Patch versions updates

.github/workflows/auto-label-os.yml

@@ -13,10 +13,10 @@ jobs:
       issues: write
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
 
       - name: Parse issue form
-        uses: stefanbuck/github-issue-parser@25f1485edffc1fee3ea68eb9f59a72e58720ffc4
+        uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e
         id: issue-parser
         with:
           template-path: .github/ISSUE_TEMPLATE/bug-report.yaml

.github/workflows/upgrade-patch-versions.yml

@@ -11,7 +11,7 @@ jobs:
   update-patch-versions:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
       with:
         ref: ${{ inputs.branch }}
     - uses: actions/setup-python@v6
@@ -29,7 +29,7 @@ jobs:
           ~/.cache/pre-commit
     - run: pre-commit run --all-files propagate-ansible-variables
       continue-on-error: true
-    - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676
+    - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412
       with:
         commit-message: Patch versions updates
         title: Patch versions updates - ${{ inputs.branch }}

.gitlab-ci/terraform.yml

@@ -116,5 +116,5 @@ tf-elastx_ubuntu20-calico:
     TF_VAR_az_list_node: '["sto1"]'
     TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b    # v1-standard-2
     TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
-    TF_VAR_image: ubuntu-24.04-server-latest
+    TF_VAR_image: ubuntu-20.04-server-latest
     TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'

docs/ansible/ansible.md

@@ -45,7 +45,10 @@ Kubespray expects users to use one of the following variables sources for settin
 |  - inventory host_vars                 | host specific vars overrides, group_vars is usually more practical           |
 | **extra vars** (always win precedence) | override with ``ansible-playbook -e @foo.yml``                               |
 
-> Extra vars are best used to override kubespray internal variables, for instances, roles/vars/. Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray interface. Thus they can change, disappear, or break stuff unexpectedly.
+[!IMPORTANT]
+Extra vars are best used to override kubespray internal variables, for instances, roles/vars/.
+Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray
+interface. Thus they can change, disappear, or break stuff unexpectedly.
 
 ## Ansible tags
 

roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml

@@ -11,23 +11,24 @@
   tags:
     - facts
 
-- name: Obtain kubeadm certificate key for joining control planes nodes
+- name: Upload certificates so they are fresh and not expired
+  command: >-
+    {{ bin_dir }}/kubeadm init phase
+    --config {{ kube_config_dir }}/kubeadm-config.yaml
+    upload-certs
+    --upload-certs
+  register: kubeadm_upload_cert
   when:
+    - inventory_hostname == first_kube_control_plane
     - not kube_external_ca_mode
-  run_once: true
-  block:
-    - name: Upload certificates so they are fresh and not expired
-      command: >-
-        {{ bin_dir }}/kubeadm init phase
-        --config {{ kube_config_dir }}/kubeadm-config.yaml
-        upload-certs
-        --upload-certs
-      register: kubeadm_upload_cert
-      delegate_to: "{{ first_kube_control_plane }}"
 
-    - name: Parse certificate key if not set
-      set_fact:
-        kubeadm_certificate_key: "{{ kubeadm_upload_cert.stdout_lines[-1] | trim }}"
+- name: Parse certificate key if not set
+  set_fact:
+    kubeadm_certificate_key: "{{ hostvars[first_kube_control_plane]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
+  run_once: true
+  when:
+    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is defined
+    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is not skipped
 
 - name: Wait for k8s apiserver
   wait_for:

roles/kubespray_defaults/vars/main/checksums.yml

@@ -462,6 +462,7 @@ calicoctl_binary_checksums:
     3.28.0: sha256:0789cb0d1478ec3f0a44db265b19042be9dfc18bc1776343c7ea8d246561d12b
 ciliumcli_binary_checksums:
   arm64:
+    0.18.9: sha256:eaa2b3570d3737592ec912505a247173e25fc7bca92d16b32d72b3aca94a743f
     0.18.8: sha256:44e6dd188336b9168986945c99f8e0882ec4e54a4b6422d44d8e36ec449ba929
     0.18.7: sha256:dbaa2ab4b1969f4402adf430d6a1bd914c5ab52475ec68f50b3af6fa7fe2fecc
     0.18.6: sha256:7639c69b410c26d0276fe1297d53e9573f094b56822bd01e85153acb3ca7dd43
@@ -498,6 +499,7 @@ ciliumcli_binary_checksums:
     0.16.1: sha256:07f3f2ba4d772140e46004ee7fa239134acc27afc4f79fc301ee7037617babc1
     0.16.0: sha256:fe16bcd447fc6fe764ca75712f5832d7504845e9f782684ff09c9f52548237fe
   amd64:
+    0.18.9: sha256:15978aaf82373b0682aa87ab217848b3fb6e3cd80adad365d34696fe92543923
     0.18.8: sha256:422940f0b7eb6eabc1e126945d1772e3f824c3f4f9fbb0df0dbbf00a271311ba
     0.18.7: sha256:7f5ff96f1793ee389ef77435a72debf122f5ec253d41418fca99d2c21472016a
     0.18.6: sha256:075bcc605308ff40a488d75a9a8555713dc0139d36536e032d3ebc2a1e7a9f4d
@@ -767,6 +769,7 @@ kata_containers_binary_checksums:
     3.5.0: sha256:fa4cf67d010244c4f8d0e6d450d04e28d1bbce5ad1a3cbc0154adff628d56c0c
 gvisor_runsc_binary_checksums:
   arm64:
+    '20251201.0': sha512:fb527cea4d165478f297a918734f10acabf5230a4a0d29b19709cb6a69a389d32c2a0da328146f72ef0d8776aca35d97647db82ff46be60e85ad02305f631896
     '20251118.0': sha512:80a2970cb966d69d59313ec64583174189293db24605f8309a9e8b230e3be6f0e7e387bc11dd5db1896a8c308dd81da8778c0f0418d7ebfdda6b26f03c8d499f
     '20251110.0': sha512:297d42a46463d5b68c4786bcd448fe0914d7af91cd62f3c51b494b94e1c91d7eda68c6f21cfb1a66ac4d45aadcf20f7410291c0f3f17b090799f9cfa676cb563
     '20251103.0': sha512:a124f892b6f937ff88f9833cba78bc22d2cf869a205e20694374cbad575c9c9dd501cd4b8897aa4338622b6171d7cf4ce8d5a9b3b259c60450a6ade5b3fbc4f5
@@ -791,6 +794,7 @@ gvisor_runsc_binary_checksums:
     '20250414.0': sha512:d1ba68b20057622e58e886f472e021a473222590c936a86951005d7b97366b446ef0342b91457ffc0d7e543d54c9c06a363f2883bdd6c594799c4ca1091dabd5
     '20250407.0': sha512:cb590f72b0fbda45e89a2300e9247f12ff295a8c52653c8cf815c662d3fbbc774f9b915cdd4fad59e30694d8cc8737fe2a1a8186ab5136f7701bd6e6877a1662
   amd64:
+    '20251201.0': sha512:8534bc833d9b1e286b8876abb17dd6fe202c40a75a36dd62b0ce892bf9dceb1773e71447848e7acab120ce99283c22d2f4e4a6171008c9c5f3d5fe6ad6f1cc75
     '20251118.0': sha512:cc95eec3e22a574ac533278ee8c72672542edf0ab467a89c13f02abea6404ffe20ea4a538a3482b072a8e45222a13cefbf9e7f44bada35b436769e04b12ab970
     '20251110.0': sha512:40d9ec839850cb1994321f0716026b6149adb712bab576b157be2c31b832e68e11475647b2776499fca4c52e96fc7489877fff2fb1985d5f1e128d14f776bd6b
     '20251103.0': sha512:01a465bb5bb37d3c6343a33420b6badfe6e5d8a5ff522f1fb2c183a6e24559cc660373137adc8f5a8c8c362c573a2d01ef6936e126c74c810b16bf9bd19bfd04
@@ -816,6 +820,7 @@ gvisor_runsc_binary_checksums:
     '20250407.0': sha512:097259d6d93548bf669e21cfec5ba6a47081e43f61d22c5d8a8a4c0c209c81ac9c4454162b826f98cec49e047bbdc29c270113ab6db5519ef3e6a90f302fa47b
 gvisor_containerd_shim_binary_checksums:
   arm64:
+    '20251201.0': sha512:9546236a7ddad9a2ccd51c41f2f309b7f4016fdf489581f77b1b803ed73ca72501af2de3e3d0b58daa633384baa0d46ecd515760165ed51bfb6c0900649c6306
     '20251118.0': sha512:0179f0b049c882703758d5cba387e1e4fd0300aef20197e35e2886f480f0668fecb8deb3aa84341d0b874127d88b337fbcf609f563c3310b47520e8144e9d55a
     '20251110.0': sha512:8f2b16ad59e9ffdafd1218851cba9d007d4ffb15c5ec2003e0c691eb048935a82f9e8b578c051b05738e3b4e1f141ed893c73415313ec639f348fe989659b893
     '20251103.0': sha512:8f2b16ad59e9ffdafd1218851cba9d007d4ffb15c5ec2003e0c691eb048935a82f9e8b578c051b05738e3b4e1f141ed893c73415313ec639f348fe989659b893
@@ -840,6 +845,7 @@ gvisor_containerd_shim_binary_checksums:
     '20250414.0': sha512:33b9c67bc7b73ca49154aff48da52029414a707b6a3a25eb4f71e861a94dec8fce220e63a162841670ddd4876f45b0e39abdf9f8c3235019c89f209684d3007d
     '20250407.0': sha512:1c3838e10c905af0cb52697712bf6bd76b94c9e9d3d07a7643cd43dc2f8dab03b4ed4693c117e555e07a158e04ee583b6b1f1cf2fb9705244ffa5fdc4af67248
   amd64:
+    '20251201.0': sha512:216a937437cb1747d5e84edd9ae7274c5a2c4f712f4601e7e0ca06e0a688bebfac267707028b78845276302023d305ec9a93f5b200c9c3c3cdf86a2f41817703
     '20251118.0': sha512:b0f0fa1ee431c63cfbb9007a62c49a374bcbfbbbf5997e63c827d1673f6933d65044ca4f06608bb494f870ced97295dc065810f5e905dfd4a632fe4d61faff7f
     '20251110.0': sha512:56a27dab74191db97f888c936b53861248851a2579d838073f528db7cb9353da5a919a27a38a48447b0a81bd42ab92873c480be769a9818a464ba9cf27872581
     '20251103.0': sha512:56a27dab74191db97f888c936b53861248851a2579d838073f528db7cb9353da5a919a27a38a48447b0a81bd42ab92873c480be769a9818a464ba9cf27872581
@@ -1283,6 +1289,7 @@ yq_checksums:
     4.40.3: sha256:2fe818a0b141913a41548e0e727267479d0f755221c73f9e304788c8e9139a45
 gateway_api_standard_crds_checksums:
   no_arch:
+    1.4.1: sha256:daa2999f0978ba3e43b65fec179f82a1a690649da10aa5c7c5871165477368f8
     1.4.0: sha256:6a4029e661446d64add866a00ecdc40c14219b68777ab614c5cdaac0adb481f1
     1.3.0: sha256:78796d5c51450fc55d8dc8092ba8137f8c807982d7508d7875d5c537a24082b9
     1.2.1: sha256:97598bf6ab3b33b9b5c5432bdd24de091e4e9c3aa0575ebb0710a2a19cd64d64
@@ -1292,6 +1299,7 @@ gateway_api_standard_crds_checksums:
     1.0.0: sha256:23e4e1095c72a0587474f7fb3f85c319cdec77a083ab91237ffbdec1f1834d2a
 gateway_api_experimental_crds_checksums:
   no_arch:
+    1.4.1: sha256:d3c20dd4c0431936567a6917ca931f6dced1310242be62b9eca07bd9892e2025
     1.4.0: sha256:0414b160767377e85fd362855501200c6b83b84758bcd532652e3fe1cc677e49
     1.3.0: sha256:3e7a27e4456ff3d68606a6a8516306aaff354d6f0950b32bb31930669b7bf8b8
     1.2.1: sha256:d3aa6723a3306770cffb601ee22af3d35da43acfa1ca547fc0d3bce08dad66e7

roles/network_plugin/calico/tasks/check.yml

@@ -61,7 +61,6 @@
         executable: /bin/bash
       register: calico_version_on_server
       changed_when: false
-      check_mode: false
 
     - name: Assert that current calico version is enough for upgrade
       assert:

roles/network_plugin/cilium/defaults/main.yml

@@ -1,6 +1,8 @@
 ---
 cilium_min_version_required: "1.15"
 
+# remove migrate after 2.29 released
+cilium_remove_old_resources: false
 # Log-level
 cilium_debug: false
 

roles/network_plugin/cilium/tasks/main.yml

@@ -5,5 +5,10 @@
 - name: Cilium install
   include_tasks: install.yml
 
+# Remove after 2.29 released
+- name: Cilium remove old resources
+  when: cilium_remove_old_resources
+  include_tasks: remove_old_resources.yml
+
 - name: Cilium apply
   include_tasks: apply.yml

roles/network_plugin/cilium/tasks/remove_old_resources.yml

@@ -0,0 +1,45 @@
+---
+# Remove after 2.29 released
+- name: Cilium | Delete Old Resource
+  command: |
+    {{ kubectl }} delete {{ item.kind | lower }} {{ item.name }} \
+    {{ '-n kube-system' if item.kind not in ['ClusterRole', 'ClusterRoleBinding'] else '' }} \
+  loop:
+    - { kind: ServiceAccount, name: cilium }
+    - { kind: ServiceAccount, name: cilium-operator }
+    - { kind: ServiceAccount, name: hubble-generate-certs }
+    - { kind: ServiceAccount, name: hubble-relay }
+    - { kind: ServiceAccount, name: hubble-ui }
+    - { kind: Service, name: hubble-metrics }
+    - { kind: Service, name: hubble-relay-metrics }
+    - { kind: Service, name: hubble-relay }
+    - { kind: Service, name: hubble-ui }
+    - { kind: Service, name: hubble-peer }
+    - { kind: Deployment, name: cilium-operator }
+    - { kind: Deployment, name: hubble-relay }
+    - { kind: Deployment, name: hubble-ui }
+    - { kind: DaemonSet, name: cilium }
+    - { kind: CronJob, name: hubble-generate-certs }
+    - { kind: Job, name: hubble-generate-certs }
+    - { kind: ConfigMap, name: cilium-config }
+    - { kind: ConfigMap, name: ip-masq-agent }
+    - { kind: ConfigMap, name: hubble-relay-config }
+    - { kind: ConfigMap, name: hubble-ui-nginx }
+    - { kind: ClusterRole, name: cilium }
+    - { kind: ClusterRole, name: cilium-operator }
+    - { kind: ClusterRole, name: hubble-generate-certs }
+    - { kind: ClusterRole, name: hubble-relay }
+    - { kind: ClusterRole, name: hubble-ui }
+    - { kind: ClusterRoleBinding, name: cilium }
+    - { kind: ClusterRoleBinding, name: cilium-operator }
+    - { kind: ClusterRoleBinding, name: hubble-generate-certs }
+    - { kind: ClusterRoleBinding, name: hubble-relay }
+    - { kind: ClusterRoleBinding, name: hubble-ui }
+    - { kind: Secret, name: hubble-ca-secret }
+    - { kind: Secret, name: hubble-relay-client-certs }
+    - { kind: Secret, name: hubble-server-certs }
+  register: patch_result
+  when: inventory_hostname == groups['kube_control_plane'][0]
+  failed_when:
+    - patch_result.rc != 0
+    - "'not found' not in patch_result.stderr"