[2.26] Update to last patch versions (runc, nerdctl, etcd) (#11576) (#12817)

* Update etcd, containerd, runc, nerdctl versions

* Update etcd and containerd versions in README

Co-authored-by: janosbabik <143906591+janosbabik@users.noreply.github.com>

.github/dependabot.yml

@@ -4,4 +4,6 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    labels: [ "dependencies" ]
+    labels:
+      - dependencies
+      - release-note-none

.gitlab-ci.yml

@@ -6,7 +6,7 @@ stages:
   - deploy-extended
 
 variables:
-  KUBESPRAY_VERSION: v2.24.1
+  KUBESPRAY_VERSION: v2.25.0
   FAILFASTCI_NAMESPACE: 'kargo-ci'
   GITLAB_REPOSITORY: 'kargo-ci/kubernetes-sigs-kubespray'
   ANSIBLE_FORCE_COLOR: "true"

.gitlab-ci/packet.yml

@@ -88,6 +88,11 @@ packet_ubuntu20-crio:
 packet_ubuntu22-calico-all-in-one:
   extends: .packet_pr
 
+packet_ubuntu22-calico-all-in-one-upgrade:
+  extends: .packet_pr
+  variables:
+    UPGRADE_TEST: graceful
+
 packet_ubuntu24-calico-etcd-datastore:
   extends: .packet_pr
 
@@ -114,8 +119,13 @@ packet_rockylinux9-cilium:
   variables:
     RESET_CHECK: "true"
 
+# Need an update of the container image to use schema v2
+# update: quay.io/kubespray/vm-amazon-linux-2:latest
 packet_amazon-linux-2-all-in-one:
-  extends: .packet_pr
+  extends: .packet_pr_manual
+  rules:
+    - when: manual
+      allow_failure: true
 
 packet_opensuse-docker-cilium:
   extends: .packet_pr

.pre-commit-config.yaml

@@ -39,14 +39,14 @@ repos:
     hooks:
       - id: ansible-lint
         additional_dependencies:
-          - ansible==9.5.1
+          - ansible==9.8.0
           - jsonschema==4.22.0
           - jmespath==1.0.1
-          - netaddr==1.2.1
+          - netaddr==1.3.0
+          - distlib
 
-  - repo: https://github.com/VannTen/misspell
-    # Waiting on https://github.com/golangci/misspell/pull/19 to get merged
-    rev: 8592a4e
+  - repo: https://github.com/golangci/misspell
+    rev: v0.6.0
     hooks:
       - id: misspell
         exclude: "OWNERS_ALIASES$"
@@ -61,14 +61,6 @@ repos:
         additional_dependencies:
           - ansible==9.5.1
 
-      - id: tox-inventory-builder
-        name: tox-inventory-builder
-        entry: bash -c "cd contrib/inventory_builder && tox"
-        language: python
-        pass_filenames: false
-        additional_dependencies:
-          - tox==4.15.0
-
       - id: check-readme-versions
         name: check-readme-versions
         entry: tests/scripts/check_readme_versions.sh
@@ -80,6 +72,7 @@ repos:
         language: python
         additional_dependencies:
           - ansible-core>=2.16.4
+          - distlib
         entry: tests/scripts/collection-build-install.sh
         pass_filenames: false
 

.yamllint

@@ -6,7 +6,7 @@ ignore: |
   .github/
   # Generated file
   tests/files/custom_cni/cilium.yaml
-
+# https://ansible.readthedocs.io/projects/lint/rules/yaml/
 rules:
   braces:
     min-spaces-inside: 0
@@ -14,9 +14,15 @@ rules:
   brackets:
     min-spaces-inside: 0
     max-spaces-inside: 1
+  comments:
+    min-spaces-from-content: 1
+  # https://github.com/adrienverge/yamllint/issues/384
+  comments-indentation: false
   indentation:
     spaces: 2
     indent-sequences: consistent
   line-length: disable
   new-line-at-end-of-file: disable
-  truthy: disable
+  octal-values:
+    forbid-implicit-octal: true # yamllint defaults to false
+    forbid-explicit-octal: true # yamllint defaults to false

README.md

@@ -75,11 +75,11 @@ You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mou
 to access the inventory and SSH key in the container, like this:
 
 ```ShellSession
-git checkout v2.25.1
-docker pull quay.io/kubespray/kubespray:v2.25.1
+git checkout v2.25.0
+docker pull quay.io/kubespray/kubespray:v2.25.0
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
   --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.25.1 bash
+  quay.io/kubespray/kubespray:v2.25.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
@@ -143,11 +143,11 @@ vagrant up
 - **Flatcar Container Linux by Kinvolk**
 - **Debian** Bookworm, Bullseye
 - **Ubuntu** 20.04, 22.04, 24.04
-- **CentOS/RHEL** 7, [8, 9](docs/operating_systems/centos.md#centos-8)
+- **CentOS/RHEL** [8, 9](docs/operating_systems/centos.md#centos-8)
 - **Fedora** 37, 38
 - **Fedora CoreOS** (see [fcos Note](docs/operating_systems/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
-- **Oracle Linux** 7, [8, 9](docs/operating_systems/centos.md#centos-8)
+- **Oracle Linux** [8, 9](docs/operating_systems/centos.md#centos-8)
 - **Alma Linux** [8, 9](docs/operating_systems/centos.md#centos-8)
 - **Rocky Linux** [8, 9](docs/operating_systems/centos.md#centos-8)
 - **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/operating_systems/kylinlinux.md))
@@ -160,28 +160,28 @@ Note: Upstart/SysV init based OS types are not supported.
 ## Supported Components
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.29.10
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.30.6
   - [etcd](https://github.com/etcd-io/etcd) v3.5.16
   - [docker](https://www.docker.com/) v26.1
-  - [containerd](https://containerd.io/) v1.7.22
-  - [cri-o](http://cri-o.io/) v1.29.1 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) v1.7.23
+  - [cri-o](http://cri-o.io/) v1.30.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
-  - [calico](https://github.com/projectcalico/calico) v3.27.4
+  - [calico](https://github.com/projectcalico/calico) v3.28.1
   - [cilium](https://github.com/cilium/cilium) v1.15.4
   - [flannel](https://github.com/flannel-io/flannel) v0.22.0
-  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5
+  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0
   - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8
-  - [weave](https://github.com/weaveworks/weave) v2.8.1
+  - [weave](https://github.com/rajch/weave) v2.8.7
   - [kube-vip](https://github.com/kube-vip/kube-vip) v0.8.0
 - Application
-  - [cert-manager](https://github.com/jetstack/cert-manager) v1.13.2
+  - [cert-manager](https://github.com/jetstack/cert-manager) v1.14.7
   - [coredns](https://github.com/coredns/coredns) v1.11.1
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.2
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.11.5
   - [krew](https://github.com/kubernetes-sigs/krew) v0.4.4
   - [argocd](https://argoproj.github.io/) v2.11.0
-  - [helm](https://helm.sh/) v3.14.4
+  - [helm](https://helm.sh/) v3.15.4
   - [metallb](https://metallb.universe.tf/)  v0.13.9
   - [registry](https://github.com/distribution/distribution) v2.8.1
 - Storage Plugin
@@ -189,11 +189,11 @@ Note: Upstart/SysV init based OS types are not supported.
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
   - [aws-ebs-csi-plugin](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) v0.5.0
   - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
-  - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.29.0
+  - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.30.0
   - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2
   - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.24
   - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0
-  - [node-feature-discovery](https://github.com/kubernetes-sigs/node-feature-discovery) v0.14.2
+  - [node-feature-discovery](https://github.com/kubernetes-sigs/node-feature-discovery) v0.16.4
 
 ## Container Runtime Notes
 
@@ -201,7 +201,7 @@ Note: Upstart/SysV init based OS types are not supported.
 
 ## Requirements
 
-- **Minimum required version of Kubernetes is v1.27**
+- **Minimum required version of Kubernetes is v1.28**
 - **Ansible v2.14+, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands**
 - The target servers must have **access to the Internet** in order to pull docker images. Otherwise, additional configuration is required (See [Offline Environment](docs/operations/offline-environment.md))
 - The target servers are configured to allow **IPv4 forwarding**.

RELEASE.md

@@ -16,6 +16,7 @@ The Kubespray Project is released on an as-needed basis. The process is as follo
 1. The release issue is closed
 1. An announcement email is sent to `dev@kubernetes.io` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
 1. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
+1. Create/Update Issue for upgradeing kubernetes and [k8s-conformance](https://github.com/cncf/k8s-conformance)
 
 ## Major/minor releases and milestones
 

Vagrantfile

@@ -1,7 +1,7 @@
 # -*- mode: ruby -*-
 # # vi: set ft=ruby :
 
-# For help on using kubespray with vagrant, check out docs/vagrant.md
+# For help on using kubespray with vagrant, check out docs/developers/vagrant.md
 
 require 'fileutils'
 
@@ -22,8 +22,6 @@ SUPPORTED_OS = {
   "ubuntu2004"          => {box: "generic/ubuntu2004",         user: "vagrant"},
   "ubuntu2204"          => {box: "generic/ubuntu2204",         user: "vagrant"},
   "ubuntu2404"          => {box: "bento/ubuntu-24.04",         user: "vagrant"},
-  "centos"              => {box: "centos/7",                   user: "vagrant"},
-  "centos-bento"        => {box: "bento/centos-7.6",           user: "vagrant"},
   "centos8"             => {box: "centos/8",                   user: "vagrant"},
   "centos8-bento"       => {box: "bento/centos-8",             user: "vagrant"},
   "almalinux8"          => {box: "almalinux/8",                user: "vagrant"},
@@ -36,7 +34,6 @@ SUPPORTED_OS = {
   "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
   "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
   "oraclelinux8"        => {box: "generic/oracle8",            user: "vagrant"},
-  "rhel7"               => {box: "generic/rhel7",              user: "vagrant"},
   "rhel8"               => {box: "generic/rhel8",              user: "vagrant"},
   "debian11"            => {box: "debian/bullseye64",          user: "vagrant"},
   "debian12"            => {box: "debian/bookworm64",          user: "vagrant"},

ansible.cfg

@@ -11,6 +11,7 @@ gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = /tmp
 fact_caching_timeout = 86400
+timeout = 300
 stdout_callback = default
 display_skipped_hosts = no
 library = ./library

contrib/azurerm/generate-inventory.yml

@@ -1,6 +1,6 @@
 ---
 - name: Generate Azure inventory
   hosts: localhost
-  gather_facts: False
+  gather_facts: false
   roles:
     - generate-inventory

contrib/azurerm/generate-inventory_2.yml

@@ -1,6 +1,6 @@
 ---
 - name: Generate Azure inventory
   hosts: localhost
-  gather_facts: False
+  gather_facts: false
   roles:
     - generate-inventory_2

contrib/azurerm/generate-templates.yml

@@ -1,6 +1,6 @@
 ---
 - name: Generate Azure templates
   hosts: localhost
-  gather_facts: False
+  gather_facts: false
   roles:
     - generate-templates

contrib/azurerm/roles/generate-inventory/tasks/main.yml

@@ -12,4 +12,4 @@
   template:
     src: inventory.j2
     dest: "{{ playbook_dir }}/inventory"
-    mode: 0644
+    mode: "0644"

contrib/azurerm/roles/generate-inventory_2/tasks/main.yml

@@ -22,10 +22,10 @@
   template:
     src: inventory.j2
     dest: "{{ playbook_dir }}/inventory"
-    mode: 0644
+    mode: "0644"
 
 - name: Generate Load Balancer variables
   template:
     src: loadbalancer_vars.j2
     dest: "{{ playbook_dir }}/loadbalancer_vars.yml"
-    mode: 0644
+    mode: "0644"

contrib/azurerm/roles/generate-templates/tasks/main.yml

@@ -8,13 +8,13 @@
     path: "{{ base_dir }}"
     state: directory
     recurse: true
-    mode: 0755
+    mode: "0755"
 
 - name: Store json files in base_dir
   template:
     src: "{{ item }}"
     dest: "{{ base_dir }}/{{ item }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - network.json
     - storage.json

contrib/dind/dind-cluster.yaml

@@ -1,7 +1,7 @@
 ---
 - name: Create nodes as docker containers
   hosts: localhost
-  gather_facts: False
+  gather_facts: false
   roles:
     - { role: dind-host }
 

contrib/dind/group_vars/all/distro.yaml

@@ -18,7 +18,7 @@ distro_settings:
     init: |
       /sbin/init
   centos: &CENTOS
-    image: "centos:7"
+    image: "centos:8"
     user: "centos"
     pid1_exe: /usr/lib/systemd/systemd
     init: |

contrib/dind/kubespray-dind.yaml

@@ -15,7 +15,7 @@ docker_storage_options: -s overlay2 --storage-opt overlay2.override_kernel_check
 
 dns_mode: coredns
 
-deploy_netchecker: True
+deploy_netchecker: true
 netcheck_agent_image_repo: quay.io/l23network/k8s-netchecker-agent
 netcheck_server_image_repo: quay.io/l23network/k8s-netchecker-server
 netcheck_agent_image_tag: v1.0

contrib/dind/roles/dind-cluster/tasks/main.yaml

@@ -14,7 +14,7 @@
     src: "/bin/true"
     dest: "{{ item }}"
     state: link
-    force: yes
+    force: true
   with_items:
     # DIND box may have swap enable, don't bother
     - /sbin/swapoff
@@ -35,7 +35,7 @@
       path-exclude=/usr/share/doc/*
       path-include=/usr/share/doc/*/copyright
     dest: /etc/dpkg/dpkg.cfg.d/01_nodoc
-    mode: 0644
+    mode: "0644"
   when:
     - ansible_os_family == 'Debian'
 
@@ -58,13 +58,13 @@
     name: "{{ distro_user }}"
     uid: 1000
     # groups: sudo
-    append: yes
+    append: true
 
 - name: Allow password-less sudo to "{{ distro_user }}"
   copy:
     content: "{{ distro_user }} ALL=(ALL) NOPASSWD:ALL"
     dest: "/etc/sudoers.d/{{ distro_user }}"
-    mode: 0640
+    mode: "0640"
 
 - name: "Add my pubkey to {{ distro_user }} user authorized keys"
   ansible.posix.authorized_key:

contrib/dind/roles/dind-host/tasks/main.yaml

@@ -19,7 +19,7 @@
     state: started
     hostname: "{{ item }}"
     command: "{{ distro_init }}"
-    # recreate: yes
+    # recreate: true
     privileged: true
     tmpfs:
       - /sys/module/nf_conntrack/parameters
@@ -42,7 +42,7 @@
   template:
     src: inventory_builder.sh.j2
     dest: /tmp/kubespray.dind.inventory_builder.sh
-    mode: 0755
+    mode: "0755"
   tags:
     - addresses
 

contrib/kvm-setup/kvm-setup.yml

@@ -1,8 +1,8 @@
 ---
 - name: Prepare Hypervisor to later install kubespray VMs
   hosts: localhost
-  gather_facts: False
-  become: yes
+  gather_facts: false
+  become: true
   vars:
     bootstrap_os: none
   roles:

contrib/kvm-setup/roles/kvm-setup/tasks/main.yml

@@ -11,12 +11,12 @@
 
 - name: Install required packages
   apt:
-    upgrade: yes
-    update_cache: yes
+    upgrade: true
+    update_cache: true
     cache_valid_time: 3600
     name: "{{ item }}"
     state: present
-    install_recommends: no
+    install_recommends: false
   with_items:
     - dnsutils
     - ntp

contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml

@@ -20,7 +20,7 @@
       br-netfilter
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   when: br_netfilter is defined
 
 
@@ -30,7 +30,7 @@
     value: 1
     sysctl_file: "{{ sysctl_file_path }}"
     state: present
-    reload: yes
+    reload: true
 
 - name: Set bridge-nf-call-{arptables,iptables} to 0
   ansible.posix.sysctl:
@@ -38,7 +38,7 @@
     state: present
     value: 0
     sysctl_file: "{{ sysctl_file_path }}"
-    reload: yes
+    reload: true
   with_items:
     - net.bridge.bridge-nf-call-arptables
     - net.bridge.bridge-nf-call-ip6tables

contrib/kvm-setup/roles/kvm-setup/tasks/user.yml

@@ -11,7 +11,7 @@
     state: directory
     owner: "{{ k8s_deployment_user }}"
     group: "{{ k8s_deployment_user }}"
-    mode: 0700
+    mode: "0700"
 
 - name: Configure sudo for deployment user
   copy:
@@ -20,13 +20,13 @@
     dest: "/etc/sudoers.d/55-k8s-deployment"
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
 
 - name: Write private SSH key
   copy:
     src: "{{ k8s_deployment_user_pkey_path }}"
     dest: "/home/{{ k8s_deployment_user }}/.ssh/id_rsa"
-    mode: 0400
+    mode: "0400"
     owner: "{{ k8s_deployment_user }}"
     group: "{{ k8s_deployment_user }}"
   when: k8s_deployment_user_pkey_path is defined
@@ -41,7 +41,7 @@
 - name: Fix ssh-pub-key permissions
   file:
     path: "/home/{{ k8s_deployment_user }}/.ssh/authorized_keys"
-    mode: 0600
+    mode: "0600"
     owner: "{{ k8s_deployment_user }}"
     group: "{{ k8s_deployment_user }}"
   when: k8s_deployment_user_pkey_path is defined

contrib/mitogen/mitogen.yml

@@ -14,7 +14,7 @@
       file:
         path: "{{ item }}"
         state: directory
-        mode: 0755
+        mode: "0755"
       become: false
       loop:
         - "{{ playbook_dir }}/plugins/mitogen"
@@ -25,7 +25,7 @@
         url: "{{ mitogen_url }}"
         dest: "{{ playbook_dir }}/dist/mitogen_{{ mitogen_version }}.tar.gz"
         validate_certs: true
-        mode: 0644
+        mode: "0644"
 
     - name: Extract archive
       unarchive:
@@ -40,7 +40,7 @@
     - name: Add strategy to ansible.cfg
       community.general.ini_file:
         path: ansible.cfg
-        mode: 0644
+        mode: "0644"
         section: "{{ item.section | d('defaults') }}"
         option: "{{ item.option }}"
         value: "{{ item.value }}"

contrib/network-storage/glusterfs/roles/glusterfs/README.md

@@ -21,7 +21,7 @@ glusterfs_default_release: ""
 You can specify a `default_release` for apt on Debian/Ubuntu by overriding this variable. This is helpful if you need a different package or version for the main GlusterFS packages (e.g. GlusterFS 3.5.x instead of 3.2.x with the `wheezy-backports` default release on Debian Wheezy).
 
 ```yaml
-glusterfs_ppa_use: yes
+glusterfs_ppa_use: true
 glusterfs_ppa_version: "3.5"
 ```
 

contrib/network-storage/glusterfs/roles/glusterfs/client/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 # For Ubuntu.
 glusterfs_default_release: ""
-glusterfs_ppa_use: yes
+glusterfs_ppa_use: true
 glusterfs_ppa_version: "4.1"
 
 # Gluster configuration.

contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/main.yml

@@ -15,7 +15,7 @@
   file:
     path: "{{ item }}"
     state: directory
-    mode: 0775
+    mode: "0775"
   with_items:
     - "{{ gluster_mount_dir }}"
   when: ansible_os_family in ["Debian","RedHat"] and groups['gfs-cluster'] is defined

contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/setup-Debian.yml

@@ -3,7 +3,7 @@
   apt_repository:
     repo: 'ppa:gluster/glusterfs-{{ glusterfs_ppa_version }}'
     state: present
-    update_cache: yes
+    update_cache: true
   register: glusterfs_ppa_added
   when: glusterfs_ppa_use
 

contrib/network-storage/glusterfs/roles/glusterfs/server/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 # For Ubuntu.
 glusterfs_default_release: ""
-glusterfs_ppa_use: yes
+glusterfs_ppa_use: true
 glusterfs_ppa_version: "3.12"
 
 # Gluster configuration.

contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml

@@ -43,13 +43,13 @@
   service:
     name: "{{ glusterfs_daemon }}"
     state: started
-    enabled: yes
+    enabled: true
 
 - name: Ensure Gluster brick and mount directories exist.
   file:
     path: "{{ item }}"
     state: directory
-    mode: 0775
+    mode: "0775"
   with_items:
     - "{{ gluster_brick_dir }}"
     - "{{ gluster_mount_dir }}"
@@ -62,7 +62,7 @@
     replicas: "{{ groups['gfs-cluster'] | length }}"
     cluster: "{% for item in groups['gfs-cluster'] -%}{{ hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4['address']) }}{% if not loop.last %},{% endif %}{%- endfor %}"
     host: "{{ inventory_hostname }}"
-    force: yes
+    force: true
   run_once: true
   when: groups['gfs-cluster'] | length > 1
 
@@ -73,7 +73,7 @@
     brick: "{{ gluster_brick_dir }}"
     cluster: "{% for item in groups['gfs-cluster'] -%}{{ hostvars[item]['ip'] | default(hostvars[item].ansible_default_ipv4['address']) }}{% if not loop.last %},{% endif %}{%- endfor %}"
     host: "{{ inventory_hostname }}"
-    force: yes
+    force: true
   run_once: true
   when: groups['gfs-cluster'] | length <= 1
 
@@ -101,7 +101,7 @@
   template:
     dest: "{{ gluster_mount_dir }}/.test-file.txt"
     src: test-file.txt
-    mode: 0644
+    mode: "0644"
   when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]
 
 - name: Unmount glusterfs

contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/setup-Debian.yml

@@ -3,7 +3,7 @@
   apt_repository:
     repo: 'ppa:gluster/glusterfs-{{ glusterfs_ppa_version }}'
     state: present
-    update_cache: yes
+    update_cache: true
   register: glusterfs_ppa_added
   when: glusterfs_ppa_use
 

contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml

@@ -3,7 +3,7 @@
   template:
     src: "{{ item.file }}"
     dest: "{{ kube_config_dir }}/{{ item.dest }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - { file: glusterfs-kubernetes-endpoint.json.j2, type: ep, dest: glusterfs-kubernetes-endpoint.json}
     - { file: glusterfs-kubernetes-pv.yml.j2, type: pv, dest: glusterfs-kubernetes-pv.yml}

contrib/network-storage/heketi/heketi-tear-down.yml

@@ -6,6 +6,6 @@
 
 - name: Teardown disks in heketi
   hosts: heketi-node
-  become: yes
+  become: true
   roles:
     - { role: tear-down-disks }

contrib/network-storage/heketi/roles/provision/tasks/bootstrap/deploy.yml

@@ -4,7 +4,7 @@
   template:
     src: "heketi-bootstrap.json.j2"
     dest: "{{ kube_config_dir }}/heketi-bootstrap.json"
-    mode: 0640
+    mode: "0640"
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Bootstrap"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/bootstrap/topology.yml

@@ -10,7 +10,7 @@
   template:
     src: "topology.json.j2"
     dest: "{{ kube_config_dir }}/topology.json"
-    mode: 0644
+    mode: "0644"
 - name: "Copy topology configuration into container."
   changed_when: false
   command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ initial_heketi_pod_name }}:/tmp/topology.json"

contrib/network-storage/heketi/roles/provision/tasks/glusterfs.yml

@@ -3,7 +3,7 @@
   template:
     src: "glusterfs-daemonset.json.j2"
     dest: "{{ kube_config_dir }}/glusterfs-daemonset.json"
-    mode: 0644
+    mode: "0644"
   become: true
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure GlusterFS daemonset"
@@ -33,7 +33,7 @@
   template:
     src: "heketi-service-account.json.j2"
     dest: "{{ kube_config_dir }}/heketi-service-account.json"
-    mode: 0644
+    mode: "0644"
   become: true
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Service Account"

contrib/network-storage/heketi/roles/provision/tasks/heketi.yml

@@ -4,7 +4,7 @@
   template:
     src: "heketi-deployment.json.j2"
     dest: "{{ kube_config_dir }}/heketi-deployment.json"
-    mode: 0644
+    mode: "0644"
   register: "rendering"
 
 - name: "Kubernetes Apps | Install and configure Heketi"

contrib/network-storage/heketi/roles/provision/tasks/secret.yml

@@ -28,7 +28,7 @@
   template:
     src: "heketi.json.j2"
     dest: "{{ kube_config_dir }}/heketi.json"
-    mode: 0644
+    mode: "0644"
 
 - name: "Deploy Heketi config secret"
   when: "secret_state.stdout | length == 0"

contrib/network-storage/heketi/roles/provision/tasks/storage.yml

@@ -5,7 +5,7 @@
   template:
     src: "heketi-storage.json.j2"
     dest: "{{ kube_config_dir }}/heketi-storage.json"
-    mode: 0644
+    mode: "0644"
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Storage"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/storageclass.yml

@@ -16,7 +16,7 @@
   template:
     src: "storageclass.yml.j2"
     dest: "{{ kube_config_dir }}/storageclass.yml"
-    mode: 0644
+    mode: "0644"
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Storace Class"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/topology.yml

@@ -10,7 +10,7 @@
   template:
     src: "topology.json.j2"
     dest: "{{ kube_config_dir }}/topology.json"
-    mode: 0644
+    mode: "0644"
 - name: "Copy topology configuration into container."  # noqa no-handler
   when: "rendering.changed"
   command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ heketi_pod_name }}:/tmp/topology.json"

contrib/offline/generate_list.yml

@@ -1,7 +1,7 @@
 ---
 - name: Collect container images for offline deployment
   hosts: localhost
-  become: no
+  become: false
 
   roles:
     # Just load default variables from roles.
@@ -16,7 +16,7 @@
       template:
         src: ./contrib/offline/temp/{{ item }}.list.template
         dest: ./contrib/offline/temp/{{ item }}.list
-        mode: 0644
+        mode: "0644"
       with_items:
         - files
         - images

contrib/offline/manage-offline-container-images.sh

@@ -146,7 +146,7 @@ function register_container_images() {
 		if [ "${org_image}" == "ID:" ]; then
 		  org_image=$(echo "${load_image}"  | awk '{print $4}')
 		fi
-		image_id=$(sudo ${runtime} image inspect ${org_image} | grep "\"Id\":" | awk -F: '{print $3}'| sed s/'\",'//)
+		image_id=$(sudo ${runtime} image inspect --format "{{.Id}}" "${org_image}")
 		if [ -z "${file_name}" ]; then
 			echo "Failed to get file_name for line ${line}"
 			exit 1

contrib/os-services/roles/prepare/tasks/main.yml

@@ -7,17 +7,17 @@
     service_facts:
 
   - name: Disable service firewalld
-    systemd:
+    systemd_service:
       name: firewalld
       state: stopped
-      enabled: no
+      enabled: false
     when:
       "'firewalld.service' in services and services['firewalld.service'].status != 'not-found'"
 
   - name: Disable service ufw
-    systemd:
+    systemd_service:
       name: ufw
       state: stopped
-      enabled: no
+      enabled: false
     when:
       "'ufw.service' in services and services['ufw.service'].status != 'not-found'"

contrib/terraform/aws/create-infrastructure.tf

@@ -1,5 +1,11 @@
 terraform {
   required_version = ">= 0.12.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
 }
 
 provider "aws" {

contrib/terraform/hetzner/templates/inventory.tpl

@@ -12,8 +12,8 @@ ${list_master}
 ${list_worker}
 
 [k8s_cluster:children]
-kube-master
-kube-node
+kube_control_plane
+kube_node
 
 [k8s_cluster:vars]
 network_id=${network_id}

contrib/terraform/terraform.py

@@ -368,7 +368,7 @@ def iter_host_ips(hosts, ips):
                 'ansible_host': ip,
             })
 
-        if 'use_access_ip' in host[1]['metadata'] and host[1]['metadata']['use_access_ip'] == "0":
+        if 'use_access_ip' in host[1]['metadata'] and host[1]['metadata']['use_access_ip'] == "0" and 'access_ip' in host[1]:
                 host[1].pop('access_ip')
 
         yield host

contrib/terraform/upcloud/cluster-settings.tfvars

@@ -1,5 +1,11 @@
 # See: https://developers.upcloud.com/1.3/5-zones/
-zone     = "fi-hel1"
+zone          = "fi-hel1"
+private_cloud = false
+
+# Only used if private_cloud = true, public zone equivalent
+# For example use finnish public zone for finnish private zone
+public_zone = "fi-hel2"
+
 username = "ubuntu"
 
 # Prefix to use for all resources to separate them from other resources

contrib/terraform/upcloud/main.tf

@@ -11,8 +11,10 @@ provider "upcloud" {
 module "kubernetes" {
   source = "./modules/kubernetes-cluster"
 
-  prefix = var.prefix
-  zone   = var.zone
+  prefix        = var.prefix
+  zone          = var.zone
+  private_cloud = var.private_cloud
+  public_zone   = var.public_zone
 
   template_name = var.template_name
   username      = var.username

contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf

@@ -54,11 +54,12 @@ resource "upcloud_server" "master" {
     if machine.node_type == "master"
   }
 
-  hostname = "${local.resource-prefix}${each.key}"
-  plan     = each.value.plan
-  cpu      = each.value.plan == null ? each.value.cpu : null
-  mem      = each.value.plan == null ? each.value.mem : null
-  zone     = var.zone
+  hostname     = "${local.resource-prefix}${each.key}"
+  plan         = each.value.plan
+  cpu          = each.value.plan == null ? null : each.value.cpu
+  mem          = each.value.plan == null ? null : each.value.mem
+  zone         = var.zone
+  server_group = each.value.server_group == null ? null : upcloud_server_group.server_groups[each.value.server_group].id
 
   template {
     storage = var.template_name
@@ -111,11 +112,13 @@ resource "upcloud_server" "worker" {
     if machine.node_type == "worker"
   }
 
-  hostname = "${local.resource-prefix}${each.key}"
-  plan     = each.value.plan
-  cpu      = each.value.plan == null ? each.value.cpu : null
-  mem      = each.value.plan == null ? each.value.mem : null
-  zone     = var.zone
+  hostname     = "${local.resource-prefix}${each.key}"
+  plan         = each.value.plan
+  cpu          = each.value.plan == null ? null : each.value.cpu
+  mem          = each.value.plan == null ? null : each.value.mem
+  zone         = var.zone
+  server_group = each.value.server_group == null ? null : upcloud_server_group.server_groups[each.value.server_group].id
+
 
   template {
     storage = var.template_name
@@ -512,8 +515,18 @@ resource "upcloud_loadbalancer" "lb" {
   configured_status = "started"
   name              = "${local.resource-prefix}lb"
   plan              = var.loadbalancer_plan
-  zone              = var.zone
-  network           = upcloud_network.private.id
+  zone              = var.private_cloud ? var.public_zone : var.zone
+  networks {
+    name    = "Private-Net"
+    type    = "private"
+    family  = "IPv4"
+    network = upcloud_network.private.id
+  }
+  networks {
+    name   = "Public-Net"
+    type   = "public"
+    family = "IPv4"
+  }
 }
 
 resource "upcloud_loadbalancer_backend" "lb_backend" {
@@ -534,6 +547,9 @@ resource "upcloud_loadbalancer_frontend" "lb_frontend" {
   mode                 = "tcp"
   port                 = each.value.port
   default_backend_name = upcloud_loadbalancer_backend.lb_backend[each.key].name
+  networks {
+    name = "Public-Net"
+  }
 }
 
 resource "upcloud_loadbalancer_static_backend_member" "lb_backend_member" {
@@ -557,5 +573,9 @@ resource "upcloud_server_group" "server_groups" {
   title                = each.key
   anti_affinity_policy = each.value.anti_affinity_policy
   labels               = {}
-  members              = [for server in each.value.servers : merge(upcloud_server.master, upcloud_server.worker)[server].id]
+  # Managed upstream via upcloud_server resource
+  members              = []
+  lifecycle {
+    ignore_changes = [members]
+  }
 }

contrib/terraform/upcloud/modules/kubernetes-cluster/variables.tf

@@ -6,6 +6,14 @@ variable "zone" {
   type = string
 }
 
+variable "private_cloud" {
+  type = bool
+}
+
+variable "public_zone" {
+  type = string
+}
+
 variable "template_name" {}
 
 variable "username" {}
@@ -20,6 +28,7 @@ variable "machines" {
     cpu       = string
     mem       = string
     disk_size = number
+    server_group : string
     additional_disks = map(object({
       size = number
       tier = string
@@ -104,6 +113,5 @@ variable "server_groups" {
 
   type = map(object({
     anti_affinity_policy = string
-    servers              = list(string)
   }))
 }

contrib/terraform/upcloud/modules/kubernetes-cluster/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>2.12.0"
+      version = "~>5.6.0"
     }
   }
   required_version = ">= 0.13"

contrib/terraform/upcloud/variables.tf

@@ -9,6 +9,15 @@ variable "zone" {
   description = "The zone where to run the cluster"
 }
 
+variable "private_cloud" {
+  description = "Whether the environment is in the private cloud region"
+  default     = false
+}
+
+variable "public_zone" {
+  description = "The public zone equivalent if the cluster is running in a private cloud zone"
+}
+
 variable "template_name" {
   description = "Block describing the preconfigured operating system"
 }
@@ -32,6 +41,7 @@ variable "machines" {
     cpu       = string
     mem       = string
     disk_size = number
+    server_group : string
     additional_disks = map(object({
       size = number
       tier = string
@@ -142,7 +152,6 @@ variable "server_groups" {
 
   type = map(object({
     anti_affinity_policy = string
-    servers              = list(string)
   }))
 
   default = {}

contrib/terraform/upcloud/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>2.12.0"
+      version = "~>5.6.0"
     }
   }
   required_version = ">= 0.13"

docs/CNI/calico.md

@@ -424,7 +424,7 @@ calico_wireguard_enabled: true
 
 The following OSes will require enabling the EPEL repo in order to bring in wireguard tools:
 
-* CentOS 7 & 8
+* CentOS 8
 * AlmaLinux 8
 * Rocky Linux 8
 * Amazon Linux 2

docs/CNI/cilium.md

@@ -132,7 +132,7 @@ Wireguard option is only available in Cilium 1.10.0 and newer.
 
 ### IPsec Encryption
 
-For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/gettingstarted/encryption-ipsec/)
+For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/security/network/encryption-ipsec/)
 
 To enable IPsec encryption, you just need to set three variables.
 
@@ -157,7 +157,7 @@ echo "cilium_ipsec_key: "$(echo -n "3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/uran
 
 ### Wireguard Encryption
 
-For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/gettingstarted/encryption-wireguard/)
+For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/)
 
 To enable Wireguard encryption, you just need to set two variables.
 

docs/CRI/docker.md

@@ -16,14 +16,6 @@ Enabling the `overlay2` graph driver:
 docker_storage_options: -s overlay2
 ```
 
-Enabling `docker_container_storage_setup`, it will configure devicemapper driver on Centos7 or RedHat7.
-Deployers must be define a disk path for `docker_container_storage_setup_devs`, otherwise docker-storage-setup will be executed incorrectly.
-
-```yaml
-docker_container_storage_setup: true
-docker_container_storage_setup_devs: /dev/vdb
-```
-
 Changing the Docker cgroup driver (native.cgroupdriver); valid options are `systemd` or `cgroupfs`, default is `systemd`:
 
 ```yaml

docs/ansible/ansible.md

@@ -231,6 +231,7 @@ The following tags are defined in playbooks:
 | services                       | Remove services (etcd, kubelet etc...) when resetting |
 | snapshot                       | Enabling csi snapshot                                 |
 | snapshot-controller            | Configuring csi snapshot controller                   |
+| system-packages                | Install packages using OS package manager             |
 | upgrade                        | Upgrading, f.e. container images/binaries             |
 | upload                         | Distributing images/binaries across hosts             |
 | vsphere-csi-driver             | Configuring csi driver: vsphere                       |

docs/ansible/vars.md

@@ -216,6 +216,8 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
   The percent is calculated by dividing this field value by 100, so the field value must be between 0 and 100, inclusive.
   When specified, the value must be less than imageGCHighThresholdPercent. Default: 80
 
+* *kubelet_max_parallel_image_pulls* - Sets the maximum number of image pulls in parallel. The value is `1` by default which means the default is serial image pulling, set it to a integer great than `1` to enable image pulling in parallel.
+
 * *kubelet_make_iptables_util_chains* - If `true`, causes the kubelet ensures a set of `iptables` rules are present on host.
 
 * *kubelet_cpu_manager_policy* -  If set to `static`, allows pods with certain resource characteristics to be granted increased CPU affinity and exclusivity on the node. And it should be set with `kube_reserved` or `system-reserved`, enable this with the following guide:[Control CPU Management Policies on the Node](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/)
@@ -243,6 +245,10 @@ kubelet_cpu_manager_policy_options:
 
     By default the `kubelet_secure_addresses` is set with the `10.0.0.110` the ansible control host uses `eth0` to  connect to the machine. In case you want to use `eth1` as the outgoing interface on which `kube-apiserver` connects to the `kubelet`s, you should override the variable in this way: `kubelet_secure_addresses: "192.168.1.110"`.
 
+* *kubelet_systemd_wants_dependencies* - List of kubelet service dependencies, other than container runtime.
+
+  If you use nfs dynamically mounted volumes, sometimes rpc-statd does not start within the kubelet. You can fix it with this parameter : `kubelet_systemd_wants_dependencies: ["rpc-statd.service"]` This will add `Wants=rpc-statd.service` in `[Unit]` section of /etc/systemd/system/kubelet.service
+
 * *node_labels* - Labels applied to nodes via `kubectl label node`.
   For example, labels can be set in the inventory as variables or more widely in group_vars.
   *node_labels* can only be defined as a dict:

docs/developers/ci.md

@@ -8,7 +8,7 @@ To generate this Matrix run `./tests/scripts/md-table/main.py`
 |---| --- | --- | --- | --- | --- | --- | --- | --- |
 almalinux8 |  :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: |
 amazon |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-centos7 |  :white_check_mark: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: |
+centos8 |  :white_check_mark: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: |
 debian11 |  :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :x: |
 debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 fedora37 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: |
@@ -26,7 +26,7 @@ ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 |---| --- | --- | --- | --- | --- | --- | --- | --- |
 almalinux8 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-centos7 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+centos8 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora37 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
@@ -44,7 +44,7 @@ ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 |---| --- | --- | --- | --- | --- | --- | --- | --- |
 almalinux8 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-centos7 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+centos8 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora37 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |

docs/developers/vagrant.md

@@ -80,7 +80,7 @@ cat << EOF > vagrant/config.rb
 \$instance_name_prefix = "kub"
 \$vm_cpus = 1
 \$num_instances = 3
-\$os = "centos-bento"
+\$os = "centos8-bento"
 \$subnet = "10.0.20"
 \$network_plugin = "flannel"
 \$inventory = "$INV"

docs/operating_systems/centos.md

@@ -1,10 +1,5 @@
 # CentOS and derivatives
 
-## CentOS 7
-
-The maximum python version officially supported in CentOS is 3.6. Ansible as of version 5 (ansible core 2.12.x) increased their python requirement to python 3.8 and above.
-Kubespray supports multiple ansible versions but only the default (5.x) gets wide testing coverage. If your deployment host is CentOS 7 it is recommended to use one of the earlier versions still supported.
-
 ## CentOS 8
 
 If you have containers that are using iptables in the host network namespace (`hostNetwork=true`),

docs/operations/cgroups.md

@@ -1,6 +1,6 @@
 # cgroups
 
-To avoid the rivals for resources between containers or the impact on the host in Kubernetes, the kubelet components will rely on cgroups to limit the container’s resources usage.
+To avoid resource contention between containers and host daemons in Kubernetes, the kubelet components can use cgroups to limit resource usage.
 
 ## Enforcing Node Allocatable
 
@@ -20,8 +20,9 @@ Here is an example:
 ```yaml
 kubelet_enforce_node_allocatable: "pods,kube-reserved,system-reserved"
 
-# Reserve this space for kube resources
-# Set to true to reserve resources for kube daemons
+# Set kube_reserved to true to run kubelet and container-engine daemons in a dedicated cgroup.
+# This is required if you want to enforce limits on the resource usage of these daemons.
+# It is not required if you just want to make resource reservations (kube_memory_reserved, kube_cpu_reserved, etc.)
 kube_reserved: true
 kube_reserved_cgroups_for_service_slice: kube.slice
 kube_reserved_cgroups: "/{{ kube_reserved_cgroups_for_service_slice }}"

docs/operations/ha-mode.md

@@ -30,12 +30,12 @@ loadbalancer.  If you wish to control the name of the loadbalancer container,
 you can set the variable `loadbalancer_apiserver_pod_name`.
 
 If you choose to NOT use the local internal loadbalancer, you will need to
-use the [kube-vip](kube-vip.md) ansible role or configure your own loadbalancer to achieve HA. By default, it only configures a non-HA endpoint, which points to the
+use the [kube-vip](/docs/ingress/kube-vip.md) ansible role or configure your own loadbalancer to achieve HA. By default, it only configures a non-HA endpoint, which points to the
 `access_ip` or IP address of the first server node in the `kube_control_plane` group.
 It can also configure clients to use endpoints for a given loadbalancer type.
 The following diagram shows how traffic to the apiserver is directed.
 
-![Image](figures/loadbalancer_localhost.png?raw=true)
+![Image](/docs/figures/loadbalancer_localhost.png?raw=true)
 
 A user may opt to use an external loadbalancer (LB) instead. An external LB
 provides access for external clients, while the internal LB accepts client

docs/operations/offline-environment.md

@@ -103,7 +103,9 @@ If you use the settings like the one above, you'll need to define in your invent
   can store them anywhere as long as it's accessible by kubespray. It's recommended to use `*_version` in the path so
   that you don't need to modify this setting everytime kubespray upgrades one of these components.
 * `yum_repo`/`debian_repo`/`ubuntu_repo`: OS package repository depending on your OS, should point to your internal
-  repository. Adjust the path accordingly.
+  repository. Adjust the path accordingly. Used only for Docker/Containerd packages (if needed); other packages might
+  be installed from other repositories. You might disable installing packages from other repositories by skipping
+  the `system-packages` tag
 
 ## Install Kubespray Python Packages
 

extra_playbooks/upgrade-only-k8s.yml

@@ -12,7 +12,7 @@
 
 - name: Setup ssh config to use the bastion
   hosts: localhost
-  gather_facts: False
+  gather_facts: false
   roles:
     - { role: kubespray-defaults}
     - { role: bastion-ssh-config, tags: ["localhost", "bastion"]}

galaxy.yml

@@ -2,49 +2,24 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.25.2
+version: 2.26.0
 readme: README.md
 authors:
   - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)
 tags:
   - infrastructure
 repository: https://github.com/kubernetes-sigs/kubespray
+issues: https://github.com/kubernetes-sigs/kubespray/issues
+documentation: https://kubespray.io
 license_file: LICENSE
 dependencies:
   ansible.utils: '>=2.5.0'
-  community.general: '>=3.0.0'
-build_ignore:
-  - .github
-  - '*.tar.gz'
-  - extra_playbooks
-  - inventory
-  - scripts
-  - test-infra
-  - .ansible-lint
-  - .editorconfig
-  - .gitignore
-  - .gitlab-ci
-  - .gitlab-ci.yml
-  - .gitmodules
-  - .markdownlint.yaml
-  - .nojekyll
-  - .pre-commit-config.yaml
-  - .yamllint
-  - Dockerfile
-  - FILES.json
-  - MANIFEST.json
-  - Makefile
-  - Vagrantfile
-  - _config.yml
-  - ansible.cfg
-  - requirements*txt
-  - setup.cfg
-  - setup.py
-  - index.html
-  - reset.yml
-  - cluster.yml
-  - scale.yml
-  - recover-control-plane.yml
-  - remove-node.yml
-  - upgrade-cluster.yml
-  - library
+  community.general: '>=7.0.0'
+  ansible.netcommon: '>=5.3.0'
+  ansible.posix: '>=1.5.4'
+  community.docker: '>=3.11.0'
+  kubernetes.core: '>=2.4.2'
+manifest:
+  directives:
+    - recursive-exclude tests **
+    - recursive-include roles **/files/*

inventory/sample/group_vars/all/containerd.yml

@@ -24,8 +24,21 @@
 # containerd_grpc_max_recv_message_size: 16777216
 # containerd_grpc_max_send_message_size: 16777216
 
+# Containerd debug socket location: unix or tcp format
+# containerd_debug_address: ""
+
+# Containerd log level
 # containerd_debug_level: "info"
 
+# Containerd logs format, supported values: text, json
+# containerd_debug_format: ""
+
+# Containerd debug socket UID
+# containerd_debug_uid: 0
+
+# Containerd debug socket GID
+# containerd_debug_gid: 0
+
 # containerd_metrics_address: ""
 
 # containerd_metrics_grpc_histogram: false

inventory/sample/group_vars/all/offline.yml

@@ -18,7 +18,7 @@
 # quay_image_repo: "{{ registry_host }}"
 
 ## Kubernetes components
-# kubeadm_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm"
+# kubeadm_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubeadm"
 # kubectl_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubectl"
 # kubelet_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubelet"
 
@@ -82,7 +82,7 @@
 # krew_download_url: "{{ files_repo }}/github.com/kubernetes-sigs/krew/releases/download/{{ krew_version }}/krew-{{ host_os }}_{{ image_arch }}.tar.gz"
 
 ## CentOS/Redhat/AlmaLinux
-### For EL7, base and extras repo must be available, for EL8, baseos and appstream
+### For EL8, baseos and appstream must be available,
 ### By default we enable those repo automatically
 # rhel_enable_repos: false
 ### Docker / Containerd

inventory/sample/group_vars/etcd.yml

@@ -33,3 +33,6 @@
 # etcd_experimental_distributed_tracing_sample_rate: 100
 # etcd_experimental_distributed_tracing_address: "localhost:4317"
 # etcd_experimental_distributed_tracing_service_name: etcd
+
+## The interval for etcd watch progress notify events
+# etcd_experimental_watch_progress_notify_interval: 5s

inventory/sample/group_vars/k8s_cluster/addons.yml

@@ -96,6 +96,10 @@ rbd_provisioner_enabled: false
 # rbd_provisioner_storage_class: rbd
 # rbd_provisioner_reclaim_policy: Delete
 
+# Gateway API CRDs
+gateway_api_enabled: false
+# gateway_api_experimental_channel: false
+
 # Nginx ingress controller deployment
 ingress_nginx_enabled: false
 # ingress_nginx_host_network: false

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -17,7 +17,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
 kube_api_anonymous_auth: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.29.10
+kube_version: v1.30.4
 
 # Where the binaries will be downloaded.
 # Note: ensure that you've enough disk space (about 1G)
@@ -262,7 +262,7 @@ default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir"
 # kubelet_runtime_cgroups_cgroupfs: "/system.slice/{{ container_manager }}.service"
 # kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
 
-# Optionally reserve this space for kube daemons.
+# Whether to run kubelet and container-engine daemons in a dedicated cgroup.
 # kube_reserved: false
 ## Uncomment to override default values
 ## The following two items need to be set when kube_reserved is true

inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

@@ -163,6 +163,13 @@ cilium_l2announcements: false
 ### Enable auto generate certs if cilium_hubble_install: true
 # cilium_hubble_tls_generate: false
 
+### Tune cilium_hubble_event_buffer_capacity & cilium_hubble_event_queue_size values to avoid dropping events when hubble is under heavy load
+### Capacity of Hubble events buffer. The provided value must be one less than an integer power of two and no larger than 65535
+### (ie: 1, 3, ..., 2047, 4095, ..., 65535) (default 4095)
+# cilium_hubble_event_buffer_capacity: 4095
+### Buffer size of the channel to receive monitor events.
+# cilium_hubble_event_queue_size: 50
+
 # IP address management mode for v1.9+.
 # https://docs.cilium.io/en/v1.9/concepts/networking/ipam/
 # cilium_ipam_mode: kubernetes

playbooks/ansible_version.yml

@@ -2,7 +2,7 @@
 - name: Check Ansible version
   hosts: all
   gather_facts: false
-  become: no
+  become: false
   run_once: true
   vars:
     minimal_ansible_version: 2.16.4
@@ -25,7 +25,6 @@
       tags:
         - check
 
-    # CentOS 7 provides too old jinja version
     - name: "Check that jinja is not too old (install via pip)"
       assert:
         msg: "Your Jinja version is too old, install via pip"

playbooks/boilerplate.yml

@@ -51,7 +51,7 @@
 
 - name: Install bastion ssh config
   hosts: bastion[0]
-  gather_facts: False
+  gather_facts: false
   environment: "{{ proxy_disable_env }}"
   roles:
     - { role: kubespray-defaults }

playbooks/cluster.yml

@@ -7,7 +7,7 @@
 
 - name: Prepare for etcd install
   hosts: k8s_cluster:etcd
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -21,7 +21,7 @@
 
 - name: Install Kubernetes nodes
   hosts: k8s_cluster
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -30,7 +30,7 @@
 
 - name: Install the control plane
   hosts: kube_control_plane
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -41,7 +41,7 @@
 
 - name: Invoke kubeadm and install a CNI
   hosts: k8s_cluster
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -54,7 +54,7 @@
 
 - name: Install Calico Route Reflector
   hosts: calico_rr
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -63,7 +63,7 @@
 
 - name: Patch Kubernetes for Windows
   hosts: kube_control_plane[0]
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -72,7 +72,7 @@
 
 - name: Install Kubernetes apps
   hosts: kube_control_plane
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -86,7 +86,7 @@
 
 - name: Apply resolv.conf changes now that cluster DNS is up
   hosts: k8s_cluster
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:

playbooks/facts.yml

@@ -15,7 +15,7 @@
 
 - name: Gather facts
   hosts: k8s_cluster:etcd:calico_rr
-  gather_facts: False
+  gather_facts: false
   tags: always
   tasks:
     - name: Gather minimal facts

playbooks/install_etcd.yml

@@ -16,7 +16,7 @@
 
 - name: Install etcd
   hosts: etcd:kube_control_plane:_kubespray_needs_etcd
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:

playbooks/remove_node.yml

@@ -4,13 +4,13 @@
 
 - name: Confirm node removal
   hosts: "{{ node | default('etcd:k8s_cluster:calico_rr') }}"
-  gather_facts: no
+  gather_facts: false
   tasks:
     - name: Confirm Execution
       pause:
         prompt: "Are you sure you want to delete nodes state? Type 'yes' to delete nodes."
       register: pause_result
-      run_once: True
+      run_once: true
       when:
         - not (skip_confirmation | default(false) | bool)
 
@@ -25,7 +25,7 @@
 
 - name: Reset node
   hosts: "{{ node | default('kube_node') }}"
-  gather_facts: no
+  gather_facts: false
   environment: "{{ proxy_disable_env }}"
   pre_tasks:
     - name: Gather information about installed services
@@ -40,7 +40,7 @@
 # Currently cannot remove first master or etcd
 - name: Post node removal
   hosts: "{{ node | default('kube_control_plane[1:]:etcd[1:]') }}"
-  gather_facts: no
+  gather_facts: false
   environment: "{{ proxy_disable_env }}"
   roles:
     - { role: kubespray-defaults, when: reset_nodes | default(True) | bool }

playbooks/reset.yml

@@ -7,13 +7,13 @@
 
 - name: Reset cluster
   hosts: etcd:k8s_cluster:calico_rr
-  gather_facts: False
+  gather_facts: false
   pre_tasks:
     - name: Reset Confirmation
       pause:
         prompt: "Are you sure you want to reset cluster state? Type 'yes' to reset your cluster."
       register: reset_confirmation_prompt
-      run_once: True
+      run_once: true
       when:
         - not (skip_confirmation | default(false) | bool)
         - reset_confirmation is not defined

playbooks/scale.yml

@@ -7,7 +7,7 @@
 
 - name: Generate the etcd certificates beforehand
   hosts: etcd:kube_control_plane
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -24,7 +24,7 @@
 
 - name: Download images to ansible host cache via first kube_control_plane node
   hosts: kube_control_plane[0]
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -34,7 +34,7 @@
 
 - name: Target only workers to get kubelet installed and checking in on any new nodes(engine)
   hosts: kube_node
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -53,7 +53,7 @@
 
 - name: Target only workers to get kubelet installed and checking in on any new nodes(node)
   hosts: kube_node
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -63,7 +63,7 @@
 - name: Upload control plane certs and retrieve encryption key
   hosts: kube_control_plane | first
   environment: "{{ proxy_disable_env }}"
-  gather_facts: False
+  gather_facts: false
   tags: kubeadm
   roles:
     - { role: kubespray-defaults }
@@ -84,7 +84,7 @@
 
 - name: Target only workers to get kubelet installed and checking in on any new nodes(network)
   hosts: kube_node
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -96,7 +96,7 @@
 
 - name: Apply resolv.conf changes now that cluster DNS is up
   hosts: k8s_cluster
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:

playbooks/upgrade_cluster.yml

@@ -7,7 +7,7 @@
 
 - name: Download images to ansible host cache via first kube_control_plane node
   hosts: kube_control_plane[0]
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -17,7 +17,7 @@
 
 - name: Prepare nodes for upgrade
   hosts: k8s_cluster:etcd:calico_rr
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -27,7 +27,7 @@
 
 - name: Upgrade container engine on non-cluster nodes
   hosts: etcd:calico_rr:!k8s_cluster
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   serial: "{{ serial | default('20%') }}"
@@ -39,7 +39,7 @@
   import_playbook: install_etcd.yml
 
 - name: Handle upgrades to master components first to maintain backwards compat.
-  gather_facts: False
+  gather_facts: false
   hosts: kube_control_plane
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
@@ -62,7 +62,7 @@
 
 - name: Upgrade calico and external cloud provider on all masters, calico-rrs, and nodes
   hosts: kube_control_plane:calico_rr:kube_node
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   serial: "{{ serial | default('20%') }}"
   environment: "{{ proxy_disable_env }}"
@@ -75,7 +75,7 @@
 
 - name: Finally handle worker upgrades, based on given batch size
   hosts: kube_node:calico_rr:!kube_control_plane
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   serial: "{{ serial | default('20%') }}"
@@ -93,7 +93,7 @@
 
 - name: Patch Kubernetes for Windows
   hosts: kube_control_plane[0]
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: true
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -102,7 +102,7 @@
 
 - name: Install Calico Route Reflector
   hosts: calico_rr
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -111,7 +111,7 @@
 
 - name: Install Kubernetes apps
   hosts: kube_control_plane
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
@@ -122,7 +122,7 @@
 
 - name: Apply resolv.conf changes now that cluster DNS is up
   hosts: k8s_cluster
-  gather_facts: False
+  gather_facts: false
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:

requirements.txt

@@ -1,10 +1,7 @@
-ansible==9.5.1
-cryptography==42.0.7
-jinja2==3.1.4
+ansible==9.8.0
+# Needed for jinja2 json_query templating
 jmespath==1.0.1
-jsonschema==4.22.0
-MarkupSafe==2.1.5
-netaddr==1.2.1
-pbr==6.0.0
-ruamel.yaml==0.18.6
-ruamel.yaml.clib==0.2.8
+# Needed for ansible.utils.validate module
+jsonschema==4.23.0
+# Needed for ansible.utils.ipaddr
+netaddr==1.3.0

roles/adduser/defaults/main.yml

@@ -7,14 +7,14 @@ addusers:
   etcd:
     name: etcd
     comment: "Etcd user"
-    create_home: no
-    system: yes
+    create_home: false
+    system: true
     shell: /sbin/nologin
   kube:
     name: kube
     comment: "Kubernetes user"
-    create_home: no
-    system: yes
+    create_home: false
+    system: true
     shell: /sbin/nologin
     group: "{{ kube_cert_group }}"
 

roles/adduser/vars/coreos.yml

@@ -3,6 +3,6 @@ addusers:
   - name: kube
     comment: "Kubernetes user"
     shell: /sbin/nologin
-    system: yes
+    system: true
     group: "{{ kube_cert_group }}"
-    create_home: no
+    create_home: false

roles/adduser/vars/debian.yml

@@ -2,14 +2,14 @@
 addusers:
   - name: etcd
     comment: "Etcd user"
-    create_home: yes
+    create_home: true
     home: "{{ etcd_data_dir }}"
-    system: yes
+    system: true
     shell: /sbin/nologin
 
   - name: kube
     comment: "Kubernetes user"
-    create_home: no
-    system: yes
+    create_home: false
+    system: true
     shell: /sbin/nologin
     group: "{{ kube_cert_group }}"

roles/adduser/vars/redhat.yml

@@ -2,14 +2,14 @@
 addusers:
   - name: etcd
     comment: "Etcd user"
-    create_home: yes
+    create_home: true
     home: "{{ etcd_data_dir }}"
-    system: yes
+    system: true
     shell: /sbin/nologin
 
   - name: kube
     comment: "Kubernetes user"
-    create_home: no
-    system: yes
+    create_home: false
+    system: true
     shell: /sbin/nologin
     group: "{{ kube_cert_group }}"

roles/bastion-ssh-config/molecule/default/converge.yml

@@ -12,4 +12,4 @@
         dest: "{{ ssh_bastion_confing__name }}"
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
-        mode: 0644
+        mode: "0644"

roles/bastion-ssh-config/tasks/main.yml

@@ -19,4 +19,4 @@
   template:
     src: "{{ ssh_bastion_confing__name }}.j2"
     dest: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
-    mode: 0640
+    mode: "0640"

roles/bootstrap-os/defaults/main.yml

@@ -11,6 +11,10 @@ coreos_locksmithd_disable: false
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true
 
+## Ubuntu specific variables
+# Disable unattended-upgrades for Linux kernel and all packages start with linux- on Ubuntu
+ubuntu_kernel_unattended_upgrades_disabled: false
+
 fedora_coreos_packages:
   - python
   - python3-libselinux

roles/bootstrap-os/molecule/default/converge.yml

@@ -1,6 +1,6 @@
 ---
 - name: Converge
   hosts: all
-  gather_facts: no
+  gather_facts: false
   roles:
     - role: bootstrap-os

roles/bootstrap-os/molecule/default/molecule.yml

@@ -19,12 +19,6 @@ platforms:
     memory: 1024
     provider_options:
       driver: kvm
-  - name: centos7
-    box: centos/7
-    cpus: 1
-    memory: 512
-    provider_options:
-      driver: kvm
   - name: almalinux8
     box: almalinux/8
     cpus: 1

roles/bootstrap-os/tasks/amzn.yml

@@ -8,9 +8,9 @@
     file: epel
     description: Extra Packages for Enterprise Linux 7 - $basearch
     baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
-    gpgcheck: yes
+    gpgcheck: true
     gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
-    skip_if_unavailable: yes
-    enabled: yes
-    repo_gpgcheck: no
+    skip_if_unavailable: true
+    enabled: true
+    repo_gpgcheck: false
   when: epel_enabled

roles/bootstrap-os/tasks/centos.yml

@@ -12,7 +12,7 @@
     value: "{{ http_proxy | default(omit) }}"
     state: "{{ http_proxy | default(False) | ternary('present', 'absent') }}"
     no_extra_spaces: true
-    mode: 0644
+    mode: "0644"
   become: true
   when: not skip_http_proxy_on_os_packages
 
@@ -21,7 +21,7 @@
   get_url:
     url: https://yum.oracle.com/public-yum-ol7.repo
     dest: /etc/yum.repos.d/public-yum-ol7.repo
-    mode: 0644
+    mode: "0644"
   when:
     - use_oracle_public_repo | default(true)
     - '''ID="ol"'' in os_release.stdout_lines'
@@ -34,7 +34,7 @@
     section: "{{ item }}"
     option: enabled
     value: "1"
-    mode: 0644
+    mode: "0644"
   with_items:
     - ol7_latest
     - ol7_addons
@@ -59,7 +59,7 @@
     section: "ol{{ ansible_distribution_major_version }}_addons"
     option: "{{ item.option }}"
     value: "{{ item.value }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - { option: "name", value: "ol{{ ansible_distribution_major_version }}_addons" }
     - { option: "enabled", value: "1" }
@@ -75,53 +75,26 @@
     section: "extras"
     option: "{{ item.option }}"
     value: "{{ item.value }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - { option: "name", value: "CentOS-{{ ansible_distribution_major_version }} - Extras" }
     - { option: "enabled", value: "1" }
     - { option: "gpgcheck", value: "0" }
-    - { option: "baseurl", value: "http://vault.centos.org/{{ 'altarch' if (ansible_distribution_major_version | int) <= 7 and ansible_architecture == 'aarch64' else 'centos' }}/{{ ansible_distribution_major_version }}/extras/$basearch/{% if ansible_distribution_major_version | int > 7 %}os/{% endif %}" }
+    - { option: "baseurl", value: "http://mirror.centos.org/centos/{{ ansible_distribution_major_version }}/extras/$basearch/os/" }
   when:
     - use_oracle_public_repo | default(true)
     - '''ID="ol"'' in os_release.stdout_lines'
     - (ansible_distribution_version | float) >= 7.6
     - (ansible_distribution_version | float) < 9
 
-# CentOS 7 EOL at July 1, 2024.
-- name: Check CentOS-Base.repo exists for CentOS 7
-  stat:
-    path: /etc/yum.repos.d/CentOS-Base.repo
-  register: centos_base_repo_stat
-  when:
-    - ansible_distribution_major_version == "7"
-
-# CentOS 7 EOL at July 1, 2024.
-- name: Update CentOS 7 CentOS-Base.repo
-  when:
-    - ansible_distribution_major_version == "7"
-    - centos_base_repo_stat.stat.exists
-  become: true
-  block:
-    - name: Disable CentOS 7 mirrorlist in CentOS-Base.repo
-      replace:
-        path: "{{ centos_base_repo_stat.stat.path }}"
-        regexp: '^mirrorlist='
-        replace: '#mirrorlist='
-
-    - name: Update CentOS 7 baseurl in CentOS-Base.repo
-      replace:
-        path: "{{ centos_base_repo_stat.stat.path }}"
-        regexp: '^#baseurl=http:\/\/mirror.centos.org'
-        replace: 'baseurl=http:\/\/vault.centos.org'
-
 # CentOS ships with python installed
 
 - name: Check presence of fastestmirror.conf
   stat:
     path: /etc/yum/pluginconf.d/fastestmirror.conf
-    get_attributes: no
-    get_checksum: no
-    get_mime: no
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
   register: fastestmirror
 
 # the fastestmirror plugin can actually slow down Ansible deployments

roles/bootstrap-os/tasks/clear-linux-os.yml

@@ -7,7 +7,7 @@
     state: present
 
 - name: Make sure docker service is enabled
-  systemd:
+  systemd_service:
     name: docker
     masked: false
     enabled: true

roles/bootstrap-os/tasks/fedora-coreos.yml

@@ -28,7 +28,7 @@
   raw: "nohup bash -c 'sleep 5s && shutdown -r now'"
   become: true
   ignore_errors: true  # noqa ignore-errors
-  ignore_unreachable: yes
+  ignore_unreachable: true
   when: need_bootstrap.rc != 0
 
 - name: Wait for the reboot to complete

roles/bootstrap-os/tasks/fedora.yml

@@ -17,7 +17,7 @@
     value: "{{ http_proxy | default(omit) }}"
     state: "{{ http_proxy | default(False) | ternary('present', 'absent') }}"
     no_extra_spaces: true
-    mode: 0644
+    mode: "0644"
   become: true
   when: not skip_http_proxy_on_os_packages
 

roles/bootstrap-os/tasks/flatcar.yml

@@ -26,7 +26,7 @@
     ansible_interpreter_python_fallback: "{{ ansible_interpreter_python_fallback + [ '/opt/bin/python' ] }}"
 
 - name: Disable auto-upgrade
-  systemd:
+  systemd_service:
     name: locksmithd.service
     masked: true
     state: stopped

roles/bootstrap-os/tasks/main.yml

@@ -22,7 +22,7 @@
       - "{{ os_release_dict['ID'] }}.yml"
       paths:
       - vars/
-      skip: True
+      skip: true
   - name: Include tasks
     include_tasks: "{{ included_tasks_file }}"
     with_first_found:
@@ -36,7 +36,7 @@
   file:
     path: "{{ ansible_remote_tmp | default('~/.ansible/tmp') }}"
     state: directory
-    mode: 0700
+    mode: "0700"
 
 - name: Gather facts
   setup:
@@ -61,4 +61,4 @@
     state: directory
     owner: root
     group: root
-    mode: 0755
+    mode: "0755"