Add 'TEST PR' section to README

2026-03-02 17:28:59 -03:30 · 2026-02-03 16:51:05 +01:00
127 changed files with 2467 additions and 898 deletions
--- a/.gitlab-ci/kubevirt.yml
+++ b/.gitlab-ci/kubevirt.yml
@@ -41,8 +41,7 @@ pr:
          - debian12-cilium
          - debian13-cilium
          - fedora39-kube-router
-          - fedora41-kube-router
+          - openeuler24-calico
          - fedora42-calico
          - rockylinux9-cilium
          - rockylinux10-cilium
          - ubuntu22-calico-all-in-one
@@ -50,25 +49,13 @@ pr:
          - ubuntu24-calico-etcd-datastore
          - ubuntu24-calico-all-in-one-hardening
          - ubuntu24-cilium-sep
          - ubuntu24-crio-scale
          - ubuntu24-crio-upgrade
          - ubuntu24-flannel-collection
          - ubuntu24-kube-router-sep
          - ubuntu24-kube-router-svc-proxy
          - ubuntu24-ha-separate-etcd
          - flatcar4081-calico
          - fedora40-flannel-crio-collection-scale
 # This is for flakey test so they don't disrupt the PR worklflow too much.
 # Jobs here MUST have a open issue so we don't lose sight of them
 pr-flakey:
  extends: pr
  retry: 1
  parallel:
    matrix:
      - TESTCASE:
          - flatcar4081-calico # https://github.com/kubernetes-sigs/kubespray/issues/12309
          - openeuler24-calico # https://github.com/kubernetes-sigs/kubespray/issues/12877
 # The ubuntu24-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu24-calico-all-in-one:
  stage: deploy-part1
@@ -104,8 +91,6 @@ pr_full:
          - debian12-custom-cni-helm
          - fedora39-calico-swap-selinux
          - fedora39-crio
          - fedora41-calico-swap-selinux
          - fedora41-crio
          - ubuntu24-calico-ha-wireguard
          - ubuntu24-flannel-ha
          - ubuntu24-flannel-ha-once
@@ -165,7 +150,6 @@ periodic:
          - debian12-cilium-svc-proxy
          - fedora39-calico-selinux
          - fedora40-docker-calico
          - fedora41-calico-selinux
          - ubuntu24-calico-etcd-kubeadm-upgrade-ha
          - ubuntu24-calico-ha-recover
          - ubuntu24-calico-ha-recover-noquorum
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,6 +12,7 @@ To install development dependencies you can set up a python virtual env with the
 virtualenv venv
 source venv/bin/activate
 pip install -r tests/requirements.txt
 ansible-galaxy install -r tests/requirements.yml
 ```
 #### Linting
--- a/4
+++ b/4
@@ -35,8 +35,8 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.35.1/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.35.1/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl
 COPY *.yml ./
--- a/README.md
+++ b/README.md
@@ -1,3 +1,6 @@
 TEST PR 
 # Deploy a Production Ready Kubernetes Cluster
 ![Kubernetes Logo](https://raw.githubusercontent.com/kubernetes-sigs/kubespray/master/docs/img/kubernetes-logo.png)
@@ -89,13 +92,13 @@ vagrant up
 - **Flatcar Container Linux by Kinvolk**
 - **Debian** Bookworm, Bullseye, Trixie
 - **Ubuntu** 22.04, 24.04
- **CentOS Stream / RHEL** 9, 10
+- **CentOS Stream / RHEL** [9, 10](docs/operating_systems/rhel.md#rhel-8)
- **Fedora** 39, 40, 41, 42
+- **Fedora** 39, 40
 - **Fedora CoreOS** (see [fcos Note](docs/operating_systems/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
- **Oracle Linux** 9, 10
+- **Oracle Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
- **Alma Linux** 9, 10
+- **Alma Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
- **Rocky Linux** 9, 10 (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
+- **Rocky Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8) (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
 - **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/operating_systems/kylinlinux.md))
 - **Amazon Linux 2** (experimental: see [amazon linux notes](docs/operating_systems/amazonlinux.md))
 - **UOS Linux** (experimental: see [uos linux notes](docs/operating_systems/uoslinux.md))
@@ -111,11 +114,11 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.35.1
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.3
-  - [etcd](https://github.com/etcd-io/etcd) 3.6.8
+  - [etcd](https://github.com/etcd-io/etcd) 3.5.26
  - [docker](https://www.docker.com/) 28.3
  - [containerd](https://containerd.io/) 2.2.1
-  - [cri-o](http://cri-o.io/) 1.35.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) 1.34.4 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
  - [calico](https://github.com/projectcalico/calico) 3.30.6
@@ -127,7 +130,8 @@ Note:
  - [kube-vip](https://github.com/kube-vip/kube-vip) 1.0.3
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.4
+  - [coredns](https://github.com/coredns/coredns) 1.12.1
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
  - [argocd](https://argoproj.github.io/) 2.14.5
  - [helm](https://helm.sh/) 3.18.4
  - [metallb](https://metallb.universe.tf/) 0.13.9
@@ -201,6 +205,8 @@ See also [Network checker](docs/advanced/netcheck.md).
 ## Ingress Plugins
 - [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
 - [metallb](docs/ingress/metallb.md): the MetalLB bare-metal service LoadBalancer provider.
 ## Community docs and resources
--- a/3
+++ b/3
@@ -35,9 +35,6 @@ SUPPORTED_OS = {
  "fedora40"            => {box: "fedora/40-cloud-base",       user: "vagrant"},
  "fedora39-arm64"      => {box: "bento/fedora-39-arm64",      user: "vagrant"},
  "fedora40-arm64"      => {box: "bento/fedora-40",            user: "vagrant"},
  "fedora41"            => {box: "fedora/41-cloud-base",       user: "vagrant"},
  "fedora42"            => {box: "fedora/42-cloud-base",       user: "vagrant"},
  "fedora41-bento"      => {box: "bento/fedora-41",            user: "vagrant"},
  "opensuse"            => {box: "opensuse/Leap-15.6.x86_64",  user: "vagrant"},
  "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
  "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@@ -51,7 +51,7 @@ To generate kubespray inventory based on the terraform state file you can run th
 You should now have a inventory file named `inventory.ini` that you can use with kubespray, e.g.
 ```bash
-ansible-playbook -i contrib/terraform/gcp/inventory.ini cluster.yml -b -v
+ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 ```
 ## Variables
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -1006,7 +1006,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
  name              = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
  count             = var.number_of_gfs_nodes_no_floating_ip
  availability_zone = element(var.az_list, count.index)
-  image_id          = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
+  image_name        = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
  flavor_id         = var.flavor_gfs_node
  key_pair          = openstack_compute_keypair_v2.k8s.name
@@ -1078,7 +1078,7 @@ resource "openstack_networking_floatingip_associate_v2" "k8s_nodes" {
  port_id               = openstack_networking_port_v2.k8s_nodes_port[each.key].id
 }
-resource "openstack_blockstorage_volume_v3" "glusterfs_volume" {
+resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
  name        = "${var.cluster_name}-glusterfs_volume-${count.index + 1}"
  count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
  description = "Non-ephemeral volume for GlusterFS"
@@ -1088,5 +1088,5 @@ resource "openstack_blockstorage_volume_v3" "glusterfs_volume" {
 resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {
  count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
  instance_id = element(openstack_compute_instance_v2.glusterfs_node_no_floating_ip.*.id, count.index)
-  volume_id   = element(openstack_blockstorage_volume_v3.glusterfs_volume.*.id, count.index)
+  volume_id   = element(openstack_blockstorage_volume_v2.glusterfs_volume.*.id, count.index)
 }
--- a/docs/_sidebar.md
+++ b/docs/_sidebar.md
@@ -57,6 +57,7 @@
  * [Setting-up-your-first-cluster](/docs/getting_started/setting-up-your-first-cluster.md)
 * Ingress
  * [Alb Ingress Controller](/docs/ingress/alb_ingress_controller.md)
  * [Ingress Nginx](/docs/ingress/ingress_nginx.md)
  * [Kube-vip](/docs/ingress/kube-vip.md)
  * [Metallb](/docs/ingress/metallb.md)
 * Operating Systems
--- a/docs/advanced/cert_manager.md
+++ b/docs/advanced/cert_manager.md
@@ -30,7 +30,14 @@ If you don't have a TLS Root CA certificate and key available, you can create th
 A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
-For example, if you're using the Traefik ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
+To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true.
 ```ini
 # Nginx ingress controller deployment
 ingress_nginx_enabled: true
 ```
 For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -41,9 +48,9 @@ metadata:
  labels:
    prometheus: k8s
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: ca-issuer
 spec:
  ingressClassName: "traefik"
  tls:
  - hosts:
    - prometheus.example.com
@@ -65,8 +72,8 @@ Once deployed to your K8s cluster, every 3 months cert-manager will automaticall
 Please consult the official upstream documentation:
- [cert-manager Ingress Usage](https://cert-manager.io/usage/ingress/)
+- [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/)
- [cert-manager Ingress Tutorial](https://cert-manager.io/tutorials/acme/ingress/#step-3-assign-a-dns-name)
+- [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name)
 ### ACME
@@ -74,12 +81,12 @@ The ACME Issuer type represents a single account registered with the Automated C
 Certificates issued by public ACME servers are typically trusted by client’s computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most client’s web browsers. ACME certificates are typically free.
- [ACME Configuration](https://cert-manager.io/docs/configuration/acme/)
+- [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/)
- [ACME HTTP Validation](https://cert-manager.io/docs/tutorials/acme/http-validation/)
+- [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/)
-  - [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/)
+  - [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/)
- [ACME DNS Validation](https://cert-manager.io/docs/tutorials/acme/dns-validation/)
+- [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/)
-  - [DNS01 Challenges](https://cert-manager.io/docs/configuration/acme/dns01/)
+  - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
- [ACME FAQ](https://cert-manager.io/docs/troubleshooting/acme/)
+- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
 #### ACME With An Internal Certificate Authority
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -30,9 +30,9 @@ If the latest version supported according to pip is 6.7.0 it means you are runni
 Based on the table below and the available python version for your ansible host you should choose the appropriate ansible version to use with kubespray.
-|  Ansible Version  | Python Version |
+| Ansible Version | Python Version |
-|-------------------|----------------|
+|-----------------|----------------|
-| >=2.18.0, <2.19.0 | 3.11-3.13      |
+| >= 2.17.3       | 3.10-3.12      |
 ## Customize Ansible vars
@@ -78,6 +78,7 @@ The following tags are defined in playbooks:
 | crio                           | Configuring crio container engine for hosts           |
 | crun                           | Configuring crun runtime                              |
 | csi-driver                     | Configuring csi driver                                |
 | dashboard                      | Installing and configuring the Kubernetes Dashboard   |
 | dns                            | Remove dns entries when resetting                     |
 | docker                         | Configuring docker engine runtime for hosts           |
 | download                       | Fetching container images to a delegate host          |
--- a/docs/developers/ci-setup.md
+++ b/docs/developers/ci-setup.md
@@ -145,6 +145,7 @@ upstream_dns_servers:
  - 1.0.0.1
 # Extensions
 ingress_nginx_enabled: True
 helm_enabled: True
 cert_manager_enabled: True
 metrics_server_enabled: True
--- a/docs/developers/ci.md
+++ b/docs/developers/ci.md
@@ -13,8 +13,6 @@ debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: |
 debian13 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
@@ -33,14 +31,12 @@ debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ## docker
@@ -53,8 +49,6 @@ debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
--- a/docs/getting_started/getting-started.md
+++ b/docs/getting_started/getting-started.md
@@ -83,6 +83,32 @@ authentication. One can get a kubeconfig from kube_control_plane hosts
 For more information on kubeconfig and accessing a Kubernetes cluster, refer to
 the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
 ## Accessing Kubernetes Dashboard
 Supported version is kubernetes-dashboard v2.0.x :
 - Login option : token/kubeconfig by default
 - Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
 - Only serves over https
 Access is described in [dashboard docs](https://github.com/kubernetes/dashboard/tree/master/docs/user/accessing-dashboard). With kubespray's default deployment in kube-system namespace, instead of kubernetes-dashboard :
 - Proxy URL is <http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#/login>
 - kubectl commands must be run with "-n kube-system"
 Accessing through Ingress is highly recommended. For proxy access, please note that proxy must listen to [localhost](https://github.com/kubernetes/dashboard/issues/692#issuecomment-220492484) (`proxy  --address="x.x.x.x"` will not work)
 For token authentication, guide to create Service Account is provided in [dashboard sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md) doc. Still take care of default namespace.
 Access can also by achieved via ssh tunnel on a control plane :
 ```bash
 # localhost:8081 will be sent to control-plane-1's own localhost:8081
 ssh -L8001:localhost:8001 user@control-plane-1
 sudo -i
 kubectl proxy
 ```
 ## Accessing Kubernetes API
 The main client of Kubernetes is `kubectl`. It is installed on each kube_control_plane
--- a/docs/ingress/ingress_nginx.md
+++ b/docs/ingress/ingress_nginx.md
@@ -0,0 +1,203 @@
 # Installation Guide
 ## Contents
 - [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command)
  - [Provider Specific Steps](#provider-specific-steps)
    - [Docker for Mac](#docker-for-mac)
    - [minikube](#minikube)
    - [AWS](#aws)
    - [GCE - GKE](#gce-gke)
    - [Azure](#azure)
    - [Bare-metal](#bare-metal)
  - [Verify installation](#verify-installation)
  - [Detect installed version](#detect-installed-version)
 - [Using Helm](#using-helm)
 ## Prerequisite Generic Deployment Command
 !!! attention
    The default configuration watches Ingress object from *all the namespaces*.
    To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace.
 !!! warning
    If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions.
 !!! attention
    If you're using GKE you need to initialize your user as a cluster-admin with the following command:
 ```console
 kubectl create clusterrolebinding cluster-admin-binding \
 --clusterrole cluster-admin \
 --user $(gcloud config get-value account)
 ```
 The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version.
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml
 ```
 ### Provider Specific Steps
 There are cloud provider specific yaml files.
 #### Docker for Mac
 Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018))
 First you need to [enable kubernetes](https://docs.docker.com/docker-for-mac/#kubernetes).
 Then you have to create a service:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 #### minikube
 For standard usage:
 ```console
 minikube addons enable ingress
 ```
 For development:
 1. Disable the ingress addon:
 ```console
 minikube addons disable ingress
 ```
 1. Execute `make dev-env`
 1. Confirm the `nginx-ingress-controller` deployment exists:
 ```console
 $ kubectl get pods -n ingress-nginx
 NAME                                       READY     STATUS    RESTARTS   AGE
 default-http-backend-66b447d9cf-rrlf9      1/1       Running   0          12s
 nginx-ingress-controller-fdcdcd6dd-vvpgs   1/1       Running   0          11s
 ```
 #### AWS
 In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`.
 Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
 Please check the [elastic load balancing AWS details page](https://aws.amazon.com/elasticloadbalancing/details/)
 ##### Elastic Load Balancer - ELB
 This setup requires to choose in which layer (L4 or L7) we want to configure the Load Balancer:
 - [Layer 4](https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer): Use an Network Load Balancer (NLB) with TCP as the listener protocol for ports 80 and 443.
 - [Layer 7](https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer): Use an Elastic Load Balancer (ELB) with HTTP as the listener protocol for port 80 and terminate TLS in the ELB
 For L4:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml
 ```
 For L7:
 Change the value of `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` in the file `provider/aws/deploy-tls-termination.yaml` replacing the dummy id with a valid one. The dummy value is `"arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"`
 Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the [ELB Idle Timeouts section](#elb-idle-timeouts) for additional information. If a change is required, users will need to update the value of `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` in `provider/aws/deploy-tls-termination.yaml`
 Then execute:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 This example creates an ELB with just two listeners, one in port 80 and another in port 443
 ![Listeners](https://github.com/kubernetes/ingress-nginx/blob/main/docs/images/elb-l7-listener.png)
 ##### ELB Idle Timeouts
 In some scenarios users will need to modify the value of the ELB idle timeout.
 Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX.
 By default NGINX `keepalive_timeout` is set to `75s`.
 The default ELB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified,
 in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured.
 *Please Note: An idle timeout of `3600s` is recommended when using WebSockets.*
 More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html).
 ##### Network Load Balancer (NLB)
 This type of load balancer is supported since v1.10.0 as an ALPHA feature.
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml
 ```
 #### GCE-GKE
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 **Important Note:** proxy protocol is not supported in GCE/GKE
 #### Azure
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 #### Bare-metal
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
 ```
 !!! tip
    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md).
 ### Verify installation
 To check if the ingress controller pods have started, run the following command:
 ```console
 kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
 ```
 Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`.
 Now, you are ready to create your first ingress.
 ### Detect installed version
 To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller version` command.
 ```console
 POD_NAMESPACE=ingress-nginx
 POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
 ```
 ## Using Helm
 NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx).
 Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm)
 To install the chart with the release name `my-nginx`:
 ```console
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm install my-nginx ingress-nginx/ingress-nginx
 ```
 Detect installed version:
 ```console
 POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
 ```
--- a/docs/operating_systems/rhel.md
+++ b/docs/operating_systems/rhel.md
@@ -6,9 +6,9 @@ The documentation also applies to Red Hat derivatives, including Alma Linux, Roc
 The content of this section does not apply to open-source derivatives.
-In order to install packages via yum or dnf, RHEL hosts are required to be registered for a valid Red Hat support subscription.
+In order to install packages via yum or dnf, RHEL 7/8 hosts are required to be registered for a valid Red Hat support subscription.
-You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL hosts provisioned in Production environments.
+You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL 7/8 hosts provisioned in Production environments.
 Once you have a Red Hat support account, simply add the credentials to the Ansible inventory parameters `rh_subscription_username` and `rh_subscription_password` prior to deploying Kubespray. If your company has a Corporate Red Hat support account, then obtain an **Organization ID** and **Activation Key**, and add these to the Ansible inventory parameters `rh_subscription_org_id` and `rh_subscription_activation_key` instead of using your Red Hat support account credentials.
@@ -29,7 +29,15 @@ rh_subscription_role: "Red Hat Enterprise Server"
 rh_subscription_sla: "Self-Support"
 ```
-If the RHEL hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
+If the RHEL 8/9 hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
 ## RHEL 8
 If you have containers that are using iptables in the host network namespace (`hostNetwork=true`),
 you need to ensure they are using iptables-nft.
 An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)
 The kernel version is lower than the kubernetes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
 ## Rocky Linux 10
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -100,6 +100,8 @@ kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
 kubelet_seccomp_default: true
 kubelet_systemd_hardening: true
 # To disable kubelet's staticPodPath (for nodes that don't use static pods like worker nodes)
 kubelet_static_pod_path: ""
 # In case you have multiple interfaces in your
 # control plane nodes and you want to specify the right
 # IP addresses, kubelet_secure_addresses allows you
--- a/docs/operations/offline-environment.md
+++ b/docs/operations/offline-environment.md
@@ -85,7 +85,7 @@ crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-v{{ crictl_ve
 # If using Calico
 calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # If using Calico with kdd
-calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
+calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_version }}.tar.gz"
 # Containerd
 containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
 runc_download_url: "{{ files_repo }}/runc.{{ image_arch }}"
--- a/inventory/sample/group_vars/all/offline.yml
+++ b/inventory/sample/group_vars/all/offline.yml
@@ -44,7 +44,7 @@
 # [Optional] Calico: If using Calico network plugin
 # calicoctl_download_url: "{{ files_repo }}/github.com/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
-# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
+# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
 # [Optional] Cilium: If using Cilium network plugin
 # ciliumcli_download_url: "{{ files_repo }}/github.com/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -1,4 +1,8 @@
 ---
 # Kubernetes dashboard
 # RBAC required. see docs/getting-started.md for access details.
 # dashboard_enabled: false
 # Helm deployment
 helm_enabled: false
@@ -63,6 +67,39 @@ local_volume_provisioner_enabled: false
 # Gateway API CRDs
 gateway_api_enabled: false
 # Nginx ingress controller deployment
 ingress_nginx_enabled: false
 # ingress_nginx_host_network: false
 # ingress_nginx_service_type: LoadBalancer
 # ingress_nginx_service_annotations:
 #   example.io/loadbalancerIPs: 1.2.3.4
 # ingress_nginx_service_nodeport_http: 30080
 # ingress_nginx_service_nodeport_https: 30081
 ingress_publish_status_address: ""
 # ingress_nginx_nodeselector:
 #   kubernetes.io/os: "linux"
 # ingress_nginx_tolerations:
 #   - key: "node-role.kubernetes.io/control-plane"
 #     operator: "Equal"
 #     value: ""
 #     effect: "NoSchedule"
 # ingress_nginx_namespace: "ingress-nginx"
 # ingress_nginx_insecure_port: 80
 # ingress_nginx_secure_port: 443
 # ingress_nginx_configmap:
 #   map-hash-bucket-size: "128"
 #   ssl-protocols: "TLSv1.2 TLSv1.3"
 # ingress_nginx_configmap_tcp_services:
 #   9000: "default/example-go:8080"
 # ingress_nginx_configmap_udp_services:
 #   53: "kube-system/coredns:53"
 # ingress_nginx_extra_args:
 #   - --default-ssl-certificate=default/foo-tls
 # ingress_nginx_termination_grace_period_seconds: 300
 # ingress_nginx_class: nginx
 # ingress_nginx_without_class: true
 # ingress_nginx_default: false
 # ALB ingress controller deployment
 ingress_alb_enabled: false
 # alb_ingress_aws_region: "us-east-1"
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.18.0,<2.19.0"
+requires_ansible: ">=2.17.3"
--- a/pipeline.Dockerfile
+++ b/pipeline.Dockerfile
@@ -46,8 +46,8 @@ ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
    && pip install --break-system-packages --ignore-installed --no-compile --no-cache-dir pip -U \
    && pip install --break-system-packages --no-compile --no-cache-dir -r tests/requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.35.1/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.35.1/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && echo $(curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl \
    # Install Vagrant
    && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
--- a/playbooks/ansible_version.yml
+++ b/playbooks/ansible_version.yml
@@ -5,8 +5,8 @@
  become: false
  run_once: true
  vars:
-    minimal_ansible_version: 2.18.0
+    minimal_ansible_version: 2.17.3
-    maximal_ansible_version: 2.19.0
+    maximal_ansible_version: 2.18.0
  tags: always
  tasks:
    - name: "Check {{ minimal_ansible_version }} <= Ansible version < {{ maximal_ansible_version }}"
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
-ansible==11.13.0
+ansible==10.7.0
 # Needed for community.crypto module
-cryptography==46.0.5
+cryptography==46.0.4
 # Needed for jinja2 json_query templating
 jmespath==1.1.0
 # Needed for ansible.utils.ipaddr
--- a/roles/bastion-ssh-config/defaults/main.yml
+++ b/roles/bastion-ssh-config/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-ssh_bastion_config_name: ssh-bastion.conf
+ssh_bastion_confing__name: ssh-bastion.conf
--- a/roles/bastion-ssh-config/molecule/default/converge.yml
+++ b/roles/bastion-ssh-config/molecule/default/converge.yml
@@ -8,8 +8,8 @@
  tasks:
    - name: Copy config to remote host
      copy:
-        src: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
+        src: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
-        dest: "{{ ssh_bastion_config_name }}"
+        dest: "{{ ssh_bastion_confing__name }}"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0644"
--- a/roles/bastion-ssh-config/tasks/main.yml
+++ b/roles/bastion-ssh-config/tasks/main.yml
@@ -17,6 +17,6 @@
  delegate_to: localhost
  connection: local
  template:
-    src: "{{ ssh_bastion_config_name }}.j2"
+    src: "{{ ssh_bastion_confing__name }}.j2"
-    dest: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
+    dest: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
    mode: "0640"
--- a/roles/container-engine/cri-dockerd/handlers/main.yml
+++ b/roles/container-engine/cri-dockerd/handlers/main.yml
@@ -6,6 +6,12 @@
    masked: false
  listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | restart docker.service
  service:
    name: docker.service
    state: restarted
  listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | reload cri-dockerd.socket
  service:
    name: cri-dockerd.socket
--- a/roles/container-engine/docker/templates/docker.service.j2
+++ b/roles/container-engine/docker/templates/docker.service.j2
@@ -30,7 +30,7 @@ LimitCORE=infinity
 TimeoutStartSec=1min
 # restart the docker process if it exits prematurely
 Restart=on-failure
-StartLimitBurst=10
+StartLimitBurst=3
 StartLimitInterval=60s
 # Set the cgroup slice of the service so that kube reserved takes effect
 {% if kube_reserved is defined and kube_reserved|bool %}
--- a/roles/container-engine/meta/main.yml
+++ b/roles/container-engine/meta/main.yml
@@ -0,0 +1,58 @@
 # noqa role-name - this is a meta role that doesn't need a name
 ---
 dependencies:
  - role: container-engine/validate-container-engine
    tags:
      - container-engine
      - validate-container-engine
  - role: container-engine/kata-containers
    when:
      - kata_containers_enabled
    tags:
      - container-engine
      - kata-containers
  - role: container-engine/gvisor
    when:
      - gvisor_enabled
      - container_manager in ['docker', 'containerd']
    tags:
      - container-engine
      - gvisor
  - role: container-engine/crun
    when:
      - crun_enabled
    tags:
      - container-engine
      - crun
  - role: container-engine/youki
    when:
      - youki_enabled
      - container_manager == 'crio'
    tags:
      - container-engine
      - youki
  - role: container-engine/cri-o
    when:
      - container_manager == 'crio'
    tags:
      - container-engine
      - crio
  - role: container-engine/containerd
    when:
      - container_manager == 'containerd'
    tags:
      - container-engine
      - containerd
  - role: container-engine/cri-dockerd
    when:
      - container_manager == 'docker'
    tags:
      - container-engine
      - docker
--- a/roles/container-engine/tasks/main.yml
+++ b/roles/container-engine/tasks/main.yml
@@ -1,48 +0,0 @@
 ---
 - name: Validate container engine
  import_role:
    name: container-engine/validate-container-engine
  tags:
    - container-engine
    - validate-container-engine
 - name: Container runtimes
  include_role:
    name: "container-engine/{{ item.role }}"
    apply:
      tags:
        - container-engine
        - "{{ item.role }}"
  loop:
    - { role: 'kata-containers', enabled: "{{ kata_containers_enabled }}" }
    - { role: 'gvisor', enabled: "{{ gvisor_enabled and container_manager in ['docker', 'containerd'] }}" }
    - { role: 'crun', enabled: "{{ crun_enabled }}" }
    - { role: 'youki', enabled: "{{ youki_enabled and container_manager == 'crio' }}" }
  # TODO: Technically, this is more container-runtime than engine
  when: item.enabled
  tags:
    - container-engine
    - kata-containers
    - gvisor
    - crun
    - youki
 - name: Container Manager
  vars:
    container_manager_role:
      crio: cri-o
      docker: cri-dockerd
      containerd: containerd
  include_role:
    name: "container-engine/{{ container_manager_role[container_manager] }}"
    apply:
      tags:
        - container-engine
        - crio
        - docker
        - containerd
  tags:
    - container-engine
    - crio
    - docker
    - containerd
--- a/roles/etcd/handlers/backup.yml
+++ b/roles/etcd/handlers/backup.yml
@@ -34,7 +34,6 @@
  when:
    - etcd_data_dir_member.stat.exists
    - etcd_cluster_is_healthy.rc == 0
    - etcd_version is version('3.6.0', '<')
  command: >-
    {{ bin_dir }}/etcdctl backup
      --data-dir {{ etcd_data_dir }}
--- a/roles/etcd/tasks/clean_v2_store.yml
+++ b/roles/etcd/tasks/clean_v2_store.yml
@@ -1,43 +0,0 @@
 ---
 # When upgrading from etcd 3.5 to 3.6, need to clean up v2 store before upgrading.
 # Without this, etcd 3.6 will crash with following error:
 #   "panic: detected disallowed v2 WAL for stage --v2-deprecation=write-only [recovered]"
 - name: Cleanup v2 store when upgrade etcd from <3.6 to >=3.6
  when:
    - etcd_cluster_setup
    - etcd_current_version != ''
    - etcd_current_version is version('3.6.0', '<')
    - etcd_version is version('3.6.0', '>=')
  block:
    - name: Ensure etcd version is >=3.5.26
      when:
        - etcd_current_version is version('3.5.26', '<')
      fail:
        msg: "You need to upgrade etcd to 3.5.26 or later before upgrade to 3.6. Current version is {{ etcd_current_version }}."
    # Workarounds:
    # Disable --enable-v2 (recommended in 20289) and do workaround of 20231 (MAX_WALS=1 and SNAPSHOT_COUNT=1)
    # - https://github.com/etcd-io/etcd/issues/20809
    # - https://github.com/etcd-io/etcd/discussions/20231#discussioncomment-13958051
    - name: Change etcd configuration temporally to limit number of WALs and snapshots to clean up v2 store
      ansible.builtin.lineinfile:
        path: /etc/etcd.env
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^ETCD_SNAPSHOT_COUNT=', line: 'ETCD_SNAPSHOT_COUNT=1' }
        - { regexp: '^ETCD_MAX_WALS=', line: 'ETCD_MAX_WALS=1' }
        - { regexp: '^ETCD_MAX_SNAPSHOTS=', line: 'ETCD_MAX_SNAPSHOTS=1' }
        - { regexp: '^ETCD_ENABLE_V2=', line: 'ETCD_ENABLE_V2=false' }
    # Restart etcd to apply temporal configuration and prevent some upgrade failures
    # See also: https://etcd.io/blog/2025/upgrade_from_3.5_to_3.6_issue_followup/
    - name: Stop etcd
      service:
        name: etcd
        state: stopped
    - name: Start etcd
      service:
        name: etcd
        state: started
--- a/roles/etcd/tasks/install_docker.yml
+++ b/roles/etcd/tasks/install_docker.yml
@@ -23,14 +23,6 @@
    - etcd_events_cluster_setup
    - etcd_image_tag not in etcd_events_current_docker_image.stdout | default('')
 - name: Get currently-deployed etcd version as x.y.z format
  set_fact:
    etcd_current_version: "{{ (etcd_current_docker_image.stdout | regex_search('.*:v([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
  when: etcd_cluster_setup
 - name: Cleanup v2 store data
  import_tasks: clean_v2_store.yml
 - name: Install etcd launch script
  template:
    src: etcd.j2
--- a/roles/etcd/tasks/install_host.yml
+++ b/roles/etcd/tasks/install_host.yml
@@ -21,14 +21,6 @@
    - etcd_events_cluster_setup
    - etcd_version not in etcd_current_host_version.stdout | default('')
 - name: Get currently-deployed etcd version as x.y.z format
  set_fact:
    etcd_current_version: "{{ (etcd_current_host_version.stdout | regex_search('etcd Version: ([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
  when: etcd_cluster_setup
 - name: Cleanup v2 store data
  import_tasks: clean_v2_store.yml
 - name: Install | Copy etcd binary from download dir
  copy:
    src: "{{ local_release_dir }}/etcd-v{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -53,12 +53,6 @@
    - control-plane
    - network
 - name: Install etcd
  include_tasks: "install_{{ etcd_deployment_type }}.yml"
  when: ('etcd' in group_names)
  tags:
    - upgrade
 - name: Install etcdctl and etcdutl binary
  import_role:
    name: etcdctl_etcdutl
@@ -70,6 +64,12 @@
    - ('etcd' in group_names)
    - etcd_cluster_setup
 - name: Install etcd
  include_tasks: "install_{{ etcd_deployment_type }}.yml"
  when: ('etcd' in group_names)
  tags:
    - upgrade
 - name: Configure etcd
  include_tasks: configure.yml
  when: ('etcd' in group_names)
--- a/roles/etcd/templates/etcd.env.j2
+++ b/roles/etcd/templates/etcd.env.j2
@@ -25,6 +25,8 @@ ETCD_MAX_REQUEST_BYTES={{ etcd_max_request_bytes }}
 ETCD_LOG_LEVEL={{ etcd_log_level }}
 ETCD_MAX_SNAPSHOTS={{ etcd_max_snapshots }}
 ETCD_MAX_WALS={{ etcd_max_wals }}
 # Flannel need etcd v2 API
 ETCD_ENABLE_V2=true
 # TLS settings
 ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -11,7 +11,6 @@ dns_nodes_per_replica: 16
 dns_cores_per_replica: 256
 dns_prevent_single_point_failure: "{{ 'true' if dns_min_replicas | int > 1 else 'false' }}"
 enable_coredns_reverse_dns_lookups: true
 coredns_svc_name: "coredns"
 coredns_ordinal_suffix: ""
 # dns_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
 coredns_affinity:
@@ -119,5 +118,29 @@ netchecker_agent_log_level: 5
 netchecker_server_log_level: 5
 netchecker_etcd_log_level: info
 # Dashboard
 dashboard_replicas: 1
 # Namespace for dashboard
 dashboard_namespace: kube-system
 # Limits for dashboard
 dashboard_cpu_limit: 100m
 dashboard_memory_limit: 256M
 dashboard_cpu_requests: 50m
 dashboard_memory_requests: 64M
 # Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
 # contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
 dashboard_use_custom_certs: false
 dashboard_certs_secret_name: kubernetes-dashboard-certs
 dashboard_tls_key_file: dashboard.key
 dashboard_tls_cert_file: dashboard.crt
 dashboard_master_toleration: true
 # Override dashboard default settings
 dashboard_token_ttl: 900
 dashboard_skip_login: false
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -109,3 +109,15 @@
    - netchecker-server-clusterrolebinding.yml.j2
    - netchecker-server-deployment.yml.j2
    - netchecker-server-svc.yml.j2
 - name: Kubernetes Apps | Dashboard
  command:
    cmd: "{{ kubectl_apply_stdin }}"
    stdin: "{{ lookup('template', 'dashboard.yml.j2') }}"
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  vars:
    k8s_namespace: "{{ dashboard_namespace }}"
  when: dashboard_enabled
  tags:
    - dashboard
--- a/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ coredns_svc_name }}{{ coredns_ordinal_suffix }}
+  name: coredns{{ coredns_ordinal_suffix }}
  namespace: kube-system
  labels:
    k8s-app: kube-dns{{ coredns_ordinal_suffix }}
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -0,0 +1,323 @@
 # Copyright 2017 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # Configuration to deploy release version of the Dashboard UI compatible with
 # Kubernetes 1.8.
 #
 # Example usage: kubectl create -f <this_file>
 {% if k8s_namespace != 'kube-system' %}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ k8s_namespace }}
  labels:
    name: {{ k8s_namespace }}
 {% endif %}
 ---
 # ------------------- Dashboard Secrets ------------------- #
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
 type: Opaque
 data:
  csrf: ""
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
 type: Opaque
 ---
 # ------------------- Dashboard ConfigMap ------------------- #
 kind: ConfigMap
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
 ---
 # ------------------- Dashboard Service Account ------------------- #
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 ---
 # ------------------- Dashboard Role & Role Binding ------------------- #
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: {{ k8s_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: {{ k8s_namespace }}
 ---
 # ------------------- Dashboard Deployment ------------------- #
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 spec:
  replicas: {{ dashboard_replicas }}
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      containers:
        - name: kubernetes-dashboard
          image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          resources:
            limits:
              cpu: {{ dashboard_cpu_limit }}
              memory: {{ dashboard_memory_limit }}
            requests:
              cpu: {{ dashboard_cpu_requests }}
              memory: {{ dashboard_memory_requests }}
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --namespace={{ k8s_namespace }}
 {% if dashboard_use_custom_certs %}
            - --tls-key-file={{ dashboard_tls_key_file }}
            - --tls-cert-file={{ dashboard_tls_cert_file }}
 {% else %}
            - --auto-generate-certificates
 {% endif %}
 {% if dashboard_skip_login %}
            - --enable-skip-login
 {% endif %}
            - --authentication-mode=token
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
            - --token-ttl={{ dashboard_token_ttl }}
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: {{ dashboard_certs_secret_name }}
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
 {% if dashboard_master_toleration %}
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
 {% endif %}
 ---
 # ------------------- Dashboard Service ------------------- #
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
 ---
 # ------------------- Metrics Scraper Service Account ------------------- #
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
 ---
 # ------------------- Metrics Scraper Service  ------------------- #
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-metrics-scraper
  name: dashboard-metrics-scraper
 spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: kubernetes-metrics-scraper
 ---
 # ------------------- Metrics Scraper Deployment  ------------------- #
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: kubernetes-metrics-scraper
  name: kubernetes-metrics-scraper
 spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: kubernetes-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      containers:
        - name: kubernetes-metrics-scraper
          image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }}
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
      serviceAccountName: kubernetes-dashboard
      volumes:
      - name: tmp-volume
        emptyDir: {}
 {% if dashboard_master_toleration %}
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
 {% endif %}
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
@@ -21,7 +21,7 @@ external_openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
 ##    arg1: "value1"
 ##    arg2: "value2"
 external_openstack_cloud_controller_extra_args: {}
-external_openstack_cloud_controller_image_tag: "v1.35.0"
+external_openstack_cloud_controller_image_tag: "v1.32.0"
 external_openstack_cloud_controller_bind_address: 127.0.0.1
 external_openstack_cloud_controller_dns_policy: ClusterFirst
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml
@@ -0,0 +1,28 @@
 ---
 ingress_nginx_namespace: "ingress-nginx"
 ingress_nginx_host_network: false
 ingress_nginx_service_type: LoadBalancer
 ingress_nginx_service_nodeport_http: ""
 ingress_nginx_service_nodeport_https: ""
 ingress_nginx_service_annotations: {}
 ingress_publish_status_address: ""
 ingress_nginx_publish_service: "{{ ingress_nginx_namespace }}/ingress-nginx"
 ingress_nginx_nodeselector:
  kubernetes.io/os: "linux"
 ingress_nginx_tolerations: []
 ingress_nginx_insecure_port: 80
 ingress_nginx_secure_port: 443
 ingress_nginx_metrics_port: 10254
 ingress_nginx_configmap: {}
 ingress_nginx_configmap_tcp_services: {}
 ingress_nginx_configmap_udp_services: {}
 ingress_nginx_extra_args: []
 ingress_nginx_termination_grace_period_seconds: 300
 ingress_nginx_class: nginx
 ingress_nginx_without_class: true
 ingress_nginx_default: false
 ingress_nginx_webhook_enabled: false
 ingress_nginx_webhook_job_ttl: 1800
 ingress_nginx_opentelemetry_enabled: false
 ingress_nginx_probe_initial_delay_seconds: 10
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
@@ -0,0 +1,69 @@
 ---
 - name: NGINX Ingress Controller | Create addon dir
  file:
    path: "{{ kube_config_dir }}/addons/ingress_nginx"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
 - name: NGINX Ingress Controller | Templates list
  set_fact:
    ingress_nginx_templates:
      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
      - { name: cm-ingress-nginx, file: cm-ingress-nginx.yml, type: cm }
      - { name: cm-tcp-services, file: cm-tcp-services.yml, type: cm }
      - { name: cm-udp-services, file: cm-udp-services.yml, type: cm }
      - { name: sa-ingress-nginx, file: sa-ingress-nginx.yml, type: sa }
      - { name: clusterrole-ingress-nginx, file: clusterrole-ingress-nginx.yml, type: clusterrole }
      - { name: clusterrolebinding-ingress-nginx, file: clusterrolebinding-ingress-nginx.yml, type: clusterrolebinding }
      - { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
      - { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
      - { name: ingressclass-nginx, file: ingressclass-nginx.yml, type: ingressclass }
      - { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
    ingress_nginx_template_for_service:
      - { name: svc-ingress-nginx, file: svc-ingress-nginx.yml, type: svc }
    ingress_nginx_templates_for_webhook:
      - { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
      - { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
      - { name: clusterrole-admission-webhook, file: clusterrole-admission-webhook.yml, type: clusterrole }
      - { name: clusterrolebinding-admission-webhook, file: clusterrolebinding-admission-webhook.yml, type: clusterrolebinding }
      - { name: role-admission-webhook, file: role-admission-webhook.yml, type: role }
      - { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
      - { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
      - { name: svc-ingress-nginx-controller-admission, file: svc-ingress-nginx-controller-admission.yml, type: svc }
 - name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Template list for service
  set_fact:
    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_template_for_service }}"
  when: not ingress_nginx_host_network
 - name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
  set_fact:
    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
  when: ingress_nginx_webhook_enabled
 - name: NGINX Ingress Controller | Create manifests
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}"
    mode: "0644"
  with_items: "{{ ingress_nginx_templates }}"
  register: ingress_nginx_manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
 - name: NGINX Ingress Controller | Apply manifests
  kube:
    name: "{{ item.item.name }}"
    namespace: "{{ ingress_nginx_namespace }}"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.item.file }}"
    state: "latest"
  with_items: "{{ ingress_nginx_manifests.results }}"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2
@@ -0,0 +1,7 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ ingress_nginx_namespace }}
  labels:
    name: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2
@@ -0,0 +1,30 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: {{ ingress_nginx_namespace }}
      path: /networking/v1/ingresses
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
@@ -0,0 +1,96 @@
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission-create
  namespace: {{ ingress_nginx_namespace }}
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: create
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission-patch
  namespace: {{ ingress_nginx_namespace }}
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2
@@ -0,0 +1,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 rules:
 - apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
@@ -0,0 +1,36 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 rules:
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2
@@ -0,0 +1,16 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2
@@ -0,0 +1,16 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap %}
 data:
  {{ ingress_nginx_configmap | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: tcp-services
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap_tcp_services %}
 data:
  {{ ingress_nginx_configmap_tcp_services | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: udp-services
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap_udp_services %}
 data:
  {{ ingress_nginx_configmap_udp_services | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
@@ -0,0 +1,201 @@
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: ingress-nginx-controller
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: {{ ingress_nginx_termination_grace_period_seconds }}
 {% if ingress_nginx_opentelemetry_enabled %}
      initContainers:
      - name: opentelemetry
        command:
        - /init_module
        image: {{ ingress_nginx_opentelemetry_image_repo }}:{{ ingress_nginx_opentelemetry_image_tag }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          readOnlyRootFilesystem: false
          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /modules_mount
          name: modules
 {% endif %}
 {% if ingress_nginx_host_network %}
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
 {% endif %}
 {% if ingress_nginx_nodeselector %}
      nodeSelector:
        {{ ingress_nginx_nodeselector | to_nice_yaml | indent(width=8) }}
 {%- endif %}
 {% if ingress_nginx_tolerations %}
      tolerations:
        {{ ingress_nginx_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
 {% endif %}
      priorityClassName: {% if ingress_nginx_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      containers:
        - name: ingress-nginx-controller
          image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/ingress-nginx
            - --election-id=ingress-controller-leader-{{ ingress_nginx_class }}
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
            - --ingress-class={{ ingress_nginx_class }}
 {% if ingress_nginx_without_class %}
            - --watch-ingress-without-class=true
 {% endif %}
 {% if ingress_publish_status_address != "" %}
            - --publish-status-address={{ ingress_publish_status_address }}
 {% elif ingress_nginx_host_network %}
            - --report-node-internal-ip-address
 {% elif ingress_nginx_publish_service != "" %}
            - --publish-service={{ ingress_nginx_publish_service }}
 {% endif %}
 {% for extra_arg in ingress_nginx_extra_args %}
            - {{ extra_arg }}
 {% endfor %}
 {% if ingress_nginx_webhook_enabled %}
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
 {% endif %}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
              - NET_BIND_SERVICE
              drop:
              - ALL
            readOnlyRootFilesystem: false
            runAsGroup: 82
            runAsNonRoot: true
            runAsUser: 101
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          ports:
            - name: http
              containerPort: 80
              hostPort: {{ ingress_nginx_insecure_port }}
            - name: https
              containerPort: 443
              hostPort: {{ ingress_nginx_secure_port }}
            - name: metrics
              containerPort: 10254
 {% if not ingress_nginx_host_network %}
              hostPort: {{ ingress_nginx_metrics_port }}
 {% endif %}
 {% if ingress_nginx_configmap_tcp_services %}
 {% for port in ingress_nginx_configmap_tcp_services.keys() %}
            - name: tcp-port-{{ port }}
              containerPort: {{ port | int }}
              protocol: TCP
 {% if not ingress_nginx_host_network %}
              hostPort: {{ port | int }}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_configmap_udp_services %}
 {% for port in ingress_nginx_configmap_udp_services.keys() %}
            - name: udp-port-{{ port }}
              containerPort: {{ port | int }}
              protocol: UDP
 {% if not ingress_nginx_host_network %}
              hostPort: {{ port | int }}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_webhook_enabled %}
            - name: webhook
              containerPort: 8443
              protocol: TCP
 {% endif %}
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
 {% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
          volumeMounts:
 {% if ingress_nginx_webhook_enabled %}
            - mountPath: /usr/local/certificates/
              name: webhook-cert
              readOnly: true
 {% endif %}
 {% if ingress_nginx_opentelemetry_enabled %}
            - name: modules
              mountPath: /modules_mount
 {% endif %}
 {% endif %}
 {% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
      volumes:
 {% if ingress_nginx_webhook_enabled %}
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
 {% endif %}
 {% if ingress_nginx_opentelemetry_enabled %}
        - name: modules
          emptyDir: {}
 {% endif %}
 {% endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2
@@ -0,0 +1,13 @@
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
  name: {{ ingress_nginx_class }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_default %}
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
 {% endif %}
 spec:
  controller: k8s.io/ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
@@ -0,0 +1,17 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
 rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
@@ -0,0 +1,47 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps", "pods", "secrets", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    # Defaults to "<election-id>", defined in
    # ds-ingress-nginx-controller.yml.js
    # by a command-line argument.
    #
    # This is the correct behaviour for ingress-controller
    # version 1.8.1
    resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class }}"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
@@ -0,0 +1,17 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
@@ -0,0 +1,17 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
@@ -0,0 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
@@ -0,0 +1,9 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
@@ -0,0 +1,18 @@
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-controller-admission
  namespace: {{ ingress_nginx_namespace }}
 spec:
  type: ClusterIP
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
@@ -0,0 +1,50 @@
 {% if not ingress_nginx_host_network %}
 apiVersion: v1
 kind: Service
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_service_annotations %}
  annotations:
    {{ ingress_nginx_service_annotations | to_nice_yaml(indent=2, width=1337) | indent(width=4) }}
 {% endif %}
 spec:
  type: {{ ingress_nginx_service_type }}
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
 {% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_http %}
      nodePort: {{ingress_nginx_service_nodeport_http | int}}
 {% endif %}
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
 {% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_https %}
      nodePort: {{ingress_nginx_service_nodeport_https | int}}
 {% endif %}
 {% if ingress_nginx_configmap_tcp_services %}
 {% for port in ingress_nginx_configmap_tcp_services.keys() %}
    - name: tcp-port-{{ port }}
      port: {{ port | int }}
      targetPort: {{ port | int }}
      protocol: TCP
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_configmap_udp_services %}
 {% for port in ingress_nginx_configmap_udp_services.keys() %}
    - name: udp-port-{{ port }}
      port: {{ port | int }}
      targetPort: {{ port | int }}
      protocol: UDP
 {% endfor %}
 {% endif %}
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% endif %}
--- a/roles/kubernetes-apps/ingress_controller/meta/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/meta/main.yml
@@ -1,5 +1,12 @@
 ---
 dependencies:
  - role: kubernetes-apps/ingress_controller/ingress_nginx
    when: ingress_nginx_enabled
    tags:
      - apps
      - ingress-controller
      - ingress-nginx
  - role: kubernetes-apps/ingress_controller/cert_manager
    when: cert_manager_enabled
    tags:
--- a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2
+++ b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2
@@ -58,6 +58,12 @@ rules:
  verbs:
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - nodes/proxy
  verbs:
  - get
 - apiGroups:
  - topology.node.k8s.io
  resources:
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
@@ -114,14 +114,4 @@ rules:
      - update
      # watch for changes
      - watch
  # Services are monitored for service LoadBalancer IP allocation
  - apiGroups: [""]
    resources:
      - services
      - services/status
    verbs:
      - get
      - list
      - update
      - watch
 {% endif %}
--- a/roles/kubernetes-apps/registry/tasks/main.yml
+++ b/roles/kubernetes-apps/registry/tasks/main.yml
@@ -43,12 +43,12 @@
      - { name: registry-cm, file: registry-cm.yml, type: cm }
      - { name: registry-rs, file: registry-rs.yml, type: rs }
- name: Registry | Append ingress templates to Registry Templates list when ALB ingress enabled
+- name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled
  set_fact:
    registry_templates: "{{ registry_templates + [item] }}"
  with_items:
    - [{ name: registry-ing, file: registry-ing.yml, type: ing }]
-  when: ingress_alb_enabled
+  when: ingress_nginx_enabled or ingress_alb_enabled
 - name: Registry | Create manifests
  template:
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -26,7 +26,7 @@
    mode: "0700"
    state: directory
- name: Write admin kubeconfig to current/ansible become user home
+- name: Copy admin kubeconfig to current/ansible become user home
  copy:
    src: "{{ kube_config_dir }}/admin.conf"
    dest: "{{ ansible_env.HOME | default('/root') }}/.kube/config"
@@ -51,38 +51,41 @@
    port: "{{ kube_apiserver_port }}"
    timeout: 180
- name: Create kubeconfig localhost artifacts
+- name: Get admin kubeconfig from remote host
  slurp:
    src: "{{ kube_config_dir }}/admin.conf"
  run_once: true
  register: raw_admin_kubeconfig
  when: kubeconfig_localhost
  block:
    - name: Generate admin kubeconfig using kubeadm
      command: >-
        {{ bin_dir }}/kubeadm kubeconfig user
        --client-name=kubernetes-admin-{{ cluster_name }}
        --org=kubeadm:cluster-admins
        --config {{ kube_config_dir }}/kubeadm-config.yaml
      register: kubeadm_admin_kubeconfig
      changed_when: false
      run_once: true
      delegate_to: "{{ groups['kube_control_plane'][0] }}"
-    - name: Write admin kubeconfig on ansible host
+- name: Convert kubeconfig to YAML
-      copy:
+  set_fact:
-        content: "{{ kubeadm_admin_kubeconfig.stdout | from_yaml | combine(override, recursive=true) | to_nice_yaml(indent=2) }}"
+    admin_kubeconfig: "{{ raw_admin_kubeconfig.content | b64decode | from_yaml }}"
-        dest: "{{ artifacts_dir }}/admin.conf"
+  when: kubeconfig_localhost
-        mode: "0600"
+
-      vars:
+- name: Override username in kubeconfig
-        admin_kubeconfig: "{{ kubeadm_admin_kubeconfig.stdout | from_yaml }}"
+  set_fact:
-        context: "kubernetes-admin-{{ cluster_name }}@{{ cluster_name }}"
+    final_admin_kubeconfig: "{{ admin_kubeconfig | combine(override_cluster_name, recursive=true) | combine(override_context, recursive=true) | combine(override_user, recursive=true) }}"
-        override:
+  vars:
-          clusters:
+    cluster_infos: "{{ admin_kubeconfig['clusters'][0]['cluster'] }}"
-            - "{{ admin_kubeconfig['clusters'][0] | combine({'name': cluster_name, 'cluster': admin_kubeconfig['clusters'][0]['cluster'] | combine({'server': 'https://' + (external_apiserver_address | ansible.utils.ipwrap) + ':' + (external_apiserver_port | string)})}, recursive=true) }}"
+    user_certs: "{{ admin_kubeconfig['users'][0]['user'] }}"
-          contexts:
+    username: "kubernetes-admin-{{ cluster_name }}"
-            - "{{ admin_kubeconfig['contexts'][0] | combine({'name': context, 'context': admin_kubeconfig['contexts'][0]['context'] | combine({'cluster': cluster_name})}, recursive=true) }}"
+    context: "kubernetes-admin-{{ cluster_name }}@{{ cluster_name }}"
-          current-context: "{{ context }}"
+    override_cluster_name: "{{ {'clusters': [{'cluster': (cluster_infos | combine({'server': 'https://' + (external_apiserver_address | ansible.utils.ipwrap) + ':' + (external_apiserver_port | string)})), 'name': cluster_name}]} }}"
-      delegate_to: localhost
+    override_context: "{{ {'contexts': [{'context': {'user': username, 'cluster': cluster_name}, 'name': context}], 'current-context': context} }}"
-      connection: local
+    override_user: "{{ {'users': [{'name': username, 'user': user_certs}]} }}"
-      become: false
+  when: kubeconfig_localhost
-      run_once: true
+
 - name: Write admin kubeconfig on ansible host
  copy:
    content: "{{ final_admin_kubeconfig | to_nice_yaml(indent=2) }}"
    dest: "{{ artifacts_dir }}/admin.conf"
    mode: "0600"
  delegate_to: localhost
  connection: local
  become: false
  run_once: true
  when: kubeconfig_localhost
 - name: Copy kubectl binary to ansible host
  fetch:
--- a/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml
@@ -0,0 +1,17 @@
 ---
 - name: Update server field in component kubeconfigs
  lineinfile:
    dest: "{{ kube_config_dir }}/{{ item }}"
    regexp: '^    server: https'
    line: '    server: {{ kube_apiserver_endpoint }}'
    backup: true
  with_items:
    - admin.conf
    - controller-manager.conf
    - kubelet.conf
    - scheduler.conf
  notify:
    - "Control plane | Restart kube-controller-manager"
    - "Control plane | Restart kube-scheduler"
    - "Control plane | reload kubelet"
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -36,7 +36,7 @@
      - "localhost"
      - "127.0.0.1"
      - "::1"
-      - "{{ apiserver_loadbalancer_domain_name | d('') }}"
+      - "{{ apiserver_loadbalancer_domain_name }}"
      - "{{ loadbalancer_apiserver.address | d('') }}"
      - "{{ supplementary_addresses_in_ssl_keys }}"
      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') }}"
--- a/roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml
+++ b/roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml
@@ -0,0 +1,18 @@
 ---
 - name: Fixup kubelet client cert rotation 1/2
  lineinfile:
    path: "{{ kube_config_dir }}/kubelet.conf"
    regexp: '^    client-certificate-data: '
    line: '    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem'
    backup: true
  notify:
    - "Control plane | reload kubelet"
 - name: Fixup kubelet client cert rotation 2/2
  lineinfile:
    path: "{{ kube_config_dir }}/kubelet.conf"
    regexp: '^    client-key-data: '
    line: '    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem'
    backup: true
  notify:
    - "Control plane | reload kubelet"
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -99,6 +99,9 @@
  include_tasks: kubeadm-etcd.yml
  when: etcd_deployment_type == "kubeadm"
 - name: Include kubeadm secondary server apiserver fixes
  include_tasks: kubeadm-fix-apiserver.yml
 - name: Cleanup unused AuthorizationConfiguration file versions
  file:
    path: "{{ kube_config_dir }}/apiserver-authorization-config-{{ item }}.yaml"
@@ -106,6 +109,10 @@
  loop: "{{ ['v1alpha1', 'v1beta1', 'v1'] | reject('equalto', kube_apiserver_authorization_config_api_version) | list }}"
  when: kube_apiserver_use_authorization_config_file
 - name: Include kubelet client cert rotation fixes
  include_tasks: kubelet-fix-client-cert-rotation.yml
  when: kubelet_rotate_certificates
 - name: Install script to renew K8S control plane certificates
  template:
    src: k8s-certs-renew.sh.j2
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -429,9 +429,6 @@ featureGates:
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 {% if kube_version is version('1.35.0', '>=') %}
 failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
 {% endif %}
 clusterDNS:
 {% for dns_address in kubelet_cluster_dns %}
 - {{ dns_address }}
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -563,9 +563,6 @@ featureGates:
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 {% if kube_version is version('1.35.0', '>=') %}
 failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
 {% endif %}
 clusterDNS:
 {% for dns_address in kubelet_cluster_dns %}
 - {{ dns_address }}
--- a/roles/kubernetes/kubeadm_common/tasks/main.yml
+++ b/roles/kubernetes/kubeadm_common/tasks/main.yml
@@ -3,19 +3,9 @@
  file:
    path: "{{ kubeadm_patches_dir }}"
    state: directory
-    mode: "0750"
+    mode: "0640"
  when: kubeadm_patches | length > 0
 - name: Kubeadm | List existing kubeadm patches
  find:
    paths:
      - "{{ kubeadm_patches_dir }}"
    file_type: file
    use_regex: true
    patterns:
      - '^(kube-apiserver|kube-controller-manager|kube-scheduler|etcd|kubeletconfiguration)[0-9]+\+(strategic|json|merge).yaml$'
  register: existing_kubeadm_patches
 - name: Kubeadm | Copy kubeadm patches from inventory files
  copy:
    content: "{{ item.patch | to_yaml }}"
@@ -25,13 +15,3 @@
  loop: "{{ kubeadm_patches }}"
  loop_control:
    index_var: suffix
  register: current_kubeadm_patches
 - name: Kubeadm | Delete old patches
  loop: "{{ existing_kubeadm_patches.files | map(attribute='path') |
            difference(
            current_kubeadm_patches.results | map(attribute='dest')
            ) }}"
  file:
    state: absent
    path: "{{ item }}"
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -180,6 +180,9 @@ kube_proxy_ipvs_modules:
  - ip_vs_wlc
  - ip_vs_lc
 # Set this option to "" (empty) to disable staticPodPath (See docs/operations/hardening.md)
 kubelet_static_pod_path: "{{ kube_manifest_dir }}"
 ## Enable distributed tracing for kubelet
 kubelet_tracing: false
 kubelet_tracing_endpoint: "[::]:4317"
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -15,9 +15,6 @@ authorization:
 {% else %}
  mode: AlwaysAllow
 {% endif %}
 {% if kube_version is version('1.35.0', '>=') %}
 failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
 {% endif %}
 {% if kubelet_enforce_node_allocatable is defined and kubelet_enforce_node_allocatable != "\"\"" %}
 {% set kubelet_enforce_node_allocatable_list = kubelet_enforce_node_allocatable.split(",") %}
 enforceNodeAllocatable:
@@ -25,7 +22,7 @@ enforceNodeAllocatable:
 - {{ item }}
 {% endfor %}
 {% endif %}
-staticPodPath: {{ kube_manifest_dir }}
+staticPodPath: "{{ kubelet_static_pod_path }}"
 cgroupDriver: {{ kubelet_cgroup_driver | default('systemd') }}
 containerLogMaxFiles: {{ kubelet_logfiles_max_nr }}
 containerLogMaxSize: {{ kubelet_logfiles_max_size }}
--- a/roles/kubernetes/node/templates/node-kubeconfig.yaml.j2
+++ b/roles/kubernetes/node/templates/node-kubeconfig.yaml.j2
@@ -0,0 +1,19 @@
 ---
 apiVersion: v1
 kind: Config
 clusters:
 - name: local
  cluster:
    certificate-authority: {{ kube_cert_dir }}/ca.pem
    server: "{{ kube_apiserver_endpoint }}"
 users:
 - name: kubelet
  user:
    client-certificate: {{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem
    client-key: {{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem
 contexts:
 - context:
    cluster: local
    user: kubelet
  name: kubelet-{{ cluster_name }}
 current-context: kubelet-{{ cluster_name }}
--- a/roles/kubespray_defaults/defaults/main/download.yml
+++ b/roles/kubespray_defaults/defaults/main/download.yml
@@ -159,7 +159,7 @@ kubeadm_download_url: "{{ dl_k8s_io_url }}/release/v{{ kube_version }}/bin/linux
 etcd_download_url: "{{ github_url }}/etcd-io/etcd/releases/download/v{{ etcd_version }}/etcd-v{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
 cni_download_url: "{{ github_url }}/containernetworking/plugins/releases/download/v{{ cni_version }}/cni-plugins-linux-{{ image_arch }}-v{{ cni_version }}.tgz"
 calicoctl_download_url: "{{ github_url }}/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
-calico_crds_download_url: "{{ github_url }}/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
+calico_crds_download_url: "{{ github_url }}/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
 ciliumcli_download_url: "{{ github_url }}/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
 crictl_download_url: "{{ github_url }}/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/crictl-v{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
 crio_download_url: "{{ storage_googleapis_url }}/cri-o/artifacts/cri-o.{{ image_arch }}.v{{ crio_version }}.tar.gz"
@@ -237,8 +237,7 @@ netcheck_agent_image_repo: "{{ docker_image_repo }}/mirantis/k8s-netchecker-agen
 netcheck_agent_image_tag: "v{{ netcheck_version }}"
 netcheck_server_image_repo: "{{ docker_image_repo }}/mirantis/k8s-netchecker-server"
 netcheck_server_image_tag: "v{{ netcheck_version }}"
-# netchecker doesn't work with etcd>=3.6 because etcd v2 API is removed
+netcheck_etcd_image_tag: "{{ etcd_image_tag }}"
 netcheck_etcd_image_tag: "v{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 cilium_image_repo: "{{ quay_image_repo }}/cilium/cilium"
 cilium_image_tag: "v{{ cilium_version }}"
 cilium_operator_image_repo: "{{ quay_image_repo }}/cilium/operator"
@@ -264,7 +263,7 @@ kube_router_image_tag: "v{{ kube_router_version }}"
 multus_image_repo: "{{ github_image_repo }}/k8snetworkplumbingwg/multus-cni"
 multus_image_tag: "v{{ multus_version }}"
 external_openstack_cloud_controller_image_repo: "{{ kube_image_repo }}/provider-os/openstack-cloud-controller-manager"
-external_openstack_cloud_controller_image_tag: "v1.35.0"
+external_openstack_cloud_controller_image_tag: "v1.32.0"
 kube_vip_version: 1.0.3
 kube_vip_image_repo: "{{ github_image_repo }}/kube-vip/kube-vip{{ '-iptables' if kube_vip_lb_fwdmethod == 'masquerade' else '' }}"
@@ -278,9 +277,9 @@ haproxy_image_tag: 3.2.4-alpine
 # bundle with kubeadm; if not 'basic' upgrade can sometimes fail
 coredns_supported_versions:
  '1.35': 1.12.4
  '1.34': 1.12.1
  '1.33': 1.12.0
  '1.32': 1.11.3
 coredns_version: "{{ coredns_supported_versions[kube_major_version] }}"
 coredns_image_repo: "{{ kube_image_repo }}{{ '/coredns' if coredns_version is version('1.7.1', '>=') else '' }}/coredns"
 coredns_image_tag: "{{ 'v' if coredns_version is version('1.7.1', '>=') else '' }}{{ coredns_version }}"
@@ -310,6 +309,13 @@ local_volume_provisioner_image_tag: "v{{ local_volume_provisioner_version }}"
 local_path_provisioner_version: "0.0.32"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}"
 ingress_nginx_version: "1.13.3"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
 ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}"
 ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
 ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
 ingress_nginx_kube_webhook_certgen_image_tag: "v1.6.3"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "1.15.3"
@@ -334,9 +340,9 @@ csi_livenessprobe_image_repo: "{{ kube_image_repo }}/sig-storage/livenessprobe"
 csi_livenessprobe_image_tag: "v2.11.0"
 snapshot_controller_supported_versions:
  '1.35': "v7.0.2"
  '1.34': "v7.0.2"
  '1.33': "v7.0.2"
  '1.32': "v7.0.2"
 snapshot_controller_image_repo: "{{ kube_image_repo }}/sig-storage/snapshot-controller"
 snapshot_controller_image_tag: "{{ snapshot_controller_supported_versions[kube_major_version] }}"
@@ -370,6 +376,11 @@ gcp_pd_csi_attacher_image_tag: "v2.1.1-gke.0"
 gcp_pd_csi_resizer_image_tag: "v0.4.0-gke.0"
 gcp_pd_csi_registrar_image_tag: "v1.2.0-gke.0"
 dashboard_image_repo: "{{ docker_image_repo }}/kubernetesui/dashboard"
 dashboard_image_tag: "v2.7.0"
 dashboard_metrics_scraper_repo: "{{ docker_image_repo }}/kubernetesui/metrics-scraper"
 dashboard_metrics_scraper_tag: "v1.0.8"
 metallb_speaker_image_repo: "{{ quay_image_repo }}/metallb/speaker"
 metallb_controller_image_repo: "{{ quay_image_repo }}/metallb/controller"
 metallb_version: 0.13.9
@@ -771,9 +782,14 @@ downloads:
  calico_crds:
    file: true
    enabled: "{{ kube_network_plugin == 'calico' and calico_datastore == 'kdd' }}"
-    dest: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crds.yaml"
+    dest: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/{{ calico_version }}.tar.gz"
-    checksum: "{{ calico_crds_checksums.no_arch[calico_version] }}"
+    checksum: "{{ calico_crds_archive_checksums.no_arch[calico_version] }}"
    url: "{{ calico_crds_download_url }}"
    unarchive: true
    unarchive_extra_opts:
      - "--strip=3"
      - "--wildcards"
      - "*/libcalico-go/config/crd/"
    owner: "root"
    mode: "0755"
    groups:
@@ -908,6 +924,15 @@ downloads:
    groups:
      - kube_node
  ingress_nginx_controller:
    enabled: "{{ ingress_nginx_enabled }}"
    container: true
    repo: "{{ ingress_nginx_controller_image_repo }}"
    tag: "{{ ingress_nginx_controller_image_tag }}"
    checksum: "{{ ingress_nginx_controller_digest_checksum | default(None) }}"
    groups:
      - kube_node
  ingress_alb_controller:
    enabled: "{{ ingress_alb_enabled }}"
    container: true
@@ -1049,6 +1074,24 @@ downloads:
    groups:
      - kube_node
  dashboard:
    enabled: "{{ dashboard_enabled }}"
    container: true
    repo: "{{ dashboard_image_repo }}"
    tag: "{{ dashboard_image_tag }}"
    checksum: "{{ dashboard_digest_checksum | default(None) }}"
    groups:
      - kube_control_plane
  dashboard_metrics_scrapper:
    enabled: "{{ dashboard_enabled }}"
    container: true
    repo: "{{ dashboard_metrics_scraper_repo }}"
    tag: "{{ dashboard_metrics_scraper_tag }}"
    checksum: "{{ dashboard_digest_checksum | default(None) }}"
    groups:
      - kube_control_plane
  metallb_speaker:
    enabled: "{{ metallb_speaker_enabled }}"
    container: true
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
@@ -17,9 +17,6 @@ kube_api_anonymous_auth: true
 # Default value, but will be set to true automatically if detected
 is_fedora_coreos: false
 # Kubernetes 1.35+: fail on cgroup v1 by default
 kubelet_fail_cgroup_v1: true
 # Swap settings
 kubelet_fail_swap_on: true
 kubelet_swap_behavior: LimitedSwap
@@ -439,6 +436,10 @@ credentials_dir: "{{ inventory_dir }}/credentials"
 # K8s image pull policy (imagePullPolicy)
 k8s_image_pull_policy: IfNotPresent
 # Kubernetes dashboard
 # RBAC required. see docs/getting-started.md for access details.
 dashboard_enabled: false
 # Addons which can be enabled
 helm_enabled: false
 registry_enabled: false
@@ -455,6 +456,7 @@ vsphere_csi_enabled: false
 upcloud_csi_enabled: false
 csi_snapshot_controller_enabled: false
 persistent_volumes_enabled: false
 ingress_nginx_enabled: false
 ingress_alb_enabled: false
 cert_manager_enabled: false
 expand_persistent_volumes: false
--- a/roles/kubespray_defaults/vars/main/checksums.yml
+++ b/roles/kubespray_defaults/vars/main/checksums.yml
@@ -1,27 +1,24 @@
 ---
 crictl_checksums:
  arm64:
    1.35.0: sha256:519071de89b64c43e2a1661bb5489c6c3fd5e9e5fcef75e50e542b0c891f1118
    1.34.0: sha256:c31d252e203df5f4cf37f314bd3092eb79087e791631c1e607087c74b6d0423f
    1.33.0: sha256:e1f34918d77d5b4be85d48f5d713ca617698a371b049ea1486000a5e86ab1ff3
    1.32.0: sha256:f2f4e20658b72d00897f41e4b57093c8080e2d800ee894a5f4351f31d1833e30
  amd64:
    1.35.0: sha256:2e141e5b22cb189c40365a11807d69b76b9b3caced89fac2f4ec879408ce2177
    1.34.0: sha256:a8ff2a3edb37a98daf3aba7c3b284fe0aa5bff24166d896ab9ef64c8913c9f51
    1.33.0: sha256:8307399e714626e69d1213a4cd18c8dec3d0201ecdac009b1802115df8973f0f
    1.32.0: sha256:f050b71d3a73a91a4e0990b90143ed04dcd100cc66f953736fcb6a2730e283c4
  ppc64le:
    1.35.0: sha256:786522b14d684604c8b435312a310972bc1b460cddb1bb216a298098cd86b22e
    1.34.0: sha256:1da50181f2f6f6f6332b9dbc7d7cc020457ccd542620167953c0e288535acc93
    1.33.0: sha256:4224acfef4d1deba2ba456b7d93fa98feb0a96063ef66024375294f1de2b064f
    1.32.0: sha256:4ffaf29bbda8df42ed2dda4f1ad33cc785987701dc8d1e0043c17cfea9af43e0
 crio_archive_checksums:
  arm64:
    1.35.0: sha256:e57175a4d00387b78adfbe248d087d8127bed625afb529e34b2c90d08cfdaf87
    1.34.5: sha256:999a5dc2dc9854222aeff8a20897e0b34f0ba02c9b260b611d66c62e00e279e0
    1.34.4: sha256:d176f6256d606a3fc279f9f2994ef4a4c4cbaaa0601f4d1bba1a19bec5674ce9
    1.34.3: sha256:314595247054b53767a736e24bc3030a5f7c17552944c62b2e190c9e95fe4ca6
    1.34.2: sha256:ac7530f7fc9d531a87bfdfcae9cf8bf81a8bbdb75e63a046ed96911aa7b68ebd
    1.34.1: sha256:41a71cab6a61ae429ec447d572fd1cdea0a7e33d62aaa58c3b07467665b50b9f
    1.34.0: sha256:3006658270477c5fb1e88e9124e40982d2ba7b34495fcc12f0fecd33bbab9a5a
    1.33.9: sha256:bfcd534db3d1a9380dd7007d623e1eb3250ba64f7c4657e79e9e99b1d874f8f1
    1.33.8: sha256:59c91726535dcadd0372df0c6aa8595e4d59590994b598b2d97ea2510b216359
    1.33.7: sha256:af3ea22d3d6944c9a907c6c13d77e9fc4dbcf3972ffbde18dd6f37f1c2ffbd0d
    1.33.6: sha256:6ee49e746d1a5be1a664a6f801c68b169cb181a9aaf12218eed121e2b151bfdb
@@ -31,15 +28,25 @@ crio_archive_checksums:
    1.33.2: sha256:0a161cb1437a50fbdb04bf5ca11dbec8bfc567871d0597a5676737278a945a36
    1.33.1: sha256:6bf135db438937f0ab7a533af64564a0fb1d2079a43723ce9255ecbf9556ae05
    1.33.0: sha256:8a0dbee2879495d5b33e6fdeac32e5d86c356897bdcf3a94cd602851620ce8b5
    1.32.12: sha256:26a5138f4e4f15d370630c3bb8bf04fe28b24c57ce2bb11717a2c9a2e1c54404
    1.32.11: sha256:25c6ccfe9b70bf12222577b4cbf286ade9e2d112ab10c7d4507ba12cbcfad5ba
    1.32.10: sha256:4e8ceb6f2c936e31a9b892a076deecc52be9feac4acf8af242fb6db817fda9b1
    1.32.9: sha256:f854848dc5ae54ea03e48f2bc6d6ffbea2173de45c3d7a2abbc3af3abcb779f9
    1.32.8: sha256:1da6d9bd9e3a7f2d2e17310353c1d41c68d5d77606b8933a95f399db1ec809c7
    1.32.7: sha256:02a0f37f87eda1adf73a2f7145dbead4db9cb7470083cd474fe2970853bb32ff
    1.32.6: sha256:8b9a3a0ec3a7d1476396e4893ae9358eff1448d7631c27725d651cbfc4071902
    1.32.5: sha256:1725d914b2041b428e5346202a4d874796ed146bac0170084e09d8f430af3c2e
    1.32.4: sha256:06ccee8b31963f80c0253bf8c6ba56afa222fc0608ca309b21ace2d8748e3023
    1.32.3: sha256:f196bdc30c8effbbc8ec54f99e2598e34a901a7996a2f8a53f1f9134b0dc1b80
    1.32.2: sha256:627df634df178baf2800c8eb68185489e82f78b0b33ea5bec2bf9ce55ad57647
    1.32.1: sha256:f64da0ef41604575b476ad6d7288ca14f56fc06cc0ca138a5c3dc933427f7b32
    1.32.0: sha256:b092eddabedac98a0f8449dc535acfec0e14c21f59cabe8f9703043d995a1a41
  amd64:
    1.35.0: sha256:55b6d3e9fc9a5864ab5cdf0b24d54b1dcbaf6d4919274b3b9eb37bfc4b0b8cb5
    1.34.5: sha256:d6606fb6d686b8f814dfec801f0f3cf2ded974c194fa90facefda36075b6fab2
    1.34.4: sha256:f6348a781c34b433fe1c5150da3408e51e828b610eacbe734405e9c31136d810
    1.34.3: sha256:e269914f3bc4f36ac87cd593d74daaa43c390571994062180019248be32cc6f7
    1.34.2: sha256:3a0012938ed389e9270a208bb73b250062d5f1be5798472b1728403d55ddc1da
    1.34.1: sha256:22c1e4d68d9339aa58a1b0f1b40a8944102934a7505105abe461dc8a7e3de540
    1.34.0: sha256:5a8bc5c3b8072cb9bde1cf025d5597f75bf21018712c5b72d5cb0657948595c8
    1.33.9: sha256:81c20a12866d9a7c08c6e381ed326141c917454b696a05b46ae27665fe3c5cfa
    1.33.8: sha256:537adda39074377893f1f650a71b576ba487b3c4d2ee55e9b22f4e95fc188594
    1.33.7: sha256:e2999436a272c77370241a4f962c80737698dd8c2400fe75e5c7cf2142c96001
    1.33.6: sha256:4d0d446f73d9db6d5bf2c03ecdc39d9d702836886f4715886c15dc2f461cc810
@@ -49,15 +56,25 @@ crio_archive_checksums:
    1.33.2: sha256:6e82739bbbeae12d571a277a88d85e8a0e23dbc87529414a91ee5f2e23792dcf
    1.33.1: sha256:036063194028d24c75b9ce080e475ad97bacc955de796b7c895845294db8edbf
    1.33.0: sha256:dad0cec9e09368b37b35ce824b0ef517a1b33365c4bb164fe82310c73c886f7e
    1.32.12: sha256:13cb9676686c0ccd6bd7ffef9125f6370f803f08a559cf31f017193619891960
    1.32.11: sha256:98424dbe3eb1377b314bb35b30842987ccc800faa2f8145d52eb2a9c1efa17be
    1.32.10: sha256:b8e66bd33c885baf65535e671a120de4d7675833a75489403a9406e5fd2faa5e
    1.32.9: sha256:59b861b9c8913328c9bc97b3bcb007951b0c3bf6c9f40fbad236be4b31534503
    1.32.8: sha256:39b10999bc26ebea7714fb08d6eaef5f8bac63de3c8bbabae6a7d716c93cdb2e
    1.32.7: sha256:2592c2aad6eabf7109d62f49417c14a78fabedd24eab0915770d92610e032f89
    1.32.6: sha256:430ffcd8a140177b453ff75f4f11c22483378f4751f2e62379526b6ef817d184
    1.32.5: sha256:e31f6d9acb955bb6065ae1bbb4bb71e23ecf61417b4c03ea87e152ff7ae45b5e
    1.32.4: sha256:9934370708bfc641649bef83cd8df0745e8d3a3887b67062ae970d95b58003f4
    1.32.3: sha256:860c53b91dbe547b0cf23837880506a92348783efd9a7003a7da3fff6555fa28
    1.32.2: sha256:3ab6b4cc7641c2d181c2141ca42edecaac837d1409caef9311ebc57fb922fbb6
    1.32.1: sha256:d35de1e765481018c7ccdc92edeb59b25938f3bd9d1670440e7ccd3d599f95a7
    1.32.0: sha256:8f483f1429d2d9cd6bfa6db2e3a4263151701dd4f05f2b1c06cf8e67c44ea67e
  ppc64le:
    1.35.0: sha256:081ab73a6970ac3c68893dea9a03b0732ca22ab44a2aa8794fddac0bd4dfa749
    1.34.5: sha256:3a10d4c1406df01bd9ab88750eabc1273964e9c5f24c7d4a0b719ae77e6cfec2
    1.34.4: sha256:dca59a28fe9b0b9163418eca1545c9ed01cf514179f108d14e462c6074fd103c
    1.34.3: sha256:4dd782484eeb460b9a95e6e2e07474216fc02ad45a27ba871799d18f2b6ee0ae
    1.34.2: sha256:d4c3c9ba24b1b0eabf3c11ddec98801dda7a87b0529706e9ede18b8cc9e4182a
    1.34.1: sha256:cba0ac74e7202fe28cf8aa895b83f7a30d78b148666add78e19215259f629bb0
    1.34.0: sha256:e9e41d14439db0ca88cf2cd8533038203f379c25cd612f37635c17908e050ebf
    1.33.9: sha256:c0a9e60800f66f85c70615128fec5a8358ffde0f715a4058163707dbcca8eb94
    1.33.8: sha256:1d69c01512e8ebdd51fc70fc64473a31d492e8db095c0ee5d3ee58722048150c
    1.33.7: sha256:076e7519bfff72a43fb1121ce836eee3cc1fec5bb5a59a11747c514e9d162d26
    1.33.6: sha256:3643eefe295604288f5b652fb9c672a60f96dc803e63edaf9ee64ed4047a50dd
@@ -67,16 +84,25 @@ crio_archive_checksums:
    1.33.2: sha256:8ed65404a57262a9f8eb75b61afa37fcec134472eb1a6d81f1889a74ff32c651
    1.33.1: sha256:12646aca33f65fe335c27d3af582c599584d3f51185f01044e7ddd0668bb2b4c
    1.33.0: sha256:b4fa46b25538d8145197f8bf2e935486392c0ca2a9fa609aedd02b9f106d37a6
    1.32.12: sha256:9ba4f2c3be48c0f1f3228ef6322aeb3738f3ef461fd483a0cb4c2e5b067f080c
    1.32.11: sha256:6c2036f2ed7134c596b5a453a06fbb7e646db9586bff0d993f5223dccf167420
    1.32.10: sha256:ae4740c6bb6f346338f94508c74d5b1ec94f2691cb12f9a9add437fee5391f8d
    1.32.9: sha256:604bd6f866be327951942656931847c3623cd1e138197f153dd4d5537dd19f11
    1.32.8: sha256:b7be7a811d598c317b04db75769ac2a2e73633b4511513f1851f8f8fed71655e
    1.32.7: sha256:cc4cb9e5337716fbd341e84dfd59e80a4cfd2c28b70a30223a29bbe2a7607203
    1.32.6: sha256:f2b80598398dfbc5672696309dce2cb9c2ae80eda9d9b86141cc80995bc3bb92
    1.32.5: sha256:2886b8392452ee6e91d87e7228d3720a21b89e4398291f7479ec68ddb0f4f7c0
    1.32.4: sha256:533f6a6d252be8e78a9df4c911df5c3f4b361c608939427839fa4db682ade0a2
    1.32.3: sha256:bab472e532ed31307f92781717b32016ad02dc25b9a7facf158eab0ff49531c5
    1.32.2: sha256:680928bbeb84df7e87a17ad059679bb365a8d68781819798175e370629c293e6
    1.32.1: sha256:e59948b183ca87bf3cf4e54ebd5d3ac9418b1e88af4dc92883323003bd16412a
    1.32.0: sha256:e0544544c91f603afaf54ed814c8519883212bcb149f53a8be9bb0c749e9ec86
 kubelet_checksums:
  arm64:
    1.35.1: sha256:73475c6db8fd8a9780b1b378fa2f917875e6146166c24603c1abc6eafd4493a8
    1.35.0: sha256:aa658d077348b43d238f50966a583f4244b2a7d45590c77b3b165b7d44983ab8
    1.34.4: sha256:c78845473c434ee85a2444eeab87f8b20f524e3ab6854a078f79468f44aad8f5
    1.34.3: sha256:765b740e3ad9c590852652a2623424ec60e2dddce2c6280d7f042f56c8c98619
    1.34.2: sha256:3e31b1bee9ab32264a67af8a19679777cd372b1c3a04b5d7621289cf137b357c
    1.34.1: sha256:6a66bc08d6c637fcea50c19063cf49e708fde1630a7f1d4ceca069a45a87e6f1
    1.34.0: sha256:e45a7795391cd62ee226666039153832d3096c0f892266cd968936e18b2b40b0
    1.33.8: sha256:e835f15be6d8b7b27b963a46c4a054f7663c26741f17e003bfcb8271350cf882
    1.33.7: sha256:3035c44e0d429946d6b4b66c593d371cf5bbbfc85df39d7e2a03c422e4fe404a
    1.33.6: sha256:7d8b7c63309cfe2da2331a1ae13cce070b9ba01e487099e7881a4281667c131d
    1.33.5: sha256:c6ad0510c089d49244eede2638b4a4ff125258fd29a0649e7eef05c7f79c737f
@@ -85,15 +111,23 @@ kubelet_checksums:
    1.33.2: sha256:0fa15aca9b90fe7aef1ed3aad31edd1d9944a8c7aae34162963a6aaaf726e065
    1.33.1: sha256:10540261c311ae005b9af514d83c02694e12614406a8524fd2d0bad75296f70d
    1.33.0: sha256:ae5a4fc6d733fc28ff198e2d80334e21fcb5c34e76b411c50fff9cb25accf05a
    1.32.11: sha256:7d1c3aaae0dffa8d5c90bbaed49f25d32f98332801bde55cfea6efaead639491
    1.32.10: sha256:21cc3d98550d3a23052d649e77956f2557e7f6119ff1e27dc82b852d006136cd
    1.32.9: sha256:29037381c79152409adacee83448a2bdb67e113f003613663c7589286200ded8
    1.32.8: sha256:d5527714fac08eac4c1ddcbd8a3c6db35f3acd335d43360219d733273b672cce
    1.32.7: sha256:b862a8d550875924c8abed6c15ba22564f7e232c239aa6a2e88caf069a0ab548
    1.32.6: sha256:b045d4f8f96bf934c894f9704ab2931ffa3c6cf78a8d98e457482a6c455dab6d
    1.32.5: sha256:034753a2e308afeb4ce3cf332d38346c6e660252eac93b268fac0e112a56ff46
    1.32.4: sha256:91117b71eb2bb3dd79ec3ed444e058a347349108bf661838f53ee30d2a0ff168
    1.32.3: sha256:5c3c98e6e0fa35d209595037e05022597954b8d764482417a9588e15218f0fe2
    1.32.2: sha256:d74b659bbde5adf919529d079975900e51e10bc807f0fda9dc9f6bb07c4a3a7b
    1.32.1: sha256:8e6d0eeedd9f0b8b38d4f600ee167816f71cf4dacfa3d9a9bb6c3561cc884e95
    1.32.0: sha256:bda9b2324c96693b38c41ecea051bab4c7c434be5683050b5e19025b50dbc0bf
  amd64:
    1.35.1: sha256:e7343310e03ff0d424df4397bdfa4468947d6d1f0f93dac586c1e8d6e4086d5d
    1.35.0: sha256:2f4ed7778681649b81244426c29c5d98df60ccabf83d561d69e61c1cbb943ddf
    1.34.4: sha256:03b8fea715a7ef82eeaf518dee34c72670c57cc7bc40dc1320c04fbf4f15172f
    1.34.3: sha256:0e759f40bbc717c05227ae3994b77786f58f59ffa0137a34958c6b26fa5bcbbd
    1.34.2: sha256:9c5e717b774ee9b9285ce47e7d2150c29e84837eb19a7eaa24b60b1543c9d58f
    1.34.1: sha256:5a72c596c253ea0b0e5bcc6f29903fd41d1d542a7cadf3700c165a2a041a8d82
    1.34.0: sha256:5c0d28cea2a3a5c91861dda088a29d56c1b027e184dae1d792686f0710750076
    1.33.8: sha256:1caa69c5328cfa774218f75f0621a6f10a1b97e095af85015f468aeb8fdf956a
    1.33.7: sha256:2cea40c8c6929330e799f8fc73233a4b61e63f208739669865e2a23a39c3a007
    1.33.6: sha256:10cd08fe1f9169fd7520123bcdfff87e37b8a4e21c39481faa382f00355b6973
    1.33.5: sha256:8f6106b970259486c5af5cbee404d4f23406d96d99dfb92a6965b299c2a4db0e
@@ -102,15 +136,23 @@ kubelet_checksums:
    1.33.2: sha256:77fa5d29995653fe7e2855759a909caf6869c88092e2f147f0b84cbdba98c8f3
    1.33.1: sha256:f7224648451dd4f9f2c4f79416f9874223c286ce41727788965fd0341ddb59c4
    1.33.0: sha256:dd416d94850c342226d3dcdce838518b040ccea16548bfeaf2595934af88ef60
    1.32.11: sha256:02b25e87a3fe14e9ea74c10d3b1e204d12af30b8ce7ed11af2a985b49ddb0b83
    1.32.10: sha256:bfff8f244992162c0491f8f42d807165ed5c685aecfb3e8000412535ad18a873
    1.32.9: sha256:fd7711d1f0c1e263e9332004858fc4a6c39462e3e2ee485706eea5297966ed9c
    1.32.8: sha256:7dfca4da9cdf592c0f70800e09fb42553765bc0951cade3d6e0c571daf3f23ee
    1.32.7: sha256:7ab96898436475640cbd416b2446f33aba1c2cb62dae876302ff7775d850041c
    1.32.6: sha256:aa37219c4796a2fbf5af7f37fb7f11998947f9fd0d0f30dbeb40c47d4e9c8777
    1.32.5: sha256:2b2988edd1646bf139dee6956d4283c520ff151a36febd10701ffda4852b8250
    1.32.4: sha256:3e0c265fe80f3ea1b7271a00879d4dbd5e6ea1e91ecf067670c983e07c33a6f4
    1.32.3: sha256:024bb7faffa787c7717a2b37398a8c6df35694a8585a73074b052c3f4c4906ce
    1.32.2: sha256:9927fee1678202719075d8d546390bcda86c9e519b811fb7f4820b6823f84cab
    1.32.1: sha256:967dc8984651c48230a2ff5319e22cbf858452e974104a19bbade5d1708f72ad
    1.32.0: sha256:5ad4965598773d56a37a8e8429c3dc3d86b4c5c26d8417ab333ae345c053dae2
  ppc64le:
    1.35.1: sha256:ec8b7f870043f711b5d73e528342af1705d6ad7f8308d7f31d74d967986b54f6
    1.35.0: sha256:f24eb1244878a3876fe180e6052822cc9998033850478b2f4776e5c3b09baecd
    1.34.4: sha256:fab75e3eb1e0edf15aef7e8ba219256b44f047544ac421737d1778784fa46676
    1.34.3: sha256:67dcceb6d91710e4da7af720eda7b20fd4e8c24237fc345602bb54439ad8ccca
    1.34.2: sha256:a195f278b9bac26803f1e26b0f608e0dce66aad033e8c043e8555775612530c9
    1.34.1: sha256:c4782dbf1987680e9b2baa3ecf5db9e66395772e82b251eb73a150fbfbe0b906
    1.34.0: sha256:ed663fa4ff3e305276dd889885303e07989dfab073e95ef2da931b975f6686e8
    1.33.8: sha256:392ed39b6c037bc5c510412c9b5cfd29238d31dd67d1a3cbae7ef4a274304c63
    1.33.7: sha256:f96dd4272ca8eccf1f93fb5162323840b9286c5a42a5305fcc1b4d47889534d3
    1.33.6: sha256:00ae91297503518efd237d40900af4de0067597ae4f2ab8250ddb629ffb6df05
    1.33.5: sha256:1d785ead3f6709f66a105c629a020b9dfe6dff775fae42f7d147edec2d178351
@@ -119,16 +161,24 @@ kubelet_checksums:
    1.33.2: sha256:be8412cb9bf30125e3a88ecb9bfca4df1ff5d4e650947c46222683071f1a17d7
    1.33.1: sha256:c1bc01115a513eaec76d56dc52a52aeb05f866a6d07c55335c1fff56c868543d
    1.33.0: sha256:6fa5abbc14d65b943b00fcfc8a6ac7eb39fd7e924271738c6f17e0b7e74c665b
    1.32.11: sha256:17baef329a468f958658f3e4c3f04689dd2506077214e36d4495b8d0c6776da9
    1.32.10: sha256:277e68bcf192ea91f3426b8fb540c4951e2e3bffc659a7b39b98c749e828acc7
    1.32.9: sha256:81ba713e8b51644336d428dfa5654cc4e2e4a4ea742976b56ddf965a347330e5
    1.32.8: sha256:ec5a2e045dc49b7e1d34a0c78fbc645ce568b2275e807b6313da46e584f56f68
    1.32.7: sha256:4ddc5a0b42100295896a43a1a637180872293c9f7305a90dd3377681b1401469
    1.32.6: sha256:fd0140949b02c82539ff84db15d0d406445f34221d0547e7ee31245cd982ff47
    1.32.5: sha256:b9cb7bf4b5518e1b5542717c82a753663154e08c84e336feba424cf3575313a3
    1.32.4: sha256:62e7854ea84bf0fd5a9c47a1ab7ade7a74b4f160efdf486320ed913b4e8e7f79
    1.32.3: sha256:efc2b01d4ab74f283ab4ff2bad4369e2b9f66fa875673b72627aa6e7a7b507cb
    1.32.2: sha256:3602474e25b0b42a4b0f43ece2ca1e03fe5f3864f0936537256920bbb2eb9acd
    1.32.1: sha256:623889368808042a236d7078d85a23ce5ef0e43b6fadc09bcacfdf704ac876b4
    1.32.0: sha256:99d409a8023224d84c361e29cdf21ac0458a5449f03e12550288aa654539e3a1
 kubectl_checksums:
  arm:
    1.35.1: sha256:dbe14e5b12184d72978b17b167aedc3f42f4a1faf249180025d6359eebcd983e
    1.35.0: sha256:dca28f6af03b31ca6043baa1da7332472c7a3df743606a758534b9ac3ed7ecce
    1.34.4: sha256:3a6e631bdbb79e633d23055dadc97b45f45d325105ddf40e696de2a324a254c0
    1.34.3: sha256:e0cf1eddede6abfd539e30ccbb4e50f65b2d6ff44b3bb9d9107ea8775a90a7e4
    1.34.2: sha256:18e03c1c6ab1dbff6d2a648bf944213f627369d1daeea5b43a7890181ab33abf
    1.34.1: sha256:ca6218ae8bf366bd8ccdcb440b756c67422a4e04936163845f74d8c056e786ee
    1.34.0: sha256:69d2ce88274caf9d9117b359cc27656fb6f9dd6517c266cfd93c6513043968b8
    1.33.8: sha256:734dea07663751c8b45926c843e2c250f13473d65f396555a1ecfe0c9c502fa8
    1.33.7: sha256:f6b9ac99f4efb406c5184d0a51d9ed896690c80155387007291309cbb8cdd847
    1.33.6: sha256:89bcef827ac8662781740d092cff410744c0653d828b68cc14051294fcd717e6
    1.33.5: sha256:5a3a416a85cfc9f7a348c0c0e6334b7449e00a57288ab5a57286ccf68a4d06af
@@ -137,15 +187,23 @@ kubectl_checksums:
    1.33.2: sha256:f3992382aa0ea21f71a976b6fd6a213781c9b58be60c42013950110cf2184f2a
    1.33.1: sha256:6b1cd6e2bf05c6adaa76b952f9c4ea775f5255913974ccdb12145175d4809e93
    1.33.0: sha256:bbb4b4906d483f62b0fc3a0aea3ddac942820984679ad11635b81ee881d69ab3
    1.32.11: sha256:358dafd910cec676f05e04fbed44ea26ec393cd60b5b885bc60c27e1aaf383c9
    1.32.10: sha256:b42bc77586238b43b8c5cdd06086f1ab00190245dd8b66b28822785b177fbde4
    1.32.9: sha256:84629d460b60693ca954e148ce522defd34d18bc5c934836cfaf0268930713dd
    1.32.8: sha256:ed54b52631fdf5ecc4ddb12c47df481f84b5890683beaeaa55dc84e43d2cd023
    1.32.7: sha256:c5416b59afdf897c4fbf08867c8a32b635f83f26e40980d38233fad6b345e37c
    1.32.6: sha256:77fec65c6f08c28f8695de4db877d82d74c881ed3ed110ebfd88cbd4ee3d01dc
    1.32.5: sha256:7270e6ac4b82b5e4bd037dccae1631964634214baa66a9548deb5edd3f79de31
    1.32.4: sha256:bf28793213039690d018bbfa9bcfcfed76a9aa8e18dc299eced8709ca542fcdd
    1.32.3: sha256:f990c878e54e5fac82eac7398ef643acca9807838b19014f1816fa9255b2d3d9
    1.32.2: sha256:e1e6a2fd4571cd66c885aa42b290930660d34a7331ffb576fcab9fd1a0941a83
    1.32.1: sha256:8ccf69be2578d3a324e9fc7d4f3b29bc9743cc02d72f33ba2d0fe30389014bc8
    1.32.0: sha256:6b33ea8c80f785fb07be4d021301199ae9ee4f8d7ea037a8ae544d5a7514684e
  arm64:
    1.35.1: sha256:706256e21a4e9192ee62d1a007ac0bfcff2b0b26e92cc7baad487a6a5d08ff82
    1.35.0: sha256:58f82f9fe796c375c5c4b8439850b0f3f4d401a52434052f2df46035a8789e25
    1.34.4: sha256:5b982c0644ab1e27780246b9085a5886651b4a7ed86243acbb2bacc1bea01dda
    1.34.3: sha256:46913a7aa0327f6cc2e1cc2775d53c4a2af5e52f7fd8dacbfbfd098e757f19e9
    1.34.2: sha256:95df604e914941f3172a93fa8feeb1a1a50f4011dfbe0c01e01b660afc8f9b85
    1.34.1: sha256:420e6110e3ba7ee5a3927b5af868d18df17aae36b720529ffa4e9e945aa95450
    1.34.0: sha256:00b182d103a8a73da7a4d11e7526d0543dcf352f06cc63a1fde25ce9243f49a0
    1.33.8: sha256:76e284669f1f6343bd9fe2a011757809c8c01cf51da9f85ee6ef4eb93c8393a8
    1.33.7: sha256:fa7ee98fdb6fba92ae05b5e0cde0abd5972b2d9a4a084f7052a1fd0dce6bc1de
    1.33.6: sha256:3ab32d945a67a6000ba332bf16382fc3646271da6b7d751608b320819e5b8f38
    1.33.5: sha256:6db7c5d846c3b3ddfd39f3137a93fe96af3938860eefdbf2429805ee1656e381
@@ -154,15 +212,23 @@ kubectl_checksums:
    1.33.2: sha256:54dc02c8365596eaa2b576fae4e3ac521db9130e26912385e1e431d156f8344d
    1.33.1: sha256:d595d1a26b7444e0beb122e25750ee4524e74414bbde070b672b423139295ce6
    1.33.0: sha256:48541d119455ac5bcc5043275ccda792371e0b112483aa0b29378439cf6322b9
    1.32.11: sha256:b1c91c106ec20e61c5dff869e9a39e6af4fb96572bddaac9cce307dfa3ed2348
    1.32.10: sha256:1f4229526e16bf9f5b854fbf3bdb9c7040404a29c1d1e4193258b8a73de06e92
    1.32.9: sha256:d5f6b45ad81b7d199187a28589e65f83406e0610b036491a9abaa49bfd04a708
    1.32.8: sha256:8a7371e54187249389a9aa222b150d61a4a745c121ab24dbcbb56d1ac2d0b912
    1.32.7: sha256:232f6e517633fbb4696c9eb7a0431ee14b3fccbb47360b4843d451e0d8c9a3a2
    1.32.6: sha256:f7bac84f8c35f55fb2c6ad167beb59eba93de5924b50bbaa482caa14ff480eec
    1.32.5: sha256:9edee84103e63c40a37cd15bd11e04e7835f65cb3ff5a50972058ffc343b4d96
    1.32.4: sha256:c6f96d0468d6976224f5f0d81b65e1a63b47195022646be83e49d38389d572c2
    1.32.3: sha256:6c2c91e760efbf3fa111a5f0b99ba8975fb1c58bb3974eca88b6134bcf3717e2
    1.32.2: sha256:7381bea99c83c264100f324c2ca6e7e13738a73b8928477ac805991440a065cd
    1.32.1: sha256:98206fd83a4fd17f013f8c61c33d0ae8ec3a7c53ec59ef3d6a0a9400862dc5b2
    1.32.0: sha256:ba4004f98f3d3a7b7d2954ff0a424caa2c2b06b78c17b1dccf2acc76a311a896
  amd64:
    1.35.1: sha256:36e2f4ac66259232341dd7866952d64a958846470f6a9a6a813b9117bd965207
    1.35.0: sha256:a2e984a18a0c063279d692533031c1eff93a262afcc0afdc517375432d060989
    1.34.4: sha256:d50c359d95e0841eaad08ddc27c7be37cba8fdccfba5c8e2ded65e121ff112db
    1.34.3: sha256:ab60ca5f0fd60c1eb81b52909e67060e3ba0bd27e55a8ac147cbc2172ff14212
    1.34.2: sha256:9591f3d75e1581f3f7392e6ad119aab2f28ae7d6c6e083dc5d22469667f27253
    1.34.1: sha256:7721f265e18709862655affba5343e85e1980639395d5754473dafaadcaa69e3
    1.34.0: sha256:cfda68cba5848bc3b6c6135ae2f20ba2c78de20059f68789c090166d6abc3e2c
    1.33.8: sha256:7f9c3faab7c9f9cc3f318d49eb88efc60eb3b3a7ce9eee5feb39b1280e108a29
    1.33.7: sha256:471d94e208a89be62eb776700fc8206cbef11116a8de2dc06fc0086b0015375b
    1.33.6: sha256:d25d9b63335c038333bed785e9c6c4b0e41d791a09cac5f3e8df9862c684afbe
    1.33.5: sha256:6a12d6c39e4a611a3687ee24d8c733961bb4bae1ae975f5204400c0a6930c6fc
@@ -171,15 +237,23 @@ kubectl_checksums:
    1.33.2: sha256:33d0cdec6967817468f0a4a90f537dfef394dcf815d91966ca651cc118393eea
    1.33.1: sha256:5de4e9f2266738fd112b721265a0c1cd7f4e5208b670f811861f699474a100a3
    1.33.0: sha256:9efe8d3facb23e1618cba36fb1c4e15ac9dc3ed5a2c2e18109e4a66b2bac12dc
    1.32.11: sha256:48581d0e808bd8b7d3c3fc014e86b170e25a987df04c8a879b982b28a5180815
    1.32.10: sha256:6e14ef4e509e9f3d1dfc2815643f832f853d2d9f6622d4a0f83f77c7e4014b57
    1.32.9: sha256:509ae171bac7ad3b98cc49f5594d6bc84900cf6860f155968d1059fde3be5286
    1.32.8: sha256:0fc709a8262be523293a18965771fedfba7466eda7ab4337feaa5c028aa46b1b
    1.32.7: sha256:b8f24d467a8963354b028796a85904824d636132bef00988394cadacffe959c9
    1.32.6: sha256:0e31ebf882578b50e50fe6c43e3a0e3db61f6a41c9cded46485bc74d03d576eb
    1.32.5: sha256:aaa7e6ff3bd28c262f2d95c8c967597e097b092e9b79bcb37de699e7488e3e7b
    1.32.4: sha256:10d739e9af8a59c9e7a730a2445916e04bc9cbb44bc79d22ce460cd329fa076c
    1.32.3: sha256:ab209d0c5134b61486a0486585604a616a5bb2fc07df46d304b3c95817b2d79f
    1.32.2: sha256:4f6a959dcc5b702135f8354cc7109b542a2933c46b808b248a214c1f69f817ea
    1.32.1: sha256:e16c80f1a9f94db31063477eb9e61a2e24c1a4eee09ba776b029048f5369db0c
    1.32.0: sha256:646d58f6d98ee670a71d9cdffbf6625aeea2849d567f214bc43a35f8ccb7bf70
  ppc64le:
    1.35.1: sha256:bced44e491ce52cce11e2b4bd4bd9181f4f963ffe868438778d028d56485c5d9
    1.35.0: sha256:8989809d0ac771244dabe50ed742249ac60eeb6d385cd234ee151eb40b7c32c4
    1.34.4: sha256:b083c39879483816f34d1f7e2e31e70ec48984fcc1753c79f4b846cfedbf41ac
    1.34.3: sha256:ae239b7f6f071e47014e1b5b20aa60626e06b32922a6b5054562ae2c5fa82c18
    1.34.2: sha256:49a985986a9add6c229c628bf2a83addebbdeeef40469fce2a54e51b6f1bb05b
    1.34.1: sha256:45499f0728b4a3428400db289edb444609d41787061f09b66f18028c0a73652f
    1.34.0: sha256:1773805a0c128f4d267b2e11f4c74cac287e9a07fffaecc3f7af6df9c8aaf82c
    1.33.8: sha256:aa079f403c80ba6017449c230733fed4e5d7b0a8700bd6590ee202161b8b12af
    1.33.7: sha256:0807c38a1342ab8dea6435f33d5897a01527d348a968a5c4ca2929769f3d54f2
    1.33.6: sha256:4b056b1749c619fab6a855247c3bd04123f2b61cf136ca6bddf69ff97a727e32
    1.33.5: sha256:37e2204d371bbbb90fd693049a7a45b81991ca8bcc9b8baf041a7c9f23e9035c
@@ -188,16 +262,24 @@ kubectl_checksums:
    1.33.2: sha256:d1cdf13cb786c1ee6d5bf6d85034f496aa2fee97b287028043eb14c5dc74993f
    1.33.1: sha256:f922dd8f558dc616ebaa34908ceb7964ebb8caadd7c48699d0b791ffff2be1aa
    1.33.0: sha256:580d076c891711ec37afaf5994f72a8aad9d45c25413e6e94648e988a5a9933a
    1.32.11: sha256:4310edfc10fbc64cc69a25d27a1a8c4e134ad6642f8c83a8b0b612768ac63e84
    1.32.10: sha256:544722455bc0a3f57b68e9aafe8bffa0af25d4f0f383848f03ba7aff2cab7e10
    1.32.9: sha256:bdc8af9c1aed9737d58442f59034ad0125efe3a2dfad9f6ec14f1264e7020cc3
    1.32.8: sha256:52cc07556a8f0076d4e48003aa416b486c729e9679dbe2ea92bbd88e5be5cc93
    1.32.7: sha256:c0fb655243a98c4b063f39f2208c7b9d3cbe77b302a8b8b683aabe42e47fc556
    1.32.6: sha256:808e2b86128a9f25922bdb099ebf276ba4220dbf53c63a033348ee119697b22a
    1.32.5: sha256:1fc869a9d620982f16104f3b33c393aba54dd41136d18009bf6fc39accf6465c
    1.32.4: sha256:61a8c1f441900b4e61defcb83bb54f61f883f9e75810897cfabfd6860ae7e195
    1.32.3: sha256:11e1a377f404bdab6e3587375f7c2ee432df80b56d7ccf6151d4e48cd8063f55
    1.32.2: sha256:c25500027cd331ae3e65bed2612491c5307721894e9d39e869f24ca14973677f
    1.32.1: sha256:46d98d3463e065dff035d76f6c2b604c990d79634cc574d43b0c21f0367bbf0c
    1.32.0: sha256:9f3f239e2601ce53ec4e70b80b7684f9c89817cc9938ed0bb14f125a3c4f8c8f
 kubeadm_checksums:
  arm64:
    1.35.1: sha256:80097a3c4ef824f4edfe131d2bd429772c4be3a460c42a44f2320164a917de32
    1.35.0: sha256:1dac7dc2c6a56548bbc6bf8a7ecf4734f2e733fb336d7293d84541ebe52d0e50
    1.34.4: sha256:d8028b7e8c8d6c9b3fc3da6bc88d4d0cfb33df1b4b026a7d6e8c35d1471c9f6e
    1.34.3: sha256:697cf3aa54f1a5740b883a3b18a5d051b4032fd68ba89af626781a43ec9bccc3
    1.34.2: sha256:065f7de266c59831676cc48b50f404fd18d1f6464502d53980957158e4cab3a7
    1.34.1: sha256:b0dc5cf091373caf87d069dc3678e661464837e4f10156f1436bd35a9a7db06b
    1.34.0: sha256:6b7108016bb2b74132f7494e200501d6522682c01759db91892051a052079c77
    1.33.8: sha256:b5248b51e66e4716261f2c926fe2f08a293795e6863099e7792b4d57dbb9109e
    1.33.7: sha256:b24eeeff288f9565e11a2527e5aed42c21386596110537adb805a5a2a7b3e9ce
    1.33.6: sha256:ef80c198ca15a0850660323655ebf5c32cc4ab00da7a5a59efe95e4bcf8503ab
    1.33.5: sha256:b1c00657649e35771569d095e531d826bd19baf57bcb53cccf3f91d7d60b7808
@@ -206,15 +288,23 @@ kubeadm_checksums:
    1.33.2: sha256:21efc1ba54a1cf25ac68208b7dde2e67f6d0331259f432947d83e70b975ad4cc
    1.33.1: sha256:5b3e3a1e18d43522fdee0e15be13a42cee316e07ddcf47ef718104836edebb3e
    1.33.0: sha256:746c0ee45f4d32ec5046fb10d4354f145ba1ff0c997f9712d46036650ad26340
    1.32.11: sha256:0190c49b61b065409b1e99c70e5ec3c52576bf8902432fb2c97bf1d0d2777b69
    1.32.10: sha256:a201f246be3d2c35ffa7fc51a1d2596797628f9b1455da52a246b42ce8e1f779
    1.32.9: sha256:377349141e865849355140c78063fa2b87443bf1aecb06319be4de4df8dbd918
    1.32.8: sha256:8dbd3fa2d94335d763b983caaf2798caae2d4183f6a95ebff28289f2e86edf68
    1.32.7: sha256:a2aad7f7b320c3c847dea84c08e977ba8b5c84d4b7102b46ffd09d41af6c4b51
    1.32.6: sha256:f786731c37ce6e89e6b71d5a7518e4d1c633337237e3803615056eb4640bfc8e
    1.32.5: sha256:2956c694ff2891acdc4690b807f87ab48419b4925d3fad2ac52ace2a1160bd17
    1.32.4: sha256:1b9d97b44758dc4da20d31e3b6d46f50af75ac48be887793e16797a43d9c30e7
    1.32.3: sha256:f9d007aaf1468ea862ef2a1a1a3f6f34cc57358742ceaff518e1533f5a794181
    1.32.2: sha256:fd8a8c1c41d719de703bf49c6f56692dd6477188d8f43dcb77019fd8bc30cbd3
    1.32.1: sha256:55a57145708aaa37f716f140ef774ca64b7088b6df5ee8eae182936ad6580328
    1.32.0: sha256:5da9746a449a3b8a8312b6dd8c48dcb861036cf394306cfbc66a298ba1e8fbde
  amd64:
    1.35.1: sha256:8a7ff344eef1bfba88f9a74b3fdc9ea4448c94f1b3cefb8c0aeeaf1f96e05053
    1.35.0: sha256:729e7fb34e4f1bfcf2bdaf2a14891ed64bd18c47aaab42f8cc5030875276cfed
    1.34.4: sha256:b967f1fa0e36621c402d38bb560eb4a943954d5cf5a00e5150842f6f5da73455
    1.34.3: sha256:f9ce265434d306e59d800b26f3049b8430ba71f815947f4bacdcdc33359417fb
    1.34.2: sha256:6a2346006132f6e1ed0b5248e518098cf5abbce25bf11b8926fb1073091b83f4
    1.34.1: sha256:20654fd7c5155057af5c30b86c52c9ba169db6229eee6ac7abab4309df4172e7
    1.34.0: sha256:aecc23726768d1753fd417f6e7395cb1a350373295e8e9d9f80e95ed3618e38e
    1.33.8: sha256:8259af514dc3655e8abec1a69b637f31cce2ecb940a80ae4a268e5287890f009
    1.33.7: sha256:c10813d54f58ef33bbe6675f3d39c8bd401867743ebc729afdd043265040c31d
    1.33.6: sha256:c1b84cb3482dd79e26629012f432541ccb505c17f5073aa1fdbca26b1e4909fd
    1.33.5: sha256:6761219749c6c67a56a5668dfe65d669e0c1f34d4b280b72de6d74d47c601f1e
@@ -223,15 +313,23 @@ kubeadm_checksums:
    1.33.2: sha256:5c623ec9a9b8584beba510da5c2b775c41cf51c0accdfb43af093bc084563845
    1.33.1: sha256:9a481b0a5f1cee1e071bc9a0867ca0aad5524408c2580596c00767ba1a7df0bd
    1.33.0: sha256:5a65cfec0648cabec124c41be8c61040baf2ba27a99f047db9ca08cac9344987
    1.32.11: sha256:5e191b7329897a16ea87aed75b66f561e7243691620d6b792f34d488285484ce
    1.32.10: sha256:1c5033ee113d9072a53ee1ef3a3b18e566721bb3879b49c6813c67066687afbc
    1.32.9: sha256:183b3b12e39b3ed2dc2db25cbc17769610cdd5f02e9d1325ba747d54978d8f5f
    1.32.8: sha256:da4cc996800db14f82fce8813caa55be318e52ef69d82e50e728ef4cfa18b69f
    1.32.7: sha256:dcd40af0042c559f3218dbd23bf318b850a5213528b428e1637ccb357ac32498
    1.32.6: sha256:7092527a63e5380a6be05cf6041c849ba8d13bf41a2adb2a029f44717f53439f
    1.32.5: sha256:9070c3d469f5a3e777948b63a7a5e6c5bd7682c7416547770a78880fe4293ea9
    1.32.4: sha256:445cdebd140dc0a9f4d18505821dcca77d7a21992133bf6731777f5724968255
    1.32.3: sha256:be42caa726b85b7723605ca8fea22e4a26e0d439b789a3d9d6e636a7078b3db4
    1.32.2: sha256:fb3a90f1bfc78146a8a03b50eb59aaf957a023c1c5a2b166062ef9412550bba6
    1.32.1: sha256:5ed13bb4bc1d5fb4579b8cc8c7c2245356837122f9a3fd729c2f6d1338f58dcf
    1.32.0: sha256:8a10abe691a693d6deeeb1c992bc75da9d8c76718a22327688f7eb1d7c15f0d6
  ppc64le:
    1.35.1: sha256:eec12948cfabc18115636c44aca894bf9abef3b2ea73cba180314ee3c218dcca
    1.35.0: sha256:77a466e1b6a8e28362a729541269de0a7c4a6b9e7770cccefcd745502e656b90
    1.34.4: sha256:69f1065e718ef2aa5f0287444ef97bd4a5fb8841fc0662f54ca8992a39865391
    1.34.3: sha256:2b8b48b3b0eb657e04122a158cb7fcad964fba5bd2d8e07f8eeec6f856a63ecf
    1.34.2: sha256:bea4ed6d971523da794a802de15910b08c09e23bc4c850ee3b953c4bdb0b7976
    1.34.1: sha256:ddb6bd80bee0719924ae901672b99205226badab74fb13a9e1bb6d3de49fbb21
    1.34.0: sha256:7201ba36f44187f408a036c4a545e2a3cd12943b1297092687bb66c9a1a9fed6
    1.33.8: sha256:d618fa97b5782b57512e0a8ab9ed17af190236907af7bd3c9c0776d81c78273f
    1.33.7: sha256:db2e20d0c20928ae7d68d7603020f8ffd89dcdac4fdc160ef83f1da663868bed
    1.33.6: sha256:58aaec7b5066b6e3705e0493a2f51c7f101b17165ce714c4d52a2b53861c078b
    1.33.5: sha256:b1e261109a4e22e0a417d10724bed7f71ba12c2acc167a55d89211e49c2e5eee
@@ -240,18 +338,20 @@ kubeadm_checksums:
    1.33.2: sha256:1b818900ac7af72a14f50300d6c6ad600eecdc578c37b75fa488cc654ca08c25
    1.33.1: sha256:a772834ba22478c9119f03ecca2a27a70234623d74ff1d7671ee85675a4e830b
    1.33.0: sha256:26cb7ac57d522a59c84c4784b176097d23c7b4e61874fab84ae719d0e43ac0bc
    1.32.11: sha256:c7bb0bbac734290666f6deaba731f4eae46045c94ae53501153e4167dad51d34
    1.32.10: sha256:5cfda89b98b6308f4d28e77eabc0111c3eb3c7b64baccf644ecdbcac90b258d0
    1.32.9: sha256:fcc5aa3401d130156e0b73dab192631108b77e778f3d87838419993aea1ef8d5
    1.32.8: sha256:b5e4f0da030de98f1179a148f6563d69fbfb4c35c2dd1de1d30f000805d12412
    1.32.7: sha256:d87ec6c40aef05df1cb23298aff4a7a6c5af64c8a7a1671d4274385a0601b6cb
    1.32.6: sha256:ec3fdb5f563b000c824bc4438664ae62797bf75cdcee1448e617f296cbd3e955
    1.32.5: sha256:9ace8b24eba37d960a9cafd947015722c383bd695767b7a7c8449a4f6a3f3e9e
    1.32.4: sha256:fb0223765d57c59ff4202445b3768e848b6d383dfac058b5882696bca0286053
    1.32.3: sha256:68cc7669e47575ead58563c39abf89c7faf1c70fb6733ea9c727f303f2af1abf
    1.32.2: sha256:02573483126e39c6b25c769131cf30ea7c470ad635374be343d5e76845a4ecdb
    1.32.1: sha256:ff7f1dd3f1a6a5c0cf2c9977ec7c474bd22908850e33358dd40aeba17d8375b0
    1.32.0: sha256:d79fe8cbd1d98bcbe56b8c0c3a64716603581cecf274951af49aa07748bf175a
 etcd_binary_checksums:
  arm64:
    3.6.8: sha256:438f56a700d17ce761510a3e63e6fa5c1d587b2dd4d7a22c179c09a649366760
    3.6.7: sha256:ef5fc443cf7cc5b82738f3c28363704896551900af90a6d622cae740b5644270
    3.6.6: sha256:8a15f5427c111ff4692753682374970fb68878401d946c2c28bdad6857db652f
    3.6.5: sha256:7010161787077b07de29b15b76825ceacbbcedcb77fe2e6832f509be102cab6b
    3.6.4: sha256:323421fa279f4f3d7da4c7f2dfa17d9e49529cb2b4cdf40899a7416bccdde42d
    3.6.3: sha256:4b39989093699da7502d1cdd649c412055a2bddd26b3d80ed87d0db31957075c
    3.6.2: sha256:79d0a2488967aa07ecfde79158b1dab458158522f834810c2827eecac4695a31
    3.6.1: sha256:5f8ed6e314df44128c218decbf0d146cf882583d05c6f6d9023ce905d232aaec
    3.6.0: sha256:81477b120ef66ff338fe7de63d894e5feec17e6e1f1d98507676832e089d9b58
    3.5.27: sha256:1277309f540c5a0329c428f95455c9f76d24f768c8d28fd2753e891c379053fa
    3.5.26: sha256:93ac1667df0e178ea6d152476ce4088df4075604fe4bc7f85f4719e863cd030b
    3.5.25: sha256:419dce0b679df31cc45201ef2449b7a6a48e9d241af01741957c9ac86a35badc
    3.5.24: sha256:efc01f6b3fbef0f000cb53bcad4845c116d7fdd8769ca39d9c40d2fe4d2e509f
@@ -274,16 +374,6 @@ etcd_binary_checksums:
    3.5.7: sha256:1a35314900da7db006b198dd917e923459b462128101736c63a3cda57ecdbf51
    3.5.6: sha256:888e25c9c94702ac1254c7655709b44bb3711ebaabd3cb05439f3dd1f2b51a87
  amd64:
    3.6.8: sha256:cf9cfe91a4856cb90eed9c99e6aee4b708db2c7888b88a6f116281f04b0ea693
    3.6.7: sha256:cf8af880c5a01ee5363cefa14a3e0cb7e5308dcf4ed17a6973099c9a7aee5a9a
    3.6.6: sha256:887afaa4a99f22d802ccdfbe65730a5e79aa5c9ce2c8799c67e9d804c50ecedb
    3.6.5: sha256:66bad39ed920f6fc15fd74adcb8bfd38ba9a6412f8c7852d09eb11670e88cac3
    3.6.4: sha256:4d5f3101daa534e45ccaf3eec8d21c19b7222db377bcfd5e5a9144155238c105
    3.6.3: sha256:3f3b4aa9785d86322c50b296eebdc7a0a57b27065190154b5858bf6a7512ac10
    3.6.2: sha256:4b5d55d61e2218fab7c1cc1c00b341c469159ecde8cedd575fa858683f67e9f4
    3.6.1: sha256:1324664bfe56d178d1362a57462ca5a7b26a6d2cbe9e1c94b6820e32cb82d673
    3.6.0: sha256:42305b0dcbba7b6fdff0382d0c7b99c42026c88c44847a619ab58cde216725d9
    3.5.27: sha256:0aad9a9e4e0817a021e933f9806a2b2960a62f949ad5a3d6436d8886945cb1bc
    3.5.26: sha256:0a682a91201dc8351d507210bc30b021a11e254eab806f03224b51e8fad29abb
    3.5.25: sha256:168af82b59772e1811a9af7b358d42f5c6df44e0d9767afb006ecf12c4bbd607
    3.5.24: sha256:042497e2ddcee06f22e5d486d81f58affa26b53ee423e2a6aaca3d3ea98c8191
@@ -306,16 +396,6 @@ etcd_binary_checksums:
    3.5.7: sha256:a43119af79c592a874e8f59c4f23832297849d0c479338f9df36e196b86bc396
    3.5.6: sha256:4db32e3bc06dd0999e2171f76a87c1cffed8369475ec7aa7abee9023635670fb
  ppc64le:
    3.6.8: sha256:3b9bb486b0eb8d79b30410749ec26e174db075956c9ecb533b313b9263e7ba78
    3.6.7: sha256:de3b1ed50fc8868cdd56b12b0cd81d6740bf53edbca570400a78e530e4829b7b
    3.6.6: sha256:e4f528b63a731e9b96f5d10f55ce096223fb4e1bc1778aa2535a3d47e9a129e5
    3.6.5: sha256:3cf99879c7c5b8678a0ec2edf9102b268ea934584db2850f049d89ed8e36b61c
    3.6.4: sha256:2910fc73e42e1eeb9cc7da8080b821c7649558465e0e6122e49afce832e4b9da
    3.6.3: sha256:de8ee412ee2669483fd9c730e915c5bd4fe113ba33be4a70305d13ff35e1f919
    3.6.2: sha256:bf79b9d4c7e9f86e611e73de9fe54a195bc0ad54aeb17200b1c8bda3c4119705
    3.6.1: sha256:bb87fcd0ea4b9fabf502703512c416ca1d9f4082679cb7f6dbc34bed3dfc13f6
    3.6.0: sha256:1180d06e3a3787ab65078d9a488f778a4712c59cc82d614abde80c5d06efe38f
    3.5.27: sha256:b41d488dcd579e780f49f5bd747e9386e17e1376ffb77bfff061f7944818a678
    3.5.26: sha256:9678ddaced9fcd4878b76b0b76c9c2a3638a70bdc362c9f4cb25ecc48de2c6d3
    3.5.25: sha256:0dee64e99a43a06dd9541a40a18b52c7309eb1682a2a32740d4bdf358296c007
    3.5.24: sha256:4b252266a59a00c0f608f481c836fb469d2cd0f60ecbc119c4f1fe0611910ab1
@@ -500,29 +580,29 @@ ciliumcli_binary_checksums:
    0.16.2: sha256:9cfb7ee5b1d6bd125174675e8aab6f9a09283cde699b5ac201475784ecb864f8
    0.16.1: sha256:9c3bb746e554efc788631629932ab00d13979c75799d957f6d3c17219deb6d45
    0.16.0: sha256:da98675f961833d4ffd68b1046d907b228a7d394ded2abd70a50b20eaca171c4
-calico_crds_checksums:
+calico_crds_archive_checksums:
  no_arch:
-    3.30.6: sha256:b0eb83f6d70afac27e8830f22642cd12b0692e4d1a1b5060caa9231a951e736a
+    3.30.6: sha256:d61aa5bcddfc78b0094acd54e0358009fa79e1cbe6d8c23bdacb34ff7a2c6c82
-    3.30.5: sha256:68bbe7f44693374f1379aa3fa55f254e9a689d070c26d0de26b2c9fb8d1166ab
+    3.30.5: sha256:3a38f91596c204b43c70f642a3e686d8c3fbfdfa5caa7824b716aa2f4a4e568b
-    3.30.4: sha256:be1d346a966a0be79cad7c9856ee5fc0eef8d88b70eba8d4d0bc4be057138bd3
+    3.30.4: sha256:a9398f6de6cce8f683e0ad649a21f3d3b8bb5fe4cd26e7b26b33b9a8c740274f
-    3.30.3: sha256:f813232c182229da17658f59db511acb3997e51973eeb293b57ac0dbb5ccf791
+    3.30.3: sha256:36c50905b9b62a78638bcfb9d1c4faf1efa08e2013265dcd694ec4e370b78dd7
-    3.30.2: sha256:57ccedd965f3dcbfd2a38a53b6b9e84e07232205fb83d23ed2afcee94590eed2
+    3.30.2: sha256:40885e201efb3458bb2e145928aadbe63d6a54c00dd505323776cc9cddc02825
-    3.30.1: sha256:af066bd48e68c391dec3645b94d11a1ca513398ee6c56b5a67f0eb13f13fe21e
+    3.30.1: sha256:3040a1d313bafd30e4e2dea24c2155c8d1afbe3c6e961e0a4a52482d12b32490
-    3.30.0: sha256:ee795478b6ab659ee172de74e1cf974871b37f10290dfc75f4d5eae887ba4ce0
+    3.30.0: sha256:7373910b311213d00cb6f079690c90071b68724cd01b1b4eba04831c26454e1a
-    3.29.7: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.7: sha256:d60fd083ad0279a4bd20109d01689e4eecb7a5e8c6d5e8be2b1718e6057f85e9
-    3.29.6: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.6: sha256:927e35d130d0413399735dc401e8448c783794cb8bb9e169ccdc7b00f516a698
-    3.29.5: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.5: sha256:f36d0b31aaa34f648b211d16f864f262e4700aad30ab0889b327d31c115b6a42
-    3.29.4: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.4: sha256:6d2396fde36ba59ad55a92b5b66643adcc9ee13bb2b3986b1014e2f8f95fa861
-    3.29.3: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.3: sha256:66d49b3af986944e58fede252a2c164251a63f43894181ed7401a6e11dcd8421
-    3.29.2: sha256:1620ee6f539de44bbb3ec4aa3c2687b5023d4ee30795b30663ab3423b0c5f5d5
+    3.29.2: sha256:1866b407213b6191627c0ce7be5a0d7c14a016823b3bbc2a6898c57be6c59917
-    3.29.1: sha256:aaa336bf0ef87495eccecae7eb65acaf59508a7f0a44dbeec933e05d73bbe0a0
+    3.29.1: sha256:17894ed9f7487f1418e599fdeff5db9047374dee12d560114e25ff9147a455c3
-    3.29.0: sha256:ed35a2bd383674f4d61b013f2588be1ee08b5e7a26eb3208ba6a5565ebf0175c
+    3.29.0: sha256:403a6b8616c4e97b081d7be27e9024f2f66b2d73a0ea037420a29689205b2064
-    3.28.5: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
+    3.28.5: sha256:c3ca0752eac5cab50dc9ae5bc2e3c2f8eea2d9030c1f9846d2e8563c8a8aec2c
-    3.28.4: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
+    3.28.4: sha256:a296906bd6b38187ba15669139dd6bf8bd26d0b191e9773fa0e85a5cc2d0b5e9
-    3.28.3: sha256:541635bf3e0cd409ff2f5b9b78363ac8901da4565fffaeb4c1507e19461bf4c7
+    3.28.3: sha256:b31d3aa35119359d619004fe0a8e3332529e396e8c57207ad56d58a2ed4cf3fb
-    3.28.2: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
+    3.28.2: sha256:f02a0e99e060850bd9050d4c94d37df899911a5e357e1d26e1b5b79a923bb389
-    3.28.1: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
+    3.28.1: sha256:c56f1530e7ded9d5b4afb9d83a7a24da6d2959ef7ad38521813f1c2bf138182d
-    3.28.0: sha256:f09dbaf5b25419659af654f3b50edb3a2b1ebcfeab80b0e56f7fbc79721e8ec3
+    3.28.0: sha256:ee721337db0cd847e91aae1cdfd420596896ebcb865575fd913c2f12ac2cdb76
 helm_archive_checksums:
  arm:
    3.18.4: sha256:34ea88aef15fd822e839da262176a36e865bb9cfdb89b1f723811c0cc527f981
@@ -582,7 +662,6 @@ helm_archive_checksums:
    3.16.0: sha256:d13a4b87b31a5b50c8d93dd9988dfb312a61e56504102f466a4004e5a3ab8e9e
 cri_dockerd_archive_checksums:
  arm64:
    0.3.24: sha256:c783a03735887c4a8fc894bd4cf7a1c0defef3ecf50a4d79ff31eed45c26b17e
    0.3.23: sha256:a78037d2d2e9c52c48372a5cbba7b94b1c57be5759449beef29cfe03cbe6f14b
    0.3.22: sha256:3260b214c9b12dbf0cbf4d60410c45aacfc31ba52aa7b74164135968e8950cb6
    0.3.21: sha256:35de6b1e8eba11d8ba6d71fa7499cb3d610a1e7b866c9d43b7f87029e3a769cd
@@ -602,7 +681,6 @@ cri_dockerd_archive_checksums:
    0.3.6: sha256:793b8f57cecf734c47bface10387a8e90994c570b516cb755900f21ebd0a663b
    0.3.5: sha256:c20014dc5a71e6991a3bd7e1667c744e3807b5675b1724b26bb7c70093582cfe
  amd64:
    0.3.24: sha256:dd4b7f514c248a3aaca398f467430a4c58aae9a77ea8b96a2f5b5d6fba0948d1
    0.3.23: sha256:c7fe5db7f9396186193b58ded0e62a31eca7b3c58ad8691d57017986f96482ee
    0.3.22: sha256:6621a96a885c82844d12318de00f510eae3459871cf1ad47317f38dd242f9a03
    0.3.21: sha256:6c35838bc4b1aef74f9113670e114ca729a5f295f9457b226791e18e86e91698
@@ -741,9 +819,6 @@ kata_containers_binary_checksums:
    3.5.0: sha256:fa4cf67d010244c4f8d0e6d450d04e28d1bbce5ad1a3cbc0154adff628d56c0c
 gvisor_runsc_binary_checksums:
  arm64:
    '20260209.1': sha512:e95170b4f70688d014c795ffa9b3d583753f865edfd8afb4e2969490869bdb46b60672f641741f788e2ffee8f29751a017e9a68b98c1e44f5194da9a64b0ff28
    '20260202.0': sha512:5fbb9c68efdf3a404217fb57be55051b4b5f8b83ca631101204615b87ff5b6ea8680cd6599e434f1d87fecb9071367b65e90cd8ad5df3f0b9f0101796ecc8c43
    '20260126.0': sha512:c1b42f5789c09a68eb006964048448c058776440477fac83c7fd9cef879cec40878fb2f5f2450315ca0e7f568889f0b52c842b84929784a57023961f6eb77d04
    '20260112.0': sha512:3b7925d26d71fdcb8cb552950c88bcfed658c06ad6b1211906bfe86d13bc56d8005ac90a4d9ab4c8b6a48eb62ec51ebcdfd45a64067ac5190274e710961e51ea
    '20260105.0': sha512:cc98ad73e8d181f4738c97883180bc76cf8b2eb773c11f3a44f1636d0b0e00f2ee9228e4eecd414f94d6410f4877e6c93260b8070130fba767583026115d1038
    '20251215.0': sha512:5e7d6206bce4164c9109d37dfb0b169d1c59cc256910de42799a868c3f9ba5560ef5c05c0de3fad4f0856f906463588ff25c9bce3b25e0d3f20874521dffe767
@@ -773,9 +848,6 @@ gvisor_runsc_binary_checksums:
    '20250414.0': sha512:d1ba68b20057622e58e886f472e021a473222590c936a86951005d7b97366b446ef0342b91457ffc0d7e543d54c9c06a363f2883bdd6c594799c4ca1091dabd5
    '20250407.0': sha512:cb590f72b0fbda45e89a2300e9247f12ff295a8c52653c8cf815c662d3fbbc774f9b915cdd4fad59e30694d8cc8737fe2a1a8186ab5136f7701bd6e6877a1662
  amd64:
    '20260209.1': sha512:1e0e42f7d3f4b3eded4e96be5af4dcdbecc9bca7ce40f5b9fa191210690397d71771c7c0e0835c32221261b004250fe513a9265447e62d9bf92fb6a5f7276a68
    '20260202.0': sha512:f7bb9cc5e3f5e36a6788f959361415f6d7f7cd0225b8b4d99728da4b1ac7e5c7ce9c72b4c61e424ba93db77c983109d56b54907a3b2e2b982b34058410611023
    '20260126.0': sha512:cce974fa832c50d26c6ccc08ce50b4972921cd0818ebe8007587211d360cbc828ceea4ec8296703200afa208b679437d24f27a6dca31887b3c0fc6ee8be5eb05
    '20260112.0': sha512:b36de90cdad4cfe0b9b66318407da79c035dd6dcf4c1374250011f34e511c0a29e335fe04eabb0d3fe7140131925f619f724a4702b37c49557bdeb25924b4dc8
    '20260105.0': sha512:15c8adabc9f1006d469177b0ec3962d4993e01c85be17d381a4979029eacc7db37ef354e3eafd279573135a1adf81baffc5c19f2bbfac932c79386f6ac74e52f
    '20251215.0': sha512:ea82bb66ce61a80adb6edaa61e2f2b1cd6339c504a55dd6663555010ed7f96c6234ac787bd9ecdb29ed4058e806e829fa45f14093466913dafc44d56055a5acb
@@ -806,9 +878,6 @@ gvisor_runsc_binary_checksums:
    '20250407.0': sha512:097259d6d93548bf669e21cfec5ba6a47081e43f61d22c5d8a8a4c0c209c81ac9c4454162b826f98cec49e047bbdc29c270113ab6db5519ef3e6a90f302fa47b
 gvisor_containerd_shim_binary_checksums:
  arm64:
    '20260209.1': sha512:714ad3a53a28aa4acd891553d848278f5a873d0a1733836382eaf2bf701d62ece9cef324390602d2676af5e2e3a3d329486d2b18803c9cef5685220764757eb4
    '20260202.0': sha512:714ad3a53a28aa4acd891553d848278f5a873d0a1733836382eaf2bf701d62ece9cef324390602d2676af5e2e3a3d329486d2b18803c9cef5685220764757eb4
    '20260126.0': sha512:84abf41b68ba450ed2cbbdf544e7d347d30f6fd577572e2e58f2fa8e038689f557953148287e26c8f4ee5040c1e928670f113bebca6d81ed7ce014ec4e0ad256
    '20260112.0': sha512:3215952718bd1636173649c4742e3d8e1978c410abd71bb8252c8ad6d28130cb6d66684aa089f61a0eda0b8786553620a08a9f1b5ab824bb27b1b0cf47bfb25b
    '20260105.0': sha512:cfe8a07c304dca21171e5a76614ac3605f5b1ec8f9ed2eeac014a44bc00821864f219db0e25fcc1c56cedbe335bbf34a7fa6bc57335888dcd04278bc0263f5cc
    '20251215.0': sha512:2b3a00ec2d646a1c26c1944781b5caf039ce7035dd72281ccff8e244af55606e01667de311febee1a0a03ebd2633af6ebb0ad72d27b8a966743ffe31563b3a5a
@@ -838,9 +907,6 @@ gvisor_containerd_shim_binary_checksums:
    '20250414.0': sha512:33b9c67bc7b73ca49154aff48da52029414a707b6a3a25eb4f71e861a94dec8fce220e63a162841670ddd4876f45b0e39abdf9f8c3235019c89f209684d3007d
    '20250407.0': sha512:1c3838e10c905af0cb52697712bf6bd76b94c9e9d3d07a7643cd43dc2f8dab03b4ed4693c117e555e07a158e04ee583b6b1f1cf2fb9705244ffa5fdc4af67248
  amd64:
    '20260209.1': sha512:bd21b80502be25484d8b43168c88d66b6f3e853c78c0ae5b5206c5625e2a365e98c8b3ba259453d18c01d1aa08fb7c8c1e7f122fdcd7ef806bfc2f44f5837b5e
    '20260202.0': sha512:bd21b80502be25484d8b43168c88d66b6f3e853c78c0ae5b5206c5625e2a365e98c8b3ba259453d18c01d1aa08fb7c8c1e7f122fdcd7ef806bfc2f44f5837b5e
    '20260126.0': sha512:51c3b4bc21cb5c3d4e3baf9f43e5fecd86c327abf0c84d492510f480cdfb38c90d43f3b0dbf1887ada8846d3806da79a73729acaedc570894ba6ed7cf9e083ed
    '20260112.0': sha512:89f55750488559796fe51d2c10c289a8b0617fb9f6498714c026825268eeed449941d23e8cd5b285b69c1b032005ddeec278345198301c50d89ff6d3f66871a5
    '20260105.0': sha512:7f3f5a864fda5f4e2de9db20dd5edad60b6aa467cc7c22d13f40cdce811783d66018f2c28fb74b907c6d6ac0e39f6d0e1047f1f33447b8a8682f1fbaa25edeb4
    '20251215.0': sha512:538a04d88a39de1679afd9868806bd5fdc63737a4871955fc8a8c8e183942c6cc3dbd6b34b2f5589f5f474b4826427f149d5c6abec4ca8d09db363ff5f149b4f
@@ -1321,7 +1387,7 @@ yq_checksums:
    4.40.3: sha256:2fe818a0b141913a41548e0e727267479d0f755221c73f9e304788c8e9139a45
 gateway_api_standard_crds_checksums:
  no_arch:
-    1.4.1: sha256:73b91b77f6be023a8c92c969fc664e5bd3b1a28aea59eac9ebc904607354dad2
+    1.4.1: sha256:daa2999f0978ba3e43b65fec179f82a1a690649da10aa5c7c5871165477368f8
    1.4.0: sha256:6a4029e661446d64add866a00ecdc40c14219b68777ab614c5cdaac0adb481f1
    1.3.0: sha256:78796d5c51450fc55d8dc8092ba8137f8c807982d7508d7875d5c537a24082b9
    1.2.1: sha256:97598bf6ab3b33b9b5c5432bdd24de091e4e9c3aa0575ebb0710a2a19cd64d64
@@ -1331,7 +1397,7 @@ gateway_api_standard_crds_checksums:
    1.0.0: sha256:23e4e1095c72a0587474f7fb3f85c319cdec77a083ab91237ffbdec1f1834d2a
 gateway_api_experimental_crds_checksums:
  no_arch:
-    1.4.1: sha256:553327e0ff32a1a2be446bf93823c8413cf9253ac6a6d5407eebd1e8d269f69e
+    1.4.1: sha256:d3c20dd4c0431936567a6917ca931f6dced1310242be62b9eca07bd9892e2025
    1.4.0: sha256:0414b160767377e85fd362855501200c6b83b84758bcd532652e3fe1cc677e49
    1.3.0: sha256:3e7a27e4456ff3d68606a6a8516306aaff354d6f0950b32bb31930669b7bf8b8
    1.2.1: sha256:d3aa6723a3306770cffb601ee22af3d35da43acfa1ca547fc0d3bce08dad66e7
@@ -1341,15 +1407,6 @@ gateway_api_experimental_crds_checksums:
    1.0.0: sha256:6c601dced7872a940d76fa667ae126ba718cb4c6db970d0bab49128ecc1192a3
 prometheus_operator_crds_checksums:
  no_arch:
    0.88.1: sha256:b827b8ec478e6b31cc1b85c1736570a3575953fe9f470fc29d0ffdb2803d94c4
    0.88.0: sha256:11ee66653657f3abc1bc8c41e17aa950eadb66035edb7f84cd3a1cbe4c67b2a4
    0.87.1: sha256:62490f7c1863539d61295f53784e27d70deec96a3b465832ba3cf96120e298b5
    0.87.0: sha256:a5282133ffa634405b0414d2fdc07e6fe393124d1d5072073af363689dac6a62
    0.86.2: sha256:7c9d455333ac5ea7837d5f0e4edd966698e44edd79108bafdd8508f2da503b5b
    0.86.1: sha256:9a30912ba9970a2968d7a8bf030a9f6579a5e8b312961018b5fe4c1153fc5fce
    0.86.0: sha256:0d2a590b288c79a98515e9fc4315451cfbde964c7977eb527696f7c2ebf47f58
    0.85.0: sha256:30e1b1b034ebc750d50a77dc19841176d698d524edf677276a760f9e228e1208
    0.84.1: sha256:f4a186ac58f354793e27a0b4b6f8baf5a31a9d10045e5085c23b0570dbfd30dd
    0.84.0: sha256:8990f6837ccff4461df9abe19d31d532fef11386d85d861b392249fff2502255
 argocd_install_checksums:
  no_arch:
--- a/roles/kubespray_defaults/vars/main/main.yml
+++ b/roles/kubespray_defaults/vars/main/main.yml
@@ -7,14 +7,14 @@ kube_next: "{{ ((kube_version | split('.'))[1] | int) + 1 }}"
 kube_major_next_version: "1.{{ kube_next }}"
 pod_infra_supported_versions:
  '1.35': '3.10.1'
  '1.34': '3.10.1'
  '1.33': '3.10'
  '1.32': '3.10'
 etcd_supported_versions:
  '1.35': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.7', '<'))[0] }}"
  '1.34': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
  '1.33': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
  '1.32': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 # Kubespray constants
 kube_proxy_deployed: "{{ 'addon/kube-proxy' not in kubeadm_init_phases_skip }}"
--- a/roles/network_plugin/calico/tasks/check.yml
+++ b/roles/network_plugin/calico/tasks/check.yml
@@ -27,8 +27,8 @@
 - name: Stop if supported Calico versions
  assert:
    that:
-      - "calico_version in calico_crds_checksums.no_arch.keys()"
+      - "calico_version in calico_crds_archive_checksums.no_arch.keys()"
-    msg: "Calico version not supported {{ calico_version }} not in {{ calico_crds_checksums.no_arch.keys() }}"
+    msg: "Calico version not supported {{ calico_version }} not in {{ calico_crds_archive_checksums.no_arch.keys() }}"
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -127,10 +127,12 @@
    - calico_datastore == "kdd"
  block:
    - name: Calico | Create calico manifests for kdd
-      copy:
+      assemble:
-        src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crds.yaml"
+        src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crd/"
        dest: "{{ kube_config_dir }}/kdd-crds.yml"
        mode: "0644"
        delimiter: "---\n"
        regexp: ".*\\.yaml"
        remote_src: true
    - name: Calico | Create Calico Kubernetes datastore resources
--- a/roles/network_plugin/meta/main.yml
+++ b/roles/network_plugin/meta/main.yml
@@ -0,0 +1,44 @@
 ---
 dependencies:
  - role: network_plugin/cni
    when: kube_network_plugin != 'none'
  - role: network_plugin/cilium
    when: kube_network_plugin == 'cilium' or cilium_deploy_additionally
    tags:
      - cilium
  - role: network_plugin/calico
    when: kube_network_plugin == 'calico'
    tags:
      - calico
  - role: network_plugin/flannel
    when: kube_network_plugin == 'flannel'
    tags:
      - flannel
  - role: network_plugin/macvlan
    when: kube_network_plugin == 'macvlan'
    tags:
      - macvlan
  - role: network_plugin/kube-ovn
    when: kube_network_plugin == 'kube-ovn'
    tags:
      - kube-ovn
  - role: network_plugin/kube-router
    when: kube_network_plugin == 'kube-router'
    tags:
      - kube-router
  - role: network_plugin/custom_cni
    when: kube_network_plugin == 'custom_cni'
    tags:
      - custom_cni
  - role: network_plugin/multus
    when: kube_network_plugin_multus
    tags:
      - multus
--- a/roles/network_plugin/tasks/main.yml
+++ b/roles/network_plugin/tasks/main.yml
@@ -1,47 +0,0 @@
 ---
 - name: Container Network Interface plugin
  include_role:
    name: network_plugin/cni
  when: kube_network_plugin != 'none'
 - name: Network plugin
  include_role:
    name: "network_plugin/{{ kube_network_plugin }}"
    apply:
      tags:
        - "{{ kube_network_plugin }}"
        - network
  when:
    - kube_network_plugin != 'none'
  tags:
    - cilium
    - calico
    - flannel
    - macvlan
    - kube-ovn
    - kube-router
    - custom_cni
 - name: Cilium additional
  include_role:
    name: network_plugin/cilium
    apply:
      tags:
        - cilium
        - network
  when:
    - kube_network_plugin != 'cilium'
    - cilium_deploy_additionally
  tags:
    - cilium
 - name: Multus
  include_role:
    name: network_plugin/multus
    apply:
      tags:
        - multus
        - network
  when: kube_network_plugin_multus
  tags:
    - multus
--- a/roles/remove-node/post-remove/tasks/main.yml
+++ b/roles/remove-node/post-remove/tasks/main.yml
@@ -1,11 +1,11 @@
 ---
 - name: Remove-node | Delete node
-  command: "{{ kubectl }} delete node {{ kube_override_hostname }}"
+  command: "{{ kubectl }} delete node {{ kube_override_hostname | default(inventory_hostname) }}"
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  when:
    - groups['kube_control_plane'] | length > 0
    # ignore servers that are not nodes
-    - ('k8s_cluster' in group_names) and kube_override_hostname in nodes.stdout_lines
+    - ('k8s_cluster' in group_names) and kube_override_hostname | default(inventory_hostname) in nodes.stdout_lines
  retries: "{{ delete_node_retries }}"
  # Sometimes the api-server can have a short window of indisponibility when we delete a control plane node
  delay: "{{ delete_node_delay_seconds }}"
--- a/roles/remove-node/remove-etcd-node/tasks/main.yml
+++ b/roles/remove-node/remove-etcd-node/tasks/main.yml
@@ -21,10 +21,6 @@
      - "{{ bin_dir }}/etcdctl"
      - member
      - remove
-      - "{{ '%x' | format(etcd_removed_nodes[0].ID) }}"
+      - "{{ '%x' | format(((etcd_members.stdout | from_json).members | selectattr('peerURLs.0', '==', etcd_peer_url))[0].ID) }}"
    vars:
      etcd_removed_nodes: "{{ (etcd_members.stdout | from_json).members | selectattr('peerURLs.0', '==', etcd_peer_url) }}"
      # This should always have at most one member, since the etcd_peer_url should be unique in the etcd cluster
    when: etcd_removed_nodes != []
    register: etcd_removal_output
    changed_when: "'Removed member' in etcd_removal_output.stdout"
--- a/roles/remove_node/pre_remove/tasks/main.yml
+++ b/roles/remove_node/pre_remove/tasks/main.yml
@@ -16,11 +16,11 @@
      --ignore-daemonsets
      --grace-period {{ drain_grace_period }}
      --timeout {{ drain_timeout }}
-      --delete-emptydir-data {{ kube_override_hostname }}
+      --delete-emptydir-data {{ kube_override_hostname | default(inventory_hostname) }}
  when:
    - groups['kube_control_plane'] | length > 0
    # ignore servers that are not nodes
-    - kube_override_hostname in nodes.stdout_lines
+    - kube_override_hostname | default(inventory_hostname) in nodes.stdout_lines
  register: result
  failed_when: result.rc != 0 and not allow_ungraceful_removal
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
@@ -34,10 +34,10 @@
  register: nodes_with_volumes
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  changed_when: false
-  until: not (kube_override_hostname in nodes_with_volumes.stdout_lines)
+  until: not (kube_override_hostname | default(inventory_hostname) in nodes_with_volumes.stdout_lines)
  retries: 3
  delay: "{{ drain_grace_period }}"
  when:
    - groups['kube_control_plane'] | length > 0
    - not allow_ungraceful_removal
-    - kube_override_hostname in nodes.stdout_lines
+    - kube_override_hostname | default(inventory_hostname) in nodes.stdout_lines
--- a/roles/system_packages/defaults/main.yml
+++ b/roles/system_packages/defaults/main.yml
@@ -1,5 +1,4 @@
 ---
 # number of times package install task should be retried
 pkg_install_retries: 4
 pkg_install_timeout: "{{ 5 * 60 }}"
 yum_repo_dir: /etc/yum.repos.d
--- a/roles/system_packages/tasks/main.yml
+++ b/roles/system_packages/tasks/main.yml
@@ -34,20 +34,9 @@
  tags:
    - bootstrap_os
 # Remove this after ansible-core >= 2.19.0
 # See https://github.com/kubernetes-sigs/kubespray/pull/12138#issuecomment-3019304574
 - name: Install python3-libdnf5 on Fedora >= 41
  raw: >
    dnf install --assumeyes python3-libdnf5
  become: true
  retries: "{{ pkg_install_retries }}"
  when:
    - ansible_distribution == "Fedora"
    - ansible_distribution_major_version | int >= 41
 - name: Manage packages
  package:
-    name: "{{ item.packages }}"
+    name: "{{ item.packages | dict2items | selectattr('value', 'ansible.builtin.all') | map(attribute='key') }}"
    state: "{{ item.state }}"
    update_cache: "{{ true if ansible_pkg_mgr in ['zypper', 'apt', 'dnf'] else omit }}"
    cache_valid_time: "{{ 86400 if ansible_pkg_mgr == 'apt' else omit }}" # 24h
@@ -55,19 +44,11 @@
  until: pkgs_task_result is succeeded
  retries: "{{ pkg_install_retries }}"
  delay: "{{ retry_stagger | random + 3 }}"
-  when:
+  when: not (ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos)
    - ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
    - not is_fedora_coreos
    - item.packages != []
  loop:
-    - packages: "{{ pkgs_to_remove | dict2items | selectattr('value', 'ansible.builtin.all') | map(attribute='key') }}"
+    - { packages: "{{ pkgs_to_remove }}", state: "absent", action_label: "remove" }
-      state: "absent"
+    - { packages: "{{ pkgs }}", state: "present", action_label: "install" }
      action_label: "remove"
    - packages: "{{ pkgs | dict2items | selectattr('value', 'ansible.builtin.all') | map(attribute='key') }}"
      state: "present"
      action_label: "install"
  loop_control:
    label: "{{ item.action_label }}"
  tags:
    - bootstrap_os
  timeout: "{{ pkg_install_timeout }}"
--- a/roles/validate_inventory/tasks/main.yml
+++ b/roles/validate_inventory/tasks/main.yml
@@ -6,17 +6,6 @@
 # -> nothing depending on facts or similar cluster state
 # Checks depending on current state (of the nodes or the cluster)
 # should be in roles/kubernetes/preinstall/tasks/0040-verify-settings.yml
 - name: Fail if removed variables are used
  vars:
    # Always remove items from this list after the release in comments
    removed_vars:
      - kubelet_static_pod_path # 2.31.0
    removed_vars_found: "{{ query('varnames', '^' + (removed_vars | join('|')) + '$') }}"
  assert:
    that: removed_vars_found | length == 0
    fail_msg: "Removed variables present: {{ removed_vars_found | join(', ') }}"
  run_once: true
 - name: Stop if kube_control_plane group is empty
  assert:
    that: groups.get( 'kube_control_plane' )
@@ -78,6 +67,13 @@
    - kube_network_plugin not in ['calico', 'none']
    - ipv4_stack | bool
 - name: Stop if RBAC is not enabled when dashboard is enabled
  assert:
    that: rbac_enabled
  when:
    - dashboard_enabled
    - not ignore_assert_errors
 - name: Check cloud_provider value
  assert:
    that: cloud_provider == 'external'
--- a/scripts/component_hash_update/pyproject.toml
+++ b/scripts/component_hash_update/pyproject.toml
@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "kubespray_component_hash_update"
-version = "1.0.1"
+version = "1.0.0"
 dependencies = [
  "more_itertools",
  "ruamel.yaml",
--- a/scripts/component_hash_update/src/component_hash_update/components.py
+++ b/scripts/component_hash_update/src/component_hash_update/components.py
@@ -7,8 +7,8 @@ infos = {
        "url": "https://github.com/projectcalico/calico/releases/download/v{version}/SHA256SUMS",
        "graphql_id": "R_kgDOA87D0g",
    },
-    "calico_crds": {
+    "calico_crds_archive": {
-        "url": "https://github.com/projectcalico/calico/raw/v{version}/manifests/crds.yaml",
+        "url": "https://github.com/projectcalico/calico/archive/v{version}.tar.gz",
        "graphql_id": "R_kgDOA87D0g",
        "binary": True,
    },
--- a/scripts/component_hash_update/src/component_hash_update/download.py
+++ b/scripts/component_hash_update/src/component_hash_update/download.py
@@ -126,20 +126,15 @@ def download_hash(downloads: {str: {str: Any}}) -> None:
    releases, tags = map(
        dict, partition(lambda r: r[1].get("tags", False), downloads.items())
    )
-    unique_release_ids = list(dict.fromkeys(
+    repos = {
-        r["graphql_id"] for r in releases.values()
+        "with_releases": [r["graphql_id"] for r in releases.values()],
-    ))
+        "with_tags": [t["graphql_id"] for t in tags.values()],
-    unique_tag_ids = list(dict.fromkeys(
+    }
        t["graphql_id"] for t in tags.values()
    ))
    response = s.post(
        "https://api.github.com/graphql",
        json={
            "query": files(__package__).joinpath("list_releases.graphql").read_text(),
-            "variables": {
+            "variables": repos,
                "with_releases": unique_release_ids,
                "with_tags": unique_tag_ids,
            },
        },
        headers={
            "Authorization": f"Bearer {os.environ['API_KEY']}",
@@ -160,30 +155,31 @@ def download_hash(downloads: {str: {str: Any}}) -> None:
        except InvalidVersion:
            return None
-    resp_data = response.json()["data"]
+    repos = response.json()["data"]
-    release_versions_by_id = {
+    github_versions = dict(
-        gql_id: {
+        zip(
-            v
+            chain(releases.keys(), tags.keys()),
-            for r in repo["releases"]["nodes"]
+            [
-            if not r["isPrerelease"]
+                {
-            and (v := valid_version(r["tagName"])) is not None
+                    v
-        }
+                    for r in repo["releases"]["nodes"]
-        for gql_id, repo in zip(unique_release_ids, resp_data["with_releases"])
+                    if not r["isPrerelease"]
-    }
+                    and (v := valid_version(r["tagName"])) is not None
-    tag_versions_by_id = {
+                }
-        gql_id: {
+                for repo in repos["with_releases"]
-            v
+            ]
-            for t in repo["refs"]["nodes"]
+            + [
-            if (v := valid_version(t["name"].removeprefix("release-")))
+                {
-            is not None
+                    v
-        }
+                    for t in repo["refs"]["nodes"]
-        for gql_id, repo in zip(unique_tag_ids, resp_data["with_tags"])
+                    if (v := valid_version(t["name"].removeprefix("release-")))
-    }
+                    is not None
-    github_versions = {}
+                }
-    for name, info in releases.items():
+                for repo in repos["with_tags"]
-        github_versions[name] = release_versions_by_id[info["graphql_id"]]
+            ],
-    for name, info in tags.items():
+            strict=True,
-        github_versions[name] = tag_versions_by_id[info["graphql_id"]]
+        )
    )
    components_supported_arch = {
        component.removesuffix("_checksums"): [a for a in archs.keys()]
--- a/scripts/readme_versions.md.j2
+++ b/scripts/readme_versions.md.j2
@@ -16,6 +16,7 @@
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) {{ cert_manager_version }}
  - [coredns](https://github.com/coredns/coredns) {{ coredns_version }}
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) {{ ingress_nginx_version }}
  - [argocd](https://argoproj.github.io/) {{ argocd_version }}
  - [helm](https://helm.sh/) {{ helm_version }}
  - [metallb](https://metallb.universe.tf/) {{ metallb_version }}
--- a/tests/cloud_playbooks/roles/packet-ci/defaults/main.yml
+++ b/tests/cloud_playbooks/roles/packet-ci/defaults/main.yml
@@ -4,7 +4,7 @@
 vm_cpu_cores: 2
 vm_cpu_sockets: 1
 vm_cpu_threads: 2
-vm_memory: 4096
+vm_memory: 2048
 releases_disk_size: 2Gi
 # Request/Limit allocation settings
--- a/tests/common_vars.yml
+++ b/tests/common_vars.yml
@@ -38,9 +38,3 @@ flannel_image_repo: "{{ quay_image_repo }}/kubespray/flannel"
 flannel_init_image_repo: "{{ quay_image_repo }}/kubespray/flannel-cni-plugin"
 local_release_dir: "{{ '/tmp/releases' if inventory_hostname != 'localhost' else (lookup('env', 'PWD') + '/downloads') }}"
 hydrophone_version: "0.7.0"
 hydrophone_arch: "x86_64"
 hydrophone_checksum: "sha256:15a6c09962f9bd4a1587af068b5edef1072327a77012d8fbb84992c7c87c0475"
 hydrophone_parallel: 1
 hydrophone_path: "{{ bin_dir }}/hydrophone"
--- a/tests/files/almalinux9-calico.yml
+++ b/tests/files/almalinux9-calico.yml
@@ -5,6 +5,8 @@ vm_memory: 3072
 # Kubespray settings
 metrics_server_enabled: true
 dashboard_namespace: "kube-dashboard"
 dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy
 local_path_provisioner_enabled: true
--- a/tests/files/custom_cni/cilium.yaml
+++ b/tests/files/custom_cni/cilium.yaml
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`requires_ansible: ">=2.18.0,<2.19.0"`	`requires_ansible: ">=2.17.3"`