Patch versions updates

Currently, if changing the inventory variable `kubeadm_patches`, new
patches will be created, but the existing ones will also be left on the
filesystem, and applied by kubeadm ; this means that removed or changed
configuration can linger.

Cleanup old patches (which are the difference between existing patches
on filesystem and the one created for the current runs).

Co-authored-by: Max Gautier <mg@max.gautier.name>

.ansible-lint

@@ -33,8 +33,6 @@ skip_list:
   # Disable run-once check with free strategy
   # (Disabled in June 2023 after ansible upgrade; FIXME)
   - 'run-once[task]'
-
-  - 'jinja[spacing]'
 exclude_paths:
   # Generated files
   - tests/files/custom_cni/cilium.yaml

.github/workflows/auto-label-os.yml

@@ -13,16 +13,16 @@ jobs:
       issues: write
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 
       - name: Parse issue form
-        uses: stefanbuck/github-issue-parser@10dcc54158ba4c137713d9d69d70a2da63b6bda3
+        uses: stefanbuck/github-issue-parser@2ea9b35a8c584529ed00891a8f7e41dc46d0441e
         id: issue-parser
         with:
           template-path: .github/ISSUE_TEMPLATE/bug-report.yaml
 
       - name: Set labels based on OS field
-        uses: redhat-plumbers-in-action/advanced-issue-labeler@b80ae64e3e156e9c111b075bfa04b295d54e8e2e
+        uses: redhat-plumbers-in-action/advanced-issue-labeler@e38e6809c5420d038eed380d49ee9a6ca7c92dbf
         with:
           issue-form: ${{ steps.issue-parser.outputs.jsonString }}
           section: os

.github/workflows/upgrade-patch-versions-schedule.yml

@@ -13,14 +13,14 @@ jobs:
     outputs:
       branches: ${{ steps.get-branches.outputs.data }}
     steps:
-    - uses: octokit/graphql-action@ddde8ebb2493e79f390e6449c725c21663a67505
+    - uses: octokit/graphql-action@8ad880e4d437783ea2ab17010324de1075228110
       id: get-branches
       with:
         query: |
           query get_release_branches($owner:String!, $name:String!) {
             repository(owner:$owner, name:$name) {
               refs(refPrefix: "refs/heads/",
-                   first: 2, # TODO increment once we have release branch with the new checksums format
+                   first: 1, # TODO increment once we have release branch with the new checksums format
                    query: "release-",
                    orderBy: {
                      field: ALPHABETICAL,

.github/workflows/upgrade-patch-versions.yml

@@ -11,7 +11,7 @@ jobs:
   update-patch-versions:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       with:
         ref: ${{ inputs.branch }}
     - uses: actions/setup-python@v6
@@ -22,14 +22,14 @@ jobs:
     - run: update-hashes
       env:
         API_KEY: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/cache@v5
+    - uses: actions/cache@v4
       with:
         key: pre-commit-hook-propagate
         path: |
           ~/.cache/pre-commit
     - run: pre-commit run --all-files propagate-ansible-variables
       continue-on-error: true
-    - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+    - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
       with:
         commit-message: Patch versions updates
         title: Patch versions updates - ${{ inputs.branch }}

.gitlab-ci/kubevirt.yml

@@ -43,7 +43,6 @@ pr:
           - fedora39-kube-router
           - openeuler24-calico
           - rockylinux9-cilium
-          - rockylinux10-cilium
           - ubuntu22-calico-all-in-one
           - ubuntu22-calico-all-in-one-upgrade
           - ubuntu24-calico-etcd-datastore
@@ -128,7 +127,6 @@ pr_extended:
           - debian12-docker
           - debian13-calico
           - rockylinux9-calico
-          - rockylinux10-calico
           - ubuntu22-all-in-one-docker
           - ubuntu24-all-in-one-docker
           - ubuntu24-calico-all-in-one

.gitlab-ci/terraform.yml

@@ -37,7 +37,6 @@ terraform_validate:
           - hetzner
           - vsphere
           - upcloud
-          - nifcloud
 
 .terraform_apply:
   extends: .terraform_install
@@ -89,10 +88,11 @@ tf-elastx_cleanup:
     - ./scripts/openstack-cleanup/main.py
   allow_failure: true
 
-tf-elastx_ubuntu24-calico:
+tf-elastx_ubuntu20-calico:
   extends: .terraform_apply
   stage: deploy-part1
   when: on_success
+  allow_failure: true
   variables:
     <<: *elastx_variables
     PROVIDER: openstack
@@ -115,5 +115,5 @@ tf-elastx_ubuntu24-calico:
     TF_VAR_az_list_node: '["sto1"]'
     TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b    # v1-standard-2
     TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b      # v1-standard-2
-    TF_VAR_image: ubuntu-24.04-server-latest
+    TF_VAR_image: ubuntu-20.04-server-latest
     TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'

.gitlab-ci/vagrant.yml

@@ -36,7 +36,7 @@ vagrant:
     policy: pull-push # TODO: change to "pull" when not on main
   stage: deploy-extended
   rules:
-    - if: $PR_LABELS =~ /.*ci-full.*/
+    - if: $PR_LABELS =~ /.*(ci-extended|ci-full).*/
       when: on_success
     - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
       when: on_success

Dockerfile

@@ -35,8 +35,8 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.34.3/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L "https://dl.k8s.io/release/v1.33.8/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.33.8/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl
 
 COPY *.yml ./

README.md

@@ -22,7 +22,7 @@ Ensure you have installed Docker then
 ```ShellSession
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
   --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.30.0 bash
+  quay.io/kubespray/kubespray:v2.29.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```
@@ -89,13 +89,13 @@ vagrant up
 - **Flatcar Container Linux by Kinvolk**
 - **Debian** Bookworm, Bullseye, Trixie
 - **Ubuntu** 22.04, 24.04
-- **CentOS Stream / RHEL** [9, 10](docs/operating_systems/rhel.md#rhel-8)
+- **CentOS/RHEL** [8, 9](docs/operating_systems/rhel.md#rhel-8)
 - **Fedora** 39, 40
 - **Fedora CoreOS** (see [fcos Note](docs/operating_systems/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
-- **Oracle Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
-- **Alma Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8)
-- **Rocky Linux** [9, 10](docs/operating_systems/rhel.md#rhel-8) (experimental in 10: see [Rocky Linux 10 notes](docs/operating_systems/rhel.md#rocky-linux-10))
+- **Oracle Linux** [8, 9](docs/operating_systems/rhel.md#rhel-8)
+- **Alma Linux** [8, 9](docs/operating_systems/rhel.md#rhel-8)
+- **Rocky Linux** [8, 9](docs/operating_systems/rhel.md#rhel-8)
 - **Kylin Linux Advanced Server V10** (experimental: see [kylin linux notes](docs/operating_systems/kylinlinux.md))
 - **Amazon Linux 2** (experimental: see [amazon linux notes](docs/operating_systems/amazonlinux.md))
 - **UOS Linux** (experimental: see [uos linux notes](docs/operating_systems/uoslinux.md))
@@ -111,23 +111,23 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.34.3
-  - [etcd](https://github.com/etcd-io/etcd) 3.5.26
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.33.8
+  - [etcd](https://github.com/etcd-io/etcd) 3.5.27
   - [docker](https://www.docker.com/) 28.3
-  - [containerd](https://containerd.io/) 2.2.1
-  - [cri-o](http://cri-o.io/) 1.34.4 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) 2.1.6
+  - [cri-o](http://cri-o.io/) 1.33.9 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) 1.8.0
   - [calico](https://github.com/projectcalico/calico) 3.30.6
-  - [cilium](https://github.com/cilium/cilium) 1.18.6
+  - [cilium](https://github.com/cilium/cilium) 1.18.5
   - [flannel](https://github.com/flannel-io/flannel) 0.27.3
   - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1
   - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) 4.2.2
-  - [kube-vip](https://github.com/kube-vip/kube-vip) 1.0.3
+  - [kube-vip](https://github.com/kube-vip/kube-vip) 0.8.0
 - Application
   - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
-  - [coredns](https://github.com/coredns/coredns) 1.12.1
+  - [coredns](https://github.com/coredns/coredns) 1.12.0
   - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
   - [argocd](https://argoproj.github.io/) 2.14.5
   - [helm](https://helm.sh/) 3.18.4

RELEASE.md

@@ -15,7 +15,7 @@ The Kubespray Project is released on an as-needed basis. The process is as follo
 1. The release issue is closed
 1. An announcement email is sent to `dev@kubernetes.io` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
 1. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
-1. Create/Update Issue for upgrading kubernetes and [k8s-conformance](https://github.com/cncf/k8s-conformance)
+1. Create/Update Issue for upgradeing kubernetes and [k8s-conformance](https://github.com/cncf/k8s-conformance)
 
 ## Major/minor releases and milestones
 

contrib/collection.sh

@@ -1,9 +0,0 @@
-#!/bin/bash -eux
-# Install collection from source assuming dependencies are present.
-# Run in SemaphoreUI this bash script can install Kubespray from the repo
-NAMESPACE=kubernetes_sigs
-COLLECTION=kubespray
-MY_VER=$(grep '^version:' galaxy.yml|cut -d: -f2|sed 's/ //')
-
-ansible-galaxy collection build --force --output-path .
-ansible-galaxy collection install --offline --force $NAMESPACE-$COLLECTION-$MY_VER.tar.gz

contrib/offline/manage-offline-container-images.sh

@@ -20,6 +20,7 @@ function create_container_image_tar() {
 
 		kubectl describe cronjobs,jobs,pods --all-namespaces | grep " Image:" | awk '{print $2}' | sort | uniq > "${IMAGES}"
 		# NOTE: etcd and pause cannot be seen as pods.
+		# The pause image is used for --pod-infra-container-image option of kubelet.
 		kubectl cluster-info dump | grep -E "quay.io/coreos/etcd:|registry.k8s.io/pause:" | sed s@\"@@g >> "${IMAGES}"
 	else
 		echo "Getting images from file \"${IMAGES_FROM_FILE}\""

contrib/terraform/nifcloud/.gitignore

@@ -1,5 +0,0 @@
-*.tfstate*
-.terraform.lock.hcl
-.terraform
-
-sample-inventory/inventory.ini

contrib/terraform/nifcloud/README.md

@@ -1,138 +0,0 @@
-# Kubernetes on NIFCLOUD with Terraform
-
-Provision a Kubernetes cluster on [NIFCLOUD](https://pfs.nifcloud.com/) using Terraform and Kubespray
-
-## Overview
-
-The setup looks like following
-
-```text
-                              Kubernetes cluster
-                        +----------------------------+
-+---------------+       |   +--------------------+   |
-|               |       |   | +--------------------+ |
-| API server LB +---------> | |                    | |
-|               |       |   | | Control Plane/etcd | |
-+---------------+       |   | | node(s)            | |
-                        |   +-+                    | |
-                        |     +--------------------+ |
-                        |           ^                |
-                        |           |                |
-                        |           v                |
-                        |   +--------------------+   |
-                        |   | +--------------------+ |
-                        |   | |                    | |
-                        |   | |        Worker      | |
-                        |   | |        node(s)     | |
-                        |   +-+                    | |
-                        |     +--------------------+ |
-                        +----------------------------+
-```
-
-## Requirements
-
-* Terraform 1.3.7
-
-## Quickstart
-
-### Export Variables
-
-* Your NIFCLOUD credentials:
-
-  ```bash
-  export NIFCLOUD_ACCESS_KEY_ID=<YOUR ACCESS KEY>
-  export NIFCLOUD_SECRET_ACCESS_KEY=<YOUR SECRET ACCESS KEY>
-  ```
-
-* The SSH KEY used to connect to the instance:
-  * FYI: [Cloud Help(SSH Key)](https://pfs.nifcloud.com/help/ssh.htm)
-
-  ```bash
-  export TF_VAR_SSHKEY_NAME=<YOUR SSHKEY NAME>
-  ```
-
-* The IP address to connect to bastion server:
-
-  ```bash
-  export TF_VAR_working_instance_ip=$(curl ifconfig.me)
-  ```
-
-### Create The Infrastructure
-
-* Run terraform:
-
-  ```bash
-  terraform init
-  terraform apply -var-file ./sample-inventory/cluster.tfvars
-  ```
-
-### Setup The Kubernetes
-
-* Generate cluster configuration file:
-
-  ```bash
-  ./generate-inventory.sh > sample-inventory/inventory.ini
-  ```
-
-* Export Variables:
-
-  ```bash
-  BASTION_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.bastion_info | to_entries[].value.public_ip')
-  API_LB_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.control_plane_lb')
-  CP01_IP=$(terraform output -json | jq -r '.kubernetes_cluster.value.control_plane_info | to_entries[0].value.private_ip')
-  export ANSIBLE_SSH_ARGS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand=\"ssh root@${BASTION_IP} -W %h:%p\""
-  ```
-
-* Set ssh-agent"
-
-  ```bash
-  eval `ssh-agent`
-  ssh-add <THE PATH TO YOUR SSH KEY>
-  ```
-
-* Run cluster.yml playbook:
-
-  ```bash
-  cd ./../../../
-  ansible-playbook -i contrib/terraform/nifcloud/inventory/inventory.ini cluster.yml
-  ```
-
-### Connecting to Kubernetes
-
-* [Install kubectl](https://kubernetes.io/docs/tasks/tools/) on the localhost
-* Fetching kubeconfig file:
-
-  ```bash
-  mkdir -p ~/.kube
-  scp -o ProxyCommand="ssh root@${BASTION_IP} -W %h:%p" root@${CP01_IP}:/etc/kubernetes/admin.conf ~/.kube/config
-  ```
-
-* Rewrite /etc/hosts
-
-  ```bash
-  sudo echo "${API_LB_IP} lb-apiserver.kubernetes.local" >> /etc/hosts
-  ```
-
-* Run kubectl
-
-  ```bash
-  kubectl get node
-  ```
-
-## Variables
-
-* `region`: Region where to run the cluster
-* `az`: Availability zone where to run the cluster
-* `private_ip_bn`: Private ip address of bastion server
-* `private_network_cidr`:  Subnet of private network
-* `instances_cp`: Machine to provision as Control Plane. Key of this object will be used as part of the machine' name
-  * `private_ip`: private ip address of machine
-* `instances_wk`: Machine to provision as Worker Node. Key of this object will be used as part of the machine' name
-  * `private_ip`: private ip address of machine
-* `instance_key_name`: The key name of the Key Pair to use for the instance
-* `instance_type_bn`: The instance type of bastion server
-* `instance_type_wk`: The instance type of worker node
-* `instance_type_cp`: The instance type of control plane
-* `image_name`: OS image used for the instance
-* `working_instance_ip`: The IP address to connect to bastion server
-* `accounting_type`: Accounting type. (1: monthly, 2: pay per use)

contrib/terraform/nifcloud/generate-inventory.sh

@@ -1,64 +0,0 @@
-#!/bin/bash
-
-#
-# Generates a inventory file based on the terraform output.
-# After provisioning a cluster, simply run this command and supply the terraform state file
-# Default state file is terraform.tfstate
-#
-
-set -e
-
-TF_OUT=$(terraform output -json)
-
-CONTROL_PLANES=$(jq -r '.kubernetes_cluster.value.control_plane_info | to_entries[]'  <(echo "${TF_OUT}"))
-WORKERS=$(jq -r '.kubernetes_cluster.value.worker_info | to_entries[]'  <(echo "${TF_OUT}"))
-mapfile -t CONTROL_PLANE_NAMES < <(jq -r '.key'  <(echo "${CONTROL_PLANES}"))
-mapfile -t WORKER_NAMES < <(jq -r '.key'  <(echo "${WORKERS}"))
-
-API_LB=$(jq -r '.kubernetes_cluster.value.control_plane_lb' <(echo "${TF_OUT}"))
-
-echo "[all]"
-# Generate control plane hosts
-i=1
-for name in "${CONTROL_PLANE_NAMES[@]}"; do
-  private_ip=$(jq -r '. | select( .key=='"\"${name}\""' ) | .value.private_ip'  <(echo "${CONTROL_PLANES}"))
-  echo "${name} ansible_user=root ansible_host=${private_ip} access_ip=${private_ip} ip=${private_ip} etcd_member_name=etcd${i}"
-  i=$(( i + 1 ))
-done
-
-# Generate worker hosts
-for name in "${WORKER_NAMES[@]}"; do
-  private_ip=$(jq -r '. | select( .key=='"\"${name}\""' ) | .value.private_ip'  <(echo "${WORKERS}"))
-  echo "${name} ansible_user=root ansible_host=${private_ip} access_ip=${private_ip} ip=${private_ip}"
-done
-
-API_LB=$(jq -r '.kubernetes_cluster.value.control_plane_lb'  <(echo "${TF_OUT}"))
-
-echo ""
-echo "[all:vars]"
-echo "upstream_dns_servers=['8.8.8.8','8.8.4.4']"
-echo "loadbalancer_apiserver={'address':'${API_LB}','port':'6443'}"
-
-
-echo ""
-echo "[kube_control_plane]"
-for name in "${CONTROL_PLANE_NAMES[@]}"; do
-  echo "${name}"
-done
-
-echo ""
-echo "[etcd]"
-for name in "${CONTROL_PLANE_NAMES[@]}"; do
-  echo "${name}"
-done
-
-echo ""
-echo "[kube_node]"
-for name in "${WORKER_NAMES[@]}"; do
-  echo "${name}"
-done
-
-echo ""
-echo "[k8s_cluster:children]"
-echo "kube_control_plane"
-echo "kube_node"

contrib/terraform/nifcloud/main.tf

@@ -1,36 +0,0 @@
-provider "nifcloud" {
-  region = var.region
-}
-
-module "kubernetes_cluster" {
-  source = "./modules/kubernetes-cluster"
-
-  availability_zone = var.az
-  prefix            = "dev"
-
-  private_network_cidr = var.private_network_cidr
-
-  instance_key_name = var.instance_key_name
-  instances_cp      = var.instances_cp
-  instances_wk      = var.instances_wk
-  image_name        = var.image_name
-
-  instance_type_bn = var.instance_type_bn
-  instance_type_cp = var.instance_type_cp
-  instance_type_wk = var.instance_type_wk
-
-  private_ip_bn = var.private_ip_bn
-
-  additional_lb_filter = [var.working_instance_ip]
-}
-
-resource "nifcloud_security_group_rule" "ssh_from_bastion" {
-  security_group_names = [
-    module.kubernetes_cluster.security_group_name.bastion
-  ]
-  type      = "IN"
-  from_port = 22
-  to_port   = 22
-  protocol  = "TCP"
-  cidr_ip   = var.working_instance_ip
-}

contrib/terraform/nifcloud/modules/kubernetes-cluster/main.tf

@@ -1,301 +0,0 @@
-#################################################
-##
-## Local variables
-##
-locals {
-  # e.g. east-11 is 11
-  az_num = reverse(split("-", var.availability_zone))[0]
-  # e.g. east-11 is e11
-  az_short_name = "${substr(reverse(split("-", var.availability_zone))[1], 0, 1)}${local.az_num}"
-
-  # Port used by the protocol
-  port_ssh     = 22
-  port_kubectl = 6443
-  port_kubelet = 10250
-
-  # calico: https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements#network-requirements
-  port_bgp   = 179
-  port_vxlan = 4789
-  port_etcd  = 2379
-}
-
-#################################################
-##
-## General
-##
-
-# data
-data "nifcloud_image" "this" {
-  image_name = var.image_name
-}
-
-# private lan
-resource "nifcloud_private_lan" "this" {
-  private_lan_name  = "${var.prefix}lan"
-  availability_zone = var.availability_zone
-  cidr_block        = var.private_network_cidr
-  accounting_type   = var.accounting_type
-}
-
-#################################################
-##
-## Bastion
-##
-resource "nifcloud_security_group" "bn" {
-  group_name        = "${var.prefix}bn"
-  description       = "${var.prefix} bastion"
-  availability_zone = var.availability_zone
-}
-
-resource "nifcloud_instance" "bn" {
-
-  instance_id    = "${local.az_short_name}${var.prefix}bn01"
-  security_group = nifcloud_security_group.bn.group_name
-  instance_type  = var.instance_type_bn
-
-  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
-    private_ip_address = var.private_ip_bn
-    ssh_port           = local.port_ssh
-    hostname           = "${local.az_short_name}${var.prefix}bn01"
-  })
-
-  availability_zone = var.availability_zone
-  accounting_type   = var.accounting_type
-  image_id          = data.nifcloud_image.this.image_id
-  key_name          = var.instance_key_name
-
-  network_interface {
-    network_id = "net-COMMON_GLOBAL"
-  }
-  network_interface {
-    network_id = nifcloud_private_lan.this.network_id
-    ip_address = "static"
-  }
-
-  # The image_id changes when the OS image type is demoted from standard to public.
-  lifecycle {
-    ignore_changes = [
-      image_id,
-      user_data,
-    ]
-  }
-}
-
-#################################################
-##
-## Control Plane
-##
-resource "nifcloud_security_group" "cp" {
-  group_name        = "${var.prefix}cp"
-  description       = "${var.prefix} control plane"
-  availability_zone = var.availability_zone
-}
-
-resource "nifcloud_instance" "cp" {
-  for_each = var.instances_cp
-
-  instance_id    = "${local.az_short_name}${var.prefix}${each.key}"
-  security_group = nifcloud_security_group.cp.group_name
-  instance_type  = var.instance_type_cp
-  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
-    private_ip_address = each.value.private_ip
-    ssh_port           = local.port_ssh
-    hostname           = "${local.az_short_name}${var.prefix}${each.key}"
-  })
-
-  availability_zone = var.availability_zone
-  accounting_type   = var.accounting_type
-  image_id          = data.nifcloud_image.this.image_id
-  key_name          = var.instance_key_name
-
-  network_interface {
-    network_id = "net-COMMON_GLOBAL"
-  }
-  network_interface {
-    network_id = nifcloud_private_lan.this.network_id
-    ip_address = "static"
-  }
-
-  # The image_id changes when the OS image type is demoted from standard to public.
-  lifecycle {
-    ignore_changes = [
-      image_id,
-      user_data,
-    ]
-  }
-}
-
-resource "nifcloud_load_balancer" "this" {
-  load_balancer_name = "${local.az_short_name}${var.prefix}cp"
-  accounting_type    = var.accounting_type
-  balancing_type     = 1 // Round-Robin
-  load_balancer_port = local.port_kubectl
-  instance_port      = local.port_kubectl
-  instances          = [for v in nifcloud_instance.cp : v.instance_id]
-  filter = concat(
-    [for k, v in nifcloud_instance.cp : v.public_ip],
-    [for k, v in nifcloud_instance.wk : v.public_ip],
-    var.additional_lb_filter,
-  )
-  filter_type = 1 // Allow
-}
-
-#################################################
-##
-## Worker
-##
-resource "nifcloud_security_group" "wk" {
-  group_name        = "${var.prefix}wk"
-  description       = "${var.prefix} worker"
-  availability_zone = var.availability_zone
-}
-
-resource "nifcloud_instance" "wk" {
-  for_each = var.instances_wk
-
-  instance_id    = "${local.az_short_name}${var.prefix}${each.key}"
-  security_group = nifcloud_security_group.wk.group_name
-  instance_type  = var.instance_type_wk
-  user_data = templatefile("${path.module}/templates/userdata.tftpl", {
-    private_ip_address = each.value.private_ip
-    ssh_port           = local.port_ssh
-    hostname           = "${local.az_short_name}${var.prefix}${each.key}"
-  })
-
-  availability_zone = var.availability_zone
-  accounting_type   = var.accounting_type
-  image_id          = data.nifcloud_image.this.image_id
-  key_name          = var.instance_key_name
-
-  network_interface {
-    network_id = "net-COMMON_GLOBAL"
-  }
-  network_interface {
-    network_id = nifcloud_private_lan.this.network_id
-    ip_address = "static"
-  }
-
-  # The image_id changes when the OS image type is demoted from standard to public.
-  lifecycle {
-    ignore_changes = [
-      image_id,
-      user_data,
-    ]
-  }
-}
-
-#################################################
-##
-## Security Group Rule: Kubernetes
-##
-
-# ssh
-resource "nifcloud_security_group_rule" "ssh_from_bastion" {
-  security_group_names = [
-    nifcloud_security_group.wk.group_name,
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_ssh
-  to_port                    = local.port_ssh
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.bn.group_name
-}
-
-# kubectl
-resource "nifcloud_security_group_rule" "kubectl_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_kubectl
-  to_port                    = local.port_kubectl
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
-
-# kubelet
-resource "nifcloud_security_group_rule" "kubelet_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_kubelet
-  to_port                    = local.port_kubelet
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
-
-resource "nifcloud_security_group_rule" "kubelet_from_control_plane" {
-  security_group_names = [
-    nifcloud_security_group.wk.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_kubelet
-  to_port                    = local.port_kubelet
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.cp.group_name
-}
-
-#################################################
-##
-## Security Group Rule: calico
-##
-
-# vslan
-resource "nifcloud_security_group_rule" "vxlan_from_control_plane" {
-  security_group_names = [
-    nifcloud_security_group.wk.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_vxlan
-  to_port                    = local.port_vxlan
-  protocol                   = "UDP"
-  source_security_group_name = nifcloud_security_group.cp.group_name
-}
-
-resource "nifcloud_security_group_rule" "vxlan_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_vxlan
-  to_port                    = local.port_vxlan
-  protocol                   = "UDP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
-
-# bgp
-resource "nifcloud_security_group_rule" "bgp_from_control_plane" {
-  security_group_names = [
-    nifcloud_security_group.wk.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_bgp
-  to_port                    = local.port_bgp
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.cp.group_name
-}
-
-resource "nifcloud_security_group_rule" "bgp_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_bgp
-  to_port                    = local.port_bgp
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}
-
-# etcd
-resource "nifcloud_security_group_rule" "etcd_from_worker" {
-  security_group_names = [
-    nifcloud_security_group.cp.group_name,
-  ]
-  type                       = "IN"
-  from_port                  = local.port_etcd
-  to_port                    = local.port_etcd
-  protocol                   = "TCP"
-  source_security_group_name = nifcloud_security_group.wk.group_name
-}

contrib/terraform/nifcloud/modules/kubernetes-cluster/outputs.tf

@@ -1,48 +0,0 @@
-output "control_plane_lb" {
-  description = "The DNS name of LB for control plane"
-  value       = nifcloud_load_balancer.this.dns_name
-}
-
-output "security_group_name" {
-  description = "The security group used in the cluster"
-  value = {
-    bastion       = nifcloud_security_group.bn.group_name,
-    control_plane = nifcloud_security_group.cp.group_name,
-    worker        = nifcloud_security_group.wk.group_name,
-  }
-}
-
-output "private_network_id" {
-  description = "The private network used in the cluster"
-  value       = nifcloud_private_lan.this.id
-}
-
-output "bastion_info" {
-  description = "The basion information in cluster"
-  value = { (nifcloud_instance.bn.instance_id) : {
-    instance_id = nifcloud_instance.bn.instance_id,
-    unique_id   = nifcloud_instance.bn.unique_id,
-    private_ip  = nifcloud_instance.bn.private_ip,
-    public_ip   = nifcloud_instance.bn.public_ip,
-  } }
-}
-
-output "worker_info" {
-  description = "The worker information in cluster"
-  value = { for v in nifcloud_instance.wk : v.instance_id => {
-    instance_id = v.instance_id,
-    unique_id   = v.unique_id,
-    private_ip  = v.private_ip,
-    public_ip   = v.public_ip,
-  } }
-}
-
-output "control_plane_info" {
-  description = "The control plane information in cluster"
-  value = { for v in nifcloud_instance.cp : v.instance_id => {
-    instance_id = v.instance_id,
-    unique_id   = v.unique_id,
-    private_ip  = v.private_ip,
-    public_ip   = v.public_ip,
-  } }
-}

contrib/terraform/nifcloud/modules/kubernetes-cluster/templates/userdata.tftpl

@@ -1,45 +0,0 @@
-#!/bin/bash
-
-#################################################
-##
-## IP Address
-##
-configure_private_ip_address () {
-  cat << EOS > /etc/netplan/01-netcfg.yaml
-network:
-    version: 2
-    renderer: networkd
-    ethernets:
-        ens192:
-            dhcp4: yes
-            dhcp6: yes
-            dhcp-identifier: mac
-        ens224:
-            dhcp4: no
-            dhcp6: no
-            addresses: [${private_ip_address}]
-EOS
-  netplan apply
-}
-configure_private_ip_address
-
-#################################################
-##
-## SSH
-##
-configure_ssh_port () {
-  sed -i 's/^#*Port [0-9]*/Port ${ssh_port}/' /etc/ssh/sshd_config
-}
-configure_ssh_port
-
-#################################################
-##
-## Hostname
-##
-hostnamectl set-hostname ${hostname}
-
-#################################################
-##
-## Disable swap files genereated by systemd-gpt-auto-generator
-##
-systemctl mask "dev-sda3.swap"

contrib/terraform/nifcloud/modules/kubernetes-cluster/terraform.tf

@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">=1.3.7"
-  required_providers {
-    nifcloud = {
-      source  = "nifcloud/nifcloud"
-      version = ">= 1.8.0, < 2.0.0"
-    }
-  }
-}

contrib/terraform/nifcloud/modules/kubernetes-cluster/variables.tf

@@ -1,81 +0,0 @@
-variable "availability_zone" {
-  description = "The availability zone"
-  type        = string
-}
-
-variable "prefix" {
-  description = "The prefix for the entire cluster"
-  type        = string
-  validation {
-    condition     = length(var.prefix) <= 5
-    error_message = "Must be a less than 5 character long."
-  }
-}
-
-variable "private_network_cidr" {
-  description = "The subnet of private network"
-  type        = string
-  validation {
-    condition     = can(cidrnetmask(var.private_network_cidr))
-    error_message = "Must be a valid IPv4 CIDR block address."
-  }
-}
-
-variable "private_ip_bn" {
-  description = "Private IP of bastion server"
-  type        = string
-}
-
-variable "instances_cp" {
-  type = map(object({
-    private_ip = string
-  }))
-}
-
-variable "instances_wk" {
-  type = map(object({
-    private_ip = string
-  }))
-}
-
-variable "instance_key_name" {
-  description = "The key name of the Key Pair to use for the instance"
-  type        = string
-}
-
-variable "instance_type_bn" {
-  description = "The instance type of bastion server"
-  type        = string
-}
-
-variable "instance_type_wk" {
-  description = "The instance type of worker"
-  type        = string
-}
-
-variable "instance_type_cp" {
-  description = "The instance type of control plane"
-  type        = string
-}
-
-variable "image_name" {
-  description = "The name of image"
-  type        = string
-}
-
-variable "additional_lb_filter" {
-  description = "Additional LB filter"
-  type        = list(string)
-}
-
-variable "accounting_type" {
-  type    = string
-  default = "1"
-  validation {
-    condition = anytrue([
-      var.accounting_type == "1", // Monthly
-      var.accounting_type == "2", // Pay per use
-    ])
-    error_message = "Must be a 1 or 2."
-  }
-}

contrib/terraform/nifcloud/output.tf

@@ -1,3 +0,0 @@
-output "kubernetes_cluster" {
-  value = module.kubernetes_cluster
-}

contrib/terraform/nifcloud/sample-inventory/cluster.tfvars

@@ -1,22 +0,0 @@
-region = "jp-west-1"
-az     = "west-11"
-
-instance_key_name = "deployerkey"
-
-instance_type_bn = "e-medium"
-instance_type_cp = "e-medium"
-instance_type_wk = "e-medium"
-
-private_network_cidr = "192.168.30.0/24"
-instances_cp = {
-  "cp01" : { private_ip : "192.168.30.11/24" }
-  "cp02" : { private_ip : "192.168.30.12/24" }
-  "cp03" : { private_ip : "192.168.30.13/24" }
-}
-instances_wk = {
-  "wk01" : { private_ip : "192.168.30.21/24" }
-  "wk02" : { private_ip : "192.168.30.22/24" }
-}
-private_ip_bn = "192.168.30.10/24"
-
-image_name = "Ubuntu Server 22.04 LTS"

contrib/terraform/nifcloud/sample-inventory/group_vars

@@ -1 +0,0 @@
-../../../../inventory/sample/group_vars

contrib/terraform/nifcloud/terraform.tf

@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">=1.3.7"
-  required_providers {
-    nifcloud = {
-      source  = "nifcloud/nifcloud"
-      version = "1.8.0"
-    }
-  }
-}

contrib/terraform/nifcloud/variables.tf

@@ -1,77 +0,0 @@
-variable "region" {
-  description = "The region"
-  type        = string
-}
-
-variable "az" {
-  description = "The availability zone"
-  type        = string
-}
-
-variable "private_ip_bn" {
-  description = "Private IP of bastion server"
-  type        = string
-}
-
-variable "private_network_cidr" {
-  description = "The subnet of private network"
-  type        = string
-  validation {
-    condition     = can(cidrnetmask(var.private_network_cidr))
-    error_message = "Must be a valid IPv4 CIDR block address."
-  }
-}
-
-variable "instances_cp" {
-  type = map(object({
-    private_ip = string
-  }))
-}
-
-variable "instances_wk" {
-  type = map(object({
-    private_ip = string
-  }))
-}
-
-variable "instance_key_name" {
-  description = "The key name of the Key Pair to use for the instance"
-  type        = string
-}
-
-variable "instance_type_bn" {
-  description = "The instance type of bastion server"
-  type        = string
-}
-
-variable "instance_type_wk" {
-  description = "The instance type of worker"
-  type        = string
-}
-
-variable "instance_type_cp" {
-  description = "The instance type of control plane"
-  type        = string
-}
-
-variable "image_name" {
-  description = "The name of image"
-  type        = string
-}
-
-variable "working_instance_ip" {
-  description = "The IP address to connect to bastion server."
-  type        = string
-}
-
-variable "accounting_type" {
-  type    = string
-  default = "2"
-  validation {
-    condition = anytrue([
-      var.accounting_type == "1", // Monthly
-      var.accounting_type == "2", // Pay per use
-    ])
-    error_message = "Must be a 1 or 2."
-  }
-}

contrib/terraform/openstack/README.md

@@ -281,9 +281,9 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`k8s_allowed_remote_ips_ipv6` | List of IPv6 CIDR allowed to initiate a SSH connection, empty by default |
 |`k8s_allowed_egress_ipv6_ips` | List of IPv6 CIDRs allowed for egress traffic, `["::/0"]` by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
-|`worker_allowed_ports_ipv6` | List of ports to open on worker nodes for IPv6 CIDR blocks, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "::/0"}, { "protocol" = "ipv6-icmp", "port_range_min" = 0, "port_range_max" = 0, "remote_ip_prefix" = "::/0"}]` by default |
+|`worker_allowed_ports_ipv6` | List of ports to open on worker nodes for IPv6 CIDR blocks, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "::/0"}]` by default |
 |`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default |
-|`master_allowed_ports_ipv6` | List of ports to open on master nodes for IPv6 CIDR blocks, `[{ "protocol" = "ipv6-icmp", "port_range_min" = 0, "port_range_max" = 0, "remote_ip_prefix" = "::/0"}]` by default |
+|`master_allowed_ports_ipv6` | List of ports to open on master nodes for IPv6 CIDR blocks, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "::/0"}]`, empty by default |
 |`node_root_volume_size_in_gb` | Size of the root volume for nodes, 0 to use ephemeral storage |
 |`master_root_volume_size_in_gb` | Size of the root volume for masters, 0 to use ephemeral storage |
 |`master_volume_type` | Volume type of the root volume for control_plane, 'Default' by default |

contrib/terraform/openstack/variables.tf

@@ -271,14 +271,7 @@ variable "master_allowed_ports" {
 variable "master_allowed_ports_ipv6" {
   type = list(any)
 
-  default = [
-    {
-      "protocol"         = "ipv6-icmp"
-      "port_range_min"   = 0
-      "port_range_max"   = 0
-      "remote_ip_prefix" = "::/0"
-    },
-  ]
+  default = []
 }
 
 variable "worker_allowed_ports" {
@@ -304,12 +297,6 @@ variable "worker_allowed_ports_ipv6" {
       "port_range_max"   = 32767
       "remote_ip_prefix" = "::/0"
     },
-    {
-      "protocol"         = "ipv6-icmp"
-      "port_range_min"   = 0
-      "port_range_max"   = 0
-      "remote_ip_prefix" = "::/0"
-    },
   ]
 }
 

contrib/terraform/upcloud/modules/kubernetes-cluster/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>5.29.1"
+      version = "~>5.9.0"
     }
   }
   required_version = ">= 0.13"

contrib/terraform/upcloud/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>5.29.1"
+      version = "~>5.9.0"
     }
   }
   required_version = ">= 0.13"

docs/CNI/cilium.md

@@ -1,13 +1,5 @@
 # Cilium
 
-## Unprivileged agent configuration
-
-By default, Cilium is installed with `securityContext.privileged: false`. You need to set the `kube_owner` variable to `root` in the inventory:
-
-```yml
-kube_owner: root
-```
-
 ## IP Address Management (IPAM)
 
 IP Address Management (IPAM) is responsible for the allocation and management of IP addresses used by network endpoints (container and others) managed by Cilium. The default mode is "Cluster Scope".
@@ -245,7 +237,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: "1.18.6"
+cilium_version: "1.18.5"
 ```
 
 ## Add variable to config

docs/CNI/macvlan.md

@@ -32,7 +32,7 @@ add `kube_proxy_masquerade_all: true` in `group_vars/all/all.yml`
 
 * Disable nodelocaldns
 
-The nodelocal dns IP is not reachable.
+The nodelocal dns IP is not reacheable.
 
 Disable it in `sample/group_vars/k8s_cluster/k8s_cluster.yml`
 

docs/CRI/containerd.md

@@ -65,8 +65,9 @@ In kubespray, the default runtime name is "runc", and it can be configured with
 containerd_runc_runtime:
   name: runc
   type: "io.containerd.runc.v2"
+  engine: ""
+  root: ""
   options:
-    Root: ""
     SystemdCgroup: "false"
     BinaryName: /usr/local/bin/my-runc
   base_runtime_spec: cri-base.json

docs/CRI/cri-o.md

@@ -80,7 +80,7 @@ The `crio_remap_enable` configures the `/etc/subuid` and `/etc/subgid` files to
 By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.
 
 The `crio_default_capabilities` configure the default containers capabilities for the crio.
-Defaults capabilities are:
+Defaults capabilties are:
 
 ```yaml
 crio_default_capabilities:

docs/_sidebar.md

@@ -6,6 +6,7 @@
   * [Downloads](/docs/advanced/downloads.md)
   * [Gcp-lb](/docs/advanced/gcp-lb.md)
   * [Kubernetes-reliability](/docs/advanced/kubernetes-reliability.md)
+  * [Mitogen](/docs/advanced/mitogen.md)
   * [Netcheck](/docs/advanced/netcheck.md)
   * [Ntp](/docs/advanced/ntp.md)
   * [Proxy](/docs/advanced/proxy.md)

docs/advanced/cert_manager.md

@@ -6,7 +6,7 @@
     - [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
       - [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
       - [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
-      - [Create Certificate Signing Request (CSR) Configuration File](#create-certificate-signing-request-csr-configuration-file)
+      - [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
       - [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
 
 Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
@@ -134,7 +134,7 @@ $ cat > ca-config.json <<EOF
 EOF
 ```
 
-#### Create Certificate Signing Request (CSR) Configuration File
+#### Create Certficate Signing Request (CSR) Configuration File
 
 The TLS certificate `names` details can be updated to your own specific requirements.
 

docs/advanced/gcp-lb.md

@@ -1,4 +1,4 @@
-# GCP Load Balancers for type=LoadBalancer of Kubernetes Services
+# GCP Load Balancers for type=LoadBalacer of Kubernetes Services
 
 > **Removed**: Since v1.31 (the Kubespray counterpart is v2.27), Kubernetes no longer supports `cloud_provider`. (except external cloud provider)
 

docs/advanced/mitogen.md

@@ -0,0 +1,30 @@
+# Mitogen
+
+*Warning:* Mitogen support is now deprecated in kubespray due to upstream not releasing an updated version to support ansible 4.x (ansible-base 2.11.x) and above. The CI support has been stripped for mitogen and we are no longer validating any support or regressions for it. The supporting mitogen install playbook and integration documentation will be removed in a later version.
+
+[Mitogen for Ansible](https://mitogen.networkgenomics.com/ansible_detailed.html) allow a 1.25x - 7x speedup and a CPU usage reduction of at least 2x, depending on network conditions, modules executed, and time already spent by targets on useful work. Mitogen cannot improve a module once it is executing, it can only ensure the module executes as quickly as possible.
+
+## Install
+
+```ShellSession
+ansible-playbook contrib/mitogen/mitogen.yml
+```
+
+The above playbook sets the ansible `strategy` and `strategy_plugins` in `ansible.cfg` but you can also enable them if you use your own `ansible.cfg` by setting the environment varialbles:
+
+```ShellSession
+export ANSIBLE_STRATEGY=mitogen_linear
+export ANSIBLE_STRATEGY_PLUGINS=plugins/mitogen/ansible_mitogen/plugins/strategy
+```
+
+... or `ansible.cfg` setup:
+
+```ini
+[defaults]
+strategy_plugins = plugins/mitogen/ansible_mitogen/plugins/strategy
+strategy=mitogen_linear
+```
+
+## Limitation
+
+If you are experiencing problems, please see the [documentation](https://mitogen.networkgenomics.com/ansible_detailed.html#noteworthy-differences).

docs/ansible/ansible.md

@@ -42,10 +42,13 @@ Kubespray expects users to use one of the following variables sources for settin
 |----------------------------------------|------------------------------------------------------------------------------|
 | inventory vars                         |                                                                              |
 |  - **inventory group_vars**            | most used                                                                    |
-|  - inventory host_vars                 | host specific vars overrides, group_vars is usually more practical           |
+|  - inventory host_vars                 | host specifc vars overrides, group_vars is usually more practical            |
 | **extra vars** (always win precedence) | override with ``ansible-playbook -e @foo.yml``                               |
 
-> Extra vars are best used to override kubespray internal variables, for instances, roles/vars/. Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray interface. Thus they can change, disappear, or break stuff unexpectedly.
+[!IMPORTANT]
+Extra vars are best used to override kubespray internal variables, for instances, roles/vars/.
+Those vars are usually **not expected** (by Kubespray developers) to be modified by end users, and not part of Kubespray
+interface. Thus they can change, disappear, or break stuff unexpectedly.
 
 ## Ansible tags
 
@@ -119,7 +122,7 @@ The following tags are defined in playbooks:
 | metrics_server                 | Configuring metrics_server                            |
 | netchecker                     | Installing netchecker K8s app                         |
 | network                        | Configuring networking plugins for K8s                |
-| mounts                         | Umount kubelet dirs when resetting                    |
+| mounts                         | Umount kubelet dirs when reseting                     |
 | multus                         | Network plugin multus                                 |
 | nginx                          | Configuring LB for kube-apiserver instances           |
 | node                           | Configuring K8s minion (compute) node role            |
@@ -178,13 +181,17 @@ ansible-playbook -i inventory/sample/hosts.ini cluster.yml \
 
 Note: use `--tags` and `--skip-tags` wisely and only if you're 100% sure what you're doing.
 
+## Mitogen
+
+Mitogen support is deprecated, please see [mitogen related docs](/docs/advanced/mitogen.md) for usage and reasons for deprecation.
+
 ## Troubleshooting Ansible issues
 
 Having the wrong version of ansible, ansible collections or python dependencies can cause issue.
-In particular, Kubespray ship custom modules which Ansible needs to find, for which you should specify [ANSIBLE_LIBRARY](https://docs.ansible.com/ansible/latest/dev_guide/developing_locally.html#adding-a-module-or-plugin-outside-of-a-collection)
+In particular, Kubespray ship custom modules which Ansible needs to find, for which you should specify [ANSIBLE_LIBRAY](https://docs.ansible.com/ansible/latest/dev_guide/developing_locally.html#adding-a-module-or-plugin-outside-of-a-collection)
 
 ```ShellSession
-export ANSIBLE_LIBRARY=<kubespray_dir>/library`
+export ANSIBLE_LIBRAY=<kubespray_dir>/library`
 ```
 
 A simple way to ensure you get all the correct version of Ansible is to use
@@ -193,11 +200,11 @@ You will then need to use [bind mounts](https://docs.docker.com/storage/bind-mou
 to access the inventory and SSH key in the container, like this:
 
 ```ShellSession
-git checkout v2.30.0
-docker pull quay.io/kubespray/kubespray:v2.30.0
+git checkout v2.29.0
+docker pull quay.io/kubespray/kubespray:v2.29.0
 docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
   --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
-  quay.io/kubespray/kubespray:v2.30.0 bash
+  quay.io/kubespray/kubespray:v2.29.0 bash
 # Inside the container you may now run the kubespray playbooks:
 ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
 ```

docs/developers/ci-setup.md

@@ -6,7 +6,7 @@ See [.gitlab-ci.yml](/.gitlab-ci.yml) and the included files for an overview.
 
 ## Runners
 
-Kubespray has 2 types of GitLab runners, both deployed on the Kubespray CI cluster (hosted on Oracle Cloud Infrastructure):
+Kubespray has 2 types of GitLab runners, both deployed  on the Kubespray CI cluster (hosted on Oracle Cloud Infrastucture):
 
 - pods: use the [gitlab-ci kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes/)
 - vagrant: custom executor running in pods with access to the libvirt socket on the nodes
@@ -156,7 +156,7 @@ kube_feature_gates:
   - "NodeSwap=True"
 ```
 
-## Additional files
+## Aditional files
 
 This section documents additional files used to complete a deployment of the kubespray CI, these files sit on the control-plane node and assume a working kubernetes cluster.
 

docs/developers/ci.md

@@ -15,8 +15,8 @@ fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x
 fedora40 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
-rockylinux10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
+ubuntu20 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu24 |  :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: |
 
@@ -33,8 +33,8 @@ fedora39 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu20 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 
@@ -51,7 +51,7 @@ fedora39 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora40 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 flatcar4081 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 openeuler24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-rockylinux10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 rockylinux9 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
+ubuntu20 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu22 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |
 ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: |

docs/ingress/metallb.md

@@ -21,12 +21,6 @@ metallb_enabled: true
 metallb_speaker_enabled: true
 ```
 
-By default, MetalLB resources are deployed into the `metallb-system` namespace. You can override this namespace using a variable.
-
-```yaml
-metallb_namespace: woodenlb-system
-```
-
 By default only the MetalLB BGP speaker is allowed to run on control plane nodes. If you have a single node cluster or a cluster where control plane are also worker nodes you may need to enable tolerations for the MetalLB controller:
 
 ```yaml
@@ -41,7 +35,7 @@ metallb_config:
       effect: "NoSchedule"
 ```
 
-If you'd like to set additional nodeSelector and tolerations values, you can do so in the following fashion:
+If you'd like to set additional nodeSelector and tolerations values, you can do so in the following fasion:
 
 ```yaml
 metallb_config:

docs/operating_systems/rhel.md

@@ -37,12 +37,4 @@ If you have containers that are using iptables in the host network namespace (`h
 you need to ensure they are using iptables-nft.
 An example how k8s do the autodetection can be found [in this PR](https://github.com/kubernetes/kubernetes/pull/82966)
 
-The kernel version is lower than the kubernetes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).
-
-## Rocky Linux 10
-
-(Experimental in Kubespray CI)
-
-The official Rocky Linux 10 cloud image does not include `kernel-module-extra`. Both Kube Proxy and CNI rely on this package, and since it relates to kernel version compatibility (which may require VM reboots, etc.), we haven't found an ideal solution.
-
-However, some users report that it doesn't affect them (minimal version). Therefore, the Kubespray CI Rocky Linux 10 image is built by Kubespray maintainers using `diskimage-builder`. For detailed methods, please refer to [the comments](https://github.com/kubernetes-sigs/kubespray/pull/12355#issuecomment-3705400093).
+The kernel version is lower than the kubenretes 1.32 system validation, please refer to the [kernel requirements](../operations/kernel-requirements.md).

docs/operations/kernel-requirements.md

@@ -11,7 +11,7 @@ kubeadm_ignore_preflight_errors:
 
 The Kernel Version Matrixs:
 
-| OS Version         | Kernel Version | Kernel >=4.19      |
+| OS Verion          | Kernel Verion  | Kernel >=4.19      |
 |---                 | ---            | ---                |
 | RHEL 9             | 5.14           | :white_check_mark: |
 | RHEL 8             | 4.18           | :x:                |

docs/operations/nodes.md

@@ -31,8 +31,6 @@ That's it.
 
 Append the new host to the inventory and run `cluster.yml`. You can NOT use `scale.yml` for that.
 
-**Note:** When adding new control plane nodes, always append them to the end of the `kube_control_plane` group in your inventory. Adding control plane nodes in the first position is not supported and will cause the playbook to fail.
-
 ### 2) Restart kube-system/nginx-proxy
 
 In all hosts, restart nginx-proxy pod. This pod is a local proxy for the apiserver. Kubespray will update its static config, but it needs to be restarted in order to reload.

galaxy.yml

@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.30.0
+version: 2.29.2
 readme: README.md
 authors:
   - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)

index.html

@@ -38,7 +38,6 @@
     loadSidebar: 'docs/_sidebar.md',
     repo: 'https://github.com/kubernetes-sigs/kubespray',
     auto2top: true,
-    noCompileLinks: ['.*\.ini'],
     logo: '/logo/logo-clear.png'
   }
 </script>

inventory/sample/group_vars/all/containerd.yml

@@ -11,15 +11,15 @@
 # containerd_runc_runtime:
 #   name: runc
 #   type: "io.containerd.runc.v2"
-#   options:
-#     Root: ""
+#   engine: ""
+#   root: ""
 
 # containerd_additional_runtimes:
 # Example for Kata Containers as additional runtime:
 #   - name: kata
 #     type: "io.containerd.kata.v2"
-#     options:
-#       Root: ""
+#     engine: ""
+#     root: ""
 
 # containerd_grpc_max_recv_message_size: 16777216
 # containerd_grpc_max_send_message_size: 16777216

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -22,8 +22,7 @@ local_release_dir: "/tmp/releases"
 # Random shifts for retrying failed ops like pushing/downloading
 retry_stagger: 5
 
-# This is the user that owns the cluster installation.
-# Note: cilium needs to set kube_owner to root https://kubespray.io/#/docs/CNI/cilium?id=unprivileged-agent-configuration
+# This is the user that owns tha cluster installation.
 kube_owner: kube
 
 # This is the group that the cert creation scripts chgrp the

pipeline.Dockerfile

@@ -47,8 +47,8 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && pip install --no-compile --no-cache-dir pip -U \
     && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
     && pip install --no-compile --no-cache-dir -r requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.34.3/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L https://dl.k8s.io/release/v1.33.8/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.33.8/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl \
     # Install Vagrant
     && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \

playbooks/upgrade_cluster.yml

@@ -55,7 +55,7 @@
     - { role: kubernetes-apps/kubelet-csr-approver, tags: kubelet-csr-approver }
     - { role: container-engine, tags: "container-engine", when: deploy_container_engine }
     - { role: kubernetes/node, tags: node }
-    - { role: kubernetes/control-plane, tags: control-plane, upgrade_cluster_setup: true }
+    - { role: kubernetes/control-plane, tags: master, upgrade_cluster_setup: true }
     - { role: kubernetes/client, tags: client }
     - { role: kubernetes/node-label, tags: node-label }
     - { role: kubernetes/node-taint, tags: node-taint }
@@ -100,7 +100,7 @@
   environment: "{{ proxy_disable_env }}"
   roles:
     - { role: kubespray_defaults }
-    - { role: win_nodes/kubernetes_patch, tags: ["control-plane", "win_nodes"] }
+    - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }
 
 - name: Install Calico Route Reflector
   hosts: calico_rr

requirements.txt

@@ -1,7 +1,7 @@
 ansible==10.7.0
 # Needed for community.crypto module
-cryptography==46.0.3
+cryptography==46.0.2
 # Needed for jinja2 json_query templating
-jmespath==1.1.0
+jmespath==1.0.1
 # Needed for ansible.utils.ipaddr
 netaddr==1.3.0

roles/adduser/molecule/default/molecule.yml

@@ -9,8 +9,6 @@ platforms:
     vm_memory: 512
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_ROLES_PATH: ../../../
   config_options:
     defaults:
       callbacks_enabled: profile_tasks

roles/bastion-ssh-config/molecule/default/molecule.yml

@@ -9,8 +9,6 @@ platforms:
     vm_memory: 512
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_ROLES_PATH: ../../../
   config_options:
     defaults:
       callbacks_enabled: profile_tasks

roles/bootstrap_os/molecule/default/molecule.yml

@@ -21,8 +21,6 @@ platforms:
     vm_memory: 512
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_ROLES_PATH: ../../../
   config_options:
     defaults:
       callbacks_enabled: profile_tasks

roles/container-engine/containerd/defaults/main.yml

@@ -13,9 +13,10 @@ containerd_snapshotter: "overlayfs"
 containerd_runc_runtime:
   name: runc
   type: "io.containerd.runc.v2"
+  engine: ""
+  root: ""
   base_runtime_spec: cri-base.json
   options:
-    Root: ""
     SystemdCgroup: "{{ containerd_use_systemd_cgroup | ternary('true', 'false') }}"
     BinaryName: "{{ bin_dir }}/runc"
 
@@ -23,8 +24,8 @@ containerd_additional_runtimes: []
 # Example for Kata Containers as additional runtime:
 #  - name: kata
 #    type: "io.containerd.kata.v2"
-#    options:
-#      Root: ""
+#    engine: ""
+#    root: ""
 
 containerd_base_runtime_spec_rlimit_nofile: 65535
 
@@ -35,8 +36,8 @@ containerd_default_base_runtime_spec_patch:
         hard: "{{ containerd_base_runtime_spec_rlimit_nofile }}"
         soft: "{{ containerd_base_runtime_spec_rlimit_nofile }}"
 
-# Only for containerd < 2.1; discard unpacked layers to save disk space
-# https://github.com/containerd/containerd/blob/release/2.1/docs/cri/config.md#image-pull-configuration-since-containerd-v21
+# Can help reduce disk usage
+# https://github.com/containerd/containerd/discussions/6295
 containerd_discard_unpacked_layers: true
 
 containerd_base_runtime_specs:

roles/container-engine/containerd/templates/config.toml.j2

@@ -52,6 +52,8 @@ oom_score = {{ containerd_oom_score }}
 {% for runtime in [containerd_runc_runtime] + containerd_additional_runtimes %}
        [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.{{ runtime.name }}]
          runtime_type = "{{ runtime.type }}"
+         runtime_engine = "{{ runtime.engine }}"
+         runtime_root = "{{ runtime.root }}"
 {% if runtime.base_runtime_spec is defined %}
          base_runtime_spec = "{{ containerd_cfg_dir }}/{{ runtime.base_runtime_spec }}"
 {% endif %}
@@ -76,9 +78,7 @@ oom_score = {{ containerd_oom_score }}
 
   [plugins."io.containerd.cri.v1.images"]
     snapshotter = "{{ containerd_snapshotter }}"
-{% if containerd_discard_unpacked_layers and containerd_version is version('2.1.0', '<') %}
     discard_unpacked_layers = {{ containerd_discard_unpacked_layers | lower }}
-{% endif %}
     image_pull_progress_timeout = "{{ containerd_image_pull_progress_timeout }}"
   [plugins."io.containerd.cri.v1.images".pinned_images]
     sandbox = "{{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"

roles/container-engine/cri-dockerd/molecule/default/molecule.yml

@@ -25,8 +25,6 @@ provisioner:
     group_vars:
       all:
         become: true
-      k8s_cluster:
-        container_manager: docker
   playbooks:
     create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
     prepare: ../../../molecule/prepare.yml

roles/container-engine/cri-o/defaults/main.yml

@@ -32,8 +32,6 @@ crio_registry_auth: []
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing') | lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
-# Set the pull progress timeout
-crio_pull_progress_timeout: "10s"
 
 # Override system default for storage driver
 # crio_storage_driver: "overlay"

roles/container-engine/cri-o/molecule/default/converge.yml

@@ -2,6 +2,8 @@
 - name: Converge
   hosts: all
   become: true
+  vars:
+    container_manager: crio
   roles:
     - role: kubespray_defaults
     - role: container-engine/cri-o

roles/container-engine/cri-o/molecule/default/molecule.yml

@@ -41,10 +41,6 @@ provisioner:
     defaults:
       callbacks_enabled: profile_tasks
       timeout: 120
-  inventory:
-    group_vars:
-      k8s_cluster:
-        container_manager: crio
   playbooks:
     create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
     prepare: ../../../molecule/prepare.yml

roles/container-engine/cri-o/molecule/default/verify.yml

@@ -2,6 +2,7 @@
 - name: Test CRI-O cri
   import_playbook: ../../../molecule/test_cri.yml
   vars:
+    container_manager: crio
     cri_socket: unix:///var/run/crio/crio.sock
     cri_name: cri-o
 - name: Test running a container with crun

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -348,12 +348,6 @@ signature_policy = "{{ crio_signature_policy }}"
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
 
-# The timeout for an image pull to make progress until the pull operation gets
-# canceled. This value will be also used for calculating the pull progress interval
-# to pull_progress_timeout / 10. Can be set to 0 to disable the timeout as well as
-# the progress output.
-pull_progress_timeout = "{{ crio_pull_progress_timeout }}"
-
 # The crio.network table containers settings pertaining to the management of
 # CNI plugins.
 [crio.network]

roles/container-engine/crictl/tasks/crictl.yml

@@ -0,0 +1,22 @@
+---
+- name: Crictl | Download crictl
+  include_tasks: "../../../download/tasks/download_file.yml"
+  vars:
+    download: "{{ download_defaults | combine(downloads.crictl) }}"
+
+- name: Install crictl config
+  template:
+    src: crictl.yaml.j2
+    dest: /etc/crictl.yaml
+    owner: root
+    mode: "0644"
+
+- name: Copy crictl binary from download dir
+  copy:
+    src: "{{ local_release_dir }}/crictl"
+    dest: "{{ bin_dir }}/crictl"
+    mode: "0755"
+    remote_src: true
+  notify:
+    - Get crictl completion
+    - Install crictl completion

roles/container-engine/crictl/tasks/main.yml

@@ -1,22 +1,3 @@
 ---
-- name: Crictl | Download crictl
-  include_tasks: "../../../download/tasks/download_file.yml"
-  vars:
-    download: "{{ download_defaults | combine(downloads.crictl) }}"
-
-- name: Install crictl config
-  template:
-    src: crictl.yaml.j2
-    dest: /etc/crictl.yaml
-    owner: root
-    mode: "0644"
-
-- name: Copy crictl binary from download dir
-  copy:
-    src: "{{ local_release_dir }}/crictl"
-    dest: "{{ bin_dir }}/crictl"
-    mode: "0755"
-    remote_src: true
-  notify:
-    - Get crictl completion
-    - Install crictl completion
+- name: Install crictl
+  include_tasks: crictl.yml

roles/container-engine/gvisor/molecule/default/molecule.yml

@@ -21,11 +21,6 @@ provisioner:
     defaults:
       callbacks_enabled: profile_tasks
       timeout: 120
-  inventory:
-    group_vars:
-      k8s_cluster:
-        gvisor_enabled: true
-        container_manager: containerd
   playbooks:
     create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
     prepare: ../../../molecule/prepare.yml

roles/container-engine/runc/tasks/main.yml

@@ -12,20 +12,11 @@
     is_ostree: "{{ ostree.stat.exists }}"
 
 - name: Runc | Uninstall runc package managed by package manager
+  package:
+    name: "{{ runc_package_name }}"
+    state: absent
   when:
-    - not is_ostree
-    - ansible_distribution != "Flatcar Container Linux by Kinvolk"
-    - ansible_distribution != "Flatcar"
-  block:
-    - name: Runc | Remove package
-      package:
-        name: "{{ runc_package_name }}"
-        state: absent
-    - name: Runc | Remove orphaned binary
-      file:
-        path: /usr/bin/runc
-        state: absent
-      when: runc_bin_dir != "/usr/bin"
+    - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))
 
 - name: Runc | Download runc binary
   include_tasks: "../../../download/tasks/download_file.yml"
@@ -38,3 +29,10 @@
     dest: "{{ runc_bin_dir }}/runc"
     mode: "0755"
     remote_src: true
+
+- name: Runc | Remove orphaned binary
+  file:
+    path: /usr/bin/runc
+    state: absent
+  when: runc_bin_dir != "/usr/bin"
+  ignore_errors: true  # noqa ignore-errors

roles/container-engine/youki/molecule/default/molecule.yml

@@ -21,11 +21,6 @@ provisioner:
     defaults:
       callbacks_enabled: profile_tasks
       timeout: 120
-  inventory:
-    group_vars:
-      k8s_cluster:
-        youki_enabled: true
-        container_manager: crio
   playbooks:
     create: ../../../../../tests/cloud_playbooks/create-kubevirt.yml
     prepare: ../../../molecule/prepare.yml

roles/kubernetes-apps/common_crds/gateway_api/defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 gateway_api_enabled: false
+gateway_api_version: 1.2.1
 
 # `gateway_api_channel` default is "standard".
 # "standard" release channel includes all resources that have graduated to GA or beta, including GatewayClass, Gateway, HTTPRoute, and ReferenceGrant.

roles/kubernetes-apps/meta/main.yml

@@ -1,7 +1,5 @@
 ---
 dependencies:
-  - role: kubernetes-apps/utils
-
   - role: kubernetes-apps/ansible
     when:
       - inventory_hostname == groups['kube_control_plane'][0]

roles/kubernetes-apps/metallb/defaults/main.yml

@@ -1,7 +1,6 @@
 ---
 metallb_enabled: false
 metallb_log_level: info
-metallb_namespace: "metallb-system"
 metallb_port: "7472"
 metallb_memberlist_port: "7946"
 metallb_speaker_enabled: "{{ metallb_enabled }}"

roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2

@@ -114,4 +114,14 @@ rules:
       - update
       # watch for changes
       - watch
+  # Services are monitored for service LoadBalancer IP allocation
+  - apiGroups: [""]
+    resources:
+      - services
+      - services/status
+    verbs:
+      - get
+      - list
+      - update
+      - watch
 {% endif %}

roles/kubernetes-apps/utils/vars/main.yml

@@ -1,12 +0,0 @@
----
-_kubectl_apply_stdin:
-- "{{ kubectl }}"
-- apply
-- -f
-- "-"
-- -n
-- "{{ k8s_namespace }}"
-- --server-side="{{ server_side_apply | lower }}"
-# TODO: switch to default SSA
-server_side_apply: false
-kubectl_apply_stdin: "{{ _kubectl_apply_stdin | join(' ') }}"

roles/kubernetes-apps/vars/main.yml

@@ -0,0 +1,2 @@
+---
+kubectl_apply_stdin: "{{ kubectl }} apply -f - -n {{ k8s_namespace }}"

roles/kubernetes/control-plane/defaults/main/main.yml

@@ -243,10 +243,6 @@ auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:00:00"
 # we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false
 kubeadm_upgrade_auto_cert_renewal: true
 
-# Add Subject Alternative Names to the Kubernetes apiserver certificates.
-# Useful if you access the API from multiples load balancers, for instance.
-supplementary_addresses_in_ssl_keys: []
-
 # Bash alias of kubectl to interact with Kubernetes cluster much easier
 # kubectl_alias: k
 

roles/kubernetes/control-plane/tasks/define-first-kube-control.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Check which kube-control nodes are already members of the cluster
+  command: "{{ bin_dir }}/kubectl get nodes --selector=node-role.kubernetes.io/control-plane -o json"
+  register: kube_control_planes_raw
+  ignore_errors: true
+  changed_when: false
+
+- name: Set fact joined_control_planes
+  set_fact:
+    joined_control_planes: "{{ ((kube_control_planes_raw.stdout | from_json)['items']) | default([]) | map(attribute='metadata') | map(attribute='name') | list }}"
+  delegate_to: "{{ item }}"
+  loop: "{{ groups['kube_control_plane'] }}"
+  when: kube_control_planes_raw is succeeded
+  run_once: true
+
+- name: Set fact first_kube_control_plane
+  set_fact:
+    first_kube_control_plane: "{{ joined_control_planes | default([]) | first | default(groups['kube_control_plane'] | first) }}"

roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml

@@ -11,23 +11,24 @@
   tags:
     - facts
 
-- name: Obtain kubeadm certificate key for joining control planes nodes
+- name: Upload certificates so they are fresh and not expired
+  command: >-
+    {{ bin_dir }}/kubeadm init phase
+    --config {{ kube_config_dir }}/kubeadm-config.yaml
+    upload-certs
+    --upload-certs
+  register: kubeadm_upload_cert
   when:
+    - inventory_hostname == first_kube_control_plane
     - not kube_external_ca_mode
-  run_once: true
-  block:
-    - name: Upload certificates so they are fresh and not expired
-      command: >-
-        {{ bin_dir }}/kubeadm init phase
-        --config {{ kube_config_dir }}/kubeadm-config.yaml
-        upload-certs
-        --upload-certs
-      register: kubeadm_upload_cert
-      delegate_to: "{{ first_kube_control_plane }}"
 
-    - name: Parse certificate key if not set
-      set_fact:
-        kubeadm_certificate_key: "{{ kubeadm_upload_cert.stdout_lines[-1] | trim }}"
+- name: Parse certificate key if not set
+  set_fact:
+    kubeadm_certificate_key: "{{ hostvars[first_kube_control_plane]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
+  run_once: true
+  when:
+    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is defined
+    - hostvars[first_kube_control_plane]['kubeadm_upload_cert'] is not skipped
 
 - name: Wait for k8s apiserver
   wait_for:

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -25,9 +25,9 @@
 
 - name: Kubeadm | aggregate all SANs
   set_fact:
-    apiserver_sans: "{{ _apiserver_sans | flatten | select | unique }}"
+    apiserver_sans: "{{ (sans_base + groups['kube_control_plane'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_ipv4_address + sans_ipv6_address + sans_override + sans_hostname + sans_fqdn + sans_kube_vip_address) | unique }}"
   vars:
-    _apiserver_sans:
+    sans_base:
       - "kubernetes"
       - "kubernetes.default"
       - "kubernetes.default.svc"
@@ -36,17 +36,17 @@
       - "localhost"
       - "127.0.0.1"
       - "::1"
-      - "{{ apiserver_loadbalancer_domain_name }}"
-      - "{{ loadbalancer_apiserver.address | d('') }}"
-      - "{{ supplementary_addresses_in_ssl_keys }}"
-      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') }}"
-      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_ip') }}"
-      - "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | select('defined') }}"
-      - "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | select('defined') }}"
-      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'ansible_hostname') }}"
-      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'ansible_fqdn') }}"
-      - "{{ kube_override_hostname }}"
-      - "{{ kube_vip_address }}"
+    sans_lb: "{{ [apiserver_loadbalancer_domain_name] if apiserver_loadbalancer_domain_name is defined else [] }}"
+    sans_lb_ip: "{{ [loadbalancer_apiserver.address] if loadbalancer_apiserver is defined and loadbalancer_apiserver.address is defined else [] }}"
+    sans_supp: "{{ supplementary_addresses_in_ssl_keys if supplementary_addresses_in_ssl_keys is defined else [] }}"
+    sans_access_ip: "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') | list | select('defined') | list }}"
+    sans_ip: "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_ip') | list | select('defined') | list }}"
+    sans_ipv4_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list | select('defined') | list }}"
+    sans_ipv6_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | list | select('defined') | list }}"
+    sans_override: "{{ [kube_override_hostname] if kube_override_hostname else [] }}"
+    sans_hostname: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_hostname']) | list | select('defined') | list }}"
+    sans_fqdn: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_fqdn']) | list | select('defined') | list }}"
+    sans_kube_vip_address: "{{ [kube_vip_address] if kube_vip_address is defined and kube_vip_address else [] }}"
   tags: facts
 
 - name: Create audit-policy directory
@@ -179,10 +179,9 @@
       timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
       {{ bin_dir }}/kubeadm init
       --config={{ kube_config_dir }}/kubeadm-config.yaml
-      --ignore-preflight-errors={{ _ignore_errors | flatten | join(',') }}
+      --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
       --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
       {{ kube_external_ca_mode | ternary('', '--upload-certs') }}
-    _ignore_errors: "{{ kubeadm_ignore_preflight_errors }}"
   environment:
     PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
   notify: Control plane | restart kubelet
@@ -196,15 +195,6 @@
     # This retry task is separated from 1st task to show log of failure of 1st task.
     - name: Kubeadm | Initialize first control plane node (retry)
       command: "{{ kubeadm_init_first_control_plane_cmd }}"
-      vars:
-        _errors_from_first_try:
-          - 'FileAvailable--etc-kubernetes-manifests-kube-controller-manager.yaml'
-          - 'FileAvailable--etc-kubernetes-manifests-kube-scheduler.yaml'
-          - 'FileAvailable--etc-kubernetes-manifests-kube-apiserver.yaml'
-          - 'Port-10250'
-        _ignore_errors:
-          - "{{ kubeadm_ignore_preflight_errors }}"
-          - "{{ _errors_from_first_try if 'all' not in kubeadm_ignore_preflight_errors else [] }}"
       register: kubeadm_init
       retries: 2
       until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr

roles/kubernetes/control-plane/tasks/main.yml

@@ -92,6 +92,9 @@
     - upgrade
   ignore_errors: true  # noqa ignore-errors
 
+- name: Define nodes already joined to existing cluster and first_kube_control_plane
+  import_tasks: define-first-kube-control.yml
+
 - name: Include kubeadm setup
   import_tasks: kubeadm-setup.yml
 

roles/kubernetes/kubeadm_common/tasks/main.yml

@@ -3,9 +3,19 @@
   file:
     path: "{{ kubeadm_patches_dir }}"
     state: directory
-    mode: "0640"
+    mode: "0750"
   when: kubeadm_patches | length > 0
 
+- name: Kubeadm | List existing kubeadm patches
+  find:
+    paths:
+      - "{{ kubeadm_patches_dir }}"
+    file_type: file
+    use_regex: true
+    patterns:
+      - '^(kube-apiserver|kube-controller-manager|kube-scheduler|etcd|kubeletconfiguration)[0-9]+\+(strategic|json|merge).yaml$'
+  register: existing_kubeadm_patches
+
 - name: Kubeadm | Copy kubeadm patches from inventory files
   copy:
     content: "{{ item.patch | to_yaml }}"
@@ -15,3 +25,13 @@
   loop: "{{ kubeadm_patches }}"
   loop_control:
     index_var: suffix
+  register: current_kubeadm_patches
+
+- name: Kubeadm | Delete old patches
+  loop: "{{ existing_kubeadm_patches.files | map(attribute='path') |
+            difference(
+            current_kubeadm_patches.results | map(attribute='dest')
+            ) }}"
+  file:
+    state: absent
+    path: "{{ item }}"

roles/kubernetes/node/defaults/main.yml

@@ -61,6 +61,8 @@ eviction_hard_control_plane: {}
 kubelet_status_update_frequency: 10s
 
 # kube-vip
+kube_vip_version: 0.8.0
+
 kube_vip_arp_enabled: false
 kube_vip_interface:
 kube_vip_services_interface:
@@ -78,6 +80,7 @@ kube_vip_bgp_peeraddress:
 kube_vip_bgp_peerpass:
 kube_vip_bgp_peeras: 65000
 kube_vip_bgppeers:
+kube_vip_address:
 kube_vip_enableServicesElection: false
 kube_vip_lb_enable: false
 kube_vip_leasename: plndr-cp-lock

roles/kubernetes/node/tasks/loadbalancer/haproxy.yml

@@ -18,7 +18,14 @@
     owner: root
     mode: "0755"
     backup: true
-  register: haproxy_conf
+
+- name: Haproxy | Get checksum from config
+  stat:
+    path: "{{ haproxy_config_dir }}/haproxy.cfg"
+    get_attributes: false
+    get_checksum: true
+    get_mime: false
+  register: haproxy_stat
 
 - name: Haproxy | Write static pod
   template:

roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml

@@ -18,7 +18,14 @@
     owner: root
     mode: "0755"
     backup: true
-  register: nginx_conf
+
+- name: Nginx-proxy | Get checksum from config
+  stat:
+    path: "{{ nginx_config_dir }}/nginx.conf"
+    get_attributes: false
+    get_checksum: true
+    get_mime: false
+  register: nginx_stat
 
 - name: Nginx-proxy | Write static pod
   template:

roles/kubernetes/node/templates/loadbalancer/haproxy.cfg.j2

@@ -32,7 +32,7 @@ frontend healthz
 frontend kube_api_frontend
   bind 127.0.0.1:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }}
   {% if ipv6_stack -%}
-  bind [::1]:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }}
+  bind [::1]:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }};
   {% endif -%}
   mode tcp
   option tcplog

roles/kubernetes/node/templates/manifests/haproxy.manifest.j2

@@ -7,7 +7,7 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
     k8s-app: kube-haproxy
   annotations:
-    haproxy-cfg-checksum: "{{ haproxy_conf.checksum }}"
+    haproxy-cfg-checksum: "{{ haproxy_stat.stat.checksum }}"
 spec:
   hostNetwork: true
   dnsPolicy: ClusterFirstWithHostNet

roles/kubernetes/node/templates/manifests/kube-vip.manifest.j2

@@ -1,4 +1,4 @@
-# Inspired by https://github.com/kube-vip/kube-vip/blob/v1.0.3/pkg/kubevip/config_generator.go#L103
+# Inspired by https://github.com/kube-vip/kube-vip/blob/v0.8.0/pkg/kubevip/config_generator.go#L103
 apiVersion: v1
 kind: Pod
 metadata:
@@ -27,7 +27,7 @@ spec:
       value: {{ kube_vip_services_interface | string | to_json }}
 {% endif %}
 {% if kube_vip_cidr %}
-    - name: vip_{{ "subnet" if kube_vip_version is version('0.9.0', '>=') else "cidr" }}
+    - name: vip_cidr
       value: {{ kube_vip_cidr | string | to_json }}
 {% endif %}
 {% if kube_vip_dns_mode %}
@@ -113,8 +113,6 @@ spec:
         add:
         - NET_ADMIN
         - NET_RAW
-        drop:
-        - ALL
 {% endif %}
     volumeMounts:
     - mountPath: /etc/kubernetes/admin.conf

roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2

@@ -7,7 +7,7 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
     k8s-app: kube-nginx
   annotations:
-    nginx-cfg-checksum: "{{ nginx_conf.checksum }}"
+    nginx-cfg-checksum: "{{ nginx_stat.stat.checksum }}"
 spec:
   hostNetwork: true
   dnsPolicy: ClusterFirstWithHostNet

roles/kubernetes/preinstall/tasks/0081-ntp-configurations.yml

@@ -74,34 +74,8 @@
     - not is_fedora_coreos
     - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
 
-- name: Gather selinux facts
-  ansible.builtin.setup:
-    gather_subset: selinux
-  when:
-    - ntp_timezone
-    - ansible_os_family == "RedHat"
-
-- name: Put SELinux in permissive mode, logging actions that would be blocked.
-  ansible.posix.selinux:
-    policy: targeted
-    state: permissive
-  when:
-    - ntp_timezone
-    - ansible_os_family == "RedHat"
-    - ansible_facts.selinux.status == 'enabled'
-    - ansible_facts.selinux.mode == 'enforcing'
-
-- name: Set ntp_timezone
+- name: Set timezone
   community.general.timezone:
     name: "{{ ntp_timezone }}"
   when:
     - ntp_timezone
-
-- name: Re-enable SELinux
-  ansible.posix.selinux:
-    policy: targeted
-    state: "{{ preinstall_selinux_state }}"
-  when:
-    - ntp_timezone
-    - ansible_os_family == "RedHat"
-    - ansible_facts.selinux.status == 'enabled'

roles/kubespray_defaults/defaults/main/download.yml

@@ -116,7 +116,7 @@ flannel_version: 0.27.3
 flannel_cni_version: 1.7.1-flannel1
 cni_version: "{{ (cni_binary_checksums['amd64'] | dict2items)[0].key }}"
 
-cilium_version: "1.18.6"
+cilium_version: "1.18.5"
 cilium_cli_version: "{{ (ciliumcli_binary_checksums['amd64'] | dict2items)[0].key }}"
 cilium_enable_hubble: false
 
@@ -142,7 +142,7 @@ scheduler_plugins_version: "{{ scheduler_plugins_supported_versions[kube_major_v
 
 yq_version: "{{ (yq_checksums['amd64'] | dict2items)[0].key }}"
 
-gateway_api_version: "{{ (gateway_api_standard_crds_checksums.no_arch | dict2items)[0].key }}"
+gateway_api_version: "1.2.1"
 gateway_api_channel: "standard"
 
 prometheus_operator_crds_version: "{{ (prometheus_operator_crds_checksums.no_arch | dict2items)[0].key }}"
@@ -265,9 +265,8 @@ multus_image_tag: "v{{ multus_version }}"
 external_openstack_cloud_controller_image_repo: "{{ kube_image_repo }}/provider-os/openstack-cloud-controller-manager"
 external_openstack_cloud_controller_image_tag: "v1.32.0"
 
-kube_vip_version: 1.0.3
 kube_vip_image_repo: "{{ github_image_repo }}/kube-vip/kube-vip{{ '-iptables' if kube_vip_lb_fwdmethod == 'masquerade' else '' }}"
-kube_vip_image_tag: "v{{ kube_vip_version }}"
+kube_vip_image_tag: v0.8.9
 nginx_image_repo: "{{ docker_image_repo }}/library/nginx"
 nginx_image_tag: 1.28.0-alpine
 haproxy_image_repo: "{{ docker_image_repo }}/library/haproxy"
@@ -277,9 +276,9 @@ haproxy_image_tag: 3.2.4-alpine
 # bundle with kubeadm; if not 'basic' upgrade can sometimes fail
 
 coredns_supported_versions:
-  '1.34': 1.12.1
   '1.33': 1.12.0
   '1.32': 1.11.3
+  '1.31': 1.11.3
 coredns_version: "{{ coredns_supported_versions[kube_major_version] }}"
 coredns_image_repo: "{{ kube_image_repo }}{{ '/coredns' if coredns_version is version('1.7.1', '>=') else '' }}/coredns"
 coredns_image_tag: "{{ 'v' if coredns_version is version('1.7.1', '>=') else '' }}{{ coredns_version }}"
@@ -327,22 +326,22 @@ cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-we
 cert_manager_webhook_image_tag: "v{{ cert_manager_version }}"
 
 csi_attacher_image_repo: "{{ kube_image_repo }}/sig-storage/csi-attacher"
-csi_attacher_image_tag: "v4.4.2"
+csi_attacher_image_tag: "v3.3.0"
 csi_provisioner_image_repo: "{{ kube_image_repo }}/sig-storage/csi-provisioner"
-csi_provisioner_image_tag: "v3.6.2"
+csi_provisioner_image_tag: "v3.0.0"
 csi_snapshotter_image_repo: "{{ kube_image_repo }}/sig-storage/csi-snapshotter"
-csi_snapshotter_image_tag: "v6.3.2"
+csi_snapshotter_image_tag: "v5.0.0"
 csi_resizer_image_repo: "{{ kube_image_repo }}/sig-storage/csi-resizer"
-csi_resizer_image_tag: "v1.9.2"
+csi_resizer_image_tag: "v1.3.0"
 csi_node_driver_registrar_image_repo: "{{ kube_image_repo }}/sig-storage/csi-node-driver-registrar"
 csi_node_driver_registrar_image_tag: "v2.4.0"
 csi_livenessprobe_image_repo: "{{ kube_image_repo }}/sig-storage/livenessprobe"
-csi_livenessprobe_image_tag: "v2.11.0"
+csi_livenessprobe_image_tag: "v2.5.0"
 
 snapshot_controller_supported_versions:
-  '1.34': "v7.0.2"
   '1.33': "v7.0.2"
   '1.32': "v7.0.2"
+  '1.31': "v7.0.2"
 snapshot_controller_image_repo: "{{ kube_image_repo }}/sig-storage/snapshot-controller"
 snapshot_controller_image_tag: "{{ snapshot_controller_supported_versions[kube_major_version] }}"
 
@@ -787,9 +786,9 @@ downloads:
     url: "{{ calico_crds_download_url }}"
     unarchive: true
     unarchive_extra_opts:
-      - "--strip=3"
+      - "{{ '--strip=6' if (calico_version is version('3.22.3', '<')) else '--strip=3' }}"
       - "--wildcards"
-      - "*/libcalico-go/config/crd/"
+      - "{{ '*/_includes/charts/calico/crds/kdd/' if (calico_version is version('3.22.3', '<')) else '*/libcalico-go/config/crd/' }}"
     owner: "root"
     mode: "0755"
     groups:
@@ -1038,15 +1037,6 @@ downloads:
     groups:
       - kube_node
 
-  csi_livenessprobe:
-    enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
-    container: true
-    repo: "{{ csi_livenessprobe_image_repo }}"
-    tag: "{{ csi_livenessprobe_image_tag }}"
-    checksum: "{{ csi_livenessprobe_digest_checksum | default(None) }}"
-    groups:
-      - kube_node
-
   csi_node_driver_registrar:
     enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
     container: true

roles/kubespray_defaults/defaults/main/main.yml

@@ -96,7 +96,6 @@ ignore_assert_errors: false
 # kube-vip
 kube_vip_enabled: false
 kube_vip_lb_fwdmethod: local
-kube_vip_address:
 
 # nginx-proxy configure
 nginx_config_dir: "/etc/nginx"
@@ -633,8 +632,6 @@ ssl_ca_dirs: |-
   {% endif -%}
   ]
 
-# used for delegating tasks on a working control plane node
-first_kube_control_plane: "{{ groups['kube_control_plane'] | first }}"
 # Vars for pointing to kubernetes api endpoints
 kube_apiserver_count: "{{ groups['kube_control_plane'] | length }}"
 kube_apiserver_address: "{{ hostvars[inventory_hostname]['main_ip'] }}"
@@ -647,8 +644,8 @@ apiserver_loadbalancer_domain_name: "{{ 'localhost' if loadbalancer_apiserver_lo
 kube_apiserver_global_endpoint: |-
   {% if loadbalancer_apiserver is defined -%}
       https://{{ apiserver_loadbalancer_domain_name | ansible.utils.ipwrap }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
-  {%- elif loadbalancer_apiserver_localhost -%}
-      https://localhost:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }}
+  {%- elif loadbalancer_apiserver_localhost and (loadbalancer_apiserver_port is not defined or loadbalancer_apiserver_port == kube_apiserver_port) -%}
+      https://localhost:{{ kube_apiserver_port }}
   {%- else -%}
       https://{{ first_kube_control_plane_address | ansible.utils.ipwrap }}:{{ kube_apiserver_port }}
   {%- endif %}

roles/kubespray_defaults/vars/main/main.yml

@@ -7,14 +7,14 @@ kube_next: "{{ ((kube_version | split('.'))[1] | int) + 1 }}"
 kube_major_next_version: "1.{{ kube_next }}"
 
 pod_infra_supported_versions:
-  '1.34': '3.10.1'
   '1.33': '3.10'
   '1.32': '3.10'
+  '1.31': '3.10'
 
 etcd_supported_versions:
-  '1.34': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
   '1.33': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
   '1.32': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
+  '1.31': "{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 # Kubespray constants
 
 kube_proxy_deployed: "{{ 'addon/kube-proxy' not in kubeadm_init_phases_skip }}"

roles/network_plugin/calico/tasks/check.yml

@@ -61,7 +61,6 @@
         executable: /bin/bash
       register: calico_version_on_server
       changed_when: false
-      check_mode: false
 
     - name: Assert that current calico version is enough for upgrade
       assert:

roles/network_plugin/calico/tasks/install.yml

@@ -126,9 +126,23 @@
     - ('kube_control_plane' in group_names)
     - calico_datastore == "kdd"
   block:
+    - name: Calico | Check if extra directory is needed
+      stat:
+        path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/{{ 'kdd' if (calico_version is version('3.22.3', '<')) else 'crd' }}"
+      register: kdd_path
+    - name: Calico | Set kdd path when calico < v3.22.3
+      set_fact:
+        calico_kdd_path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds{{ '/kdd' if kdd_path.stat.exists is defined and kdd_path.stat.exists }}"
+      when:
+        - calico_version is version('3.22.3', '<')
+    - name: Calico | Set kdd path when calico > 3.22.2
+      set_fact:
+        calico_kdd_path: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds{{ '/crd' if kdd_path.stat.exists is defined and kdd_path.stat.exists }}"
+      when:
+        - calico_version is version('3.22.2', '>')
     - name: Calico | Create calico manifests for kdd
       assemble:
-        src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds/crd/"
+        src: "{{ calico_kdd_path }}"
         dest: "{{ kube_config_dir }}/kdd-crds.yml"
         mode: "0644"
         delimiter: "---\n"

roles/network_plugin/calico/templates/kubernetes-services-endpoint.yml.j2

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   name: kubernetes-services-endpoint
 data:
-{% if calico_bpf_enabled or loadbalancer_apiserver_localhost %}
+{% if calico_bpf_enabled %}
   KUBERNETES_SERVICE_HOST: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
   KUBERNETES_SERVICE_PORT: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
 {% endif %}

roles/network_plugin/cilium/defaults/main.yml

@@ -1,6 +1,8 @@
 ---
 cilium_min_version_required: "1.15"
 
+# remove migrate after 2.29 released
+cilium_remove_old_resources: false
 # Log-level
 cilium_debug: false
 

roles/network_plugin/cilium/tasks/install.yml

@@ -30,6 +30,13 @@
   when:
     - cilium_identity_allocation_mode == "kvstore"
 
+- name: Cilium | Enable portmap addon
+  template:
+    src: 000-cilium-portmap.conflist.j2
+    dest: /etc/cni/net.d/000-cilium-portmap.conflist
+    mode: "0644"
+  when: cilium_enable_portmap
+
 - name: Cilium | Render values
   template:
     src: values.yaml.j2

roles/network_plugin/cilium/tasks/main.yml

@@ -5,5 +5,10 @@
 - name: Cilium install
   include_tasks: install.yml
 
+# Remove after 2.29 released
+- name: Cilium remove old resources
+  when: cilium_remove_old_resources
+  include_tasks: remove_old_resources.yml
+
 - name: Cilium apply
   include_tasks: apply.yml

roles/network_plugin/cilium/tasks/remove_old_resources.yml

@@ -0,0 +1,45 @@
+---
+# Remove after 2.29 released
+- name: Cilium | Delete Old Resource
+  command: |
+    {{ kubectl }} delete {{ item.kind | lower }} {{ item.name }} \
+    {{ '-n kube-system' if item.kind not in ['ClusterRole', 'ClusterRoleBinding'] else '' }} \
+  loop:
+    - { kind: ServiceAccount, name: cilium }
+    - { kind: ServiceAccount, name: cilium-operator }
+    - { kind: ServiceAccount, name: hubble-generate-certs }
+    - { kind: ServiceAccount, name: hubble-relay }
+    - { kind: ServiceAccount, name: hubble-ui }
+    - { kind: Service, name: hubble-metrics }
+    - { kind: Service, name: hubble-relay-metrics }
+    - { kind: Service, name: hubble-relay }
+    - { kind: Service, name: hubble-ui }
+    - { kind: Service, name: hubble-peer }
+    - { kind: Deployment, name: cilium-operator }
+    - { kind: Deployment, name: hubble-relay }
+    - { kind: Deployment, name: hubble-ui }
+    - { kind: DaemonSet, name: cilium }
+    - { kind: CronJob, name: hubble-generate-certs }
+    - { kind: Job, name: hubble-generate-certs }
+    - { kind: ConfigMap, name: cilium-config }
+    - { kind: ConfigMap, name: ip-masq-agent }
+    - { kind: ConfigMap, name: hubble-relay-config }
+    - { kind: ConfigMap, name: hubble-ui-nginx }
+    - { kind: ClusterRole, name: cilium }
+    - { kind: ClusterRole, name: cilium-operator }
+    - { kind: ClusterRole, name: hubble-generate-certs }
+    - { kind: ClusterRole, name: hubble-relay }
+    - { kind: ClusterRole, name: hubble-ui }
+    - { kind: ClusterRoleBinding, name: cilium }
+    - { kind: ClusterRoleBinding, name: cilium-operator }
+    - { kind: ClusterRoleBinding, name: hubble-generate-certs }
+    - { kind: ClusterRoleBinding, name: hubble-relay }
+    - { kind: ClusterRoleBinding, name: hubble-ui }
+    - { kind: Secret, name: hubble-ca-secret }
+    - { kind: Secret, name: hubble-relay-client-certs }
+    - { kind: Secret, name: hubble-server-certs }
+  register: patch_result
+  when: inventory_hostname == groups['kube_control_plane'][0]
+  failed_when:
+    - patch_result.rc != 0
+    - "'not found' not in patch_result.stderr"