Patch versions updates

docs: add README for test-infra/image-builder (#13106 )
Document the KubeVirt image build process used by Kubespray CI, including prerequisites, usage instructions, and how to add new OS images. Ref: https://github.com/kubernetes-sigs/kubespray/issues/12383 Made-with: Cursor Signed-off-by: Kay Yan <kay.yan@daocloud.io>
2026-03-19 09:57:37 -02:30 · 2026-03-19 03:23:15 +00:00 · 2026-03-19 08:48:30 +05:30 · 2026-03-18 12:43:42 +05:30 · 2026-03-17 16:19:50 +05:30 · 2026-03-17 16:19:42 +05:30
166 changed files with 1065 additions and 3416 deletions
--- a/.github/workflows/upgrade-patch-versions-schedule.yml
+++ b/.github/workflows/upgrade-patch-versions-schedule.yml
@@ -20,7 +20,7 @@ jobs:
          query get_release_branches($owner:String!, $name:String!) {
            repository(owner:$owner, name:$name) {
              refs(refPrefix: "refs/heads/",
-                   first: 2, # TODO increment once we have release branch with the new checksums format
+                   first: 3,
                   query: "release-",
                   orderBy: {
                     field: ALPHABETICAL,
--- a/.gitlab-ci/kubevirt.yml
+++ b/.gitlab-ci/kubevirt.yml
@@ -41,7 +41,8 @@ pr:
          - debian12-cilium
          - debian13-cilium
          - fedora39-kube-router
-          - openeuler24-calico
+          - fedora41-kube-router
          - fedora42-calico
          - rockylinux9-cilium
          - rockylinux10-cilium
          - ubuntu22-calico-all-in-one
@@ -49,12 +50,24 @@ pr:
          - ubuntu24-calico-etcd-datastore
          - ubuntu24-calico-all-in-one-hardening
          - ubuntu24-cilium-sep
          - ubuntu24-crio-scale
          - ubuntu24-crio-upgrade
          - ubuntu24-flannel-collection
          - ubuntu24-kube-router-sep
          - ubuntu24-kube-router-svc-proxy
          - ubuntu24-ha-separate-etcd
          - flatcar4081-calico
          - fedora40-flannel-crio-collection-scale
          - openeuler24-calico
 # This is for flakey test so they don't disrupt the PR worklflow too much.
 # Jobs here MUST have a open issue so we don't lose sight of them
 pr-flakey:
  extends: pr
  retry: 1
  parallel:
    matrix:
      - TESTCASE:
          - flatcar4081-calico # https://github.com/kubernetes-sigs/kubespray/issues/12309
 # The ubuntu24-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu24-calico-all-in-one:
@@ -91,6 +104,8 @@ pr_full:
          - debian12-custom-cni-helm
          - fedora39-calico-swap-selinux
          - fedora39-crio
          - fedora41-calico-swap-selinux
          - fedora41-crio
          - ubuntu24-calico-ha-wireguard
          - ubuntu24-flannel-ha
          - ubuntu24-flannel-ha-once
@@ -150,6 +165,7 @@ periodic:
          - debian12-cilium-svc-proxy
          - fedora39-calico-selinux
          - fedora40-docker-calico
          - fedora41-calico-selinux
          - ubuntu24-calico-etcd-kubeadm-upgrade-ha
          - ubuntu24-calico-ha-recover
          - ubuntu24-calico-ha-recover-noquorum
--- a/.gitlab-ci/terraform.yml
+++ b/.gitlab-ci/terraform.yml
@@ -116,3 +116,4 @@ tf-elastx_ubuntu24-calico:
    TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
    TF_VAR_image: ubuntu-24.04-server-latest
    TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
    TESTCASE: $CI_JOB_NAME
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,7 +12,6 @@ To install development dependencies you can set up a python virtual env with the
 virtualenv venv
 source venv/bin/activate
 pip install -r tests/requirements.txt
 ansible-galaxy install -r tests/requirements.yml
 ```
 #### Linting
--- a/10
+++ b/10
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
-# Use immutable image tags rather than mutable tags (like ubuntu:22.04)
+# Use immutable image tags rather than mutable tags (like ubuntu:24.04)
-FROM ubuntu:22.04@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37
+FROM ubuntu:noble-20260113@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
@@ -29,14 +29,14 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
    --mount=type=cache,sharing=locked,id=pipcache,mode=0777,target=/root/.cache/pip \
-    pip install --no-compile --no-cache-dir -r requirements.txt \
+    pip install --break-system-packages --no-compile --no-cache-dir -r requirements.txt \
    && find /usr -type d -name '*__pycache__' -prune -exec rm -rf {} \;
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.34.5/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && curl -L "https://dl.k8s.io/release/v1.35.3/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.5/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.35.3/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl
 COPY *.yml ./
--- a/README.md
+++ b/README.md
@@ -89,13 +89,13 @@ vagrant up
 - **Flatcar Container Linux by Kinvolk**
 - **Debian** Bookworm, Bullseye, Trixie
 - **Ubuntu** 22.04, 24.04
- **CentOS Stream / RHEL** [9, 10](docs/operating_systems/rhel.md#rhel-8)
+- **CentOS Stream / RHEL** 9, 10
- **Fedora** 39, 40
+- **Fedora** 39, 40, 41, 42
 - **Fedora CoreOS** (see [fcos Note](docs/operating_systems/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
- **Oracle Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
+- **Oracle Linux** 9, 10
- **Alma Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
+- **Alma Linux** 9, 10
- **Rocky Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8) (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
+- **Rocky Linux** 9, 10 (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
 - **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/operating_systems/kylinlinux.md))
 - **Amazon Linux 2** (experimental: see [amazon linux notes](docs/operating_systems/amazonlinux.md))
 - **UOS Linux** (experimental: see [uos linux notes](docs/operating_systems/uoslinux.md))
@@ -111,15 +111,15 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.5
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.35.3
-  - [etcd](https://github.com/etcd-io/etcd) 3.5.27
+  - [etcd](https://github.com/etcd-io/etcd) 3.6.8
  - [docker](https://www.docker.com/) 28.3
  - [containerd](https://containerd.io/) 2.2.2
-  - [cri-o](http://cri-o.io/) 1.34.6 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) 1.35.1 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
-  - [calico](https://github.com/projectcalico/calico) 3.30.6
+  - [calico](https://github.com/projectcalico/calico) 3.30.7
-  - [cilium](https://github.com/cilium/cilium) 1.18.6
+  - [cilium](https://github.com/cilium/cilium) 1.19.1
  - [flannel](https://github.com/flannel-io/flannel) 0.27.3
  - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
  - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
@@ -127,8 +127,7 @@ Note:
  - [kube-vip](https://github.com/kube-vip/kube-vip) 1.0.3
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.1
+  - [coredns](https://github.com/coredns/coredns) 1.12.4
  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
  - [argocd](https://argoproj.github.io/) 2.14.5
  - [helm](https://helm.sh/) 3.18.4
  - [metallb](https://metallb.universe.tf/) 0.13.9
@@ -202,8 +201,6 @@ See also [Network checker](docs/advanced/netcheck.md).
 ## Ingress Plugins
 - [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
 - [metallb](docs/ingress/metallb.md): the MetalLB bare-metal service LoadBalancer provider.
 ## Community docs and resources
--- a/3
+++ b/3
@@ -35,6 +35,9 @@ SUPPORTED_OS = {
  "fedora40"            => {box: "fedora/40-cloud-base",       user: "vagrant"},
  "fedora39-arm64"      => {box: "bento/fedora-39-arm64",      user: "vagrant"},
  "fedora40-arm64"      => {box: "bento/fedora-40",            user: "vagrant"},
  "fedora41"            => {box: "fedora/41-cloud-base",       user: "vagrant"},
  "fedora42"            => {box: "fedora/42-cloud-base",       user: "vagrant"},
  "fedora41-bento"      => {box: "bento/fedora-41",            user: "vagrant"},
  "opensuse"            => {box: "opensuse/Leap-15.6.x86_64",  user: "vagrant"},
  "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
  "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@@ -51,7 +51,7 @@ To generate kubespray inventory based on the terraform state file you can run th
 You should now have a inventory file named `inventory.ini` that you can use with kubespray, e.g.
 ```bash
-ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
+ansible-playbook -i contrib/terraform/gcp/inventory.ini cluster.yml -b -v
 ```
 ## Variables
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -1006,7 +1006,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
  name              = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
  count             = var.number_of_gfs_nodes_no_floating_ip
  availability_zone = element(var.az_list, count.index)
-  image_name        = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
+  image_id          = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
  flavor_id         = var.flavor_gfs_node
  key_pair          = openstack_compute_keypair_v2.k8s.name
@@ -1078,7 +1078,7 @@ resource "openstack_networking_floatingip_associate_v2" "k8s_nodes" {
  port_id               = openstack_networking_port_v2.k8s_nodes_port[each.key].id
 }
-resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
+resource "openstack_blockstorage_volume_v3" "glusterfs_volume" {
  name        = "${var.cluster_name}-glusterfs_volume-${count.index + 1}"
  count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
  description = "Non-ephemeral volume for GlusterFS"
@@ -1088,5 +1088,5 @@ resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
 resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {
  count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
  instance_id = element(openstack_compute_instance_v2.glusterfs_node_no_floating_ip.*.id, count.index)
-  volume_id   = element(openstack_blockstorage_volume_v2.glusterfs_volume.*.id, count.index)
+  volume_id   = element(openstack_blockstorage_volume_v3.glusterfs_volume.*.id, count.index)
 }
--- a/docs/CNI/cilium.md
+++ b/docs/CNI/cilium.md
@@ -245,7 +245,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 ```yml
-cilium_version: "1.18.6"
+cilium_version: "1.19.1"
 ```
 ## Add variable to config
--- a/docs/_sidebar.md
+++ b/docs/_sidebar.md
@@ -57,7 +57,6 @@
  * [Setting-up-your-first-cluster](/docs/getting_started/setting-up-your-first-cluster.md)
 * Ingress
  * [Alb Ingress Controller](/docs/ingress/alb_ingress_controller.md)
  * [Ingress Nginx](/docs/ingress/ingress_nginx.md)
  * [Kube-vip](/docs/ingress/kube-vip.md)
  * [Metallb](/docs/ingress/metallb.md)
 * Operating Systems
--- a/docs/advanced/cert_manager.md
+++ b/docs/advanced/cert_manager.md
@@ -30,14 +30,7 @@ If you don't have a TLS Root CA certificate and key available, you can create th
 A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
-To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true.
+For example, if you're using the Traefik ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
 ```ini
 # Nginx ingress controller deployment
 ingress_nginx_enabled: true
 ```
 For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -48,9 +41,9 @@ metadata:
  labels:
    prometheus: k8s
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: ca-issuer
 spec:
  ingressClassName: "traefik"
  tls:
  - hosts:
    - prometheus.example.com
@@ -72,8 +65,8 @@ Once deployed to your K8s cluster, every 3 months cert-manager will automaticall
 Please consult the official upstream documentation:
- [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/)
+- [cert-manager Ingress Usage](https://cert-manager.io/usage/ingress/)
- [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name)
+- [cert-manager Ingress Tutorial](https://cert-manager.io/tutorials/acme/ingress/#step-3-assign-a-dns-name)
 ### ACME
@@ -81,12 +74,12 @@ The ACME Issuer type represents a single account registered with the Automated C
 Certificates issued by public ACME servers are typically trusted by client’s computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most client’s web browsers. ACME certificates are typically free.
- [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/)
+- [ACME Configuration](https://cert-manager.io/docs/configuration/acme/)
- [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/)
+- [ACME HTTP Validation](https://cert-manager.io/docs/tutorials/acme/http-validation/)
-  - [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/)
+  - [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/)
- [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/)
+- [ACME DNS Validation](https://cert-manager.io/docs/tutorials/acme/dns-validation/)
-  - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
+  - [DNS01 Challenges](https://cert-manager.io/docs/configuration/acme/dns01/)
- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
+- [ACME FAQ](https://cert-manager.io/docs/troubleshooting/acme/)
 #### ACME With An Internal Certificate Authority
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -30,9 +30,9 @@ If the latest version supported according to pip is 6.7.0 it means you are runni
 Based on the table below and the available python version for your ansible host you should choose the appropriate ansible version to use with kubespray.
-| Ansible Version | Python Version |
+|  Ansible Version  | Python Version |
-|-----------------|----------------|
+|-------------------|----------------|
-| >= 2.17.3       | 3.10-3.12      |
+| >=2.18.0, <2.19.0 | 3.11-3.13      |
 ## Customize Ansible vars
@@ -78,7 +78,6 @@ The following tags are defined in playbooks:
 | crio                           | Configuring crio container engine for hosts           |
 | crun                           | Configuring crun runtime                              |
 | csi-driver                     | Configuring csi driver                                |
 | dashboard                      | Installing and configuring the Kubernetes Dashboard   |
 | dns                            | Remove dns entries when resetting                     |
 | docker                         | Configuring docker engine runtime for hosts           |
 | download                       | Fetching container images to a delegate host          |
--- a/docs/developers/ci-setup.md
+++ b/docs/developers/ci-setup.md
@@ -145,7 +145,6 @@ upstream_dns_servers:
  - 1.0.0.1
 # Extensions
 ingress_nginx_enabled: True
 helm_enabled: True
 cert_manager_enabled: True
 metrics_server_enabled: True
--- a/docs/developers/ci.md
+++ b/docs/developers/ci.md
@@ -13,6 +13,8 @@ debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: |
 debian13 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
@@ -31,12 +33,14 @@ debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 ## docker
@@ -49,6 +53,8 @@ debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora41 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
--- a/docs/getting_started/getting-started.md
+++ b/docs/getting_started/getting-started.md
@@ -83,32 +83,6 @@ authentication. One can get a kubeconfig from kube_control_plane hosts
 For more information on kubeconfig and accessing a Kubernetes cluster, refer to
 the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
 ## Accessing Kubernetes Dashboard
 Supported version is kubernetes-dashboard v2.0.x :
 - Login option : token/kubeconfig by default
 - Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
 - Only serves over https
 Access is described in [dashboard docs](https://github.com/kubernetes/dashboard/tree/master/docs/user/accessing-dashboard). With kubespray's default deployment in kube-system namespace, instead of kubernetes-dashboard :
 - Proxy URL is <http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#/login>
 - kubectl commands must be run with "-n kube-system"
 Accessing through Ingress is highly recommended. For proxy access, please note that proxy must listen to [localhost](https://github.com/kubernetes/dashboard/issues/692#issuecomment-220492484) (`proxy  --address="x.x.x.x"` will not work)
 For token authentication, guide to create Service Account is provided in [dashboard sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md) doc. Still take care of default namespace.
 Access can also by achieved via ssh tunnel on a control plane :
 ```bash
 # localhost:8081 will be sent to control-plane-1's own localhost:8081
 ssh -L8001:localhost:8001 user@control-plane-1
 sudo -i
 kubectl proxy
 ```
 ## Accessing Kubernetes API
 The main client of Kubernetes is `kubectl`. It is installed on each kube_control_plane
--- a/docs/ingress/ingress_nginx.md
+++ b/docs/ingress/ingress_nginx.md
@@ -1,203 +0,0 @@
 # Installation Guide
 ## Contents
 - [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command)
  - [Provider Specific Steps](#provider-specific-steps)
    - [Docker for Mac](#docker-for-mac)
    - [minikube](#minikube)
    - [AWS](#aws)
    - [GCE - GKE](#gce-gke)
    - [Azure](#azure)
    - [Bare-metal](#bare-metal)
  - [Verify installation](#verify-installation)
  - [Detect installed version](#detect-installed-version)
 - [Using Helm](#using-helm)
 ## Prerequisite Generic Deployment Command
 !!! attention
    The default configuration watches Ingress object from *all the namespaces*.
    To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace.
 !!! warning
    If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions.
 !!! attention
    If you're using GKE you need to initialize your user as a cluster-admin with the following command:
 ```console
 kubectl create clusterrolebinding cluster-admin-binding \
 --clusterrole cluster-admin \
 --user $(gcloud config get-value account)
 ```
 The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version.
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml
 ```
 ### Provider Specific Steps
 There are cloud provider specific yaml files.
 #### Docker for Mac
 Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018))
 First you need to [enable kubernetes](https://docs.docker.com/docker-for-mac/#kubernetes).
 Then you have to create a service:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 #### minikube
 For standard usage:
 ```console
 minikube addons enable ingress
 ```
 For development:
 1. Disable the ingress addon:
 ```console
 minikube addons disable ingress
 ```
 1. Execute `make dev-env`
 1. Confirm the `nginx-ingress-controller` deployment exists:
 ```console
 $ kubectl get pods -n ingress-nginx
 NAME                                       READY     STATUS    RESTARTS   AGE
 default-http-backend-66b447d9cf-rrlf9      1/1       Running   0          12s
 nginx-ingress-controller-fdcdcd6dd-vvpgs   1/1       Running   0          11s
 ```
 #### AWS
 In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`.
 Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
 Please check the [elastic load balancing AWS details page](https://aws.amazon.com/elasticloadbalancing/details/)
 ##### Elastic Load Balancer - ELB
 This setup requires to choose in which layer (L4 or L7) we want to configure the Load Balancer:
 - [Layer 4](https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer): Use an Network Load Balancer (NLB) with TCP as the listener protocol for ports 80 and 443.
 - [Layer 7](https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer): Use an Elastic Load Balancer (ELB) with HTTP as the listener protocol for port 80 and terminate TLS in the ELB
 For L4:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml
 ```
 For L7:
 Change the value of `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` in the file `provider/aws/deploy-tls-termination.yaml` replacing the dummy id with a valid one. The dummy value is `"arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"`
 Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the [ELB Idle Timeouts section](#elb-idle-timeouts) for additional information. If a change is required, users will need to update the value of `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` in `provider/aws/deploy-tls-termination.yaml`
 Then execute:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 This example creates an ELB with just two listeners, one in port 80 and another in port 443
 ![Listeners](https://github.com/kubernetes/ingress-nginx/blob/main/docs/images/elb-l7-listener.png)
 ##### ELB Idle Timeouts
 In some scenarios users will need to modify the value of the ELB idle timeout.
 Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX.
 By default NGINX `keepalive_timeout` is set to `75s`.
 The default ELB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified,
 in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured.
 *Please Note: An idle timeout of `3600s` is recommended when using WebSockets.*
 More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html).
 ##### Network Load Balancer (NLB)
 This type of load balancer is supported since v1.10.0 as an ALPHA feature.
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml
 ```
 #### GCE-GKE
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 **Important Note:** proxy protocol is not supported in GCE/GKE
 #### Azure
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
 ```
 #### Bare-metal
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
 ```
 !!! tip
    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md).
 ### Verify installation
 To check if the ingress controller pods have started, run the following command:
 ```console
 kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
 ```
 Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`.
 Now, you are ready to create your first ingress.
 ### Detect installed version
 To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller version` command.
 ```console
 POD_NAMESPACE=ingress-nginx
 POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
 ```
 ## Using Helm
 NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx).
 Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm)
 To install the chart with the release name `my-nginx`:
 ```console
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm install my-nginx ingress-nginx/ingress-nginx
 ```
 Detect installed version:
 ```console
 POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
 ```
--- a/docs/ingress/kube-vip.md
+++ b/docs/ingress/kube-vip.md
@@ -63,6 +63,8 @@ kube_vip_bgppeers:
 # kube_vip_bgp_peeraddress:
 # kube_vip_bgp_peerpass:
 # kube_vip_bgp_peeras:
 # kube_vip_bgp_sourceip:
 # kube_vip_bgp_sourceif:
 ```
 If using [control plane load-balancing](https://kube-vip.io/docs/about/architecture/#control-plane-load-balancing):
--- a/docs/operating_systems/rhel.md
+++ b/docs/operating_systems/rhel.md
@@ -6,9 +6,9 @@ The documentation also applies to Red Hat derivatives, including Alma Linux, Roc
 The content of this section does not apply to open-source derivatives.
-In order to install packages via yum or dnf, RHEL 7/8 hosts are required to be registered for a valid Red Hat support subscription.
+In order to install packages via yum or dnf, RHEL hosts are required to be registered for a valid Red Hat support subscription.
-You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL 7/8 hosts provisioned in Production environments.
+You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL hosts provisioned in Production environments.
 Once you have a Red Hat support account, simply add the credentials to the Ansible inventory parameters `rh_subscription_username` and `rh_subscription_password` prior to deploying Kubespray. If your company has a Corporate Red Hat support account, then obtain an **Organization ID** and **Activation Key**, and add these to the Ansible inventory parameters `rh_subscription_org_id` and `rh_subscription_activation_key` instead of using your Red Hat support account credentials.
@@ -29,15 +29,7 @@ rh_subscription_role: "Red Hat Enterprise Server"
 rh_subscription_sla: "Self-Support"
 ```
-If the RHEL 8/9 hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
+If the RHEL hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
 ## RHEL 8
 If you have containers that are using iptables in the host network namespace (`hostNetwork=true`),
 you need to ensure they are using iptables-nft.
 An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)
 The kernel version is lower than the kubernetes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
 ## Rocky Linux 10
--- a/docs/operations/etcd.md
+++ b/docs/operations/etcd.md
@@ -32,12 +32,12 @@ etcd_metrics_service_labels:
  k8s-app: etcd
  app.kubernetes.io/managed-by: Kubespray
  app: kube-prometheus-stack-kube-etcd
-  release: prometheus-stack
+  release: kube-prometheus-stack
 ```
 The last two labels in the above example allows to scrape the metrics from the
 [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
-chart with the following Helm `values.yaml` :
+chart when it is installed with the release name `kube-prometheus-stack` and the following Helm `values.yaml`:
 ```yaml
 kubeEtcd:
@@ -45,8 +45,22 @@ kubeEtcd:
    enabled: false
 ```
-To fully override metrics exposition urls, define it in the inventory with:
+If your Helm release name is different, adjust the `release` label accordingly.
 To fully override metrics exposition URLs, define it in the inventory with:
 ```yaml
 etcd_listen_metrics_urls: "http://0.0.0.0:2381"
 ```
 If you choose to expose metrics on specific node IPs (for example `10.141.4.22`, `10.141.4.23`, `10.141.4.24`) in `etcd_listen_metrics_urls`,
 you can configure kube-prometheus-stack to scrape those endpoints directly with:
 ```yaml
 kubeEtcd:
  enabled: true
  endpoints:
    - 10.141.4.22
    - 10.141.4.23
    - 10.141.4.24
 ```
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -100,8 +100,6 @@ kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
 kubelet_seccomp_default: true
 kubelet_systemd_hardening: true
 # To disable kubelet's staticPodPath (for nodes that don't use static pods like worker nodes)
 kubelet_static_pod_path: ""
 # In case you have multiple interfaces in your
 # control plane nodes and you want to specify the right
 # IP addresses, kubelet_secure_addresses allows you
--- a/docs/operations/offline-environment.md
+++ b/docs/operations/offline-environment.md
@@ -85,7 +85,7 @@ crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-v{{ crictl_ve
 # If using Calico
 calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # If using Calico with kdd
-calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_version }}.tar.gz"
+calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
 # Containerd
 containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
 runc_download_url: "{{ files_repo }}/runc.{{ image_arch }}"
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.30.1
+version: 2.31.0
 readme: README.md
 authors:
  - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)
--- a/inventory/sample/group_vars/all/offline.yml
+++ b/inventory/sample/group_vars/all/offline.yml
@@ -44,7 +44,7 @@
 # [Optional] Calico: If using Calico network plugin
 # calicoctl_download_url: "{{ files_repo }}/github.com/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
-# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
+# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
 # [Optional] Cilium: If using Cilium network plugin
 # ciliumcli_download_url: "{{ files_repo }}/github.com/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -1,8 +1,4 @@
 ---
 # Kubernetes dashboard
 # RBAC required. see docs/getting-started.md for access details.
 # dashboard_enabled: false
 # Helm deployment
 helm_enabled: false
@@ -67,39 +63,6 @@ local_volume_provisioner_enabled: false
 # Gateway API CRDs
 gateway_api_enabled: false
 # Nginx ingress controller deployment
 ingress_nginx_enabled: false
 # ingress_nginx_host_network: false
 # ingress_nginx_service_type: LoadBalancer
 # ingress_nginx_service_annotations:
 #   example.io/loadbalancerIPs: 1.2.3.4
 # ingress_nginx_service_nodeport_http: 30080
 # ingress_nginx_service_nodeport_https: 30081
 ingress_publish_status_address: ""
 # ingress_nginx_nodeselector:
 #   kubernetes.io/os: "linux"
 # ingress_nginx_tolerations:
 #   - key: "node-role.kubernetes.io/control-plane"
 #     operator: "Equal"
 #     value: ""
 #     effect: "NoSchedule"
 # ingress_nginx_namespace: "ingress-nginx"
 # ingress_nginx_insecure_port: 80
 # ingress_nginx_secure_port: 443
 # ingress_nginx_configmap:
 #   map-hash-bucket-size: "128"
 #   ssl-protocols: "TLSv1.2 TLSv1.3"
 # ingress_nginx_configmap_tcp_services:
 #   9000: "default/example-go:8080"
 # ingress_nginx_configmap_udp_services:
 #   53: "kube-system/coredns:53"
 # ingress_nginx_extra_args:
 #   - --default-ssl-certificate=default/foo-tls
 # ingress_nginx_termination_grace_period_seconds: 300
 # ingress_nginx_class: nginx
 # ingress_nginx_without_class: true
 # ingress_nginx_default: false
 # ALB ingress controller deployment
 ingress_alb_enabled: false
 # alb_ingress_aws_region: "us-east-1"
@@ -236,6 +199,8 @@ kube_vip_enabled: false
 # kube_vip_leasename: plndr-cp-lock
 # kube_vip_enable_node_labeling: false
 # kube_vip_lb_fwdmethod: local
 # kube_vip_bgp_sourceip:
 # kube_vip_bgp_sourceif:
 # Node Feature Discovery
 node_feature_discovery_enabled: false
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -361,8 +361,6 @@ cilium_l2announcements: false
 # -- Enable the use of well-known identities.
 # cilium_enable_well_known_identities: false
 # cilium_enable_bpf_clock_probe: true
 # -- Whether to enable CNP status updates.
 # cilium_disable_cnp_status_updates: true
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.17.3"
+requires_ansible: ">=2.18.0,<2.19.0"
--- a/pipeline.Dockerfile
+++ b/pipeline.Dockerfile
@@ -1,5 +1,5 @@
-# Use immutable image tags rather than mutable tags (like ubuntu:22.04)
+# Use immutable image tags rather than mutable tags (like ubuntu:24.04)
-FROM ubuntu:jammy-20230308
+FROM ubuntu:noble-20260113@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
 # (and potentially other packages)
@@ -27,14 +27,14 @@ RUN apt update -q \
         ca-certificates \
         curl \
         gnupg2 \
         software-properties-common \
         unzip \
         libvirt-clients \
         qemu-utils \
         qemu-kvm \
         dnsmasq \
-    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
+        && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
-    && add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
+        && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
            $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | tee /etc/apt/sources.list.d/docker.list \
    && apt update -q \
    && apt install --no-install-recommends -yq docker-ce \
    && apt autoremove -yqq --purge && apt clean && rm -rf /var/lib/apt/lists/* /var/log/*
@@ -44,11 +44,10 @@ ADD ./requirements.txt  /kubespray/requirements.txt
 ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
-    && pip install --no-compile --no-cache-dir pip -U \
+    && pip install --break-system-packages --ignore-installed --no-compile --no-cache-dir pip -U \
-    && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
+    && pip install --break-system-packages --no-compile --no-cache-dir -r tests/requirements.txt \
-    && pip install --no-compile --no-cache-dir -r requirements.txt \
+    && curl -L https://dl.k8s.io/release/v1.35.3/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && curl -L https://dl.k8s.io/release/v1.34.5/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.35.3/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
    && echo $(curl -L https://dl.k8s.io/release/v1.34.5/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
    && chmod a+x /usr/local/bin/kubectl \
    # Install Vagrant
    && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
@@ -56,5 +55,5 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
    && rm vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
    && vagrant plugin install vagrant-libvirt \
    # Install Kubernetes collections
-    && pip install --no-compile --no-cache-dir kubernetes \
+    && pip install --break-system-packages --no-compile --no-cache-dir kubernetes \
    && ansible-galaxy collection install kubernetes.core
--- a/playbooks/ansible_version.yml
+++ b/playbooks/ansible_version.yml
@@ -5,8 +5,8 @@
  become: false
  run_once: true
  vars:
-    minimal_ansible_version: 2.17.3
+    minimal_ansible_version: 2.18.0
-    maximal_ansible_version: 2.18.0
+    maximal_ansible_version: 2.19.0
  tags: always
  tasks:
    - name: "Check {{ minimal_ansible_version }} <= Ansible version < {{ maximal_ansible_version }}"
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
-ansible==10.7.0
+ansible==11.13.0
 # Needed for community.crypto module
-cryptography==46.0.3
+cryptography==46.0.5
 # Needed for jinja2 json_query templating
 jmespath==1.1.0
 # Needed for ansible.utils.ipaddr
--- a/roles/bastion-ssh-config/defaults/main.yml
+++ b/roles/bastion-ssh-config/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-ssh_bastion_confing__name: ssh-bastion.conf
+ssh_bastion_config_name: ssh-bastion.conf
--- a/roles/bastion-ssh-config/molecule/default/converge.yml
+++ b/roles/bastion-ssh-config/molecule/default/converge.yml
@@ -8,8 +8,8 @@
  tasks:
    - name: Copy config to remote host
      copy:
-        src: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
+        src: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
-        dest: "{{ ssh_bastion_confing__name }}"
+        dest: "{{ ssh_bastion_config_name }}"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0644"
--- a/roles/bastion-ssh-config/tasks/main.yml
+++ b/roles/bastion-ssh-config/tasks/main.yml
@@ -17,6 +17,6 @@
  delegate_to: localhost
  connection: local
  template:
-    src: "{{ ssh_bastion_confing__name }}.j2"
+    src: "{{ ssh_bastion_config_name }}.j2"
-    dest: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
+    dest: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
    mode: "0640"
--- a/roles/bootstrap_os/defaults/main.yml
+++ b/roles/bootstrap_os/defaults/main.yml
@@ -12,6 +12,10 @@ coreos_locksmithd_disable: false
 # Install epel repo on Centos/RHEL
 epel_enabled: false
 ## openEuler specific variables
 # Enable metalink for openEuler repos (auto-selects fastest mirror by location)
 openeuler_metalink_enabled: false
 ## Oracle Linux specific variables
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true
--- a/roles/bootstrap_os/tasks/openEuler.yml
+++ b/roles/bootstrap_os/tasks/openEuler.yml
@@ -1,3 +1,43 @@
 ---
- name: Import Centos boostrap for openEuler
+- name: Import CentOS bootstrap for openEuler
-  import_tasks: centos.yml
+  ansible.builtin.import_tasks: centos.yml
 - name: Get existing openEuler repo sections
  ansible.builtin.shell:
    cmd: "set -o pipefail && grep '^\\[' /etc/yum.repos.d/openEuler.repo | tr -d '[]'"
    executable: /bin/bash
  register: _openeuler_repo_sections
  changed_when: false
  failed_when: false
  check_mode: false
  become: true
  when: openeuler_metalink_enabled
 - name: Enable metalink for openEuler repos
  community.general.ini_file:
    path: /etc/yum.repos.d/openEuler.repo
    section: "{{ item.key }}"
    option: metalink
    value: "{{ item.value }}"
    no_extra_spaces: true
    mode: "0644"
  loop: "{{ _openeuler_metalink_repos | dict2items | selectattr('key', 'in', _openeuler_repo_sections.stdout_lines | default([])) }}"
  become: true
  when: openeuler_metalink_enabled
  register: _openeuler_metalink_result
  vars:
    _openeuler_metalink_repos:
      OS: "https://mirrors.openeuler.org/metalink?repo=$releasever/OS&arch=$basearch"
      everything: "https://mirrors.openeuler.org/metalink?repo=$releasever/everything&arch=$basearch"
      EPOL: "https://mirrors.openeuler.org/metalink?repo=$releasever/EPOL/main&arch=$basearch"
      debuginfo: "https://mirrors.openeuler.org/metalink?repo=$releasever/debuginfo&arch=$basearch"
      source: "https://mirrors.openeuler.org/metalink?repo=$releasever&arch=source"
      update: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=$basearch"
      update-source: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=source"
 - name: Clean dnf cache to apply metalink mirror selection
  ansible.builtin.command: dnf clean all
  become: true
  when:
    - openeuler_metalink_enabled
    - _openeuler_metalink_result.changed
--- a/roles/container-engine/cri-dockerd/handlers/main.yml
+++ b/roles/container-engine/cri-dockerd/handlers/main.yml
@@ -6,12 +6,6 @@
    masked: false
  listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | restart docker.service
  service:
    name: docker.service
    state: restarted
  listen: Restart and enable cri-dockerd
 - name: Cri-dockerd | reload cri-dockerd.socket
  service:
    name: cri-dockerd.socket
--- a/roles/container-engine/docker/tasks/main.yml
+++ b/roles/container-engine/docker/tasks/main.yml
@@ -55,7 +55,7 @@
  register: keyserver_task_result
  until: keyserver_task_result is succeeded
  retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
+  delay: "{{ retry_stagger }}"
  with_items: "{{ docker_repo_key_info.repo_keys }}"
  environment: "{{ proxy_env }}"
  when: ansible_pkg_mgr == 'apt'
@@ -128,7 +128,7 @@
  register: docker_task_result
  until: docker_task_result is succeeded
  retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
+  delay: "{{ retry_stagger }}"
  notify: Restart docker
  when:
    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
--- a/roles/container-engine/docker/templates/docker.service.j2
+++ b/roles/container-engine/docker/templates/docker.service.j2
@@ -30,7 +30,7 @@ LimitCORE=infinity
 TimeoutStartSec=1min
 # restart the docker process if it exits prematurely
 Restart=on-failure
-StartLimitBurst=3
+StartLimitBurst=10
 StartLimitInterval=60s
 # Set the cgroup slice of the service so that kube reserved takes effect
 {% if kube_reserved is defined and kube_reserved|bool %}
--- a/roles/container-engine/meta/main.yml
+++ b/roles/container-engine/meta/main.yml
@@ -1,58 +0,0 @@
 # noqa role-name - this is a meta role that doesn't need a name
 ---
 dependencies:
  - role: container-engine/validate-container-engine
    tags:
      - container-engine
      - validate-container-engine
  - role: container-engine/kata-containers
    when:
      - kata_containers_enabled
    tags:
      - container-engine
      - kata-containers
  - role: container-engine/gvisor
    when:
      - gvisor_enabled
      - container_manager in ['docker', 'containerd']
    tags:
      - container-engine
      - gvisor
  - role: container-engine/crun
    when:
      - crun_enabled
    tags:
      - container-engine
      - crun
  - role: container-engine/youki
    when:
      - youki_enabled
      - container_manager == 'crio'
    tags:
      - container-engine
      - youki
  - role: container-engine/cri-o
    when:
      - container_manager == 'crio'
    tags:
      - container-engine
      - crio
  - role: container-engine/containerd
    when:
      - container_manager == 'containerd'
    tags:
      - container-engine
      - containerd
  - role: container-engine/cri-dockerd
    when:
      - container_manager == 'docker'
    tags:
      - container-engine
      - docker
--- a/roles/container-engine/tasks/main.yml
+++ b/roles/container-engine/tasks/main.yml
@@ -0,0 +1,48 @@
 ---
 - name: Validate container engine
  import_role:
    name: container-engine/validate-container-engine
  tags:
    - container-engine
    - validate-container-engine
 - name: Container runtimes
  include_role:
    name: "container-engine/{{ item.role }}"
    apply:
      tags:
        - container-engine
        - "{{ item.role }}"
  loop:
    - { role: 'kata-containers', enabled: "{{ kata_containers_enabled }}" }
    - { role: 'gvisor', enabled: "{{ gvisor_enabled and container_manager in ['docker', 'containerd'] }}" }
    - { role: 'crun', enabled: "{{ crun_enabled }}" }
    - { role: 'youki', enabled: "{{ youki_enabled and container_manager == 'crio' }}" }
  # TODO: Technically, this is more container-runtime than engine
  when: item.enabled
  tags:
    - container-engine
    - kata-containers
    - gvisor
    - crun
    - youki
 - name: Container Manager
  vars:
    container_manager_role:
      crio: cri-o
      docker: cri-dockerd
      containerd: containerd
  include_role:
    name: "container-engine/{{ container_manager_role[container_manager] }}"
    apply:
      tags:
        - container-engine
        - crio
        - docker
        - containerd
  tags:
    - container-engine
    - crio
    - docker
    - containerd
--- a/roles/download/templates/kubeadm-images.yaml.j2
+++ b/roles/download/templates/kubeadm-images.yaml.j2
@@ -1,9 +1,9 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: InitConfiguration
 nodeRegistration:
  criSocket: {{ cri_socket }}
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 imageRepository: {{ kubeadm_image_repo }}
 kubernetesVersion: v{{ kube_version }}
--- a/roles/etcd/handlers/backup.yml
+++ b/roles/etcd/handlers/backup.yml
@@ -34,6 +34,7 @@
  when:
    - etcd_data_dir_member.stat.exists
    - etcd_cluster_is_healthy.rc == 0
    - etcd_version is version('3.6.0', '<')
  command: >-
    {{ bin_dir }}/etcdctl backup
      --data-dir {{ etcd_data_dir }}
--- a/roles/etcd/tasks/clean_v2_store.yml
+++ b/roles/etcd/tasks/clean_v2_store.yml
@@ -0,0 +1,43 @@
 ---
 # When upgrading from etcd 3.5 to 3.6, need to clean up v2 store before upgrading.
 # Without this, etcd 3.6 will crash with following error:
 #   "panic: detected disallowed v2 WAL for stage --v2-deprecation=write-only [recovered]"
 - name: Cleanup v2 store when upgrade etcd from <3.6 to >=3.6
  when:
    - etcd_cluster_setup
    - etcd_current_version != ''
    - etcd_current_version is version('3.6.0', '<')
    - etcd_version is version('3.6.0', '>=')
  block:
    - name: Ensure etcd version is >=3.5.26
      when:
        - etcd_current_version is version('3.5.26', '<')
      fail:
        msg: "You need to upgrade etcd to 3.5.26 or later before upgrade to 3.6. Current version is {{ etcd_current_version }}."
    # Workarounds:
    # Disable --enable-v2 (recommended in 20289) and do workaround of 20231 (MAX_WALS=1 and SNAPSHOT_COUNT=1)
    # - https://github.com/etcd-io/etcd/issues/20809
    # - https://github.com/etcd-io/etcd/discussions/20231#discussioncomment-13958051
    - name: Change etcd configuration temporally to limit number of WALs and snapshots to clean up v2 store
      ansible.builtin.lineinfile:
        path: /etc/etcd.env
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^ETCD_SNAPSHOT_COUNT=', line: 'ETCD_SNAPSHOT_COUNT=1' }
        - { regexp: '^ETCD_MAX_WALS=', line: 'ETCD_MAX_WALS=1' }
        - { regexp: '^ETCD_MAX_SNAPSHOTS=', line: 'ETCD_MAX_SNAPSHOTS=1' }
        - { regexp: '^ETCD_ENABLE_V2=', line: 'ETCD_ENABLE_V2=false' }
    # Restart etcd to apply temporal configuration and prevent some upgrade failures
    # See also: https://etcd.io/blog/2025/upgrade_from_3.5_to_3.6_issue_followup/
    - name: Stop etcd
      service:
        name: etcd
        state: stopped
    - name: Start etcd
      service:
        name: etcd
        state: started
--- a/roles/etcd/tasks/install_docker.yml
+++ b/roles/etcd/tasks/install_docker.yml
@@ -23,6 +23,14 @@
    - etcd_events_cluster_setup
    - etcd_image_tag not in etcd_events_current_docker_image.stdout | default('')
 - name: Get currently-deployed etcd version as x.y.z format
  set_fact:
    etcd_current_version: "{{ (etcd_current_docker_image.stdout | regex_search('.*:v([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
  when: etcd_cluster_setup
 - name: Cleanup v2 store data
  import_tasks: clean_v2_store.yml
 - name: Install etcd launch script
  template:
    src: etcd.j2
--- a/roles/etcd/tasks/install_host.yml
+++ b/roles/etcd/tasks/install_host.yml
@@ -21,6 +21,14 @@
    - etcd_events_cluster_setup
    - etcd_version not in etcd_current_host_version.stdout | default('')
 - name: Get currently-deployed etcd version as x.y.z format
  set_fact:
    etcd_current_version: "{{ (etcd_current_host_version.stdout | regex_search('etcd Version: ([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
  when: etcd_cluster_setup
 - name: Cleanup v2 store data
  import_tasks: clean_v2_store.yml
 - name: Install | Copy etcd binary from download dir
  copy:
    src: "{{ local_release_dir }}/etcd-v{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -53,6 +53,12 @@
    - control-plane
    - network
 - name: Install etcd
  include_tasks: "install_{{ etcd_deployment_type }}.yml"
  when: ('etcd' in group_names)
  tags:
    - upgrade
 - name: Install etcdctl and etcdutl binary
  import_role:
    name: etcdctl_etcdutl
@@ -64,12 +70,6 @@
    - ('etcd' in group_names)
    - etcd_cluster_setup
 - name: Install etcd
  include_tasks: "install_{{ etcd_deployment_type }}.yml"
  when: ('etcd' in group_names)
  tags:
    - upgrade
 - name: Configure etcd
  include_tasks: configure.yml
  when: ('etcd' in group_names)
--- a/roles/etcd/templates/etcd.env.j2
+++ b/roles/etcd/templates/etcd.env.j2
@@ -25,8 +25,6 @@ ETCD_MAX_REQUEST_BYTES={{ etcd_max_request_bytes }}
 ETCD_LOG_LEVEL={{ etcd_log_level }}
 ETCD_MAX_SNAPSHOTS={{ etcd_max_snapshots }}
 ETCD_MAX_WALS={{ etcd_max_wals }}
 # Flannel need etcd v2 API
 ETCD_ENABLE_V2=true
 # TLS settings
 ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -11,6 +11,7 @@ dns_nodes_per_replica: 16
 dns_cores_per_replica: 256
 dns_prevent_single_point_failure: "{{ 'true' if dns_min_replicas | int > 1 else 'false' }}"
 enable_coredns_reverse_dns_lookups: true
 coredns_svc_name: "coredns"
 coredns_ordinal_suffix: ""
 # dns_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
 coredns_affinity:
@@ -87,60 +88,5 @@ dns_autoscaler_affinity: {}
 #   app: kube-prometheus-stack-kube-etcd
 #   release: prometheus-stack
 # Netchecker
 deploy_netchecker: false
 netchecker_port: 31081
 agent_report_interval: 15
 netcheck_namespace: default
 # Limits for netchecker apps
 netchecker_agent_cpu_limit: 30m
 netchecker_agent_memory_limit: 100M
 netchecker_agent_cpu_requests: 15m
 netchecker_agent_memory_requests: 64M
 netchecker_server_cpu_limit: 100m
 netchecker_server_memory_limit: 256M
 netchecker_server_cpu_requests: 50m
 netchecker_server_memory_requests: 64M
 netchecker_etcd_cpu_limit: 200m
 netchecker_etcd_memory_limit: 256M
 netchecker_etcd_cpu_requests: 100m
 netchecker_etcd_memory_requests: 128M
 # SecurityContext (user/group)
 netchecker_agent_user: 1000
 netchecker_server_user: 1000
 netchecker_agent_group: 1000
 netchecker_server_group: 1000
 # Log levels
 netchecker_agent_log_level: 5
 netchecker_server_log_level: 5
 netchecker_etcd_log_level: info
 # Dashboard
 dashboard_replicas: 1
 # Namespace for dashboard
 dashboard_namespace: kube-system
 # Limits for dashboard
 dashboard_cpu_limit: 100m
 dashboard_memory_limit: 256M
 dashboard_cpu_requests: 50m
 dashboard_memory_requests: 64M
 # Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
 # contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
 dashboard_use_custom_certs: false
 dashboard_certs_secret_name: kubernetes-dashboard-certs
 dashboard_tls_key_file: dashboard.key
 dashboard_tls_cert_file: dashboard.crt
 dashboard_master_toleration: true
 # Override dashboard default settings
 dashboard_token_ttl: 900
 dashboard_skip_login: false
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -87,37 +87,3 @@
  when: etcd_metrics_port is defined and etcd_metrics_service_labels is defined
  tags:
    - etcd_metrics
 - name: Kubernetes Apps | Netchecker
  command:
    cmd: "{{ kubectl_apply_stdin }}"
    stdin: "{{ lookup('template', item) }}"
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  vars:
    k8s_namespace: "{{ netcheck_namespace }}"
  when: deploy_netchecker
  tags:
    - netchecker
  loop:
    - netchecker-ns.yml.j2
    - netchecker-agent-sa.yml.j2
    - netchecker-agent-ds.yml.j2
    - netchecker-agent-hostnet-ds.yml.j2
    - netchecker-server-sa.yml.j2
    - netchecker-server-clusterrole.yml.j2
    - netchecker-server-clusterrolebinding.yml.j2
    - netchecker-server-deployment.yml.j2
    - netchecker-server-svc.yml.j2
 - name: Kubernetes Apps | Dashboard
  command:
    cmd: "{{ kubectl_apply_stdin }}"
    stdin: "{{ lookup('template', 'dashboard.yml.j2') }}"
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  vars:
    k8s_namespace: "{{ dashboard_namespace }}"
  when: dashboard_enabled
  tags:
    - dashboard
--- a/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: coredns{{ coredns_ordinal_suffix }}
+  name: {{ coredns_svc_name }}{{ coredns_ordinal_suffix }}
  namespace: kube-system
  labels:
    k8s-app: kube-dns{{ coredns_ordinal_suffix }}
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -1,323 +0,0 @@
 # Copyright 2017 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # Configuration to deploy release version of the Dashboard UI compatible with
 # Kubernetes 1.8.
 #
 # Example usage: kubectl create -f <this_file>
 {% if k8s_namespace != 'kube-system' %}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ k8s_namespace }}
  labels:
    name: {{ k8s_namespace }}
 {% endif %}
 ---
 # ------------------- Dashboard Secrets ------------------- #
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
 type: Opaque
 data:
  csrf: ""
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
 type: Opaque
 ---
 # ------------------- Dashboard ConfigMap ------------------- #
 kind: ConfigMap
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
 ---
 # ------------------- Dashboard Service Account ------------------- #
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 ---
 # ------------------- Dashboard Role & Role Binding ------------------- #
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: {{ k8s_namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: {{ k8s_namespace }}
 ---
 # ------------------- Dashboard Deployment ------------------- #
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 spec:
  replicas: {{ dashboard_replicas }}
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      containers:
        - name: kubernetes-dashboard
          image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          resources:
            limits:
              cpu: {{ dashboard_cpu_limit }}
              memory: {{ dashboard_memory_limit }}
            requests:
              cpu: {{ dashboard_cpu_requests }}
              memory: {{ dashboard_memory_requests }}
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --namespace={{ k8s_namespace }}
 {% if dashboard_use_custom_certs %}
            - --tls-key-file={{ dashboard_tls_key_file }}
            - --tls-cert-file={{ dashboard_tls_cert_file }}
 {% else %}
            - --auto-generate-certificates
 {% endif %}
 {% if dashboard_skip_login %}
            - --enable-skip-login
 {% endif %}
            - --authentication-mode=token
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
            - --token-ttl={{ dashboard_token_ttl }}
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: {{ dashboard_certs_secret_name }}
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
 {% if dashboard_master_toleration %}
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
 {% endif %}
 ---
 # ------------------- Dashboard Service ------------------- #
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
 ---
 # ------------------- Metrics Scraper Service Account ------------------- #
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
 ---
 # ------------------- Metrics Scraper Service  ------------------- #
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-metrics-scraper
  name: dashboard-metrics-scraper
 spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: kubernetes-metrics-scraper
 ---
 # ------------------- Metrics Scraper Deployment  ------------------- #
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: kubernetes-metrics-scraper
  name: kubernetes-metrics-scraper
 spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: kubernetes-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      containers:
        - name: kubernetes-metrics-scraper
          image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }}
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
      serviceAccountName: kubernetes-dashboard
      volumes:
      - name: tmp-volume
        emptyDir: {}
 {% if dashboard_master_toleration %}
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
 {% endif %}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2
@@ -1,56 +0,0 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  labels:
    app: netchecker-agent
  name: netchecker-agent
  namespace: {{ netcheck_namespace }}
 spec:
  selector:
    matchLabels:
      app: netchecker-agent
  template:
    metadata:
      name: netchecker-agent
      labels:
        app: netchecker-agent
    spec:
      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      tolerations:
        - effect: NoSchedule
          operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: netchecker-agent
          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: MY_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          args:
            - "-v={{ netchecker_agent_log_level }}"
            - "-alsologtostderr=true"
            - "-serverendpoint=netchecker-service:8081"
            - "-reportinterval={{ agent_report_interval }}"
          resources:
            limits:
              cpu: {{ netchecker_agent_cpu_limit }}
              memory: {{ netchecker_agent_memory_limit }}
            requests:
              cpu: {{ netchecker_agent_cpu_requests }}
              memory: {{ netchecker_agent_memory_requests }}
          securityContext:
            runAsUser: {{ netchecker_agent_user | default('0') }}
            runAsGroup: {{ netchecker_agent_group | default('0') }}
      serviceAccountName: netchecker-agent
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 100%
    type: RollingUpdate
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2
@@ -1,58 +0,0 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  labels:
    app: netchecker-agent-hostnet
  name: netchecker-agent-hostnet
  namespace: {{ netcheck_namespace }}
 spec:
  selector:
    matchLabels:
      app: netchecker-agent-hostnet
  template:
    metadata:
      name: netchecker-agent-hostnet
      labels:
        app: netchecker-agent-hostnet
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      tolerations:
        - effect: NoSchedule
          operator: Exists
      containers:
        - name: netchecker-agent
          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: MY_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          args:
            - "-v={{ netchecker_agent_log_level }}"
            - "-alsologtostderr=true"
            - "-serverendpoint=netchecker-service:8081"
            - "-reportinterval={{ agent_report_interval }}"
          resources:
            limits:
              cpu: {{ netchecker_agent_cpu_limit }}
              memory: {{ netchecker_agent_memory_limit }}
            requests:
              cpu: {{ netchecker_agent_cpu_requests }}
              memory: {{ netchecker_agent_memory_requests }}
          securityContext:
            runAsUser: {{ netchecker_agent_user | default('0') }}
            runAsGroup: {{ netchecker_agent_group | default('0') }}
      serviceAccountName: netchecker-agent
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 100%
    type: RollingUpdate
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-sa.yml.j2
@@ -1,5 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: netchecker-agent
  namespace: {{ netcheck_namespace }}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-ns.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-ns.yml.j2
@@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: "{{ netcheck_namespace }}"
  labels:
    name: "{{ netcheck_namespace }}"
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2
@@ -1,9 +0,0 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
 rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get"]
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2
@@ -1,13 +0,0 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
 subjects:
  - kind: ServiceAccount
    name: netchecker-server
    namespace: {{ netcheck_namespace }}
 roleRef:
  kind: ClusterRole
  name: netchecker-server
  apiGroup: rbac.authorization.k8s.io
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
@@ -1,86 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
  labels:
    app: netchecker-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: netchecker-server
  template:
    metadata:
      name: netchecker-server
      labels:
        app: netchecker-server
    spec:
      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      volumes:
        - name: etcd-data
          emptyDir: {}
      containers:
        - name: netchecker-server
          image: "{{ netcheck_server_image_repo }}:{{ netcheck_server_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          resources:
            limits:
              cpu: {{ netchecker_server_cpu_limit }}
              memory: {{ netchecker_server_memory_limit }}
            requests:
              cpu: {{ netchecker_server_cpu_requests }}
              memory: {{ netchecker_server_memory_requests }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ['ALL']
            runAsUser: {{ netchecker_server_user | default('0') }}
            runAsGroup: {{ netchecker_server_group | default('0') }}
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8081
          args:
            - -v={{ netchecker_server_log_level }}
            - -logtostderr
            - -kubeproxyinit=false
            - -endpoint=0.0.0.0:8081
            - -etcd-endpoints=http://127.0.0.1:2379
        - name: etcd
          image: "{{ etcd_image_repo }}:{{ netcheck_etcd_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          env:
            - name: ETCD_LOG_LEVEL
              value: "{{ netchecker_etcd_log_level }}"
          command:
            - etcd
            - --listen-client-urls=http://127.0.0.1:2379
            - --advertise-client-urls=http://127.0.0.1:2379
            - --data-dir=/var/lib/etcd
            - --enable-v2
            - --force-new-cluster
          volumeMounts:
            - mountPath: /var/lib/etcd
              name: etcd-data
          resources:
            limits:
              cpu: {{ netchecker_etcd_cpu_limit }}
              memory: {{ netchecker_etcd_memory_limit }}
            requests:
              cpu: {{ netchecker_etcd_cpu_requests }}
              memory: {{ netchecker_etcd_memory_requests }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ['ALL']
            runAsUser: {{ netchecker_server_user | default('0') }}
            runAsGroup: {{ netchecker_server_group | default('0') }}
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      tolerations:
        - effect: NoSchedule
          operator: Exists
      serviceAccountName: netchecker-server
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2
@@ -1,5 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-svc.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-svc.yml.j2
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: netchecker-service
  namespace: {{ netcheck_namespace }}
 spec:
  selector:
    app: netchecker-server
  ports:
    -
      protocol: TCP
      port: 8081
      targetPort: 8081
      nodePort: {{ netchecker_port }}
  type: NodePort
--- a/roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2
@@ -45,7 +45,7 @@ data:
            force_tcp
        }
        prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_health_port }}
 {% if dns_etchosts | default(None) %}
        hosts /etc/coredns/hosts {
          fallthrough
@@ -132,7 +132,7 @@ data:
            force_tcp
        }
        prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_secondary_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_second_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_second_health_port }}
 {% if dns_etchosts | default(None) %}
        hosts /etc/coredns/hosts {
          fallthrough
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
@@ -21,7 +21,7 @@ external_openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
 ##    arg1: "value1"
 ##    arg2: "value2"
 external_openstack_cloud_controller_extra_args: {}
-external_openstack_cloud_controller_image_tag: "v1.32.0"
+external_openstack_cloud_controller_image_tag: "v1.35.0"
 external_openstack_cloud_controller_bind_address: 127.0.0.1
 external_openstack_cloud_controller_dns_policy: ClusterFirst
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/defaults/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/defaults/main.yml
@@ -8,3 +8,4 @@ local_path_provisioner_is_default_storageclass: "true"
 local_path_provisioner_debug: false
 local_path_provisioner_helper_image_repo: "busybox"
 local_path_provisioner_helper_image_tag: "latest"
 local_path_provisioner_resources: {}
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2
@@ -35,6 +35,10 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
 {% if local_path_provisioner_resources %}
        resources:
          {{ local_path_provisioner_resources | to_nice_yaml | indent(10) | trim }}
 {% endif %}
      volumes:
        - name: config-volume
          configMap:
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml
@@ -1,28 +0,0 @@
 ---
 ingress_nginx_namespace: "ingress-nginx"
 ingress_nginx_host_network: false
 ingress_nginx_service_type: LoadBalancer
 ingress_nginx_service_nodeport_http: ""
 ingress_nginx_service_nodeport_https: ""
 ingress_nginx_service_annotations: {}
 ingress_publish_status_address: ""
 ingress_nginx_publish_service: "{{ ingress_nginx_namespace }}/ingress-nginx"
 ingress_nginx_nodeselector:
  kubernetes.io/os: "linux"
 ingress_nginx_tolerations: []
 ingress_nginx_insecure_port: 80
 ingress_nginx_secure_port: 443
 ingress_nginx_metrics_port: 10254
 ingress_nginx_configmap: {}
 ingress_nginx_configmap_tcp_services: {}
 ingress_nginx_configmap_udp_services: {}
 ingress_nginx_extra_args: []
 ingress_nginx_termination_grace_period_seconds: 300
 ingress_nginx_class: nginx
 ingress_nginx_without_class: true
 ingress_nginx_default: false
 ingress_nginx_webhook_enabled: false
 ingress_nginx_webhook_job_ttl: 1800
 ingress_nginx_opentelemetry_enabled: false
 ingress_nginx_probe_initial_delay_seconds: 10
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
@@ -1,69 +0,0 @@
 ---
 - name: NGINX Ingress Controller | Create addon dir
  file:
    path: "{{ kube_config_dir }}/addons/ingress_nginx"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
 - name: NGINX Ingress Controller | Templates list
  set_fact:
    ingress_nginx_templates:
      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
      - { name: cm-ingress-nginx, file: cm-ingress-nginx.yml, type: cm }
      - { name: cm-tcp-services, file: cm-tcp-services.yml, type: cm }
      - { name: cm-udp-services, file: cm-udp-services.yml, type: cm }
      - { name: sa-ingress-nginx, file: sa-ingress-nginx.yml, type: sa }
      - { name: clusterrole-ingress-nginx, file: clusterrole-ingress-nginx.yml, type: clusterrole }
      - { name: clusterrolebinding-ingress-nginx, file: clusterrolebinding-ingress-nginx.yml, type: clusterrolebinding }
      - { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
      - { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
      - { name: ingressclass-nginx, file: ingressclass-nginx.yml, type: ingressclass }
      - { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
    ingress_nginx_template_for_service:
      - { name: svc-ingress-nginx, file: svc-ingress-nginx.yml, type: svc }
    ingress_nginx_templates_for_webhook:
      - { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
      - { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
      - { name: clusterrole-admission-webhook, file: clusterrole-admission-webhook.yml, type: clusterrole }
      - { name: clusterrolebinding-admission-webhook, file: clusterrolebinding-admission-webhook.yml, type: clusterrolebinding }
      - { name: role-admission-webhook, file: role-admission-webhook.yml, type: role }
      - { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
      - { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
      - { name: svc-ingress-nginx-controller-admission, file: svc-ingress-nginx-controller-admission.yml, type: svc }
 - name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Template list for service
  set_fact:
    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_template_for_service }}"
  when: not ingress_nginx_host_network
 - name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
  set_fact:
    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
  when: ingress_nginx_webhook_enabled
 - name: NGINX Ingress Controller | Create manifests
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}"
    mode: "0644"
  with_items: "{{ ingress_nginx_templates }}"
  register: ingress_nginx_manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
 - name: NGINX Ingress Controller | Apply manifests
  kube:
    name: "{{ item.item.name }}"
    namespace: "{{ ingress_nginx_namespace }}"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.item.file }}"
    state: "latest"
  with_items: "{{ ingress_nginx_manifests.results }}"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2
@@ -1,7 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ ingress_nginx_namespace }}
  labels:
    name: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2
@@ -1,30 +0,0 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: {{ ingress_nginx_namespace }}
      path: /networking/v1/ingresses
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
@@ -1,96 +0,0 @@
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission-create
  namespace: {{ ingress_nginx_namespace }}
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: create
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission-patch
  namespace: {{ ingress_nginx_namespace }}
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2
@@ -1,15 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 rules:
 - apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
@@ -1,36 +0,0 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 rules:
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2
@@ -1,16 +0,0 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2
@@ -1,16 +0,0 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2
@@ -1,13 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap %}
 data:
  {{ ingress_nginx_configmap | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2
@@ -1,13 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: tcp-services
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap_tcp_services %}
 data:
  {{ ingress_nginx_configmap_tcp_services | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2
@@ -1,13 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: udp-services
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_configmap_udp_services %}
 data:
  {{ ingress_nginx_configmap_udp_services | to_nice_yaml | indent(2) }}
 {%- endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
@@ -1,201 +0,0 @@
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: ingress-nginx-controller
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: {{ ingress_nginx_termination_grace_period_seconds }}
 {% if ingress_nginx_opentelemetry_enabled %}
      initContainers:
      - name: opentelemetry
        command:
        - /init_module
        image: {{ ingress_nginx_opentelemetry_image_repo }}:{{ ingress_nginx_opentelemetry_image_tag }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          readOnlyRootFilesystem: false
          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /modules_mount
          name: modules
 {% endif %}
 {% if ingress_nginx_host_network %}
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
 {% endif %}
 {% if ingress_nginx_nodeselector %}
      nodeSelector:
        {{ ingress_nginx_nodeselector | to_nice_yaml | indent(width=8) }}
 {%- endif %}
 {% if ingress_nginx_tolerations %}
      tolerations:
        {{ ingress_nginx_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
 {% endif %}
      priorityClassName: {% if ingress_nginx_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      containers:
        - name: ingress-nginx-controller
          image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/ingress-nginx
            - --election-id=ingress-controller-leader-{{ ingress_nginx_class }}
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
            - --ingress-class={{ ingress_nginx_class }}
 {% if ingress_nginx_without_class %}
            - --watch-ingress-without-class=true
 {% endif %}
 {% if ingress_publish_status_address != "" %}
            - --publish-status-address={{ ingress_publish_status_address }}
 {% elif ingress_nginx_host_network %}
            - --report-node-internal-ip-address
 {% elif ingress_nginx_publish_service != "" %}
            - --publish-service={{ ingress_nginx_publish_service }}
 {% endif %}
 {% for extra_arg in ingress_nginx_extra_args %}
            - {{ extra_arg }}
 {% endfor %}
 {% if ingress_nginx_webhook_enabled %}
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
 {% endif %}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
              - NET_BIND_SERVICE
              drop:
              - ALL
            readOnlyRootFilesystem: false
            runAsGroup: 82
            runAsNonRoot: true
            runAsUser: 101
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          ports:
            - name: http
              containerPort: 80
              hostPort: {{ ingress_nginx_insecure_port }}
            - name: https
              containerPort: 443
              hostPort: {{ ingress_nginx_secure_port }}
            - name: metrics
              containerPort: 10254
 {% if not ingress_nginx_host_network %}
              hostPort: {{ ingress_nginx_metrics_port }}
 {% endif %}
 {% if ingress_nginx_configmap_tcp_services %}
 {% for port in ingress_nginx_configmap_tcp_services.keys() %}
            - name: tcp-port-{{ port }}
              containerPort: {{ port | int }}
              protocol: TCP
 {% if not ingress_nginx_host_network %}
              hostPort: {{ port | int }}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_configmap_udp_services %}
 {% for port in ingress_nginx_configmap_udp_services.keys() %}
            - name: udp-port-{{ port }}
              containerPort: {{ port | int }}
              protocol: UDP
 {% if not ingress_nginx_host_network %}
              hostPort: {{ port | int }}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_webhook_enabled %}
            - name: webhook
              containerPort: 8443
              protocol: TCP
 {% endif %}
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
 {% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
          volumeMounts:
 {% if ingress_nginx_webhook_enabled %}
            - mountPath: /usr/local/certificates/
              name: webhook-cert
              readOnly: true
 {% endif %}
 {% if ingress_nginx_opentelemetry_enabled %}
            - name: modules
              mountPath: /modules_mount
 {% endif %}
 {% endif %}
 {% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
      volumes:
 {% if ingress_nginx_webhook_enabled %}
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
 {% endif %}
 {% if ingress_nginx_opentelemetry_enabled %}
        - name: modules
          emptyDir: {}
 {% endif %}
 {% endif %}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2
@@ -1,13 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
  name: {{ ingress_nginx_class }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_default %}
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
 {% endif %}
 spec:
  controller: k8s.io/ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2
@@ -1,17 +0,0 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
 rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
@@ -1,47 +0,0 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps", "pods", "secrets", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    # Defaults to "<election-id>", defined in
    # ds-ingress-nginx-controller.yml.js
    # by a command-line argument.
    #
    # This is the correct behaviour for ingress-controller
    # version 1.8.1
    resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class }}"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2
@@ -1,17 +0,0 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2
@@ -1,17 +0,0 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
 subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: {{ ingress_nginx_namespace }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2
@@ -1,8 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ingress-nginx-admission
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2
@@ -1,9 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2
@@ -1,18 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx-controller-admission
  namespace: {{ ingress_nginx_namespace }}
 spec:
  type: ClusterIP
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2
@@ -1,50 +0,0 @@
 {% if not ingress_nginx_host_network %}
 apiVersion: v1
 kind: Service
 metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% if ingress_nginx_service_annotations %}
  annotations:
    {{ ingress_nginx_service_annotations | to_nice_yaml(indent=2, width=1337) | indent(width=4) }}
 {% endif %}
 spec:
  type: {{ ingress_nginx_service_type }}
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
 {% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_http %}
      nodePort: {{ingress_nginx_service_nodeport_http | int}}
 {% endif %}
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
 {% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_https %}
      nodePort: {{ingress_nginx_service_nodeport_https | int}}
 {% endif %}
 {% if ingress_nginx_configmap_tcp_services %}
 {% for port in ingress_nginx_configmap_tcp_services.keys() %}
    - name: tcp-port-{{ port }}
      port: {{ port | int }}
      targetPort: {{ port | int }}
      protocol: TCP
 {% endfor %}
 {% endif %}
 {% if ingress_nginx_configmap_udp_services %}
 {% for port in ingress_nginx_configmap_udp_services.keys() %}
    - name: udp-port-{{ port }}
      port: {{ port | int }}
      targetPort: {{ port | int }}
      protocol: UDP
 {% endfor %}
 {% endif %}
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 {% endif %}
--- a/roles/kubernetes-apps/ingress_controller/meta/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/meta/main.yml
@@ -1,12 +1,5 @@
 ---
 dependencies:
  - role: kubernetes-apps/ingress_controller/ingress_nginx
    when: ingress_nginx_enabled
    tags:
      - apps
      - ingress-controller
      - ingress-nginx
  - role: kubernetes-apps/ingress_controller/cert_manager
    when: cert_manager_enabled
    tags:
--- a/roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2
+++ b/roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2
@@ -58,12 +58,6 @@ rules:
  verbs:
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - nodes/proxy
  verbs:
  - get
 - apiGroups:
  - topology.node.k8s.io
  resources:
--- a/roles/kubernetes-apps/registry/tasks/main.yml
+++ b/roles/kubernetes-apps/registry/tasks/main.yml
@@ -43,12 +43,12 @@
      - { name: registry-cm, file: registry-cm.yml, type: cm }
      - { name: registry-rs, file: registry-rs.yml, type: rs }
- name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled
+- name: Registry | Append ingress templates to Registry Templates list when ALB ingress enabled
  set_fact:
    registry_templates: "{{ registry_templates + [item] }}"
  with_items:
    - [{ name: registry-ing, file: registry-ing.yml, type: ing }]
-  when: ingress_nginx_enabled or ingress_alb_enabled
+  when: ingress_alb_enabled
 - name: Registry | Create manifests
  template:
--- a/roles/kubernetes-apps/snapshots/cinder-csi/templates/cinder-csi-snapshot-class.yml.j2
+++ b/roles/kubernetes-apps/snapshots/cinder-csi/templates/cinder-csi-snapshot-class.yml.j2
@@ -1,7 +1,7 @@
 {% for class in snapshot_classes %}
 ---
 kind: VolumeSnapshotClass
-apiVersion: snapshot.storage.k8s.io/v1beta1
+apiVersion: snapshot.storage.k8s.io/v1
 metadata:
  name: "{{ class.name }}"
  annotations:
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -26,7 +26,7 @@
    mode: "0700"
    state: directory
- name: Copy admin kubeconfig to current/ansible become user home
+- name: Write admin kubeconfig to current/ansible become user home
  copy:
    src: "{{ kube_config_dir }}/admin.conf"
    dest: "{{ ansible_env.HOME | default('/root') }}/.kube/config"
@@ -51,41 +51,38 @@
    port: "{{ kube_apiserver_port }}"
    timeout: 180
- name: Get admin kubeconfig from remote host
+- name: Create kubeconfig localhost artifacts
  slurp:
    src: "{{ kube_config_dir }}/admin.conf"
  run_once: true
  register: raw_admin_kubeconfig
  when: kubeconfig_localhost
  block:
    - name: Generate admin kubeconfig using kubeadm
      command: >-
        {{ bin_dir }}/kubeadm kubeconfig user
        --client-name=kubernetes-admin-{{ cluster_name }}
        --org=kubeadm:cluster-admins
        --config {{ kube_config_dir }}/kubeadm-config.yaml
      register: kubeadm_admin_kubeconfig
      changed_when: false
      run_once: true
      delegate_to: "{{ groups['kube_control_plane'][0] }}"
- name: Convert kubeconfig to YAML
+    - name: Write admin kubeconfig on ansible host
-  set_fact:
+      copy:
-    admin_kubeconfig: "{{ raw_admin_kubeconfig.content | b64decode | from_yaml }}"
+        content: "{{ kubeadm_admin_kubeconfig.stdout | from_yaml | combine(override, recursive=true) | to_nice_yaml(indent=2) }}"
-  when: kubeconfig_localhost
+        dest: "{{ artifacts_dir }}/admin.conf"
-
+        mode: "0600"
- name: Override username in kubeconfig
+      vars:
-  set_fact:
+        admin_kubeconfig: "{{ kubeadm_admin_kubeconfig.stdout | from_yaml }}"
-    final_admin_kubeconfig: "{{ admin_kubeconfig | combine(override_cluster_name, recursive=true) | combine(override_context, recursive=true) | combine(override_user, recursive=true) }}"
+        context: "kubernetes-admin-{{ cluster_name }}@{{ cluster_name }}"
-  vars:
+        override:
-    cluster_infos: "{{ admin_kubeconfig['clusters'][0]['cluster'] }}"
+          clusters:
-    user_certs: "{{ admin_kubeconfig['users'][0]['user'] }}"
+            - "{{ admin_kubeconfig['clusters'][0] | combine({'name': cluster_name, 'cluster': admin_kubeconfig['clusters'][0]['cluster'] | combine({'server': 'https://' + (external_apiserver_address | ansible.utils.ipwrap) + ':' + (external_apiserver_port | string)})}, recursive=true) }}"
-    username: "kubernetes-admin-{{ cluster_name }}"
+          contexts:
-    context: "kubernetes-admin-{{ cluster_name }}@{{ cluster_name }}"
+            - "{{ admin_kubeconfig['contexts'][0] | combine({'name': context, 'context': admin_kubeconfig['contexts'][0]['context'] | combine({'cluster': cluster_name})}, recursive=true) }}"
-    override_cluster_name: "{{ {'clusters': [{'cluster': (cluster_infos | combine({'server': 'https://' + (external_apiserver_address | ansible.utils.ipwrap) + ':' + (external_apiserver_port | string)})), 'name': cluster_name}]} }}"
+          current-context: "{{ context }}"
-    override_context: "{{ {'contexts': [{'context': {'user': username, 'cluster': cluster_name}, 'name': context}], 'current-context': context} }}"
+      delegate_to: localhost
-    override_user: "{{ {'users': [{'name': username, 'user': user_certs}]} }}"
+      connection: local
-  when: kubeconfig_localhost
+      become: false
-
+      run_once: true
 - name: Write admin kubeconfig on ansible host
  copy:
    content: "{{ final_admin_kubeconfig | to_nice_yaml(indent=2) }}"
    dest: "{{ artifacts_dir }}/admin.conf"
    mode: "0600"
  delegate_to: localhost
  connection: local
  become: false
  run_once: true
  when: kubeconfig_localhost
 - name: Copy kubectl binary to ansible host
  fetch:
--- a/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml
@@ -1,17 +0,0 @@
 ---
 - name: Update server field in component kubeconfigs
  lineinfile:
    dest: "{{ kube_config_dir }}/{{ item }}"
    regexp: '^    server: https'
    line: '    server: {{ kube_apiserver_endpoint }}'
    backup: true
  with_items:
    - admin.conf
    - controller-manager.conf
    - kubelet.conf
    - scheduler.conf
  notify:
    - "Control plane | Restart kube-controller-manager"
    - "Control plane | Restart kube-scheduler"
    - "Control plane | reload kubelet"
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -95,7 +95,7 @@
 - name: Kubeadm | Create kubeadm config
  template:
-    src: "kubeadm-config.{{ kubeadm_config_api_version }}.yaml.j2"
+    src: "kubeadm-config.v1beta4.yaml.j2"
    dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
    mode: "0640"
    validate: "{{ kubeadm_config_validate_enabled | ternary(bin_dir + '/kubeadm config validate --config %s', omit) }}"
--- a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml
@@ -2,44 +2,21 @@
 - name: Ensure kube-apiserver is up before upgrade
  import_tasks: check-api.yml
  # kubeadm-config.v1beta4 with UpgradeConfiguration requires some values that were previously allowed as args to be specified in the config file
  # TODO: Remove --skip-phases from command when v1beta4 UpgradeConfiguration supports skipPhases
 - name: Kubeadm | Upgrade first control plane node to {{ kube_version }}
  command: >-
    timeout -k 600s 600s
    {{ bin_dir }}/kubeadm upgrade apply -y v{{ kube_version }}
    {%- if kubeadm_config_api_version == 'v1beta3' %}
    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --allow-experimental-upgrades
    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
    --force
    {%- else %}
    --config={{ kube_config_dir }}/kubeadm-config.yaml
    {%- endif %}
    {%- if kube_version is version('1.32.0', '>=') %}
    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
    {%- endif %}
  register: kubeadm_upgrade
  when: inventory_hostname == first_kube_control_plane
  failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
 # TODO: When we retire kubeadm-config.v1beta3, remove --certificate-renewal, --ignore-preflight-errors, --etcd-upgrade, --patches, and --skip-phases from command, since v1beta4+ supports these in UpgradeConfiguration.node
 - name: Kubeadm | Upgrade other control plane nodes to {{ kube_version }}
  command: >-
    {{ bin_dir }}/kubeadm upgrade node
    {%- if kubeadm_config_api_version == 'v1beta3' %}
    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
    {%- else %}
    --config={{ kube_config_dir }}/kubeadm-config.yaml
    {%- endif %}
    --skip-phases={{ kubeadm_upgrade_node_phases_skip | join(',') }}
  register: kubeadm_upgrade
  when: inventory_hostname != first_kube_control_plane
  failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
--- a/roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml
+++ b/roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml
@@ -1,18 +0,0 @@
 ---
 - name: Fixup kubelet client cert rotation 1/2
  lineinfile:
    path: "{{ kube_config_dir }}/kubelet.conf"
    regexp: '^    client-certificate-data: '
    line: '    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem'
    backup: true
  notify:
    - "Control plane | reload kubelet"
 - name: Fixup kubelet client cert rotation 2/2
  lineinfile:
    path: "{{ kube_config_dir }}/kubelet.conf"
    regexp: '^    client-key-data: '
    line: '    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem'
    backup: true
  notify:
    - "Control plane | reload kubelet"
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -99,9 +99,6 @@
  include_tasks: kubeadm-etcd.yml
  when: etcd_deployment_type == "kubeadm"
 - name: Include kubeadm secondary server apiserver fixes
  include_tasks: kubeadm-fix-apiserver.yml
 - name: Cleanup unused AuthorizationConfiguration file versions
  file:
    path: "{{ kube_config_dir }}/apiserver-authorization-config-{{ item }}.yaml"
@@ -109,10 +106,6 @@
  loop: "{{ ['v1alpha1', 'v1beta1', 'v1'] | reject('equalto', kube_apiserver_authorization_config_api_version) | list }}"
  when: kube_apiserver_use_authorization_config_file
 - name: Include kubelet client cert rotation fixes
  include_tasks: kubelet-fix-client-cert-rotation.yml
  when: kubelet_rotate_certificates
 - name: Install script to renew K8S control plane certificates
  template:
    src: k8s-certs-renew.sh.j2
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -1,442 +0,0 @@
 apiVersion: kubeadm.k8s.io/v1beta3
 kind: InitConfiguration
 {% if kubeadm_token is defined %}
 bootstrapTokens:
 - token: "{{ kubeadm_token }}"
  description: "kubespray kubeadm bootstrap token"
  ttl: "24h"
 {% endif %}
 localAPIEndpoint:
  advertiseAddress: "{{ kube_apiserver_address }}"
  bindPort: {{ kube_apiserver_port }}
 {% if kubeadm_certificate_key is defined %}
 certificateKey: {{ kubeadm_certificate_key }}
 {% endif %}
 nodeRegistration:
 {% if kube_override_hostname | default('') %}
  name: "{{ kube_override_hostname }}"
 {% endif %}
 {% if 'kube_control_plane' in group_names and 'kube_node' not in group_names %}
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/control-plane
 {% else %}
  taints: []
 {% endif %}
  criSocket: {{ cri_socket }}
 {% if cloud_provider == "external" %}
  kubeletExtraArgs:
    cloud-provider: external
 {% endif %}
 {% if kubeadm_patches | length > 0 %}
 patches:
  directory: {{ kubeadm_patches_dir }}
 {% endif %}
 ---
 apiVersion: kubeadm.k8s.io/v1beta3
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
 etcd:
 {% if etcd_deployment_type != "kubeadm" %}
  external:
      endpoints:
 {% for endpoint in etcd_access_addresses.split(',') %}
      - "{{ endpoint }}"
 {% endfor %}
      caFile: {{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}
      certFile: {{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}
      keyFile: {{ etcd_cert_dir }}/{{ kube_etcd_key_file }}
 {% elif etcd_deployment_type == "kubeadm" %}
  local:
    imageRepository: "{{ etcd_image_repo | regex_replace("/etcd$","") }}"
    imageTag: "{{ etcd_image_tag }}"
    dataDir: "{{ etcd_data_dir }}"
    extraArgs:
      metrics: {{ etcd_metrics }}
      election-timeout: "{{ etcd_election_timeout }}"
      heartbeat-interval: "{{ etcd_heartbeat_interval }}"
      auto-compaction-retention: "{{ etcd_compaction_retention }}"
 {% if etcd_listen_metrics_urls is defined %}
      listen-metrics-urls: "{{ etcd_listen_metrics_urls }}"
 {% endif %}
      snapshot-count: "{{ etcd_snapshot_count }}"
      quota-backend-bytes: "{{ etcd_quota_backend_bytes }}"
      max-request-bytes: "{{ etcd_max_request_bytes }}"
      log-level: "{{ etcd_log_level }}"
 {% for key, value in etcd_extra_vars.items() %}
      {{ key }}: "{{ value }}"
 {% endfor %}
    serverCertSANs:
 {% for san in etcd_cert_alt_names %}
      - "{{ san }}"
 {% endfor %}
 {% for san in etcd_cert_alt_ips %}
      - "{{ san }}"
 {% endfor %}
    peerCertSANs:
 {% for san in etcd_cert_alt_names %}
      - "{{ san }}"
 {% endfor %}
 {% for san in etcd_cert_alt_ips %}
      - "{{ san }}"
 {% endfor %}
 {% endif %}
 dns:
  imageRepository: {{ coredns_image_repo | regex_replace('/coredns(?!/coredns).*$', '') }}
  imageTag: {{ coredns_image_tag }}
 networking:
  dnsDomain: {{ dns_domain }}
  serviceSubnet: "{{ kube_service_subnets }}"
 {% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
  podSubnet: "{{ kube_pods_subnets }}"
 {% endif %}
 {% if kubeadm_feature_gates %}
 featureGates:
 {%   for feature in kubeadm_feature_gates %}
  {{ feature | replace("=", ": ") }}
 {%   endfor %}
 {% endif %}
 kubernetesVersion: v{{ kube_version }}
 {% if kubeadm_config_api_fqdn is defined %}
 controlPlaneEndpoint: "{{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}"
 {% else %}
 controlPlaneEndpoint: "{{ main_ip | ansible.utils.ipwrap }}:{{ kube_apiserver_port }}"
 {% endif %}
 certificatesDir: {{ kube_cert_dir }}
 imageRepository: {{ kubeadm_image_repo }}
 apiServer:
  extraArgs:
    etcd-compaction-interval: "{{ kube_apiserver_etcd_compaction_interval }}"
    default-not-ready-toleration-seconds: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
    default-unreachable-toleration-seconds: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
 {% if kube_api_anonymous_auth is defined %}
 {# TODO: rework once suppport for structured auth lands #}
    anonymous-auth: "{{ kube_api_anonymous_auth }}"
 {% endif %}
 {% if kube_apiserver_use_authorization_config_file %}
    authorization-config: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
 {% else %}
    authorization-mode: {{ authorization_modes | join(',') }}
 {% endif %}
    bind-address: "{{ kube_apiserver_bind_address }}"
 {% if kube_apiserver_enable_admission_plugins | length > 0 %}
    enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
 {% endif %}
 {% if kube_apiserver_admission_control_config_file %}
    admission-control-config-file: {{ kube_config_dir }}/admission-controls.yaml
 {% endif %}
 {% if kube_apiserver_disable_admission_plugins | length > 0 %}
    disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
 {% endif %}
    apiserver-count: "{{ kube_apiserver_count }}"
    endpoint-reconciler-type: lease
 {% if etcd_events_cluster_enabled %}
    etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
 {% endif %}
    service-node-port-range: {{ kube_apiserver_node_port_range }}
    service-cluster-ip-range: "{{ kube_service_subnets }}"
    kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
    profiling: "{{ kube_profiling }}"
    request-timeout: "{{ kube_apiserver_request_timeout }}"
    enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
 {% if kube_token_auth %}
    token-auth-file: {{ kube_token_dir }}/known_tokens.csv
 {% endif %}
 {% if kube_apiserver_service_account_lookup %}
    service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
 {% endif %}
 {% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
    oidc-issuer-url: "{{ kube_oidc_url }}"
    oidc-client-id: "{{ kube_oidc_client_id }}"
 {%   if kube_oidc_ca_file is defined %}
    oidc-ca-file: "{{ kube_oidc_ca_file }}"
 {%   endif %}
 {%   if kube_oidc_username_claim is defined %}
    oidc-username-claim: "{{ kube_oidc_username_claim }}"
 {%   endif %}
 {%   if kube_oidc_groups_claim is defined %}
    oidc-groups-claim: "{{ kube_oidc_groups_claim }}"
 {%   endif %}
 {%   if kube_oidc_username_prefix is defined %}
    oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
 {%   endif %}
 {%   if kube_oidc_groups_prefix is defined %}
    oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
 {%   endif %}
 {% endif %}
 {% if kube_webhook_token_auth %}
    authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 {% endif %}
 {% if kube_webhook_authorization and not kube_apiserver_use_authorization_config_file %}
    authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
 {% endif %}
 {% if kube_encrypt_secret_data %}
    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
    storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config | length > 0 %}
    runtime-config: {{ kube_api_runtime_config | join(',') }}
 {% endif %}
    allow-privileged: "true"
 {% if kubernetes_audit or kubernetes_audit_webhook %}
    audit-policy-file: {{ audit_policy_file }}
 {% endif %}
 {% if kubernetes_audit %}
    audit-log-path: "{{ audit_log_path }}"
    audit-log-maxage: "{{ audit_log_maxage }}"
    audit-log-maxbackup: "{{ audit_log_maxbackups }}"
    audit-log-maxsize: "{{ audit_log_maxsize }}"
 {% endif %}
 {% if kubernetes_audit_webhook %}
    audit-webhook-config-file: {{ audit_webhook_config_file }}
    audit-webhook-mode: {{ audit_webhook_mode }}
 {% if audit_webhook_mode == "batch" %}
    audit-webhook-batch-max-size: "{{ audit_webhook_batch_max_size }}"
    audit-webhook-batch-max-wait: "{{ audit_webhook_batch_max_wait }}"
 {% endif %}
 {% endif %}
 {% for key in kube_kubeadm_apiserver_extra_args %}
    {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
 {% endfor %}
 {% if kube_apiserver_feature_gates or kube_feature_gates %}
    feature-gates: "{{ kube_apiserver_feature_gates | default(kube_feature_gates, true) | join(',') }}"
 {% endif %}
 {% if tls_min_version is defined %}
    tls-min-version: {{ tls_min_version }}
 {% endif %}
 {% if tls_cipher_suites is defined %}
    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
 {% endif %}
    event-ttl: {{ event_ttl_duration }}
 {% if kubelet_rotate_server_certificates %}
    kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
 {% endif %}
 {% if kube_apiserver_tracing %}
    tracing-config-file: {{ kube_config_dir }}/tracing/apiserver-tracing.yaml
 {% endif %}
 {% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or apiserver_extra_volumes or ssl_ca_dirs | length %}
  extraVolumes:
 {% if kube_token_auth %}
  - name: token-auth-config
    hostPath: {{ kube_token_dir }}
    mountPath: {{ kube_token_dir }}
 {% endif %}
 {% if kube_webhook_token_auth %}
  - name: webhook-token-auth-config
    hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
    mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 {% endif %}
 {% if kube_webhook_authorization %}
  - name: webhook-authorization-config
    hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
    mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
 {% endif %}
 {% if kube_apiserver_use_authorization_config_file %}
  - name: authorization-config
    hostPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
    mountPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
 {% endif %}
 {% if kubernetes_audit or kubernetes_audit_webhook %}
  - name: {{ audit_policy_name }}
    hostPath: {{ audit_policy_hostpath }}
    mountPath: {{ audit_policy_mountpath }}
 {% if audit_log_path != "-" %}
  - name: {{ audit_log_name }}
    hostPath: {{ audit_log_hostpath }}
    mountPath: {{ audit_log_mountpath }}
    readOnly: false
 {% endif %}
 {% endif %}
 {% if kube_apiserver_admission_control_config_file %}
  - name: admission-control-configs
    hostPath: {{ kube_config_dir }}/admission-controls
    mountPath: {{ kube_config_dir }}
    readOnly: false
    pathType: DirectoryOrCreate
 {% endif %}
 {% if kube_apiserver_tracing %}
  - name: tracing
    hostPath: {{ kube_config_dir }}/tracing
    mountPath: {{ kube_config_dir }}/tracing
    readOnly: true
    pathType: DirectoryOrCreate
 {% endif %}
 {% for volume in apiserver_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
 {% endfor %}
 {% if ssl_ca_dirs | length %}
 {% for dir in ssl_ca_dirs %}
  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
    hostPath: {{ dir }}
    mountPath: {{ dir }}
    readOnly: true
 {% endfor %}
 {% endif %}
 {% endif %}
  certSANs:
 {% for san in apiserver_sans %}
  - "{{ san }}"
 {% endfor %}
  timeoutForControlPlane: 5m0s
 controllerManager:
  extraArgs:
    node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
    node-monitor-period: {{ kube_controller_node_monitor_period }}
 {% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
    cluster-cidr: "{{ kube_pods_subnets }}"
 {% endif %}
    service-cluster-ip-range: "{{ kube_service_subnets }}"
 {% if kube_network_plugin is defined and kube_network_plugin == "calico" and not calico_ipam_host_local %}
    allocate-node-cidrs: "false"
 {% else %}
 {% if ipv4_stack %}
    node-cidr-mask-size-ipv4: "{{ kube_network_node_prefix }}"
 {% endif %}
 {% if ipv6_stack %}
    node-cidr-mask-size-ipv6: "{{ kube_network_node_prefix_ipv6 }}"
 {% endif %}
 {% endif %}
    profiling: "{{ kube_profiling }}"
    terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
    bind-address: "{{ kube_controller_manager_bind_address }}"
    leader-elect-lease-duration: {{ kube_controller_manager_leader_elect_lease_duration }}
    leader-elect-renew-deadline: {{ kube_controller_manager_leader_elect_renew_deadline }}
 {% if kube_controller_feature_gates or kube_feature_gates %}
    feature-gates: "{{ kube_controller_feature_gates | default(kube_feature_gates, true) | join(',') }}"
 {% endif %}
 {% for key in kube_kubeadm_controller_extra_args %}
    {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
 {% endfor %}
 {% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %}
    configure-cloud-routes: "false"
 {% endif %}
 {% if kubelet_flexvolumes_plugins_dir is defined %}
    flex-volume-plugin-dir: {{ kubelet_flexvolumes_plugins_dir }}
 {% endif %}
 {% if tls_min_version is defined %}
    tls-min-version: {{ tls_min_version }}
 {% endif %}
 {% if tls_cipher_suites is defined %}
    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
 {% endif %}
 {% if controller_manager_extra_volumes %}
  extraVolumes:
 {% for volume in controller_manager_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
 {% endfor %}
 {% endif %}
 scheduler:
  extraArgs:
    bind-address: "{{ kube_scheduler_bind_address }}"
    config: {{ kube_config_dir }}/kubescheduler-config.yaml
 {% if kube_scheduler_feature_gates or kube_feature_gates %}
    feature-gates: "{{ kube_scheduler_feature_gates | default(kube_feature_gates, true) | join(',') }}"
 {% endif %}
    profiling: "{{ kube_profiling }}"
 {% if kube_kubeadm_scheduler_extra_args | length > 0 %}
 {% for key in kube_kubeadm_scheduler_extra_args %}
    {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
 {% endfor %}
 {% endif %}
 {% if tls_min_version is defined %}
    tls-min-version: {{ tls_min_version }}
 {% endif %}
 {% if tls_cipher_suites is defined %}
    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
 {% endif %}
  extraVolumes:
  - name: kubescheduler-config
    hostPath: {{ kube_config_dir }}/kubescheduler-config.yaml
    mountPath: {{ kube_config_dir }}/kubescheduler-config.yaml
    readOnly: true
 {% if scheduler_extra_volumes %}
 {% for volume in scheduler_extra_volumes %}
  - name: {{ volume.name }}
    hostPath: {{ volume.hostPath }}
    mountPath: {{ volume.mountPath }}
    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
 {% endfor %}
 {% endif %}
 ---
 apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
 bindAddress: "{{ kube_proxy_bind_address }}"
 clientConnection:
  acceptContentTypes: {{ kube_proxy_client_accept_content_types }}
  burst: {{ kube_proxy_client_burst }}
  contentType: {{ kube_proxy_client_content_type }}
  kubeconfig: {{ kube_proxy_client_kubeconfig }}
  qps: {{ kube_proxy_client_qps }}
 {% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
 clusterCIDR: "{{ kube_pods_subnets }}"
 {% endif %}
 configSyncPeriod: {{ kube_proxy_config_sync_period }}
 conntrack:
  maxPerCore: {{ kube_proxy_conntrack_max_per_core }}
  min: {{ kube_proxy_conntrack_min }}
  tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }}
  tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }}
 enableProfiling: {{ kube_proxy_enable_profiling }}
 healthzBindAddress: "{{ kube_proxy_healthz_bind_address }}"
 hostnameOverride: "{{ kube_override_hostname }}"
 iptables:
  masqueradeAll: {{ kube_proxy_masquerade_all }}
  masqueradeBit: {{ kube_proxy_masquerade_bit }}
  minSyncPeriod: {{ kube_proxy_min_sync_period }}
  syncPeriod: {{ kube_proxy_sync_period }}
 ipvs:
  excludeCIDRs: {{ kube_proxy_exclude_cidrs }}
  minSyncPeriod: {{ kube_proxy_min_sync_period }}
  scheduler: {{ kube_proxy_scheduler }}
  syncPeriod: {{ kube_proxy_sync_period }}
  strictARP: {{ kube_proxy_strict_arp }}
  tcpTimeout: {{ kube_proxy_tcp_timeout }}
  tcpFinTimeout: {{ kube_proxy_tcp_fin_timeout }}
  udpTimeout: {{ kube_proxy_udp_timeout }}
 metricsBindAddress: "{{ kube_proxy_metrics_bind_address }}"
 mode: {{ kube_proxy_mode }}
 nodePortAddresses: {{ kube_proxy_nodeport_addresses }}
 oomScoreAdj: {{ kube_proxy_oom_score_adj }}
 portRange: {{ kube_proxy_port_range }}
 {% if kube_proxy_feature_gates or kube_feature_gates %}
 {% set feature_gates = ( kube_proxy_feature_gates | default(kube_feature_gates, true) ) %}
 featureGates:
 {%   for feature in feature_gates %}
  {{ feature | replace("=", ": ") }}
 {%   endfor %}
 {% endif %}
 {# DNS settings for kubelet #}
 {% if enable_nodelocaldns %}
 {% set kubelet_cluster_dns = [nodelocaldns_ip] %}
 {% elif dns_mode in ['coredns'] %}
 {% set kubelet_cluster_dns = [skydns_server] %}
 {% elif dns_mode == 'coredns_dual' %}
 {% set kubelet_cluster_dns = [skydns_server,skydns_server_secondary] %}
 {% elif dns_mode == 'manual' %}
 {% set kubelet_cluster_dns = [manual_dns_server] %}
 {% else %}
 {% set kubelet_cluster_dns = [] %}
 {% endif %}
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 clusterDNS:
 {% for dns_address in kubelet_cluster_dns %}
 - {{ dns_address }}
 {% endfor %}
 {% if kubelet_feature_gates or kube_feature_gates %}
 {% set feature_gates = ( kubelet_feature_gates | default(kube_feature_gates, true) ) %}
 featureGates:
 {%   for feature in feature_gates %}
  {{ feature | replace("=", ": ") }}
 {%   endfor %}
 {% endif %}
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -563,6 +563,9 @@ featureGates:
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 {% if kube_version is version('1.35.0', '>=') %}
 failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
 {% endif %}
 clusterDNS:
 {% for dns_address in kubelet_cluster_dns %}
 - {{ dns_address }}
--- a/roles/kubernetes/control-plane/templates/kubeadm-controlplane.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-controlplane.yaml.j2
@@ -1,4 +1,4 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration
 discovery:
 {% if kubeadm_use_file_discovery %}
@@ -15,13 +15,8 @@ discovery:
    unsafeSkipCAVerification: true
 {% endif %}
  tlsBootstrapToken: {{ kubeadm_token }}
 {# TODO: drop the if when we drop support for k8s<1.31 #}
 {% if kubeadm_config_api_version == 'v1beta3' %}
  timeout: {{ discovery_timeout }}
 {% else %}
 timeouts:
  discovery: {{ discovery_timeout }}
 {% endif %}
 controlPlane:
  localAPIEndpoint:
    advertiseAddress: "{{ kube_apiserver_address }}"
--- a/roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2
+++ b/roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2
@@ -1,5 +1,5 @@
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration
 discovery:
 {% if kubeadm_use_file_discovery %}
@@ -21,13 +21,8 @@ discovery:
 {% endif %}
 {% endif %}
  tlsBootstrapToken: {{ kubeadm_token }}
 {# TODO: drop the if when we drop support for k8s<1.31 #}
 {% if kubeadm_config_api_version == 'v1beta3' %}
  timeout: {{ discovery_timeout }}
 {% else %}
 timeouts:
  discovery: {{ discovery_timeout }}
 {% endif %}
 caCertPath: {{ kube_cert_dir }}/ca.crt
 {% if kubeadm_cert_controlplane is defined and kubeadm_cert_controlplane %}
 controlPlane:
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`requires_ansible: ">=2.17.3"`	`requires_ansible: ">=2.18.0,<2.19.0"`