Merge https://github.com/kubernetes-sigs/cluster-api:v1.13.3 (cf0f6c0) into main

.dockerignore

@@ -58,4 +58,4 @@ go.work.sum
 **/.DS_Store
 **/*.swp
 
-tmp/
+tmp/

.github/workflows/pr-md-link-check.yaml

@@ -14,7 +14,7 @@ jobs:
     name: Broken Links
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
     - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # tag=1.0.17
       with:
         use-quiet-mode: 'yes'

.github/workflows/release.yaml

@@ -17,12 +17,12 @@ jobs:
       release_tag: ${{ steps.release-version.outputs.release_version }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
         with:
           fetch-depth: 0
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # tag=v47.0.0
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # tag=v47.0.5
       - name: Get release version
         id: release-version
         run: |
@@ -88,14 +88,14 @@ jobs:
         env:
           RELEASE_TAG: ${{needs.push_release_tags.outputs.release_tag}}
       - name: checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
         with:
           fetch-depth: 0
           ref: ${{ env.RELEASE_TAG }}
       - name: Calculate go version
         run: echo "go_version=$(make go-version)" >> $GITHUB_ENV
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # tag=v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
         with:
           go-version: ${{ env.go_version }}
       - name: generate release artifacts
@@ -106,7 +106,7 @@ jobs:
           curl -L "https://raw.githubusercontent.com/${{ github.repository }}/main/CHANGELOG/${{ env.RELEASE_TAG }}.md" \
           -o "${{ env.RELEASE_TAG }}.md"
       - name: Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # tag=v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # tag=v2.6.1
         with:
           draft: true
           files: out/*

.github/workflows/weekly-md-link-check.yaml

@@ -14,10 +14,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        branch: [ main, release-1.11, release-1.10, release-1.9 ]
+        branch: [ main, release-1.12, release-1.11 ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
         with:
           ref: ${{ matrix.branch }}
       - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # tag=1.0.17

.github/workflows/weekly-security-scan.yaml

@@ -13,19 +13,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        branch: [ main, release-1.11, release-1.10, release-1.9 ]
+        branch: [ main, release-1.12, release-1.11 ]
     name: Trivy
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
       with:
         ref: ${{ matrix.branch }}
     - name: Calculate go version
       id: vars
       run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
     - name: Set up Go
-      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # tag=v6.1.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
       with:
         go-version: ${{ steps.vars.outputs.go_version }}
     - name: Run verify security target

.github/workflows/weekly-test-release.yaml

@@ -17,10 +17,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        branch: [ main, release-1.11, release-1.10, release-1.9 ]
+        branch: [ main, release-1.12, release-1.11 ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
         with:
           ref: ${{ matrix.branch }}
           fetch-depth: 0
@@ -32,7 +32,7 @@ jobs:
       - name: Calculate go version
         run: echo "go_version=$(make go-version)" >> $GITHUB_ENV
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # tag=v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
         with:
           go-version: ${{ env.go_version }}
       - name: Test release

.golangci-kal.yml

@@ -1,6 +1,6 @@
 version: "2"
 run:
-  go: "1.24"
+  go: "1.25"
   allow-parallel-runners: true
 linters:
   default: none
@@ -75,8 +75,6 @@ linters:
     paths:
       - zz_generated.*\.go$
       - vendored_openapi\.go$
-      # We don't want to invest time to fix new linter findings in old API types.
-      - internal/api/.*
       - ".*_test.go"  # Exclude test files.
     rules:
     ## KAL should only run on API folders.

.golangci.yml

@@ -1,7 +1,7 @@
 version: "2"
 run:
   timeout: 10m
-  go: "1.24"
+  go: "1.25"
   build-tags:
     - tools
     - e2e
@@ -115,37 +115,21 @@ linters:
         - pkg: sigs.k8s.io/controller-runtime
           alias: ctrl
         # CABPK
-        - pkg: sigs.k8s.io/cluster-api/internal/api/bootstrap/kubeadm/v1alpha3
-          alias: bootstrapv1alpha3
-        - pkg: sigs.k8s.io/cluster-api/internal/api/bootstrap/kubeadm/v1alpha4
-          alias: bootstrapv1alpha4
         - pkg: sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta1
           alias: bootstrapv1beta1
         - pkg: sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta2
           alias: bootstrapv1
         # KCP
-        - pkg: sigs.k8s.io/cluster-api/internal/api/controlplane/kubeadm/v1alpha3
-          alias: controlplanev1alpha3
-        - pkg: sigs.k8s.io/cluster-api/internal/api/controlplane/kubeadm/v1alpha4
-          alias: controlplanev1alpha4
         - pkg: sigs.k8s.io/cluster-api/api/controlplane/kubeadm/v1beta1
           alias: controlplanev1beta1
         - pkg: sigs.k8s.io/cluster-api/api/controlplane/kubeadm/v1beta2
           alias: controlplanev1
         # CAPI
-        - pkg: sigs.k8s.io/cluster-api/internal/api/core/v1alpha3
-          alias: clusterv1alpha3
-        - pkg: sigs.k8s.io/cluster-api/internal/api/core/v1alpha4
-          alias: clusterv1alpha4
         - pkg: sigs.k8s.io/cluster-api/api/core/v1beta1
           alias: clusterv1beta1
         - pkg: sigs.k8s.io/cluster-api/api/core/v1beta2
           alias: clusterv1
         # CAPI exp addons
-        - pkg: sigs.k8s.io/cluster-api/internal/api/addons/v1alpha3
-          alias: addonsv1alpha3
-        - pkg: sigs.k8s.io/cluster-api/internal/api/addons/v1alpha4
-          alias: addonsv1alpha4
         - pkg: sigs.k8s.io/cluster-api/api/addons/v1beta1
           alias: addonsv1beta1
         - pkg: sigs.k8s.io/cluster-api/api/addons/v1beta2
@@ -185,22 +169,14 @@ linters:
           alias: topologynames
         - pkg: sigs.k8s.io/cluster-api/internal/util/client
           alias: "clientutil"
-        - pkg: sigs.k8s.io/cluster-api/internal/util/controller
+        - pkg: sigs.k8s.io/cluster-api/util/controller
           alias: "capicontrollerutil"
         # CAPD
-        - pkg: sigs.k8s.io/cluster-api/test/infrastructure/docker/api/v1alpha3
-          alias: infrav1alpha3
-        - pkg: sigs.k8s.io/cluster-api/test/infrastructure/docker/api/v1alpha4
-          alias: infrav1alpha4
         - pkg: sigs.k8s.io/cluster-api/test/infrastructure/docker/api/v1beta1
           alias: infrav1beta1
         - pkg: sigs.k8s.io/cluster-api/test/infrastructure/docker/api/v1beta2
           alias: infrav1
         # CAPD exp
-        - pkg: sigs.k8s.io/cluster-api/test/infrastructure/docker/exp/api/v1alpha3
-          alias: infraexpv1alpha3
-        - pkg: sigs.k8s.io/cluster-api/test/infrastructure/docker/exp/api/v1alpha4
-          alias: infraexpv1alpha4
         - pkg: sigs.k8s.io/cluster-api/test/infrastructure/docker/exp/api/v1beta1
           alias: infraexpv1beta1
         - pkg: sigs.k8s.io/cluster-api/test/infrastructure/docker/exp/api/v1beta2
@@ -246,13 +222,12 @@ linters:
     paths:
       - zz_generated.*\.go$
       - vendored_openapi\.go$
-      - internal/api/.*
     rules:
     # Specific exclude rules for deprecated fields that are still part of the codebase. These
     # should be removed as the referenced deprecated item is removed from the project.
       - linters:
           - staticcheck
-        text: 'SA1019: (bootstrapv1.ClusterStatus|DockerMachine.Spec.Bootstrapped|machineStatus.Bootstrapped|dockerMachine.Spec.Backend.Docker.Bootstrapped|dockerMachine.Spec.Bootstrapped|devMachine.Spec.Backend.Docker.Bootstrapped|clusterv1.ClusterClassVariableMetadata|clusterv1beta1.ClusterClassVariableMetadata|(variable|currentDefinition|specVar|newVariableDefinition|statusVarDefinition|out).DeprecatedV1Beta1Metadata) is deprecated'
+        text: 'SA1019: (bootstrapv1.ClusterStatus|DockerMachine.Spec.Bootstrapped|machineStatus.Bootstrapped|dockerMachine.Spec.Backend.Docker.Bootstrapped|dockerMachine.Spec.Bootstrapped|devMachine.Spec.Backend.Docker.Bootstrapped|clusterv1.ClusterClassVariableMetadata|(variable|currentDefinition|specVar|newVariableDefinition|statusVarDefinition|out).DeprecatedV1Beta1Metadata) is deprecated'
         # Deprecations for MHC MaxUnhealthy, UnhealthyRange
       - linters:
           - staticcheck
@@ -267,13 +242,17 @@ linters:
         text: 'SA1019: .* is deprecated: This package is deprecated and is going to be removed when support for v1beta1 will be dropped.'
         # Specific exclude rules for deprecated types that are still part of the codebase. These
         # should be removed as the referenced deprecated types are removed from the project.
+        # v1Beta1 deprecated fields/types
       - linters:
           - staticcheck
-        text: 'SA1019: (clusterv1alpha3.*|clusterv1alpha4.*) is deprecated: This type will be removed in one of the next releases.'
-        # v1Beta1 deprecated fields
+        text: 'SA1019: .*\.Deprecated\.V1Beta1.* is deprecated'
+        # Docker resources are marked as deprecated.
       - linters:
           - staticcheck
-        text: 'SA1019: .*\.Deprecated\.V1Beta1.* is deprecated'
+        text: 'SA1019: .*Docker.* is deprecated: .* Use Dev.* instead\.'
+      - linters:
+          - staticcheck
+        text: 'SA1019: clusterv1\.(Condition|Conditions|ConditionSeverity|ConditionType) is deprecated'
       # TODO: var-naming: avoid meaningless package names by revive
       #   * test/infrastructure/docker/internal/docker/types/
       #   * bootstrap/kubeadm/types/
@@ -293,6 +272,10 @@ linters:
       - linters:
           - errcheck
         text: Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv). is not checked
+        # deprecated feature gates
+      - linters:
+          - staticcheck
+        text: 'SA1019: feature.MachineWaitForVolumeDetachConsiderVolumeAttachments is deprecated'
         # v1beta1 deprecated util packages
       - linters:
           - staticcheck
@@ -306,6 +289,10 @@ linters:
           - importas
         text: 'imported as ".*" but must be ".*" according to config'
         path: util/deprecated/v1beta1/.*\.go$
+      # Excludes for controller-runtime deprecations that we should migrate away from sooner or later
+      - linters:
+          - staticcheck
+        text: 'SA1019: (env|mgr).GetEventRecorderFor is deprecated'
         # Exclude some packages or code to require comments, for example test code, or fake clients.
       - linters:
           - revive
@@ -443,5 +430,3 @@ formatters:
     paths:
       - zz_generated.*\.go$
       - vendored_openapi\.go$
-      # We don't want to invest time to fix new linter findings in old API types.
-      - internal/api/.*

CHANGELOG/v1.10.10.md

@@ -0,0 +1,27 @@
+## 👌 Kubernetes version support
+
+- Management Cluster: v1.28.x -> v1.33.x
+- Workload Cluster: v1.26.x -> v1.33.x
+
+[More information about version support can be found here](https://cluster-api.sigs.k8s.io/reference/versions.html)
+
+## Changes since v1.10.9
+## :chart_with_upwards_trend: Overview
+- 1 new commit merged
+- 1 bug fixed 🐛
+
+## :bug: Bug Fixes
+- Runtime SDK: Improve client cert/key rotation of the RuntimeSDK client (#13215)
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+_Nothing has changed._
+
+### Removed
+_Nothing has changed._
+
+_Thanks to all our contributors!_ 😊

CHANGELOG/v1.10.9.md

@@ -0,0 +1,38 @@
+## 👌 Kubernetes version support
+
+- Management Cluster: v1.28.x -> v1.33.x
+- Workload Cluster: v1.26.x -> v1.33.x
+
+[More information about version support can be found here](https://cluster-api.sigs.k8s.io/reference/versions.html)
+
+## Changes since v1.10.8
+## :chart_with_upwards_trend: Overview
+- 10 new commits merged
+- 1 bug fixed 🐛
+
+## :bug: Bug Fixes
+- ClusterClass: Do not overwrite global http.DefaultClient TLSConfig (#13061)
+
+## :seedling: Others
+- CI: Ignore CVE-2025-47914 & CVE-2025-58181 in trivy scans (#13038)
+- Dependency: [release-1.10] Bump Go to v1.24.11 (#13132)
+- Dependency: Also set godebug on modules (#12967)
+- Dependency: Bump Go to v1.24.10 (#12964)
+- Dependency: Bump Go version to 1.24.9 (#12945)
+- e2e: Skip test using outdated docker client (#13129)
+- e2e: Temporarily disable KAL in CI (#13128)
+- e2e: Use crane to pre-pull images instead of docker pull (#13131)
+- Runtime SDK: Add httpClientCache to runtime client (#13084)
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+_Nothing has changed._
+
+### Removed
+_Nothing has changed._
+
+_Thanks to all our contributors!_ 😊