Patch versions updates

Align nginx worker_rlimit_nofile with containerd defaults (#13255 )
Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>
2026-05-22 04:42:54 +03:00 · 2026-05-21 11:50:17 +00:00 · 2026-05-21 17:10:48 +05:30 · 2026-05-21 14:16:46 +05:30 · 2026-05-21 13:30:47 +05:30 · 2026-05-19 11:15:02 +05:30
240 changed files with 2257 additions and 4742 deletions
@@ -16,7 +16,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: Parse issue form
-        uses: stefanbuck/github-issue-parser@10dcc54158ba4c137713d9d69d70a2da63b6bda3
+        uses: stefanbuck/github-issue-parser@cb6e97157cbf851e3a393ff8d57c93a484cc323f
        id: issue-parser
        with:
          template-path: .github/ISSUE_TEMPLATE/bug-report.yaml
@@ -20,7 +20,7 @@ jobs:
          query get_release_branches($owner:String!, $name:String!) {
            repository(owner:$owner, name:$name) {
              refs(refPrefix: "refs/heads/",
-                   first: 2, # TODO increment once we have release branch with the new checksums format
+                   first: 3,
                   query: "release-",
                   orderBy: {
                     field: ALPHABETICAL,
@@ -14,7 +14,7 @@ jobs:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        ref: ${{ inputs.branch }}
-    - uses: actions/setup-python@v6
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.13'
        cache: 'pip'
@@ -22,14 +22,14 @@ jobs:
    - run: update-hashes
      env:
        API_KEY: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/cache@v5
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        key: pre-commit-hook-propagate
        path: |
          ~/.cache/pre-commit
    - run: pre-commit run --all-files propagate-ansible-variables
      continue-on-error: true
-    - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+    - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1
      with:
        commit-message: Patch versions updates
        title: Patch versions updates - ${{ inputs.branch }}
@@ -40,8 +40,9 @@ pr:
          - debian11-macvlan
          - debian12-cilium
          - debian13-cilium
-          - fedora39-kube-router
-          - openeuler24-calico
+          - fedora42-kube-router
+          - fedora43-kube-router
+          - fedora42-calico
          - rockylinux9-cilium
          - rockylinux10-cilium
          - ubuntu22-calico-all-in-one
@@ -49,12 +50,27 @@ pr:
          - ubuntu24-calico-etcd-datastore
          - ubuntu24-calico-all-in-one-hardening
          - ubuntu24-cilium-sep
+          - ubuntu24-crio-scale
+          - ubuntu24-crio-upgrade
          - ubuntu24-flannel-collection
          - ubuntu24-kube-router-sep
          - ubuntu24-kube-router-svc-proxy
          - ubuntu24-ha-separate-etcd
-          - flatcar4081-calico
-          - fedora40-flannel-crio-collection-scale
+          - fedora43-flannel-crio-collection-scale
+
+# This is for flakey test so they don't disrupt the PR worklflow too much.
+# Jobs here MUST have a open issue so we don't lose sight of them
+pr-flakey:
+  extends: pr
+  rules:
+    - if: $PR_LABELS =~ /.*(ci-extended|ci-full).*/
+      when: on_success
+  retry: 2
+  parallel:
+    matrix:
+      - TESTCASE:
+          - flatcar4081-calico # https://github.com/kubernetes-sigs/kubespray/issues/12309
+          - openeuler24-calico # https://github.com/kubernetes-sigs/kubespray/issues/12877

 # The ubuntu24-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu24-calico-all-in-one:
@@ -89,8 +105,10 @@ pr_full:
          - debian11-custom-cni
          - debian11-kubelet-csr-approver
          - debian12-custom-cni-helm
-          - fedora39-calico-swap-selinux
-          - fedora39-crio
+          - fedora42-calico-swap-selinux
+          - fedora42-crio
+          - fedora43-calico-swap-selinux
+          - fedora43-crio
          - ubuntu24-calico-ha-wireguard
          - ubuntu24-flannel-ha
          - ubuntu24-flannel-ha-once
@@ -148,8 +166,9 @@ periodic:
          - debian11-calico-upgrade
          - debian11-calico-upgrade-once
          - debian12-cilium-svc-proxy
-          - fedora39-calico-selinux
-          - fedora40-docker-calico
+          - fedora42-calico-selinux
+          - fedora43-calico-selinux
+          - fedora43-docker-calico
          - ubuntu24-calico-etcd-kubeadm-upgrade-ha
          - ubuntu24-calico-ha-recover
          - ubuntu24-calico-ha-recover-noquorum
@@ -35,7 +35,6 @@ molecule:
      - container-engine/containerd
      - container-engine/cri-o
      - container-engine/gvisor
-      - container-engine/youki
      - adduser
      - bastion-ssh-config
      - bootstrap_os
@@ -53,3 +52,5 @@ molecule_full:
    - ROLE:
      # FIXME : tests below are perma-failing
      - container-engine/kata-containers
+      # FIXME: until youki release 0.6.1
+      - container-engine/youki
@@ -37,7 +37,6 @@ terraform_validate:
          - hetzner
          - vsphere
          - upcloud
-          - nifcloud

 .terraform_apply:
  extends: .terraform_install
@@ -117,3 +116,4 @@ tf-elastx_ubuntu24-calico:
    TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
    TF_VAR_image: ubuntu-24.04-server-latest
    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
+    TESTCASE: $CI_JOB_NAME
@@ -12,7 +12,6 @@ To install development dependencies you can set up a python virtual env with the
 virtualenv venv
 source venv/bin/activate
 pip install -r tests/requirements.txt
-ansible-galaxy install -r tests/requirements.yml
 ```

 #### Linting
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1

-# Use immutable image tags rather than mutable tags (like ubuntu:22.04)
-FROM ubuntu:22.04@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37
+# Use immutable image tags rather than mutable tags (like ubuntu:24.04)
+FROM ubuntu:noble-20260113@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b

 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
@@ -29,14 +29,14 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \

 RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
    --mount=type=cache,sharing=locked,id=pipcache,mode=0777,target=/root/.cache/pip \
-    pip install --no-compile --no-cache-dir -r requirements.txt \
+    pip install --break-system-packages --no-compile --no-cache-dir -r requirements.txt \
    && find /usr -type d -name '*__pycache__' -prune -exec rm -rf {} \;

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L "https://dl.k8s.io/release/v1.36.1/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.36.1/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl

 COPY *.yml ./
@@ -8,6 +8,7 @@ aliases:
  kubespray-reviewers:
    - cyclinder
    - erikjiang
+    - guoard
    - mzaian
    - tico88612
    - vannten
@@ -22,7 +22,7 @@ Ensure you have installed Docker then
 ```ShellSession
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.30.0 bash
+  quay.io/kubespray/kubespray:v2.31.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
@@ -89,13 +89,13 @@ vagrant up
 - **Flatcar Container Linux by Kinvolk**
 - **Debian** Bookworm, Bullseye, Trixie
 - **Ubuntu** 22.04, 24.04
- **CentOS Stream / RHEL** [9, 10](docs/operating_systems/rhel.md#rhel-8)
- **Fedora** 39, 40
+- **CentOS Stream / RHEL** 9, 10
+- **Fedora** 39, 40, 41, 42
 - **Fedora CoreOS** (see [fcos Note](docs/operating_systems/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
- **Oracle Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
- **Alma Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
- **Rocky Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8) (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
+- **Oracle Linux** 9, 10
+- **Alma Linux** 9, 10
+- **Rocky Linux** 9, 10 (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
 - **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/operating_systems/kylinlinux.md))
 - **Amazon Linux 2** (experimental: see [amazon linux notes](docs/operating_systems/amazonlinux.md))
 - **UOS Linux** (experimental: see [uos linux notes](docs/operating_systems/uoslinux.md))
@@ -111,24 +111,23 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->

 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.3
-  - [etcd](https://github.com/etcd-io/etcd) 3.5.26
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.36.1
+  - [etcd](https://github.com/etcd-io/etcd) 3.6.11
  - [docker](https://www.docker.com/) 28.3
-  - [containerd](https://containerd.io/) 2.2.1
-  - [cri-o](http://cri-o.io/) 1.34.4 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) 2.2.4
+  - [cri-o](https://cri-o.io/) 1.36.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
-  - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
-  - [calico](https://github.com/projectcalico/calico) 3.30.6
-  - [cilium](https://github.com/cilium/cilium) 1.18.6
-  - [flannel](https://github.com/flannel-io/flannel) 0.27.3
+  - [cni-plugins](https://github.com/containernetworking/plugins) 1.9.1
+  - [calico](https://github.com/projectcalico/calico) 3.31.5
+  - [cilium](https://github.com/cilium/cilium) 1.19.4
+  - [flannel](https://github.com/flannel-io/flannel) 0.28.4
  - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
  - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
  - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) 4.2.2
  - [kube-vip](https://github.com/kube-vip/kube-vip) 1.0.3
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.1
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
+  - [coredns](https://github.com/coredns/coredns) 1.14.2
  - [argocd](https://argoproj.github.io/) 2.14.5
  - [helm](https://helm.sh/) 3.18.4
  - [metallb](https://metallb.universe.tf/) 0.13.9
@@ -202,8 +201,6 @@ See also [Network checker](docs/advanced/netcheck.md).

 ## Ingress Plugins

- [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
-
 - [metallb](docs/ingress/metallb.md): the MetalLB bare-metal service LoadBalancer provider.

 ## Community docs and resources
@@ -58,7 +58,7 @@ You can create a release note with:
 export GITHUB_TOKEN=<your-github-token>
 export ORG=kubernetes-sigs
 export REPO=kubespray
-release-notes --start-sha <The start commit-id> --end-sha <The end commit-id> --dependencies=false --output=/tmp/kubespray-release-note --required-author=""
+release-notes generate --org "${ORG}" --repo "${REPO}" --repo-path "${PWD}" --start-sha <The start commit-id> --end-sha <The end commit-id> --dependencies=false --output=/tmp/kubespray-release-note
 ```

 If the release note file(/tmp/kubespray-release-note) contains "### Uncategorized" pull requests, those pull requests don't have a valid kind label(`kind/feature`, etc.).
@@ -35,6 +35,9 @@ SUPPORTED_OS = {
  "fedora40"            => {box: "fedora/40-cloud-base",       user: "vagrant"},
  "fedora39-arm64"      => {box: "bento/fedora-39-arm64",      user: "vagrant"},
  "fedora40-arm64"      => {box: "bento/fedora-40",            user: "vagrant"},
+  "fedora41"            => {box: "fedora/41-cloud-base",       user: "vagrant"},
+  "fedora42"            => {box: "fedora/42-cloud-base",       user: "vagrant"},
+  "fedora41-bento"      => {box: "bento/fedora-41",            user: "vagrant"},
  "opensuse"            => {box: "opensuse/Leap-15.6.x86_64",  user: "vagrant"},
  "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
  "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
@@ -51,7 +51,7 @@ To generate kubespray inventory based on the terraform state file you can run th
 You should now have a inventory file named `inventory.ini` that you can use with kubespray, e.g.

 ```bash
-ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
+ansible-playbook -i contrib/terraform/gcp/inventory.ini cluster.yml -b -v
 ```

 ## Variables
@@ -1,5 +0,0 @@
-*.tfstate*
-.terraform.lock.hcl
-.terraform
-
-sample-inventory/inventory.ini
@@ -1,138 +0,0 @@
-# Kubernetes on NIFCLOUD with Terraform
-
-Provision a Kubernetes cluster on [NIFCLOUD](https://pfs.nifcloud.com/) using Terraform and Kubespray
-
-## Overview
-
-The setup looks like following
-
-```text
-                              Kubernetes cluster
-                        +----------------------------+
-+---------------+       |   +--------------------+   |
-|               |       |   | +--------------------+ |
-| API server LB +---------> | |                    | |
-|               |       |   | | Control Plane/etcd | |
-+---------------+       |   | | node(s)            | |
-                        |   +-+                    | |
-                        |     +--------------------+ |
-                        |           ^                |
-                        |           |                |
-                        |           v                |
-                        |   +--------------------+   |
-                        |   | +--------------------+ |
-                        |   | |                    | |
-                        |   | |        Worker      | |
-                        |   | |        node(s)     | |
-                        |   +-+                    | |
-                        |     +--------------------+ |
-                        +----------------------------+
-```
-
-## Requirements
-
-* Terraform 1.3.7
-
-## Quickstart
-
-### Export Variables
-
-* Your NIFCLOUD credentials:
-
-  ```bash
-  export NIFCLOUD_ACCESS_KEY_ID=<YOUR ACCESS KEY>
-  export NIFCLOUD_SECRET_ACCESS_KEY=<YOUR SECRET ACCESS KEY>
-  ```
-
-* The SSH KEY used to connect to the instance:
-  * FYI: [Cloud Help(SSH Key)](https://pfs.nifcloud.com/help/ssh.htm)
-
-  ```bash
-  export TF_VAR_SSHKEY_NAME=<YOUR SSHKEY NAME>
-  ```
-
-* The IP address to connect to bastion server:
-
-  ```bash
-  export TF_VAR_working_instance_ip=$(curl ifconfig.me)
-  ```
-
-### Create The Infrastructure
-
-* Run terraform:
-
-  ```bash
-  terraform init
-  terraform apply -var-file ./sample-inventory/cluster.tfvars
-  ```
-
-### Setup The Kubernetes
-
-* Generate cluster configuration file:
-
-  ```bash
-  ./generate-inventory.sh > sample-inventory/inventory.ini
-  ```
-
-* Export Variables:
-
-  ```bash
-  BASTION_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.bastion_info | to_entries[].value.public_ip')
-  API_LB_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.control_plane_lb')
-  CP01_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.control_plane_info | to_entries[0].value.private_ip')
-  export ANSIBLE_SSH_ARGS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand=\"ssh root@${BASTION_IP} -W %h:%p\""
-  ```
-
-* Set ssh-agent"
-
-  ```bash
-  eval `ssh-agent`
-  ssh-add <THE PATH TO YOUR SSH KEY>
-  ```
-
-* Run cluster.yml playbook:
-
-  ```bash
-  cd ./../../../
-  ansible-playbook -i contrib/terraform/nifcloud/inventory/inventory.ini cluster.yml
-  ```
-
-### Connecting to Kubernetes
-
-* [Install kubectl](https://kubernetes.io/docs/tasks/tools/) on the localhost
-* Fetching kubeconfig file:
-
-  ```bash
-  mkdir -p ~/.kube
-  scp -o ProxyCommand="ssh root@${BASTION_IP} -W %h:%p" root@${CP01_IP}:/etc/kubernetes/admin.conf ~/.kube/config
-  ```
-
-* Rewrite /etc/hosts
-
-  ```bash
-  sudo echo "${API_LB_IP} lb-apiserver.kubernetes.local" >> /etc/hosts
-  ```
-
-* Run kubectl
-
-  ```bash
-  kubectl get node
-  ```
-
-## Variables
-
-* `region`: Region where to run the cluster
-* `az`: Availability zone where to run the cluster
-* `private_ip_bn`: Private ip address of bastion server
-* `private_network_cidr`:  Subnet of private network
-* `instances_cp`: Machine to provision as Control Plane. Key of this object will be used as part of the machine' name
-  * `private_ip`: private ip address of machine
-* `instances_wk`: Machine to provision as Worker Node. Key of this object will be used as part of the machine' name
-  * `private_ip`: private ip address of machine
-* `instance_key_name`: The key name of the Key Pair to use for the instance
-* `instance_type_bn`: The instance type of bastion server
-* `instance_type_wk`: The instance type of worker node
-* `instance_type_cp`: The instance type of control plane
-* `image_name`: OS image used for the instance
-* `working_instance_ip`: The IP address to connect to bastion server
-* `accounting_type`: Accounting type. (1: monthly, 2: pay per use)
@@ -1,64 +0,0 @@
-#!/bin/bash
-
-#
-# Generates a inventory file based on the terraform output.
-# After provisioning a cluster, simply run this command and supply the terraform state file
-# Default state file is terraform.tfstate
-#
-
-set -e
-
-TF_OUT=$(terraform output -json)
-
-CONTROL_PLANES=$(jq -r '.kubernetes_cluster.value.control_plane_info | to_entries[]'  <(echo "${TF_OUT}"))
-WORKERS=$(jq -r '.kubernetes_cluster.value.worker_info | to_entries[]'  <(echo "${TF_OUT}"))
-mapfile -t CONTROL_PLANE_NAMES < <(jq -r '.key'  <(echo "${CONTROL_PLANES}"))
-mapfile -t WORKER_NAMES < <(jq -r '.key'  <(echo "${WORKERS}"))
-
-API_LB=$(jq -r '.kubernetes_cluster.value.control_plane_lb' <(echo "${TF_OUT}"))
-
-echo "[all]"
-# Generate control plane hosts
-i=1
-for name in "${CONTROL_PLANE_NAMES[@]}"; do
-  private_ip=$(jq -r '. | select( .key=='"\"${name}\""' ) | .value.private_ip'  <(echo "${CONTROL_PLANES}"))
-  echo "${name} ansible_user=root ansible_host=${private_ip} access_ip=${private_ip} ip=${private_ip} etcd_member_name=etcd${i}"
-  i=$(( i + 1 ))
-done
-
-# Generate worker hosts
-for name in "${WORKER_NAMES[@]}"; do
-  private_ip=$(jq -r '. | select( .key=='"\"${name}\""' ) | .value.private_ip'  <(echo "${WORKERS}"))
-  echo "${name} ansible_user=root ansible_host=${private_ip} access_ip=${private_ip} ip=${private_ip}"
-done
-
-API_LB=$(jq -r '.kubernetes_cluster.value.control_plane_lb'  <(echo "${TF_OUT}"))
-
-echo ""
-echo "[all:vars]"
-echo "upstream_dns_servers=['8.8.8.8','8.8.4.4']"
-echo "loadbalancer_apiserver={'address':'${API_LB}','port':'6443'}"
-
-
-echo ""
-echo "[kube_control_plane]"
-for name in "${CONTROL_PLANE_NAMES[@]}"; do
-  echo "${name}"
-done
-
-echo ""
-echo "[etcd]"
-for name in "${CONTROL_PLANE_NAMES[@]}"; do
-  echo "${name}"
-done
-
-echo ""
-echo "[kube_node]"
-for name in "${WORKER_NAMES[@]}"; do
-  echo "${name}"
-done
-
-echo ""
-echo "[k8s_cluster:children]"
-echo "kube_control_plane"
-echo "kube_node"
@@ -1,36 +0,0 @@
-provider "nifcloud" {
-  region = var.region
-}
-
-module "kubernetes_cluster" {
-  source = "./modules/kubernetes-cluster"
-
-  availability_zone = var.az
-  prefix            = "dev"
-
-  private_network_cidr = var.private_network_cidr
-
-  instance_key_name = var.instance_key_name
-  instances_cp      = var.instances_cp
-  instances_wk      = var.instances_wk
-  image_name        = var.image_name
-
-  instance_type_bn = var.instance_type_bn
-  instance_type_cp = var.instance_type_cp
-  instance_type_wk = var.instance_type_wk
-
-  private_ip_bn = var.private_ip_bn
-
-  additional_lb_filter = [var.working_instance_ip]
-}
-
-resource "nifcloud_security_group_rule" "ssh_from_bastion" {
-  security_group_names = [
-    module.kubernetes_cluster.security_group_name.bastion
-  ]
-  type      = "IN"
-  from_port = 22
-  to_port   = 22
-  protocol  = "TCP"
-  cidr_ip   = var.working_instance_ip
-}
@@ -1,301 +0,0 @@
-#################################################
-##
-## Local variables
-##
-locals {
-  # e.g. east-11 is 11
-  az_num = reverse(split("-", var.availability_zone))[0]
-  # e.g. east-11 is e11
-  az_short_name = "${substr(reverse(split("-", var.availability_zone))[1], 0, 1)}${local.az_num}"
-
-  # Port used by the protocol
-  port_ssh     = 22
-  port_kubectl = 6443
-  port_kubelet = 10250
-
-  # calico: https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements#network-requirements
-  port_bgp   = 179
-  port_vxlan = 4789
-  port_etcd  = 2379
-}
-
-#################################################
-##
-## General
-##
-
-# data
-data "nifcloud_image" "this" {
-  image_name = var.image_name
-}
-
-# private lan
-resource "nifcloud_private_lan" "this" {
-  private_lan_name  = "${var.prefix}lan"
-  availability_zone = var.availability_zone
-  cidr_block        = var.private_network_cidr
-  accounting_type   = var.accounting_type
-}
-
-#################################################
-##
-## Bastion
-##
-resource "nifcloud_security_group" "bn" {
-  group_name        = "${var.prefix}bn"
-  description       = "${var.prefix} bastion"
-  availability_zone = var.availability_zone
-}
-
-resource "nifcloud_instance" "bn" {
-
-  instance_id    = "${local.az_short_name}${var.prefix}bn01"
-  security_group = nifcloud_security_group.bn.group_name
-  instance_type  = var.instance_type_bn
-
-  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
-    private_ip_address = var.private_ip_bn
-    ssh_port           = local.port_ssh
-    hostname           = "${local.az_short_name}${var.prefix}bn01"
-  })
-
-  availability_zone = var.availability_zone
-  accounting_type   = var.accounting_type
-  image_id          = data.nifcloud_image.this.image_id
-  key_name          = var.instance_key_name
-
-  network_interface {
-    network_id = "net-COMMON_GLOBAL"
-  }
-  network_interface {
-    network_id = nifcloud_private_lan.this.network_id
-    ip_address = "static"
-  }
-
-  # The image_id changes when the OS image type is demoted from standard to public.
-  lifecycle {
-    ignore_changes = [
-      image_id,
-      user_data,
-    ]
-  }
-}
-
-#################################################
-##
-## Control Plane
-##
-resource "nifcloud_security_group" "cp" {
-  group_name        = "${var.prefix}cp"
-  description       = "${var.prefix} control plane"
-  availability_zone = var.availability_zone
-}
-
-resource "nifcloud_instance" "cp" {
-  for_each = var.instances_cp
-
-  instance_id    = "${local.az_short_name}${var.prefix}${each.key}"
-  security_group = nifcloud_security_group.cp.group_name
-  instance_type  = var.instance_type_cp
-  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
-    private_ip_address = each.value.private_ip
-    ssh_port           = local.port_ssh
-    hostname           = "${local.az_short_name}${var.prefix}${each.key}"
-  })
-
-  availability_zone = var.availability_zone
-  accounting_type   = var.accounting_type
-  image_id          = data.nifcloud_image.this.image_id
-  key_name          = var.instance_key_name
-
-  network_interface {
-    network_id = "net-COMMON_GLOBAL"
-  }
-  network_interface {
-    network_id = nifcloud_private_lan.this.network_id
-    ip_address = "static"
-  }
-
-  # The image_id changes when the OS image type is demoted from standard to public.
-  lifecycle {
-    ignore_changes = [
-      image_id,
-      user_data,
-    ]
-  }
-}
-
-resource "nifcloud_load_balancer" "this" {
-  load_balancer_name = "${local.az_short_name}${var.prefix}cp"
-  accounting_type    = var.accounting_type
-  balancing_type     = 1 // Round-Robin
-  load_balancer_port = local.port_kubectl
-  instance_port      = local.port_kubectl
-  instances          = [for v in nifcloud_instance.cp : v.instance_id]
-  filter = concat(
-    [for k, v in nifcloud_instance.cp : v.public_ip],
-    [for k, v in nifcloud_instance.wk : v.public_ip],
-    var.additional_lb_filter,
-  )
-  filter_type = 1 // Allow
-}
-
-#################################################
-##
-## Worker
-##
-resource "nifcloud_security_group" "wk" {
-  group_name        = "${var.prefix}wk"
-  description       = "${var.prefix} worker"
-  availability_zone = var.availability_zone
-}
-
-resource "nifcloud_instance" "wk" {
-  for_each = var.instances_wk
-
-  instance_id    = "${local.az_short_name}${var.prefix}${each.key}"
-  security_group = nifcloud_security_group.wk.group_name
-  instance_type  = var.instance_type_wk
-  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
-    private_ip_address = each.value.private_ip
-    ssh_port           = local.port_ssh
-    hostname           = "${local.az_short_name}${var.prefix}${each.key}"
-  })
-
-  availability_zone = var.availability_zone
-  accounting_type   = var.accounting_type
-  image_id          = data.nifcloud_image.this.image_id
-  key_name          = var.instance_key_name
-
-  network_interface {
-    network_id = "net-COMMON_GLOBAL"
-  }
-  network_interface {
-    network_id = nifcloud_private_lan.this.network_id
-    ip_address = "static"
-  }
-
-  # The image_id changes when the OS image type is demoted from standard to public.
-  lifecycle {
-    ignore_changes = [
-      image_id,
-      user_data,
-    ]
-  }
-}
-
-#################################################
-##
-## Security Group Rule: Kubernetes
-##
-
-# ssh
-resource "nifcloud_security_group_rule" "ssh_from_bastion" {
-  security_group_names = [
-    nifcloud_security_group.wk.group_name,
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_ssh
-  to_port                    = local.port_ssh
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.bn.group_name
-}
-
-# kubectl
-resource "nifcloud_security_group_rule" "kubectl_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_kubectl
-  to_port                    = local.port_kubectl
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
-
-# kubelet
-resource "nifcloud_security_group_rule" "kubelet_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_kubelet
-  to_port                    = local.port_kubelet
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
-
-resource "nifcloud_security_group_rule" "kubelet_from_control_plane" {
-  security_group_names = [
-    nifcloud_security_group.wk.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_kubelet
-  to_port                    = local.port_kubelet
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.cp.group_name
-}
-
-#################################################
-##
-## Security Group Rule: calico
-##
-
-# vslan
-resource "nifcloud_security_group_rule" "vxlan_from_control_plane" {
-  security_group_names = [
-    nifcloud_security_group.wk.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_vxlan
-  to_port                    = local.port_vxlan
-  protocol                   = "UDP"
-  source_security_group_name = nifcloud_security_group.cp.group_name
-}
-
-resource "nifcloud_security_group_rule" "vxlan_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_vxlan
-  to_port                    = local.port_vxlan
-  protocol                   = "UDP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
-
-# bgp
-resource "nifcloud_security_group_rule" "bgp_from_control_plane" {
-  security_group_names = [
-    nifcloud_security_group.wk.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_bgp
-  to_port                    = local.port_bgp
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.cp.group_name
-}
-
-resource "nifcloud_security_group_rule" "bgp_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_bgp
-  to_port                    = local.port_bgp
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
-
-# etcd
-resource "nifcloud_security_group_rule" "etcd_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_etcd
-  to_port                    = local.port_etcd
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
@@ -1,48 +0,0 @@
-output "control_plane_lb" {
-  description = "The DNS name of LB for control plane"
-  value       = nifcloud_load_balancer.this.dns_name
-}
-
-output "security_group_name" {
-  description = "The security group used in the cluster"
-  value = {
-    bastion       = nifcloud_security_group.bn.group_name,
-    control_plane = nifcloud_security_group.cp.group_name,
-    worker        = nifcloud_security_group.wk.group_name,
-  }
-}
-
-output "private_network_id" {
-  description = "The private network used in the cluster"
-  value       = nifcloud_private_lan.this.id
-}
-
-output "bastion_info" {
-  description = "The basion information in cluster"
-  value = { (nifcloud_instance.bn.instance_id) : {
-    instance_id = nifcloud_instance.bn.instance_id,
-    unique_id   = nifcloud_instance.bn.unique_id,
-    private_ip  = nifcloud_instance.bn.private_ip,
-    public_ip   = nifcloud_instance.bn.public_ip,
-  } }
-}
-
-output "worker_info" {
-  description = "The worker information in cluster"
-  value = { for v in nifcloud_instance.wk : v.instance_id => {
-    instance_id = v.instance_id,
-    unique_id   = v.unique_id,
-    private_ip  = v.private_ip,
-    public_ip   = v.public_ip,
-  } }
-}
-
-output "control_plane_info" {
-  description = "The control plane information in cluster"
-  value = { for v in nifcloud_instance.cp : v.instance_id => {
-    instance_id = v.instance_id,
-    unique_id   = v.unique_id,
-    private_ip  = v.private_ip,
-    public_ip   = v.public_ip,
-  } }
-}
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-#################################################
-##
-## IP Address
-##
-configure_private_ip_address () {
-  cat << EOS > /etc/netplan/01-netcfg.yaml
-network:
-    version: 2
-    renderer: networkd
-    ethernets:
-        ens192:
-            dhcp4: yes
-            dhcp6: yes
-            dhcp-identifier: mac
-        ens224:
-            dhcp4: no
-            dhcp6: no
-            addresses: [${private_ip_address}]
-EOS
-  netplan apply
-}
-configure_private_ip_address
-
-#################################################
-##
-## SSH
-##
-configure_ssh_port () {
-  sed -i 's/^#*Port [0-9]*/Port ${ssh_port}/' /etc/ssh/sshd_config
-}
-configure_ssh_port
-
-#################################################
-##
-## Hostname
-##
-hostnamectl set-hostname ${hostname}
-
-#################################################
-##
-## Disable swap files genereated by systemd-gpt-auto-generator
-##
-systemctl mask "dev-sda3.swap"
@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">=1.3.7"
-  required_providers {
-    nifcloud = {
-      source  = "nifcloud/nifcloud"
-      version = ">= 1.8.0, < 2.0.0"
-    }
-  }
-}
@@ -1,81 +0,0 @@
-variable "availability_zone" {
-  description = "The availability zone"
-  type        = string
-}
-
-variable "prefix" {
-  description = "The prefix for the entire cluster"
-  type        = string
-  validation {
-    condition     = length(var.prefix) <= 5
-    error_message = "Must be a less than 5 character long."
-  }
-}
-
-variable "private_network_cidr" {
-  description = "The subnet of private network"
-  type        = string
-  validation {
-    condition     = can(cidrnetmask(var.private_network_cidr))
-    error_message = "Must be a valid IPv4 CIDR block address."
-  }
-}
-
-variable "private_ip_bn" {
-  description = "Private IP of bastion server"
-  type        = string
-}
-
-variable "instances_cp" {
-  type = map(object({
-    private_ip = string
-  }))
-}
-
-variable "instances_wk" {
-  type = map(object({
-    private_ip = string
-  }))
-}
-
-variable "instance_key_name" {
-  description = "The key name of the Key Pair to use for the instance"
-  type        = string
-}
-
-variable "instance_type_bn" {
-  description = "The instance type of bastion server"
-  type        = string
-}
-
-variable "instance_type_wk" {
-  description = "The instance type of worker"
-  type        = string
-}
-
-variable "instance_type_cp" {
-  description = "The instance type of control plane"
-  type        = string
-}
-
-variable "image_name" {
-  description = "The name of image"
-  type        = string
-}
-
-variable "additional_lb_filter" {
-  description = "Additional LB filter"
-  type        = list(string)
-}
-
-variable "accounting_type" {
-  type    = string
-  default = "1"
-  validation {
-    condition = anytrue([
-      var.accounting_type == "1", // Monthly
-      var.accounting_type == "2", // Pay per use
-    ])
-    error_message = "Must be a 1 or 2."
-  }
-}
@@ -1,3 +0,0 @@
-output "kubernetes_cluster" {
-  value = module.kubernetes_cluster
-}
@@ -1,22 +0,0 @@
-region = "jp-west-1"
-az     = "west-11"
-
-instance_key_name = "deployerkey"
-
-instance_type_bn = "e-medium"
-instance_type_cp = "e-medium"
-instance_type_wk = "e-medium"
-
-private_network_cidr = "192.168.30.0/24"
-instances_cp = {
-  "cp01" : { private_ip : "192.168.30.11/24" }
-  "cp02" : { private_ip : "192.168.30.12/24" }
-  "cp03" : { private_ip : "192.168.30.13/24" }
-}
-instances_wk = {
-  "wk01" : { private_ip : "192.168.30.21/24" }
-  "wk02" : { private_ip : "192.168.30.22/24" }
-}
-private_ip_bn = "192.168.30.10/24"
-
-image_name = "Ubuntu Server 22.04 LTS"
@@ -1 +0,0 @@
-../../../../inventory/sample/group_vars
@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">=1.3.7"
-  required_providers {
-    nifcloud = {
-      source  = "nifcloud/nifcloud"
-      version = "1.8.0"
-    }
-  }
-}
@@ -1,77 +0,0 @@
-variable "region" {
-  description = "The region"
-  type        = string
-}
-
-variable "az" {
-  description = "The availability zone"
-  type        = string
-}
-
-variable "private_ip_bn" {
-  description = "Private IP of bastion server"
-  type        = string
-}
-
-variable "private_network_cidr" {
-  description = "The subnet of private network"
-  type        = string
-  validation {
-    condition     = can(cidrnetmask(var.private_network_cidr))
-    error_message = "Must be a valid IPv4 CIDR block address."
-  }
-}
-
-variable "instances_cp" {
-  type = map(object({
-    private_ip = string
-  }))
-}
-
-variable "instances_wk" {
-  type = map(object({
-    private_ip = string
-  }))
-}
-
-variable "instance_key_name" {
-  description = "The key name of the Key Pair to use for the instance"
-  type        = string
-}
-
-variable "instance_type_bn" {
-  description = "The instance type of bastion server"
-  type        = string
-}
-
-variable "instance_type_wk" {
-  description = "The instance type of worker"
-  type        = string
-}
-
-variable "instance_type_cp" {
-  description = "The instance type of control plane"
-  type        = string
-}
-
-variable "image_name" {
-  description = "The name of image"
-  type        = string
-}
-
-variable "working_instance_ip" {
-  description = "The IP address to connect to bastion server."
-  type        = string
-}
-
-variable "accounting_type" {
-  type    = string
-  default = "2"
-  validation {
-    condition = anytrue([
-      var.accounting_type == "1", // Monthly
-      var.accounting_type == "2", // Pay per use
-    ])
-    error_message = "Must be a 1 or 2."
-  }
-}
@@ -8,6 +8,11 @@ OpenStack.
 This will install a Kubernetes cluster on an OpenStack Cloud. It should work on
 most modern installs of OpenStack that support the basic services.

+## OpenStack Support Documentation
+
+For OpenStack cloud provider configuration (Octavia load balancers, Cinder CSI storage,
+network plugins like Calico), see the [main OpenStack documentation](../../../docs/cloud_controllers/openstack.md).
+
 ### Known compatible public clouds

 - [Auro](https://auro.io/)
@@ -89,8 +94,8 @@ binaries available on hyperkube v1.4.3_coreos.0 or higher.

 ## Requirements

- [Install Terraform](https://www.terraform.io/intro/getting-started/install.html) 0.14 or later
- [Install Ansible](http://docs.ansible.com/ansible/latest/intro_installation.html)
+- [Install OpenTofu](https://opentofu.org/docs/intro/install/) 1.9.0 or later
+- [Install Ansible](https://docs.ansible.com/ansible/latest/intro_installation.html)
 - you already have a suitable OS image in Glance
 - you already have a floating IP pool created
 - you have security groups enabled
@@ -129,6 +134,7 @@ Terraform will be used to provision all of the OpenStack resources with base sof
 Create an inventory directory for your cluster by copying the existing sample and linking the `hosts` script (used to build the inventory based on Terraform state):

 ```ShellSession
+CLUSTER=your-cluster-name
 cp -LRp contrib/terraform/openstack/sample-inventory inventory/$CLUSTER
 cd inventory/$CLUSTER
 ln -s ../../contrib/terraform/openstack/hosts
@@ -146,7 +152,7 @@ different OpenStack environments may support Identity API version 2 or 3.

 These are examples and may vary depending on your OpenStack cloud provider,
 for an exhaustive list on how to authenticate on OpenStack with Terraform
-please read the [OpenStack provider documentation](https://www.terraform.io/docs/providers/openstack/).
+please read the [OpenStack provider documentation](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs).

 ##### Declarative method (recommended)

@@ -262,6 +268,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`image_uuid`,`image_gfs_uuid`, `image_master_uuid` | UUID of the image to use in provisioning the compute resources. Should already be loaded into glance. |
 |`ssh_user`,`ssh_user_gfs` | The username to ssh into the image with. This usually depends on the image you have selected |
 |`public_key_path` | Path on your local workstation to the public key file you wish to use in creating the key pairs |
+|`group_vars_path` | path to the inventory group vars directory, `./group_vars` by default |
 |`number_of_k8s_masters`, `number_of_k8s_masters_no_floating_ip` | Number of nodes that serve as both master and etcd. These can be provisioned with or without floating IP addresses|
 |`number_of_k8s_masters_no_etcd`, `number_of_k8s_masters_no_floating_ip_no_etcd` |  Number of nodes that serve as just master with no etcd. These can be provisioned with or without floating IP addresses |
 |`number_of_etcd` | Number of pure etcd nodes |
@@ -611,7 +618,13 @@ Edit `inventory/$CLUSTER/group_vars/all/all.yml`:
 bin_dir: /opt/bin
 ```

- and **cloud_provider**:
+- **external_cloud_provider**:
+
+```yml
+external_cloud_provider: openstack
+```
+
+- **Only if K8s < v1.31 - cloud_provider**:

 ```yml
 cloud_provider: openstack
@@ -717,6 +730,12 @@ Basically you will install Gluster as
 ansible-playbook --become -i inventory/$CLUSTER/hosts ./contrib/network-storage/glusterfs/glusterfs.yml
 ```

+## Relevant Resources
+
+- [HauptJ - Example cluster.tfvars using floating IPs for all Master and Nodes](https://gist.github.com/HauptJ/d72e2a8fe0698d448283a51e847a5dfa)
+- [openmetal - Deploying a Kubespray cluster to OpenStack using Terraform](https://openmetal.io/docs/manuals/kubernetes-guides/deploying-a-kubespray-cluster-to-openstack-using-terraform/)
+- [Guoqiang Lan - Deploy Kubernetes with Kubespray on OpenStack](https://guoqianglan.github.io/tutorial/cloud/deploy-kubernetes-with-kubespray-on-openstack/)
+
 ## What's next

 Try out your new Kubernetes cluster with the [Hello Kubernetes service](https://kubernetes.io/docs/tasks/access-application-cluster/service-access-application-cluster/).
@@ -1006,7 +1006,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
  name              = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
  count             = var.number_of_gfs_nodes_no_floating_ip
  availability_zone = element(var.az_list, count.index)
-  image_name        = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
+  image_id          = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
  flavor_id         = var.flavor_gfs_node
  key_pair          = openstack_compute_keypair_v2.k8s.name

@@ -1078,7 +1078,7 @@ resource "openstack_networking_floatingip_associate_v2" "k8s_nodes" {
  port_id               = openstack_networking_port_v2.k8s_nodes_port[each.key].id
 }

-resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
+resource "openstack_blockstorage_volume_v3" "glusterfs_volume" {
  name        = "${var.cluster_name}-glusterfs_volume-${count.index + 1}"
  count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
  description = "Non-ephemeral volume for GlusterFS"
@@ -1088,5 +1088,5 @@ resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
 resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {
  count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
  instance_id = element(openstack_compute_instance_v2.glusterfs_node_no_floating_ip.*.id, count.index)
-  volume_id   = element(openstack_blockstorage_volume_v2.glusterfs_volume.*.id, count.index)
+  volume_id   = element(openstack_blockstorage_volume_v3.glusterfs_volume.*.id, count.index)
 }
@@ -245,7 +245,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version

 ```yml
-cilium_version: "1.18.6"
+cilium_version: "1.19.4"
 ```

 ## Add variable to config
@@ -57,7 +57,6 @@
  * [Setting-up-your-first-cluster](/docs/getting_started/setting-up-your-first-cluster.md)
 * Ingress
  * [Alb Ingress Controller](/docs/ingress/alb_ingress_controller.md)
-  * [Ingress Nginx](/docs/ingress/ingress_nginx.md)
  * [Kube-vip](/docs/ingress/kube-vip.md)
  * [Metallb](/docs/ingress/metallb.md)
 * Operating Systems
@@ -30,14 +30,7 @@ If you don't have a TLS Root CA certificate and key available, you can create th

 A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.

-To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true.
-
-```ini
-# Nginx ingress controller deployment
-ingress_nginx_enabled: true
-```
-
-For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
+For example, if you're using the Traefik ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.

 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -48,9 +41,9 @@ metadata:
  labels:
    prometheus: k8s
  annotations:
-    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: ca-issuer
 spec:
+  ingressClassName: "traefik"
  tls:
  - hosts:
    - prometheus.example.com
@@ -72,8 +65,8 @@ Once deployed to your K8s cluster, every 3 months cert-manager will automaticall

 Please consult the official upstream documentation:

- [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/)
- [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name)
+- [cert-manager Ingress Usage](https://cert-manager.io/usage/ingress/)
+- [cert-manager Ingress Tutorial](https://cert-manager.io/tutorials/acme/ingress/#step-3-assign-a-dns-name)

 ### ACME

@@ -81,12 +74,12 @@ The ACME Issuer type represents a single account registered with the Automated C

 Certificates issued by public ACME servers are typically trusted by client’s computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most client’s web browsers. ACME certificates are typically free.

- [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/)
- [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/)
-  - [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/)
- [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/)
-  - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
+- [ACME Configuration](https://cert-manager.io/docs/configuration/acme/)
+- [ACME HTTP Validation](https://cert-manager.io/docs/tutorials/acme/http-validation/)
+  - [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/)
+- [ACME DNS Validation](https://cert-manager.io/docs/tutorials/acme/dns-validation/)
+  - [DNS01 Challenges](https://cert-manager.io/docs/configuration/acme/dns01/)
+- [ACME FAQ](https://cert-manager.io/docs/troubleshooting/acme/)

 #### ACME With An Internal Certificate Authority

@@ -30,9 +30,9 @@ If the latest version supported according to pip is 6.7.0 it means you are runni

 Based on the table below and the available python version for your ansible host you should choose the appropriate ansible version to use with kubespray.

-| Ansible Version | Python Version |
-|-----------------|----------------|
-| >= 2.17.3       | 3.10-3.12      |
+|  Ansible Version  | Python Version |
+|-------------------|----------------|
+| >=2.18.0, <2.19.0 | 3.11-3.13      |

 ## Customize Ansible vars

@@ -78,7 +78,6 @@ The following tags are defined in playbooks:
 | crio                           | Configuring crio container engine for hosts           |
 | crun                           | Configuring crun runtime                              |
 | csi-driver                     | Configuring csi driver                                |
-| dashboard                      | Installing and configuring the Kubernetes Dashboard   |
 | dns                            | Remove dns entries when resetting                     |
 | docker                         | Configuring docker engine runtime for hosts           |
 | download                       | Fetching container images to a delegate host          |
@@ -158,20 +157,20 @@ Example command to filter and apply only DNS configuration tasks and skip
 everything else related to host OS configuration and downloading images of containers:

 ```ShellSession
-ansible-playbook -i inventory/sample/hosts.ini cluster.yml --tags preinstall,facts --skip-tags=download,bootstrap_os
+ansible-playbook -i inventory/sample/inventory.ini cluster.yml --tags preinstall,facts --skip-tags=download,bootstrap_os
 ```

 And this play only removes the K8s cluster DNS resolver IP from hosts' /etc/resolv.conf files:

 ```ShellSession
-ansible-playbook -i inventory/sample/hosts.ini -e dns_mode='none' cluster.yml --tags resolvconf
+ansible-playbook -i inventory/sample/inventory.ini -e dns_mode='none' cluster.yml --tags resolvconf
 ```

 And this prepares all container images locally (at the ansible runner node) without installing
 or upgrading related stuff or trying to upload container to K8s cluster nodes:

 ```ShellSession
-ansible-playbook -i inventory/sample/hosts.ini cluster.yml \
+ansible-playbook -i inventory/sample/inventory.ini cluster.yml \
    -e download_run_once=true -e download_localhost=true \
    --tags download --skip-tags upload,upgrade
 ```
@@ -62,7 +62,7 @@ Once the configuration is set, you can execute the playbook again to apply the n

 ```ShellSession
 cd kubespray
-ansible-playbook -i inventory/sample/hosts.ini -b -v cluster.yml
+ansible-playbook -i inventory/sample/inventory.ini -b -v cluster.yml
 ```

 You'll find some useful examples [here](https://github.com/kubernetes/cloud-provider-vsphere/blob/master/docs/book/tutorials/kubernetes-on-vsphere-with-kubeadm.md#sample-manifests-to-test-csi-driver-functionality) to test your configuration.
@@ -82,7 +82,7 @@ If you intend to leverage the [zone and region node labeling](https://kubernetes

 ### Kubespray configuration (deprecated)

-First you must define the cloud provider in `inventory/sample/group_vars/all.yml` and set it to `vsphere`.
+First you must define the cloud provider in `inventory/sample/group_vars/all/all.yml` and set it to `vsphere`.

 ```yml
 cloud_provider: vsphere
@@ -128,7 +128,7 @@ Once the configuration is set, you can execute the playbook again to apply the n

 ```ShellSession
 cd kubespray
-ansible-playbook -i inventory/sample/hosts.ini -b -v cluster.yml
+ansible-playbook -i inventory/sample/inventory.ini -b -v cluster.yml
 ```

 You'll find some useful examples [here](https://github.com/kubernetes/examples/tree/master/staging/volumes/vsphere) to test your configuration.
@@ -11,5 +11,5 @@ You can deploy instances in your cloud environment in several ways. Examples inc
 With ansible-playbook command

 ```ShellSession
-ansible-playbook -u smana -e ansible_ssh_user=admin -e cloud_provider=[aws|gce] -b --become-user=root -i inventory/single.cfg cluster.yml
+ansible-playbook -u smana -e ansible_ssh_user=admin -e cloud_provider=[aws|gce] -b --become-user=root -i inventory/sample/inventory.ini cluster.yml
 ```
@@ -145,7 +145,6 @@ upstream_dns_servers:
  - 1.0.0.1

 # Extensions
-ingress_nginx_enabled: True
 helm_enabled: True
 cert_manager_enabled: True
 metrics_server_enabled: True
@@ -11,8 +11,8 @@ amazon |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :x: | :white_check_mark: |
 debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: |
 debian13 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
-fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
-fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
+fedora43 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 flatcar4081 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
@@ -29,14 +29,14 @@ amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora43 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |

 ## docker

@@ -47,8 +47,8 @@ amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora43 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
@@ -15,16 +15,15 @@ and [details on the inventory structure expected by Kubespray](/docs/ansible/inv
 <your-favorite-editor> inventory/mycluster/inventory.ini

 # Review and change parameters under ``inventory/mycluster/group_vars``
-<your-favorite-editor> inventory/mycluster/group_vars/all.yml # for every node, including etcd
-<your-favorite-editor> inventory/mycluster/group_vars/k8s_cluster.yml # for every node in the cluster (not etcd when it's separate)
-<your-favorite-editor> inventory/mycluster/group_vars/kube_control_plane.yml # for the control plane
-<your-favorite-editor> inventory/myclsuter/group_vars/kube_node.yml # for worker nodes
+<your-favorite-editor> inventory/mycluster/group_vars/all/all.yml # for every node, including etcd
+<your-favorite-editor> inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml # for every node in the cluster (not etcd when it's separate)
+<your-favorite-editor> inventory/mycluster/group_vars/k8s_cluster/kube_control_plane.yml # for the control plane
 ```

 ## Installing the cluster

 ```ShellSession
-ansible-playbook -i inventory/mycluster/ cluster.yml -b -v \
+ansible-playbook -i inventory/mycluster/inventory.ini cluster.yml -b -v \
  --private-key=~/.ssh/private_key
 ```

@@ -36,7 +35,7 @@ You may want to add worker, control plane or etcd nodes to your existing cluster
 - Run the ansible-playbook command, substituting `cluster.yml` for `scale.yml`:

 ```ShellSession
-ansible-playbook -i inventory/mycluster/hosts.yml scale.yml -b -v \
+ansible-playbook -i inventory/mycluster/inventory.ini scale.yml -b -v \
  --private-key=~/.ssh/private_key
 ```

@@ -54,7 +53,7 @@ is not working, you can remove the node and install it again.
 Use `--extra-vars "node=<nodename>,<nodename2>"` to select the node(s) you want to delete.

 ```ShellSession
-ansible-playbook -i inventory/mycluster/hosts.yml remove-node.yml -b -v \
+ansible-playbook -i inventory/mycluster/inventory.ini remove-node.yml -b -v \
 --private-key=~/.ssh/private_key \
 --extra-vars "node=nodename,nodename2"
 ```
@@ -83,37 +82,11 @@ authentication. One can get a kubeconfig from kube_control_plane hosts
 For more information on kubeconfig and accessing a Kubernetes cluster, refer to
 the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).

-## Accessing Kubernetes Dashboard
-
-Supported version is kubernetes-dashboard v2.0.x :
-
- Login option : token/kubeconfig by default
- Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
- Only serves over https
-
-Access is described in [dashboard docs](https://github.com/kubernetes/dashboard/tree/master/docs/user/accessing-dashboard). With kubespray's default deployment in kube-system namespace, instead of kubernetes-dashboard :
-
- Proxy URL is <http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#/login>
- kubectl commands must be run with "-n kube-system"
-
-Accessing through Ingress is highly recommended. For proxy access, please note that proxy must listen to [localhost](https://github.com/kubernetes/dashboard/issues/692#issuecomment-220492484) (`proxy  --address="x.x.x.x"` will not work)
-
-For token authentication, guide to create Service Account is provided in [dashboard sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md) doc. Still take care of default namespace.
-
-Access can also by achieved via ssh tunnel on a control plane :
-
-```bash
-# localhost:8081 will be sent to control-plane-1's own localhost:8081
-ssh -L8001:localhost:8001 user@control-plane-1
-sudo -i
-kubectl proxy
-```
-
 ## Accessing Kubernetes API

 The main client of Kubernetes is `kubectl`. It is installed on each kube_control_plane
 host and can optionally be configured on your ansible host by setting
-`kubectl_localhost: true` and `kubeconfig_localhost: true` in the configuration:
+`kubectl_localhost: true` and `kubeconfig_localhost: true` in `inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml`:

 - If `kubectl_localhost` enabled, `kubectl` will download onto `/usr/local/bin/` and setup with bash completion. A helper script `inventory/mycluster/artifacts/kubectl.sh` also created for setup with below `admin.conf`.
 - If `kubeconfig_localhost` enabled `admin.conf` will appear in the `inventory/mycluster/artifacts/` directory after deployment.
@@ -223,7 +223,7 @@ that controller-0, controller-1 and controller-2 in the `kube_control_plane` gro
 worker-0, worker-1 and worker-2 in the `kube_node` group. Add respective `ip` to the respective local VPC IP for each node.

 The main configuration for the cluster is stored in
-`inventory/mycluster/group_vars/k8s_cluster/k8s_cluster.yml`. In this file we
+`inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml`. In this file we
 will update the `supplementary_addresses_in_ssl_keys` with a list of the IP
 addresses of the controller nodes. In that way we can access the
  kubernetes API server as an administrator from outside the VPC network. You
@@ -240,7 +240,7 @@ the kubernetes cluster, just change the 'false' to 'true' for
 Now we will deploy the configuration:

 ```ShellSession
-ansible-playbook -i inventory/mycluster/ -u $USERNAME -b -v --private-key=~/.ssh/id_rsa cluster.yml
+ansible-playbook -i inventory/mycluster/inventory.ini -u $USERNAME -b -v --private-key=~/.ssh/id_rsa cluster.yml
 ```

 Ansible will now execute the playbook, this can take up to 20 minutes.
@@ -594,7 +594,7 @@ If you want to keep the VMs and just remove the cluster state, you can simply
 run another Ansible playbook:

 ```ShellSession
-ansible-playbook -i inventory/mycluster/ -u $USERNAME -b -v --private-key=~/.ssh/id_rsa reset.yml
+ansible-playbook -i inventory/mycluster/inventory.ini -u $USERNAME -b -v --private-key=~/.ssh/id_rsa reset.yml
 ```

 Resetting the cluster to the VMs original state usually takes about a couple
@@ -1,203 +0,0 @@
-# Installation Guide
-
-## Contents
-
- [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command)
-  - [Provider Specific Steps](#provider-specific-steps)
-    - [Docker for Mac](#docker-for-mac)
-    - [minikube](#minikube)
-    - [AWS](#aws)
-    - [GCE - GKE](#gce-gke)
-    - [Azure](#azure)
-    - [Bare-metal](#bare-metal)
-  - [Verify installation](#verify-installation)
-  - [Detect installed version](#detect-installed-version)
- [Using Helm](#using-helm)
-
-## Prerequisite Generic Deployment Command
-
-!!! attention
-    The default configuration watches Ingress object from *all the namespaces*.
-    To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace.
-
-!!! warning
-    If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions.
-
-!!! attention
-    If you're using GKE you need to initialize your user as a cluster-admin with the following command:
-
-```console
-kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin \
--user $(gcloud config get-value account)
-```
-
-The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version.
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml
-```
-
-### Provider Specific Steps
-
-There are cloud provider specific yaml files.
-
-#### Docker for Mac
-
-Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018))
-
-First you need to [enable kubernetes](https://docs.docker.com/docker-for-mac/#kubernetes).
-
-Then you have to create a service:
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
-```
-
-#### minikube
-
-For standard usage:
-
-```console
-minikube addons enable ingress
-```
-
-For development:
-
-1. Disable the ingress addon:
-
-```console
-minikube addons disable ingress
-```
-
-1. Execute `make dev-env`
-1. Confirm the `nginx-ingress-controller` deployment exists:
-
-```console
-$ kubectl get pods -n ingress-nginx
-NAME                                       READY     STATUS    RESTARTS   AGE
-default-http-backend-66b447d9cf-rrlf9      1/1       Running   0          12s
-nginx-ingress-controller-fdcdcd6dd-vvpgs   1/1       Running   0          11s
-```
-
-#### AWS
-
-In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`.
-Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
-Please check the [elastic load balancing AWS details page](https://aws.amazon.com/elasticloadbalancing/details/)
-
-##### Elastic Load Balancer - ELB
-
-This setup requires to choose in which layer (L4 or L7) we want to configure the Load Balancer:
-
- [Layer 4](https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer): Use an Network Load Balancer (NLB) with TCP as the listener protocol for ports 80 and 443.
- [Layer 7](https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer): Use an Elastic Load Balancer (ELB) with HTTP as the listener protocol for port 80 and terminate TLS in the ELB
-
-For L4:
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml
-```
-
-For L7:
-
-Change the value of `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` in the file `provider/aws/deploy-tls-termination.yaml` replacing the dummy id with a valid one. The dummy value is `"arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"`
-
-Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the [ELB Idle Timeouts section](#elb-idle-timeouts) for additional information. If a change is required, users will need to update the value of `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` in `provider/aws/deploy-tls-termination.yaml`
-
-Then execute:
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy-tls-termination.yaml
-```
-
-This example creates an ELB with just two listeners, one in port 80 and another in port 443
-
-![Listeners](https://github.com/kubernetes/ingress-nginx/blob/main/docs/images/elb-l7-listener.png)
-
-##### ELB Idle Timeouts
-
-In some scenarios users will need to modify the value of the ELB idle timeout.
-Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX.
-By default NGINX `keepalive_timeout` is set to `75s`.
-
-The default ELB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified,
-in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured.
-
-*Please Note: An idle timeout of `3600s` is recommended when using WebSockets.*
-
-More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html).
-
-##### Network Load Balancer (NLB)
-
-This type of load balancer is supported since v1.10.0 as an ALPHA feature.
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml
-```
-
-#### GCE-GKE
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
-```
-
-**Important Note:** proxy protocol is not supported in GCE/GKE
-
-#### Azure
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
-```
-
-#### Bare-metal
-
-Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
-```
-
-!!! tip
-    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md).
-
-### Verify installation
-
-To check if the ingress controller pods have started, run the following command:
-
-```console
-kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
-```
-
-Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`.
-Now, you are ready to create your first ingress.
-
-### Detect installed version
-
-To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller version` command.
-
-```console
-POD_NAMESPACE=ingress-nginx
-POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
-
-kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
-```
-
-## Using Helm
-
-NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx).
-Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm)
-
-To install the chart with the release name `my-nginx`:
-
-```console
-helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-helm install my-nginx ingress-nginx/ingress-nginx
-```
-
-Detect installed version:
-
-```console
-POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
-kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
-```
@@ -63,6 +63,8 @@ kube_vip_bgppeers:
 # kube_vip_bgp_peeraddress:
 # kube_vip_bgp_peerpass:
 # kube_vip_bgp_peeras:
+# kube_vip_bgp_sourceip:
+# kube_vip_bgp_sourceif:
 ```

 If using [control plane load-balancing](https://kube-vip.io/docs/about/architecture/#control-plane-load-balancing):
@@ -84,3 +86,12 @@ kube_vip_leaseduration: 30
 kube_vip_renewdeadline: 20
 kube_vip_retryperiod: 4
 ```
+
+To expose [Prometheus metrics](https://kube-vip.io/docs/installation/flags/#environment-variables) from the kube-vip static pod, set `kube_vip_metrics_enabled`. `kube_vip_metrics_port` is an integer; the manifest sets `prometheus_server` to `:PORT` because kube-vip passes that value to Go's HTTP listen address (see [`servePrometheusHTTPServer` in kube-vip](https://github.com/kube-vip/kube-vip/blob/main/cmd/kube-vip.go)). The manifest `ports` entry uses the same number for tooling that reads the pod spec.
+
+Kubespray defaults `kube_vip_metrics_port` to `2112`, matching upstream kube-vip's `--prometheusHTTPServer` default. Override it if your scrape config expects another port.
+
+```yaml
+kube_vip_metrics_enabled: true
+# kube_vip_metrics_port: 2112
+```
@@ -6,9 +6,9 @@ The documentation also applies to Red Hat derivatives, including Alma Linux, Roc

 The content of this section does not apply to open-source derivatives.

-In order to install packages via yum or dnf, RHEL 7/8 hosts are required to be registered for a valid Red Hat support subscription.
+In order to install packages via yum or dnf, RHEL hosts are required to be registered for a valid Red Hat support subscription.

-You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL 7/8 hosts provisioned in Production environments.
+You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL hosts provisioned in Production environments.

 Once you have a Red Hat support account, simply add the credentials to the Ansible inventory parameters `rh_subscription_username` and `rh_subscription_password` prior to deploying Kubespray. If your company has a Corporate Red Hat support account, then obtain an **Organization ID** and **Activation Key**, and add these to the Ansible inventory parameters `rh_subscription_org_id` and `rh_subscription_activation_key` instead of using your Red Hat support account credentials.

@@ -29,15 +29,7 @@ rh_subscription_role: "Red Hat Enterprise Server"
 rh_subscription_sla: "Self-Support"
 ```

-If the RHEL 8/9 hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
-
-## RHEL 8
-
-If you have containers that are using iptables in the host network namespace (`hostNetwork=true`),
-you need to ensure they are using iptables-nft.
-An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)
-
-The kernel version is lower than the kubernetes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
+If the RHEL hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.

 ## Rocky Linux 10

@@ -32,12 +32,12 @@ etcd_metrics_service_labels:
  k8s-app: etcd
  app.kubernetes.io/managed-by: Kubespray
  app: kube-prometheus-stack-kube-etcd
-  release: prometheus-stack
+  release: kube-prometheus-stack
 ```

 The last two labels in the above example allows to scrape the metrics from the
 [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
-chart with the following Helm `values.yaml` :
+chart when it is installed with the release name `kube-prometheus-stack` and the following Helm `values.yaml`:

 ```yaml
 kubeEtcd:
@@ -45,8 +45,22 @@ kubeEtcd:
    enabled: false
 ```

-To fully override metrics exposition urls, define it in the inventory with:
+If your Helm release name is different, adjust the `release` label accordingly.
+
+To fully override metrics exposition URLs, define it in the inventory with:

 ```yaml
 etcd_listen_metrics_urls: "http://0.0.0.0:2381"
 ```
+
+If you choose to expose metrics on specific node IPs (for example `10.141.4.22`, `10.141.4.23`, `10.141.4.24`) in `etcd_listen_metrics_urls`,
+you can configure kube-prometheus-stack to scrape those endpoints directly with:
+
+```yaml
+kubeEtcd:
+  enabled: true
+  endpoints:
+    - 10.141.4.22
+    - 10.141.4.23
+    - 10.141.4.24
+```
@@ -100,8 +100,6 @@ kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
 kubelet_seccomp_default: true
 kubelet_systemd_hardening: true
-# To disable kubelet's staticPodPath (for nodes that don't use static pods like worker nodes)
-kubelet_static_pod_path: ""
 # In case you have multiple interfaces in your
 # control plane nodes and you want to specify the right
 # IP addresses, kubelet_secure_addresses allows you
@@ -22,6 +22,10 @@ Then you need to setup the following services on your offline environment:
 You can get artifact lists with [generate_list.sh](/contrib/offline/generate_list.sh) script.
 In addition, you can find some tools for offline deployment under [contrib/offline](/contrib/offline/README.md).

+## Tip: use the original domains as top directories in the files_repo, i.e `github.com/`, `dl.k8s.io/`, `storage.googleapis.com/`, `get.helm.sh/`
+
+## Tip: for Cilium ensure to mirror <https://helm.cilium.io/index.yaml> and the chart cilium-1.18.2.tgz in files_repo
+
 ## Access Control

 ### Note: access controlled files_repo
@@ -44,7 +48,8 @@ files_repo: "https://{{ files_repo_user ~ ':' ~ files_repo_pass ~ '@' ~ files_re

 ### Note: access controlled registry

-To specify a username and password for "{{ registry_host }}", used to download the container images, you can use url-encoding too.
+Specify a "{{ registry_user }}" and "{{ registry_pass }}" for "{{ registry_addr }}",
+These are used to download the container images. Ensure to encrypt the password (if used) with ansible-vault.

 ```yaml
 registry_pass: !vault |
@@ -54,7 +59,30 @@ registry_pass: !vault |
          64653965663965356137333436616536643132336630313235333232336661373761643766356366
          6232353233386534380a373262313634613833623537626132633033373064336261383166323230
          3164
+```

+To enable Containerd **2+** to access the private registry:
+
+```yaml
+
+containerd_registries_mirrors:
+  - prefix: docker.io
+    mirrors:
+      - host: https://registry-1.docker.io
+        capabilities: ["pull", "resolve"]
+        skip_verify: false
+  - prefix: "{{ registry_addr }}"
+    mirrors:
+      - host: "https://{{ registry_addr }}"
+        capabilities: ["pull", "resolve"]
+        skip_verify: false
+        header:
+          Authorization: ["Basic {{ (registry_user + ':' + registry_pass) | b64encode }}"]
+```
+
+To enable Containerd **1.7** to access the private registry:
+
+```yaml
 containerd_registry_auth:
  - registry: "{{ registry_host }}"
    username: "{{ registry_user }}"
@@ -73,25 +101,12 @@ gcr_image_repo: "{{ registry_host }}"
 docker_image_repo: "{{ registry_host }}"
 quay_image_repo: "{{ registry_host }}"
 github_image_repo: "{{ registry_host }}"
-
-local_path_provisioner_helper_image_repo: "{{ registry_host }}/busybox"
-kubeadm_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubeadm"
-kubectl_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubectl"
-kubelet_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubelet"
-# etcd is optional if you **DON'T** use etcd_deployment=host
-etcd_download_url: "{{ files_repo }}/kubernetes/etcd/etcd-v{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
-cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_arch }}-v{{ cni_version }}.tgz"
-crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-v{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
-# If using Calico
-calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
-# If using Calico with kdd
-calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_version }}.tar.gz"
-# Containerd
-containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
-runc_download_url: "{{ files_repo }}/runc.{{ image_arch }}"
-nerdctl_download_url: "{{ files_repo }}/nerdctl-{{ nerdctl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
+github_url: "{{ files_repo }}/github.com"
+dl_k8s_io_url: "{{ files_repo }}/dl.k8s.io"
+storage_googleapis_url: "{{ files_repo }}/storage.googleapis.com"
 get_helm_url: "{{ files_repo }}/get.helm.sh"
-# Insecure registries for containerd
+local_path_provisioner_helper_image_repo: "{{ registry_host }}/busybox"
+# Insecure registries for containerd (see authenticated example above)
 containerd_registries_mirrors:
  - prefix: "{{ registry_addr }}"
    mirrors:
@@ -99,6 +114,34 @@ containerd_registries_mirrors:
        capabilities: ["pull", "resolve"]
        skip_verify: true

+# Cilium
+cilium_install_extra_flags: "--repository {{ files_repo }}/helm.cilium.io/"
+cilium_extra_values:
+  image:
+    useDigest: false
+  hubble:
+    relay:
+      image:
+        useDigest: false
+    ui:
+      backend:
+        image:
+          useDigest: false
+      frontend:
+        image:
+          useDigest: false
+  operator:
+    image:
+      override: "{{ registry_host }}/cilium/operator-generic:v1.18.2"
+      useDigest: false
+      extension: ""
+  certgen:
+    image:
+      useDigest: false
+  envoy:
+    image:
+      useDigest: false
+
 # CentOS/Redhat/AlmaLinux/Rocky Linux
 ## Docker / Containerd
 docker_rh_repo_base_url: "{{ yum_repo }}/docker-ce/$releasever/$basearch"
@@ -26,13 +26,13 @@ If you wanted to upgrade just kube_version from v1.18.10 to v1.19.7, you could
 deploy the following way:

 ```ShellSession
-ansible-playbook cluster.yml -i inventory/sample/hosts.ini -e kube_version=1.18.10 -e upgrade_cluster_setup=true
+ansible-playbook cluster.yml -i inventory/sample/inventory.ini -e kube_version=1.18.10 -e upgrade_cluster_setup=true
 ```

 And then repeat with 1.19.7 as kube_version:

 ```ShellSession
-ansible-playbook cluster.yml -i inventory/sample/hosts.ini -e kube_version=1.19.7 -e upgrade_cluster_setup=true
+ansible-playbook cluster.yml -i inventory/sample/inventory.ini -e kube_version=1.19.7 -e upgrade_cluster_setup=true
 ```

 The var ```-e upgrade_cluster_setup=true``` is needed to be set in order to migrate the deploys of e.g kube-apiserver inside the cluster immediately which is usually only done in the graceful upgrade. (Refer to [#4139](https://github.com/kubernetes-sigs/kubespray/issues/4139) and [#4736](https://github.com/kubernetes-sigs/kubespray/issues/4736))
@@ -46,7 +46,7 @@ existing cluster. That means there must be at least 1 kube_control_plane already
 deployed.

 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.19.7
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.19.7
 ```

 After a successful upgrade, the Server Version should be updated:
@@ -60,7 +60,7 @@ Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCom
 You can control how many nodes are upgraded at the same time by modifying the ansible variable named `serial`, as explained [here](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_strategies.html#setting-the-batch-size-with-serial). If you don't set this variable, it will upgrade the cluster nodes in batches of  20% of the available nodes. Setting `serial=1` would mean upgrade one node at a time.

 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.20.7 -e "serial=1"
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.20.7 -e "serial=1"
 ```

 ### Pausing the upgrade
@@ -82,20 +82,20 @@ If you don't want to upgrade all nodes in one run, you can use `--limit` [patter
 Before using `--limit` run playbook `facts.yml` without the limit to refresh facts cache for all nodes:

 ```ShellSession
-ansible-playbook playbooks/facts.yml -b -i inventory/sample/hosts.ini
+ansible-playbook playbooks/facts.yml -b -i inventory/sample/inventory.ini
 ```

 After this upgrade control plane and etcd groups [#5147](https://github.com/kubernetes-sigs/kubespray/issues/5147):

 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.20.7 --limit "kube_control_plane:etcd"
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.20.7 --limit "kube_control_plane:etcd"
 ```

 Now you can upgrade other nodes in any order and quantity:

 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.20.7 --limit "node4:node6:node7:node12"
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e kube_version=1.20.7 --limit "node5*"
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.20.7 --limit "node4:node6:node7:node12"
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e kube_version=1.20.7 --limit "node5*"
 ```

 ## Multiple upgrades
@@ -122,9 +122,9 @@ v2.24.0
 v2.22.0 -> v2.23.2 -> v2.24.0 : ✓
 v.22.0 -> v2.24.0 : ✕

-Assuming you don't explicitly define a kubernetes version in your k8s_cluster.yml, you simply check out the next tag and run the upgrade-cluster.yml playbook
+Assuming you don't explicitly define a kubernetes version in your group_vars/k8s_cluster/k8s-cluster.yml, you simply check out the next tag and run the upgrade-cluster.yml playbook

-* If you do define kubernetes version in your inventory (e.g. group_vars/k8s_cluster.yml) then either make sure to update it before running upgrade-cluster, or specify the new version you're upgrading to: `ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml -e kube_version=1.11.3`
+* If you do define kubernetes version in your inventory (e.g. group_vars/k8s_cluster/k8s-cluster.yml) then either make sure to update it before running upgrade-cluster, or specify the new version you're upgrading to: `ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml -e kube_version=1.11.3`

  Otherwise, the upgrade will leave your cluster at the same k8s version defined in your inventory vars.

@@ -155,7 +155,7 @@ HEAD is now at 05dabb7e Fix Bionic networking restart error #3430 (#3431)

 # NOTE: May need to `pip3 install -r requirements.txt` when upgrading.

-ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml

 ...

@@ -178,7 +178,7 @@ Some deprecations between versions that mean you can't just upgrade straight fro
 In this case, I set "kubeadm_enabled" to false, knowing that it is deprecated and removed by 2.9.0, to delay converting the cluster to kubeadm as long as I could.

 ```ShellSession
-$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
 ...
    "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -196,7 +196,7 @@ $ git checkout v2.8.1
 Previous HEAD position was 9051aa52 Fix ubuntu-contiv test failed (#3808)
 HEAD is now at 2ac1c756 More Feature/2.8 backports for 2.8.1 (#3911)

-$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
 ...
    "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -214,7 +214,7 @@ $ git checkout v2.8.2
 Previous HEAD position was 2ac1c756 More Feature/2.8 backports for 2.8.1 (#3911)
 HEAD is now at 4167807f Upgrade to 1.12.5 (#4066)

-$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
 ...
    "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -232,7 +232,7 @@ $ git checkout v2.8.3
 Previous HEAD position was 4167807f Upgrade to 1.12.5 (#4066)
 HEAD is now at ea41fc5e backport cve-2019-5736 to release-2.8 (#4234)

-$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
 ...
    "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -250,7 +250,7 @@ $ git checkout v2.8.4
 Previous HEAD position was ea41fc5e backport cve-2019-5736 to release-2.8 (#4234)
 HEAD is now at 3901480b go to k8s 1.12.7 (#4400)

-$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
 ...
    "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -268,7 +268,7 @@ $ git checkout v2.8.5
 Previous HEAD position was 3901480b go to k8s 1.12.7 (#4400)
 HEAD is now at 6f97687d Release 2.8 robust san handling (#4478)

-$ ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+$ ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml
 ...
    "msg": "DEPRECATION: non-kubeadm deployment is deprecated from v2.9. Will be removed in next release."
 ...
@@ -288,14 +288,14 @@ HEAD is now at a4e65c7c Upgrade to Ansible >2.7.0 (#4471)
 ```

 > **Warning**
-> IMPORTANT: Some variable formats changed in the k8s_cluster.yml between 2.8.5 and 2.9.0
+> IMPORTANT: Some variable formats changed in the group_vars/k8s_cluster/k8s-cluster.yml between 2.8.5 and 2.9.0

 If you do not keep your inventory copy up to date, **your upgrade will fail** and your first master will be left non-functional until fixed and re-run.

 It is at this point the cluster was upgraded from non-kubeadm to kubeadm as per the deprecation warning.

 ```ShellSession
-ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml

 ...

@@ -320,7 +320,7 @@ $ git checkout v2.10.0
 Previous HEAD position was a4e65c7c Upgrade to Ansible >2.7.0 (#4471)
 HEAD is now at dcd9c950 Add etcd role dependency on kube user to avoid etcd role failure when running scale.yml with a fresh node. (#3240) (#4479)

-ansible-playbook -i inventory/mycluster/hosts.ini -b upgrade-cluster.yml
+ansible-playbook -i inventory/mycluster/inventory.ini -b upgrade-cluster.yml

 ...

@@ -372,49 +372,49 @@ hosts.
 Upgrade docker:

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=docker
+ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=docker
 ```

 Upgrade etcd:

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd
+ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=etcd
 ```

 Upgrade etcd without rotating etcd certs:

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd --limit=etcd --skip-tags=etcd-secrets
+ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=etcd --limit=etcd --skip-tags=etcd-secrets
 ```

 Upgrade kubelet:

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
+ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
 ```

 Upgrade Kubernetes master components:

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master
+ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=master
 ```

 Upgrade network plugins:

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network
+ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=network
 ```

 Upgrade all add-ons:

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps
+ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=apps
 ```

 Upgrade just helm (assuming `helm_enabled` is true):

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm
+ansible-playbook -b -i inventory/sample/inventory.ini cluster.yml --tags=helm
 ```

 ## Migrate from Docker to Containerd
@@ -430,7 +430,7 @@ As of Kubespray 2.18.0, containerd is already the default container engine. If y
 If you want to upgrade the APT or YUM packages while the nodes are cordoned, you can use:

 ```ShellSession
-ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e system_upgrade=true
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/inventory.ini -e system_upgrade=true
 ```

 Nodes will be rebooted when there are package upgrades (`system_upgrade_reboot: on-upgrade`).
@@ -28,11 +28,11 @@ Everything done here requires full root access to every node.
 Before you begin, adjust your inventory:

 ```yaml
-# Filename: k8s_cluster/k8s-cluster.yml
+# Filename: group_vars/k8s_cluster/k8s-cluster.yml
 resolvconf_mode: host_resolvconf
 container_manager: containerd

-# Filename: etcd.yml
+# Filename: group_vars/all/etcd.yml
 etcd_deployment_type: host
 ```

@@ -66,7 +66,7 @@ apt-get install pigz
 ### 5) Run `cluster.yml` playbook with `--limit`

 ```commandline
-ansible-playbook -i inventory/sample/hosts.ini cluster.yml --limit=NODENAME
+ansible-playbook -i inventory/sample/inventory.ini cluster.yml --limit=NODENAME
 ```

 This effectively reinstalls containerd and seems to place all config files in the right place. When this completes, kubelet will immediately pick up the new container engine and start spinning up DaemonSets and kube-system Pods.
@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.30.0
+version: 2.32.0
 readme: README.md
 authors:
  - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)
@@ -44,7 +44,7 @@
 # [Optional] Calico: If using Calico network plugin
 # calicoctl_download_url: "{{ files_repo }}/github.com/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
-# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
+# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"

 # [Optional] Cilium: If using Cilium network plugin
 # ciliumcli_download_url: "{{ files_repo }}/github.com/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
@@ -1,8 +1,4 @@
 ---
-# Kubernetes dashboard
-# RBAC required. see docs/getting-started.md for access details.
-# dashboard_enabled: false
-
 # Helm deployment
 helm_enabled: false

@@ -67,39 +63,6 @@ local_volume_provisioner_enabled: false
 # Gateway API CRDs
 gateway_api_enabled: false

-# Nginx ingress controller deployment
-ingress_nginx_enabled: false
-# ingress_nginx_host_network: false
-# ingress_nginx_service_type: LoadBalancer
-# ingress_nginx_service_annotations:
-#   example.io/loadbalancerIPs: 1.2.3.4
-# ingress_nginx_service_nodeport_http: 30080
-# ingress_nginx_service_nodeport_https: 30081
-ingress_publish_status_address: ""
-# ingress_nginx_nodeselector:
-#   kubernetes.io/os: "linux"
-# ingress_nginx_tolerations:
-#   - key: "node-role.kubernetes.io/control-plane"
-#     operator: "Equal"
-#     value: ""
-#     effect: "NoSchedule"
-# ingress_nginx_namespace: "ingress-nginx"
-# ingress_nginx_insecure_port: 80
-# ingress_nginx_secure_port: 443
-# ingress_nginx_configmap:
-#   map-hash-bucket-size: "128"
-#   ssl-protocols: "TLSv1.2 TLSv1.3"
-# ingress_nginx_configmap_tcp_services:
-#   9000: "default/example-go:8080"
-# ingress_nginx_configmap_udp_services:
-#   53: "kube-system/coredns:53"
-# ingress_nginx_extra_args:
-#   - --default-ssl-certificate=default/foo-tls
-# ingress_nginx_termination_grace_period_seconds: 300
-# ingress_nginx_class: nginx
-# ingress_nginx_without_class: true
-# ingress_nginx_default: false
-
 # ALB ingress controller deployment
 ingress_alb_enabled: false
 # alb_ingress_aws_region: "us-east-1"
@@ -236,6 +199,10 @@ kube_vip_enabled: false
 # kube_vip_leasename: plndr-cp-lock
 # kube_vip_enable_node_labeling: false
 # kube_vip_lb_fwdmethod: local
+# kube_vip_bgp_sourceip:
+# kube_vip_bgp_sourceif:
+# kube_vip_metrics_enabled: false
+# kube_vip_metrics_port: 2112

 # Node Feature Discovery
 node_feature_discovery_enabled: false
@@ -53,6 +53,21 @@ credentials_dir: "{{ inventory_dir }}/credentials"
 # kube_oidc_groups_claim: groups
 # kube_oidc_groups_prefix: 'oidc:'

+## Structured AuthenticationConfiguration https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration
+## Note: --authentication-config and --oidc-* flags are mutually exclusive
+# kube_apiserver_use_authentication_config_file: false
+# kube_apiserver_authentication_config_jwt:
+#   - issuer:
+#       url: https://issuer.example.com
+#       audiences:
+#       - my-audience
+#     claimMappings:
+#       username:
+#         expression: 'claims.sub'
+# kube_apiserver_authentication_config_anonymous:
+#   enabled: "{{ kube_api_anonymous_auth }}"
+#   conditions: []
+
 ## Variables to control webhook authn/authz
 # kube_webhook_token_auth: false
 # kube_webhook_token_auth_url: https://...
@@ -361,8 +361,6 @@ cilium_l2announcements: false
 # -- Enable the use of well-known identities.
 # cilium_enable_well_known_identities: false

-# cilium_enable_bpf_clock_probe: true
-
 # -- Whether to enable CNP status updates.
 # cilium_disable_cnp_status_updates: true

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.17.3"
+requires_ansible: ">=2.18.0,<2.19.0"
@@ -1,5 +1,5 @@
-# Use immutable image tags rather than mutable tags (like ubuntu:22.04)
-FROM ubuntu:jammy-20230308
+# Use immutable image tags rather than mutable tags (like ubuntu:24.04)
+FROM ubuntu:noble-20260113@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
 # (and potentially other packages)
@@ -27,14 +27,14 @@ RUN apt update -q \
         ca-certificates \
         curl \
         gnupg2 \
-         software-properties-common \
         unzip \
         libvirt-clients \
         qemu-utils \
         qemu-kvm \
         dnsmasq \
-    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
-    && add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
+        && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
+        && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+            $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | tee /etc/apt/sources.list.d/docker.list \
    && apt update -q \
    && apt install --no-install-recommends -yq docker-ce \
    && apt autoremove -yqq --purge && apt clean && rm -rf /var/lib/apt/lists/* /var/log/*
@@ -44,11 +44,10 @@ ADD ./requirements.txt  /kubespray/requirements.txt
 ADD ./tests/requirements.txt /kubespray/tests/requirements.txt

 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
-    && pip install --no-compile --no-cache-dir pip -U \
-    && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
-    && pip install --no-compile --no-cache-dir -r requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && pip install --break-system-packages --ignore-installed --no-compile --no-cache-dir pip -U \
+    && pip install --break-system-packages --no-compile --no-cache-dir -r tests/requirements.txt \
+    && curl -L https://dl.k8s.io/release/v1.36.1/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.36.1/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl \
    # Install Vagrant
    && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
@@ -56,5 +55,5 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
    && rm vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
    && vagrant plugin install vagrant-libvirt \
    # Install Kubernetes collections
-    && pip install --no-compile --no-cache-dir kubernetes \
+    && pip install --break-system-packages --no-compile --no-cache-dir kubernetes \
    && ansible-galaxy collection install kubernetes.core
@@ -5,8 +5,8 @@
  become: false
  run_once: true
  vars:
-    minimal_ansible_version: 2.17.3
-    maximal_ansible_version: 2.18.0
+    minimal_ansible_version: 2.18.0
+    maximal_ansible_version: 2.19.0
  tags: always
  tasks:
    - name: "Check {{ minimal_ansible_version }} <= Ansible version < {{ maximal_ansible_version }}"
@@ -16,6 +16,8 @@
    - name: Gather and compute network facts
      import_role:
        name: network_facts
+      tags:
+        - always
    - name: Gather minimal facts
      setup:
        gather_subset: '!all'
@@ -1,6 +1,6 @@
-ansible==10.7.0
+ansible==11.13.0
 # Needed for community.crypto module
-cryptography==46.0.3
+cryptography==48.0.0
 # Needed for jinja2 json_query templating
 jmespath==1.1.0
 # Needed for ansible.utils.ipaddr
@@ -1,2 +1,2 @@
 ---
-ssh_bastion_confing__name: ssh-bastion.conf
+ssh_bastion_config_name: ssh-bastion.conf
@@ -8,8 +8,8 @@
  tasks:
    - name: Copy config to remote host
      copy:
-        src: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
-        dest: "{{ ssh_bastion_confing__name }}"
+        src: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
+        dest: "{{ ssh_bastion_config_name }}"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0644"
@@ -17,6 +17,6 @@
  delegate_to: localhost
  connection: local
  template:
-    src: "{{ ssh_bastion_confing__name }}.j2"
-    dest: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
+    src: "{{ ssh_bastion_config_name }}.j2"
+    dest: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
    mode: "0640"
@@ -12,10 +12,18 @@ coreos_locksmithd_disable: false
 # Install epel repo on Centos/RHEL
 epel_enabled: false

+## openEuler specific variables
+# Enable metalink for openEuler repos (auto-selects fastest mirror by location)
+openeuler_metalink_enabled: false
+
 ## Oracle Linux specific variables
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true

+## RHEL specific variables
+# Enable RHEL subscription repos
+rhel_enable_repos: true
+
 ## Ubuntu specific variables
 # Disable unattended-upgrades for Linux kernel and all packages start with linux- on Ubuntu
 ubuntu_kernel_unattended_upgrades_disabled: false
@@ -23,7 +23,7 @@
    name: "oracle-epel-release-el{{ ansible_distribution_major_version }}"
    state: present
  when:
-    - use_oracle_public_repo | default(true)
+    - use_oracle_public_repo
    - '''ID="ol"'' in os_release.stdout_lines'
    - (ansible_distribution_version | float) >= 7.6

@@ -39,7 +39,7 @@
    - { option: "enabled", value: "1" }
    - { option: "baseurl", value: "http://yum.oracle.com/repo/OracleLinux/OL{{ ansible_distribution_major_version }}/addons/$basearch/" }
  when:
-    - use_oracle_public_repo | default(true)
+    - use_oracle_public_repo
    - '''ID="ol"'' in os_release.stdout_lines'
    - (ansible_distribution_version | float) >= 7.6

@@ -56,7 +56,7 @@
    - { option: "gpgcheck", value: "0" }
    - { option: "baseurl", value: "http://mirror.centos.org/centos/{{ ansible_distribution_major_version }}/extras/$basearch/os/" }
  when:
-    - use_oracle_public_repo | default(true)
+    - use_oracle_public_repo
    - '''ID="ol"'' in os_release.stdout_lines'
    - (ansible_distribution_version | float) >= 7.6
    - (ansible_distribution_version | float) < 9
@@ -1,3 +1,62 @@
 ---
- name: Import Centos boostrap for openEuler
-  import_tasks: centos.yml
+- name: Import CentOS bootstrap for openEuler
+  ansible.builtin.import_tasks: centos.yml
+
+- name: Read openEuler release string
+  ansible.builtin.command: cat /etc/openEuler-release
+  register: _openeuler_release_raw
+  changed_when: false
+  check_mode: false
+  become: true
+  when: openeuler_metalink_enabled
+
+# /etc/openEuler-release contains e.g. "openEuler release 24.03 (LTS)"
+# The metalink server expects "24.03LTS" (no spaces/parens/dashes),
+# but DNF's $releasever resolves to just "24.03", causing "invalid repo or arch".
+- name: Set openEuler metalink releasever
+  ansible.builtin.set_fact:
+    _openeuler_releasever: >-
+      {{ _openeuler_release_raw.stdout
+         | regex_replace('.*release\s+', '')
+         | regex_replace('[() -]', '') }}
+  when: openeuler_metalink_enabled
+
+- name: Get existing openEuler repo sections
+  ansible.builtin.shell:
+    cmd: "set -o pipefail && grep '^\\[' /etc/yum.repos.d/openEuler.repo | tr -d '[]'"
+    executable: /bin/bash
+  register: _openeuler_repo_sections
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  become: true
+  when: openeuler_metalink_enabled
+
+- name: Enable metalink for openEuler repos
+  community.general.ini_file:
+    path: /etc/yum.repos.d/openEuler.repo
+    section: "{{ item.key }}"
+    option: metalink
+    value: "{{ item.value }}"
+    no_extra_spaces: true
+    mode: "0644"
+  loop: "{{ _openeuler_metalink_repos | dict2items | selectattr('key', 'in', _openeuler_repo_sections.stdout_lines | default([])) }}"
+  become: true
+  when: openeuler_metalink_enabled
+  register: _openeuler_metalink_result
+  vars:
+    _openeuler_metalink_repos:
+      OS: "https://mirrors.openeuler.org/metalink?repo={{ _openeuler_releasever }}/OS&arch=$basearch"
+      everything: "https://mirrors.openeuler.org/metalink?repo={{ _openeuler_releasever }}/everything&arch=$basearch"
+      EPOL: "https://mirrors.openeuler.org/metalink?repo={{ _openeuler_releasever }}/EPOL/main&arch=$basearch"
+      debuginfo: "https://mirrors.openeuler.org/metalink?repo={{ _openeuler_releasever }}/debuginfo&arch=$basearch"
+      source: "https://mirrors.openeuler.org/metalink?repo={{ _openeuler_releasever }}&arch=source"
+      update: "https://mirrors.openeuler.org/metalink?repo={{ _openeuler_releasever }}/update&arch=$basearch"
+      update-source: "https://mirrors.openeuler.org/metalink?repo={{ _openeuler_releasever }}/update&arch=source"
+
+- name: Clean dnf metadata cache to apply metalink mirror selection
+  ansible.builtin.command: dnf clean metadata
+  become: true
+  when:
+    - openeuler_metalink_enabled
+    - _openeuler_metalink_result.changed
@@ -69,7 +69,7 @@
    name:
      - "rhel-8-for-*-baseos-rpms"
      - "rhel-8-for-*-appstream-rpms"
-    state: "{{ 'enabled' if (rhel_enable_repos | default(True) | bool) else 'disabled' }}"
+    state: "{{ 'enabled' if (rhel_enable_repos | bool) else 'disabled' }}"
  when:
    - ansible_distribution_major_version == "8"
    - (not rh_subscription_status.changed) or (rh_subscription_username is defined) or (rh_subscription_org_id is defined)
@@ -6,12 +6,6 @@
    masked: false
  listen: Restart and enable cri-dockerd

- name: Cri-dockerd | restart docker.service
-  service:
-    name: docker.service
-    state: restarted
-  listen: Restart and enable cri-dockerd
-
 - name: Cri-dockerd | reload cri-dockerd.socket
  service:
    name: cri-dockerd.socket
@@ -55,7 +55,7 @@
  register: keyserver_task_result
  until: keyserver_task_result is succeeded
  retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
+  delay: "{{ retry_stagger }}"
  with_items: "{{ docker_repo_key_info.repo_keys }}"
  environment: "{{ proxy_env }}"
  when: ansible_pkg_mgr == 'apt'
@@ -128,7 +128,7 @@
  register: docker_task_result
  until: docker_task_result is succeeded
  retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
+  delay: "{{ retry_stagger }}"
  notify: Restart docker
  when:
    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
@@ -30,7 +30,7 @@ LimitCORE=infinity
 TimeoutStartSec=1min
 # restart the docker process if it exits prematurely
 Restart=on-failure
-StartLimitBurst=3
+StartLimitBurst=10
 StartLimitInterval=60s
 # Set the cgroup slice of the service so that kube reserved takes effect
 {% if kube_reserved is defined and kube_reserved|bool %}
@@ -678,6 +678,16 @@ experimental=[]
 # (default: false)
 # enable_pprof = true

+{% if kata_containers_version is version('3.4.0', '>=') %}
+# Indicates the CreateContainer request timeout needed for the workload(s)
+# It using guest_pull this includes the time to pull the image inside the guest
+# Defaults to 60 second(s)
+# Note: The effective timeout is determined by the lesser of two values: runtime-request-timeout from kubelet config
+# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
+# In essence, the timeout used for guest pull=runtime-request-timeout<create_container_timeout?runtime-request-timeout:create_container_timeout.
+create_container_timeout = 60
+{% endif %}
+
 # WARNING: All the options in the following section have not been implemented yet.
 # This section was added as a placeholder. DO NOT USE IT!
 [image]
@@ -1,58 +0,0 @@
-# noqa role-name - this is a meta role that doesn't need a name
---
-dependencies:
-  - role: container-engine/validate-container-engine
-    tags:
-      - container-engine
-      - validate-container-engine
-
-  - role: container-engine/kata-containers
-    when:
-      - kata_containers_enabled
-    tags:
-      - container-engine
-      - kata-containers
-
-  - role: container-engine/gvisor
-    when:
-      - gvisor_enabled
-      - container_manager in ['docker', 'containerd']
-    tags:
-      - container-engine
-      - gvisor
-
-  - role: container-engine/crun
-    when:
-      - crun_enabled
-    tags:
-      - container-engine
-      - crun
-
-  - role: container-engine/youki
-    when:
-      - youki_enabled
-      - container_manager == 'crio'
-    tags:
-      - container-engine
-      - youki
-
-  - role: container-engine/cri-o
-    when:
-      - container_manager == 'crio'
-    tags:
-      - container-engine
-      - crio
-
-  - role: container-engine/containerd
-    when:
-      - container_manager == 'containerd'
-    tags:
-      - container-engine
-      - containerd
-
-  - role: container-engine/cri-dockerd
-    when:
-      - container_manager == 'docker'
-    tags:
-      - container-engine
-      - docker
@@ -0,0 +1,48 @@
+---
+- name: Validate container engine
+  import_role:
+    name: container-engine/validate-container-engine
+  tags:
+    - container-engine
+    - validate-container-engine
+
+- name: Container runtimes
+  include_role:
+    name: "container-engine/{{ item.role }}"
+    apply:
+      tags:
+        - container-engine
+        - "{{ item.role }}"
+  loop:
+    - { role: 'kata-containers', enabled: "{{ kata_containers_enabled }}" }
+    - { role: 'gvisor', enabled: "{{ gvisor_enabled and container_manager in ['docker', 'containerd'] }}" }
+    - { role: 'crun', enabled: "{{ crun_enabled }}" }
+    - { role: 'youki', enabled: "{{ youki_enabled and container_manager == 'crio' }}" }
+  # TODO: Technically, this is more container-runtime than engine
+  when: item.enabled
+  tags:
+    - container-engine
+    - kata-containers
+    - gvisor
+    - crun
+    - youki
+
+- name: Container Manager
+  vars:
+    container_manager_role:
+      crio: cri-o
+      docker: cri-dockerd
+      containerd: containerd
+  include_role:
+    name: "container-engine/{{ container_manager_role[container_manager] }}"
+    apply:
+      tags:
+        - container-engine
+        - crio
+        - docker
+        - containerd
+  tags:
+    - container-engine
+    - crio
+    - docker
+    - containerd
@@ -1,9 +1,9 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: InitConfiguration
 nodeRegistration:
  criSocket: {{ cri_socket }}
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 imageRepository: {{ kubeadm_image_repo }}
 kubernetesVersion: v{{ kube_version }}
@@ -34,6 +34,7 @@
  when:
    - etcd_data_dir_member.stat.exists
    - etcd_cluster_is_healthy.rc == 0
+    - etcd_version is version('3.6.0', '<')
  command: >-
    {{ bin_dir }}/etcdctl backup
      --data-dir {{ etcd_data_dir }}
@@ -13,6 +13,8 @@
    sync_certs: false
    gen_certs: false
    etcd_secret_changed: false
+    etcd_member_requires_sync: false
+    kubernetes_host_requires_sync: false

 - name: "Check certs | Register ca and etcd admin/member certs on etcd hosts"
  stat:
@@ -128,7 +130,7 @@
  set_fact:
    sync_certs: true
  when:
-    - etcd_member_requires_sync | default(false) or
-      kubernetes_host_requires_sync | default(false) or
+    - etcd_member_requires_sync or
+      kubernetes_host_requires_sync or
      'gen_master_certs_True' in group_names or
      'gen_node_certs_True' in group_names
@@ -0,0 +1,43 @@
+---
+# When upgrading from etcd 3.5 to 3.6, need to clean up v2 store before upgrading.
+# Without this, etcd 3.6 will crash with following error:
+#   "panic: detected disallowed v2 WAL for stage --v2-deprecation=write-only [recovered]"
+- name: Cleanup v2 store when upgrade etcd from <3.6 to >=3.6
+  when:
+    - etcd_cluster_setup
+    - etcd_current_version != ''
+    - etcd_current_version is version('3.6.0', '<')
+    - etcd_version is version('3.6.0', '>=')
+  block:
+    - name: Ensure etcd version is >=3.5.26
+      when:
+        - etcd_current_version is version('3.5.26', '<')
+      fail:
+        msg: "You need to upgrade etcd to 3.5.26 or later before upgrade to 3.6. Current version is {{ etcd_current_version }}."
+
+    # Workarounds:
+    # Disable --enable-v2 (recommended in 20289) and do workaround of 20231 (MAX_WALS=1 and SNAPSHOT_COUNT=1)
+    # - https://github.com/etcd-io/etcd/issues/20809
+    # - https://github.com/etcd-io/etcd/discussions/20231#discussioncomment-13958051
+    - name: Change etcd configuration temporally to limit number of WALs and snapshots to clean up v2 store
+      ansible.builtin.lineinfile:
+        path: /etc/etcd.env
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+      loop:
+        - { regexp: '^ETCD_SNAPSHOT_COUNT=', line: 'ETCD_SNAPSHOT_COUNT=1' }
+        - { regexp: '^ETCD_MAX_WALS=', line: 'ETCD_MAX_WALS=1' }
+        - { regexp: '^ETCD_MAX_SNAPSHOTS=', line: 'ETCD_MAX_SNAPSHOTS=1' }
+        - { regexp: '^ETCD_ENABLE_V2=', line: 'ETCD_ENABLE_V2=false' }
+
+    # Restart etcd to apply temporal configuration and prevent some upgrade failures
+    # See also: https://etcd.io/blog/2025/upgrade_from_3.5_to_3.6_issue_followup/
+    - name: Stop etcd
+      service:
+        name: etcd
+        state: stopped
+
+    - name: Start etcd
+      service:
+        name: etcd
+        state: started
@@ -24,7 +24,7 @@
  run_once: true
  delegate_to: "{{ groups['etcd'][0] }}"
  when:
-    - gen_certs | default(false)
+    - gen_certs
    - inventory_hostname == groups['etcd'][0]

 - name: Gen_certs | copy certs generation script
@@ -43,7 +43,7 @@
    HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['kube_control_plane']) | join(' ') }}"
  run_once: true
  delegate_to: "{{ groups['etcd'][0] }}"
-  when: gen_certs | default(false)
+  when: gen_certs
  notify: Set etcd_secret_changed

 - name: Gen_certs | run cert generation script for all clients
@@ -55,7 +55,7 @@
  when:
    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally
    - kube_network_plugin != "calico" or calico_datastore == "etcd"
-    - gen_certs | default(false)
+    - gen_certs
  notify: Set etcd_secret_changed

 - name: Gen_certs | Gather etcd member/admin and kube_control_plane client certs from first etcd node
@@ -78,7 +78,7 @@
  delegate_to: "{{ groups['etcd'][0] }}"
  when:
    - ('etcd' in group_names)
-    - sync_certs | default(false)
+    - sync_certs
    - inventory_hostname != groups['etcd'][0]
  notify: Set etcd_secret_changed

@@ -92,7 +92,7 @@
  with_items: "{{ etcd_master_certs.results }}"
  when:
    - ('etcd' in group_names)
-    - sync_certs | default(false)
+    - sync_certs
    - inventory_hostname != groups['etcd'][0]
  loop_control:
    label: "{{ item.item }}"
@@ -134,7 +134,7 @@
  include_tasks: gen_nodes_certs_script.yml
  when:
    - ('kube_control_plane' in group_names) and
-        sync_certs | default(false) and inventory_hostname not in groups['etcd']
+        sync_certs and inventory_hostname not in groups['etcd']

 - name: Gen_certs | Generate etcd certs on nodes if needed
  include_tasks: gen_nodes_certs_script.yml
@@ -142,7 +142,7 @@
    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally
    - kube_network_plugin != "calico" or calico_datastore == "etcd"
    - ('k8s_cluster' in group_names) and
-        sync_certs | default(false) and inventory_hostname not in groups['etcd']
+        sync_certs and inventory_hostname not in groups['etcd']

 # This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
 # TODO: fix certs generation to have the same file everywhere
@@ -23,6 +23,14 @@
    - etcd_events_cluster_setup
    - etcd_image_tag not in etcd_events_current_docker_image.stdout | default('')

+- name: Get currently-deployed etcd version as x.y.z format
+  set_fact:
+    etcd_current_version: "{{ (etcd_current_docker_image.stdout | regex_search('.*:v([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
+  when: etcd_cluster_setup
+
+- name: Cleanup v2 store data
+  import_tasks: clean_v2_store.yml
+
 - name: Install etcd launch script
  template:
    src: etcd.j2
@@ -21,6 +21,14 @@
    - etcd_events_cluster_setup
    - etcd_version not in etcd_current_host_version.stdout | default('')

+- name: Get currently-deployed etcd version as x.y.z format
+  set_fact:
+    etcd_current_version: "{{ (etcd_current_host_version.stdout | regex_search('etcd Version: ([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
+  when: etcd_cluster_setup
+
+- name: Cleanup v2 store data
+  import_tasks: clean_v2_store.yml
+
 - name: Install | Copy etcd binary from download dir
  copy:
    src: "{{ local_release_dir }}/etcd-v{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"
@@ -53,6 +53,12 @@
    - control-plane
    - network

+- name: Install etcd
+  include_tasks: "install_{{ etcd_deployment_type }}.yml"
+  when: ('etcd' in group_names)
+  tags:
+    - upgrade
+
 - name: Install etcdctl and etcdutl binary
  import_role:
    name: etcdctl_etcdutl
@@ -64,12 +70,6 @@
    - ('etcd' in group_names)
    - etcd_cluster_setup

- name: Install etcd
-  include_tasks: "install_{{ etcd_deployment_type }}.yml"
-  when: ('etcd' in group_names)
-  tags:
-    - upgrade
-
 - name: Configure etcd
  include_tasks: configure.yml
  when: ('etcd' in group_names)
@@ -84,7 +84,7 @@
  when:
    - ('etcd' in group_names)
    - etcd_cluster_setup
-    - etcd_secret_changed | default(false)
+    - etcd_secret_changed

 - name: Restart etcd-events if certs changed
  command: /bin/true
@@ -92,7 +92,7 @@
  when:
    - ('etcd' in group_names)
    - etcd_events_cluster_setup
-    - etcd_secret_changed | default(false)
+    - etcd_secret_changed

 # After etcd cluster is assembled, make sure that
 # initial state of the cluster is in `existing`
@@ -25,8 +25,6 @@ ETCD_MAX_REQUEST_BYTES={{ etcd_max_request_bytes }}
 ETCD_LOG_LEVEL={{ etcd_log_level }}
 ETCD_MAX_SNAPSHOTS={{ etcd_max_snapshots }}
 ETCD_MAX_WALS={{ etcd_max_wals }}
-# Flannel need etcd v2 API
-ETCD_ENABLE_V2=true

 # TLS settings
 ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
@@ -1,9 +1,11 @@
 ---
 - name: Add Helm repositories
+  environment: "{{ proxy_env }}"
  kubernetes.core.helm_repository: "{{ helm_repository_defaults | combine(item) }}"  # noqa args[module]
  loop: "{{ repositories }}"

 - name: Update Helm repositories
+  environment: "{{ proxy_env }}"
  kubernetes.core.helm:
    state: absent
    binary_path: "{{ bin_dir }}/helm"
@@ -15,5 +17,6 @@
    - helm_update

 - name: Install Helm Applications
+  environment: "{{ proxy_env }}"
  kubernetes.core.helm: "{{ helm_defaults | combine(release_common_opts, item) }}"  # noqa args[module]
  loop: "{{ releases }}"
@@ -11,6 +11,7 @@ dns_nodes_per_replica: 16
 dns_cores_per_replica: 256
 dns_prevent_single_point_failure: "{{ 'true' if dns_min_replicas | int > 1 else 'false' }}"
 enable_coredns_reverse_dns_lookups: true
+coredns_svc_name: "coredns"
 coredns_ordinal_suffix: ""
 # dns_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
 coredns_affinity:
@@ -87,60 +88,5 @@ dns_autoscaler_affinity: {}
 #   app: kube-prometheus-stack-kube-etcd
 #   release: prometheus-stack

-# Netchecker
-deploy_netchecker: false
-netchecker_port: 31081
-agent_report_interval: 15
-netcheck_namespace: default
-
-# Limits for netchecker apps
-netchecker_agent_cpu_limit: 30m
-netchecker_agent_memory_limit: 100M
-netchecker_agent_cpu_requests: 15m
-netchecker_agent_memory_requests: 64M
-netchecker_server_cpu_limit: 100m
-netchecker_server_memory_limit: 256M
-netchecker_server_cpu_requests: 50m
-netchecker_server_memory_requests: 64M
-netchecker_etcd_cpu_limit: 200m
-netchecker_etcd_memory_limit: 256M
-netchecker_etcd_cpu_requests: 100m
-netchecker_etcd_memory_requests: 128M
-
-# SecurityContext (user/group)
-netchecker_agent_user: 1000
-netchecker_server_user: 1000
-netchecker_agent_group: 1000
-netchecker_server_group: 1000
-
-# Log levels
-netchecker_agent_log_level: 5
-netchecker_server_log_level: 5
-netchecker_etcd_log_level: info
-
-# Dashboard
-dashboard_replicas: 1
-
-# Namespace for dashboard
-dashboard_namespace: kube-system
-
-# Limits for dashboard
-dashboard_cpu_limit: 100m
-dashboard_memory_limit: 256M
-dashboard_cpu_requests: 50m
-dashboard_memory_requests: 64M
-
-# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
-# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
-dashboard_use_custom_certs: false
-dashboard_certs_secret_name: kubernetes-dashboard-certs
-dashboard_tls_key_file: dashboard.key
-dashboard_tls_cert_file: dashboard.crt
-dashboard_master_toleration: true
-
-# Override dashboard default settings
-dashboard_token_ttl: 900
-dashboard_skip_login: false
-
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
@@ -87,37 +87,3 @@
  when: etcd_metrics_port is defined and etcd_metrics_service_labels is defined
  tags:
    - etcd_metrics
-
- name: Kubernetes Apps | Netchecker
-  command:
-    cmd: "{{ kubectl_apply_stdin }}"
-    stdin: "{{ lookup('template', item) }}"
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  vars:
-    k8s_namespace: "{{ netcheck_namespace }}"
-  when: deploy_netchecker
-  tags:
-    - netchecker
-  loop:
-    - netchecker-ns.yml.j2
-    - netchecker-agent-sa.yml.j2
-    - netchecker-agent-ds.yml.j2
-    - netchecker-agent-hostnet-ds.yml.j2
-    - netchecker-server-sa.yml.j2
-    - netchecker-server-clusterrole.yml.j2
-    - netchecker-server-clusterrolebinding.yml.j2
-    - netchecker-server-deployment.yml.j2
-    - netchecker-server-svc.yml.j2
-
- name: Kubernetes Apps | Dashboard
-  command:
-    cmd: "{{ kubectl_apply_stdin }}"
-    stdin: "{{ lookup('template', 'dashboard.yml.j2') }}"
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  vars:
-    k8s_namespace: "{{ dashboard_namespace }}"
-  when: dashboard_enabled
-  tags:
-    - dashboard
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: coredns{{ coredns_ordinal_suffix }}
+  name: {{ coredns_svc_name }}{{ coredns_ordinal_suffix }}
  namespace: kube-system
  labels:
    k8s-app: kube-dns{{ coredns_ordinal_suffix }}
@@ -1,323 +0,0 @@
-# Copyright 2017 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Configuration to deploy release version of the Dashboard UI compatible with
-# Kubernetes 1.8.
-#
-# Example usage: kubectl create -f <this_file>
-
-{% if k8s_namespace != 'kube-system' %}
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ k8s_namespace }}
-  labels:
-    name: {{ k8s_namespace }}
-{% endif %}
---
-# ------------------- Dashboard Secrets ------------------- #
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-certs
-type: Opaque
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-csrf
-type: Opaque
-data:
-  csrf: ""
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-key-holder
-type: Opaque
-
---
-# ------------------- Dashboard ConfigMap ------------------- #
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-settings
-
---
-# ------------------- Dashboard Service Account ------------------- #
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-
---
-# ------------------- Dashboard Role & Role Binding ------------------- #
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-rules:
-  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
-    verbs: ["get", "update", "delete"]
-    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["kubernetes-dashboard-settings"]
-    verbs: ["get", "update"]
-    # Allow Dashboard to get metrics.
-  - apiGroups: [""]
-    resources: ["services"]
-    resourceNames: ["heapster", "dashboard-metrics-scraper"]
-    verbs: ["proxy"]
-  - apiGroups: [""]
-    resources: ["services/proxy"]
-    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
-    verbs: ["get"]
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kubernetes-dashboard
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard
-    namespace: {{ k8s_namespace }}
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubernetes-dashboard
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard
-    namespace: {{ k8s_namespace }}
-
---
-# ------------------- Dashboard Deployment ------------------- #
-
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-spec:
-  replicas: {{ dashboard_replicas }}
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      k8s-app: kubernetes-dashboard
-  template:
-    metadata:
-      labels:
-        k8s-app: kubernetes-dashboard
-    spec:
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      priorityClassName: system-cluster-critical
-      containers:
-        - name: kubernetes-dashboard
-          image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          resources:
-            limits:
-              cpu: {{ dashboard_cpu_limit }}
-              memory: {{ dashboard_memory_limit }}
-            requests:
-              cpu: {{ dashboard_cpu_requests }}
-              memory: {{ dashboard_memory_requests }}
-          ports:
-            - containerPort: 8443
-              protocol: TCP
-          args:
-            - --namespace={{ k8s_namespace }}
-{% if dashboard_use_custom_certs %}
-            - --tls-key-file={{ dashboard_tls_key_file }}
-            - --tls-cert-file={{ dashboard_tls_cert_file }}
-{% else %}
-            - --auto-generate-certificates
-{% endif %}
-{% if dashboard_skip_login %}
-            - --enable-skip-login
-{% endif %}
-            - --authentication-mode=token
-            # Uncomment the following line to manually specify Kubernetes API server Host
-            # If not specified, Dashboard will attempt to auto discover the API server and connect
-            # to it. Uncomment only if the default does not work.
-            # - --apiserver-host=http://my-address:port
-            - --token-ttl={{ dashboard_token_ttl }}
-          volumeMounts:
-            - name: kubernetes-dashboard-certs
-              mountPath: /certs
-              # Create on-disk volume to store exec logs
-            - mountPath: /tmp
-              name: tmp-volume
-          livenessProbe:
-            httpGet:
-              scheme: HTTPS
-              path: /
-              port: 8443
-            initialDelaySeconds: 30
-            timeoutSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsUser: 1001
-            runAsGroup: 2001
-      volumes:
-        - name: kubernetes-dashboard-certs
-          secret:
-            secretName: {{ dashboard_certs_secret_name }}
-        - name: tmp-volume
-          emptyDir: {}
-      serviceAccountName: kubernetes-dashboard
-{% if dashboard_master_toleration %}
-      tolerations:
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-{% endif %}
-
---
-# ------------------- Dashboard Service ------------------- #
-
-kind: Service
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-spec:
-  ports:
-    - port: 443
-      targetPort: 8443
-  selector:
-    k8s-app: kubernetes-dashboard
-
---
-# ------------------- Metrics Scraper Service Account ------------------- #
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-rules:
-  # Allow Metrics Scraper to get metrics from the Metrics server
-  - apiGroups: ["metrics.k8s.io"]
-    resources: ["pods", "nodes"]
-    verbs: ["get", "list", "watch"]
-
---
-
-# ------------------- Metrics Scraper Service  ------------------- #
-kind: Service
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-metrics-scraper
-  name: dashboard-metrics-scraper
-spec:
-  ports:
-    - port: 8000
-      targetPort: 8000
-  selector:
-    k8s-app: kubernetes-metrics-scraper
-
---
-
-# ------------------- Metrics Scraper Deployment  ------------------- #
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-metrics-scraper
-  name: kubernetes-metrics-scraper
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      k8s-app: kubernetes-metrics-scraper
-  template:
-    metadata:
-      labels:
-        k8s-app: kubernetes-metrics-scraper
-    spec:
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      priorityClassName: system-cluster-critical
-      containers:
-        - name: kubernetes-metrics-scraper
-          image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }}
-          ports:
-            - containerPort: 8000
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              scheme: HTTP
-              path: /
-              port: 8000
-            initialDelaySeconds: 30
-            timeoutSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsUser: 1001
-            runAsGroup: 2001
-          volumeMounts:
-          - mountPath: /tmp
-            name: tmp-volume
-      serviceAccountName: kubernetes-dashboard
-      volumes:
-      - name: tmp-volume
-        emptyDir: {}
-{% if dashboard_master_toleration %}
-      tolerations:
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-{% endif %}
@@ -1,56 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app: netchecker-agent
-  name: netchecker-agent
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    matchLabels:
-      app: netchecker-agent
-  template:
-    metadata:
-      name: netchecker-agent
-      labels:
-        app: netchecker-agent
-    spec:
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      nodeSelector:
-        kubernetes.io/os: linux
-      containers:
-        - name: netchecker-agent
-          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: MY_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: MY_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          args:
-            - "-v={{ netchecker_agent_log_level }}"
-            - "-alsologtostderr=true"
-            - "-serverendpoint=netchecker-service:8081"
-            - "-reportinterval={{ agent_report_interval }}"
-          resources:
-            limits:
-              cpu: {{ netchecker_agent_cpu_limit }}
-              memory: {{ netchecker_agent_memory_limit }}
-            requests:
-              cpu: {{ netchecker_agent_cpu_requests }}
-              memory: {{ netchecker_agent_memory_requests }}
-          securityContext:
-            runAsUser: {{ netchecker_agent_user | default('0') }}
-            runAsGroup: {{ netchecker_agent_group | default('0') }}
-      serviceAccountName: netchecker-agent
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 100%
-    type: RollingUpdate
@@ -1,58 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app: netchecker-agent-hostnet
-  name: netchecker-agent-hostnet
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    matchLabels:
-      app: netchecker-agent-hostnet
-  template:
-    metadata:
-      name: netchecker-agent-hostnet
-      labels:
-        app: netchecker-agent-hostnet
-    spec:
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      nodeSelector:
-        kubernetes.io/os: linux
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      containers:
-        - name: netchecker-agent
-          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: MY_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: MY_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          args:
-            - "-v={{ netchecker_agent_log_level }}"
-            - "-alsologtostderr=true"
-            - "-serverendpoint=netchecker-service:8081"
-            - "-reportinterval={{ agent_report_interval }}"
-          resources:
-            limits:
-              cpu: {{ netchecker_agent_cpu_limit }}
-              memory: {{ netchecker_agent_memory_limit }}
-            requests:
-              cpu: {{ netchecker_agent_cpu_requests }}
-              memory: {{ netchecker_agent_memory_requests }}
-          securityContext:
-            runAsUser: {{ netchecker_agent_user | default('0') }}
-            runAsGroup: {{ netchecker_agent_group | default('0') }}
-      serviceAccountName: netchecker-agent
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 100%
-    type: RollingUpdate
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netchecker-agent
-  namespace: {{ netcheck_namespace }}
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: "{{ netcheck_namespace }}"
-  labels:
-    name: "{{ netcheck_namespace }}"
@@ -1,9 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["list", "get"]
@@ -1,13 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: netchecker-server
-    namespace: {{ netcheck_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: netchecker-server
-  apiGroup: rbac.authorization.k8s.io
@@ -1,86 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-  labels:
-    app: netchecker-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: netchecker-server
-  template:
-    metadata:
-      name: netchecker-server
-      labels:
-        app: netchecker-server
-    spec:
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      volumes:
-        - name: etcd-data
-          emptyDir: {}
-      containers:
-        - name: netchecker-server
-          image: "{{ netcheck_server_image_repo }}:{{ netcheck_server_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          resources:
-            limits:
-              cpu: {{ netchecker_server_cpu_limit }}
-              memory: {{ netchecker_server_memory_limit }}
-            requests:
-              cpu: {{ netchecker_server_cpu_requests }}
-              memory: {{ netchecker_server_memory_requests }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ['ALL']
-            runAsUser: {{ netchecker_server_user | default('0') }}
-            runAsGroup: {{ netchecker_server_group | default('0') }}
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
-          ports:
-            - containerPort: 8081
-          args:
-            - -v={{ netchecker_server_log_level }}
-            - -logtostderr
-            - -kubeproxyinit=false
-            - -endpoint=0.0.0.0:8081
-            - -etcd-endpoints=http://127.0.0.1:2379
-        - name: etcd
-          image: "{{ etcd_image_repo }}:{{ netcheck_etcd_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: ETCD_LOG_LEVEL
-              value: "{{ netchecker_etcd_log_level }}"
-          command:
-            - etcd
-            - --listen-client-urls=http://127.0.0.1:2379
-            - --advertise-client-urls=http://127.0.0.1:2379
-            - --data-dir=/var/lib/etcd
-            - --enable-v2
-            - --force-new-cluster
-          volumeMounts:
-            - mountPath: /var/lib/etcd
-              name: etcd-data
-          resources:
-            limits:
-              cpu: {{ netchecker_etcd_cpu_limit }}
-              memory: {{ netchecker_etcd_memory_limit }}
-            requests:
-              cpu: {{ netchecker_etcd_cpu_requests }}
-              memory: {{ netchecker_etcd_memory_requests }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ['ALL']
-            runAsUser: {{ netchecker_server_user | default('0') }}
-            runAsGroup: {{ netchecker_server_group | default('0') }}
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      serviceAccountName: netchecker-server
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: netchecker-service
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    app: netchecker-server
-  ports:
-    -
-      protocol: TCP
-      port: 8081
-      targetPort: 8081
-      nodePort: {{ netchecker_port }}
-  type: NodePort
@@ -45,7 +45,7 @@ data:
            force_tcp
        }
        prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_health_port }}
 {% if dns_etchosts | default(None) %}
        hosts /etc/coredns/hosts {
          fallthrough
@@ -132,7 +132,7 @@ data:
            force_tcp
        }
        prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_secondary_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_second_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_second_health_port }}
 {% if dns_etchosts | default(None) %}
        hosts /etc/coredns/hosts {
          fallthrough
@@ -20,7 +20,7 @@

 - name: External OCI Cloud Controller Manager | Get base64 cloud-config
  set_fact:
-    external_oracle_cloud_config_secret: "{{ lookup('template', 'external-oci-cloud-config.j2') | b64encode }}"
+    external_oracle_cloud_config_secret: "{{ lookup('template', 'external-oci-cloud-config.yml.j2') | b64encode }}"
  when: inventory_hostname == groups['kube_control_plane'][0]
  tags: external-oci

@@ -21,7 +21,7 @@ external_openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
 ##    arg1: "value1"
 ##    arg2: "value2"
 external_openstack_cloud_controller_extra_args: {}
-external_openstack_cloud_controller_image_tag: "v1.32.0"
+external_openstack_cloud_controller_image_tag: "v1.35.0"
 external_openstack_cloud_controller_bind_address: 127.0.0.1
 external_openstack_cloud_controller_dns_policy: ClusterFirst

@@ -8,3 +8,4 @@ local_path_provisioner_is_default_storageclass: "true"
 local_path_provisioner_debug: false
 local_path_provisioner_helper_image_repo: "busybox"
 local_path_provisioner_helper_image_tag: "latest"
+local_path_provisioner_resources: {}
@@ -35,6 +35,10 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
+{% if local_path_provisioner_resources %}
+        resources:
+          {{ local_path_provisioner_resources | to_nice_yaml | indent(10) | trim }}
+{% endif %}
      volumes:
        - name: config-volume
          configMap:
@@ -1,28 +0,0 @@
---
-ingress_nginx_namespace: "ingress-nginx"
-ingress_nginx_host_network: false
-ingress_nginx_service_type: LoadBalancer
-ingress_nginx_service_nodeport_http: ""
-ingress_nginx_service_nodeport_https: ""
-ingress_nginx_service_annotations: {}
-ingress_publish_status_address: ""
-ingress_nginx_publish_service: "{{ ingress_nginx_namespace }}/ingress-nginx"
-ingress_nginx_nodeselector:
-  kubernetes.io/os: "linux"
-ingress_nginx_tolerations: []
-ingress_nginx_insecure_port: 80
-ingress_nginx_secure_port: 443
-ingress_nginx_metrics_port: 10254
-ingress_nginx_configmap: {}
-ingress_nginx_configmap_tcp_services: {}
-ingress_nginx_configmap_udp_services: {}
-ingress_nginx_extra_args: []
-ingress_nginx_termination_grace_period_seconds: 300
-ingress_nginx_class: nginx
-ingress_nginx_without_class: true
-ingress_nginx_default: false
-ingress_nginx_webhook_enabled: false
-ingress_nginx_webhook_job_ttl: 1800
-ingress_nginx_opentelemetry_enabled: false
-
-ingress_nginx_probe_initial_delay_seconds: 10
@@ -1,69 +0,0 @@
---
-
- name: NGINX Ingress Controller | Create addon dir
-  file:
-    path: "{{ kube_config_dir }}/addons/ingress_nginx"
-    state: directory
-    owner: root
-    group: root
-    mode: "0755"
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
-
- name: NGINX Ingress Controller | Templates list
-  set_fact:
-    ingress_nginx_templates:
-      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
-      - { name: cm-ingress-nginx, file: cm-ingress-nginx.yml, type: cm }
-      - { name: cm-tcp-services, file: cm-tcp-services.yml, type: cm }
-      - { name: cm-udp-services, file: cm-udp-services.yml, type: cm }
-      - { name: sa-ingress-nginx, file: sa-ingress-nginx.yml, type: sa }
-      - { name: clusterrole-ingress-nginx, file: clusterrole-ingress-nginx.yml, type: clusterrole }
-      - { name: clusterrolebinding-ingress-nginx, file: clusterrolebinding-ingress-nginx.yml, type: clusterrolebinding }
-      - { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
-      - { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
-      - { name: ingressclass-nginx, file: ingressclass-nginx.yml, type: ingressclass }
-      - { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
-    ingress_nginx_template_for_service:
-      - { name: svc-ingress-nginx, file: svc-ingress-nginx.yml, type: svc }
-    ingress_nginx_templates_for_webhook:
-      - { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
-      - { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
-      - { name: clusterrole-admission-webhook, file: clusterrole-admission-webhook.yml, type: clusterrole }
-      - { name: clusterrolebinding-admission-webhook, file: clusterrolebinding-admission-webhook.yml, type: clusterrolebinding }
-      - { name: role-admission-webhook, file: role-admission-webhook.yml, type: role }
-      - { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
-      - { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
-      - { name: svc-ingress-nginx-controller-admission, file: svc-ingress-nginx-controller-admission.yml, type: svc }
-
- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Template list for service
-  set_fact:
-    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_template_for_service }}"
-  when: not ingress_nginx_host_network
-
- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
-  set_fact:
-    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
-  when: ingress_nginx_webhook_enabled
-
- name: NGINX Ingress Controller | Create manifests
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}"
-    mode: "0644"
-  with_items: "{{ ingress_nginx_templates }}"
-  register: ingress_nginx_manifests
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
-
- name: NGINX Ingress Controller | Apply manifests
-  kube:
-    name: "{{ item.item.name }}"
-    namespace: "{{ ingress_nginx_namespace }}"
-    kubectl: "{{ bin_dir }}/kubectl"
-    resource: "{{ item.item.type }}"
-    filename: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.item.file }}"
-    state: "latest"
-  with_items: "{{ ingress_nginx_manifests.results }}"
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
--- a/Show More
+++ b/Show More