,0 +1,13 @@
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
  name: {{ ingress_nginx_class }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_default %}
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
 {% endif %}
 spec:
  controller: k8s.io/ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
@@ -0,0 +1,17 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
 rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
@@ -0,0 +1,47 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps", "pods", "secrets", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    # Defaults to "<election-id>", defined in
    # ds-ingress-nginx-controller.yml.js
    # by a command-line argument.
    #
    # This is the correct behaviour for ingress-controller
    # version 1.8.1
    resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class }}"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
@@ -0,0 +1,17 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
@@ -0,0 +1,17 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
@@ -0,0 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
@@ -0,0 +1,9 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
@@ -0,0 +1,18 @@
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-controller-admission
  namespace: {{ ingress_nginx_namespace }}
 spec:
  type: ClusterIP
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
@@ -0,0 +1,50 @@
 {% if not ingress_nginx_host_network %}
 apiVersion: v1
 kind: Service
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_service_annotations %}
  annotations:
    {{ ingress_nginx_service_annotations | to_nice_yaml(indent=2, width=1337) | indent(width=4) }}
 {% endif %}
 spec:
  type: {{ ingress_nginx_service_type }}
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
 {% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_http %}
      nodePort: {{ingress_nginx_service_nodeport_http | int}}
 {% endif %}
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
 {% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_https %}
      nodePort: {{ingress_nginx_service_nodeport_https | int}}
 {% endif %}
 {% if ingress_nginx_configmap_tcp_services %}
 {% for port in ingress_nginx_configmap_tcp_services.keys() %}
    - name: tcp-port-{{ port }}
      port: {{ port | int }}
      targetPort: {{ port | int }}
      protocol: TCP
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_configmap_udp_services %}
 {% for port in ingress_nginx_configmap_udp_services.keys() %}
    - name: udp-port-{{ port }}
      port: {{ port | int }}
      targetPort: {{ port | int }}
      protocol: UDP
 {% endfor %}
 {% endif %}
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% endif %}
--- a/roles/kubernetes-apps/ingress_controller/meta/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/meta/main.yml
@@ -1,5 +1,12 @@
 ---
 dependencies:
  - role: kubernetes-apps/ingress_controller/ingress_nginx
    when: ingress_nginx_enabled
    tags:
      - apps
      - ingress-controller
      - ingress-nginx
  - role: kubernetes-apps/ingress_controller/cert_manager
    when: cert_manager_enabled
    tags:
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
@@ -114,14 +114,4 @@ rules:
      - update
      # watch for changes
      - watch
  # Services are monitored for service LoadBalancer IP allocation
  - apiGroups: [""]
    resources:
      - services
      - services/status
    verbs:
      - get
      - list
      - update
      - watch
 {% endif %}
--- a/roles/kubernetes-apps/registry/tasks/main.yml
+++ b/roles/kubernetes-apps/registry/tasks/main.yml
@@ -43,12 +43,12 @@
      - { name: registry-cm, file: registry-cm.yml, type: cm }
      - { name: registry-rs, file: registry-rs.yml, type: rs }
- name: Registry | Append ingress templates to Registry Templates list when ALB ingress enabled
+- name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled
  set_fact:
    registry_templates: "{{ registry_templates + [item] }}"
  with_items:
    - [{ name: registry-ing, file: registry-ing.yml, type: ing }]
-  when: ingress_alb_enabled
+  when: ingress_nginx_enabled or ingress_alb_enabled
 - name: Registry | Create manifests
  template:
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -26,7 +26,7 @@
    mode: "0700"
    state: directory
- name: Write admin kubeconfig to current/ansible become user home
+- name: Copy admin kubeconfig to current/ansible become user home
  copy:
    src: "{{ kube_config_dir }}/admin.conf"
    dest: "{{ ansible_env.HOME | default('/root') }}/.kube/config"
@@ -51,38 +51,41 @@
    port: "{{ kube_apiserver_port }}"
    timeout: 180
- name: Create kubeconfig localhost artifacts
+- name: Get admin kubeconfig from remote host
  slurp:
    src: "{{ kube_config_dir }}/admin.conf"
  run_once: true
  register: raw_admin_kubeconfig
  when: kubeconfig_localhost
  block:
    - name: Generate admin kubeconfig using kubeadm
      command: >-
        {{ bin_dir }}/kubeadm kubeconfig user
        --client-name=kubernetes-admin-{{ cluster_name }}
        --org=kubeadm:cluster-admins
        --config {{ kube_config_dir }}/kubeadm-config.yaml
      register: kubeadm_admin_kubeconfig
      changed_when: false
      run_once: true
      delegate_to: "{{ groups['kube_control_plane'][0] }}"
-    - name: Write admin kubeconfig on ansible host
+- name: Convert kubeconfig to YAML
-      copy:
+  set_fact:
-        content: "{{ kubeadm_admin_kubeconfig.stdout | from_yaml | combine(override, recursive=true) | to_nice_yaml(indent=2) }}"
+    admin_kubeconfig: "{{ raw_admin_kubeconfig.content | b64decode | from_yaml }}"
-        dest: "{{ artifacts_dir }}/admin.conf"
+  when: kubeconfig_localhost
-        mode: "0600"
+
-      vars:
+- name: Override username in kubeconfig
-        admin_kubeconfig: "{{ kubeadm_admin_kubeconfig.stdout | from_yaml }}"
+  set_fact:
-        context: "kubernetes-admin-{{ cluster_name }}@{{ cluster_name }}"
+    final_admin_kubeconfig: "{{ admin_kubeconfig | combine(override_cluster_name, recursive=true) | combine(override_context, recursive=true) | combine(override_user, recursive=true) }}"
-        override:
+  vars:
-          clusters:
+    cluster_infos: "{{ admin_kubeconfig['clusters'][0]['cluster'] }}"
-            - "{{ admin_kubeconfig['clusters'][0] | combine({'name': cluster_name, 'cluster': admin_kubeconfig['clusters'][0]['cluster'] | combine({'server': 'https://' + (external_apiserver_address | ansible.utils.ipwrap) + ':' + (external_apiserver_port | string)})}, recursive=true) }}"
+    user_certs: "{{ admin_kubeconfig['users'][0]['user'] }}"
-          contexts:
+    username: "kubernetes-admin-{{ cluster_name }}"
-            - "{{ admin_kubeconfig['contexts'][0] | combine({'name': context, 'context': admin_kubeconfig['contexts'][0]['context'] | combine({'cluster': cluster_name})}, recursive=true) }}"
+    context: "kubernetes-admin-{{ cluster_name }}@{{ cluster_name }}"
-          current-context: "{{ context }}"
+    override_cluster_name: "{{ {'clusters': [{'cluster': (cluster_infos | combine({'server': 'https://' + (external_apiserver_address | ansible.utils.ipwrap) + ':' + (external_apiserver_port | string)})), 'name': cluster_name}]} }}"
-      delegate_to: localhost
+    override_context: "{{ {'contexts': [{'context': {'user': username, 'cluster': cluster_name}, 'name': context}], 'current-context': context} }}"
-      connection: local
+    override_user: "{{ {'users': [{'name': username, 'user': user_certs}]} }}"
-      become: false
+  when: kubeconfig_localhost
-      run_once: true
+
 - name: Write admin kubeconfig on ansible host
  copy:
    content: "{{ final_admin_kubeconfig | to_nice_yaml(indent=2) }}"
    dest: "{{ artifacts_dir }}/admin.conf"
    mode: "0600"
  delegate_to: localhost
  connection: local
  become: false
  run_once: true
  when: kubeconfig_localhost
 - name: Copy kubectl binary to ansible host
  fetch:
--- a/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml
@@ -0,0 +1,17 @@
 ---
 - name: Update server field in component kubeconfigs
  lineinfile:
    dest: "{{ kube_config_dir }}/{{ item }}"
    regexp: '^    server: https'
    line: '    server: {{ kube_apiserver_endpoint }}'
    backup: true
  with_items:
    - admin.conf
    - controller-manager.conf
    - kubelet.conf
    - scheduler.conf
  notify:
    - "Control plane | Restart kube-controller-manager"
    - "Control plane | Restart kube-scheduler"
    - "Control plane | reload kubelet"
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -99,6 +99,9 @@
  include_tasks: kubeadm-etcd.yml
  when: etcd_deployment_type == "kubeadm"
 - name: Include kubeadm secondary server apiserver fixes
  include_tasks: kubeadm-fix-apiserver.yml
 - name: Cleanup unused AuthorizationConfiguration file versions
  file:
    path: "{{ kube_config_dir }}/apiserver-authorization-config-{{ item }}.yaml"
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -429,9 +429,6 @@ featureGates:
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 {% if kube_version is version('1.35.0', '>=') %}
 failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
 {% endif %}
 clusterDNS:
 {% for dns_address in kubelet_cluster_dns %}
 - {{ dns_address }}
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -563,9 +563,6 @@ featureGates:
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 {% if kube_version is version('1.35.0', '>=') %}
 failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
 {% endif %}
 clusterDNS:
 {% for dns_address in kubelet_cluster_dns %}
 - {{ dns_address }}
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -15,9 +15,6 @@ authorization:
 {% else %}
  mode: AlwaysAllow
 {% endif %}
 {% if kube_version is version('1.35.0', '>=') %}
 failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
 {% endif %}
 {% if kubelet_enforce_node_allocatable is defined and kubelet_enforce_node_allocatable != "\"\"" %}
 {% set kubelet_enforce_node_allocatable_list = kubelet_enforce_node_allocatable.split(",") %}
 enforceNodeAllocatable:
--- a/roles/kubespray_defaults/defaults/main/download.yml
+++ b/roles/kubespray_defaults/defaults/main/download.yml
@@ -159,7 +159,7 @@ kubeadm_download_url: "{{ dl_k8s_io_url }}/release/v{{ kube_version }}/bin/linux
 etcd_download_url: "{{ github_url }}/etcd-io/etcd/releases/download/v{{ etcd_version }}/etcd-v{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
 cni_download_url: "{{ github_url }}/containernetworking/plugins/releases/download/v{{ cni_version }}/cni-plugins-linux-{{ image_arch }}-v{{ cni_version }}.tgz"
 calicoctl_download_url: "{{ github_url }}/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
-calico_crds_download_url: "{{ github_url }}/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
+calico_crds_download_url: "{{ github_url }}/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
 ciliumcli_download_url: "{{ github_url }}/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
 crictl_download_url: "{{ github_url }}/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/crictl-v{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
 crio_download_url: "{{ storage_googleapis_url }}/cri-o/artifacts/cri-o.{{ image_arch }}.v{{ crio_version }}.tar.gz"
@@ -263,7 +263,7 @@ kube_router_image_tag: "v{{ kube_router_version }}"
 multus_image_repo: "{{ github_image_repo }}/k8snetworkplumbingwg/multus-cni"
 multus_image_tag: "v{{ multus_version }}"
 external_openstack_cloud_controller_image_repo: "{{ kube_image_repo }}/provider-os/openstack-cloud-controller-manager"
-external_openstack_cloud_controller_image_tag: "v1.35.0"
+external_openstack_cloud_controller_image_tag: "v1.32.0"
 kube_vip_version: 1.0.3
 kube_vip_image_repo: "{{ github_image_repo }}/kube-vip/kube-vip{{ '-iptables' if kube_vip_lb_fwdmethod == 'masquerade' else '' }}"
@@ -277,9 +277,9 @@ haproxy_image_tag: 3.2.4-alpine
 # bundle with kubeadm; if not 'basic' upgrade can sometimes fail
 coredns_supported_versions:
  '1.35': 1.12.4
  '1.34': 1.12.1
  '1.33': 1.12.0
  '1.32': 1.11.3
 coredns_version: "{{ coredns_supported_versions[kube_major_version] }}"
 coredns_image_repo: "{{ kube_image_repo }}{{ '/coredns' if coredns_version is version('1.7.1', '>=') else '' }}/coredns"
 coredns_image_tag: "{{ 'v' if coredns_version is version('1.7.1', '>=') else '' }}{{ coredns_version }}"
@@ -309,6 +309,13 @@ local_volume_provisioner_image_tag: "v{{ local_volume_provisioner_version }}"
 local_path_provisioner_version: "0.0.32"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}"
 ingress_nginx_version: "1.13.3"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
 ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}"
 ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
 ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
 ingress_nginx_kube_webhook_certgen_image_tag: "v1.6.3"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "1.15.3"
@@ -333,9 +340,9 @@ csi_livenessprobe_image_repo: "{{ kube_image_repo }}/sig-storage/livenessprobe"
 csi_livenessprobe_image_tag: "v2.11.0"
 snapshot_controller_supported_versions:
  '1.35': "v7.0.2"
  '1.34': "v7.0.2"
  '1.33': "v7.0.2"
  '1.32': "v7.0.2"
 snapshot_controller_image_repo: "{{ kube_image_repo }}/sig-storage/snapshot-controller"
 snapshot_controller_image_tag: "{{ snapshot_controller_supported_versions[kube_major_version] }}"
@@ -770,9 +777,14 @@ downloads:
  calico_crds:
    file: true
    enabled: "{{ kube_network_plugin == 'calico' and calico_datastore == 'kdd' }}"
-    dest: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crds.yaml"
+    dest: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/{{ calico_version }}.tar.gz"
-    checksum: "{{ calico_crds_checksums.no_arch[calico_version] }}"
+    checksum: "{{ calico_crds_archive_checksums.no_arch[calico_version] }}"
    url: "{{ calico_crds_download_url }}"
    unarchive: true
    unarchive_extra_opts:
      - "--strip=3"
      - "--wildcards"
      - "*/libcalico-go/config/crd/"
    owner: "root"
    mode: "0755"
    groups:
@@ -907,6 +919,15 @@ downloads:
    groups:
      - kube_node
  ingress_nginx_controller:
    enabled: "{{ ingress_nginx_enabled }}"
    container: true
    repo: "{{ ingress_nginx_controller_image_repo }}"
    tag: "{{ ingress_nginx_controller_image_tag }}"
    checksum: "{{ ingress_nginx_controller_digest_checksum | default(None) }}"
    groups:
      - kube_node
  ingress_alb_controller:
    enabled: "{{ ingress_alb_enabled }}"
    container: true
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
@@ -17,9 +17,6 @@ kube_api_anonymous_auth: true
 # Default value, but will be set to true automatically if detected
 is_fedora_coreos: false
 # Kubernetes 1.35+: fail on cgroup v1 by default
 kubelet_fail_cgroup_v1: true
 # Swap settings
 kubelet_fail_swap_on: true
 kubelet_swap_behavior: LimitedSwap
@@ -455,6 +452,7 @@ vsphere_csi_enabled: false
 upcloud_csi_enabled: false
 csi_snapshot_controller_enabled: false
 persistent_volumes_enabled: false
 ingress_nginx_enabled: false
 ingress_alb_enabled: false
 cert_manager_enabled: false
 expand_persistent_volumes: false
--- a/roles/kubespray_defaults/vars/main/checksums.yml
+++ b/roles/kubespray_defaults/vars/main/checksums.yml
@@ -1,20 +1,19 @@
 ---
 crictl_checksums:
  arm64:
    1.35.0: sha256:519071de89b64c43e2a1661bb5489c6c3fd5e9e5fcef75e50e542b0c891f1118
    1.34.0: sha256:c31d252e203df5f4cf37f314bd3092eb79087e791631c1e607087c74b6d0423f
    1.33.0: sha256:e1f34918d77d5b4be85d48f5d713ca617698a371b049ea1486000a5e86ab1ff3
    1.32.0: sha256:f2f4e20658b72d00897f41e4b57093c8080e2d800ee894a5f4351f31d1833e30
  amd64:
    1.35.0: sha256:2e141e5b22cb189c40365a11807d69b76b9b3caced89fac2f4ec879408ce2177
    1.34.0: sha256:a8ff2a3edb37a98daf3aba7c3b284fe0aa5bff24166d896ab9ef64c8913c9f51
    1.33.0: sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f
    1.32.0: sha256:f050b71d3a73a91a4e0990b90143ed04dcd100cc66f953736fcb6a2730e283c4
  ppc64le:
    1.35.0: sha256:786522b14d684604c8b435312a310972bc1b460cddb1bb216a298098cd86b22e
    1.34.0: sha256:1da50181f2f6f6f6332b9dbc7d7cc020457ccd542620167953c0e288535acc93
    1.33.0: sha256:4224acfef4d1deba2ba456b7d93fa98feb0a96063ef66024375294f1de2b064f
    1.32.0: sha256:4ffaf29bbda8df42ed2dda4f1ad33cc785987701dc8d1e0043c17cfea9af43e0
 crio_archive_checksums:
  arm64:
    1.35.0: sha256:e57175a4d00387b78adfbe248d087d8127bed625afb529e34b2c90d08cfdaf87
    1.34.5: sha256:999a5dc2dc9854222aeff8a20897e0b34f0ba02c9b260b611d66c62e00e279e0
    1.34.4: sha256:d176f6256d606a3fc279f9f2994ef4a4c4cbaaa0601f4d1bba1a19bec5674ce9
    1.34.3: sha256:314595247054b53767a736e24bc3030a5f7c17552944c62b2e190c9e95fe4ca6
@@ -46,7 +45,6 @@ crio_archive_checksums:
    1.32.1: sha256:f64da0ef41604575b476ad6d7288ca14f56fc06cc0ca138a5c3dc933427f7b32
    1.32.0: sha256:b092eddabedac98a0f8449dc535acfec0e14c21f59cabe8f9703043d995a1a41
  amd64:
    1.35.0: sha256:55b6d3e9fc9a5864ab5cdf0b24d54b1dcbaf6d4919274b3b9eb37bfc4b0b8cb5
    1.34.5: sha256:d6606fb6d686b8f814dfec801f0f3cf2ded974c194fa90facefda36075b6fab2
    1.34.4: sha256:f6348a781c34b433fe1c5150da3408e51e828b610eacbe734405e9c31136d810
    1.34.3: sha256:e269914f3bc4f36ac87cd593d74daaa43c390571994062180019248be32cc6f7
@@ -78,7 +76,6 @@ crio_archive_checksums:
    1.32.1: sha256:d35de1e765481018c7ccdc92edeb59b25938f3bd9d1670440e7ccd3d599f95a7
    1.32.0: sha256:8f483f1429d2d9cd6bfa6db2e3a4263151701dd4f05f2b1c06cf8e67c44ea67e
  ppc64le:
    1.35.0: sha256:081ab73a6970ac3c68893dea9a03b0732ca22ab44a2aa8794fddac0bd4dfa749
    1.34.5: sha256:3a10d4c1406df01bd9ab88750eabc1273964e9c5f24c7d4a0b719ae77e6cfec2
    1.34.4: sha256:dca59a28fe9b0b9163418eca1545c9ed01cf514179f108d14e462c6074fd103c
    1.34.3: sha256:4dd782484eeb460b9a95e6e2e07474216fc02ad45a27ba871799d18f2b6ee0ae
@@ -111,7 +108,6 @@ crio_archive_checksums:
    1.32.0: sha256:e0544544c91f603afaf54ed814c8519883212bcb149f53a8be9bb0c749e9ec86
 kubelet_checksums:
  arm64:
    1.35.0: sha256:aa658d077348b43d238f50966a583f4244b2a7d45590c77b3b165b7d44983ab8
    1.34.3: sha256:765b740e3ad9c590852652a2623424ec60e2dddce2c6280d7f042f56c8c98619
    1.34.2: sha256:3e31b1bee9ab32264a67af8a19679777cd372b1c3a04b5d7621289cf137b357c
    1.34.1: sha256:6a66bc08d6c637fcea50c19063cf49e708fde1630a7f1d4ceca069a45a87e6f1
@@ -124,8 +120,19 @@ kubelet_checksums:
    1.33.2: sha256:0fa15aca9b90fe7aef1ed3aad31edd1d9944a8c7aae34162963a6aaaf726e065
    1.33.1: sha256:10540261c311ae005b9af514d83c02694e12614406a8524fd2d0bad75296f70d
    1.33.0: sha256:ae5a4fc6d733fc28ff198e2d80334e21fcb5c34e76b411c50fff9cb25accf05a
    1.32.11: sha256:7d1c3aaae0dffa8d5c90bbaed49f25d32f98332801bde55cfea6efaead639491
    1.32.10: sha256:21cc3d98550d3a23052d649e77956f2557e7f6119ff1e27dc82b852d006136cd
    1.32.9: sha256:29037381c79152409adacee83448a2bdb67e113f003613663c7589286200ded8
    1.32.8: sha256:d5527714fac08eac4c1ddcbd8a3c6db35f3acd335d43360219d733273b672cce
    1.32.7: sha256:b862a8d550875924c8abed6c15ba22564f7e232c239aa6a2e88caf069a0ab548
    1.32.6: sha256:b045d4f8f96bf934c894f9704ab2931ffa3c6cf78a8d98e457482a6c455dab6d
    1.32.5: sha256:034753a2e308afeb4ce3cf332d38346c6e660252eac93b268fac0e112a56ff46
    1.32.4: sha256:91117b71eb2bb3dd79ec3ed444e058a347349108bf661838f53ee30d2a0ff168
    1.32.3: sha256:5c3c98e6e0fa35d209595037e05022597954b8d764482417a9588e15218f0fe2
    1.32.2: sha256:d74b659bbde5adf919529d079975900e51e10bc807f0fda9dc9f6bb07c4a3a7b
    1.32.1: sha256:8e6d0eeedd9f0b8b38d4f600ee167816f71cf4dacfa3d9a9bb6c3561cc884e95
    1.32.0: sha256:bda9b2324c96693b38c41ecea051bab4c7c434be5683050b5e19025b50dbc0bf
  amd64:
    1.35.0: sha256:2f4ed7778681649b81244426c29c5d98df60ccabf83d561d69e61c1cbb943ddf
    1.34.3: sha256:0e759f40bbc717c05227ae3994b77786f58f59ffa0137a34958c6b26fa5bcbbd
    1.34.2: sha256:9c5e717b774ee9b9285ce47e7d2150c29e84837eb19a7eaa24b60b1543c9d58f
    1.34.1: sha256:5a72c596c253ea0b0e5bcc6f29903fd41d1d542a7cadf3700c165a2a041a8d82
@@ -138,8 +145,19 @@ kubelet_checksums:
    1.33.2: sha256:77fa5d29995653fe7e2855759a909caf6869c88092e2f147f0b84cbdba98c8f3
    1.33.1: sha256:f7224648451dd4f9f2c4f79416f9874223c286ce41727788965fd0341ddb59c4
    1.33.0: sha256:dd416d94850c342226d3dcdce838518b040ccea16548bfeaf2595934af88ef60
    1.32.11: sha256:02b25e87a3fe14e9ea74c10d3b1e204d12af30b8ce7ed11af2a985b49ddb0b83
    1.32.10: sha256:bfff8f244992162c0491f8f42d807165ed5c685aecfb3e8000412535ad18a873
    1.32.9: sha256:fd7711d1f0c1e263e9332004858fc4a6c39462e3e2ee485706eea5297966ed9c
    1.32.8: sha256:7dfca4da9cdf592c0f70800e09fb42553765bc0951cade3d6e0c571daf3f23ee
    1.32.7: sha256:7ab96898436475640cbd416b2446f33aba1c2cb62dae876302ff7775d850041c
    1.32.6: sha256:aa37219c4796a2fbf5af7f37fb7f11998947f9fd0d0f30dbeb40c47d4e9c8777
    1.32.5: sha256:2b2988edd1646bf139dee6956d4283c520ff151a36febd10701ffda4852b8250
    1.32.4: sha256:3e0c265fe80f3ea1b7271a00879d4dbd5e6ea1e91ecf067670c983e07c33a6f4
    1.32.3: sha256:024bb7faffa787c7717a2b37398a8c6df35694a8585a73074b052c3f4c4906ce
    1.32.2: sha256:9927fee1678202719075d8d546390bcda86c9e519b811fb7f4820b6823f84cab
    1.32.1: sha256:967dc8984651c48230a2ff5319e22cbf858452e974104a19bbade5d1708f72ad
    1.32.0: sha256:5ad4965598773d56a37a8e8429c3dc3d86b4c5c26d8417ab333ae345c053dae2
  ppc64le:
    1.35.0: sha256:f24eb1244878a3876fe180e6052822cc9998033850478b2f4776e5c3b09baecd
    1.34.3: sha256:67dcceb6d91710e4da7af720eda7b20fd4e8c24237fc345602bb54439ad8ccca
    1.34.2: sha256:a195f278b9bac26803f1e26b0f608e0dce66aad033e8c043e8555775612530c9
    1.34.1: sha256:c4782dbf1987680e9b2baa3ecf5db9e66395772e82b251eb73a150fbfbe0b906
@@ -152,9 +170,20 @@ kubelet_checksums:
    1.33.2: sha256:be8412cb9bf30125e3a88ecb9bfca4df1ff5d4e650947c46222683071f1a17d7
    1.33.1: sha256:c1bc01115a513eaec76d56dc52a52aeb05f866a6d07c55335c1fff56c868543d
    1.33.0: sha256:6fa5abbc14d65b943b00fcfc8a6ac7eb39fd7e924271738c6f17e0b7e74c665b
    1.32.11: sha256:17baef329a468f958658f3e4c3f04689dd2506077214e36d4495b8d0c6776da9
    1.32.10: sha256:277e68bcf192ea91f3426b8fb540c4951e2e3bffc659a7b39b98c749e828acc7
    1.32.9: sha256:81ba713e8b51644336d428dfa5654cc4e2e4a4ea742976b56ddf965a347330e5
    1.32.8: sha256:ec5a2e045dc49b7e1d34a0c78fbc645ce568b2275e807b6313da46e584f56f68
    1.32.7: sha256:4ddc5a0b42100295896a43a1a637180872293c9f7305a90dd3377681b1401469
    1.32.6: sha256:fd0140949b02c82539ff84db15d0d406445f34221d0547e7ee31245cd982ff47
    1.32.5: sha256:b9cb7bf4b5518e1b5542717c82a753663154e08c84e336feba424cf3575313a3
    1.32.4: sha256:62e7854ea84bf0fd5a9c47a1ab7ade7a74b4f160efdf486320ed913b4e8e7f79
    1.32.3: sha256:efc2b01d4ab74f283ab4ff2bad4369e2b9f66fa875673b72627aa6e7a7b507cb
    1.32.2: sha256:3602474e25b0b42a4b0f43ece2ca1e03fe5f3864f0936537256920bbb2eb9acd
    1.32.1: sha256:623889368808042a236d7078d85a23ce5ef0e43b6fadc09bcacfdf704ac876b4
    1.32.0: sha256:99d409a8023224d84c361e29cdf21ac0458a5449f03e12550288aa654539e3a1
 kubectl_checksums:
  arm:
    1.35.0: sha256:dca28f6af03b31ca6043baa1da7332472c7a3df743606a758534b9ac3ed7ecce
    1.34.3: sha256:e0cf1eddede6abfd539e30ccbb4e50f65b2d6ff44b3bb9d9107ea8775a90a7e4
    1.34.2: sha256:18e03c1c6ab1dbff6d2a648bf944213f627369d1daeea5b43a7890181ab33abf
    1.34.1: sha256:ca6218ae8bf366bd8ccdcb440b756c67422a4e04936163845f74d8c056e786ee
@@ -167,8 +196,19 @@ kubectl_checksums:
    1.33.2: sha256:f3992382aa0ea21f71a976b6fd6a213781c9b58be60c42013950110cf2184f2a
    1.33.1: sha256:6b1cd6e2bf05c6adaa76b952f9c4ea775f5255913974ccdb12145175d4809e93
    1.33.0: sha256:bbb4b4906d483f62b0fc3a0aea3ddac942820984679ad11635b81ee881d69ab3
    1.32.11: sha256:358dafd910cec676f05e04fbed44ea26ec393cd60b5b885bc60c27e1aaf383c9
    1.32.10: sha256:b42bc77586238b43b8c5cdd06086f1ab00190245dd8b66b28822785b177fbde4
    1.32.9: sha256:84629d460b60693ca954e148ce522defd34d18bc5c934836cfaf0268930713dd
    1.32.8: sha256:ed54b52631fdf5ecc4ddb12c47df481f84b5890683beaeaa55dc84e43d2cd023
    1.32.7: sha256:c5416b59afdf897c4fbf08867c8a32b635f83f26e40980d38233fad6b345e37c
    1.32.6: sha256:77fec65c6f08c28f8695de4db877d82d74c881ed3ed110ebfd88cbd4ee3d01dc
    1.32.5: sha256:7270e6ac4b82b5e4bd037dccae1631964634214baa66a9548deb5edd3f79de31
    1.32.4: sha256:bf28793213039690d018bbfa9bcfcfed76a9aa8e18dc299eced8709ca542fcdd
    1.32.3: sha256:f990c878e54e5fac82eac7398ef643acca9807838b19014f1816fa9255b2d3d9
    1.32.2: sha256:e1e6a2fd4571cd66c885aa42b290930660d34a7331ffb576fcab9fd1a0941a83
    1.32.1: sha256:8ccf69be2578d3a324e9fc7d4f3b29bc9743cc02d72f33ba2d0fe30389014bc8
    1.32.0: sha256:6b33ea8c80f785fb07be4d021301199ae9ee4f8d7ea037a8ae544d5a7514684e
  arm64:
    1.35.0: sha256:58f82f9fe796c375c5c4b8439850b0f3f4d401a52434052f2df46035a8789e25
    1.34.3: sha256:46913a7aa0327f6cc2e1cc2775d53c4a2af5e52f7fd8dacbfbfd098e757f19e9
    1.34.2: sha256:95df604e914941f3172a93fa8feeb1a1a50f4011dfbe0c01e01b660afc8f9b85
    1.34.1: sha256:420e6110e3ba7ee5a3927b5af868d18df17aae36b720529ffa4e9e945aa95450
@@ -181,8 +221,19 @@ kubectl_checksums:
    1.33.2: sha256:54dc02c8365596eaa2b576fae4e3ac521db9130e26912385e1e431d156f8344d
    1.33.1: sha256:d595d1a26b7444e0beb122e25750ee4524e74414bbde070b672b423139295ce6
    1.33.0: sha256:48541d119455ac5bcc5043275ccda792371e0b112483aa0b29378439cf6322b9
    1.32.11: sha256:b1c91c106ec20e61c5dff869e9a39e6af4fb96572bddaac9cce307dfa3ed2348
    1.32.10: sha256:1f4229526e16bf9f5b854fbf3bdb9c7040404a29c1d1e4193258b8a73de06e92
    1.32.9: sha256:d5f6b45ad81b7d199187a28589e65f83406e0610b036491a9abaa49bfd04a708
    1.32.8: sha256:8a7371e54187249389a9aa222b150d61a4a745c121ab24dbcbb56d1ac2d0b912
    1.32.7: sha256:232f6e517633fbb4696c9eb7a0431ee14b3fccbb47360b4843d451e0d8c9a3a2
    1.32.6: sha256:f7bac84f8c35f55fb2c6ad167beb59eba93de5924b50bbaa482caa14ff480eec
    1.32.5: sha256:9edee84103e63c40a37cd15bd11e04e7835f65cb3ff5a50972058ffc343b4d96
    1.32.4: sha256:c6f96d0468d6976224f5f0d81b65e1a63b47195022646be83e49d38389d572c2
    1.32.3: sha256:6c2c91e760efbf3fa111a5f0b99ba8975fb1c58bb3974eca88b6134bcf3717e2
    1.32.2: sha256:7381bea99c83c264100f324c2ca6e7e13738a73b8928477ac805991440a065cd
    1.32.1: sha256:98206fd83a4fd17f013f8c61c33d0ae8ec3a7c53ec59ef3d6a0a9400862dc5b2
    1.32.0: sha256:ba4004f98f3d3a7b7d2954ff0a424caa2c2b06b78c17b1dccf2acc76a311a896
  amd64:
    1.35.0: sha256:a2e984a18a0c063279d692533031c1eff93a262afcc0afdc517375432d060989
    1.34.3: sha256:ab60ca5f0fd60c1eb81b52909e67060e3ba0bd27e55a8ac147cbc2172ff14212
    1.34.2: sha256:9591f3d75e1581f3f7392e6ad119aab2f28ae7d6c6e083dc5d22469667f27253
    1.34.1: sha256:7721f265e18709862655affba5343e85e1980639395d5754473dafaadcaa69e3
@@ -195,8 +246,19 @@ kubectl_checksums:
    1.33.2: sha256:33d0cdec6967817468f0a4a90f537dfef394dcf815d91966ca651cc118393eea
    1.33.1: sha256:5de4e9f2266738fd112b721265a0c1cd7f4e5208b670f811861f699474a100a3
    1.33.0: sha256:9efe8d3facb23e1618cba36fb1c4e15ac9dc3ed5a2c2e18109e4a66b2bac12dc
    1.32.11: sha256:48581d0e808bd8b7d3c3fc014e86b170e25a987df04c8a879b982b28a5180815
    1.32.10: sha256:6e14ef4e509e9f3d1dfc2815643f832f853d2d9f6622d4a0f83f77c7e4014b57
    1.32.9: sha256:509ae171bac7ad3b98cc49f5594d6bc84900cf6860f155968d1059fde3be5286
    1.32.8: sha256:0fc709a8262be523293a18965771fedfba7466eda7ab4337feaa5c028aa46b1b
    1.32.7: sha256:b8f24d467a8963354b028796a85904824d636132bef00988394cadacffe959c9
    1.32.6: sha256:0e31ebf882578b50e50fe6c43e3a0e3db61f6a41c9cded46485bc74d03d576eb
    1.32.5: sha256:aaa7e6ff3bd28c262f2d95c8c967597e097b092e9b79bcb37de699e7488e3e7b
    1.32.4: sha256:10d739e9af8a59c9e7a730a2445916e04bc9cbb44bc79d22ce460cd329fa076c
    1.32.3: sha256:ab209d0c5134b61486a0486585604a616a5bb2fc07df46d304b3c95817b2d79f
    1.32.2: sha256:4f6a959dcc5b702135f8354cc7109b542a2933c46b808b248a214c1f69f817ea
    1.32.1: sha256:e16c80f1a9f94db31063477eb9e61a2e24c1a4eee09ba776b029048f5369db0c
    1.32.0: sha256:646d58f6d98ee670a71d9cdffbf6625aeea2849d567f214bc43a35f8ccb7bf70
  ppc64le:
    1.35.0: sha256:8989809d0ac771244dabe50ed742249ac60eeb6d385cd234ee151eb40b7c32c4
    1.34.3: sha256:ae239b7f6f071e47014e1b5b20aa60626e06b32922a6b5054562ae2c5fa82c18
    1.34.2: sha256:49a985986a9add6c229c628bf2a83addebbdeeef40469fce2a54e51b6f1bb05b
    1.34.1: sha256:45499f0728b4a3428400db289edb444609d41787061f09b66f18028c0a73652f
@@ -209,9 +271,20 @@ kubectl_checksums:
    1.33.2: sha256:d1cdf13cb786c1ee6d5bf6d85034f496aa2fee97b287028043eb14c5dc74993f
    1.33.1: sha256:f922dd8f558dc616ebaa34908ceb7964ebb8caadd7c48699d0b791ffff2be1aa
    1.33.0: sha256:580d076c891711ec37afaf5994f72a8aad9d45c25413e6e94648e988a5a9933a
    1.32.11: sha256:4310edfc10fbc64cc69a25d27a1a8c4e134ad6642f8c83a8b0b612768ac63e84
    1.32.10: sha256:544722455bc0a3f57b68e9aafe8bffa0af25d4f0f383848f03ba7aff2cab7e10
    1.32.9: sha256:bdc8af9c1aed9737d58442f59034ad0125efe3a2dfad9f6ec14f1264e7020cc3
    1.32.8: sha256:52cc07556a8f0076d4e48003aa416b486c729e9679dbe2ea92bbd88e5be5cc93
    1.32.7: sha256:c0fb655243a98c4b063f39f2208c7b9d3cbe77b302a8b8b683aabe42e47fc556
    1.32.6: sha256:808e2b86128a9f25922bdb099ebf276ba4220dbf53c63a033348ee119697b22a
    1.32.5: sha256:1fc869a9d620982f16104f3b33c393aba54dd41136d18009bf6fc39accf6465c
    1.32.4: sha256:61a8c1f441900b4e61defcb83bb54f61f883f9e75810897cfabfd6860ae7e195
    1.32.3: sha256:11e1a377f404bdab6e3587375f7c2ee432df80b56d7ccf6151d4e48cd8063f55
    1.32.2: sha256:c25500027cd331ae3e65bed2612491c5307721894e9d39e869f24ca14973677f
    1.32.1: sha256:46d98d3463e065dff035d76f6c2b604c990d79634cc574d43b0c21f0367bbf0c
    1.32.0: sha256:9f3f239e2601ce53ec4e70b80b7684f9c89817cc9938ed0bb14f125a3c4f8c8f
 kubeadm_checksums:
  arm64:
    1.35.0: sha256:1dac7dc2c6a56548bbc6bf8a7ecf4734f2e733fb336d7293d84541ebe52d0e50
    1.34.3: sha256:697cf3aa54f1a5740b883a3b18a5d051b4032fd68ba89af626781a43ec9bccc3
    1.34.2: sha256:065f7de266c59831676cc48b50f404fd18d1f6464502d53980957158e4cab3a7
    1.34.1: sha256:b0dc5cf091373caf87d069dc3678e661464837e4f10156f1436bd35a9a7db06b
@@ -224,8 +297,19 @@ kubeadm_checksums:
    1.33.2: sha256:21efc1ba54a1cf25ac68208b7dde2e67f6d0331259f432947d83e70b975ad4cc
    1.33.1: sha256:5b3e3a1e18d43522fdee0e15be13a42cee316e07ddcf47ef718104836edebb3e
    1.33.0: sha256:746c0ee45f4d32ec5046fb10d4354f145ba1ff0c997f9712d46036650ad26340
    1.32.11: sha256:0190c49b61b065409b1e99c70e5ec3c52576bf8902432fb2c97bf1d0d2777b69
    1.32.10: sha256:a201f246be3d2c35ffa7fc51a1d2596797628f9b1455da52a246b42ce8e1f779
    1.32.9: sha256:377349141e865849355140c78063fa2b87443bf1aecb06319be4de4df8dbd918
    1.32.8: sha256:8dbd3fa2d94335d763b983caaf2798caae2d4183f6a95ebff28289f2e86edf68
    1.32.7: sha256:a2aad7f7b320c3c847dea84c08e977ba8b5c84d4b7102b46ffd09d41af6c4b51
    1.32.6: sha256:f786731c37ce6e89e6b71d5a7518e4d1c633337237e3803615056eb4640bfc8e
    1.32.5: sha256:2956c694ff2891acdc4690b807f87ab48419b4925d3fad2ac52ace2a1160bd17
    1.32.4: sha256:1b9d97b44758dc4da20d31e3b6d46f50af75ac48be887793e16797a43d9c30e7
    1.32.3: sha256:f9d007aaf1468ea862ef2a1a1a3f6f34cc57358742ceaff518e1533f5a794181
    1.32.2: sha256:fd8a8c1c41d719de703bf49c6f56692dd6477188d8f43dcb77019fd8bc30cbd3
    1.32.1: sha256:55a57145708aaa37f716f140ef774ca64b7088b6df5ee8eae182936ad6580328
    1.32.0: sha256:5da9746a449a3b8a8312b6dd8c48dcb861036cf394306cfbc66a298ba1e8fbde
  amd64:
    1.35.0: sha256:729e7fb34e4f1bfcf2bdaf2a14891ed64bd18c47aaab42f8cc5030875276cfed
    1.34.3: sha256:f9ce265434d306e59d800b26f3049b8430ba71f815947f4bacdcdc33359417fb
    1.34.2: sha256:6a2346006132f6e1ed0b5248e518098cf5abbce25bf11b8926fb1073091b83f4
    1.34.1: sha256:20654fd7c5155057af5c30b86c52c9ba169db6229eee6ac7abab4309df4172e7
@@ -238,8 +322,19 @@ kubeadm_checksums:
    1.33.2: sha256:5c623ec9a9b8584beba510da5c2b775c41cf51c0accdfb43af093bc084563845
    1.33.1: sha256:9a481b0a5f1cee1e071bc9a0867ca0aad5524408c2580596c00767ba1a7df0bd
    1.33.0: sha256:5a65cfec0648cabec124c41be8c61040baf2ba27a99f047db9ca08cac9344987
    1.32.11: sha256:5e191b7329897a16ea87aed75b66f561e7243691620d6b792f34d488285484ce
    1.32.10: sha256:1c5033ee113d9072a53ee1ef3a3b18e566721bb3879b49c6813c67066687afbc
    1.32.9: sha256:183b3b12e39b3ed2dc2db25cbc17769610cdd5f02e9d1325ba747d54978d8f5f
    1.32.8: sha256:da4cc996800db14f82fce8813caa55be318e52ef69d82e50e728ef4cfa18b69f
    1.32.7: sha256:dcd40af0042c559f3218dbd23bf318b850a5213528b428e1637ccb357ac32498
    1.32.6: sha256:7092527a63e5380a6be05cf6041c849ba8d13bf41a2adb2a029f44717f53439f
    1.32.5: sha256:9070c3d469f5a3e777948b63a7a5e6c5bd7682c7416547770a78880fe4293ea9
    1.32.4: sha256:445cdebd140dc0a9f4d18505821dcca77d7a21992133bf6731777f5724968255
    1.32.3: sha256:be42caa726b85b7723605ca8fea22e4a26e0d439b789a3d9d6e636a7078b3db4
    1.32.2: sha256:fb3a90f1bfc78146a8a03b50eb59aaf957a023c1c5a2b166062ef9412550bba6
    1.32.1: sha256:5ed13bb4bc1d5fb4579b8cc8c7c2245356837122f9a3fd729c2f6d1338f58dcf
    1.32.0: sha256:8a10abe691a693d6deeeb1c992bc75da9d8c76718a22327688f7eb1d7c15f0d6
  ppc64le:
    1.35.0: sha256:77a466e1b6a8e28362a729541269de0a7c4a6b9e7770cccefcd745502e656b90
    1.34.3: sha256:2b8b48b3b0eb657e04122a158cb7fcad964fba5bd2d8e07f8eeec6f856a63ecf
    1.34.2: sha256:bea4ed6d971523da794a802de15910b08c09e23bc4c850ee3b953c4bdb0b7976
    1.34.1: sha256:ddb6bd80bee0719924ae901672b99205226badab74fb13a9e1bb6d3de49fbb21
@@ -252,6 +347,18 @@ kubeadm_checksums:
    1.33.2: sha256:1b818900ac7af72a14f50300d6c6ad600eecdc578c37b75fa488cc654ca08c25
    1.33.1: sha256:a772834ba22478c9119f03ecca2a27a70234623d74ff1d7671ee85675a4e830b
    1.33.0: sha256:26cb7ac57d522a59c84c4784b176097d23c7b4e61874fab84ae719d0e43ac0bc
    1.32.11: sha256:c7bb0bbac734290666f6deaba731f4eae46045c94ae53501153e4167dad51d34
    1.32.10: sha256:5cfda89b98b6308f4d28e77eabc0111c3eb3c7b64baccf644ecdbcac90b258d0
    1.32.9: sha256:fcc5aa3401d130156e0b73dab192631108b77e778f3d87838419993aea1ef8d5
    1.32.8: sha256:b5e4f0da030de98f1179a148f6563d69fbfb4c35c2dd1de1d30f000805d12412
    1.32.7: sha256:d87ec6c40aef05df1cb23298aff4a7a6c5af64c8a7a1671d4274385a0601b6cb
    1.32.6: sha256:ec3fdb5f563b000c824bc4438664ae62797bf75cdcee1448e617f296cbd3e955
    1.32.5: sha256:9ace8b24eba37d960a9cafd947015722c383bd695767b7a7c8449a4f6a3f3e9e
    1.32.4: sha256:fb0223765d57c59ff4202445b3768e848b6d383dfac058b5882696bca0286053
    1.32.3: sha256:68cc7669e47575ead58563c39abf89c7faf1c70fb6733ea9c727f303f2af1abf
    1.32.2: sha256:02573483126e39c6b25c769131cf30ea7c470ad635374be343d5e76845a4ecdb
    1.32.1: sha256:ff7f1dd3f1a6a5c0cf2c9977ec7c474bd22908850e33358dd40aeba17d8375b0
    1.32.0: sha256:d79fe8cbd1d98bcbe56b8c0c3a64716603581cecf274951af49aa07748bf175a
 etcd_binary_checksums:
  arm64:
    3.5.26: sha256:93ac1667df0e178ea6d152476ce4088df4075604fe4bc7f85f4719e863cd030b
@@ -482,29 +589,29 @@ ciliumcli_binary_checksums:
    0.16.2: sha256:9cfb7ee5b1d6bd125174675e8aab6f9a09283cde699b5ac201475784ecb864f8
    0.16.1: sha256:9c3bb746e554efc788631629932ab00d13979c75799d957f6d3c17219deb6d45
    0.16.0: sha256:da98675f961833d4ffd68b1046d907b228a7d394ded2abd70a50b20eaca171c4
-calico_crds_checksums:
+calico_crds_archive_checksums:
  no_arch:
-    3.30.6: sha256:b0eb83f6d70afac27e8830f22642cd12b0692e4d1a1b5060caa9231a951e736a
+    3.30.6: sha256:d61aa5bcddfc78b0094acd54e0358009fa79e1cbe6d8c23bdacb34ff7a2c6c82
-    3.30.5: sha256:68bbe7f44693374f1379aa3fa55f254e9a689d070c26d0de26b2c9fb8d1166ab
+    3.30.5: sha256:3a38f91596c204b43c70f642a3e686d8c3fbfdfa5caa7824b716aa2f4a4e568b
-    3.30.4: sha256:be1d346a966a0be79cad7c9856ee5fc0eef8d88b70eba8d4d0bc4be057138bd3
+    3.30.4: sha256:a9398f6de6cce8f683e0ad649a21f3d3b8bb5fe4cd26e7b26b33b9a8c740274f
-    3.30.3: sha256:f813232c182229da17658f59db511acb3997e51973eeb293b57ac0dbb5ccf791
+    3.30.3: sha256:36c50905b9b62a78638bcfb9d1c4faf1efa08e2013265dcd694ec4e370b78dd7
-    3.30.2: sha256:57ccedd965f3dcbfd2a38a53b6b9e84e07232205fb83d23ed2afcee94590eed2
+    3.30.2: sha256:40885e201efb3458bb2e145928aadbe63d6a54c00dd505323776cc9cddc02825
-    3.30.1: sha256:af066bd48e68c391dec3645b94d11a1ca513398ee6c56b5a67f0eb13f13fe21e
+    3.30.1: sha256:3040a1d313bafd30e4e2dea24c2155c8d1afbe3c6e961e0a4a52482d12b32490
-    3.30.0: sha256:ee795478b6ab659ee172de74e1cf974871b37f10290dfc75f4d5eae887ba4ce0
+    3.30.0: sha256:7373910b311213d00cb6f079690c90071b68724cd01b1b4eba04831c26454e1a
-    3.29.7: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.7: sha256:d60fd083ad0279a4bd20109d01689e4eecb7a5e8c6d5e8be2b1718e6057f85e9
-    3.29.6: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.6: sha256:927e35d130d0413399735dc401e8448c783794cb8bb9e169ccdc7b00f516a698
-    3.29.5: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.5: sha256:f36d0b31aaa34f648b211d16f864f262e4700aad30ab0889b327d31c115b6a42
-    3.29.4: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.4: sha256:6d2396fde36ba59ad55a92b5b66643adcc9ee13bb2b3986b1014e2f8f95fa861
-    3.29.3: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.3: sha256:66d49b3af986944e58fede252a2c164251a63f43894181ed7401a6e11dcd8421
-    3.29.2: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.2: sha256:1866b407213b6191627c0ce7be5a0d7c14a016823b3bbc2a6898c57be6c59917
-    3.29.1: sha256:aaa336bf0ef87495eccecae7eb65acaf59508a7f0a44dbeec933e05d73bbe0a0
+    3.29.1: sha256:17894ed9f7487f1418e599fdeff5db9047374dee12d560114e25ff9147a455c3
-    3.29.0: sha256:ed35a2bd383674f4d61b013f2588be1ee08b5e7a26eb3208ba6a5565ebf0175c
+    3.29.0: sha256:403a6b8616c4e97b081d7be27e9024f2f66b2d73a0ea037420a29689205b2064
-    3.28.5: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
+    3.28.5: sha256:c3ca0752eac5cab50dc9ae5bc2e3c2f8eea2d9030c1f9846d2e8563c8a8aec2c
-    3.28.4: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
+    3.28.4: sha256:a296906bd6b38187ba15669139dd6bf8bd26d0b191e9773fa0e85a5cc2d0b5e9
-    3.28.3: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
+    3.28.3: sha256:b31d3aa35119359d619004fe0a8e3332529e396e8c57207ad56d58a2ed4cf3fb
-    3.28.2: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
+    3.28.2: sha256:f02a0e99e060850bd9050d4c94d37df899911a5e357e1d26e1b5b79a923bb389
-    3.28.1: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
+    3.28.1: sha256:c56f1530e7ded9d5b4afb9d83a7a24da6d2959ef7ad38521813f1c2bf138182d
-    3.28.0: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
+    3.28.0: sha256:ee721337db0cd847e91aae1cdfd420596896ebcb865575fd913c2f12ac2cdb76
 helm_archive_checksums:
  arm:
    3.18.4: sha256:34ea88aef15fd822e839da262176a36e865bb9cfdb89b1f723811c0cc527f981
--- a/roles/kubespray_defaults/vars/main/main.yml
+++ b/roles/kubespray_defaults/vars/main/main.yml
@@ -7,14 +7,14 @@ kube_next: "{{ ((kube_version | split('.'))[1] | int) + 1 }}"
 kube_major_next_version: "1.{{ kube_next }}"
 pod_infra_supported_versions:
  '1.35': '3.10.1'
  '1.34': '3.10.1'
  '1.33': '3.10'
  '1.32': '3.10'
 etcd_supported_versions:
  '1.35': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
  '1.34': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
  '1.33': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
  '1.32': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 # Kubespray constants
 kube_proxy_deployed: "{{ 'addon/kube-proxy' not in kubeadm_init_phases_skip }}"
--- a/roles/network_plugin/calico/tasks/check.yml
+++ b/roles/network_plugin/calico/tasks/check.yml
@@ -27,8 +27,8 @@
 - name: Stop if supported Calico versions
  assert:
    that:
-      - "calico_version in calico_crds_checksums.no_arch.keys()"
+      - "calico_version in calico_crds_archive_checksums.no_arch.keys()"
-    msg: "Calico version not supported {{ calico_version }} not in {{ calico_crds_checksums.no_arch.keys() }}"
+    msg: "Calico version not supported {{ calico_version }} not in {{ calico_crds_archive_checksums.no_arch.keys() }}"
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -127,10 +127,12 @@
    - calico_datastore == "kdd"
  block:
    - name: Calico | Create calico manifests for kdd
-      copy:
+      assemble:
-        src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crds.yaml"
+        src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crd/"
        dest: "{{ kube_config_dir }}/kdd-crds.yml"
        mode: "0644"
        delimiter: "---\n"
        regexp: ".*\\.yaml"
        remote_src: true
    - name: Calico | Create Calico Kubernetes datastore resources
--- a/roles/remove-node/post-remove/tasks/main.yml
+++ b/roles/remove-node/post-remove/tasks/main.yml
@@ -1,11 +1,11 @@
 ---
 - name: Remove-node | Delete node
-  command: "{{ kubectl }} delete node {{ kube_override_hostname }}"
+  command: "{{ kubectl }} delete node {{ kube_override_hostname | default(inventory_hostname) }}"
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  when:
    - groups['kube_control_plane'] | length > 0
    # ignore servers that are not nodes
-    - ('k8s_cluster' in group_names) and kube_override_hostname in nodes.stdout_lines
+    - ('k8s_cluster' in group_names) and kube_override_hostname | default(inventory_hostname) in nodes.stdout_lines
  retries: "{{ delete_node_retries }}"
  # Sometimes the api-server can have a short window of indisponibility when we delete a control plane node
  delay: "{{ delete_node_delay_seconds }}"
--- a/roles/remove_node/pre_remove/tasks/main.yml
+++ b/roles/remove_node/pre_remove/tasks/main.yml
@@ -16,11 +16,11 @@
      --ignore-daemonsets
      --grace-period {{ drain_grace_period }}
      --timeout {{ drain_timeout }}
-      --delete-emptydir-data {{ kube_override_hostname }}
+      --delete-emptydir-data {{ kube_override_hostname | default(inventory_hostname) }}
  when:
    - groups['kube_control_plane'] | length > 0
    # ignore servers that are not nodes
-    - kube_override_hostname in nodes.stdout_lines
+    - kube_override_hostname | default(inventory_hostname) in nodes.stdout_lines
  register: result
  failed_when: result.rc != 0 and not allow_ungraceful_removal
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
@@ -34,10 +34,10 @@
  register: nodes_with_volumes
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  changed_when: false
-  until: not (kube_override_hostname in nodes_with_volumes.stdout_lines)
+  until: not (kube_override_hostname | default(inventory_hostname) in nodes_with_volumes.stdout_lines)
  retries: 3
  delay: "{{ drain_grace_period }}"
  when:
    - groups['kube_control_plane'] | length > 0
    - not allow_ungraceful_removal
-    - kube_override_hostname in nodes.stdout_lines
+    - kube_override_hostname | default(inventory_hostname) in nodes.stdout_lines
--- a/roles/system_packages/defaults/main.yml
+++ b/roles/system_packages/defaults/main.yml
@@ -1,5 +1,4 @@
 ---
 # number of times package install task should be retried
 pkg_install_retries: 4
 pkg_install_timeout: "{{ 5 * 60 }}"
 yum_repo_dir: /etc/yum.repos.d
--- a/roles/system_packages/tasks/main.yml
+++ b/roles/system_packages/tasks/main.yml
@@ -34,17 +34,6 @@
  tags:
    - bootstrap_os
 # Remove this after ansible-core >= 2.19.0
 # See https://github.com/kubernetes-sigs/kubespray/pull/12138#issuecomment-3019304574
 - name: Install python3-libdnf5 on Fedora >= 41
  raw: >
    dnf install --assumeyes python3-libdnf5
  become: true
  retries: "{{ pkg_install_retries }}"
  when:
    - ansible_distribution == "Fedora"
    - ansible_distribution_major_version | int >= 41
 - name: Manage packages
  package:
    name: "{{ item.packages | dict2items | selectattr('value', 'ansible.builtin.all') | map(attribute='key') }}"
@@ -63,4 +52,3 @@
    label: "{{ item.action_label }}"
  tags:
    - bootstrap_os
  timeout: "{{ pkg_install_timeout }}"
--- a/scripts/component_hash_update/src/component_hash_update/components.py
+++ b/scripts/component_hash_update/src/component_hash_update/components.py
@@ -7,8 +7,8 @@ infos = {
        "url": "https://github.com/projectcalico/calico/releases/download/v{version}/SHA256SUMS",
        "graphql_id": "R_kgDOA87D0g",
    },
-    "calico_crds": {
+    "calico_crds_archive": {
-        "url": "https://github.com/projectcalico/calico/raw/v{version}/manifests/crds.yaml",
+        "url": "https://github.com/projectcalico/calico/archive/v{version}.tar.gz",
        "graphql_id": "R_kgDOA87D0g",
        "binary": True,
    },
--- a/scripts/readme_versions.md.j2
+++ b/scripts/readme_versions.md.j2
@@ -16,6 +16,7 @@
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) {{ cert_manager_version }}
  - [coredns](https://github.com/coredns/coredns) {{ coredns_version }}
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) {{ ingress_nginx_version }}
  - [argocd](https://argoproj.github.io/) {{ argocd_version }}
  - [helm](https://helm.sh/) {{ helm_version }}
  - [metallb](https://metallb.universe.tf/) {{ metallb_version }}
--- a/tests/files/custom_cni/cilium.yaml
+++ b/tests/files/custom_cni/cilium.yaml
--- a/tests/files/debian12-custom-cni-helm.yml
+++ b/tests/files/debian12-custom-cni-helm.yml
@@ -10,7 +10,7 @@ custom_cni_chart_release_name: cilium
 custom_cni_chart_repository_name: cilium
 custom_cni_chart_repository_url: https://helm.cilium.io
 custom_cni_chart_ref: cilium/cilium
-custom_cni_chart_version: 1.18.6
+custom_cni_chart_version: 1.16.3
 custom_cni_chart_values:
  cluster:
    name: kubespray
--- a/tests/files/fedora41-calico-selinux.yml
+++ b/tests/files/fedora41-calico-selinux.yml
@@ -1,9 +0,0 @@
 ---
 # Instance settings
 cloud_image: fedora-41
 # Kubespray settings
 auto_renew_certificates: true
 # Test with SELinux in enforcing mode
 preinstall_selinux_state: enforcing
--- a/tests/files/fedora41-calico-swap-selinux.yml
+++ b/tests/files/fedora41-calico-swap-selinux.yml
@@ -1,14 +0,0 @@
 ---
 # Instance settings
 cloud_image: fedora-41
 # Kubespray settings
 auto_renew_certificates: true
 # Test with SELinux in enforcing mode
 preinstall_selinux_state: enforcing
 # Test Alpha swap feature by leveraging zswap default config in Fedora 35
 kubelet_fail_swap_on: false
 kube_feature_gates:
  - "NodeSwap=True"
--- a/tests/files/fedora41-crio.yml
+++ b/tests/files/fedora41-crio.yml
@@ -1,7 +0,0 @@
 ---
 # Instance settings
 cloud_image: fedora-41
 # Kubespray settings
 container_manager: crio
 auto_renew_certificates: true
--- a/tests/files/fedora41-kube-router.yml
+++ b/tests/files/fedora41-kube-router.yml
@@ -1,7 +0,0 @@
 ---
 cloud_image: fedora-41
 cluster_layout:
  - node_groups: ['kube_control_plane', 'etcd', 'kube_node']
  - node_groups: ['kube_node']
 kube_network_plugin: "kube-router"
--- a/tests/files/fedora42-calico.yml
+++ b/tests/files/fedora42-calico.yml
@@ -1,9 +0,0 @@
 ---
 # Instance settings
 cloud_image: fedora-42
 # Kubespray settings
 auto_renew_certificates: true
 # Test with SELinux in enforcing mode
 preinstall_selinux_state: enforcing
--- a/tests/files/openeuler24-calico.yml
+++ b/tests/files/openeuler24-calico.yml
@@ -2,12 +2,3 @@
 # Instance settings
 cloud_image: openeuler-2403
 vm_memory: 3072
 # Openeuler package mgmt is slow for some reason
 pkg_install_timeout: "{{ 10 * 60 }}"
 # Work around so the Kubernetes 1.35 tests can pass. We will discuss the openeuler support later.
 kubeadm_ignore_preflight_errors:
  - SystemVerification
 kubelet_fail_cgroup_v1: false
--- a/tests/files/ubuntu24-crio-scale.yml
+++ b/tests/files/ubuntu24-crio-scale.yml
@@ -1,8 +0,0 @@
 ---
 cloud_image: ubuntu-2404
 container_manager: crio
 cluster_layout:
  - node_groups: ["kube_control_plane", "etcd"]
  - node_groups: ["kube_node"]
  - node_groups: ["kube_node", "for_scale"]
--- a/tests/files/ubuntu24-crio-upgrade
+++ b/tests/files/ubuntu24-crio-upgrade
@@ -1 +0,0 @@
 UPGRADE_TEST=graceful
--- a/tests/files/ubuntu24-crio-upgrade.yml
+++ b/tests/files/ubuntu24-crio-upgrade.yml
@@ -1,16 +0,0 @@
 ---
 # Instance settings
 cloud_image: ubuntu-2404
 mode: all-in-one
 vm_memory: 1800
 # Kubespray settings
 container_manager: crio
 auto_renew_certificates: true
 # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=noble&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
 kube_proxy_mode: iptables
 enable_nodelocaldns: false
 # Single node don't need the DNS autoscaler
 enable_dns_autoscaler: false
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`requires_ansible: ">=2.18.0,<2.19.0"`	`requires_ansible: ">=2.17.3"`