CNTRLPLANE-2207: Upgrade to CAPI 1.11

.codespellignore

@@ -9,4 +9,5 @@ userA
 ser
 MIs
 AfterAll
-SME
+SME
+uptodate

.golangci.yml

@@ -75,6 +75,10 @@ linters:
       - linters:
           - staticcheck
         text: 'SA1019: "github.com/aws/aws-sdk-go'
+      # cluster-api v1beta1 is deprecated but migration to v1beta2 is a separate effort
+      - linters:
+          - staticcheck
+        text: 'SA1019: "sigs.k8s.io/cluster-api/(.*)" is deprecated: This package is deprecated and is going to be removed when support for v1beta1 will be dropped.'
     paths:
       - third_party$
       - builtin$

Makefile

@@ -276,9 +276,8 @@ hypershift-api: $(CONTROLLER_GEN) $(CODE_GEN)
 .PHONY: cluster-api
 cluster-api: $(CONTROLLER_GEN)
 	rm -rf cmd/install/assets/crds/cluster-api/*.yaml
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./vendor/sigs.k8s.io/cluster-api/api/..." output:crd:artifacts:config=cmd/install/assets/crds/cluster-api
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./vendor/sigs.k8s.io/cluster-api/exp/api/..." output:crd:artifacts:config=cmd/install/assets/crds/cluster-api
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./vendor/sigs.k8s.io/cluster-api/exp/ipam/api/..." output:crd:artifacts:config=cmd/install/assets/crds/cluster-api
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./vendor/sigs.k8s.io/cluster-api/api/core/..." output:crd:artifacts:config=cmd/install/assets/crds/cluster-api
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./vendor/sigs.k8s.io/cluster-api/api/ipam/..." output:crd:artifacts:config=cmd/install/assets/crds/cluster-api
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./vendor/sigs.k8s.io/cluster-api/api/addons/..." output:crd:artifacts:config=cmd/install/assets/crds/cluster-api
 
 .PHONY: cluster-api-provider-aws

api/go.mod

@@ -27,5 +27,5 @@ require (
 	k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
 )

api/go.sum

@@ -64,7 +64,7 @@ sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5E
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.1 h1:JrhdFMqOd/+3ByqlP2I45kTOZmTRLBUm5pvRjeheg7E=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.1/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=

api/vendor/modules.txt

@@ -103,6 +103,6 @@ sigs.k8s.io/json/internal/golang/encoding/json
 ## explicit; go 1.18
 sigs.k8s.io/randfill
 sigs.k8s.io/randfill/bytesource
-# sigs.k8s.io/structured-merge-diff/v6 v6.3.1
+# sigs.k8s.io/structured-merge-diff/v6 v6.3.2
 ## explicit; go 1.23
 sigs.k8s.io/structured-merge-diff/v6/value

cmd/cluster/core/dump.go

@@ -56,7 +56,7 @@ import (
 	capikubevirt "sigs.k8s.io/cluster-api-provider-kubevirt/api/v1alpha1"
 	capiopenstackv1alpha1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1alpha1"
 	capiopenstackv1beta1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1beta1"
-	capiv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	capiv1 "sigs.k8s.io/cluster-api/api/core/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	karpenterv1 "sigs.k8s.io/karpenter/pkg/apis/v1"
 	secretsstorev1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"

cmd/install/assets/crds/assets.go

@@ -26,6 +26,28 @@ var CRDS embed.FS
 
 const capiLabel = "cluster.x-k8s.io/v1beta1"
 
+// CAPICRDOverrides configures CAPI CRDs that have both v1beta1 and v1beta2 versions.
+// These CRDs need storage version overrides and conversion webhooks.
+// Key is the CRD name (e.g., "clusters.cluster.x-k8s.io").
+// TODO(bclement): remove StorageVersion override once storage version is v1beta2.
+var CAPICRDOverrides = map[string]struct {
+	StorageVersion  string
+	NeedsConversion bool
+}{
+	"clusterclasses.cluster.x-k8s.io":                    {StorageVersion: "v1beta1", NeedsConversion: true},
+	"clusters.cluster.x-k8s.io":                          {StorageVersion: "v1beta1", NeedsConversion: true},
+	"machinedeployments.cluster.x-k8s.io":                {StorageVersion: "v1beta1", NeedsConversion: true},
+	"machinedrainrules.cluster.x-k8s.io":                 {StorageVersion: "v1beta1", NeedsConversion: true},
+	"machinehealthchecks.cluster.x-k8s.io":               {StorageVersion: "v1beta1", NeedsConversion: true},
+	"machinepools.cluster.x-k8s.io":                      {StorageVersion: "v1beta1", NeedsConversion: true},
+	"machines.cluster.x-k8s.io":                          {StorageVersion: "v1beta1", NeedsConversion: true},
+	"machinesets.cluster.x-k8s.io":                       {StorageVersion: "v1beta1", NeedsConversion: true},
+	"ipaddressclaims.ipam.cluster.x-k8s.io":              {StorageVersion: "v1beta1", NeedsConversion: true},
+	"ipaddresses.ipam.cluster.x-k8s.io":                  {StorageVersion: "v1beta1", NeedsConversion: true},
+	"clusterresourcesetbindings.addons.cluster.x-k8s.io": {StorageVersion: "v1beta1", NeedsConversion: true},
+	"clusterresourcesets.addons.cluster.x-k8s.io":        {StorageVersion: "v1beta1", NeedsConversion: true},
+}
+
 // capiResources specifies which CRDs should get labeled with capiLabel
 // to satisfy CAPI contracts. There might be a way to achieve this during CRD
 // generation, but for now we're just post-processing at runtime here.
@@ -121,5 +143,13 @@ func getCustomResourceDefinition(files embed.FS, file string) *apiextensionsv1.C
 		}
 		crd.Labels[capiLabel] = label
 	}
+
+	// Override storage version if specified in CAPICRDOverrides
+	if override, ok := CAPICRDOverrides[crd.Name]; ok && override.StorageVersion != "" {
+		for i := range crd.Spec.Versions {
+			crd.Spec.Versions[i].Storage = crd.Spec.Versions[i].Name == override.StorageVersion
+		}
+	}
+
 	return &crd
 }

cmd/install/assets/crds/cluster-api-provider-aws/infrastructure.cluster.x-k8s.io_awsclusters.yaml

@@ -2213,8 +2213,44 @@ spec:
                       CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include:
                       "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType
                       "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
-                      "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation
+                      "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot`
                     type: string
+                  cpuOptions:
+                    description: |-
+                      CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                      When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+                    minProperties: 1
+                    properties:
+                      confidentialCompute:
+                        description: |-
+                          ConfidentialCompute specifies whether confidential computing should be enabled for the instance,
+                          and, if so, which confidential computing technology to use.
+                          Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging
+                          When set to Disabled, confidential computing will be disabled for the instance.
+                          When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                          In this case, ensure the following conditions are met:
+                          1) The selected instance type supports AMD SEV-SNP.
+                          2) The selected AWS region supports AMD SEV-SNP.
+                          3) The selected AMI supports AMD SEV-SNP.
+                          More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                          When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+                          which is subject to change without notice. The current default is Disabled.
+                        enum:
+                        - Disabled
+                        - AMDEncryptedVirtualizationNestedPaging
+                        type: string
+                    type: object
+                  dynamicHostAllocation:
+                    description: |-
+                      DynamicHostAllocation enables automatic allocation of dedicated hosts.
+                      This field is mutually exclusive with HostID.
+                    properties:
+                      tags:
+                        additionalProperties:
+                          type: string
+                        description: Tags to apply to the allocated dedicated host.
+                        type: object
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.

cmd/install/assets/crds/cluster-api-provider-aws/infrastructure.cluster.x-k8s.io_awsmachinepools.yaml

@@ -1001,9 +1001,10 @@ spec:
                         type: array
                     type: object
                   version:
-                    default: "2.3"
-                    description: Version defines which version of Ignition will be
-                      used to generate bootstrap data.
+                    description: |-
+                      Version defines which version of Ignition will be used to generate bootstrap data.
+                      Defaults to `2.3` if storageType is set to `ClusterObjectStore`.
+                      It will be ignored if storageType is set to `UnencryptedUserData`, as the userdata defines its own version.
                     enum:
                     - "2.3"
                     - "3.0"

cmd/install/assets/crds/cluster-api-provider-aws/infrastructure.cluster.x-k8s.io_awsmachines.yaml

@@ -657,7 +657,7 @@ spec:
                   CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include:
                   "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType
                   "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
-                  "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation
+                  "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot`
                 type: string
               cloudInit:
                 description: |-
@@ -692,6 +692,44 @@ spec:
                     - ssm-parameter-store
                     type: string
                 type: object
+              cpuOptions:
+                description: |-
+                  CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                  When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+                minProperties: 1
+                properties:
+                  confidentialCompute:
+                    description: |-
+                      ConfidentialCompute specifies whether confidential computing should be enabled for the instance,
+                      and, if so, which confidential computing technology to use.
+                      Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging
+                      When set to Disabled, confidential computing will be disabled for the instance.
+                      When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                      In this case, ensure the following conditions are met:
+                      1) The selected instance type supports AMD SEV-SNP.
+                      2) The selected AWS region supports AMD SEV-SNP.
+                      3) The selected AMI supports AMD SEV-SNP.
+                      More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                      When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+                      which is subject to change without notice. The current default is Disabled.
+                    enum:
+                    - Disabled
+                    - AMDEncryptedVirtualizationNestedPaging
+                    type: string
+                type: object
+              dynamicHostAllocation:
+                description: |-
+                  DynamicHostAllocation enables automatic allocation of a single dedicated host.
+                  This field is mutually exclusive with HostID and always allocates exactly one host.
+                  Cost effectiveness of allocating a single instance on a dedicated host may vary
+                  depending on the instance type and the region.
+                properties:
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Tags to apply to the allocated dedicated host.
+                    type: object
+                type: object
               elasticIpPool:
                 description: ElasticIPPool is the configuration to allocate Public
                   IPv4 address (Elastic IP/EIP) from user-defined pool.
@@ -722,18 +760,22 @@ spec:
                       rule: self in ['none','amazon-pool']
                 type: object
               hostAffinity:
+                default: host
                 description: |-
                   HostAffinity specifies the dedicated host affinity setting for the instance.
-                  When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped.
-                  When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host.
+                  When HostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped.
+                  When HostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host.
                   When HostAffinity is defined, HostID is required.
                 enum:
                 - default
                 - host
                 type: string
               hostID:
-                description: HostID specifies the Dedicated Host on which the instance
-                  must be started.
+                description: |-
+                  HostID specifies the Dedicated Host on which the instance must be started.
+                  This field is mutually exclusive with DynamicHostAllocation.
+                maxLength: 19
+                pattern: ^h-[0-9a-f]{17}$
                 type: string
               iamInstanceProfile:
                 description: IAMInstanceProfile is a name of an IAM instance profile
@@ -822,9 +864,10 @@ spec:
                         type: array
                     type: object
                   version:
-                    default: "2.3"
-                    description: Version defines which version of Ignition will be
-                      used to generate bootstrap data.
+                    description: |-
+                      Version defines which version of Ignition will be used to generate bootstrap data.
+                      Defaults to `2.3` if storageType is set to `ClusterObjectStore`.
+                      It will be ignored if storageType is set to `UnencryptedUserData`, as the userdata defines its own version.
                     enum:
                     - "2.3"
                     - "3.0"
@@ -1137,8 +1180,12 @@ spec:
                     type: string
                 type: object
               tenancy:
-                description: Tenancy indicates if instance should run on shared or
-                  single-tenant hardware.
+                description: |-
+                  Tenancy indicates if instance should run on shared or single-tenant hardware.
+                  When Tenancy=host, AWS will attempt to find a suitable host from:
+                  - Preexisting allocated hosts that have auto-placement enabled
+                  - A specific host ID, if configured
+                  - Allocating a new dedicated host if DynamicHostAllocation is configured
                 enum:
                 - default
                 - dedicated
@@ -1241,6 +1288,17 @@ spec:
                   - type
                   type: object
                 type: array
+              dedicatedHost:
+                description: |-
+                  DedicatedHost tracks the dynamically allocated dedicated host.
+                  This field is populated when DynamicHostAllocation is used.
+                properties:
+                  id:
+                    description: |-
+                      ID tracks the dynamically allocated dedicated host ID.
+                      This field is populated when DynamicHostAllocation is used.
+                    type: string
+                type: object
               failureMessage:
                 description: |-
                   FailureMessage will be set in the event that there is a terminal problem