docs: fix release-notes command in release guide (#13211)

The documented example still uses the removed --required-author flag and
misses --repo-path, which breaks with current release-notes binaries.
Update it to use the generate subcommand and point at the local checkout.

Signed-off-by: Kay Yan <kay.yan@daocloud.io>

OWNERS_ALIASES

@@ -8,6 +8,7 @@ aliases:
   kubespray-reviewers:
     - cyclinder
     - erikjiang
+    - guoard
     - mzaian
     - tico88612
     - vannten

README.md

@@ -115,12 +115,12 @@ Note:
   - [etcd](https://github.com/etcd-io/etcd) 3.6.10
   - [docker](https://www.docker.com/) 28.3
   - [containerd](https://containerd.io/) 2.2.3
-  - [cri-o](http://cri-o.io/) 1.35.2 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) 1.35.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
-  - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
-  - [calico](https://github.com/projectcalico/calico) 3.30.7
-  - [cilium](https://github.com/cilium/cilium) 1.19.1
-  - [flannel](https://github.com/flannel-io/flannel) 0.27.3
+  - [cni-plugins](https://github.com/containernetworking/plugins) 1.9.1
+  - [calico](https://github.com/projectcalico/calico) 3.31.5
+  - [cilium](https://github.com/cilium/cilium) 1.19.3
+  - [flannel](https://github.com/flannel-io/flannel) 0.28.4
   - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
   - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) 4.2.2

RELEASE.md

@@ -58,7 +58,7 @@ You can create a release note with:
 export GITHUB_TOKEN=<your-github-token>
 export ORG=kubernetes-sigs
 export REPO=kubespray
-release-notes --start-sha <The start commit-id> --end-sha <The end commit-id> --dependencies=false --output=/tmp/kubespray-release-note --required-author=""
+release-notes generate --org "${ORG}" --repo "${REPO}" --repo-path "${PWD}" --start-sha <The start commit-id> --end-sha <The end commit-id> --dependencies=false --output=/tmp/kubespray-release-note
 ```
 
 If the release note file(/tmp/kubespray-release-note) contains "### Uncategorized" pull requests, those pull requests don't have a valid kind label(`kind/feature`, etc.).

contrib/terraform/openstack/README.md

@@ -134,6 +134,7 @@ Terraform will be used to provision all of the OpenStack resources with base sof
 Create an inventory directory for your cluster by copying the existing sample and linking the `hosts` script (used to build the inventory based on Terraform state):
 
 ```ShellSession
+CLUSTER=your-cluster-name
 cp -LRp contrib/terraform/openstack/sample-inventory inventory/$CLUSTER
 cd inventory/$CLUSTER
 ln -s ../../contrib/terraform/openstack/hosts
@@ -267,6 +268,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`image_uuid`,`image_gfs_uuid`, `image_master_uuid` | UUID of the image to use in provisioning the compute resources. Should already be loaded into glance. |
 |`ssh_user`,`ssh_user_gfs` | The username to ssh into the image with. This usually depends on the image you have selected |
 |`public_key_path` | Path on your local workstation to the public key file you wish to use in creating the key pairs |
+|`group_vars_path` | path to the inventory group vars directory, `./group_vars` by default |
 |`number_of_k8s_masters`, `number_of_k8s_masters_no_floating_ip` | Number of nodes that serve as both master and etcd. These can be provisioned with or without floating IP addresses|
 |`number_of_k8s_masters_no_etcd`, `number_of_k8s_masters_no_floating_ip_no_etcd` |  Number of nodes that serve as just master with no etcd. These can be provisioned with or without floating IP addresses |
 |`number_of_etcd` | Number of pure etcd nodes |
@@ -616,7 +618,13 @@ Edit `inventory/$CLUSTER/group_vars/all/all.yml`:
 bin_dir: /opt/bin
 ```
 
-- and **cloud_provider**:
+- **external_cloud_provider**:
+
+```yml
+external_cloud_provider: openstack
+```
+
+- **Only if K8s < v1.31 - cloud_provider**:
 
 ```yml
 cloud_provider: openstack
@@ -722,6 +730,12 @@ Basically you will install Gluster as
 ansible-playbook --become -i inventory/$CLUSTER/hosts ./contrib/network-storage/glusterfs/glusterfs.yml
 ```
 
+## Relevant Resources
+
+- [HauptJ - Example cluster.tfvars using floating IPs for all Master and Nodes](https://gist.github.com/HauptJ/d72e2a8fe0698d448283a51e847a5dfa)
+- [openmetal - Deploying a Kubespray cluster to OpenStack using Terraform](https://openmetal.io/docs/manuals/kubernetes-guides/deploying-a-kubespray-cluster-to-openstack-using-terraform/)
+- [Guoqiang Lan - Deploy Kubernetes with Kubespray on OpenStack](https://guoqianglan.github.io/tutorial/cloud/deploy-kubernetes-with-kubespray-on-openstack/)
+
 ## What's next
 
 Try out your new Kubernetes cluster with the [Hello Kubernetes service](https://kubernetes.io/docs/tasks/access-application-cluster/service-access-application-cluster/).

docs/CNI/cilium.md

@@ -245,7 +245,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: "1.19.1"
+cilium_version: "1.19.3"
 ```
 
 ## Add variable to config

docs/operations/offline-environment.md

@@ -22,6 +22,10 @@ Then you need to setup the following services on your offline environment:
 You can get artifact lists with [generate_list.sh](/contrib/offline/generate_list.sh) script.
 In addition, you can find some tools for offline deployment under [contrib/offline](/contrib/offline/README.md).
 
+## Tip: use the original domains as top directories in the files_repo, i.e `github.com/`, `dl.k8s.io/`, `storage.googleapis.com/`, `get.helm.sh/`
+
+## Tip: for Cilium ensure to mirror <https://helm.cilium.io/index.yaml> and the chart cilium-1.18.2.tgz in files_repo
+
 ## Access Control
 
 ### Note: access controlled files_repo
@@ -44,7 +48,8 @@ files_repo: "https://{{ files_repo_user ~ ':' ~ files_repo_pass ~ '@' ~ files_re
 
 ### Note: access controlled registry
 
-To specify a username and password for "{{ registry_host }}", used to download the container images, you can use url-encoding too.
+Specify a "{{ registry_user }}" and "{{ registry_pass }}" for "{{ registry_addr }}",
+These are used to download the container images. Ensure to encrypt the password (if used) with ansible-vault.
 
 ```yaml
 registry_pass: !vault |
@@ -54,7 +59,30 @@ registry_pass: !vault |
           64653965663965356137333436616536643132336630313235333232336661373761643766356366
           6232353233386534380a373262313634613833623537626132633033373064336261383166323230
           3164
+```
 
+To enable Containerd **2+** to access the private registry:
+
+```yaml
+
+containerd_registries_mirrors:
+  - prefix: docker.io
+    mirrors:
+      - host: https://registry-1.docker.io
+        capabilities: ["pull", "resolve"]
+        skip_verify: false
+  - prefix: "{{ registry_addr }}"
+    mirrors:
+      - host: "https://{{ registry_addr }}"
+        capabilities: ["pull", "resolve"]
+        skip_verify: false
+        header:
+          Authorization: ["Basic {{ (registry_user + ':' + registry_pass) | b64encode }}"]
+```
+
+To enable Containerd **1.7** to access the private registry:
+
+```yaml
 containerd_registry_auth:
   - registry: "{{ registry_host }}"
     username: "{{ registry_user }}"
@@ -73,25 +101,12 @@ gcr_image_repo: "{{ registry_host }}"
 docker_image_repo: "{{ registry_host }}"
 quay_image_repo: "{{ registry_host }}"
 github_image_repo: "{{ registry_host }}"
-
-local_path_provisioner_helper_image_repo: "{{ registry_host }}/busybox"
-kubeadm_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubeadm"
-kubectl_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubectl"
-kubelet_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubelet"
-# etcd is optional if you **DON'T** use etcd_deployment=host
-etcd_download_url: "{{ files_repo }}/kubernetes/etcd/etcd-v{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
-cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_arch }}-v{{ cni_version }}.tgz"
-crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-v{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
-# If using Calico
-calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
-# If using Calico with kdd
-calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
-# Containerd
-containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
-runc_download_url: "{{ files_repo }}/runc.{{ image_arch }}"
-nerdctl_download_url: "{{ files_repo }}/nerdctl-{{ nerdctl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
+github_url: "{{ files_repo }}/github.com"
+dl_k8s_io_url: "{{ files_repo }}/dl.k8s.io"
+storage_googleapis_url: "{{ files_repo }}/storage.googleapis.com"
 get_helm_url: "{{ files_repo }}/get.helm.sh"
-# Insecure registries for containerd
+local_path_provisioner_helper_image_repo: "{{ registry_host }}/busybox"
+# Insecure registries for containerd (see authenticated example above)
 containerd_registries_mirrors:
   - prefix: "{{ registry_addr }}"
     mirrors:
@@ -99,6 +114,34 @@ containerd_registries_mirrors:
         capabilities: ["pull", "resolve"]
         skip_verify: true
 
+# Cilium
+cilium_install_extra_flags: "--repository {{ files_repo }}/helm.cilium.io/"
+cilium_extra_values:
+  image:
+    useDigest: false
+  hubble:
+    relay:
+      image:
+        useDigest: false
+    ui:
+      backend:
+        image:
+          useDigest: false
+      frontend:
+        image:
+          useDigest: false
+  operator:
+    image:
+      override: "{{ registry_host }}/cilium/operator-generic:v1.18.2"
+      useDigest: false
+      extension: ""
+  certgen:
+    image:
+      useDigest: false
+  envoy:
+    image:
+      useDigest: false
+
 # CentOS/Redhat/AlmaLinux/Rocky Linux
 ## Docker / Containerd
 docker_rh_repo_base_url: "{{ yum_repo }}/docker-ce/$releasever/$basearch"

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -53,6 +53,21 @@ credentials_dir: "{{ inventory_dir }}/credentials"
 # kube_oidc_groups_claim: groups
 # kube_oidc_groups_prefix: 'oidc:'
 
+## Structured AuthenticationConfiguration https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration
+## Note: --authentication-config and --oidc-* flags are mutually exclusive
+# kube_apiserver_use_authentication_config_file: false
+# kube_apiserver_authentication_config_jwt:
+#   - issuer:
+#       url: https://issuer.example.com
+#       audiences:
+#       - my-audience
+#     claimMappings:
+#       username:
+#         expression: 'claims.sub'
+# kube_apiserver_authentication_config_anonymous:
+#   enabled: "{{ kube_api_anonymous_auth }}"
+#   conditions: []
+
 ## Variables to control webhook authn/authz
 # kube_webhook_token_auth: false
 # kube_webhook_token_auth_url: https://...

requirements.txt

@@ -1,6 +1,6 @@
 ansible==11.13.0
 # Needed for community.crypto module
-cryptography==46.0.6
+cryptography==46.0.7
 # Needed for jinja2 json_query templating
 jmespath==1.1.0
 # Needed for ansible.utils.ipaddr

roles/container-engine/kata-containers/templates/configuration-qemu.toml.j2

@@ -678,6 +678,16 @@ experimental=[]
 # (default: false)
 # enable_pprof = true
 
+{% if kata_containers_version is version('3.4.0', '>=') %}
+# Indicates the CreateContainer request timeout needed for the workload(s)
+# It using guest_pull this includes the time to pull the image inside the guest
+# Defaults to 60 second(s)
+# Note: The effective timeout is determined by the lesser of two values: runtime-request-timeout from kubelet config
+# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
+# In essence, the timeout used for guest pull=runtime-request-timeout<create_container_timeout?runtime-request-timeout:create_container_timeout.
+create_container_timeout = 60
+{% endif %}
+
 # WARNING: All the options in the following section have not been implemented yet.
 # This section was added as a placeholder. DO NOT USE IT!
 [image]

roles/kubernetes/control-plane/tasks/main.yml

@@ -18,6 +18,19 @@
     mode: "0640"
   when: kube_webhook_authorization | default(false)
 
+- name: Create structured AuthenticationConfiguration file
+  copy:
+    content: "{{ authn_config | to_nice_yaml(indent=2, sort_keys=false) }}"
+    dest: "{{ kube_config_dir }}/apiserver-authentication-config-{{ kube_apiserver_authentication_config_api_version }}.yaml"
+    mode: "0640"
+  vars:
+    authn_config:
+      apiVersion: apiserver.config.k8s.io/{{ kube_apiserver_authentication_config_api_version }}
+      kind: AuthenticationConfiguration
+      jwt: "{{ kube_apiserver_authentication_config_jwt }}"
+      anonymous: "{{ kube_apiserver_authentication_config_anonymous }}"
+  when: kube_apiserver_use_authentication_config_file
+
 - name: Create structured AuthorizationConfiguration file
   copy:
     content: "{{ authz_config | to_nice_yaml(indent=2, sort_keys=false) }}"
@@ -99,6 +112,13 @@
   include_tasks: kubeadm-etcd.yml
   when: etcd_deployment_type == "kubeadm"
 
+- name: Cleanup unused AuthenticationConfiguration file versions
+  file:
+    path: "{{ kube_config_dir }}/apiserver-authentication-config-{{ item }}.yaml"
+    state: absent
+  loop: "{{ ['v1alpha1', 'v1beta1', 'v1'] | reject('equalto', kube_apiserver_authentication_config_api_version) | list }}"
+  when: kube_apiserver_use_authentication_config_file
+
 - name: Cleanup unused AuthorizationConfiguration file versions
   file:
     path: "{{ kube_config_dir }}/apiserver-authorization-config-{{ item }}.yaml"

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2

@@ -131,8 +131,7 @@ apiServer:
     value: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
   - name: default-unreachable-toleration-seconds
     value: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
-{% if kube_api_anonymous_auth is defined %}
-{# TODO: rework once suppport for structured auth lands #}
+{% if kube_api_anonymous_auth is defined and not kube_apiserver_use_authentication_config_file %}
   - name: anonymous-auth
     value: "{{ kube_api_anonymous_auth }}"
 {% endif %}
@@ -181,7 +180,7 @@ apiServer:
   - name: service-account-lookup
     value: "{{ kube_apiserver_service_account_lookup }}"
 {% endif %}
-{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
+{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined and not kube_apiserver_use_authentication_config_file %}
   - name: oidc-issuer-url
     value: "{{ kube_oidc_url }}"
   - name: oidc-client-id
@@ -207,6 +206,10 @@ apiServer:
     value: "{{ kube_oidc_groups_prefix }}"
 {%   endif %}
 {% endif %}
+{% if kube_apiserver_use_authentication_config_file %}
+  - name: authentication-config
+    value: "{{ kube_config_dir }}/apiserver-authentication-config-{{ kube_apiserver_authentication_config_api_version }}.yaml"
+{% endif %}
 {% if kube_webhook_token_auth %}
   - name: authentication-token-webhook-config-file
     value: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
@@ -279,7 +282,7 @@ apiServer:
   - name: tracing-config-file
     value: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
 {% endif %}
-{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or apiserver_extra_volumes or ssl_ca_dirs | length %}
+{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or kube_apiserver_use_authorization_config_file or kube_apiserver_use_authentication_config_file or apiserver_extra_volumes or ssl_ca_dirs | length %}
   extraVolumes:
 {% if kube_token_auth %}
   - name: token-auth-config
@@ -301,6 +304,11 @@ apiServer:
     hostPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
     mountPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
 {% endif %}
+{% if kube_apiserver_use_authentication_config_file %}
+  - name: authentication-config
+    hostPath: {{ kube_config_dir }}/apiserver-authentication-config-{{ kube_apiserver_authentication_config_api_version }}.yaml
+    mountPath: {{ kube_config_dir }}/apiserver-authentication-config-{{ kube_apiserver_authentication_config_api_version }}.yaml
+{% endif %}
 {% if kubernetes_audit or kubernetes_audit_webhook %}
   - name: {{ audit_policy_name }}
     hostPath: {{ audit_policy_hostpath }}

roles/kubernetes/preinstall/tasks/0080-system-configurations.yml

@@ -125,6 +125,27 @@
     - { name: vm.panic_on_oom, value: 0 }
   when: kubelet_protect_kernel_defaults | bool
 
+- name: Read current sysctl values
+  command: sysctl -n {{ item.key }}
+  register: sysctl_settings
+  changed_when: false
+  vars:
+    # For integer sysctls only
+    sysctl_minimum_values:
+      fs.inotify.max_user_instances: 8192
+  loop: "{{ sysctl_minimum_values | dict2items }}"
+
+- name: Increase sysctl value if lower than minimum
+  ansible.posix.sysctl:
+    sysctl_file: "{{ sysctl_file_path }}"
+    name: "{{ item.item.key }}"
+    value: "{{ item.item.value }}"
+    state: present
+    reload: true
+    ignoreerrors: "{{ sysctl_ignore_unknown_keys }}"
+  when: item.stdout | int < item.item.value
+  loop: "{{ sysctl_settings.results }}"
+
 - name: Check dummy module
   community.general.modprobe:
     name: dummy

roles/kubespray_defaults/defaults/main/download.yml

@@ -112,11 +112,11 @@ calico_apiserver_version: "{{ calico_version }}"
 typha_enabled: false
 calico_apiserver_enabled: false
 
-flannel_version: 0.27.3
+flannel_version: 0.28.4
 flannel_cni_version: 1.7.1-flannel1
 cni_version: "{{ (cni_binary_checksums['amd64'] | dict2items)[0].key }}"
 
-cilium_version: "1.19.1"
+cilium_version: "1.19.3"
 cilium_cli_version: "{{ (ciliumcli_binary_checksums['amd64'] | dict2items)[0].key }}"
 cilium_enable_hubble: false
 
@@ -294,7 +294,7 @@ scheduler_plugins_scheduler_image_tag: "v{{ scheduler_plugins_version }}"
 registry_version: "2.8.1"
 registry_image_repo: "{{ docker_image_repo }}/library/registry"
 registry_image_tag: "{{ registry_version }}"
-metrics_server_version: "0.8.0"
+metrics_server_version: "0.8.1"
 metrics_server_image_repo: "{{ kube_image_repo }}/metrics-server/metrics-server"
 metrics_server_image_tag: "v{{ metrics_server_version }}"
 local_volume_provisioner_version: "2.5.0"

roles/kubespray_defaults/defaults/main/main.yml

@@ -521,6 +521,33 @@ external_hcloud_cloud:
   ##    arg2: "value2"
   controller_extra_args: {}
 
+## Structured authentication config
+## Structured AuthenticationConfiguration (GA in k8s v1.34) configures the API server's authentication with a structured configuration file.
+## Note: The `--authentication-config` and `--oidc-*` flags are mutually exclusive. The two features cannot be used at the same time.
+## Docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration
+## KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration
+## Config API Reference: https://kubernetes.io/docs/reference/config-api/apiserver-config.v1/#apiserver-config-k8s-io-v1-AuthenticationConfiguration
+kube_apiserver_use_authentication_config_file: false
+kube_apiserver_authentication_config_api_version: "{{ 'v1beta1' if kube_version is version('1.34.0', '<') else 'v1' }}"
+kube_apiserver_authentication_config_anonymous:
+  enabled: "{{ kube_api_anonymous_auth }}"
+  conditions: []
+kube_apiserver_authentication_config_jwt: []
+## Example structured authentication issuer config that replicates --oidc-* flag based config by reusing the kube_oidc_* variables
+# kube_apiserver_authentication_config_jwt:
+#   - issuer:
+#       url: "{{ kube_oidc_url }}"
+#       certificateAuthority: "{{ kube_oidc_ca_file }}"
+#       audiences:
+#       - "{{ kube_oidc_client_id }}"
+#     claimMappings:
+#       username:
+#         claim: "{{ kube_oidc_username_claim }}"
+#         prefix: "{{ kube_oidc_username_prefix }}"
+#       groups:
+#         claim: "{{ kube_oidc_groups_claim }}"
+#         prefix: "{{ kube_oidc_groups_prefix }}"
+
 ## List of authorization modes that must be configured for
 ## the k8s cluster. Only 'AlwaysAllow', 'AlwaysDeny', 'Node' and
 ## 'RBAC' modes are tested. Order is important.
@@ -566,21 +593,6 @@ kube_apiserver_authorization_config_authorizers:
 #     - expression: "!('kubeadm:cluster-admins' in request.groups)"
 #     - expression: "!('system:masters' in request.groups)"
 
-## Two workarounds are required to use AuthorizationConfiguration with kubeadm v1.29.x:
-## 1. Enable the StructuredAuthorizationConfiguration feature gate:
-# kube_apiserver_feature_gates:
-# - StructuredAuthorizationConfiguration=true
-## 2. Use the following kubeadm_patches to remove defaulted authorization-mode flags (Workaround for a kubeadm defaulting bug on v1.29.x. fixed in 1.30+ via: https://github.com/kubernetes/kubernetes/pull/123654)
-# kubeadm_patches:
-# - target: kube-apiserver
-#   type: strategic
-#   patch:
-#     spec:
-#       containers:
-#       - name: kube-apiserver
-#         $deleteFromPrimitiveList/command:
-#           - --authorization-mode=Node,RBAC
-
 rbac_enabled: "{{ ('RBAC' in authorization_modes and not kube_apiserver_use_authorization_config_file) or (kube_apiserver_use_authorization_config_file and kube_apiserver_authorization_config_authorizers | selectattr('type', 'equalto', 'RBAC') | list | length > 0) }}"
 
 # When enabled, API bearer tokens (including service account tokens) can be used to authenticate to the kubelet's HTTPS endpoint

roles/kubespray_defaults/vars/main/checksums.yml

@@ -14,19 +14,13 @@ crictl_checksums:
     1.33.0: sha256:4224acfef4d1deba2ba456b7d93fa98feb0a96063ef66024375294f1de2b064f
 crio_archive_checksums:
   arm64:
-    1.35.2: sha256:c51d0a78afa0b267fcadf49ad481f35cce3728a7d09ebd05db7c8fb8417f9ef0
-    1.35.1: sha256:15fe5c7b87c985a3a78324227b920a01f3309fd1aa5eadfaa38fd48a4dd96d17
     1.35.0: sha256:e57175a4d00387b78adfbe248d087d8127bed625afb529e34b2c90d08cfdaf87
-    1.34.7: sha256:5c25e7084f8369f540e236be1a1a7e830fd1fa6256422466d414c2fc20aa0e86
-    1.34.6: sha256:ac189974bcc1cb6829e7b61a39bc3f34fc27a32e5c9d2628bdfc74f88edb6988
     1.34.5: sha256:999a5dc2dc9854222aeff8a20897e0b34f0ba02c9b260b611d66c62e00e279e0
     1.34.4: sha256:d176f6256d606a3fc279f9f2994ef4a4c4cbaaa0601f4d1bba1a19bec5674ce9
     1.34.3: sha256:314595247054b53767a736e24bc3030a5f7c17552944c62b2e190c9e95fe4ca6
     1.34.2: sha256:ac7530f7fc9d531a87bfdfcae9cf8bf81a8bbdb75e63a046ed96911aa7b68ebd
     1.34.1: sha256:41a71cab6a61ae429ec447d572fd1cdea0a7e33d62aaa58c3b07467665b50b9f
     1.34.0: sha256:3006658270477c5fb1e88e9124e40982d2ba7b34495fcc12f0fecd33bbab9a5a
-    1.33.11: sha256:82e2c81f9aee981696304fc50e4dc79a54bf574aa857f62b7fe82ca773c30de5
-    1.33.10: sha256:1fb33599cccf590594b3a29ca1e3f45140bd25bdb836154dbcbd5eb3c4d21ace
     1.33.9: sha256:bfcd534db3d1a9380dd7007d623e1eb3250ba64f7c4657e79e9e99b1d874f8f1
     1.33.8: sha256:59c91726535dcadd0372df0c6aa8595e4d59590994b598b2d97ea2510b216359
     1.33.7: sha256:af3ea22d3d6944c9a907c6c13d77e9fc4dbcf3972ffbde18dd6f37f1c2ffbd0d
@@ -38,19 +32,13 @@ crio_archive_checksums:
     1.33.1: sha256:6bf135db438937f0ab7a533af64564a0fb1d2079a43723ce9255ecbf9556ae05
     1.33.0: sha256:8a0dbee2879495d5b33e6fdeac32e5d86c356897bdcf3a94cd602851620ce8b5
   amd64:
-    1.35.2: sha256:d38771791f2bae086b24400a1e04cffed4eba6c8e9d30b03c625f8aea70921a9
-    1.35.1: sha256:cd819546f01ae9dddd4a85b82f220518b37596053555a85e4b4a3d200a6e9354
     1.35.0: sha256:55b6d3e9fc9a5864ab5cdf0b24d54b1dcbaf6d4919274b3b9eb37bfc4b0b8cb5
-    1.34.7: sha256:8e1d625f6137ee08f669db6ce361cecbd7c5bb52e8e3e314e82999d738570dfa
-    1.34.6: sha256:9f17d9a7dc8d8c4fc16eccca65fe5db8177392f26156335dc6318a14215a5cd1
     1.34.5: sha256:d6606fb6d686b8f814dfec801f0f3cf2ded974c194fa90facefda36075b6fab2
     1.34.4: sha256:f6348a781c34b433fe1c5150da3408e51e828b610eacbe734405e9c31136d810
     1.34.3: sha256:e269914f3bc4f36ac87cd593d74daaa43c390571994062180019248be32cc6f7
     1.34.2: sha256:3a0012938ed389e9270a208bb73b250062d5f1be5798472b1728403d55ddc1da
     1.34.1: sha256:22c1e4d68d9339aa58a1b0f1b40a8944102934a7505105abe461dc8a7e3de540
     1.34.0: sha256:5a8bc5c3b8072cb9bde1cf025d5597f75bf21018712c5b72d5cb0657948595c8
-    1.33.11: sha256:95fd5623e0c904ed0e89164b83a7e6a4f2f6fa6b9a68e99377efc5fffb95f99c
-    1.33.10: sha256:1fcf2f23ef874b3df04957f15789fc14eeb34020550fe4307c9fc81fc0490acd
     1.33.9: sha256:81c20a12866d9a7c08c6e381ed326141c917454b696a05b46ae27665fe3c5cfa
     1.33.8: sha256:537adda39074377893f1f650a71b576ba487b3c4d2ee55e9b22f4e95fc188594
     1.33.7: sha256:e2999436a272c77370241a4f962c80737698dd8c2400fe75e5c7cf2142c96001
@@ -62,19 +50,13 @@ crio_archive_checksums:
     1.33.1: sha256:036063194028d24c75b9ce080e475ad97bacc955de796b7c895845294db8edbf
     1.33.0: sha256:dad0cec9e09368b37b35ce824b0ef517a1b33365c4bb164fe82310c73c886f7e
   ppc64le:
-    1.35.2: sha256:aff7a251a0a8f57c7ce4794d8d28465baa43e49990cd5c9d5958da22e958d5eb
-    1.35.1: sha256:b4a23e9f70297f01da2840f94b82adf2ac67a4017e1d93f0c20526637df282ca
     1.35.0: sha256:081ab73a6970ac3c68893dea9a03b0732ca22ab44a2aa8794fddac0bd4dfa749
-    1.34.7: sha256:9d8c7660d6e4d03f059aa90aba762b94d7b481fff603247b2a8ed9ca8c477c05
-    1.34.6: sha256:395a475c0181a0c82e89e6dd8e258c6c0529f889a7fc9d0a54da3218b76f58f4
     1.34.5: sha256:3a10d4c1406df01bd9ab88750eabc1273964e9c5f24c7d4a0b719ae77e6cfec2
     1.34.4: sha256:dca59a28fe9b0b9163418eca1545c9ed01cf514179f108d14e462c6074fd103c
     1.34.3: sha256:4dd782484eeb460b9a95e6e2e07474216fc02ad45a27ba871799d18f2b6ee0ae
     1.34.2: sha256:d4c3c9ba24b1b0eabf3c11ddec98801dda7a87b0529706e9ede18b8cc9e4182a
     1.34.1: sha256:cba0ac74e7202fe28cf8aa895b83f7a30d78b148666add78e19215259f629bb0
     1.34.0: sha256:e9e41d14439db0ca88cf2cd8533038203f379c25cd612f37635c17908e050ebf
-    1.33.11: sha256:1e1ae1b2b85663b581ccceb0dad3637b020f9662d9c41ebcc7159d7b65729836
-    1.33.10: sha256:da8933e5b90be44e818f2a3d165957897adac3570f42f73131d91edab0201ad5
     1.33.9: sha256:c0a9e60800f66f85c70615128fec5a8358ffde0f715a4058163707dbcca8eb94
     1.33.8: sha256:1d69c01512e8ebdd51fc70fc64473a31d492e8db095c0ee5d3ee58722048150c
     1.33.7: sha256:076e7519bfff72a43fb1121ce836eee3cc1fec5bb5a59a11747c514e9d162d26
@@ -459,27 +441,37 @@ etcd_binary_checksums:
     3.5.6: sha256:e235cb885996b8aac133975e0077eaf0a2f8dc7062ad052fa7395668a365906b
 cni_binary_checksums:
   arm:
+    1.9.1: sha256:21416880bea0541d78afaf106373d6dbb471edb92c0114fa263494fe4aec8d3b
     1.8.0: sha256:7ed51af2ee5c7784c8b978b293ad1cf6c3022d7792a2e79197fb9cdc98f3f752
     1.7.1: sha256:1df4fa20a0fe279bda5a671d172911de2c1a81813bfe8fb0398b46fa9e49d0fb
     1.6.2: sha256:ee31b0117206dc6242a0349443020025a71752d20d683c08caa70b32de179c4b
     1.6.0: sha256:10cd1b6b0f7c1e6faf18b2e46ee338beb1e1cce253efc7086f8bc1f4e1061d1a
   arm64:
+    1.9.1: sha256:56171987d3947707c3563db2f4001bccaf50fd63468611b9f3cbecb1375ee7ec
     1.8.0: sha256:57ce466fc3b79db1f19b8f4c63e07a1112306efa53c94fe810a2150dd9e07ddb
     1.7.1: sha256:119fcb508d1ac2149e49a550752f9cd64d023a1d70e189b59c476e4d2bf7c497
     1.6.2: sha256:01e0e22acc7f7004e4588c1fe1871cc86d7ab562cd858e1761c4641d89ebfaa4
     1.6.0: sha256:db09ab057ecf60b05ba05cbec38d55b95cc139c7f1078e2e4857cc13af158cee
   amd64:
+    1.9.1: sha256:b98f74a0f8522f0a83867178729c1aa70f2158f90c45a2ca8fa791db1c76b303
     1.8.0: sha256:ab3bda535f9d90766cccc90d3dddb5482003dd744d7f22bcf98186bf8eea8be6
     1.7.1: sha256:1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098
     1.6.2: sha256:b8e811578fb66023f90d2e238d80cec3bdfca4b44049af74c374d4fae0f9c090
     1.6.0: sha256:682b49ff8933a997a52107161f1745f8312364b4c7f605ccdf7a77499130d89d
   ppc64le:
+    1.9.1: sha256:44b743ff6e4dc145eb4e5280e49eca182fcc586d8d52ab431d5904b66e5ca6f7
     1.8.0: sha256:63f762df723eb7dbee83e3751167ff1e18cf7b86ef5b48eb620c91af2def434a
     1.7.1: sha256:15a4070b20c4d6c8bc9b3db52d8303d0520ff7a89cd2e87a2fdf1e9b8dd69373
     1.6.2: sha256:66dcb90886a039e919904f2fb761b88e03dedd25fb718196855432771eaaa325
     1.6.0: sha256:d8d4bd74247407c8c73de057bc00adac28bb1ed2d2ee60a9dda278e3b398bcc2
 calicoctl_binary_checksums:
   arm64:
+    3.31.5: sha256:8d9dbdba4a41e490238f01223a768df1858cc19e563562b314489657d1eb5eef
+    3.31.4: sha256:460af7c6dd1b34d0c0f3a3d036ccd0e4d71bd505bb28cbb90aac918232fb2cf2
+    3.31.3: sha256:3cb41949679c963ac42a39c30024b225b53485985b9fb7f1eb6177e86a0ec564
+    3.31.2: sha256:b85133520c21d1195f799de9d123d1bb476eb68f4becc2d9ba0a42259d805192
+    3.31.1: sha256:7d828835f7e578775a8d55dac065a5553324ae486a336a1b7126f519474dabf9
+    3.31.0: sha256:1307df3b220e195fdd57a298997cdc1f1291223622414fdcb40097e86ea8a76a
     3.30.7: sha256:e62d6f909d72bfd8876a363c3f49cda722d7bfdb282a4bbdeca38dd7e26e7578
     3.30.6: sha256:47ecc00bdd797f82e4bac0ff3904c3a5143ba2d61e8ae1cbbce286ca76d3790a
     3.30.5: sha256:7611343e7a56e770b95e2bb882dda787efbbd4331b1dd6316ff8ea189238dfaa
@@ -496,13 +488,13 @@ calicoctl_binary_checksums:
     3.29.2: sha256:3a9b80335338b7f4af762d4a7cf68e67b40839e50711fbe6e67f9a62b69bafdd
     3.29.1: sha256:6f662d316a267854dc5487242ca7ec8ca70c35b52bed258aafb76c2d113643c2
     3.29.0: sha256:ab23afb283fcdffcf0e1156cdced68d05b6c2b70fd4ea2cbc3189d0ecd43bdfd
-    3.28.5: sha256:691baba17e6a50d0ceee7f95569b864729e436f474fce1e9842041b33cc14316
-    3.28.4: sha256:48887a6dd715f7340511788c3f311810326e61dcce5a6c1554e365cd372ffab1
-    3.28.3: sha256:b61b5206bc7795793edf792040acf5c52d48ff5de701001d0dbbd850edd0c077
-    3.28.2: sha256:8ebe965424ac94084499182b2853de62e5d18cdc346a3b8974e991d8b7a9592d
-    3.28.1: sha256:c062d13534498a427c793a4a9190be4df3cf796a3feb29e4a501e1d6f48daa7c
-    3.28.0: sha256:c4ca8563d2a920729116a3a30171c481580c8c447938ce974ce14d7ce25a31bf
   amd64:
+    3.31.5: sha256:d1dd3a3fb2f5640987eab589dc1dcb03c47c11b32bc19a65c45c39421cd887d2
+    3.31.4: sha256:f3a3fe9a7452844be851ca3f804fd616b7df06de741dd40b35331d4503bef76e
+    3.31.3: sha256:dc920efee0045d352780c73cfdd3f6fbd6eab9fdb0675897095c755715a8fc8d
+    3.31.2: sha256:d12c89b7f5a9c2b19deb4cf2e3004a02995e32ed56b10b4bc32fdadbbabc74a2
+    3.31.1: sha256:a37297cc889c78e2884fa4beb24127404949b4018269b0d7530b46279ec523a7
+    3.31.0: sha256:134b323b18ce416a79d8438fe27fb586a79e3ba9bee714dbe723de521327cbb7
     3.30.7: sha256:087e1547878913587ebaa756686f38184a730e9af9b71f3d91b92f6c99b60c11
     3.30.6: sha256:2017e19727dca689d8bb73a9d8dff3c6a8ba7d8c75049f99ee207272161b5749
     3.30.5: sha256:6cdfb17b0276f648f4fdb051a5d75617a50b3c328d4cccfc40d087b96c361d80
@@ -519,13 +511,13 @@ calicoctl_binary_checksums:
     3.29.2: sha256:6076d6745c4d60c0c4322961cbb256a0ffa8476cf7f8dbe5de4ae82c55bca020
     3.29.1: sha256:2ac849181cb1fb40c61c06d075711025cdb909d80562d078cc548d50a0edcd3d
     3.29.0: sha256:df5048549d72a1f7ea4f61c655699d3b16d8a45873f28c3855c39597b73e8a3d
-    3.28.5: sha256:fe4702ce171045728b6c37b2c01e6f903780997aea7e695b35735754eeeeaf64
-    3.28.4: sha256:ff07f5ac4dbf9a849adb12db20e7b35857869fb98b23e802404dbb4a8a98e013
-    3.28.3: sha256:b7dc6d01407ea04c110b8d50312591d7a7c3aa5239c875354ced83ac6b924137
-    3.28.2: sha256:d7f30447f0f59262051b95bdc656407442c4f71066dc37ddd3b676108fab569d
-    3.28.1: sha256:22ec5727c38dbe19001792b4ca64ac760a6e2985d5c1a231d919dbebe5bca171
-    3.28.0: sha256:4ea270699e67ca29e5533ddb0a68d370cb0005475796c7e841f83047da6297b6
   ppc64le:
+    3.31.5: sha256:6592de001ec48307c805d00a678f54674473cddd64cf946e34fc644ef2e5f537
+    3.31.4: sha256:5a89e5bea3ddb83ce311c7f149b755889e82d50c5db5987dc48b264e7637faa2
+    3.31.3: sha256:d7682534cee144c72eeb363798f750f8c44e40dac1ddc20a85b3e10dd164b2cf
+    3.31.2: sha256:51fc81bea42b4be6cb9b8875779e4f96ccd8c09a01134199a791ad19b622c781
+    3.31.1: sha256:cdc5eb8402079ca2cb883ec64a67ce69b810e3ba3007f9d430a3d912443853de
+    3.31.0: sha256:13fe7a02983cc3594073a6de3461d72c58de3dfb781dfc5e84648d8d93de0faf
     3.30.7: sha256:a7a5bbd35abeaa39625d101ddb075ed04f08c1ffb209ef60b3f0204336073379
     3.30.6: sha256:9a9c368499b1e3d08418dfbb566379483e15c50d08dd1bcaf6148c115d82ed36
     3.30.5: sha256:5b6de49da1af2633549bff5e8f4d8a573a175b65c47c29d327ef6a0760d39a93
@@ -542,12 +534,6 @@ calicoctl_binary_checksums:
     3.29.2: sha256:6f3fd72be26fcf52605d9ece716363a73bb194ca59ee34a257156d30fa5c1542
     3.29.1: sha256:ef6064f2ec1a09b5eb8c43ab0c64bd42785c24f5b22b950583fb5074f472c2b7
     3.29.0: sha256:c9c2a29a349c6f681aa79b5f5d6aee738305d95aa7f158b6217f487808758e53
-    3.28.5: sha256:1aa3b36f198aecdad312664c7b2dd2b15daced54fd4e2db56563d57431fb10d3
-    3.28.4: sha256:9646b8b66981ed68017d30291f44e3e4ff1f6ce318c88c1e837097c061e2bb79
-    3.28.3: sha256:08bfe47df894ae22f2a1256f28b46345cc1718cd9c936ca8248ae5b761c33dab
-    3.28.2: sha256:9889a2f9c26ae82a501b33440b3a0772f552a4ece128cd57a21e395452b4238f
-    3.28.1: sha256:985caad36fed7b883a2cd4cf91e556974bcca95fe4e6b7ff4cb64d8d8fbe9223
-    3.28.0: sha256:0789cb0d1478ec3f0a44db265b19042be9dfc18bc1776343c7ea8d246561d12b
 ciliumcli_binary_checksums:
   arm64:
     0.18.9: sha256:eaa2b3570d3737592ec912505a247173e25fc7bca92d16b32d72b3aca94a743f
@@ -625,6 +611,12 @@ ciliumcli_binary_checksums:
     0.16.0: sha256:da98675f961833d4ffd68b1046d907b228a7d394ded2abd70a50b20eaca171c4
 calico_crds_checksums:
   no_arch:
+    3.31.5: sha256:1d6d5e523f92ee1e8227a48c016229c668f94035431b82f19139affeb45dbeff
+    3.31.4: sha256:93422c69713a91fd2bbaeb6f33003e1957cb4a95522b26b9d19dd1d6ed897c5e
+    3.31.3: sha256:476bc19de0408520d6aee0790d51d5a0f31f56ced5c45386779c302717b3493d
+    3.31.2: sha256:476bc19de0408520d6aee0790d51d5a0f31f56ced5c45386779c302717b3493d
+    3.31.1: sha256:476bc19de0408520d6aee0790d51d5a0f31f56ced5c45386779c302717b3493d
+    3.31.0: sha256:1c55e1979a6d8dcb8fcb0dd1b4ebd88c6f59be197b4fe683678e1e184ac5b1f8
     3.30.7: sha256:b0eb83f6d70afac27e8830f22642cd12b0692e4d1a1b5060caa9231a951e736a
     3.30.6: sha256:b0eb83f6d70afac27e8830f22642cd12b0692e4d1a1b5060caa9231a951e736a
     3.30.5: sha256:68bbe7f44693374f1379aa3fa55f254e9a689d070c26d0de26b2c9fb8d1166ab
@@ -641,12 +633,6 @@ calico_crds_checksums:
     3.29.2: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
     3.29.1: sha256:aaa336bf0ef87495eccecae7eb65acaf59508a7f0a44dbeec933e05d73bbe0a0
     3.29.0: sha256:ed35a2bd383674f4d61b013f2588be1ee08b5e7a26eb3208ba6a5565ebf0175c
-    3.28.5: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
-    3.28.4: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
-    3.28.3: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
-    3.28.2: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
-    3.28.1: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
-    3.28.0: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
 helm_archive_checksums:
   arm:
     3.18.4: sha256:34ea88aef15fd822e839da262176a36e865bb9cfdb89b1f723811c0cc527f981
@@ -747,6 +733,9 @@ cri_dockerd_archive_checksums:
     0.3.5: sha256:30d47bd89998526d51a8518f9e8ef10baed408ab273879ee0e30350702092938
 runc_checksums:
   arm64:
+    1.4.2: sha256:ea54032310588e115633aa2f4bba8bf9500257f657e1deca88df5778775138db
+    1.4.1: sha256:80d5757c46152c35151621cf394ee08cec881716169d0fdd40f9ce124d3c85f5
+    1.4.0: sha256:2adbeed4c751d6f2201c642ed06269ff4370fcc4165abd3f323e19c653716c31
     1.3.5: sha256:bd843d75a788e612c9df286b1fa519a44fcbb7a7b8d01e2268431433cc7c718c
     1.3.4: sha256:d6dcab36d1b6af1b72c7f0662e5fcf446a291271ba6006532b95c4144e19d428
     1.3.3: sha256:3c9a8e9e6dafd00db61f4611692447ebab4a56388bae4f82192aed67b66df712
@@ -772,6 +761,9 @@ runc_checksums:
     1.1.9: sha256:b43e9f561e85906f469eef5a7b7992fc586f750f44a0e011da4467e7008c33a0
     1.1.8: sha256:7c22cb618116d1d5216d79e076349f93a672253d564b19928a099c20e4acd658
   amd64:
+    1.4.2: sha256:ac8a90f9e225bb9322189937b230cdc5478d5753f0e31e1bda98a5cf06bd9539
+    1.4.1: sha256:b6d50dad89a420cafcdc0eebf4bed132a45b161d5bc1ba4ddd8cc4422d24a983
+    1.4.0: sha256:c5d4995c5aec204d7e1827d9d9a6b45042602736f7f415f484252e576dcdac28
     1.3.5: sha256:66fa8390be8fb3b23dfbb60c767368bb5b51f1acfa88692bbff1a82953d4d9e9
     1.3.4: sha256:5966ca40b6187b30e33bfc299c5f1fe72e8c1aa01cf3fefdadf391668f47f103
     1.3.3: sha256:8781ab9f71c12f314d21c8e85f13ca1a82d90cf475aa5131a7b543fcc5487543
@@ -797,6 +789,9 @@ runc_checksums:
     1.1.9: sha256:b9bfdd4cb27cddbb6172a442df165a80bfc0538a676fbca1a6a6c8f4c6933b43
     1.1.8: sha256:1d05ed79854efc707841dfc7afbf3b86546fc1d0b3a204435ca921c14af8385b
   ppc64le:
+    1.4.2: sha256:572a4b78f7cb55569f12c4b3999fbc44e6d3c2c7e94ec0024cf7ae09922438b4
+    1.4.1: sha256:9758879188759989fd54fa287af3e51a78cf147309cd0336139685f026f531ed
+    1.4.0: sha256:9effd22d207c80ceab4816ce1736356c6b87ddf687ae1b5d9310523a7da92786
     1.3.5: sha256:62e8f062291c2b2b29bd8ab8c983cef56409063287e256c50ab54fb54f5d98a7
     1.3.4: sha256:268d9be1188f3efa82cad0d8e6b938d8da0d741427660d874ca9386c68d72937
     1.3.3: sha256:c42394e7cf7cd508a91b090b72d57ff4df262effde742d5e29ea607e65f38b43
@@ -868,8 +863,6 @@ kata_containers_binary_checksums:
     3.5.0: sha256:fa4cf67d010244c4f8d0e6d450d04e28d1bbce5ad1a3cbc0154adff628d56c0c
 gvisor_runsc_binary_checksums:
   arm64:
-    '20260406.0': sha512:b2a0bf0096bcff15bcfe097bd16c8c00491578d1dd69309effa3aa3584eab5143b721f79522c217cd76b6c5337eaac7385eb0c6da3413826df228b54a4f02303
-    '20260330.0': sha512:5d289b8528483a4082a74420446e4267558c2e5c0cbe270d29a1a814a0039f9e9797229fec1416119c286621b899cc8a8919514fa60db199e8b05257505c23b1
     '20260323.0': sha512:2aacb4de88e9c4fadceb9c81c47b9aebf3ecb16df4f68d7def428d844bf3bc3ca1cc7d61a30bf73996e2485cea6a8c12ef86823fa473d0eb6489a95898be7d98
     '20260316.0': sha512:d73d7dc4b318b513c0df2e4d568a81d894695ab60a892da670d8fd3502dbe0983aaf450b2bdc5df0940d3c5ca7ff5bee9245893f35f2c54d6a3ecb83c55cdcb5
     '20260309.0': sha512:85d37e7a0b249706f1b3b0ec5d84cc38f4dd53a4e490395f489eb406194529233631405be8bcd1648126db3fc0221a8a1b599743eca2b183b2a35ef3aca638fa
@@ -908,8 +901,6 @@ gvisor_runsc_binary_checksums:
     '20250414.0': sha512:d1ba68b20057622e58e886f472e021a473222590c936a86951005d7b97366b446ef0342b91457ffc0d7e543d54c9c06a363f2883bdd6c594799c4ca1091dabd5
     '20250407.0': sha512:cb590f72b0fbda45e89a2300e9247f12ff295a8c52653c8cf815c662d3fbbc774f9b915cdd4fad59e30694d8cc8737fe2a1a8186ab5136f7701bd6e6877a1662
   amd64:
-    '20260406.0': sha512:daabda0cf22b1f7f7e0c587b625d684cceb6777e08f99d8010d4bc9bbe99a8396cd0590ecd67084f6cbaa05869c2a44249ec40ce6f8262a7010dec5d1df90b39
-    '20260330.0': sha512:12ec9545b7b0d2ab3234f9942dd32965112a459cea597f65bb5e9678608046a7c05b2468b28641c35fce1d40d8b6f68acbe9c067be292817ef17c4a590698a52
     '20260323.0': sha512:8cfc4e0580e49a0463fafd51661305ac4e69d27eea68de4fc569760a55a7f2c4a2cc75d43d7edeae982288ebfdf4644d6840533b95167bb5f0758cb237e49217
     '20260316.0': sha512:224cd1518f43c2b58052f1d15b0ff0736eac07562d0cb584415798b172cc15a18b0a5644cc37916c6759a0860d1c67eb54cede843cfdb94f0b11657d86aa41f4
     '20260309.0': sha512:2f2d5092d53cae40c53006dead1c5b75552f7c901b9f15bd63b967d2444b59953647c029548ee3950adac0de82be6411a7bf199b3aa7a1dfaab59a51509e4768
@@ -949,8 +940,6 @@ gvisor_runsc_binary_checksums:
     '20250407.0': sha512:097259d6d93548bf669e21cfec5ba6a47081e43f61d22c5d8a8a4c0c209c81ac9c4454162b826f98cec49e047bbdc29c270113ab6db5519ef3e6a90f302fa47b
 gvisor_containerd_shim_binary_checksums:
   arm64:
-    '20260406.0': sha512:abd41610cf09e2dbcc2095cc54c2c27047c4b99271d75936475014bb5dd04d24bc5daa912498c91ad86d5e745b4c80b8c7c9feba770a8611d823d7387ba29483
-    '20260330.0': sha512:a79a419e501399ee16398294f68d96e323a2f2d49434ef091766d5be8c90cf12fe935cad9292a816dcdb5a565fd24c44039d997b7421205a93b87e89ab27ac09
     '20260323.0': sha512:b285a1ca814d62e2252b30c5ab00888ca6e5a7f51102b83f10babd903faed5eb922e3a5801e3c970e5e89ff957dcce0f112088aa28f834cc7b155c6bfd37eb35
     '20260316.0': sha512:6959774b99cfad26d588cde8dea4f21a3c9e6cdb1f49ca20bca6a356ef0c17898662ec1eb218c802bb2a034a7a06d3ba458d39ca49327cb838eb3a14ef9e8ddb
     '20260309.0': sha512:43ffb3accd1b4e3d12319824917b3defd268190b1efcdce76bdaea862e7784c598dbd1dd4a3565d12db01452a02609fd1d0b68d9e29c4d26cac5dfde1329a8cb
@@ -989,8 +978,6 @@ gvisor_containerd_shim_binary_checksums:
     '20250414.0': sha512:33b9c67bc7b73ca49154aff48da52029414a707b6a3a25eb4f71e861a94dec8fce220e63a162841670ddd4876f45b0e39abdf9f8c3235019c89f209684d3007d
     '20250407.0': sha512:1c3838e10c905af0cb52697712bf6bd76b94c9e9d3d07a7643cd43dc2f8dab03b4ed4693c117e555e07a158e04ee583b6b1f1cf2fb9705244ffa5fdc4af67248
   amd64:
-    '20260406.0': sha512:2a7c5b2465ab533837710529e9ba5c84a70df5b06d1e782ecf33408b678cf442cae4d600a93e0a9b4d0bf9be3cc64c781b760c3bb29cbee703d6769ef6df7181
-    '20260330.0': sha512:9987505521a22166cbb4e6e736020eb88315642d2b4bab4083e64206151ee69b569eabd2266e424b08f17063ef812dc176e2dfbd7186759767baba7881a4172a
     '20260323.0': sha512:d7cc0c78c8f33c3eafc0424eed6e63e447917350cf04d1db09073ebcc8b3880d3bc853a5abad4bcb2bd5d156aa15c5ff82ae95d243d7bbce62e546bdf63bb15e
     '20260316.0': sha512:427f141f011b79cc68b4b805e2d15f040d96e1b2324d139e16948e4f94e6bb63c40c14111ad9e0c6c319e44da9e5b99c39924a1feef88919fcca2dea55256c90
     '20260309.0': sha512:f5708fd1fdad4da12f440780c2c09ca6f2ca7cb47089e24e536851388bae54228927a462d61c584c3adf3426f03addea9f08e390be39c744cac008a84e7559e9

tests/requirements.txt

@@ -1,4 +1,4 @@
 -r ../requirements.txt
 distlib==0.4.0 # required for building collections
-molecule==26.3.0
+molecule==26.4.0
 pytest-testinfra==10.2.2