NO-JIRA: Sync main with latest upstream (release-1.35)

Dockerfile

@@ -14,19 +14,19 @@
 ##                               BUILD ARGS                                   ##
 ################################################################################
 # This build arg allows the specification of a custom Golang image.
-ARG GOLANG_IMAGE=golang:1.25.1
+ARG GOLANG_IMAGE=golang:1.25.5
 
 # The distroless image on which the CPI manager image is built.
 #
 # Please do not use "latest". Explicit tags should be used to provide
 # deterministic builds. Follow what kubernetes uses to build
 # kube-controller-manager, for example for 1.27.x:
 # https://github.com/kubernetes/kubernetes/blob/release-1.27/build/common.sh#L99
-ARG DISTROLESS_IMAGE=registry.k8s.io/build-image/go-runner:v2.4.0-go1.25.1-bookworm.0
+ARG DISTROLESS_IMAGE=registry.k8s.io/build-image/go-runner:v2.4.0-go1.25.5-bookworm.0
 
 # We use Alpine as the source for default CA certificates and some output
 # images
-ARG ALPINE_IMAGE=alpine:3.22.1
+ARG ALPINE_IMAGE=alpine:3.23.2
 
 # cinder-csi-plugin uses Debian as a base image
 ARG DEBIAN_IMAGE=registry.k8s.io/build-image/debian-base:bookworm-v1.0.6

charts/cinder-csi-plugin/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: v1.34.0
+appVersion: v1.35.0
 description: Cinder CSI Chart for OpenStack
 name: openstack-cinder-csi
-version: 2.34.0
+version: 2.35.0
 home: https://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml

@@ -23,6 +23,8 @@ spec:
       serviceAccount: csi-cinder-node-sa
       hostNetwork: true
       dnsPolicy: {{ .Values.csi.plugin.nodePlugin.dnsPolicy }}
+      securityContext:
+        {{- toYaml .Values.csi.plugin.nodePlugin.podSecurityContext | nindent 8 }}
       containers:
         - name: node-driver-registrar
           securityContext:

charts/cinder-csi-plugin/values.yaml

@@ -25,7 +25,7 @@ csi:
   snapshotter:
     image:
       repository: registry.k8s.io/sig-storage/csi-snapshotter
-      tag: v8.3.0
+      tag: v8.4.0
       pullPolicy: IfNotPresent
     resources: {}
     extraArgs: {}

charts/manila-csi-plugin/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: v1.34.0
+appVersion: v1.35.0
 description: Manila CSI Chart for OpenStack
 name: openstack-manila-csi
-version: 2.34.0
+version: 2.35.0
 home: http://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/manila-csi-plugin/values.yaml

@@ -100,7 +100,7 @@ controllerplugin:
   snapshotter:
     image:
       repository: registry.k8s.io/sig-storage/csi-snapshotter
-      tag: v8.3.0
+      tag: v8.4.0
       pullPolicy: IfNotPresent
     resources: {}
     extraEnv: []

charts/openstack-cloud-controller-manager/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: v1.34.0
+appVersion: v1.35.0
 description: Openstack Cloud Controller Manager Helm Chart
 icon: https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/OpenStack-Logo-Vertical.png
 home: https://github.com/kubernetes/cloud-provider-openstack
 name: openstack-cloud-controller-manager
-version: 2.34.0
+version: 2.35.0
 maintainers:
   - name: eumel8
     email: f.kloeker@telekom.de

charts/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml

@@ -10,7 +10,7 @@ metadata:
     {{- end }}
 subjects:
 - kind: User
-  name: system:serviceaccount:{{ .Release.Namespace }}:{{ include "occm.name" . }}
+  name: system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccountName }}
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole

charts/openstack-cloud-controller-manager/templates/daemonset.yaml

@@ -46,6 +46,10 @@ spec:
       containers:
         - name: openstack-cloud-controller-manager
           image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           args:
             - /bin/openstack-cloud-controller-manager
             - --v={{ .Values.logVerbosityLevel }}

charts/openstack-cloud-controller-manager/values.yaml

@@ -74,6 +74,16 @@ podSecurityContext:
   # seccompProfile:
   #   type: RuntimeDefault
 
+# Set security settings for the controller container
+# For all available options, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core
+securityContext: {}
+# securityContext:
+#   capabilities:
+#     drop:
+#     - ALL
+#   readOnlyRootFilesystem: true
+#   allowPrivilegeEscalation: false
+
 # List of controllers should be enabled.
 # Use '*' to enable all controllers.
 # Prefix a controller with '-' to disable it.

docs/cinder-csi-plugin/multi-region-clouds.md

@@ -167,7 +167,7 @@ spec:
       - name: liveness-probe
         ...
       - name: cinder-csi-plugin
-        image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.34.1
+        image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0
         args:
         - /bin/cinder-csi-plugin
         - --endpoint=$(CSI_ENDPOINT)
@@ -217,7 +217,7 @@ spec:
       - name: liveness-probe
         ...
       - name: cinder-csi-plugin
-        image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.34.1
+        image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0
         args:
         - /bin/cinder-csi-plugin
         - --endpoint=$(CSI_ENDPOINT)
@@ -283,7 +283,7 @@ spec:
         - Topology=true
         ...
       - name: cinder-csi-plugin
-        image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.34.1
+        image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0
         args:
         - /bin/cinder-csi-plugin
         - --endpoint=$(CSI_ENDPOINT)

docs/keystone-auth/using-keystone-webhook-authenticator-and-authorizer.md

@@ -252,7 +252,7 @@ it as a service. There are several things we need to notice in the
 deployment manifest:
 
 - We are using image
-  `registry.k8s.io/provider-os/k8s-keystone-auth:v1.34.1`
+  `registry.k8s.io/provider-os/k8s-keystone-auth:v1.35.0`
 - We use `k8s-auth-policy` configmap created above.
 - The pod uses service account `keystone-auth` created above.
 - We use `keystone-auth-certs` secret created above to inject the

docs/magnum-auto-healer/using-magnum-auto-healer.md

@@ -73,7 +73,7 @@ user_id=ceb61464a3d341ebabdf97d1d4b97099
 user_project_id=b23a5e41d1af4c20974bf58b4dff8e5a
 password=password
 region=RegionOne
-image=registry.k8s.io/provider-os/magnum-auto-healer:v1.34.1
+image=registry.k8s.io/provider-os/magnum-auto-healer:v1.35.0
 
 cat <<EOF | kubectl apply -f -
 ---

docs/manila-csi-plugin/using-manila-csi-plugin.md

@@ -71,6 +71,7 @@ Parameter | Required | Description
 ----------|----------|------------
 `shareID` | if `shareName` is not given | The UUID of the share
 `shareName` | if `shareID` is not given | The name of the share
+`shareAccessID` | _no_ | The UUID of the access rule for the share. This parameter is being deprecated and replaced by `shareAccessIDs`.
 `shareAccessIDs` | _yes_ | Comma separated UUIDs of access rules for the share
 `cephfs-mounter` | _no_ | Relevant for CephFS Manila shares. Specifies which mounting method to use with the CSI CephFS driver. Available options are `kernel` and `fuse`, defaults to `fuse`. See [CSI CephFS docs](https://github.com/ceph/ceph-csi/blob/csi-v1.0/docs/deploy-cephfs.md#configuration) for further information.
 `cephfs-kernelMountOptions` | _no_ | Relevant for CephFS Manila shares. Specifies mount options for CephFS kernel client. See [CSI CephFS docs](https://github.com/ceph/ceph-csi/blob/csi-v1.0/docs/deploy-cephfs.md#configuration) for further information.

docs/octavia-ingress-controller/using-octavia-ingress-controller.md

@@ -172,7 +172,7 @@ Here are several other config options are not included in the example configurat
 ### Deploy octavia-ingress-controller
 
 ```shell
-image="registry.k8s.io/provider-os/octavia-ingress-controller:v1.34.1"
+image="registry.k8s.io/provider-os/octavia-ingress-controller:v1.35.0"
 
 cat <<EOF > /etc/kubernetes/octavia-ingress-controller/deployment.yaml
 ---

docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md

@@ -156,6 +156,8 @@ The options in `Global` section are used for openstack-cloud-controller-manager
   The secret of an application credential to authenticate with.
 * `tls-insecure`
   If set to `true`, then the server’s certificate will not be verified. Default is `false`.
+* `token`
+  Keystone token.
 
 ###  Networking
 
@@ -265,6 +267,12 @@ Although the openstack-cloud-controller-manager was initially implemented with N
   node-selector="env, region=default"
   ```
 
+  See also the Kubernetes [`node.kubernetes.io/exclude-from-external-load-balancers`](https://kubernetes.io/docs/reference/labels-annotations-taints/#node-kubernetes-io-exclude-from-external-load-balancers) label. When this label is set to `true`, the node is excluded from the LoadBalancer pool.
+
+  This label also triggers the Cloud Controller Manager to execute the `EnsureLoadBalancer` method to reconcile the LoadBalancer. If a node was already part of the cluster and its label was later modified after the service's `node-selector` annotation was changed, you can explicitly assign `node.kubernetes.io/exclude-from-external-load-balancers=false` (the `false` value is supported starting from Kubernetes v1.34) label to a node to force the Cloud Controller Manager to reconcile the LoadBalancer pool.
+
+  For example, if a service has `node-selector="env=production"` and a node is labeled `env=development`, updating the node's label to `env=production` will not automatically add it to the LoadBalancer pool. In such cases, setting `node.kubernetes.io/exclude-from-external-load-balancers=false` label to the node ensures that the Cloud Controller Manager re-evaluates the node's eligibility and updates the LoadBalancer configuration accordingly.
+
 * `cascade-delete`
   Determines whether or not to perform cascade deletion of load balancers. Default: true.
 
@@ -317,7 +325,7 @@ Although the openstack-cloud-controller-manager was initially implemented with N
   call](https://docs.openstack.org/api-ref/load-balancer/v2/?expanded=create-a-load-balancer-detail#creating-a-fully-populated-load-balancer).
   Setting this option to true will create loadbalancers using serial API calls which first create an unpopulated
   loadbalancer, then populate its listeners, pools and members. This is a compatibility option at the expense of
-  increased load on the OpenStack API. Default: false 
+  increased load on the OpenStack API. Default: false
 
 NOTE:
 

examples/webhook/keystone-deployment.yaml

@@ -18,7 +18,7 @@ spec:
       serviceAccountName: k8s-keystone
       containers:
         - name: k8s-keystone-auth
-          image: registry.k8s.io/provider-os/k8s-keystone-auth:v1.34.1
+          image: registry.k8s.io/provider-os/k8s-keystone-auth:v1.35.0
           args:
             - ./bin/k8s-keystone-auth
             - --tls-cert-file