fix: skip multus when not defined (#10934)

fix task failure:
TASK [kubernetes-apps/network_plugin/multus : Multus | Start resources] ************************************************
fatal: [hfal12k8n1 -> {{ groups['kube_control_plane'][0] }}]: FAILED! => {"msg": "Error in jmespath.search in json_query filter plugin:\n'ansible.vars.hostvars.HostVarsVars object' has no attribute 'multus_manifest_2'"}

.github/dependabot.yml

@@ -4,4 +4,6 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    labels: [ "dependencies" ]
+    labels:
+      - dependencies
+      - release-note-none

.gitlab-ci.yml

@@ -1,12 +1,9 @@
 ---
 stages:
   - build
-  - unit-tests
+  - test
   - deploy-part1
-  - moderator
-  - deploy-part2
-  - deploy-part3
-  - deploy-special
+  - deploy-extended
 
 variables:
   KUBESPRAY_VERSION: v2.25.0
@@ -43,15 +40,26 @@ before_script:
 
 .job: &job
   tags:
-    - packet
+    - ffci
   image: $PIPELINE_IMAGE
   artifacts:
     when: always
     paths:
       - cluster-dump/
+  needs:
+    - pipeline-image
+
+.job-moderated:
+  extends: .job
+  needs:
+    - pipeline-image
+    - ci-not-authorized
+    - check-galaxy-version  # lint
+    - pre-commit            # lint
+    - vagrant-validate      # lint
 
 .testcases: &testcases
-  <<: *job
+  extends: .job-moderated
   retry: 1
   interruptible: true
   before_script:
@@ -61,18 +69,34 @@ before_script:
   script:
     - ./tests/scripts/testcases_run.sh
   after_script:
-    - chronic ./tests/scripts/testcases_cleanup.sh
+    - ./tests/scripts/testcases_cleanup.sh
 
 # For failfast, at least 1 job must be defined in .gitlab-ci.yml
 # Premoderated with manual actions
-ci-authorized:
-  extends: .job
-  stage: moderator
+ci-not-authorized:
+  stage: build
+  before_script: []
+  after_script: []
+  rules:
+    # LGTM or ok-to-test labels
+    - if: $PR_LABELS =~ /.*,(lgtm|approved|ok-to-test).*|^(lgtm|approved|ok-to-test).*/i
+      variables:
+        CI_OK_TO_TEST: '0'
+      when: always
+    - if: $CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "trigger"
+      variables:
+        CI_OK_TO_TEST: '0'
+    - if: $CI_COMMIT_BRANCH == "master"
+      variables:
+        CI_OK_TO_TEST: '0'
+    - when: always
+      variables:
+        CI_OK_TO_TEST: '1'
   script:
-    - /bin/sh scripts/premoderator.sh
-  except: ['triggers', 'master']
-  # Disable ci moderator
-  only: []
+    - exit $CI_OK_TO_TEST
+  tags:
+    - ffci
+  needs: []
 
 include:
   - .gitlab-ci/build.yml

.gitlab-ci/build.yml

@@ -1,40 +1,32 @@
 ---
-.build:
+.build-container:
+  cache:
+    key: $CI_COMMIT_REF_SLUG
+    paths:
+      - image-cache
+  tags:
+    - ffci
   stage: build
   image:
-    name: moby/buildkit:rootless
-    entrypoint: [""]
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: ['']
   variables:
-    BUILDKITD_FLAGS: --oci-worker-no-process-sandbox
+    TAG: $CI_COMMIT_SHORT_SHA
+    PROJECT_DIR: $CI_PROJECT_DIR
+    DOCKERFILE: Dockerfile
+    GODEBUG: "http2client=0"
   before_script:
-    - mkdir ~/.docker
-    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > ~/.docker/config.json
-
-pipeline image:
-  extends: .build
+    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json
   script:
-    - |
-      buildctl-daemonless.sh build \
-        --frontend=dockerfile.v0 \
-        --local context=. \
-        --local dockerfile=. \
-        --opt filename=./pipeline.Dockerfile \
-        --output type=image,name=$PIPELINE_IMAGE,push=true \
-        --import-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache
-  rules:
-    - if: '$CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
+    - /kaniko/executor --cache=true
+                       --cache-dir=image-cache
+                       --context $PROJECT_DIR
+                       --dockerfile $PROJECT_DIR/$DOCKERFILE
+                       --label 'git-branch'=$CI_COMMIT_REF_SLUG
+                       --label 'git-tag=$CI_COMMIT_TAG'
+                       --destination $PIPELINE_IMAGE
 
-pipeline image and build cache:
-  extends: .build
-  script:
-    - |
-      buildctl-daemonless.sh build \
-        --frontend=dockerfile.v0 \
-        --local context=. \
-        --local dockerfile=. \
-        --opt filename=./pipeline.Dockerfile \
-        --output type=image,name=$PIPELINE_IMAGE,push=true \
-        --import-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache \
-        --export-cache type=registry,ref=$CI_REGISTRY_IMAGE/pipeline:cache,mode=max
-  rules:
-    - if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
+pipeline-image:
+  extends: .build-container
+  variables:
+    DOCKERFILE: pipeline.Dockerfile

.gitlab-ci/lint.yml

@@ -1,40 +1,35 @@
 ---
-generate-pre-commit:
-  image: 'mikefarah/yq@sha256:bcb889a1f9bdb0613c8a054542d02360c2b1b35521041be3e1bd8fbd0534d411'
-  stage: build
-  before_script: []
+pre-commit:
+  stage: test
+  tags:
+  - ffci
+  image: 'ghcr.io/pre-commit-ci/runner-image@sha256:aaf2c7b38b22286f2d381c11673bec571c28f61dd086d11b43a1c9444a813cef'
+  variables:
+    PRE_COMMIT_HOME: /pre-commit-cache
   script:
-    - >
-      yq -r < .pre-commit-config.yaml '.repos[].hooks[].id' |
-      sed 's/^/      - /' |
-      cat .gitlab-ci/pre-commit-dynamic-stub.yml - > pre-commit-generated.yml
-  artifacts:
+  - pre-commit run --all-files
+  cache:
+    key: pre-commit-all
     paths:
-      - pre-commit-generated.yml
-
-run-pre-commit:
-  stage: unit-tests
-  trigger:
-    include:
-      - artifact: pre-commit-generated.yml
-        job: generate-pre-commit
-    strategy: depend
+    - /pre-commit-cache
+  needs: []
 
 vagrant-validate:
   extends: .job
-  stage: unit-tests
-  tags: [light]
+  stage: test
+  tags: [ffci]
   variables:
     VAGRANT_VERSION: 2.3.7
   script:
-    - ./tests/scripts/vagrant-validate.sh
+  - ./tests/scripts/vagrant-validate.sh
   except: ['triggers', 'master']
 
 
 # TODO: convert to pre-commit hook
 check-galaxy-version:
-  stage: unit-tests
-  tags: [light]
+  needs: []
+  stage: test
+  tags: [ffci]
   image: python:3
   script:
-    - tests/scripts/check_galaxy_version.sh
+  - tests/scripts/check_galaxy_version.sh

.gitlab-ci/molecule.yml

@@ -1,30 +1,42 @@
 ---
-
 .molecule:
-  tags: [c3.small.x86]
+  tags: [ffci-vm-med]
   only: [/^pr-.*$/]
   except: ['triggers']
-  image: $PIPELINE_IMAGE
+  image: quay.io/kubespray/vm-kubespray-ci:v6
   services: []
   stage: deploy-part1
+  needs: []
+  # - ci-not-authorized
+  variables:
+    VAGRANT_DEFAULT_PROVIDER: "libvirt"
   before_script:
-    - tests/scripts/rebase.sh
-    - ./tests/scripts/vagrant_clean.sh
+  - groups
+  - python3 -m venv citest
+  - source citest/bin/activate
+  - vagrant plugin expunge --reinstall --force --no-tty
+  - vagrant plugin install vagrant-libvirt
+  - pip install --no-compile --no-cache-dir pip -U
+  - pip install --no-compile --no-cache-dir -r $CI_PROJECT_DIR/requirements.txt
+  - pip install --no-compile --no-cache-dir -r $CI_PROJECT_DIR/tests/requirements.txt
+  - ./tests/scripts/rebase.sh
+  - ./tests/scripts/vagrant_clean.sh
   script:
-    - ./tests/scripts/molecule_run.sh
+  - ./tests/scripts/molecule_run.sh
   after_script:
-    - chronic ./tests/scripts/molecule_logs.sh
+  - ./tests/scripts/molecule_logs.sh
   artifacts:
     when: always
     paths:
-      - molecule_logs/
+    - molecule_logs/
 
 # CI template for periodic CI jobs
 # Enabled when PERIODIC_CI_ENABLED var is set
+
 .molecule_periodic:
   only:
     variables:
-      - $PERIODIC_CI_ENABLED
+    - $PERIODIC_CI_ENABLED
   allow_failure: true
   extends: .molecule
 
@@ -34,50 +46,50 @@ molecule_full:
 molecule_no_container_engines:
   extends: .molecule
   script:
-    - ./tests/scripts/molecule_run.sh -e container-engine
+  - ./tests/scripts/molecule_run.sh -e container-engine
   when: on_success
 
 molecule_docker:
   extends: .molecule
   script:
-    - ./tests/scripts/molecule_run.sh -i container-engine/cri-dockerd
+  - ./tests/scripts/molecule_run.sh -i container-engine/cri-dockerd
   when: on_success
 
 molecule_containerd:
   extends: .molecule
   script:
-    - ./tests/scripts/molecule_run.sh -i container-engine/containerd
+  - ./tests/scripts/molecule_run.sh -i container-engine/containerd
   when: on_success
 
 molecule_cri-o:
   extends: .molecule
-  stage: deploy-part2
+  stage: deploy-part1
   script:
-    - ./tests/scripts/molecule_run.sh -i container-engine/cri-o
+  - ./tests/scripts/molecule_run.sh -i container-engine/cri-o
   allow_failure: true
   when: on_success
 
-# Stage 3 container engines don't get as much attention so allow them to fail
-molecule_kata:
-  extends: .molecule
-  stage: deploy-part3
-  script:
-    - ./tests/scripts/molecule_run.sh -i container-engine/kata-containers
-  when: manual
-# FIXME: this test is broken (perma-failing)
+# # Stage 3 container engines don't get as much attention so allow them to fail
+# molecule_kata:
+#   extends: .molecule
+#   stage: deploy-extended
+#   script:
+#     - ./tests/scripts/molecule_run.sh -i container-engine/kata-containers
+#   when: manual
+# # FIXME: this test is broken (perma-failing)
 
 molecule_gvisor:
   extends: .molecule
-  stage: deploy-part3
+  stage: deploy-extended
   script:
-    - ./tests/scripts/molecule_run.sh -i container-engine/gvisor
+  - ./tests/scripts/molecule_run.sh -i container-engine/gvisor
   when: manual
 # FIXME: this test is broken (perma-failing)
 
 molecule_youki:
   extends: .molecule
-  stage: deploy-part3
+  stage: deploy-extended
   script:
-    - ./tests/scripts/molecule_run.sh -i container-engine/youki
+  - ./tests/scripts/molecule_run.sh -i container-engine/youki
   when: manual
 # FIXME: this test is broken (perma-failing)

.gitlab-ci/packet.yml

@@ -6,14 +6,56 @@
     CI_PLATFORM: packet
     SSH_USER: kubespray
   tags:
-    - packet
-  except: [triggers]
+    - ffci
+  needs:
+    - pipeline-image
+    - ci-not-authorized
 
 # CI template for PRs
 .packet_pr:
-  only: [/^pr-.*$/]
+  stage: deploy-part1
+  rules:
+    - if: $PR_LABELS =~ /.*ci-short.*/
+      when: manual
+      allow_failure: true
+    - if: $CI_COMMIT_BRANCH =~ /^pr-.*$/
+      when: on_success
+    - when: manual
+      allow_failure: true
   extends: .packet
 
+  ## Uncomment this to have multiple stages
+  # needs:
+  #   - packet_ubuntu20-calico-all-in-one
+
+.packet_pr_short:
+  stage: deploy-part1
+  extends: .packet
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^pr-.*$/
+      when: on_success
+    - when: manual
+      allow_failure: true
+
+.packet_pr_manual:
+  extends: .packet_pr
+  stage: deploy-extended
+  rules:
+    - if: $PR_LABELS =~ /.*ci-full.*/
+      when: on_success
+    # Else run as manual
+    - when: manual
+      allow_failure: true
+
+.packet_pr_extended:
+  extends: .packet_pr
+  stage: deploy-extended
+  rules:
+    - if: $PR_LABELS =~ /.*(ci-extended|ci-full).*/
+      when: on_success
+    - when: manual
+      allow_failure: true
+
 # CI template for periodic CI jobs
 # Enabled when PERIODIC_CI_ENABLED var is set
 .packet_periodic:
@@ -34,314 +76,172 @@ packet_cleanup_old:
 # The ubuntu20-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 packet_ubuntu20-calico-all-in-one:
   stage: deploy-part1
-  extends: .packet_pr
-  when: on_success
+  extends: .packet_pr_short
   variables:
     RESET_CHECK: "true"
 
 # ### PR JOBS PART2
 
-packet_ubuntu20-all-in-one-docker:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_ubuntu20-calico-all-in-one-hardening:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_ubuntu22-all-in-one-docker:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
+packet_ubuntu20-crio:
+  extends: .packet_pr_manual
 
 packet_ubuntu22-calico-all-in-one:
-  stage: deploy-part2
   extends: .packet_pr
-  when: on_success
-
-packet_ubuntu24-all-in-one-docker:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_ubuntu24-calico-all-in-one:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
 
 packet_ubuntu24-calico-etcd-datastore:
-  stage: deploy-part2
   extends: .packet_pr
-  when: on_success
-
-packet_centos7-flannel-addons-ha:
-  extends: .packet_pr
-  stage: deploy-part2
-  when: on_success
 
 packet_almalinux8-crio:
   extends: .packet_pr
-  stage: deploy-part2
-  when: on_success
-  allow_failure: true
-
-packet_ubuntu20-crio:
-  extends: .packet_pr
-  stage: deploy-part2
-  when: manual
-
-packet_fedora37-crio:
-  extends: .packet_pr
-  stage: deploy-part2
-  when: manual
-
-packet_ubuntu20-flannel-ha:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_debian10-cilium-svc-proxy:
-  stage: deploy-part2
-  extends: .packet_periodic
-  when: on_success
-
-packet_debian10-calico:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_debian10-docker:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_debian11-calico:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_debian11-docker:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_debian12-calico:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_debian12-docker:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
-packet_debian12-cilium:
-  stage: deploy-part2
-  extends: .packet_periodic
-  when: on_success
-
-packet_centos7-calico-ha-once-localhost:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-  variables:
-    # This will instruct Docker not to start over TLS.
-    DOCKER_TLS_CERTDIR: ""
-  services:
-    - docker:19.03.9-dind
 
 packet_almalinux8-kube-ovn:
-  stage: deploy-part2
   extends: .packet_pr
-  when: on_success
 
-packet_almalinux8-calico:
-  stage: deploy-part2
+packet_debian11-calico:
+  extends: .packet_pr
+
+packet_debian11-macvlan:
+  extends: .packet_pr
+
+packet_debian12-cilium:
   extends: .packet_pr
-  when: on_success
 
 packet_rockylinux8-calico:
-  stage: deploy-part2
   extends: .packet_pr
-  when: on_success
-
-packet_rockylinux9-calico:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
 
 packet_rockylinux9-cilium:
-  stage: deploy-part2
   extends: .packet_pr
-  when: on_success
   variables:
     RESET_CHECK: "true"
 
-packet_almalinux8-docker:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-
 packet_amazon-linux-2-all-in-one:
-  stage: deploy-part2
   extends: .packet_pr
-  when: on_success
-
-packet_fedora38-docker-weave:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: on_success
-  allow_failure: true
 
 packet_opensuse-docker-cilium:
-  stage: deploy-part2
   extends: .packet_pr
-  when: on_success
-
-# ### MANUAL JOBS
-
-packet_ubuntu20-docker-weave-sep:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
 
 packet_ubuntu20-cilium-sep:
-  stage: deploy-special
   extends: .packet_pr
-  when: manual
 
-packet_ubuntu20-flannel-ha-once:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
+## Extended
+packet_debian11-docker:
+  extends: .packet_pr_extended
 
-# Calico HA eBPF
-packet_almalinux8-calico-ha-ebpf:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
+packet_debian12-docker:
+  extends: .packet_pr_extended
 
-packet_debian10-macvlan:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_centos7-calico-ha:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_centos7-multus-calico:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_fedora38-docker-calico:
-  stage: deploy-part2
-  extends: .packet_periodic
-  when: on_success
-  variables:
-    RESET_CHECK: "true"
-
-packet_fedora37-calico-selinux:
-  stage: deploy-part2
-  extends: .packet_periodic
-  when: on_success
-
-packet_fedora37-calico-swap-selinux:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_almalinux8-calico-nodelocaldns-secondary:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_fedora38-kube-ovn:
-  stage: deploy-part2
-  extends: .packet_periodic
-  when: on_success
-
-packet_debian11-custom-cni:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_debian11-kubelet-csr-approver:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_debian12-custom-cni-helm:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-# ### PR JOBS PART3
-# Long jobs (45min+)
-
-packet_centos7-weave-upgrade-ha:
-  stage: deploy-part3
-  extends: .packet_periodic
-  when: on_success
-  variables:
-    UPGRADE_TEST: basic
-
-packet_ubuntu20-calico-etcd-kubeadm-upgrade-ha:
-  stage: deploy-part3
-  extends: .packet_periodic
-  when: on_success
-  variables:
-    UPGRADE_TEST: basic
-
-# Calico HA Wireguard
-packet_ubuntu20-calico-ha-wireguard:
-  stage: deploy-part2
-  extends: .packet_pr
-  when: manual
-
-packet_debian11-calico-upgrade:
-  stage: deploy-part3
-  extends: .packet_pr
-  when: on_success
-  variables:
-    UPGRADE_TEST: graceful
+packet_debian12-calico:
+  extends: .packet_pr_extended
 
 packet_almalinux8-calico-remove-node:
-  stage: deploy-part3
-  extends: .packet_pr
-  when: on_success
+  extends: .packet_pr_extended
   variables:
     REMOVE_NODE_CHECK: "true"
     REMOVE_NODE_NAME: "instance-3"
 
+packet_rockylinux9-calico:
+  extends: .packet_pr_extended
+
+packet_almalinux8-calico:
+  extends: .packet_pr_extended
+
+packet_almalinux8-docker:
+  extends: .packet_pr_extended
+
+packet_ubuntu20-calico-all-in-one-hardening:
+  extends: .packet_pr_extended
+
+packet_ubuntu24-calico-all-in-one:
+  extends: .packet_pr_extended
+
 packet_ubuntu20-calico-etcd-kubeadm:
-  stage: deploy-part3
-  extends: .packet_pr
-  when: on_success
+  extends: .packet_pr_extended
+
+packet_ubuntu24-all-in-one-docker:
+  extends: .packet_pr_extended
+
+packet_ubuntu22-all-in-one-docker:
+  extends: .packet_pr_extended
+
+# ### MANUAL JOBS
+packet_fedora37-crio:
+  extends: .packet_pr_manual
+
+packet_ubuntu20-flannel-ha:
+  extends: .packet_pr_manual
+
+packet_ubuntu20-all-in-one-docker:
+  extends: .packet_pr_manual
+
+packet_ubuntu20-flannel-ha-once:
+  extends: .packet_pr_manual
+
+packet_fedora37-calico-swap-selinux:
+  extends: .packet_pr_manual
+
+packet_almalinux8-calico-ha-ebpf:
+  extends: .packet_pr_manual
+
+packet_almalinux8-calico-nodelocaldns-secondary:
+  extends: .packet_pr_manual
+
+packet_debian11-custom-cni:
+  extends: .packet_pr_manual
+
+packet_debian11-kubelet-csr-approver:
+  extends: .packet_pr_manual
+
+packet_debian12-custom-cni-helm:
+  extends: .packet_pr_manual
+
+packet_ubuntu20-calico-ha-wireguard:
+  extends: .packet_pr_manual
+
+# PERIODIC
+packet_fedora38-docker-calico:
+  stage: deploy-extended
+  extends: .packet_periodic
+  variables:
+    RESET_CHECK: "true"
+
+packet_fedora37-calico-selinux:
+  stage: deploy-extended
+  extends: .packet_periodic
+
+
+packet_ubuntu20-calico-etcd-kubeadm-upgrade-ha:
+  stage: deploy-extended
+  extends: .packet_periodic
+  variables:
+    UPGRADE_TEST: basic
+
 
 packet_debian11-calico-upgrade-once:
-  stage: deploy-part3
+  stage: deploy-extended
   extends: .packet_periodic
-  when: on_success
   variables:
     UPGRADE_TEST: graceful
 
 packet_ubuntu20-calico-ha-recover:
-  stage: deploy-part3
+  stage: deploy-extended
   extends: .packet_periodic
-  when: on_success
   variables:
     RECOVER_CONTROL_PLANE_TEST: "true"
     RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[2:]:kube_control_plane[1:]"
 
 packet_ubuntu20-calico-ha-recover-noquorum:
-  stage: deploy-part3
+  stage: deploy-extended
   extends: .packet_periodic
-  when: on_success
   variables:
     RECOVER_CONTROL_PLANE_TEST: "true"
     RECOVER_CONTROL_PLANE_TEST_GROUPS: "etcd[1:]:kube_control_plane[1:]"
+
+packet_debian11-calico-upgrade:
+  stage: deploy-extended
+  extends: .packet_periodic
+  variables:
+    UPGRADE_TEST: graceful
+
+packet_debian12-cilium-svc-proxy:
+  stage: deploy-extended
+  extends: .packet_periodic

.gitlab-ci/pre-commit-dynamic-stub.yml

@@ -7,7 +7,7 @@ pre-commit:
   variables:
     PRE_COMMIT_HOME: /pre-commit-cache
   script:
-  - pre-commit run -a $HOOK_ID
+  - pre-commit run --all-files
   cache:
     key: pre-commit-$HOOK_ID
     paths:

.gitlab-ci/terraform.yml

@@ -2,6 +2,10 @@
 # Tests for contrib/terraform/
 .terraform_install:
   extends: .job
+  needs:
+    - ci-not-authorized
+    - pipeline-image
+  stage: deploy-part1
   before_script:
     - update-alternatives --install /usr/bin/python python /usr/bin/python3 1
     - ./tests/scripts/rebase.sh
@@ -24,17 +28,19 @@
 
 .terraform_validate:
   extends: .terraform_install
-  stage: unit-tests
-  tags: [light]
+  tags: [ffci]
   only: ['master', /^pr-.*$/]
   script:
     - terraform -chdir="contrib/terraform/$PROVIDER" validate
     - terraform -chdir="contrib/terraform/$PROVIDER" fmt -check -diff
+  stage: test
+  needs:
+    - pipeline-image
 
 .terraform_apply:
   extends: .terraform_install
-  tags: [light]
-  stage: deploy-part3
+  tags: [ffci]
+  stage: deploy-extended
   when: manual
   only: [/^pr-.*$/]
   artifacts:
@@ -51,7 +57,7 @@
     - tests/scripts/testcases_run.sh
   after_script:
     # Cleanup regardless of exit code
-    - chronic ./tests/scripts/testcases_cleanup.sh
+    - ./tests/scripts/testcases_cleanup.sh
 
 tf-validate-openstack:
   extends: .terraform_validate
@@ -146,8 +152,7 @@ tf-validate-nifcloud:
   TF_VAR_router_id: "ab95917c-41fb-4881-b507-3a6dfe9403df"
 
 tf-elastx_cleanup:
-  stage: unit-tests
-  tags: [light]
+  tags: [ffci]
   image: python
   variables:
     <<: *elastx_variables
@@ -155,10 +160,11 @@ tf-elastx_cleanup:
     - pip install -r scripts/openstack-cleanup/requirements.txt
   script:
     - ./scripts/openstack-cleanup/main.py
+  allow_failure: true
 
 tf-elastx_ubuntu20-calico:
   extends: .terraform_apply
-  stage: deploy-part3
+  stage: deploy-part1
   when: on_success
   allow_failure: true
   variables:

.gitlab-ci/vagrant.yml

@@ -1,64 +1,63 @@
 ---
-
 .vagrant:
   extends: .testcases
+  needs:
+    - ci-not-authorized
   variables:
     CI_PLATFORM: "vagrant"
     SSH_USER: "vagrant"
     VAGRANT_DEFAULT_PROVIDER: "libvirt"
     KUBESPRAY_VAGRANT_CONFIG: tests/files/${CI_JOB_NAME}.rb
-  tags: [c3.small.x86]
-  only: [/^pr-.*$/]
-  except: ['triggers']
-  image: $PIPELINE_IMAGE
+    DOCKER_NAME: vagrant
+    VAGRANT_ANSIBLE_TAGS: facts
+  tags: [ffci-vm-large]
+  # only: [/^pr-.*$/]
+  # except: ['triggers']
+  image: quay.io/kubespray/vm-kubespray-ci:v6
   services: []
   before_script:
+    - echo $USER
+    - python3 -m venv citest
+    - source citest/bin/activate
+    - vagrant plugin expunge --reinstall --force --no-tty
+    - vagrant plugin install vagrant-libvirt
+    - pip install --no-compile --no-cache-dir pip -U
+    - pip install --no-compile --no-cache-dir -r $CI_PROJECT_DIR/requirements.txt
+    - pip install --no-compile --no-cache-dir -r $CI_PROJECT_DIR/tests/requirements.txt
     - ./tests/scripts/vagrant_clean.sh
   script:
     - ./tests/scripts/testcases_run.sh
-  after_script:
-    - chronic ./tests/scripts/testcases_cleanup.sh
 
 vagrant_ubuntu20-calico-dual-stack:
-  stage: deploy-part2
+  stage: deploy-extended
   extends: .vagrant
   when: manual
 # FIXME: this test if broken (perma-failing)
 
-vagrant_ubuntu20-weave-medium:
-  stage: deploy-part2
-  extends: .vagrant
-  when: manual
-
 vagrant_ubuntu20-flannel:
-  stage: deploy-part2
+  stage: deploy-part1
   extends: .vagrant
   when: on_success
   allow_failure: false
 
 vagrant_ubuntu20-flannel-collection:
-  stage: deploy-part2
+  stage: deploy-extended
   extends: .vagrant
-  when: on_success
+  when: manual
 
 vagrant_ubuntu20-kube-router-sep:
-  stage: deploy-part2
+  stage: deploy-extended
   extends: .vagrant
   when: manual
 
 # Service proxy test fails connectivity testing
 vagrant_ubuntu20-kube-router-svc-proxy:
-  stage: deploy-part2
+  stage: deploy-extended
   extends: .vagrant
   when: manual
 
 vagrant_fedora37-kube-router:
-  stage: deploy-part2
+  stage: deploy-extended
   extends: .vagrant
   when: manual
 # FIXME: this test if broken (perma-failing)
-
-vagrant_centos7-kube-router:
-  stage: deploy-part2
-  extends: .vagrant
-  when: manual

.pre-commit-config.yaml

@@ -39,14 +39,14 @@ repos:
     hooks:
       - id: ansible-lint
         additional_dependencies:
-          - ansible==9.5.1
+          - ansible==9.8.0
           - jsonschema==4.22.0
           - jmespath==1.0.1
-          - netaddr==1.2.1
+          - netaddr==1.3.0
+          - distlib
 
-  - repo: https://github.com/VannTen/misspell
-    # Waiting on https://github.com/golangci/misspell/pull/19 to get merged
-    rev: 8592a4e
+  - repo: https://github.com/golangci/misspell
+    rev: v0.6.0
     hooks:
       - id: misspell
         exclude: "OWNERS_ALIASES$"
@@ -80,6 +80,7 @@ repos:
         language: python
         additional_dependencies:
           - ansible-core>=2.16.4
+          - distlib
         entry: tests/scripts/collection-build-install.sh
         pass_filenames: false
 

.yamllint

@@ -6,7 +6,7 @@ ignore: |
   .github/
   # Generated file
   tests/files/custom_cni/cilium.yaml
-
+# https://ansible.readthedocs.io/projects/lint/rules/yaml/
 rules:
   braces:
     min-spaces-inside: 0
@@ -14,9 +14,16 @@ rules:
   brackets:
     min-spaces-inside: 0
     max-spaces-inside: 1
+  comments:
+    min-spaces-from-content: 1
+  # https://github.com/adrienverge/yamllint/issues/384
+  comments-indentation: false
   indentation:
     spaces: 2
     indent-sequences: consistent
   line-length: disable
   new-line-at-end-of-file: disable
+  octal-values:
+    forbid-implicit-octal: true # yamllint defaults to false
+    forbid-explicit-octal: true # yamllint defaults to false
   truthy: disable

OWNERS_ALIASES

@@ -6,6 +6,7 @@ aliases:
     - mzaian
     - oomichi
     - yankay
+    - ant31
   kubespray-reviewers:
     - cyclinder
     - erikjiang
@@ -14,7 +15,6 @@ aliases:
     - vannten
     - yankay
   kubespray-emeritus_approvers:
-    - ant31
     - atoms
     - chadswen
     - luckysb

README.md

@@ -141,7 +141,7 @@ vagrant up
 ## Supported Linux Distributions
 
 - **Flatcar Container Linux by Kinvolk**
-- **Debian** Bookworm, Bullseye, Buster
+- **Debian** Bookworm, Bullseye
 - **Ubuntu** 20.04, 22.04, 24.04
 - **CentOS/RHEL** 7, [8, 9](docs/operating_systems/centos.md#centos-8)
 - **Fedora** 37, 38
@@ -160,11 +160,11 @@ Note: Upstart/SysV init based OS types are not supported.
 ## Supported Components
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.29.5
+  - [kubernetes](https://github.com/kubernetes/kubernetes) v1.30.3
   - [etcd](https://github.com/etcd-io/etcd) v3.5.12
   - [docker](https://www.docker.com/) v26.1
-  - [containerd](https://containerd.io/) v1.7.16
-  - [cri-o](http://cri-o.io/) v1.29.1 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
+  - [containerd](https://containerd.io/) v1.7.20
+  - [cri-o](http://cri-o.io/) v1.30.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
   - [calico](https://github.com/projectcalico/calico) v3.27.3
@@ -173,10 +173,10 @@ Note: Upstart/SysV init based OS types are not supported.
   - [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5
   - [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0
   - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8
-  - [weave](https://github.com/weaveworks/weave) v2.8.1
+  - [weave](https://github.com/rajch/weave) v2.8.7
   - [kube-vip](https://github.com/kube-vip/kube-vip) v0.8.0
 - Application
-  - [cert-manager](https://github.com/jetstack/cert-manager) v1.13.2
+  - [cert-manager](https://github.com/jetstack/cert-manager) v1.14.7
   - [coredns](https://github.com/coredns/coredns) v1.11.1
   - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.10.1
   - [krew](https://github.com/kubernetes-sigs/krew) v0.4.4
@@ -189,7 +189,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
   - [aws-ebs-csi-plugin](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) v0.5.0
   - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
-  - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.29.0
+  - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.30.0
   - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2
   - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.24
   - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0

RELEASE.md

@@ -16,6 +16,7 @@ The Kubespray Project is released on an as-needed basis. The process is as follo
 1. The release issue is closed
 1. An announcement email is sent to `dev@kubernetes.io` with the subject `[ANNOUNCE] Kubespray $VERSION is released`
 1. The topic of the #kubespray channel is updated with `vX.Y.Z is released! | ...`
+1. Create/Update Issue for upgradeing kubernetes and [k8s-conformance](https://github.com/cncf/k8s-conformance)
 
 ## Major/minor releases and milestones
 

Vagrantfile

@@ -1,7 +1,7 @@
 # -*- mode: ruby -*-
 # # vi: set ft=ruby :
 
-# For help on using kubespray with vagrant, check out docs/vagrant.md
+# For help on using kubespray with vagrant, check out docs/developers/vagrant.md
 
 require 'fileutils'
 
@@ -278,6 +278,7 @@ Vagrant.configure("2") do |config|
         "local_path_provisioner_enabled": "#{$local_path_provisioner_enabled}",
         "local_path_provisioner_claim_root": "#{$local_path_provisioner_claim_root}",
         "ansible_ssh_user": SUPPORTED_OS[$os][:user],
+        "ansible_ssh_private_key_file": File.join(Dir.home, ".vagrant.d", "insecure_private_key"),
         "unsafe_show_logs": "True"
       }
 

ansible.cfg

@@ -11,6 +11,7 @@ gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = /tmp
 fact_caching_timeout = 86400
+timeout = 300
 stdout_callback = default
 display_skipped_hosts = no
 library = ./library

contrib/azurerm/roles/generate-inventory/tasks/main.yml

@@ -12,4 +12,4 @@
   template:
     src: inventory.j2
     dest: "{{ playbook_dir }}/inventory"
-    mode: 0644
+    mode: "0644"

contrib/azurerm/roles/generate-inventory_2/tasks/main.yml

@@ -22,10 +22,10 @@
   template:
     src: inventory.j2
     dest: "{{ playbook_dir }}/inventory"
-    mode: 0644
+    mode: "0644"
 
 - name: Generate Load Balancer variables
   template:
     src: loadbalancer_vars.j2
     dest: "{{ playbook_dir }}/loadbalancer_vars.yml"
-    mode: 0644
+    mode: "0644"

contrib/azurerm/roles/generate-templates/tasks/main.yml

@@ -8,13 +8,13 @@
     path: "{{ base_dir }}"
     state: directory
     recurse: true
-    mode: 0755
+    mode: "0755"
 
 - name: Store json files in base_dir
   template:
     src: "{{ item }}"
     dest: "{{ base_dir }}/{{ item }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - network.json
     - storage.json

contrib/dind/roles/dind-cluster/tasks/main.yaml

@@ -35,7 +35,7 @@
       path-exclude=/usr/share/doc/*
       path-include=/usr/share/doc/*/copyright
     dest: /etc/dpkg/dpkg.cfg.d/01_nodoc
-    mode: 0644
+    mode: "0644"
   when:
     - ansible_os_family == 'Debian'
 
@@ -64,7 +64,7 @@
   copy:
     content: "{{ distro_user }} ALL=(ALL) NOPASSWD:ALL"
     dest: "/etc/sudoers.d/{{ distro_user }}"
-    mode: 0640
+    mode: "0640"
 
 - name: "Add my pubkey to {{ distro_user }} user authorized keys"
   ansible.posix.authorized_key:

contrib/dind/roles/dind-host/tasks/main.yaml

@@ -42,7 +42,7 @@
   template:
     src: inventory_builder.sh.j2
     dest: /tmp/kubespray.dind.inventory_builder.sh
-    mode: 0755
+    mode: "0755"
   tags:
     - addresses
 

contrib/kvm-setup/roles/kvm-setup/tasks/sysctl.yml

@@ -20,7 +20,7 @@
       br-netfilter
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   when: br_netfilter is defined
 
 

contrib/kvm-setup/roles/kvm-setup/tasks/user.yml

@@ -11,7 +11,7 @@
     state: directory
     owner: "{{ k8s_deployment_user }}"
     group: "{{ k8s_deployment_user }}"
-    mode: 0700
+    mode: "0700"
 
 - name: Configure sudo for deployment user
   copy:
@@ -20,13 +20,13 @@
     dest: "/etc/sudoers.d/55-k8s-deployment"
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
 
 - name: Write private SSH key
   copy:
     src: "{{ k8s_deployment_user_pkey_path }}"
     dest: "/home/{{ k8s_deployment_user }}/.ssh/id_rsa"
-    mode: 0400
+    mode: "0400"
     owner: "{{ k8s_deployment_user }}"
     group: "{{ k8s_deployment_user }}"
   when: k8s_deployment_user_pkey_path is defined
@@ -41,7 +41,7 @@
 - name: Fix ssh-pub-key permissions
   file:
     path: "/home/{{ k8s_deployment_user }}/.ssh/authorized_keys"
-    mode: 0600
+    mode: "0600"
     owner: "{{ k8s_deployment_user }}"
     group: "{{ k8s_deployment_user }}"
   when: k8s_deployment_user_pkey_path is defined

contrib/mitogen/mitogen.yml

@@ -14,7 +14,7 @@
       file:
         path: "{{ item }}"
         state: directory
-        mode: 0755
+        mode: "0755"
       become: false
       loop:
         - "{{ playbook_dir }}/plugins/mitogen"
@@ -25,7 +25,7 @@
         url: "{{ mitogen_url }}"
         dest: "{{ playbook_dir }}/dist/mitogen_{{ mitogen_version }}.tar.gz"
         validate_certs: true
-        mode: 0644
+        mode: "0644"
 
     - name: Extract archive
       unarchive:
@@ -40,7 +40,7 @@
     - name: Add strategy to ansible.cfg
       community.general.ini_file:
         path: ansible.cfg
-        mode: 0644
+        mode: "0644"
         section: "{{ item.section | d('defaults') }}"
         option: "{{ item.option }}"
         value: "{{ item.value }}"

contrib/network-storage/glusterfs/roles/glusterfs/client/tasks/main.yml

@@ -15,7 +15,7 @@
   file:
     path: "{{ item }}"
     state: directory
-    mode: 0775
+    mode: "0775"
   with_items:
     - "{{ gluster_mount_dir }}"
   when: ansible_os_family in ["Debian","RedHat"] and groups['gfs-cluster'] is defined

contrib/network-storage/glusterfs/roles/glusterfs/server/tasks/main.yml

@@ -49,7 +49,7 @@
   file:
     path: "{{ item }}"
     state: directory
-    mode: 0775
+    mode: "0775"
   with_items:
     - "{{ gluster_brick_dir }}"
     - "{{ gluster_mount_dir }}"
@@ -101,7 +101,7 @@
   template:
     dest: "{{ gluster_mount_dir }}/.test-file.txt"
     src: test-file.txt
-    mode: 0644
+    mode: "0644"
   when: groups['gfs-cluster'] is defined and inventory_hostname == groups['gfs-cluster'][0]
 
 - name: Unmount glusterfs

contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml

@@ -3,7 +3,7 @@
   template:
     src: "{{ item.file }}"
     dest: "{{ kube_config_dir }}/{{ item.dest }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - { file: glusterfs-kubernetes-endpoint.json.j2, type: ep, dest: glusterfs-kubernetes-endpoint.json}
     - { file: glusterfs-kubernetes-pv.yml.j2, type: pv, dest: glusterfs-kubernetes-pv.yml}

contrib/network-storage/heketi/roles/provision/tasks/bootstrap/deploy.yml

@@ -4,7 +4,7 @@
   template:
     src: "heketi-bootstrap.json.j2"
     dest: "{{ kube_config_dir }}/heketi-bootstrap.json"
-    mode: 0640
+    mode: "0640"
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Bootstrap"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/bootstrap/topology.yml

@@ -10,7 +10,7 @@
   template:
     src: "topology.json.j2"
     dest: "{{ kube_config_dir }}/topology.json"
-    mode: 0644
+    mode: "0644"
 - name: "Copy topology configuration into container."
   changed_when: false
   command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ initial_heketi_pod_name }}:/tmp/topology.json"

contrib/network-storage/heketi/roles/provision/tasks/glusterfs.yml

@@ -3,7 +3,7 @@
   template:
     src: "glusterfs-daemonset.json.j2"
     dest: "{{ kube_config_dir }}/glusterfs-daemonset.json"
-    mode: 0644
+    mode: "0644"
   become: true
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure GlusterFS daemonset"
@@ -33,7 +33,7 @@
   template:
     src: "heketi-service-account.json.j2"
     dest: "{{ kube_config_dir }}/heketi-service-account.json"
-    mode: 0644
+    mode: "0644"
   become: true
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Service Account"

contrib/network-storage/heketi/roles/provision/tasks/heketi.yml

@@ -4,7 +4,7 @@
   template:
     src: "heketi-deployment.json.j2"
     dest: "{{ kube_config_dir }}/heketi-deployment.json"
-    mode: 0644
+    mode: "0644"
   register: "rendering"
 
 - name: "Kubernetes Apps | Install and configure Heketi"

contrib/network-storage/heketi/roles/provision/tasks/secret.yml

@@ -28,7 +28,7 @@
   template:
     src: "heketi.json.j2"
     dest: "{{ kube_config_dir }}/heketi.json"
-    mode: 0644
+    mode: "0644"
 
 - name: "Deploy Heketi config secret"
   when: "secret_state.stdout | length == 0"

contrib/network-storage/heketi/roles/provision/tasks/storage.yml

@@ -5,7 +5,7 @@
   template:
     src: "heketi-storage.json.j2"
     dest: "{{ kube_config_dir }}/heketi-storage.json"
-    mode: 0644
+    mode: "0644"
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Heketi Storage"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/storageclass.yml

@@ -16,7 +16,7 @@
   template:
     src: "storageclass.yml.j2"
     dest: "{{ kube_config_dir }}/storageclass.yml"
-    mode: 0644
+    mode: "0644"
   register: "rendering"
 - name: "Kubernetes Apps | Install and configure Storace Class"
   kube:

contrib/network-storage/heketi/roles/provision/tasks/topology.yml

@@ -10,7 +10,7 @@
   template:
     src: "topology.json.j2"
     dest: "{{ kube_config_dir }}/topology.json"
-    mode: 0644
+    mode: "0644"
 - name: "Copy topology configuration into container."  # noqa no-handler
   when: "rendering.changed"
   command: "{{ bin_dir }}/kubectl cp {{ kube_config_dir }}/topology.json {{ heketi_pod_name }}:/tmp/topology.json"

contrib/offline/generate_list.yml

@@ -16,7 +16,7 @@
       template:
         src: ./contrib/offline/temp/{{ item }}.list.template
         dest: ./contrib/offline/temp/{{ item }}.list
-        mode: 0644
+        mode: "0644"
       with_items:
         - files
         - images

contrib/os-services/roles/prepare/tasks/main.yml

@@ -7,7 +7,7 @@
     service_facts:
 
   - name: Disable service firewalld
-    systemd:
+    systemd_service:
       name: firewalld
       state: stopped
       enabled: no
@@ -15,7 +15,7 @@
       "'firewalld.service' in services and services['firewalld.service'].status != 'not-found'"
 
   - name: Disable service ufw
-    systemd:
+    systemd_service:
       name: ufw
       state: stopped
       enabled: no

contrib/terraform/hetzner/templates/inventory.tpl

@@ -12,8 +12,8 @@ ${list_master}
 ${list_worker}
 
 [k8s_cluster:children]
-kube-master
-kube-node
+kube_control_plane
+kube_node
 
 [k8s_cluster:vars]
 network_id=${network_id}

contrib/terraform/upcloud/cluster-settings.tfvars

@@ -1,5 +1,11 @@
 # See: https://developers.upcloud.com/1.3/5-zones/
-zone     = "fi-hel1"
+zone          = "fi-hel1"
+private_cloud = false
+
+# Only used if private_cloud = true, public zone equivalent
+# For example use finnish public zone for finnish private zone
+public_zone = "fi-hel2"
+
 username = "ubuntu"
 
 # Prefix to use for all resources to separate them from other resources

contrib/terraform/upcloud/main.tf

@@ -11,8 +11,10 @@ provider "upcloud" {
 module "kubernetes" {
   source = "./modules/kubernetes-cluster"
 
-  prefix = var.prefix
-  zone   = var.zone
+  prefix        = var.prefix
+  zone          = var.zone
+  private_cloud = var.private_cloud
+  public_zone   = var.public_zone
 
   template_name = var.template_name
   username      = var.username

contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf

@@ -54,11 +54,12 @@ resource "upcloud_server" "master" {
     if machine.node_type == "master"
   }
 
-  hostname = "${local.resource-prefix}${each.key}"
-  plan     = each.value.plan
-  cpu      = each.value.plan == null ? each.value.cpu : null
-  mem      = each.value.plan == null ? each.value.mem : null
-  zone     = var.zone
+  hostname     = "${local.resource-prefix}${each.key}"
+  plan         = each.value.plan
+  cpu          = each.value.plan == null ? null : each.value.cpu
+  mem          = each.value.plan == null ? null : each.value.mem
+  zone         = var.zone
+  server_group = each.value.server_group == null ? null : upcloud_server_group.server_groups[each.value.server_group].id
 
   template {
     storage = var.template_name
@@ -111,11 +112,13 @@ resource "upcloud_server" "worker" {
     if machine.node_type == "worker"
   }
 
-  hostname = "${local.resource-prefix}${each.key}"
-  plan     = each.value.plan
-  cpu      = each.value.plan == null ? each.value.cpu : null
-  mem      = each.value.plan == null ? each.value.mem : null
-  zone     = var.zone
+  hostname     = "${local.resource-prefix}${each.key}"
+  plan         = each.value.plan
+  cpu          = each.value.plan == null ? null : each.value.cpu
+  mem          = each.value.plan == null ? null : each.value.mem
+  zone         = var.zone
+  server_group = each.value.server_group == null ? null : upcloud_server_group.server_groups[each.value.server_group].id
+
 
   template {
     storage = var.template_name
@@ -512,8 +515,18 @@ resource "upcloud_loadbalancer" "lb" {
   configured_status = "started"
   name              = "${local.resource-prefix}lb"
   plan              = var.loadbalancer_plan
-  zone              = var.zone
-  network           = upcloud_network.private.id
+  zone              = var.private_cloud ? var.public_zone : var.zone
+  networks {
+    name    = "Private-Net"
+    type    = "private"
+    family  = "IPv4"
+    network = upcloud_network.private.id
+  }
+  networks {
+    name   = "Public-Net"
+    type   = "public"
+    family = "IPv4"
+  }
 }
 
 resource "upcloud_loadbalancer_backend" "lb_backend" {
@@ -534,6 +547,9 @@ resource "upcloud_loadbalancer_frontend" "lb_frontend" {
   mode                 = "tcp"
   port                 = each.value.port
   default_backend_name = upcloud_loadbalancer_backend.lb_backend[each.key].name
+  networks {
+    name = "Public-Net"
+  }
 }
 
 resource "upcloud_loadbalancer_static_backend_member" "lb_backend_member" {
@@ -557,5 +573,9 @@ resource "upcloud_server_group" "server_groups" {
   title                = each.key
   anti_affinity_policy = each.value.anti_affinity_policy
   labels               = {}
-  members              = [for server in each.value.servers : merge(upcloud_server.master, upcloud_server.worker)[server].id]
+  # Managed upstream via upcloud_server resource
+  members              = []
+  lifecycle {
+    ignore_changes = [members]
+  }
 }

contrib/terraform/upcloud/modules/kubernetes-cluster/variables.tf

@@ -6,6 +6,14 @@ variable "zone" {
   type = string
 }
 
+variable "private_cloud" {
+  type = bool
+}
+
+variable "public_zone" {
+  type = string
+}
+
 variable "template_name" {}
 
 variable "username" {}
@@ -20,6 +28,7 @@ variable "machines" {
     cpu       = string
     mem       = string
     disk_size = number
+    server_group : string
     additional_disks = map(object({
       size = number
       tier = string
@@ -104,6 +113,5 @@ variable "server_groups" {
 
   type = map(object({
     anti_affinity_policy = string
-    servers              = list(string)
   }))
 }

contrib/terraform/upcloud/modules/kubernetes-cluster/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>2.12.0"
+      version = "~>5.6.0"
     }
   }
   required_version = ">= 0.13"

contrib/terraform/upcloud/variables.tf

@@ -9,6 +9,15 @@ variable "zone" {
   description = "The zone where to run the cluster"
 }
 
+variable "private_cloud" {
+  description = "Whether the environment is in the private cloud region"
+  default     = false
+}
+
+variable "public_zone" {
+  description = "The public zone equivalent if the cluster is running in a private cloud zone"
+}
+
 variable "template_name" {
   description = "Block describing the preconfigured operating system"
 }
@@ -32,6 +41,7 @@ variable "machines" {
     cpu       = string
     mem       = string
     disk_size = number
+    server_group : string
     additional_disks = map(object({
       size = number
       tier = string
@@ -142,7 +152,6 @@ variable "server_groups" {
 
   type = map(object({
     anti_affinity_policy = string
-    servers              = list(string)
   }))
 
   default = {}

contrib/terraform/upcloud/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     upcloud = {
       source  = "UpCloudLtd/upcloud"
-      version = "~>2.12.0"
+      version = "~>5.6.0"
     }
   }
   required_version = ">= 0.13"

docs/CNI/cilium.md

@@ -132,7 +132,7 @@ Wireguard option is only available in Cilium 1.10.0 and newer.
 
 ### IPsec Encryption
 
-For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/gettingstarted/encryption-ipsec/)
+For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/security/network/encryption-ipsec/)
 
 To enable IPsec encryption, you just need to set three variables.
 
@@ -157,7 +157,7 @@ echo "cilium_ipsec_key: "$(echo -n "3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/uran
 
 ### Wireguard Encryption
 
-For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/gettingstarted/encryption-wireguard/)
+For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/)
 
 To enable Wireguard encryption, you just need to set two variables.
 

docs/ansible/ansible.md

@@ -231,6 +231,7 @@ The following tags are defined in playbooks:
 | services                       | Remove services (etcd, kubelet etc...) when resetting |
 | snapshot                       | Enabling csi snapshot                                 |
 | snapshot-controller            | Configuring csi snapshot controller                   |
+| system-packages                | Install packages using OS package manager             |
 | upgrade                        | Upgrading, f.e. container images/binaries             |
 | upload                         | Distributing images/binaries across hosts             |
 | vsphere-csi-driver             | Configuring csi driver: vsphere                       |

docs/ansible/vars.md

@@ -216,6 +216,8 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
   The percent is calculated by dividing this field value by 100, so the field value must be between 0 and 100, inclusive.
   When specified, the value must be less than imageGCHighThresholdPercent. Default: 80
 
+* *kubelet_max_parallel_image_pulls* - Sets the maximum number of image pulls in parallel. The value is `1` by default which means the default is serial image pulling, set it to a integer great than `1` to enable image pulling in parallel.
+
 * *kubelet_make_iptables_util_chains* - If `true`, causes the kubelet ensures a set of `iptables` rules are present on host.
 
 * *kubelet_cpu_manager_policy* -  If set to `static`, allows pods with certain resource characteristics to be granted increased CPU affinity and exclusivity on the node. And it should be set with `kube_reserved` or `system-reserved`, enable this with the following guide:[Control CPU Management Policies on the Node](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/)
@@ -243,6 +245,10 @@ kubelet_cpu_manager_policy_options:
 
     By default the `kubelet_secure_addresses` is set with the `10.0.0.110` the ansible control host uses `eth0` to  connect to the machine. In case you want to use `eth1` as the outgoing interface on which `kube-apiserver` connects to the `kubelet`s, you should override the variable in this way: `kubelet_secure_addresses: "192.168.1.110"`.
 
+* *kubelet_systemd_wants_dependencies* - List of kubelet service dependencies, other than container runtime.
+
+  If you use nfs dynamically mounted volumes, sometimes rpc-statd does not start within the kubelet. You can fix it with this parameter : `kubelet_systemd_wants_dependencies: ["rpc-statd.service"]` This will add `Wants=rpc-statd.service` in `[Unit]` section of /etc/systemd/system/kubelet.service
+
 * *node_labels* - Labels applied to nodes via `kubectl label node`.
   For example, labels can be set in the inventory as variables or more widely in group_vars.
   *node_labels* can only be defined as a dict:

docs/developers/ci-setup.md

@@ -5,8 +5,8 @@
 1. build: build a docker image to be used in the pipeline
 2. unit-tests: fast jobs for fast feedback (linting, etc...)
 3. deploy-part1: small number of jobs to test if the PR works with default settings
-4. deploy-part2: slow jobs testing different platforms, OS, settings, CNI, etc...
-5. deploy-part3: very slow jobs (upgrades, etc...)
+4. deploy-extended: slow jobs testing different platforms, OS, settings, CNI, etc...
+5. deploy-extended: very slow jobs (upgrades, etc...)
 
 ## Runners
 

docs/developers/ci.md

@@ -9,8 +9,7 @@ To generate this Matrix run `./tests/scripts/md-table/main.py`
 almalinux8 |  :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: |
 amazon |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 centos7 |  :white_check_mark: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: |
-debian10 |  :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: |
-debian11 |  :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
+debian11 |  :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :x: |
 debian12 |  :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: |
 fedora37 |  :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: |
 fedora38 |  :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | :x: |
@@ -28,7 +27,6 @@ ubuntu24 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 almalinux8 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 centos7 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-debian10 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian12 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora37 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
@@ -47,7 +45,6 @@ ubuntu24 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 almalinux8 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 amazon |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 centos7 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
-debian10 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian11 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 debian12 |  :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |
 fedora37 |  :x: | :x: | :x: | :x: | :x: | :x: | :x: | :x: |

docs/operations/cgroups.md

@@ -1,6 +1,6 @@
 # cgroups
 
-To avoid the rivals for resources between containers or the impact on the host in Kubernetes, the kubelet components will rely on cgroups to limit the container’s resources usage.
+To avoid resource contention between containers and host daemons in Kubernetes, the kubelet components can use cgroups to limit resource usage.
 
 ## Enforcing Node Allocatable
 
@@ -20,8 +20,9 @@ Here is an example:
 ```yaml
 kubelet_enforce_node_allocatable: "pods,kube-reserved,system-reserved"
 
-# Reserve this space for kube resources
-# Set to true to reserve resources for kube daemons
+# Set kube_reserved to true to run kubelet and container-engine daemons in a dedicated cgroup.
+# This is required if you want to enforce limits on the resource usage of these daemons.
+# It is not required if you just want to make resource reservations (kube_memory_reserved, kube_cpu_reserved, etc.)
 kube_reserved: true
 kube_reserved_cgroups_for_service_slice: kube.slice
 kube_reserved_cgroups: "/{{ kube_reserved_cgroups_for_service_slice }}"

docs/operations/ha-mode.md

@@ -30,12 +30,12 @@ loadbalancer.  If you wish to control the name of the loadbalancer container,
 you can set the variable `loadbalancer_apiserver_pod_name`.
 
 If you choose to NOT use the local internal loadbalancer, you will need to
-use the [kube-vip](kube-vip.md) ansible role or configure your own loadbalancer to achieve HA. By default, it only configures a non-HA endpoint, which points to the
+use the [kube-vip](/docs/ingress/kube-vip.md) ansible role or configure your own loadbalancer to achieve HA. By default, it only configures a non-HA endpoint, which points to the
 `access_ip` or IP address of the first server node in the `kube_control_plane` group.
 It can also configure clients to use endpoints for a given loadbalancer type.
 The following diagram shows how traffic to the apiserver is directed.
 
-![Image](figures/loadbalancer_localhost.png?raw=true)
+![Image](/docs/figures/loadbalancer_localhost.png?raw=true)
 
 A user may opt to use an external loadbalancer (LB) instead. An external LB
 provides access for external clients, while the internal LB accepts client

docs/operations/offline-environment.md

@@ -103,7 +103,9 @@ If you use the settings like the one above, you'll need to define in your invent
   can store them anywhere as long as it's accessible by kubespray. It's recommended to use `*_version` in the path so
   that you don't need to modify this setting everytime kubespray upgrades one of these components.
 * `yum_repo`/`debian_repo`/`ubuntu_repo`: OS package repository depending on your OS, should point to your internal
-  repository. Adjust the path accordingly.
+  repository. Adjust the path accordingly. Used only for Docker/Containerd packages (if needed); other packages might
+  be installed from other repositories. You might disable installing packages from other repositories by skipping
+  the `system-packages` tag
 
 ## Install Kubespray Python Packages
 

galaxy.yml

@@ -9,42 +9,16 @@ authors:
 tags:
   - infrastructure
 repository: https://github.com/kubernetes-sigs/kubespray
+issues: https://github.com/kubernetes-sigs/kubespray/issues
+documentation: https://kubespray.io
 license_file: LICENSE
 dependencies:
   ansible.utils: '>=2.5.0'
   community.general: '>=3.0.0'
-build_ignore:
-  - .github
-  - '*.tar.gz'
-  - extra_playbooks
-  - inventory
-  - scripts
-  - test-infra
-  - .ansible-lint
-  - .editorconfig
-  - .gitignore
-  - .gitlab-ci
-  - .gitlab-ci.yml
-  - .gitmodules
-  - .markdownlint.yaml
-  - .nojekyll
-  - .pre-commit-config.yaml
-  - .yamllint
-  - Dockerfile
-  - FILES.json
-  - MANIFEST.json
-  - Makefile
-  - Vagrantfile
-  - _config.yml
-  - ansible.cfg
-  - requirements*txt
-  - setup.cfg
-  - setup.py
-  - index.html
-  - reset.yml
-  - cluster.yml
-  - scale.yml
-  - recover-control-plane.yml
-  - remove-node.yml
-  - upgrade-cluster.yml
-  - library
+  ansible.netcommon: '>=5.3.0'
+  ansible.posix: '>=1.5.4'
+  community.docker: '>=3.11.0'
+  kubernetes.core: '>=2.4.2'
+manifest:
+  directives:
+    - recursive-exclude tests **

inventory/sample/group_vars/k8s_cluster/addons.yml

@@ -100,6 +100,8 @@ rbd_provisioner_enabled: false
 ingress_nginx_enabled: false
 # ingress_nginx_host_network: false
 # ingress_nginx_service_type: LoadBalancer
+# ingress_nginx_service_nodeport_http: 30080
+# ingress_nginx_service_nodeport_https: 30081
 ingress_publish_status_address: ""
 # ingress_nginx_nodeselector:
 #   kubernetes.io/os: "linux"

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -17,7 +17,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
 kube_api_anonymous_auth: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.29.5
+kube_version: v1.30.3
 
 # Where the binaries will be downloaded.
 # Note: ensure that you've enough disk space (about 1G)
@@ -262,7 +262,7 @@ default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir"
 # kubelet_runtime_cgroups_cgroupfs: "/system.slice/{{ container_manager }}.service"
 # kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
 
-# Optionally reserve this space for kube daemons.
+# Whether to run kubelet and container-engine daemons in a dedicated cgroup.
 # kube_reserved: false
 ## Uncomment to override default values
 ## The following two items need to be set when kube_reserved is true

inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

@@ -163,6 +163,13 @@ cilium_l2announcements: false
 ### Enable auto generate certs if cilium_hubble_install: true
 # cilium_hubble_tls_generate: false
 
+### Tune cilium_hubble_event_buffer_capacity & cilium_hubble_event_queue_size values to avoid dropping events when hubble is under heavy load
+### Capacity of Hubble events buffer. The provided value must be one less than an integer power of two and no larger than 65535
+### (ie: 1, 3, ..., 2047, 4095, ..., 65535) (default 4095)
+# cilium_hubble_event_buffer_capacity: 4095
+### Buffer size of the channel to receive monitor events.
+# cilium_hubble_event_queue_size: 50
+
 # IP address management mode for v1.9+.
 # https://docs.cilium.io/en/v1.9/concepts/networking/ipam/
 # cilium_ipam_mode: kubernetes

pipeline.Dockerfile

@@ -4,7 +4,7 @@ FROM ubuntu:jammy-20230308
 # Pip needs this as well at the moment to install ansible
 # (and potentially other packages)
 # See: https://github.com/pypa/pip/issues/10219
-ENV VAGRANT_VERSION=2.3.7 \
+ENV VAGRANT_VERSION=2.4.1 \
     VAGRANT_DEFAULT_PROVIDER=libvirt \
     VAGRANT_ANSIBLE_TAGS=facts \
     LANG=C.UTF-8 \
@@ -30,6 +30,9 @@ RUN apt update -q \
          software-properties-common \
          unzip \
          libvirt-clients \
+         qemu-utils \
+         qemu-kvm \
+         dnsmasq \
     && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
     && add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
     && apt update -q \
@@ -37,13 +40,15 @@ RUN apt update -q \
     && apt autoremove -yqq --purge && apt clean && rm -rf /var/lib/apt/lists/* /var/log/*
 
 WORKDIR /kubespray
+ADD ./requirements.txt  /kubespray/requirements.txt
+ADD ./tests/requirements.txt /kubespray/tests/requirements.txt
+ADD ./roles/kubespray-defaults/defaults/main/main.yml /kubespray/roles/kubespray-defaults/defaults/main/main.yml
 
-RUN --mount=type=bind,target=./requirements.txt,src=./requirements.txt \
-    --mount=type=bind,target=./tests/requirements.txt,src=./tests/requirements.txt \
-    --mount=type=bind,target=./roles/kubespray-defaults/defaults/main/main.yml,src=./roles/kubespray-defaults/defaults/main/main.yml \
-    update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
+
+RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && pip install --no-compile --no-cache-dir pip -U \
     && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
+    && pip install --no-compile --no-cache-dir -r requirements.txt \
     && KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main/main.yml) \
     && curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
     && echo $(curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \

requirements.txt

@@ -1,10 +1,7 @@
-ansible==9.5.1
-cryptography==42.0.7
-jinja2==3.1.4
+ansible==9.8.0
+# Needed for jinja2 json_query templating
 jmespath==1.0.1
-jsonschema==4.22.0
-MarkupSafe==2.1.5
-netaddr==1.2.1
-pbr==6.0.0
-ruamel.yaml==0.18.6
-ruamel.yaml.clib==0.2.8
+# Needed for ansible.utils.validate module
+jsonschema==4.23.0
+# Needed for ansible.utils.ipaddr
+netaddr==1.3.0

roles/bastion-ssh-config/molecule/default/converge.yml

@@ -12,4 +12,4 @@
         dest: "{{ ssh_bastion_confing__name }}"
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
-        mode: 0644
+        mode: "0644"

roles/bastion-ssh-config/tasks/main.yml

@@ -19,4 +19,4 @@
   template:
     src: "{{ ssh_bastion_confing__name }}.j2"
     dest: "{{ playbook_dir }}/{{ ssh_bastion_confing__name }}"
-    mode: 0640
+    mode: "0640"

roles/bootstrap-os/defaults/main.yml

@@ -11,6 +11,10 @@ coreos_locksmithd_disable: false
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true
 
+## Ubuntu specific variables
+# Disable unattended-upgrades for Linux kernel and all packages start with linux- on Ubuntu
+ubuntu_kernel_unattended_upgrades_disabled: false
+
 fedora_coreos_packages:
   - python
   - python3-libselinux

roles/bootstrap-os/tasks/centos.yml

@@ -12,7 +12,7 @@
     value: "{{ http_proxy | default(omit) }}"
     state: "{{ http_proxy | default(False) | ternary('present', 'absent') }}"
     no_extra_spaces: true
-    mode: 0644
+    mode: "0644"
   become: true
   when: not skip_http_proxy_on_os_packages
 
@@ -21,7 +21,7 @@
   get_url:
     url: https://yum.oracle.com/public-yum-ol7.repo
     dest: /etc/yum.repos.d/public-yum-ol7.repo
-    mode: 0644
+    mode: "0644"
   when:
     - use_oracle_public_repo | default(true)
     - '''ID="ol"'' in os_release.stdout_lines'
@@ -34,7 +34,7 @@
     section: "{{ item }}"
     option: enabled
     value: "1"
-    mode: 0644
+    mode: "0644"
   with_items:
     - ol7_latest
     - ol7_addons
@@ -59,7 +59,7 @@
     section: "ol{{ ansible_distribution_major_version }}_addons"
     option: "{{ item.option }}"
     value: "{{ item.value }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - { option: "name", value: "ol{{ ansible_distribution_major_version }}_addons" }
     - { option: "enabled", value: "1" }
@@ -75,18 +75,45 @@
     section: "extras"
     option: "{{ item.option }}"
     value: "{{ item.value }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - { option: "name", value: "CentOS-{{ ansible_distribution_major_version }} - Extras" }
     - { option: "enabled", value: "1" }
     - { option: "gpgcheck", value: "0" }
-    - { option: "baseurl", value: "http://mirror.centos.org/{{ 'altarch' if (ansible_distribution_major_version | int) <= 7 and ansible_architecture == 'aarch64' else 'centos' }}/{{ ansible_distribution_major_version }}/extras/$basearch/{% if ansible_distribution_major_version | int > 7 %}os/{% endif %}" }
+    - { option: "baseurl", value: "http://vault.centos.org/{{ 'altarch' if (ansible_distribution_major_version | int) <= 7 and ansible_architecture == 'aarch64' else 'centos' }}/{{ ansible_distribution_major_version }}/extras/$basearch/{% if ansible_distribution_major_version | int > 7 %}os/{% endif %}" }
   when:
     - use_oracle_public_repo | default(true)
     - '''ID="ol"'' in os_release.stdout_lines'
     - (ansible_distribution_version | float) >= 7.6
     - (ansible_distribution_version | float) < 9
 
+# CentOS 7 EOL at July 1, 2024.
+- name: Check CentOS-Base.repo exists for CentOS 7
+  stat:
+    path: /etc/yum.repos.d/CentOS-Base.repo
+  register: centos_base_repo_stat
+  when:
+    - ansible_distribution_major_version == "7"
+
+# CentOS 7 EOL at July 1, 2024.
+- name: Update CentOS 7 CentOS-Base.repo
+  when:
+    - ansible_distribution_major_version == "7"
+    - centos_base_repo_stat.stat.exists
+  become: true
+  block:
+    - name: Disable CentOS 7 mirrorlist in CentOS-Base.repo
+      replace:
+        path: "{{ centos_base_repo_stat.stat.path }}"
+        regexp: '^mirrorlist='
+        replace: '#mirrorlist='
+
+    - name: Update CentOS 7 baseurl in CentOS-Base.repo
+      replace:
+        path: "{{ centos_base_repo_stat.stat.path }}"
+        regexp: '^#baseurl=http:\/\/mirror.centos.org'
+        replace: 'baseurl=http:\/\/vault.centos.org'
+
 # CentOS ships with python installed
 
 - name: Check presence of fastestmirror.conf

roles/bootstrap-os/tasks/clearlinux.yml

@@ -7,7 +7,7 @@
     state: present
 
 - name: Make sure docker service is enabled
-  systemd:
+  systemd_service:
     name: docker
     masked: false
     enabled: true

roles/bootstrap-os/tasks/debian.yml

@@ -62,3 +62,14 @@
     - '"changed its" in bootstrap_update_apt_result.stdout'
     - '"value from" in bootstrap_update_apt_result.stdout'
   ignore_errors: true
+
+- name: Disable kernel unattended-upgrades
+  lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    insertafter: "Unattended-Upgrade::Package-Blacklist"
+    line: '"linux-";'
+    state: present
+  become: true
+  when:
+    - os_release_dict['ID'] == 'ubuntu'
+    - ubuntu_kernel_unattended_upgrades_disabled

roles/bootstrap-os/tasks/fedora.yml

@@ -17,7 +17,7 @@
     value: "{{ http_proxy | default(omit) }}"
     state: "{{ http_proxy | default(False) | ternary('present', 'absent') }}"
     no_extra_spaces: true
-    mode: 0644
+    mode: "0644"
   become: true
   when: not skip_http_proxy_on_os_packages
 

roles/bootstrap-os/tasks/flatcar.yml

@@ -26,7 +26,7 @@
     ansible_interpreter_python_fallback: "{{ ansible_interpreter_python_fallback + [ '/opt/bin/python' ] }}"
 
 - name: Disable auto-upgrade
-  systemd:
+  systemd_service:
     name: locksmithd.service
     masked: true
     state: stopped

roles/bootstrap-os/tasks/main.yml

@@ -36,7 +36,7 @@
   file:
     path: "{{ ansible_remote_tmp | default('~/.ansible/tmp') }}"
     state: directory
-    mode: 0700
+    mode: "0700"
 
 - name: Gather facts
   setup:
@@ -61,4 +61,4 @@
     state: directory
     owner: root
     group: root
-    mode: 0755
+    mode: "0755"

roles/bootstrap-os/tasks/redhat.yml

@@ -12,7 +12,7 @@
     value: "{{ http_proxy | default(omit) }}"
     state: "{{ http_proxy | default(False) | ternary('present', 'absent') }}"
     no_extra_spaces: true
-    mode: 0644
+    mode: "0644"
   become: true
   when: not skip_http_proxy_on_os_packages
 

roles/container-engine/containerd/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Containerd | restart containerd
-  systemd:
+  systemd_service:
     name: containerd
     state: restarted
     enabled: yes

roles/container-engine/containerd/tasks/main.yml

@@ -35,7 +35,7 @@
   unarchive:
     src: "{{ downloads.containerd.dest }}"
     dest: "{{ containerd_bin_dir }}"
-    mode: 0755
+    mode: "0755"
     remote_src: yes
     extra_opts:
       - --strip-components=1
@@ -60,7 +60,7 @@
   template:
     src: containerd.service.j2
     dest: /etc/systemd/system/containerd.service
-    mode: 0644
+    mode: "0644"
     validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:containerd.service'"
     # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
     # Remove once we drop support for systemd < 250
@@ -70,7 +70,7 @@
   file:
     dest: "{{ item }}"
     state: directory
-    mode: 0755
+    mode: "0755"
     owner: root
     group: root
   with_items:
@@ -83,7 +83,7 @@
   template:
     src: http-proxy.conf.j2
     dest: "{{ containerd_systemd_dir }}/http-proxy.conf"
-    mode: 0644
+    mode: "0644"
   notify: Restart containerd
   when: http_proxy is defined or https_proxy is defined
 
@@ -102,7 +102,7 @@
     content: "{{ item.value }}"
     dest: "{{ containerd_cfg_dir }}/{{ item.key }}"
     owner: "root"
-    mode: 0644
+    mode: "0644"
   with_dict: "{{ containerd_base_runtime_specs | default({}) }}"
   notify: Restart containerd
 
@@ -111,7 +111,7 @@
     src: config.toml.j2
     dest: "{{ containerd_cfg_dir }}/config.toml"
     owner: "root"
-    mode: 0640
+    mode: "0640"
   notify: Restart containerd
 
 - name: Containerd | Configure containerd registries
@@ -121,13 +121,13 @@
       file:
         path: "{{ containerd_cfg_dir }}/certs.d/{{ item.prefix }}"
         state: directory
-        mode: 0755
+        mode: "0755"
       loop: "{{ containerd_registries_mirrors }}"
     - name: Containerd | Write hosts.toml file
       template:
         src: hosts.toml.j2
         dest: "{{ containerd_cfg_dir }}/certs.d/{{ item.prefix }}/hosts.toml"
-        mode: 0640
+        mode: "0640"
       loop: "{{ containerd_registries_mirrors }}"
 
 # you can sometimes end up in a state where everything is installed
@@ -136,7 +136,7 @@
   meta: flush_handlers
 
 - name: Containerd | Ensure containerd is started and enabled
-  systemd:
+  systemd_service:
     name: containerd
     daemon_reload: yes
     enabled: yes

roles/container-engine/containerd/templates/config.toml.j2

@@ -100,9 +100,9 @@ oom_score = {{ containerd_oom_score }}
   [plugins."io.containerd.tracing.processor.v1.otlp"]
     endpoint = "{{ containerd_tracing_endpoint }}"
     protocol = "{{ containerd_tracing_protocol }}"
-    {% if containerd_tracing_protocol == "grpc" %}
+{% if containerd_tracing_protocol == "grpc" %}
     insecure = false
-    {% endif %}
+{% endif %}
   [plugins."io.containerd.internal.v1.tracing"]
     sampling_ratio = {{ containerd_tracing_sampling_ratio }}
     service_name = "{{ containerd_tracing_service_name }}"

roles/container-engine/cri-dockerd/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Cri-dockerd | reload systemd
-  systemd:
+  systemd_service:
     name: cri-dockerd
     daemon_reload: true
     masked: no

roles/container-engine/cri-dockerd/molecule/default/prepare.yml

@@ -28,7 +28,7 @@
         src: "{{ item }}"
         dest: "/tmp/{{ item }}"
         owner: root
-        mode: 0644
+        mode: "0644"
       with_items:
         - container.json
         - sandbox.json
@@ -37,12 +37,12 @@
         path: /etc/cni/net.d
         state: directory
         owner: "{{ kube_owner }}"
-        mode: 0755
+        mode: "0755"
     - name: Setup CNI
       copy:
         src: "{{ item }}"
         dest: "/etc/cni/net.d/{{ item }}"
         owner: root
-        mode: 0644
+        mode: "0644"
       with_items:
         - 10-mynet.conf

roles/container-engine/cri-dockerd/tasks/main.yml

@@ -8,7 +8,7 @@
   copy:
     src: "{{ local_release_dir }}/cri-dockerd"
     dest: "{{ bin_dir }}/cri-dockerd"
-    mode: 0755
+    mode: "0755"
     remote_src: true
   notify:
     - Restart and enable cri-dockerd
@@ -17,7 +17,7 @@
   template:
     src: "{{ item }}.j2"
     dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
+    mode: "0644"
     validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:{{ item }}'"
     # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
     # Remove once we drop support for systemd < 250

roles/container-engine/cri-o/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: CRI-O | reload systemd
-  systemd:
+  systemd_service:
     daemon_reload: true
   listen: Restart crio
 

roles/container-engine/cri-o/molecule/default/prepare.yml

@@ -33,7 +33,7 @@
         src: "{{ item }}"
         dest: "/tmp/{{ item }}"
         owner: root
-        mode: 0644
+        mode: "0644"
       with_items:
         - container.json
         - sandbox.json
@@ -42,12 +42,12 @@
         path: /etc/cni/net.d
         state: directory
         owner: "{{ kube_owner }}"
-        mode: 0755
+        mode: "0755"
     - name: Setup CNI
       copy:
         src: "{{ item }}"
         dest: "/etc/cni/net.d/{{ item }}"
         owner: root
-        mode: 0644
+        mode: "0644"
       with_items:
         - 10-mynet.conf

roles/container-engine/cri-o/tasks/main.yaml

@@ -56,27 +56,27 @@
   file:
     path: "{{ item }}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: Cri-o | install cri-o config
   template:
     src: crio.conf.j2
     dest: /etc/crio/crio.conf
-    mode: 0644
+    mode: "0644"
   register: config_install
 
 - name: Cri-o | install config.json
   template:
     src: config.json.j2
     dest: /etc/crio/config.json
-    mode: 0644
+    mode: "0644"
   register: reg_auth_install
 
 - name: Cri-o | copy binaries
   copy:
     src: "{{ local_release_dir }}/cri-o/bin/{{ item }}"
     dest: "{{ bin_dir }}/{{ item }}"
-    mode: 0755
+    mode: "0755"
     remote_src: true
   with_items:
     - "{{ crio_bin_files }}"
@@ -86,7 +86,7 @@
   copy:
     src: "{{ local_release_dir }}/cri-o/contrib/crio.service"
     dest: /etc/systemd/system/crio.service
-    mode: 0755
+    mode: "0755"
     remote_src: true
   notify: Restart crio
 
@@ -115,7 +115,7 @@
   copy:
     src: "{{ local_release_dir }}/cri-o/contrib/policy.json"
     dest: /etc/containers/policy.json
-    mode: 0755
+    mode: "0755"
     remote_src: true
   notify: Restart crio
 
@@ -123,7 +123,7 @@
   copy:
     src: mounts.conf
     dest: /etc/containers/mounts.conf
-    mode: 0644
+    mode: "0644"
   when:
     - ansible_os_family == 'RedHat'
   notify: Restart crio
@@ -133,7 +133,7 @@
     path: /etc/containers/oci/hooks.d
     state: directory
     owner: root
-    mode: 0755
+    mode: "0755"
 
 - name: Cri-o | set overlay driver
   community.general.ini_file:
@@ -141,7 +141,7 @@
     section: storage
     option: "{{ item.option }}"
     value: "{{ item.value }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - option: driver
       value: '"overlay"'
@@ -157,20 +157,20 @@
     section: storage.options.overlay
     option: mountopt
     value: '{{ ''"nodev"'' if ansible_kernel is version_compare(("4.18" if ansible_os_family == "RedHat" else "4.19"), "<") else ''"nodev,metacopy=on"'' }}'
-    mode: 0644
+    mode: "0644"
 
 - name: Cri-o | create directory registries configs
   file:
     path: /etc/containers/registries.conf.d
     state: directory
     owner: root
-    mode: 0755
+    mode: "0755"
 
 - name: Cri-o | write registries configs
   template:
     src: registry.conf.j2
     dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace(':|/', '_') }}.conf"
-    mode: 0644
+    mode: "0644"
   loop: "{{ crio_registries }}"
   notify: Restart crio
 
@@ -178,14 +178,14 @@
   template:
     src: unqualified.conf.j2
     dest: "/etc/containers/registries.conf.d/01-unqualified.conf"
-    mode: 0644
+    mode: "0644"
   notify: Restart crio
 
 - name: Cri-o | write cri-o proxy drop-in
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/crio.service.d/http-proxy.conf
-    mode: 0644
+    mode: "0644"
   notify: Restart crio
   when: http_proxy is defined or https_proxy is defined
 

roles/container-engine/cri-o/tasks/setup-amazon.yaml

@@ -20,7 +20,7 @@
     option: enabled
     value: "0"
     backup: yes
-    mode: 0644
+    mode: "0644"
   when:
     - amzn2_extras_file_stat.stat.exists
     - not amzn2_extras_docker_repo.changed

roles/container-engine/crictl/handlers/main.yml

@@ -9,4 +9,4 @@
   copy:
     dest: /etc/bash_completion.d/crictl
     content: "{{ cri_completion.stdout }}"
-    mode: 0644
+    mode: "0644"

roles/container-engine/crictl/tasks/crictl.yml

@@ -9,13 +9,13 @@
     src: crictl.yaml.j2
     dest: /etc/crictl.yaml
     owner: root
-    mode: 0644
+    mode: "0644"
 
 - name: Copy crictl binary from download dir
   copy:
     src: "{{ local_release_dir }}/crictl"
     dest: "{{ bin_dir }}/crictl"
-    mode: 0755
+    mode: "0755"
     remote_src: true
   notify:
     - Get crictl completion

roles/container-engine/crun/tasks/main.yml

@@ -8,5 +8,5 @@
   copy:
     src: "{{ downloads.crun.dest }}"
     dest: "{{ bin_dir }}/crun"
-    mode: 0755
+    mode: "0755"
     remote_src: true

roles/container-engine/docker-storage/tasks/main.yml

@@ -10,12 +10,12 @@
   template:
     src: docker-storage-setup.j2
     dest: /etc/sysconfig/docker-storage-setup
-    mode: 0644
+    mode: "0644"
 
 - name: Docker-storage-override-directory | docker service storage-setup override dir
   file:
     dest: /etc/systemd/system/docker.service.d
-    mode: 0755
+    mode: "0755"
     owner: root
     group: root
     state: directory
@@ -30,7 +30,7 @@
 
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
 
 # https://docs.docker.com/engine/installation/linux/docker-ce/centos/#install-using-the-repository
 - name: Docker-storage-setup | install lvm2

roles/container-engine/docker/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Docker | reload systemd
-  systemd:
+  systemd_service:
     name: docker
     daemon_reload: true
     masked: no

roles/container-engine/docker/tasks/main.yml

@@ -82,14 +82,14 @@
   template:
     src: "fedora_docker.repo.j2"
     dest: "{{ yum_repo_dir }}/docker.repo"
-    mode: 0644
+    mode: "0644"
   when: ansible_distribution == "Fedora" and not is_ostree
 
 - name: Configure docker repository on RedHat/CentOS/OracleLinux/AlmaLinux/KylinLinux
   template:
     src: "rh_docker.repo.j2"
     dest: "{{ yum_repo_dir }}/docker-ce.repo"
-    mode: 0644
+    mode: "0644"
   when:
     - ansible_os_family == "RedHat"
     - ansible_distribution != "Fedora"

roles/container-engine/docker/tasks/reset.yml

@@ -102,5 +102,5 @@
   ignore_errors: true  # noqa ignore-errors
 
 - name: Docker | systemctl daemon-reload  # noqa no-handler
-  systemd:
+  systemd_service:
     daemon_reload: true

roles/container-engine/docker/tasks/systemd.yml

@@ -3,13 +3,13 @@
   file:
     path: /etc/systemd/system/docker.service.d
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: Write docker proxy drop-in
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/docker.service.d/http-proxy.conf
-    mode: 0644
+    mode: "0644"
   notify: Restart docker
   when: http_proxy is defined or https_proxy is defined
 
@@ -27,7 +27,7 @@
   template:
     src: docker.service.j2
     dest: /etc/systemd/system/docker.service
-    mode: 0644
+    mode: "0644"
   register: docker_service_file
   notify: Restart docker
   when:
@@ -38,14 +38,14 @@
   template:
     src: docker-options.conf.j2
     dest: "/etc/systemd/system/docker.service.d/docker-options.conf"
-    mode: 0644
+    mode: "0644"
   notify: Restart docker
 
 - name: Write docker dns systemd drop-in
   template:
     src: docker-dns.conf.j2
     dest: "/etc/systemd/system/docker.service.d/docker-dns.conf"
-    mode: 0644
+    mode: "0644"
   notify: Restart docker
   when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
 
@@ -53,14 +53,14 @@
   copy:
     src: cleanup-docker-orphans.sh
     dest: "{{ bin_dir }}/cleanup-docker-orphans.sh"
-    mode: 0755
+    mode: "0755"
   when: docker_orphan_clean_up | bool
 
 - name: Write docker orphan clean up systemd drop-in
   template:
     src: docker-orphan-cleanup.conf.j2
     dest: "/etc/systemd/system/docker.service.d/docker-orphan-cleanup.conf"
-    mode: 0644
+    mode: "0644"
   notify: Restart docker
   when: docker_orphan_clean_up | bool
 

roles/container-engine/docker/vars/debian.yml

@@ -24,8 +24,9 @@ containerd_versioned_pkg:
   '1.6.18': "{{ containerd_package }}=1.6.18-1"
   '1.6.28': "{{ containerd_package }}=1.6.28-2"
   '1.6.31': "{{ containerd_package }}=1.6.31-1"
-  'stable': "{{ containerd_package }}=1.6.31-1"
-  'edge': "{{ containerd_package }}=1.6.31-1"
+  '1.6.32': "{{ containerd_package }}=1.6.32-1"
+  'stable': "{{ containerd_package }}=1.6.32-1"
+  'edge': "{{ containerd_package }}=1.6.32-1"
 
 # https://download.docker.com/linux/debian/
 docker_versioned_pkg:

roles/container-engine/docker/vars/fedora.yml

@@ -24,8 +24,9 @@ containerd_versioned_pkg:
   '1.6.18': "{{ containerd_package }}-1.6.18-3.1.fc{{ ansible_distribution_major_version }}"
   '1.6.28': "{{ containerd_package }}-1.6.28-3.2.fc{{ ansible_distribution_major_version }}"
   '1.6.31': "{{ containerd_package }}-1.6.31-3.1.fc{{ ansible_distribution_major_version }}"
-  'stable': "{{ containerd_package }}-1.6.31-3.1.fc{{ ansible_distribution_major_version }}"
-  'edge': "{{ containerd_package }}-1.6.31-3.1.fc{{ ansible_distribution_major_version }}"
+  '1.6.32': "{{ containerd_package }}-1.6.32-3.1.fc{{ ansible_distribution_major_version }}"
+  'stable': "{{ containerd_package }}-1.6.32-3.1.fc{{ ansible_distribution_major_version }}"
+  'edge': "{{ containerd_package }}-1.6.32-3.1.fc{{ ansible_distribution_major_version }}"
 
 # https://docs.docker.com/install/linux/docker-ce/fedora/
 # https://download.docker.com/linux/fedora/<fedora-version>/x86_64/stable/Packages/

roles/container-engine/docker/vars/kylin.yml

@@ -29,8 +29,9 @@ containerd_versioned_pkg:
   '1.6.18': "{{ containerd_package }}-1.6.18-3.1.el8"
   '1.6.28': "{{ containerd_package }}-1.6.28-3.1.el8"
   '1.6.31': "{{ containerd_package }}-1.6.31-3.1.el8"
-  'stable': "{{ containerd_package }}-1.6.31-3.1.el8"
-  'edge': "{{ containerd_package }}-1.6.31-3.1.el8"
+  '1.6.32': "{{ containerd_package }}-1.6.32-3.1.el8"
+  'stable': "{{ containerd_package }}-1.6.32-3.1.el8"
+  'edge': "{{ containerd_package }}-1.6.32-3.1.el8"
 
 # https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
 # https://download.docker.com/linux/centos/8/x86_64/stable/Packages/

roles/container-engine/docker/vars/redhat-7.yml

@@ -24,8 +24,9 @@ containerd_versioned_pkg:
   '1.6.18': "{{ containerd_package }}-1.6.18-3.1.el7"
   '1.6.28': "{{ containerd_package }}-1.6.28-3.1.el7"
   '1.6.31': "{{ containerd_package }}-1.6.31-3.1.el7"
-  'stable': "{{ containerd_package }}-1.6.31-3.1.el7"
-  'edge': "{{ containerd_package }}-1.6.31-3.1.el7"
+  '1.6.32': "{{ containerd_package }}-1.6.32-3.1.el7"
+  'stable': "{{ containerd_package }}-1.6.32-3.1.el7"
+  'edge': "{{ containerd_package }}-1.6.32-3.1.el7"
 
 # https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
 # https://download.docker.com/linux/centos/<centos_version>>/x86_64/stable/Packages/

roles/container-engine/docker/vars/redhat.yml

@@ -24,8 +24,9 @@ containerd_versioned_pkg:
   '1.6.18': "{{ containerd_package }}-1.6.18-3.1.el{{ ansible_distribution_major_version }}"
   '1.6.28': "{{ containerd_package }}-1.6.28-3.1.el{{ ansible_distribution_major_version }}"
   '1.6.31': "{{ containerd_package }}-1.6.31-3.1.el{{ ansible_distribution_major_version }}"
-  'stable': "{{ containerd_package }}-1.6.31-3.1.el{{ ansible_distribution_major_version }}"
-  'edge': "{{ containerd_package }}-1.6.31-3.1.el{{ ansible_distribution_major_version }}"
+  '1.6.32': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
+  'stable': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
+  'edge': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
 
 # https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
 # https://download.docker.com/linux/centos/<centos_version>>/x86_64/stable/Packages/

roles/container-engine/docker/vars/ubuntu.yml

@@ -24,8 +24,9 @@ containerd_versioned_pkg:
   '1.6.18': "{{ containerd_package }}=1.6.18-1"
   '1.6.28': "{{ containerd_package }}=1.6.28-2"
   '1.6.31': "{{ containerd_package }}=1.6.31-1"
-  'stable': "{{ containerd_package }}=1.6.31-1"
-  'edge': "{{ containerd_package }}=1.6.31-1"
+  '1.6.32': "{{ containerd_package }}=1.6.32-1"
+  'stable': "{{ containerd_package }}=1.6.32-1"
+  'edge': "{{ containerd_package }}=1.6.32-1"
 
 # https://download.docker.com/linux/ubuntu/
 docker_versioned_pkg:
@@ -49,8 +50,8 @@ docker_cli_versioned_pkg:
   '24.0': docker-ce-cli=5:24.0.9-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
   '26.0': docker-ce-cli=5:26.0.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
   '26.1': docker-ce-cli=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
-  'stable': docker-ce-cli=5:24.0.9-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
-  'edge': docker-ce-cli=5:24.0.9-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  'stable': docker-ce-cli=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
+  'edge': docker-ce-cli=5:26.1.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release | lower }}
 
 docker_package_info:
   pkgs:

roles/container-engine/docker/vars/uniontech.yml

@@ -21,8 +21,9 @@ containerd_versioned_pkg:
   '1.6.16': "{{ containerd_package }}-1.6.16-3.1.el{{ ansible_distribution_major_version }}"
   '1.6.18': "{{ containerd_package }}-1.6.18-3.1.el{{ ansible_distribution_major_version }}"
   '1.6.28': "{{ containerd_package }}-1.6.28-3.1.el{{ ansible_distribution_major_version }}"
-  'stable': "{{ containerd_package }}-1.6.28-3.1.el{{ ansible_distribution_major_version }}"
-  'edge': "{{ containerd_package }}-1.6.28-3.1.el{{ ansible_distribution_major_version }}"
+  '1.6.32': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
+  'stable': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
+  'edge': "{{ containerd_package }}-1.6.32-3.1.el{{ ansible_distribution_major_version }}"
 
 docker_version: 19.03
 docker_cli_version: 19.03

roles/container-engine/gvisor/molecule/default/prepare.yml

@@ -29,7 +29,7 @@
         src: "{{ item }}"
         dest: "/tmp/{{ item }}"
         owner: root
-        mode: 0644
+        mode: "0644"
       with_items:
         - container.json
         - sandbox.json
@@ -38,12 +38,12 @@
         path: /etc/cni/net.d
         state: directory
         owner: root
-        mode: 0755
+        mode: "0755"
     - name: Setup CNI
       copy:
         src: "{{ item }}"
         dest: "/etc/cni/net.d/{{ item }}"
         owner: root
-        mode: 0644
+        mode: "0644"
       with_items:
         - 10-mynet.conf

roles/container-engine/gvisor/tasks/main.yml

@@ -13,7 +13,7 @@
   copy:
     src: "{{ item.src }}"
     dest: "{{ bin_dir }}/{{ item.dest }}"
-    mode: 0755
+    mode: "0755"
     remote_src: yes
   with_items:
     - { src: "{{ downloads.gvisor_runsc.dest }}", dest: "runsc" }

roles/container-engine/kata-containers/molecule/default/prepare.yml

@@ -29,7 +29,7 @@
         src: "{{ item }}"
         dest: "/tmp/{{ item }}"
         owner: root
-        mode: 0644
+        mode: "0644"
       with_items:
         - container.json
         - sandbox.json
@@ -38,12 +38,12 @@
         path: /etc/cni/net.d
         state: directory
         owner: "{{ kube_owner }}"
-        mode: 0755
+        mode: "0755"
     - name: Setup CNI
       copy:
         src: "{{ item }}"
         dest: "/etc/cni/net.d/{{ item }}"
         owner: root
-        mode: 0644
+        mode: "0644"
       with_items:
         - 10-mynet.conf

roles/container-engine/kata-containers/tasks/main.yml

@@ -8,7 +8,7 @@
   unarchive:
     src: "{{ downloads.kata_containers.dest }}"
     dest: "/"
-    mode: 0755
+    mode: "0755"
     owner: root
     group: root
     remote_src: yes
@@ -17,13 +17,13 @@
   file:
     path: "{{ kata_containers_config_dir }}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: Kata-containers | Set configuration
   template:
     src: "{{ item }}.j2"
     dest: "{{ kata_containers_config_dir }}/{{ item }}"
-    mode: 0644
+    mode: "0644"
   with_items:
     - configuration-qemu.toml
 
@@ -33,7 +33,7 @@
   template:
     dest: "{{ kata_containers_containerd_bin_dir }}/containerd-shim-kata-{{ item }}-v2"
     src: containerd-shim-kata-v2.j2
-    mode: 0755
+    mode: "0755"
   with_items:
     - qemu
 
@@ -48,7 +48,7 @@
 - name: Kata-containers | Persist vhost kernel modules
   copy:
     dest: /etc/modules-load.d/kubespray-kata-containers.conf
-    mode: 0644
+    mode: "0644"
     content: |
       vhost_vsock
       vhost_net

roles/container-engine/nerdctl/handlers/main.yml

@@ -9,4 +9,4 @@
   copy:
     dest: /etc/bash_completion.d/nerdctl
     content: "{{ nerdctl_completion.stdout }}"
-    mode: 0644
+    mode: "0644"

roles/container-engine/nerdctl/tasks/main.yml

@@ -8,7 +8,7 @@
   copy:
     src: "{{ local_release_dir }}/nerdctl"
     dest: "{{ bin_dir }}/nerdctl"
-    mode: 0755
+    mode: "0755"
     remote_src: true
     owner: root
     group: root
@@ -21,7 +21,7 @@
   file:
     path: /etc/nerdctl
     state: directory
-    mode: 0755
+    mode: "0755"
     owner: root
     group: root
   become: true
@@ -30,7 +30,7 @@
   template:
     src: nerdctl.toml.j2
     dest: /etc/nerdctl/nerdctl.toml
-    mode: 0644
+    mode: "0644"
     owner: root
     group: root
   become: true