Patch versions updates

Document the KubeVirt image build process used by Kubespray CI,
including prerequisites, usage instructions, and how to add new
OS images.

Ref: https://github.com/kubernetes-sigs/kubespray/issues/12383

Made-with: Cursor

Signed-off-by: Kay Yan <kay.yan@daocloud.io>

.github/workflows/upgrade-patch-versions-schedule.yml

@@ -20,7 +20,7 @@ jobs:
           query get_release_branches($owner:String!, $name:String!) {
             repository(owner:$owner, name:$name) {
               refs(refPrefix: "refs/heads/",
-                   first: 2, # TODO increment once we have release branch with the new checksums format
+                   first: 3,
                    query: "release-",
                    orderBy: {
                      field: ALPHABETICAL,

.gitlab-ci/kubevirt.yml

@@ -41,7 +41,8 @@ pr:
           - debian12-cilium
           - debian13-cilium
           - fedora39-kube-router
-          - openeuler24-calico
+          - fedora41-kube-router
+          - fedora42-calico
           - rockylinux9-cilium
           - rockylinux10-cilium
           - ubuntu22-calico-all-in-one
@@ -49,12 +50,24 @@ pr:
           - ubuntu24-calico-etcd-datastore
           - ubuntu24-calico-all-in-one-hardening
           - ubuntu24-cilium-sep
+          - ubuntu24-crio-scale
+          - ubuntu24-crio-upgrade
           - ubuntu24-flannel-collection
           - ubuntu24-kube-router-sep
           - ubuntu24-kube-router-svc-proxy
           - ubuntu24-ha-separate-etcd
-          - flatcar4081-calico
           - fedora40-flannel-crio-collection-scale
+          - openeuler24-calico
+
+# This is for flakey test so they don't disrupt the PR worklflow too much.
+# Jobs here MUST have a open issue so we don't lose sight of them
+pr-flakey:
+  extends: pr
+  retry: 1
+  parallel:
+    matrix:
+      - TESTCASE:
+          - flatcar4081-calico # https://github.com/kubernetes-sigs/kubespray/issues/12309
 
 # The ubuntu24-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu24-calico-all-in-one:
@@ -91,6 +104,8 @@ pr_full:
           - debian12-custom-cni-helm
           - fedora39-calico-swap-selinux
           - fedora39-crio
+          - fedora41-calico-swap-selinux
+          - fedora41-crio
           - ubuntu24-calico-ha-wireguard
           - ubuntu24-flannel-ha
           - ubuntu24-flannel-ha-once
@@ -150,6 +165,7 @@ periodic:
           - debian12-cilium-svc-proxy
           - fedora39-calico-selinux
           - fedora40-docker-calico
+          - fedora41-calico-selinux
           - ubuntu24-calico-etcd-kubeadm-upgrade-ha
           - ubuntu24-calico-ha-recover
           - ubuntu24-calico-ha-recover-noquorum

.gitlab-ci/terraform.yml

@@ -116,3 +116,4 @@ tf-elastx_ubuntu24-calico:
     TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
     TF_VAR_image: ubuntu-24.04-server-latest
     TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
+    TESTCASE: $CI_JOB_NAME

CONTRIBUTING.md

@@ -12,7 +12,6 @@ To install development dependencies you can set up a python virtual env with the
 virtualenv venv
 source venv/bin/activate
 pip install -r tests/requirements.txt
-ansible-galaxy install -r tests/requirements.yml
 ```
 
 #### Linting

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
-# Use immutable image tags rather than mutable tags (like ubuntu:22.04)
-FROM ubuntu:22.04@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37
+# Use immutable image tags rather than mutable tags (like ubuntu:24.04)
+FROM ubuntu:noble-20260113@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b
 
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
@@ -29,14 +29,14 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 
 RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
     --mount=type=cache,sharing=locked,id=pipcache,mode=0777,target=/root/.cache/pip \
-    pip install --no-compile --no-cache-dir -r requirements.txt \
+    pip install --break-system-packages --no-compile --no-cache-dir -r requirements.txt \
     && find /usr -type d -name '*__pycache__' -prune -exec rm -rf {} \;
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.34.5/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.5/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L "https://dl.k8s.io/release/v1.35.3/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.35.3/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl
 
 COPY *.yml ./

README.md

@@ -89,13 +89,13 @@ vagrant up
 - **Flatcar Container Linux by Kinvolk**
 - **Debian** Bookworm, Bullseye, Trixie
 - **Ubuntu** 22.04, 24.04
-- **CentOS Stream / RHEL** [9, 10](docs/operating_systems/rhel.md#rhel-8)
-- **Fedora** 39, 40
+- **CentOS Stream / RHEL** 9, 10
+- **Fedora** 39, 40, 41, 42
 - **Fedora CoreOS** (see [fcos Note](docs/operating_systems/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
-- **Oracle Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
-- **Alma Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
-- **Rocky Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8) (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
+- **Oracle Linux** 9, 10
+- **Alma Linux** 9, 10
+- **Rocky Linux** 9, 10 (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
 - **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/operating_systems/kylinlinux.md))
 - **Amazon Linux 2** (experimental: see [amazon linux notes](docs/operating_systems/amazonlinux.md))
 - **UOS Linux** (experimental: see [uos linux notes](docs/operating_systems/uoslinux.md))
@@ -111,15 +111,15 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.5
-  - [etcd](https://github.com/etcd-io/etcd) 3.5.27
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.35.3
+  - [etcd](https://github.com/etcd-io/etcd) 3.6.8
   - [docker](https://www.docker.com/) 28.3
   - [containerd](https://containerd.io/) 2.2.2
-  - [cri-o](http://cri-o.io/) 1.34.6 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [cri-o](http://cri-o.io/) 1.35.1 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
-  - [calico](https://github.com/projectcalico/calico) 3.30.6
-  - [cilium](https://github.com/cilium/cilium) 1.18.6
+  - [calico](https://github.com/projectcalico/calico) 3.30.7
+  - [cilium](https://github.com/cilium/cilium) 1.19.1
   - [flannel](https://github.com/flannel-io/flannel) 0.27.3
   - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
@@ -127,8 +127,7 @@ Note:
   - [kube-vip](https://github.com/kube-vip/kube-vip) 1.0.3
 - Application
   - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.1
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
+  - [coredns](https://github.com/coredns/coredns) 1.12.4
   - [argocd](https://argoproj.github.io/) 2.14.5
   - [helm](https://helm.sh/) 3.18.4
   - [metallb](https://metallb.universe.tf/) 0.13.9
@@ -202,8 +201,6 @@ See also [Network checker](docs/advanced/netcheck.md).
 
 ## Ingress Plugins
 
-- [nginx](https://kubernetes.github.io/ingress-nginx): the NGINX Ingress Controller.
-
 - [metallb](docs/ingress/metallb.md): the MetalLB bare-metal service LoadBalancer provider.
 
 ## Community docs and resources

Vagrantfile

@@ -35,6 +35,9 @@ SUPPORTED_OS = {
   "fedora40"            => {box: "fedora/40-cloud-base",       user: "vagrant"},
   "fedora39-arm64"      => {box: "bento/fedora-39-arm64",      user: "vagrant"},
   "fedora40-arm64"      => {box: "bento/fedora-40",            user: "vagrant"},
+  "fedora41"            => {box: "fedora/41-cloud-base",       user: "vagrant"},
+  "fedora42"            => {box: "fedora/42-cloud-base",       user: "vagrant"},
+  "fedora41-bento"      => {box: "bento/fedora-41",            user: "vagrant"},
   "opensuse"            => {box: "opensuse/Leap-15.6.x86_64",  user: "vagrant"},
   "opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
   "oraclelinux"         => {box: "generic/oracle7",            user: "vagrant"},

contrib/terraform/gcp/README.md

@@ -51,7 +51,7 @@ To generate kubespray inventory based on the terraform state file you can run th
 You should now have a inventory file named `inventory.ini` that you can use with kubespray, e.g.
 
 ```bash
-ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
+ansible-playbook -i contrib/terraform/gcp/inventory.ini cluster.yml -b -v
 ```
 
 ## Variables

contrib/terraform/openstack/modules/compute/main.tf

@@ -1006,7 +1006,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
   name              = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
   count             = var.number_of_gfs_nodes_no_floating_ip
   availability_zone = element(var.az_list, count.index)
-  image_name        = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
+  image_id          = var.gfs_root_volume_size_in_gb == 0 ? local.image_to_use_gfs : null
   flavor_id         = var.flavor_gfs_node
   key_pair          = openstack_compute_keypair_v2.k8s.name
 
@@ -1078,7 +1078,7 @@ resource "openstack_networking_floatingip_associate_v2" "k8s_nodes" {
   port_id               = openstack_networking_port_v2.k8s_nodes_port[each.key].id
 }
 
-resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
+resource "openstack_blockstorage_volume_v3" "glusterfs_volume" {
   name        = "${var.cluster_name}-glusterfs_volume-${count.index + 1}"
   count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
   description = "Non-ephemeral volume for GlusterFS"
@@ -1088,5 +1088,5 @@ resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
 resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {
   count       = var.gfs_root_volume_size_in_gb == 0 ? var.number_of_gfs_nodes_no_floating_ip : 0
   instance_id = element(openstack_compute_instance_v2.glusterfs_node_no_floating_ip.*.id, count.index)
-  volume_id   = element(openstack_blockstorage_volume_v2.glusterfs_volume.*.id, count.index)
+  volume_id   = element(openstack_blockstorage_volume_v3.glusterfs_volume.*.id, count.index)
 }

docs/CNI/cilium.md

@@ -245,7 +245,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: "1.18.6"
+cilium_version: "1.19.1"
 ```
 
 ## Add variable to config

docs/_sidebar.md

@@ -57,7 +57,6 @@
   * [Setting-up-your-first-cluster](/docs/getting_started/setting-up-your-first-cluster.md)
 * Ingress
   * [Alb Ingress Controller](/docs/ingress/alb_ingress_controller.md)
-  * [Ingress Nginx](/docs/ingress/ingress_nginx.md)
   * [Kube-vip](/docs/ingress/kube-vip.md)
   * [Metallb](/docs/ingress/metallb.md)
 * Operating Systems

docs/advanced/cert_manager.md

@@ -30,14 +30,7 @@ If you don't have a TLS Root CA certificate and key available, you can create th
 
 A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
 
-To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true.
-
-```ini
-# Nginx ingress controller deployment
-ingress_nginx_enabled: true
-```
-
-For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
+For example, if you're using the Traefik ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
 
 ```yaml
 apiVersion: networking.k8s.io/v1
@@ -48,9 +41,9 @@ metadata:
   labels:
     prometheus: k8s
   annotations:
-    kubernetes.io/ingress.class: "nginx"
     cert-manager.io/cluster-issuer: ca-issuer
 spec:
+  ingressClassName: "traefik"
   tls:
   - hosts:
     - prometheus.example.com
@@ -72,8 +65,8 @@ Once deployed to your K8s cluster, every 3 months cert-manager will automaticall
 
 Please consult the official upstream documentation:
 
-- [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/)
-- [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name)
+- [cert-manager Ingress Usage](https://cert-manager.io/usage/ingress/)
+- [cert-manager Ingress Tutorial](https://cert-manager.io/tutorials/acme/ingress/#step-3-assign-a-dns-name)
 
 ### ACME
 
@@ -81,12 +74,12 @@ The ACME Issuer type represents a single account registered with the Automated C
 
 Certificates issued by public ACME servers are typically trusted by client’s computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most client’s web browsers. ACME certificates are typically free.
 
-- [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/)
-- [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/)
-  - [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/)
-- [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/)
-  - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
-- [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
+- [ACME Configuration](https://cert-manager.io/docs/configuration/acme/)
+- [ACME HTTP Validation](https://cert-manager.io/docs/tutorials/acme/http-validation/)
+  - [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/)
+- [ACME DNS Validation](https://cert-manager.io/docs/tutorials/acme/dns-validation/)
+  - [DNS01 Challenges](https://cert-manager.io/docs/configuration/acme/dns01/)
+- [ACME FAQ](https://cert-manager.io/docs/troubleshooting/acme/)
 
 #### ACME With An Internal Certificate Authority
 

docs/ansible/ansible.md

@@ -30,9 +30,9 @@ If the latest version supported according to pip is 6.7.0 it means you are runni
 
 Based on the table below and the available python version for your ansible host you should choose the appropriate ansible version to use with kubespray.
 
-| Ansible Version | Python Version |
-|-----------------|----------------|
-| >= 2.17.3       | 3.10-3.12      |
+|  Ansible Version  | Python Version |
+|-------------------|----------------|
+| >=2.18.0, <2.19.0 | 3.11-3.13      |
 
 ## Customize Ansible vars
 
@@ -78,7 +78,6 @@ The following tags are defined in playbooks:
 | crio                           | Configuring crio container engine for hosts           |
 | crun                           | Configuring crun runtime                              |
 | csi-driver                     | Configuring csi driver                                |
-| dashboard                      | Installing and configuring the Kubernetes Dashboard   |
 | dns                            | Remove dns entries when resetting                     |
 | docker                         | Configuring docker engine runtime for hosts           |
 | download                       | Fetching container images to a delegate host          |

docs/developers/ci-setup.md

@@ -145,7 +145,6 @@ upstream_dns_servers:
   - 1.0.0.1
 
 # Extensions
-ingress_nginx_enabled: True
 helm_enabled: True
 cert_manager_enabled: True
 metrics_server_enabled: True

docs/developers/ci.md

@@ -13,6 +13,8 @@ debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: |
 debian13 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
 fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
+fedora42 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
@@ -31,12 +33,14 @@ debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora41 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 
 ## docker
 
@@ -49,6 +53,8 @@ debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian13 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora41 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+fedora42 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |

docs/getting_started/getting-started.md

@@ -83,32 +83,6 @@ authentication. One can get a kubeconfig from kube_control_plane hosts
 For more information on kubeconfig and accessing a Kubernetes cluster, refer to
 the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
 
-## Accessing Kubernetes Dashboard
-
-Supported version is kubernetes-dashboard v2.0.x :
-
-- Login option : token/kubeconfig by default
-- Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
-- Only serves over https
-
-Access is described in [dashboard docs](https://github.com/kubernetes/dashboard/tree/master/docs/user/accessing-dashboard). With kubespray's default deployment in kube-system namespace, instead of kubernetes-dashboard :
-
-- Proxy URL is <http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#/login>
-- kubectl commands must be run with "-n kube-system"
-
-Accessing through Ingress is highly recommended. For proxy access, please note that proxy must listen to [localhost](https://github.com/kubernetes/dashboard/issues/692#issuecomment-220492484) (`proxy  --address="x.x.x.x"` will not work)
-
-For token authentication, guide to create Service Account is provided in [dashboard sample user](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md) doc. Still take care of default namespace.
-
-Access can also by achieved via ssh tunnel on a control plane :
-
-```bash
-# localhost:8081 will be sent to control-plane-1's own localhost:8081
-ssh -L8001:localhost:8001 user@control-plane-1
-sudo -i
-kubectl proxy
-```
-
 ## Accessing Kubernetes API
 
 The main client of Kubernetes is `kubectl`. It is installed on each kube_control_plane

docs/ingress/ingress_nginx.md

@@ -1,203 +0,0 @@
-# Installation Guide
-
-## Contents
-
-- [Prerequisite Generic Deployment Command](#prerequisite-generic-deployment-command)
-  - [Provider Specific Steps](#provider-specific-steps)
-    - [Docker for Mac](#docker-for-mac)
-    - [minikube](#minikube)
-    - [AWS](#aws)
-    - [GCE - GKE](#gce-gke)
-    - [Azure](#azure)
-    - [Bare-metal](#bare-metal)
-  - [Verify installation](#verify-installation)
-  - [Detect installed version](#detect-installed-version)
-- [Using Helm](#using-helm)
-
-## Prerequisite Generic Deployment Command
-
-!!! attention
-    The default configuration watches Ingress object from *all the namespaces*.
-    To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace.
-
-!!! warning
-    If multiple Ingresses define different paths for the same host, the ingress controller will merge the definitions.
-
-!!! attention
-    If you're using GKE you need to initialize your user as a cluster-admin with the following command:
-
-```console
-kubectl create clusterrolebinding cluster-admin-binding \
---clusterrole cluster-admin \
---user $(gcloud config get-value account)
-```
-
-The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version.
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml
-```
-
-### Provider Specific Steps
-
-There are cloud provider specific yaml files.
-
-#### Docker for Mac
-
-Kubernetes is available in Docker for Mac (from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018))
-
-First you need to [enable kubernetes](https://docs.docker.com/docker-for-mac/#kubernetes).
-
-Then you have to create a service:
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
-```
-
-#### minikube
-
-For standard usage:
-
-```console
-minikube addons enable ingress
-```
-
-For development:
-
-1. Disable the ingress addon:
-
-```console
-minikube addons disable ingress
-```
-
-1. Execute `make dev-env`
-1. Confirm the `nginx-ingress-controller` deployment exists:
-
-```console
-$ kubectl get pods -n ingress-nginx
-NAME                                       READY     STATUS    RESTARTS   AGE
-default-http-backend-66b447d9cf-rrlf9      1/1       Running   0          12s
-nginx-ingress-controller-fdcdcd6dd-vvpgs   1/1       Running   0          11s
-```
-
-#### AWS
-
-In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`.
-Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
-Please check the [elastic load balancing AWS details page](https://aws.amazon.com/elasticloadbalancing/details/)
-
-##### Elastic Load Balancer - ELB
-
-This setup requires to choose in which layer (L4 or L7) we want to configure the Load Balancer:
-
-- [Layer 4](https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer): Use an Network Load Balancer (NLB) with TCP as the listener protocol for ports 80 and 443.
-- [Layer 7](https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer): Use an Elastic Load Balancer (ELB) with HTTP as the listener protocol for port 80 and terminate TLS in the ELB
-
-For L4:
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml
-```
-
-For L7:
-
-Change the value of `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` in the file `provider/aws/deploy-tls-termination.yaml` replacing the dummy id with a valid one. The dummy value is `"arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"`
-
-Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the [ELB Idle Timeouts section](#elb-idle-timeouts) for additional information. If a change is required, users will need to update the value of `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` in `provider/aws/deploy-tls-termination.yaml`
-
-Then execute:
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy-tls-termination.yaml
-```
-
-This example creates an ELB with just two listeners, one in port 80 and another in port 443
-
-![Listeners](https://github.com/kubernetes/ingress-nginx/blob/main/docs/images/elb-l7-listener.png)
-
-##### ELB Idle Timeouts
-
-In some scenarios users will need to modify the value of the ELB idle timeout.
-Users need to ensure the idle timeout is less than the [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) that is configured for NGINX.
-By default NGINX `keepalive_timeout` is set to `75s`.
-
-The default ELB idle timeout will work for most scenarios, unless the NGINX [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) has been modified,
-in which case `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` will need to be modified to ensure it is less than the `keepalive_timeout` the user has configured.
-
-*Please Note: An idle timeout of `3600s` is recommended when using WebSockets.*
-
-More information with regards to idle timeouts for your Load Balancer can be found in the [official AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html).
-
-##### Network Load Balancer (NLB)
-
-This type of load balancer is supported since v1.10.0 as an ALPHA feature.
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml
-```
-
-#### GCE-GKE
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
-```
-
-**Important Note:** proxy protocol is not supported in GCE/GKE
-
-#### Azure
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
-```
-
-#### Bare-metal
-
-Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
-
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
-```
-
-!!! tip
-    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md).
-
-### Verify installation
-
-To check if the ingress controller pods have started, run the following command:
-
-```console
-kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
-```
-
-Once the operator pods are running, you can cancel the above command by typing `Ctrl+C`.
-Now, you are ready to create your first ingress.
-
-### Detect installed version
-
-To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller version` command.
-
-```console
-POD_NAMESPACE=ingress-nginx
-POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
-
-kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
-```
-
-## Using Helm
-
-NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx).
-Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm)
-
-To install the chart with the release name `my-nginx`:
-
-```console
-helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-helm install my-nginx ingress-nginx/ingress-nginx
-```
-
-Detect installed version:
-
-```console
-POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
-kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
-```

docs/ingress/kube-vip.md

@@ -63,6 +63,8 @@ kube_vip_bgppeers:
 # kube_vip_bgp_peeraddress:
 # kube_vip_bgp_peerpass:
 # kube_vip_bgp_peeras:
+# kube_vip_bgp_sourceip:
+# kube_vip_bgp_sourceif:
 ```
 
 If using [control plane load-balancing](https://kube-vip.io/docs/about/architecture/#control-plane-load-balancing):

docs/operating_systems/rhel.md

@@ -6,9 +6,9 @@ The documentation also applies to Red Hat derivatives, including Alma Linux, Roc
 
 The content of this section does not apply to open-source derivatives.
 
-In order to install packages via yum or dnf, RHEL 7/8 hosts are required to be registered for a valid Red Hat support subscription.
+In order to install packages via yum or dnf, RHEL hosts are required to be registered for a valid Red Hat support subscription.
 
-You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL 7/8 hosts provisioned in Production environments.
+You can apply for a 1-year Development support subscription by creating a [Red Hat Developers](https://developers.redhat.com/) account. Be aware though that as the Red Hat Developers subscription is limited to only 1 year, it should not be used to register RHEL hosts provisioned in Production environments.
 
 Once you have a Red Hat support account, simply add the credentials to the Ansible inventory parameters `rh_subscription_username` and `rh_subscription_password` prior to deploying Kubespray. If your company has a Corporate Red Hat support account, then obtain an **Organization ID** and **Activation Key**, and add these to the Ansible inventory parameters `rh_subscription_org_id` and `rh_subscription_activation_key` instead of using your Red Hat support account credentials.
 
@@ -29,15 +29,7 @@ rh_subscription_role: "Red Hat Enterprise Server"
 rh_subscription_sla: "Self-Support"
 ```
 
-If the RHEL 8/9 hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
-
-## RHEL 8
-
-If you have containers that are using iptables in the host network namespace (`hostNetwork=true`),
-you need to ensure they are using iptables-nft.
-An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)
-
-The kernel version is lower than the kubernetes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
+If the RHEL hosts are already registered to a valid Red Hat support subscription via an alternative configuration management approach prior to the deployment of Kubespray, the successful RHEL `subscription-manager` status check will simply result in the RHEL subscription registration tasks being skipped.
 
 ## Rocky Linux 10
 

docs/operations/etcd.md

@@ -32,12 +32,12 @@ etcd_metrics_service_labels:
   k8s-app: etcd
   app.kubernetes.io/managed-by: Kubespray
   app: kube-prometheus-stack-kube-etcd
-  release: prometheus-stack
+  release: kube-prometheus-stack
 ```
 
 The last two labels in the above example allows to scrape the metrics from the
 [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
-chart with the following Helm `values.yaml` :
+chart when it is installed with the release name `kube-prometheus-stack` and the following Helm `values.yaml`:
 
 ```yaml
 kubeEtcd:
@@ -45,8 +45,22 @@ kubeEtcd:
     enabled: false
 ```
 
-To fully override metrics exposition urls, define it in the inventory with:
+If your Helm release name is different, adjust the `release` label accordingly.
+
+To fully override metrics exposition URLs, define it in the inventory with:
 
 ```yaml
 etcd_listen_metrics_urls: "http://0.0.0.0:2381"
 ```
+
+If you choose to expose metrics on specific node IPs (for example `10.141.4.22`, `10.141.4.23`, `10.141.4.24`) in `etcd_listen_metrics_urls`,
+you can configure kube-prometheus-stack to scrape those endpoints directly with:
+
+```yaml
+kubeEtcd:
+  enabled: true
+  endpoints:
+    - 10.141.4.22
+    - 10.141.4.23
+    - 10.141.4.24
+```

docs/operations/hardening.md

@@ -100,8 +100,6 @@ kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
 kubelet_seccomp_default: true
 kubelet_systemd_hardening: true
-# To disable kubelet's staticPodPath (for nodes that don't use static pods like worker nodes)
-kubelet_static_pod_path: ""
 # In case you have multiple interfaces in your
 # control plane nodes and you want to specify the right
 # IP addresses, kubelet_secure_addresses allows you

docs/operations/offline-environment.md

@@ -85,7 +85,7 @@ crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-v{{ crictl_ve
 # If using Calico
 calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # If using Calico with kdd
-calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_version }}.tar.gz"
+calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
 # Containerd
 containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
 runc_download_url: "{{ files_repo }}/runc.{{ image_arch }}"

galaxy.yml

@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.30.1
+version: 2.31.0
 readme: README.md
 authors:
   - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)

inventory/sample/group_vars/all/offline.yml

@@ -44,7 +44,7 @@
 # [Optional] Calico: If using Calico network plugin
 # calicoctl_download_url: "{{ files_repo }}/github.com/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
-# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
+# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/raw/v{{ calico_version }}/manifests/crds.yaml"
 
 # [Optional] Cilium: If using Cilium network plugin
 # ciliumcli_download_url: "{{ files_repo }}/github.com/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"

inventory/sample/group_vars/k8s_cluster/addons.yml

@@ -1,8 +1,4 @@
 ---
-# Kubernetes dashboard
-# RBAC required. see docs/getting-started.md for access details.
-# dashboard_enabled: false
-
 # Helm deployment
 helm_enabled: false
 
@@ -67,39 +63,6 @@ local_volume_provisioner_enabled: false
 # Gateway API CRDs
 gateway_api_enabled: false
 
-# Nginx ingress controller deployment
-ingress_nginx_enabled: false
-# ingress_nginx_host_network: false
-# ingress_nginx_service_type: LoadBalancer
-# ingress_nginx_service_annotations:
-#   example.io/loadbalancerIPs: 1.2.3.4
-# ingress_nginx_service_nodeport_http: 30080
-# ingress_nginx_service_nodeport_https: 30081
-ingress_publish_status_address: ""
-# ingress_nginx_nodeselector:
-#   kubernetes.io/os: "linux"
-# ingress_nginx_tolerations:
-#   - key: "node-role.kubernetes.io/control-plane"
-#     operator: "Equal"
-#     value: ""
-#     effect: "NoSchedule"
-# ingress_nginx_namespace: "ingress-nginx"
-# ingress_nginx_insecure_port: 80
-# ingress_nginx_secure_port: 443
-# ingress_nginx_configmap:
-#   map-hash-bucket-size: "128"
-#   ssl-protocols: "TLSv1.2 TLSv1.3"
-# ingress_nginx_configmap_tcp_services:
-#   9000: "default/example-go:8080"
-# ingress_nginx_configmap_udp_services:
-#   53: "kube-system/coredns:53"
-# ingress_nginx_extra_args:
-#   - --default-ssl-certificate=default/foo-tls
-# ingress_nginx_termination_grace_period_seconds: 300
-# ingress_nginx_class: nginx
-# ingress_nginx_without_class: true
-# ingress_nginx_default: false
-
 # ALB ingress controller deployment
 ingress_alb_enabled: false
 # alb_ingress_aws_region: "us-east-1"
@@ -236,6 +199,8 @@ kube_vip_enabled: false
 # kube_vip_leasename: plndr-cp-lock
 # kube_vip_enable_node_labeling: false
 # kube_vip_lb_fwdmethod: local
+# kube_vip_bgp_sourceip:
+# kube_vip_bgp_sourceif:
 
 # Node Feature Discovery
 node_feature_discovery_enabled: false

inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

@@ -361,8 +361,6 @@ cilium_l2announcements: false
 # -- Enable the use of well-known identities.
 # cilium_enable_well_known_identities: false
 
-# cilium_enable_bpf_clock_probe: true
-
 # -- Whether to enable CNP status updates.
 # cilium_disable_cnp_status_updates: true
 

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.17.3"
+requires_ansible: ">=2.18.0,<2.19.0"

pipeline.Dockerfile

@@ -1,5 +1,5 @@
-# Use immutable image tags rather than mutable tags (like ubuntu:22.04)
-FROM ubuntu:jammy-20230308
+# Use immutable image tags rather than mutable tags (like ubuntu:24.04)
+FROM ubuntu:noble-20260113@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b
 # Some tools like yamllint need this
 # Pip needs this as well at the moment to install ansible
 # (and potentially other packages)
@@ -27,14 +27,14 @@ RUN apt update -q \
          ca-certificates \
          curl \
          gnupg2 \
-         software-properties-common \
          unzip \
          libvirt-clients \
          qemu-utils \
          qemu-kvm \
          dnsmasq \
-    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
-    && add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
+        && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
+        && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+            $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | tee /etc/apt/sources.list.d/docker.list \
     && apt update -q \
     && apt install --no-install-recommends -yq docker-ce \
     && apt autoremove -yqq --purge && apt clean && rm -rf /var/lib/apt/lists/* /var/log/*
@@ -44,11 +44,10 @@ ADD ./requirements.txt  /kubespray/requirements.txt
 ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
 
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
-    && pip install --no-compile --no-cache-dir pip -U \
-    && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
-    && pip install --no-compile --no-cache-dir -r requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.34.5/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.34.5/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && pip install --break-system-packages --ignore-installed --no-compile --no-cache-dir pip -U \
+    && pip install --break-system-packages --no-compile --no-cache-dir -r tests/requirements.txt \
+    && curl -L https://dl.k8s.io/release/v1.35.3/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.35.3/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl \
     # Install Vagrant
     && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
@@ -56,5 +55,5 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && rm vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \
     && vagrant plugin install vagrant-libvirt \
     # Install Kubernetes collections
-    && pip install --no-compile --no-cache-dir kubernetes \
+    && pip install --break-system-packages --no-compile --no-cache-dir kubernetes \
     && ansible-galaxy collection install kubernetes.core

playbooks/ansible_version.yml

@@ -5,8 +5,8 @@
   become: false
   run_once: true
   vars:
-    minimal_ansible_version: 2.17.3
-    maximal_ansible_version: 2.18.0
+    minimal_ansible_version: 2.18.0
+    maximal_ansible_version: 2.19.0
   tags: always
   tasks:
     - name: "Check {{ minimal_ansible_version }} <= Ansible version < {{ maximal_ansible_version }}"

requirements.txt

@@ -1,6 +1,6 @@
-ansible==10.7.0
+ansible==11.13.0
 # Needed for community.crypto module
-cryptography==46.0.3
+cryptography==46.0.5
 # Needed for jinja2 json_query templating
 jmespath==1.1.0
 # Needed for ansible.utils.ipaddr

roles/bastion-ssh-config/defaults/main.yml

@@ -1,2 +1,2 @@
 ---
-ssh_bastion_confing__name: ssh-bastion.conf
+ssh_bastion_config_name: ssh-bastion.conf

roles/bastion-ssh-config/molecule/default/converge.yml

@@ -8,8 +8,8 @@
   tasks:
     - name: Copy config to remote host
       copy:
-        src: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
-        dest: "{{ ssh_bastion_confing__name }}"
+        src: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
+        dest: "{{ ssh_bastion_config_name }}"
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
         mode: "0644"

roles/bastion-ssh-config/tasks/main.yml

@@ -17,6 +17,6 @@
   delegate_to: localhost
   connection: local
   template:
-    src: "{{ ssh_bastion_confing__name }}.j2"
-    dest: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
+    src: "{{ ssh_bastion_config_name }}.j2"
+    dest: "{{ playbook_dir }}/{{ ssh_bastion_config_name }}"
     mode: "0640"

roles/bootstrap_os/defaults/main.yml

@@ -12,6 +12,10 @@ coreos_locksmithd_disable: false
 # Install epel repo on Centos/RHEL
 epel_enabled: false
 
+## openEuler specific variables
+# Enable metalink for openEuler repos (auto-selects fastest mirror by location)
+openeuler_metalink_enabled: false
+
 ## Oracle Linux specific variables
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true

roles/bootstrap_os/tasks/openEuler.yml

@@ -1,3 +1,43 @@
 ---
-- name: Import Centos boostrap for openEuler
-  import_tasks: centos.yml
+- name: Import CentOS bootstrap for openEuler
+  ansible.builtin.import_tasks: centos.yml
+
+- name: Get existing openEuler repo sections
+  ansible.builtin.shell:
+    cmd: "set -o pipefail && grep '^\\[' /etc/yum.repos.d/openEuler.repo | tr -d '[]'"
+    executable: /bin/bash
+  register: _openeuler_repo_sections
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  become: true
+  when: openeuler_metalink_enabled
+
+- name: Enable metalink for openEuler repos
+  community.general.ini_file:
+    path: /etc/yum.repos.d/openEuler.repo
+    section: "{{ item.key }}"
+    option: metalink
+    value: "{{ item.value }}"
+    no_extra_spaces: true
+    mode: "0644"
+  loop: "{{ _openeuler_metalink_repos | dict2items | selectattr('key', 'in', _openeuler_repo_sections.stdout_lines | default([])) }}"
+  become: true
+  when: openeuler_metalink_enabled
+  register: _openeuler_metalink_result
+  vars:
+    _openeuler_metalink_repos:
+      OS: "https://mirrors.openeuler.org/metalink?repo=$releasever/OS&arch=$basearch"
+      everything: "https://mirrors.openeuler.org/metalink?repo=$releasever/everything&arch=$basearch"
+      EPOL: "https://mirrors.openeuler.org/metalink?repo=$releasever/EPOL/main&arch=$basearch"
+      debuginfo: "https://mirrors.openeuler.org/metalink?repo=$releasever/debuginfo&arch=$basearch"
+      source: "https://mirrors.openeuler.org/metalink?repo=$releasever&arch=source"
+      update: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=$basearch"
+      update-source: "https://mirrors.openeuler.org/metalink?repo=$releasever/update&arch=source"
+
+- name: Clean dnf cache to apply metalink mirror selection
+  ansible.builtin.command: dnf clean all
+  become: true
+  when:
+    - openeuler_metalink_enabled
+    - _openeuler_metalink_result.changed

roles/container-engine/cri-dockerd/handlers/main.yml

@@ -6,12 +6,6 @@
     masked: false
   listen: Restart and enable cri-dockerd
 
-- name: Cri-dockerd | restart docker.service
-  service:
-    name: docker.service
-    state: restarted
-  listen: Restart and enable cri-dockerd
-
 - name: Cri-dockerd | reload cri-dockerd.socket
   service:
     name: cri-dockerd.socket

roles/container-engine/docker/tasks/main.yml

@@ -55,7 +55,7 @@
   register: keyserver_task_result
   until: keyserver_task_result is succeeded
   retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
+  delay: "{{ retry_stagger }}"
   with_items: "{{ docker_repo_key_info.repo_keys }}"
   environment: "{{ proxy_env }}"
   when: ansible_pkg_mgr == 'apt'
@@ -128,7 +128,7 @@
   register: docker_task_result
   until: docker_task_result is succeeded
   retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
+  delay: "{{ retry_stagger }}"
   notify: Restart docker
   when:
     - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]

roles/container-engine/docker/templates/docker.service.j2

@@ -30,7 +30,7 @@ LimitCORE=infinity
 TimeoutStartSec=1min
 # restart the docker process if it exits prematurely
 Restart=on-failure
-StartLimitBurst=3
+StartLimitBurst=10
 StartLimitInterval=60s
 # Set the cgroup slice of the service so that kube reserved takes effect
 {% if kube_reserved is defined and kube_reserved|bool %}

roles/container-engine/meta/main.yml

@@ -1,58 +0,0 @@
-# noqa role-name - this is a meta role that doesn't need a name
----
-dependencies:
-  - role: container-engine/validate-container-engine
-    tags:
-      - container-engine
-      - validate-container-engine
-
-  - role: container-engine/kata-containers
-    when:
-      - kata_containers_enabled
-    tags:
-      - container-engine
-      - kata-containers
-
-  - role: container-engine/gvisor
-    when:
-      - gvisor_enabled
-      - container_manager in ['docker', 'containerd']
-    tags:
-      - container-engine
-      - gvisor
-
-  - role: container-engine/crun
-    when:
-      - crun_enabled
-    tags:
-      - container-engine
-      - crun
-
-  - role: container-engine/youki
-    when:
-      - youki_enabled
-      - container_manager == 'crio'
-    tags:
-      - container-engine
-      - youki
-
-  - role: container-engine/cri-o
-    when:
-      - container_manager == 'crio'
-    tags:
-      - container-engine
-      - crio
-
-  - role: container-engine/containerd
-    when:
-      - container_manager == 'containerd'
-    tags:
-      - container-engine
-      - containerd
-
-  - role: container-engine/cri-dockerd
-    when:
-      - container_manager == 'docker'
-    tags:
-      - container-engine
-      - docker

roles/container-engine/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+- name: Validate container engine
+  import_role:
+    name: container-engine/validate-container-engine
+  tags:
+    - container-engine
+    - validate-container-engine
+
+- name: Container runtimes
+  include_role:
+    name: "container-engine/{{ item.role }}"
+    apply:
+      tags:
+        - container-engine
+        - "{{ item.role }}"
+  loop:
+    - { role: 'kata-containers', enabled: "{{ kata_containers_enabled }}" }
+    - { role: 'gvisor', enabled: "{{ gvisor_enabled and container_manager in ['docker', 'containerd'] }}" }
+    - { role: 'crun', enabled: "{{ crun_enabled }}" }
+    - { role: 'youki', enabled: "{{ youki_enabled and container_manager == 'crio' }}" }
+  # TODO: Technically, this is more container-runtime than engine
+  when: item.enabled
+  tags:
+    - container-engine
+    - kata-containers
+    - gvisor
+    - crun
+    - youki
+
+- name: Container Manager
+  vars:
+    container_manager_role:
+      crio: cri-o
+      docker: cri-dockerd
+      containerd: containerd
+  include_role:
+    name: "container-engine/{{ container_manager_role[container_manager] }}"
+    apply:
+      tags:
+        - container-engine
+        - crio
+        - docker
+        - containerd
+  tags:
+    - container-engine
+    - crio
+    - docker
+    - containerd

roles/download/templates/kubeadm-images.yaml.j2

@@ -1,9 +1,9 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: InitConfiguration
 nodeRegistration:
   criSocket: {{ cri_socket }}
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 imageRepository: {{ kubeadm_image_repo }}
 kubernetesVersion: v{{ kube_version }}

roles/etcd/handlers/backup.yml

@@ -34,6 +34,7 @@
   when:
     - etcd_data_dir_member.stat.exists
     - etcd_cluster_is_healthy.rc == 0
+    - etcd_version is version('3.6.0', '<')
   command: >-
     {{ bin_dir }}/etcdctl backup
       --data-dir {{ etcd_data_dir }}

roles/etcd/tasks/clean_v2_store.yml

@@ -0,0 +1,43 @@
+---
+# When upgrading from etcd 3.5 to 3.6, need to clean up v2 store before upgrading.
+# Without this, etcd 3.6 will crash with following error:
+#   "panic: detected disallowed v2 WAL for stage --v2-deprecation=write-only [recovered]"
+- name: Cleanup v2 store when upgrade etcd from <3.6 to >=3.6
+  when:
+    - etcd_cluster_setup
+    - etcd_current_version != ''
+    - etcd_current_version is version('3.6.0', '<')
+    - etcd_version is version('3.6.0', '>=')
+  block:
+    - name: Ensure etcd version is >=3.5.26
+      when:
+        - etcd_current_version is version('3.5.26', '<')
+      fail:
+        msg: "You need to upgrade etcd to 3.5.26 or later before upgrade to 3.6. Current version is {{ etcd_current_version }}."
+
+    # Workarounds:
+    # Disable --enable-v2 (recommended in 20289) and do workaround of 20231 (MAX_WALS=1 and SNAPSHOT_COUNT=1)
+    # - https://github.com/etcd-io/etcd/issues/20809
+    # - https://github.com/etcd-io/etcd/discussions/20231#discussioncomment-13958051
+    - name: Change etcd configuration temporally to limit number of WALs and snapshots to clean up v2 store
+      ansible.builtin.lineinfile:
+        path: /etc/etcd.env
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+      loop:
+        - { regexp: '^ETCD_SNAPSHOT_COUNT=', line: 'ETCD_SNAPSHOT_COUNT=1' }
+        - { regexp: '^ETCD_MAX_WALS=', line: 'ETCD_MAX_WALS=1' }
+        - { regexp: '^ETCD_MAX_SNAPSHOTS=', line: 'ETCD_MAX_SNAPSHOTS=1' }
+        - { regexp: '^ETCD_ENABLE_V2=', line: 'ETCD_ENABLE_V2=false' }
+
+    # Restart etcd to apply temporal configuration and prevent some upgrade failures
+    # See also: https://etcd.io/blog/2025/upgrade_from_3.5_to_3.6_issue_followup/
+    - name: Stop etcd
+      service:
+        name: etcd
+        state: stopped
+
+    - name: Start etcd
+      service:
+        name: etcd
+        state: started

roles/etcd/tasks/install_docker.yml

@@ -23,6 +23,14 @@
     - etcd_events_cluster_setup
     - etcd_image_tag not in etcd_events_current_docker_image.stdout | default('')
 
+- name: Get currently-deployed etcd version as x.y.z format
+  set_fact:
+    etcd_current_version: "{{ (etcd_current_docker_image.stdout | regex_search('.*:v([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
+  when: etcd_cluster_setup
+
+- name: Cleanup v2 store data
+  import_tasks: clean_v2_store.yml
+
 - name: Install etcd launch script
   template:
     src: etcd.j2

roles/etcd/tasks/install_host.yml

@@ -21,6 +21,14 @@
     - etcd_events_cluster_setup
     - etcd_version not in etcd_current_host_version.stdout | default('')
 
+- name: Get currently-deployed etcd version as x.y.z format
+  set_fact:
+    etcd_current_version: "{{ (etcd_current_host_version.stdout | regex_search('etcd Version: ([0-9]+\\.[0-9]+\\.[0-9]+)', '\\1'))[0] | default('') }}"
+  when: etcd_cluster_setup
+
+- name: Cleanup v2 store data
+  import_tasks: clean_v2_store.yml
+
 - name: Install | Copy etcd binary from download dir
   copy:
     src: "{{ local_release_dir }}/etcd-v{{ etcd_version }}-linux-{{ host_architecture }}/{{ item }}"

roles/etcd/tasks/main.yml

@@ -53,6 +53,12 @@
     - control-plane
     - network
 
+- name: Install etcd
+  include_tasks: "install_{{ etcd_deployment_type }}.yml"
+  when: ('etcd' in group_names)
+  tags:
+    - upgrade
+
 - name: Install etcdctl and etcdutl binary
   import_role:
     name: etcdctl_etcdutl
@@ -64,12 +70,6 @@
     - ('etcd' in group_names)
     - etcd_cluster_setup
 
-- name: Install etcd
-  include_tasks: "install_{{ etcd_deployment_type }}.yml"
-  when: ('etcd' in group_names)
-  tags:
-    - upgrade
-
 - name: Configure etcd
   include_tasks: configure.yml
   when: ('etcd' in group_names)

roles/etcd/templates/etcd.env.j2

@@ -25,8 +25,6 @@ ETCD_MAX_REQUEST_BYTES={{ etcd_max_request_bytes }}
 ETCD_LOG_LEVEL={{ etcd_log_level }}
 ETCD_MAX_SNAPSHOTS={{ etcd_max_snapshots }}
 ETCD_MAX_WALS={{ etcd_max_wals }}
-# Flannel need etcd v2 API
-ETCD_ENABLE_V2=true
 
 # TLS settings
 ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem

roles/kubernetes-apps/ansible/defaults/main.yml

@@ -11,6 +11,7 @@ dns_nodes_per_replica: 16
 dns_cores_per_replica: 256
 dns_prevent_single_point_failure: "{{ 'true' if dns_min_replicas | int > 1 else 'false' }}"
 enable_coredns_reverse_dns_lookups: true
+coredns_svc_name: "coredns"
 coredns_ordinal_suffix: ""
 # dns_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
 coredns_affinity:
@@ -87,60 +88,5 @@ dns_autoscaler_affinity: {}
 #   app: kube-prometheus-stack-kube-etcd
 #   release: prometheus-stack
 
-# Netchecker
-deploy_netchecker: false
-netchecker_port: 31081
-agent_report_interval: 15
-netcheck_namespace: default
-
-# Limits for netchecker apps
-netchecker_agent_cpu_limit: 30m
-netchecker_agent_memory_limit: 100M
-netchecker_agent_cpu_requests: 15m
-netchecker_agent_memory_requests: 64M
-netchecker_server_cpu_limit: 100m
-netchecker_server_memory_limit: 256M
-netchecker_server_cpu_requests: 50m
-netchecker_server_memory_requests: 64M
-netchecker_etcd_cpu_limit: 200m
-netchecker_etcd_memory_limit: 256M
-netchecker_etcd_cpu_requests: 100m
-netchecker_etcd_memory_requests: 128M
-
-# SecurityContext (user/group)
-netchecker_agent_user: 1000
-netchecker_server_user: 1000
-netchecker_agent_group: 1000
-netchecker_server_group: 1000
-
-# Log levels
-netchecker_agent_log_level: 5
-netchecker_server_log_level: 5
-netchecker_etcd_log_level: info
-
-# Dashboard
-dashboard_replicas: 1
-
-# Namespace for dashboard
-dashboard_namespace: kube-system
-
-# Limits for dashboard
-dashboard_cpu_limit: 100m
-dashboard_memory_limit: 256M
-dashboard_cpu_requests: 50m
-dashboard_memory_requests: 64M
-
-# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
-# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
-dashboard_use_custom_certs: false
-dashboard_certs_secret_name: kubernetes-dashboard-certs
-dashboard_tls_key_file: dashboard.key
-dashboard_tls_cert_file: dashboard.crt
-dashboard_master_toleration: true
-
-# Override dashboard default settings
-dashboard_token_ttl: 900
-dashboard_skip_login: false
-
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]

roles/kubernetes-apps/ansible/tasks/main.yml

@@ -87,37 +87,3 @@
   when: etcd_metrics_port is defined and etcd_metrics_service_labels is defined
   tags:
     - etcd_metrics
-
-- name: Kubernetes Apps | Netchecker
-  command:
-    cmd: "{{ kubectl_apply_stdin }}"
-    stdin: "{{ lookup('template', item) }}"
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  vars:
-    k8s_namespace: "{{ netcheck_namespace }}"
-  when: deploy_netchecker
-  tags:
-    - netchecker
-  loop:
-    - netchecker-ns.yml.j2
-    - netchecker-agent-sa.yml.j2
-    - netchecker-agent-ds.yml.j2
-    - netchecker-agent-hostnet-ds.yml.j2
-    - netchecker-server-sa.yml.j2
-    - netchecker-server-clusterrole.yml.j2
-    - netchecker-server-clusterrolebinding.yml.j2
-    - netchecker-server-deployment.yml.j2
-    - netchecker-server-svc.yml.j2
-
-- name: Kubernetes Apps | Dashboard
-  command:
-    cmd: "{{ kubectl_apply_stdin }}"
-    stdin: "{{ lookup('template', 'dashboard.yml.j2') }}"
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  vars:
-    k8s_namespace: "{{ dashboard_namespace }}"
-  when: dashboard_enabled
-  tags:
-    - dashboard

roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: coredns{{ coredns_ordinal_suffix }}
+  name: {{ coredns_svc_name }}{{ coredns_ordinal_suffix }}
   namespace: kube-system
   labels:
     k8s-app: kube-dns{{ coredns_ordinal_suffix }}

roles/kubernetes-apps/ansible/templates/dashboard.yml.j2

@@ -1,323 +0,0 @@
-# Copyright 2017 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Configuration to deploy release version of the Dashboard UI compatible with
-# Kubernetes 1.8.
-#
-# Example usage: kubectl create -f <this_file>
-
-{% if k8s_namespace != 'kube-system' %}
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ k8s_namespace }}
-  labels:
-    name: {{ k8s_namespace }}
-{% endif %}
----
-# ------------------- Dashboard Secrets ------------------- #
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-certs
-type: Opaque
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-csrf
-type: Opaque
-data:
-  csrf: ""
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-key-holder
-type: Opaque
-
----
-# ------------------- Dashboard ConfigMap ------------------- #
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard-settings
-
----
-# ------------------- Dashboard Service Account ------------------- #
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-
----
-# ------------------- Dashboard Role & Role Binding ------------------- #
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-rules:
-  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
-    verbs: ["get", "update", "delete"]
-    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["kubernetes-dashboard-settings"]
-    verbs: ["get", "update"]
-    # Allow Dashboard to get metrics.
-  - apiGroups: [""]
-    resources: ["services"]
-    resourceNames: ["heapster", "dashboard-metrics-scraper"]
-    verbs: ["proxy"]
-  - apiGroups: [""]
-    resources: ["services/proxy"]
-    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
-    verbs: ["get"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kubernetes-dashboard
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard
-    namespace: {{ k8s_namespace }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubernetes-dashboard
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard
-    namespace: {{ k8s_namespace }}
-
----
-# ------------------- Dashboard Deployment ------------------- #
-
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-spec:
-  replicas: {{ dashboard_replicas }}
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      k8s-app: kubernetes-dashboard
-  template:
-    metadata:
-      labels:
-        k8s-app: kubernetes-dashboard
-    spec:
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      priorityClassName: system-cluster-critical
-      containers:
-        - name: kubernetes-dashboard
-          image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          resources:
-            limits:
-              cpu: {{ dashboard_cpu_limit }}
-              memory: {{ dashboard_memory_limit }}
-            requests:
-              cpu: {{ dashboard_cpu_requests }}
-              memory: {{ dashboard_memory_requests }}
-          ports:
-            - containerPort: 8443
-              protocol: TCP
-          args:
-            - --namespace={{ k8s_namespace }}
-{% if dashboard_use_custom_certs %}
-            - --tls-key-file={{ dashboard_tls_key_file }}
-            - --tls-cert-file={{ dashboard_tls_cert_file }}
-{% else %}
-            - --auto-generate-certificates
-{% endif %}
-{% if dashboard_skip_login %}
-            - --enable-skip-login
-{% endif %}
-            - --authentication-mode=token
-            # Uncomment the following line to manually specify Kubernetes API server Host
-            # If not specified, Dashboard will attempt to auto discover the API server and connect
-            # to it. Uncomment only if the default does not work.
-            # - --apiserver-host=http://my-address:port
-            - --token-ttl={{ dashboard_token_ttl }}
-          volumeMounts:
-            - name: kubernetes-dashboard-certs
-              mountPath: /certs
-              # Create on-disk volume to store exec logs
-            - mountPath: /tmp
-              name: tmp-volume
-          livenessProbe:
-            httpGet:
-              scheme: HTTPS
-              path: /
-              port: 8443
-            initialDelaySeconds: 30
-            timeoutSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsUser: 1001
-            runAsGroup: 2001
-      volumes:
-        - name: kubernetes-dashboard-certs
-          secret:
-            secretName: {{ dashboard_certs_secret_name }}
-        - name: tmp-volume
-          emptyDir: {}
-      serviceAccountName: kubernetes-dashboard
-{% if dashboard_master_toleration %}
-      tolerations:
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-{% endif %}
-
----
-# ------------------- Dashboard Service ------------------- #
-
-kind: Service
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-spec:
-  ports:
-    - port: 443
-      targetPort: 8443
-  selector:
-    k8s-app: kubernetes-dashboard
-
----
-# ------------------- Metrics Scraper Service Account ------------------- #
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-rules:
-  # Allow Metrics Scraper to get metrics from the Metrics server
-  - apiGroups: ["metrics.k8s.io"]
-    resources: ["pods", "nodes"]
-    verbs: ["get", "list", "watch"]
-
----
-
-# ------------------- Metrics Scraper Service  ------------------- #
-kind: Service
-apiVersion: v1
-metadata:
-  labels:
-    k8s-app: kubernetes-metrics-scraper
-  name: dashboard-metrics-scraper
-spec:
-  ports:
-    - port: 8000
-      targetPort: 8000
-  selector:
-    k8s-app: kubernetes-metrics-scraper
-
----
-
-# ------------------- Metrics Scraper Deployment  ------------------- #
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  labels:
-    k8s-app: kubernetes-metrics-scraper
-  name: kubernetes-metrics-scraper
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      k8s-app: kubernetes-metrics-scraper
-  template:
-    metadata:
-      labels:
-        k8s-app: kubernetes-metrics-scraper
-    spec:
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      priorityClassName: system-cluster-critical
-      containers:
-        - name: kubernetes-metrics-scraper
-          image: {{ dashboard_metrics_scraper_repo }}:{{ dashboard_metrics_scraper_tag }}
-          ports:
-            - containerPort: 8000
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              scheme: HTTP
-              path: /
-              port: 8000
-            initialDelaySeconds: 30
-            timeoutSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsUser: 1001
-            runAsGroup: 2001
-          volumeMounts:
-          - mountPath: /tmp
-            name: tmp-volume
-      serviceAccountName: kubernetes-dashboard
-      volumes:
-      - name: tmp-volume
-        emptyDir: {}
-{% if dashboard_master_toleration %}
-      tolerations:
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-{% endif %}

roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2

@@ -1,56 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app: netchecker-agent
-  name: netchecker-agent
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    matchLabels:
-      app: netchecker-agent
-  template:
-    metadata:
-      name: netchecker-agent
-      labels:
-        app: netchecker-agent
-    spec:
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      nodeSelector:
-        kubernetes.io/os: linux
-      containers:
-        - name: netchecker-agent
-          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: MY_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: MY_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          args:
-            - "-v={{ netchecker_agent_log_level }}"
-            - "-alsologtostderr=true"
-            - "-serverendpoint=netchecker-service:8081"
-            - "-reportinterval={{ agent_report_interval }}"
-          resources:
-            limits:
-              cpu: {{ netchecker_agent_cpu_limit }}
-              memory: {{ netchecker_agent_memory_limit }}
-            requests:
-              cpu: {{ netchecker_agent_cpu_requests }}
-              memory: {{ netchecker_agent_memory_requests }}
-          securityContext:
-            runAsUser: {{ netchecker_agent_user | default('0') }}
-            runAsGroup: {{ netchecker_agent_group | default('0') }}
-      serviceAccountName: netchecker-agent
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 100%
-    type: RollingUpdate

roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2

@@ -1,58 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app: netchecker-agent-hostnet
-  name: netchecker-agent-hostnet
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    matchLabels:
-      app: netchecker-agent-hostnet
-  template:
-    metadata:
-      name: netchecker-agent-hostnet
-      labels:
-        app: netchecker-agent-hostnet
-    spec:
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      nodeSelector:
-        kubernetes.io/os: linux
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      containers:
-        - name: netchecker-agent
-          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: MY_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: MY_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          args:
-            - "-v={{ netchecker_agent_log_level }}"
-            - "-alsologtostderr=true"
-            - "-serverendpoint=netchecker-service:8081"
-            - "-reportinterval={{ agent_report_interval }}"
-          resources:
-            limits:
-              cpu: {{ netchecker_agent_cpu_limit }}
-              memory: {{ netchecker_agent_memory_limit }}
-            requests:
-              cpu: {{ netchecker_agent_cpu_requests }}
-              memory: {{ netchecker_agent_memory_requests }}
-          securityContext:
-            runAsUser: {{ netchecker_agent_user | default('0') }}
-            runAsGroup: {{ netchecker_agent_group | default('0') }}
-      serviceAccountName: netchecker-agent
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 100%
-    type: RollingUpdate

roles/kubernetes-apps/ansible/templates/netchecker-agent-sa.yml.j2

@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netchecker-agent
-  namespace: {{ netcheck_namespace }}

roles/kubernetes-apps/ansible/templates/netchecker-ns.yml.j2

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: "{{ netcheck_namespace }}"
-  labels:
-    name: "{{ netcheck_namespace }}"

roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2

@@ -1,9 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["list", "get"]

roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2

@@ -1,13 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: netchecker-server
-    namespace: {{ netcheck_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: netchecker-server
-  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2

@@ -1,86 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}
-  labels:
-    app: netchecker-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: netchecker-server
-  template:
-    metadata:
-      name: netchecker-server
-      labels:
-        app: netchecker-server
-    spec:
-      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      volumes:
-        - name: etcd-data
-          emptyDir: {}
-      containers:
-        - name: netchecker-server
-          image: "{{ netcheck_server_image_repo }}:{{ netcheck_server_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          resources:
-            limits:
-              cpu: {{ netchecker_server_cpu_limit }}
-              memory: {{ netchecker_server_memory_limit }}
-            requests:
-              cpu: {{ netchecker_server_cpu_requests }}
-              memory: {{ netchecker_server_memory_requests }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ['ALL']
-            runAsUser: {{ netchecker_server_user | default('0') }}
-            runAsGroup: {{ netchecker_server_group | default('0') }}
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
-          ports:
-            - containerPort: 8081
-          args:
-            - -v={{ netchecker_server_log_level }}
-            - -logtostderr
-            - -kubeproxyinit=false
-            - -endpoint=0.0.0.0:8081
-            - -etcd-endpoints=http://127.0.0.1:2379
-        - name: etcd
-          image: "{{ etcd_image_repo }}:{{ netcheck_etcd_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          env:
-            - name: ETCD_LOG_LEVEL
-              value: "{{ netchecker_etcd_log_level }}"
-          command:
-            - etcd
-            - --listen-client-urls=http://127.0.0.1:2379
-            - --advertise-client-urls=http://127.0.0.1:2379
-            - --data-dir=/var/lib/etcd
-            - --enable-v2
-            - --force-new-cluster
-          volumeMounts:
-            - mountPath: /var/lib/etcd
-              name: etcd-data
-          resources:
-            limits:
-              cpu: {{ netchecker_etcd_cpu_limit }}
-              memory: {{ netchecker_etcd_memory_limit }}
-            requests:
-              cpu: {{ netchecker_etcd_cpu_requests }}
-              memory: {{ netchecker_etcd_memory_requests }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ['ALL']
-            runAsUser: {{ netchecker_server_user | default('0') }}
-            runAsGroup: {{ netchecker_server_group | default('0') }}
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-      serviceAccountName: netchecker-server

roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2

@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: netchecker-server
-  namespace: {{ netcheck_namespace }}

roles/kubernetes-apps/ansible/templates/netchecker-server-svc.yml.j2

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: netchecker-service
-  namespace: {{ netcheck_namespace }}
-spec:
-  selector:
-    app: netchecker-server
-  ports:
-    -
-      protocol: TCP
-      port: 8081
-      targetPort: 8081
-      nodePort: {{ netchecker_port }}
-  type: NodePort

roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2

@@ -45,7 +45,7 @@ data:
             force_tcp
         }
         prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_health_port }}
 {% if dns_etchosts | default(None) %}
         hosts /etc/coredns/hosts {
           fallthrough
@@ -132,7 +132,7 @@ data:
             force_tcp
         }
         prometheus {% if nodelocaldns_bind_metrics_host_ip %}{$MY_HOST_IP}{% endif %}:{{ nodelocaldns_secondary_prometheus_port }}
-        health {{ nodelocaldns_ip }}:{{ nodelocaldns_second_health_port }}
+        health {{ nodelocaldns_ip | ansible.utils.ipwrap }}:{{ nodelocaldns_second_health_port }}
 {% if dns_etchosts | default(None) %}
         hosts /etc/coredns/hosts {
           fallthrough

roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml

@@ -21,7 +21,7 @@ external_openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
 ##    arg1: "value1"
 ##    arg2: "value2"
 external_openstack_cloud_controller_extra_args: {}
-external_openstack_cloud_controller_image_tag: "v1.32.0"
+external_openstack_cloud_controller_image_tag: "v1.35.0"
 external_openstack_cloud_controller_bind_address: 127.0.0.1
 external_openstack_cloud_controller_dns_policy: ClusterFirst
 

roles/kubernetes-apps/external_provisioner/local_path_provisioner/defaults/main.yml

@@ -8,3 +8,4 @@ local_path_provisioner_is_default_storageclass: "true"
 local_path_provisioner_debug: false
 local_path_provisioner_helper_image_repo: "busybox"
 local_path_provisioner_helper_image_tag: "latest"
+local_path_provisioner_resources: {}

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2

@@ -35,6 +35,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+{% if local_path_provisioner_resources %}
+        resources:
+          {{ local_path_provisioner_resources | to_nice_yaml | indent(10) | trim }}
+{% endif %}
       volumes:
         - name: config-volume
           configMap:

roles/kubernetes-apps/ingress_controller/ingress_nginx/defaults/main.yml

@@ -1,28 +0,0 @@
----
-ingress_nginx_namespace: "ingress-nginx"
-ingress_nginx_host_network: false
-ingress_nginx_service_type: LoadBalancer
-ingress_nginx_service_nodeport_http: ""
-ingress_nginx_service_nodeport_https: ""
-ingress_nginx_service_annotations: {}
-ingress_publish_status_address: ""
-ingress_nginx_publish_service: "{{ ingress_nginx_namespace }}/ingress-nginx"
-ingress_nginx_nodeselector:
-  kubernetes.io/os: "linux"
-ingress_nginx_tolerations: []
-ingress_nginx_insecure_port: 80
-ingress_nginx_secure_port: 443
-ingress_nginx_metrics_port: 10254
-ingress_nginx_configmap: {}
-ingress_nginx_configmap_tcp_services: {}
-ingress_nginx_configmap_udp_services: {}
-ingress_nginx_extra_args: []
-ingress_nginx_termination_grace_period_seconds: 300
-ingress_nginx_class: nginx
-ingress_nginx_without_class: true
-ingress_nginx_default: false
-ingress_nginx_webhook_enabled: false
-ingress_nginx_webhook_job_ttl: 1800
-ingress_nginx_opentelemetry_enabled: false
-
-ingress_nginx_probe_initial_delay_seconds: 10

roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml

@@ -1,69 +0,0 @@
----
-
-- name: NGINX Ingress Controller | Create addon dir
-  file:
-    path: "{{ kube_config_dir }}/addons/ingress_nginx"
-    state: directory
-    owner: root
-    group: root
-    mode: "0755"
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
-
-- name: NGINX Ingress Controller | Templates list
-  set_fact:
-    ingress_nginx_templates:
-      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
-      - { name: cm-ingress-nginx, file: cm-ingress-nginx.yml, type: cm }
-      - { name: cm-tcp-services, file: cm-tcp-services.yml, type: cm }
-      - { name: cm-udp-services, file: cm-udp-services.yml, type: cm }
-      - { name: sa-ingress-nginx, file: sa-ingress-nginx.yml, type: sa }
-      - { name: clusterrole-ingress-nginx, file: clusterrole-ingress-nginx.yml, type: clusterrole }
-      - { name: clusterrolebinding-ingress-nginx, file: clusterrolebinding-ingress-nginx.yml, type: clusterrolebinding }
-      - { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
-      - { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
-      - { name: ingressclass-nginx, file: ingressclass-nginx.yml, type: ingressclass }
-      - { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
-    ingress_nginx_template_for_service:
-      - { name: svc-ingress-nginx, file: svc-ingress-nginx.yml, type: svc }
-    ingress_nginx_templates_for_webhook:
-      - { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
-      - { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
-      - { name: clusterrole-admission-webhook, file: clusterrole-admission-webhook.yml, type: clusterrole }
-      - { name: clusterrolebinding-admission-webhook, file: clusterrolebinding-admission-webhook.yml, type: clusterrolebinding }
-      - { name: role-admission-webhook, file: role-admission-webhook.yml, type: role }
-      - { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
-      - { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
-      - { name: svc-ingress-nginx-controller-admission, file: svc-ingress-nginx-controller-admission.yml, type: svc }
-
-- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Template list for service
-  set_fact:
-    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_template_for_service }}"
-  when: not ingress_nginx_host_network
-
-- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
-  set_fact:
-    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
-  when: ingress_nginx_webhook_enabled
-
-- name: NGINX Ingress Controller | Create manifests
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}"
-    mode: "0644"
-  with_items: "{{ ingress_nginx_templates }}"
-  register: ingress_nginx_manifests
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
-
-- name: NGINX Ingress Controller | Apply manifests
-  kube:
-    name: "{{ item.item.name }}"
-    namespace: "{{ ingress_nginx_namespace }}"
-    kubectl: "{{ bin_dir }}/kubectl"
-    resource: "{{ item.item.type }}"
-    filename: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.item.file }}"
-    state: "latest"
-  with_items: "{{ ingress_nginx_manifests.results }}"
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/00-namespace.yml.j2

@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ ingress_nginx_namespace }}
-  labels:
-    name: {{ ingress_nginx_namespace }}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-configuration.yml.j2

@@ -1,30 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx-admission
-webhooks:
-- admissionReviewVersions:
-  - v1
-  clientConfig:
-    service:
-      name: ingress-nginx-controller-admission
-      namespace: {{ ingress_nginx_namespace }}
-      path: /networking/v1/ingresses
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  name: validate.nginx.ingress.kubernetes.io
-  rules:
-  - apiGroups:
-    - networking.k8s.io
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - ingresses
-  sideEffects: None

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2

@@ -1,96 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx-admission-create
-  namespace: {{ ingress_nginx_namespace }}
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/part-of: ingress-nginx
-      name: ingress-nginx-admission-create
-    spec:
-      containers:
-      - args:
-        - create
-        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-        - --namespace=$(POD_NAMESPACE)
-        - --secret-name=ingress-nginx-admission
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
-        imagePullPolicy: {{ k8s_image_pull_policy }}
-        name: create
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsGroup: 65532
-          runAsNonRoot: true
-          runAsUser: 65532
-          seccompProfile:
-            type: RuntimeDefault
-      nodeSelector:
-        kubernetes.io/os: linux
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
-  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx-admission-patch
-  namespace: {{ ingress_nginx_namespace }}
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/part-of: ingress-nginx
-      name: ingress-nginx-admission-patch
-    spec:
-      containers:
-      - args:
-        - patch
-        - --webhook-name=ingress-nginx-admission
-        - --namespace=$(POD_NAMESPACE)
-        - --patch-mutating=false
-        - --secret-name=ingress-nginx-admission
-        - --patch-failure-policy=Fail
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
-        imagePullPolicy: {{ k8s_image_pull_policy }}
-        name: patch
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsGroup: 65532
-          runAsNonRoot: true
-          runAsUser: 65532
-          seccompProfile:
-            type: RuntimeDefault
-      nodeSelector:
-        kubernetes.io/os: linux
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
-  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-admission-webhook.yml.j2

@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx-admission
-rules:
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - update

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2

@@ -1,36 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-rules:
-  - apiGroups: [""]
-    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"]
-    verbs: ["list", "watch"]
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get"]
-  - apiGroups: [""]
-    resources: ["services"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses/status"]
-    verbs: ["update"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingressclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["list", "watch"]
-  - apiGroups: ["discovery.k8s.io"]
-    resources: ["endpointslices"]
-    verbs: ["get", "list", "watch"]

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-admission-webhook.yml.j2

@@ -1,16 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx-admission
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: {{ ingress_nginx_namespace }}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrolebinding-ingress-nginx.yml.j2

@@ -1,16 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: {{ ingress_nginx_namespace }}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-ingress-nginx.yml.j2

@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ingress-nginx
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-{% if ingress_nginx_configmap %}
-data:
-  {{ ingress_nginx_configmap | to_nice_yaml | indent(2) }}
-{%- endif %}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-tcp-services.yml.j2

@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: tcp-services
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-{% if ingress_nginx_configmap_tcp_services %}
-data:
-  {{ ingress_nginx_configmap_tcp_services | to_nice_yaml | indent(2) }}
-{%- endif %}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/cm-udp-services.yml.j2

@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: udp-services
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-{% if ingress_nginx_configmap_udp_services %}
-data:
-  {{ ingress_nginx_configmap_udp_services | to_nice_yaml | indent(2) }}
-{%- endif %}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2

@@ -1,201 +0,0 @@
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: ingress-nginx-controller
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/part-of: ingress-nginx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/part-of: ingress-nginx
-      annotations:
-        prometheus.io/port: "10254"
-        prometheus.io/scrape: "true"
-    spec:
-      serviceAccountName: ingress-nginx
-      terminationGracePeriodSeconds: {{ ingress_nginx_termination_grace_period_seconds }}
-{% if ingress_nginx_opentelemetry_enabled %}
-      initContainers:
-      - name: opentelemetry
-        command:
-        - /init_module
-        image: {{ ingress_nginx_opentelemetry_image_repo }}:{{ ingress_nginx_opentelemetry_image_tag }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            add:
-            - NET_BIND_SERVICE
-            drop:
-            - ALL
-          readOnlyRootFilesystem: false
-          runAsGroup: 82
-          runAsNonRoot: true
-          runAsUser: 101
-          seccompProfile:
-            type: RuntimeDefault
-        volumeMounts:
-        - mountPath: /modules_mount
-          name: modules
-{% endif %}
-{% if ingress_nginx_host_network %}
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-{% endif %}
-{% if ingress_nginx_nodeselector %}
-      nodeSelector:
-        {{ ingress_nginx_nodeselector | to_nice_yaml | indent(width=8) }}
-{%- endif %}
-{% if ingress_nginx_tolerations %}
-      tolerations:
-        {{ ingress_nginx_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
-{% endif %}
-      priorityClassName: {% if ingress_nginx_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
-      containers:
-        - name: ingress-nginx-controller
-          image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }}
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx
-            - --election-id=ingress-controller-leader-{{ ingress_nginx_class }}
-            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
-            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
-            - --annotations-prefix=nginx.ingress.kubernetes.io
-            - --ingress-class={{ ingress_nginx_class }}
-{% if ingress_nginx_without_class %}
-            - --watch-ingress-without-class=true
-{% endif %}
-{% if ingress_publish_status_address != "" %}
-            - --publish-status-address={{ ingress_publish_status_address }}
-{% elif ingress_nginx_host_network %}
-            - --report-node-internal-ip-address
-{% elif ingress_nginx_publish_service != "" %}
-            - --publish-service={{ ingress_nginx_publish_service }}
-{% endif %}
-{% for extra_arg in ingress_nginx_extra_args %}
-            - {{ extra_arg }}
-{% endfor %}
-{% if ingress_nginx_webhook_enabled %}
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-{% endif %}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              add:
-              - NET_BIND_SERVICE
-              drop:
-              - ALL
-            readOnlyRootFilesystem: false
-            runAsGroup: 82
-            runAsNonRoot: true
-            runAsUser: 101
-            seccompProfile:
-              type: RuntimeDefault
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          ports:
-            - name: http
-              containerPort: 80
-              hostPort: {{ ingress_nginx_insecure_port }}
-            - name: https
-              containerPort: 443
-              hostPort: {{ ingress_nginx_secure_port }}
-            - name: metrics
-              containerPort: 10254
-{% if not ingress_nginx_host_network %}
-              hostPort: {{ ingress_nginx_metrics_port }}
-{% endif %}
-{% if ingress_nginx_configmap_tcp_services %}
-{% for port in ingress_nginx_configmap_tcp_services.keys() %}
-            - name: tcp-port-{{ port }}
-              containerPort: {{ port | int }}
-              protocol: TCP
-{% if not ingress_nginx_host_network %}
-              hostPort: {{ port | int }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if ingress_nginx_configmap_udp_services %}
-{% for port in ingress_nginx_configmap_udp_services.keys() %}
-            - name: udp-port-{{ port }}
-              containerPort: {{ port | int }}
-              protocol: UDP
-{% if not ingress_nginx_host_network %}
-              hostPort: {{ port | int }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if ingress_nginx_webhook_enabled %}
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-{% endif %}
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
-            periodSeconds: 10
-            timeoutSeconds: 5
-            successThreshold: 1
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }}
-            periodSeconds: 10
-            timeoutSeconds: 5
-            successThreshold: 1
-            failureThreshold: 3
-{% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
-          volumeMounts:
-{% if ingress_nginx_webhook_enabled %}
-            - mountPath: /usr/local/certificates/
-              name: webhook-cert
-              readOnly: true
-{% endif %}
-{% if ingress_nginx_opentelemetry_enabled %}
-            - name: modules
-              mountPath: /modules_mount
-{% endif %}
-{% endif %}
-{% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %}
-      volumes:
-{% if ingress_nginx_webhook_enabled %}
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
-{% endif %}
-{% if ingress_nginx_opentelemetry_enabled %}
-        - name: modules
-          emptyDir: {}
-{% endif %}
-{% endif %}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingressclass-nginx.yml.j2

@@ -1,13 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  name: {{ ingress_nginx_class }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-{% if ingress_nginx_default %}
-  annotations:
-    ingressclass.kubernetes.io/is-default-class: "true"
-{% endif %}
-spec:
-  controller: k8s.io/ingress-nginx

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-admission-webhook.yml.j2

@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx-admission
-  namespace: {{ ingress_nginx_namespace }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2

@@ -1,47 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-rules:
-  - apiGroups: [""]
-    resources: ["namespaces"]
-    verbs: ["get"]
-  - apiGroups: [""]
-    resources: ["configmaps", "pods", "secrets", "endpoints"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["services"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses/status"]
-    verbs: ["update"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingressclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    # Defaults to "<election-id>", defined in
-    # ds-ingress-nginx-controller.yml.js
-    # by a command-line argument.
-    #
-    # This is the correct behaviour for ingress-controller
-    # version 1.8.1
-    resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class }}"]
-    verbs: ["get", "update"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["create"]
-  - apiGroups: ["discovery.k8s.io"]
-    resources: ["endpointslices"]
-    verbs: ["get", "list", "watch"]

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-admission-webhook.yml.j2

@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx-admission
-  namespace: {{ ingress_nginx_namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-- kind: ServiceAccount
-  name: ingress-nginx-admission
-  namespace: {{ ingress_nginx_namespace }}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/rolebinding-ingress-nginx.yml.j2

@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: {{ ingress_nginx_namespace }}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-admission-webhook.yml.j2

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/sa-ingress-nginx.yml.j2

@@ -1,9 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx-controller-admission.yml.j2

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx-controller-admission
-  namespace: {{ ingress_nginx_namespace }}
-spec:
-  type: ClusterIP
-  ports:
-  - appProtocol: https
-    name: https-webhook
-    port: 443
-    targetPort: webhook
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/svc-ingress-nginx.yml.j2

@@ -1,50 +0,0 @@
-{% if not ingress_nginx_host_network %}
-apiVersion: v1
-kind: Service
-metadata:
-  name: ingress-nginx
-  namespace: {{ ingress_nginx_namespace }}
-  labels:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-{% if ingress_nginx_service_annotations %}
-  annotations:
-    {{ ingress_nginx_service_annotations | to_nice_yaml(indent=2, width=1337) | indent(width=4) }}
-{% endif %}
-spec:
-  type: {{ ingress_nginx_service_type }}
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-      protocol: TCP
-{% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_http %}
-      nodePort: {{ingress_nginx_service_nodeport_http | int}}
-{% endif %}
-    - name: https
-      port: 443
-      targetPort: 443
-      protocol: TCP
-{% if (ingress_nginx_service_type == 'NodePort' or ingress_nginx_service_type == 'LoadBalancer') and ingress_nginx_service_nodeport_https %}
-      nodePort: {{ingress_nginx_service_nodeport_https | int}}
-{% endif %}
-{% if ingress_nginx_configmap_tcp_services %}
-{% for port in ingress_nginx_configmap_tcp_services.keys() %}
-    - name: tcp-port-{{ port }}
-      port: {{ port | int }}
-      targetPort: {{ port | int }}
-      protocol: TCP
-{% endfor %}
-{% endif %}
-{% if ingress_nginx_configmap_udp_services %}
-{% for port in ingress_nginx_configmap_udp_services.keys() %}
-    - name: udp-port-{{ port }}
-      port: {{ port | int }}
-      targetPort: {{ port | int }}
-      protocol: UDP
-{% endfor %}
-{% endif %}
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-{% endif %}

roles/kubernetes-apps/ingress_controller/meta/main.yml

@@ -1,12 +1,5 @@
 ---
 dependencies:
-  - role: kubernetes-apps/ingress_controller/ingress_nginx
-    when: ingress_nginx_enabled
-    tags:
-      - apps
-      - ingress-controller
-      - ingress-nginx
-
   - role: kubernetes-apps/ingress_controller/cert_manager
     when: cert_manager_enabled
     tags:

roles/kubernetes-apps/node_feature_discovery/templates/nfd-clusterrole.yaml.j2

@@ -58,12 +58,6 @@ rules:
   verbs:
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - nodes/proxy
-  verbs:
-  - get
 - apiGroups:
   - topology.node.k8s.io
   resources:

roles/kubernetes-apps/registry/tasks/main.yml

@@ -43,12 +43,12 @@
       - { name: registry-cm, file: registry-cm.yml, type: cm }
       - { name: registry-rs, file: registry-rs.yml, type: rs }
 
-- name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled
+- name: Registry | Append ingress templates to Registry Templates list when ALB ingress enabled
   set_fact:
     registry_templates: "{{ registry_templates + [item] }}"
   with_items:
     - [{ name: registry-ing, file: registry-ing.yml, type: ing }]
-  when: ingress_nginx_enabled or ingress_alb_enabled
+  when: ingress_alb_enabled
 
 - name: Registry | Create manifests
   template:

roles/kubernetes-apps/snapshots/cinder-csi/templates/cinder-csi-snapshot-class.yml.j2

@@ -1,7 +1,7 @@
 {% for class in snapshot_classes %}
 ---
 kind: VolumeSnapshotClass
-apiVersion: snapshot.storage.k8s.io/v1beta1
+apiVersion: snapshot.storage.k8s.io/v1
 metadata:
   name: "{{ class.name }}"
   annotations:

roles/kubernetes/client/tasks/main.yml

@@ -26,7 +26,7 @@
     mode: "0700"
     state: directory
 
-- name: Copy admin kubeconfig to current/ansible become user home
+- name: Write admin kubeconfig to current/ansible become user home
   copy:
     src: "{{ kube_config_dir }}/admin.conf"
     dest: "{{ ansible_env.HOME | default('/root') }}/.kube/config"
@@ -51,41 +51,38 @@
     port: "{{ kube_apiserver_port }}"
     timeout: 180
 
-- name: Get admin kubeconfig from remote host
-  slurp:
-    src: "{{ kube_config_dir }}/admin.conf"
-  run_once: true
-  register: raw_admin_kubeconfig
+- name: Create kubeconfig localhost artifacts
   when: kubeconfig_localhost
+  block:
+    - name: Generate admin kubeconfig using kubeadm
+      command: >-
+        {{ bin_dir }}/kubeadm kubeconfig user
+        --client-name=kubernetes-admin-{{ cluster_name }}
+        --org=kubeadm:cluster-admins
+        --config {{ kube_config_dir }}/kubeadm-config.yaml
+      register: kubeadm_admin_kubeconfig
+      changed_when: false
+      run_once: true
+      delegate_to: "{{ groups['kube_control_plane'][0] }}"
 
-- name: Convert kubeconfig to YAML
-  set_fact:
-    admin_kubeconfig: "{{ raw_admin_kubeconfig.content | b64decode | from_yaml }}"
-  when: kubeconfig_localhost
-
-- name: Override username in kubeconfig
-  set_fact:
-    final_admin_kubeconfig: "{{ admin_kubeconfig | combine(override_cluster_name, recursive=true) | combine(override_context, recursive=true) | combine(override_user, recursive=true) }}"
-  vars:
-    cluster_infos: "{{ admin_kubeconfig['clusters'][0]['cluster'] }}"
-    user_certs: "{{ admin_kubeconfig['users'][0]['user'] }}"
-    username: "kubernetes-admin-{{ cluster_name }}"
-    context: "kubernetes-admin-{{ cluster_name }}@{{ cluster_name }}"
-    override_cluster_name: "{{ {'clusters': [{'cluster': (cluster_infos | combine({'server': 'https://' + (external_apiserver_address | ansible.utils.ipwrap) + ':' + (external_apiserver_port | string)})), 'name': cluster_name}]} }}"
-    override_context: "{{ {'contexts': [{'context': {'user': username, 'cluster': cluster_name}, 'name': context}], 'current-context': context} }}"
-    override_user: "{{ {'users': [{'name': username, 'user': user_certs}]} }}"
-  when: kubeconfig_localhost
-
-- name: Write admin kubeconfig on ansible host
-  copy:
-    content: "{{ final_admin_kubeconfig | to_nice_yaml(indent=2) }}"
-    dest: "{{ artifacts_dir }}/admin.conf"
-    mode: "0600"
-  delegate_to: localhost
-  connection: local
-  become: false
-  run_once: true
-  when: kubeconfig_localhost
+    - name: Write admin kubeconfig on ansible host
+      copy:
+        content: "{{ kubeadm_admin_kubeconfig.stdout | from_yaml | combine(override, recursive=true) | to_nice_yaml(indent=2) }}"
+        dest: "{{ artifacts_dir }}/admin.conf"
+        mode: "0600"
+      vars:
+        admin_kubeconfig: "{{ kubeadm_admin_kubeconfig.stdout | from_yaml }}"
+        context: "kubernetes-admin-{{ cluster_name }}@{{ cluster_name }}"
+        override:
+          clusters:
+            - "{{ admin_kubeconfig['clusters'][0] | combine({'name': cluster_name, 'cluster': admin_kubeconfig['clusters'][0]['cluster'] | combine({'server': 'https://' + (external_apiserver_address | ansible.utils.ipwrap) + ':' + (external_apiserver_port | string)})}, recursive=true) }}"
+          contexts:
+            - "{{ admin_kubeconfig['contexts'][0] | combine({'name': context, 'context': admin_kubeconfig['contexts'][0]['context'] | combine({'cluster': cluster_name})}, recursive=true) }}"
+          current-context: "{{ context }}"
+      delegate_to: localhost
+      connection: local
+      become: false
+      run_once: true
 
 - name: Copy kubectl binary to ansible host
   fetch:

roles/kubernetes/control-plane/tasks/kubeadm-fix-apiserver.yml

@@ -1,17 +0,0 @@
----
-
-- name: Update server field in component kubeconfigs
-  lineinfile:
-    dest: "{{ kube_config_dir }}/{{ item }}"
-    regexp: '^    server: https'
-    line: '    server: {{ kube_apiserver_endpoint }}'
-    backup: true
-  with_items:
-    - admin.conf
-    - controller-manager.conf
-    - kubelet.conf
-    - scheduler.conf
-  notify:
-    - "Control plane | Restart kube-controller-manager"
-    - "Control plane | Restart kube-scheduler"
-    - "Control plane | reload kubelet"

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -95,7 +95,7 @@
 
 - name: Kubeadm | Create kubeadm config
   template:
-    src: "kubeadm-config.{{ kubeadm_config_api_version }}.yaml.j2"
+    src: "kubeadm-config.v1beta4.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
     mode: "0640"
     validate: "{{ kubeadm_config_validate_enabled | ternary(bin_dir + '/kubeadm config validate --config %s', omit) }}"

roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml

@@ -2,44 +2,21 @@
 - name: Ensure kube-apiserver is up before upgrade
   import_tasks: check-api.yml
 
-  # kubeadm-config.v1beta4 with UpgradeConfiguration requires some values that were previously allowed as args to be specified in the config file
-  # TODO: Remove --skip-phases from command when v1beta4 UpgradeConfiguration supports skipPhases
 - name: Kubeadm | Upgrade first control plane node to {{ kube_version }}
   command: >-
     timeout -k 600s 600s
     {{ bin_dir }}/kubeadm upgrade apply -y v{{ kube_version }}
-    {%- if kubeadm_config_api_version == 'v1beta3' %}
-    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
-    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-    --allow-experimental-upgrades
-    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
-    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
-    --force
-    {%- else %}
     --config={{ kube_config_dir }}/kubeadm-config.yaml
-    {%- endif %}
-    {%- if kube_version is version('1.32.0', '>=') %}
-    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
-    {%- endif %}
   register: kubeadm_upgrade
   when: inventory_hostname == first_kube_control_plane
   failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
   environment:
     PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
 
-# TODO: When we retire kubeadm-config.v1beta3, remove --certificate-renewal, --ignore-preflight-errors, --etcd-upgrade, --patches, and --skip-phases from command, since v1beta4+ supports these in UpgradeConfiguration.node
 - name: Kubeadm | Upgrade other control plane nodes to {{ kube_version }}
   command: >-
     {{ bin_dir }}/kubeadm upgrade node
-    {%- if kubeadm_config_api_version == 'v1beta3' %}
-    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
-    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
-    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
-    {%- else %}
     --config={{ kube_config_dir }}/kubeadm-config.yaml
-    {%- endif %}
-    --skip-phases={{ kubeadm_upgrade_node_phases_skip | join(',') }}
   register: kubeadm_upgrade
   when: inventory_hostname != first_kube_control_plane
   failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr

roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml

@@ -1,18 +0,0 @@
----
-- name: Fixup kubelet client cert rotation 1/2
-  lineinfile:
-    path: "{{ kube_config_dir }}/kubelet.conf"
-    regexp: '^    client-certificate-data: '
-    line: '    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem'
-    backup: true
-  notify:
-    - "Control plane | reload kubelet"
-
-- name: Fixup kubelet client cert rotation 2/2
-  lineinfile:
-    path: "{{ kube_config_dir }}/kubelet.conf"
-    regexp: '^    client-key-data: '
-    line: '    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem'
-    backup: true
-  notify:
-    - "Control plane | reload kubelet"

roles/kubernetes/control-plane/tasks/main.yml

@@ -99,9 +99,6 @@
   include_tasks: kubeadm-etcd.yml
   when: etcd_deployment_type == "kubeadm"
 
-- name: Include kubeadm secondary server apiserver fixes
-  include_tasks: kubeadm-fix-apiserver.yml
-
 - name: Cleanup unused AuthorizationConfiguration file versions
   file:
     path: "{{ kube_config_dir }}/apiserver-authorization-config-{{ item }}.yaml"
@@ -109,10 +106,6 @@
   loop: "{{ ['v1alpha1', 'v1beta1', 'v1'] | reject('equalto', kube_apiserver_authorization_config_api_version) | list }}"
   when: kube_apiserver_use_authorization_config_file
 
-- name: Include kubelet client cert rotation fixes
-  include_tasks: kubelet-fix-client-cert-rotation.yml
-  when: kubelet_rotate_certificates
-
 - name: Install script to renew K8S control plane certificates
   template:
     src: k8s-certs-renew.sh.j2

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2

@@ -1,442 +0,0 @@
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: InitConfiguration
-{% if kubeadm_token is defined %}
-bootstrapTokens:
-- token: "{{ kubeadm_token }}"
-  description: "kubespray kubeadm bootstrap token"
-  ttl: "24h"
-{% endif %}
-localAPIEndpoint:
-  advertiseAddress: "{{ kube_apiserver_address }}"
-  bindPort: {{ kube_apiserver_port }}
-{% if kubeadm_certificate_key is defined %}
-certificateKey: {{ kubeadm_certificate_key }}
-{% endif %}
-nodeRegistration:
-{% if kube_override_hostname | default('') %}
-  name: "{{ kube_override_hostname }}"
-{% endif %}
-{% if 'kube_control_plane' in group_names and 'kube_node' not in group_names %}
-  taints:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/control-plane
-{% else %}
-  taints: []
-{% endif %}
-  criSocket: {{ cri_socket }}
-{% if cloud_provider == "external" %}
-  kubeletExtraArgs:
-    cloud-provider: external
-{% endif %}
-{% if kubeadm_patches | length > 0 %}
-patches:
-  directory: {{ kubeadm_patches_dir }}
-{% endif %}
----
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: ClusterConfiguration
-clusterName: {{ cluster_name }}
-etcd:
-{% if etcd_deployment_type != "kubeadm" %}
-  external:
-      endpoints:
-{% for endpoint in etcd_access_addresses.split(',') %}
-      - "{{ endpoint }}"
-{% endfor %}
-      caFile: {{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}
-      certFile: {{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}
-      keyFile: {{ etcd_cert_dir }}/{{ kube_etcd_key_file }}
-{% elif etcd_deployment_type == "kubeadm" %}
-  local:
-    imageRepository: "{{ etcd_image_repo | regex_replace("/etcd$","") }}"
-    imageTag: "{{ etcd_image_tag }}"
-    dataDir: "{{ etcd_data_dir }}"
-    extraArgs:
-      metrics: {{ etcd_metrics }}
-      election-timeout: "{{ etcd_election_timeout }}"
-      heartbeat-interval: "{{ etcd_heartbeat_interval }}"
-      auto-compaction-retention: "{{ etcd_compaction_retention }}"
-{% if etcd_listen_metrics_urls is defined %}
-      listen-metrics-urls: "{{ etcd_listen_metrics_urls }}"
-{% endif %}
-      snapshot-count: "{{ etcd_snapshot_count }}"
-      quota-backend-bytes: "{{ etcd_quota_backend_bytes }}"
-      max-request-bytes: "{{ etcd_max_request_bytes }}"
-      log-level: "{{ etcd_log_level }}"
-{% for key, value in etcd_extra_vars.items() %}
-      {{ key }}: "{{ value }}"
-{% endfor %}
-    serverCertSANs:
-{% for san in etcd_cert_alt_names %}
-      - "{{ san }}"
-{% endfor %}
-{% for san in etcd_cert_alt_ips %}
-      - "{{ san }}"
-{% endfor %}
-    peerCertSANs:
-{% for san in etcd_cert_alt_names %}
-      - "{{ san }}"
-{% endfor %}
-{% for san in etcd_cert_alt_ips %}
-      - "{{ san }}"
-{% endfor %}
-{% endif %}
-dns:
-  imageRepository: {{ coredns_image_repo | regex_replace('/coredns(?!/coredns).*$', '') }}
-  imageTag: {{ coredns_image_tag }}
-networking:
-  dnsDomain: {{ dns_domain }}
-  serviceSubnet: "{{ kube_service_subnets }}"
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-  podSubnet: "{{ kube_pods_subnets }}"
-{% endif %}
-{% if kubeadm_feature_gates %}
-featureGates:
-{%   for feature in kubeadm_feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}
-kubernetesVersion: v{{ kube_version }}
-{% if kubeadm_config_api_fqdn is defined %}
-controlPlaneEndpoint: "{{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}"
-{% else %}
-controlPlaneEndpoint: "{{ main_ip | ansible.utils.ipwrap }}:{{ kube_apiserver_port }}"
-{% endif %}
-certificatesDir: {{ kube_cert_dir }}
-imageRepository: {{ kubeadm_image_repo }}
-apiServer:
-  extraArgs:
-    etcd-compaction-interval: "{{ kube_apiserver_etcd_compaction_interval }}"
-    default-not-ready-toleration-seconds: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
-    default-unreachable-toleration-seconds: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
-{% if kube_api_anonymous_auth is defined %}
-{# TODO: rework once suppport for structured auth lands #}
-    anonymous-auth: "{{ kube_api_anonymous_auth }}"
-{% endif %}
-{% if kube_apiserver_use_authorization_config_file %}
-    authorization-config: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
-{% else %}
-    authorization-mode: {{ authorization_modes | join(',') }}
-{% endif %}
-    bind-address: "{{ kube_apiserver_bind_address }}"
-{% if kube_apiserver_enable_admission_plugins | length > 0 %}
-    enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
-{% endif %}
-{% if kube_apiserver_admission_control_config_file %}
-    admission-control-config-file: {{ kube_config_dir }}/admission-controls.yaml
-{% endif %}
-{% if kube_apiserver_disable_admission_plugins | length > 0 %}
-    disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
-{% endif %}
-    apiserver-count: "{{ kube_apiserver_count }}"
-    endpoint-reconciler-type: lease
-{% if etcd_events_cluster_enabled %}
-    etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
-{% endif %}
-    service-node-port-range: {{ kube_apiserver_node_port_range }}
-    service-cluster-ip-range: "{{ kube_service_subnets }}"
-    kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
-    profiling: "{{ kube_profiling }}"
-    request-timeout: "{{ kube_apiserver_request_timeout }}"
-    enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
-{% if kube_token_auth %}
-    token-auth-file: {{ kube_token_dir }}/known_tokens.csv
-{% endif %}
-{% if kube_apiserver_service_account_lookup %}
-    service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
-{% endif %}
-{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
-    oidc-issuer-url: "{{ kube_oidc_url }}"
-    oidc-client-id: "{{ kube_oidc_client_id }}"
-{%   if kube_oidc_ca_file is defined %}
-    oidc-ca-file: "{{ kube_oidc_ca_file }}"
-{%   endif %}
-{%   if kube_oidc_username_claim is defined %}
-    oidc-username-claim: "{{ kube_oidc_username_claim }}"
-{%   endif %}
-{%   if kube_oidc_groups_claim is defined %}
-    oidc-groups-claim: "{{ kube_oidc_groups_claim }}"
-{%   endif %}
-{%   if kube_oidc_username_prefix is defined %}
-    oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
-{%   endif %}
-{%   if kube_oidc_groups_prefix is defined %}
-    oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
-{%   endif %}
-{% endif %}
-{% if kube_webhook_token_auth %}
-    authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-{% endif %}
-{% if kube_webhook_authorization and not kube_apiserver_use_authorization_config_file %}
-    authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
-{% endif %}
-{% if kube_encrypt_secret_data %}
-    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
-{% endif %}
-    storage-backend: {{ kube_apiserver_storage_backend }}
-{% if kube_api_runtime_config | length > 0 %}
-    runtime-config: {{ kube_api_runtime_config | join(',') }}
-{% endif %}
-    allow-privileged: "true"
-{% if kubernetes_audit or kubernetes_audit_webhook %}
-    audit-policy-file: {{ audit_policy_file }}
-{% endif %}
-{% if kubernetes_audit %}
-    audit-log-path: "{{ audit_log_path }}"
-    audit-log-maxage: "{{ audit_log_maxage }}"
-    audit-log-maxbackup: "{{ audit_log_maxbackups }}"
-    audit-log-maxsize: "{{ audit_log_maxsize }}"
-{% endif %}
-{% if kubernetes_audit_webhook %}
-    audit-webhook-config-file: {{ audit_webhook_config_file }}
-    audit-webhook-mode: {{ audit_webhook_mode }}
-{% if audit_webhook_mode == "batch" %}
-    audit-webhook-batch-max-size: "{{ audit_webhook_batch_max_size }}"
-    audit-webhook-batch-max-wait: "{{ audit_webhook_batch_max_wait }}"
-{% endif %}
-{% endif %}
-{% for key in kube_kubeadm_apiserver_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
-{% endfor %}
-{% if kube_apiserver_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_apiserver_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-    event-ttl: {{ event_ttl_duration }}
-{% if kubelet_rotate_server_certificates %}
-    kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
-{% endif %}
-{% if kube_apiserver_tracing %}
-    tracing-config-file: {{ kube_config_dir }}/tracing/apiserver-tracing.yaml
-{% endif %}
-{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or apiserver_extra_volumes or ssl_ca_dirs | length %}
-  extraVolumes:
-{% if kube_token_auth %}
-  - name: token-auth-config
-    hostPath: {{ kube_token_dir }}
-    mountPath: {{ kube_token_dir }}
-{% endif %}
-{% if kube_webhook_token_auth %}
-  - name: webhook-token-auth-config
-    hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-    mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
-{% endif %}
-{% if kube_webhook_authorization %}
-  - name: webhook-authorization-config
-    hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
-    mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
-{% endif %}
-{% if kube_apiserver_use_authorization_config_file %}
-  - name: authorization-config
-    hostPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
-    mountPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
-{% endif %}
-{% if kubernetes_audit or kubernetes_audit_webhook %}
-  - name: {{ audit_policy_name }}
-    hostPath: {{ audit_policy_hostpath }}
-    mountPath: {{ audit_policy_mountpath }}
-{% if audit_log_path != "-" %}
-  - name: {{ audit_log_name }}
-    hostPath: {{ audit_log_hostpath }}
-    mountPath: {{ audit_log_mountpath }}
-    readOnly: false
-{% endif %}
-{% endif %}
-{% if kube_apiserver_admission_control_config_file %}
-  - name: admission-control-configs
-    hostPath: {{ kube_config_dir }}/admission-controls
-    mountPath: {{ kube_config_dir }}
-    readOnly: false
-    pathType: DirectoryOrCreate
-{% endif %}
-{% if kube_apiserver_tracing %}
-  - name: tracing
-    hostPath: {{ kube_config_dir }}/tracing
-    mountPath: {{ kube_config_dir }}/tracing
-    readOnly: true
-    pathType: DirectoryOrCreate
-{% endif %}
-{% for volume in apiserver_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% if ssl_ca_dirs | length %}
-{% for dir in ssl_ca_dirs %}
-  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
-    hostPath: {{ dir }}
-    mountPath: {{ dir }}
-    readOnly: true
-{% endfor %}
-{% endif %}
-{% endif %}
-  certSANs:
-{% for san in apiserver_sans %}
-  - "{{ san }}"
-{% endfor %}
-  timeoutForControlPlane: 5m0s
-controllerManager:
-  extraArgs:
-    node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
-    node-monitor-period: {{ kube_controller_node_monitor_period }}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-    cluster-cidr: "{{ kube_pods_subnets }}"
-{% endif %}
-    service-cluster-ip-range: "{{ kube_service_subnets }}"
-{% if kube_network_plugin is defined and kube_network_plugin == "calico" and not calico_ipam_host_local %}
-    allocate-node-cidrs: "false"
-{% else %}
-{% if ipv4_stack %}
-    node-cidr-mask-size-ipv4: "{{ kube_network_node_prefix }}"
-{% endif %}
-{% if ipv6_stack %}
-    node-cidr-mask-size-ipv6: "{{ kube_network_node_prefix_ipv6 }}"
-{% endif %}
-{% endif %}
-    profiling: "{{ kube_profiling }}"
-    terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
-    bind-address: "{{ kube_controller_manager_bind_address }}"
-    leader-elect-lease-duration: {{ kube_controller_manager_leader_elect_lease_duration }}
-    leader-elect-renew-deadline: {{ kube_controller_manager_leader_elect_renew_deadline }}
-{% if kube_controller_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_controller_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-{% for key in kube_kubeadm_controller_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
-{% endfor %}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %}
-    configure-cloud-routes: "false"
-{% endif %}
-{% if kubelet_flexvolumes_plugins_dir is defined %}
-    flex-volume-plugin-dir: {{ kubelet_flexvolumes_plugins_dir }}
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-{% if controller_manager_extra_volumes %}
-  extraVolumes:
-{% for volume in controller_manager_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% endif %}
-scheduler:
-  extraArgs:
-    bind-address: "{{ kube_scheduler_bind_address }}"
-    config: {{ kube_config_dir }}/kubescheduler-config.yaml
-{% if kube_scheduler_feature_gates or kube_feature_gates %}
-    feature-gates: "{{ kube_scheduler_feature_gates | default(kube_feature_gates, true) | join(',') }}"
-{% endif %}
-    profiling: "{{ kube_profiling }}"
-{% if kube_kubeadm_scheduler_extra_args | length > 0 %}
-{% for key in kube_kubeadm_scheduler_extra_args %}
-    {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
-{% endfor %}
-{% endif %}
-{% if tls_min_version is defined %}
-    tls-min-version: {{ tls_min_version }}
-{% endif %}
-{% if tls_cipher_suites is defined %}
-    tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
-
-{% endif %}
-  extraVolumes:
-  - name: kubescheduler-config
-    hostPath: {{ kube_config_dir }}/kubescheduler-config.yaml
-    mountPath: {{ kube_config_dir }}/kubescheduler-config.yaml
-    readOnly: true
-{% if scheduler_extra_volumes %}
-{% for volume in scheduler_extra_volumes %}
-  - name: {{ volume.name }}
-    hostPath: {{ volume.hostPath }}
-    mountPath: {{ volume.mountPath }}
-    readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
-{% endfor %}
-{% endif %}
----
-apiVersion: kubeproxy.config.k8s.io/v1alpha1
-kind: KubeProxyConfiguration
-bindAddress: "{{ kube_proxy_bind_address }}"
-clientConnection:
-  acceptContentTypes: {{ kube_proxy_client_accept_content_types }}
-  burst: {{ kube_proxy_client_burst }}
-  contentType: {{ kube_proxy_client_content_type }}
-  kubeconfig: {{ kube_proxy_client_kubeconfig }}
-  qps: {{ kube_proxy_client_qps }}
-{% if kube_network_plugin is defined and kube_network_plugin not in ["kube-ovn"] %}
-clusterCIDR: "{{ kube_pods_subnets }}"
-{% endif %}
-configSyncPeriod: {{ kube_proxy_config_sync_period }}
-conntrack:
-  maxPerCore: {{ kube_proxy_conntrack_max_per_core }}
-  min: {{ kube_proxy_conntrack_min }}
-  tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }}
-  tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }}
-enableProfiling: {{ kube_proxy_enable_profiling }}
-healthzBindAddress: "{{ kube_proxy_healthz_bind_address }}"
-hostnameOverride: "{{ kube_override_hostname }}"
-iptables:
-  masqueradeAll: {{ kube_proxy_masquerade_all }}
-  masqueradeBit: {{ kube_proxy_masquerade_bit }}
-  minSyncPeriod: {{ kube_proxy_min_sync_period }}
-  syncPeriod: {{ kube_proxy_sync_period }}
-ipvs:
-  excludeCIDRs: {{ kube_proxy_exclude_cidrs }}
-  minSyncPeriod: {{ kube_proxy_min_sync_period }}
-  scheduler: {{ kube_proxy_scheduler }}
-  syncPeriod: {{ kube_proxy_sync_period }}
-  strictARP: {{ kube_proxy_strict_arp }}
-  tcpTimeout: {{ kube_proxy_tcp_timeout }}
-  tcpFinTimeout: {{ kube_proxy_tcp_fin_timeout }}
-  udpTimeout: {{ kube_proxy_udp_timeout }}
-metricsBindAddress: "{{ kube_proxy_metrics_bind_address }}"
-mode: {{ kube_proxy_mode }}
-nodePortAddresses: {{ kube_proxy_nodeport_addresses }}
-oomScoreAdj: {{ kube_proxy_oom_score_adj }}
-portRange: {{ kube_proxy_port_range }}
-{% if kube_proxy_feature_gates or kube_feature_gates %}
-{% set feature_gates = ( kube_proxy_feature_gates | default(kube_feature_gates, true) ) %}
-featureGates:
-{%   for feature in feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}
-{# DNS settings for kubelet #}
-{% if enable_nodelocaldns %}
-{% set kubelet_cluster_dns = [nodelocaldns_ip] %}
-{% elif dns_mode in ['coredns'] %}
-{% set kubelet_cluster_dns = [skydns_server] %}
-{% elif dns_mode == 'coredns_dual' %}
-{% set kubelet_cluster_dns = [skydns_server,skydns_server_secondary] %}
-{% elif dns_mode == 'manual' %}
-{% set kubelet_cluster_dns = [manual_dns_server] %}
-{% else %}
-{% set kubelet_cluster_dns = [] %}
-{% endif %}
----
-apiVersion: kubelet.config.k8s.io/v1beta1
-kind: KubeletConfiguration
-clusterDNS:
-{% for dns_address in kubelet_cluster_dns %}
-- {{ dns_address }}
-{% endfor %}
-{% if kubelet_feature_gates or kube_feature_gates %}
-{% set feature_gates = ( kubelet_feature_gates | default(kube_feature_gates, true) ) %}
-featureGates:
-{%   for feature in feature_gates %}
-  {{ feature | replace("=", ": ") }}
-{%   endfor %}
-{% endif %}

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2

@@ -563,6 +563,9 @@ featureGates:
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
+{% if kube_version is version('1.35.0', '>=') %}
+failCgroupV1: {{ kubelet_fail_cgroup_v1 }}
+{% endif %}
 clusterDNS:
 {% for dns_address in kubelet_cluster_dns %}
 - {{ dns_address }}

roles/kubernetes/control-plane/templates/kubeadm-controlplane.yaml.j2

@@ -1,4 +1,4 @@
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration
 discovery:
 {% if kubeadm_use_file_discovery %}
@@ -15,13 +15,8 @@ discovery:
     unsafeSkipCAVerification: true
 {% endif %}
   tlsBootstrapToken: {{ kubeadm_token }}
-{# TODO: drop the if when we drop support for k8s<1.31 #}
-{% if kubeadm_config_api_version == 'v1beta3' %}
-  timeout: {{ discovery_timeout }}
-{% else %}
 timeouts:
   discovery: {{ discovery_timeout }}
-{% endif %}
 controlPlane:
   localAPIEndpoint:
     advertiseAddress: "{{ kube_apiserver_address }}"

roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2

@@ -1,5 +1,5 @@
 ---
-apiVersion: kubeadm.k8s.io/{{ kubeadm_config_api_version }}
+apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration
 discovery:
 {% if kubeadm_use_file_discovery %}
@@ -21,13 +21,8 @@ discovery:
 {% endif %}
 {% endif %}
   tlsBootstrapToken: {{ kubeadm_token }}
-{# TODO: drop the if when we drop support for k8s<1.31 #}
-{% if kubeadm_config_api_version == 'v1beta3' %}
-  timeout: {{ discovery_timeout }}
-{% else %}
 timeouts:
   discovery: {{ discovery_timeout }}
-{% endif %}
 caCertPath: {{ kube_cert_dir }}/ca.crt
 {% if kubeadm_cert_controlplane is defined and kubeadm_cert_controlplane %}
 controlPlane: