fix multus include (#10105 )

`` "msg": "Failed to template loop_control.label: 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'item'. 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'item'", "skip_reason": "Conditional result was False"} `` fixes case when multus should NOT be included.
playbooks: bootstrap in facts playbook (#10069 )
2025-12-14 13:54:37 +03:00 · 2023-05-23 01:12:27 -07:00 · 2023-05-23 00:18:28 -07:00 · 2023-05-22 17:50:21 -07:00 · 2023-05-22 17:44:20 -07:00 · 2023-05-22 16:58:20 -07:00
839 changed files with 24020 additions and 21633 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -24,7 +24,17 @@ skip_list:
  # (Disabled in June 2021)
  - 'role-name'
  - 'experimental'
  # [var-naming] "defaults/main.yml" File defines variable 'apiVersion' that violates variable naming standards
  # In Kubespray we use variables that use camelCase to match their k8s counterparts
  # (Disabled in June 2021)
  - 'var-naming'
  - 'var-spacing'
  # [fqcn-builtins]
  # Roles in kubespray don't need fully qualified collection names
  # (Disabled in Feb 2023)
  - 'fqcn-builtins'
 exclude_paths:
  # Generated files
  - tests/files/custom_cni/cilium.yaml
--- a/.gitignore
+++ b/.gitignore
@@ -3,14 +3,19 @@
 **/vagrant_ansible_inventory
 *.iml
 temp
 contrib/offline/offline-files
 contrib/offline/offline-files.tar.gz
 .idea
 .vscode
 .tox
 .cache
 *.bak
 *.tfstate
 *.tfstate.backup
 *.lock.hcl
 .terraform/
 contrib/terraform/aws/credentials.tfvars
 .terraform.lock.hcl
 /ssh-bastion.conf
 **/*.sw[pon]
 *~
@@ -102,10 +107,14 @@ ENV/
 # molecule
 roles/**/molecule/**/__pycache__/
 roles/**/molecule/**/*.conf
 # macOS
 .DS_Store
 # Temp location used by our scripts
 scripts/tmp/
 tmp.md
 # Ansible collection files
 kubernetes_sigs-kubespray*tar.gz
 ansible_collections
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,6 @@
 ---
 stages:
  - build
  - unit-tests
  - deploy-part1
  - moderator
@@ -8,12 +9,12 @@ stages:
  - deploy-special
 variables:
-  KUBESPRAY_VERSION: v2.17.1
+  KUBESPRAY_VERSION: v2.21.0
  FAILFASTCI_NAMESPACE: 'kargo-ci'
  GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
  ANSIBLE_FORCE_COLOR: "true"
  MAGIC: "ci check this"
-  TEST_ID: "$CI_PIPELINE_ID-$CI_BUILD_ID"
+  TEST_ID: "$CI_PIPELINE_ID-$CI_JOB_ID"
  CI_TEST_VARS: "./tests/files/${CI_JOB_NAME}.yml"
  CI_TEST_REGISTRY_MIRROR: "./tests/common/_docker_hub_registry_mirror.yml"
  CI_TEST_SETTING: "./tests/common/_kubespray_test_settings.yml"
@@ -27,13 +28,15 @@ variables:
  ANSIBLE_INVENTORY: ./inventory/sample/${CI_JOB_NAME}-${BUILD_NUMBER}.ini
  IDEMPOT_CHECK: "false"
  RESET_CHECK: "false"
  REMOVE_NODE_CHECK: "false"
  UPGRADE_TEST: "false"
  MITOGEN_ENABLE: "false"
  ANSIBLE_LOG_LEVEL: "-vv"
  RECOVER_CONTROL_PLANE_TEST: "false"
  RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:],kube_control_plane[1:]"
-  TERRAFORM_VERSION: 1.0.8
+  TERRAFORM_VERSION: 1.3.7
-  ANSIBLE_MAJOR_VERSION: "2.10"
+  ANSIBLE_MAJOR_VERSION: "2.11"
  PIPELINE_IMAGE: "$CI_REGISTRY_IMAGE/pipeline:${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}"
 before_script:
  - ./tests/scripts/rebase.sh
@@ -45,7 +48,7 @@ before_script:
 .job: &job
  tags:
    - packet
-  image: quay.io/kubespray/kubespray:$KUBESPRAY_VERSION
+  image: $PIPELINE_IMAGE
  artifacts:
    when: always
    paths:
@@ -75,8 +78,10 @@ ci-authorized:
  only: []
 include:
  - .gitlab-ci/build.yml
  - .gitlab-ci/lint.yml
  - .gitlab-ci/shellcheck.yml
  - .gitlab-ci/terraform.yml
  - .gitlab-ci/packet.yml
  - .gitlab-ci/vagrant.yml
  - .gitlab-ci/molecule.yml
--- a/.gitlab-ci/build.yml
+++ b/.gitlab-ci/build.yml
@@ -0,0 +1,40 @@
 ---
 .build:
  stage: build
  image:
    name: moby/buildkit:rootless
    entrypoint: [""]
  variables:
    BUILDKITD_FLAGS: --oci-worker-no-process-sandbox
  before_script:
    - mkdir ~/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > ~/.docker/config.json
 pipeline image:
  extends: .build
  script:
    - |
      buildctl-daemonless.sh build \
        --frontend=dockerfile.v0 \
        --local context=. \
        --local dockerfile=. \
        --opt filename=./pipeline.Dockerfile \
        --output type=image,name=$PIPELINE_IMAGE,push=true \
        --import-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache
  rules:
    - if: '$CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
 pipeline image and build cache:
  extends: .build
  script:
    - |
      buildctl-daemonless.sh build \
        --frontend=dockerfile.v0 \
        --local context=. \
        --local dockerfile=. \
        --opt filename=./pipeline.Dockerfile \
        --output type=image,name=$PIPELINE_IMAGE,push=true \
        --import-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache \
        --export-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache,mode=max
  rules:
    - if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
--- a/.gitlab-ci/lint.yml
+++ b/.gitlab-ci/lint.yml
@@ -14,7 +14,7 @@ vagrant-validate:
  stage: unit-tests
  tags: [light]
  variables:
-    VAGRANT_VERSION: 2.2.19
+    VAGRANT_VERSION: 2.3.4
  script:
    - ./tests/scripts/vagrant-validate.sh
  except: ['triggers', 'master']
@@ -23,9 +23,8 @@ ansible-lint:
  extends: .job
  stage: unit-tests
  tags: [light]
-  # lint every yml/yaml file that looks like it contains Ansible plays
+  script:
-  script: |-
+    - ansible-lint -v
    grep -Rl '^- hosts: \|^  hosts: ' --include \*.yml --include \*.yaml . | xargs -P 4 -n 25 ansible-lint -v
  except: ['triggers', 'master']
 syntax-check:
@@ -40,11 +39,28 @@ syntax-check:
    ANSIBLE_VERBOSITY: "3"
  script:
    - ansible-playbook --syntax-check cluster.yml
    - ansible-playbook --syntax-check playbooks/cluster.yml
    - ansible-playbook --syntax-check upgrade-cluster.yml
    - ansible-playbook --syntax-check playbooks/upgrade_cluster.yml
    - ansible-playbook --syntax-check reset.yml
    - ansible-playbook --syntax-check playbooks/reset.yml
    - ansible-playbook --syntax-check extra_playbooks/upgrade-only-k8s.yml
  except: ['triggers', 'master']
 collection-build-install-sanity-check:
  extends: .job
  stage: unit-tests
  tags: [light]
  variables:
    ANSIBLE_COLLECTIONS_PATH: "./ansible_collections"
  script:
    - ansible-galaxy collection build
    - ansible-galaxy collection install kubernetes_sigs-kubespray-$(grep "^version:" galaxy.yml | awk '{print $2}').tar.gz
    - ansible-galaxy collection list $(egrep -i '(name:\s+|namespace:\s+)' galaxy.yml | awk '{print $2}' | tr '\n' '.' | sed 's|\.$||g') | grep "^kubernetes_sigs.kubespray"
    - test -f ansible_collections/kubernetes_sigs/kubespray/playbooks/cluster.yml
    - test -f ansible_collections/kubernetes_sigs/kubespray/playbooks/reset.yml
  except: ['triggers', 'master']
 tox-inventory-builder:
  stage: unit-tests
  tags: [light]
@@ -53,7 +69,7 @@ tox-inventory-builder:
    - ./tests/scripts/rebase.sh
    - apt-get update && apt-get install -y python3-pip
    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-    - python -m pip uninstall -y ansible
+    - python -m pip uninstall -y ansible ansible-base ansible-core
    - python -m pip install -r tests/requirements.txt
  script:
    - pip3 install tox
@@ -69,6 +85,27 @@ markdownlint:
  script:
    - markdownlint $(find . -name '*.md' | grep -vF './.git') --ignore docs/_sidebar.md --ignore contrib/dind/README.md
 check-readme-versions:
  stage: unit-tests
  tags: [light]
  image: python:3
  script:
    - tests/scripts/check_readme_versions.sh
 check-galaxy-version:
  stage: unit-tests
  tags: [light]
  image: python:3
  script:
    - tests/scripts/check_galaxy_version.sh
 check-typo:
  stage: unit-tests
  tags: [light]
  image: python:3
  script:
    - tests/scripts/check_typo.sh
 ci-matrix:
  stage: unit-tests
  tags: [light]
--- a/.gitlab-ci/molecule.yml
+++ b/.gitlab-ci/molecule.yml
@@ -0,0 +1,86 @@
 ---
 .molecule:
  tags: [c3.small.x86]
  only: [/^pr-.*$/]
  except: ['triggers']
  image: $PIPELINE_IMAGE
  services: []
  stage: deploy-part1
  before_script:
    - tests/scripts/rebase.sh
    - apt-get update && apt-get install -y python3-pip
    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
    - python -m pip uninstall -y ansible ansible-base ansible-core
    - python -m pip install -r tests/requirements.txt
    - ./tests/scripts/vagrant_clean.sh
  script:
    - ./tests/scripts/molecule_run.sh
  after_script:
    - chronic ./tests/scripts/molecule_logs.sh
  artifacts:
    when: always
    paths:
      - molecule_logs/
 # CI template for periodic CI jobs
 # Enabled when PERIODIC_CI_ENABLED var is set
 .molecule_periodic:
  only:
    variables:
      - $PERIODIC_CI_ENABLED
  allow_failure: true
  extends: .molecule
 molecule_full:
  extends: .molecule_periodic
 molecule_no_container_engines:
  extends: .molecule
  script:
    - ./tests/scripts/molecule_run.sh -e container-engine
  when: on_success
 molecule_docker:
  extends: .molecule
  script:
    - ./tests/scripts/molecule_run.sh -i container-engine/cri-dockerd
  when: on_success
 molecule_containerd:
  extends: .molecule
  script:
    - ./tests/scripts/molecule_run.sh -i container-engine/containerd
  when: on_success
 molecule_cri-o:
  extends: .molecule
  stage: deploy-part2
  script:
    - ./tests/scripts/molecule_run.sh -i container-engine/cri-o
  when: on_success
 # Stage 3 container engines don't get as much attention so allow them to fail
 molecule_kata:
  extends: .molecule
  stage: deploy-part3
  allow_failure: true
  script:
    - ./tests/scripts/molecule_run.sh -i container-engine/kata-containers
  when: on_success
 molecule_gvisor:
  extends: .molecule
  stage: deploy-part3
  allow_failure: true
  script:
    - ./tests/scripts/molecule_run.sh -i container-engine/gvisor
  when: on_success
 molecule_youki:
  extends: .molecule
  stage: deploy-part3
  allow_failure: true
  script:
    - ./tests/scripts/molecule_run.sh -i container-engine/youki
  when: on_success
--- a/.gitlab-ci/packet.yml
+++ b/.gitlab-ci/packet.yml
@@ -31,18 +31,9 @@ packet_ubuntu20-calico-aio:
  variables:
    RESET_CHECK: "true"
 # Exericse ansible variants
 packet_ubuntu20-calico-aio-ansible-2_9:
  stage: deploy-part1
  extends: .packet_pr
  when: on_success
  variables:
    ANSIBLE_MAJOR_VERSION: "2.9"
    RESET_CHECK: "true"
 packet_ubuntu20-calico-aio-ansible-2_11:
  stage: deploy-part1
-  extends: .packet_pr
+  extends: .packet_periodic
  when: on_success
  variables:
    ANSIBLE_MAJOR_VERSION: "2.11"
@@ -60,17 +51,32 @@ packet_ubuntu20-aio-docker:
  extends: .packet_pr
  when: on_success
 packet_ubuntu20-calico-aio-hardening:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
 packet_ubuntu18-calico-aio:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
 packet_ubuntu22-aio-docker:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
 packet_ubuntu22-calico-aio:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
 packet_centos7-flannel-addons-ha:
  extends: .packet_pr
  stage: deploy-part2
  when: on_success
-packet_centos8-crio:
+packet_almalinux8-crio:
  extends: .packet_pr
  stage: deploy-part2
  when: on_success
@@ -85,31 +91,11 @@ packet_fedora35-crio:
  stage: deploy-part2
  when: manual
 packet_ubuntu16-canal-ha:
  stage: deploy-part2
  extends: .packet_periodic
  when: on_success
 packet_ubuntu16-canal-sep:
  stage: deploy-special
  extends: .packet_pr
  when: manual
 packet_ubuntu16-flannel-ha:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
 packet_ubuntu16-kube-router-sep:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
 packet_ubuntu16-kube-router-svc-proxy:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
 packet_debian10-cilium-svc-proxy:
  stage: deploy-part2
  extends: .packet_periodic
@@ -145,34 +131,41 @@ packet_centos7-calico-ha-once-localhost:
  services:
    - docker:19.03.9-dind
-packet_centos8-kube-ovn:
+packet_almalinux8-kube-ovn:
  stage: deploy-part2
  extends: .packet_periodic
  when: on_success
-packet_centos8-calico:
+packet_almalinux8-calico:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
-packet_centos8-docker:
+packet_rockylinux8-calico:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
-packet_fedora34-docker-weave:
+packet_rockylinux9-calico:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
-packet_fedora35-kube-router:
+packet_rockylinux9-cilium:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
  variables:
    RESET_CHECK: "true"
 packet_almalinux8-docker:
  stage: deploy-part2
  extends: .packet_pr
  when: on_success
-packet_opensuse-canal:
+packet_fedora36-docker-weave:
  stage: deploy-part2
-  extends: .packet_periodic
+  extends: .packet_pr
  when: on_success
 packet_opensuse-docker-cilium:
@@ -203,12 +196,12 @@ packet_ubuntu18-flannel-ha-once:
  when: manual
 # Calico HA eBPF
-packet_centos8-calico-ha-ebpf:
+packet_almalinux8-calico-ha-ebpf:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
-packet_debian9-macvlan:
+packet_debian10-macvlan:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
@@ -218,29 +211,19 @@ packet_centos7-calico-ha:
  extends: .packet_pr
  when: manual
 packet_centos7-kube-router:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
 packet_centos7-multus-calico:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
-packet_oracle7-canal-ha:
+packet_fedora36-docker-calico:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
 packet_fedora35-docker-calico:
  stage: deploy-part2
  extends: .packet_periodic
  when: on_success
  variables:
    RESET_CHECK: "true"
-packet_fedora34-calico-selinux:
+packet_fedora35-calico-selinux:
  stage: deploy-part2
  extends: .packet_periodic
  when: on_success
@@ -255,20 +238,37 @@ packet_amazon-linux-2-aio:
  extends: .packet_pr
  when: manual
-packet_centos8-calico-nodelocaldns-secondary:
+packet_almalinux8-calico-nodelocaldns-secondary:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
-packet_fedora34-kube-ovn:
+packet_fedora36-kube-ovn:
  stage: deploy-part2
  extends: .packet_periodic
  when: on_success
 packet_debian11-custom-cni:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
 packet_debian11-kubelet-csr-approver:
  stage: deploy-part2
  extends: .packet_pr
  when: manual
 # ### PR JOBS PART3
 # Long jobs (45min+)
-packet_centos7-docker-weave-upgrade-ha:
+packet_centos7-weave-upgrade-ha:
  stage: deploy-part3
  extends: .packet_periodic
  when: on_success
  variables:
    UPGRADE_TEST: basic
 packet_ubuntu20-calico-etcd-kubeadm-upgrade-ha:
  stage: deploy-part3
  extends: .packet_periodic
  when: on_success
@@ -281,14 +281,27 @@ packet_ubuntu20-calico-ha-wireguard:
  extends: .packet_pr
  when: manual
-packet_debian10-calico-upgrade:
+packet_debian11-calico-upgrade:
  stage: deploy-part3
  extends: .packet_pr
  when: on_success
  variables:
    UPGRADE_TEST: graceful
-packet_debian10-calico-upgrade-once:
+packet_almalinux8-calico-remove-node:
  stage: deploy-part3
  extends: .packet_pr
  when: on_success
  variables:
    REMOVE_NODE_CHECK: "true"
    REMOVE_NODE_NAME: "instance-3"
 packet_ubuntu20-calico-etcd-kubeadm:
  stage: deploy-part3
  extends: .packet_pr
  when: on_success
 packet_debian11-calico-upgrade-once:
  stage: deploy-part3
  extends: .packet_periodic
  when: on_success
--- a/.gitlab-ci/shellcheck.yml
+++ b/.gitlab-ci/shellcheck.yml
@@ -11,6 +11,6 @@ shellcheck:
    - cp shellcheck-"${SHELLCHECK_VERSION}"/shellcheck /usr/bin/
    - shellcheck --version
  script:
-    # Run shellcheck for all *.sh except contrib/
+    # Run shellcheck for all *.sh
-    - find . -name '*.sh' -not -path './contrib/*' -not -path './.git/*' | xargs shellcheck --severity error
+    - find . -name '*.sh' -not -path './.git/*' | xargs shellcheck --severity error
  except: ['triggers', 'master']
--- a/.gitlab-ci/terraform.yml
+++ b/.gitlab-ci/terraform.yml
@@ -60,11 +60,11 @@ tf-validate-openstack:
    PROVIDER: openstack
    CLUSTER: $CI_COMMIT_REF_NAME
-tf-validate-packet:
+tf-validate-equinix:
  extends: .terraform_validate
  variables:
    TF_VERSION: $TERRAFORM_VERSION
-    PROVIDER: packet
+    PROVIDER: equinix
    CLUSTER: $CI_COMMIT_REF_NAME
 tf-validate-aws:
@@ -80,6 +80,12 @@ tf-validate-exoscale:
    TF_VERSION: $TERRAFORM_VERSION
    PROVIDER: exoscale
 tf-validate-hetzner:
  extends: .terraform_validate
  variables:
    TF_VERSION: $TERRAFORM_VERSION
    PROVIDER: hetzner
 tf-validate-vsphere:
  extends: .terraform_validate
  variables:
@@ -104,7 +110,7 @@ tf-validate-upcloud:
 #     TF_VAR_number_of_k8s_nodes: "1"
 #     TF_VAR_plan_k8s_masters: t1.small.x86
 #     TF_VAR_plan_k8s_nodes: t1.small.x86
-#     TF_VAR_facility: ewr1
+#     TF_VAR_metro: ny
 #     TF_VAR_public_key_path: ""
 #     TF_VAR_operating_system: ubuntu_16_04
 #
@@ -118,7 +124,7 @@ tf-validate-upcloud:
 #     TF_VAR_number_of_k8s_nodes: "1"
 #     TF_VAR_plan_k8s_masters: t1.small.x86
 #     TF_VAR_plan_k8s_nodes: t1.small.x86
-#     TF_VAR_facility: ams1
+#     TF_VAR_metro: am
 #     TF_VAR_public_key_path: ""
 #     TF_VAR_operating_system: ubuntu_18_04
--- a/.gitlab-ci/vagrant.yml
+++ b/.gitlab-ci/vagrant.yml
@@ -1,28 +1,5 @@
 ---
 molecule_tests:
  tags: [c3.small.x86]
  only: [/^pr-.*$/]
  except: ['triggers']
  image: quay.io/kubespray/vagrant:$KUBESPRAY_VERSION
  services: []
  stage: deploy-part1
  before_script:
    - tests/scripts/rebase.sh
    - apt-get update && apt-get install -y python3-pip
    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
    - python -m pip uninstall -y ansible
    - python -m pip install -r tests/requirements.txt
    - ./tests/scripts/vagrant_clean.sh
  script:
    - ./tests/scripts/molecule_run.sh
  after_script:
    - chronic ./tests/scripts/molecule_logs.sh
  artifacts:
    when: always
    paths:
      - molecule_logs/
 .vagrant:
  extends: .testcases
  variables:
@@ -33,12 +10,12 @@ molecule_tests:
  tags: [c3.small.x86]
  only: [/^pr-.*$/]
  except: ['triggers']
-  image: quay.io/kubespray/vagrant:$KUBESPRAY_VERSION
+  image: $PIPELINE_IMAGE
  services: []
  before_script:
    - apt-get update && apt-get install -y python3-pip
    - update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-    - python -m pip uninstall -y ansible
+    - python -m pip uninstall -y ansible ansible-base ansible-core
    - python -m pip install -r tests/requirements.txt
    - ./tests/scripts/vagrant_clean.sh
  script:
@@ -66,3 +43,30 @@ vagrant_ubuntu20-flannel:
  stage: deploy-part2
  extends: .vagrant
  when: on_success
  allow_failure: false
 vagrant_ubuntu20-flannel-collection:
  stage: deploy-part2
  extends: .vagrant
  when: on_success
 vagrant_ubuntu16-kube-router-sep:
  stage: deploy-part2
  extends: .vagrant
  when: manual
 # Service proxy test fails connectivity testing
 vagrant_ubuntu16-kube-router-svc-proxy:
  stage: deploy-part2
  extends: .vagrant
  when: manual
 vagrant_fedora35-kube-router:
  stage: deploy-part2
  extends: .vagrant
  when: on_success
 vagrant_centos7-kube-router:
  stage: deploy-part2
  extends: .vagrant
  when: manual
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@@ -1,2 +1,3 @@
 ---
 MD013: false
 MD029: false
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,71 @@
 ---
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v3.4.0
    hooks:
      - id: check-added-large-files
      - id: check-case-conflict
      - id: check-executables-have-shebangs
      - id: check-xml
      - id: check-merge-conflict
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: forbid-new-submodules
      - id: requirements-txt-fixer
      - id: trailing-whitespace
  - repo: https://github.com/adrienverge/yamllint.git
    rev: v1.27.1
    hooks:
      - id: yamllint
        args: [--strict]
  - repo: https://github.com/markdownlint/markdownlint
    rev: v0.11.0
    hooks:
      - id: markdownlint
        args: [ -r, "~MD013,~MD029" ]
        exclude: "^.git"
  - repo: https://github.com/jumanjihouse/pre-commit-hooks
    rev: 3.0.0
    hooks:
      - id: shellcheck
        args: [ --severity, "error" ]
        exclude: "^.git"
        files: "\\.sh$"
  - repo: local
    hooks:
      - id: ansible-lint
        name: ansible-lint
        entry: ansible-lint -v
        language: python
        pass_filenames: false
        additional_dependencies:
          - .[community]
      - id: ansible-syntax-check
        name: ansible-syntax-check
        entry: env ANSIBLE_INVENTORY=inventory/local-tests.cfg ANSIBLE_REMOTE_USER=root ANSIBLE_BECOME="true" ANSIBLE_BECOME_USER=root ANSIBLE_VERBOSITY="3" ansible-playbook --syntax-check
        language: python
        files: "^cluster.yml|^upgrade-cluster.yml|^reset.yml|^extra_playbooks/upgrade-only-k8s.yml"
      - id: tox-inventory-builder
        name: tox-inventory-builder
        entry: bash -c "cd contrib/inventory_builder && tox"
        language: python
        pass_filenames: false
      - id: check-readme-versions
        name: check-readme-versions
        entry: tests/scripts/check_readme_versions.sh
        language: script
        pass_filenames: false
      - id: ci-matrix
        name: ci-matrix
        entry: tests/scripts/md-table/test.sh
        language: script
        pass_filenames: false
--- a/.yamllint
+++ b/.yamllint
@@ -3,6 +3,8 @@ extends: default
 ignore: |
  .git/
  # Generated file
  tests/files/custom_cni/cilium.yaml
 rules:
  braces:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -16,7 +16,12 @@ pip install -r tests/requirements.txt
 #### Linting
-Kubespray uses `yamllint` and `ansible-lint`. To run them locally use `yamllint .` and `ansible-lint`. It is a good idea to add call these tools as part of your pre-commit hook and avoid a lot of back end forth on fixing linting issues (<https://support.gitkraken.com/working-with-repositories/githooksexample/>).
+Kubespray uses [pre-commit](https://pre-commit.com) hook configuration to run several linters, please install this tool and use it to run validation tests before submitting a PR.
 ```ShellSession
 pre-commit install
 pre-commit run -a  # To run pre-commit hook on all files in the repository, even if they were not modified
 ```
 #### Molecule
@@ -33,7 +38,9 @@ Vagrant with VirtualBox or libvirt driver helps you to quickly spin test cluster
 1. Submit an issue describing your proposed change to the repo in question.
 2. The [repo owners](OWNERS) will respond to your issue promptly.
 3. Fork the desired repo, develop and test your code changes.
-4. Sign the CNCF CLA (<https://git.k8s.io/community/CLA.md#the-contributor-license-agreement>)
+4. Install [pre-commit](https://pre-commit.com) and install it in your development repo.
-5. Submit a pull request.
+5. Addess any pre-commit validation failures.
-6. Work with the reviewers on their suggestions.
+6. Sign the CNCF CLA (<https://git.k8s.io/community/CLA.md#the-contributor-license-agreement>)
-7. Ensure to rebase to the HEAD of your target branch and squash un-necessary commits (<https://blog.carbonfive.com/always-squash-and-rebase-your-git-commits/>) before final merger of your contribution.
+7. Submit a pull request.
 8. Work with the reviewers on their suggestions.
 9. Ensure to rebase to the HEAD of your target branch and squash un-necessary commits (<https://blog.carbonfive.com/always-squash-and-rebase-your-git-commits/>) before final merger of your contribution.
--- a/62
+++ b/62
@@ -1,33 +1,41 @@
-# Use imutable image tags rather than mutable tags (like ubuntu:18.04)
+# Use imutable image tags rather than mutable tags (like ubuntu:22.04)
-FROM ubuntu:bionic-20200807
+FROM ubuntu:jammy-20230308
 RUN apt update -y \
    && apt install -y \
    libssl-dev python3-dev sshpass apt-transport-https jq moreutils \
    ca-certificates curl gnupg2 software-properties-common python3-pip unzip rsync git \
    && rm -rf /var/lib/apt/lists/*
 RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
    && add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable" \
    && apt update -y && apt-get install --no-install-recommends -y docker-ce \
    && rm -rf /var/lib/apt/lists/*
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
 # (and potentially other packages) 
 # See: https://github.com/pypa/pip/issues/10219
-ENV LANG=C.UTF-8
+ENV LANG=C.UTF-8 \
-
+    DEBIAN_FRONTEND=noninteractive \
    PYTHONDONTWRITEBYTECODE=1
 WORKDIR /kubespray
-COPY . .
+COPY *yml .
-RUN /usr/bin/python3 -m pip install --no-cache-dir pip -U \
+COPY roles ./roles
-    && /usr/bin/python3 -m pip install --no-cache-dir -r tests/requirements.txt \
+COPY contrib ./contrib
-    && python3 -m pip install --no-cache-dir -r requirements.txt \
+COPY inventory ./inventory
-    && update-alternatives --install /usr/bin/python python /usr/bin/python3 1
+COPY library ./library
 COPY extra_playbooks ./extra_playbooks
-RUN KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
+RUN apt update -q \
-    && curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/amd64/kubectl \
+    && apt install -yq --no-install-recommends \
-    && chmod a+x kubectl \
+       curl \
-    && mv kubectl /usr/local/bin/kubectl
+       python3 \
       python3-pip \
       sshpass \
       vim \
       rsync \
       openssh-client \
    && pip install --no-compile --no-cache-dir \
       ansible==5.7.1 \
       ansible-core==2.12.5 \
       cryptography==3.4.8 \
       jinja2==3.1.2 \
       netaddr==0.8.0 \
       jmespath==1.0.1 \
       MarkupSafe==2.1.2 \
       ruamel.yaml==0.17.21 \
    && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main.yaml) \
    && curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
    && echo $(curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl \
    && rm -rf /var/lib/apt/lists/* /var/log/* \
    && find / -type d -name '*__pycache__' -prune -exec rm -rf {} \;
--- a/11
+++ b/11
@@ -4,10 +4,13 @@ aliases:
    - chadswen
    - mirwan
    - miouge1
    - woopstar
    - luckysb
    - floryut
    - oomichi
    - cristicalin
    - liupeng0518
    - yankay
    - mzaian
  kubespray-reviewers:
    - holmsten
    - bozzo
@@ -15,7 +18,13 @@ aliases:
    - oomichi
    - jayonlau
    - cristicalin
    - liupeng0518
    - yankay
    - cyclinder
    - mzaian
    - mrfreezeex
  kubespray-emeritus_approvers:
    - riverzhang
    - atoms
    - ant31
    - woopstar
--- a/README.md
+++ b/README.md
@@ -13,16 +13,16 @@ You can get your invite [here](http://slack.k8s.io/)
 ## Quick Start
-To deploy the cluster you can use :
+Below are several ways to use Kubespray to deploy a Kubernetes cluster.
 ### Ansible
 #### Usage
-```ShellSession
+Install Ansible according to [Ansible installation guide](/docs/ansible.md#installing-ansible)
-# Install dependencies from ``requirements.txt``
+then run the following steps:
 sudo pip3 install -r requirements.txt
 ```ShellSession
 # Copy ``inventory/sample`` as ``inventory/mycluster``
 cp -rfp inventory/sample inventory/mycluster
@@ -34,6 +34,13 @@ CONFIG_FILE=inventory/mycluster/hosts.yaml python3 contrib/inventory_builder/inv
 cat inventory/mycluster/group_vars/all/all.yml
 cat inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml
 # Clean up old Kubernete cluster with Ansible Playbook - run the playbook as root
 # The option `--become` is required, as for example cleaning up SSL keys in /etc/,
 # uninstalling old packages and interacting with various systemd daemons.
 # Without --become the playbook will fail to run!
 # And be mind it will remove the current kubernetes cluster (if it's running)!
 ansible-playbook -i inventory/mycluster/hosts.yaml  --become --become-user=root reset.yml
 # Deploy Kubespray with Ansible Playbook - run the playbook as root
 # The option `--become` is required, as for example writing SSL keys in /etc/,
 # installing packages and interacting with various systemd daemons.
@@ -41,44 +48,61 @@ cat inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml
 ansible-playbook -i inventory/mycluster/hosts.yaml  --become --become-user=root cluster.yml
 ```
-Note: When Ansible is already installed via system packages on the control machine, other python packages installed via `sudo pip install -r requirements.txt` will go to a different directory tree (e.g. `/usr/local/lib/python2.7/dist-packages` on Ubuntu) from Ansible's (e.g. `/usr/lib/python2.7/dist-packages/ansible` still on Ubuntu).
+Note: When Ansible is already installed via system packages on the control node,
-As a consequence, `ansible-playbook` command will fail with:
+Python packages installed via `sudo pip install -r requirements.txt` will go to
 a different directory tree (e.g. `/usr/local/lib/python2.7/dist-packages` on
 Ubuntu) from Ansible's (e.g. `/usr/lib/python2.7/dist-packages/ansible` still on
 Ubuntu). As a consequence, the `ansible-playbook` command will fail with:
 ```raw
 ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.
 ```
-probably pointing on a task depending on a module present in requirements.txt.
+This likely indicates that a task depends on a module present in ``requirements.txt``.
-One way of solving this would be to uninstall the Ansible package and then, to install it via pip but it is not always possible.
+One way of addressing this is to uninstall the system Ansible package then
-A workaround consists of setting `ANSIBLE_LIBRARY` and `ANSIBLE_MODULE_UTILS` environment variables respectively to the `ansible/modules` and `ansible/module_utils` subdirectories of pip packages installation location, which can be found in the Location field of the output of `pip show [package]` before executing `ansible-playbook`.
+reinstall Ansible via ``pip``, but this not always possible and one must
 take care regarding package versions.
 A workaround consists of setting the `ANSIBLE_LIBRARY`
 and `ANSIBLE_MODULE_UTILS` environment variables respectively to
 the `ansible/modules` and `ansible/module_utils` subdirectories of the ``pip``
 installation location, which is the ``Location`` shown by running
 `pip show [package]` before executing `ansible-playbook`.
-A simple way to ensure you get all the correct version of Ansible is to use the [pre-built docker image from Quay](https://quay.io/repository/kubespray/kubespray?tab=tags).
+A simple way to ensure you get all the correct version of Ansible is to use
-You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mounts/) to get the inventory and ssh key into the container, like this:
+the [pre-built docker image from Quay](https://quay.io/repository/kubespray/kubespray?tab=tags).
 You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mounts/)
 to access the inventory and SSH key in the container, like this:
 ```ShellSession
-docker pull quay.io/kubespray/kubespray:v2.17.1
+git checkout v2.21.0
 docker pull quay.io/kubespray/kubespray:v2.21.0
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.17.1 bash
+  quay.io/kubespray/kubespray:v2.21.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
 #### Collection
 See [here](docs/ansible_collection.md) if you wish to use this repository as an Ansible collection
 ### Vagrant
-For Vagrant we need to install python dependencies for provisioning tasks.
+For Vagrant we need to install Python dependencies for provisioning tasks.
-Check if Python and pip are installed:
+Check that ``Python`` and ``pip`` are installed:
 ```ShellSession
 python -V && pip -V
 ```
 If this returns the version of the software, you're good to go. If not, download and install Python from here <https://www.python.org/downloads/source/>
-Install the necessary requirements
+
 Install Ansible according to [Ansible installation guide](/docs/ansible.md#installing-ansible)
 then run the following step:
 ```ShellSession
 sudo pip install -r requirements.txt
 vagrant up
 ```
@@ -110,69 +134,87 @@ vagrant up
 - [Adding/replacing a node](docs/nodes.md)
 - [Upgrades basics](docs/upgrades.md)
 - [Air-Gap installation](docs/offline-environment.md)
 - [NTP](docs/ntp.md)
 - [Hardening](docs/hardening.md)
 - [Mirror](docs/mirror.md)
 - [Roadmap](docs/roadmap.md)
 ## Supported Linux Distributions
 - **Flatcar Container Linux by Kinvolk**
- **Debian** Bullseye, Buster, Jessie, Stretch
+- **Debian** Bullseye, Buster
- **Ubuntu** 16.04, 18.04, 20.04
+- **Ubuntu** 16.04, 18.04, 20.04, 22.04
- **CentOS/RHEL** 7, [8](docs/centos8.md)
+- **CentOS/RHEL** 7, [8, 9](docs/centos.md#centos-8)
- **Fedora** 34, 35
+- **Fedora** 35, 36
 - **Fedora CoreOS** (see [fcos Note](docs/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
- **Oracle Linux** 7, [8](docs/centos8.md)
+- **Oracle Linux** 7, [8, 9](docs/centos.md#centos-8)
- **Alma Linux** [8](docs/centos8.md)
+- **Alma Linux** [8, 9](docs/centos.md#centos-8)
- **Rocky Linux** [8](docs/centos8.md)
+- **Rocky Linux** [8, 9](docs/centos.md#centos-8)
 - **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/kylinlinux.md))
 - **Amazon Linux 2** (experimental: see [amazon linux notes](docs/amazonlinux.md))
 - **UOS Linux** (experimental: see [uos linux notes](docs/uoslinux.md))
 - **openEuler** (experimental: see [openEuler notes](docs/openeuler.md))
 Note: Upstart/SysV init based OS types are not supported.
 ## Supported Components
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.22.5
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.26.5
-  - [etcd](https://github.com/coreos/etcd) v3.5.0
+  - [etcd](https://github.com/etcd-io/etcd) v3.5.6
  - [docker](https://www.docker.com/) v20.10 (see note)
-  - [containerd](https://containerd.io/) v1.5.8
+  - [containerd](https://containerd.io/) v1.7.1
-  - [cri-o](http://cri-o.io/) v1.22 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) v1.24 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
-  - [cni-plugins](https://github.com/containernetworking/plugins) v1.0.1
+  - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
-  - [calico](https://github.com/projectcalico/calico) v3.20.3
+  - [calico](https://github.com/projectcalico/calico) v3.25.1
-  - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
+  - [cilium](https://github.com/cilium/cilium) v1.13.0
-  - [cilium](https://github.com/cilium/cilium) v1.9.11
+  - [flannel](https://github.com/flannel-io/flannel) v0.21.4
-  - [flanneld](https://github.com/flannel-io/flannel) v0.15.1
+  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.10.7
-  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.8.1
+  - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.5.1
-  - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.3.2
+  - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8
  - [multus](https://github.com/intel/multus-cni) v3.8
  - [weave](https://github.com/weaveworks/weave) v2.8.1
  - [kube-vip](https://github.com/kube-vip/kube-vip) v0.5.12
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) v1.11.1
  - [coredns](https://github.com/coredns/coredns) v1.9.3
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.7.1
  - [krew](https://github.com/kubernetes-sigs/krew) v0.4.3
  - [argocd](https://argoproj.github.io/) v2.7.2
  - [helm](https://helm.sh/) v3.12.0
  - [metallb](https://metallb.universe.tf/)  v0.13.9
  - [registry](https://github.com/distribution/distribution) v2.8.1
 - Storage Plugin
  - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
  - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v1.5.4
+  - [aws-ebs-csi-plugin](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) v0.5.0
-  - [coredns](https://github.com/coredns/coredns) v1.8.0
+  - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.4
+  - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.22.0
  - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.4.0
  - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.23
  - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0
 ## Container Runtime Notes
- The list of available docker version is 18.09, 19.03 and 20.10. The recommended docker version is 20.10. The kubelet might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. yum versionlock plugin or apt pin).
+- Supported Docker versions are 18.09, 19.03 and 20.10. The *recommended* Docker version is 20.10. `Kubelet` might break on docker's non-standard version numbering (it no longer uses semantic versioning). To ensure auto-updates don't break your cluster look into e.g. the YUM  ``versionlock`` plugin or ``apt pin``).
 - The cri-o version should be aligned with the respective kubernetes version (i.e. kube_version=1.20.x, crio_version=1.20)
 ## Requirements
- **Minimum required version of Kubernetes is v1.20**
+- **Minimum required version of Kubernetes is v1.24**
- **Ansible v2.9.x, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands, Ansible 2.10.x is experimentally supported for now**
+- **Ansible v2.11+, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands**
 - The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](docs/offline-environment.md))
 - The target servers are configured to allow **IPv4 forwarding**.
 - If using IPv6 for pods and services, the target servers are configured to allow **IPv6 forwarding**.
 - The **firewalls are not managed**, you'll need to implement your own rules the way you used to.
    in order to avoid any issue during deployment you should disable your firewall.
- If kubespray is ran from non-root user account, correct privilege escalation method
+- If kubespray is run from non-root user account, correct privilege escalation method
    should be configured in the target servers. Then the `ansible_become` flag
    or command parameters `--become or -b` should be specified.
 Hardware:
-These limits are safe guarded by Kubespray. Actual requirements for your workload can differ. For a sizing guide go to the [Building Large Clusters](https://kubernetes.io/docs/setup/cluster-large/#size-of-master-and-master-components) guide.
+These limits are safeguarded by Kubespray. Actual requirements for your workload can differ. For a sizing guide go to the [Building Large Clusters](https://kubernetes.io/docs/setup/cluster-large/#size-of-master-and-master-components) guide.
 - Master
  - Memory: 1500 MB
@@ -181,7 +223,7 @@ These limits are safe guarded by Kubespray. Actual requirements for your workloa
 ## Network Plugins
-You can choose between 10 network plugins. (default: `calico`, except Vagrant uses `flannel`)
+You can choose among ten network plugins. (default: `calico`, except Vagrant uses `flannel`)
 - [flannel](docs/flannel.md): gre/vxlan (layer 2) networking.
@@ -190,8 +232,6 @@ You can choose between 10 network plugins. (default: `calico`, except Vagrant us
    and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts,
    pods, and (if using Istio and Envoy) applications at the service mesh layer.
 - [canal](https://github.com/projectcalico/canal): a composition of calico and flannel plugins.
 - [cilium](http://docs.cilium.io/en/latest/): layer 3/4 networking (as well as layer 7 to protect and secure application protocols), supports dynamic insertion of BPF bytecode into the Linux kernel to implement security services, networking and visibility logic.
 - [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
@@ -208,7 +248,10 @@ You can choose between 10 network plugins. (default: `calico`, except Vagrant us
 - [multus](docs/multus.md): Multus is a meta CNI plugin that provides multiple network interface support to pods. For each interface Multus delegates CNI calls to secondary CNI plugins such as Calico, macvlan, etc.
-The choice is defined with the variable `kube_network_plugin`. There is also an
+- [custom_cni](roles/network-plugin/custom_cni/) : You can specify some manifests that will be applied to the clusters to bring you own CNI and use non-supported ones by Kubespray.
  See `tests/files/custom_cni/README.md` and `tests/files/custom_cni/values.yaml`for an example with a CNI provided by a Helm Chart.
 The network plugin to use is defined by the variable `kube_network_plugin`. There is also an
 option to leverage built-in cloud provider networking instead.
 See also [Network checker](docs/netcheck.md).
@@ -229,10 +272,11 @@ See also [Network checker](docs/netcheck.md).
 - [Digital Rebar Provision](https://github.com/digitalrebar/provision/blob/v4/doc/integrations/ansible.rst)
 - [Terraform Contrib](https://github.com/kubernetes-sigs/kubespray/tree/master/contrib/terraform)
 - [Kubean](https://github.com/kubean-io/kubean)
 ## CI Tests
-[![Build graphs](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/badges/master/pipeline.svg)](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/pipelines)
+[![Build graphs](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/badges/master/pipeline.svg)](https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/-/pipelines)
 CI/end-to-end tests sponsored by: [CNCF](https://cncf.io), [Equinix Metal](https://metal.equinix.com/), [OVHcloud](https://www.ovhcloud.com/), [ELASTX](https://elastx.se/).
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -2,17 +2,18 @@
 The Kubespray Project is released on an as-needed basis. The process is as follows:
-1. An issue is proposing a new release with a changelog since the last release
+1. An issue is proposing a new release with a changelog since the last release. Please see [a good sample issue](https://github.com/kubernetes-sigs/kubespray/issues/8325)
 2. At least one of the [approvers](OWNERS_ALIASES) must approve this release
 3. The `kube_version_min_required` variable is set to `n-1`
-4. Remove hashes for [EOL versions](https://github.com/kubernetes/sig-release/blob/master/releases/patch-releases.md) of kubernetes from `*_checksums` variables.
+4. Remove hashes for [EOL versions](https://github.com/kubernetes/website/blob/main/content/en/releases/patch-releases.md) of kubernetes from `*_checksums` variables.
-5. An approver creates [new release in GitHub](https://github.com/kubernetes-sigs/kubespray/releases/new) using a version and tag name like `vX.Y.Z` and attaching the release notes
+5. Create the release note with [Kubernetes Release Notes Generator](https://github.com/kubernetes/release/blob/master/cmd/release-notes/README.md). See the following `Release note creation` section for the details.
-6. An approver creates a release branch in the form `release-X.Y`
+6. An approver creates [new release in GitHub](https://github.com/kubernetes-sigs/kubespray/releases/new) using a version and tag name like `vX.Y.Z` and attaching the release notes
-7. The corresponding version of [quay.io/kubespray/kubespray:vX.Y.Z](https://quay.io/repository/kubespray/kubespray) and [quay.io/kubespray/vagrant:vX.Y.Z](https://quay.io/repository/kubespray/vagrant) docker images are built and tagged
+7. An approver creates a release branch in the form `release-X.Y`
-8. The `KUBESPRAY_VERSION` variable is updated in `.gitlab-ci.yml`
+8. The corresponding version of [quay.io/kubespray/kubespray:vX.Y.Z](https://quay.io/repository/kubespray/kubespray) and [quay.io/kubespray/vagrant:vX.Y.Z](https://quay.io/repository/kubespray/vagrant) container images are built and tagged. See the following `Container image creation` section for the details.
-9. The release issue is closed
+9. The `KUBESPRAY_VERSION` variable is updated in `.gitlab-ci.yml`
-10. An announcement email is sent to `kubernetes-dev@googlegroups.com` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
+10. The release issue is closed
-11. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
+11. An announcement email is sent to `dev@kubernetes.io` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
 12. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
 ## Major/minor releases and milestones
@@ -46,3 +47,37 @@ The Kubespray Project is released on an as-needed basis. The process is as follo
  then Kubespray v2.1.0 may be bound to only minor changes to `kube_version`, like v1.5.1
  and *any* changes to other components, like etcd v4, or calico 1.2.3.
  And Kubespray v3.x.x shall be bound to `kube_version: 2.x.x` respectively.
 ## Release note creation
 You can create a release note with:
 ```shell
 export GITHUB_TOKEN=<your-github-token>
 export ORG=kubernetes-sigs
 export REPO=kubespray
 release-notes --start-sha <The start commit-id> --end-sha <The end commit-id> --dependencies=false --output=/tmp/kubespray-release-note --required-author=""
 ```
 If the release note file(/tmp/kubespray-release-note) contains "### Uncategorized" pull requests, those pull requests don't have a valid kind label(`kind/feature`, etc.).
 It is necessary to put a valid label on each pull request and run the above release-notes command again to get a better release note
 ## Container image creation
 The container image `quay.io/kubespray/kubespray:vX.Y.Z` can be created from Dockerfile of the kubespray root directory:
 ```shell
 cd kubespray/
 nerdctl build -t quay.io/kubespray/kubespray:vX.Y.Z .
 nerdctl push quay.io/kubespray/kubespray:vX.Y.Z
 ```
 The container image `quay.io/kubespray/vagrant:vX.Y.Z` can be created from build.sh of test-infra/vagrant-docker/:
 ```shell
 cd kubespray/test-infra/vagrant-docker/
 ./build vX.Y.Z
 ```
 Please note that the above operation requires the permission to push container images into quay.io/kubespray/.
 If you don't have the permission, please ask it on the #kubespray-dev channel.
--- a/4
+++ b/4
@@ -9,5 +9,7 @@
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
 atoms
 mattymo
 floryut
 oomichi
 cristicalin
--- a/38
+++ b/38
@@ -10,6 +10,7 @@ Vagrant.require_version ">= 2.0.0"
 CONFIG = File.join(File.dirname(__FILE__), ENV['KUBESPRAY_VAGRANT_CONFIG'] || 'vagrant/config.rb')
 FLATCAR_URL_TEMPLATE = "https://%s.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vagrant.json"
 FEDORA35_MIRROR = "https://download.fedoraproject.org/pub/fedora/linux/releases/35/Cloud/x86_64/images/Fedora-Cloud-Base-Vagrant-35-1.2.x86_64.vagrant-libvirt.box"
 # Uniq disk UUID for libvirt
 DISK_UUID = Time.now.utc.to_i
@@ -26,9 +27,12 @@ SUPPORTED_OS = {
  "centos-bento"        => {box: "bento/centos-7.6",           user: "vagrant"},
  "centos8"             => {box: "centos/8",                   user: "vagrant"},
  "centos8-bento"       => {box: "bento/centos-8",             user: "vagrant"},
-  "fedora34"            => {box: "fedora/34-cloud-base",       user: "vagrant"},
+  "almalinux8"          => {box: "almalinux/8",                user: "vagrant"},
-  "fedora35"            => {box: "fedora/35-cloud-base",       user: "vagrant"},
+  "almalinux8-bento"    => {box: "bento/almalinux-8",          user: "vagrant"},
-  "opensuse"            => {box: "bento/opensuse-leap-15.2",   user: "vagrant"},
+  "rockylinux8"         => {box: "generic/rocky8",             user: "vagrant"},
  "fedora35"            => {box: "fedora/35-cloud-base",       user: "vagrant", box_url: FEDORA35_MIRROR},
  "fedora36"            => {box: "fedora/36-cloud-base",       user: "vagrant"},
  "opensuse"            => {box: "opensuse/Leap-15.4.x86_64",  user: "vagrant"},
  "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
  "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
  "oraclelinux8"        => {box: "generic/oracle8",            user: "vagrant"},
@@ -52,14 +56,14 @@ $subnet ||= "172.18.8"
 $subnet_ipv6 ||= "fd3c:b398:0698:0756"
 $os ||= "ubuntu1804"
 $network_plugin ||= "flannel"
-# Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni
+# Setting multi_networking to true will install Multus: https://github.com/k8snetworkplumbingwg/multus-cni
-$multi_networking ||= false
+$multi_networking ||= "False"
 $download_run_once ||= "True"
 $download_force_cache ||= "False"
 # The first three nodes are etcd servers
-$etcd_instances ||= $num_instances
+$etcd_instances ||= [$num_instances, 3].min
 # The first two nodes are kube masters
-$kube_master_instances ||= $num_instances == 1 ? $num_instances : ($num_instances - 1)
+$kube_master_instances ||= [$num_instances, 2].min
 # All nodes are kube nodes
 $kube_node_instances ||= $num_instances
 # The following only works when using the libvirt provider
@@ -68,14 +72,24 @@ $kube_node_instances_with_disks_size ||= "20G"
 $kube_node_instances_with_disks_number ||= 2
 $override_disk_size ||= false
 $disk_size ||= "20GB"
-$local_path_provisioner_enabled ||= false
+$local_path_provisioner_enabled ||= "False"
 $local_path_provisioner_claim_root ||= "/opt/local-path-provisioner/"
 $libvirt_nested ||= false
 # boolean or string (e.g. "-vvv")
 $ansible_verbosity ||= false
 $ansible_tags ||= ENV['VAGRANT_ANSIBLE_TAGS'] || ""
 $playbook ||= "cluster.yml"
 host_vars = {}
 # throw error if os is not supported
 if ! SUPPORTED_OS.key?($os)
  puts "Unsupported OS: #{$os}"
  puts "Supported OS are: #{SUPPORTED_OS.keys.join(', ')}"
  exit 1
 end
 $box = SUPPORTED_OS[$os][:box]
 # if $inventory is not set, try to use example
 $inventory = "inventory/sample" if ! $inventory
@@ -167,7 +181,7 @@ Vagrant.configure("2") do |config|
          # always make /dev/sd{a/b/c} so that CI can ensure that
          # virtualbox and libvirt will have the same devices to use for OSDs
          (1..$kube_node_instances_with_disks_number).each do |d|
-            lv.storage :file, :device => "hd#{driverletters[d]}", :path => "disk-#{i}-#{d}-#{DISK_UUID}.disk", :size => $kube_node_instances_with_disks_size, :bus => "ide"
+            lv.storage :file, :device => "hd#{driverletters[d]}", :path => "disk-#{i}-#{d}-#{DISK_UUID}.disk", :size => $kube_node_instances_with_disks_size, :bus => "scsi"
          end
        end
      end
@@ -238,9 +252,11 @@ Vagrant.configure("2") do |config|
      }
      # Only execute the Ansible provisioner once, when all the machines are up and ready.
      # And limit the action to gathering facts, the full playbook is going to be ran by testcases_run.sh
      if i == $num_instances
        node.vm.provision "ansible" do |ansible|
          ansible.playbook = $playbook
          ansible.verbose = $ansible_verbosity
          $ansible_inventory_path = File.join( $inventory, "hosts.ini")
          if File.exist?($ansible_inventory_path)
            ansible.inventory_path = $ansible_inventory_path
@@ -250,7 +266,9 @@ Vagrant.configure("2") do |config|
          ansible.host_key_checking = false
          ansible.raw_arguments = ["--forks=#{$num_instances}", "--flush-cache", "-e ansible_become_pass=vagrant"]
          ansible.host_vars = host_vars
-          #ansible.tags = ['download']
+          if $ansible_tags != ""
            ansible.tags = [$ansible_tags]
          end
          ansible.groups = {
            "etcd" => ["#{$instance_name_prefix}-[1:#{$etcd_instances}]"],
            "kube_control_plane" => ["#{$instance_name_prefix}-[1:#{$kube_master_instances}]"],
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,6 +1,6 @@
 [ssh_connection]
 pipelining=True
-ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
+ansible_ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
 #control_path = ~/.ssh/ansible-%%r@%%h:%%p
 [defaults]
 # https://github.com/ansible/ansible/issues/56930 (to ignore group names with - and .)
@@ -10,11 +10,11 @@ host_key_checking=False
 gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = /tmp
-fact_caching_timeout = 7200
+fact_caching_timeout = 86400
 stdout_callback = default
 display_skipped_hosts = no
 library = ./library
-callback_whitelist = profile_tasks
+callbacks_enabled = profile_tasks,ara_default
 roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr/local/share/ansible/roles:/usr/share/kubespray/roles
 deprecation_warnings=False
 inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo, .creds, .gpg
--- a/cluster.yml
+++ b/cluster.yml
@@ -1,127 +1,3 @@
 ---
- name: Check ansible version
+- name: Install Kubernetes
-  import_playbook: ansible_version.yml
+  ansible.builtin.import_playbook: playbooks/cluster.yml
 - name: Ensure compatibility with old groups
  import_playbook: legacy_groups.yml
 - hosts: bastion[0]
  gather_facts: False
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: bastion-ssh-config, tags: ["localhost", "bastion"] }
 - hosts: k8s_cluster:etcd
  strategy: linear
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  gather_facts: false
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: bootstrap-os, tags: bootstrap-os}
 - name: Gather facts
  tags: always
  import_playbook: facts.yml
 - hosts: k8s_cluster:etcd
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: kubernetes/preinstall, tags: preinstall }
    - { role: "container-engine", tags: "container-engine", when: deploy_container_engine }
    - { role: download, tags: download, when: "not skip_downloads" }
 - hosts: etcd
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - role: etcd
      tags: etcd
      vars:
        etcd_cluster_setup: true
        etcd_events_cluster_setup: "{{ etcd_events_cluster_enabled }}"
      when: not etcd_kubeadm_enabled| default(false)
 - hosts: k8s_cluster
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - role: etcd
      tags: etcd
      vars:
        etcd_cluster_setup: false
        etcd_events_cluster_setup: false
      when: not etcd_kubeadm_enabled| default(false)
 - hosts: k8s_cluster
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: kubernetes/node, tags: node }
 - hosts: kube_control_plane
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: kubernetes/control-plane, tags: master }
    - { role: kubernetes/client, tags: client }
    - { role: kubernetes-apps/cluster_roles, tags: cluster-roles }
 - hosts: k8s_cluster
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: kubernetes/kubeadm, tags: kubeadm}
    - { role: kubernetes/node-label, tags: node-label }
    - { role: network_plugin, tags: network }
 - hosts: calico_rr
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: network_plugin/calico/rr, tags: ['network', 'calico_rr'] }
 - hosts: kube_control_plane[0]
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }
 - hosts: kube_control_plane
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: kubernetes-apps/external_cloud_controller, tags: external-cloud-controller }
    - { role: kubernetes-apps/network_plugin, tags: network }
    - { role: kubernetes-apps/policy_controller, tags: policy-controller }
    - { role: kubernetes-apps/ingress_controller, tags: ingress-controller }
    - { role: kubernetes-apps/external_provisioner, tags: external-provisioner }
    - { role: kubernetes-apps, tags: apps }
 - hosts: k8s_cluster
  gather_facts: False
  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
  environment: "{{ proxy_disable_env }}"
  roles:
    - { role: kubespray-defaults }
    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }
--- a/contrib/azurerm/README.md
+++ b/contrib/azurerm/README.md
@@ -47,6 +47,10 @@ If you need to delete all resources from a resource group, simply call:
 **WARNING** this really deletes everything from your resource group, including everything that was later created by you!
 ## Installing Ansible and the dependencies
 Install Ansible according to [Ansible installation guide](/docs/ansible.md#installing-ansible)
 ## Generating an inventory for kubespray
 After you have applied the templates, you can generate an inventory with this call:
@@ -59,6 +63,5 @@ It will create the file ./inventory which can then be used with kubespray, e.g.:
 ```shell
 cd kubespray-root-dir
 sudo pip3 install -r requirements.txt
 ansible-playbook -i contrib/azurerm/inventory -u devops --become -e "@inventory/sample/group_vars/all/all.yml" cluster.yml
 ```
--- a/contrib/azurerm/roles/generate-inventory_2/templates/inventory.j2
+++ b/contrib/azurerm/roles/generate-inventory_2/templates/inventory.j2
@@ -31,4 +31,3 @@
 [k8s_cluster:children]
 kube_node
 kube_control_plane
--- a/contrib/dind/roles/dind-cluster/tasks/main.yaml
+++ b/contrib/dind/roles/dind-cluster/tasks/main.yaml
@@ -43,7 +43,7 @@
  package:
    name: "{{ item }}"
    state: present
-  with_items: "{{ distro_extra_packages }} + [ 'rsyslog', 'openssh-server' ]"
+  with_items: "{{ distro_extra_packages + [ 'rsyslog', 'openssh-server' ] }}"
 - name: Start needed services
  service:
--- a/contrib/dind/run-test-distros.sh
+++ b/contrib/dind/run-test-distros.sh
@@ -17,7 +17,7 @@ pass_or_fail() {
 test_distro() {
    local distro=${1:?};shift
    local extra="${*:-}"
-    local prefix="$distro[${extra}]}"
+    local prefix="${distro[${extra}]}"
    ansible-playbook -i hosts dind-cluster.yaml -e node_distro=$distro
    pass_or_fail "$prefix: dind-nodes" || return 1
    (cd ../..
@@ -71,15 +71,15 @@ for spec in ${SPECS}; do
    echo "Loading file=${spec} ..."
    . ${spec} || continue
    : ${DISTROS:?} || continue
-    echo "DISTROS=${DISTROS[@]}"
+    echo "DISTROS:" "${DISTROS[@]}"
    echo "EXTRAS->"
    printf "  %s\n" "${EXTRAS[@]}"
    let n=1
-    for distro in ${DISTROS[@]}; do
+    for distro in "${DISTROS[@]}"; do
        for extra in "${EXTRAS[@]:-NULL}"; do
            # Magic value to let this for run once:
            [[ ${extra} == NULL ]] && unset extra
-            docker rm -f ${NODES[@]}
+            docker rm -f "${NODES[@]}"
            printf -v file_out "%s/%s-%02d.out" ${OUTPUT_DIR} ${spec} $((n++))
            {
                info "${distro}[${extra}] START: file_out=${file_out}"
--- a/contrib/inventory_builder/inventory.py
+++ b/contrib/inventory_builder/inventory.py
@@ -83,11 +83,15 @@ class KubesprayInventory(object):
        self.config_file = config_file
        self.yaml_config = {}
        loadPreviousConfig = False
        printHostnames = False
        # See whether there are any commands to process
        if changed_hosts and changed_hosts[0] in AVAILABLE_COMMANDS:
            if changed_hosts[0] == "add":
                loadPreviousConfig = True
                changed_hosts = changed_hosts[1:]
            elif changed_hosts[0] == "print_hostnames":
                loadPreviousConfig = True
                printHostnames = True
            else:
                self.parse_command(changed_hosts[0], changed_hosts[1:])
                sys.exit(0)
@@ -105,6 +109,10 @@ class KubesprayInventory(object):
                print(e)
                sys.exit(1)
        if printHostnames:
            self.print_hostnames()
            sys.exit(0)
        self.ensure_required_groups(ROLES)
        if changed_hosts:
--- a/contrib/inventory_builder/requirements.txt
+++ b/contrib/inventory_builder/requirements.txt
@@ -1,3 +1,3 @@
 configparser>=3.3.0
 ruamel.yaml>=0.15.88
 ipaddress
 ruamel.yaml>=0.15.88
--- a/contrib/inventory_builder/test-requirements.txt
+++ b/contrib/inventory_builder/test-requirements.txt
@@ -1,3 +1,3 @@
 hacking>=0.10.2
 pytest>=2.8.0
 mock>=1.3.0
 pytest>=2.8.0
--- a/contrib/inventory_builder/tests/test_inventory.py
+++ b/contrib/inventory_builder/tests/test_inventory.py
@@ -13,6 +13,7 @@
 # under the License.
 import inventory
 from io import StringIO
 import unittest
 from unittest import mock
@@ -26,6 +27,28 @@ if path not in sys.path:
 import inventory  # noqa
 class TestInventoryPrintHostnames(unittest.TestCase):
    @mock.patch('ruamel.yaml.YAML.load')
    def test_print_hostnames(self, load_mock):
        mock_io = mock.mock_open(read_data='')
        load_mock.return_value = OrderedDict({'all': {'hosts': {
            'node1': {'ansible_host': '10.90.0.2',
                      'ip': '10.90.0.2',
                      'access_ip': '10.90.0.2'},
            'node2': {'ansible_host': '10.90.0.3',
                      'ip': '10.90.0.3',
                      'access_ip': '10.90.0.3'}}}})
        with mock.patch('builtins.open', mock_io):
            with self.assertRaises(SystemExit) as cm:
                with mock.patch('sys.stdout', new_callable=StringIO) as stdout:
                    inventory.KubesprayInventory(
                        changed_hosts=["print_hostnames"],
                        config_file="file")
            self.assertEqual("node1 node2\n", stdout.getvalue())
            self.assertEqual(cm.exception.code, 0)
 class TestInventory(unittest.TestCase):
    @mock.patch('inventory.sys')
    def setUp(self, sys_mock):
--- a/contrib/kvm-setup/group_vars/all
+++ b/contrib/kvm-setup/group_vars/all
@@ -1,3 +1,2 @@
 #k8s_deployment_user: kubespray
 #k8s_deployment_user_pkey_path: /tmp/ssh_rsa
--- a/contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml
+++ b/contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml
@@ -28,7 +28,7 @@
  sysctl:
    name: net.ipv4.ip_forward
    value: 1
-    sysctl_file: /etc/sysctl.d/ipv4-ip_forward.conf
+    sysctl_file: "{{ sysctl_file_path }}"
    state: present
    reload: yes
@@ -37,7 +37,7 @@
    name: "{{ item }}"
    state: present
    value: 0
-    sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
+    sysctl_file: "{{ sysctl_file_path }}"
    reload: yes
  with_items:
    - net.bridge.bridge-nf-call-arptables
--- a/contrib/mitogen/mitogen.yml
+++ b/contrib/mitogen/mitogen.yml
@@ -5,8 +5,8 @@
 - hosts: localhost
  strategy: linear
  vars:
-    mitogen_version: 0.3.0rc1
+    mitogen_version: 0.3.2
-    mitogen_url: https://github.com/dw/mitogen/archive/v{{ mitogen_version }}.tar.gz
+    mitogen_url: https://github.com/mitogen-hq/mitogen/archive/refs/tags/v{{ mitogen_version }}.tar.gz
    ansible_connection: local
  tasks:
    - name: Create mitogen plugin dir
@@ -38,7 +38,12 @@
    - name: add strategy to ansible.cfg
      ini_file:
        path: ansible.cfg
        section: defaults
        option: strategy
        value: mitogen_linear
        mode: 0644
        section: "{{ item.section | d('defaults') }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
      with_items:
        - option: strategy
          value: mitogen_linear
        - option: strategy_plugins
          value: plugins/mitogen/ansible_mitogen/plugins/strategy
--- a/contrib/network-storage/glusterfs/inventory.example
+++ b/contrib/network-storage/glusterfs/inventory.example
@@ -41,4 +41,3 @@
 # [network-storage:children]
 # gfs-cluster
--- a/contrib/network-storage/glusterfs/roles/glusterfs/README.md
+++ b/contrib/network-storage/glusterfs/roles/glusterfs/README.md
@@ -14,12 +14,16 @@ This role performs basic installation and setup of Gluster, but it does not conf
 Available variables are listed below, along with default values (see `defaults/main.yml`):
-    glusterfs_default_release: ""
+```yaml
 glusterfs_default_release: ""
 ```
 You can specify a `default_release` for apt on Debian/Ubuntu by overriding this variable. This is helpful if you need a different package or version for the main GlusterFS packages (e.g. GlusterFS 3.5.x instead of 3.2.x with the `wheezy-backports` default release on Debian Wheezy).
-    glusterfs_ppa_use: yes
+```yaml
-    glusterfs_ppa_version: "3.5"
+glusterfs_ppa_use: yes
 glusterfs_ppa_version: "3.5"
 ```
 For Ubuntu, specify whether to use the official Gluster PPA, and which version of the PPA to use. See Gluster's [Getting Started Guide](https://docs.gluster.org/en/latest/Quick-Start-Guide/Quickstart/) for more info.
@@ -29,9 +33,11 @@ None.
 ## Example Playbook
 ```yaml
    - hosts: server
      roles:
        - geerlingguy.glusterfs
 ```
 For a real-world use example, read through [Simple GlusterFS Setup with Ansible](http://www.jeffgeerling.com/blog/simple-glusterfs-setup-ansible), a blog post by this role's author, which is included in Chapter 8 of [Ansible for DevOps](https://www.ansiblefordevops.com/).
--- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml
+++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml
@@ -3,6 +3,7 @@
  template:
    src: "{{ item.file }}"
    dest: "{{ kube_config_dir }}/{{ item.dest }}"
    mode: 0644
  with_items:
    - { file: glusterfs-kubernetes-endpoint.json.j2, type: ep, dest: glusterfs-kubernetes-endpoint.json}
    - { file: glusterfs-kubernetes-pv.yml.j2, type: pv, dest: glusterfs-kubernetes-pv.yml}
--- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint.json.j2
+++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint.json.j2
@@ -21,4 +21,3 @@
    {% endfor %}
  ]
 }
--- a/contrib/offline/README.md
+++ b/contrib/offline/README.md
@@ -9,7 +9,8 @@ This script has two features:
 (2) Deploy local container registry and register the container images to the registry.
 Step(1) should be done online site as a preparation, then we bring the gotten images
-to the target offline environment.
+to the target offline environment. if images are from a private registry,
 you need to set `PRIVATE_REGISTRY` environment variable.
 Then we will run step(2) for registering the images to local registry.
 Step(1) can be operated with:
@@ -28,16 +29,37 @@ manage-offline-container-images.sh   register
 This script generates the list of downloaded files and the list of container images by `roles/download/defaults/main.yml` file.
-Run this script will generates three files, all downloaded files url in files.list, all container images in images.list, all component version in generate.sh.
+Run this script will execute `generate_list.yml` playbook in kubespray root directory and generate four files,
 all downloaded files url in files.list, all container images in images.list, jinja2 templates in *.template.
 ```shell
-bash generate_list.sh
+./generate_list.sh
 tree temp
 temp
 ├── files.list
-├── generate.sh
+├── files.list.template
-└── images.list
+├── images.list
-0 directories, 3 files
+└── images.list.template
 0 directories, 5 files
 ```
-In some cases you may want to update some component version, you can edit `generate.sh` file, then run `bash generate.sh | grep 'https' > files.list` to update file.list or run `bash generate.sh | grep -v 'https'> images.list` to update images.list.
+In some cases you may want to update some component version, you can declare version variables in ansible inventory file or group_vars,
 then run `./generate_list.sh -i [inventory_file]` to update file.list and images.list.
 ## manage-offline-files.sh
 This script will download all files according to `temp/files.list` and run nginx container to provide offline file download.
 Step(1) generate `files.list`
 ```shell
 ./generate_list.sh
 ```
 Step(2) download files and run nginx container
 ```shell
 ./manage-offline-files.sh
 ```
 when nginx container is running, it can be accessed through <http://127.0.0.1:8080/>.
--- a/contrib/offline/generate_list.sh
+++ b/contrib/offline/generate_list.sh
@@ -5,53 +5,29 @@ CURRENT_DIR=$(cd $(dirname $0); pwd)
 TEMP_DIR="${CURRENT_DIR}/temp"
 REPO_ROOT_DIR="${CURRENT_DIR%/contrib/offline}"
 : ${IMAGE_ARCH:="amd64"}
 : ${ANSIBLE_SYSTEM:="linux"}
 : ${ANSIBLE_ARCHITECTURE:="x86_64"}
 : ${DOWNLOAD_YML:="roles/download/defaults/main.yml"}
 : ${KUBE_VERSION_YAML:="roles/kubespray-defaults/defaults/main.yaml"}
 mkdir -p ${TEMP_DIR}
-# ARCH used in convert {%- if image_arch != 'amd64' -%}-{{ image_arch }}{%- endif -%} to {{arch}}
+# generate all download files url template
 if [ "${IMAGE_ARCH}" != "amd64" ]; then ARCH="${IMAGE_ARCH}"; fi
 cat > ${TEMP_DIR}/generate.sh << EOF
 arch=${ARCH}
 image_arch=${IMAGE_ARCH}
 ansible_system=${ANSIBLE_SYSTEM}
 ansible_architecture=${ANSIBLE_ARCHITECTURE}
 EOF
 # generate all component version by $DOWNLOAD_YML
 grep 'kube_version:' ${REPO_ROOT_DIR}/${KUBE_VERSION_YAML} \
 | sed 's/: /=/g' >> ${TEMP_DIR}/generate.sh
 grep '_version:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
 | sed 's/: /=/g;s/{{/${/g;s/}}/}/g' | tr -d ' ' >> ${TEMP_DIR}/generate.sh
 sed -i 's/kube_major_version=.*/kube_major_version=${kube_version%.*}/g' ${TEMP_DIR}/generate.sh
 sed -i 's/crictl_version=.*/crictl_version=${kube_version%.*}.0/g' ${TEMP_DIR}/generate.sh
 # generate all download files url
 grep 'download_url:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
-| sed 's/: /=/g;s/ //g;s/{{/${/g;s/}}/}/g;s/|lower//g;s/^.*_url=/echo /g' >> ${TEMP_DIR}/generate.sh
+    | sed 's/^.*_url: //g;s/\"//g' > ${TEMP_DIR}/files.list.template
-# generate all images list
+# generate all images list template
 grep -E '_repo:|_tag:' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
 | sed "s#{%- if image_arch != 'amd64' -%}-{{ image_arch }}{%- endif -%}#{{arch}}#g" \
 | sed 's/: /=/g;s/{{/${/g;s/}}/}/g' | tr -d ' ' >> ${TEMP_DIR}/generate.sh
 sed -n '/^downloads:/,/download_defaults:/p' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
-| sed -n "s/repo: //p;s/tag: //p" | tr -d ' ' | sed 's/{{/${/g;s/}}/}/g' \
+    | sed -n "s/repo: //p;s/tag: //p" | tr -d ' ' \
-| sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/^/echo /g' >> ${TEMP_DIR}/generate.sh
+    | sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/\"//g' > ${TEMP_DIR}/images.list.template
-# special handling for https://github.com/kubernetes-sigs/kubespray/pull/7570
+# add kube-* images to images list template
-sed -i 's#^coredns_image_repo=.*#coredns_image_repo=${kube_image_repo}$(if printf "%s\\n%s\\n" v1.21 ${kube_version%.*} | sort --check=quiet --version-sort; then echo -n /coredns/coredns;else echo -n /coredns; fi)#' ${TEMP_DIR}/generate.sh
+# Those container images are downloaded by kubeadm, then roles/download/defaults/main.yml
-sed -i 's#^coredns_image_tag=.*#coredns_image_tag=$(if printf "%s\\n%s\\n" v1.21 ${kube_version%.*} | sort --check=quiet --version-sort; then echo -n ${coredns_version};else echo -n ${coredns_version/v/}; fi)#' ${TEMP_DIR}/generate.sh
+# doesn't contain those images. That is reason why here needs to put those images into the
-
+# list separately.
 # add kube-* images to images list
 KUBE_IMAGES="kube-apiserver kube-controller-manager kube-scheduler kube-proxy"
-echo "${KUBE_IMAGES}" | tr ' ' '\n' | xargs -L1 -I {} \
+for i in $KUBE_IMAGES; do
-echo 'echo ${kube_image_repo}/{}:${kube_version}' >> ${TEMP_DIR}/generate.sh
+    echo "{{ kube_image_repo }}/$i:{{ kube_version }}" >> ${TEMP_DIR}/images.list.template
 done
-# print files.list and images.list
+# run ansible to expand templates
-bash ${TEMP_DIR}/generate.sh | grep 'https' | sort > ${TEMP_DIR}/files.list
+/bin/cp ${CURRENT_DIR}/generate_list.yml ${REPO_ROOT_DIR}
-bash ${TEMP_DIR}/generate.sh | grep -v 'https' | sort > ${TEMP_DIR}/images.list
+
 (cd ${REPO_ROOT_DIR} && ansible-playbook $* generate_list.yml && /bin/rm generate_list.yml) || exit 1
--- a/contrib/offline/generate_list.yml
+++ b/contrib/offline/generate_list.yml
@@ -0,0 +1,19 @@
 ---
 - hosts: localhost
  become: no
  roles:
    # Just load default variables from roles.
    - role: kubespray-defaults
      when: false
    - role: download
      when: false
  tasks:
    # Generate files.list and images.list files from templates.
    - template:
        src: ./contrib/offline/temp/{{ item }}.list.template
        dest: ./contrib/offline/temp/{{ item }}.list
      with_items:
        - files
        - images
--- a/contrib/offline/manage-offline-container-images.sh
+++ b/contrib/offline/manage-offline-container-images.sh
@@ -15,7 +15,7 @@ function create_container_image_tar() {
 	IMAGES=$(kubectl describe pods --all-namespaces | grep " Image:" | awk '{print $2}' | sort | uniq)
 	# NOTE: etcd and pause cannot be seen as pods.
 	# The pause image is used for --pod-infra-container-image option of kubelet.
-	EXT_IMAGES=$(kubectl cluster-info dump | egrep "quay.io/coreos/etcd:|k8s.gcr.io/pause:" | sed s@\"@@g)
+	EXT_IMAGES=$(kubectl cluster-info dump | egrep "quay.io/coreos/etcd:|registry.k8s.io/pause:" | sed s@\"@@g)
 	IMAGES="${IMAGES} ${EXT_IMAGES}"
 	rm -f  ${IMAGE_TAR_FILE}
@@ -46,15 +46,16 @@ function create_container_image_tar() {
 		# NOTE: Here removes the following repo parts from each image
 		# so that these parts will be replaced with Kubespray.
-		# - kube_image_repo: "k8s.gcr.io"
+		# - kube_image_repo: "registry.k8s.io"
 		# - gcr_image_repo: "gcr.io"
 		# - docker_image_repo: "docker.io"
 		# - quay_image_repo: "quay.io"
 		FIRST_PART=$(echo ${image} | awk -F"/" '{print $1}')
-		if [ "${FIRST_PART}" = "k8s.gcr.io" ] ||
+		if [ "${FIRST_PART}" = "registry.k8s.io" ] ||
 		   [ "${FIRST_PART}" = "gcr.io" ] ||
 		   [ "${FIRST_PART}" = "docker.io" ] ||
-		   [ "${FIRST_PART}" = "quay.io" ]; then
+		   [ "${FIRST_PART}" = "quay.io" ] ||
 		   [ "${FIRST_PART}" = "${PRIVATE_REGISTRY}" ]; then
 			image=$(echo ${image} | sed s@"${FIRST_PART}/"@@)
 		fi
 		echo "${FILE_NAME}  ${image}" >> ${IMAGE_LIST}
@@ -152,7 +153,8 @@ else
 	echo "(2) Deploy local container registry and register the container images to the registry."
 	echo ""
 	echo "Step(1) should be done online site as a preparation, then we bring"
-	echo "the gotten images to the target offline environment."
+	echo "the gotten images to the target offline environment. if images are from"
 	echo "a private registry, you need to set PRIVATE_REGISTRY environment variable."
 	echo "Then we will run step(2) for registering the images to local registry."
 	echo ""
 	echo "${IMAGE_TAR_FILE} is created to contain your container images."
--- a/contrib/offline/manage-offline-files.sh
+++ b/contrib/offline/manage-offline-files.sh
@@ -0,0 +1,44 @@
 #!/bin/bash
 CURRENT_DIR=$( dirname "$(readlink -f "$0")" )
 OFFLINE_FILES_DIR_NAME="offline-files"
 OFFLINE_FILES_DIR="${CURRENT_DIR}/${OFFLINE_FILES_DIR_NAME}"
 OFFLINE_FILES_ARCHIVE="${CURRENT_DIR}/offline-files.tar.gz"
 FILES_LIST=${FILES_LIST:-"${CURRENT_DIR}/temp/files.list"}
 NGINX_PORT=8080
 # download files
 if [ ! -f "${FILES_LIST}" ]; then
    echo "${FILES_LIST} should exist, run ./generate_list.sh first."
    exit 1
 fi
 rm -rf "${OFFLINE_FILES_DIR}"
 rm "${OFFLINE_FILES_ARCHIVE}"
 mkdir  "${OFFLINE_FILES_DIR}"
 wget -x -P "${OFFLINE_FILES_DIR}" -i "${FILES_LIST}"
 tar -czvf "${OFFLINE_FILES_ARCHIVE}"  "${OFFLINE_FILES_DIR_NAME}"
 [ -n "$NO_HTTP_SERVER" ] && echo "skip to run nginx" && exit 0
 # run nginx container server
 if command -v nerdctl 1>/dev/null 2>&1; then
    runtime="nerdctl"
 elif command -v podman 1>/dev/null 2>&1; then
    runtime="podman"
 elif command -v docker 1>/dev/null 2>&1; then
    runtime="docker"
 else
    echo "No supported container runtime found"
    exit 1
 fi
 sudo "${runtime}" container inspect nginx >/dev/null 2>&1
 if [ $? -ne 0 ]; then
    sudo "${runtime}" run \
        --restart=always -d -p ${NGINX_PORT}:80 \
        --volume "${OFFLINE_FILES_DIR}:/usr/share/nginx/html/download" \
        --volume "$(pwd)"/nginx.conf:/etc/nginx/nginx.conf \
        --name nginx nginx:alpine
 fi
--- a/contrib/offline/nginx.conf
+++ b/contrib/offline/nginx.conf
@@ -0,0 +1,39 @@
 user nginx;
 worker_processes auto;
 error_log /var/log/nginx/error.log;
 pid /run/nginx.pid;
 include /usr/share/nginx/modules/*.conf;
 events {
    worker_connections 1024;
 }
 http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        include /etc/nginx/default.d/*.conf;
        location / {
            root    /usr/share/nginx/html/download;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
 }
--- a/contrib/terraform/aws/README.md
+++ b/contrib/terraform/aws/README.md
@@ -36,8 +36,7 @@ terraform apply -var-file=credentials.tfvars
 ```
 - Terraform automatically creates an Ansible Inventory file called `hosts` with the created infrastructure in the directory `inventory`
- Ansible will automatically generate an ssh config file for your bastion hosts. To connect to hosts with ssh using bastion host use generated ssh-bastion.conf.
+- Ansible will automatically generate an ssh config file for your bastion hosts. To connect to hosts with ssh using bastion host use generated `ssh-bastion.conf`. Ansible automatically detects bastion and changes `ssh_args`
  Ansible automatically detects bastion and changes ssh_args  
 ```commandline
 ssh -F ./ssh-bastion.conf user@$ip
--- a/contrib/terraform/aws/create-infrastructure.tf
+++ b/contrib/terraform/aws/create-infrastructure.tf
@@ -20,20 +20,20 @@ module "aws-vpc" {
  aws_cluster_name         = var.aws_cluster_name
  aws_vpc_cidr_block       = var.aws_vpc_cidr_block
-  aws_avail_zones          = slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names))
+  aws_avail_zones          = data.aws_availability_zones.available.names
  aws_cidr_subnets_private = var.aws_cidr_subnets_private
  aws_cidr_subnets_public  = var.aws_cidr_subnets_public
  default_tags             = var.default_tags
 }
-module "aws-elb" {
+module "aws-nlb" {
-  source = "./modules/elb"
+  source = "./modules/nlb"
  aws_cluster_name      = var.aws_cluster_name
  aws_vpc_id            = module.aws-vpc.aws_vpc_id
-  aws_avail_zones       = slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names))
+  aws_avail_zones       = data.aws_availability_zones.available.names
  aws_subnet_ids_public = module.aws-vpc.aws_subnet_ids_public
-  aws_elb_api_port      = var.aws_elb_api_port
+  aws_nlb_api_port      = var.aws_nlb_api_port
  k8s_secure_api_port   = var.k8s_secure_api_port
  default_tags          = var.default_tags
 }
@@ -54,7 +54,6 @@ resource "aws_instance" "bastion-server" {
  instance_type               = var.aws_bastion_size
  count                       = var.aws_bastion_num
  associate_public_ip_address = true
  availability_zone           = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
  subnet_id                   = element(module.aws-vpc.aws_subnet_ids_public, count.index)
  vpc_security_group_ids = module.aws-vpc.aws_security_group
@@ -79,8 +78,7 @@ resource "aws_instance" "k8s-master" {
  count = var.aws_kube_master_num
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
+  subnet_id = element(module.aws-vpc.aws_subnet_ids_private, count.index)
  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
  vpc_security_group_ids = module.aws-vpc.aws_security_group
@@ -98,10 +96,10 @@ resource "aws_instance" "k8s-master" {
  }))
 }
-resource "aws_elb_attachment" "attach_master_nodes" {
+resource "aws_lb_target_group_attachment" "tg-attach_master_nodes" {
-  count    = var.aws_kube_master_num
+  count            = var.aws_kube_master_num
-  elb      = module.aws-elb.aws_elb_api_id
+  target_group_arn = module.aws-nlb.aws_nlb_api_tg_arn
-  instance = element(aws_instance.k8s-master.*.id, count.index)
+  target_id        = element(aws_instance.k8s-master.*.private_ip, count.index)
 }
 resource "aws_instance" "k8s-etcd" {
@@ -110,8 +108,7 @@ resource "aws_instance" "k8s-etcd" {
  count = var.aws_etcd_num
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
+  subnet_id = element(module.aws-vpc.aws_subnet_ids_private, count.index)
  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
  vpc_security_group_ids = module.aws-vpc.aws_security_group
@@ -134,8 +131,7 @@ resource "aws_instance" "k8s-worker" {
  count = var.aws_kube_worker_num
-  availability_zone = element(slice(data.aws_availability_zones.available.names, 0, length(var.aws_cidr_subnets_public) <= length(data.aws_availability_zones.available.names) ? length(var.aws_cidr_subnets_public) : length(data.aws_availability_zones.available.names)), count.index)
+  subnet_id = element(module.aws-vpc.aws_subnet_ids_private, count.index)
  subnet_id         = element(module.aws-vpc.aws_subnet_ids_private, count.index)
  vpc_security_group_ids = module.aws-vpc.aws_security_group
@@ -168,7 +164,7 @@ data "template_file" "inventory" {
    list_node                 = join("\n", aws_instance.k8s-worker.*.private_dns)
    connection_strings_etcd   = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-etcd.*.private_dns, aws_instance.k8s-etcd.*.private_ip))
    list_etcd                 = join("\n", ((var.aws_etcd_num > 0) ? (aws_instance.k8s-etcd.*.private_dns) : (aws_instance.k8s-master.*.private_dns)))
-    elb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-elb.aws_elb_api_fqdn}\""
+    nlb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-nlb.aws_nlb_api_fqdn}\""
  }
 }
--- a/contrib/terraform/aws/modules/elb/main.tf
+++ b/contrib/terraform/aws/modules/elb/main.tf
@@ -1,57 +0,0 @@
 resource "aws_security_group" "aws-elb" {
  name   = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
  vpc_id = var.aws_vpc_id
  tags = merge(var.default_tags, tomap({
    Name = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
  }))
 }
 resource "aws_security_group_rule" "aws-allow-api-access" {
  type              = "ingress"
  from_port         = var.aws_elb_api_port
  to_port           = var.k8s_secure_api_port
  protocol          = "TCP"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.aws-elb.id
 }
 resource "aws_security_group_rule" "aws-allow-api-egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 65535
  protocol          = "TCP"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.aws-elb.id
 }
 # Create a new AWS ELB for K8S API
 resource "aws_elb" "aws-elb-api" {
  name            = "kubernetes-elb-${var.aws_cluster_name}"
  subnets         = var.aws_subnet_ids_public
  security_groups = [aws_security_group.aws-elb.id]
  listener {
    instance_port     = var.k8s_secure_api_port
    instance_protocol = "tcp"
    lb_port           = var.aws_elb_api_port
    lb_protocol       = "tcp"
  }
  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTPS:${var.k8s_secure_api_port}/healthz"
    interval            = 30
  }
  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400
  tags = merge(var.default_tags, tomap({
    Name = "kubernetes-${var.aws_cluster_name}-elb-api"
  }))
 }
--- a/contrib/terraform/aws/modules/elb/outputs.tf
+++ b/contrib/terraform/aws/modules/elb/outputs.tf
@@ -1,7 +0,0 @@
 output "aws_elb_api_id" {
  value = aws_elb.aws-elb-api.id
 }
 output "aws_elb_api_fqdn" {
  value = aws_elb.aws-elb-api.dns_name
 }
--- a/contrib/terraform/aws/modules/nlb/main.tf
+++ b/contrib/terraform/aws/modules/nlb/main.tf
@@ -0,0 +1,41 @@
 # Create a new AWS NLB for K8S API
 resource "aws_lb" "aws-nlb-api" {
  name                             = "kubernetes-nlb-${var.aws_cluster_name}"
  load_balancer_type               = "network"
  subnets                          = length(var.aws_subnet_ids_public) <= length(var.aws_avail_zones) ? var.aws_subnet_ids_public : slice(var.aws_subnet_ids_public, 0, length(var.aws_avail_zones))
  idle_timeout                     = 400
  enable_cross_zone_load_balancing = true
  tags = merge(var.default_tags, tomap({
    Name = "kubernetes-${var.aws_cluster_name}-nlb-api"
  }))
 }
 # Create a new AWS NLB Instance Target Group
 resource "aws_lb_target_group" "aws-nlb-api-tg" {
  name        = "kubernetes-nlb-tg-${var.aws_cluster_name}"
  port        = var.k8s_secure_api_port
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.aws_vpc_id
  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    interval            = 30
    protocol            = "HTTPS"
    path                = "/healthz"
  }
 }
 # Create a new AWS NLB Listener listen to target group
 resource "aws_lb_listener" "aws-nlb-api-listener" {
  load_balancer_arn = aws_lb.aws-nlb-api.arn
  port              = var.aws_nlb_api_port
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.aws-nlb-api-tg.arn
  }
 }
--- a/contrib/terraform/aws/modules/nlb/outputs.tf
+++ b/contrib/terraform/aws/modules/nlb/outputs.tf
@@ -0,0 +1,11 @@
 output "aws_nlb_api_id" {
  value = aws_lb.aws-nlb-api.id
 }
 output "aws_nlb_api_fqdn" {
  value = aws_lb.aws-nlb-api.dns_name
 }
 output "aws_nlb_api_tg_arn" {
  value = aws_lb_target_group.aws-nlb-api-tg.arn
 }
--- a/contrib/terraform/aws/modules/nlb/variables.tf
+++ b/contrib/terraform/aws/modules/nlb/variables.tf
@@ -6,8 +6,8 @@ variable "aws_vpc_id" {
  description = "AWS VPC ID"
 }
-variable "aws_elb_api_port" {
+variable "aws_nlb_api_port" {
-  description = "Port for AWS ELB"
+  description = "Port for AWS NLB"
 }
 variable "k8s_secure_api_port" {
--- a/contrib/terraform/aws/modules/vpc/main.tf
+++ b/contrib/terraform/aws/modules/vpc/main.tf
@@ -25,13 +25,14 @@ resource "aws_internet_gateway" "cluster-vpc-internetgw" {
 resource "aws_subnet" "cluster-vpc-subnets-public" {
  vpc_id            = aws_vpc.cluster-vpc.id
-  count             = length(var.aws_avail_zones)
+  count             = length(var.aws_cidr_subnets_public)
-  availability_zone = element(var.aws_avail_zones, count.index)
+  availability_zone = element(var.aws_avail_zones, count.index % length(var.aws_avail_zones))
  cidr_block        = element(var.aws_cidr_subnets_public, count.index)
  tags = merge(var.default_tags, tomap({
    Name = "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-public"
-    "kubernetes.io/cluster/${var.aws_cluster_name}" = "member"
+    "kubernetes.io/cluster/${var.aws_cluster_name}" = "shared"
    "kubernetes.io/role/elb" = "1"
  }))
 }
@@ -43,12 +44,14 @@ resource "aws_nat_gateway" "cluster-nat-gateway" {
 resource "aws_subnet" "cluster-vpc-subnets-private" {
  vpc_id            = aws_vpc.cluster-vpc.id
-  count             = length(var.aws_avail_zones)
+  count             = length(var.aws_cidr_subnets_private)
-  availability_zone = element(var.aws_avail_zones, count.index)
+  availability_zone = element(var.aws_avail_zones, count.index % length(var.aws_avail_zones))
  cidr_block        = element(var.aws_cidr_subnets_private, count.index)
  tags = merge(var.default_tags, tomap({
    Name = "kubernetes-${var.aws_cluster_name}-${element(var.aws_avail_zones, count.index)}-private"
    "kubernetes.io/cluster/${var.aws_cluster_name}" = "shared"
    "kubernetes.io/role/internal-elb" = "1"
  }))
 }
--- a/contrib/terraform/aws/output.tf
+++ b/contrib/terraform/aws/output.tf
@@ -14,8 +14,8 @@ output "etcd" {
  value = join("\n", ((var.aws_etcd_num > 0) ? (aws_instance.k8s-etcd.*.private_ip) : (aws_instance.k8s-master.*.private_ip)))
 }
-output "aws_elb_api_fqdn" {
+output "aws_nlb_api_fqdn" {
-  value = "${module.aws-elb.aws_elb_api_fqdn}:${var.aws_elb_api_port}"
+  value = "${module.aws-nlb.aws_nlb_api_fqdn}:${var.aws_nlb_api_port}"
 }
 output "inventory" {
--- a/contrib/terraform/aws/sample-inventory/cluster.tfvars
+++ b/contrib/terraform/aws/sample-inventory/cluster.tfvars
@@ -33,9 +33,9 @@ aws_kube_worker_size = "t2.medium"
 aws_kube_worker_disk_size = 50
-#Settings AWS ELB
+#Settings AWS NLB
-aws_elb_api_port = 6443
+aws_nlb_api_port = 6443
 k8s_secure_api_port = 6443
--- a/contrib/terraform/aws/templates/inventory.tpl
+++ b/contrib/terraform/aws/templates/inventory.tpl
@@ -24,4 +24,4 @@ kube_control_plane
 calico_rr
 [k8s_cluster:vars]
-${elb_api_fqdn}
+${nlb_api_fqdn}
--- a/contrib/terraform/aws/terraform.tfvars
+++ b/contrib/terraform/aws/terraform.tfvars
@@ -32,7 +32,7 @@ aws_kube_worker_size      = "t3.medium"
 aws_kube_worker_disk_size = 50
 #Settings AWS ELB
-aws_elb_api_port    = 6443
+aws_nlb_api_port    = 6443
 k8s_secure_api_port = 6443
 default_tags = {
--- a/contrib/terraform/aws/terraform.tfvars.example
+++ b/contrib/terraform/aws/terraform.tfvars.example
@@ -25,7 +25,7 @@ aws_kube_worker_size = "t3.medium"
 aws_kube_worker_disk_size = 50
 #Settings AWS ELB
-aws_elb_api_port = 6443
+aws_nlb_api_port = 6443
 k8s_secure_api_port = 6443
 default_tags = { }
--- a/contrib/terraform/aws/variables.tf
+++ b/contrib/terraform/aws/variables.tf
@@ -104,11 +104,11 @@ variable "aws_kube_worker_size" {
 }
 /*
-* AWS ELB Settings
+* AWS NLB Settings
 *
 */
-variable "aws_elb_api_port" {
+variable "aws_nlb_api_port" {
-  description = "Port for AWS ELB"
+  description = "Port for AWS NLB"
 }
 variable "k8s_secure_api_port" {
--- a/contrib/terraform/equinix/README.md
+++ b/contrib/terraform/equinix/README.md
@@ -12,7 +12,7 @@ This will install a Kubernetes cluster on Equinix Metal. It should work in all l
 The terraform configuration inspects variables found in
 [variables.tf](variables.tf) to create resources in your Equinix Metal project.
 There is a [python script](../terraform.py) that reads the generated`.tfstate`
-file to generate a dynamic inventory that is consumed by [cluster.yml](../../..//cluster.yml)
+file to generate a dynamic inventory that is consumed by [cluster.yml](../../../cluster.yml)
 to actually install Kubernetes with Kubespray.
 ### Kubernetes Nodes
@@ -35,7 +35,7 @@ now six total etcd replicas.
 ## Requirements
 - [Install Terraform](https://www.terraform.io/intro/getting-started/install.html)
- Install dependencies: `sudo pip install -r requirements.txt`
+- [Install Ansible dependencies](/docs/ansible.md#installing-ansible)
 - Account with Equinix Metal
 - An SSH key pair
@@ -60,16 +60,16 @@ Terraform will be used to provision all of the Equinix Metal resources with base
 Create an inventory directory for your cluster by copying the existing sample and linking the `hosts` script (used to build the inventory based on Terraform state):
 ```ShellSession
-cp -LRp contrib/terraform/packet/sample-inventory inventory/$CLUSTER
+cp -LRp contrib/terraform/equinix/sample-inventory inventory/$CLUSTER
 cd inventory/$CLUSTER
-ln -s ../../contrib/terraform/packet/hosts
+ln -s ../../contrib/terraform/equinix/hosts
 ```
 This will be the base for subsequent Terraform commands.
 #### Equinix Metal API access
-Your Equinix Metal API key must be available in the `PACKET_AUTH_TOKEN` environment variable.
+Your Equinix Metal API key must be available in the `METAL_AUTH_TOKEN` environment variable.
 This key is typically stored outside of the code repo since it is considered secret.
 If someone gets this key, they can startup/shutdown hosts in your project!
@@ -80,10 +80,12 @@ The Equinix Metal Project ID associated with the key will be set later in `clust
 For more information about the API, please see [Equinix Metal API](https://metal.equinix.com/developers/api/).
 For more information about terraform provider authentication, please see [the equinix provider documentation](https://registry.terraform.io/providers/equinix/equinix/latest/docs).
 Example:
 ```ShellSession
-export PACKET_AUTH_TOKEN="Example-API-Token"
+export METAL_AUTH_TOKEN="Example-API-Token"
 ```
 Note that to deploy several clusters within the same project you need to use [terraform workspace](https://www.terraform.io/docs/state/workspaces.html#using-workspaces).
@@ -101,7 +103,7 @@ This helps when identifying which hosts are associated with each cluster.
 While the defaults in variables.tf will successfully deploy a cluster, it is recommended to set the following values:
 - cluster_name = the name of the inventory directory created above as $CLUSTER
- packet_project_id = the Equinix Metal Project ID associated with the Equinix Metal API token above
+- equinix_metal_project_id = the Equinix Metal Project ID associated with the Equinix Metal API token above
 #### Enable localhost access
@@ -119,12 +121,13 @@ Once the Kubespray playbooks are run, a Kubernetes configuration file will be wr
 In the cluster's inventory folder, the following files might be created (either by Terraform
 or manually), to prevent you from pushing them accidentally they are in a
-`.gitignore` file in the `terraform/packet` directory :
+`.gitignore` file in the `contrib/terraform/equinix` directory :
 - `.terraform`
 - `.tfvars`
 - `.tfstate`
 - `.tfstate.backup`
 - `.lock.hcl`
 You can still add them manually if you want to.
@@ -135,7 +138,7 @@ plugins. This is accomplished as follows:
 ```ShellSession
 cd inventory/$CLUSTER
-terraform init ../../contrib/terraform/packet
+terraform -chdir=../../contrib/terraform/metal init -var-file=cluster.tfvars
 ```
 This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
@@ -146,7 +149,7 @@ You can apply the Terraform configuration to your cluster with the following com
 issued from your cluster's inventory directory (`inventory/$CLUSTER`):
 ```ShellSession
-terraform apply -var-file=cluster.tfvars ../../contrib/terraform/packet
+terraform -chdir=../../contrib/terraform/equinix apply -var-file=cluster.tfvars
 export ANSIBLE_HOST_KEY_CHECKING=False
 ansible-playbook -i hosts ../../cluster.yml
 ```
@@ -156,7 +159,7 @@ ansible-playbook -i hosts ../../cluster.yml
 You can destroy your new cluster with the following command issued from the cluster's inventory directory:
 ```ShellSession
-terraform destroy -var-file=cluster.tfvars ../../contrib/terraform/packet
+terraform -chdir=../../contrib/terraform/equinix destroy -var-file=cluster.tfvars
 ```
 If you've started the Ansible run, it may also be a good idea to do some manual cleanup:
--- a/contrib/terraform/equinix/hosts
+++ b/contrib/terraform/equinix/hosts
--- a/contrib/terraform/equinix/kubespray.tf
+++ b/contrib/terraform/equinix/kubespray.tf
@@ -1,63 +1,57 @@
-# Configure the Equinix Metal Provider
+resource "equinix_metal_ssh_key" "k8s" {
 provider "packet" {
  version = "~> 2.0"
 }
 resource "packet_ssh_key" "k8s" {
  count      = var.public_key_path != "" ? 1 : 0
  name       = "kubernetes-${var.cluster_name}"
  public_key = chomp(file(var.public_key_path))
 }
-resource "packet_device" "k8s_master" {
+resource "equinix_metal_device" "k8s_master" {
-  depends_on = [packet_ssh_key.k8s]
+  depends_on = [equinix_metal_ssh_key.k8s]
  count            = var.number_of_k8s_masters
  hostname         = "${var.cluster_name}-k8s-master-${count.index + 1}"
  plan             = var.plan_k8s_masters
-  facilities       = [var.facility]
+  metro            = var.metro
  operating_system = var.operating_system
  billing_cycle    = var.billing_cycle
-  project_id       = var.packet_project_id
+  project_id       = var.equinix_metal_project_id
  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_control_plane", "etcd", "kube_node"]
 }
-resource "packet_device" "k8s_master_no_etcd" {
+resource "equinix_metal_device" "k8s_master_no_etcd" {
-  depends_on = [packet_ssh_key.k8s]
+  depends_on = [equinix_metal_ssh_key.k8s]
  count            = var.number_of_k8s_masters_no_etcd
  hostname         = "${var.cluster_name}-k8s-master-${count.index + 1}"
  plan             = var.plan_k8s_masters_no_etcd
-  facilities       = [var.facility]
+  metro            = var.metro
  operating_system = var.operating_system
  billing_cycle    = var.billing_cycle
-  project_id       = var.packet_project_id
+  project_id       = var.equinix_metal_project_id
  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_control_plane"]
 }
-resource "packet_device" "k8s_etcd" {
+resource "equinix_metal_device" "k8s_etcd" {
-  depends_on = [packet_ssh_key.k8s]
+  depends_on = [equinix_metal_ssh_key.k8s]
  count            = var.number_of_etcd
  hostname         = "${var.cluster_name}-etcd-${count.index + 1}"
  plan             = var.plan_etcd
-  facilities       = [var.facility]
+  metro            = var.metro
  operating_system = var.operating_system
  billing_cycle    = var.billing_cycle
-  project_id       = var.packet_project_id
+  project_id       = var.equinix_metal_project_id
  tags             = ["cluster-${var.cluster_name}", "etcd"]
 }
-resource "packet_device" "k8s_node" {
+resource "equinix_metal_device" "k8s_node" {
-  depends_on = [packet_ssh_key.k8s]
+  depends_on = [equinix_metal_ssh_key.k8s]
  count            = var.number_of_k8s_nodes
  hostname         = "${var.cluster_name}-k8s-node-${count.index + 1}"
  plan             = var.plan_k8s_nodes
-  facilities       = [var.facility]
+  metro            = var.metro
  operating_system = var.operating_system
  billing_cycle    = var.billing_cycle
-  project_id       = var.packet_project_id
+  project_id       = var.equinix_metal_project_id
  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_node"]
 }
--- a/contrib/terraform/equinix/output.tf
+++ b/contrib/terraform/equinix/output.tf
@@ -0,0 +1,15 @@
 output "k8s_masters" {
  value = equinix_metal_device.k8s_master.*.access_public_ipv4
 }
 output "k8s_masters_no_etc" {
  value = equinix_metal_device.k8s_master_no_etcd.*.access_public_ipv4
 }
 output "k8s_etcds" {
  value = equinix_metal_device.k8s_etcd.*.access_public_ipv4
 }
 output "k8s_nodes" {
  value = equinix_metal_device.k8s_node.*.access_public_ipv4
 }
--- a/contrib/terraform/equinix/provider.tf
+++ b/contrib/terraform/equinix/provider.tf
@@ -0,0 +1,17 @@
 terraform {
  required_version = ">= 1.0.0"
  provider_meta "equinix" {
    module_name = "kubespray"
  }
  required_providers {
    equinix = {
      source  = "equinix/equinix"
      version = "~> 1.14"
    }
  }
 }
 # Configure the Equinix Metal Provider
 provider "equinix" {
 }
--- a/contrib/terraform/equinix/sample-inventory/cluster.tfvars
+++ b/contrib/terraform/equinix/sample-inventory/cluster.tfvars
@@ -1,16 +1,19 @@
 # your Kubernetes cluster name here
 cluster_name = "mycluster"
-# Your Equinix Metal project ID. See hhttps://metal.equinix.com/developers/docs/accounts/
+# Your Equinix Metal project ID. See https://metal.equinix.com/developers/docs/accounts/
-packet_project_id = "Example-API-Token"
+equinix_metal_project_id = "Example-Project-Id"
 # The public SSH key to be uploaded into authorized_keys in bare metal Equinix Metal nodes provisioned
 # leave this value blank if the public key is already setup in the Equinix Metal project
 # Terraform will complain if the public key is setup in Equinix Metal
 public_key_path = "~/.ssh/id_rsa.pub"
-# cluster location
+# Equinix interconnected bare metal across our global metros.
-facility = "ewr1"
+metro = "da"
 # operating_system
 operating_system = "ubuntu_22_04"
 # standalone etcds
 number_of_etcd = 0
--- a/contrib/terraform/equinix/sample-inventory/group_vars
+++ b/contrib/terraform/equinix/sample-inventory/group_vars
--- a/contrib/terraform/equinix/variables.tf
+++ b/contrib/terraform/equinix/variables.tf
@@ -2,12 +2,12 @@ variable "cluster_name" {
  default = "kubespray"
 }
-variable "packet_project_id" {
+variable "equinix_metal_project_id" {
  description = "Your Equinix Metal project ID. See https://metal.equinix.com/developers/docs/accounts/"
 }
 variable "operating_system" {
-  default = "ubuntu_16_04"
+  default = "ubuntu_22_04"
 }
 variable "public_key_path" {
@@ -19,28 +19,28 @@ variable "billing_cycle" {
  default = "hourly"
 }
-variable "facility" {
+variable "metro" {
-  default = "dfw2"
+  default = "da"
 }
 variable "plan_k8s_masters" {
-  default = "c2.medium.x86"
+  default = "c3.small.x86"
 }
 variable "plan_k8s_masters_no_etcd" {
-  default = "c2.medium.x86"
+  default = "c3.small.x86"
 }
 variable "plan_etcd" {
-  default = "c2.medium.x86"
+  default = "c3.small.x86"
 }
 variable "plan_k8s_nodes" {
-  default = "c2.medium.x86"
+  default = "c3.medium.x86"
 }
 variable "number_of_k8s_masters" {
-  default = 0
+  default = 1
 }
 variable "number_of_k8s_masters_no_etcd" {
@@ -52,6 +52,5 @@ variable "number_of_etcd" {
 }
 variable "number_of_k8s_nodes" {
-  default = 0
+  default = 1
 }
--- a/contrib/terraform/exoscale/README.md
+++ b/contrib/terraform/exoscale/README.md
@@ -31,9 +31,7 @@ The setup looks like following
 ## Requirements
-* Terraform 0.13.0 or newer
+* Terraform 0.13.0 or newer (0.12 also works if you modify the provider block to include version and remove all `versions.tf` files)
 *0.12 also works if you modify the provider block to include version and remove all `versions.tf` files*
 ## Quickstart
--- a/contrib/terraform/exoscale/main.tf
+++ b/contrib/terraform/exoscale/main.tf
@@ -3,8 +3,8 @@ provider "exoscale" {}
 module "kubernetes" {
  source = "./modules/kubernetes-cluster"
-  prefix = var.prefix
+  prefix   = var.prefix
-
+  zone     = var.zone
  machines = var.machines
  ssh_public_keys = var.ssh_public_keys
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@@ -74,14 +74,28 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 * `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
 * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
 * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
 * `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
 * `extra_ingress_firewalls`: Additional ingress firewall rules. Key will be used as the name of the rule
  * `source_ranges`: List of IP ranges (CIDR). Example: `["8.8.8.8"]`
  * `protocol`: Protocol. Example `"tcp"`
  * `ports`: List of ports, as string. Example `["53"]`
  * `target_tags`: List of target tag (either the machine name or `control-plane` or `worker`). Example: `["control-plane", "worker-0"]`
 ### Optional
 * `prefix`: Prefix to use for all resources, required to be unique for all clusters in the same project *(Defaults to `default`)*
-* `master_sa_email`: Service account email to use for the master nodes *(Defaults to `""`, auto generate one)*
+* `master_sa_email`: Service account email to use for the control plane nodes *(Defaults to `""`, auto generate one)*
-* `master_sa_scopes`: Service account email to use for the master nodes *(Defaults to `["https://www.googleapis.com/auth/cloud-platform"]`)*
+* `master_sa_scopes`: Service account email to use for the control plane nodes *(Defaults to `["https://www.googleapis.com/auth/cloud-platform"]`)*
 * `master_preemptible`: Enable [preemptible](https://cloud.google.com/compute/docs/instances/preemptible)
  for the control plane nodes *(Defaults to `false`)*
 * `master_additional_disk_type`: [Disk type](https://cloud.google.com/compute/docs/disks/#disk-types)
  for extra disks added on the control plane nodes *(Defaults to `"pd-ssd"`)*
 * `worker_sa_email`: Service account email to use for the worker nodes *(Defaults to `""`, auto generate one)*
 * `worker_sa_scopes`: Service account email to use for the worker nodes *(Defaults to `["https://www.googleapis.com/auth/cloud-platform"]`)*
 * `worker_preemptible`: Enable [preemptible](https://cloud.google.com/compute/docs/instances/preemptible)
  for the worker nodes *(Defaults to `false`)*
 * `worker_additional_disk_type`: [Disk type](https://cloud.google.com/compute/docs/disks/#disk-types)
  for extra disks added on the worker nodes *(Defaults to `"pd-ssd"`)*
 An example variables file can be found `tfvars.json`
--- a/contrib/terraform/gcp/main.tf
+++ b/contrib/terraform/gcp/main.tf
@@ -1,8 +1,16 @@
 terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
 }
 provider "google" {
  credentials = file(var.keyfile_location)
  region      = var.region
  project     = var.gcp_project_id
  version     = "~> 3.48"
 }
 module "kubernetes" {
@@ -13,12 +21,19 @@ module "kubernetes" {
  machines    = var.machines
  ssh_pub_key = var.ssh_pub_key
-  master_sa_email  = var.master_sa_email
+  master_sa_email    = var.master_sa_email
-  master_sa_scopes = var.master_sa_scopes
+  master_sa_scopes   = var.master_sa_scopes
-  worker_sa_email  = var.worker_sa_email
+  master_preemptible = var.master_preemptible
-  worker_sa_scopes = var.worker_sa_scopes
+  master_additional_disk_type = var.master_additional_disk_type
  worker_sa_email    = var.worker_sa_email
  worker_sa_scopes   = var.worker_sa_scopes
  worker_preemptible = var.worker_preemptible
  worker_additional_disk_type = var.worker_additional_disk_type
  ssh_whitelist        = var.ssh_whitelist
  api_server_whitelist = var.api_server_whitelist
  nodeport_whitelist   = var.nodeport_whitelist
  ingress_whitelist    = var.ingress_whitelist
  extra_ingress_firewalls = var.extra_ingress_firewalls
 }
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
@@ -5,6 +5,8 @@
 resource "google_compute_network" "main" {
  name = "${var.prefix}-network"
  auto_create_subnetworks = false
 }
 resource "google_compute_subnetwork" "main" {
@@ -20,6 +22,8 @@ resource "google_compute_firewall" "deny_all" {
  priority = 1000
  source_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
@@ -39,6 +43,8 @@ resource "google_compute_firewall" "allow_internal" {
 }
 resource "google_compute_firewall" "ssh" {
  count = length(var.ssh_whitelist) > 0 ? 1 : 0
  name    = "${var.prefix}-ssh-firewall"
  network = google_compute_network.main.name
@@ -53,6 +59,8 @@ resource "google_compute_firewall" "ssh" {
 }
 resource "google_compute_firewall" "api_server" {
  count = length(var.api_server_whitelist) > 0 ? 1 : 0
  name    = "${var.prefix}-api-server-firewall"
  network = google_compute_network.main.name
@@ -67,6 +75,8 @@ resource "google_compute_firewall" "api_server" {
 }
 resource "google_compute_firewall" "nodeport" {
  count = length(var.nodeport_whitelist) > 0 ? 1 : 0
  name    = "${var.prefix}-nodeport-firewall"
  network = google_compute_network.main.name
@@ -81,11 +91,15 @@ resource "google_compute_firewall" "nodeport" {
 }
 resource "google_compute_firewall" "ingress_http" {
  count = length(var.ingress_whitelist) > 0 ? 1 : 0
  name    = "${var.prefix}-http-ingress-firewall"
  network = google_compute_network.main.name
  priority = 100
  source_ranges = var.ingress_whitelist
  allow {
    protocol = "tcp"
    ports    = ["80"]
@@ -93,11 +107,15 @@ resource "google_compute_firewall" "ingress_http" {
 }
 resource "google_compute_firewall" "ingress_https" {
  count = length(var.ingress_whitelist) > 0 ? 1 : 0
  name    = "${var.prefix}-https-ingress-firewall"
  network = google_compute_network.main.name
  priority = 100
  source_ranges = var.ingress_whitelist
  allow {
    protocol = "tcp"
    ports    = ["443"]
@@ -173,7 +191,7 @@ resource "google_compute_disk" "master" {
   }
  name = "${var.prefix}-${each.key}"
-  type = "pd-ssd"
+  type = var.master_additional_disk_type
  zone = each.value.machine.zone
  size = each.value.disk_size
@@ -201,7 +219,7 @@ resource "google_compute_instance" "master" {
  machine_type = each.value.size
  zone         = each.value.zone
-  tags = ["master"]
+  tags = ["control-plane", "master", each.key]
  boot_disk {
    initialize_params {
@@ -229,19 +247,28 @@ resource "google_compute_instance" "master" {
  # Since we use google_compute_attached_disk we need to ignore this
  lifecycle {
-    ignore_changes = ["attached_disk"]
+    ignore_changes = [attached_disk]
  }
  scheduling {
    preemptible = var.master_preemptible
    automatic_restart = !var.master_preemptible
  }
 }
 resource "google_compute_forwarding_rule" "master_lb" {
  count = length(var.api_server_whitelist) > 0 ? 1 : 0
  name = "${var.prefix}-master-lb-forward-rule"
  port_range = "6443"
-  target = google_compute_target_pool.master_lb.id
+  target = google_compute_target_pool.master_lb[count.index].id
 }
 resource "google_compute_target_pool" "master_lb" {
  count = length(var.api_server_whitelist) > 0 ? 1 : 0
  name      = "${var.prefix}-master-lb-pool"
  instances = local.master_target_list
 }
@@ -258,7 +285,7 @@ resource "google_compute_disk" "worker" {
   }
  name = "${var.prefix}-${each.key}"
-  type = "pd-ssd"
+  type = var.worker_additional_disk_type
  zone = each.value.machine.zone
  size = each.value.disk_size
@@ -298,7 +325,7 @@ resource "google_compute_instance" "worker" {
  machine_type = each.value.size
  zone         = each.value.zone
-  tags = ["worker"]
+  tags = ["worker", each.key]
  boot_disk {
    initialize_params {
@@ -326,35 +353,69 @@ resource "google_compute_instance" "worker" {
  # Since we use google_compute_attached_disk we need to ignore this
  lifecycle {
-    ignore_changes = ["attached_disk"]
+    ignore_changes = [attached_disk]
  }
  scheduling {
    preemptible = var.worker_preemptible
    automatic_restart = !var.worker_preemptible
  }
 }
 resource "google_compute_address" "worker_lb" {
  count = length(var.ingress_whitelist) > 0 ? 1 : 0
  name         = "${var.prefix}-worker-lb-address"
  address_type = "EXTERNAL"
  region       = var.region
 }
 resource "google_compute_forwarding_rule" "worker_http_lb" {
  count = length(var.ingress_whitelist) > 0 ? 1 : 0
  name = "${var.prefix}-worker-http-lb-forward-rule"
-  ip_address = google_compute_address.worker_lb.address
+  ip_address = google_compute_address.worker_lb[count.index].address
  port_range = "80"
-  target = google_compute_target_pool.worker_lb.id
+  target = google_compute_target_pool.worker_lb[count.index].id
 }
 resource "google_compute_forwarding_rule" "worker_https_lb" {
  count = length(var.ingress_whitelist) > 0 ? 1 : 0
  name = "${var.prefix}-worker-https-lb-forward-rule"
-  ip_address = google_compute_address.worker_lb.address
+  ip_address = google_compute_address.worker_lb[count.index].address
  port_range = "443"
-  target = google_compute_target_pool.worker_lb.id
+  target = google_compute_target_pool.worker_lb[count.index].id
 }
 resource "google_compute_target_pool" "worker_lb" {
  count = length(var.ingress_whitelist) > 0 ? 1 : 0
  name      = "${var.prefix}-worker-lb-pool"
  instances = local.worker_target_list
 }
 resource "google_compute_firewall" "extra_ingress_firewall" {
  for_each = {
    for name, firewall in var.extra_ingress_firewalls :
    name => firewall
  }
  name    = "${var.prefix}-${each.key}-ingress"
  network = google_compute_network.main.name
  priority = 100
  source_ranges = each.value.source_ranges
  target_tags = each.value.target_tags
  allow {
    protocol = each.value.protocol
    ports    = each.value.ports
  }
 }
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf
@@ -19,9 +19,9 @@ output "worker_ip_addresses" {
 }
 output "ingress_controller_lb_ip_address" {
-  value = google_compute_address.worker_lb.address
+  value = length(var.ingress_whitelist) > 0 ? google_compute_address.worker_lb.0.address : ""
 }
 output "control_plane_lb_ip_address" {
-  value = google_compute_forwarding_rule.master_lb.ip_address
+  value = length(var.api_server_whitelist) > 0 ? google_compute_forwarding_rule.master_lb.0.ip_address : ""
 }
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
@@ -14,7 +14,7 @@ variable "machines" {
    }))
    boot_disk = object({
      image_name = string
-      size = number
+      size       = number
    })
  }))
 }
@@ -27,6 +27,14 @@ variable "master_sa_scopes" {
  type = list(string)
 }
 variable "master_preemptible" {
  type = bool
 }
 variable "master_additional_disk_type" {
  type = string
 }
 variable "worker_sa_email" {
  type = string
 }
@@ -35,6 +43,14 @@ variable "worker_sa_scopes" {
  type = list(string)
 }
 variable "worker_preemptible" {
  type = bool
 }
 variable "worker_additional_disk_type" {
  type = string
 }
 variable "ssh_pub_key" {}
 variable "ssh_whitelist" {
@@ -49,6 +65,22 @@ variable "nodeport_whitelist" {
  type = list(string)
 }
 variable "ingress_whitelist" {
  type = list(string)
  default = ["0.0.0.0/0"]
 }
 variable "private_network_cidr" {
  default = "10.0.10.0/24"
 }
 variable "extra_ingress_firewalls" {
  type = map(object({
    source_ranges = set(string)
    protocol      = string
    ports         = list(string)
    target_tags   = set(string)
  }))
  default = {}
 }
--- a/contrib/terraform/gcp/tfvars.json
+++ b/contrib/terraform/gcp/tfvars.json
@@ -16,6 +16,9 @@
  "nodeport_whitelist": [
    "1.2.3.4/32"
  ],
  "ingress_whitelist": [
    "0.0.0.0/0"
  ],
  "machines": {
    "master-0": {
@@ -24,7 +27,7 @@
      "zone": "us-central1-a",
      "additional_disks": {},
      "boot_disk": {
-        "image_name": "ubuntu-os-cloud/ubuntu-1804-bionic-v20201116",
+        "image_name": "ubuntu-os-cloud/ubuntu-2004-focal-v20220118",
        "size": 50
      }
    },
@@ -38,7 +41,7 @@
        }
      },
      "boot_disk": {
-        "image_name": "ubuntu-os-cloud/ubuntu-1804-bionic-v20201116",
+        "image_name": "ubuntu-os-cloud/ubuntu-2004-focal-v20220118",
        "size": 50
      }
    },
@@ -52,7 +55,7 @@
        }
      },
      "boot_disk": {
-        "image_name": "ubuntu-os-cloud/ubuntu-1804-bionic-v20201116",
+        "image_name": "ubuntu-os-cloud/ubuntu-2004-focal-v20220118",
        "size": 50
      }
    }
--- a/contrib/terraform/gcp/variables.tf
+++ b/contrib/terraform/gcp/variables.tf
@@ -44,6 +44,16 @@ variable "master_sa_scopes" {
  default = ["https://www.googleapis.com/auth/cloud-platform"]
 }
 variable "master_preemptible" {
  type    = bool
  default = false
 }
 variable "master_additional_disk_type" {
  type = string
  default = "pd-ssd"
 }
 variable "worker_sa_email" {
  type    = string
  default = ""
@@ -54,6 +64,16 @@ variable "worker_sa_scopes" {
  default = ["https://www.googleapis.com/auth/cloud-platform"]
 }
 variable "worker_preemptible" {
  type    = bool
  default = false
 }
 variable "worker_additional_disk_type" {
  type = string
  default = "pd-ssd"
 }
 variable ssh_pub_key {
  description = "Path to public SSH key file which is injected into the VMs."
  type        = string
@@ -70,3 +90,19 @@ variable api_server_whitelist {
 variable nodeport_whitelist {
  type = list(string)
 }
 variable "ingress_whitelist" {
  type = list(string)
  default = ["0.0.0.0/0"]
 }
 variable "extra_ingress_firewalls" {
  type = map(object({
    source_ranges = set(string)
    protocol      = string
    ports         = list(string)
    target_tags   = set(string)
  }))
  default = {}
 }
--- a/contrib/terraform/hetzner/README.md
+++ b/contrib/terraform/hetzner/README.md
@@ -56,11 +56,24 @@ cd inventory/$CLUSTER
 Edit `default.tfvars` to match your requirement.
 Flatcar Container Linux instead of the basic Hetzner Images.
 ```bash
 cd ../../contrib/terraform/hetzner
 ```
 Edit `main.tf` and reactivate the module `source = "./modules/kubernetes-cluster-flatcar"`and
 comment out the `#source = "./modules/kubernetes-cluster"`.
 activate `ssh_private_key_path = var.ssh_private_key_path`. The VM boots into
 Rescue-Mode with the selected image of the `var.machines` but installs Flatcar instead.
 Run Terraform to create the infrastructure.
 ```bash
-terraform init ../../contrib/terraform/hetzner
+cd ./kubespray
-terraform apply --var-file default.tfvars ../../contrib/terraform/hetzner/
+terraform -chdir=./contrib/terraform/hetzner/ init
 terraform -chdir=./contrib/terraform/hetzner/ apply --var-file=../../../inventory/$CLUSTER/default.tfvars
 ```
 You should now have a inventory file named `inventory.ini` that you can use with kubespray.
@@ -97,6 +110,7 @@ terraform destroy --var-file default.tfvars ../../contrib/terraform/hetzner
 * `prefix`: Prefix to add to all resources, if set to "" don't set any prefix
 * `ssh_public_keys`: List of public SSH keys to install on all machines
 * `zone`: The zone where to run the cluster
 * `network_zone`: the network zone where the cluster is running
 * `machines`: Machines to provision. Key of this object will be used as the name of the machine
  * `node_type`: The role of this node *(master|worker)*
  * `size`: Size of the VM
--- a/contrib/terraform/hetzner/default.tfvars
+++ b/contrib/terraform/hetzner/default.tfvars
@@ -1,6 +1,6 @@
-prefix = "default"
+prefix         = "default"
-zone   = "hel1"
+zone           = "hel1"
-
+network_zone   = "eu-central"
 inventory_file = "inventory.ini"
 ssh_public_keys = [
@@ -9,21 +9,23 @@ ssh_public_keys = [
  "ssh-rsa I-did-not-read-the-docs 2",
 ]
 ssh_private_key_path = "~/.ssh/id_rsa"
 machines = {
  "master-0" : {
    "node_type" : "master",
    "size" : "cx21",
-    "image" : "ubuntu-20.04",
+    "image" : "ubuntu-22.04",
  },
  "worker-0" : {
    "node_type" : "worker",
    "size" : "cx21",
-    "image" : "ubuntu-20.04",
+    "image" : "ubuntu-22.04",
  },
  "worker-1" : {
    "node_type" : "worker",
    "size" : "cx21",
-    "image" : "ubuntu-20.04",
+    "image" : "ubuntu-22.04",
  }
 }
--- a/contrib/terraform/hetzner/main.tf
+++ b/contrib/terraform/hetzner/main.tf
@@ -2,6 +2,7 @@ provider "hcloud" {}
 module "kubernetes" {
  source = "./modules/kubernetes-cluster"
  # source = "./modules/kubernetes-cluster-flatcar"
  prefix = var.prefix
@@ -9,7 +10,11 @@ module "kubernetes" {
  machines = var.machines
  #only for flatcar
  #ssh_private_key_path = var.ssh_private_key_path
  ssh_public_keys = var.ssh_public_keys
  network_zone    = var.network_zone
  ssh_whitelist        = var.ssh_whitelist
  api_server_whitelist = var.api_server_whitelist
@@ -21,31 +26,32 @@ module "kubernetes" {
 # Generate ansible inventory
 #
-data "template_file" "inventory" {
+locals {
-  template = file("${path.module}/templates/inventory.tpl")
+  inventory = templatefile(
-
+    "${path.module}/templates/inventory.tpl",
-  vars = {
+    {
-    connection_strings_master = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s etcd_member_name=etcd%d",
+      connection_strings_master = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s etcd_member_name=etcd%d",
-      keys(module.kubernetes.master_ip_addresses),
+        keys(module.kubernetes.master_ip_addresses),
-      values(module.kubernetes.master_ip_addresses).*.public_ip,
+        values(module.kubernetes.master_ip_addresses).*.public_ip,
-      values(module.kubernetes.master_ip_addresses).*.private_ip,
+        values(module.kubernetes.master_ip_addresses).*.private_ip,
-    range(1, length(module.kubernetes.master_ip_addresses) + 1)))
+      range(1, length(module.kubernetes.master_ip_addresses) + 1)))
-    connection_strings_worker = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s",
+      connection_strings_worker = join("\n", formatlist("%s ansible_user=ubuntu ansible_host=%s ip=%s",
-      keys(module.kubernetes.worker_ip_addresses),
+        keys(module.kubernetes.worker_ip_addresses),
-      values(module.kubernetes.worker_ip_addresses).*.public_ip,
+        values(module.kubernetes.worker_ip_addresses).*.public_ip,
-    values(module.kubernetes.worker_ip_addresses).*.private_ip))
+      values(module.kubernetes.worker_ip_addresses).*.private_ip))
-
+      list_master = join("\n", keys(module.kubernetes.master_ip_addresses))
-    list_master = join("\n", keys(module.kubernetes.master_ip_addresses))
+      list_worker = join("\n", keys(module.kubernetes.worker_ip_addresses))
-    list_worker = join("\n", keys(module.kubernetes.worker_ip_addresses))
+      network_id  = module.kubernetes.network_id
-  }
+    }
  )
 }
 resource "null_resource" "inventories" {
  provisioner "local-exec" {
-    command = "echo '${data.template_file.inventory.rendered}' > ${var.inventory_file}"
+    command = "echo '${local.inventory}' > ${var.inventory_file}"
  }
  triggers = {
-    template = data.template_file.inventory.rendered
+    template = local.inventory
  }
 }
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/main.tf
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/main.tf
@@ -0,0 +1,144 @@
 resource "hcloud_network" "kubernetes" {
  name     = "${var.prefix}-network"
  ip_range = var.private_network_cidr
 }
 resource "hcloud_network_subnet" "kubernetes" {
  type         = "cloud"
  network_id   = hcloud_network.kubernetes.id
  network_zone = var.network_zone
  ip_range     = var.private_subnet_cidr
 }
 resource "hcloud_ssh_key" "first" {
  name       = var.prefix
  public_key = var.ssh_public_keys.0
 }
 resource "hcloud_server" "machine" {
  for_each = {
    for name, machine in var.machines :
    name => machine
  }
  name     = "${var.prefix}-${each.key}"
  ssh_keys = [hcloud_ssh_key.first.id]
  # boot into rescue OS
  rescue = "linux64"
  # dummy value for the OS because Flatcar is not available
  image       = each.value.image
  server_type = each.value.size
  location    = var.zone
  connection {
    host        = self.ipv4_address
    timeout     = "5m"
    private_key = file(var.ssh_private_key_path)
  }
  firewall_ids = each.value.node_type == "master" ? [hcloud_firewall.master.id] : [hcloud_firewall.worker.id]
  provisioner "file" {
    content     = data.ct_config.machine-ignitions[each.key].rendered
    destination = "/root/ignition.json"
  }
  provisioner "remote-exec" {
    inline = [
      "set -ex",
      "apt update",
      "apt install -y gawk",
      "curl -fsSLO --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 https://raw.githubusercontent.com/flatcar/init/flatcar-master/bin/flatcar-install",
      "chmod +x flatcar-install",
      "./flatcar-install -s -i /root/ignition.json -C stable",
      "shutdown -r +1",
    ]
  }
  # optional:
  provisioner "remote-exec" {
    connection {
      host        = self.ipv4_address
      private_key = file(var.ssh_private_key_path)
      timeout     = "3m"
      user        = var.user_flatcar
    }
    inline = [
      "sudo hostnamectl set-hostname ${self.name}",
    ]
  }
 }
 resource "hcloud_server_network" "machine" {
  for_each = {
    for name, machine in var.machines :
    name => hcloud_server.machine[name]
  }
  server_id = each.value.id
  subnet_id = hcloud_network_subnet.kubernetes.id
 }
 data "ct_config" "machine-ignitions" {
  for_each = {
    for name, machine in var.machines :
    name => machine
  }
  strict = false
  content = templatefile(
    "${path.module}/templates/machine.yaml.tmpl",
    {
      ssh_keys     = jsonencode(var.ssh_public_keys)
      user_flatcar = var.user_flatcar
      name         = each.key
    }
  )
 }
 resource "hcloud_firewall" "master" {
  name = "${var.prefix}-master-firewall"
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.ssh_whitelist
  }
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "6443"
    source_ips = var.api_server_whitelist
  }
 }
 resource "hcloud_firewall" "worker" {
  name = "${var.prefix}-worker-firewall"
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.ssh_whitelist
  }
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = var.ingress_whitelist
  }
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = var.ingress_whitelist
  }
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "30000-32767"
    source_ips = var.nodeport_whitelist
  }
 }
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/outputs.tf
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/outputs.tf
@@ -0,0 +1,29 @@
 output "master_ip_addresses" {
  value = {
    for name, machine in var.machines :
      name => {
        "private_ip" = hcloud_server_network.machine[name].ip
        "public_ip"  = hcloud_server.machine[name].ipv4_address
      }
      if machine.node_type == "master"
  }
 }
 output "worker_ip_addresses" {
  value = {
    for name, machine in var.machines :
      name => {
        "private_ip" = hcloud_server_network.machine[name].ip
        "public_ip"  = hcloud_server.machine[name].ipv4_address
      }
      if machine.node_type == "worker"
  }
 }
 output "cluster_private_network_cidr" {
  value = var.private_subnet_cidr
 }
 output "network_id" {
  value = hcloud_network.kubernetes.id
 }
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/templates/machine.yaml.tmpl
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/templates/machine.yaml.tmpl
@@ -0,0 +1,19 @@
 variant: flatcar
 version: 1.0.0
 passwd:
  users:
    - name: ${user_flatcar}
      ssh_authorized_keys: ${ssh_keys}
 storage:
  files:
    - path: /home/core/works
      filesystem: root
      mode: 0755
      contents:
        inline: |
          #!/bin/bash
          set -euo pipefail
          hostname="$(hostname)"
          echo My name is ${name} and the hostname is $${hostname}
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/variables.tf
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/variables.tf
@@ -0,0 +1,60 @@
 variable "zone" {
  type    = string
  default = "fsn1"
 }
 variable "prefix" {
  default = "k8s"
 }
 variable "user_flatcar" {
  type    = string
  default = "core"
 }
 variable "machines" {
  type = map(object({
    node_type = string
    size      = string
    image     = string
  }))
 }
 variable "ssh_public_keys" {
  type = list(string)
 }
 variable "ssh_private_key_path" {
  type    = string
  default = "~/.ssh/id_rsa"
 }
 variable "ssh_whitelist" {
  type = list(string)
 }
 variable "api_server_whitelist" {
  type = list(string)
 }
 variable "nodeport_whitelist" {
  type = list(string)
 }
 variable "ingress_whitelist" {
  type = list(string)
 }
 variable "private_network_cidr" {
  default = "10.0.0.0/16"
 }
 variable "private_subnet_cidr" {
  default = "10.0.10.0/24"
 }
 variable "network_zone" {
  default = "eu-central"
 }
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/versions.tf
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster-flatcar/versions.tf
@@ -0,0 +1,14 @@
 terraform {
  required_providers {
    hcloud = {
      source = "hetznercloud/hcloud"
    }
    ct = {
      source  = "poseidon/ct"
      version = "0.11.0"
    }
    null = {
      source = "hashicorp/null"
    }
  }
 }
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster/main.tf
@@ -6,7 +6,7 @@ resource "hcloud_network" "kubernetes" {
 resource "hcloud_network_subnet" "kubernetes" {
  type         = "cloud"
  network_id   = hcloud_network.kubernetes.id
-  network_zone = "eu-central"
+  network_zone = var.network_zone
  ip_range     = var.private_subnet_cidr
 }
@@ -75,17 +75,17 @@ resource "hcloud_firewall" "master" {
  name = "${var.prefix}-master-firewall"
  rule {
-   direction = "in"
+    direction  = "in"
-   protocol = "tcp"
+    protocol   = "tcp"
-   port = "22"
+    port       = "22"
-   source_ips = var.ssh_whitelist
+    source_ips = var.ssh_whitelist
  }
  rule {
-   direction = "in"
+    direction  = "in"
-   protocol = "tcp"
+    protocol   = "tcp"
-   port = "6443"
+    port       = "6443"
-   source_ips = var.api_server_whitelist
+    source_ips = var.api_server_whitelist
  }
 }
@@ -93,30 +93,30 @@ resource "hcloud_firewall" "worker" {
  name = "${var.prefix}-worker-firewall"
  rule {
-   direction = "in"
+    direction  = "in"
-   protocol = "tcp"
+    protocol   = "tcp"
-   port = "22"
+    port       = "22"
-   source_ips = var.ssh_whitelist
+    source_ips = var.ssh_whitelist
  }
  rule {
-   direction = "in"
+    direction  = "in"
-   protocol = "tcp"
+    protocol   = "tcp"
-   port = "80"
+    port       = "80"
-   source_ips = var.ingress_whitelist
+    source_ips = var.ingress_whitelist
  }
  rule {
-   direction = "in"
+    direction  = "in"
-   protocol = "tcp"
+    protocol   = "tcp"
-   port = "443"
+    port       = "443"
-   source_ips = var.ingress_whitelist
+    source_ips = var.ingress_whitelist
  }
  rule {
-   direction = "in"
+    direction  = "in"
-   protocol = "tcp"
+    protocol   = "tcp"
-   port = "30000-32767"
+    port       = "30000-32767"
-   source_ips = var.nodeport_whitelist
+    source_ips = var.nodeport_whitelist
  }
 }
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster/output.tf
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster/output.tf
@@ -21,3 +21,7 @@ output "worker_ip_addresses" {
 output "cluster_private_network_cidr" {
  value = var.private_subnet_cidr
 }
 output "network_id" {
  value = hcloud_network.kubernetes.id
 }
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster/templates/cloud-init.tmpl
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster/templates/cloud-init.tmpl
@@ -14,4 +14,3 @@ ssh_authorized_keys:
 %{ for ssh_public_key in ssh_public_keys ~}
  - ${ssh_public_key}
 %{ endfor ~}
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster/variables.tf
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster/variables.tf
@@ -39,3 +39,6 @@ variable "private_network_cidr" {
 variable "private_subnet_cidr" {
  default = "10.0.10.0/24"
 }
 variable "network_zone" {
  default = "eu-central"
 }
--- a/contrib/terraform/hetzner/modules/kubernetes-cluster/versions.tf
+++ b/contrib/terraform/hetzner/modules/kubernetes-cluster/versions.tf
@@ -1,8 +1,8 @@
 terraform {
  required_providers {
    hcloud = {
-      source = "hetznercloud/hcloud"
+      source  = "hetznercloud/hcloud"
-      version = "1.31.1"
+      version = "1.38.2"
    }
  }
  required_version = ">= 0.14"
--- a/contrib/terraform/hetzner/sample-inventory/cluster.tfvars
+++ b/contrib/terraform/hetzner/sample-inventory/cluster.tfvars
@@ -0,0 +1,46 @@
 prefix         = "default"
 zone           = "hel1"
 network_zone   = "eu-central"
 inventory_file = "inventory.ini"
 ssh_public_keys = [
  # Put your public SSH key here
  "ssh-rsa I-did-not-read-the-docs",
  "ssh-rsa I-did-not-read-the-docs 2",
 ]
 ssh_private_key_path = "~/.ssh/id_rsa"
 machines = {
  "master-0" : {
    "node_type" : "master",
    "size" : "cx21",
    "image" : "ubuntu-22.04",
  },
  "worker-0" : {
    "node_type" : "worker",
    "size" : "cx21",
    "image" : "ubuntu-22.04",
  },
  "worker-1" : {
    "node_type" : "worker",
    "size" : "cx21",
    "image" : "ubuntu-22.04",
  }
 }
 nodeport_whitelist = [
  "0.0.0.0/0"
 ]
 ingress_whitelist = [
  "0.0.0.0/0"
 ]
 ssh_whitelist = [
  "0.0.0.0/0"
 ]
 api_server_whitelist = [
  "0.0.0.0/0"
 ]
--- a/contrib/terraform/hetzner/sample-inventory/group_vars
+++ b/contrib/terraform/hetzner/sample-inventory/group_vars
@@ -0,0 +1 @@
 ../../../../inventory/sample/group_vars
--- a/contrib/terraform/hetzner/templates/inventory.tpl
+++ b/contrib/terraform/hetzner/templates/inventory.tpl
@@ -2,15 +2,18 @@
 ${connection_strings_master}
 ${connection_strings_worker}
-[kube-master]
+[kube_control_plane]
 ${list_master}
 [etcd]
 ${list_master}
-[kube-node]
+[kube_node]
 ${list_worker}
-[k8s-cluster:children]
+[k8s_cluster:children]
 kube-master
 kube-node
 [k8s_cluster:vars]
 network_id=${network_id}
--- a/contrib/terraform/hetzner/variables.tf
+++ b/contrib/terraform/hetzner/variables.tf
@@ -1,6 +1,10 @@
 variable "zone" {
  description = "The zone where to run the cluster"
 }
 variable "network_zone" {
  description = "The network zone where the cluster is running"
  default     = "eu-central"
 }
 variable "prefix" {
  description = "Prefix for resource names"
@@ -21,6 +25,12 @@ variable "ssh_public_keys" {
  type        = list(string)
 }
 variable "ssh_private_key_path" {
  description = "Private SSH key which connect to the VMs."
  type        = string
  default     = "~/.ssh/id_rsa"
 }
 variable "ssh_whitelist" {
  description = "List of IP ranges (CIDR) to whitelist for ssh"
  type        = list(string)
--- a/contrib/terraform/hetzner/versions.tf
+++ b/contrib/terraform/hetzner/versions.tf
@@ -2,14 +2,11 @@ terraform {
  required_providers {
    hcloud = {
      source  = "hetznercloud/hcloud"
-      version = "1.31.1"
+      version = "1.38.2"
    }
    null = {
      source = "hashicorp/null"
    }
    template = {
      source = "hashicorp/template"
    }
  }
  required_version = ">= 0.14"
 }
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -17,9 +17,10 @@ most modern installs of OpenStack that support the basic services.
 - [ELASTX](https://elastx.se/)
 - [EnterCloudSuite](https://www.entercloudsuite.com/)
 - [FugaCloud](https://fuga.cloud/)
- [Open Telekom Cloud](https://cloud.telekom.de/) : requires to set the variable `wait_for_floatingip = "true"` in your cluster.tfvars
+- [Open Telekom Cloud](https://cloud.telekom.de/)
 - [OVH](https://www.ovh.com/)
 - [Rackspace](https://www.rackspace.com/)
 - [Safespring](https://www.safespring.com)
 - [Ultimum](https://ultimum.io/)
 - [VexxHost](https://vexxhost.com/)
 - [Zetta](https://www.zetta.io/)
@@ -87,7 +88,7 @@ binaries available on hyperkube v1.4.3_coreos.0 or higher.
 ## Requirements
- [Install Terraform](https://www.terraform.io/intro/getting-started/install.html) 0.12 or later
+- [Install Terraform](https://www.terraform.io/intro/getting-started/install.html) 0.14 or later
 - [Install Ansible](http://docs.ansible.com/ansible/latest/intro_installation.html)
 - you already have a suitable OS image in Glance
 - you already have a floating IP pool created
@@ -247,6 +248,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`cluster_name` | All OpenStack resources will use the Terraform variable`cluster_name` (default`example`) in their name to make it easier to track. For example the first compute resource will be named`example-kubernetes-1`. |
 |`az_list` | List of Availability Zones available in your OpenStack cluster. |
 |`network_name` | The name to be given to the internal network that will be generated |
 |`use_existing_network`| Use an existing network with the name of `network_name`. `false` by default |
 |`network_dns_domain` | (Optional) The dns_domain for the internal network that will be generated |
 |`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. |
 |`floatingip_pool` | Name of the pool from which floating IPs will be allocated |
@@ -268,10 +270,10 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube_ingress` for running ingress controller pods, empty by default. |
 |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
 |`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default |
 |`bastion_allowed_ports` | List of ports to open on bastion node, `[]` by default |
 |`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
 |`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default |
 |`wait_for_floatingip` | Let Terraform poll the instance until the floating IP has been associated, `false` by default. |
 |`node_root_volume_size_in_gb` | Size of the root volume for nodes, 0 to use ephemeral storage |
 |`master_root_volume_size_in_gb` | Size of the root volume for masters, 0 to use ephemeral storage |
 |`master_volume_type` | Volume type of the root volume for control_plane, 'Default' by default |
@@ -282,15 +284,41 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`master_server_group_policy` | Enable and use openstack nova servergroups for masters with set policy, default: "" (disabled) |
 |`node_server_group_policy` | Enable and use openstack nova servergroups for nodes with set policy, default: "" (disabled) |
 |`etcd_server_group_policy` | Enable and use openstack nova servergroups for etcd with set policy, default: "" (disabled) |
 |`additional_server_groups` | Extra server groups to create. Set "policy" to the policy for the group, expected format is `{"new-server-group" = {"policy" = "anti-affinity"}}`, default: {} (to not create any extra groups) |
 |`use_access_ip` | If 1, nodes with floating IPs will transmit internal cluster traffic via floating IPs; if 0 private IPs will be used instead. Default value is 1. |
 |`port_security_enabled` | Allow to disable port security by setting this to `false`. `true` by default |
 |`force_null_port_security` | Set `null` instead of `true` or `false` for `port_security`. `false` by default |
 |`k8s_nodes` | Map containing worker node definition, see explanation below |
 |`k8s_masters` | Map containing master node definition, see explanation for k8s_nodes and `sample-inventory/cluster.tfvars` |
 ##### k8s_nodes
-Allows a custom definition of worker nodes giving the operator full control over individual node flavor and
+Allows a custom definition of worker nodes giving the operator full control over individual node flavor and availability zone placement.
-availability zone placement. To enable the use of this mode set the `number_of_k8s_nodes` and
+To enable the use of this mode set the `number_of_k8s_nodes` and `number_of_k8s_nodes_no_floating_ip` variables to 0.
-`number_of_k8s_nodes_no_floating_ip` variables to 0. Then define your desired worker node configuration
+Then define your desired worker node configuration using the `k8s_nodes` variable.
-using the `k8s_nodes` variable.
+The `az`, `flavor` and `floating_ip` parameters are mandatory.
 The optional parameter `extra_groups` (a comma-delimited string) can be used to define extra inventory group memberships for specific nodes.
 ```yaml
 k8s_nodes:
   node-name:
    az: string # Name of the AZ
    flavor: string # Flavor ID to use
    floating_ip: bool # If floating IPs should be created or not
    extra_groups: string # (optional) Additional groups to add for kubespray, defaults to no groups
    image_id: string # (optional) Image ID to use, defaults to var.image_id or var.image
    root_volume_size_in_gb: number # (optional) Size of the block storage to use as root disk, defaults to var.node_root_volume_size_in_gb or to use volume from flavor otherwise
    volume_type: string # (optional) Volume type to use, defaults to var.node_volume_type
    network_id: string # (optional) Use this network_id for the node, defaults to either var.network_id or ID of var.network_name
    server_group: string # (optional) Server group to add this node to. If set, this has to be one specified in additional_server_groups, defaults to use the server group specified in node_server_group_policy
    cloudinit: # (optional) Options for cloud-init
      extra_partitions: # List of extra partitions (other than the root partition) to setup during creation
        volume_path: string # Path to the volume to create partition for (e.g. /dev/vda )
        partition_path: string # Path to the partition (e.g. /dev/vda2 )
        mount_path: string # Path to where the partition should be mounted
        partition_start: string # Where the partition should start (e.g. 10GB ). Note, if you set the partition_start to 0 there will be no space left for the root partition
        partition_end: string # Where the partition should end (e.g. 10GB or -1 for end of volume)
 ```
 For example:
@@ -310,6 +338,7 @@ k8s_nodes = {
    "az" = "sto3"
    "flavor" = "83d8b44a-26a0-4f02-a981-079446926445"
    "floating_ip" = true
    "extra_groups" = "calico_rr"
  }
 }
 ```
@@ -411,18 +440,39 @@ plugins. This is accomplished as follows:
 ```ShellSession
 cd inventory/$CLUSTER
-terraform init ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" init
 ```
 This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
 ### Customizing with cloud-init
 You can apply cloud-init based customization for the openstack instances before provisioning your cluster.
 One common template is used for all instances. Adjust the file shown below:
 `contrib/terraform/openstack/modules/compute/templates/cloudinit.yaml.tmpl`
 For example, to enable openstack novnc access and ansible_user=root SSH access:
 ```ShellSession
 #cloud-config
 ## in some cases novnc console access is required
 ## it requires ssh password to be set
 ssh_pwauth: yes
 chpasswd:
  list: |
    root:secret
  expire: False
 ## in some cases direct root ssh access via ssh key is required
 disable_root: false
 ```
 ### Provisioning cluster
 You can apply the Terraform configuration to your cluster with the following command
 issued from your cluster's inventory directory (`inventory/$CLUSTER`):
 ```ShellSession
-terraform apply -var-file=cluster.tfvars ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" apply -var-file=cluster.tfvars
 ```
 if you chose to create a bastion host, this script will create
@@ -437,7 +487,7 @@ pick it up automatically.
 You can destroy your new cluster with the following command issued from the cluster's inventory directory:
 ```ShellSession
-terraform destroy -var-file=cluster.tfvars ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" destroy -var-file=cluster.tfvars
 ```
 If you've started the Ansible run, it may also be a good idea to do some manual cleanup:
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -1,14 +1,15 @@
 module "network" {
  source = "./modules/network"
-  external_net       = var.external_net
+  external_net          = var.external_net
-  network_name       = var.network_name
+  network_name          = var.network_name
-  subnet_cidr        = var.subnet_cidr
+  subnet_cidr           = var.subnet_cidr
-  cluster_name       = var.cluster_name
+  cluster_name          = var.cluster_name
-  dns_nameservers    = var.dns_nameservers
+  dns_nameservers       = var.dns_nameservers
-  network_dns_domain = var.network_dns_domain
+  network_dns_domain    = var.network_dns_domain
-  use_neutron        = var.use_neutron
+  use_neutron           = var.use_neutron
-  router_id          = var.router_id
+  port_security_enabled = var.port_security_enabled
  router_id             = var.router_id
 }
 module "ips" {
@@ -23,6 +24,7 @@ module "ips" {
  network_name                  = var.network_name
  router_id                     = module.network.router_id
  k8s_nodes                     = var.k8s_nodes
  k8s_masters                   = var.k8s_masters
  k8s_master_fips               = var.k8s_master_fips
  bastion_fips                  = var.bastion_fips
  router_internal_port_id       = module.network.router_internal_port_id
@@ -43,6 +45,7 @@ module "compute" {
  number_of_bastions                           = var.number_of_bastions
  number_of_k8s_nodes_no_floating_ip           = var.number_of_k8s_nodes_no_floating_ip
  number_of_gfs_nodes_no_floating_ip           = var.number_of_gfs_nodes_no_floating_ip
  k8s_masters                                  = var.k8s_masters
  k8s_nodes                                    = var.k8s_nodes
  bastion_root_volume_size_in_gb               = var.bastion_root_volume_size_in_gb
  etcd_root_volume_size_in_gb                  = var.etcd_root_volume_size_in_gb
@@ -69,6 +72,7 @@ module "compute" {
  flavor_bastion                               = var.flavor_bastion
  k8s_master_fips                              = module.ips.k8s_master_fips
  k8s_master_no_etcd_fips                      = module.ips.k8s_master_no_etcd_fips
  k8s_masters_fips                             = module.ips.k8s_masters_fips
  k8s_node_fips                                = module.ips.k8s_node_fips
  k8s_nodes_fips                               = module.ips.k8s_nodes_fips
  bastion_fips                                 = module.ips.bastion_fips
@@ -80,7 +84,7 @@ module "compute" {
  supplementary_node_groups                    = var.supplementary_node_groups
  master_allowed_ports                         = var.master_allowed_ports
  worker_allowed_ports                         = var.worker_allowed_ports
-  wait_for_floatingip                          = var.wait_for_floatingip
+  bastion_allowed_ports                        = var.bastion_allowed_ports
  use_access_ip                                = var.use_access_ip
  master_server_group_policy                   = var.master_server_group_policy
  node_server_group_policy                     = var.node_server_group_policy
@@ -88,8 +92,17 @@ module "compute" {
  extra_sec_groups                             = var.extra_sec_groups
  extra_sec_groups_name                        = var.extra_sec_groups_name
  group_vars_path                              = var.group_vars_path
  port_security_enabled                        = var.port_security_enabled
  force_null_port_security                     = var.force_null_port_security
  network_router_id                            = module.network.router_id
  network_id                                   = module.network.network_id
  use_existing_network                         = var.use_existing_network
  private_subnet_id                            = module.network.subnet_id
  additional_server_groups                     = var.additional_server_groups
-  network_id = module.network.router_id
+  depends_on = [
    module.network.subnet_id
  ]
 }
 output "private_subnet_id" {
@@ -105,7 +118,7 @@ output "router_id" {
 }
 output "k8s_master_fips" {
-  value = concat(module.ips.k8s_master_fips, module.ips.k8s_master_no_etcd_fips)
+  value = var.number_of_k8s_masters + var.number_of_k8s_masters_no_etcd > 0 ? concat(module.ips.k8s_master_fips, module.ips.k8s_master_no_etcd_fips) : [for key, value in module.ips.k8s_masters_fips : value.address]
 }
 output "k8s_node_fips" {
--- a/contrib/terraform/openstack/modules/compute/ansible_bastion_template.txt
+++ b/contrib/terraform/openstack/modules/compute/ansible_bastion_template.txt
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -15,6 +15,21 @@ data "openstack_images_image_v2" "image_master" {
  name = var.image_master == "" ? var.image : var.image_master
 }
 data "cloudinit_config" "cloudinit" {
  part {
    content_type =  "text/cloud-config"
    content = templatefile("${path.module}/templates/cloudinit.yaml.tmpl", {
      # template_file doesn't support lists
      extra_partitions = ""
    })
  }
 }
 data "openstack_networking_network_v2" "k8s_network" {
  count = var.use_existing_network ? 1 : 0
  name  = var.network_name
 }
 resource "openstack_compute_keypair_v2" "k8s" {
  name       = "kubernetes-${var.cluster_name}"
  public_key = chomp(file(var.public_key_path))
@@ -73,6 +88,17 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
  security_group_id = openstack_networking_secgroup_v2.bastion[0].id
 }
 resource "openstack_networking_secgroup_rule_v2" "k8s_bastion_ports" {
  count             = length(var.bastion_allowed_ports)
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = lookup(var.bastion_allowed_ports[count.index], "protocol", "tcp")
  port_range_min    = lookup(var.bastion_allowed_ports[count.index], "port_range_min")
  port_range_max    = lookup(var.bastion_allowed_ports[count.index], "port_range_max")
  remote_ip_prefix  = lookup(var.bastion_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")
  security_group_id = openstack_networking_secgroup_v2.bastion[0].id
 }
 resource "openstack_networking_secgroup_v2" "k8s" {
  name                 = "${var.cluster_name}-k8s"
  description          = "${var.cluster_name} - Kubernetes"
@@ -147,19 +173,34 @@ resource "openstack_compute_servergroup_v2" "k8s_etcd" {
  policies = [var.etcd_server_group_policy]
 }
 resource "openstack_compute_servergroup_v2" "k8s_node_additional" {
  for_each = var.additional_server_groups
  name     = "k8s-${each.key}-srvgrp"
  policies = [each.value.policy]
 }
 locals {
 # master groups
  master_sec_groups = compact([
-    openstack_networking_secgroup_v2.k8s_master.name,
+    openstack_networking_secgroup_v2.k8s_master.id,
-    openstack_networking_secgroup_v2.k8s.name,
+    openstack_networking_secgroup_v2.k8s.id,
-    var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+    var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].id : "",
  ])
 # worker groups
  worker_sec_groups = compact([
-    openstack_networking_secgroup_v2.k8s.name,
+    openstack_networking_secgroup_v2.k8s.id,
-    openstack_networking_secgroup_v2.worker.name,
+    openstack_networking_secgroup_v2.worker.id,
-    var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].name : "",
+    var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].id : "",
  ])
 # bastion groups
  bastion_sec_groups = compact(concat([
    openstack_networking_secgroup_v2.k8s.id,
    openstack_networking_secgroup_v2.bastion[0].id,
  ]))
 # etcd groups
  etcd_sec_groups = compact([openstack_networking_secgroup_v2.k8s.id])
 # glusterfs groups
  gfs_sec_groups = compact([openstack_networking_secgroup_v2.k8s.id])
 # Image uuid
  image_to_use_node = var.image_uuid != "" ? var.image_uuid : data.openstack_images_image_v2.vm_image[0].id
@@ -167,6 +208,49 @@ locals {
  image_to_use_gfs = var.image_gfs_uuid != "" ? var.image_gfs_uuid : var.image_uuid != "" ? var.image_uuid : data.openstack_images_image_v2.gfs_image[0].id
 # image_master uuidimage_gfs_uuid
  image_to_use_master = var.image_master_uuid != "" ? var.image_master_uuid : var.image_uuid != "" ? var.image_uuid : data.openstack_images_image_v2.image_master[0].id
  k8s_nodes_settings = {
    for name, node in var.k8s_nodes :
      name => {
        "use_local_disk" = (node.root_volume_size_in_gb != null ? node.root_volume_size_in_gb : var.node_root_volume_size_in_gb) == 0,
        "image_id"       = node.image_id != null ? node.image_id : local.image_to_use_node,
        "volume_size"    = node.root_volume_size_in_gb != null ? node.root_volume_size_in_gb : var.node_root_volume_size_in_gb,
        "volume_type"    = node.volume_type != null ? node.volume_type : var.node_volume_type,
        "network_id"     = node.network_id != null ? node.network_id : (var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id)
        "server_group"   = node.server_group != null ? [openstack_compute_servergroup_v2.k8s_node_additional[node.server_group].id] : (var.node_server_group_policy != ""  ? [openstack_compute_servergroup_v2.k8s_node[0].id] : [])
      }
  }
  k8s_masters_settings = {
    for name, node in var.k8s_masters :
      name => {
        "use_local_disk" = (node.root_volume_size_in_gb != null ? node.root_volume_size_in_gb : var.master_root_volume_size_in_gb) == 0,
        "image_id"       = node.image_id != null ? node.image_id : local.image_to_use_master,
        "volume_size"    = node.root_volume_size_in_gb != null ? node.root_volume_size_in_gb : var.master_root_volume_size_in_gb,
        "volume_type"    = node.volume_type != null ? node.volume_type : var.master_volume_type,
        "network_id"     = node.network_id != null ? node.network_id : (var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id)
      }
  }
 }
 resource "openstack_networking_port_v2" "bastion_port" {
  count                 = var.number_of_bastions
  name                  = "${var.cluster_name}-bastion-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.bastion_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "bastion" {
@@ -175,6 +259,7 @@ resource "openstack_compute_instance_v2" "bastion" {
  image_id   = var.bastion_root_volume_size_in_gb == 0 ? local.image_to_use_node : null
  flavor_id  = var.flavor_bastion
  key_pair   = openstack_compute_keypair_v2.k8s.name
  user_data  = data.cloudinit_config.cloudinit.rendered
  dynamic "block_device" {
    for_each = var.bastion_root_volume_size_in_gb > 0 ? [local.image_to_use_node] : []
@@ -189,25 +274,41 @@ resource "openstack_compute_instance_v2" "bastion" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.bastion_port.*.id, count.index)
  }
  security_groups = [openstack_networking_secgroup_v2.k8s.name,
    element(openstack_networking_secgroup_v2.bastion.*.name, count.index),
  ]
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "bastion"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
  provisioner "local-exec" {
-    command = "sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${var.bastion_fips[0]}/ > ${var.group_vars_path}/no_floating.yml"
+    command = "sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${var.bastion_fips[0]}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml"
  }
 }
 resource "openstack_networking_port_v2" "k8s_master_port" {
  count                 = var.number_of_k8s_masters
  name                  = "${var.cluster_name}-k8s-master-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "k8s_master" {
  name              = "${var.cluster_name}-k8s-master-${count.index + 1}"
  count             = var.number_of_k8s_masters
@@ -215,6 +316,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
  image_id          = var.master_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
  flavor_id         = var.flavor_k8s_master
  key_pair          = openstack_compute_keypair_v2.k8s.name
  user_data         = data.cloudinit_config.cloudinit.rendered
  dynamic "block_device" {
@@ -231,11 +333,9 @@ resource "openstack_compute_instance_v2" "k8s_master" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_master_port.*.id, count.index)
  }
  security_groups = local.master_sec_groups
  dynamic "scheduler_hints" {
    for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
    content {
@@ -246,15 +346,99 @@ resource "openstack_compute_instance_v2" "k8s_master" {
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "etcd,kube_control_plane,${var.supplementary_master_groups},k8s_cluster"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
  provisioner "local-exec" {
-    command = "sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > ${var.group_vars_path}/no_floating.yml"
+    command = "sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_master_fips), 0)}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml"
  }
 }
 resource "openstack_networking_port_v2" "k8s_masters_port" {
  for_each              = var.number_of_k8s_masters == 0 && var.number_of_k8s_masters_no_etcd == 0 && var.number_of_k8s_masters_no_floating_ip == 0 && var.number_of_k8s_masters_no_floating_ip_no_etcd == 0 ? var.k8s_masters : {}
  name                  = "${var.cluster_name}-k8s-${each.key}"
  network_id            = local.k8s_masters_settings[each.key].network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "k8s_masters" {
  for_each          = var.number_of_k8s_masters == 0 && var.number_of_k8s_masters_no_etcd == 0 && var.number_of_k8s_masters_no_floating_ip == 0 && var.number_of_k8s_masters_no_floating_ip_no_etcd == 0 ? var.k8s_masters : {}
  name              = "${var.cluster_name}-k8s-${each.key}"
  availability_zone = each.value.az
  image_id          = local.k8s_masters_settings[each.key].use_local_disk ? local.k8s_masters_settings[each.key].image_id : null
  flavor_id         = each.value.flavor
  key_pair          = openstack_compute_keypair_v2.k8s.name
  dynamic "block_device" {
    for_each = !local.k8s_masters_settings[each.key].use_local_disk ? [local.k8s_masters_settings[each.key].image_id] : []
    content {
      uuid                  = block_device.value
      source_type           = "image"
      volume_size           = local.k8s_masters_settings[each.key].volume_size
      volume_type           = local.k8s_masters_settings[each.key].volume_type
      boot_index            = 0
      destination_type      = "volume"
      delete_on_termination = true
    }
  }
  network {
    port = openstack_networking_port_v2.k8s_masters_port[each.key].id
  }
  dynamic "scheduler_hints" {
    for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
    content {
      group = openstack_compute_servergroup_v2.k8s_master[0].id
    }
  }
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "%{if each.value.etcd == true}etcd,%{endif}kube_control_plane,${var.supplementary_master_groups},k8s_cluster%{if each.value.floating_ip == false},no_floating%{endif}"
    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
  provisioner "local-exec" {
    command = "%{if each.value.floating_ip}sed s/USER/${var.ssh_user}/ ${path.module}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, [for key, value in var.k8s_masters_fips : value.address]), 0)}/ > ${var.group_vars_path}/no_floating.yml%{else}true%{endif}"
  }
 }
 resource "openstack_networking_port_v2" "k8s_master_no_etcd_port" {
  count                 = var.number_of_k8s_masters_no_etcd
  name                  = "${var.cluster_name}-k8s-master-ne-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
  name              = "${var.cluster_name}-k8s-master-ne-${count.index + 1}"
  count             = var.number_of_k8s_masters_no_etcd
@@ -262,6 +446,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
  image_id          = var.master_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
  flavor_id         = var.flavor_k8s_master
  key_pair          = openstack_compute_keypair_v2.k8s.name
  user_data         = data.cloudinit_config.cloudinit.rendered
  dynamic "block_device" {
@@ -278,11 +463,9 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_master_no_etcd_port.*.id, count.index)
  }
  security_groups = local.master_sec_groups
  dynamic "scheduler_hints" {
    for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
    content {
@@ -293,15 +476,35 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "kube_control_plane,${var.supplementary_master_groups},k8s_cluster"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
  provisioner "local-exec" {
-    command = "sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > ${var.group_vars_path}/no_floating.yml"
+    command = "sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_master_fips), 0)}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml"
  }
 }
 resource "openstack_networking_port_v2" "etcd_port" {
  count                 = var.number_of_etcd
  name                  = "${var.cluster_name}-etcd-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.etcd_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "etcd" {
  name              = "${var.cluster_name}-etcd-${count.index + 1}"
  count             = var.number_of_etcd
@@ -309,6 +512,7 @@ resource "openstack_compute_instance_v2" "etcd" {
  image_id          = var.etcd_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
  flavor_id         = var.flavor_etcd
  key_pair          = openstack_compute_keypair_v2.k8s.name
  user_data         = data.cloudinit_config.cloudinit.rendered
  dynamic "block_device" {
    for_each = var.etcd_root_volume_size_in_gb > 0 ? [local.image_to_use_master] : []
@@ -323,13 +527,11 @@ resource "openstack_compute_instance_v2" "etcd" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.etcd_port.*.id, count.index)
  }
  security_groups = [openstack_networking_secgroup_v2.k8s.name]
  dynamic "scheduler_hints" {
-    for_each = var.etcd_server_group_policy ? [openstack_compute_servergroup_v2.k8s_etcd[0]] : []
+    for_each = var.etcd_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_etcd[0]] : []
    content {
      group = openstack_compute_servergroup_v2.k8s_etcd[0].id
    }
@@ -338,11 +540,31 @@ resource "openstack_compute_instance_v2" "etcd" {
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "etcd,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
 }
 resource "openstack_networking_port_v2" "k8s_master_no_floating_ip_port" {
  count                 = var.number_of_k8s_masters_no_floating_ip
  name                  = "${var.cluster_name}-k8s-master-nf-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
  name              = "${var.cluster_name}-k8s-master-nf-${count.index + 1}"
  count             = var.number_of_k8s_masters_no_floating_ip
@@ -365,11 +587,9 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_master_no_floating_ip_port.*.id, count.index)
  }
  security_groups = local.master_sec_groups
  dynamic "scheduler_hints" {
    for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
    content {
@@ -380,11 +600,31 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "etcd,kube_control_plane,${var.supplementary_master_groups},k8s_cluster,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
 }
 resource "openstack_networking_port_v2" "k8s_master_no_floating_ip_no_etcd_port" {
  count                 = var.number_of_k8s_masters_no_floating_ip_no_etcd
  name                  = "${var.cluster_name}-k8s-master-ne-nf-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
  name              = "${var.cluster_name}-k8s-master-ne-nf-${count.index + 1}"
  count             = var.number_of_k8s_masters_no_floating_ip_no_etcd
@@ -392,6 +632,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
  image_id          = var.master_root_volume_size_in_gb == 0 ? local.image_to_use_master : null
  flavor_id         = var.flavor_k8s_master
  key_pair          = openstack_compute_keypair_v2.k8s.name
  user_data         = data.cloudinit_config.cloudinit.rendered
  dynamic "block_device" {
    for_each = var.master_root_volume_size_in_gb > 0 ? [local.image_to_use_master] : []
@@ -407,11 +648,9 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_master_no_floating_ip_no_etcd_port.*.id, count.index)
  }
  security_groups = local.master_sec_groups
  dynamic "scheduler_hints" {
    for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
    content {
@@ -422,11 +661,31 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "kube_control_plane,${var.supplementary_master_groups},k8s_cluster,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
 }
 resource "openstack_networking_port_v2" "k8s_node_port" {
  count                 = var.number_of_k8s_nodes
  name                  = "${var.cluster_name}-k8s-node-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "k8s_node" {
  name              = "${var.cluster_name}-k8s-node-${count.index + 1}"
  count             = var.number_of_k8s_nodes
@@ -434,6 +693,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
  image_id          = var.node_root_volume_size_in_gb == 0 ? local.image_to_use_node : null
  flavor_id         = var.flavor_k8s_node
  key_pair          = openstack_compute_keypair_v2.k8s.name
  user_data         = data.cloudinit_config.cloudinit.rendered
  dynamic "block_device" {
    for_each = var.node_root_volume_size_in_gb > 0 ? [local.image_to_use_node] : []
@@ -449,10 +709,9 @@ resource "openstack_compute_instance_v2" "k8s_node" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_node_port.*.id, count.index)
  }
  security_groups = local.worker_sec_groups
  dynamic "scheduler_hints" {
    for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -464,15 +723,35 @@ resource "openstack_compute_instance_v2" "k8s_node" {
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "kube_node,k8s_cluster,${var.supplementary_node_groups}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
  provisioner "local-exec" {
-    command = "sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_node_fips), 0)}/ > ${var.group_vars_path}/no_floating.yml"
+    command = "sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${element(concat(var.bastion_fips, var.k8s_node_fips), 0)}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml"
  }
 }
 resource "openstack_networking_port_v2" "k8s_node_no_floating_ip_port" {
  count                 = var.number_of_k8s_nodes_no_floating_ip
  name                  = "${var.cluster_name}-k8s-node-nf-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
  name              = "${var.cluster_name}-k8s-node-nf-${count.index + 1}"
  count             = var.number_of_k8s_nodes_no_floating_ip
@@ -480,6 +759,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
  image_id          = var.node_root_volume_size_in_gb == 0 ? local.image_to_use_node : null
  flavor_id         = var.flavor_k8s_node
  key_pair          = openstack_compute_keypair_v2.k8s.name
  user_data         = data.cloudinit_config.cloudinit.rendered
  dynamic "block_device" {
    for_each = var.node_root_volume_size_in_gb > 0 ? [local.image_to_use_node] : []
@@ -495,41 +775,62 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.k8s_node_no_floating_ip_port.*.id, count.index)
  }
  security_groups = local.worker_sec_groups
  dynamic "scheduler_hints" {
-    for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
+    for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0].id] : []
    content {
-      group = openstack_compute_servergroup_v2.k8s_node[0].id
+      group = scheduler_hints.value
    }
  }
  metadata = {
    ssh_user         = var.ssh_user
    kubespray_groups = "kube_node,k8s_cluster,no_floating,${var.supplementary_node_groups}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
 }
 resource "openstack_networking_port_v2" "k8s_nodes_port" {
  for_each              = var.number_of_k8s_nodes == 0 && var.number_of_k8s_nodes_no_floating_ip == 0 ? var.k8s_nodes : {}
  name                  = "${var.cluster_name}-k8s-node-${each.key}"
  network_id            = local.k8s_nodes_settings[each.key].network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "k8s_nodes" {
  for_each          = var.number_of_k8s_nodes == 0 && var.number_of_k8s_nodes_no_floating_ip == 0 ? var.k8s_nodes : {}
  name              = "${var.cluster_name}-k8s-node-${each.key}"
  availability_zone = each.value.az
-  image_id          = var.node_root_volume_size_in_gb == 0 ? local.image_to_use_node : null
+  image_id          = local.k8s_nodes_settings[each.key].use_local_disk ? local.k8s_nodes_settings[each.key].image_id : null
  flavor_id         = each.value.flavor
  key_pair          = openstack_compute_keypair_v2.k8s.name
  user_data         = each.value.cloudinit != null ? templatefile("${path.module}/templates/cloudinit.yaml.tmpl", {
    extra_partitions = each.value.cloudinit.extra_partitions
  }) : data.cloudinit_config.cloudinit.rendered
  dynamic "block_device" {
-    for_each = var.node_root_volume_size_in_gb > 0 ? [local.image_to_use_node] : []
+    for_each = !local.k8s_nodes_settings[each.key].use_local_disk ? [local.k8s_nodes_settings[each.key].image_id] : []
    content {
-      uuid                  = local.image_to_use_node
+      uuid                  = block_device.value
      source_type           = "image"
-      volume_size           = var.node_root_volume_size_in_gb
+      volume_size           = local.k8s_nodes_settings[each.key].volume_size
-      volume_type           = var.node_volume_type
+      volume_type           = local.k8s_nodes_settings[each.key].volume_type
      boot_index            = 0
      destination_type      = "volume"
      delete_on_termination = true
@@ -537,30 +838,48 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
  }
  network {
-    name = var.network_name
+    port = openstack_networking_port_v2.k8s_nodes_port[each.key].id
  }
  security_groups = local.worker_sec_groups
  dynamic "scheduler_hints" {
-    for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
+    for_each = local.k8s_nodes_settings[each.key].server_group
    content {
-      group = openstack_compute_servergroup_v2.k8s_node[0].id
+      group = scheduler_hints.value
    }
  }
  metadata = {
    ssh_user         = var.ssh_user
-    kubespray_groups = "kube_node,k8s_cluster,%{if each.value.floating_ip == false}no_floating,%{endif}${var.supplementary_node_groups}"
+    kubespray_groups = "kube_node,k8s_cluster,%{if each.value.floating_ip == false}no_floating,%{endif}${var.supplementary_node_groups}${each.value.extra_groups != null ? ",${each.value.extra_groups}" : ""}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
  provisioner "local-exec" {
-    command = "%{if each.value.floating_ip}sed s/USER/${var.ssh_user}/ ${path.root}/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element(concat(var.bastion_fips, [for key, value in var.k8s_nodes_fips : value.address]), 0)}/ > ${var.group_vars_path}/no_floating.yml%{else}true%{endif}"
+    command = "%{if each.value.floating_ip}sed -e s/USER/${var.ssh_user}/ -e s/BASTION_ADDRESS/${element(concat(var.bastion_fips, [for key, value in var.k8s_nodes_fips : value.address]), 0)}/ ${path.module}/ansible_bastion_template.txt > ${var.group_vars_path}/no_floating.yml%{else}true%{endif}"
  }
 }
 resource "openstack_networking_port_v2" "glusterfs_node_no_floating_ip_port" {
  count                 = var.number_of_gfs_nodes_no_floating_ip
  name                  = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
  admin_state_up        = "true"
  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
  security_group_ids    = var.port_security_enabled ? local.gfs_sec_groups : null
  no_security_groups    = var.port_security_enabled ? null : false
  dynamic "fixed_ip" {
    for_each = var.private_subnet_id == "" ? [] : [true]
    content {
      subnet_id = var.private_subnet_id
    }
  }
  depends_on = [
    var.network_router_id
  ]
 }
 resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
  name              = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
  count             = var.number_of_gfs_nodes_no_floating_ip
@@ -582,11 +901,9 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
  }
  network {
-    name = var.network_name
+    port = element(openstack_networking_port_v2.glusterfs_node_no_floating_ip_port.*.id, count.index)
  }
  security_groups = [openstack_networking_secgroup_v2.k8s.name]
  dynamic "scheduler_hints" {
    for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
    content {
@@ -597,44 +914,46 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
  metadata = {
    ssh_user         = var.ssh_user_gfs
    kubespray_groups = "gfs-cluster,network-storage,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
    use_access_ip    = var.use_access_ip
  }
 }
-resource "openstack_compute_floatingip_associate_v2" "bastion" {
+resource "openstack_networking_floatingip_associate_v2" "bastion" {
  count                 = var.number_of_bastions
  floating_ip           = var.bastion_fips[count.index]
-  instance_id           = element(openstack_compute_instance_v2.bastion.*.id, count.index)
+  port_id               = element(openstack_networking_port_v2.bastion_port.*.id, count.index)
  wait_until_associated = var.wait_for_floatingip
 }
-resource "openstack_compute_floatingip_associate_v2" "k8s_master" {
+resource "openstack_networking_floatingip_associate_v2" "k8s_master" {
  count                 = var.number_of_k8s_masters
  instance_id           = element(openstack_compute_instance_v2.k8s_master.*.id, count.index)
  floating_ip           = var.k8s_master_fips[count.index]
-  wait_until_associated = var.wait_for_floatingip
+  port_id               = element(openstack_networking_port_v2.k8s_master_port.*.id, count.index)
 }
-resource "openstack_compute_floatingip_associate_v2" "k8s_master_no_etcd" {
+resource "openstack_networking_floatingip_associate_v2" "k8s_masters" {
-  count       = var.master_root_volume_size_in_gb == 0 ? var.number_of_k8s_masters_no_etcd : 0
+  for_each              = var.number_of_k8s_masters == 0 && var.number_of_k8s_masters_no_etcd == 0 && var.number_of_k8s_masters_no_floating_ip == 0 && var.number_of_k8s_masters_no_floating_ip_no_etcd == 0 ? { for key, value in var.k8s_masters : key => value if value.floating_ip } : {}
-  instance_id = element(openstack_compute_instance_v2.k8s_master_no_etcd.*.id, count.index)
+  floating_ip           = var.k8s_masters_fips[each.key].address
-  floating_ip = var.k8s_master_no_etcd_fips[count.index]
+  port_id               = openstack_networking_port_v2.k8s_masters_port[each.key].id
 }
-resource "openstack_compute_floatingip_associate_v2" "k8s_node" {
+resource "openstack_networking_floatingip_associate_v2" "k8s_master_no_etcd" {
  count                 = var.master_root_volume_size_in_gb == 0 ? var.number_of_k8s_masters_no_etcd : 0
  floating_ip           = var.k8s_master_no_etcd_fips[count.index]
  port_id               = element(openstack_networking_port_v2.k8s_master_no_etcd_port.*.id, count.index)
 }
 resource "openstack_networking_floatingip_associate_v2" "k8s_node" {
  count                 = var.node_root_volume_size_in_gb == 0 ? var.number_of_k8s_nodes : 0
  floating_ip           = var.k8s_node_fips[count.index]
-  instance_id           = element(openstack_compute_instance_v2.k8s_node[*].id, count.index)
+  port_id               = element(openstack_networking_port_v2.k8s_node_port.*.id, count.index)
  wait_until_associated = var.wait_for_floatingip
 }
-resource "openstack_compute_floatingip_associate_v2" "k8s_nodes" {
+resource "openstack_networking_floatingip_associate_v2" "k8s_nodes" {
  for_each              = var.number_of_k8s_nodes == 0 && var.number_of_k8s_nodes_no_floating_ip == 0 ? { for key, value in var.k8s_nodes : key => value if value.floating_ip } : {}
  floating_ip           = var.k8s_nodes_fips[each.key].address
-  instance_id           = openstack_compute_instance_v2.k8s_nodes[each.key].id
+  port_id               = openstack_networking_port_v2.k8s_nodes_port[each.key].id
  wait_until_associated = var.wait_for_floatingip
 }
 resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
--- a/contrib/terraform/openstack/modules/compute/templates/cloudinit.yaml.tmpl
+++ b/contrib/terraform/openstack/modules/compute/templates/cloudinit.yaml.tmpl
@@ -0,0 +1,39 @@
 %{~ if length(extra_partitions) > 0 }
 #cloud-config
 bootcmd:
 %{~ for idx, partition in extra_partitions }
 - [ cloud-init-per, once, move-second-header, sgdisk, --move-second-header, ${partition.volume_path} ]
 - [ cloud-init-per, once, create-part-${idx}, parted, --script, ${partition.volume_path}, 'mkpart extended ext4 ${partition.partition_start} ${partition.partition_end}' ]
 - [ cloud-init-per, once, create-fs-part-${idx}, mkfs.ext4, ${partition.partition_path} ]
 %{~ endfor }
 runcmd:
 %{~ for idx, partition in extra_partitions }
  - mkdir -p ${partition.mount_path}
  - chown nobody:nogroup ${partition.mount_path}
  - mount ${partition.partition_path} ${partition.mount_path}
 %{~ endfor }
 mounts:
 %{~ for idx, partition in extra_partitions }
  - [ ${partition.partition_path}, ${partition.mount_path} ]
 %{~ endfor }
 %{~ else ~}
 # yamllint disable rule:comments
 #cloud-config
 ## in some cases novnc console access is required
 ## it requires ssh password to be set
 #ssh_pwauth: yes
 #chpasswd:
 #  list: |
 #    root:secret
 #  expire: False
 ## in some cases direct root ssh access via ssh key is required
 #disable_root: false
 ## in some cases additional CA certs are required
 #ca-certs:
 #  trusted: |
 #      -----BEGIN CERTIFICATE-----
 %{~ endif }
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -68,6 +68,14 @@ variable "network_id" {
  default = ""
 }
 variable "use_existing_network" {
  type = bool
 }
 variable "network_router_id" {
  default = ""
 }
 variable "k8s_master_fips" {
  type = list
 }
@@ -80,6 +88,10 @@ variable "k8s_node_fips" {
  type = list
 }
 variable "k8s_masters_fips" {
  type = map
 }
 variable "k8s_nodes_fips" {
  type = map
 }
@@ -104,9 +116,48 @@ variable "k8s_allowed_egress_ips" {
  type = list
 }
-variable "k8s_nodes" {}
+variable "k8s_masters" {
  type = map(object({
    az                     = string
    flavor                 = string
    floating_ip            = bool
    etcd                   = bool
    image_id               = optional(string)
    root_volume_size_in_gb = optional(number)
    volume_type            = optional(string)
    network_id             = optional(string)
  }))
 }
-variable "wait_for_floatingip" {}
+variable "k8s_nodes" {
  type = map(object({
    az                     = string
    flavor                 = string
    floating_ip            = bool
    extra_groups           = optional(string)
    image_id               = optional(string)
    root_volume_size_in_gb = optional(number)
    volume_type            = optional(string)
    network_id             = optional(string)
    additional_server_groups = optional(list(string))
    server_group           = optional(string)
    cloudinit              = optional(object({
      extra_partitions = list(object({
        volume_path     = string
        partition_path  = string
        partition_start = string
        partition_end   = string
        mount_path      = string
      }))
    }))
  }))
 }
 variable "additional_server_groups" {
  type = map(object({
    policy = string
  }))
 }
 variable "supplementary_master_groups" {
  default = ""
@@ -124,6 +175,10 @@ variable "worker_allowed_ports" {
  type = list
 }
 variable "bastion_allowed_ports" {
  type = list
 }
 variable "use_access_ip" {}
 variable "master_server_group_policy" {
@@ -165,3 +220,15 @@ variable "image_master_uuid" {
 variable "group_vars_path" {
  type = string
 }
 variable "port_security_enabled" {
  type = bool
 }
 variable "force_null_port_security" {
  type = bool
 }
 variable "private_subnet_id" {
  type = string
 }
--- a/contrib/terraform/openstack/modules/compute/versions.tf
+++ b/contrib/terraform/openstack/modules/compute/versions.tf
@@ -4,5 +4,5 @@ terraform {
      source = "terraform-provider-openstack/openstack"
    }
  }
-  required_version = ">= 0.12.26"
+  required_version = ">= 1.3.0"
 }
--- a/contrib/terraform/openstack/modules/ips/main.tf
+++ b/contrib/terraform/openstack/modules/ips/main.tf
@@ -14,6 +14,12 @@ resource "openstack_networking_floatingip_v2" "k8s_master" {
  depends_on = [null_resource.dummy_dependency]
 }
 resource "openstack_networking_floatingip_v2" "k8s_masters" {
  for_each   = var.number_of_k8s_masters == 0 && var.number_of_k8s_masters_no_etcd == 0 ? { for key, value in var.k8s_masters : key => value if value.floating_ip } : {}
  pool       = var.floatingip_pool
  depends_on = [null_resource.dummy_dependency]
 }
 # If user specifies pre-existing IPs to use in k8s_master_fips, do not create new ones.
 resource "openstack_networking_floatingip_v2" "k8s_master_no_etcd" {
  count      = length(var.k8s_master_fips) > 0 ? 0 : var.number_of_k8s_masters_no_etcd
@@ -38,4 +44,3 @@ resource "openstack_networking_floatingip_v2" "k8s_nodes" {
  pool       = var.floatingip_pool
  depends_on = [null_resource.dummy_dependency]
 }
--- a/Show More
+++ b/Show More
`@@ -1,3 +1,2 @@`
	`#k8s_deployment_user: kubespray`	`#k8s_deployment_user: kubespray`
	`#k8s_deployment_user_pkey_path: /tmp/ssh_rsa`	`#k8s_deployment_user_pkey_path: /tmp/ssh_rsa`
`@@ -41,4 +41,3 @@`

	`# [network-storage:children]`	`# [network-storage:children]`
	`# gfs-cluster`	`# gfs-cluster`