* Add optional NAT support in calico router mode

* Add a blank line in front of lists

* Remove mutual exclusivity: NAT and router mode

* Ignore router mode from NAT

* Update calico doc

Signed-off-by: cleverhu <shouping.hu@daocloud.io>

Signed-off-by: cleverhu <shouping.hu@daocloud.io>

* WIP: sometimes,we not run etcd

* fix ansible lint

* like calico(kdd) cni, no need run etcd

* add retries for restart of kube-apiserver

* change var name

Signed-off-by: hang.jiang <hang.jiang@daocloud.io>

Signed-off-by: hang.jiang <hang.jiang@daocloud.io>

* feat: add kubelet systemd service hardening option

* refactor: move variable name to kubelet_secure_addresses

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* docs: add diagram about kubelet_secure_addresses variable

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* fix-kube-vip-strict-arp

* fix-kube-vip-strict-arp

It seems that PR #8839 broke `calico_datastore: etcd` when it removed ipamconfig support for etcd mode.

This PR fixes some failing tasks when `calico_datastore == etcd`, but it does not restore ipamconfig support for calico in etcd mode. If someone wants to restore ipamconfig support for `calico_datastore: etcd` please submit a follow up PR for that.

* cri-dockerd: add restart of docker.service

* remove enabling of cri-dockerd.socket

For the following configuration

```
    containerd_insecure_registries:
      docker.io:
        - dockerhubcache.example.com
```

the rendered /etc/containerd/config.toml contains

```
        [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls]
          insecure_skip_verify = true
```

but it needs to be

```
        [plugins."io.containerd.grpc.v1.cri".registry.configs."dockerhubcache.example.com".tls]
          insecure_skip_verify = true
```

* 🌱 Enable cri-dockerd service

* 🔨 Fix the task name in order to pass the CI tests

See #9035

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration

* Add 'flush ip6tables' task in reset role 

If enable_dual_stack_networks is set to true and ip6 is defined，ip6tables will be created. But when reset the kubernetes cluster, kubespray doesn't flush ip6tables.

* [CI] fix molecule tests on opensuse by upgrading to 15.4 (#9175)

* [CI] fix molecule tests on opensuse by upgrading to 15.4

* [opensuse] use correct python crytography package name depending on distribution version

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* Disable DNSStubListener for Flatcar Linux

* Fix missing "Flatcar" condition of os_family

* Include missing azuredisk rbac manifest

* Remove missing azure csi manifest

* Remove invalid reference mount to waagent settings

* Use cloud-config secret instead of /etc/kubernetes/cloud_config file

* update calico rr

* fix bgppeer conf

* fix yamllint

* fix ansible lint

* fix calico deploy

* fix yamllint

* fix some typo

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

This condition blocks the creation of the `etcd` user in certain conditions.
Specifically, when you have a `etcd_deployment_type: kubeadm` and `kube_owner: root`.
Being the `root` user already present on the system, this will not be a problem (due to the idempotency of ansible).

* [CI] fix molecule tests on opensuse by upgrading to 15.4

* [opensuse] use correct python crytography package name depending on distribution version

when ingress-nginx is deployes without a class, we need to use 'ingress-controller-leader' resource instead of the default 'ingress-controller-leader-nginx' (#9156)