From e8d11fe615be4d12a9cca8b798b1c8d27da7a161 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Wed, 16 Nov 2022 18:09:23 +0000
Subject: [PATCH 01/87] Update e2e components to v1.2.5

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 test/e2e/clusterctl_upgrade_test.go |  4 ++--
 test/e2e/config/docker.yaml         | 16 ++++++++--------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/test/e2e/clusterctl_upgrade_test.go b/test/e2e/clusterctl_upgrade_test.go
index 39e90acfd514..33996b2c5ed2 100644
--- a/test/e2e/clusterctl_upgrade_test.go
+++ b/test/e2e/clusterctl_upgrade_test.go
@@ -66,7 +66,7 @@ var _ = Describe("When testing clusterctl upgrades (v1.2=>current)", func() {
 			BootstrapClusterProxy:     bootstrapClusterProxy,
 			ArtifactFolder:            artifactFolder,
 			SkipCleanup:               skipCleanup,
-			InitWithBinary:            "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.2/clusterctl-{OS}-{ARCH}",
+			InitWithBinary:            "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.5/clusterctl-{OS}-{ARCH}",
 			InitWithProvidersContract: "v1beta1",
 			InitWithKubernetesVersion: "v1.25.0",
 		}
@@ -81,7 +81,7 @@ var _ = Describe("When testing clusterctl upgrades using ClusterClass (v1.2=>cur
 			BootstrapClusterProxy:     bootstrapClusterProxy,
 			ArtifactFolder:            artifactFolder,
 			SkipCleanup:               skipCleanup,
-			InitWithBinary:            "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.2/clusterctl-{OS}-{ARCH}",
+			InitWithBinary:            "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.5/clusterctl-{OS}-{ARCH}",
 			InitWithProvidersContract: "v1beta1",
 			InitWithKubernetesVersion: "v1.25.0",
 			WorkloadFlavor:            "topology",
diff --git a/test/e2e/config/docker.yaml b/test/e2e/config/docker.yaml
index 8ee83c2d5c21..f8aebbb1e018 100644
--- a/test/e2e/config/docker.yaml
+++ b/test/e2e/config/docker.yaml
@@ -49,8 +49,8 @@ providers:
       new: --metrics-addr=:8080
     files:
     - sourcePath: "../data/shared/v1alpha4/metadata.yaml"
-  - name: v1.2.2 # latest published release in the v1beta1 series; this is used for v1beta1 --> main clusterctl upgrades test only.
-    value: "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.2/core-components.yaml"
+  - name: v1.2.5 # latest published release in the v1beta1 series; this is used for v1beta1 --> main clusterctl upgrades test only.
+    value: "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.5/core-components.yaml"
     type: "url"
     contract: v1beta1
     replacements:
@@ -87,8 +87,8 @@ providers:
       new: --metrics-addr=:8080
     files:
     - sourcePath: "../data/shared/v1alpha4/metadata.yaml"
-  - name: v1.2.2 # latest published release in the v1beta1 series; this is used for v1beta1 --> main clusterctl upgrades test only.
-    value: "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.2/bootstrap-components.yaml"
+  - name: v1.2.5 # latest published release in the v1beta1 series; this is used for v1beta1 --> main clusterctl upgrades test only.
+    value: "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.5/bootstrap-components.yaml"
     type: "url"
     contract: v1beta1
     replacements:
@@ -125,8 +125,8 @@ providers:
       new: --metrics-addr=:8080
     files:
     - sourcePath: "../data/shared/v1alpha4/metadata.yaml"
-  - name: v1.2.2 # latest published release in the v1beta1 series; this is used for v1beta1 --> main clusterctl upgrades test only.
-    value: "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.2/control-plane-components.yaml"
+  - name: v1.2.5 # latest published release in the v1beta1 series; this is used for v1beta1 --> main clusterctl upgrades test only.
+    value: "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.5/control-plane-components.yaml"
     type: "url"
     contract: v1beta1
     replacements:
@@ -165,8 +165,8 @@ providers:
     files:
     - sourcePath: "../data/shared/v1alpha4/metadata.yaml"
     - sourcePath: "../data/infrastructure-docker/v1alpha4/cluster-template.yaml"
-  - name: v1.2.2 # latest published release in the v1beta1 series; this is used for v1beta1 --> main clusterctl upgrades test only.
-    value: "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.2/infrastructure-components-development.yaml"
+  - name: v1.2.5 # latest published release in the v1beta1 series; this is used for v1beta1 --> main clusterctl upgrades test only.
+    value: "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.5/infrastructure-components-development.yaml"
     type: "url"
     contract: v1beta1
     replacements:

From a61b8b1d8426c2a537746b025084bc7873ce3145 Mon Sep 17 00:00:00 2001
From: k8s-infra-cherrypick-robot
 <90416843+k8s-infra-cherrypick-robot@users.noreply.github.com>
Date: Thu, 17 Nov 2022 00:04:40 -0800
Subject: [PATCH 02/87] [release-1.3] :sparkles:add kubekey k3s boostrap and
 control plane provider (#7554)

* add kubekey k3s boostrap and control plane provider

Signed-off-by: 24sama <jacksama@foxmail.com>

* remove useless tab

Signed-off-by: 24sama <jacksama@foxmail.com>

Signed-off-by: 24sama <jacksama@foxmail.com>
Co-authored-by: 24sama <jacksama@foxmail.com>
---
 .../client/config/providers_client.go         | 26 +++++---
 cmd/clusterctl/client/config_test.go          |  4 ++
 .../cmd/config_repositories_test.go           | 10 ++++
 docs/book/src/clusterctl/provider-contract.md | 60 ++++++++++---------
 docs/book/src/user/quick-start.md             |  5 +-
 5 files changed, 67 insertions(+), 38 deletions(-)

diff --git a/cmd/clusterctl/client/config/providers_client.go b/cmd/clusterctl/client/config/providers_client.go
index 1eb6fbf9b27a..c77c740039be 100644
--- a/cmd/clusterctl/client/config/providers_client.go
+++ b/cmd/clusterctl/client/config/providers_client.go
@@ -65,17 +65,19 @@ const (
 
 // Bootstrap providers.
 const (
-	KubeadmBootstrapProviderName  = "kubeadm"
-	TalosBootstrapProviderName    = "talos"
-	MicroK8sBootstrapProviderName = "microk8s"
+	KubeadmBootstrapProviderName    = "kubeadm"
+	TalosBootstrapProviderName      = "talos"
+	MicroK8sBootstrapProviderName   = "microk8s"
+	KubeKeyK3sBootstrapProviderName = "kubekey-k3s"
 )
 
 // ControlPlane providers.
 const (
-	KubeadmControlPlaneProviderName  = "kubeadm"
-	TalosControlPlaneProviderName    = "talos"
-	MicroK8sControlPlaneProviderName = "microk8s"
-	NestedControlPlaneProviderName   = "nested"
+	KubeadmControlPlaneProviderName    = "kubeadm"
+	TalosControlPlaneProviderName      = "talos"
+	MicroK8sControlPlaneProviderName   = "microk8s"
+	NestedControlPlaneProviderName     = "nested"
+	KubeKeyK3sControlPlaneProviderName = "kubekey-k3s"
 )
 
 // Other.
@@ -253,6 +255,11 @@ func (p *providersClient) defaults() []Provider {
 			url:          "https://github.com/kubernetes-sigs/cluster-api/releases/latest/bootstrap-components.yaml",
 			providerType: clusterctlv1.BootstrapProviderType,
 		},
+		&provider{
+			name:         KubeKeyK3sBootstrapProviderName,
+			url:          "https://github.com/kubesphere/kubekey/releases/latest/bootstrap-components.yaml",
+			providerType: clusterctlv1.BootstrapProviderType,
+		},
 		&provider{
 			name:         TalosBootstrapProviderName,
 			url:          "https://github.com/siderolabs/cluster-api-bootstrap-provider-talos/releases/latest/bootstrap-components.yaml",
@@ -269,6 +276,11 @@ func (p *providersClient) defaults() []Provider {
 			url:          "https://github.com/kubernetes-sigs/cluster-api/releases/latest/control-plane-components.yaml",
 			providerType: clusterctlv1.ControlPlaneProviderType,
 		},
+		&provider{
+			name:         KubeKeyK3sControlPlaneProviderName,
+			url:          "https://github.com/kubesphere/kubekey/releases/latest/control-plane-components.yaml",
+			providerType: clusterctlv1.ControlPlaneProviderType,
+		},
 		&provider{
 			name:         TalosControlPlaneProviderName,
 			url:          "https://github.com/siderolabs/cluster-api-control-plane-provider-talos/releases/latest/control-plane-components.yaml",
diff --git a/cmd/clusterctl/client/config_test.go b/cmd/clusterctl/client/config_test.go
index fe8ebbd5e591..8743d74a4056 100644
--- a/cmd/clusterctl/client/config_test.go
+++ b/cmd/clusterctl/client/config_test.go
@@ -57,9 +57,11 @@ func Test_clusterctlClient_GetProvidersConfig(t *testing.T) {
 			wantProviders: []string{
 				config.ClusterAPIProviderName,
 				config.KubeadmBootstrapProviderName,
+				config.KubeKeyK3sBootstrapProviderName,
 				config.MicroK8sBootstrapProviderName,
 				config.TalosBootstrapProviderName,
 				config.KubeadmControlPlaneProviderName,
+				config.KubeKeyK3sControlPlaneProviderName,
 				config.MicroK8sControlPlaneProviderName,
 				config.NestedControlPlaneProviderName,
 				config.TalosControlPlaneProviderName,
@@ -100,9 +102,11 @@ func Test_clusterctlClient_GetProvidersConfig(t *testing.T) {
 				config.ClusterAPIProviderName,
 				customProviderConfig.Name(),
 				config.KubeadmBootstrapProviderName,
+				config.KubeKeyK3sBootstrapProviderName,
 				config.MicroK8sBootstrapProviderName,
 				config.TalosBootstrapProviderName,
 				config.KubeadmControlPlaneProviderName,
+				config.KubeKeyK3sControlPlaneProviderName,
 				config.MicroK8sControlPlaneProviderName,
 				config.NestedControlPlaneProviderName,
 				config.TalosControlPlaneProviderName,
diff --git a/cmd/clusterctl/cmd/config_repositories_test.go b/cmd/clusterctl/cmd/config_repositories_test.go
index 13fd40ec075c..d91806ef6cf2 100644
--- a/cmd/clusterctl/cmd/config_repositories_test.go
+++ b/cmd/clusterctl/cmd/config_repositories_test.go
@@ -103,9 +103,11 @@ var expectedOutputText = `NAME                TYPE                     URL
 cluster-api         CoreProvider             https://github.com/myorg/myforkofclusterapi/releases/latest/                                core_components.yaml
 another-provider    BootstrapProvider        ./                                                                                          bootstrap-components.yaml
 kubeadm             BootstrapProvider        https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             bootstrap-components.yaml
+kubekey-k3s         BootstrapProvider        https://github.com/kubesphere/kubekey/releases/latest/                                      bootstrap-components.yaml
 microk8s            BootstrapProvider        https://github.com/canonical/cluster-api-bootstrap-provider-microk8s/releases/latest/       bootstrap-components.yaml
 talos               BootstrapProvider        https://github.com/siderolabs/cluster-api-bootstrap-provider-talos/releases/latest/         bootstrap-components.yaml
 kubeadm             ControlPlaneProvider     https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             control-plane-components.yaml
+kubekey-k3s         ControlPlaneProvider     https://github.com/kubesphere/kubekey/releases/latest/                                      control-plane-components.yaml
 microk8s            ControlPlaneProvider     https://github.com/canonical/cluster-api-control-plane-provider-microk8s/releases/latest/   control-plane-components.yaml
 nested              ControlPlaneProvider     https://github.com/kubernetes-sigs/cluster-api-provider-nested/releases/latest/             control-plane-components.yaml
 talos               ControlPlaneProvider     https://github.com/siderolabs/cluster-api-control-plane-provider-talos/releases/latest/     control-plane-components.yaml
@@ -148,6 +150,10 @@ var expectedOutputYaml = `- File: core_components.yaml
   Name: kubeadm
   ProviderType: BootstrapProvider
   URL: https://github.com/kubernetes-sigs/cluster-api/releases/latest/
+- File: bootstrap-components.yaml
+  Name: kubekey-k3s
+  ProviderType: BootstrapProvider
+  URL: https://github.com/kubesphere/kubekey/releases/latest/
 - File: bootstrap-components.yaml
   Name: microk8s
   ProviderType: BootstrapProvider
@@ -160,6 +166,10 @@ var expectedOutputYaml = `- File: core_components.yaml
   Name: kubeadm
   ProviderType: ControlPlaneProvider
   URL: https://github.com/kubernetes-sigs/cluster-api/releases/latest/
+- File: control-plane-components.yaml
+  Name: kubekey-k3s
+  ProviderType: ControlPlaneProvider
+  URL: https://github.com/kubesphere/kubekey/releases/latest/
 - File: control-plane-components.yaml
   Name: microk8s
   ProviderType: ControlPlaneProvider
diff --git a/docs/book/src/clusterctl/provider-contract.md b/docs/book/src/clusterctl/provider-contract.md
index 8de944fd3b25..ba132d0ceeb8 100644
--- a/docs/book/src/clusterctl/provider-contract.md
+++ b/docs/book/src/clusterctl/provider-contract.md
@@ -242,35 +242,37 @@ easier transition from `kubectl apply` to `clusterctl`.
 As a reference you can consider the labels applied to the following
 providers.
 
-| Provider Name| Label                                                 |
-|--------------|-------------------------------------------------------|
-|CAPI          | cluster.x-k8s.io/provider=cluster-api                 |
-|CABPK         | cluster.x-k8s.io/provider=bootstrap-kubeadm           |
-|CABPM         | cluster.x-k8s.io/provider=bootstrap-microk8s          |
-|CACPK         | cluster.x-k8s.io/provider=control-plane-kubeadm       |
-|CACPM         | cluster.x-k8s.io/provider=control-plane-microk8s      |
-|CACPN         | cluster.x-k8s.io/provider=control-plane-nested        |
-|CAPA          | cluster.x-k8s.io/provider=infrastructure-aws          |
-|CAPB          | cluster.x-k8s.io/provider=infrastructure-byoh         |
-|CAPC          | cluster.x-k8s.io/provider=infrastructure-cloudstack   |
-|CAPD          | cluster.x-k8s.io/provider=infrastructure-docker       |
-|CAPDO         | cluster.x-k8s.io/provider=infrastructure-digitalocean |
-|CAPG          | cluster.x-k8s.io/provider=infrastructure-gcp          |
-|CAPH          | cluster.x-k8s.io/provider=infrastructure-hetzner      |
-|CAPIBM        | cluster.x-k8s.io/provider=infrastructure-ibmcloud     |
-|CAPKK         | cluster.x-k8s.io/provider=infrastructure-kubekey      |
-|CAPK          | cluster.x-k8s.io/provider=infrastructure-kubevirt     |
-|CAPM3         | cluster.x-k8s.io/provider=infrastructure-metal3       |
-|CAPN          | cluster.x-k8s.io/provider=infrastructure-nested       |
-|CAPO          | cluster.x-k8s.io/provider=infrastructure-openstack    |
-|CAPOCI        | cluster.x-k8s.io/provider=infrastructure-oci          |
-|CAPP          | cluster.x-k8s.io/provider=infrastructure-packet       |
-|CAPV          | cluster.x-k8s.io/provider=infrastructure-vsphere      |
-|CAPVC         | cluster.x-k8s.io/provider=infrastructure-vcluster     |
-|CAPVCD        | cluster.x-k8s.io/provider=infrastructure-vcd          |
-|CAPX          | cluster.x-k8s.io/provider=infrastructure-nutanix      |
-|CAPZ          | cluster.x-k8s.io/provider=infrastructure-azure        |
-|CAPOSC        | cluster.x-k8s.io/provider=infrastructure-outscale     |
+| Provider Name | Label                                                 |
+|---------------|-------------------------------------------------------|
+| CAPI          | cluster.x-k8s.io/provider=cluster-api                 |
+| CABPK         | cluster.x-k8s.io/provider=bootstrap-kubeadm           |
+| CABPM         | cluster.x-k8s.io/provider=bootstrap-microk8s          |
+| CABPKK3S      | cluster.x-k8s.io/provider=bootstrap-kubekey-k3s       |
+| CACPK         | cluster.x-k8s.io/provider=control-plane-kubeadm       |
+| CACPM         | cluster.x-k8s.io/provider=control-plane-microk8s      |
+| CACPN         | cluster.x-k8s.io/provider=control-plane-nested        |
+| CACPKK3S      | cluster.x-k8s.io/provider=control-plane-kubekey-k3s   |
+| CAPA          | cluster.x-k8s.io/provider=infrastructure-aws          |
+| CAPB          | cluster.x-k8s.io/provider=infrastructure-byoh         |
+| CAPC          | cluster.x-k8s.io/provider=infrastructure-cloudstack   |
+| CAPD          | cluster.x-k8s.io/provider=infrastructure-docker       |
+| CAPDO         | cluster.x-k8s.io/provider=infrastructure-digitalocean |
+| CAPG          | cluster.x-k8s.io/provider=infrastructure-gcp          |
+| CAPH          | cluster.x-k8s.io/provider=infrastructure-hetzner      |
+| CAPIBM        | cluster.x-k8s.io/provider=infrastructure-ibmcloud     |
+| CAPKK         | cluster.x-k8s.io/provider=infrastructure-kubekey      |
+| CAPK          | cluster.x-k8s.io/provider=infrastructure-kubevirt     |
+| CAPM3         | cluster.x-k8s.io/provider=infrastructure-metal3       |
+| CAPN          | cluster.x-k8s.io/provider=infrastructure-nested       |
+| CAPO          | cluster.x-k8s.io/provider=infrastructure-openstack    |
+| CAPOCI        | cluster.x-k8s.io/provider=infrastructure-oci          |
+| CAPP          | cluster.x-k8s.io/provider=infrastructure-packet       |
+| CAPV          | cluster.x-k8s.io/provider=infrastructure-vsphere      |
+| CAPVC         | cluster.x-k8s.io/provider=infrastructure-vcluster     |
+| CAPVCD        | cluster.x-k8s.io/provider=infrastructure-vcd          |
+| CAPX          | cluster.x-k8s.io/provider=infrastructure-nutanix      |
+| CAPZ          | cluster.x-k8s.io/provider=infrastructure-azure        |
+| CAPOSC        | cluster.x-k8s.io/provider=infrastructure-outscale     |
 ### Workload cluster templates
 
 An infrastructure provider could publish a **cluster templates** file to be used by `clusterctl generate cluster`.
diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index c067d6619560..603ec4e31402 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -441,8 +441,6 @@ clusterctl init --infrastructure ibmcloud
 clusterctl init --infrastructure kubekey
 ```
 
-{{#/tab }}
-
 {{#/tab }}
 {{#tab Kubevirt}}
 
@@ -819,6 +817,8 @@ export INSTANCES=<your-linux-ip-address>
 export CONTROL_PLANE_ENDPOINT_IP=<your-control-plane-virtual-ip>
 ```
 
+Please visit the [KubeKey provider] for more information.
+
 {{#/tab }}
 {{#tab Kubevirt}}
 
@@ -1243,6 +1243,7 @@ See the [clusterctl] documentation for more detail about clusterctl supported ac
 [management cluster]: ../reference/glossary.md#management-cluster
 [Metal3 getting started guide]: https://github.com/metal3-io/cluster-api-provider-metal3/blob/master/docs/getting-started.md
 [Metal3 provider]: https://github.com/metal3-io/cluster-api-provider-metal3/
+[KubeKey provider]: https://github.com/kubesphere/kubekey
 [Kubevirt provider]: https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt/
 [oci-provider]: https://oracle.github.io/cluster-api-provider-oci/#getting-started
 [Equinix Metal getting started guide]: https://github.com/kubernetes-sigs/cluster-api-provider-packet#using

From 6f777bb87c5ceb5b1340ff7588aeb3b74a4f3846 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Fri, 11 Nov 2022 15:23:14 +0000
Subject: [PATCH 03/87] Add finalizer reconcile for Topology MachineDeployments
 and MachineSets

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 .../machinedeployment_sync.go                 | 13 ---
 .../cluster/cluster_controller_test.go        | 15 +---
 .../topology/cluster/desired_state.go         |  8 --
 .../topology/cluster/desired_state_test.go    |  3 -
 .../machinedeployment_controller.go           | 28 +++---
 .../machinedeployment_controller_test.go      | 76 +++++++++++++++-
 .../machineset/machineset_controller.go       | 25 ++++--
 .../machineset/machineset_controller_test.go  | 88 +++++++++++++++++++
 internal/test/builder/builders.go             | 28 ++++--
 .../test/builder/zz_generated.deepcopy.go     |  7 ++
 10 files changed, 227 insertions(+), 64 deletions(-)

diff --git a/internal/controllers/machinedeployment/machinedeployment_sync.go b/internal/controllers/machinedeployment/machinedeployment_sync.go
index 241f27c7fd08..526629a1a2e8 100644
--- a/internal/controllers/machinedeployment/machinedeployment_sync.go
+++ b/internal/controllers/machinedeployment/machinedeployment_sync.go
@@ -35,11 +35,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
-	"sigs.k8s.io/cluster-api/feature"
 	"sigs.k8s.io/cluster-api/internal/controllers/machinedeployment/mdutil"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/conditions"
-	"sigs.k8s.io/cluster-api/util/labels"
 	"sigs.k8s.io/cluster-api/util/patch"
 )
 
@@ -178,17 +176,6 @@ func (r *Reconciler) getNewMachineSet(ctx context.Context, d *clusterv1.MachineD
 		},
 	}
 
-	if feature.Gates.Enabled(feature.ClusterTopology) {
-		// If the MachineDeployment is owned by a Cluster Topology,
-		// add the finalizer to allow the topology controller to
-		// clean up resources when the MachineSet is deleted.
-		// MachineSets are deleted during rollout (e.g. template rotation) and
-		// after MachineDeployment deletion.
-		if labels.IsTopologyOwned(d) {
-			controllerutil.AddFinalizer(&newMS, clusterv1.MachineSetTopologyFinalizer)
-		}
-	}
-
 	if d.Spec.Strategy.RollingUpdate.DeletePolicy != nil {
 		newMS.Spec.DeletePolicy = *d.Spec.Strategy.RollingUpdate.DeletePolicy
 	}
diff --git a/internal/controllers/topology/cluster/cluster_controller_test.go b/internal/controllers/topology/cluster/cluster_controller_test.go
index 84efee37e4ba..6299c578c68d 100644
--- a/internal/controllers/topology/cluster/cluster_controller_test.go
+++ b/internal/controllers/topology/cluster/cluster_controller_test.go
@@ -911,9 +911,8 @@ func assertControlPlaneReconcile(cluster *clusterv1.Cluster) error {
 // assertMachineDeploymentsReconcile checks if the MachineDeployments:
 // 1) Are created in the correct number.
 // 2) Have the correct labels (TopologyOwned, ClusterName, MachineDeploymentName).
-// 3) Have the correct finalizer applied.
-// 4) Have the correct replicas and version.
-// 6) Have the correct Kind/APIVersion and Labels/Annotations for BoostrapRef and InfrastructureRef templates.
+// 3) Have the correct replicas and version.
+// 4) Have the correct Kind/APIVersion and Labels/Annotations for BoostrapRef and InfrastructureRef templates.
 func assertMachineDeploymentsReconcile(cluster *clusterv1.Cluster) error {
 	// List all created machine deployments to assert the expected numbers are created.
 	machineDeployments := &clusterv1.MachineDeploymentList{}
@@ -950,16 +949,6 @@ func assertMachineDeploymentsReconcile(cluster *clusterv1.Cluster) error {
 				continue
 			}
 
-			// Assert that the correct Finalizer has been added to the MachineDeployment.
-			for _, f := range md.Finalizers {
-				// Break as soon as we find a matching finalizer.
-				if f == clusterv1.MachineDeploymentTopologyFinalizer {
-					break
-				}
-				// False if the finalizer is not present on the MachineDeployment.
-				return fmt.Errorf("finalizer %v not found on MachineDeployment", clusterv1.MachineDeploymentTopologyFinalizer)
-			}
-
 			// Check if the ClusterTopologyLabelName and ClusterTopologyOwnedLabel are set correctly.
 			if err := assertClusterTopologyOwnedLabel(&md); err != nil {
 				return err
diff --git a/internal/controllers/topology/cluster/desired_state.go b/internal/controllers/topology/cluster/desired_state.go
index 08f670bd5a22..b4d8828c115a 100644
--- a/internal/controllers/topology/cluster/desired_state.go
+++ b/internal/controllers/topology/cluster/desired_state.go
@@ -28,7 +28,6 @@ import (
 	"k8s.io/apiserver/pkg/storage/names"
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controllers/external"
@@ -678,13 +677,6 @@ func computeMachineDeployment(_ context.Context, s *scope.Scope, desiredControlP
 		},
 	}
 
-	// If it's a new MachineDeployment, set the finalizer.
-	// Note: we only add it on creation to avoid race conditions later on when
-	// the MachineDeployment topology controller removes the finalizer.
-	if currentMachineDeployment == nil {
-		controllerutil.AddFinalizer(desiredMachineDeploymentObj, clusterv1.MachineDeploymentTopologyFinalizer)
-	}
-
 	// If an existing MachineDeployment is present, override the MachineDeployment generate name
 	// re-using the existing name (this will help in reconcile).
 	if currentMachineDeployment != nil && currentMachineDeployment.Object != nil {
diff --git a/internal/controllers/topology/cluster/desired_state_test.go b/internal/controllers/topology/cluster/desired_state_test.go
index 7ae9b3a0414a..32414d7522d6 100644
--- a/internal/controllers/topology/cluster/desired_state_test.go
+++ b/internal/controllers/topology/cluster/desired_state_test.go
@@ -30,7 +30,6 @@ import (
 	utilfeature "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	runtimev1 "sigs.k8s.io/cluster-api/exp/runtime/api/v1alpha1"
@@ -1443,7 +1442,6 @@ func TestComputeMachineDeployment(t *testing.T) {
 
 		g.Expect(actualMd.Labels).To(HaveKeyWithValue(clusterv1.ClusterTopologyMachineDeploymentLabelName, "big-pool-of-machines"))
 		g.Expect(actualMd.Labels).To(HaveKey(clusterv1.ClusterTopologyOwnedLabel))
-		g.Expect(controllerutil.ContainsFinalizer(actualMd, clusterv1.MachineDeploymentTopologyFinalizer)).To(BeTrue())
 
 		g.Expect(actualMd.Spec.Selector.MatchLabels).To(HaveKey(clusterv1.ClusterTopologyOwnedLabel))
 		g.Expect(actualMd.Spec.Selector.MatchLabels).To(HaveKeyWithValue(clusterv1.ClusterTopologyMachineDeploymentLabelName, "big-pool-of-machines"))
@@ -1524,7 +1522,6 @@ func TestComputeMachineDeployment(t *testing.T) {
 
 		g.Expect(actualMd.Labels).To(HaveKeyWithValue(clusterv1.ClusterTopologyMachineDeploymentLabelName, "big-pool-of-machines"))
 		g.Expect(actualMd.Labels).To(HaveKey(clusterv1.ClusterTopologyOwnedLabel))
-		g.Expect(controllerutil.ContainsFinalizer(actualMd, clusterv1.MachineDeploymentTopologyFinalizer)).To(BeFalse())
 
 		g.Expect(actualMd.Spec.Template.ObjectMeta.Labels).To(HaveKeyWithValue("foo", "baz"))
 		g.Expect(actualMd.Spec.Template.ObjectMeta.Labels).To(HaveKeyWithValue("fizz", "buzz"))
diff --git a/internal/controllers/topology/machinedeployment/machinedeployment_controller.go b/internal/controllers/topology/machinedeployment/machinedeployment_controller.go
index 7de0f63991d7..4d5bbf2d174a 100644
--- a/internal/controllers/topology/machinedeployment/machinedeployment_controller.go
+++ b/internal/controllers/topology/machinedeployment/machinedeployment_controller.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/pkg/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -84,7 +85,7 @@ func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opt
 //
 // We don't have to set the finalizer, as it's already set during MachineDeployment creation
 // in the cluster topology controller.
-func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, reterr error) {
 	log := ctrl.LoggerFrom(ctx)
 
 	// Fetch the MachineDeployment instance.
@@ -112,12 +113,25 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 		return ctrl.Result{}, nil
 	}
 
+	// Create a patch helper to add or remove the finalizer from the MachineDeployment.
+	patchHelper, err := patch.NewHelper(md, r.Client)
+	if err != nil {
+		return ctrl.Result{}, errors.Wrapf(err, "failed to create patch helper for %s", tlog.KObj{Obj: md})
+	}
+	defer func() {
+		if err := patchHelper.Patch(ctx, md); err != nil {
+			reterr = kerrors.NewAggregate([]error{reterr, errors.Wrapf(err, "failed to patch %s", tlog.KObj{Obj: md})})
+		}
+	}()
+
 	// Handle deletion reconciliation loop.
 	if !md.ObjectMeta.DeletionTimestamp.IsZero() {
 		return r.reconcileDelete(ctx, md)
 	}
 
-	// Nothing to do.
+	// If the MachineDeployment is not being deleted ensure the finalizer is set.
+	controllerutil.AddFinalizer(md, clusterv1.MachineDeploymentTopologyFinalizer)
+
 	return ctrl.Result{}, nil
 }
 
@@ -151,16 +165,8 @@ func (r *Reconciler) reconcileDelete(ctx context.Context, md *clusterv1.MachineD
 		return ctrl.Result{}, err
 	}
 
-	// Remove the finalizer so the MachineDeployment can be garbage collected by Kubernetes.
-	patchHelper, err := patch.NewHelper(md, r.Client)
-	if err != nil {
-		return ctrl.Result{}, errors.Wrapf(err, "failed to create patch helper for %s", tlog.KObj{Obj: md})
-	}
-
 	controllerutil.RemoveFinalizer(md, clusterv1.MachineDeploymentTopologyFinalizer)
-	if err := patchHelper.Patch(ctx, md); err != nil {
-		return ctrl.Result{}, errors.Wrapf(err, "failed to patch %s", tlog.KObj{Obj: md})
-	}
+
 	return ctrl.Result{}, nil
 }
 
diff --git a/internal/controllers/topology/machinedeployment/machinedeployment_controller_test.go b/internal/controllers/topology/machinedeployment/machinedeployment_controller_test.go
index 6298693b70d7..fbe00497a3ee 100644
--- a/internal/controllers/topology/machinedeployment/machinedeployment_controller_test.go
+++ b/internal/controllers/topology/machinedeployment/machinedeployment_controller_test.go
@@ -27,11 +27,85 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/internal/test/builder"
+	"sigs.k8s.io/cluster-api/util"
 )
 
+func TestMachineDeploymentTopologyFinalizer(t *testing.T) {
+	cluster := builder.Cluster(metav1.NamespaceDefault, "fake-cluster").Build()
+	mdBT := builder.BootstrapTemplate(metav1.NamespaceDefault, "mdBT").Build()
+	mdIMT := builder.InfrastructureMachineTemplate(metav1.NamespaceDefault, "mdIMT").Build()
+	mdBuilder := builder.MachineDeployment(metav1.NamespaceDefault, "md").
+		WithClusterName("fake-cluster").
+		WithBootstrapTemplate(mdBT).
+		WithInfrastructureTemplate(mdIMT)
+
+	md := mdBuilder.Build()
+	mdWithFinalizer := mdBuilder.Build()
+	mdWithFinalizer.Finalizers = []string{clusterv1.MachineDeploymentTopologyFinalizer}
+	mdWithDeletionTimestamp := mdBuilder.Build()
+	deletionTimestamp := metav1.Now()
+	mdWithDeletionTimestamp.DeletionTimestamp = &deletionTimestamp
+
+	mdWithDeletionTimestampAndFinalizer := mdWithDeletionTimestamp.DeepCopy()
+	mdWithDeletionTimestampAndFinalizer.Finalizers = []string{clusterv1.MachineDeploymentTopologyFinalizer}
+
+	testCases := []struct {
+		name            string
+		md              *clusterv1.MachineDeployment
+		expectFinalizer bool
+	}{
+		{
+			name:            "should add ClusterTopology finalizer to a MachineDeployment with no finalizer",
+			md:              md,
+			expectFinalizer: true,
+		},
+		{
+			name:            "should retain ClusterTopology finalizer on MachineDeployment with finalizer",
+			md:              mdWithFinalizer,
+			expectFinalizer: true,
+		},
+		{
+			name:            "should not add ClusterTopology finalizer on MachineDeployment with Deletion Timestamp and no finalizer ",
+			md:              mdWithDeletionTimestamp,
+			expectFinalizer: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			fakeClient := fake.NewClientBuilder().
+				WithScheme(fakeScheme).
+				WithObjects(tc.md, mdBT, mdIMT, cluster).
+				Build()
+
+			mdr := &Reconciler{
+				Client:    fakeClient,
+				APIReader: fakeClient,
+			}
+
+			_, err := mdr.Reconcile(ctx, reconcile.Request{
+				NamespacedName: util.ObjectKey(tc.md),
+			})
+			g.Expect(err).NotTo(HaveOccurred())
+
+			key := client.ObjectKey{Namespace: tc.md.Namespace, Name: tc.md.Name}
+			var actual clusterv1.MachineDeployment
+			g.Expect(mdr.Client.Get(ctx, key, &actual)).To(Succeed())
+			if tc.expectFinalizer {
+				g.Expect(actual.Finalizers).To(ConsistOf(clusterv1.MachineDeploymentTopologyFinalizer))
+			} else {
+				g.Expect(actual.Finalizers).To(BeEmpty())
+			}
+		})
+	}
+}
+
 func TestMachineDeploymentReconciler_ReconcileDelete(t *testing.T) {
 	deletionTimeStamp := metav1.Now()
 
@@ -98,7 +172,7 @@ func TestMachineDeploymentReconciler_ReconcileDelete(t *testing.T) {
 	t.Run("Should not delete templates of a MachineDeployment when they are still in use in a MachineSet", func(t *testing.T) {
 		g := NewWithT(t)
 
-		ms := builder.MachineSet(md.Namespace, "ms").
+		ms := builder.MachineSet(md.Namespace, "md").
 			WithBootstrapTemplate(mdBT).
 			WithInfrastructureTemplate(mdIMT).
 			WithLabels(map[string]string{
diff --git a/internal/controllers/topology/machineset/machineset_controller.go b/internal/controllers/topology/machineset/machineset_controller.go
index 7ecc75af59e6..58c526680107 100644
--- a/internal/controllers/topology/machineset/machineset_controller.go
+++ b/internal/controllers/topology/machineset/machineset_controller.go
@@ -23,6 +23,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -86,7 +87,7 @@ func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opt
 //
 // We don't have to set the finalizer, as it's already set during MachineSet creation
 // in the MachineSet controller.
-func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.Result, reterr error) {
 	// Fetch the MachineSet instance.
 	ms := &clusterv1.MachineSet{}
 	if err := r.Client.Get(ctx, req.NamespacedName, ms); err != nil {
@@ -119,12 +120,25 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 		return ctrl.Result{}, nil
 	}
 
+	// Create a patch helper to add or remove the finalizer from the MachineSet.
+	patchHelper, err := patch.NewHelper(ms, r.Client)
+	if err != nil {
+		return ctrl.Result{}, errors.Wrapf(err, "failed to create patch helper for %s", tlog.KObj{Obj: ms})
+	}
+	defer func() {
+		if err := patchHelper.Patch(ctx, ms); err != nil {
+			reterr = kerrors.NewAggregate([]error{reterr, errors.Wrapf(err, "failed to patch %s", tlog.KObj{Obj: ms})})
+		}
+	}()
+
 	// Handle deletion reconciliation loop.
 	if !ms.ObjectMeta.DeletionTimestamp.IsZero() {
 		return r.reconcileDelete(ctx, ms)
 	}
 
-	// Nothing to do.
+	// If the MachineSet is not being deleted ensure the finalizer is set.
+	controllerutil.AddFinalizer(ms, clusterv1.MachineSetTopologyFinalizer)
+
 	return ctrl.Result{}, nil
 }
 
@@ -172,14 +186,7 @@ func (r *Reconciler) reconcileDelete(ctx context.Context, ms *clusterv1.MachineS
 	}
 
 	// Remove the finalizer so the MachineSet can be garbage collected by Kubernetes.
-	patchHelper, err := patch.NewHelper(ms, r.Client)
-	if err != nil {
-		return ctrl.Result{}, errors.Wrapf(err, "failed to create patch helper for %s", tlog.KObj{Obj: ms})
-	}
 	controllerutil.RemoveFinalizer(ms, clusterv1.MachineSetTopologyFinalizer)
-	if err := patchHelper.Patch(ctx, ms); err != nil {
-		return ctrl.Result{}, errors.Wrapf(err, "failed to patch %s", tlog.KObj{Obj: ms})
-	}
 
 	return ctrl.Result{}, nil
 }
diff --git a/internal/controllers/topology/machineset/machineset_controller_test.go b/internal/controllers/topology/machineset/machineset_controller_test.go
index 49b9369efa33..166241931121 100644
--- a/internal/controllers/topology/machineset/machineset_controller_test.go
+++ b/internal/controllers/topology/machineset/machineset_controller_test.go
@@ -27,11 +27,99 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/internal/test/builder"
+	"sigs.k8s.io/cluster-api/util"
 )
 
+func TestMachineSetTopologyFinalizer(t *testing.T) {
+	mdName := "md"
+
+	msBT := builder.BootstrapTemplate(metav1.NamespaceDefault, "msBT").Build()
+	msIMT := builder.InfrastructureMachineTemplate(metav1.NamespaceDefault, "msIMT").Build()
+
+	cluster := builder.Cluster(metav1.NamespaceDefault, "fake-cluster").Build()
+	msBuilder := builder.MachineSet(metav1.NamespaceDefault, "ms").
+		WithBootstrapTemplate(msBT).
+		WithInfrastructureTemplate(msIMT).
+		WithClusterName(cluster.Name).
+		WithOwnerReferences([]metav1.OwnerReference{
+			{
+				Kind:       "MachineDeployment",
+				APIVersion: clusterv1.GroupVersion.String(),
+				Name:       "md",
+			},
+		}).
+		WithLabels(map[string]string{
+			clusterv1.MachineDeploymentLabelName: mdName,
+			clusterv1.ClusterTopologyOwnedLabel:  "",
+		})
+
+	ms := msBuilder.Build()
+	msWithFinalizer := msBuilder.Build()
+	msWithFinalizer.Finalizers = []string{clusterv1.MachineSetTopologyFinalizer}
+	msWithDeletionTimestamp := msBuilder.Build()
+	deletionTimestamp := metav1.Now()
+	msWithDeletionTimestamp.DeletionTimestamp = &deletionTimestamp
+
+	msWithDeletionTimestampAndFinalizer := msWithDeletionTimestamp.DeepCopy()
+	msWithDeletionTimestampAndFinalizer.Finalizers = []string{clusterv1.MachineSetTopologyFinalizer}
+
+	testCases := []struct {
+		name            string
+		ms              *clusterv1.MachineSet
+		expectFinalizer bool
+	}{
+		{
+			name:            "should add ClusterTopology finalizer to a MachineSet with no finalizer",
+			ms:              ms,
+			expectFinalizer: true,
+		},
+		{
+			name:            "should retain ClusterTopology finalizer on MachineSet with finalizer",
+			ms:              msWithFinalizer,
+			expectFinalizer: true,
+		},
+		{
+			name:            "should not add ClusterTopology finalizer on MachineSet with Deletion Timestamp and no finalizer ",
+			ms:              msWithDeletionTimestamp,
+			expectFinalizer: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			fakeClient := fake.NewClientBuilder().
+				WithScheme(fakeScheme).
+				WithObjects(tc.ms, msBT, msIMT, cluster).
+				Build()
+
+			msr := &Reconciler{
+				Client:    fakeClient,
+				APIReader: fakeClient,
+			}
+
+			_, err := msr.Reconcile(ctx, reconcile.Request{
+				NamespacedName: util.ObjectKey(tc.ms),
+			})
+			g.Expect(err).NotTo(HaveOccurred())
+
+			key := client.ObjectKey{Namespace: tc.ms.Namespace, Name: tc.ms.Name}
+			var actual clusterv1.MachineSet
+			g.Expect(msr.Client.Get(ctx, key, &actual)).To(Succeed())
+			if tc.expectFinalizer {
+				g.Expect(actual.Finalizers).To(ConsistOf(clusterv1.MachineSetTopologyFinalizer))
+			} else {
+				g.Expect(actual.Finalizers).To(BeEmpty())
+			}
+		})
+	}
+}
+
 func TestMachineSetReconciler_ReconcileDelete(t *testing.T) {
 	deletionTimeStamp := metav1.Now()
 
diff --git a/internal/test/builder/builders.go b/internal/test/builder/builders.go
index 557acfac3710..4c6ac4370d8c 100644
--- a/internal/test/builder/builders.go
+++ b/internal/test/builder/builders.go
@@ -1249,7 +1249,7 @@ func (m *MachineDeploymentBuilder) Build() *clusterv1.MachineDeployment {
 	return obj
 }
 
-// MachineSetBuilder holds the variables and objects needed to build a generic MachineSet.
+// MachineSetBuilder holds the variables and objects needed to build a MachineSet.
 type MachineSetBuilder struct {
 	namespace              string
 	name                   string
@@ -1257,6 +1257,8 @@ type MachineSetBuilder struct {
 	infrastructureTemplate *unstructured.Unstructured
 	replicas               *int32
 	labels                 map[string]string
+	clusterName            string
+	ownerRefs              []metav1.OwnerReference
 }
 
 // MachineSet creates a MachineSetBuilder with the given name and namespace.
@@ -1273,7 +1275,7 @@ func (m *MachineSetBuilder) WithBootstrapTemplate(ref *unstructured.Unstructured
 	return m
 }
 
-// WithInfrastructureTemplate adds the passed unstructured object to the MachineSet builder as an infrastructureMachineTemplate.
+// WithInfrastructureTemplate adds the passed unstructured object to the MachineSetBuilder as an infrastructureMachineTemplate.
 func (m *MachineSetBuilder) WithInfrastructureTemplate(ref *unstructured.Unstructured) *MachineSetBuilder {
 	m.infrastructureTemplate = ref
 	return m
@@ -1285,12 +1287,24 @@ func (m *MachineSetBuilder) WithLabels(labels map[string]string) *MachineSetBuil
 	return m
 }
 
-// WithReplicas sets the number of replicas for the MachineSetClassBuilder.
+// WithReplicas sets the number of replicas for the MachineSetBuilder.
 func (m *MachineSetBuilder) WithReplicas(replicas *int32) *MachineSetBuilder {
 	m.replicas = replicas
 	return m
 }
 
+// WithClusterName sets the number of replicas for the MachineSetBuilder.
+func (m *MachineSetBuilder) WithClusterName(name string) *MachineSetBuilder {
+	m.clusterName = name
+	return m
+}
+
+// WithOwnerReferences adds ownerReferences for the MachineSetBuilder.
+func (m *MachineSetBuilder) WithOwnerReferences(ownerRefs []metav1.OwnerReference) *MachineSetBuilder {
+	m.ownerRefs = ownerRefs
+	return m
+}
+
 // Build creates a new MachineSet with the variables and objects passed to the MachineSetBuilder.
 func (m *MachineSetBuilder) Build() *clusterv1.MachineSet {
 	obj := &clusterv1.MachineSet{
@@ -1299,11 +1313,13 @@ func (m *MachineSetBuilder) Build() *clusterv1.MachineSet {
 			APIVersion: clusterv1.GroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      m.name,
-			Namespace: m.namespace,
-			Labels:    m.labels,
+			Name:            m.name,
+			Namespace:       m.namespace,
+			Labels:          m.labels,
+			OwnerReferences: m.ownerRefs,
 		},
 	}
+	obj.Spec.ClusterName = m.clusterName
 	obj.Spec.Replicas = m.replicas
 	if m.bootstrapTemplate != nil {
 		obj.Spec.Template.Spec.Bootstrap.ConfigRef = objToRef(m.bootstrapTemplate)
diff --git a/internal/test/builder/zz_generated.deepcopy.go b/internal/test/builder/zz_generated.deepcopy.go
index 991349f5a20d..4c0d23c3c8fe 100644
--- a/internal/test/builder/zz_generated.deepcopy.go
+++ b/internal/test/builder/zz_generated.deepcopy.go
@@ -580,6 +580,13 @@ func (in *MachineSetBuilder) DeepCopyInto(out *MachineSetBuilder) {
 			(*out)[key] = val
 		}
 	}
+	if in.ownerRefs != nil {
+		in, out := &in.ownerRefs, &out.ownerRefs
+		*out = make([]v1.OwnerReference, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineSetBuilder.

From 5907dcb7f7f9b9c3a23a27c853ae8f56a48438cd Mon Sep 17 00:00:00 2001
From: Nahshon Unna-Tsameret <nunnatsa@redhat.com>
Date: Sun, 23 Oct 2022 18:26:26 +0300
Subject: [PATCH 04/87] Add the quickstart details for KubeVirt

Signed-off-by: Nahshon Unna-Tsameret <nunnatsa@redhat.com>
---
 docs/book/src/user/quick-start.md | 267 ++++++++++++++++++++++++++++--
 1 file changed, 253 insertions(+), 14 deletions(-)

diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index 603ec4e31402..be43d80b7a51 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -61,7 +61,7 @@ a target [management cluster] on the selected [infrastructure provider].
    The installation procedure depends on the version of kind; if you are planning to use the Docker infrastructure provider,
    please follow the additional instructions in the dedicated tab:
 
-   {{#tabs name:"install-kind" tabs:"Default,Docker"}}
+   {{#tabs name:"install-kind" tabs:"Default,Docker,KubeVirt"}}
    {{#tab Default}}
 
    Create the kind cluster:
@@ -93,6 +93,57 @@ a target [management cluster] on the selected [infrastructure provider].
    Then follow the instruction for your kind version using  `kind create cluster --config kind-cluster-with-extramounts.yaml`
    to create the management cluster using the above file.
 
+   {{#/tab }}
+   {{#tab KubeVirt}}
+
+   #### Create the Kind Cluster
+   [KubeVirt][KubeVirt] is a cloud native virtualization solution. The virtual machines we're going to create and use for
+   the workload cluster's nodes, are actually running within pods in the management cluster. In order to communicate with
+   the workload cluster's API server, we'll need to expose it. We are using Kind which is a limited environment. The
+   easiest way to expose the workload cluster's API server (a pod within a node running in a VM that is itself running
+   within a pod in the management cluster, that is running inside a docker container), is to use a LoadBalancer service.
+
+   To allow using a LoadBalancer service, we can't use the kind's default CNI (kindnet), but we'll need to install
+   another CNI, like Calico. In order to do that, we'll need first to initiate the kind cluster with two modifications:
+   1. Disable the default CNI
+   2. Add the docker credentials to the cluster, to avoid the docker hub pull rate limit of the calico images; read more
+      about it in the [docker documentation](https://docs.docker.com/docker-hub/download-rate-limit/), and in the
+      [kind documentation](https://kind.sigs.k8s.io/docs/user/private-registries/#mount-a-config-file-to-each-node).
+
+   Create a configuration file for kind. Please notice the docker config file path, and adjust it to your local setting:
+   ```bash
+   cat <<EOF > kind-config.yaml
+   kind: Cluster
+   apiVersion: kind.x-k8s.io/v1alpha4
+   networking:
+   # the default CNI will not be installed
+     disableDefaultCNI: true
+   nodes:
+   - role: control-plane
+     extraMounts:
+      - containerPath: /var/lib/kubelet/config.json
+        hostPath: <YOUR DOCKER CONFIG FILE PATH>
+   EOF
+   ```
+   Now, create the kind cluster with the configuration file:
+   ```bash
+   kind create cluster --config=kind-config.yaml
+   ```
+   Test to ensure the local kind cluster is ready:
+   ```bash
+   kubectl cluster-info
+   ```
+
+   #### Install the Calico CNI
+   Now we'll need to install a CNI. In this example, we're using calico, but other CNIs should work as well. Please see
+   [calico installation guide](https://projectcalico.docs.tigera.io/getting-started/kubernetes/self-managed-onprem/onpremises#install-calico)
+   for more details (use the "Manifest" tab). Below is an example of how to install calico version v3.24.4.
+
+   Use the Calico manifest to create the required resources; e.g.:
+   ```bash
+   kubectl create -f  https://raw.githubusercontent.com/projectcalico/calico/v3.24.4/manifests/calico.yaml
+   ```
+
    {{#/tab }}
    {{#/tabs }}
 
@@ -202,7 +253,7 @@ Additional documentation about experimental features can be found in [Experiment
 Depending on the infrastructure provider you are planning to use, some additional prerequisites should be satisfied
 before getting started with Cluster API. See below for the expected settings for common providers.
 
-{{#tabs name:"tab-installation-infrastructure" tabs:"AWS,Azure,CloudStack,DigitalOcean,Docker,Equinix Metal,GCP,Hetzner,IBM Cloud,KubeKey,Kubevirt,Metal3,Nutanix,OCI,OpenStack,Outscale,VCD,vcluster,Virtink,vSphere"}}
+{{#tabs name:"tab-installation-infrastructure" tabs:"AWS,Azure,CloudStack,DigitalOcean,Docker,Equinix Metal,GCP,Hetzner,IBM Cloud,KubeKey,KubeVirt,Metal3,Nutanix,OCI,OpenStack,Outscale,VCD,vcluster,Virtink,vSphere"}}
 {{#tab AWS}}
 
 Download the latest binary of `clusterawsadm` from the [AWS provider releases].
@@ -442,9 +493,61 @@ clusterctl init --infrastructure kubekey
 ```
 
 {{#/tab }}
-{{#tab Kubevirt}}
+{{#tab KubeVirt}}
+
+Please visit the [KubeVirt project][KubeVirt provider] for more information.
 
-Please visit the [Kubevirt project][Kubevirt provider].
+As described above, we want to use a LoadBalancer service in order to expose the workload cluster's API server. In the
+example below, we will use [MetalLB](https://metallb.universe.tf/) solution to implement load balancing to our kind
+cluster. Other solution should work as well.
+
+#### Install MetalLB for load balancing
+Install MetalLB, as described [here](https://metallb.universe.tf/installation/#installation-by-manifest); for example:
+```bash
+METALLB_VER=$(curl "https://api.github.com/repos/metallb/metallb/releases/latest" | jq -r ".tag_name")
+kubectl apply -f "https://raw.githubusercontent.com/metallb/metallb/${METALLB_VER}/config/manifests/metallb-native.yaml"
+kubectl wait pods -n metallb-system -l app=metallb,component=controller --for=condition=Ready --timeout=10m
+kubectl wait pods -n metallb-system -l app=metallb,component=speaker --for=condition=Ready --timeout=2m
+```
+
+Now, we'll create the `IPAddressPool` and the `L2Advertisement` custom resources. The script below creates the CRs with
+the right addresses, that match to the kind cluster addresses:
+```bash
+GW_IP=$(docker network inspect -f '{{range .IPAM.Config}}{{.Gateway}}{{end}}' kind)
+NET_IP=$(echo ${GW_IP} | sed -E 's|^([0-9]+\.[0-9]+)\..*$|\1|g')
+cat <<EOF | sed -E "s|172.19|${NET_IP}|g" | kubectl apply -f -
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: capi-ip-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  - 172.19.255.200-172.19.255.250
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: empty
+  namespace: metallb-system
+EOF
+```
+
+#### Install KubeVirt on the kind cluster
+```bash
+# get KubeVirt version
+KV_VER=$(curl "https://api.github.com/repos/kubevirt/kubevirt/releases/latest" | jq -r ".tag_name")
+# deploy required CRDs
+kubectl apply -f "https://github.com/kubevirt/kubevirt/releases/download/${KV_VER}/kubevirt-operator.yaml"
+# deploy the KubeVirt custom resource
+kubectl apply -f "https://github.com/kubevirt/kubevirt/releases/download/${KV_VER}/kubevirt-cr.yaml"
+kubectl wait -n kubevirt kv kubevirt --for=condition=Available --timeout=10m
+```
+
+#### Initialize the management cluster with the KubeVirt Provider
+```bash
+clusterctl init --infrastructure kubevirt
+```
 
 {{#/tab }}
 {{#tab Metal3}}
@@ -601,7 +704,7 @@ before configuring a cluster with Cluster API. Instructions are provided for com
 Otherwise, you can look at the `clusterctl generate cluster` [command][clusterctl generate cluster] documentation for details about how to
 discover the list of variables required by a cluster templates.
 
-{{#tabs name:"tab-configuration-infrastructure" tabs:"AWS,Azure,CloudStack,DigitalOcean,Docker,Equinix Metal,GCP,IBM Cloud,KubeKey,Kubevirt,Metal3,Nutanix,OpenStack,Outscale,VCD,vcluster,Virtink,vSphere"}}
+{{#tabs name:"tab-configuration-infrastructure" tabs:"AWS,Azure,CloudStack,DigitalOcean,Docker,Equinix Metal,GCP,IBM Cloud,KubeKey,KubeVirt,Metal3,Nutanix,OpenStack,Outscale,VCD,vcluster,Virtink,vSphere"}}
 {{#tab AWS}}
 
 ```bash
@@ -820,15 +923,14 @@ export CONTROL_PLANE_ENDPOINT_IP=<your-control-plane-virtual-ip>
 Please visit the [KubeKey provider] for more information.
 
 {{#/tab }}
-{{#tab Kubevirt}}
-
-A ClusterAPI compatible image must be available in your Kubevirt image library. For instructions on how to build a compatible image
-see [image-builder](https://image-builder.sigs.k8s.io/capi/capi.html).
+{{#tab KubeVirt}}
 
-To see all required Kubevirt environment variables execute:
 ```bash
-clusterctl generate cluster --infrastructure kubevirt --list-variables capi-quickstart
+export CAPK_GUEST_K8S_VERSION="v1.23.10"
+export CRI_PATH="/var/run/containerd/containerd.sock"
+export NODE_VM_IMAGE_TEMPLATE="quay.io/capk/ubuntu-2004-container-disk:${CAPK_GUEST_K8S_VERSION}"
 ```
+Please visit the [KubeVirt project][KubeVirt provider] for more information.
 
 {{#/tab }}
 {{#tab Metal3}}
@@ -1007,7 +1109,7 @@ For more information about prerequisites, credentials management, or permissions
 
 For the purpose of this tutorial, we'll name our cluster capi-quickstart.
 
-{{#tabs name:"tab-clusterctl-config-cluster" tabs:"Docker, vcluster, others..."}}
+{{#tabs name:"tab-clusterctl-config-cluster" tabs:"Docker, vcluster, KubeVirt, others..."}}
 {{#tab Docker}}
 
 <aside class="note warning">
@@ -1042,6 +1144,22 @@ clusterctl generate cluster ${CLUSTER_NAME} \
     --target-namespace ${CLUSTER_NAMESPACE} | kubectl apply -f -
 ```
 
+{{#/tab }}
+{{#tab KubeVirt}}
+
+As we described above, in this tutorial, we will use a LoadBalancer service in order to expose the API server of the
+workload cluster, so we want to use the load balancer (lb) template (rather than the default one). We'll use the
+clusterctl's `--flavor` flag for that:
+```bash
+clusterctl generate cluster capi-quickstart \
+  --infrastructure="kubevirt" \
+  --flavor lb \
+  --kubernetes-version ${CAPK_GUEST_K8S_VERSION} \
+  --control-plane-machine-count=1 \
+  --worker-machine-count=1 \
+  > capi-quickstart.yaml
+```
+
 {{#/tab }}
 {{#tab others...}}
 
@@ -1151,7 +1269,7 @@ Note: To use the default clusterctl method to retrieve kubeconfig for a workload
 
 Calico is used here as an example.
 
-{{#tabs name:"tab-deploy-cni" tabs:"Azure,vcluster,others..."}}
+{{#tabs name:"tab-deploy-cni" tabs:"Azure,vcluster,KubeVirt,others..."}}
 {{#tab Azure}}
 
 Azure [does not currently support Calico networking](https://docs.projectcalico.org/reference/public-cloud/azure). As a workaround, it is recommended that Azure clusters use the Calico spec below that uses VXLAN.
@@ -1173,6 +1291,126 @@ kubectl --kubeconfig=./capi-quickstart.kubeconfig get nodes
 
 Calico not required for vcluster.
 
+{{#/tab }}
+{{#tab KubeVirt}}
+
+Before deploying the Calico CNI, make sure the VMs are running:
+```bash
+kubectl get vm
+```
+
+If our new VMs are running, we should see a response similar to this:
+
+```text
+NAME                                  AGE    STATUS    READY
+capi-quickstart-control-plane-7s945   167m   Running   True
+capi-quickstart-md-0-zht5j            164m   Running   True
+```
+
+We can also read the virtual machine instances:
+```bash
+kubectl get vmi
+```
+The output will be similar to:
+```text
+NAME                                  AGE    PHASE     IP             NODENAME             READY
+capi-quickstart-control-plane-7s945   167m   Running   10.244.82.16   kind-control-plane   True
+capi-quickstart-md-0-zht5j            164m   Running   10.244.82.17   kind-control-plane   True
+```
+
+Since our workload cluster is running within the kind cluster, we need to prevent conflicts between the kind
+(management) cluster's CNI, and the workload cluster CNI. The following modifications in the default Calico settings
+are enough for these two CNI to work on (actually) the same environment.
+
+* Change the CIDR to a non-conflicting range
+* Change the value of the `CLUSTER_TYPE` environment variable to `k8s`
+* Change the value of the `CALICO_IPV4POOL_IPIP` environment variable to `Never`
+* Change the value of the `CALICO_IPV4POOL_VXLAN` environment variable to `Always`
+* Add the `FELIX_VXLANPORT` environment variable with the value of a non-conflicting port, e.g. `"6789"`.
+
+The following script downloads the Calico manifest and modifies the required field. The CIDR and the port values are examples.
+```bash
+curl https://raw.githubusercontent.com/projectcalico/calico/v3.24.4/manifests/calico.yaml -o calico-workload.yaml
+
+sed -i -E 's|^( +)# (- name: CALICO_IPV4POOL_CIDR)$|\1\2|g;'\
+'s|^( +)# (  value: )"192.168.0.0/16"|\1\2"10.243.0.0/16"|g;'\
+'/- name: CLUSTER_TYPE/{ n; s/( +value: ").+/\1k8s"/g };'\
+'/- name: CALICO_IPV4POOL_IPIP/{ n; s/value: "Always"/value: "Never"/ };'\
+'/- name: CALICO_IPV4POOL_VXLAN/{ n; s/value: "Never"/value: "Always"/};'\
+'/# Set Felix endpoint to host default action to ACCEPT./a\            - name: FELIX_VXLANPORT\n              value: "6789"' \
+calico-workload.yaml
+```
+Now, deploy the Calico CNI on the workload cluster:
+```bash
+kubectl --kubeconfig=./capi-quickstart.kubeconfig create -f calico-workload.yaml
+```
+
+After a short while, our nodes should be running and in `Ready` state, let’s check the status using `kubectl get nodes`:
+
+```bash
+kubectl --kubeconfig=./capi-quickstart.kubeconfig get nodes
+```
+
+<aside class="note">
+
+<h1>Troubleshooting</h1>
+
+If the nodes don't become ready after a long period, read the pods in the `kube-system` namespace
+```bash
+kubectl --kubeconfig=./capi-quickstart.kubeconfig get pod -n kube-system
+```
+
+If the Calico pods are in image pull error state (`ErrImagePull`), it's probably because of the docker hub pull rate limit.
+We can try to fix that by adding a secret with our docker hub credentials, and use it;
+see [here](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials)
+for details.
+
+First, create the secret. Please notice the docker config file path, and adjust it to your local setting.
+```bash
+kubectl --kubeconfig=./capi-quickstart.kubeconfig create secret generic docker-creds \
+    --from-file=.dockerconfigjson=<YOUR DOCKER CONFIG FILE PATH> \
+    --type=kubernetes.io/dockerconfigjson \
+    -n kube-system
+```
+
+Now, if the `calico-node` pods are with status of `ErrImagePull`, patch their DaemonSet to make them use the new secret to pull images:
+```bash
+kubectl --kubeconfig=./capi-quickstart.kubeconfig patch daemonset \
+    -n kube-system calico-node \
+    -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"docker-creds"}]}}}}'
+```
+
+After a short while, the calico-node pods will be with `Running` status. Now, if the calico-kube-controllers pod is also
+in `ErrImagePull` status, patch its deployment to fix the problem:
+```bash
+kubectl --kubeconfig=./capi-quickstart.kubeconfig patch deployment \
+    -n kube-system calico-kube-controllers \
+    -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"docker-creds"}]}}}}'
+```
+
+Read the pods again
+```bash
+kubectl --kubeconfig=./capi-quickstart.kubeconfig get pod -n kube-system
+```
+
+Eventually, all the pods in the kube-system namespace will run, and the result should be similar to this:
+```text
+NAME                                                          READY   STATUS    RESTARTS   AGE
+calico-kube-controllers-c969cf844-dgld6                       1/1     Running   0          50s
+calico-node-7zz7c                                             1/1     Running   0          54s
+calico-node-jmjd6                                             1/1     Running   0          54s
+coredns-64897985d-dspjm                                       1/1     Running   0          3m49s
+coredns-64897985d-pgtgz                                       1/1     Running   0          3m49s
+etcd-capi-quickstart-control-plane-kjjbb                      1/1     Running   0          3m57s
+kube-apiserver-capi-quickstart-control-plane-kjjbb            1/1     Running   0          3m57s
+kube-controller-manager-capi-quickstart-control-plane-kjjbb   1/1     Running   0          3m57s
+kube-proxy-b9g5m                                              1/1     Running   0          3m12s
+kube-proxy-p6xx8                                              1/1     Running   0          3m49s
+kube-scheduler-capi-quickstart-control-plane-kjjbb            1/1     Running   0          3m57s
+```
+
+</aside>
+
 {{#/tab }}
 {{#tab others...}}
 
@@ -1244,7 +1482,8 @@ See the [clusterctl] documentation for more detail about clusterctl supported ac
 [Metal3 getting started guide]: https://github.com/metal3-io/cluster-api-provider-metal3/blob/master/docs/getting-started.md
 [Metal3 provider]: https://github.com/metal3-io/cluster-api-provider-metal3/
 [KubeKey provider]: https://github.com/kubesphere/kubekey
-[Kubevirt provider]: https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt/
+[KubeVirt provider]: https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt/
+[KubeVirt]: https://kubevirt.io/
 [oci-provider]: https://oracle.github.io/cluster-api-provider-oci/#getting-started
 [Equinix Metal getting started guide]: https://github.com/kubernetes-sigs/cluster-api-provider-packet#using
 [provider]:../reference/providers.md

From 61cb7c2e6606060c3bec13a33790600f9f28d58d Mon Sep 17 00:00:00 2001
From: Jack Francis <jackfrancis@gmail.com>
Date: Mon, 22 Aug 2022 17:27:18 -0700
Subject: [PATCH 05/87] MachinePool annotation for externally managed
 autoscaler

---
 api/v1beta1/common_types.go                   |  6 ++
 .../architecture/controllers/machine-pool.md  | 29 ++++++
 .../src/developer/providers/v1.2-to-v1.3.md   |  5 +-
 .../src/reference/labels_and_annotations.md   |  1 +
 exp/api/v1beta1/machinepool_types.go          |  5 +
 .../machinepool_controller_phases.go          | 20 +++-
 util/annotations/helpers.go                   | 17 ++++
 util/annotations/helpers_test.go              | 92 +++++++++++++++++++
 8 files changed, 169 insertions(+), 6 deletions(-)

diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index 218120b18375..1dd7c382cf22 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -128,6 +128,12 @@ const (
 	// any changes to the actual object because it is a dry run) and the topology controller
 	// will receive the resulting object.
 	TopologyDryRunAnnotation = "topology.cluster.x-k8s.io/dry-run"
+
+	// ReplicasManagedByAnnotation is an annotation that indicates external (non-Cluster API) management of infra scaling.
+	// The practical effect of this is that the capi "replica" count should be passively derived from the number of observed infra machines,
+	// instead of being a source of truth for eventual consistency.
+	// This annotation can be used to inform MachinePool status during in-progress scaling scenarios.
+	ReplicasManagedByAnnotation = "cluster.x-k8s.io/replicas-managed-by"
 )
 
 const (
diff --git a/docs/book/src/developer/architecture/controllers/machine-pool.md b/docs/book/src/developer/architecture/controllers/machine-pool.md
index 7dd3be60dc9c..04cd327e1144 100644
--- a/docs/book/src/developer/architecture/controllers/machine-pool.md
+++ b/docs/book/src/developer/architecture/controllers/machine-pool.md
@@ -96,6 +96,30 @@ The `status` object **may** define several fields that do not affect functionali
 * `failureReason` - is a string that explains why a fatal error has occurred, if possible.
 * `failureMessage` - is a string that holds the message contained by the error.
 
+Example:
+```yaml
+kind: MyMachinePool
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+spec:
+    providerIDList:
+      - cloud:////my-cloud-provider-id-0
+      - cloud:////my-cloud-provider-id-1
+status:
+    ready: true
+```
+
+#### Externally Managed Autoscaler
+
+A provider may implement an InfrastructureMachinePool that is externally managed by an autoscaler. For example, if you are using a Managed Kubernetes provider, it may include its own autoscaler solution. To indicate this to Cluster API, you would decorate the MachinePool object with the following annotation:
+
+`"cluster.x-k8s.io/replicas-managed-by": ""`
+
+Cluster API treats the annotation as a "boolean", meaning that the presence of the annotation is sufficient to indicate external replica count management, with one exception: if the value is `"false"`, then that indicates to Cluster API that replica enforcement is nominal, and managed by Cluster API.
+
+Providers may choose to implement the `cluster.x-k8s.io/replicas-managed-by` annotation with different values (e.g., `external-autoscaler`, or `karpenter`) that may inform different provider-specific behaviors, but those values will have no effect upon Cluster API.
+
+The effect upon Cluster API of this annotation is that during autoscaling events (initiated externally, not by Cluster API), when more or fewer MachinePool replicas are observed compared to the `Spec.Replicas` configuration, it will update its `Status.Phase` property to the value of `"Scaling"`.
+
 Example:
 ```yaml
 kind: MyMachinePool
@@ -104,10 +128,15 @@ spec:
     providerIDList:
       - cloud:////my-cloud-provider-id-0
       - cloud:////my-cloud-provider-id-1
+      - cloud:////my-cloud-provider-id-2
+    replicas: 1
 status:
     ready: true
+    phase: Scaling
 ```
 
+It is the provider's responsibility to update Cluster API's `Spec.Replicas` property to the value observed in the underlying infra environment as it changes in response to external autoscaling behaviors. Once that is done, and the number of providerID items is equal to the `Spec.Replicas` property, the MachinePools's `Status.Phase` property will be set to `Running` by Cluster API.
+
 ### Secrets
 
 The machine pool controller will use a secret in the following format:
diff --git a/docs/book/src/developer/providers/v1.2-to-v1.3.md b/docs/book/src/developer/providers/v1.2-to-v1.3.md
index 8c53861451b3..e46652d00dc1 100644
--- a/docs/book/src/developer/providers/v1.2-to-v1.3.md
+++ b/docs/book/src/developer/providers/v1.2-to-v1.3.md
@@ -41,6 +41,7 @@ in Cluster API are kept in sync with the versions used by `sigs.k8s.io/controlle
 - A new timeout `nodeVolumeDetachTimeout` has been introduced that defines how long the controller will spend on waiting for all volumes to be detached.
 The default value is 0, meaning that the volume can be detached without any time limitations.
 - A new annotation `machine.cluster.x-k8s.io/exclude-wait-for-node-volume-detach` has been introduced that allows explicitly skip the waiting for node volume detaching.
+- A new annotation `"cluster.x-k8s.io/replicas-managed-by"` has been introduced to indicate that a MachinePool's replica enforcement is delegated to an external autoscaler (not managed by Cluster API). For more information see the documentation [here](../architecture/controllers/machine-pool.md#externally-managed-autoscaler).
 - The `Path` func in the `sigs.k8s.io/cluster-api/cmd/clusterctl/client/repository.Overrider` interface has been adjusted to also return an error.
 
 ### Other
@@ -55,8 +56,8 @@ The default value is 0, meaning that the volume can be detached without any time
   * the `--junit-report` argument [replaces JUnit custom reporter](https://onsi.github.io/ginkgo/MIGRATING_TO_V2#improved-reporting-infrastructure) code
   * see the ["Update tests to Ginkgo v2" PR](https://github.com/kubernetes-sigs/cluster-api/pull/6906) for a reference example
 - Cluster API introduced new [logging guidelines](../../developer/logging.md). All reconcilers in the core repository were updated
-  to [log the entire object hierarchy](../../developer/logging.md#keyvalue-pairs). It would be great if providers would be adjusted 
-  as well to make it possible to cross-reference log entries across providers (please see CAPD for an infra provider reference implementation). 
+  to [log the entire object hierarchy](../../developer/logging.md#keyvalue-pairs). It would be great if providers would be adjusted
+  as well to make it possible to cross-reference log entries across providers (please see CAPD for an infra provider reference implementation).
 - The `CreateLogFile` function and `CreateLogFileInput` struct in the E2E test framework for clusterctl has been renamed to `OpenLogFile` and `OpenLogFileInput` because the function will now append to the logfile instead of truncating the content.
 - The `Move` function in E2E test framework for clusterctl has been modified to:
   * print the `clusterctl move` command including the arguments similar to `Init`.
diff --git a/docs/book/src/reference/labels_and_annotations.md b/docs/book/src/reference/labels_and_annotations.md
index e9cdcad5d24f..4a2a98633d7c 100644
--- a/docs/book/src/reference/labels_and_annotations.md
+++ b/docs/book/src/reference/labels_and_annotations.md
@@ -34,6 +34,7 @@
 | cluster.x-k8s.io/cloned-from-groupkind   | It is the infrastructure machine annotation that stores the group-kind of the infrastructure template resource that was cloned for the machine. This annotation is set only during cloning a template. Older/adopted machines will not have this annotation.   |
 |  cluster.x-k8s.io/skip-remediation  | It is used to mark the machines that should not be considered for remediation by MachineHealthCheck reconciler.   |
 |  cluster.x-k8s.io/managed-by  | It can be applied to InfraCluster resources to signify that some external system is managing the cluster infrastructure. Provider InfraCluster controllers will ignore resources with this annotation. An external controller must fulfill the contract of the InfraCluster resource. External infrastructure providers should ensure that the annotation, once set, cannot be removed.  |
+|  cluster.x-k8s.io/replicas-managed-by  | It can be applied to MachinePool resources to signify that some external system is managing infrastructure scaling for that pool. See [the MachinePool documentation](../developer/architecture/controllers/machine-pool.md#externally-managed-autoscaler) for more details. |
 |  topology.cluster.x-k8s.io/dry-run  | It is an annotation that gets set on objects by the topology controller only during a server side dry run apply operation. It is used for validating update webhooks for objects which get updated by template rotation (e.g. InfrastructureMachineTemplate). When the annotation is set and the admission request is a dry run, the webhook should deny validation due to immutability. By that the request will succeed (without any changes to the actual object because it is a dry run) and the topology controller will receive the resulting object. |
 |  machine.cluster.x-k8s.io/certificates-expiry    | It captures the expiry date of the machine certificates in RFC3339 format. It is used to trigger rollout of control plane machines before certificates expire. It can be set on BootstrapConfig and Machine objects. The value set on Machine object takes precedence. The annotation is only used by control plane machines. |
 |  machine.cluster.x-k8s.io/exclude-node-draining  | It explicitly skips node draining if set.  |
diff --git a/exp/api/v1beta1/machinepool_types.go b/exp/api/v1beta1/machinepool_types.go
index a20397097eda..2634affe1db3 100644
--- a/exp/api/v1beta1/machinepool_types.go
+++ b/exp/api/v1beta1/machinepool_types.go
@@ -163,6 +163,11 @@ const (
 	// MachinePool infrastructure is scaling down.
 	MachinePoolPhaseScalingDown = MachinePoolPhase("ScalingDown")
 
+	// MachinePoolPhaseScaling is the MachinePool state when the
+	// MachinePool infrastructure is scaling.
+	// This phase value is appropriate to indicate an active state of scaling by an external autoscaler.
+	MachinePoolPhaseScaling = MachinePoolPhase("Scaling")
+
 	// MachinePoolPhaseDeleting is the MachinePool state when a delete
 	// request has been sent to the API Server,
 	// but its infrastructure has not yet been fully deleted.
diff --git a/exp/internal/controllers/machinepool_controller_phases.go b/exp/internal/controllers/machinepool_controller_phases.go
index 24a514049548..c6cb361aa884 100644
--- a/exp/internal/controllers/machinepool_controller_phases.go
+++ b/exp/internal/controllers/machinepool_controller_phases.go
@@ -67,14 +67,26 @@ func (r *MachinePoolReconciler) reconcilePhase(mp *expv1.MachinePool) {
 		mp.Status.SetTypedPhase(expv1.MachinePoolPhaseRunning)
 	}
 
-	// Set the phase to "scalingUp" if the infrastructure is scaling up.
+	// Set the appropriate phase in response to the MachinePool replica count being greater than the observed infrastructure replicas.
 	if mp.Status.InfrastructureReady && *mp.Spec.Replicas > mp.Status.ReadyReplicas {
-		mp.Status.SetTypedPhase(expv1.MachinePoolPhaseScalingUp)
+		// If we are being managed by an external autoscaler and can't predict scaling direction, set to "Scaling".
+		if annotations.ReplicasManagedByExternalAutoscaler(mp) {
+			mp.Status.SetTypedPhase(expv1.MachinePoolPhaseScaling)
+		} else {
+			// Set the phase to "ScalingUp" if we are actively scaling the infrastructure out.
+			mp.Status.SetTypedPhase(expv1.MachinePoolPhaseScalingUp)
+		}
 	}
 
-	// Set the phase to "scalingDown" if the infrastructure is scaling down.
+	// Set the appropriate phase in response to the MachinePool replica count being less than the observed infrastructure replicas.
 	if mp.Status.InfrastructureReady && *mp.Spec.Replicas < mp.Status.ReadyReplicas {
-		mp.Status.SetTypedPhase(expv1.MachinePoolPhaseScalingDown)
+		// If we are being managed by an external autoscaler and can't predict scaling direction, set to "Scaling".
+		if annotations.ReplicasManagedByExternalAutoscaler(mp) {
+			mp.Status.SetTypedPhase(expv1.MachinePoolPhaseScaling)
+		} else {
+			// Set the phase to "ScalingDown" if we are actively scaling the infrastructure in.
+			mp.Status.SetTypedPhase(expv1.MachinePoolPhaseScalingDown)
+		}
 	}
 
 	// Set the phase to "failed" if any of Status.FailureReason or Status.FailureMessage is not-nil.
diff --git a/util/annotations/helpers.go b/util/annotations/helpers.go
index de07f7a55b92..0ec9ef9388ac 100644
--- a/util/annotations/helpers.go
+++ b/util/annotations/helpers.go
@@ -58,6 +58,11 @@ func HasWithPrefix(prefix string, annotations map[string]string) bool {
 	return false
 }
 
+// ReplicasManagedByExternalAutoscaler returns true if the standard annotation for external autoscaler is present.
+func ReplicasManagedByExternalAutoscaler(o metav1.Object) bool {
+	return hasTruthyAnnotationValue(o, clusterv1.ReplicasManagedByAnnotation)
+}
+
 // AddAnnotations sets the desired annotations on the object and returns true if the annotations have changed.
 func AddAnnotations(o metav1.Object, desired map[string]string) bool {
 	if len(desired) == 0 {
@@ -87,3 +92,15 @@ func hasAnnotation(o metav1.Object, annotation string) bool {
 	_, ok := annotations[annotation]
 	return ok
 }
+
+// hasTruthyAnnotationValue returns true if the object has an annotation with a value that is not "false".
+func hasTruthyAnnotationValue(o metav1.Object, annotation string) bool {
+	annotations := o.GetAnnotations()
+	if annotations == nil {
+		return false
+	}
+	if val, ok := annotations[annotation]; ok {
+		return val != "false"
+	}
+	return false
+}
diff --git a/util/annotations/helpers_test.go b/util/annotations/helpers_test.go
index b6f7c119e860..9793fcf87369 100644
--- a/util/annotations/helpers_test.go
+++ b/util/annotations/helpers_test.go
@@ -151,3 +151,95 @@ func TestAddAnnotations(t *testing.T) {
 		})
 	}
 }
+
+func TestHasTruthyAnnotationValue(t *testing.T) {
+	tests := []struct {
+		name          string
+		obj           metav1.Object
+		annotationKey string
+		expected      bool
+	}{
+		{
+			name: "annotation does not exist",
+			obj: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"cluster.x-k8s.io/some-other-annotation": "",
+					},
+				},
+				Spec:   corev1.NodeSpec{},
+				Status: corev1.NodeStatus{},
+			},
+			annotationKey: "cluster.x-k8s.io/replicas-managed-by",
+			expected:      false,
+		},
+		{
+			name: "no val",
+			obj: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"cluster.x-k8s.io/replicas-managed-by": "",
+					},
+				},
+				Spec:   corev1.NodeSpec{},
+				Status: corev1.NodeStatus{},
+			},
+			annotationKey: "cluster.x-k8s.io/replicas-managed-by",
+			expected:      true,
+		},
+		{
+			name: "annotation exists, true value",
+			obj: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"cluster.x-k8s.io/replicas-managed-by": "true",
+					},
+				},
+				Spec:   corev1.NodeSpec{},
+				Status: corev1.NodeStatus{},
+			},
+			annotationKey: "cluster.x-k8s.io/replicas-managed-by",
+			expected:      true,
+		},
+		{
+			name: "annotation exists, random string value",
+			obj: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"cluster.x-k8s.io/replicas-managed-by": "foo",
+					},
+				},
+				Spec:   corev1.NodeSpec{},
+				Status: corev1.NodeStatus{},
+			},
+			annotationKey: "cluster.x-k8s.io/replicas-managed-by",
+			expected:      true,
+		},
+		{
+			name: "annotation exists, false value",
+			obj: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"cluster.x-k8s.io/replicas-managed-by": "false",
+					},
+				},
+				Spec:   corev1.NodeSpec{},
+				Status: corev1.NodeStatus{},
+			},
+			annotationKey: "cluster.x-k8s.io/replicas-managed-by",
+			expected:      false,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			ret := hasTruthyAnnotationValue(tt.obj, tt.annotationKey)
+			if tt.expected {
+				g.Expect(ret).To(BeTrue())
+			} else {
+				g.Expect(ret).To(BeFalse())
+			}
+		})
+	}
+}

From 5df64bbef14e2281f1d2d68d92700a9a31134dc5 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <buringerst@vmware.com>
Date: Fri, 4 Nov 2022 14:35:12 +0100
Subject: [PATCH 06/87] Add release tasks doc and corresponding issue template

---
 .github/ISSUE_TEMPLATE/bug_report.md          |   6 +-
 .github/ISSUE_TEMPLATE/feature_request.md     |   5 +-
 .github/ISSUE_TEMPLATE/release_tracking.md    |  80 ++++
 CONTRIBUTING.md                               |   2 +-
 docs/developer/release-cycle.md               | 113 -----
 docs/developer/releasing.md                   |  61 ---
 docs/release/release-1.3.md                   |  27 ++
 docs/release/release-1.4.md                   |  35 ++
 .../release-cycle-overview.png                | Bin
 docs/release/release-cycle.md                 |  52 +++
 docs/release/release-tasks.md                 | 408 ++++++++++++++++++
 docs/{developer => release}/release-team.md   |   6 +-
 hack/verify-doctoc.sh                         |   2 +-
 13 files changed, 616 insertions(+), 181 deletions(-)
 create mode 100644 .github/ISSUE_TEMPLATE/release_tracking.md
 delete mode 100644 docs/developer/release-cycle.md
 delete mode 100644 docs/developer/releasing.md
 create mode 100644 docs/release/release-1.3.md
 create mode 100644 docs/release/release-1.4.md
 rename docs/{developer => release}/release-cycle-overview.png (100%)
 create mode 100644 docs/release/release-cycle.md
 create mode 100644 docs/release/release-tasks.md
 rename docs/{developer => release}/release-team.md (94%)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 98a488626a25..3362f30470f3 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,6 +1,9 @@
 ---
-name: Bug report
+name: 🐛 Bug report
 about: Tell us about a problem you are experiencing
+title: ''
+labels: ''
+assignees: ''
 
 ---
 
@@ -24,4 +27,3 @@ about: Tell us about a problem you are experiencing
 
 /kind bug
 [One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels]
- 
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index 60aafc2a8716..7d19611b5116 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,6 +1,9 @@
 ---
-name: Feature request
+name: ✨ Feature request
 about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
 
 ---
 
diff --git a/.github/ISSUE_TEMPLATE/release_tracking.md b/.github/ISSUE_TEMPLATE/release_tracking.md
new file mode 100644
index 000000000000..0c5e34b565ef
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/release_tracking.md
@@ -0,0 +1,80 @@
+---
+name: 🚋 Release cycle tracking
+about: Create a new release cycle tracking issue for a minor release
+title: Tasks for v<release-tag> release cycle
+labels: ''
+assignees: ''
+
+---
+
+Please see the corresponding section in [release-tasks.md](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md) for documentation of individual tasks.  
+
+## Tasks
+
+**Notes**:
+* Weeks are only specified to give some orientation.
+* The following is based on the v1.4 release cycle. Modify according to the tracked release cycle.
+
+Week -3 to 1:
+* [ ] [Release Lead] [Set a tentative release date for the minor release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#set-a-tentative-release-date-for-the-minor-release)
+* [ ] [Release Lead] [Assemble release team](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#assemble-release-team)
+
+Week 1:
+* [ ] [Release Lead] [Finalize release schedule and team](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#finalize-release-schedule-and-team)
+* [ ] [Release Lead] [Prepare main branch for development of the new release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#prepare-main-branch-for-development-of-the-new-release)
+* [ ] [Communications Manager] [Add docs to collect release notes for users and migration notes for provider implementers](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers)
+* [ ] [Communications Manager] [Update supported versions](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#update-supported-versions)
+
+Week 1 to 4:
+* [ ] [Release Lead] [Track] [Remove previously deprecated code](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#track-remove-previously-deprecated-code)
+
+Week 6:
+* [ ] [Release Lead] [Cut the v1.3.1 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+
+Week 9:
+* [ ] [Release Lead] [Cut the v1.3.2 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+
+Week 11 to 12:
+* [ ] [Release Lead] [Track] [Bump dependencies](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#track-bump-dependencies)
+
+Week 13:
+* [ ] [Release Lead] [Cut the v1.4.0-beta.0 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.3.3 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Create a new GitHub milestone for the next release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#create-a-new-github-milestone-for-the-next-release)
+
+Week 14:
+* [ ] [Release Lead] [Cut the v1.4.0-beta.1 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] Select release lead for the next release cycle
+
+Week 15:
+* [ ] [Release Lead] [Create the release-1.4 release branch](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#create-a-release-branch)
+* [ ] [Release Lead] [Cut the v1.4.0-rc.0 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [CI Manager] [Setup jobs and dashboards for the release-1.4 release branch](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#setup-jobs-and-dashboards-for-a-new-release-branch)
+* [ ] [Communications Manager] [Ensure the book for the new release is available](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#ensure-the-book-for-the-new-release-is-available)
+
+Week 15 to 17:
+* [ ] [Communications Manager] [Polish release notes](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#polish-release-notes)
+
+Week 16:
+* [ ] [Release Lead] [Cut the v1.4.0-rc.1 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+
+Week 17:
+* [ ] [Release Lead] [Cut the v1.4.0 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.3.4 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] Organize release retrospective
+* [ ] [Communications Manager] [Change production branch in Netlify to the new release branch](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#change-production-branch-in-netlify-to-the-new-release-branch)
+* [ ] [Communications Manager] [Update clusterctl links in the quickstart](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#update-clusterctl-links-in-the-quickstart)
+
+Continuously:
+* [Release lead] [Maintain the GitHub release milestone](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-maintain-the-github-release-milestone)
+* [Communications Manager] [Communicate key dates to the community](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-communicate-key-dates-to-the-community)
+* [Communications Manager] Improve release process documentation
+* [Communications Manager] Maintain and improve user facing documentation about releases, release policy and release calendar
+* [CI Manager] [Monitor CI signal](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-monitor-ci-signal)
+* [CI Manager] [Reduce the amount of flaky tests](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-reduce-the-amount-of-flaky-tests)
+* [CI Manager] [Bug triage](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-bug-triage)
+* [CI Manager] Maintain and improve release automation, tooling & related developer docs
+
+If and when necessary:
+* [ ] [Release Lead] [Track] [Bump the Cluster API apiVersion](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#optional-track-bump-the-cluster-api-apiversion)
+* [ ] [Release Lead] [Track] [Bump the Kubernetes version](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#optional-track-bump-the-kubernetes-version)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5187a41feccf..26ee8cc7ef76 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -51,7 +51,7 @@ come up, including gaps in documentation!
 
 If you're a more experienced contributor, looking at unassigned issues in the next release milestone is a good way to find work that has been prioritized. For example, if the latest minor release is `v1.0`, the next release milestone is `v1.1`.
 
-Help and contributions are very welcome in the form of code contributions but also in helping to moderate office hours, triaging issues, fixing/investigating flaky tests, being part of the [release team](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/developer/release-team.md), helping new contributors with their questions, reviewing proposals, etc.
+Help and contributions are very welcome in the form of code contributions but also in helping to moderate office hours, triaging issues, fixing/investigating flaky tests, being part of the [release team](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-team.md), helping new contributors with their questions, reviewing proposals, etc.
 
 ## Versioning
 
diff --git a/docs/developer/release-cycle.md b/docs/developer/release-cycle.md
deleted file mode 100644
index 5cbd1fc2b713..000000000000
--- a/docs/developer/release-cycle.md
+++ /dev/null
@@ -1,113 +0,0 @@
-# Release Cycle
-
-The release cycle is the time between when we start working on a release on the `main` branch until the `.0` release (e.g. `v1.3.0`) is released.
-
-**Note**: For the `v1.3` and `v1.4` releases we assume each release cycle will last approximately 4 months (~ 17 weeks).
-The release cycle duration will be revisited after the `v1.4.0` release.
-
-A release cycle can be split up into the following phases:
-
-* Week 1-12: Active development
-    * All changes impacting providers' adoption of Cluster API should be implemented and merged in this period. Exceptions
-      require special approval as described in the section below.
-    * Alpha releases will be released based on the main branch only if necessary (to be determined by the release lead)
-    * Please note that we also publish daily releases based on the main branch.
-* Week 13-14: Beta
-    * Weekly beta releases will be released based on the main branch
-        * The beta releases are meant as a preview of the upcoming release
-        * Providers can start adopting the new release based on the beta releases
-    * All changes that impact providers' adoption of the new release should be announced in the provider updates section
-      of the office hours meeting notes and approved in the PR or issue by both approvers and key affected providers.
-* Week 15-16: RC
-    * The release branch is created
-    * Weekly RC releases will be released based on the release branch
-        * RC releases are as close as possible to the final release but they are still undergoing further testing
-    * Development of the next release can technically start on the main branch, but some changes might be delayed
-      to ensure easier cherry-picking of other changes to the release branch.
-    * There is a feature freeze on the release branch
-        * Only cherry-picks for documentation, bug fixes, test fixes and test additions are allowed
-* Week 17: GA
-    * `x.y.0` GA release is created based on the release branch
-* After that:
-    * **Note** The following is the responsibility of the release team of the following release cycle.
-    * `x.y.1+`: Monthly patch releases will be released based on the release branch
-    * Cherry-picks to the release branch are allowed according to the [backport policy](https://github.com/kubernetes-sigs/cluster-api/blob/main/CONTRIBUTING.md#backporting-a-patch)
-    * Providers create releases using the new CAPI minor release when they are ready
-    * Development of the next release can now officially start on the main branch
-
-Some additional notes:
-
-* Support for new Kubernetes minor versions (for management and workload clusters) is first implemented
-  on the main branch, then cherry-picked into supported release branches when feasible and eventually
-  released in the next monthly patch release(s).
-    * **Note**: We usually don't have to bump Go dependencies to support new Kubernetes minor versions as it's not necessary
-      to run on a management cluster with the new version or create a workload cluster with the new version.
-      If it becomes necessary to bump dependencies to a new CR/Kubernetes minor version, the change cannot be cherry-picked
-      as bumping dependencies to a new minor version is a breaking change.
-* New Kubernetes and Controller-Runtime (CR) minor releases are only picked up on the main branch.
-
-The following diagram visualizes the release cycles with the v1.2, v1.3 and v1.4 releases:
-
-<!-- The release cycle png can be opened and edited in draw.io -->
-![Release Cycle Overview](release-cycle-overview.png)
-
-# v1.3 Release Cycle timeline
-
-**Note**: This release will be used to set up documentation, automation, etc. for the first release team which will start with
-the `v1.4` release cycle.
-
-The following table shows the preliminary dates for the `v1.3` release cycle.
-
-| **What**                                             | **When**                      | **Week** |
-|------------------------------------------------------|-------------------------------|----------|
-| Start of Release Cycle                               | Monday 18th July 2022         | week 1   |
-| *1.2.1 released*                                     | Monday 15th August 2022       | week 5   | 
-| *1.2.2 released*                                     | Wednesday 14th September 2022 | week 9   | 
-| *1.2.3 released*                                     | Monday 10th October 2022      | week 13  | 
-| *1.2.4 released*                                     | Monday 17th October 2022      | week 14  | 
-| 1.3.0-beta.0 released                                | Tuesday 1st November 2022     | week 16  |
-| 1.3.0-beta.1 released                                | Tuesday 8th November 2022     | week 17  |
-| *1.2.5 released*                                     | Tuesday 8th November 2022     | week 17  |
-| release-1.3 branch created (**Begin [Code Freeze]**) | Tuesday 15th November 2022    | week 18  |
-| release-1.3 jobs created                             | Tuesday 15th November 2022    | week 18  |
-| 1.3.0-rc.0 released                                  | Tuesday 15th November 2022    | week 18  |
-| 1.3.0-rc.1 released                                  | Tuesday 22nd November 2022    | week 19  |
-| **1.3.0 released**                                   | Thursday 1st December 2022    | week 20  |
-| *1.2.6 released*                                     | Thursday 1st December 2022    | week 20  |
-
-After the `.0` release monthly patch release will be created.
-
-# v1.4 Release Cycle timeline
-
-**Note**: The `v1.4` release will be the first release created by a dedicated release team.
-
-The following table shows the preliminary dates for the `v1.4` release cycle.
-
-| **What**                                             | **Who**      | **When**                   | **Week** |
-|------------------------------------------------------|--------------|----------------------------|----------|
-| Start of Release Cycle                               | Release Lead | Monday 5th December 2022   | week 1   |
-| Schedule finalized                                   | Release Lead | Friday 9th December 2022   | week 1   |
-| Team finalized                                       | Release Lead | Friday 9th December 2022   | week 1   |
-| *1.3.1 released*                                     | Release Lead | Tuesday 10th January 2023  | week 6   |
-| *1.3.2 released*                                     | Release Lead | Tuesday 31st January 2023  | week 9   |
-| 1.4.0-beta.0 released                                | Release Lead | Tuesday 28th February 2023 | week 13  |
-| *1.3.3 released*                                     | Release Lead | Tuesday 28th February 2023 | week 13  |
-| 1.4.0-beta.1 released                                | Release Lead | Tuesday 7th March 2023     | week 14  |
-| release-1.4 branch created (**Begin [Code Freeze]**) | Release Lead | Tuesday 14th March 2023    | week 15  |
-| release-1.4 jobs created                             | CI Manager   | Tuesday 14th March 2023    | week 15  |
-| 1.4.0-rc.0 released                                  | Release Lead | Tuesday 14th March 2023    | week 15  |
-| 1.4.0-rc.1 released                                  | Release Lead | Tuesday 21st March 2023    | week 16  |
-| **1.4.0 released**                                   | Release Lead | Tuesday 28th March 2023    | week 17  |
-| *1.3.4 released*                                     | Release Lead | Tuesday 28th March 2023    | week 17  |
-| Organize release retrospective                       | Release Lead | TBC                        | week 17  |
-
-## Release team
-
-TODO: This table should be filled once the release team has been finalized in ~ this
-style: [Kubernetes 1.26 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.26/release-team.md) (I'm referring to the Name, Github, Slack ID pattern)
-
-| **Role**                                  | **Lead Name** (**GitHub / Slack ID**) | **Shadow Name(s) (GitHub / Slack ID)** |
-|-------------------------------------------|---------------------------------------|----------------------------------------|
-| Release Lead                              |  Yuvaraj Kakaraparthi ([@ykakarap](https://github.com/ykakarap)/Slack:`@Yuvaraj Kakaraparthi`)  | Jim Ntosas ([@dntosas](https://github.com/dntosas)/ Slack:`@dntosas`), Carlos Panato ([@cpanato](https://github.com/cpanato)/ Slack:`@cpanato`), Amit Kumar ([@hackeramitkumar](https://github.com/hackeramitkumar)/ Slack:`@Amit Kumar`) |
-| Communications/Docs/Release Notes Manager |  Oscar Utbult ([@oscr](https://github.com/oscr)/ Slack:`@oscar`) | Sayantani Saha ([@sayantani11](https://github.com/sayantani11)/ Slack:`@sayantani`), Vibhor Chinda ([@VibhorChinda](https://github.com/VibhorChinda)/ Slack:`@Vibhor Chinda`) |
-| CI Signal/Bug Triage/Automation Manager   |  Furkat Gofurov ([@furkatgofurov7](https://github.com/furkatgofurov7)/ Slack: `@Furkat Gofurov`) | Nawaz Khazielakha ([@nawazkh](https://github.com/nawazkh)/ Slack: `@nawaz`), Aniruddha Basak ([@aniruddha2000](https://github.com/aniruddha2000/)/ Slack: `@aniruddha`), Alexander Demicev ([@alexander-demicev](https://github.com/alexander-demicev)/ Slack:`@Alexander Demicev`) |
diff --git a/docs/developer/releasing.md b/docs/developer/releasing.md
deleted file mode 100644
index 7a0526aa992c..000000000000
--- a/docs/developer/releasing.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# Release Process
-
-## Create a tag
-
-1. Create an annotated tag
-   > NOTE: To use your GPG signature when pushing the tag, use `git tag -s [...]` instead)
-   - `export RELEASE_TAG=<the tag of the release to be cut>` (eg. `export RELEASE_TAG=v1.0.1`)
-   - `git tag -a ${RELEASE_TAG} -m ${RELEASE_TAG}`
-   - `git tag test/${RELEASE_TAG}` (:warning: MUST NOT be an annotated tag)
-1. Push the tag to the GitHub repository. This will automatically trigger a [Github Action](https://github.com/kubernetes-sigs/cluster-api/actions) to create a draft release.
-   > NOTE: `origin` should be the name of the remote pointing to `github.com/kubernetes-sigs/cluster-api`
-   - `git push origin ${RELEASE_TAG}`
-   - `git push origin test/${RELEASE_TAG}`
-
-## Promote images from the staging repo to `registry.k8s.io/cluster-api`
-
-Images are built by the [post push images job](https://testgrid.k8s.io/sig-cluster-lifecycle-image-pushes#post-cluster-api-push-images). This will push the image to a [staging repository](https://console.cloud.google.com/gcr/images/k8s-staging-cluster-api).
-
-1. If you don't have a GitHub token, create one by going to your GitHub settings, in [Personal access tokens](https://github.com/settings/tokens). Make sure you give the token the `repo` scope.
-1. Wait for the above job to complete for the tag commit and for the image to exist in the staging repository, then create a PR to promote the image and tag:
-   - `export GITHUB_TOKEN=<your GH token>`
-   - `make promote-images`
-
-*Note*: `kpromo` uses `git@github.com:...` as remote to push the branch for the PR. If you don't have `ssh` set up you can configure 
-        git to use `https` instead via `git config --global url."https://github.com/".insteadOf git@github.com:`.
-
-This will automatically create a PR in [k8s.io](https://github.com/kubernetes/k8s.io) and assign the CAPI maintainers.
-
-## Release in GitHub
-
-1. Review the draft release on GitHub. Pay close attention to the `## :question: Sort these by hand` section, as it contains items that need to be manually sorted.
-1. Publish the release
-
-## Update Netlify for Cluster API book
-
-_Note: Only requried for new major and minor releases._
-
-Get someone with Netlify access to do the following:
-
-1. Trigger `renew certificate` on Netlify UI.
-1. Change production branch on Netlify UI to the newest release branch.
-1. Trigger a re-deploy on Netlify UI for book to point to the new release-branch.
-
-## Homebrew
-
-1. Publish `clusterctl` to Homebrew by bumping the version in [clusterctl.rb](https://github.com/Homebrew/homebrew-core/blob/master/Formula/clusterctl.rb).
-   For an example please see: [PR: clusterctl 1.1.5](https://github.com/Homebrew/homebrew-core/pull/105075/files).
-
-   **Note**: Homebrew has [conventions for commit messages](https://docs.brew.sh/Formula-Cookbook#commit) usually 
-   the commit message for us should be e.g. "clusterctl 1.1.5"
-
-### Versioning
-
-See the [versioning documentation](./../../CONTRIBUTING.md#versioning) for more information.
-
-### Permissions
-
-Releasing requires a particular set of permissions.
-
-* Tag push access to the GitHub repository
-* GitHub Release creation access
diff --git a/docs/release/release-1.3.md b/docs/release/release-1.3.md
new file mode 100644
index 000000000000..a55704db5c7d
--- /dev/null
+++ b/docs/release/release-1.3.md
@@ -0,0 +1,27 @@
+# Cluster API v1.3
+
+## Timeline
+
+**Note**: This release will be used to set up documentation, automation, etc. for the first release team which will start with
+the `v1.4` release cycle.
+
+The following table shows the preliminary dates for the `v1.3` release cycle.
+
+| **What**                                             | **When**                      | **Week** |
+|------------------------------------------------------|-------------------------------|----------|
+| Start of Release Cycle                               | Monday 18th July 2022         | week 1   |
+| *v1.2.1 released*                                    | Monday 15th August 2022       | week 5   | 
+| *v1.2.2 released*                                    | Wednesday 14th September 2022 | week 9   | 
+| *v1.2.3 released*                                    | Monday 10th October 2022      | week 13  | 
+| *v1.2.4 released*                                    | Monday 17th October 2022      | week 14  | 
+| v1.3.0-beta.0 released                               | Tuesday 1st November 2022     | week 16  |
+| v1.3.0-beta.1 released                               | Tuesday 8th November 2022     | week 17  |
+| *v1.2.5 released*                                    | Tuesday 8th November 2022     | week 17  |
+| release-1.3 branch created (**Begin [Code Freeze]**) | Tuesday 15th November 2022    | week 18  |
+| v1.3.0-rc.0 released                                 | Tuesday 15th November 2022    | week 18  |
+| release-1.3 jobs created                             | Tuesday 15th November 2022    | week 18  |
+| v1.3.0-rc.1 released                                 | Tuesday 22nd November 2022    | week 19  |
+| **v1.3.0 released**                                  | Thursday 1st December 2022    | week 20  |
+| *v1.2.6 released*                                    | Thursday 1st December 2022    | week 20  |
+
+After the `.0` release monthly patch release will be created.
diff --git a/docs/release/release-1.4.md b/docs/release/release-1.4.md
new file mode 100644
index 000000000000..b7633107ddc4
--- /dev/null
+++ b/docs/release/release-1.4.md
@@ -0,0 +1,35 @@
+# Cluster API v1.4
+
+## Timeline
+
+**Note**: The `v1.4` release will be the first release created by a dedicated release team.
+
+The following table shows the preliminary dates for the `v1.4` release cycle.
+
+| **What**                                             | **Who**      | **When**                   | **Week** |
+|------------------------------------------------------|--------------|----------------------------|----------|
+| Start of Release Cycle                               | Release Lead | Monday 5th December 2022   | week 1   |
+| Schedule finalized                                   | Release Lead | Friday 9th December 2022   | week 1   |
+| Team finalized                                       | Release Lead | Friday 9th December 2022   | week 1   |
+| *v1.2.7 & v1.3.1 released*                           | Release Lead | Tuesday 10th January 2023  | week 6   |
+| *v1.2.8 & v1.3.2 released*                           | Release Lead | Tuesday 31st January 2023  | week 9   |
+| v1.4.0-beta.0 released                               | Release Lead | Tuesday 28th February 2023 | week 13  |
+| *v1.2.9 & v1.3.3 released*                           | Release Lead | Tuesday 28th February 2023 | week 13  |
+| v1.4.0-beta.1 released                               | Release Lead | Tuesday 7th March 2023     | week 14  |
+| release-1.4 branch created (**Begin [Code Freeze]**) | Release Lead | Tuesday 14th March 2023    | week 15  |
+| v1.4.0-rc.0 released                                 | Release Lead | Tuesday 14th March 2023    | week 15  |
+| release-1.4 jobs created                             | CI Manager   | Tuesday 14th March 2023    | week 15  |
+| v1.4.0-rc.1 released                                 | Release Lead | Tuesday 21st March 2023    | week 16  |
+| **v1.4.0 released**                                  | Release Lead | Tuesday 28th March 2023    | week 17  |
+| *v1.2.10 & v1.3.4 released*                          | Release Lead | Tuesday 28th March 2023    | week 17  |
+| Organize release retrospective                       | Release Lead | TBC                        | week 17  |
+
+After the `.0` release monthly patch release will be created.
+
+## Release team
+
+| **Role**                                  | **Lead Name** (**GitHub / Slack ID**)                                                      | **Shadow Name(s) (GitHub / Slack ID)**                                                                                                                                                                                                                                          |
+|-------------------------------------------|--------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Release Lead                              | Yuvaraj Kakaraparthi ([@ykakarap](https://github.com/ykakarap) ✉️ `@Yuvaraj Kakaraparthi`) | Jim Ntosas ([@dntosas](https://github.com/dntosas) ✉️ `@dntosas`)<br>Carlos Panato ([@cpanato](https://github.com/cpanato) ✉️ `@cpanato`)<br>Amit Kumar ([@hackeramitkumar](https://github.com/hackeramitkumar) ✉️ `@Amit Kumar`)                                               |
+| Communications/Docs/Release Notes Manager | Oscar Utbult ([@oscr](https://github.com/oscr) ✉️ `@oscar`)                                | Sayantani Saha ([@sayantani11](https://github.com/sayantani11) ✉️ ️`@sayantani`) <br> Vibhor Chinda ([@VibhorChinda](https://github.com/VibhorChinda) ✉️ ️`@Vibhor Chinda`) <br> Joe Kratzat ([@joekr](https://github.com/joekr) ✉️ `@Joe Kratzat`)                             |
+| CI Signal/Bug Triage/Automation Manager   | Furkat Gofurov ([@furkatgofurov7](https://github.com/furkatgofurov7) ✉️ `@Furkat Gofurov`) | Nawaz Khazielakha ([@nawazkh](https://github.com/nawazkh) ✉️ `@nawazkh`) <br> Aniruddha Basak ([@aniruddha2000](https://github.com/aniruddha2000/) ✉️ `@aniruddha`) <br> Alexander Demicev ([@alexander-demicev](https://github.com/alexander-demicev) ✉️ `@Alexander Demicev`) |
diff --git a/docs/developer/release-cycle-overview.png b/docs/release/release-cycle-overview.png
similarity index 100%
rename from docs/developer/release-cycle-overview.png
rename to docs/release/release-cycle-overview.png
diff --git a/docs/release/release-cycle.md b/docs/release/release-cycle.md
new file mode 100644
index 000000000000..90fc02dde9d0
--- /dev/null
+++ b/docs/release/release-cycle.md
@@ -0,0 +1,52 @@
+# Release Cycle
+
+The release cycle is the time between when we start working on a release on the `main` branch until the `.0` release (e.g. `v1.3.0`) is released.
+
+**Note**: For the `v1.3` and `v1.4` releases we assume each release cycle will last approximately 4 months (~ 17 weeks).
+The release cycle duration will be revisited after the `v1.4.0` release.
+
+A release cycle can be split up into the following phases:
+
+* Week 1-12: Active development
+    * All changes impacting providers' adoption of Cluster API should be implemented and merged in this period. Exceptions
+      require special approval as described in the section below.
+    * Alpha releases will be released based on the main branch only if necessary (to be determined by the release lead)
+    * Please note that we also publish daily releases based on the main branch.
+* Week 13-14: Beta
+    * Weekly beta releases will be released based on the main branch
+        * The beta releases are meant as a preview of the upcoming release
+        * Providers can start adopting the new release based on the beta releases
+    * All changes that impact providers' adoption of the new release should be announced in the provider updates section
+      of the office hours meeting notes and approved in the PR or issue by both approvers and key affected providers.
+* Week 15-16: RC
+    * The release branch is created
+    * Weekly RC releases will be released based on the release branch
+        * RC releases are as close as possible to the final release but they are still undergoing further testing
+    * Development of the next release can technically start on the main branch, but some changes might be delayed
+      to ensure easier cherry-picking of other changes to the release branch.
+    * There is a feature freeze on the release branch
+        * Only cherry-picks for documentation, bug fixes, test fixes and test additions are allowed
+* Week 17: GA
+    * `x.y.0` GA release is created based on the release branch
+* After that:
+    * **Note** The following is the responsibility of the release team of the following release cycle.
+    * `x.y.1+`: Monthly patch releases will be released based on the release branch
+    * Cherry-picks to the release branch are allowed according to the [backport policy](https://github.com/kubernetes-sigs/cluster-api/blob/main/CONTRIBUTING.md#backporting-a-patch)
+    * Providers create releases using the new CAPI minor release when they are ready
+    * Development of the next release can now officially start on the main branch
+
+Some additional notes:
+
+* Support for new Kubernetes minor versions (for management and workload clusters) is first implemented
+  on the main branch, then cherry-picked into supported release branches when feasible and eventually
+  released in the next monthly patch release(s).
+    * **Note**: We usually don't have to bump Go dependencies to support new Kubernetes minor versions as it's not necessary
+      to run on a management cluster with the new version or create a workload cluster with the new version.
+      If it becomes necessary to bump dependencies to a new CR/Kubernetes minor version, the change cannot be cherry-picked
+      as bumping dependencies to a new minor version is a breaking change.
+* New Kubernetes and Controller-Runtime (CR) minor releases are only picked up on the main branch.
+
+The following diagram visualizes the release cycles with the v1.2, v1.3 and v1.4 releases:
+
+<!-- The release cycle png can be opened and edited in draw.io -->
+![Release Cycle Overview](release-cycle-overview.png)
diff --git a/docs/release/release-tasks.md b/docs/release/release-tasks.md
new file mode 100644
index 000000000000..d4c259d9cabb
--- /dev/null
+++ b/docs/release/release-tasks.md
@@ -0,0 +1,408 @@
+# Release Tasks
+
+This document details the responsibilities and tasks for each role in the release team.
+
+**Notes**:
+* The examples in this document are based on the v1.4 release cycle.
+* This document focuses on tasks that are done for every release. One-time improvement tasks are out of scope.
+* If a task is prefixed with `[Track]` it means it should be ensured that this task is done, but the folks with 
+  the corresponding role are not responsible to do it themselves. 
+
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents**
+
+- [Release Lead](#release-lead)
+  - [Responsibilities](#responsibilities)
+  - [Tasks](#tasks)
+    - [Set a tentative release date for the minor release](#set-a-tentative-release-date-for-the-minor-release)
+    - [Assemble release team](#assemble-release-team)
+    - [Finalize release schedule and team](#finalize-release-schedule-and-team)
+    - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release)
+    - [Create a new GitHub milestone for the next release](#create-a-new-github-milestone-for-the-next-release)
+    - [[Track] Remove previously deprecated code](#track-remove-previously-deprecated-code)
+    - [[Track] Bump dependencies](#track-bump-dependencies)
+    - [Create a release branch](#create-a-release-branch)
+    - [[Continuously] Maintain the GitHub release milestone](#continuously-maintain-the-github-release-milestone)
+    - [[Repeatedly] Cut a release](#repeatedly-cut-a-release)
+    - [[Optional] [Track] Bump the Cluster API apiVersion](#optional-track-bump-the-cluster-api-apiversion)
+    - [[Optional] [Track] Bump the Kubernetes version](#optional-track-bump-the-kubernetes-version)
+- [Communications/Docs/Release Notes Manager](#communicationsdocsrelease-notes-manager)
+  - [Responsibilities](#responsibilities-1)
+  - [Tasks](#tasks-1)
+    - [Add docs to collect release notes for users and migration notes for provider implementers](#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers)
+    - [Update supported versions](#update-supported-versions)
+    - [Ensure the book for the new release is available](#ensure-the-book-for-the-new-release-is-available)
+    - [Polish release notes](#polish-release-notes)
+    - [Change production branch in Netlify to the new release branch](#change-production-branch-in-netlify-to-the-new-release-branch)
+    - [Update clusterctl links in the quickstart](#update-clusterctl-links-in-the-quickstart)
+    - [Continuously: Communicate key dates to the community](#continuously-communicate-key-dates-to-the-community)
+- [CI Signal/Bug Triage/Automation Manager](#ci-signalbug-triageautomation-manager)
+  - [Responsibilities](#responsibilities-2)
+  - [Tasks](#tasks-2)
+    - [Setup jobs and dashboards for a new release branch](#setup-jobs-and-dashboards-for-a-new-release-branch)
+    - [[Continuously] Monitor CI signal](#continuously-monitor-ci-signal)
+    - [[Continuously] Reduce the amount of flaky tests](#continuously-reduce-the-amount-of-flaky-tests)
+    - [[Continuously] Bug triage](#continuously-bug-triage)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+## Release Lead
+
+### Responsibilities
+
+* Coordination:
+    * Take ultimate accountability for all release tasks to be completed on time
+    * Coordinate release activities
+    * Create and maintain the GitHub release milestone
+    * Track tasks needed to add support for new Kubernetes versions in upcoming releases
+    * Ensure a retrospective happens
+* Staffing:
+    * Assemble the release team for the current release cycle
+    * Ensure a release lead for the next release cycle is selected and trained
+    * Set a tentative release date for the next release cycle
+* Cutting releases:
+    * Release patch releases for supported previous releases at least monthly or more often if needed
+    * Create beta, RC and GA releases for the minor release of the current release cycle
+* Release lead should keep an eye on what is going on in the project to be able to react if necessary
+
+### Tasks
+
+#### Set a tentative release date for the minor release
+
+1. Set a tentative release date for the release and document it by creating a `release-1.4.md`.
+
+#### Assemble release team
+
+There is currently no formalized process to assemble the release team.
+As of now we ask for volunteers in Slack and office hours.
+
+#### Finalize release schedule and team
+
+1. Finalize release schedule and team in `release-1.4.md`.
+2. Update Slack user group and GitHub team accordingly.
+   <br>Prior art: https://github.com/kubernetes-sigs/cluster-api/issues/7476
+
+#### Prepare main branch for development of the new release
+
+The goal of this issue is to bump the versions on the main branch so that the upcoming release version 
+is used for e.g. local development and e2e tests. We also modify tests so that they are testing the previous release.
+
+This comes down to changing occurrences of the old version to the new version, e.g. `v1.3` to `v1.4`:
+1. Add new release to top-level `metadata.yaml` and `test/e2e/data/shared/v1beta1/metadata.yaml`.
+2. Update providers in docker.yaml. Roughly:
+   1. Create a new entry for each provider for `v1.3.0`.
+   2. Rename `v1.3.99` to `v1.4.99`.
+3. Modify the test specs in `test/e2e/clusterctl_upgrade_test.go`.
+4. Update `create-local-repository.py` and `tools/tilt-prepare/main.go`: `v1.3.99` => `v1.4.99`.
+5. Make sure all tests are green (also run `pull-cluster-api-e2e-full-main` and `pull-cluster-api-e2e-workload-upgrade-1-23-latest-main`).
+
+Prior art: https://github.com/kubernetes-sigs/cluster-api/pull/6834/files
+
+#### Create a new GitHub milestone for the next release
+
+The goal of this task is to create a new GitHub milestone for the next release, so that we can already move tasks
+out of the current milestone if necessary.
+
+1. Create the milestone for the new release via GitHub UI.
+
+#### [Track] Remove previously deprecated code
+
+The goal of this task is to remove all previously deprecated code that can be now removed.
+
+1. Check for deprecated code and remove it.
+    * We can't just remove all code flagged with `Deprecated`. In some cases like e.g. in API packages
+      we have to keep the old code.
+
+Prior art: [Remove code deprecated in v1.2](https://github.com/kubernetes-sigs/cluster-api/pull/6779)
+
+#### [Track] Bump dependencies
+
+The goal of this task is to ensure that we have relatively up-to-date dependencies at the time of the release.
+This reduces the risk that CVEs are found in outdated dependencies after our release.
+
+We should take a look at the following dependencies:
+* Go dependencies in `go.mod` files.
+* Tools used in our Makefile (e.g. kustomize).
+
+#### Create a release branch
+
+The goal of this task is to ensure we have a release branch and the milestone applier applies milestones accordingly.
+From this point forward changes which should land in the release have to be cherry-picked into the release branch.
+
+1. Create the release branch locally based on the latest commit on main and push it:
+   ```bash
+   # Create the release branch
+   git checkout -b release-1.4
+   
+   # Push the release branch
+   # Note: `upstream` must be the remote pointing to `github.com/kubernetes-sigs/cluster-api`.
+   git push -u upstream release-1.4
+   ```
+2. Update the [milestone applier config](https://github.com/kubernetes/test-infra/blob/0b17ef5ffd6c7aa7d8ca1372d837acfb85f7bec6/config/prow/plugins.yaml#L371) accordingly (e.g. `release-1.4: v1.4` and `main: v1.5`)
+   <br>Prior art: [cluster-api: update milestone applier config for v1.3](https://github.com/kubernetes/test-infra/pull/26631)
+
+#### [Continuously] Maintain the GitHub release milestone
+
+The goal of this task is to keep an overview over the current release milestone and the implementation 
+progress of issues assigned to the milestone.
+
+This can be done by:
+1. Regularly checking in with folks implementing an issue in the milestone.
+2. If nobody is working on an issue in the milestone, drop it from the milestone.
+3. Ensuring we have a plan to get `release-blocking` issues implemented in time.
+
+#### [Repeatedly] Cut a release
+
+1. Ensure CI is stable before cutting the release (e.g. by checking with the CI manager)
+2. Create and push the release tags to the GitHub repository:
+   ```bash 
+   # Export the tag of the release to be cut, e.g.:
+   export RELEASE_TAG=v1.0.1
+   
+   # Create tags locally
+   # Warning: The test tag MUST NOT be an annotated tag.
+   git tag -s -a ${RELEASE_TAG} -m ${RELEASE_TAG}
+   git tag test/${RELEASE_TAG}
+   
+   # Push tags
+   # Note: `upstream` must be the remote pointing to `github.com/kubernetes-sigs/cluster-api`.
+   git push upstream ${RELEASE_TAG}
+   git push upstream test/${RELEASE_TAG}
+   ```
+   **Note**: This will automatically trigger a [GitHub Action](https://github.com/kubernetes-sigs/cluster-api/actions/workflows/release.yml) to create a draft release and a [ProwJob](https://prow.k8s.io/?repo=kubernetes-sigs%2Fcluster-api&job=post-cluster-api-push-images) to publish images to the staging repository.
+3. Promote images from the staging repository to the production registry (`registry.k8s.io/cluster-api`):
+    1. Wait until images for the tag have been built and pushed to the [staging repository](https://console.cloud.google.com/gcr/images/k8s-staging-cluster-api) by the [post push images job](https://prow.k8s.io/?repo=kubernetes-sigs%2Fcluster-api&job=post-cluster-api-push-images).
+    2. If you don't have a GitHub token, create one by going to your GitHub settings, in [Personal access tokens](https://github.com/settings/tokens). Make sure you give the token the `repo` scope.
+    3. Create a PR to promote the images to the production registry:
+       ```bash 
+       export GITHUB_TOKEN=<your GH token>
+       make promote-images
+       ```
+       **Notes**:
+        * `kpromo` uses `git@github.com:...` as remote to push the branch for the PR. If you don't have `ssh` set up you can configure
+          git to use `https` instead via `git config --global url."https://github.com/".insteadOf git@github.com:`.
+        * This will automatically create a PR in [k8s.io](https://github.com/kubernetes/k8s.io) and assign the CAPI maintainers.
+    4. Merge the PR (/lgtm + /hold cancel) and verify the images are available in the production registry:
+       ```bash 
+       docker pull registry.k8s.io/cluster-api/clusterctl:${RELEASE_TAG}
+       docker pull registry.k8s.io/cluster-api/cluster-api-controller:${RELEASE_TAG}
+       docker pull registry.k8s.io/cluster-api/kubeadm-bootstrap-controller:${RELEASE_TAG}
+       docker pull registry.k8s.io/cluster-api/kubeadm-control-plane-controller:${RELEASE_TAG}
+       ```
+4. Publish the release in GitHub:
+    1. Get the final release notes from the docs team and add them to the GitHub release.
+    2. Publish the release (ensure to flag the release as pre-release if necessary).
+5. Publish `clusterctl` to Homebrew by bumping the version in [clusterctl.rb](https://github.com/Homebrew/homebrew-core/blob/master/Formula/clusterctl.rb).
+   <br>**Notes**:
+    * This is only done for new latest stable releases, not for beta / RC releases and not for previous release branches.
+    * For an example please see: [PR: clusterctl 1.1.5](https://github.com/Homebrew/homebrew-core/pull/105075/files).
+    * Homebrew has [conventions for commit messages](https://docs.brew.sh/Formula-Cookbook#commit) usually
+      the commit message for us should look like: `clusterctl 1.1.5`.
+6. Set EOL date for previous release (prior art: https://github.com/kubernetes-sigs/cluster-api/issues/7146).
+
+Additional information:
+* [Versioning documentation](./../../CONTRIBUTING.md#versioning) for more information.
+* Cutting a release as of today requires permissions to:
+    * Create a release tag on the GitHub repository.
+    * Create/update/publish GitHub releases.
+
+#### [Optional] [Track] Bump the Cluster API apiVersion
+
+**Note** This should only be done when we have to bump the apiVersion of our APIs.
+
+1. Add new version of the types:
+    1. Create new api packages by copying existing packages.
+    2. Make sure webhooks only exist in the latest apiVersion (same for other subpackages like `index`).
+    3. Add conversion and conversion tests.
+    4. Adjust generate targets in the Makefile.
+    5. Consider dropping fields deprecated in the previous apiVersion.
+2. Update import aliases in `.golangci.yml`.
+3. Switch other code over to the new version (imports across the code base, e.g. controllers).
+    1. Add all versions to the schema in the `main.go` files.
+4. Add types to the `PROJECT` files of the respective provider.
+5. Add test data for the new version in `test/e2e/data/{infrastructure-docker,shared}` (also update top-level `.gitignore`).
+6. Update `docker.yaml`, make sure all tests are successful in CI.
+
+#### [Optional] [Track] Bump the Kubernetes version
+
+TODO(sbueringer): Follow-up PR (this will probably just be create an issue based on another issue template)
+
+## Communications/Docs/Release Notes Manager
+
+### Responsibilities
+
+* Communication:
+    * Communicate key dates to the community
+* Documentation:
+    * Improve release process documentation
+    * Ensure the book and provider upgrade documentation are up-to-date
+    * Maintain and improve user facing documentation about releases, release policy and release calendar
+* Release Notes:
+    * Polish release notes
+
+### Tasks
+
+#### Add docs to collect release notes for users and migration notes for provider implementers
+
+The goal of this task is to initially create the docs so that we can continuously add notes going forward.
+The release notes doc will be used to collect release notes during the release cycle and will be eventually 
+used to write the final release notes. The provider migration doc is part of the book and contains instructions 
+for provider authors on how to adopt to the new Cluster API version.
+
+1. Add a new migration doc for provider implementers.
+   <br>Prior art: [Add v1.2 -> v1.3 migration doc](https://github.com/kubernetes-sigs/cluster-api/pull/6698)
+2. Add a doc to collect initial release notes for users.
+
+#### Update supported versions
+
+1. Update supported versions in versions.md.
+   <br>Prior art: [Update supported versions for v1.3](https://github.com/kubernetes-sigs/cluster-api/pull/6850)
+
+#### Ensure the book for the new release is available 
+
+The goal of this task to make the book for the current release available under e.g. `https://release-1-4.cluster-api.sigs.k8s.io`.
+
+1. Add a DNS entry for the book of the new release (should be available under e.g. `https://release-1-4.cluster-api.sigs.k8s.io`).
+   <br>Prior art: [Add DNS for CAPI release-1.2 release branch](https://github.com/kubernetes/k8s.io/pull/3872)
+2. Open `https://release-1-4.cluster-api.sigs.k8s.io/` and verify that the certificates are valid
+   If they are not, talk to someone with access to Netlify, they have to click the `renew certificate` button in the Netlify UI.
+3. Update references in introduction.md only on the main branch (drop unsupported versions, add the new release version).
+   <br>Prior art: [Add release 1.2 book link](https://github.com/kubernetes-sigs/cluster-api/pull/6697)
+
+#### Polish release notes
+
+1. Checkout the latest commit on the release branch, e.g. `release-1.4`.
+2. Generate release notes with:
+   ```bash
+   # PREVIOUS_TAG should be the last patch release of the previous minor release.
+   PREVIOUS_TAG=v1.3.x
+   go run ./hack/tools/release/notes.go --from=${PREVIOUS_TAG} > tmp.md
+   ```
+3. Finalize the release notes:
+    1. Copy & paste the release notes into a hackmd (makes collaboration very easy).
+    2. Pay close attention to the `## :question: Sort these by hand` section, as it contains items that need to be manually sorted.
+    3. Ensure consistent formatting of entries (e.g. prefix (see [v1.2.0](https://github.com/kubernetes-sigs/cluster-api/releases/tag/v1.2.0) release notes)).
+    4. Merge dependency bump PR entries for the same dependency into a single entry.
+    5. Move minor changes into a single line at the end of each section.
+    6. Sort entries within a section alphabetically. 
+    7. Write highlights section based on the initial release notes doc.
+    8. Add Kubernetes version support section.
+4. Iterate until the GA release by generating incremental release notes and modifying the release notes in hackmd accordingly:
+   ```bash
+   # PREVIOUS_TAG should be the tag from which the previous release notes have been generated, e.g.:
+   PREVIOUS_TAG=v1.4.0-rc.0
+   go run ./hack/tools/release/notes.go --from=${PREVIOUS_TAG} > tmp.md
+   ```
+
+#### Change production branch in Netlify to the new release branch
+
+The goal of this task to make the book for the current release available under `https://cluster-api.sigs.k8s.io`.
+
+Someone with access to Netlify should:
+1. Change production branch in Netlify the current release branch (e.g. `release-1.4`) to make the book available under `https://cluster-api.sigs.k8s.io`.
+2. Re-deploy via the Netlify UI.
+
+#### Update clusterctl links in the quickstart 
+
+The goal of this task is to ensure the quickstart has links to the latest `clusterctl` binaries.
+
+1. Update clusterctl links in the quickstart (on main and cherry-pick onto release-1.4).
+   <br>Prior art: [Update clusterctl version to v1.2.x in quick start](https://github.com/kubernetes-sigs/cluster-api/pull/6716)
+
+**Note**: The PR for this should be merged after the minor release has been published.
+
+#### Continuously: Communicate key dates to the community
+
+The goal of this task is to ensure all stakeholders are informed about the current release cycle.
+
+Information can be distributed via: (TBD)
+* `sig-cluster-lifecycle` mailing list
+* Slack
+* Office hours
+* ClusterAPI book
+* ...
+
+Relevant information includes: (TBD)
+* Beta, RC, GA release
+* Start of code freeze
+* Implementation progress
+* ...
+
+Stakeholders are: (TBD)
+* End users of ClusterAPI
+* Contributors to core ClusterAPI
+* Provider implementers
+* ...
+
+## CI Signal/Bug Triage/Automation Manager
+
+### Responsibilities
+
+* Signal:
+    * Responsibility for the quality of the release
+    * Continuously monitor CI signal, so a release can be cut at any time
+    * Add CI signal for new release branches
+* Bug Triage:
+    * Make sure blocking issues and bugs are triaged and dealt with in a timely fashion
+* Automation
+    * Maintain and improve release automation, tooling & related developer docs
+
+### Tasks
+
+#### Setup jobs and dashboards for a new release branch
+
+The goal of this task is to have test coverage for the new release branch and results in testgrid.
+
+1. Create new jobs based on the jobs running against our `main` branch:
+    1. Copy `config/jobs/kubernetes-sigs/cluster-api/cluster-api-periodics-main.yaml` to `config/jobs/kubernetes-sigs/cluster-api/cluster-api-periodics-release-1-4.yaml`.
+    2. Copy `test-infra/config/jobs/kubernetes-sigs/cluster-api/cluster-api-periodics-main-upgrades.yaml` to `test-infra/config/jobs/kubernetes-sigs/cluster-api/cluster-api-periodics-release-1-4-upgrades.yaml`.
+    3. Copy `test-infra/config/jobs/kubernetes-sigs/cluster-api/cluster-api-presubmits-main.yaml` to `test-infra/config/jobs/kubernetes-sigs/cluster-api/cluster-api-presubmits-release-1-4.yaml`.
+    4. Modify the following:
+        1. Rename the jobs, e.g.: `periodic-cluster-api-test-main` => `periodic-cluster-api-test-release-1-4`.
+        2. Change `annotations.testgrid-dashboards` to `sig-cluster-lifecycle-cluster-api-1.4`.
+        3. Change `annotations.testgrid-tab-name`, e.g. `capi-test-main` => `capi-test-release-1-4`.
+        4. For periodics additionally:
+            * Change `extra_refs[].base_ref` to `release-1.4` (for repo: `cluster-api`).
+            * Change interval (let's use the same as for `1.3`).
+        5. For presubmits additionally: Adjust branches: `^main$` => `^release-1.4$`.
+2. Create a new dashboard for the new branch in: `test-infra/config/testgrids/kubernetes/sig-cluster-lifecycle/config.yaml` (`dashboard_groups` and `dashboards`).
+3. Verify the jobs and dashboards a day later by taking a look at: `https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api-1.4`
+
+Prior art: [Add jobs for CAPI release 1.2](https://github.com/kubernetes/test-infra/pull/26621)
+
+#### [Continuously] Monitor CI signal
+
+The goal of this task is to keep our tests running in CI stable.
+
+**Note**: To be very clear, this is not meant to be an on-call role for Cluster API tests.
+
+1. Add yourself to the [Cluster API alert mailing list](https://github.com/kubernetes/k8s.io/blob/151899b2de933e58a4dfd1bfc2c133ce5a8bbe22/groups/sig-cluster-lifecycle/groups.yaml#L20-L35)
+    <br\>**Note**: An alternative to the alert mailing list is manually monitoring the [testgrid dashboards](https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api)
+    (also dashboards of previous releases). Using the alert mailing list has proven to be a lot less effort though.
+2. Triage CI failures reported by mail alerts or found by monitoring the testgrid dashboards:
+    1. Create an issue in the Cluster API repository to surface the CI failure.
+    2. Identify if the issue is a known issue, new issue or a regression.
+    3. Mark the issue as `release-blocking` if applicable.
+
+#### [Continuously] Reduce the amount of flaky tests
+
+The Cluster API tests are pretty stable, but there are still some flaky tests from time to time.
+
+To reduce the amount of flakes please periodically:
+1. Take a look at recent CI failures via `k8s-triage`:
+    * [periodic-cluster-api-e2e-main](https://storage.googleapis.com/k8s-triage/index.html?pr=1&job=periodic-cluster-api-e2e-main)
+    * [periodic-cluster-api-e2e-mink8s-main](https://storage.googleapis.com/k8s-triage/index.html?pr=1&job=periodic-cluster-api-e2e-mink8s-main)
+    * [periodic-cluster-api-test-main](https://storage.googleapis.com/k8s-triage/index.html?pr=1&job=periodic-cluster-api-test-main)
+    * [periodic-cluster-api-test-mink8s-main](https://storage.googleapis.com/k8s-triage/index.html?pr=1&job=periodic-cluster-api-test-mink8s-main)
+3. Open issues for occurring flakes and ideally fix them or find someone who can.
+   **Note**: Given resource limitations in the Prow cluster it might not be possible to fix all flakes.
+   Let's just try to pragmatically keep the amount of flakes pretty low.
+
+#### [Continuously] Bug triage
+
+The goal of bug triage is to triage incoming issues and if necessary flag them with `release-blocking`
+and add them to the milestone of the current release.
+
+We probably have to figure out some details about the overlap between the bug triage task here, release leads 
+and Cluster API maintainers.
diff --git a/docs/developer/release-team.md b/docs/release/release-team.md
similarity index 94%
rename from docs/developer/release-team.md
rename to docs/release/release-team.md
index ea4148e3829b..d7743e978e6a 100644
--- a/docs/developer/release-team.md
+++ b/docs/release/release-team.md
@@ -21,7 +21,7 @@ This document introduces the concept of a release team with the following goals
 
 Note that this document is intended to be a starting point for the release team. It is not a complete release process document.
 
-More details on the CAPI release process can be found in [this past issue tracking release tasks](https://github.com/kubernetes-sigs/cluster-api/issues/6615) and the current [release documentation](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/developer/releasing.md).
+More details on the CAPI release process can be found in the [release cycle](./release-cycle.md) and [release task](./release-tasks.md) documentation.
 
 ## Duration of Term
 
@@ -51,6 +51,8 @@ As noted above, making changes to  the CAPI release cadence is out of scope for
 - **CI Signal/Bug Triage/Automation Manager**: Assumes the responsibility of the quality gate for the release and makes sure blocking issues and bugs are triaged and dealt with in a timely fashion. Helps improve release automation and tools.
 - **Shadow**: Any Release Team member may select one or more mentees to shadow the release process in order to help fulfill future Release Team staffing requirements and continue to grow the CAPI community in general.
 
+*Note*: This is also documented in [Release tasks](./release-tasks.md) together with a mapping to specific tasks.  
+
 ## Team Selection
 
 To start, the release team will be assembled by the release team lead based on volunteers. A call for volunteers can be made through the usual communication channels (office hours, Slack, mailing list, etc.). In the future, we may consider introducing an application process similar to the Kubernetes release team application process. 
@@ -77,4 +79,4 @@ Volunteering to be part of a CAPI release team is a great way to contribute to t
 
 - Get more familiar with the CAPI release process
 - Create lasting relationships with other members of the community
-- Contribute to the CAPI project health
\ No newline at end of file
+- Contribute to the CAPI project health
diff --git a/hack/verify-doctoc.sh b/hack/verify-doctoc.sh
index 0c510fb9d553..02f276066e28 100755
--- a/hack/verify-doctoc.sh
+++ b/hack/verify-doctoc.sh
@@ -27,9 +27,9 @@ command -v doctoc || echo "doctoc is not available on your system, skipping veri
 doctoc_files="README.md \
               CONTRIBUTING.md \
               cmd/clusterctl/README.md \
+              docs/release/release-tasks.md \
               docs/scope-and-objectives.md \
               docs/staging-use-cases.md \
-              docs/developer/releasing.md \
               docs/proposals/20181121-machine-api.md \
               docs/proposals/20190610-machine-states-preboot-bootstrapping.md \
               docs/proposals/YYYYMMDD-template.md"

From b63ef2ee3d8f7e87b427530d51ad55f1a1427523 Mon Sep 17 00:00:00 2001
From: fabriziopandini <fpandini@vmware.com>
Date: Wed, 16 Nov 2022 23:24:07 +0100
Subject: [PATCH 07/87] add clusterctl to providers deployed with tilt

---
 hack/tools/tilt-prepare/main.go | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/hack/tools/tilt-prepare/main.go b/hack/tools/tilt-prepare/main.go
index bac2144d7c8d..6e92d8b3d767 100644
--- a/hack/tools/tilt-prepare/main.go
+++ b/hack/tools/tilt-prepare/main.go
@@ -202,15 +202,15 @@ func setDefaults(ts *tiltSettings) {
 func allowK8sConfig(ts *tiltSettings) error {
 	config, err := clientcmd.NewDefaultClientConfigLoadingRules().Load()
 	if err != nil {
-		return errors.Wrap(err, "failed to load Kubeconfig")
+		return errors.Wrap(err, "failed to load KubeConfig file")
 	}
 
 	if config.CurrentContext == "" {
-		return errors.New("failed to get current context")
+		return errors.New("failed to get current context from the KubeConfig file")
 	}
 	context, ok := config.Contexts[config.CurrentContext]
 	if !ok {
-		return errors.Errorf("failed to get context %s", config.CurrentContext)
+		return errors.Errorf("failed to get context %s from the KubeConfig file", config.CurrentContext)
 	}
 	if strings.HasPrefix(context.Cluster, "kind-") {
 		return nil
@@ -218,7 +218,7 @@ func allowK8sConfig(ts *tiltSettings) error {
 
 	allowed := sets.NewString(ts.AllowedContexts...)
 	if !allowed.Has(config.CurrentContext) {
-		return errors.Errorf("context %s is not allowed", config.CurrentContext)
+		return errors.Errorf("context %s from the KubeConfig file is not allowed", config.CurrentContext)
 	}
 	return nil
 }
@@ -668,7 +668,7 @@ func kustomizeTask(path, out string) taskFunction {
 // workloadTask generates a task for creating the component yaml for a workload and saving the output on a file.
 // NOTE: This task has several sub steps including running kustomize, envsubst, fixing components for debugging,
 // and adding the workload resource mimicking what clusterctl init does.
-func workloadTask(name, workloadType, binaryName, containerName string, ts *tiltSettings, path string, getAdditionalObjects func(string, []unstructured.Unstructured) (*unstructured.Unstructured, error)) taskFunction {
+func workloadTask(name, workloadType, binaryName, containerName string, ts *tiltSettings, path string, getAdditionalObject func(string, []unstructured.Unstructured) (*unstructured.Unstructured, error)) taskFunction {
 	return func(ctx context.Context, prefix string, errCh chan error) {
 		kustomizeCmd := exec.CommandContext(ctx, kustomizePath, "build", path)
 		var stdout1, stderr1 bytes.Buffer
@@ -701,13 +701,22 @@ func workloadTask(name, workloadType, binaryName, containerName string, ts *tilt
 			errCh <- err
 			return
 		}
-		if getAdditionalObjects != nil {
-			additionalObjects, err := getAdditionalObjects(prefix, objs)
+		if getAdditionalObject != nil {
+			additionalObject, err := getAdditionalObject(prefix, objs)
 			if err != nil {
 				errCh <- err
 				return
 			}
-			objs = append(objs, *additionalObjects)
+			objs = append(objs, *additionalObject)
+		}
+
+		for _, o := range objs {
+			labels := o.GetLabels()
+			if labels == nil {
+				labels = map[string]string{}
+			}
+			labels[clusterctlv1.ClusterctlLabelName] = ""
+			o.SetLabels(labels)
 		}
 
 		yaml, err := utilyaml.FromUnstructured(objs)
@@ -757,7 +766,6 @@ func writeIfChanged(prefix string, path string, yaml []byte) error {
 // If there are extra_args given for the workload, we append those to the ones that already exist in the deployment.
 // This has the affect that the appended ones will take precedence, as those are read last.
 // Finally, we modify the deployment to enable prometheus metrics scraping.
-
 func prepareWorkload(name, prefix, binaryName, containerName string, objs []unstructured.Unstructured, ts *tiltSettings) error {
 	return updateDeployment(prefix, objs, func(d *appsv1.Deployment) {
 		for j, container := range d.Spec.Template.Spec.Containers {

From 8dba961793d40b09495592c4afe8b9d780a21912 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Thu, 10 Nov 2022 08:02:06 +0100
Subject: [PATCH 08/87] docs: Add note about dependency bumps to Beta change
 policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 docs/release/release-cycle.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/release/release-cycle.md b/docs/release/release-cycle.md
index 90fc02dde9d0..ef4082b28e49 100644
--- a/docs/release/release-cycle.md
+++ b/docs/release/release-cycle.md
@@ -18,6 +18,8 @@ A release cycle can be split up into the following phases:
         * Providers can start adopting the new release based on the beta releases
     * All changes that impact providers' adoption of the new release should be announced in the provider updates section
       of the office hours meeting notes and approved in the PR or issue by both approvers and key affected providers.
+        * Non-breaking dependency bumps which don't require provider changes don't have to be explicitly approved
+          in addition to the regular PR review.
 * Week 15-16: RC
     * The release branch is created
     * Weekly RC releases will be released based on the release branch

From 803f3fe07edf52997c7ec35b17572b284cc870a0 Mon Sep 17 00:00:00 2001
From: Yuvaraj Kakaraparthi <kakaraparthy@vmware.com>
Date: Mon, 7 Nov 2022 11:53:28 -0800
Subject: [PATCH 09/87] self-hosted e2e should check managed fields

---
 test/e2e/self_hosted.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/test/e2e/self_hosted.go b/test/e2e/self_hosted.go
index 99edbfbb3bb9..5079d1505044 100644
--- a/test/e2e/self_hosted.go
+++ b/test/e2e/self_hosted.go
@@ -226,6 +226,26 @@ func SelfHostedSpec(ctx context.Context, inputGetter func() SelfHostedSpecInput)
 			Namespace:            namespace.Name,
 		})
 
+		// Note: clusterctl should restore the managedFields to the same as before the move,
+		// and thus removing any managedField entries with clusterctl as a manager. This should happen
+		// for all the objects processed by move, but for sake of simplicity we test only the Cluster
+		// object. The Cluster object has special processing for the paused field during the move to
+		// avoid having clusterctl as the manager of the field.
+		log.Logf("Ensure clusterctl does not take ownership on any fields on the self-hosted cluster")
+		selfHostedCluster := framework.GetClusterByName(ctx, framework.GetClusterByNameInput{
+			Getter:    selfHostedClusterProxy.GetClient(),
+			Name:      cluster.Name,
+			Namespace: selfHostedNamespace.Name,
+		})
+		hasClusterctlManagedFields := false
+		for _, managedField := range selfHostedCluster.GetManagedFields() {
+			if managedField.Manager == "clusterctl" {
+				hasClusterctlManagedFields = true
+				break
+			}
+		}
+		Expect(hasClusterctlManagedFields).To(BeFalse(), "clusterctl should not manage any fields on the Cluster after the move")
+
 		log.Logf("Waiting for the cluster to be reconciled after moving to self hosted")
 		selfHostedCluster = framework.DiscoveryAndWaitForCluster(ctx, framework.DiscoveryAndWaitForClusterInput{
 			Getter:    selfHostedClusterProxy.GetClient(),

From 8d9d8dc01df11e2506db107257942ac2cffcf7c0 Mon Sep 17 00:00:00 2001
From: fabriziopandini <fpandini@vmware.com>
Date: Fri, 18 Nov 2022 12:50:03 +0100
Subject: [PATCH 10/87] Update support policy

---
 CONTRIBUTING.md | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 26ee8cc7ef76..8a17d811cebd 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -116,19 +116,33 @@ this should generally not be the case.
 
 ### Support and guarantees
 
-Cluster API maintains the most recent release branch for all supported API and contract versions. Support for this section refers to the ability to backport and release patch versions.
-
-| API Version   | Branch      | Supported Until |
-| ------------- |-------------|-----------------|
-| **v1beta1**   | release-1.2 | current stable  |
-| **v1beta1**   | release-1.1 | 2022-09-15      |
-| **v1beta1**   | release-1.0 | 2022-02-02      |
-| **v1alpha4**  | release-0.4 | 2022-04-06      |
-| **v1alpha3**  | release-0.3 | 2022-02-23      |
+Cluster API maintains the most recent release/releases for all supported API and contract versions. Support for this section refers to the ability to backport and release patch versions;
+[backport policy](#backporting-a-patch) is defined above.
 
 - The API version is determined from the GroupVersion defined in the top-level `api/` package.
-- The EOL date is determined from the last release available once a new API version is published.
-- For each given API version only the most recent associated release branch is supported, older branches are immediately unsupported. Exceptions can be filed with maintainers and taken into consideration on a case-by-case basis.
+- The EOL date of each API Version is determined from the last release available once a new API version is published.
+
+| API Version  | Supported Until      |
+|--------------|----------------------|
+| **v1beta1**  | TBD (current stable) |
+| **v1alpha4** | EOL since 2022-04-06 |
+| **v1alpha3** | EOL since 2022-02-23 |
+
+- For the latest API version we support the two most recent minor releases; older minor releases are immediately unsupported when a new major/minor release is available. 
+- For older API versions we only support the most recent minor release until the API version reaches EOL.
+
+| Minor Release | API Version  | Supported Until                                      |
+|---------------|--------------|------------------------------------------------------|
+| v1.3.x        | **v1beta1**  | when v1.5.0 will be released                         |
+| v1.2.x        | **v1beta1**  | when v1.4.0 will be released, tentatively March 2023 |
+| v1.1.x        | **v1beta1**  | EOL since 2022-07-18 - v1.2.0 release date (*)       |
+| v1.0.x        | **v1beta1**  | EOL since 2022-02-02 - v1.1.0 release date (*)       |
+| v0.4.x        | **v1alpha4** | EOL since 2022-04-06 - API version EOL               |
+| v0.3.x        | **v1alpha3** | EOL since 2022-02-23 - API version EOL               |
+
+(*) Previous support policy applies, older minor releases were immediately unsupported when a new major/minor release was available
+
+- Exceptions can be filed with maintainers and taken into consideration on a case-by-case basis.
 
 ## Contributing a Patch
 

From 559ea160889b6c1e191b4add18e112483a377e25 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <buringerst@vmware.com>
Date: Tue, 22 Nov 2022 11:21:56 +0700
Subject: [PATCH 11/87] test/e2e: fix ClusterClass changes flake
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 test/e2e/clusterclass_changes.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/test/e2e/clusterclass_changes.go b/test/e2e/clusterclass_changes.go
index fffc8c6662a5..85f782928d7e 100644
--- a/test/e2e/clusterclass_changes.go
+++ b/test/e2e/clusterclass_changes.go
@@ -426,7 +426,12 @@ func rebaseClusterClassAndWait(ctx context.Context, input rebaseClusterClassAndW
 	patchHelper, err := patch.NewHelper(input.Cluster, mgmtClient)
 	Expect(err).ToNot(HaveOccurred())
 	input.Cluster.Spec.Topology.Class = newClusterClassName
-	Expect(patchHelper.Patch(ctx, input.Cluster)).To(Succeed())
+	// We have to retry the patch. The ClusterClass was just created so the client cache in the
+	// controller/webhook might not be aware of it yet. If the webhook is not aware of the ClusterClass
+	// we get a "Cluster ... can't be validated. ClusterClass ... can not be retrieved" error.
+	Eventually(func() error {
+		return patchHelper.Patch(ctx, input.Cluster)
+	}, "1m", "5s").Should(Succeed(), "Failed to patch Cluster")
 
 	log.Logf("Waiting for MachineDeployment rollout to complete.")
 	for _, mdTopology := range input.Cluster.Spec.Topology.Workers.MachineDeployments {

From fc4e096c1ec2e8fd6b9eb71f3e365bb866eda2fd Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Thu, 17 Nov 2022 19:31:58 +0100
Subject: [PATCH 12/87] docs: add documentation and issuetemplate for
 Kubernetes bump
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 .github/ISSUE_TEMPLATE/bug_report.md       |  2 +-
 .github/ISSUE_TEMPLATE/feature_request.md  |  2 +-
 .github/ISSUE_TEMPLATE/kubernetes_bump.md  | 68 ++++++++++++++++++++++
 .github/ISSUE_TEMPLATE/release_tracking.md | 67 ++++++++++-----------
 CONTRIBUTING.md                            |  2 +-
 docs/release/release-1.3.md                | 12 ++--
 docs/release/release-1.4.md                |  8 +--
 docs/release/release-tasks.md              |  3 +-
 8 files changed, 117 insertions(+), 47 deletions(-)
 create mode 100644 .github/ISSUE_TEMPLATE/kubernetes_bump.md

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 3362f30470f3..8087151a5160 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,6 +1,6 @@
 ---
 name: 🐛 Bug report
-about: Tell us about a problem you are experiencing
+about: Tell us about a problem you are experiencing.
 title: ''
 labels: ''
 assignees: ''
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index 7d19611b5116..4404765eee2a 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,6 +1,6 @@
 ---
 name: ✨ Feature request
-about: Suggest an idea for this project
+about: Suggest an idea for this project.
 title: ''
 labels: ''
 assignees: ''
diff --git a/.github/ISSUE_TEMPLATE/kubernetes_bump.md b/.github/ISSUE_TEMPLATE/kubernetes_bump.md
new file mode 100644
index 000000000000..e5c67eecc022
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/kubernetes_bump.md
@@ -0,0 +1,68 @@
+---
+name: 🚀 Kubernetes bump
+about: "[Only for release team lead] Create an issue to track tasks to support a new Kubernetes minor release."
+title: Tasks to bump to Kubernetes v1.<minor-version>
+labels: ''
+assignees: ''
+
+---
+
+This issue is tracking the tasks that should be implemented **after** the Kubernetes minor release has been released.
+
+## Tasks
+
+Prerequisites:
+* [ ] Decide which Cluster API release series will support the new Kubernetes version
+  * If feasible we usually cherry-pick the changes back to the latest release series.
+
+### Supporting managing and running on the new Kubernetes version
+
+This section contains tasks to update our book, e2e testing and CI to use and test the new Kubernetes version 
+as well as changes to Cluster API that we might have to make to support the new Kubernetes version. All of these 
+changes should be cherry-picked to all release series that will support the new Kubernetes version.
+
+* [ ] Modify quickstart and CAPD to use the new Kubernetes release:
+  * Bump the Kubernetes version in:
+    * `test/*`: search for occurrences of the previous Kubernetes version
+    * `Tiltfile`
+  * Ensure the latest available kind version is used as well.
+  * Verify the quickstart manually
+  * Prior art: #7156
+* [ ] Job configurations:
+  * For all releases which will support the new Kubernetes version: 
+    * Update `INIT_WITH_KUBERNETES_VERSION`.
+    * Add new periodic upgrade jobs .
+    * Adjust presubmit jobs so that we have the latest upgrade jobs available on PRs.
+  * Prior art: https://github.com/kubernetes/test-infra/pull/27421
+* [ ] Update book:
+  * Update supported versions in `versions.md`
+  * Update job documentation in `jobs.md`
+  * Prior art: #7194 #7196
+* [ ] Issues specific to the Kubernetes minor release:
+  * Sometimes there are adjustments that we have to make in Cluster API to be able to support 
+    a new Kubernetes minor version. Please add these issues here when they are identified.
+
+### Using new Kubernetes dependencies
+
+This section contains tasks to update Cluster API to use the latest Kubernetes Go dependencies and related topics 
+like using the right Go version and build images. These changes are only made on the main branch. We don't
+need them in older releases as they are not necessary to manage workload clusters of the new Kubernetes version or
+run the Cluster API controllers on the new Kubernetes version.
+
+* [ ] Ensure there is a new controller-runtime minor release which uses the new Kubernetes Go dependencies.
+* [ ] Update our Prow jobs for the `main` branch to use the correct `kubekins-e2e` image
+  * It is recommended to have one PR for presubmit and one for periodic jobs to reduce the risk of breaking the periodic jobs.
+  * Prior art: presubmit jobs: https://github.com/kubernetes/test-infra/pull/27311
+  * Prior art: periodic jobs: https://github.com/kubernetes/test-infra/pull/27311
+* [ ] Bump the Go version in Cluster API: (if Kubernetes is using a new Go minor version)
+  * Search for the currently used Go version across the repository and update it
+  * We have to at least modify it in: `.github/workflows`, `hack/ensure-go.sh`, `.golangci.yml`, `cloudbuild*.yaml`, `go.mod`, `Makefile`, `netlify.toml`, `Tiltfile`
+  * Prior art: #7135
+* [ ] Bump controller-runtime
+* [ ] Bump controller-tools
+* [ ] Bump the Kubernetes version used in integration tests via `KUBEBUILDER_ENVTEST_KUBERNETES_VERSION` in `Makefile`
+  * **Note**: This PR should be cherry-picked as well. It is part of this section as it depends on kubebuilder/controller-runtime
+    releases and is not strictly necessary for [Supporting managing and running on the new Kubernetes version](#supporting-managing-and-running-on-the-new-kubernetes-version).
+  * Prior art: #7193
+* [ ] Bump conversion-gen via `CONVERSION_GEN_VER` in `Makefile` 
+  * Prior art: #7118
diff --git a/.github/ISSUE_TEMPLATE/release_tracking.md b/.github/ISSUE_TEMPLATE/release_tracking.md
index 0c5e34b565ef..83e5b8053c22 100644
--- a/.github/ISSUE_TEMPLATE/release_tracking.md
+++ b/.github/ISSUE_TEMPLATE/release_tracking.md
@@ -1,13 +1,14 @@
 ---
 name: 🚋 Release cycle tracking
-about: Create a new release cycle tracking issue for a minor release
+about: Create a new release cycle tracking issue for a Cluster API minor release
+about: "[Only for release team lead] Create an issue to track tasks for a Cluster API minor release."
 title: Tasks for v<release-tag> release cycle
 labels: ''
 assignees: ''
 
 ---
 
-Please see the corresponding section in [release-tasks.md](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md) for documentation of individual tasks.  
+Please see the corresponding section in [release-tasks.md](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md) for documentation of individual tasks.  
 
 ## Tasks
 
@@ -16,65 +17,65 @@ Please see the corresponding section in [release-tasks.md](https://github.com/sb
 * The following is based on the v1.4 release cycle. Modify according to the tracked release cycle.
 
 Week -3 to 1:
-* [ ] [Release Lead] [Set a tentative release date for the minor release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#set-a-tentative-release-date-for-the-minor-release)
-* [ ] [Release Lead] [Assemble release team](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#assemble-release-team)
+* [ ] [Release Lead] [Set a tentative release date for the minor release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#set-a-tentative-release-date-for-the-minor-release)
+* [ ] [Release Lead] [Assemble release team](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#assemble-release-team)
 
 Week 1:
-* [ ] [Release Lead] [Finalize release schedule and team](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#finalize-release-schedule-and-team)
-* [ ] [Release Lead] [Prepare main branch for development of the new release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#prepare-main-branch-for-development-of-the-new-release)
-* [ ] [Communications Manager] [Add docs to collect release notes for users and migration notes for provider implementers](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers)
-* [ ] [Communications Manager] [Update supported versions](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#update-supported-versions)
+* [ ] [Release Lead] [Finalize release schedule and team](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#finalize-release-schedule-and-team)
+* [ ] [Release Lead] [Prepare main branch for development of the new release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#prepare-main-branch-for-development-of-the-new-release)
+* [ ] [Communications Manager] [Add docs to collect release notes for users and migration notes for provider implementers](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers)
+* [ ] [Communications Manager] [Update supported versions](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#update-supported-versions)
 
 Week 1 to 4:
-* [ ] [Release Lead] [Track] [Remove previously deprecated code](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#track-remove-previously-deprecated-code)
+* [ ] [Release Lead] [Track] [Remove previously deprecated code](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#track-remove-previously-deprecated-code)
 
 Week 6:
-* [ ] [Release Lead] [Cut the v1.3.1 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.3.1 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
 
 Week 9:
-* [ ] [Release Lead] [Cut the v1.3.2 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.3.2 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
 
 Week 11 to 12:
-* [ ] [Release Lead] [Track] [Bump dependencies](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#track-bump-dependencies)
+* [ ] [Release Lead] [Track] [Bump dependencies](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#track-bump-dependencies)
 
 Week 13:
-* [ ] [Release Lead] [Cut the v1.4.0-beta.0 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
-* [ ] [Release Lead] [Cut the v1.3.3 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
-* [ ] [Release Lead] [Create a new GitHub milestone for the next release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#create-a-new-github-milestone-for-the-next-release)
+* [ ] [Release Lead] [Cut the v1.4.0-beta.0 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.3.3 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Create a new GitHub milestone for the next release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#create-a-new-github-milestone-for-the-next-release)
 
 Week 14:
-* [ ] [Release Lead] [Cut the v1.4.0-beta.1 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.4.0-beta.1 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
 * [ ] [Release Lead] Select release lead for the next release cycle
 
 Week 15:
-* [ ] [Release Lead] [Create the release-1.4 release branch](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#create-a-release-branch)
-* [ ] [Release Lead] [Cut the v1.4.0-rc.0 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
-* [ ] [CI Manager] [Setup jobs and dashboards for the release-1.4 release branch](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#setup-jobs-and-dashboards-for-a-new-release-branch)
-* [ ] [Communications Manager] [Ensure the book for the new release is available](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#ensure-the-book-for-the-new-release-is-available)
+* [ ] [Release Lead] [Create the release-1.4 release branch](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#create-a-release-branch)
+* [ ] [Release Lead] [Cut the v1.4.0-rc.0 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [CI Manager] [Setup jobs and dashboards for the release-1.4 release branch](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#setup-jobs-and-dashboards-for-a-new-release-branch)
+* [ ] [Communications Manager] [Ensure the book for the new release is available](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#ensure-the-book-for-the-new-release-is-available)
 
 Week 15 to 17:
-* [ ] [Communications Manager] [Polish release notes](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#polish-release-notes)
+* [ ] [Communications Manager] [Polish release notes](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#polish-release-notes)
 
 Week 16:
-* [ ] [Release Lead] [Cut the v1.4.0-rc.1 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.4.0-rc.1 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
 
 Week 17:
-* [ ] [Release Lead] [Cut the v1.4.0 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
-* [ ] [Release Lead] [Cut the v1.3.4 release](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.4.0 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
+* [ ] [Release Lead] [Cut the v1.3.4 release](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#repeatedly-cut-a-release)
 * [ ] [Release Lead] Organize release retrospective
-* [ ] [Communications Manager] [Change production branch in Netlify to the new release branch](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#change-production-branch-in-netlify-to-the-new-release-branch)
-* [ ] [Communications Manager] [Update clusterctl links in the quickstart](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#update-clusterctl-links-in-the-quickstart)
+* [ ] [Communications Manager] [Change production branch in Netlify to the new release branch](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#change-production-branch-in-netlify-to-the-new-release-branch)
+* [ ] [Communications Manager] [Update clusterctl links in the quickstart](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#update-clusterctl-links-in-the-quickstart)
 
 Continuously:
-* [Release lead] [Maintain the GitHub release milestone](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-maintain-the-github-release-milestone)
-* [Communications Manager] [Communicate key dates to the community](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-communicate-key-dates-to-the-community)
+* [Release lead] [Maintain the GitHub release milestone](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#continuously-maintain-the-github-release-milestone)
+* [Communications Manager] [Communicate key dates to the community](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#continuously-communicate-key-dates-to-the-community)
 * [Communications Manager] Improve release process documentation
 * [Communications Manager] Maintain and improve user facing documentation about releases, release policy and release calendar
-* [CI Manager] [Monitor CI signal](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-monitor-ci-signal)
-* [CI Manager] [Reduce the amount of flaky tests](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-reduce-the-amount-of-flaky-tests)
-* [CI Manager] [Bug triage](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#continuously-bug-triage)
+* [CI Manager] [Monitor CI signal](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#continuously-monitor-ci-signal)
+* [CI Manager] [Reduce the amount of flaky tests](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#continuously-reduce-the-amount-of-flaky-tests)
+* [CI Manager] [Bug triage](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#continuously-bug-triage)
 * [CI Manager] Maintain and improve release automation, tooling & related developer docs
 
 If and when necessary:
-* [ ] [Release Lead] [Track] [Bump the Cluster API apiVersion](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#optional-track-bump-the-cluster-api-apiversion)
-* [ ] [Release Lead] [Track] [Bump the Kubernetes version](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-tasks.md#optional-track-bump-the-kubernetes-version)
+* [ ] [Release Lead] [Track] [Bump the Cluster API apiVersion](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#optional-track-bump-the-cluster-api-apiversion)
+* [ ] [Release Lead] [Track] [Bump the Kubernetes version](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#optional-track-bump-the-kubernetes-version)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 8a17d811cebd..fc89821b5cfe 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -51,7 +51,7 @@ come up, including gaps in documentation!
 
 If you're a more experienced contributor, looking at unassigned issues in the next release milestone is a good way to find work that has been prioritized. For example, if the latest minor release is `v1.0`, the next release milestone is `v1.1`.
 
-Help and contributions are very welcome in the form of code contributions but also in helping to moderate office hours, triaging issues, fixing/investigating flaky tests, being part of the [release team](https://github.com/sbueringer/cluster-api/blob/pr-release-tasks/docs/release/release-team.md), helping new contributors with their questions, reviewing proposals, etc.
+Help and contributions are very welcome in the form of code contributions but also in helping to moderate office hours, triaging issues, fixing/investigating flaky tests, being part of the [release team](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-team.md), helping new contributors with their questions, reviewing proposals, etc.
 
 ## Versioning
 
diff --git a/docs/release/release-1.3.md b/docs/release/release-1.3.md
index a55704db5c7d..3607c17c428b 100644
--- a/docs/release/release-1.3.md
+++ b/docs/release/release-1.3.md
@@ -10,18 +10,18 @@ The following table shows the preliminary dates for the `v1.3` release cycle.
 | **What**                                             | **When**                      | **Week** |
 |------------------------------------------------------|-------------------------------|----------|
 | Start of Release Cycle                               | Monday 18th July 2022         | week 1   |
-| *v1.2.1 released*                                    | Monday 15th August 2022       | week 5   | 
-| *v1.2.2 released*                                    | Wednesday 14th September 2022 | week 9   | 
-| *v1.2.3 released*                                    | Monday 10th October 2022      | week 13  | 
-| *v1.2.4 released*                                    | Monday 17th October 2022      | week 14  | 
+| *v1.2.x released*                                    | Monday 15th August 2022       | week 5   | 
+| *v1.2.x released*                                    | Wednesday 14th September 2022 | week 9   | 
+| *v1.2.x released*                                    | Monday 10th October 2022      | week 13  | 
+| *v1.2.x released*                                    | Monday 17th October 2022      | week 14  | 
 | v1.3.0-beta.0 released                               | Tuesday 1st November 2022     | week 16  |
 | v1.3.0-beta.1 released                               | Tuesday 8th November 2022     | week 17  |
-| *v1.2.5 released*                                    | Tuesday 8th November 2022     | week 17  |
+| *v1.2.x released*                                    | Tuesday 8th November 2022     | week 17  |
 | release-1.3 branch created (**Begin [Code Freeze]**) | Tuesday 15th November 2022    | week 18  |
 | v1.3.0-rc.0 released                                 | Tuesday 15th November 2022    | week 18  |
 | release-1.3 jobs created                             | Tuesday 15th November 2022    | week 18  |
 | v1.3.0-rc.1 released                                 | Tuesday 22nd November 2022    | week 19  |
 | **v1.3.0 released**                                  | Thursday 1st December 2022    | week 20  |
-| *v1.2.6 released*                                    | Thursday 1st December 2022    | week 20  |
+| *v1.2.x released*                                    | Thursday 1st December 2022    | week 20  |
 
 After the `.0` release monthly patch release will be created.
diff --git a/docs/release/release-1.4.md b/docs/release/release-1.4.md
index b7633107ddc4..47b7e12e090b 100644
--- a/docs/release/release-1.4.md
+++ b/docs/release/release-1.4.md
@@ -11,17 +11,17 @@ The following table shows the preliminary dates for the `v1.4` release cycle.
 | Start of Release Cycle                               | Release Lead | Monday 5th December 2022   | week 1   |
 | Schedule finalized                                   | Release Lead | Friday 9th December 2022   | week 1   |
 | Team finalized                                       | Release Lead | Friday 9th December 2022   | week 1   |
-| *v1.2.7 & v1.3.1 released*                           | Release Lead | Tuesday 10th January 2023  | week 6   |
-| *v1.2.8 & v1.3.2 released*                           | Release Lead | Tuesday 31st January 2023  | week 9   |
+| *v1.2.x & v1.3.x released*                           | Release Lead | Tuesday 10th January 2023  | week 6   |
+| *v1.2.x & v1.3.x released*                           | Release Lead | Tuesday 31st January 2023  | week 9   |
 | v1.4.0-beta.0 released                               | Release Lead | Tuesday 28th February 2023 | week 13  |
-| *v1.2.9 & v1.3.3 released*                           | Release Lead | Tuesday 28th February 2023 | week 13  |
+| *v1.2.x & v1.3.x released*                           | Release Lead | Tuesday 28th February 2023 | week 13  |
 | v1.4.0-beta.1 released                               | Release Lead | Tuesday 7th March 2023     | week 14  |
 | release-1.4 branch created (**Begin [Code Freeze]**) | Release Lead | Tuesday 14th March 2023    | week 15  |
 | v1.4.0-rc.0 released                                 | Release Lead | Tuesday 14th March 2023    | week 15  |
 | release-1.4 jobs created                             | CI Manager   | Tuesday 14th March 2023    | week 15  |
 | v1.4.0-rc.1 released                                 | Release Lead | Tuesday 21st March 2023    | week 16  |
 | **v1.4.0 released**                                  | Release Lead | Tuesday 28th March 2023    | week 17  |
-| *v1.2.10 & v1.3.4 released*                          | Release Lead | Tuesday 28th March 2023    | week 17  |
+| *v1.2.x & v1.3.x released*                           | Release Lead | Tuesday 28th March 2023    | week 17  |
 | Organize release retrospective                       | Release Lead | TBC                        | week 17  |
 
 After the `.0` release monthly patch release will be created.
diff --git a/docs/release/release-tasks.md b/docs/release/release-tasks.md
index d4c259d9cabb..f34e3eadc6fb 100644
--- a/docs/release/release-tasks.md
+++ b/docs/release/release-tasks.md
@@ -226,7 +226,8 @@ Additional information:
 
 #### [Optional] [Track] Bump the Kubernetes version
 
-TODO(sbueringer): Follow-up PR (this will probably just be create an issue based on another issue template)
+1. Create an issue for the new Kubernetes version via: [New Issue: Kubernetes bump](https://github.com/kubernetes-sigs/cluster-api/issues/new/choose).
+2. Track the issue to ensure the work is completed in time.
 
 ## Communications/Docs/Release Notes Manager
 

From 244bf72b0e24926954c5e0d9814d946941761eeb Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <buringerst@vmware.com>
Date: Tue, 22 Nov 2022 12:13:44 +0700
Subject: [PATCH 13/87] test/e2e: bump ginkgo binary to v2.5.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 Makefile                                          | 2 +-
 docs/book/src/developer/providers/v1.2-to-v1.3.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 9db1137afe96..ac94437bc12f 100644
--- a/Makefile
+++ b/Makefile
@@ -148,7 +148,7 @@ YQ_BIN := yq
 YQ :=  $(abspath $(TOOLS_BIN_DIR)/$(YQ_BIN)-$(YQ_VER))
 YQ_PKG := github.com/mikefarah/yq/v4
 
-GINGKO_VER := v2.4.0
+GINGKO_VER := v2.5.0
 GINKGO_BIN := ginkgo
 GINKGO := $(abspath $(TOOLS_BIN_DIR)/$(GINKGO_BIN)-$(GINGKO_VER))
 GINKGO_PKG := github.com/onsi/ginkgo/v2/ginkgo
diff --git a/docs/book/src/developer/providers/v1.2-to-v1.3.md b/docs/book/src/developer/providers/v1.2-to-v1.3.md
index e46652d00dc1..8a42aa0960d0 100644
--- a/docs/book/src/developer/providers/v1.2-to-v1.3.md
+++ b/docs/book/src/developer/providers/v1.2-to-v1.3.md
@@ -51,7 +51,7 @@ The default value is 0, meaning that the volume can be detached without any time
   > The CRD name must have the format produced by sigs.k8s.io/cluster-api/util/contract.CalculateCRDName(Group, Kind)
 - The Kubernetes default registry has been changed from `k8s.gcr.io` to `registry.k8s.io`. Kubernetes image promotion currently publishes to both registries. Please
   consider publishing manifests which reference the controller images from the new registry (for reference [Cluster API PR](https://github.com/kubernetes-sigs/cluster-api/pull/7478)).
-- e2e tests are upgraded to use Ginkgo v2 (v2.4.0) and Gomega v1.22.1. Providers who use the test framework from this release will also need to upgrade, because Ginkgo v2 can't be imported alongside v1. Please see the [Ginkgo upgrade guide](https://onsi.github.io/ginkgo/MIGRATING_TO_V2), and note:
+- e2e tests are upgraded to use Ginkgo v2 (v2.5.0) and Gomega v1.22.1. Providers who use the test framework from this release will also need to upgrade, because Ginkgo v2 can't be imported alongside v1. Please see the [Ginkgo upgrade guide](https://onsi.github.io/ginkgo/MIGRATING_TO_V2), and note:
   * the default test timeout has been [changed to 1h](https://onsi.github.io/ginkgo/MIGRATING_TO_V2#timeout-behavior)
   * the `--junit-report` argument [replaces JUnit custom reporter](https://onsi.github.io/ginkgo/MIGRATING_TO_V2#improved-reporting-infrastructure) code
   * see the ["Update tests to Ginkgo v2" PR](https://github.com/kubernetes-sigs/cluster-api/pull/6906) for a reference example
@@ -73,4 +73,4 @@ The default value is 0, meaning that the volume can be detached without any time
 - The default minimum TLS version in use by the webhook servers is 1.2.
 
 ### Suggested changes for providers
-- Provider can expose the configuration of the TLS Options for the webhook server; it is recommended to use utility functions under the `util/flags` package to ensure consistency across CAPI and other providers.
\ No newline at end of file
+- Provider can expose the configuration of the TLS Options for the webhook server; it is recommended to use utility functions under the `util/flags` package to ensure consistency across CAPI and other providers.

From c0627266306d023b48b6efa0c53ce7ac43836364 Mon Sep 17 00:00:00 2001
From: Kotaro Inoue <k.musaino@gmail.com>
Date: Tue, 22 Nov 2022 18:35:55 +0900
Subject: [PATCH 14/87] Fix error message

---
 internal/controllers/machine/machine_controller_phases.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/controllers/machine/machine_controller_phases.go b/internal/controllers/machine/machine_controller_phases.go
index ec26bbb5d792..4fa3685e3c3b 100644
--- a/internal/controllers/machine/machine_controller_phases.go
+++ b/internal/controllers/machine/machine_controller_phases.go
@@ -313,7 +313,7 @@ func (r *Reconciler) reconcileInfrastructure(ctx context.Context, cluster *clust
 	switch {
 	case err == util.ErrUnstructuredFieldNotFound: // no-op
 	case err != nil:
-		return ctrl.Result{}, errors.Wrapf(err, "failed to failure domain from infrastructure provider for Machine %q in namespace %q", m.Name, m.Namespace)
+		return ctrl.Result{}, errors.Wrapf(err, "failed to retrieve failure domain from infrastructure provider for Machine %q in namespace %q", m.Name, m.Namespace)
 	default:
 		m.Spec.FailureDomain = pointer.String(failureDomain)
 	}

From cc4165e175bb999f637be6db62db90f69f3ca2f5 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Tue, 22 Nov 2022 12:17:05 +0000
Subject: [PATCH 15/87] Add DeleteAndWait function for ClusterClass flaky test

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 internal/webhooks/test/clusterclass_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/webhooks/test/clusterclass_test.go b/internal/webhooks/test/clusterclass_test.go
index 702c55ca2975..fcf0ca9c0e0d 100644
--- a/internal/webhooks/test/clusterclass_test.go
+++ b/internal/webhooks/test/clusterclass_test.go
@@ -446,7 +446,7 @@ func TestClusterClassWebhook_Delete_MultipleExistingClusters(t *testing.T) {
 	defer func() {
 		// Delete each of the clusters.
 		for _, c := range clusters {
-			g.Expect(env.Delete(ctx, c)).To(Succeed())
+			g.Expect(env.CleanupAndWait(ctx, c)).To(Succeed())
 		}
 
 		// Delete the ClusterClasses in the API server.

From 73c458b097c1c3c06c25b876355937249a02ddaa Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Tue, 22 Nov 2022 13:05:31 +0000
Subject: [PATCH 16/87] Fix adopting ClusterResourceSet resource by CRS when
 already applied

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 .../clusterresourceset_controller.go          | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/exp/addons/internal/controllers/clusterresourceset_controller.go b/exp/addons/internal/controllers/clusterresourceset_controller.go
index a2bf532b0e42..513609224fad 100644
--- a/exp/addons/internal/controllers/clusterresourceset_controller.go
+++ b/exp/addons/internal/controllers/clusterresourceset_controller.go
@@ -278,11 +278,6 @@ func (r *ClusterResourceSetReconciler) ApplyClusterResourceSet(ctx context.Conte
 
 	// Iterate all resources and apply them to the cluster and update the resource status in the ClusterResourceSetBinding object.
 	for _, resource := range clusterResourceSet.Spec.Resources {
-		// If resource is already applied successfully and clusterResourceSet mode is "ApplyOnce", continue. (No need to check hash changes here)
-		if resourceSetBinding.IsApplied(resource) {
-			continue
-		}
-
 		unstructuredObj, err := r.getResource(ctx, resource, cluster.GetNamespace())
 		if err != nil {
 			if err == ErrSecretTypeNotSupported {
@@ -299,6 +294,18 @@ func (r *ClusterResourceSetReconciler) ApplyClusterResourceSet(ctx context.Conte
 			continue
 		}
 
+		// Ensure an ownerReference to the clusterResourceSet is on the resource.
+		if err := r.ensureResourceOwnerRef(ctx, clusterResourceSet, unstructuredObj); err != nil {
+			log.Error(err, "Failed to add ClusterResourceSet as resource owner reference",
+				"Resource type", unstructuredObj.GetKind(), "Resource name", unstructuredObj.GetName())
+			errList = append(errList, err)
+		}
+
+		// If resource is already applied successfully and clusterResourceSet mode is "ApplyOnce", continue. (No need to check hash changes here)
+		if resourceSetBinding.IsApplied(resource) {
+			continue
+		}
+
 		// Set status in ClusterResourceSetBinding in case of early continue due to a failure.
 		// Set only when resource is retrieved successfully.
 		resourceSetBinding.SetBinding(addonsv1.ResourceBinding{
@@ -307,13 +314,6 @@ func (r *ClusterResourceSetReconciler) ApplyClusterResourceSet(ctx context.Conte
 			Applied:         false,
 			LastAppliedTime: &metav1.Time{Time: time.Now().UTC()},
 		})
-
-		if err := r.patchOwnerRefToResource(ctx, clusterResourceSet, unstructuredObj); err != nil {
-			log.Error(err, "Failed to patch ClusterResourceSet as resource owner reference",
-				"Resource type", unstructuredObj.GetKind(), "Resource name", unstructuredObj.GetName())
-			errList = append(errList, err)
-		}
-
 		// Since maps are not ordered, we need to order them to get the same hash at each reconcile.
 		keys := make([]string, 0)
 		data, ok := unstructuredObj.UnstructuredContent()["data"]
@@ -411,8 +411,8 @@ func (r *ClusterResourceSetReconciler) getResource(ctx context.Context, resource
 	return raw, nil
 }
 
-// patchOwnerRefToResource adds the ClusterResourceSet as a OwnerReference to the resource.
-func (r *ClusterResourceSetReconciler) patchOwnerRefToResource(ctx context.Context, clusterResourceSet *addonsv1.ClusterResourceSet, resource *unstructured.Unstructured) error {
+// ensureResourceOwnerRef adds the ClusterResourceSet as a OwnerReference to the resource.
+func (r *ClusterResourceSetReconciler) ensureResourceOwnerRef(ctx context.Context, clusterResourceSet *addonsv1.ClusterResourceSet, resource *unstructured.Unstructured) error {
 	newRef := metav1.OwnerReference{
 		APIVersion: clusterResourceSet.GroupVersionKind().GroupVersion().String(),
 		Kind:       clusterResourceSet.GroupVersionKind().Kind,

From 4df19207ccd1c6e0c35043cbb3bead7f79eb343d Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <buringerst@vmware.com>
Date: Wed, 23 Nov 2022 16:21:13 +0700
Subject: [PATCH 17/87] MD reconciler: improve integration test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 .../machinedeployment_controller_test.go                 | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/internal/controllers/machinedeployment/machinedeployment_controller_test.go b/internal/controllers/machinedeployment/machinedeployment_controller_test.go
index 21c945f6c88b..5ac3a3ff2263 100644
--- a/internal/controllers/machinedeployment/machinedeployment_controller_test.go
+++ b/internal/controllers/machinedeployment/machinedeployment_controller_test.go
@@ -92,9 +92,10 @@ func TestMachineDeploymentReconciler(t *testing.T) {
 				Replicas:             pointer.Int32(2),
 				RevisionHistoryLimit: pointer.Int32(0),
 				Selector: metav1.LabelSelector{
-					MatchLabels: map[string]string{
-						clusterv1.ClusterLabelName: testCluster.Name,
-					},
+					// We're using the same labels for spec.selector and spec.template.labels.
+					// The labels are later changed and we will use the initial labels later to
+					// verify that all original MachineSets have been deleted.
+					MatchLabels: labels,
 				},
 				Strategy: &clusterv1.MachineDeploymentStrategy{
 					Type: clusterv1.RollingUpdateMachineDeploymentStrategyType,
@@ -340,8 +341,8 @@ func TestMachineDeploymentReconciler(t *testing.T) {
 		// expect old MachineSets with old labels to be deleted
 		//
 		oldLabels := deployment.Spec.Selector.MatchLabels
-		oldLabels[clusterv1.MachineDeploymentLabelName] = deployment.Name
 
+		// Change labels and selector to a new set of labels which doesn't have any overlap with the previous labels.
 		newLabels := map[string]string{
 			"new-key":                  "new-value",
 			clusterv1.ClusterLabelName: testCluster.Name,

From b6d39378134834f21c4628347cdef9d68052f92a Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Mon, 21 Nov 2022 18:53:59 +0000
Subject: [PATCH 18/87] Fix kubeadmconfig bootstrapsecret ownerRef
 reconciliation

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 .../controllers/kubeadmconfig_controller.go   | 34 ++++++++++++++++++-
 .../kubeadm/internal/controllers/token.go     |  2 +-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
index 8213ef04e4cc..eb4f4c64adf1 100644
--- a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
+++ b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
@@ -241,7 +241,10 @@ func (r *KubeadmConfigReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 			}
 		}
 	}()
-
+	// Ensure the bootstrap secret associated with this KubeadmConfig has the correct ownerReference.
+	if err := r.ensureBootstrapSecretOwnersRef(ctx, scope); err != nil {
+		return ctrl.Result{}, err
+	}
 	switch {
 	// Wait for the infrastructure to be ready.
 	case !cluster.Status.InfrastructureReady:
@@ -1022,3 +1025,32 @@ func (r *KubeadmConfigReconciler) storeBootstrapData(ctx context.Context, scope
 	conditions.MarkTrue(scope.Config, bootstrapv1.DataSecretAvailableCondition)
 	return nil
 }
+
+// Ensure the bootstrap secret has the configOwner as a controller OwnerReference.
+func (r *KubeadmConfigReconciler) ensureBootstrapSecretOwnersRef(ctx context.Context, scope *Scope) error {
+	secret := &corev1.Secret{}
+	err := r.Client.Get(ctx, client.ObjectKey{Namespace: scope.Config.Namespace, Name: scope.Config.Name}, secret)
+	if err != nil {
+		// If the secret has not been created yet return early.
+		if apierrors.IsNotFound(err) {
+			return nil
+		}
+		return errors.Wrapf(err, "failed to add KubeadmConfig %s as ownerReference to bootstrap Secret %s", scope.ConfigOwner.GetName(), secret.GetName())
+	}
+	patchHelper, err := patch.NewHelper(secret, r.Client)
+	if err != nil {
+		return errors.Wrapf(err, "failed to add KubeadmConfig %s as ownerReference to bootstrap Secret %s", scope.ConfigOwner.GetName(), secret.GetName())
+	}
+	secret.OwnerReferences = util.EnsureOwnerRef(secret.OwnerReferences, metav1.OwnerReference{
+		APIVersion: scope.ConfigOwner.GetAPIVersion(),
+		Kind:       scope.ConfigOwner.GetKind(),
+		UID:        scope.ConfigOwner.GetUID(),
+		Name:       scope.ConfigOwner.GetName(),
+		Controller: pointer.Bool(true),
+	})
+	err = patchHelper.Patch(ctx, secret)
+	if err != nil {
+		return errors.Wrapf(err, "could not add KubeadmConfig %s as ownerReference to bootstrap Secret %s", scope.ConfigOwner.GetName(), secret.GetName())
+	}
+	return nil
+}
diff --git a/bootstrap/kubeadm/internal/controllers/token.go b/bootstrap/kubeadm/internal/controllers/token.go
index f1e509f9a2b1..9c61c7f9199e 100644
--- a/bootstrap/kubeadm/internal/controllers/token.go
+++ b/bootstrap/kubeadm/internal/controllers/token.go
@@ -81,7 +81,7 @@ func getToken(ctx context.Context, c client.Client, token string) (*corev1.Secre
 	}
 
 	if secret.Data == nil {
-		return nil, errors.Errorf("Invalid bootstrap secret %q, remove the token from the kubadm config to re-create", secretName)
+		return nil, errors.Errorf("Invalid bootstrap secret %q, remove the token from the kubeadm config to re-create", secretName)
 	}
 	return secret, nil
 }

From 213b153788f1c91ad0841821664b949272cba7f0 Mon Sep 17 00:00:00 2001
From: Oscar Utbult <oscar.utbult@gmail.com>
Date: Wed, 23 Nov 2022 16:35:44 +0100
Subject: [PATCH 19/87] Add KubeCon Detroit 2022 videos to CAPI book

---
 docs/book/src/developer/guide.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/docs/book/src/developer/guide.md b/docs/book/src/developer/guide.md
index 445d9a9a35e7..cb6993cf06d4 100644
--- a/docs/book/src/developer/guide.md
+++ b/docs/book/src/developer/guide.md
@@ -139,6 +139,7 @@ To test another iteration, you'll need to follow the steps to build, push, updat
 
 **CAPI components and architecture**
 
+* [Simplified Experience Of Building Cluster API Provider In Multitenant Cloud - October 2022](https://www.youtube.com/watch?v=1oj9BuV2dzA)
 * [Cluster API Intro and Deep Dive - May 2022 v1beta1](https://www.youtube.com/watch?v=9H8flXm_lKk)
 * [Cluster API Deep Dive - Dec 2020 v1alpha3](https://youtu.be/npFO5Fixqcc)
 * [Cluster API Deep Dive - Sept 2020 v1alpha3](https://youtu.be/9SfuQQeeK6Q)
@@ -147,9 +148,22 @@ To test another iteration, you'll need to follow the steps to build, push, updat
 
 **Additional ClusterAPI KubeCon talks**
 
+* [How Adobe Planned For Scale With Argo CD, Cluster API, And VCluster - October 2022](https://www.youtube.com/watch?v=p8BluR5WT5w)
+* [Bare-Metal Chronicles: Intertwinement Of Tinkerbell, Cluster API And GitOps - October 2022](https://www.youtube.com/watch?v=NCFUUjTw6hA)
+* [Running Isolated VirtualClusters With Kata & Cluster API - October 2022](https://www.youtube.com/watch?v=T6w3YrExorY)
+* [SIG Cluster Lifecycle Intro - October 2022](https://www.youtube.com/watch?v=0Zo0cWYU0fM)
 * [How to Migrate 700 Kubernetes Clusters to Cluster API with Zero Downtime - May 2022](https://www.youtube.com/watch?v=KzYV-fJ_wH0)
 * [Build Your Own Cluster API Provider the Easy Way - May 2022](https://www.youtube.com/watch?v=HSdgmcAAXa8)
 
+**Tutorials**
+
+* [kubectl Create Cluster: Production-ready Kubernetes with Cluster API 1.0 - October 2022](https://kccncna2022.sched.com/event/1BZDs)
+
+  [Source code](https://github.com/ykakarap/kubecon-na-22-capi-lab)
+* [So You Want To Develop a Cluster API Provider? - October 2022](https://kccncna2022.sched.com/event/182Ha)
+
+  [Source code](https://capi-samples.github.io/kubecon-na-2022-tutorial/)
+
 **Code walkthroughs**
 
 * [CAPD Deep Dive - March 2021 v1alpha4](https://youtu.be/67kEp471MPk)

From 6c2aedc37000affb4f18b452578dd88515e39265 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Fri, 25 Nov 2022 09:32:12 +0000
Subject: [PATCH 20/87] Fix bug in kubeadmconfig adoption

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 .../controllers/kubeadmconfig_controller.go   | 13 ++-
 .../kubeadmconfig_controller_test.go          | 99 +++++++++++++++++++
 2 files changed, 107 insertions(+), 5 deletions(-)

diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
index eb4f4c64adf1..93512954575d 100644
--- a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
+++ b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
@@ -1026,7 +1026,7 @@ func (r *KubeadmConfigReconciler) storeBootstrapData(ctx context.Context, scope
 	return nil
 }
 
-// Ensure the bootstrap secret has the configOwner as a controller OwnerReference.
+// Ensure the bootstrap secret has the KubeadmConfig as a controller OwnerReference.
 func (r *KubeadmConfigReconciler) ensureBootstrapSecretOwnersRef(ctx context.Context, scope *Scope) error {
 	secret := &corev1.Secret{}
 	err := r.Client.Get(ctx, client.ObjectKey{Namespace: scope.Config.Namespace, Name: scope.Config.Name}, secret)
@@ -1041,11 +1041,14 @@ func (r *KubeadmConfigReconciler) ensureBootstrapSecretOwnersRef(ctx context.Con
 	if err != nil {
 		return errors.Wrapf(err, "failed to add KubeadmConfig %s as ownerReference to bootstrap Secret %s", scope.ConfigOwner.GetName(), secret.GetName())
 	}
+	if c := metav1.GetControllerOf(secret); c != nil && c.Kind != "KubeadmConfig" {
+		secret.OwnerReferences = util.RemoveOwnerRef(secret.OwnerReferences, *c)
+	}
 	secret.OwnerReferences = util.EnsureOwnerRef(secret.OwnerReferences, metav1.OwnerReference{
-		APIVersion: scope.ConfigOwner.GetAPIVersion(),
-		Kind:       scope.ConfigOwner.GetKind(),
-		UID:        scope.ConfigOwner.GetUID(),
-		Name:       scope.ConfigOwner.GetName(),
+		APIVersion: bootstrapv1.GroupVersion.String(),
+		Kind:       "KubeadmConfig",
+		UID:        scope.Config.UID,
+		Name:       scope.Config.Name,
 		Controller: pointer.Bool(true),
 	})
 	err = patchHelper.Patch(ctx, secret)
diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_test.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_test.go
index 32f87080c5af..db6a11e70c0f 100644
--- a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_test.go
+++ b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_test.go
@@ -117,6 +117,105 @@ func TestKubeadmConfigReconciler_Reconcile_ReturnEarlyIfKubeadmConfigIsReady(t *
 	g.Expect(result.RequeueAfter).To(Equal(time.Duration(0)))
 }
 
+// Reconcile returns early if the kubeadm config is ready because it should never re-generate bootstrap data.
+func TestKubeadmConfigReconciler_TestSecretOwnerReferenceReconciliation(t *testing.T) {
+	g := NewWithT(t)
+
+	clusterName := "my-cluster"
+	cluster := builder.Cluster(metav1.NamespaceDefault, clusterName).Build()
+	machine := builder.Machine(metav1.NamespaceDefault, "machine").
+		WithVersion("v1.19.1").
+		WithClusterName(clusterName).
+		WithBootstrapTemplate(bootstrapbuilder.KubeadmConfig(metav1.NamespaceDefault, "cfg").Unstructured()).
+		Build()
+	machine.Spec.Bootstrap.DataSecretName = pointer.String("something")
+
+	config := newKubeadmConfig(metav1.NamespaceDefault, "cfg")
+	config.SetOwnerReferences(util.EnsureOwnerRef(config.GetOwnerReferences(), metav1.OwnerReference{
+		APIVersion: machine.APIVersion,
+		Kind:       machine.Kind,
+		Name:       machine.Name,
+		UID:        machine.UID,
+	}))
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      config.Name,
+			Namespace: config.Namespace,
+		},
+		Type: corev1.SecretTypeBootstrapToken,
+	}
+	config.Status.Ready = true
+
+	objects := []client.Object{
+		config,
+		machine,
+		secret,
+		cluster,
+	}
+	myclient := fake.NewClientBuilder().WithObjects(objects...).Build()
+
+	k := &KubeadmConfigReconciler{
+		Client: myclient,
+	}
+
+	request := ctrl.Request{
+		NamespacedName: client.ObjectKey{
+			Namespace: metav1.NamespaceDefault,
+			Name:      "cfg",
+		},
+	}
+	var err error
+	key := client.ObjectKeyFromObject(config)
+	actual := &corev1.Secret{}
+
+	t.Run("KubeadmConfig ownerReference is added on first reconcile", func(t *testing.T) {
+		_, err = k.Reconcile(ctx, request)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Expect(myclient.Get(ctx, key, actual)).To(Succeed())
+
+		controllerOwner := metav1.GetControllerOf(actual)
+		g.Expect(controllerOwner).To(Not(BeNil()))
+		g.Expect(controllerOwner.Kind).To(Equal(config.Kind))
+		g.Expect(controllerOwner.Name).To(Equal(config.Name))
+	})
+
+	t.Run("KubeadmConfig ownerReference re-reconciled without error", func(t *testing.T) {
+		_, err = k.Reconcile(ctx, request)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Expect(myclient.Get(ctx, key, actual)).To(Succeed())
+
+		controllerOwner := metav1.GetControllerOf(actual)
+		g.Expect(controllerOwner).To(Not(BeNil()))
+		g.Expect(controllerOwner.Kind).To(Equal(config.Kind))
+		g.Expect(controllerOwner.Name).To(Equal(config.Name))
+	})
+	t.Run("non-KubeadmConfig controller OwnerReference is replaced", func(t *testing.T) {
+		g.Expect(myclient.Get(ctx, key, actual)).To(Succeed())
+
+		actual.SetOwnerReferences([]metav1.OwnerReference{
+			{
+				APIVersion: machine.APIVersion,
+				Kind:       machine.Kind,
+				Name:       machine.Name,
+				UID:        machine.UID,
+				Controller: pointer.Bool(true),
+			}})
+		g.Expect(myclient.Update(ctx, actual)).To(Succeed())
+
+		_, err = k.Reconcile(ctx, request)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Expect(myclient.Get(ctx, key, actual)).To(Succeed())
+
+		controllerOwner := metav1.GetControllerOf(actual)
+		g.Expect(controllerOwner).To(Not(BeNil()))
+		g.Expect(controllerOwner.Kind).To(Equal(config.Kind))
+		g.Expect(controllerOwner.Name).To(Equal(config.Name))
+	})
+}
+
 // Reconcile returns nil if the referenced Machine cannot be found.
 func TestKubeadmConfigReconciler_Reconcile_ReturnNilIfReferencedMachineIsNotFound(t *testing.T) {
 	g := NewWithT(t)

From 2f666a5ac7990cdd6b0b7920cf947880cecd8e20 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <buringerst@vmware.com>
Date: Tue, 22 Nov 2022 20:17:04 +0700
Subject: [PATCH 21/87] Improve Machine adoption
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: fabriziopandini <fpandini@vmware.com>
Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 api/v1beta1/machine_types.go                  |  3 +
 .../kubeadm/internal/cluster_labels.go        |  1 +
 .../internal/controllers/controller.go        | 13 ++++
 .../kubeadm/internal/controllers/helpers.go   |  1 +
 .../internal/controllers/helpers_test.go      |  5 ++
 .../controllers/machine/machine_controller.go | 14 +++--
 .../machinedeployment_controller.go           | 22 +++++++
 .../machinedeployment_controller_test.go      | 23 ++++---
 .../machinedeployment_sync.go                 | 19 +++++-
 .../machinedeployment/mdutil/util.go          |  4 +-
 .../machineset/machineset_controller.go       | 60 +++++++++++++++++--
 11 files changed, 141 insertions(+), 24 deletions(-)

diff --git a/api/v1beta1/machine_types.go b/api/v1beta1/machine_types.go
index 7219c126cde6..48448db4d928 100644
--- a/api/v1beta1/machine_types.go
+++ b/api/v1beta1/machine_types.go
@@ -42,6 +42,9 @@ const (
 	// MachineDeploymentLabelName is the label set on machines if they're controlled by MachineDeployment.
 	MachineDeploymentLabelName = "cluster.x-k8s.io/deployment-name"
 
+	// MachineControlPlaneNameLabel is the label set on machines if they're controlled by a ControlPlane.
+	MachineControlPlaneNameLabel = "cluster.x-k8s.io/control-plane-name"
+
 	// PreDrainDeleteHookAnnotationPrefix annotation specifies the prefix we
 	// search each annotation for during the pre-drain.delete lifecycle hook
 	// to pause reconciliation of deletion. These hooks will prevent removal of
diff --git a/controlplane/kubeadm/internal/cluster_labels.go b/controlplane/kubeadm/internal/cluster_labels.go
index cca11a27a354..288bfad2afa5 100644
--- a/controlplane/kubeadm/internal/cluster_labels.go
+++ b/controlplane/kubeadm/internal/cluster_labels.go
@@ -34,5 +34,6 @@ func ControlPlaneMachineLabelsForCluster(kcp *controlplanev1.KubeadmControlPlane
 	// Always force these labels over the ones coming from the spec.
 	labels[clusterv1.ClusterLabelName] = clusterName
 	labels[clusterv1.MachineControlPlaneLabelName] = ""
+	labels[clusterv1.MachineControlPlaneNameLabel] = kcp.Name
 	return labels
 }
diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go
index a93fda08e739..63c28e026f6b 100644
--- a/controlplane/kubeadm/internal/controllers/controller.go
+++ b/controlplane/kubeadm/internal/controllers/controller.go
@@ -329,6 +329,19 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, cluster *
 	// source ref (reason@machine/name) so the problem can be easily tracked down to its source machine.
 	conditions.SetAggregate(controlPlane.KCP, controlplanev1.MachinesReadyCondition, ownedMachines.ConditionGetters(), conditions.AddSourceRef(), conditions.WithStepCounterIf(false))
 
+	// Ensure all required labels exist on the controlled Machines.
+	// This logic is needed to add the `cluster.x-k8s.io/control-plane-name` label to Machines
+	// which were created before the `cluster.x-k8s.io/control-plane-name` label was introduced
+	// or if a user manually removed the label.
+	// NOTE: Changes will be applied to the Machines in reconcileControlPlaneConditions.
+	// NOTE: cluster.x-k8s.io/control-plane is already set at this stage (it is used when reading controlPlane.Machines).
+	for i := range controlPlane.Machines {
+		machine := controlPlane.Machines[i]
+		if value, ok := machine.Labels[clusterv1.MachineControlPlaneNameLabel]; !ok || value != kcp.Name {
+			machine.Labels[clusterv1.MachineControlPlaneNameLabel] = kcp.Name
+		}
+	}
+
 	// Updates conditions reporting the status of static pods and the status of the etcd cluster.
 	// NOTE: Conditions reporting KCP operation progress like e.g. Resized or SpecUpToDate are inlined with the rest of the execution.
 	if result, err := r.reconcileControlPlaneConditions(ctx, controlPlane); err != nil || !result.IsZero() {
diff --git a/controlplane/kubeadm/internal/controllers/helpers.go b/controlplane/kubeadm/internal/controllers/helpers.go
index e1e800555215..ea37bfef2c68 100644
--- a/controlplane/kubeadm/internal/controllers/helpers.go
+++ b/controlplane/kubeadm/internal/controllers/helpers.go
@@ -275,6 +275,7 @@ func (r *KubeadmControlPlaneReconciler) generateMachine(ctx context.Context, kcp
 			Namespace:   kcp.Namespace,
 			Labels:      internal.ControlPlaneMachineLabelsForCluster(kcp, cluster.Name),
 			Annotations: map[string]string{},
+			// Note: by setting the ownerRef on creation we signal to the Machine controller that this is not a stand-alone Machine.
 			OwnerReferences: []metav1.OwnerReference{
 				*metav1.NewControllerRef(kcp, controlplanev1.GroupVersion.WithKind("KubeadmControlPlane")),
 			},
diff --git a/controlplane/kubeadm/internal/controllers/helpers_test.go b/controlplane/kubeadm/internal/controllers/helpers_test.go
index 5b8a132d8e2c..51a9f40bf333 100644
--- a/controlplane/kubeadm/internal/controllers/helpers_test.go
+++ b/controlplane/kubeadm/internal/controllers/helpers_test.go
@@ -549,6 +549,10 @@ func TestKubeadmControlPlaneReconciler_generateMachine(t *testing.T) {
 	for k, v := range kcpMachineTemplateObjectMeta.Labels {
 		g.Expect(machine.Labels[k]).To(Equal(v))
 	}
+	g.Expect(machine.Labels[clusterv1.ClusterLabelName]).To(Equal(cluster.Name))
+	g.Expect(machine.Labels[clusterv1.MachineControlPlaneLabelName]).To(Equal(""))
+	g.Expect(machine.Labels[clusterv1.MachineControlPlaneNameLabel]).To(Equal(kcp.Name))
+
 	for k, v := range kcpMachineTemplateObjectMeta.Annotations {
 		g.Expect(machine.Annotations[k]).To(Equal(v))
 	}
@@ -556,6 +560,7 @@ func TestKubeadmControlPlaneReconciler_generateMachine(t *testing.T) {
 	// Verify that machineTemplate.ObjectMeta in KCP has not been modified.
 	g.Expect(kcp.Spec.MachineTemplate.ObjectMeta.Labels).NotTo(HaveKey(clusterv1.ClusterLabelName))
 	g.Expect(kcp.Spec.MachineTemplate.ObjectMeta.Labels).NotTo(HaveKey(clusterv1.MachineControlPlaneLabelName))
+	g.Expect(kcp.Spec.MachineTemplate.ObjectMeta.Labels).NotTo(HaveKey(clusterv1.MachineControlPlaneNameLabel))
 	g.Expect(kcp.Spec.MachineTemplate.ObjectMeta.Annotations).NotTo(HaveKey(controlplanev1.KubeadmClusterConfigurationAnnotation))
 }
 
diff --git a/internal/controllers/machine/machine_controller.go b/internal/controllers/machine/machine_controller.go
index bfdddefeccf9..c1c19f650208 100644
--- a/internal/controllers/machine/machine_controller.go
+++ b/internal/controllers/machine/machine_controller.go
@@ -760,10 +760,16 @@ func (r *Reconciler) shouldAdopt(m *clusterv1.Machine) bool {
 		return false
 	}
 
-	// If the Machine is originated by a MachineDeployment, this prevents it from being adopted as a stand-alone Machine.
-	// Note: this is required because after restore from a backup both the Machine controller and the
-	// MachineSet controller are racing to adopt Machines, see https://github.com/kubernetes-sigs/cluster-api/issues/7529
-	if _, ok := m.Labels[clusterv1.MachineDeploymentUniqueLabel]; ok {
+	// Note: following checks are required because after restore from a backup both the Machine controller and the
+	// MachineSet/ControlPlane controller are racing to adopt Machines, see https://github.com/kubernetes-sigs/cluster-api/issues/7529
+
+	// If the Machine is originated by a MachineSet, it should not be adopted directly by the Cluster as a stand-alone Machine.
+	if _, ok := m.Labels[clusterv1.MachineSetLabelName]; ok {
+		return false
+	}
+
+	// If the Machine is originated by a ControlPlane object, it should not be adopted directly by the Cluster as a stand-alone Machine.
+	if _, ok := m.Labels[clusterv1.MachineControlPlaneNameLabel]; ok {
 		return false
 	}
 	return true
diff --git a/internal/controllers/machinedeployment/machinedeployment_controller.go b/internal/controllers/machinedeployment/machinedeployment_controller.go
index 4118c422e383..51a3373ff878 100644
--- a/internal/controllers/machinedeployment/machinedeployment_controller.go
+++ b/internal/controllers/machinedeployment/machinedeployment_controller.go
@@ -200,6 +200,7 @@ func (r *Reconciler) reconcile(ctx context.Context, cluster *clusterv1.Cluster,
 
 	d.Labels[clusterv1.ClusterLabelName] = d.Spec.ClusterName
 
+	// Set the MachineDeployment as directly owned by the Cluster (if not already present).
 	if r.shouldAdopt(d) {
 		d.OwnerReferences = util.EnsureOwnerRef(d.OwnerReferences, metav1.OwnerReference{
 			APIVersion: clusterv1.GroupVersion.String(),
@@ -226,6 +227,27 @@ func (r *Reconciler) reconcile(ctx context.Context, cluster *clusterv1.Cluster,
 		return ctrl.Result{}, err
 	}
 
+	// If not already present, add a label specifying the MachineDeployment name to MachineSets.
+	// Ensure all required labels exist on the controlled MachineSets.
+	// This logic is needed to add the `cluster.x-k8s.io/deployment-name` label to MachineSets
+	// which were created before the `cluster.x-k8s.io/deployment-name` label was added
+	// to all MachineSets created by a MachineDeployment or if a user manually removed the label.
+	for idx := range msList {
+		machineSet := msList[idx]
+		if name, ok := machineSet.Labels[clusterv1.MachineDeploymentLabelName]; ok && name == d.Name {
+			continue
+		}
+
+		helper, err := patch.NewHelper(machineSet, r.Client)
+		if err != nil {
+			return ctrl.Result{}, errors.Wrapf(err, "failed to apply %s label to MachineSet %q", clusterv1.MachineDeploymentLabelName, machineSet.Name)
+		}
+		machineSet.Labels[clusterv1.MachineDeploymentLabelName] = d.Name
+		if err := helper.Patch(ctx, machineSet); err != nil {
+			return ctrl.Result{}, errors.Wrapf(err, "failed to apply %s label to MachineSet %q", clusterv1.MachineDeploymentLabelName, machineSet.Name)
+		}
+	}
+
 	if d.Spec.Paused {
 		return ctrl.Result{}, r.sync(ctx, d, msList)
 	}
diff --git a/internal/controllers/machinedeployment/machinedeployment_controller_test.go b/internal/controllers/machinedeployment/machinedeployment_controller_test.go
index 5ac3a3ff2263..40df6c3e3408 100644
--- a/internal/controllers/machinedeployment/machinedeployment_controller_test.go
+++ b/internal/controllers/machinedeployment/machinedeployment_controller_test.go
@@ -203,8 +203,16 @@ func TestMachineDeploymentReconciler(t *testing.T) {
 			})
 		}, timeout).Should(BeTrue())
 
-		// Verify that expected number of machines are created
-		t.Log("Verify expected number of machines are created")
+		t.Log("Verify MachineSet has expected replicas and version")
+		firstMachineSet := machineSets.Items[0]
+		g.Expect(*firstMachineSet.Spec.Replicas).To(BeEquivalentTo(2))
+		g.Expect(*firstMachineSet.Spec.Template.Spec.Version).To(BeEquivalentTo("v1.10.3"))
+
+		t.Log("Verify MachineSet has expected ClusterLabelName and MachineDeploymentLabelName")
+		g.Expect(firstMachineSet.Labels[clusterv1.ClusterLabelName]).To(Equal(testCluster.Name))
+		g.Expect(firstMachineSet.Labels[clusterv1.MachineDeploymentLabelName]).To(Equal(deployment.Name))
+
+		t.Log("Verify expected number of Machines are created")
 		machines := &clusterv1.MachineList{}
 		g.Eventually(func() int {
 			if err := env.List(ctx, machines, client.InNamespace(namespace.Name)); err != nil {
@@ -213,16 +221,13 @@ func TestMachineDeploymentReconciler(t *testing.T) {
 			return len(machines.Items)
 		}, timeout).Should(BeEquivalentTo(*deployment.Spec.Replicas))
 
-		// Verify that machines has MachineSetLabelName and MachineDeploymentLabelName labels
-		t.Log("Verify machines have expected MachineSetLabelName and MachineDeploymentLabelName")
+		t.Log("Verify Machines have expected ClusterLabelName, MachineDeploymentLabelName and MachineSetLabelName")
 		for _, m := range machines.Items {
 			g.Expect(m.Labels[clusterv1.ClusterLabelName]).To(Equal(testCluster.Name))
+			g.Expect(m.Labels[clusterv1.MachineDeploymentLabelName]).To(Equal(deployment.Name))
+			g.Expect(m.Labels[clusterv1.MachineSetLabelName]).To(Equal(firstMachineSet.Name))
 		}
 
-		firstMachineSet := machineSets.Items[0]
-		g.Expect(*firstMachineSet.Spec.Replicas).To(BeEquivalentTo(2))
-		g.Expect(*firstMachineSet.Spec.Template.Spec.Version).To(BeEquivalentTo("v1.10.3"))
-
 		//
 		// Delete firstMachineSet and expect Reconcile to be called to replace it.
 		//
@@ -348,7 +353,7 @@ func TestMachineDeploymentReconciler(t *testing.T) {
 			clusterv1.ClusterLabelName: testCluster.Name,
 		}
 
-		t.Log("Updating MachineDeployment label")
+		t.Log("Updating MachineDeployment labels")
 		modifyFunc = func(d *clusterv1.MachineDeployment) {
 			d.Spec.Selector.MatchLabels = newLabels
 			d.Spec.Template.Labels = newLabels
diff --git a/internal/controllers/machinedeployment/machinedeployment_sync.go b/internal/controllers/machinedeployment/machinedeployment_sync.go
index 526629a1a2e8..459cb999f763 100644
--- a/internal/controllers/machinedeployment/machinedeployment_sync.go
+++ b/internal/controllers/machinedeployment/machinedeployment_sync.go
@@ -162,9 +162,10 @@ func (r *Reconciler) getNewMachineSet(ctx context.Context, d *clusterv1.MachineD
 	newMS := clusterv1.MachineSet{
 		ObjectMeta: metav1.ObjectMeta{
 			// Make the name deterministic, to ensure idempotence
-			Name:            d.Name + "-" + apirand.SafeEncodeString(machineTemplateSpecHash),
-			Namespace:       d.Namespace,
-			Labels:          newMSTemplate.Labels,
+			Name:      d.Name + "-" + apirand.SafeEncodeString(machineTemplateSpecHash),
+			Namespace: d.Namespace,
+			Labels:    make(map[string]string),
+			// Note: by setting the ownerRef on creation we signal to the MachineSet controller that this is not a stand-alone MachineSet.
 			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(d, machineDeploymentKind)},
 		},
 		Spec: clusterv1.MachineSetSpec{
@@ -176,6 +177,18 @@ func (r *Reconciler) getNewMachineSet(ctx context.Context, d *clusterv1.MachineD
 		},
 	}
 
+	// Set the labels from newMSTemplate as top-level labels for the new MS.
+	// Note: We can't just set `newMSTemplate.Labels` directly and thus "share" the labels map between top-level and
+	// .spec.template.metadata.labels. This would mean that adding the MachineDeploymentLabelName later top-level
+	// would also add the label to .spec.template.metadata.labels.
+	for k, v := range newMSTemplate.Labels {
+		newMS.Labels[k] = v
+	}
+
+	// Enforce that the MachineDeploymentLabelName label is set
+	// Note: the MachineDeploymentLabelName is added by the default webhook to MachineDeployment.spec.template.labels if spec.selector is empty.
+	newMS.Labels[clusterv1.MachineDeploymentLabelName] = d.Name
+
 	if d.Spec.Strategy.RollingUpdate.DeletePolicy != nil {
 		newMS.Spec.DeletePolicy = *d.Spec.Strategy.RollingUpdate.DeletePolicy
 	}
diff --git a/internal/controllers/machinedeployment/mdutil/util.go b/internal/controllers/machinedeployment/mdutil/util.go
index 8fddb9ba5b63..7f05f733d36d 100644
--- a/internal/controllers/machinedeployment/mdutil/util.go
+++ b/internal/controllers/machinedeployment/mdutil/util.go
@@ -410,9 +410,9 @@ func FindNewMachineSet(deployment *clusterv1.MachineDeployment, msList []*cluste
 	return nil
 }
 
-// FindOldMachineSets returns the old machine sets targeted by the given Deployment, with the given slice of MSes.
+// FindOldMachineSets returns the old machine sets targeted by the given Deployment, within the given slice of MSes.
 // Returns two list of machine sets
-//   - the first contains all old machine sets with all non-zero replicas
+//   - the first contains all old machine sets with non-zero replicas
 //   - the second contains all old machine sets
 func FindOldMachineSets(deployment *clusterv1.MachineDeployment, msList []*clusterv1.MachineSet) ([]*clusterv1.MachineSet, []*clusterv1.MachineSet) {
 	var requiredMSs []*clusterv1.MachineSet
diff --git a/internal/controllers/machineset/machineset_controller.go b/internal/controllers/machineset/machineset_controller.go
index ab4940265378..0f8b5a1bb652 100644
--- a/internal/controllers/machineset/machineset_controller.go
+++ b/internal/controllers/machineset/machineset_controller.go
@@ -289,6 +289,38 @@ func (r *Reconciler) reconcile(ctx context.Context, cluster *clusterv1.Cluster,
 		filteredMachines = append(filteredMachines, machine)
 	}
 
+	// If not already present, add a label specifying the MachineSet name to Machines.
+	// Ensure all required labels exist on the controlled Machines.
+	// This logic is needed to add the `cluster.x-k8s.io/set-name` label to Machines
+	// which were created before the `cluster.x-k8s.io/set-name` label was added to
+	// all Machines created by a MachineSet or if a user manually removed the label.
+	for _, machine := range filteredMachines {
+		mdNameOnMachineSet, mdNameSetOnMachineSet := machineSet.Labels[clusterv1.MachineDeploymentLabelName]
+		mdNameOnMachine := machine.Labels[clusterv1.MachineDeploymentLabelName]
+
+		if msName, ok := machine.Labels[clusterv1.MachineSetLabelName]; ok && msName == machineSet.Name &&
+			(!mdNameSetOnMachineSet || mdNameOnMachineSet == mdNameOnMachine) {
+			// Continue if the MachineSet name label is already set correctly and
+			// either the MachineDeployment name label is not set on the MachineSet or
+			// the MachineDeployment name label is set correctly on the Machine.
+			continue
+		}
+
+		helper, err := patch.NewHelper(machine, r.Client)
+		if err != nil {
+			return ctrl.Result{}, errors.Wrapf(err, "failed to apply %s label to Machine %q", clusterv1.MachineSetLabelName, machine.Name)
+		}
+		machine.Labels[clusterv1.MachineSetLabelName] = machineSet.Name
+		// Propagate the MachineDeploymentLabelName from MachineSet to Machine if it is set on the MachineSet.
+		if mdNameSetOnMachineSet {
+			machine.Labels[clusterv1.MachineDeploymentLabelName] = mdNameOnMachineSet
+		}
+		if err := helper.Patch(ctx, machine); err != nil {
+			return ctrl.Result{}, errors.Wrapf(err, "failed to apply %s label to Machine %q", clusterv1.MachineSetLabelName, machine.Name)
+		}
+	}
+
+	// Remediate failed Machines by deleting them.
 	var errs []error
 	for _, machine := range filteredMachines {
 		log := log.WithValues("Machine", klog.KObj(machine))
@@ -500,10 +532,11 @@ func (r *Reconciler) getNewMachine(machineSet *clusterv1.MachineSet) *clusterv1.
 	gv := clusterv1.GroupVersion
 	machine := &clusterv1.Machine{
 		ObjectMeta: metav1.ObjectMeta{
-			GenerateName:    fmt.Sprintf("%s-", machineSet.Name),
+			GenerateName: fmt.Sprintf("%s-", machineSet.Name),
+			// Note: by setting the ownerRef on creation we signal to the Machine controller that this is not a stand-alone Machine.
 			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(machineSet, machineSetKind)},
 			Namespace:       machineSet.Namespace,
-			Labels:          machineSet.Spec.Template.Labels,
+			Labels:          make(map[string]string),
 			Annotations:     machineSet.Spec.Template.Annotations,
 		},
 		TypeMeta: metav1.TypeMeta{
@@ -513,9 +546,24 @@ func (r *Reconciler) getNewMachine(machineSet *clusterv1.MachineSet) *clusterv1.
 		Spec: machineSet.Spec.Template.Spec,
 	}
 	machine.Spec.ClusterName = machineSet.Spec.ClusterName
-	if machine.Labels == nil {
-		machine.Labels = make(map[string]string)
+
+	// Set the labels from machineSet.Spec.Template.Labels as labels for the new Machine.
+	// Note: We can't just set `machineSet.Spec.Template.Labels` directly and thus "share" the labels
+	// map between Machine and machineSet.Spec.Template.Labels. This would mean that adding the
+	// MachineSetLabelName and MachineDeploymentLabelName later on the Machine would also add the labels
+	// to machineSet.Spec.Template.Labels and thus modify the labels of the MachineSet.
+	for k, v := range machineSet.Spec.Template.Labels {
+		machine.Labels[k] = v
 	}
+
+	// Enforce that the MachineSetLabelName label is set
+	// Note: the MachineSetLabelName is added by the default webhook to MachineSet.spec.template.labels if a spec.selector is empty.
+	machine.Labels[clusterv1.MachineSetLabelName] = machineSet.Name
+	// Propagate the MachineDeploymentLabelName from MachineSet to Machine if it exists.
+	if mdName, ok := machineSet.Labels[clusterv1.MachineDeploymentLabelName]; ok {
+		machine.Labels[clusterv1.MachineDeploymentLabelName] = mdName
+	}
+
 	return machine
 }
 
@@ -652,10 +700,10 @@ func (r *Reconciler) shouldAdopt(ms *clusterv1.MachineSet) bool {
 		return false
 	}
 
-	// If the MachineSet is originated by a MachineDeployment, this prevents it from being adopted as a stand-alone MachineSet.
+	// If the MachineSet is originated by a MachineDeployment object, it should not be adopted directly by the Cluster as a stand-alone MachineSet.
 	// Note: this is required because after restore from a backup both the MachineSet controller and the
 	// MachineDeployment controller are racing to adopt MachineSets, see https://github.com/kubernetes-sigs/cluster-api/issues/7529
-	if _, ok := ms.Labels[clusterv1.MachineDeploymentUniqueLabel]; ok {
+	if _, ok := ms.Labels[clusterv1.MachineDeploymentLabelName]; ok {
 		return false
 	}
 	return true

From 14d80d685b15dccaaa68061a36cceb46925180c9 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <buringerst@vmware.com>
Date: Fri, 25 Nov 2022 13:13:22 +0700
Subject: [PATCH 22/87] Use latest kind images for CAPD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 Tiltfile                                       |  2 +-
 docs/book/src/developer/tilt.md                |  2 +-
 docs/book/src/user/quick-start.md              | 18 +++++++++---------
 test/e2e/clusterctl_upgrade_test.go            |  6 +++---
 test/e2e/config/docker.yaml                    |  8 ++++----
 test/framework/bootstrap/kind_provider.go      |  2 +-
 test/infrastructure/docker/Dockerfile          |  2 +-
 .../docker/examples/machine-pool.yaml          |  4 ++--
 .../docker/examples/simple-cluster-ipv6.yaml   |  4 ++--
 .../examples/simple-cluster-without-kcp.yaml   |  4 ++--
 .../docker/examples/simple-cluster.yaml        |  4 ++--
 .../docker/internal/docker/machine.go          |  2 +-
 12 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/Tiltfile b/Tiltfile
index 0eb9cde41a73..e735ea5f04d8 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -3,7 +3,7 @@
 envsubst_cmd = "./hack/tools/bin/envsubst"
 clusterctl_cmd = "./bin/clusterctl"
 kubectl_cmd = "kubectl"
-kubernetes_version = "v1.25.0"
+kubernetes_version = "v1.25.3"
 
 if str(local("command -v " + kubectl_cmd + " || true", quiet = True)) == "":
     fail("Required command '" + kubectl_cmd + "' not found in PATH")
diff --git a/docs/book/src/developer/tilt.md b/docs/book/src/developer/tilt.md
index 9939fbcf6b95..76d49144cf43 100644
--- a/docs/book/src/developer/tilt.md
+++ b/docs/book/src/developer/tilt.md
@@ -303,7 +303,7 @@ Custom values for variable substitutions can be set using `kustomize_substitutio
 ```yaml
 kustomize_substitutions:
   NAMESPACE: default
-  KUBERNETES_VERSION: v1.25.0
+  KUBERNETES_VERSION: v1.25.3
   CONTROL_PLANE_MACHINE_COUNT: 1
   WORKER_MACHINE_COUNT: 3
 ```
diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index be43d80b7a51..528903257a2f 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -1122,7 +1122,7 @@ The Docker provider is not designed for production use and is intended for devel
 
 ```bash
 clusterctl generate cluster capi-quickstart --flavor development \
-  --kubernetes-version v1.25.0 \
+  --kubernetes-version v1.25.3 \
   --control-plane-machine-count=3 \
   --worker-machine-count=3 \
   > capi-quickstart.yaml
@@ -1165,7 +1165,7 @@ clusterctl generate cluster capi-quickstart \
 
 ```bash
 clusterctl generate cluster capi-quickstart \
-  --kubernetes-version v1.25.0 \
+  --kubernetes-version v1.25.3 \
   --control-plane-machine-count=3 \
   --worker-machine-count=3 \
   > capi-quickstart.yaml
@@ -1225,7 +1225,7 @@ You should see an output is similar to this:
 
 ```bash
 NAME                    CLUSTER           INITIALIZED   API SERVER AVAILABLE   REPLICAS   READY   UPDATED   UNAVAILABLE   AGE    VERSION
-capi-quickstart-g2trk   capi-quickstart   true                                 3                  3         3             4m7s   v1.25.0
+capi-quickstart-g2trk   capi-quickstart   true                                 3                  3         3             4m7s   v1.25.3
 ```
 
 <aside class="note warning">
@@ -1427,12 +1427,12 @@ kubectl --kubeconfig=./capi-quickstart.kubeconfig get nodes
 ```
 ```bash
 NAME                                          STATUS   ROLES           AGE   VERSION
-capi-quickstart-g2trk-9xrjv                   Ready    control-plane   12m   v1.25.0
-capi-quickstart-g2trk-bmm9v                   Ready    control-plane   11m   v1.25.0
-capi-quickstart-g2trk-hvs9q                   Ready    control-plane   13m   v1.25.0
-capi-quickstart-md-0-55x6t-5649968bd7-8tq9v   Ready    <none>          12m   v1.25.0
-capi-quickstart-md-0-55x6t-5649968bd7-glnjd   Ready    <none>          12m   v1.25.0
-capi-quickstart-md-0-55x6t-5649968bd7-sfzp6   Ready    <none>          12m   v1.25.0
+capi-quickstart-g2trk-9xrjv                   Ready    control-plane   12m   v1.25.3
+capi-quickstart-g2trk-bmm9v                   Ready    control-plane   11m   v1.25.3
+capi-quickstart-g2trk-hvs9q                   Ready    control-plane   13m   v1.25.3
+capi-quickstart-md-0-55x6t-5649968bd7-8tq9v   Ready    <none>          12m   v1.25.3
+capi-quickstart-md-0-55x6t-5649968bd7-glnjd   Ready    <none>          12m   v1.25.3
+capi-quickstart-md-0-55x6t-5649968bd7-sfzp6   Ready    <none>          12m   v1.25.3
 ```
 
 {{#/tab }}
diff --git a/test/e2e/clusterctl_upgrade_test.go b/test/e2e/clusterctl_upgrade_test.go
index 33996b2c5ed2..105dc38ccd8d 100644
--- a/test/e2e/clusterctl_upgrade_test.go
+++ b/test/e2e/clusterctl_upgrade_test.go
@@ -53,7 +53,7 @@ var _ = Describe("When testing clusterctl upgrades (v0.4=>current)", func() {
 			SkipCleanup:               skipCleanup,
 			InitWithBinary:            "https://github.com/kubernetes-sigs/cluster-api/releases/download/v0.4.8/clusterctl-{OS}-{ARCH}",
 			InitWithProvidersContract: "v1alpha4",
-			InitWithKubernetesVersion: "v1.25.0",
+			InitWithKubernetesVersion: "v1.25.3",
 		}
 	})
 })
@@ -68,7 +68,7 @@ var _ = Describe("When testing clusterctl upgrades (v1.2=>current)", func() {
 			SkipCleanup:               skipCleanup,
 			InitWithBinary:            "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.5/clusterctl-{OS}-{ARCH}",
 			InitWithProvidersContract: "v1beta1",
-			InitWithKubernetesVersion: "v1.25.0",
+			InitWithKubernetesVersion: "v1.25.3",
 		}
 	})
 })
@@ -83,7 +83,7 @@ var _ = Describe("When testing clusterctl upgrades using ClusterClass (v1.2=>cur
 			SkipCleanup:               skipCleanup,
 			InitWithBinary:            "https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.2.5/clusterctl-{OS}-{ARCH}",
 			InitWithProvidersContract: "v1beta1",
-			InitWithKubernetesVersion: "v1.25.0",
+			InitWithKubernetesVersion: "v1.25.3",
 			WorkloadFlavor:            "topology",
 		}
 	})
diff --git a/test/e2e/config/docker.yaml b/test/e2e/config/docker.yaml
index f8aebbb1e018..540e522b7019 100644
--- a/test/e2e/config/docker.yaml
+++ b/test/e2e/config/docker.yaml
@@ -215,10 +215,10 @@ variables:
   # allowing the same e2e config file to be re-used in different Prow jobs e.g. each one with a K8s version permutation.
   # The following Kubernetes versions should be the latest versions with already published kindest/node images.
   # This avoids building node images in the default case which improves the test duration significantly.
-  KUBERNETES_VERSION_MANAGEMENT: "v1.25.0"
-  KUBERNETES_VERSION: "v1.25.0"
-  KUBERNETES_VERSION_UPGRADE_FROM: "1.24.4"
-  KUBERNETES_VERSION_UPGRADE_TO: "v1.25.0"
+  KUBERNETES_VERSION_MANAGEMENT: "v1.25.3"
+  KUBERNETES_VERSION: "v1.25.3"
+  KUBERNETES_VERSION_UPGRADE_FROM: "v1.24.7"
+  KUBERNETES_VERSION_UPGRADE_TO: "v1.25.3"
   ETCD_VERSION_UPGRADE_TO: "3.5.4-0"
   COREDNS_VERSION_UPGRADE_TO: "v1.9.3"
   DOCKER_SERVICE_DOMAIN: "cluster.local"
diff --git a/test/framework/bootstrap/kind_provider.go b/test/framework/bootstrap/kind_provider.go
index 05d4c0193bf7..e8cded2e4a72 100644
--- a/test/framework/bootstrap/kind_provider.go
+++ b/test/framework/bootstrap/kind_provider.go
@@ -37,7 +37,7 @@ const (
 	DefaultNodeImageRepository = "kindest/node"
 
 	// DefaultNodeImageVersion is the default Kubernetes version to be used for creating a kind cluster.
-	DefaultNodeImageVersion = "v1.25.0"
+	DefaultNodeImageVersion = "v1.25.3"
 )
 
 // KindClusterOption is a NewKindClusterProvider option.
diff --git a/test/infrastructure/docker/Dockerfile b/test/infrastructure/docker/Dockerfile
index 71ac76f47089..97c872de2350 100644
--- a/test/infrastructure/docker/Dockerfile
+++ b/test/infrastructure/docker/Dockerfile
@@ -33,7 +33,7 @@ ENV GOPROXY=$goproxy
 # Gets additional CAPD dependencies
 WORKDIR /tmp
 
-RUN curl -LO "https://dl.k8s.io/release/v1.25.0/bin/linux/${ARCH}/kubectl" && \
+RUN curl -LO "https://dl.k8s.io/release/v1.25.3/bin/linux/${ARCH}/kubectl" && \
     chmod +x ./kubectl && \
     mv ./kubectl /usr/bin/kubectl
 
diff --git a/test/infrastructure/docker/examples/machine-pool.yaml b/test/infrastructure/docker/examples/machine-pool.yaml
index 764466854d0a..37b29bbbd499 100644
--- a/test/infrastructure/docker/examples/machine-pool.yaml
+++ b/test/infrastructure/docker/examples/machine-pool.yaml
@@ -35,7 +35,7 @@ metadata:
   namespace: default
 spec:
   replicas: 1
-  version: v1.25.0
+  version: v1.25.3
   machineTemplate:
     infrastructureRef:
       apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -80,7 +80,7 @@ spec:
   replicas: 2
   template:
     spec:
-      version: v1.25.0
+      version: v1.25.3
       clusterName: my-cluster
       bootstrap:
         configRef:
diff --git a/test/infrastructure/docker/examples/simple-cluster-ipv6.yaml b/test/infrastructure/docker/examples/simple-cluster-ipv6.yaml
index 4775bfde98cf..9bc992520e10 100644
--- a/test/infrastructure/docker/examples/simple-cluster-ipv6.yaml
+++ b/test/infrastructure/docker/examples/simple-cluster-ipv6.yaml
@@ -35,7 +35,7 @@ metadata:
   namespace: default
 spec:
   replicas: 1
-  version: v1.25.0
+  version: v1.25.3
   machineTemplate:
     infrastructureRef:
       apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -90,7 +90,7 @@ spec:
       cluster.x-k8s.io/cluster-name: my-cluster
   template:
     spec:
-      version: v1.25.0
+      version: v1.25.3
       clusterName: my-cluster
       bootstrap:
         configRef:
diff --git a/test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml b/test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml
index 165ce2bc36b7..e8ed00b26f92 100644
--- a/test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml
+++ b/test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml
@@ -32,7 +32,7 @@ metadata:
   name: controlplane-0
   namespace: default
 spec:
-  version: v1.25.0
+  version: v1.25.3
   clusterName: my-cluster
   bootstrap:
     configRef:
@@ -80,7 +80,7 @@ spec:
       cluster.x-k8s.io/cluster-name: my-cluster
   template:
     spec:
-      version: v1.25.0
+      version: v1.25.3
       clusterName: my-cluster
       bootstrap:
         configRef:
diff --git a/test/infrastructure/docker/examples/simple-cluster.yaml b/test/infrastructure/docker/examples/simple-cluster.yaml
index 196202278556..9d68f6b334e2 100644
--- a/test/infrastructure/docker/examples/simple-cluster.yaml
+++ b/test/infrastructure/docker/examples/simple-cluster.yaml
@@ -35,7 +35,7 @@ metadata:
   namespace: default
 spec:
   replicas: 1
-  version: v1.25.0
+  version: v1.25.3
   machineTemplate:
     infrastructureRef:
       apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -83,7 +83,7 @@ spec:
       cluster.x-k8s.io/cluster-name: my-cluster
   template:
     spec:
-      version: v1.25.0
+      version: v1.25.3
       clusterName: my-cluster
       bootstrap:
         configRef:
diff --git a/test/infrastructure/docker/internal/docker/machine.go b/test/infrastructure/docker/internal/docker/machine.go
index 077da675193e..9c85391be58f 100644
--- a/test/infrastructure/docker/internal/docker/machine.go
+++ b/test/infrastructure/docker/internal/docker/machine.go
@@ -50,7 +50,7 @@ import (
 
 const (
 	defaultImageName = "kindest/node"
-	defaultImageTag  = "v1.25.0"
+	defaultImageTag  = "v1.25.3"
 )
 
 type nodeCreator interface {

From a0a6143fed8bdfe8556e39ff2842b0becd771821 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Tue, 22 Nov 2022 18:54:30 +0000
Subject: [PATCH 23/87] Ensure infra and bootstrap objects are owned by
 Machines

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 .../machine/machine_controller_phases.go      | 46 ++++++++++++++-----
 .../machineset/machineset_controller_test.go  | 40 ++++++++++++----
 2 files changed, 65 insertions(+), 21 deletions(-)

diff --git a/internal/controllers/machine/machine_controller_phases.go b/internal/controllers/machine/machine_controller_phases.go
index 4fa3685e3c3b..7fd3ebb1583d 100644
--- a/internal/controllers/machine/machine_controller_phases.go
+++ b/internal/controllers/machine/machine_controller_phases.go
@@ -116,17 +116,11 @@ func (r *Reconciler) reconcileExternal(ctx context.Context, cluster *clusterv1.C
 		return external.ReconcileOutput{}, err
 	}
 
-	// With the migration from v1alpha2 to v1alpha3, Machine controllers should be the owner for the
-	// infra Machines, hence remove any existing machineset controller owner reference
-	if controller := metav1.GetControllerOf(obj); controller != nil && controller.Kind == "MachineSet" {
-		gv, err := schema.ParseGroupVersion(controller.APIVersion)
-		if err != nil {
-			return external.ReconcileOutput{}, err
-		}
-		if gv.Group == clusterv1.GroupVersion.Group {
-			ownerRefs := util.RemoveOwnerRef(obj.GetOwnerReferences(), *controller)
-			obj.SetOwnerReferences(ownerRefs)
-		}
+	// removeOnCreateOwnerRefs removes MachineSet and control plane owners from the objects referred to by a Machine.
+	// These owner references are added initially because Machines don't exist when those objects are created.
+	// At this point the Machine exists and can be set as the controller reference.
+	if err := removeOnCreateOwnerRefs(cluster, m, obj); err != nil {
+		return external.ReconcileOutput{}, err
 	}
 
 	// Set external object ControllerReference to the Machine.
@@ -372,3 +366,33 @@ func (r *Reconciler) reconcileCertificateExpiry(ctx context.Context, _ *clusterv
 
 	return ctrl.Result{}, nil
 }
+
+// removeOnCreateOwnerRefs will remove any MachineSet or control plane owner references from passed objects.
+func removeOnCreateOwnerRefs(cluster *clusterv1.Cluster, m *clusterv1.Machine, obj *unstructured.Unstructured) error {
+	cpGVK := getControlPlaneGVKForMachine(cluster, m)
+	for _, owner := range obj.GetOwnerReferences() {
+		ownerGV, err := schema.ParseGroupVersion(owner.APIVersion)
+		if err != nil {
+			return errors.Wrapf(err, "Could not remove ownerReference %v from object %s/%s", owner.String(), obj.GetKind(), obj.GetName())
+		}
+		if (ownerGV.Group == clusterv1.GroupVersion.Group && owner.Kind == "MachineSet") ||
+			(cpGVK != nil && ownerGV.Group == cpGVK.GroupVersion().Group && owner.Kind == cpGVK.Kind) {
+			ownerRefs := util.RemoveOwnerRef(obj.GetOwnerReferences(), owner)
+			obj.SetOwnerReferences(ownerRefs)
+		}
+	}
+	return nil
+}
+
+// getControlPlaneGVKForMachine returns the Kind of the control plane in the Cluster associated with the Machine.
+// This function checks that the Machine is managed by a control plane, and then retrieves the Kind from the Cluster's
+// .spec.controlPlaneRef.
+func getControlPlaneGVKForMachine(cluster *clusterv1.Cluster, machine *clusterv1.Machine) *schema.GroupVersionKind {
+	if _, ok := machine.GetLabels()[clusterv1.MachineControlPlaneLabelName]; ok {
+		if cluster.Spec.ControlPlaneRef != nil {
+			gvk := cluster.Spec.ControlPlaneRef.GroupVersionKind()
+			return &gvk
+		}
+	}
+	return nil
+}
diff --git a/internal/controllers/machineset/machineset_controller_test.go b/internal/controllers/machineset/machineset_controller_test.go
index 49db0fa23647..9dfb4bdff096 100644
--- a/internal/controllers/machineset/machineset_controller_test.go
+++ b/internal/controllers/machineset/machineset_controller_test.go
@@ -228,14 +228,24 @@ func TestMachineSetReconciler(t *testing.T) {
 			g.Expect(im.GetAnnotations()).To(HaveKeyWithValue("annotation-1", "true"), "have annotations of MachineTemplate applied")
 			g.Expect(im.GetAnnotations()).To(HaveKeyWithValue("precedence", "MachineSet"), "the annotations from the MachineSpec template to overwrite the infrastructure template ones")
 			g.Expect(im.GetLabels()).To(HaveKeyWithValue("label-1", "true"), "have labels of MachineTemplate applied")
+		}
+		g.Eventually(func() bool {
+			g.Expect(env.List(ctx, infraMachines, client.InNamespace(namespace.Name))).To(Succeed())
+			// The Machine reconciler should remove the ownerReference to the MachineSet on the InfrastructureMachine.
 			hasMSOwnerRef := false
-			for _, o := range im.GetOwnerReferences() {
-				if o.Kind == machineSetKind.Kind {
-					hasMSOwnerRef = true
+			hasMachineOwnerRef := false
+			for _, im := range infraMachines.Items {
+				for _, o := range im.GetOwnerReferences() {
+					if o.Kind == machineSetKind.Kind {
+						hasMSOwnerRef = true
+					}
+					if o.Kind == "Machine" {
+						hasMachineOwnerRef = true
+					}
 				}
 			}
-			g.Expect(hasMSOwnerRef).To(BeTrue(), "have ownerRef to MachineSet")
-		}
+			return !hasMSOwnerRef && hasMachineOwnerRef
+		}, timeout).Should(BeTrue(), "infraMachine should not have ownerRef to MachineSet")
 
 		t.Log("Creating a BootstrapConfig for each Machine")
 		bootstrapConfigs := &unstructured.UnstructuredList{}
@@ -251,14 +261,24 @@ func TestMachineSetReconciler(t *testing.T) {
 			g.Expect(im.GetAnnotations()).To(HaveKeyWithValue("annotation-1", "true"), "have annotations of MachineTemplate applied")
 			g.Expect(im.GetAnnotations()).To(HaveKeyWithValue("precedence", "MachineSet"), "the annotations from the MachineSpec template to overwrite the bootstrap config template ones")
 			g.Expect(im.GetLabels()).To(HaveKeyWithValue("label-1", "true"), "have labels of MachineTemplate applied")
+		}
+		g.Eventually(func() bool {
+			g.Expect(env.List(ctx, bootstrapConfigs, client.InNamespace(namespace.Name))).To(Succeed())
+			// The Machine reconciler should remove the ownerReference to the MachineSet on the Bootstrap object.
 			hasMSOwnerRef := false
-			for _, o := range im.GetOwnerReferences() {
-				if o.Kind == machineSetKind.Kind {
-					hasMSOwnerRef = true
+			hasMachineOwnerRef := false
+			for _, im := range bootstrapConfigs.Items {
+				for _, o := range im.GetOwnerReferences() {
+					if o.Kind == machineSetKind.Kind {
+						hasMSOwnerRef = true
+					}
+					if o.Kind == "Machine" {
+						hasMachineOwnerRef = true
+					}
 				}
 			}
-			g.Expect(hasMSOwnerRef).To(BeTrue(), "have ownerRef to MachineSet")
-		}
+			return !hasMSOwnerRef && hasMachineOwnerRef
+		}, timeout).Should(BeTrue(), "bootstrap should not have ownerRef to MachineSet")
 
 		// Set the infrastructure reference as ready.
 		for _, m := range machines.Items {

From a8f0a8d922ca0807dd35aad11671cf33dc5ae85b Mon Sep 17 00:00:00 2001
From: Jim Ntosas <ntosas@gmail.com>
Date: Mon, 28 Nov 2022 14:52:09 +0200
Subject: [PATCH 24/87] Make kcp.skipPhases field mutable

Makes KCP skipPhases field mutable, needed in cases like disabling
kube-proxy deployment on an existing cluster.

Signed-off-by: Jim Ntosas <ntosas@gmail.com>
---
 .../v1beta1/kubeadm_control_plane_webhook.go   |  3 +++
 .../kubeadm_control_plane_webhook_test.go      | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
index 285cbeca3099..e8f4a68367cb 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
@@ -115,6 +115,7 @@ const (
 	initConfiguration    = "initConfiguration"
 	joinConfiguration    = "joinConfiguration"
 	nodeRegistration     = "nodeRegistration"
+	skipPhases           = "skipPhases"
 	patches              = "patches"
 	directory            = "directory"
 	preKubeadmCommands   = "preKubeadmCommands"
@@ -148,8 +149,10 @@ func (in *KubeadmControlPlane) ValidateUpdate(old runtime.Object) error {
 		{spec, kubeadmConfigSpec, clusterConfiguration, scheduler, "*"},
 		{spec, kubeadmConfigSpec, initConfiguration, nodeRegistration, "*"},
 		{spec, kubeadmConfigSpec, initConfiguration, patches, directory},
+		{spec, kubeadmConfigSpec, initConfiguration, skipPhases},
 		{spec, kubeadmConfigSpec, joinConfiguration, nodeRegistration, "*"},
 		{spec, kubeadmConfigSpec, joinConfiguration, patches, directory},
+		{spec, kubeadmConfigSpec, joinConfiguration, skipPhases},
 		{spec, kubeadmConfigSpec, preKubeadmCommands},
 		{spec, kubeadmConfigSpec, postKubeadmCommands},
 		{spec, kubeadmConfigSpec, files},
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
index d8c52f7ce7d2..f13d34b36cb9 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
@@ -651,6 +651,12 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 		Directory: "/tmp/patches",
 	}
 
+	updateInitConfigurationSkipPhases := before.DeepCopy()
+	updateInitConfigurationSkipPhases.Spec.KubeadmConfigSpec.InitConfiguration.SkipPhases = []string{"addon/kube-proxy"}
+
+	updateJoinConfigurationSkipPhases := before.DeepCopy()
+	updateJoinConfigurationSkipPhases.Spec.KubeadmConfigSpec.JoinConfiguration.SkipPhases = []string{"addon/kube-proxy"}
+
 	updateDiskSetup := before.DeepCopy()
 	updateDiskSetup.Spec.KubeadmConfigSpec.DiskSetup = &bootstrapv1.DiskSetup{
 		Filesystems: []bootstrapv1.Filesystem{
@@ -985,6 +991,18 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 			before:    before,
 			kcp:       updateJoinConfigurationPatches,
 		},
+		{
+			name:      "should allow changes to initConfiguration.skipPhases",
+			expectErr: false,
+			before:    before,
+			kcp:       updateInitConfigurationSkipPhases,
+		},
+		{
+			name:      "should allow changes to joinConfiguration.skipPhases",
+			expectErr: false,
+			before:    before,
+			kcp:       updateJoinConfigurationSkipPhases,
+		},
 		{
 			name:      "should allow changes to diskSetup",
 			expectErr: false,

From 679ae3e9e6b60928109b9d46b3e8719581b92d4f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 28 Nov 2022 21:05:57 +0000
Subject: [PATCH 25/87] seedling: Bump github.com/coredns/corefile-migration

Bumps [github.com/coredns/corefile-migration](https://github.com/coredns/corefile-migration) from 1.0.17 to 1.0.18.
- [Release notes](https://github.com/coredns/corefile-migration/releases)
- [Commits](https://github.com/coredns/corefile-migration/compare/v1.0.17...v1.0.18)
---
 docs/book/src/reference/versions.md | 4 ++--
 go.mod                              | 2 +-
 go.sum                              | 4 ++--
 hack/tools/go.sum                   | 2 +-
 test/go.mod                         | 2 +-
 test/go.sum                         | 4 ++--
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/docs/book/src/reference/versions.md b/docs/book/src/reference/versions.md
index 3fb4a7cde2d3..dff1b356b9e8 100644
--- a/docs/book/src/reference/versions.md
+++ b/docs/book/src/reference/versions.md
@@ -129,8 +129,8 @@ The Kubeadm Control Plane requires the Kubeadm Bootstrap Provider.
 | v0.4 (v1alpha4) | v1.8.4                          |
 | v1.0 (v1beta1)  | v1.8.5                          |
 | v1.1 (v1beta1)  | v1.9.3                          |
-| v1.2 (v1beta1)  | v1.9.3                          |
-| v1.3 (v1beta1)  | v1.9.3                          |
+| v1.2 (v1beta1)  | v1.9.3 (v1.10.0 with >= v1.2.7) |
+| v1.3 (v1beta1)  | v1.10.0                         |
 
 #### Kubernetes version specific notes
 
diff --git a/go.mod b/go.mod
index b1c748ceb755..4f69f7c8ae78 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/coredns/corefile-migration v1.0.17
+	github.com/coredns/corefile-migration v1.0.18
 	github.com/davecgh/go-spew v1.1.1
 	github.com/docker/distribution v2.8.1+incompatible
 	github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46
diff --git a/go.sum b/go.sum
index 370899b4d4c5..bb9b28336d80 100644
--- a/go.sum
+++ b/go.sum
@@ -143,8 +143,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/coredns/caddy v1.1.0 h1:ezvsPrT/tA/7pYDBZxu0cT0VmWk75AfIaf6GSYCNMf0=
 github.com/coredns/caddy v1.1.0/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
-github.com/coredns/corefile-migration v1.0.17 h1:tNwh8+4WOANV6NjSljwgW7qViJfhvPUt1kosj4rR8yg=
-github.com/coredns/corefile-migration v1.0.17/go.mod h1:XnhgULOEouimnzgn0t4WPuFDN2/PJQcTxdWKC5eXNGE=
+github.com/coredns/corefile-migration v1.0.18 h1:zs5PJm/VGZVje1ESRj6ZqyUuVsVfagExkbLU2QKV5mI=
+github.com/coredns/corefile-migration v1.0.18/go.mod h1:XnhgULOEouimnzgn0t4WPuFDN2/PJQcTxdWKC5eXNGE=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-semver v0.1.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
diff --git a/hack/tools/go.sum b/hack/tools/go.sum
index 262b6319d2df..86be17f9177d 100644
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@@ -123,7 +123,7 @@ github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBd
 github.com/containerd/containerd v1.6.6 h1:xJNPhbrmz8xAMDNoVjHy9YHtWwEQNS+CDkcIRh7t8Y0=
 github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0=
 github.com/coredns/caddy v1.1.0 h1:ezvsPrT/tA/7pYDBZxu0cT0VmWk75AfIaf6GSYCNMf0=
-github.com/coredns/corefile-migration v1.0.17 h1:tNwh8+4WOANV6NjSljwgW7qViJfhvPUt1kosj4rR8yg=
+github.com/coredns/corefile-migration v1.0.18 h1:zs5PJm/VGZVje1ESRj6ZqyUuVsVfagExkbLU2QKV5mI=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.11 h1:07n33Z8lZxZ2qwegKbObQohDhXDQxiMMz1NOUGYlesw=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
diff --git a/test/go.mod b/test/go.mod
index 93b8a6eed0c6..6aa128d84b9f 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -43,7 +43,7 @@ require (
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/coredns/caddy v1.1.0 // indirect
-	github.com/coredns/corefile-migration v1.0.17 // indirect
+	github.com/coredns/corefile-migration v1.0.18 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
diff --git a/test/go.sum b/test/go.sum
index 1a0c06cce5e3..563658068ce8 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -125,8 +125,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/coredns/caddy v1.1.0 h1:ezvsPrT/tA/7pYDBZxu0cT0VmWk75AfIaf6GSYCNMf0=
 github.com/coredns/caddy v1.1.0/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
-github.com/coredns/corefile-migration v1.0.17 h1:tNwh8+4WOANV6NjSljwgW7qViJfhvPUt1kosj4rR8yg=
-github.com/coredns/corefile-migration v1.0.17/go.mod h1:XnhgULOEouimnzgn0t4WPuFDN2/PJQcTxdWKC5eXNGE=
+github.com/coredns/corefile-migration v1.0.18 h1:zs5PJm/VGZVje1ESRj6ZqyUuVsVfagExkbLU2QKV5mI=
+github.com/coredns/corefile-migration v1.0.18/go.mod h1:XnhgULOEouimnzgn0t4WPuFDN2/PJQcTxdWKC5eXNGE=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-semver v0.1.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=

From d8995525353beb15e28c9b518681b60fd108e012 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Tue, 22 Nov 2022 15:44:19 +0000
Subject: [PATCH 26/87] Fix KubeadmControlPlane secrets should always be
 adopted

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 api/v1beta1/common_types.go                   |   2 +
 .../controllers/kubeadmconfig_controller.go   |  21 +-
 .../internal/controllers/controller.go        |  33 +++
 .../internal/controllers/controller_test.go   | 200 +++++++++++++++++-
 .../kubeadm/internal/controllers/helpers.go   |  50 +++--
 .../internal/controllers/helpers_test.go      | 126 ++++++++++-
 6 files changed, 402 insertions(+), 30 deletions(-)

diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index 1dd7c382cf22..113c4e95f25a 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -107,6 +107,8 @@ const (
 	MachineSkipRemediationAnnotation = "cluster.x-k8s.io/skip-remediation"
 
 	// ClusterSecretType defines the type of secret created by core components.
+	// Note: This is used by core CAPI, CAPBK, and KCP to determine whether a secret is created by the controllers
+	// themselves or supplied by the user (e.g. bring your own certificates).
 	ClusterSecretType corev1.SecretType = "cluster.x-k8s.io/secret" //nolint:gosec
 
 	// InterruptibleLabel is the label used to mark the nodes that run on interruptible instances.
diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
index 93512954575d..d46246b453c6 100644
--- a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
+++ b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
@@ -440,12 +440,21 @@ func (r *KubeadmConfigReconciler) handleClusterNotInitialized(ctx context.Contex
 	}
 
 	certificates := secret.NewCertificatesForInitialControlPlane(scope.Config.Spec.ClusterConfiguration)
-	err = certificates.LookupOrGenerate(
-		ctx,
-		r.Client,
-		util.ObjectKey(scope.Cluster),
-		*metav1.NewControllerRef(scope.Config, bootstrapv1.GroupVersion.WithKind("KubeadmConfig")),
-	)
+
+	// If the Cluster does not have a ControlPlane reference look up and generate the certificates.
+	// Otherwise rely on certificates generated by the ControlPlane controller.
+	// Note: A cluster does not have a ControlPlane reference when using standalone CP machines.
+	if scope.Cluster.Spec.ControlPlaneRef == nil {
+		err = certificates.LookupOrGenerate(
+			ctx,
+			r.Client,
+			util.ObjectKey(scope.Cluster),
+			*metav1.NewControllerRef(scope.Config, bootstrapv1.GroupVersion.WithKind("KubeadmConfig")))
+	} else {
+		err = certificates.Lookup(ctx,
+			r.Client,
+			util.ObjectKey(scope.Cluster))
+	}
 	if err != nil {
 		conditions.MarkFalse(scope.Config, bootstrapv1.CertificatesAvailableCondition, bootstrapv1.CertificatesGenerationFailedReason, clusterv1.ConditionSeverityWarning, err.Error())
 		return ctrl.Result{}, err
diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go
index 63c28e026f6b..072ce2f9662c 100644
--- a/controlplane/kubeadm/internal/controllers/controller.go
+++ b/controlplane/kubeadm/internal/controllers/controller.go
@@ -312,6 +312,9 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, cluster *
 		err = r.adoptMachines(ctx, kcp, adoptableMachines, cluster)
 		return ctrl.Result{}, err
 	}
+	if err := ensureCertificatesOwnerRef(ctx, r.Client, util.ObjectKey(cluster), certificates, *controllerRef); err != nil {
+		return ctrl.Result{}, err
+	}
 
 	ownedMachines := controlPlaneMachines.Filter(collections.OwnedMachines(kcp))
 	if len(ownedMachines) != len(controlPlaneMachines) {
@@ -786,3 +789,33 @@ func (r *KubeadmControlPlaneReconciler) adoptOwnedSecrets(ctx context.Context, k
 
 	return nil
 }
+
+// ensureCertificatesOwnerRef ensures an ownerReference to the owner is added on the Secrets holding certificates.
+func ensureCertificatesOwnerRef(ctx context.Context, ctrlclient client.Client, clusterKey client.ObjectKey, certificates secret.Certificates, owner metav1.OwnerReference) error {
+	for _, c := range certificates {
+		s := &corev1.Secret{}
+		secretKey := client.ObjectKey{Namespace: clusterKey.Namespace, Name: secret.Name(clusterKey.Name, c.Purpose)}
+		if err := ctrlclient.Get(ctx, secretKey, s); err != nil {
+			return errors.Wrapf(err, "failed to get Secret %s", secretKey)
+		}
+		// If the Type doesn't match the type used for secrets created by core components, KCP included
+		if s.Type != clusterv1.ClusterSecretType {
+			continue
+		}
+		patchHelper, err := patch.NewHelper(s, ctrlclient)
+		if err != nil {
+			return errors.Wrapf(err, "failed to create patchHelper for Secret %s", secretKey)
+		}
+
+		// Remove the current controller if one exists.
+		if controller := metav1.GetControllerOf(s); controller != nil {
+			s.SetOwnerReferences(util.RemoveOwnerRef(s.OwnerReferences, *controller))
+		}
+
+		s.OwnerReferences = util.EnsureOwnerRef(s.OwnerReferences, owner)
+		if err := patchHelper.Patch(ctx, s); err != nil {
+			return errors.Wrapf(err, "failed to patch Secret %s with ownerReference %s", secretKey, owner.String())
+		}
+	}
+	return nil
+}
diff --git a/controlplane/kubeadm/internal/controllers/controller_test.go b/controlplane/kubeadm/internal/controllers/controller_test.go
index 069d90e1f954..ac35301c033d 100644
--- a/controlplane/kubeadm/internal/controllers/controller_test.go
+++ b/controlplane/kubeadm/internal/controllers/controller_test.go
@@ -18,7 +18,12 @@ package controllers
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"fmt"
+	"math/big"
 	"sync"
 	"testing"
 	"time"
@@ -49,6 +54,7 @@ import (
 	"sigs.k8s.io/cluster-api/feature"
 	"sigs.k8s.io/cluster-api/internal/test/builder"
 	"sigs.k8s.io/cluster-api/util"
+	"sigs.k8s.io/cluster-api/util/certs"
 	"sigs.k8s.io/cluster-api/util/collections"
 	"sigs.k8s.io/cluster-api/util/conditions"
 	"sigs.k8s.io/cluster-api/util/kubeconfig"
@@ -520,11 +526,12 @@ func TestKubeadmControlPlaneReconciler_adoption(t *testing.T) {
 			g.Expect(machine.GetAnnotations()).NotTo(HaveKey(clusterv1.TemplateClonedFromNameAnnotation))
 		}
 	})
+
 	t.Run("adopts v1alpha2 cluster secrets", func(t *testing.T) {
 		g := NewWithT(t)
 
 		cluster, kcp, tmpl := createClusterWithControlPlane(metav1.NamespaceDefault)
-		cluster.Spec.ControlPlaneEndpoint.Host = "bar"
+		cluster.Spec.ControlPlaneEndpoint.Host = "validhost"
 		cluster.Spec.ControlPlaneEndpoint.Port = 6443
 		cluster.Status.InfrastructureReady = true
 		kcp.Spec.Version = version
@@ -565,7 +572,7 @@ func TestKubeadmControlPlaneReconciler_adoption(t *testing.T) {
 				},
 			}
 
-			// A simulcrum of the various Certificate and kubeconfig secrets
+			// A simulacrum of the various Certificate and kubeconfig secrets
 			// it's a little weird that this is one per KubeadmConfig rather than just whichever config was "first,"
 			// but the intent is to ensure that the owner is changed regardless of which Machine we start with
 			clusterSecret := &corev1.Secret{
@@ -749,6 +756,164 @@ func TestKubeadmControlPlaneReconciler_adoption(t *testing.T) {
 	})
 }
 
+func TestKubeadmControlPlaneReconciler_ensureOwnerReferences(t *testing.T) {
+	g := NewWithT(t)
+
+	cluster, kcp, tmpl := createClusterWithControlPlane(metav1.NamespaceDefault)
+	cluster.Spec.ControlPlaneEndpoint.Host = "bar"
+	cluster.Spec.ControlPlaneEndpoint.Port = 6443
+	cluster.Status.InfrastructureReady = true
+	kcp.Spec.Version = "v1.21.0"
+	key, err := certs.NewPrivateKey()
+	g.Expect(err).To(BeNil())
+	crt, err := getTestCACert(key)
+	g.Expect(err).To(BeNil())
+
+	fmc := &fakeManagementCluster{
+		Machines: collections.Machines{},
+		Workload: fakeWorkloadCluster{},
+	}
+
+	clusterSecret := &corev1.Secret{
+		// The Secret's Type is used by KCP to determine whether it is user-provided.
+		// clusterv1.ClusterSecretType signals that the Secret is CAPI-provided.
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: cluster.Namespace,
+			Name:      "",
+			Labels: map[string]string{
+				"cluster.x-k8s.io/cluster-name": cluster.Name,
+				"testing":                       "yes",
+			},
+		},
+		Data: map[string][]byte{
+			secret.TLSCrtDataName: certs.EncodeCertPEM(crt),
+			secret.TLSKeyDataName: certs.EncodePrivateKeyPEM(key),
+		},
+	}
+
+	t.Run("add KCP owner for secrets with no controller reference", func(t *testing.T) {
+		objs := []client.Object{fakeGenericMachineTemplateCRD, cluster.DeepCopy(), kcp.DeepCopy(), tmpl.DeepCopy()}
+		for _, purpose := range []secret.Purpose{secret.ClusterCA, secret.FrontProxyCA, secret.ServiceAccount, secret.EtcdCA} {
+			s := clusterSecret.DeepCopy()
+			// Set the secret name to the purpose
+			s.Name = secret.Name(cluster.Name, purpose)
+			// Set the Secret Type to clusterv1.ClusterSecretType which signals this Secret was generated by CAPI.
+			s.Type = clusterv1.ClusterSecretType
+
+			objs = append(objs, s)
+		}
+
+		fakeClient := newFakeClient(objs...)
+		fmc.Reader = fakeClient
+		r := &KubeadmControlPlaneReconciler{
+			Client:                    fakeClient,
+			APIReader:                 fakeClient,
+			managementCluster:         fmc,
+			managementClusterUncached: fmc,
+		}
+
+		_, err := r.reconcile(ctx, cluster, kcp)
+		g.Expect(err).To(BeNil())
+
+		secrets := &corev1.SecretList{}
+		g.Expect(fakeClient.List(ctx, secrets, client.InNamespace(cluster.Namespace), client.MatchingLabels{"testing": "yes"})).To(Succeed())
+		for _, secret := range secrets.Items {
+			g.Expect(secret.OwnerReferences).To(ContainElement(*metav1.NewControllerRef(kcp, controlplanev1.GroupVersion.WithKind("KubeadmControlPlane"))))
+		}
+	})
+
+	t.Run("replace non-KCP controller with KCP controller reference", func(t *testing.T) {
+		objs := []client.Object{fakeGenericMachineTemplateCRD, cluster.DeepCopy(), kcp.DeepCopy(), tmpl.DeepCopy()}
+		// A simulacrum of the various Certificate and kubeconfig secrets
+		// it's a little weird that this is one per KubeadmConfig rather than just whichever config was "first,"
+		// but the intent is to ensure that the owner is changed regardless of which Machine we start with
+		for _, purpose := range []secret.Purpose{secret.ClusterCA, secret.FrontProxyCA, secret.ServiceAccount, secret.EtcdCA} {
+			s := clusterSecret.DeepCopy()
+			// Set the secret name to the purpose
+			s.Name = secret.Name(cluster.Name, purpose)
+			// Set the Secret Type to clusterv1.ClusterSecretType which signals this Secret was generated by CAPI.
+			s.Type = clusterv1.ClusterSecretType
+
+			// Set the a controller owner reference of an unknown type on the secret.
+			s.SetOwnerReferences([]metav1.OwnerReference{
+				{
+					APIVersion: bootstrapv1.GroupVersion.String(),
+					// KCP should take ownership of any Secret of the correct type linked to the Cluster.
+					Kind:       "OtherController",
+					Name:       "name",
+					UID:        "uid",
+					Controller: pointer.Bool(true),
+				},
+			})
+			objs = append(objs, s)
+		}
+
+		fakeClient := newFakeClient(objs...)
+		fmc.Reader = fakeClient
+		r := &KubeadmControlPlaneReconciler{
+			Client:                    fakeClient,
+			APIReader:                 fakeClient,
+			managementCluster:         fmc,
+			managementClusterUncached: fmc,
+		}
+
+		_, err := r.reconcile(ctx, cluster, kcp)
+		g.Expect(err).To(BeNil())
+
+		secrets := &corev1.SecretList{}
+		g.Expect(fakeClient.List(ctx, secrets, client.InNamespace(cluster.Namespace), client.MatchingLabels{"testing": "yes"})).To(Succeed())
+		for _, secret := range secrets.Items {
+			g.Expect(secret.OwnerReferences).To(HaveLen(1))
+			g.Expect(secret.OwnerReferences).To(ContainElement(*metav1.NewControllerRef(kcp, controlplanev1.GroupVersion.WithKind("KubeadmControlPlane"))))
+		}
+	})
+
+	t.Run("does not add owner reference to user-provided secrets", func(t *testing.T) {
+		g := NewWithT(t)
+		objs := []client.Object{fakeGenericMachineTemplateCRD, cluster.DeepCopy(), kcp.DeepCopy(), tmpl.DeepCopy()}
+		for _, purpose := range []secret.Purpose{secret.ClusterCA, secret.FrontProxyCA, secret.ServiceAccount, secret.EtcdCA} {
+			s := clusterSecret.DeepCopy()
+			// Set the secret name to the purpose
+			s.Name = secret.Name(cluster.Name, purpose)
+			// Set the Secret Type to any type which signals this Secret was is user-provided.
+			s.Type = corev1.SecretTypeOpaque
+			// Set the a controller owner reference of an unknown type on the secret.
+			s.SetOwnerReferences([]metav1.OwnerReference{
+				{
+					APIVersion: bootstrapv1.GroupVersion.String(),
+					// This owner reference to a different controller should be preserved.
+					Kind:               "OtherController",
+					Name:               kcp.Name,
+					UID:                kcp.UID,
+					Controller:         pointer.Bool(true),
+					BlockOwnerDeletion: pointer.Bool(true),
+				},
+			})
+
+			objs = append(objs, s)
+		}
+
+		fakeClient := newFakeClient(objs...)
+		fmc.Reader = fakeClient
+		r := &KubeadmControlPlaneReconciler{
+			Client:                    fakeClient,
+			APIReader:                 fakeClient,
+			managementCluster:         fmc,
+			managementClusterUncached: fmc,
+		}
+
+		_, err := r.reconcile(ctx, cluster, kcp)
+		g.Expect(err).To(BeNil())
+
+		secrets := &corev1.SecretList{}
+		g.Expect(fakeClient.List(ctx, secrets, client.InNamespace(cluster.Namespace), client.MatchingLabels{"testing": "yes"})).To(Succeed())
+		for _, secret := range secrets.Items {
+			g.Expect(secret.OwnerReferences).To(HaveLen(1))
+			g.Expect(secret.OwnerReferences).To(ContainElement(*metav1.NewControllerRef(kcp, bootstrapv1.GroupVersion.WithKind("OtherController"))))
+		}
+	})
+}
+
 func TestReconcileCertificateExpiries(t *testing.T) {
 	g := NewWithT(t)
 
@@ -1769,3 +1934,34 @@ func newCluster(namespacedName *types.NamespacedName) *clusterv1.Cluster {
 		},
 	}
 }
+
+func getTestCACert(key *rsa.PrivateKey) (*x509.Certificate, error) {
+	cfg := certs.Config{
+		CommonName: "kubernetes",
+	}
+
+	now := time.Now().UTC()
+
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName:   cfg.CommonName,
+			Organization: cfg.Organization,
+		},
+		NotBefore:             now.Add(time.Minute * -5),
+		NotAfter:              now.Add(time.Hour * 24), // 1 day
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		MaxPathLenZero:        true,
+		BasicConstraintsValid: true,
+		MaxPathLen:            0,
+		IsCA:                  true,
+	}
+
+	b, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := x509.ParseCertificate(b)
+	return c, err
+}
diff --git a/controlplane/kubeadm/internal/controllers/helpers.go b/controlplane/kubeadm/internal/controllers/helpers.go
index ea37bfef2c68..30bfba3058a5 100644
--- a/controlplane/kubeadm/internal/controllers/helpers.go
+++ b/controlplane/kubeadm/internal/controllers/helpers.go
@@ -74,12 +74,8 @@ func (r *KubeadmControlPlaneReconciler) reconcileKubeconfig(ctx context.Context,
 		return ctrl.Result{}, errors.Wrap(err, "failed to retrieve kubeconfig Secret")
 	}
 
-	// check if the kubeconfig secret was created by v1alpha2 controllers, and thus it has the Cluster as the owner instead of KCP;
-	// if yes, adopt it.
-	if util.IsOwnedByObject(configSecret, cluster) && !util.IsControlledBy(configSecret, kcp) {
-		if err := r.adoptKubeconfigSecret(ctx, cluster, configSecret, controllerOwnerRef); err != nil {
-			return ctrl.Result{}, err
-		}
+	if err := r.adoptKubeconfigSecret(ctx, cluster, configSecret, kcp); err != nil {
+		return ctrl.Result{}, err
 	}
 
 	// only do rotation on owned secrets
@@ -102,21 +98,45 @@ func (r *KubeadmControlPlaneReconciler) reconcileKubeconfig(ctx context.Context,
 	return ctrl.Result{}, nil
 }
 
-func (r *KubeadmControlPlaneReconciler) adoptKubeconfigSecret(ctx context.Context, cluster *clusterv1.Cluster, configSecret *corev1.Secret, controllerOwnerRef metav1.OwnerReference) error {
+// Ensure the KubeadmConfigSecret has an owner reference to the control plane if it is not a user-provided secret.
+func (r *KubeadmControlPlaneReconciler) adoptKubeconfigSecret(ctx context.Context, cluster *clusterv1.Cluster, configSecret *corev1.Secret, kcp *controlplanev1.KubeadmControlPlane) error {
 	log := ctrl.LoggerFrom(ctx)
-	log.Info("Adopting KubeConfig secret created by v1alpha2 controllers", "Secret", klog.KObj(configSecret))
+	controller := metav1.GetControllerOf(configSecret)
 
+	// If the Type doesn't match the CAPI-created secret type this is a no-op.
+	if configSecret.Type != clusterv1.ClusterSecretType {
+		return nil
+	}
+	// If the secret is already controlled by KCP this is a no-op.
+	if controller != nil && controller.Kind == "KubeadmControlPlane" {
+		return nil
+	}
+	log.Info("Adopting KubeConfig secret", "Secret", klog.KObj(configSecret))
 	patch, err := patch.NewHelper(configSecret, r.Client)
 	if err != nil {
 		return errors.Wrap(err, "failed to create patch helper for the kubeconfig secret")
 	}
-	configSecret.OwnerReferences = util.RemoveOwnerRef(configSecret.OwnerReferences, metav1.OwnerReference{
-		APIVersion: clusterv1.GroupVersion.String(),
-		Kind:       "Cluster",
-		Name:       cluster.Name,
-		UID:        cluster.UID,
-	})
-	configSecret.OwnerReferences = util.EnsureOwnerRef(configSecret.OwnerReferences, controllerOwnerRef)
+
+	// If the kubeconfig secret was created by v1alpha2 controllers, and thus it has the Cluster as the owner instead of KCP.
+	// In this case remove the ownerReference to the Cluster.
+	if util.IsOwnedByObject(configSecret, cluster) {
+		configSecret.SetOwnerReferences(util.RemoveOwnerRef(configSecret.OwnerReferences, metav1.OwnerReference{
+			APIVersion: clusterv1.GroupVersion.String(),
+			Kind:       "Cluster",
+			Name:       cluster.Name,
+			UID:        cluster.UID,
+		}))
+	}
+
+	// Remove the current controller if one exists.
+	if controller != nil {
+		configSecret.SetOwnerReferences(util.RemoveOwnerRef(configSecret.OwnerReferences, *controller))
+	}
+
+	// Add the KubeadmControlPlane as the controller for this secret.
+	configSecret.OwnerReferences = util.EnsureOwnerRef(configSecret.OwnerReferences,
+		*metav1.NewControllerRef(kcp, controlplanev1.GroupVersion.WithKind("KubeadmControlPlane")))
+
 	if err := patch.Patch(ctx, configSecret); err != nil {
 		return errors.Wrap(err, "failed to patch the kubeconfig secret")
 	}
diff --git a/controlplane/kubeadm/internal/controllers/helpers_test.go b/controlplane/kubeadm/internal/controllers/helpers_test.go
index 51a9f40bf333..032275112990 100644
--- a/controlplane/kubeadm/internal/controllers/helpers_test.go
+++ b/controlplane/kubeadm/internal/controllers/helpers_test.go
@@ -24,7 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/client-go/tools/record"
-	utilpointer "k8s.io/utils/pointer"
+	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -33,6 +33,7 @@ import (
 	"sigs.k8s.io/cluster-api/controllers/external"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controlplane/kubeadm/internal"
+	"sigs.k8s.io/cluster-api/internal/test/builder"
 	"sigs.k8s.io/cluster-api/util/conditions"
 	"sigs.k8s.io/cluster-api/util/kubeconfig"
 	"sigs.k8s.io/cluster-api/util/secret"
@@ -237,11 +238,22 @@ func TestReconcileKubeconfigSecretDoesNotAdoptsUserSecrets(t *testing.T) {
 		},
 	}
 
-	existingKubeconfigSecret := kubeconfig.GenerateSecretWithOwner(
-		client.ObjectKey{Name: "foo", Namespace: metav1.NamespaceDefault},
-		[]byte{},
-		metav1.OwnerReference{}, // user defined secrets are not owned by the cluster.
-	)
+	existingKubeconfigSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secret.Name("foo", secret.Kubeconfig),
+			Namespace: metav1.NamespaceDefault,
+			Labels: map[string]string{
+				clusterv1.ClusterLabelName: "foo",
+			},
+			OwnerReferences: []metav1.OwnerReference{},
+		},
+		Data: map[string][]byte{
+			secret.KubeconfigDataName: {},
+		},
+		// KCP identifies CAPI-created Secrets using the clusterv1.ClusterSecretType. Setting any other type allows
+		// the controllers to treat it as a user-provided Secret.
+		Type: corev1.SecretTypeOpaque,
+	}
 
 	fakeClient := newFakeClient(kcp.DeepCopy(), existingKubeconfigSecret.DeepCopy())
 	r := &KubeadmControlPlaneReconciler{
@@ -522,7 +534,7 @@ func TestKubeadmControlPlaneReconciler_generateMachine(t *testing.T) {
 	}
 	expectedMachineSpec := clusterv1.MachineSpec{
 		ClusterName: cluster.Name,
-		Version:     utilpointer.String(kcp.Spec.Version),
+		Version:     pointer.String(kcp.Spec.Version),
 		Bootstrap: clusterv1.Bootstrap{
 			ConfigRef: bootstrapRef.DeepCopy(),
 		},
@@ -611,3 +623,103 @@ func TestKubeadmControlPlaneReconciler_generateKubeadmConfig(t *testing.T) {
 	g.Expect(bootstrapConfig.OwnerReferences).To(ContainElement(expectedOwner))
 	g.Expect(bootstrapConfig.Spec).To(Equal(spec))
 }
+
+func TestKubeadmControlPlaneReconciler_adoptKubeconfigSecret(t *testing.T) {
+	g := NewWithT(t)
+	otherOwner := metav1.OwnerReference{
+		Name:               "testcontroller",
+		UID:                "5",
+		Kind:               "OtherController",
+		APIVersion:         clusterv1.GroupVersion.String(),
+		Controller:         pointer.Bool(true),
+		BlockOwnerDeletion: pointer.Bool(true),
+	}
+	clusterName := "test1"
+	cluster := builder.Cluster(metav1.NamespaceDefault, clusterName).Build()
+
+	// A KubeadmConfig secret created by CAPI controllers with no owner references.
+	capiKubeadmConfigSecretNoOwner := kubeconfig.GenerateSecretWithOwner(
+		client.ObjectKey{Name: clusterName, Namespace: metav1.NamespaceDefault},
+		[]byte{},
+		metav1.OwnerReference{})
+	capiKubeadmConfigSecretNoOwner.OwnerReferences = []metav1.OwnerReference{}
+
+	// A KubeadmConfig secret created by CAPI controllers with a non-KCP owner reference.
+	capiKubeadmConfigSecretOtherOwner := capiKubeadmConfigSecretNoOwner.DeepCopy()
+	capiKubeadmConfigSecretOtherOwner.OwnerReferences = []metav1.OwnerReference{otherOwner}
+
+	// A user provided KubeadmConfig secret with no owner reference.
+	userProvidedKubeadmConfigSecretNoOwner := kubeconfig.GenerateSecretWithOwner(
+		client.ObjectKey{Name: clusterName, Namespace: metav1.NamespaceDefault},
+		[]byte{},
+		metav1.OwnerReference{})
+	userProvidedKubeadmConfigSecretNoOwner.Type = corev1.SecretTypeOpaque
+
+	// A user provided KubeadmConfig with a non-KCP owner reference.
+	userProvidedKubeadmConfigSecretOtherOwner := userProvidedKubeadmConfigSecretNoOwner.DeepCopy()
+	userProvidedKubeadmConfigSecretOtherOwner.OwnerReferences = []metav1.OwnerReference{otherOwner}
+
+	kcp := &controlplanev1.KubeadmControlPlane{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "KubeadmControlPlane",
+			APIVersion: controlplanev1.GroupVersion.String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "testControlPlane",
+			Namespace: cluster.Namespace,
+		},
+	}
+	tests := []struct {
+		name             string
+		configSecret     *corev1.Secret
+		expectedOwnerRef metav1.OwnerReference
+	}{
+		{
+			name:         "add KCP owner reference on kubeconfig secret generated by CAPI",
+			configSecret: capiKubeadmConfigSecretNoOwner,
+			expectedOwnerRef: metav1.OwnerReference{
+				Name:               kcp.Name,
+				UID:                kcp.UID,
+				Kind:               kcp.Kind,
+				APIVersion:         kcp.APIVersion,
+				Controller:         pointer.Bool(true),
+				BlockOwnerDeletion: pointer.Bool(true),
+			},
+		},
+		{
+			name:         "replace owner reference with KCP on kubeconfig secret generated by CAPI with other owner",
+			configSecret: capiKubeadmConfigSecretOtherOwner,
+			expectedOwnerRef: metav1.OwnerReference{
+				Name:               kcp.Name,
+				UID:                kcp.UID,
+				Kind:               kcp.Kind,
+				APIVersion:         kcp.APIVersion,
+				Controller:         pointer.Bool(true),
+				BlockOwnerDeletion: pointer.Bool(true),
+			},
+		},
+		{
+			name:             "don't add ownerReference on kubeconfig secret provided by user",
+			configSecret:     userProvidedKubeadmConfigSecretNoOwner,
+			expectedOwnerRef: metav1.OwnerReference{},
+		},
+		{
+			name:             "don't replace ownerReference on kubeconfig secret provided by user",
+			configSecret:     userProvidedKubeadmConfigSecretOtherOwner,
+			expectedOwnerRef: otherOwner,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fakeClient := newFakeClient(cluster, kcp, tt.configSecret)
+			r := &KubeadmControlPlaneReconciler{
+				APIReader: fakeClient,
+				Client:    fakeClient,
+			}
+			g.Expect(r.adoptKubeconfigSecret(ctx, cluster, tt.configSecret, kcp)).To(Succeed())
+			actualSecret := &corev1.Secret{}
+			g.Expect(fakeClient.Get(ctx, client.ObjectKey{Namespace: tt.configSecret.Namespace, Name: tt.configSecret.Namespace}, actualSecret))
+			g.Expect(tt.configSecret.GetOwnerReferences()).To(ConsistOf(tt.expectedOwnerRef))
+		})
+	}
+}

From 34bed164c05b88e0e30641bcc17322ea0bf3310b Mon Sep 17 00:00:00 2001
From: Chirayu Kapoor <dev.csociety@gmail.com>
Date: Fri, 25 Nov 2022 18:56:19 +0530
Subject: [PATCH 27/87] Add a make target to gernerate all release manifests

Signed-off-by: Chirayu Kapoor <dev.csociety@gmail.com>
---
 Makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Makefile b/Makefile
index ac94437bc12f..eebfcb1b4abb 100644
--- a/Makefile
+++ b/Makefile
@@ -829,6 +829,11 @@ release: clean-release ## Build and push container images using the latest git t
 	git checkout "${RELEASE_TAG}"
 	# Build binaries first.
 	GIT_VERSION=$(RELEASE_TAG) $(MAKE) release-binaries
+	# Set the manifest images to the staging/production bucket and Builds the manifests to publish with a release.
+	$(MAKE) release-manifests-all
+
+.PHONY: release-manifests-all
+release-manifests-all: # Set the manifest images to the staging/production bucket and Builds the manifests to publish with a release.
 	# Set the manifest image to the production bucket.
 	$(MAKE) manifest-modification REGISTRY=$(PROD_REGISTRY)
 	## Build the manifests

From 0a00a80133145143d4d70c350a9a373a3ef2af23 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Wed, 30 Nov 2022 11:13:57 +0000
Subject: [PATCH 28/87] Remove inaccurate comment on KCP test

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 controlplane/kubeadm/internal/controllers/controller_test.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/controlplane/kubeadm/internal/controllers/controller_test.go b/controlplane/kubeadm/internal/controllers/controller_test.go
index ac35301c033d..c2b42f855a8d 100644
--- a/controlplane/kubeadm/internal/controllers/controller_test.go
+++ b/controlplane/kubeadm/internal/controllers/controller_test.go
@@ -824,9 +824,6 @@ func TestKubeadmControlPlaneReconciler_ensureOwnerReferences(t *testing.T) {
 
 	t.Run("replace non-KCP controller with KCP controller reference", func(t *testing.T) {
 		objs := []client.Object{fakeGenericMachineTemplateCRD, cluster.DeepCopy(), kcp.DeepCopy(), tmpl.DeepCopy()}
-		// A simulacrum of the various Certificate and kubeconfig secrets
-		// it's a little weird that this is one per KubeadmConfig rather than just whichever config was "first,"
-		// but the intent is to ensure that the owner is changed regardless of which Machine we start with
 		for _, purpose := range []secret.Purpose{secret.ClusterCA, secret.FrontProxyCA, secret.ServiceAccount, secret.EtcdCA} {
 			s := clusterSecret.DeepCopy()
 			// Set the secret name to the purpose

From 81331da5fc68621ad4a52f6e8dcbb62f897bac58 Mon Sep 17 00:00:00 2001
From: Lennart Jern <lennart.jern@est.tech>
Date: Fri, 25 Nov 2022 14:42:44 +0200
Subject: [PATCH 29/87] e2e: add init versions for providers

---
 test/e2e/clusterctl_upgrade.go | 63 ++++++++++++++++++++++++++++++----
 1 file changed, 57 insertions(+), 6 deletions(-)

diff --git a/test/e2e/clusterctl_upgrade.go b/test/e2e/clusterctl_upgrade.go
index 483884539b8a..73e3048a294d 100644
--- a/test/e2e/clusterctl_upgrade.go
+++ b/test/e2e/clusterctl_upgrade.go
@@ -71,6 +71,24 @@ type ClusterctlUpgradeSpecInput struct {
 	// InitWithKubernetesVersion can be used to override the INIT_WITH_KUBERNETES_VERSION e2e config variable with a specific
 	// Kubernetes version to use to create the secondary management cluster, e.g. `v1.25.0`
 	InitWithKubernetesVersion string
+	// InitWithCoreProvider specifies the core provider version to use when initializing the secondary management cluster, e.g. `cluster-api:v1.3.0`.
+	// If not set, the core provider version is calculated based on the contract.
+	InitWithCoreProvider string
+	// InitWithBootstrapProviders specifies the bootstrap provider versions to use when initializing the secondary management cluster, e.g. `kubeadm:v1.3.0`.
+	// If not set, the bootstrap provider version is calculated based on the contract.
+	InitWithBootstrapProviders []string
+	// InitWithControlPlaneProviders specifies the control plane provider versions to use when initializing the secondary management cluster, e.g. `kubeadm:v1.3.0`.
+	// If not set, the control plane provider version is calculated based on the contract.
+	InitWithControlPlaneProviders []string
+	// InitWithInfrastructureProviders specifies the infrastructure provider versions to add to the secondary management cluster, e.g. `aws:v2.0.0`.
+	// If not set, the infrastructure provider version is calculated based on the contract.
+	InitWithInfrastructureProviders []string
+	// InitWithIPAMProviders specifies the IPAM provider versions to add to the secondary management cluster, e.g. `infoblox:v0.0.1`.
+	// If not set, the IPAM provider version is calculated based on the contract.
+	InitWithIPAMProviders []string
+	// InitWithRuntimeExtensionProviders specifies the runtime extension provider versions to add to the secondary management cluster, e.g. `test:v0.0.1`.
+	// If not set, the runtime extension provider version is calculated based on the contract.
+	InitWithRuntimeExtensionProviders []string
 	// UpgradeClusterctlVariables can be used to set additional variables for clusterctl upgrade.
 	UpgradeClusterctlVariables map[string]string
 	SkipCleanup                bool
@@ -255,16 +273,41 @@ func ClusterctlUpgradeSpec(ctx context.Context, inputGetter func() ClusterctlUpg
 			input.PreInit(managementClusterProxy)
 		}
 
+		var (
+			coreProvider              string
+			bootstrapProviders        []string
+			controlPlaneProviders     []string
+			infrastructureProviders   []string
+			ipamProviders             []string
+			runtimeExtensionProviders []string
+		)
+
+		coreProvider = input.E2EConfig.GetProviderLatestVersionsByContract(initContract, config.ClusterAPIProviderName)[0]
+		if input.InitWithCoreProvider != "" {
+			coreProvider = input.InitWithCoreProvider
+		}
+
+		bootstrapProviders = getValueOrFallback(input.InitWithBootstrapProviders,
+			input.E2EConfig.GetProviderLatestVersionsByContract(initContract, config.KubeadmBootstrapProviderName))
+		controlPlaneProviders = getValueOrFallback(input.InitWithControlPlaneProviders,
+			input.E2EConfig.GetProviderLatestVersionsByContract(initContract, config.KubeadmControlPlaneProviderName))
+		infrastructureProviders = getValueOrFallback(input.InitWithInfrastructureProviders,
+			input.E2EConfig.GetProviderLatestVersionsByContract(initContract, input.E2EConfig.InfrastructureProviders()...))
+		ipamProviders = getValueOrFallback(input.IPAMProviders,
+			input.E2EConfig.GetProviderLatestVersionsByContract(initContract, input.E2EConfig.IPAMProviders()...))
+		runtimeExtensionProviders = getValueOrFallback(input.RuntimeExtensionProviders,
+			input.E2EConfig.GetProviderLatestVersionsByContract(initContract, input.E2EConfig.RuntimeExtensionProviders()...))
+
 		clusterctl.InitManagementClusterAndWatchControllerLogs(ctx, clusterctl.InitManagementClusterAndWatchControllerLogsInput{
 			ClusterctlBinaryPath:      clusterctlBinaryPath, // use older version of clusterctl to init the management cluster
 			ClusterProxy:              managementClusterProxy,
 			ClusterctlConfigPath:      clusterctlConfigPath,
-			CoreProvider:              input.E2EConfig.GetProviderLatestVersionsByContract(initContract, config.ClusterAPIProviderName)[0],
-			BootstrapProviders:        input.E2EConfig.GetProviderLatestVersionsByContract(initContract, config.KubeadmBootstrapProviderName),
-			ControlPlaneProviders:     input.E2EConfig.GetProviderLatestVersionsByContract(initContract, config.KubeadmControlPlaneProviderName),
-			InfrastructureProviders:   input.E2EConfig.GetProviderLatestVersionsByContract(initContract, input.E2EConfig.InfrastructureProviders()...),
-			IPAMProviders:             input.E2EConfig.GetProviderLatestVersionsByContract(initContract, input.E2EConfig.IPAMProviders()...),
-			RuntimeExtensionProviders: input.E2EConfig.GetProviderLatestVersionsByContract(initContract, input.E2EConfig.RuntimeExtensionProviders()...),
+			CoreProvider:              coreProvider,
+			BootstrapProviders:        bootstrapProviders,
+			ControlPlaneProviders:     controlPlaneProviders,
+			InfrastructureProviders:   infrastructureProviders,
+			IPAMProviders:             ipamProviders,
+			RuntimeExtensionProviders: runtimeExtensionProviders,
 			LogFolder:                 filepath.Join(input.ArtifactFolder, "clusters", cluster.Name),
 		}, input.E2EConfig.GetIntervals(specName, "wait-controllers")...)
 
@@ -689,3 +732,11 @@ func matchUnstructuredLists(l1 *unstructured.UnstructuredList, l2 *unstructured.
 	}
 	return s1.Equal(s2)
 }
+
+// getValueOrFallback returns the input value unless it is empty, then it returns the fallback input.
+func getValueOrFallback(value []string, fallback []string) []string {
+	if len(value) > 0 {
+		return value
+	}
+	return fallback
+}

From 893728e40499ee6e58138e9b95600ae69df0067d Mon Sep 17 00:00:00 2001
From: Yuvaraj Kakaraparthi <kakaraparthy@vmware.com>
Date: Tue, 22 Nov 2022 14:28:24 -0800
Subject: [PATCH 30/87] update clusterctl version to v1.3.x in quickstart

---
 docs/book/src/user/quick-start.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index 528903257a2f..a6a7943292ec 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -156,7 +156,7 @@ The clusterctl CLI tool handles the lifecycle of a Cluster API management cluste
 #### Install clusterctl binary with curl on linux
 Download the latest release; on linux, type:
 ```bash
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-linux-amd64" version:"1.2.x"}} -o clusterctl
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-linux-amd64" version:"1.3.x"}} -o clusterctl
 ```
 Install clusterctl:
 ```bash
@@ -173,12 +173,12 @@ clusterctl version
 #### Install clusterctl binary with curl on macOS
 Download the latest release; on macOS, type:
 ```bash
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-darwin-amd64" version:"1.2.x"}} -o clusterctl
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-darwin-amd64" version:"1.3.x"}} -o clusterctl
 ```
 
 Or if your Mac has an M1 CPU ("Apple Silicon"):
 ```bash
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-darwin-arm64" version:"1.2.x"}} -o clusterctl
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-darwin-arm64" version:"1.3.x"}} -o clusterctl
 ```
 
 Make the clusterctl binary executable.
@@ -217,7 +217,7 @@ Go to the working directory where you want clusterctl downloaded.
 
 Download the latest release; on Windows, type:
 ```powershell
-curl.exe -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-windows-amd64.exe" version:"1.2.x"}} -o clusterctl.exe
+curl.exe -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-windows-amd64.exe" version:"1.3.x"}} -o clusterctl.exe
 ```
 Append or prepend the path of that directory to the `PATH` environment variable.
 

From ac087fd052ea0290fc79f2180372641c81c1e2e0 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <buringerst@vmware.com>
Date: Thu, 1 Dec 2022 12:00:46 +0700
Subject: [PATCH 31/87] doc: release tasks: improve polish release note doc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 docs/release/release-tasks.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/release/release-tasks.md b/docs/release/release-tasks.md
index f34e3eadc6fb..28646fd98de8 100644
--- a/docs/release/release-tasks.md
+++ b/docs/release/release-tasks.md
@@ -289,6 +289,8 @@ The goal of this task to make the book for the current release available under e
     6. Sort entries within a section alphabetically. 
     7. Write highlights section based on the initial release notes doc.
     8. Add Kubernetes version support section.
+    9. Modify `Changes since v1.x.y` to `Changes since v1.x`
+       <br>**Note**: The release notes tool includes all merges since the previous release branch was branched of.
 4. Iterate until the GA release by generating incremental release notes and modifying the release notes in hackmd accordingly:
    ```bash
    # PREVIOUS_TAG should be the tag from which the previous release notes have been generated, e.g.:

From 40bb6be02e521ac86301454b3cb757e4a3049573 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Wed, 30 Nov 2022 13:25:14 +0000
Subject: [PATCH 32/87] Add provider guidance for owner references

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 docs/book/src/developer/providers/v1.2-to-v1.3.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/book/src/developer/providers/v1.2-to-v1.3.md b/docs/book/src/developer/providers/v1.2-to-v1.3.md
index 8a42aa0960d0..5f135d4a15e9 100644
--- a/docs/book/src/developer/providers/v1.2-to-v1.3.md
+++ b/docs/book/src/developer/providers/v1.2-to-v1.3.md
@@ -71,6 +71,7 @@ The default value is 0, meaning that the volume can be detached without any time
 - cert-manager upgraded from v1.9.1 to v1.10.0.
 - Machine `providerID` is now being strictly checked for equality when compared against Kubernetes node `providerID` data. This is the expected criteria for correlating a Cluster API machine to its corresponding Kubernetes node, but historically this comparison was not strict, and instead compared only against the `ID` substring part of the full `providerID` string. Because different providers construct `providerID` strings differently, the `ID` substring is not uniformly defined and implemented across providers, and thus the existing `providerID` equality can not guarantee the correct Machine-Node correlation. It is very unlikely that this new behavior will break existing providers, but FYI: if strict `providerID` equality will degrade expected behaviors, you may need to update your provider implementation prior to adopting Cluster API v1.3.
 - The default minimum TLS version in use by the webhook servers is 1.2.
+- OwnerReferences are now more strictly enforced for objects managed by Cluster API. Machines, Bootstrap configs, Infrastructure Machines and Secrets created by CAPI components [now have strictly enforced controller owner references](https://github.com/kubernetes-sigs/cluster-api/issues/7575). This is not expected to require changes for providers.
 
 ### Suggested changes for providers
 - Provider can expose the configuration of the TLS Options for the webhook server; it is recommended to use utility functions under the `util/flags` package to ensure consistency across CAPI and other providers.

From 1ceb6792cdcff315de361a89fa14f35cadd0bde8 Mon Sep 17 00:00:00 2001
From: Oscar Utbult <oscar.utbult@gmail.com>
Date: Sat, 3 Dec 2022 10:48:14 +0100
Subject: [PATCH 33/87] docs: add Tinkerbell provider to CAPI book

---
 docs/book/src/reference/providers.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/book/src/reference/providers.md b/docs/book/src/reference/providers.md
index bdcc6df73fe9..e964729dea17 100644
--- a/docs/book/src/reference/providers.md
+++ b/docs/book/src/reference/providers.md
@@ -27,7 +27,6 @@ updated info about which API version they are supporting.
 - [Equinix Metal (formerly Packet)](https://github.com/kubernetes-sigs/cluster-api-provider-packet)
 - [GCP](https://github.com/kubernetes-sigs/cluster-api-provider-gcp)
 - [Hetzner](https://github.com/syself/cluster-api-provider-hetzner)
-- [Outscale](https://github.com/outscale-dev/cluster-api-provider-outscale)
 - [IBM Cloud](https://github.com/kubernetes-sigs/cluster-api-provider-ibmcloud)
 - [KubeKey](https://github.com/kubesphere/kubekey)
 - [KubeVirt](https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt)
@@ -38,7 +37,9 @@ updated info about which API version they are supporting.
 - [Nutanix](https://github.com/nutanix-cloud-native/cluster-api-provider-nutanix)
 - [OCI](https://github.com/oracle/cluster-api-provider-oci)
 - [OpenStack](https://github.com/kubernetes-sigs/cluster-api-provider-openstack)
+- [Outscale](https://github.com/outscale-dev/cluster-api-provider-outscale)
 - [Sidero](https://github.com/siderolabs/sidero)
+- [Tinkerbell](https://github.com/tinkerbell/cluster-api-provider-tinkerbell)
 - [vcluster](https://github.com/loft-sh/cluster-api-provider-vcluster)
 - [Virtink](https://github.com/smartxworks/cluster-api-provider-virtink)
 - [VMware Cloud Director](https://github.com/vmware/cluster-api-provider-cloud-director)  

From 687bc4d6843729fccc640784050ea14312bfb21b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Dec 2022 21:03:54 +0000
Subject: [PATCH 34/87] seedling: Bump actions/setup-go from 3.3.1 to 3.4.0

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.3.1 to 3.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/c4a742cab115ed795e34d4513e2cf7d472deb55f...d0a58c1c4d2b25278816e339b944508c875f3613)
---
 .github/workflows/dependabot.yml    | 2 +-
 .github/workflows/golangci-lint.yml | 2 +-
 .github/workflows/release.yml       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index f8304b9889f0..eea7b76914e2 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Set up Go 1.x
-      uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
+      uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # tag=v3.4.0
       with:
         go-version: '1.19'
       id: go
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 1a57ba954276..c0eb5bd0eaf3 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
           - hack/tools
     steps:
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
-      - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
+      - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # tag=v3.4.0
         with:
           go-version: 1.19
       - name: golangci-lint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d43674edbb95..fb7720265000 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Install go
-        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
+        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # tag=v3.4.0
         with:
           go-version: '^1.19'
       - name: generate release artifacts

From 6bef805c8b9b3fc1ab3a65f1081c0b4ad2a26c25 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Dec 2022 21:03:50 +0000
Subject: [PATCH 35/87] seedling: Bump softprops/action-gh-release from 0.1.14
 to 0.1.15

Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 0.1.14 to 0.1.15.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/1e07f4398721186383de40550babbdf2b84acfc5...de2c0eb89ae2a093876385947365aca7b0e5f844)
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d43674edbb95..cfddfc498171 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,7 +31,7 @@ jobs:
         run: |
           make release-notes
       - name: Release
-        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v1
         with:
           draft: true
           files: out/*

From f7711cfd6338a4c2b01164251decea3b0c843d74 Mon Sep 17 00:00:00 2001
From: fabriziopandini <fpandini@vmware.com>
Date: Wed, 7 Dec 2022 13:31:01 +0100
Subject: [PATCH 36/87] bump sprig and golang-x-text

---
 go.mod            |  8 ++++----
 go.sum            | 23 ++++++++++++++---------
 hack/tools/go.mod |  8 ++++----
 hack/tools/go.sum | 21 ++++++++++++---------
 test/go.mod       |  8 ++++----
 test/go.sum       | 24 +++++++++++++++---------
 6 files changed, 53 insertions(+), 39 deletions(-)

diff --git a/go.mod b/go.mod
index 4f69f7c8ae78..c9488b0716d2 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.19
 
 require (
 	github.com/MakeNowJust/heredoc v1.0.0
-	github.com/Masterminds/sprig/v3 v3.2.2
+	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/coredns/corefile-migration v1.0.18
 	github.com/davecgh/go-spew v1.1.1
@@ -55,7 +55,7 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/ajeddeloh/go-json v0.0.0-20200220154158-5ae607161559 // indirect
 	github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed // indirect
@@ -129,10 +129,10 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
 	go4.org v0.0.0-20201209231011-d4a079459e60 // indirect
-	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/crypto v0.3.0 // indirect
 	golang.org/x/sys v0.2.0 // indirect
 	golang.org/x/term v0.2.0 // indirect
-	golang.org/x/text v0.4.0
+	golang.org/x/text v0.5.0
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0
 	google.golang.org/appengine v1.6.7 // indirect
diff --git a/go.sum b/go.sum
index bb9b28336d80..9006ecd1f9b1 100644
--- a/go.sum
+++ b/go.sum
@@ -83,10 +83,10 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
-github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
+github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
+github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/ajeddeloh/go-json v0.0.0-20160803184958-73d058cf8437/go.mod h1:otnto4/Icqn88WCcM4bhIJNSgsh9VLBuspyyCfvof9c=
 github.com/ajeddeloh/go-json v0.0.0-20200220154158-5ae607161559 h1:4SPQljF/GJ8Q+QlCWMWxRBepub4DresnOm4eI2ebFGc=
@@ -378,7 +378,6 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
-github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.3.3 h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -625,6 +624,7 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/etcd/api/v3 v3.5.4 h1:OHVyt3TopwtUQ2GKdd5wu3PmmipR4FTwCqoEjSyRdIc=
 go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
@@ -665,14 +665,13 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -708,6 +707,7 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -759,6 +759,7 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -795,6 +796,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -870,6 +872,7 @@ golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
@@ -887,8 +890,9 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -953,6 +957,7 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/hack/tools/go.mod b/hack/tools/go.mod
index fe33476cc15a..319058c2319e 100644
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
@@ -39,8 +39,8 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/Microsoft/go-winio v0.5.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
@@ -128,14 +128,14 @@ require (
 	github.com/xlab/treeprint v1.1.0 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/crypto v0.3.0 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/net v0.2.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
 	golang.org/x/sys v0.2.0 // indirect
 	golang.org/x/term v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
diff --git a/hack/tools/go.sum b/hack/tools/go.sum
index 86be17f9177d..48444a538505 100644
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@@ -69,10 +69,10 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
-github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
+github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
+github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY=
 github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/hcsshim v0.9.3 h1:k371PzBuRrz2b+ebGuI2nVgVhgsVX60jMfSw80NECxo=
@@ -328,7 +328,6 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.3.3 h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -515,6 +514,7 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI=
 github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
@@ -538,12 +538,12 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -627,6 +627,7 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -737,6 +738,7 @@ golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -753,8 +755,9 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/test/go.mod b/test/go.mod
index 6aa128d84b9f..8993fc509765 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -33,8 +33,8 @@ require (
 	github.com/BurntSushi/toml v1.0.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/Microsoft/go-winio v0.5.0 // indirect
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed // indirect
@@ -108,12 +108,12 @@ require (
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/crypto v0.3.0 // indirect
 	golang.org/x/net v0.2.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
 	golang.org/x/sys v0.2.0 // indirect
 	golang.org/x/term v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
diff --git a/test/go.sum b/test/go.sum
index 563658068ce8..eea795fa80d2 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -68,10 +68,10 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
-github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
+github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
+github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Microsoft/go-winio v0.5.0 h1:Elr9Wn+sGKPlkaBvwu4mTrxtmOp3F3yV9qhaHbXGjwU=
 github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
@@ -345,7 +345,6 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
-github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.3.3 h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -571,6 +570,7 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
@@ -600,12 +600,12 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -641,6 +641,7 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -691,6 +692,7 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -727,6 +729,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -800,6 +803,7 @@ golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
@@ -817,8 +821,9 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -882,6 +887,7 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

From 58ce631d33d7b9fc2b1d2860609ce259603e2841 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Wed, 7 Dec 2022 17:06:10 +0000
Subject: [PATCH 37/87] Update cert-manager to v1.10.1

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 cmd/clusterctl/client/config/cert_manager_client.go | 2 +-
 docs/book/src/clusterctl/commands/init.md           | 2 +-
 docs/book/src/developer/guide.md                    | 2 +-
 docs/book/src/user/quick-start.md                   | 2 +-
 docs/book/src/user/troubleshooting.md               | 4 ++--
 scripts/ci-e2e-lib.sh                               | 6 +++---
 test/e2e/config/docker.yaml                         | 6 +++---
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/cmd/clusterctl/client/config/cert_manager_client.go b/cmd/clusterctl/client/config/cert_manager_client.go
index d8817b8aadc5..179bb31bc641 100644
--- a/cmd/clusterctl/client/config/cert_manager_client.go
+++ b/cmd/clusterctl/client/config/cert_manager_client.go
@@ -29,7 +29,7 @@ const (
 	CertManagerConfigKey = "cert-manager"
 
 	// CertManagerDefaultVersion defines the default cert-manager version to be used by clusterctl.
-	CertManagerDefaultVersion = "v1.10.0"
+	CertManagerDefaultVersion = "v1.10.1"
 
 	// CertManagerDefaultURL defines the default cert-manager repository url to be used by clusterctl.
 	// NOTE: At runtime CertManagerDefaultVersion may be replaced with the
diff --git a/docs/book/src/clusterctl/commands/init.md b/docs/book/src/clusterctl/commands/init.md
index 47f8bda830be..d8dac4655fd8 100644
--- a/docs/book/src/clusterctl/commands/init.md
+++ b/docs/book/src/clusterctl/commands/init.md
@@ -188,7 +188,7 @@ If this happens, there are no guarantees about the proper functioning of `cluste
 Cluster API providers require a cert-manager version supporting the `cert-manager.io/v1` API to be installed in the cluster.
 
 While doing init, clusterctl checks if there is a version of cert-manager already installed. If not, clusterctl will
-install a default version (currently cert-manager v1.10.0). See [clusterctl configuration](../configuration.md) for
+install a default version (currently cert-manager v1.10.1). See [clusterctl configuration](../configuration.md) for
 available options to customize this operation.
 
 <aside class="note warning">
diff --git a/docs/book/src/developer/guide.md b/docs/book/src/developer/guide.md
index cb6993cf06d4..6527e1a2b2bd 100644
--- a/docs/book/src/developer/guide.md
+++ b/docs/book/src/developer/guide.md
@@ -81,7 +81,7 @@ The generated binary can be found at ./hack/tools/bin/envsubst
 You'll need to deploy [cert-manager] components on your [management cluster][mcluster], using `kubectl`
 
 ```bash
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.yaml
 ```
 
 Ensure the cert-manager webhook service is ready before creating the Cluster API components.
diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index a6a7943292ec..419fdb7fd578 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -642,7 +642,7 @@ The output of `clusterctl init` is similar to this:
 
 ```bash
 Fetching providers
-Installing cert-manager Version="v1.10.0"
+Installing cert-manager Version="v1.10.1"
 Waiting for cert-manager to be available...
 Installing Provider="cluster-api" Version="v1.0.0" TargetNamespace="capi-system"
 Installing Provider="bootstrap-kubeadm" Version="v1.0.0" TargetNamespace="capi-kubeadm-bootstrap-system"
diff --git a/docs/book/src/user/troubleshooting.md b/docs/book/src/user/troubleshooting.md
index 45a2ad6732c9..f57b8a4aff7c 100644
--- a/docs/book/src/user/troubleshooting.md
+++ b/docs/book/src/user/troubleshooting.md
@@ -161,7 +161,7 @@ clusterctl init --infrastructure docker
 ```
 ```bash
 Fetching providers
-Installing cert-manager Version="v1.10.0"
+Installing cert-manager Version="v1.10.1"
 Error: action failed after 10 attempts: failed to get cert-manager object /, Kind=, /: Object 'Kind' is missing in 'unstructured object has no kind'
 ```
 
@@ -173,7 +173,7 @@ cert-manager:
   url: "https://github.com/cert-manager/cert-manager/releases/latest/cert-manager.yaml"
 ```
 
-Alternatively a Cert Manager yaml file can be placed in the [clusterctl overrides layer](../clusterctl/configuration.md#overrides-layer) which is by default in `$HOME/.cluster-api/overrides`. A Cert Manager yaml file can be placed at `$(HOME)/.cluster-api/overrides/cert-manager/v1.10.0/cert-manager.yaml`
+Alternatively a Cert Manager yaml file can be placed in the [clusterctl overrides layer](../clusterctl/configuration.md#overrides-layer) which is by default in `$HOME/.cluster-api/overrides`. A Cert Manager yaml file can be placed at `$(HOME)/.cluster-api/overrides/cert-manager/v1.10.1/cert-manager.yaml`
 
 More information on the clusterctl config file can be found at [its page in the book](../clusterctl/configuration.md#clusterctl-configuration-file)
 
diff --git a/scripts/ci-e2e-lib.sh b/scripts/ci-e2e-lib.sh
index 5c0a19b7bc6d..50396da15278 100644
--- a/scripts/ci-e2e-lib.sh
+++ b/scripts/ci-e2e-lib.sh
@@ -200,9 +200,9 @@ EOL
 # the actual test run less sensible to the network speed.
 kind:prepullAdditionalImages () {
   # Pulling cert manager images so we can pre-load in kind nodes
-  kind::prepullImage "quay.io/jetstack/cert-manager-cainjector:v1.10.0"
-  kind::prepullImage "quay.io/jetstack/cert-manager-webhook:v1.10.0"
-  kind::prepullImage "quay.io/jetstack/cert-manager-controller:v1.10.0"
+  kind::prepullImage "quay.io/jetstack/cert-manager-cainjector:v1.10.1"
+  kind::prepullImage "quay.io/jetstack/cert-manager-webhook:v1.10.1"
+  kind::prepullImage "quay.io/jetstack/cert-manager-controller:v1.10.1"
 }
 
 # kind:prepullImage pre-pull a docker image if no already present locally.
diff --git a/test/e2e/config/docker.yaml b/test/e2e/config/docker.yaml
index 540e522b7019..728be1f41726 100644
--- a/test/e2e/config/docker.yaml
+++ b/test/e2e/config/docker.yaml
@@ -19,11 +19,11 @@ images:
   loadBehavior: tryLoad
 - name: gcr.io/k8s-staging-cluster-api/test-extension-{ARCH}:dev
   loadBehavior: tryLoad
-- name: quay.io/jetstack/cert-manager-cainjector:v1.10.0
+- name: quay.io/jetstack/cert-manager-cainjector:v1.10.1
   loadBehavior: tryLoad
-- name: quay.io/jetstack/cert-manager-webhook:v1.10.0
+- name: quay.io/jetstack/cert-manager-webhook:v1.10.1
   loadBehavior: tryLoad
-- name: quay.io/jetstack/cert-manager-controller:v1.10.0
+- name: quay.io/jetstack/cert-manager-controller:v1.10.1
   loadBehavior: tryLoad
 
 providers:

From ce33fe746317f7c91243a0fff48462065888bc6e Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Fri, 9 Dec 2022 12:36:44 +0000
Subject: [PATCH 38/87] Update cert manager version in migration doc

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 docs/book/src/developer/providers/v1.2-to-v1.3.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/book/src/developer/providers/v1.2-to-v1.3.md b/docs/book/src/developer/providers/v1.2-to-v1.3.md
index 5f135d4a15e9..51f77bbcec22 100644
--- a/docs/book/src/developer/providers/v1.2-to-v1.3.md
+++ b/docs/book/src/developer/providers/v1.2-to-v1.3.md
@@ -68,7 +68,7 @@ The default value is 0, meaning that the volume can be detached without any time
   * `ETCD_VERSION_UPGRADE_TO`
   * `COREDNS_VERSION_UPGRADE_TO`
   The variable `SkipUpgrade` could be set to revert to the old behaviour by making use of the `KUBERNETES_VERSION` variable and skipping the kubernetes upgrade.
-- cert-manager upgraded from v1.9.1 to v1.10.0.
+- cert-manager upgraded from v1.9.1 to v1.10.1.
 - Machine `providerID` is now being strictly checked for equality when compared against Kubernetes node `providerID` data. This is the expected criteria for correlating a Cluster API machine to its corresponding Kubernetes node, but historically this comparison was not strict, and instead compared only against the `ID` substring part of the full `providerID` string. Because different providers construct `providerID` strings differently, the `ID` substring is not uniformly defined and implemented across providers, and thus the existing `providerID` equality can not guarantee the correct Machine-Node correlation. It is very unlikely that this new behavior will break existing providers, but FYI: if strict `providerID` equality will degrade expected behaviors, you may need to update your provider implementation prior to adopting Cluster API v1.3.
 - The default minimum TLS version in use by the webhook servers is 1.2.
 - OwnerReferences are now more strictly enforced for objects managed by Cluster API. Machines, Bootstrap configs, Infrastructure Machines and Secrets created by CAPI components [now have strictly enforced controller owner references](https://github.com/kubernetes-sigs/cluster-api/issues/7575). This is not expected to require changes for providers.

From 236cf195ccc8419246462bf80da23697687e73cb Mon Sep 17 00:00:00 2001
From: Christian Schlotter <christi.schlotter@gmail.com>
Date: Wed, 7 Dec 2022 10:22:25 +0100
Subject: [PATCH 39/87] clusterctl: fix goproxy to also return versions for
 major > 1

Also:
* moves goproxy functionality to an internal package
* reuses the package also for releaselink
* fixes releaselink references for aws
---
 cmd/clusterctl/client/repository/goproxy.go   | 163 --------------
 .../client/repository/goproxy_test.go         | 100 ---------
 .../client/repository/repository_github.go    |  24 +-
 .../repository/repository_github_test.go      |  26 ++-
 docs/book/src/clusterctl/commands/init.md     |   2 +
 docs/book/src/clusterctl/overview.md          |   2 +
 docs/book/src/clusterctl/provider-contract.md |   2 +
 docs/book/src/user/quick-start.md             |   6 +-
 hack/tools/mdbook/releaselink/releaselink.go  |  32 +--
 internal/goproxy/doc.go                       |  18 ++
 internal/goproxy/goproxy.go                   | 192 ++++++++++++++++
 internal/goproxy/goproxy_test.go              | 210 ++++++++++++++++++
 12 files changed, 481 insertions(+), 296 deletions(-)
 delete mode 100644 cmd/clusterctl/client/repository/goproxy.go
 delete mode 100644 cmd/clusterctl/client/repository/goproxy_test.go
 create mode 100644 internal/goproxy/doc.go
 create mode 100644 internal/goproxy/goproxy.go
 create mode 100644 internal/goproxy/goproxy_test.go

diff --git a/cmd/clusterctl/client/repository/goproxy.go b/cmd/clusterctl/client/repository/goproxy.go
deleted file mode 100644
index 08e8e0fc1b4e..000000000000
--- a/cmd/clusterctl/client/repository/goproxy.go
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
-Copyright 2022 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package repository
-
-import (
-	"context"
-	"io"
-	"net/http"
-	"net/url"
-	"path"
-	"path/filepath"
-	"sort"
-	"strings"
-
-	"github.com/blang/semver"
-	"github.com/pkg/errors"
-	"k8s.io/apimachinery/pkg/util/wait"
-)
-
-const (
-	defaultGoProxyHost = "proxy.golang.org"
-)
-
-type goproxyClient struct {
-	scheme string
-	host   string
-}
-
-func newGoproxyClient(scheme, host string) *goproxyClient {
-	return &goproxyClient{
-		scheme: scheme,
-		host:   host,
-	}
-}
-
-func (g *goproxyClient) getVersions(ctx context.Context, base, owner, repository string) ([]string, error) {
-	// A goproxy is also able to handle the github repository path instead of the actual go module name.
-	gomodulePath := path.Join(base, owner, repository)
-
-	rawURL := url.URL{
-		Scheme: g.scheme,
-		Host:   g.host,
-		Path:   path.Join(gomodulePath, "@v", "/list"),
-	}
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL.String(), http.NoBody)
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to get versions: failed to create request")
-	}
-
-	var rawResponse []byte
-	var retryError error
-	_ = wait.PollImmediateWithContext(ctx, retryableOperationInterval, retryableOperationTimeout, func(ctx context.Context) (bool, error) {
-		retryError = nil
-
-		resp, err := http.DefaultClient.Do(req)
-		if err != nil {
-			retryError = errors.Wrapf(err, "failed to get versions: failed to do request")
-			return false, nil
-		}
-		defer resp.Body.Close()
-
-		if resp.StatusCode != 200 {
-			retryError = errors.Errorf("failed to get versions: response status code %d", resp.StatusCode)
-			return false, nil
-		}
-
-		rawResponse, err = io.ReadAll(resp.Body)
-		if err != nil {
-			retryError = errors.Wrap(err, "failed to get versions: error reading goproxy response body")
-			return false, nil
-		}
-		return true, nil
-	})
-	if retryError != nil {
-		return nil, retryError
-	}
-
-	parsedVersions := semver.Versions{}
-	for _, s := range strings.Split(string(rawResponse), "\n") {
-		if s == "" {
-			continue
-		}
-		parsedVersion, err := semver.ParseTolerant(s)
-		if err != nil {
-			// Discard releases with tags that are not a valid semantic versions (the user can point explicitly to such releases).
-			continue
-		}
-		parsedVersions = append(parsedVersions, parsedVersion)
-	}
-
-	sort.Sort(parsedVersions)
-
-	versions := []string{}
-	for _, v := range parsedVersions {
-		versions = append(versions, "v"+v.String())
-	}
-
-	return versions, nil
-}
-
-// getGoproxyHost detects and returns the scheme and host for goproxy requests.
-// It returns empty strings if goproxy is disabled via `off` or `direct` values.
-func getGoproxyHost(goproxy string) (string, string, error) {
-	// Fallback to default
-	if goproxy == "" {
-		return "https", defaultGoProxyHost, nil
-	}
-
-	var goproxyHost, goproxyScheme string
-	// xref https://github.com/golang/go/blob/master/src/cmd/go/internal/modfetch/proxy.go
-	for goproxy != "" {
-		var rawURL string
-		if i := strings.IndexAny(goproxy, ",|"); i >= 0 {
-			rawURL = goproxy[:i]
-			goproxy = goproxy[i+1:]
-		} else {
-			rawURL = goproxy
-			goproxy = ""
-		}
-
-		rawURL = strings.TrimSpace(rawURL)
-		if rawURL == "" {
-			continue
-		}
-		if rawURL == "off" || rawURL == "direct" {
-			// Return nothing to fallback to github repository client without an error.
-			return "", "", nil
-		}
-
-		// Single-word tokens are reserved for built-in behaviors, and anything
-		// containing the string ":/" or matching an absolute file path must be a
-		// complete URL. For all other paths, implicitly add "https://".
-		if strings.ContainsAny(rawURL, ".:/") && !strings.Contains(rawURL, ":/") && !filepath.IsAbs(rawURL) && !path.IsAbs(rawURL) {
-			rawURL = "https://" + rawURL
-		}
-
-		parsedURL, err := url.Parse(rawURL)
-		if err != nil {
-			return "", "", errors.Wrapf(err, "parse GOPROXY url %q", rawURL)
-		}
-		goproxyHost = parsedURL.Host
-		goproxyScheme = parsedURL.Scheme
-		// A host was found so no need to continue.
-		break
-	}
-
-	return goproxyScheme, goproxyHost, nil
-}
diff --git a/cmd/clusterctl/client/repository/goproxy_test.go b/cmd/clusterctl/client/repository/goproxy_test.go
deleted file mode 100644
index 884ef24e362a..000000000000
--- a/cmd/clusterctl/client/repository/goproxy_test.go
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
-Copyright 2022 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package repository
-
-import (
-	"testing"
-	"time"
-)
-
-func Test_getGoproxyHost(t *testing.T) {
-	retryableOperationInterval = 200 * time.Millisecond
-	retryableOperationTimeout = 1 * time.Second
-
-	tests := []struct {
-		name       string
-		envvar     string
-		wantScheme string
-		wantHost   string
-		wantErr    bool
-	}{
-		{
-			name:       "defaulting",
-			envvar:     "",
-			wantScheme: "https",
-			wantHost:   "proxy.golang.org",
-			wantErr:    false,
-		},
-		{
-			name:       "direct falls back to empty strings",
-			envvar:     "direct",
-			wantScheme: "",
-			wantHost:   "",
-			wantErr:    false,
-		},
-		{
-			name:       "off falls back to empty strings",
-			envvar:     "off",
-			wantScheme: "",
-			wantHost:   "",
-			wantErr:    false,
-		},
-		{
-			name:       "other goproxy",
-			envvar:     "foo.bar.de",
-			wantScheme: "https",
-			wantHost:   "foo.bar.de",
-			wantErr:    false,
-		},
-		{
-			name:       "other goproxy comma separated, return first",
-			envvar:     "foo.bar,foobar.barfoo",
-			wantScheme: "https",
-			wantHost:   "foo.bar",
-			wantErr:    false,
-		},
-		{
-			name:       "other goproxy including https scheme",
-			envvar:     "https://foo.bar",
-			wantScheme: "https",
-			wantHost:   "foo.bar",
-			wantErr:    false,
-		},
-		{
-			name:       "other goproxy including http scheme",
-			envvar:     "http://foo.bar",
-			wantScheme: "http",
-			wantHost:   "foo.bar",
-			wantErr:    false,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			gotScheme, gotHost, err := getGoproxyHost(tt.envvar)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("getGoproxyHost() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if gotScheme != tt.wantScheme {
-				t.Errorf("getGoproxyHost() = %v, wantScheme %v", gotScheme, tt.wantScheme)
-			}
-			if gotHost != tt.wantHost {
-				t.Errorf("getGoproxyHost() = %v, wantHost %v", gotHost, tt.wantHost)
-			}
-		})
-	}
-}
diff --git a/cmd/clusterctl/client/repository/repository_github.go b/cmd/clusterctl/client/repository/repository_github.go
index c7f97ae36597..ac747c20792e 100644
--- a/cmd/clusterctl/client/repository/repository_github.go
+++ b/cmd/clusterctl/client/repository/repository_github.go
@@ -23,10 +23,12 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"time"
 
+	"github.com/blang/semver"
 	"github.com/google/go-github/v45/github"
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2"
@@ -36,6 +38,7 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/cmd/clusterctl/client/config"
 	logf "sigs.k8s.io/cluster-api/cmd/clusterctl/log"
+	"sigs.k8s.io/cluster-api/internal/goproxy"
 )
 
 const (
@@ -70,7 +73,7 @@ type gitHubRepository struct {
 	rootPath                 string
 	componentsPath           string
 	injectClient             *github.Client
-	injectGoproxyClient      *goproxyClient
+	injectGoproxyClient      *goproxy.Client
 }
 
 var _ Repository = &gitHubRepository{}
@@ -83,7 +86,7 @@ func injectGithubClient(c *github.Client) githubRepositoryOption {
 	}
 }
 
-func injectGoproxyClient(c *goproxyClient) githubRepositoryOption {
+func injectGoproxyClient(c *goproxy.Client) githubRepositoryOption {
 	return func(g *gitHubRepository) {
 		g.injectGoproxyClient = c
 	}
@@ -110,11 +113,20 @@ func (g *gitHubRepository) GetVersions() ([]string, error) {
 
 	var versions []string
 	if goProxyClient != nil {
-		versions, err = goProxyClient.getVersions(context.TODO(), githubDomain, g.owner, g.repository)
+		// A goproxy is also able to handle the github repository path instead of the actual go module name.
+		gomodulePath := path.Join(githubDomain, g.owner, g.repository)
+
+		var parsedVersions semver.Versions
+		parsedVersions, err = goProxyClient.GetVersions(context.TODO(), gomodulePath)
+
 		// Log the error before fallback to github repository client happens.
 		if err != nil {
 			log.V(5).Info("error using Goproxy client to list versions for repository, falling back to github client", "owner", g.owner, "repository", g.repository, "error", err)
 		}
+
+		for _, v := range parsedVersions {
+			versions = append(versions, "v"+v.String())
+		}
 	}
 
 	// Fallback to github repository client if goProxyClient is nil or an error occurred.
@@ -239,11 +251,11 @@ func (g *gitHubRepository) getClient() *github.Client {
 // getGoproxyClient returns a go proxy client.
 // It returns nil, nil if the environment variable is set to `direct` or `off`
 // to skip goproxy requests.
-func (g *gitHubRepository) getGoproxyClient() (*goproxyClient, error) {
+func (g *gitHubRepository) getGoproxyClient() (*goproxy.Client, error) {
 	if g.injectGoproxyClient != nil {
 		return g.injectGoproxyClient, nil
 	}
-	scheme, host, err := getGoproxyHost(os.Getenv("GOPROXY"))
+	scheme, host, err := goproxy.GetSchemeAndHost(os.Getenv("GOPROXY"))
 	if err != nil {
 		return nil, err
 	}
@@ -251,7 +263,7 @@ func (g *gitHubRepository) getGoproxyClient() (*goproxyClient, error) {
 	if scheme == "" && host == "" {
 		return nil, nil
 	}
-	return newGoproxyClient(scheme, host), nil
+	return goproxy.NewClient(scheme, host), nil
 }
 
 // setClientToken sets authenticatingHTTPClient field of gitHubRepository struct.
diff --git a/cmd/clusterctl/client/repository/repository_github_test.go b/cmd/clusterctl/client/repository/repository_github_test.go
index 356523891e83..49c5eac8217a 100644
--- a/cmd/clusterctl/client/repository/repository_github_test.go
+++ b/cmd/clusterctl/client/repository/repository_github_test.go
@@ -31,6 +31,7 @@ import (
 	clusterctlv1 "sigs.k8s.io/cluster-api/cmd/clusterctl/api/v1alpha3"
 	"sigs.k8s.io/cluster-api/cmd/clusterctl/client/config"
 	"sigs.k8s.io/cluster-api/cmd/clusterctl/internal/test"
+	"sigs.k8s.io/cluster-api/internal/goproxy"
 )
 
 func Test_gitHubRepository_GetVersions(t *testing.T) {
@@ -63,6 +64,21 @@ func Test_gitHubRepository_GetVersions(t *testing.T) {
 		fmt.Fprint(w, "v0.3.1\n")
 	})
 
+	// setup an handler for returning 3 different major fake releases
+	muxGoproxy.HandleFunc("/github.com/o/r3/@v/list", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "GET")
+		fmt.Fprint(w, "v1.0.0\n")
+		fmt.Fprint(w, "v0.1.0\n")
+	})
+	muxGoproxy.HandleFunc("/github.com/o/r3/v2/@v/list", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "GET")
+		fmt.Fprint(w, "v2.0.0\n")
+	})
+	muxGoproxy.HandleFunc("/github.com/o/r3/v3/@v/list", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "GET")
+		fmt.Fprint(w, "v3.0.0\n")
+	})
+
 	configVariablesClient := test.NewFakeVariableClient()
 
 	tests := []struct {
@@ -83,6 +99,12 @@ func Test_gitHubRepository_GetVersions(t *testing.T) {
 			want:           []string{"v0.3.1", "v0.3.2", "v0.4.0", "v0.5.0"},
 			wantErr:        false,
 		},
+		{
+			name:           "use goproxy having multiple majors",
+			providerConfig: config.NewProvider("test", "https://github.com/o/r3/releases/v3.0.0/path", clusterctlv1.CoreProviderType),
+			want:           []string{"v0.1.0", "v1.0.0", "v2.0.0", "v3.0.0"},
+			wantErr:        false,
+		},
 		{
 			name:           "failure",
 			providerConfig: config.NewProvider("test", "https://github.com/o/unknown/releases/v0.4.0/path", clusterctlv1.CoreProviderType),
@@ -812,7 +834,7 @@ func resetCaches() {
 // newFakeGoproxy sets up a test HTTP server along with a github.Client that is
 // configured to talk to that test server. Tests should register handlers on
 // mux which provide mock responses for the API method being tested.
-func newFakeGoproxy() (client *goproxyClient, mux *http.ServeMux, teardown func()) {
+func newFakeGoproxy() (client *goproxy.Client, mux *http.ServeMux, teardown func()) {
 	// mux is the HTTP request multiplexer used with the test server.
 	mux = http.NewServeMux()
 
@@ -824,5 +846,5 @@ func newFakeGoproxy() (client *goproxyClient, mux *http.ServeMux, teardown func(
 
 	// client is the GitHub client being tested and is configured to use test server.
 	url, _ := url.Parse(server.URL + "/")
-	return &goproxyClient{scheme: url.Scheme, host: url.Host}, mux, server.Close
+	return goproxy.NewClient(url.Scheme, url.Host), mux, server.Close
 }
diff --git a/docs/book/src/clusterctl/commands/init.md b/docs/book/src/clusterctl/commands/init.md
index d8dac4655fd8..ee4b9501f084 100644
--- a/docs/book/src/clusterctl/commands/init.md
+++ b/docs/book/src/clusterctl/commands/init.md
@@ -117,6 +117,8 @@ API calls to the GitHub API. It is possible to configure the go proxy url using
 for go itself (defaults to `https://proxy.golang.org`).
 To immediately fallback to the GitHub client and not use a go proxy, the environment variable could get set to
 `GOPROXY=off` or `GOPROXY=direct`.
+If a provider does not follow Go's semantic versioning, `clusterctl` may fail when detecting the correct version.
+In such cases, disabling the go proxy functionality via `GOPROXY=off` should be considered.
 
 See [clusterctl configuration](../configuration.md) for more info about provider repository configurations.
 
diff --git a/docs/book/src/clusterctl/overview.md b/docs/book/src/clusterctl/overview.md
index 84d58ed8c97d..e4cbaaf15117 100644
--- a/docs/book/src/clusterctl/overview.md
+++ b/docs/book/src/clusterctl/overview.md
@@ -33,6 +33,8 @@ API calls to the GitHub API. It is possible to configure the go proxy url using
 for go itself (defaults to `https://proxy.golang.org`).
 To immediately fallback to the GitHub client and not use a go proxy, the environment variable could get set to
 `GOPROXY=off` or `GOPROXY=direct`.
+If a provider does not follow Go's semantic versioning, `clusterctl` may fail when detecting the correct version.
+In such cases, disabling the go proxy functionality via `GOPROXY=off` should be considered.
 
 # Installing clusterctl
 Instructions are available in the [Quick Start](../user/quick-start.md#install-clusterctl).
diff --git a/docs/book/src/clusterctl/provider-contract.md b/docs/book/src/clusterctl/provider-contract.md
index ba132d0ceeb8..841e2082b126 100644
--- a/docs/book/src/clusterctl/provider-contract.md
+++ b/docs/book/src/clusterctl/provider-contract.md
@@ -54,6 +54,8 @@ API calls to the GitHub API. It is possible to configure the go proxy url using
 for go itself (defaults to `https://proxy.golang.org`).
 To immediately fallback to the GitHub client and not use a go proxy, the environment variable could get set to
 `GOPROXY=off` or `GOPROXY=direct`.
+If a provider does not follow Go's semantic versioning, `clusterctl` may fail when detecting the correct version.
+In such cases, disabling the go proxy functionality via `GOPROXY=off` should be considered.
 
 #### Creating a provider repository on GitLab
 
diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index 419fdb7fd578..e1a21f8793b9 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -262,7 +262,7 @@ Download the latest binary of `clusterawsadm` from the [AWS provider releases].
 
 Download the latest release; on linux, type:
 ```
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-linux-amd64" version:"1.x"}} -o clusterawsadm
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-linux-amd64" version:">=1.0.0"}} -o clusterawsadm
 ```
 
 Make it executable
@@ -284,12 +284,12 @@ clusterawsadm version
 
 Download the latest release; on macOs, type:
 ```
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-amd64" version:"1.x"}} -o clusterawsadm
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-amd64" version:">=1.0.0"}} -o clusterawsadm
 ```
 
 Or if your Mac has an M1 CPU (”Apple Silicon”):
 ```
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-arm64" version:"1.x"}} -o clusterawsadm
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-arm64" version:">=1.0.0"}} -o clusterawsadm
 ```
 
 Make it executable
diff --git a/hack/tools/mdbook/releaselink/releaselink.go b/hack/tools/mdbook/releaselink/releaselink.go
index c18b1cfd0fc0..4bd707e196e6 100644
--- a/hack/tools/mdbook/releaselink/releaselink.go
+++ b/hack/tools/mdbook/releaselink/releaselink.go
@@ -21,20 +21,18 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"fmt"
-	"io"
 	"log"
-	"net/http"
-	"net/url"
 	"os"
-	"path"
 	"reflect"
-	"sort"
 	"strings"
 
 	"github.com/blang/semver"
 	"golang.org/x/tools/go/vcs"
 	"sigs.k8s.io/kubebuilder/docs/book/utils/plugin"
+
+	"sigs.k8s.io/cluster-api/internal/goproxy"
 )
 
 // ReleaseLink responds to {{#releaselink <args>}} input. It asks for a `gomodule` parameter
@@ -58,36 +56,26 @@ func (l ReleaseLink) Process(input *plugin.Input) error {
 		versionRange := semver.MustParseRange(tags.Get("version"))
 		includePrereleases := tags.Get("prereleases") == "true"
 
-		repo, err := vcs.RepoRootForImportPath(gomodule, false)
+		scheme, host, err := goproxy.GetSchemeAndHost(os.Getenv("GOPROXY"))
 		if err != nil {
 			return "", err
 		}
-
-		rawURL := url.URL{
-			Scheme: "https",
-			Host:   "proxy.golang.org",
-			Path:   path.Join(gomodule, "@v", "/list"),
+		if scheme == "" || host == "" {
+			return "", fmt.Errorf("releaselink does not support disabling the go proxy: GOPROXY=%q", os.Getenv("GOPROXY"))
 		}
 
-		resp, err := http.Get(rawURL.String()) //nolint:noctx // NB: as we're just implementing an external interface we won't be able to get a context here.
+		goproxyClient := goproxy.NewClient(scheme, host)
+
+		repo, err := vcs.RepoRootForImportPath(gomodule, false)
 		if err != nil {
 			return "", err
 		}
-		defer resp.Body.Close()
 
-		out, err := io.ReadAll(resp.Body)
+		parsedTags, err := goproxyClient.GetVersions(context.Background(), gomodule)
 		if err != nil {
 			return "", err
 		}
 
-		parsedTags := semver.Versions{}
-		for _, line := range strings.Split(string(out), "\n") {
-			if strings.HasPrefix(line, "v") {
-				parsedTags = append(parsedTags, semver.MustParse(strings.TrimPrefix(line, "v")))
-			}
-		}
-		sort.Sort(parsedTags)
-
 		var picked semver.Version
 		for i, tag := range parsedTags {
 			if !includePrereleases && len(tag.Pre) > 0 {
diff --git a/internal/goproxy/doc.go b/internal/goproxy/doc.go
new file mode 100644
index 000000000000..3fb5d94638be
--- /dev/null
+++ b/internal/goproxy/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package goproxy implements a goproxy client.
+package goproxy
diff --git a/internal/goproxy/goproxy.go b/internal/goproxy/goproxy.go
new file mode 100644
index 000000000000..d79958a27771
--- /dev/null
+++ b/internal/goproxy/goproxy.go
@@ -0,0 +1,192 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package goproxy
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"path"
+	"path/filepath"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/blang/semver"
+	"github.com/pkg/errors"
+	"k8s.io/apimachinery/pkg/util/wait"
+)
+
+const (
+	defaultGoProxyHost = "proxy.golang.org"
+)
+
+var (
+	retryableOperationInterval = 10 * time.Second
+	retryableOperationTimeout  = 1 * time.Minute
+)
+
+// Client is a client to query versions from a goproxy instance.
+type Client struct {
+	scheme string
+	host   string
+}
+
+// NewClient returns a new goproxyClient instance.
+func NewClient(scheme, host string) *Client {
+	return &Client{
+		scheme: scheme,
+		host:   host,
+	}
+}
+
+// GetVersions returns the a sorted list of semantical versions which exist for a go module.
+func (g *Client) GetVersions(ctx context.Context, gomodulePath string) (semver.Versions, error) {
+	parsedVersions := semver.Versions{}
+
+	majorVersionNumber := 1
+	var majorVersion string
+	for {
+		if majorVersionNumber > 1 {
+			majorVersion = fmt.Sprintf("v%d", majorVersionNumber)
+		}
+		rawURL := url.URL{
+			Scheme: g.scheme,
+			Host:   g.host,
+			Path:   path.Join(gomodulePath, majorVersion, "@v", "/list"),
+		}
+		majorVersionNumber++
+
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL.String(), http.NoBody)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to get versions: failed to create request")
+		}
+
+		var rawResponse []byte
+		var responseStatusCode int
+		var retryError error
+		_ = wait.PollImmediateWithContext(ctx, retryableOperationInterval, retryableOperationTimeout, func(ctx context.Context) (bool, error) {
+			retryError = nil
+
+			resp, err := http.DefaultClient.Do(req)
+			if err != nil {
+				retryError = errors.Wrapf(err, "failed to get versions: failed to do request")
+				return false, nil
+			}
+			defer resp.Body.Close()
+
+			responseStatusCode = resp.StatusCode
+
+			// Status codes OK and NotFound are expected results:
+			// * OK indicates that we got a list of versions to read.
+			// * NotFound indicates that there are no versions for this module / modules major version.
+			if responseStatusCode != http.StatusOK && responseStatusCode != http.StatusNotFound {
+				retryError = errors.Errorf("failed to get versions: response status code %d", resp.StatusCode)
+				return false, nil
+			}
+
+			// only read the response for http.StatusOK
+			if responseStatusCode == http.StatusOK {
+				rawResponse, err = io.ReadAll(resp.Body)
+				if err != nil {
+					retryError = errors.Wrap(err, "failed to get versions: error reading goproxy response body")
+					return false, nil
+				}
+			}
+			return true, nil
+		})
+		if retryError != nil {
+			return nil, retryError
+		}
+
+		// Don't try to read the versions if status was not found.
+		if responseStatusCode == http.StatusNotFound {
+			break
+		}
+
+		for _, s := range strings.Split(string(rawResponse), "\n") {
+			if s == "" {
+				continue
+			}
+			parsedVersion, err := semver.ParseTolerant(s)
+			if err != nil {
+				// Discard releases with tags that are not a valid semantic versions (the user can point explicitly to such releases).
+				continue
+			}
+			parsedVersions = append(parsedVersions, parsedVersion)
+		}
+	}
+
+	if len(parsedVersions) == 0 {
+		return nil, fmt.Errorf("no versions found for go module %q", gomodulePath)
+	}
+
+	sort.Sort(parsedVersions)
+
+	return parsedVersions, nil
+}
+
+// GetSchemeAndHost detects and returns the scheme and host for goproxy requests.
+// It returns empty strings if goproxy is disabled via `off` or `direct` values.
+func GetSchemeAndHost(goproxy string) (string, string, error) {
+	// Fallback to default
+	if goproxy == "" {
+		return "https", defaultGoProxyHost, nil
+	}
+
+	var goproxyHost, goproxyScheme string
+	// xref https://github.com/golang/go/blob/master/src/cmd/go/internal/modfetch/proxy.go
+	for goproxy != "" {
+		var rawURL string
+		if i := strings.IndexAny(goproxy, ",|"); i >= 0 {
+			rawURL = goproxy[:i]
+			goproxy = goproxy[i+1:]
+		} else {
+			rawURL = goproxy
+			goproxy = ""
+		}
+
+		rawURL = strings.TrimSpace(rawURL)
+		if rawURL == "" {
+			continue
+		}
+		if rawURL == "off" || rawURL == "direct" {
+			// Return nothing to fallback to github repository client without an error.
+			return "", "", nil
+		}
+
+		// Single-word tokens are reserved for built-in behaviors, and anything
+		// containing the string ":/" or matching an absolute file path must be a
+		// complete URL. For all other paths, implicitly add "https://".
+		if strings.ContainsAny(rawURL, ".:/") && !strings.Contains(rawURL, ":/") && !filepath.IsAbs(rawURL) && !path.IsAbs(rawURL) {
+			rawURL = "https://" + rawURL
+		}
+
+		parsedURL, err := url.Parse(rawURL)
+		if err != nil {
+			return "", "", errors.Wrapf(err, "parse GOPROXY url %q", rawURL)
+		}
+		goproxyHost = parsedURL.Host
+		goproxyScheme = parsedURL.Scheme
+		// A host was found so no need to continue.
+		break
+	}
+
+	return goproxyScheme, goproxyHost, nil
+}
diff --git a/internal/goproxy/goproxy_test.go b/internal/goproxy/goproxy_test.go
new file mode 100644
index 000000000000..c914fa6f26e1
--- /dev/null
+++ b/internal/goproxy/goproxy_test.go
@@ -0,0 +1,210 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package goproxy
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/blang/semver"
+	. "github.com/onsi/gomega"
+)
+
+func TestClient_GetVersions(t *testing.T) {
+	retryableOperationInterval = 200 * time.Millisecond
+	retryableOperationTimeout = 1 * time.Second
+
+	clientGoproxy, muxGoproxy, teardownGoproxy := NewFakeGoproxy()
+	defer teardownGoproxy()
+
+	// setup an handler for returning 2 fake releases
+	muxGoproxy.HandleFunc("/github.com/o/r1/@v/list", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "GET")
+		fmt.Fprint(w, "v1.1.0\n")
+		fmt.Fprint(w, "v0.2.0\n")
+	})
+
+	// setup an handler for returning 2 fake releases for v1
+	muxGoproxy.HandleFunc("/github.com/o/r2/@v/list", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "GET")
+		fmt.Fprint(w, "v1.1.0\n")
+		fmt.Fprint(w, "v0.2.0\n")
+	})
+	// setup an handler for returning 2 fake releases for v2
+	muxGoproxy.HandleFunc("/github.com/o/r2/v2/@v/list", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "GET")
+		fmt.Fprint(w, "v2.0.1\n")
+		fmt.Fprint(w, "v2.0.0\n")
+	})
+
+	tests := []struct {
+		name         string
+		gomodulePath string
+		want         semver.Versions
+		wantErr      bool
+	}{
+		{
+			"No versions",
+			"github.com/o/doesntexist",
+			nil,
+			true,
+		},
+		{
+			"Two versions < v2",
+			"github.com/o/r1",
+			semver.Versions{
+				semver.MustParse("0.2.0"),
+				semver.MustParse("1.1.0"),
+			},
+			false,
+		},
+		{
+			"Multiple versiosn including > v1",
+			"github.com/o/r2",
+			semver.Versions{
+				semver.MustParse("0.2.0"),
+				semver.MustParse("1.1.0"),
+				semver.MustParse("2.0.0"),
+				semver.MustParse("2.0.1"),
+			},
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := context.Background()
+			g := NewWithT(t)
+
+			got, err := clientGoproxy.GetVersions(ctx, tt.gomodulePath)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+			g.Expect(err).ToNot(HaveOccurred())
+
+			g.Expect(got).To(BeEquivalentTo(tt.want))
+		})
+	}
+}
+
+func Test_GetGoproxyHost(t *testing.T) {
+	retryableOperationInterval = 200 * time.Millisecond
+	retryableOperationTimeout = 1 * time.Second
+
+	tests := []struct {
+		name       string
+		envvar     string
+		wantScheme string
+		wantHost   string
+		wantErr    bool
+	}{
+		{
+			name:       "defaulting",
+			envvar:     "",
+			wantScheme: "https",
+			wantHost:   "proxy.golang.org",
+			wantErr:    false,
+		},
+		{
+			name:       "direct falls back to empty strings",
+			envvar:     "direct",
+			wantScheme: "",
+			wantHost:   "",
+			wantErr:    false,
+		},
+		{
+			name:       "off falls back to empty strings",
+			envvar:     "off",
+			wantScheme: "",
+			wantHost:   "",
+			wantErr:    false,
+		},
+		{
+			name:       "other goproxy",
+			envvar:     "foo.bar.de",
+			wantScheme: "https",
+			wantHost:   "foo.bar.de",
+			wantErr:    false,
+		},
+		{
+			name:       "other goproxy comma separated, return first",
+			envvar:     "foo.bar,foobar.barfoo",
+			wantScheme: "https",
+			wantHost:   "foo.bar",
+			wantErr:    false,
+		},
+		{
+			name:       "other goproxy including https scheme",
+			envvar:     "https://foo.bar",
+			wantScheme: "https",
+			wantHost:   "foo.bar",
+			wantErr:    false,
+		},
+		{
+			name:       "other goproxy including http scheme",
+			envvar:     "http://foo.bar",
+			wantScheme: "http",
+			wantHost:   "foo.bar",
+			wantErr:    false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			gotScheme, gotHost, err := GetSchemeAndHost(tt.envvar)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+			g.Expect(err).ToNot(HaveOccurred())
+
+			g.Expect(gotScheme).To(Equal(tt.wantScheme))
+			g.Expect(gotHost).To(Equal(tt.wantHost))
+		})
+	}
+}
+
+// NewFakeGoproxy sets up a test HTTP server along with a github.Client that is
+// configured to talk to that test server. Tests should register handlers on
+// mux which provide mock responses for the API method being tested.
+func NewFakeGoproxy() (client *Client, mux *http.ServeMux, teardown func()) {
+	// mux is the HTTP request multiplexer used with the test server.
+	mux = http.NewServeMux()
+
+	apiHandler := http.NewServeMux()
+	apiHandler.Handle("/", mux)
+
+	// server is a test HTTP server used to provide mock API responses.
+	server := httptest.NewServer(apiHandler)
+
+	// client is the GitHub client being tested and is configured to use test server.
+	url, _ := url.Parse(server.URL + "/")
+	return NewClient(url.Scheme, url.Host), mux, server.Close
+}
+
+func testMethod(t *testing.T, r *http.Request, want string) {
+	t.Helper()
+
+	if got := r.Method; got != want {
+		t.Errorf("Request method: %v, want %v", got, want)
+	}
+}

From a184a27b3b41e67165dc097ec87fc6716777ff57 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Mon, 12 Dec 2022 11:56:38 +0000
Subject: [PATCH 40/87] Fix broken links in book

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 docs/book/src/developer/guide.md         | 2 +-
 docs/proposals/20220414-runtime-hooks.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/book/src/developer/guide.md b/docs/book/src/developer/guide.md
index 6527e1a2b2bd..fbb6e275ad55 100644
--- a/docs/book/src/developer/guide.md
+++ b/docs/book/src/developer/guide.md
@@ -133,7 +133,7 @@ information on each suite.
 Now you can [create CAPI objects][qs]!
 To test another iteration, you'll need to follow the steps to build, push, update the manifests, and apply.
 
-[qs]: ../user/quick-start.md#usage
+[qs]: ../user/quick-start.md
 
 ## Videos explaining CAPI architecture and code walkthroughs
 
diff --git a/docs/proposals/20220414-runtime-hooks.md b/docs/proposals/20220414-runtime-hooks.md
index 25b9d97c7823..6559f37e0a8b 100644
--- a/docs/proposals/20220414-runtime-hooks.md
+++ b/docs/proposals/20220414-runtime-hooks.md
@@ -39,7 +39,7 @@ superseded-by:
     * [Adding Cluster info to request vs providing only the Cluster name](#adding-cluster-info-to-request-vs-providing-only-the-cluster-name)
     * [Embedding CAPI types in request vs using runtime.RawExtension](#embedding-capi-types-in-request-vs-using-runtimerawextension)
 * [Upgrade Strategy](#upgrade-strategy)
-    * [Cluster API version upgrade](#clusterapi-version-upgrade)
+    * [Cluster API version upgrade](#cluster-api-version-upgrade)
     * [Kubernetes version upgrade](#kubernetes-version-upgrade)
 * [Additional Details](#additional-details)
     * [Test Plan](#test-plan)

From 593c91d67530591b7536ca38a2f8457d891fb395 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Thu, 8 Dec 2022 19:30:39 +0000
Subject: [PATCH 41/87] Add explicit length check for cluster and md names

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 api/v1beta1/machinedeployment_webhook.go      | 14 ++++++++
 api/v1beta1/machinedeployment_webhook_test.go | 36 ++++++++++++++++++-
 internal/webhooks/cluster.go                  | 14 ++++++++
 internal/webhooks/cluster_test.go             | 30 ++++++++++++++++
 4 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/api/v1beta1/machinedeployment_webhook.go b/api/v1beta1/machinedeployment_webhook.go
index 65fa45f4858b..6a5d6646c8e0 100644
--- a/api/v1beta1/machinedeployment_webhook.go
+++ b/api/v1beta1/machinedeployment_webhook.go
@@ -25,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -76,6 +77,19 @@ func (m *MachineDeployment) ValidateDelete() error {
 
 func (m *MachineDeployment) validate(old *MachineDeployment) error {
 	var allErrs field.ErrorList
+	// The MachineDeployment name is used as a label value. This check ensures names which are not be valid label values are rejected.
+	if errs := validation.IsValidLabelValue(m.Name); len(errs) != 0 {
+		for _, err := range errs {
+			allErrs = append(
+				allErrs,
+				field.Invalid(
+					field.NewPath("metadata", "name"),
+					m.Name,
+					fmt.Sprintf("must be a valid label value: %s", err),
+				),
+			)
+		}
+	}
 	specPath := field.NewPath("spec")
 	selector, err := metav1.LabelSelectorAsSelector(&m.Spec.Selector)
 	if err != nil {
diff --git a/api/v1beta1/machinedeployment_webhook_test.go b/api/v1beta1/machinedeployment_webhook_test.go
index 4ab87a471896..c7ccc4800cd5 100644
--- a/api/v1beta1/machinedeployment_webhook_test.go
+++ b/api/v1beta1/machinedeployment_webhook_test.go
@@ -67,14 +67,45 @@ func TestMachineDeploymentValidation(t *testing.T) {
 
 	goodMaxSurgeInt := intstr.FromInt(1)
 	goodMaxUnavailableInt := intstr.FromInt(0)
-
 	tests := []struct {
 		name      string
+		md        MachineDeployment
+		mdName    string
 		selectors map[string]string
 		labels    map[string]string
 		strategy  MachineDeploymentStrategy
 		expectErr bool
 	}{
+		{
+			name:      "pass with name of under 63 characters",
+			mdName:    "short-name",
+			expectErr: false,
+		},
+		{
+			name:      "pass with _, -, . characters in name",
+			mdName:    "thisNameContains.A_Non-Alphanumeric",
+			expectErr: false,
+		},
+		{
+			name:      "error with name of more than 63 characters",
+			mdName:    "thisNameIsReallyMuchLongerThanTheMaximumLengthOfSixtyThreeCharacters",
+			expectErr: true,
+		},
+		{
+			name:      "error when name starts with NonAlphanumeric character",
+			mdName:    "-thisNameStartsWithANonAlphanumeric",
+			expectErr: true,
+		},
+		{
+			name:      "error when name ends with NonAlphanumeric character",
+			mdName:    "thisNameEndsWithANonAlphanumeric.",
+			expectErr: true,
+		},
+		{
+			name:      "error when name contains invalid NonAlphanumeric character",
+			mdName:    "thisNameContainsInvalid!@NonAlphanumerics",
+			expectErr: true,
+		},
 		{
 			name:      "should return error on mismatch",
 			selectors: map[string]string{"foo": "bar"},
@@ -163,6 +194,9 @@ func TestMachineDeploymentValidation(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
 			md := &MachineDeployment{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: tt.mdName,
+				},
 				Spec: MachineDeploymentSpec{
 					Strategy: &tt.strategy,
 					Selector: metav1.LabelSelector{
diff --git a/internal/webhooks/cluster.go b/internal/webhooks/cluster.go
index ef6a6d870be7..1948abfa44ba 100644
--- a/internal/webhooks/cluster.go
+++ b/internal/webhooks/cluster.go
@@ -26,6 +26,7 @@ import (
 	"github.com/pkg/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -149,6 +150,19 @@ func (webhook *Cluster) ValidateDelete(_ context.Context, _ runtime.Object) erro
 
 func (webhook *Cluster) validate(ctx context.Context, oldCluster, newCluster *clusterv1.Cluster) error {
 	var allErrs field.ErrorList
+	// The Cluster name is used as a label value. This check ensures that names which are not valid label values are rejected.
+	if errs := validation.IsValidLabelValue(newCluster.Name); len(errs) != 0 {
+		for _, err := range errs {
+			allErrs = append(
+				allErrs,
+				field.Invalid(
+					field.NewPath("metadata", "name"),
+					newCluster.Name,
+					fmt.Sprintf("must be a valid label value %s", err),
+				),
+			)
+		}
+	}
 	specPath := field.NewPath("spec")
 	if newCluster.Spec.InfrastructureRef != nil && newCluster.Spec.InfrastructureRef.Namespace != newCluster.Namespace {
 		allErrs = append(
diff --git a/internal/webhooks/cluster_test.go b/internal/webhooks/cluster_test.go
index d403f8dc0ae6..2d12487d128b 100644
--- a/internal/webhooks/cluster_test.go
+++ b/internal/webhooks/cluster_test.go
@@ -518,6 +518,36 @@ func TestClusterValidation(t *testing.T) {
 							CIDRBlocks: []string{"10.10.10.10", "11.11.11.11"}}}).
 					Build(),
 			},
+			{
+				name:      "pass with name of under 63 characters",
+				expectErr: false,
+				in:        builder.Cluster("fooNamespace", "short-name").Build(),
+			},
+			{
+				name:      "pass with _, -, . characters in name",
+				in:        builder.Cluster("fooNamespace", "thisNameContains.A_Non-Alphanumeric").Build(),
+				expectErr: false,
+			},
+			{
+				name:      "fails if cluster name is longer than 63 characters",
+				in:        builder.Cluster("fooNamespace", "thisNameIsReallyMuchLongerThanTheMaximumLengthOfSixtyThreeCharacters").Build(),
+				expectErr: true,
+			},
+			{
+				name:      "error when name starts with NonAlphanumeric character",
+				in:        builder.Cluster("fooNamespace", "-thisNameStartsWithANonAlphanumeric").Build(),
+				expectErr: true,
+			},
+			{
+				name:      "error when name ends with NonAlphanumeric character",
+				in:        builder.Cluster("fooNamespace", "thisNameEndsWithANonAlphanumeric.").Build(),
+				expectErr: true,
+			},
+			{
+				name:      "error when name contains invalid NonAlphanumeric character",
+				in:        builder.Cluster("fooNamespace", "thisNameContainsInvalid!@NonAlphanumerics").Build(),
+				expectErr: true,
+			},
 		}
 	)
 	for _, tt := range tests {

From 4a21a8b55cafcf98071479165b1307e343db8f1f Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Tue, 13 Dec 2022 16:47:30 +0000
Subject: [PATCH 42/87] Update ginkgo to v2.6.0

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 go.mod            | 2 +-
 go.sum            | 4 ++--
 hack/tools/go.sum | 2 +-
 test/go.mod       | 2 +-
 test/go.sum       | 4 ++--
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index c9488b0716d2..36af70653ed9 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/google/go-github/v45 v45.2.0
 	github.com/google/gofuzz v1.2.0
 	github.com/mattn/go-runewidth v0.0.14 // indirect
-	github.com/onsi/ginkgo/v2 v2.5.0
+	github.com/onsi/ginkgo/v2 v2.6.0
 	github.com/onsi/gomega v1.24.1
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.6.1
diff --git a/go.sum b/go.sum
index 9006ecd1f9b1..6589ad96cab0 100644
--- a/go.sum
+++ b/go.sum
@@ -483,8 +483,8 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo/v2 v2.5.0 h1:TRtrvv2vdQqzkwrQ1ke6vtXf7IK34RBUJafIy1wMwls=
-github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw=
+github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc=
+github.com/onsi/ginkgo/v2 v2.6.0/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc=
 github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
 github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
diff --git a/hack/tools/go.sum b/hack/tools/go.sum
index 48444a538505..01bde7bc334e 100644
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@@ -406,7 +406,7 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo/v2 v2.5.0 h1:TRtrvv2vdQqzkwrQ1ke6vtXf7IK34RBUJafIy1wMwls=
+github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc=
 github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
 github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
diff --git a/test/go.mod b/test/go.mod
index 8993fc509765..391da4cd880b 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/docker/go-connections v0.4.0
 	github.com/flatcar/ignition v0.36.2
 	github.com/go-logr/logr v1.2.3
-	github.com/onsi/ginkgo/v2 v2.5.0
+	github.com/onsi/ginkgo/v2 v2.6.0
 	github.com/onsi/gomega v1.24.1
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/pflag v1.0.5
diff --git a/test/go.sum b/test/go.sum
index eea795fa80d2..7b6240b73660 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -435,8 +435,8 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLA
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo/v2 v2.5.0 h1:TRtrvv2vdQqzkwrQ1ke6vtXf7IK34RBUJafIy1wMwls=
-github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw=
+github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc=
+github.com/onsi/ginkgo/v2 v2.6.0/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc=
 github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
 github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

From c99824fb6b606ede959175ccd3401f7d8992ff0c Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Thu, 8 Dec 2022 17:47:08 +0000
Subject: [PATCH 43/87] Add name hashing for long MS names

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 api/v1beta1/machine_types.go                  |  2 +
 api/v1beta1/machineset_webhook.go             |  6 +-
 .../kubeadm/internal/cluster_labels.go        |  4 +-
 .../internal/controllers/controller.go        |  7 +-
 .../src/reference/labels_and_annotations.md   | 85 +++++++++---------
 .../machineset/machineset_controller.go       | 11 ++-
 internal/labels/helpers.go                    | 51 +++++++++++
 internal/labels/helpers_test.go               | 90 +++++++++++++++++++
 8 files changed, 205 insertions(+), 51 deletions(-)
 create mode 100644 internal/labels/helpers.go
 create mode 100644 internal/labels/helpers_test.go

diff --git a/api/v1beta1/machine_types.go b/api/v1beta1/machine_types.go
index 48448db4d928..f6596240bc0e 100644
--- a/api/v1beta1/machine_types.go
+++ b/api/v1beta1/machine_types.go
@@ -37,12 +37,14 @@ const (
 	ExcludeWaitForNodeVolumeDetachAnnotation = "machine.cluster.x-k8s.io/exclude-wait-for-node-volume-detach"
 
 	// MachineSetLabelName is the label set on machines if they're controlled by MachineSet.
+	// Note: The value of this label may be a hash if the MachineSet name is longer than 63 characters.
 	MachineSetLabelName = "cluster.x-k8s.io/set-name"
 
 	// MachineDeploymentLabelName is the label set on machines if they're controlled by MachineDeployment.
 	MachineDeploymentLabelName = "cluster.x-k8s.io/deployment-name"
 
 	// MachineControlPlaneNameLabel is the label set on machines if they're controlled by a ControlPlane.
+	// Note: The value of this label may be a hash if the control plane name is longer than 63 characters.
 	MachineControlPlaneNameLabel = "cluster.x-k8s.io/control-plane-name"
 
 	// PreDrainDeleteHookAnnotationPrefix annotation specifies the prefix we
diff --git a/api/v1beta1/machineset_webhook.go b/api/v1beta1/machineset_webhook.go
index 37ef1c1cdcf9..17f17ccd94e9 100644
--- a/api/v1beta1/machineset_webhook.go
+++ b/api/v1beta1/machineset_webhook.go
@@ -28,6 +28,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
+	capilabels "sigs.k8s.io/cluster-api/internal/labels"
 	"sigs.k8s.io/cluster-api/util/version"
 )
 
@@ -64,8 +65,9 @@ func (m *MachineSet) Default() {
 	}
 
 	if len(m.Spec.Selector.MatchLabels) == 0 && len(m.Spec.Selector.MatchExpressions) == 0 {
-		m.Spec.Selector.MatchLabels[MachineSetLabelName] = m.Name
-		m.Spec.Template.Labels[MachineSetLabelName] = m.Name
+		// Note: MustFormatValue is used here as the value of this label will be a hash if the MachineSet name is longer than 63 characters.
+		m.Spec.Selector.MatchLabels[MachineSetLabelName] = capilabels.MustFormatValue(m.Name)
+		m.Spec.Template.Labels[MachineSetLabelName] = capilabels.MustFormatValue(m.Name)
 	}
 
 	if m.Spec.Template.Spec.Version != nil && !strings.HasPrefix(*m.Spec.Template.Spec.Version, "v") {
diff --git a/controlplane/kubeadm/internal/cluster_labels.go b/controlplane/kubeadm/internal/cluster_labels.go
index 288bfad2afa5..2e619467377c 100644
--- a/controlplane/kubeadm/internal/cluster_labels.go
+++ b/controlplane/kubeadm/internal/cluster_labels.go
@@ -19,6 +19,7 @@ package internal
 import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
+	capilabels "sigs.k8s.io/cluster-api/internal/labels"
 )
 
 // ControlPlaneMachineLabelsForCluster returns a set of labels to add to a control plane machine for this specific cluster.
@@ -34,6 +35,7 @@ func ControlPlaneMachineLabelsForCluster(kcp *controlplanev1.KubeadmControlPlane
 	// Always force these labels over the ones coming from the spec.
 	labels[clusterv1.ClusterLabelName] = clusterName
 	labels[clusterv1.MachineControlPlaneLabelName] = ""
-	labels[clusterv1.MachineControlPlaneNameLabel] = kcp.Name
+	// Note: MustFormatValue is used here as the label value can be a hash if the control plane name is longer than 63 characters.
+	labels[clusterv1.MachineControlPlaneNameLabel] = capilabels.MustFormatValue(kcp.Name)
 	return labels
 }
diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go
index 072ce2f9662c..5b88fc941cba 100644
--- a/controlplane/kubeadm/internal/controllers/controller.go
+++ b/controlplane/kubeadm/internal/controllers/controller.go
@@ -44,6 +44,7 @@ import (
 	"sigs.k8s.io/cluster-api/controlplane/kubeadm/internal"
 	expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
 	"sigs.k8s.io/cluster-api/feature"
+	"sigs.k8s.io/cluster-api/internal/labels"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/annotations"
 	"sigs.k8s.io/cluster-api/util/collections"
@@ -340,8 +341,10 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, cluster *
 	// NOTE: cluster.x-k8s.io/control-plane is already set at this stage (it is used when reading controlPlane.Machines).
 	for i := range controlPlane.Machines {
 		machine := controlPlane.Machines[i]
-		if value, ok := machine.Labels[clusterv1.MachineControlPlaneNameLabel]; !ok || value != kcp.Name {
-			machine.Labels[clusterv1.MachineControlPlaneNameLabel] = kcp.Name
+		// Note: MustEqualValue and MustFormatValue is used here as the label value can be a hash if the control plane
+		// name is longer than 63 characters.
+		if value, ok := machine.Labels[clusterv1.MachineControlPlaneNameLabel]; !ok || !labels.MustEqualValue(kcp.Name, value) {
+			machine.Labels[clusterv1.MachineControlPlaneNameLabel] = labels.MustFormatValue(kcp.Name)
 		}
 	}
 
diff --git a/docs/book/src/reference/labels_and_annotations.md b/docs/book/src/reference/labels_and_annotations.md
index 4a2a98633d7c..e426f2d8821a 100644
--- a/docs/book/src/reference/labels_and_annotations.md
+++ b/docs/book/src/reference/labels_and_annotations.md
@@ -1,50 +1,51 @@
 **Supported Labels:**
 
 
-| Label     | Note     |
-|:--------|:--------|
-| cluster.x-k8s.io/cluster-name| It is set on machines linked to a cluster and external objects(bootstrap and infrastructure providers). |
-| topology.cluster.x-k8s.io/owned| It is set on all the object which are managed as part of a ClusterTopology. |
-|topology.cluster.x-k8s.io/deployment-name | It is set on the generated MachineDeployment objects to track the name of the MachineDeployment topology it represents. |
-| cluster.x-k8s.io/provider| It is set on components in the provider manifest. The label allows one to easily identify all the components belonging to a provider. The clusterctl tool uses this label for implementing provider's lifecycle operations. |
-| cluster.x-k8s.io/watch-filter | It can be applied to any Cluster API object. Controllers which allow for selective reconciliation may check this label and proceed with reconciliation of the object only if this label and a configured value is present. |
-| cluster.x-k8s.io/interruptible| It is used to mark the nodes that run on interruptible instances. |
-|cluster.x-k8s.io/control-plane | It is set on machines or related objects that are part of a control plane. |
-| cluster.x-k8s.io/set-name| It is set on machines if they're controlled by MachineSet. |
-| cluster.x-k8s.io/deployment-name| It is set on machines if they're controlled by a MachineDeployment. |
-| machine-template-hash| It is applied to Machines in a MachineDeployment containing the hash of the template. |
+| Label                                             | Note                                                                                                                                                                                                                        |
+|:--------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| cluster.x-k8s.io/cluster-name                     | It is set on machines linked to a cluster and external objects(bootstrap and infrastructure providers).                                                                                                                     |
+| topology.cluster.x-k8s.io/owned                   | It is set on all the object which are managed as part of a ClusterTopology.                                                                                                                                                 |
+| topology.cluster.x-k8s.io/deployment-name         | It is set on the generated MachineDeployment objects to track the name of the MachineDeployment topology it represents.                                                                                                     |
+| cluster.x-k8s.io/provider                         | It is set on components in the provider manifest. The label allows one to easily identify all the components belonging to a provider. The clusterctl tool uses this label for implementing provider's lifecycle operations. |
+| cluster.x-k8s.io/watch-filter                     | It can be applied to any Cluster API object. Controllers which allow for selective reconciliation may check this label and proceed with reconciliation of the object only if this label and a configured value is present.  |
+| cluster.x-k8s.io/interruptible                    | It is used to mark the nodes that run on interruptible instances.                                                                                                                                                           |
+| cluster.x-k8s.io/control-plane                    | It is set on machines or related objects that are part of a control plane.                                                                                                                                                  |
+| cluster.x-k8s.io/set-name                         | It is set on machines if they're controlled by MachineSet. The value of this label may be a hash if the MachineSet name is longer than 63 characters.                                                                       |
+| cluster.x-k8s.io/control-plane-name               | It is set on machines if they're controlled by a contorl plane. The value of this label may be a hash if the control plane name is longer than 63 characters.                                                               |
+| cluster.x-k8s.io/deployment-name                  | It is set on machines if they're controlled by a MachineDeployment.                                                                                                                                                         |
+| machine-template-hash                             | It is applied to Machines in a MachineDeployment containing the hash of the template.                                                                                                                                       |
 <br>
 
 
 **Supported Annotations:**
 
-| Annotation     | Note     |
-|:--------|:--------|
-| clusterctl.cluster.x-k8s.io/skip-crd-name-preflight-check   | Can be placed on provider CRDs, so that clusterctl doesn't emit a warning if the CRD doesn't comply with Cluster APIs naming scheme. Only CRDs that are referenced by core Cluster API CRDs have to comply with the naming scheme.   |
-| unsafe.topology.cluster.x-k8s.io/disable-update-class-name-check   | It can be used to disable the webhook check on update that disallows a pre-existing Cluster to be populated with Topology information and Class.  |
-| cluster.x-k8s.io/cluster-name   | It is set on nodes identifying the name of the cluster the node belongs to.  |
-|cluster.x-k8s.io/cluster-namespace    | It is set on nodes identifying the namespace of the cluster the node belongs to.   |
-| cluster.x-k8s.io/machine   | It is set on nodes identifying the machine the node belongs to.   |
-|  cluster.x-k8s.io/owner-kind  |  It is set on nodes identifying the owner kind.   |
-| cluster.x-k8s.io/owner-name   | It is set on nodes identifying the owner name.   |
-| cluster.x-k8s.io/paused   | It can be applied to any Cluster API object to prevent a controller from processing a resource. Controllers working with Cluster API objects must check the existence of this annotation on the reconciled object. |
-|   cluster.x-k8s.io/disable-machine-create | It can be used to signal a MachineSet to stop creating new machines. It is utilized in the OnDelete MachineDeploymentStrategy to allow the MachineDeployment controller to scale down older MachineSets when Machines are deleted and add the new replicas to the latest MachineSet.    |
-|  cluster.x-k8s.io/delete-machine  | It marks control plane and worker nodes that will be given priority for deletion when KCP or a MachineSet scales down. It is given top priority on all delete policies.    |
-|  cluster.x-k8s.io/cloned-from-name  | It is the infrastructure machine annotation that stores the name of the infrastructure template resource that was cloned for the machine. This annotation is set only during cloning a template. Older/adopted machines will not have this annotation.   |
-| cluster.x-k8s.io/cloned-from-groupkind   | It is the infrastructure machine annotation that stores the group-kind of the infrastructure template resource that was cloned for the machine. This annotation is set only during cloning a template. Older/adopted machines will not have this annotation.   |
-|  cluster.x-k8s.io/skip-remediation  | It is used to mark the machines that should not be considered for remediation by MachineHealthCheck reconciler.   |
-|  cluster.x-k8s.io/managed-by  | It can be applied to InfraCluster resources to signify that some external system is managing the cluster infrastructure. Provider InfraCluster controllers will ignore resources with this annotation. An external controller must fulfill the contract of the InfraCluster resource. External infrastructure providers should ensure that the annotation, once set, cannot be removed.  |
-|  cluster.x-k8s.io/replicas-managed-by  | It can be applied to MachinePool resources to signify that some external system is managing infrastructure scaling for that pool. See [the MachinePool documentation](../developer/architecture/controllers/machine-pool.md#externally-managed-autoscaler) for more details. |
-|  topology.cluster.x-k8s.io/dry-run  | It is an annotation that gets set on objects by the topology controller only during a server side dry run apply operation. It is used for validating update webhooks for objects which get updated by template rotation (e.g. InfrastructureMachineTemplate). When the annotation is set and the admission request is a dry run, the webhook should deny validation due to immutability. By that the request will succeed (without any changes to the actual object because it is a dry run) and the topology controller will receive the resulting object. |
-|  machine.cluster.x-k8s.io/certificates-expiry    | It captures the expiry date of the machine certificates in RFC3339 format. It is used to trigger rollout of control plane machines before certificates expire. It can be set on BootstrapConfig and Machine objects. The value set on Machine object takes precedence. The annotation is only used by control plane machines. |
-|  machine.cluster.x-k8s.io/exclude-node-draining  | It explicitly skips node draining if set.  |
-|  machine.cluster.x-k8s.io/exclude-wait-for-node-volume-detach  | It explicitly skips the waiting for node volume detaching if set. |
-|  pre-drain.delete.hook.machine.cluster.x-k8s.io  | It specifies the prefix we search each annotation for during the pre-drain.delete lifecycle hook to pause reconciliation of deletion. These hooks will prevent removal of draining the associated node until all are removed. |
-| pre-terminate.delete.hook.machine.cluster.x-k8s.io   | It specifies the prefix we search each annotation for during the pre-terminate.delete lifecycle hook to pause reconciliation of deletion. These hooks will prevent removal of an instance from an infrastructure provider until all are removed. |
-|  machinedeployment.clusters.x-k8s.io/revision  | It is the revision annotation of a machine deployment's machine sets which records its rollout sequence.   |
-|  machinedeployment.clusters.x-k8s.io/revision-history  | It maintains the history of all old revisions that a machine set has served for a machine deployment.   |
-|  machinedeployment.clusters.x-k8s.io/desired-replicas  | It is the desired replicas for a machine deployment recorded as an annotation in its machine sets. Helps in separating scaling events from the rollout process and for determining if the new machine set for a deployment is really saturated.   |
-|  machinedeployment.clusters.x-k8s.io/max-replicas  | It is the maximum replicas a deployment can have at a given point, which is machinedeployment.spec.replicas + maxSurge. Used by the underlying machine sets to estimate their proportions in case the deployment has surge replicas. |
-| controlplane.cluster.x-k8s.io/skip-coredns | It explicitly skips reconciling CoreDNS if set. |
-|controlplane.cluster.x-k8s.io/skip-kube-proxy | It explicitly skips reconciling kube-proxy if set.|
-| controlplane.cluster.x-k8s.io/kubeadm-cluster-configuration| It is a machine annotation that stores the json-marshalled string of KCP ClusterConfiguration. This annotation is used to detect any changes in ClusterConfiguration and trigger machine rollout in KCP.|
+| Annotation                                                       | Note                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+|:-----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| clusterctl.cluster.x-k8s.io/skip-crd-name-preflight-check        | Can be placed on provider CRDs, so that clusterctl doesn't emit a warning if the CRD doesn't comply with Cluster APIs naming scheme. Only CRDs that are referenced by core Cluster API CRDs have to comply with the naming scheme.                                                                                                                                                                                                                                                                                                                          |
+| unsafe.topology.cluster.x-k8s.io/disable-update-class-name-check | It can be used to disable the webhook check on update that disallows a pre-existing Cluster to be populated with Topology information and Class.                                                                                                                                                                                                                                                                                                                                                                                                            |
+| cluster.x-k8s.io/cluster-name                                    | It is set on nodes identifying the name of the cluster the node belongs to.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| cluster.x-k8s.io/cluster-namespace                               | It is set on nodes identifying the namespace of the cluster the node belongs to.                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+| cluster.x-k8s.io/machine                                         | It is set on nodes identifying the machine the node belongs to.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| cluster.x-k8s.io/owner-kind                                      | It is set on nodes identifying the owner kind.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| cluster.x-k8s.io/owner-name                                      | It is set on nodes identifying the owner name.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| cluster.x-k8s.io/paused                                          | It can be applied to any Cluster API object to prevent a controller from processing a resource. Controllers working with Cluster API objects must check the existence of this annotation on the reconciled object.                                                                                                                                                                                                                                                                                                                                          |
+| cluster.x-k8s.io/disable-machine-create                          | It can be used to signal a MachineSet to stop creating new machines. It is utilized in the OnDelete MachineDeploymentStrategy to allow the MachineDeployment controller to scale down older MachineSets when Machines are deleted and add the new replicas to the latest MachineSet.                                                                                                                                                                                                                                                                        |
+| cluster.x-k8s.io/delete-machine                                  | It marks control plane and worker nodes that will be given priority for deletion when KCP or a MachineSet scales down. It is given top priority on all delete policies.                                                                                                                                                                                                                                                                                                                                                                                     |
+| cluster.x-k8s.io/cloned-from-name                                | It is the infrastructure machine annotation that stores the name of the infrastructure template resource that was cloned for the machine. This annotation is set only during cloning a template. Older/adopted machines will not have this annotation.                                                                                                                                                                                                                                                                                                      |
+| cluster.x-k8s.io/cloned-from-groupkind                           | It is the infrastructure machine annotation that stores the group-kind of the infrastructure template resource that was cloned for the machine. This annotation is set only during cloning a template. Older/adopted machines will not have this annotation.                                                                                                                                                                                                                                                                                                |
+| cluster.x-k8s.io/skip-remediation                                | It is used to mark the machines that should not be considered for remediation by MachineHealthCheck reconciler.                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| cluster.x-k8s.io/managed-by                                      | It can be applied to InfraCluster resources to signify that some external system is managing the cluster infrastructure. Provider InfraCluster controllers will ignore resources with this annotation. An external controller must fulfill the contract of the InfraCluster resource. External infrastructure providers should ensure that the annotation, once set, cannot be removed.                                                                                                                                                                     |
+| cluster.x-k8s.io/replicas-managed-by                             | It can be applied to MachinePool resources to signify that some external system is managing infrastructure scaling for that pool. See [the MachinePool documentation](../developer/architecture/controllers/machine-pool.md#externally-managed-autoscaler) for more details.                                                                                                                                                                                                                                                                                |
+| topology.cluster.x-k8s.io/dry-run                                | It is an annotation that gets set on objects by the topology controller only during a server side dry run apply operation. It is used for validating update webhooks for objects which get updated by template rotation (e.g. InfrastructureMachineTemplate). When the annotation is set and the admission request is a dry run, the webhook should deny validation due to immutability. By that the request will succeed (without any changes to the actual object because it is a dry run) and the topology controller will receive the resulting object. |
+| machine.cluster.x-k8s.io/certificates-expiry                     | It captures the expiry date of the machine certificates in RFC3339 format. It is used to trigger rollout of control plane machines before certificates expire. It can be set on BootstrapConfig and Machine objects. The value set on Machine object takes precedence. The annotation is only used by control plane machines.                                                                                                                                                                                                                               |
+| machine.cluster.x-k8s.io/exclude-node-draining                   | It explicitly skips node draining if set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| machine.cluster.x-k8s.io/exclude-wait-for-node-volume-detach     | It explicitly skips the waiting for node volume detaching if set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| pre-drain.delete.hook.machine.cluster.x-k8s.io                   | It specifies the prefix we search each annotation for during the pre-drain.delete lifecycle hook to pause reconciliation of deletion. These hooks will prevent removal of draining the associated node until all are removed.                                                                                                                                                                                                                                                                                                                               |
+| pre-terminate.delete.hook.machine.cluster.x-k8s.io               | It specifies the prefix we search each annotation for during the pre-terminate.delete lifecycle hook to pause reconciliation of deletion. These hooks will prevent removal of an instance from an infrastructure provider until all are removed.                                                                                                                                                                                                                                                                                                            |
+| machinedeployment.clusters.x-k8s.io/revision                     | It is the revision annotation of a machine deployment's machine sets which records its rollout sequence.                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
+| machinedeployment.clusters.x-k8s.io/revision-history             | It maintains the history of all old revisions that a machine set has served for a machine deployment.                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| machinedeployment.clusters.x-k8s.io/desired-replicas             | It is the desired replicas for a machine deployment recorded as an annotation in its machine sets. Helps in separating scaling events from the rollout process and for determining if the new machine set for a deployment is really saturated.                                                                                                                                                                                                                                                                                                             |
+| machinedeployment.clusters.x-k8s.io/max-replicas                 | It is the maximum replicas a deployment can have at a given point, which is machinedeployment.spec.replicas + maxSurge. Used by the underlying machine sets to estimate their proportions in case the deployment has surge replicas.                                                                                                                                                                                                                                                                                                                        |
+| controlplane.cluster.x-k8s.io/skip-coredns                       | It explicitly skips reconciling CoreDNS if set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| controlplane.cluster.x-k8s.io/skip-kube-proxy                    | It explicitly skips reconciling kube-proxy if set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| controlplane.cluster.x-k8s.io/kubeadm-cluster-configuration      | It is a machine annotation that stores the json-marshalled string of KCP ClusterConfiguration. This annotation is used to detect any changes in ClusterConfiguration and trigger machine rollout in KCP.                                                                                                                                                                                                                                                                                                                                                    |
diff --git a/internal/controllers/machineset/machineset_controller.go b/internal/controllers/machineset/machineset_controller.go
index 0f8b5a1bb652..e605b08fbb68 100644
--- a/internal/controllers/machineset/machineset_controller.go
+++ b/internal/controllers/machineset/machineset_controller.go
@@ -41,6 +41,7 @@ import (
 	"sigs.k8s.io/cluster-api/controllers/noderefutil"
 	"sigs.k8s.io/cluster-api/controllers/remote"
 	"sigs.k8s.io/cluster-api/internal/controllers/machine"
+	capilabels "sigs.k8s.io/cluster-api/internal/labels"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/annotations"
 	"sigs.k8s.io/cluster-api/util/collections"
@@ -298,7 +299,8 @@ func (r *Reconciler) reconcile(ctx context.Context, cluster *clusterv1.Cluster,
 		mdNameOnMachineSet, mdNameSetOnMachineSet := machineSet.Labels[clusterv1.MachineDeploymentLabelName]
 		mdNameOnMachine := machine.Labels[clusterv1.MachineDeploymentLabelName]
 
-		if msName, ok := machine.Labels[clusterv1.MachineSetLabelName]; ok && msName == machineSet.Name &&
+		// Note: MustEqualValue is used here as the value of this label will be a hash if the MachineSet name is longer than 63 characters.
+		if msNameLabelValue, ok := machine.Labels[clusterv1.MachineSetLabelName]; ok && capilabels.MustEqualValue(machineSet.Name, msNameLabelValue) &&
 			(!mdNameSetOnMachineSet || mdNameOnMachineSet == mdNameOnMachine) {
 			// Continue if the MachineSet name label is already set correctly and
 			// either the MachineDeployment name label is not set on the MachineSet or
@@ -310,7 +312,8 @@ func (r *Reconciler) reconcile(ctx context.Context, cluster *clusterv1.Cluster,
 		if err != nil {
 			return ctrl.Result{}, errors.Wrapf(err, "failed to apply %s label to Machine %q", clusterv1.MachineSetLabelName, machine.Name)
 		}
-		machine.Labels[clusterv1.MachineSetLabelName] = machineSet.Name
+		// Note: MustFormatValue is used here as the value of this label will be a hash if the MachineSet name is longer than 63 characters.
+		machine.Labels[clusterv1.MachineSetLabelName] = capilabels.MustFormatValue(machineSet.Name)
 		// Propagate the MachineDeploymentLabelName from MachineSet to Machine if it is set on the MachineSet.
 		if mdNameSetOnMachineSet {
 			machine.Labels[clusterv1.MachineDeploymentLabelName] = mdNameOnMachineSet
@@ -558,8 +561,8 @@ func (r *Reconciler) getNewMachine(machineSet *clusterv1.MachineSet) *clusterv1.
 
 	// Enforce that the MachineSetLabelName label is set
 	// Note: the MachineSetLabelName is added by the default webhook to MachineSet.spec.template.labels if a spec.selector is empty.
-	machine.Labels[clusterv1.MachineSetLabelName] = machineSet.Name
-	// Propagate the MachineDeploymentLabelName from MachineSet to Machine if it exists.
+	machine.Labels[clusterv1.MachineSetLabelName] = capilabels.MustFormatValue(machineSet.Name)
+	// Propagate the MachineDeploymentNameLabel from MachineSet to Machine if it exists.
 	if mdName, ok := machineSet.Labels[clusterv1.MachineDeploymentLabelName]; ok {
 		machine.Labels[clusterv1.MachineDeploymentLabelName] = mdName
 	}
diff --git a/internal/labels/helpers.go b/internal/labels/helpers.go
new file mode 100644
index 000000000000..0b79fd5ed401
--- /dev/null
+++ b/internal/labels/helpers.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package labels contains functions to validate and compare values used in Kubernetes labels.
+package labels
+
+import (
+	"encoding/base64"
+	"hash/fnv"
+
+	"k8s.io/apimachinery/pkg/util/validation"
+)
+
+// MustFormatValue returns the passed inputLabelValue if it meets the standards for a Kubernetes label value.
+// If the name is not a valid label value this function returns a hash which meets the requirements.
+func MustFormatValue(str string) string {
+	// a valid Kubernetes label value must:
+	// - be less than 64 characters long.
+	// - be an empty string OR consist of alphanumeric characters, '-', '_' or '.'.
+	// - start and end with an alphanumeric character
+	if len(validation.IsValidLabelValue(str)) == 0 {
+		return str
+	}
+	hasher := fnv.New32a()
+	_, err := hasher.Write([]byte(str))
+	if err != nil {
+		// At time of writing the implementation of fnv's Write function can never return an error.
+		// If this changes in a future go version this function will panic.
+		panic(err)
+	}
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(hasher.Sum(nil))
+}
+
+// MustEqualValue returns true if the actualLabelValue equals either the inputLabelValue or the hashed
+// value of the inputLabelValue.
+func MustEqualValue(str, labelValue string) bool {
+	return labelValue == MustFormatValue(str)
+}
diff --git a/internal/labels/helpers_test.go b/internal/labels/helpers_test.go
new file mode 100644
index 000000000000..1021e91c3333
--- /dev/null
+++ b/internal/labels/helpers_test.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package labels
+
+import (
+	"testing"
+
+	"github.com/onsi/gomega"
+)
+
+func TestNameLabelValue(t *testing.T) {
+	g := gomega.NewWithT(t)
+	tests := []struct {
+		name           string
+		machineSetName string
+		want           string
+	}{
+		{
+			name:           "return the name if it's less than 63 characters",
+			machineSetName: "machineSetName",
+			want:           "machineSetName",
+		},
+		{
+			name:           "return  for a name with more than 63 characters",
+			machineSetName: "machineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetName",
+			want:           "FR_ghQ",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := MustFormatValue(tt.machineSetName)
+			g.Expect(got).To(gomega.Equal(tt.want))
+		})
+	}
+}
+
+func TestMustMatchLabelValueForName(t *testing.T) {
+	g := gomega.NewWithT(t)
+	tests := []struct {
+		name           string
+		machineSetName string
+		labelValue     string
+		want           bool
+	}{
+		{
+			name:           "match labels when MachineSet name is short",
+			machineSetName: "ms1",
+			labelValue:     "ms1",
+			want:           true,
+		},
+		{
+			name:           "don't match different labels when MachineSet name is short",
+			machineSetName: "ms1",
+			labelValue:     "notMS1",
+			want:           false,
+		},
+		{
+			name:           "don't match labels when MachineSet name is long",
+			machineSetName: "machineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetName",
+			labelValue:     "Nx4RdE",
+			want:           false,
+		},
+		{
+			name:           "match labels when MachineSet name is long",
+			machineSetName: "machineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetName",
+			labelValue:     "FR_ghQ",
+			want:           true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := MustEqualValue(tt.machineSetName, tt.labelValue)
+			g.Expect(got).To(gomega.Equal(tt.want))
+		})
+	}
+}

From edaa9ff6c93fbbe71c030b5a6ed102574576a740 Mon Sep 17 00:00:00 2001
From: fabriziopandini <fpandini@vmware.com>
Date: Tue, 13 Dec 2022 20:30:05 +0100
Subject: [PATCH 44/87] Bump shellcheck version (0.8.0 -> 0.9.0)

---
 Makefile                  | 4 +++-
 hack/verify-shellcheck.sh | 7 ++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index eebfcb1b4abb..78990cac1a56 100644
--- a/Makefile
+++ b/Makefile
@@ -138,6 +138,8 @@ GO_APIDIFF_PKG := github.com/joelanford/go-apidiff
 HADOLINT_VER := v2.10.0
 HADOLINT_FAILURE_THRESHOLD = warning
 
+SHELLCHECK_VER := v0.9.0
+
 KPROMO_VER := v3.4.5
 KPROMO_BIN := kpromo
 KPROMO :=  $(abspath $(TOOLS_BIN_DIR)/$(KPROMO_BIN)-$(KPROMO_VER))
@@ -608,7 +610,7 @@ verify-boilerplate: ## Verify boilerplate text exists in each file
 
 .PHONY: verify-shellcheck
 verify-shellcheck: ## Verify shell files
-	TRACE=$(TRACE) ./hack/verify-shellcheck.sh
+	TRACE=$(TRACE) ./hack/verify-shellcheck.sh $(SHELLCHECK_VER)
 
 .PHONY: verify-tiltfile
 verify-tiltfile: ## Verify Tiltfile format
diff --git a/hack/verify-shellcheck.sh b/hack/verify-shellcheck.sh
index b3e9ca25c865..955d6ddd1e9b 100755
--- a/hack/verify-shellcheck.sh
+++ b/hack/verify-shellcheck.sh
@@ -21,7 +21,12 @@ if [[ "${TRACE-0}" == "1" ]]; then
     set -o xtrace
 fi
 
-VERSION="v0.8.0"
+if [ $# -ne 1 ]; then
+  echo 1>&2 "$0: usage: ./verify-shellcheck.sh <version>"
+  exit 2
+fi
+
+VERSION=${1}
 
 OS="unknown"
 if [[ "${OSTYPE}" == "linux"* ]]; then

From 41a194d1322d277ca2ee53a90c920cf7afb13ad2 Mon Sep 17 00:00:00 2001
From: fabriziopandini <fpandini@vmware.com>
Date: Tue, 13 Dec 2022 20:35:35 +0100
Subject: [PATCH 45/87] seedling: Bump actions/checkout from 3.1.0 to 3.2.0

---
 .github/workflows/dependabot.yml       | 2 +-
 .github/workflows/golangci-lint.yml    | 2 +-
 .github/workflows/lint-docs-pr.yaml    | 2 +-
 .github/workflows/lint-docs-weekly.yml | 2 +-
 .github/workflows/release.yml          | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index eea7b76914e2..d28aa5f9ca0a 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -23,7 +23,7 @@ jobs:
         go-version: '1.19'
       id: go
     - name: Check out code into the Go module directory
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
     - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # tag=v3.0.11
       name: Restore go cache
       with:
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index c0eb5bd0eaf3..2c296e030aff 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -18,7 +18,7 @@ jobs:
           - test
           - hack/tools
     steps:
-      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
       - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # tag=v3.4.0
         with:
           go-version: 1.19
diff --git a/.github/workflows/lint-docs-pr.yaml b/.github/workflows/lint-docs-pr.yaml
index 3d90027824e9..bb540ce75f61 100644
--- a/.github/workflows/lint-docs-pr.yaml
+++ b/.github/workflows/lint-docs-pr.yaml
@@ -14,7 +14,7 @@ jobs:
     name: Broken Links
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
     - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # tag=v1
       with:
         use-quiet-mode: 'yes'
diff --git a/.github/workflows/lint-docs-weekly.yml b/.github/workflows/lint-docs-weekly.yml
index 2fe3a55a6fa2..3b35199b9099 100644
--- a/.github/workflows/lint-docs-weekly.yml
+++ b/.github/workflows/lint-docs-weekly.yml
@@ -12,7 +12,7 @@ jobs:
     name: Broken Links
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
       - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # tag=v1
         with:
           use-quiet-mode: 'yes'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 032a40a85bb1..3777adf63a07 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Set env
         run:  echo "RELEASE_TAG=${GITHUB_REF:10}" >> $GITHUB_ENV
       - name: checkout code
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
         with:
           fetch-depth: 0
       - name: Install go

From 74abba43419305e859438f3920390adc58e47c04 Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Wed, 30 Nov 2022 13:56:09 +0000
Subject: [PATCH 46/87] Fix flakiness in MD controller test

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 .../machinedeployment/machinedeployment_controller_test.go      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/controllers/machinedeployment/machinedeployment_controller_test.go b/internal/controllers/machinedeployment/machinedeployment_controller_test.go
index 40df6c3e3408..6d2d7953c8b1 100644
--- a/internal/controllers/machinedeployment/machinedeployment_controller_test.go
+++ b/internal/controllers/machinedeployment/machinedeployment_controller_test.go
@@ -404,7 +404,7 @@ func TestMachineDeploymentReconciler(t *testing.T) {
 			}
 
 			return len(machineSets.Items)
-		}, timeout*5).Should(BeEquivalentTo(0))
+		}, timeout*10).Should(BeEquivalentTo(0))
 
 		t.Log("Verifying MachineDeployment has correct Conditions")
 		g.Eventually(func() bool {

From 8bf5d8a2122261db2f4ef976e0a41a1de3654388 Mon Sep 17 00:00:00 2001
From: fabriziopandini <fpandini@vmware.com>
Date: Tue, 13 Dec 2022 20:37:37 +0100
Subject: [PATCH 47/87] KCP should avoid to reconcile certificates too early

---
 controlplane/kubeadm/internal/controllers/controller.go      | 5 +++++
 controlplane/kubeadm/internal/controllers/controller_test.go | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go
index 072ce2f9662c..838dbf0cac94 100644
--- a/controlplane/kubeadm/internal/controllers/controller.go
+++ b/controlplane/kubeadm/internal/controllers/controller.go
@@ -621,6 +621,11 @@ func (r *KubeadmControlPlaneReconciler) reconcileCertificateExpiries(ctx context
 		return ctrl.Result{}, nil
 	}
 
+	// Return if KCP is not yet initialized (no API server to contact for checking certificate expiration).
+	if !controlPlane.KCP.Status.Initialized {
+		return ctrl.Result{}, nil
+	}
+
 	// Ignore machines which are being deleted.
 	machines := controlPlane.Machines.Filter(collections.Not(collections.HasDeletionTimestamp))
 
diff --git a/controlplane/kubeadm/internal/controllers/controller_test.go b/controlplane/kubeadm/internal/controllers/controller_test.go
index c2b42f855a8d..3ec316110214 100644
--- a/controlplane/kubeadm/internal/controllers/controller_test.go
+++ b/controlplane/kubeadm/internal/controllers/controller_test.go
@@ -918,7 +918,9 @@ func TestReconcileCertificateExpiries(t *testing.T) {
 	detectedExpiry := time.Now().Add(25 * 24 * time.Hour)
 
 	cluster := newCluster(&types.NamespacedName{Name: "foo", Namespace: metav1.NamespaceDefault})
-	kcp := &controlplanev1.KubeadmControlPlane{}
+	kcp := &controlplanev1.KubeadmControlPlane{
+		Status: controlplanev1.KubeadmControlPlaneStatus{Initialized: true},
+	}
 	machineWithoutExpiryAnnotation := &clusterv1.Machine{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "machineWithoutExpiryAnnotation",

From 518afff76976636dab3501f296030849c472c740 Mon Sep 17 00:00:00 2001
From: Oscar Utbult <oscar.utbult@gmail.com>
Date: Tue, 13 Dec 2022 20:33:38 +0100
Subject: [PATCH 48/87] Fix verify-shellcheck script and fix findings

---
 hack/ensure-golangci-lint.sh | 4 +++-
 hack/verify-shellcheck.sh    | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/hack/ensure-golangci-lint.sh b/hack/ensure-golangci-lint.sh
index 85164228e65c..fef55ba8cb38 100755
--- a/hack/ensure-golangci-lint.sh
+++ b/hack/ensure-golangci-lint.sh
@@ -167,6 +167,8 @@ echoerr() {
   echo "$@" 1>&2
 }
 log_prefix() {
+  # Invoked indirectly
+  # shellcheck disable=SC2317
   echo "$0"
 }
 _logp=6
@@ -230,7 +232,7 @@ uname_arch() {
     armv6*) arch="armv6" ;;
     armv7*) arch="armv7" ;;
   esac
-  echo ${arch}
+  echo "${arch}"
 }
 uname_os_check() {
   os=$(uname_os)
diff --git a/hack/verify-shellcheck.sh b/hack/verify-shellcheck.sh
index b3e9ca25c865..03fd4a7c8480 100755
--- a/hack/verify-shellcheck.sh
+++ b/hack/verify-shellcheck.sh
@@ -68,7 +68,7 @@ fi
 
 echo "Running shellcheck..."
 cd "${ROOT_PATH}" || exit
-IGNORE_FILES=$(find . -name "*.sh" | grep "tilt_modules")
+IGNORE_FILES=$(find . -name "*.sh" | { grep "tilt_modules" || true; })
 echo "Ignoring shellcheck on ${IGNORE_FILES}"
 FILES=$(find . -name "*.sh" -not -path "./tilt_modules/*")
 while read -r file; do

From 1bf3df8aec5859313921743ff7cf214509ab2dfc Mon Sep 17 00:00:00 2001
From: Yuvaraj Kakaraparthi <kakaraparthy@vmware.com>
Date: Tue, 13 Dec 2022 20:55:44 -0800
Subject: [PATCH 49/87] restrict machine deployment topology name to less than
 63 characters

---
 internal/topology/check/compatibility.go      | 14 +++++++++
 internal/topology/check/compatibility_test.go | 30 +++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/internal/topology/check/compatibility.go b/internal/topology/check/compatibility.go
index 604d583844b0..fe7adaf9f50e 100644
--- a/internal/topology/check/compatibility.go
+++ b/internal/topology/check/compatibility.go
@@ -23,6 +23,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -277,6 +278,19 @@ func MachineDeploymentTopologiesAreValidAndDefinedInClusterClass(desired *cluste
 	machineDeploymentClasses := classNamesFromWorkerClass(clusterClass.Spec.Workers)
 	names := sets.String{}
 	for i, md := range desired.Spec.Topology.Workers.MachineDeployments {
+		if errs := validation.IsValidLabelValue(md.Name); len(errs) != 0 {
+			for _, err := range errs {
+				allErrs = append(
+					allErrs,
+					field.Invalid(
+						field.NewPath("spec", "topology", "workers", "machineDeployments").Index(i).Child("name"),
+						md.Name,
+						fmt.Sprintf("must be a valid label value %s", err),
+					),
+				)
+			}
+		}
+
 		if !machineDeploymentClasses.Has(md.Class) {
 			allErrs = append(allErrs,
 				field.Invalid(
diff --git a/internal/topology/check/compatibility_test.go b/internal/topology/check/compatibility_test.go
index 0f2c9074c4f1..ece2a14df892 100644
--- a/internal/topology/check/compatibility_test.go
+++ b/internal/topology/check/compatibility_test.go
@@ -992,6 +992,36 @@ func TestMachineDeploymentTopologiesAreUniqueAndDefinedInClusterClass(t *testing
 				Build(),
 			wantErr: false,
 		},
+		{
+			name: "fail if MachineDeploymentTopology name is longer than 63 characters",
+			clusterClass: builder.ClusterClass(metav1.NamespaceDefault, "class1").
+				WithInfrastructureClusterTemplate(
+					builder.InfrastructureClusterTemplate(metav1.NamespaceDefault, "infra1").Build()).
+				WithControlPlaneTemplate(
+					builder.ControlPlane(metav1.NamespaceDefault, "cp1").Build()).
+				WithControlPlaneInfrastructureMachineTemplate(
+					builder.InfrastructureMachineTemplate(metav1.NamespaceDefault, "cpinfra1").Build()).
+				WithWorkerMachineDeploymentClasses(
+					*builder.MachineDeploymentClass("aa").
+						WithInfrastructureTemplate(
+							builder.InfrastructureMachineTemplate(metav1.NamespaceDefault, "infra1").Build()).
+						WithBootstrapTemplate(
+							builder.BootstrapTemplate(metav1.NamespaceDefault, "bootstrap1").Build()).
+						Build()).
+				Build(),
+			cluster: builder.Cluster(metav1.NamespaceDefault, "cluster1").
+				WithTopology(
+					builder.ClusterTopology().
+						WithClass("class1").
+						WithVersion("v1.22.2").
+						WithMachineDeployment(
+							builder.MachineDeploymentTopology("machine-deployment-topology-name-that-has-longerthan63characterlooooooooooooooooooooooongname").
+								WithClass("aa").
+								Build()).
+						Build()).
+				Build(),
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From bc5dc3cd95dd9d093f92e9c8c95f5849ec8a38cf Mon Sep 17 00:00:00 2001
From: killianmuldoon <kmuldoon@vmware.com>
Date: Wed, 14 Dec 2022 12:20:18 +0000
Subject: [PATCH 50/87] Add deterministic prefix and suffix to label hash

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
---
 internal/labels/helpers.go      | 3 ++-
 internal/labels/helpers_test.go | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/internal/labels/helpers.go b/internal/labels/helpers.go
index 0b79fd5ed401..24f85cbbeadf 100644
--- a/internal/labels/helpers.go
+++ b/internal/labels/helpers.go
@@ -19,6 +19,7 @@ package labels
 
 import (
 	"encoding/base64"
+	"fmt"
 	"hash/fnv"
 
 	"k8s.io/apimachinery/pkg/util/validation"
@@ -41,7 +42,7 @@ func MustFormatValue(str string) string {
 		// If this changes in a future go version this function will panic.
 		panic(err)
 	}
-	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(hasher.Sum(nil))
+	return fmt.Sprintf("hash_%s_z", base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(hasher.Sum(nil)))
 }
 
 // MustEqualValue returns true if the actualLabelValue equals either the inputLabelValue or the hashed
diff --git a/internal/labels/helpers_test.go b/internal/labels/helpers_test.go
index 1021e91c3333..53dfef1640b4 100644
--- a/internal/labels/helpers_test.go
+++ b/internal/labels/helpers_test.go
@@ -37,7 +37,7 @@ func TestNameLabelValue(t *testing.T) {
 		{
 			name:           "return  for a name with more than 63 characters",
 			machineSetName: "machineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetName",
-			want:           "FR_ghQ",
+			want:           "hash_FR_ghQ_z",
 		},
 	}
 	for _, tt := range tests {
@@ -71,13 +71,13 @@ func TestMustMatchLabelValueForName(t *testing.T) {
 		{
 			name:           "don't match labels when MachineSet name is long",
 			machineSetName: "machineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetName",
-			labelValue:     "Nx4RdE",
+			labelValue:     "hash_Nx4RdE_z",
 			want:           false,
 		},
 		{
 			name:           "match labels when MachineSet name is long",
 			machineSetName: "machineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetNamemachineSetName",
-			labelValue:     "FR_ghQ",
+			labelValue:     "hash_FR_ghQ_z",
 			want:           true,
 		},
 	}

From dacf1c79a9e41a2160827c3b11f6abc706767b45 Mon Sep 17 00:00:00 2001
From: Yuvaraj Kakaraparthi <kakaraparthy@vmware.com>
Date: Tue, 20 Dec 2022 08:55:49 -0800
Subject: [PATCH 51/87] update golang/x/net to v0.4.0

---
 go.mod            | 6 +++---
 go.sum            | 9 ++++++---
 hack/tools/go.mod | 6 +++---
 hack/tools/go.sum | 9 ++++++---
 test/go.mod       | 6 +++---
 test/go.sum       | 9 ++++++---
 6 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/go.mod b/go.mod
index 36af70653ed9..a012e2ec920c 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/valyala/fastjson v1.6.3
 	go.etcd.io/etcd/api/v3 v3.5.4
 	go.etcd.io/etcd/client/v3 v3.5.4
-	golang.org/x/net v0.2.0 // indirect
+	golang.org/x/net v0.4.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
 	google.golang.org/grpc v1.47.0
 	k8s.io/api v0.25.0
@@ -130,8 +130,8 @@ require (
 	go.uber.org/zap v1.21.0 // indirect
 	go4.org v0.0.0-20201209231011-d4a079459e60 // indirect
 	golang.org/x/crypto v0.3.0 // indirect
-	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/term v0.2.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/term v0.3.0 // indirect
 	golang.org/x/text v0.5.0
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0
diff --git a/go.sum b/go.sum
index 6589ad96cab0..51108f9e3075 100644
--- a/go.sum
+++ b/go.sum
@@ -760,8 +760,9 @@ golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -875,12 +876,14 @@ golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/hack/tools/go.mod b/hack/tools/go.mod
index 319058c2319e..66ebe9511963 100644
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
@@ -130,11 +130,11 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	golang.org/x/crypto v0.3.0 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/net v0.2.0 // indirect
+	golang.org/x/net v0.4.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/term v0.2.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/term v0.3.0 // indirect
 	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
diff --git a/hack/tools/go.sum b/hack/tools/go.sum
index 01bde7bc334e..fc664da87993 100644
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@@ -628,8 +628,9 @@ golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -740,12 +741,14 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/test/go.mod b/test/go.mod
index 391da4cd880b..406a5544f2fd 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -109,10 +109,10 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
 	golang.org/x/crypto v0.3.0 // indirect
-	golang.org/x/net v0.2.0 // indirect
+	golang.org/x/net v0.4.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
-	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/term v0.2.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/term v0.3.0 // indirect
 	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
diff --git a/test/go.sum b/test/go.sum
index 7b6240b73660..ec33ff940fab 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -693,8 +693,9 @@ golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -806,12 +807,14 @@ golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

From 113c0b57c2198964f415b644c637d898256bbe4e Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Wed, 21 Dec 2022 14:34:47 +0100
Subject: [PATCH 52/87] Bump to Go 1.19.4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 Makefile | 2 +-
 Tiltfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 78990cac1a56..c878670b9209 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ SHELL:=/usr/bin/env bash
 #
 # Go.
 #
-GO_VERSION ?= 1.19.3
+GO_VERSION ?= 1.19.4
 GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
 
 # Use GOPROXY environment variable if set
diff --git a/Tiltfile b/Tiltfile
index e735ea5f04d8..08b204995ac7 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -167,7 +167,7 @@ def load_provider_tiltfiles():
 
 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.19.3 as tilt-helper
+FROM golang:1.19.4 as tilt-helper
 # Support live reloading with Tilt
 RUN go install github.com/go-delve/delve/cmd/dlv@latest
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/tilt-dev/rerun-process-wrapper/master/restart.sh  && \

From 4406e9967e123ab96d61734f1999b9839e5dd08f Mon Sep 17 00:00:00 2001
From: Oscar Utbult <oscar.utbult@gmail.com>
Date: Thu, 15 Dec 2022 14:41:23 +0100
Subject: [PATCH 53/87] book: add download links for all clusterctl
 architectures to quick start

---
 docs/book/src/user/quick-start.md | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index e1a21f8793b9..e5a3da188772 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -153,11 +153,24 @@ The clusterctl CLI tool handles the lifecycle of a Cluster API management cluste
 {{#tabs name:"install-clusterctl" tabs:"linux,macOS,homebrew,Windows"}}
 {{#tab linux}}
 
-#### Install clusterctl binary with curl on linux
-Download the latest release; on linux, type:
+#### Install clusterctl binary with curl on Linux
+If you are unsure you can determine your computers architecture by running `uname -a`
+
+Download for AMD64:
 ```bash
 curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-linux-amd64" version:"1.3.x"}} -o clusterctl
 ```
+
+Download for ARM64:
+```bash
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-linux-arm64" version:"1.3.x"}} -o clusterctl
+```
+
+Download for PPC64LE:
+```bash
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-linux-ppc64le" version:"1.3.x"}} -o clusterctl
+```
+
 Install clusterctl:
 ```bash
 sudo install -o root -g root -m 0755 clusterctl /usr/local/bin/clusterctl
@@ -171,12 +184,14 @@ clusterctl version
 {{#tab macOS}}
 
 #### Install clusterctl binary with curl on macOS
-Download the latest release; on macOS, type:
+If you are unsure you can determine your computers architecture by running `uname -a`
+
+Download for AMD64:
 ```bash
 curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-darwin-amd64" version:"1.3.x"}} -o clusterctl
 ```
 
-Or if your Mac has an M1 CPU ("Apple Silicon"):
+Download for M1 CPU ("Apple Silicon") / ARM64:
 ```bash
 curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api" asset:"clusterctl-darwin-arm64" version:"1.3.x"}} -o clusterctl
 ```

From dd843fe4df03caeedc5b168e19e9923c0cb699d5 Mon Sep 17 00:00:00 2001
From: Jayesh Srivastava <jayesh0200@gmail.com>
Date: Fri, 16 Dec 2022 17:54:10 +0530
Subject: [PATCH 54/87] Add support for CoxEdge provider

---
 cmd/clusterctl/client/config/providers_client.go | 6 ++++++
 cmd/clusterctl/client/config_test.go             | 2 ++
 cmd/clusterctl/cmd/config_repositories_test.go   | 5 +++++
 docs/book/src/reference/providers.md             | 1 +
 4 files changed, 14 insertions(+)

diff --git a/cmd/clusterctl/client/config/providers_client.go b/cmd/clusterctl/client/config/providers_client.go
index c77c740039be..08233f2856de 100644
--- a/cmd/clusterctl/client/config/providers_client.go
+++ b/cmd/clusterctl/client/config/providers_client.go
@@ -61,6 +61,7 @@ const (
 	KubeKeyProviderName        = "kubekey"
 	VclusterProviderName       = "vcluster"
 	VirtinkProviderName        = "virtink"
+	CoxEdgeProviderName        = "coxedge"
 )
 
 // Bootstrap providers.
@@ -203,6 +204,11 @@ func (p *providersClient) defaults() []Provider {
 			url:          "https://github.com/spectrocloud/cluster-api-provider-maas/releases/latest/infrastructure-components.yaml",
 			providerType: clusterctlv1.InfrastructureProviderType,
 		},
+		&provider{
+			name:         CoxEdgeProviderName,
+			url:          "https://github.com/coxedge/cluster-api-provider-coxedge/releases/latest/infrastructure-components.yaml",
+			providerType: clusterctlv1.InfrastructureProviderType,
+		},
 		&provider{
 			name:         BYOHProviderName,
 			url:          "https://github.com/vmware-tanzu/cluster-api-provider-bringyourownhost/releases/latest/infrastructure-components.yaml",
diff --git a/cmd/clusterctl/client/config_test.go b/cmd/clusterctl/client/config_test.go
index 8743d74a4056..ede509b616f6 100644
--- a/cmd/clusterctl/client/config_test.go
+++ b/cmd/clusterctl/client/config_test.go
@@ -69,6 +69,7 @@ func Test_clusterctlClient_GetProvidersConfig(t *testing.T) {
 				config.AzureProviderName,
 				config.BYOHProviderName,
 				config.CloudStackProviderName,
+				config.CoxEdgeProviderName,
 				config.DOProviderName,
 				config.DockerProviderName,
 				config.GCPProviderName,
@@ -114,6 +115,7 @@ func Test_clusterctlClient_GetProvidersConfig(t *testing.T) {
 				config.AzureProviderName,
 				config.BYOHProviderName,
 				config.CloudStackProviderName,
+				config.CoxEdgeProviderName,
 				config.DOProviderName,
 				config.DockerProviderName,
 				config.GCPProviderName,
diff --git a/cmd/clusterctl/cmd/config_repositories_test.go b/cmd/clusterctl/cmd/config_repositories_test.go
index d91806ef6cf2..040bbb9897bc 100644
--- a/cmd/clusterctl/cmd/config_repositories_test.go
+++ b/cmd/clusterctl/cmd/config_repositories_test.go
@@ -115,6 +115,7 @@ aws                 InfrastructureProvider
 azure               InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-azure/releases/latest/              infrastructure-components.yaml
 byoh                InfrastructureProvider   https://github.com/vmware-tanzu/cluster-api-provider-bringyourownhost/releases/latest/      infrastructure-components.yaml
 cloudstack          InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-cloudstack/releases/latest/         infrastructure-components.yaml
+coxedge             InfrastructureProvider   https://github.com/coxedge/cluster-api-provider-coxedge/releases/latest/                    infrastructure-components.yaml
 digitalocean        InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-digitalocean/releases/latest/       infrastructure-components.yaml
 docker              InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             infrastructure-components-development.yaml
 gcp                 InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-gcp/releases/latest/                infrastructure-components.yaml
@@ -198,6 +199,10 @@ var expectedOutputYaml = `- File: core_components.yaml
   Name: cloudstack
   ProviderType: InfrastructureProvider
   URL: https://github.com/kubernetes-sigs/cluster-api-provider-cloudstack/releases/latest/
+- File: infrastructure-components.yaml
+  Name: coxedge
+  ProviderType: InfrastructureProvider
+  URL: https://github.com/coxedge/cluster-api-provider-coxedge/releases/latest/
 - File: infrastructure-components.yaml
   Name: digitalocean
   ProviderType: InfrastructureProvider
diff --git a/docs/book/src/reference/providers.md b/docs/book/src/reference/providers.md
index e964729dea17..5ad09c584493 100644
--- a/docs/book/src/reference/providers.md
+++ b/docs/book/src/reference/providers.md
@@ -23,6 +23,7 @@ updated info about which API version they are supporting.
 - [Azure Stack HCI](https://github.com/microsoft/cluster-api-provider-azurestackhci)
 - [BYOH](https://github.com/vmware-tanzu/cluster-api-provider-bringyourownhost)
 - [CloudStack](https://github.com/kubernetes-sigs/cluster-api-provider-cloudstack)
+- [CoxEdge](https://github.com/coxedge/cluster-api-provider-coxedge)
 - [DigitalOcean](https://github.com/kubernetes-sigs/cluster-api-provider-digitalocean)
 - [Equinix Metal (formerly Packet)](https://github.com/kubernetes-sigs/cluster-api-provider-packet)
 - [GCP](https://github.com/kubernetes-sigs/cluster-api-provider-gcp)

From 239924158e4cef21c53fce2e7855301a675f642a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 26 Dec 2022 21:03:23 +0000
Subject: [PATCH 55/87] seedling: Bump actions/cache from 3.0.11 to 3.2.1

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.11 to 3.2.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7...c1a5de879eb890d062a85ee0252d6036480b1fe2)
---
 .github/workflows/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index d28aa5f9ca0a..0eb46dde0c1a 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -24,7 +24,7 @@ jobs:
       id: go
     - name: Check out code into the Go module directory
       uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
-    - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # tag=v3.0.11
+    - uses: actions/cache@c1a5de879eb890d062a85ee0252d6036480b1fe2 # tag=v3.2.1
       name: Restore go cache
       with:
         path: |

From eabd6d7b39eebf7124caeae69650a4d8ebc6c059 Mon Sep 17 00:00:00 2001
From: Benjamin Gentil <benjamin.gentil@infomaniak.com>
Date: Fri, 23 Dec 2022 17:56:24 +0100
Subject: [PATCH 56/87] docs/tilt: fix duplicate key in tilt-provider.yaml

Signed-off-by: Benjamin Gentil <benjamin.gentil@infomaniak.com>
---
 docs/book/src/developer/tilt.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/book/src/developer/tilt.md b/docs/book/src/developer/tilt.md
index 76d49144cf43..9ecca19458f2 100644
--- a/docs/book/src/developer/tilt.md
+++ b/docs/book/src/developer/tilt.md
@@ -354,7 +354,6 @@ A provider must supply a `tilt-provider.yaml` file describing how to build it. H
 name: aws
 config:
   image: "gcr.io/k8s-staging-cluster-api-aws/cluster-api-aws-controller",
-  label: CAPA
   live_reload_deps: ["main.go", "go.mod", "go.sum", "api", "cmd", "controllers", "pkg"]
   label: CAPA
 ```

From 0981e64196535f05cf0613f7b48d188aa292b181 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Mon, 2 Jan 2023 15:43:28 +0100
Subject: [PATCH 57/87] book: drop outdated note about removed e2e test func
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 docs/book/src/developer/e2e.md | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/docs/book/src/developer/e2e.md b/docs/book/src/developer/e2e.md
index 07748163c9f5..94762a200d9b 100644
--- a/docs/book/src/developer/e2e.md
+++ b/docs/book/src/developer/e2e.md
@@ -77,16 +77,6 @@ This method:
 - Waits for the providers controllers to be running.
 - Creates log watchers for all the providers
 
-<aside class="note">
-
-<h1>Deprecated InitManagementCluster method</h1>
-
-The [Cluster API test framework] also includes a [deprecated InitManagementCluster method] implementation,
-that was used before the introduction of clusterctl. This might be removed in future releases
-of the test framework.
-
-</aside>
-
 ## Writing test specs
 
 A typical test spec is a sequence of:
@@ -202,7 +192,6 @@ test specs for the most common Cluster API use cases.
 [Cluster API quick start]:  ../user/quick-start.md
 [Cluster API test framework]: https://pkg.go.dev/sigs.k8s.io/cluster-api/test/framework?tab=doc
 [deprecated E2E config file]: https://pkg.go.dev/sigs.k8s.io/cluster-api/test/framework?tab=doc#Config
-[deprecated InitManagementCluster method]: https://pkg.go.dev/sigs.k8s.io/cluster-api/test/framework?tab=doc#InitManagementCluster
 [Apply method]: https://pkg.go.dev/sigs.k8s.io/cluster-api/test/framework?tab=doc#Applier
 [CAPA E2E tests]: https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/scripts/ci-e2e.sh
 [CAPG E2E tests]: https://github.com/kubernetes-sigs/cluster-api-provider-gcp/blob/main/scripts/ci-e2e.sh

From 5bf721079c78aa9c34699023a5f6e90dd213a88a Mon Sep 17 00:00:00 2001
From: fabriziopandini <fpandini@vmware.com>
Date: Fri, 30 Dec 2022 13:14:35 +0100
Subject: [PATCH 58/87] Add verify script and weekly scan workflow

---
 .github/workflows/scan.yml      | 22 ++++++++++
 Makefile                        |  4 ++
 docs/book/src/reference/jobs.md |  7 +++
 docs/release/release-tasks.md   | 68 ++++++++++++++--------------
 hack/verify-container-images.sh | 78 +++++++++++++++++++++++++++++++++
 5 files changed, 147 insertions(+), 32 deletions(-)
 create mode 100644 .github/workflows/scan.yml
 create mode 100755 hack/verify-container-images.sh

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 000000000000..648f337b1f29
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,22 @@
+name: scan-images
+
+on:
+  schedule:
+    - cron: "0 12 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  scan:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+    - name: Setup go
+      uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # tag=v3.4.0
+      with:
+        go-version: 1.19
+    - name: Run verify container script
+      run: make verify-container-images
diff --git a/Makefile b/Makefile
index c878670b9209..0ce0e65f4acd 100644
--- a/Makefile
+++ b/Makefile
@@ -616,6 +616,10 @@ verify-shellcheck: ## Verify shell files
 verify-tiltfile: ## Verify Tiltfile format
 	TRACE=$(TRACE) ./hack/verify-starlark.sh
 
+.PHONY: verify-container-images
+verify-container-images: ## Verify container images
+	TRACE=$(TRACE) ./hack/verify-container-images.sh
+
 ## --------------------------------------
 ## Binaries
 ## --------------------------------------
diff --git a/docs/book/src/reference/jobs.md b/docs/book/src/reference/jobs.md
index 14ce9c67ba95..f318b78f9fd3 100644
--- a/docs/book/src/reference/jobs.md
+++ b/docs/book/src/reference/jobs.md
@@ -43,6 +43,13 @@ GitHub Presubmit Workflows:
 * release (run on tags)
   * Creates a GitHub release with release notes for the tag.
 
+
+GitHub Weekly Workflows:
+* golangci-lint: golangci/golangci-lint-action
+  * Weekly check all Markdown links
+* scan-images:
+  * Scan all images for vulnerabilities. Can be run locally via `make verify-container-images`
+
 ### Postsubmits
 
 Prow Postsubmits:
diff --git a/docs/release/release-tasks.md b/docs/release/release-tasks.md
index 28646fd98de8..305bf52e3a25 100644
--- a/docs/release/release-tasks.md
+++ b/docs/release/release-tasks.md
@@ -12,38 +12,39 @@ This document details the responsibilities and tasks for each role in the releas
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 **Table of Contents**
 
-- [Release Lead](#release-lead)
-  - [Responsibilities](#responsibilities)
-  - [Tasks](#tasks)
-    - [Set a tentative release date for the minor release](#set-a-tentative-release-date-for-the-minor-release)
-    - [Assemble release team](#assemble-release-team)
-    - [Finalize release schedule and team](#finalize-release-schedule-and-team)
-    - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release)
-    - [Create a new GitHub milestone for the next release](#create-a-new-github-milestone-for-the-next-release)
-    - [[Track] Remove previously deprecated code](#track-remove-previously-deprecated-code)
-    - [[Track] Bump dependencies](#track-bump-dependencies)
-    - [Create a release branch](#create-a-release-branch)
-    - [[Continuously] Maintain the GitHub release milestone](#continuously-maintain-the-github-release-milestone)
-    - [[Repeatedly] Cut a release](#repeatedly-cut-a-release)
-    - [[Optional] [Track] Bump the Cluster API apiVersion](#optional-track-bump-the-cluster-api-apiversion)
-    - [[Optional] [Track] Bump the Kubernetes version](#optional-track-bump-the-kubernetes-version)
-- [Communications/Docs/Release Notes Manager](#communicationsdocsrelease-notes-manager)
-  - [Responsibilities](#responsibilities-1)
-  - [Tasks](#tasks-1)
-    - [Add docs to collect release notes for users and migration notes for provider implementers](#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers)
-    - [Update supported versions](#update-supported-versions)
-    - [Ensure the book for the new release is available](#ensure-the-book-for-the-new-release-is-available)
-    - [Polish release notes](#polish-release-notes)
-    - [Change production branch in Netlify to the new release branch](#change-production-branch-in-netlify-to-the-new-release-branch)
-    - [Update clusterctl links in the quickstart](#update-clusterctl-links-in-the-quickstart)
-    - [Continuously: Communicate key dates to the community](#continuously-communicate-key-dates-to-the-community)
-- [CI Signal/Bug Triage/Automation Manager](#ci-signalbug-triageautomation-manager)
-  - [Responsibilities](#responsibilities-2)
-  - [Tasks](#tasks-2)
-    - [Setup jobs and dashboards for a new release branch](#setup-jobs-and-dashboards-for-a-new-release-branch)
-    - [[Continuously] Monitor CI signal](#continuously-monitor-ci-signal)
-    - [[Continuously] Reduce the amount of flaky tests](#continuously-reduce-the-amount-of-flaky-tests)
-    - [[Continuously] Bug triage](#continuously-bug-triage)
+- [Release Tasks](#release-tasks)
+  - [Release Lead](#release-lead)
+    - [Responsibilities](#responsibilities)
+    - [Tasks](#tasks)
+      - [Set a tentative release date for the minor release](#set-a-tentative-release-date-for-the-minor-release)
+      - [Assemble release team](#assemble-release-team)
+      - [Finalize release schedule and team](#finalize-release-schedule-and-team)
+      - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release)
+      - [Create a new GitHub milestone for the next release](#create-a-new-github-milestone-for-the-next-release)
+      - [\[Track\] Remove previously deprecated code](#track-remove-previously-deprecated-code)
+      - [\[Track\] Bump dependencies](#track-bump-dependencies)
+      - [Create a release branch](#create-a-release-branch)
+      - [\[Continuously\] Maintain the GitHub release milestone](#continuously-maintain-the-github-release-milestone)
+      - [\[Repeatedly\] Cut a release](#repeatedly-cut-a-release)
+      - [\[Optional\] \[Track\] Bump the Cluster API apiVersion](#optional-track-bump-the-cluster-api-apiversion)
+      - [\[Optional\] \[Track\] Bump the Kubernetes version](#optional-track-bump-the-kubernetes-version)
+  - [Communications/Docs/Release Notes Manager](#communicationsdocsrelease-notes-manager)
+    - [Responsibilities](#responsibilities-1)
+    - [Tasks](#tasks-1)
+      - [Add docs to collect release notes for users and migration notes for provider implementers](#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers)
+      - [Update supported versions](#update-supported-versions)
+      - [Ensure the book for the new release is available](#ensure-the-book-for-the-new-release-is-available)
+      - [Polish release notes](#polish-release-notes)
+      - [Change production branch in Netlify to the new release branch](#change-production-branch-in-netlify-to-the-new-release-branch)
+      - [Update clusterctl links in the quickstart](#update-clusterctl-links-in-the-quickstart)
+      - [Continuously: Communicate key dates to the community](#continuously-communicate-key-dates-to-the-community)
+  - [CI Signal/Bug Triage/Automation Manager](#ci-signalbug-triageautomation-manager)
+    - [Responsibilities](#responsibilities-2)
+    - [Tasks](#tasks-2)
+      - [Setup jobs and dashboards for a new release branch](#setup-jobs-and-dashboards-for-a-new-release-branch)
+      - [\[Continuously\] Monitor CI signal](#continuously-monitor-ci-signal)
+      - [\[Continuously\] Reduce the amount of flaky tests](#continuously-reduce-the-amount-of-flaky-tests)
+      - [\[Continuously\] Bug triage](#continuously-bug-triage)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -155,6 +156,7 @@ This can be done by:
 #### [Repeatedly] Cut a release
 
 1. Ensure CI is stable before cutting the release (e.g. by checking with the CI manager)
+   Note: special attention should be given to image scan results, so we can avoid cutting a release with CVE or document known CVEs in release notes.
 2. Create and push the release tags to the GitHub repository:
    ```bash 
    # Export the tag of the release to be cut, e.g.:
@@ -387,6 +389,8 @@ The goal of this task is to keep our tests running in CI stable.
     1. Create an issue in the Cluster API repository to surface the CI failure.
     2. Identify if the issue is a known issue, new issue or a regression.
     3. Mark the issue as `release-blocking` if applicable.
+4. Triage periodic GitHub actions failures, with special attention to image scan results;
+   Eventually open issues as described above.
 
 #### [Continuously] Reduce the amount of flaky tests
 
diff --git a/hack/verify-container-images.sh b/hack/verify-container-images.sh
new file mode 100755
index 000000000000..85a2dfa77707
--- /dev/null
+++ b/hack/verify-container-images.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+    set -o xtrace
+fi
+
+TRIVY_VERSION=0.34.0
+
+GO_OS="$(go env GOOS)"
+if [[ "${GO_OS}" == "linux" ]]; then
+  TRIVY_OS="Linux"
+elif [[ "${GO_OS}" == "darwin"* ]]; then
+  TRIVY_OS="macOS"
+fi
+
+GO_ARCH="$(go env GOARCH)"
+if [[ "${GO_ARCH}" == "amd" ]]; then
+  TRIVY_ARCH="32bit"
+elif [[ "${GO_ARCH}" == "amd64"* ]]; then
+  TRIVY_ARCH="64bit"
+elif [[ "${GO_ARCH}" == "arm" ]]; then
+  TRIVY_ARCH="ARM"
+elif [[ "${GO_ARCH}" == "arm64" ]]; then
+  TRIVY_ARCH="ARM64"
+fi
+
+TOOL_BIN=hack/tools/bin
+mkdir -p ${TOOL_BIN}
+
+# Downloads trivy scanner
+curl -L -o ${TOOL_BIN}/trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz"
+
+tar -xf "${TOOL_BIN}/trivy.tar.gz" -C "${TOOL_BIN}" trivy
+chmod +x ${TOOL_BIN}/trivy
+rm ${TOOL_BIN}/trivy.tar.gz
+
+# Builds all the container images to be scanned and cleans up changes to ./*manager_image_patch.yaml ./*manager_pull_policy.yaml.
+make REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent TAG=dev docker-build
+make clean-release-git
+
+# Scan the images
+${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/clusterctl-"${GO_ARCH}":dev && R1=$? || R1=$?
+${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/test-extension-"${GO_ARCH}":dev && R2=$? || R2=$?
+${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller-"${GO_ARCH}":dev && R3=$? || R3=$?
+${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller-"${GO_ARCH}":dev && R4=$? || R4=$?
+${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/cluster-api-controller-"${GO_ARCH}":dev && R5=$? || R5=$?
+${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/capd-manager-"${GO_ARCH}":dev && R6=$? || R6=$?
+
+echo ""
+BRed='\033[1;31m'
+BGreen='\033[1;32m'
+NC='\033[0m' # No
+
+if [ "$R1" -ne "0" ] || [ "$R2"  -ne "0" ] || [ "$R3" -ne "0" ] || [ "$R4" -ne "0"  ] || [ "$R5" -ne "0"  ] || [ "$R6" -ne "0" ]
+then
+  echo -e "${BRed}Check container images failed! There are vulnerability to be fixed${NC}"
+  exit 1
+fi
+
+echo -e "${BGreen}Check container images passed! No vulnerability found${NC}"

From af068cb6a01e0d270cd6527fb08af87e49788167 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Wed, 4 Jan 2023 13:48:41 +0100
Subject: [PATCH 59/87] test/e2e: fix CoreDNS readiness validation, misc
 improvements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 scripts/ci-e2e-lib.sh                                |  1 +
 test/e2e/data/kubetest/conformance.yaml              |  3 +++
 test/framework/deployment_helpers.go                 | 12 ++++--------
 .../infrastructure/docker/internal/docker/machine.go |  2 +-
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/scripts/ci-e2e-lib.sh b/scripts/ci-e2e-lib.sh
index 50396da15278..ee6db3203b40 100644
--- a/scripts/ci-e2e-lib.sh
+++ b/scripts/ci-e2e-lib.sh
@@ -84,6 +84,7 @@ k8s::resolveVersion() {
 
   resolveVersion=$version
   if [[ "$version" =~ ^v ]]; then
+    echo "+ $variableName=\"$version\" already a version, no need to resolve"
     return
   fi
 
diff --git a/test/e2e/data/kubetest/conformance.yaml b/test/e2e/data/kubetest/conformance.yaml
index 400ae8408b4c..c59fc45de9b4 100644
--- a/test/e2e/data/kubetest/conformance.yaml
+++ b/test/e2e/data/kubetest/conformance.yaml
@@ -6,3 +6,6 @@ ginkgo.slowSpecThreshold: 120.0
 ginkgo.flakeAttempts: 3
 ginkgo.trace: true
 ginkgo.v: true
+# Use 5m instead of the default 10m to fail faster
+# if kube-system Pods are not coming up.
+system-pods-startup-timeout: 5m
diff --git a/test/framework/deployment_helpers.go b/test/framework/deployment_helpers.go
index 10fb4780eb14..0b5d89f6f266 100644
--- a/test/framework/deployment_helpers.go
+++ b/test/framework/deployment_helpers.go
@@ -284,17 +284,13 @@ func WaitForDNSUpgrade(ctx context.Context, input WaitForDNSUpgradeInput, interv
 
 		// NOTE: coredns image name has changed over time (k8s.gcr.io/coredns,
 		// k8s.gcr.io/coredns/coredns), so we are checking if the version actually changed.
-		if strings.HasSuffix(d.Spec.Template.Spec.Containers[0].Image, fmt.Sprintf(":%s", input.DNSVersion)) {
+		if strings.HasSuffix(d.Spec.Template.Spec.Containers[0].Image, fmt.Sprintf(":%s", input.DNSVersion)) &&
+			// Also check whether the upgraded CoreDNS replicas are available and ready for use.
+			d.Status.ObservedGeneration >= d.Generation &&
+			d.Spec.Replicas != nil && d.Status.UpdatedReplicas == *d.Spec.Replicas && d.Status.AvailableReplicas == *d.Spec.Replicas {
 			return true, nil
 		}
 
-		// check whether the upgraded CoreDNS replicas are available and ready for use.
-		if d.Status.ObservedGeneration >= d.Generation {
-			if d.Spec.Replicas != nil && d.Status.UpdatedReplicas == *d.Spec.Replicas && d.Status.AvailableReplicas == *d.Spec.Replicas {
-				return true, nil
-			}
-		}
-
 		return false, nil
 	}, intervals...).Should(BeTrue())
 }
diff --git a/test/infrastructure/docker/internal/docker/machine.go b/test/infrastructure/docker/internal/docker/machine.go
index 9c85391be58f..498ca49a33b5 100644
--- a/test/infrastructure/docker/internal/docker/machine.go
+++ b/test/infrastructure/docker/internal/docker/machine.go
@@ -357,7 +357,7 @@ func (m *Machine) ExecBootstrap(ctx context.Context, data string, format bootstr
 		if err != nil {
 			log.Info("Failed running command", "instance", m.Name(), "command", command, "stdout", outStd.String(), "stderr", outErr.String(), "bootstrap data", data)
 			logContainerDebugInfo(ctx, log, m.ContainerName())
-			return errors.Wrap(errors.WithStack(err), "failed to run cloud config")
+			return errors.Wrapf(err, "failed to run cloud config: stdout: %s stderr: %s", outStd.String(), outErr.String())
 		}
 	}
 

From f48e639d55ff6dd06ef9f92d1ee9a02a4a4dbfad Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Wed, 4 Jan 2023 13:46:14 +0100
Subject: [PATCH 60/87] CAPD: only ignore necessary kubeadm preflight errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 .../internal/provisioning/cloudinit/runcmd.go   | 17 ++++++++++++-----
 .../provisioning/cloudinit/runcmd_test.go       |  6 +++---
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd.go b/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd.go
index 9b01270851f4..74e211666416 100644
--- a/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd.go
+++ b/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd.go
@@ -17,6 +17,7 @@ limitations under the License.
 package cloudinit
 
 import (
+	"fmt"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -53,21 +54,27 @@ func (a *runCmd) Commands() ([]provisioning.Cmd, error) {
 	return cmds, nil
 }
 
+// ignorePreflightErrors are preflight errors that fail in CAPD and thus we have to ignore them.
+const ignorePreflightErrors = "SystemVerification,Swap,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables"
+
 func hackKubeadmIgnoreErrors(c provisioning.Cmd) provisioning.Cmd {
 	// case kubeadm commands are defined as a string
 	if c.Cmd == "/bin/sh" && len(c.Args) >= 2 {
 		if c.Args[0] == "-c" {
-			c.Args[1] = strings.Replace(c.Args[1], "kubeadm init", "kubeadm init --ignore-preflight-errors=all", 1)
-			c.Args[1] = strings.Replace(c.Args[1], "kubeadm join", "kubeadm join --ignore-preflight-errors=all", 1)
+			c.Args[1] = strings.Replace(c.Args[1], "kubeadm init", fmt.Sprintf("kubeadm init --ignore-preflight-errors=%s", ignorePreflightErrors), 1)
+			c.Args[1] = strings.Replace(c.Args[1], "kubeadm join", fmt.Sprintf("kubeadm join --ignore-preflight-errors=%s", ignorePreflightErrors), 1)
 		}
 	}
 
 	// case kubeadm commands are defined as a list
 	if c.Cmd == "kubeadm" && len(c.Args) >= 1 {
 		if c.Args[0] == "init" || c.Args[0] == "join" {
-			c.Args = append(c.Args, "")                 // make space
-			copy(c.Args[2:], c.Args[1:])                // shift elements
-			c.Args[1] = "--ignore-preflight-errors=all" // insert the additional arg
+			// make space
+			c.Args = append(c.Args, "")
+			// shift elements
+			copy(c.Args[2:], c.Args[1:])
+			// insert the additional arg
+			c.Args[1] = fmt.Sprintf("--ignore-preflight-errors=%s", ignorePreflightErrors)
 		}
 	}
 
diff --git a/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd_test.go b/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd_test.go
index 1afb666a09e4..8e9ebcb0cc84 100644
--- a/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd_test.go
+++ b/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd_test.go
@@ -70,7 +70,7 @@ func TestRunCmdRun(t *testing.T) {
 				},
 			},
 			expectedCmds: []provisioning.Cmd{
-				{Cmd: "/bin/sh", Args: []string{"-c", "kubeadm init --ignore-preflight-errors=all --config /run/kubeadm/kubeadm.yaml"}},
+				{Cmd: "/bin/sh", Args: []string{"-c", "kubeadm init --ignore-preflight-errors=SystemVerification,Swap,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables --config /run/kubeadm/kubeadm.yaml"}},
 			},
 		},
 	}
@@ -100,11 +100,11 @@ runcmd:
 
 	r.Cmds[0] = hackKubeadmIgnoreErrors(r.Cmds[0])
 
-	expected0 := provisioning.Cmd{Cmd: "/bin/sh", Args: []string{"-c", "kubeadm init --ignore-preflight-errors=all --config=/run/kubeadm/kubeadm.yaml"}}
+	expected0 := provisioning.Cmd{Cmd: "/bin/sh", Args: []string{"-c", "kubeadm init --ignore-preflight-errors=SystemVerification,Swap,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables --config=/run/kubeadm/kubeadm.yaml"}}
 	g.Expect(r.Cmds[0]).To(Equal(expected0))
 
 	r.Cmds[1] = hackKubeadmIgnoreErrors(r.Cmds[1])
 
-	expected1 := provisioning.Cmd{Cmd: "kubeadm", Args: []string{"join", "--ignore-preflight-errors=all", "--config=/run/kubeadm/kubeadm-controlplane-join-config.yaml"}}
+	expected1 := provisioning.Cmd{Cmd: "kubeadm", Args: []string{"join", "--ignore-preflight-errors=SystemVerification,Swap,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables", "--config=/run/kubeadm/kubeadm-controlplane-join-config.yaml"}}
 	g.Expect(r.Cmds[1]).To(Equal(expected1))
 }

From dc19b22d9fb1d6e300f9d6c8e00a1ef4e95a3f54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Berk=20Dehrio=C4=9Flu?= <bdehrioglu@yahoo.com>
Date: Fri, 9 Dec 2022 13:45:00 +0300
Subject: [PATCH 61/87] add bootstrap secret rotation if the secret itself
 missing

---
 bootstrap/kubeadm/internal/controllers/token.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/bootstrap/kubeadm/internal/controllers/token.go b/bootstrap/kubeadm/internal/controllers/token.go
index 9c61c7f9199e..7fc2be7586a3 100644
--- a/bootstrap/kubeadm/internal/controllers/token.go
+++ b/bootstrap/kubeadm/internal/controllers/token.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
 	bootstraputil "k8s.io/cluster-bootstrap/token/util"
@@ -101,6 +102,12 @@ func refreshToken(ctx context.Context, c client.Client, token string, ttl time.D
 func shouldRotate(ctx context.Context, c client.Client, token string, ttl time.Duration) (bool, error) {
 	secret, err := getToken(ctx, c, token)
 	if err != nil {
+		// If the secret is deleted before due to unknown reasons, machine pools cannot be scaled up.
+		// Since that, secret should be rotated if missing.
+		// Normally, it is not expected to reach this line.
+		if apierrors.IsNotFound(err) {
+			return true, nil
+		}
 		return false, err
 	}
 

From 02515e87a4c8f530c500704393bc982b43a69d68 Mon Sep 17 00:00:00 2001
From: Aniruddha Basak <codewithaniruddha@gmail.com>
Date: Tue, 3 Jan 2023 22:03:16 +0530
Subject: [PATCH 62/87] Update kubebuilder envtest(1.25.0->1.26.0)

Signed-off-by: Aniruddha Basak <codewithaniruddha@gmail.com>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 0ce0e65f4acd..c1bafb4bb5ac 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ export GO111MODULE=on
 #
 # Kubebuilder.
 #
-export KUBEBUILDER_ENVTEST_KUBERNETES_VERSION ?= 1.25.0
+export KUBEBUILDER_ENVTEST_KUBERNETES_VERSION ?= 1.26.0
 export KUBEBUILDER_CONTROLPLANE_START_TIMEOUT ?= 60s
 export KUBEBUILDER_CONTROLPLANE_STOP_TIMEOUT ?= 60s
 

From eb8276998dce80f9e98a11e8b778f20918450116 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Mon, 9 Jan 2023 14:02:19 +0100
Subject: [PATCH 63/87] book: cherry-pick Linux capitalization & clusterawsdm
 doc updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 docs/book/src/user/quick-start.md | 107 +++++++++++++++++++++++++-----
 1 file changed, 92 insertions(+), 15 deletions(-)

diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index e5a3da188772..21f9e09720e6 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -150,8 +150,8 @@ a target [management cluster] on the selected [infrastructure provider].
 ### Install clusterctl
 The clusterctl CLI tool handles the lifecycle of a Cluster API management cluster.
 
-{{#tabs name:"install-clusterctl" tabs:"linux,macOS,homebrew,Windows"}}
-{{#tab linux}}
+{{#tabs name:"install-clusterctl" tabs:"Linux,macOS,homebrew,Windows"}}
+{{#tab Linux}}
 
 #### Install clusterctl binary with curl on Linux
 If you are unsure you can determine your computers architecture by running `uname -a`
@@ -211,7 +211,7 @@ clusterctl version
 {{#/tab }}
 {{#tab homebrew}}
 
-#### Install clusterctl with homebrew on macOS and linux
+#### Install clusterctl with homebrew on macOS and Linux
 
 Install the latest release using homebrew:
 
@@ -271,13 +271,14 @@ before getting started with Cluster API. See below for the expected settings for
 {{#tabs name:"tab-installation-infrastructure" tabs:"AWS,Azure,CloudStack,DigitalOcean,Docker,Equinix Metal,GCP,Hetzner,IBM Cloud,KubeKey,KubeVirt,Metal3,Nutanix,OCI,OpenStack,Outscale,VCD,vcluster,Virtink,vSphere"}}
 {{#tab AWS}}
 
-Download the latest binary of `clusterawsadm` from the [AWS provider releases].
-{{#tabs name:"install-clusterawsadm" tabs:"linux,macOS,homebrew"}}
-{{#tab linux}}
+Download the latest binary of `clusterawsadm` from the [AWS provider releases]. The [clusterawsadm] command line utility assists with identity and access management (IAM) for [Cluster API Provider AWS][capa].
 
-Download the latest release; on linux, type:
+{{#tabs name:"install-clusterawsadm" tabs:"Linux,macOS,homebrew,Windows"}}
+{{#tab Linux}}
+
+Download the latest release; on Linux, type:
 ```
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-linux-amd64" version:">=1.0.0"}} -o clusterawsadm
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-linux-amd64" version:">=2.0.0"}} -o clusterawsadm
 ```
 
 Make it executable
@@ -294,17 +295,39 @@ Check version to confirm installation
 ```
 clusterawsadm version
 ```
+
+**Example Usage**
+```bash
+export AWS_REGION=us-east-1 # This is used to help encode your environment variables
+export AWS_ACCESS_KEY_ID=<your-access-key>
+export AWS_SECRET_ACCESS_KEY=<your-secret-access-key>
+export AWS_SESSION_TOKEN=<session-token> # If you are using Multi-Factor Auth.
+
+# The clusterawsadm utility takes the credentials that you set as environment
+# variables and uses them to create a CloudFormation stack in your AWS account
+# with the correct IAM resources.
+clusterawsadm bootstrap iam create-cloudformation-stack
+
+# Create the base64 encoded credentials using clusterawsadm.
+# This command uses your environment variables and encodes
+# them in a value to be stored in a Kubernetes Secret.
+export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)
+
+# Finally, initialize the management cluster
+clusterctl init --infrastructure aws
+```
+
 {{#/tab }}
 {{#tab macOS}}
 
 Download the latest release; on macOs, type:
 ```
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-amd64" version:">=1.0.0"}} -o clusterawsadm
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-amd64" version:">=2.0.0"}} -o clusterawsadm
 ```
 
 Or if your Mac has an M1 CPU (”Apple Silicon”):
 ```
-curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-arm64" version:">=1.0.0"}} -o clusterawsadm
+curl -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-arm64" version:">=2.0.0"}} -o clusterawsadm
 ```
 
 Make it executable
@@ -321,6 +344,27 @@ Check version to confirm installation
 ```
 clusterawsadm version
 ```
+
+**Example Usage**
+```bash
+export AWS_REGION=us-east-1 # This is used to help encode your environment variables
+export AWS_ACCESS_KEY_ID=<your-access-key>
+export AWS_SECRET_ACCESS_KEY=<your-secret-access-key>
+export AWS_SESSION_TOKEN=<session-token> # If you are using Multi-Factor Auth.
+
+# The clusterawsadm utility takes the credentials that you set as environment
+# variables and uses them to create a CloudFormation stack in your AWS account
+# with the correct IAM resources.
+clusterawsadm bootstrap iam create-cloudformation-stack
+
+# Create the base64 encoded credentials using clusterawsadm.
+# This command uses your environment variables and encodes
+# them in a value to be stored in a Kubernetes Secret.
+export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)
+
+# Finally, initialize the management cluster
+clusterctl init --infrastructure aws
+```
 {{#/tab }}
 {{#tab homebrew}}
 
@@ -334,11 +378,7 @@ Check version to confirm installation
 clusterawsadm version
 ```
 
-{{#/tab }}
-{{#/tabs }}
-
-The [clusterawsadm] command line utility assists with identity and access management (IAM) for [Cluster API Provider AWS][capa].
-
+**Example Usage**
 ```bash
 export AWS_REGION=us-east-1 # This is used to help encode your environment variables
 export AWS_ACCESS_KEY_ID=<your-access-key>
@@ -359,6 +399,43 @@ export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-a
 clusterctl init --infrastructure aws
 ```
 
+{{#/tab }}
+{{#tab Windows}}
+
+Download the latest release; on Windows, type:
+```
+curl.exe -L {{#releaselink gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-windows-amd64" version:">=2.0.0"}} -o clusterawsadm.exe
+```
+
+Append or prepend the path of that directory to the `PATH` environment variable.
+Check version to confirm installation
+```
+clusterawsadm.exe version
+```
+
+**Example Usage in Powershell**
+```bash
+$Env:AWS_REGION="us-east-1" # This is used to help encode your environment variables
+$Env:AWS_ACCESS_KEY_ID="<your-access-key>"
+$Env:AWS_SECRET_ACCESS_KEY="<your-secret-access-key>"
+$Env:AWS_SESSION_TOKEN="<session-token>" # If you are using Multi-Factor Auth.
+
+# The clusterawsadm utility takes the credentials that you set as environment
+# variables and uses them to create a CloudFormation stack in your AWS account
+# with the correct IAM resources.
+clusterawsadm bootstrap iam create-cloudformation-stack
+
+# Create the base64 encoded credentials using clusterawsadm.
+# This command uses your environment variables and encodes
+# them in a value to be stored in a Kubernetes Secret.
+$Env:AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)
+
+# Finally, initialize the management cluster
+clusterctl init --infrastructure aws
+```
+{{#/tab }}
+{{#/tabs }}
+
 See the [AWS provider prerequisites] document for more details.
 
 {{#/tab }}

From 16183d7b18852242b44942f2fe7ccab64306dbd6 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Thu, 5 Jan 2023 12:34:34 +0100
Subject: [PATCH 64/87] KCP: block upgrade to versions with old registry,
 improve registry handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stefan Büringer buringerst@vmware.com
---
 .../kubeadm/api/v1beta1/kubeadm_types.go      |  13 +-
 ...strap.cluster.x-k8s.io_kubeadmconfigs.yaml |  20 +-
 ...uster.x-k8s.io_kubeadmconfigtemplates.yaml |  23 +-
 .../v1beta1/kubeadm_control_plane_types.go    |   5 +
 .../v1beta1/kubeadm_control_plane_webhook.go  |  31 ++-
 .../kubeadm_control_plane_webhook_test.go     | 201 ++++++++++++++----
 ...cluster.x-k8s.io_kubeadmcontrolplanes.yaml |  25 ++-
 ...x-k8s.io_kubeadmcontrolplanetemplates.yaml |  21 +-
 .../kubeadm/internal/workload_cluster.go      |  34 ++-
 .../internal/workload_cluster_coredns.go      |  20 +-
 .../internal/workload_cluster_coredns_test.go |  42 +++-
 internal/util/kubeadm/kubeadm.go              |  72 +++++++
 internal/util/kubeadm/kubeadm_test.go         |  68 ++++++
 test/framework/daemonset_helpers.go           |  13 +-
 .../docker/internal/docker/machine.go         |   4 +-
 15 files changed, 467 insertions(+), 125 deletions(-)
 create mode 100644 internal/util/kubeadm/kubeadm.go
 create mode 100644 internal/util/kubeadm/kubeadm_test.go

diff --git a/bootstrap/kubeadm/api/v1beta1/kubeadm_types.go b/bootstrap/kubeadm/api/v1beta1/kubeadm_types.go
index f8ea593ec0ac..dc2bb60876f9 100644
--- a/bootstrap/kubeadm/api/v1beta1/kubeadm_types.go
+++ b/bootstrap/kubeadm/api/v1beta1/kubeadm_types.go
@@ -125,9 +125,16 @@ type ClusterConfiguration struct {
 	CertificatesDir string `json:"certificatesDir,omitempty"`
 
 	// ImageRepository sets the container registry to pull images from.
-	// If empty, `registry.k8s.io` will be used by default; in case of kubernetes version is a CI build (kubernetes version starts with `ci/` or `ci-cross/`)
-	// `gcr.io/k8s-staging-ci-images` will be used as a default for control plane components and for kube-proxy, while `registry.k8s.io`
-	// will be used for all the other images.
+	// * If not set, the default registry of kubeadm will be used, i.e.
+	//   * registry.k8s.io (new registry): >= v1.22.17, >= v1.23.15, >= v1.24.9, >= v1.25.0
+	//   * k8s.gcr.io (old registry): all older versions
+	//   Please note that when imageRepository is not set we don't allow upgrades to
+	//   versions >= v1.22.0 which use the old registry (k8s.gcr.io). Please use
+	//   a newer patch version with the new registry instead (i.e. >= v1.22.17,
+	//   >= v1.23.15, >= v1.24.9, >= v1.25.0).
+	// * If the version is a CI build (kubernetes version starts with `ci/` or `ci-cross/`)
+	//  `gcr.io/k8s-staging-ci-images` will be used as a default for control plane components
+	//   and for kube-proxy, while `registry.k8s.io` will be used for all the other images.
 	// +optional
 	ImageRepository string `json:"imageRepository,omitempty"`
 
diff --git a/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml b/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml
index 71c60711ac0a..1ae748175bdb 100644
--- a/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml
+++ b/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml
@@ -2243,13 +2243,19 @@ spec:
                     description: FeatureGates enabled by the user.
                     type: object
                   imageRepository:
-                    description: ImageRepository sets the container registry to pull
-                      images from. If empty, `registry.k8s.io` will be used by default;
-                      in case of kubernetes version is a CI build (kubernetes version
-                      starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
-                      will be used as a default for control plane components and for
-                      kube-proxy, while `registry.k8s.io` will be used for all the
-                      other images.
+                    description: 'ImageRepository sets the container registry to pull
+                      images from. * If not set, the default registry of kubeadm will
+                      be used, i.e. * registry.k8s.io (new registry): >= v1.22.17,
+                      >= v1.23.15, >= v1.24.9, >= v1.25.0 * k8s.gcr.io (old registry):
+                      all older versions Please note that when imageRepository is
+                      not set we don''t allow upgrades to versions >= v1.22.0 which
+                      use the old registry (k8s.gcr.io). Please use a newer patch
+                      version with the new registry instead (i.e. >= v1.22.17, >=
+                      v1.23.15, >= v1.24.9, >= v1.25.0). * If the version is a CI
+                      build (kubernetes version starts with `ci/` or `ci-cross/`)
+                      `gcr.io/k8s-staging-ci-images` will be used as a default for
+                      control plane components and for kube-proxy, while `registry.k8s.io`
+                      will be used for all the other images.'
                     type: string
                   kind:
                     description: 'Kind is a string value representing the REST resource
diff --git a/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml b/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml
index 85493b712abd..b9b33cb1fac5 100644
--- a/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml
+++ b/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml
@@ -2246,14 +2246,21 @@ spec:
                             description: FeatureGates enabled by the user.
                             type: object
                           imageRepository:
-                            description: ImageRepository sets the container registry
-                              to pull images from. If empty, `registry.k8s.io` will
-                              be used by default; in case of kubernetes version is
-                              a CI build (kubernetes version starts with `ci/` or
-                              `ci-cross/`) `gcr.io/k8s-staging-ci-images` will be
-                              used as a default for control plane components and for
-                              kube-proxy, while `registry.k8s.io` will be used for
-                              all the other images.
+                            description: 'ImageRepository sets the container registry
+                              to pull images from. * If not set, the default registry
+                              of kubeadm will be used, i.e. * registry.k8s.io (new
+                              registry): >= v1.22.17, >= v1.23.15, >= v1.24.9, >=
+                              v1.25.0 * k8s.gcr.io (old registry): all older versions
+                              Please note that when imageRepository is not set we
+                              don''t allow upgrades to versions >= v1.22.0 which use
+                              the old registry (k8s.gcr.io). Please use a newer patch
+                              version with the new registry instead (i.e. >= v1.22.17,
+                              >= v1.23.15, >= v1.24.9, >= v1.25.0). * If the version
+                              is a CI build (kubernetes version starts with `ci/`
+                              or `ci-cross/`) `gcr.io/k8s-staging-ci-images` will
+                              be used as a default for control plane components and
+                              for kube-proxy, while `registry.k8s.io` will be used
+                              for all the other images.'
                             type: string
                           kind:
                             description: 'Kind is a string value representing the
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_types.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_types.go
index 8f07c1dd91c6..823fb123f679 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_types.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_types.go
@@ -60,6 +60,11 @@ type KubeadmControlPlaneSpec struct {
 	Replicas *int32 `json:"replicas,omitempty"`
 
 	// Version defines the desired Kubernetes version.
+	// Please note that if kubeadmConfigSpec.ClusterConfiguration.imageRepository is not set
+	// we don't allow upgrades to versions >= v1.22.0 for which kubeadm uses the old registry (k8s.gcr.io).
+	// Please use a newer patch version with the new registry instead. The default registries of kubeadm are:
+	//   * registry.k8s.io (new registry): >= v1.22.17, >= v1.23.15, >= v1.24.9, >= v1.25.0
+	//   * k8s.gcr.io (old registry): all older versions
 	Version string `json:"version"`
 
 	// MachineTemplate contains information about how machines
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
index e8f4a68367cb..dd512fe26967 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
@@ -33,6 +33,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
+	"sigs.k8s.io/cluster-api/internal/util/kubeadm"
 	"sigs.k8s.io/cluster-api/util/container"
 	"sigs.k8s.io/cluster-api/util/version"
 )
@@ -601,7 +602,10 @@ func (in *KubeadmControlPlane) validateVersion(previousVersion string) (allErrs
 		return allErrs
 	}
 
-	// Since upgrades to the next minor version are allowed, irrespective of the patch version.
+	// Validate that the update is upgrading at most one minor version.
+	// Note: Skipping a minor version is not allowed.
+	// Note: Checking against this ceilVersion allows upgrading to the next minor
+	// version irrespective of the patch version.
 	ceilVersion := semver.Version{
 		Major: fromVersion.Major,
 		Minor: fromVersion.Minor + 2,
@@ -616,6 +620,31 @@ func (in *KubeadmControlPlane) validateVersion(previousVersion string) (allErrs
 		)
 	}
 
+	// The Kubernetes ecosystem has been requested to move users to the new registry due to cost issues.
+	// This validation enforces the move to the new registry by forcing users to upgrade to kubeadm versions
+	// with the new registry.
+	// NOTE: This only affects users relying on the community maintained registry.
+	// NOTE: Pinning to the upstream registry is not recommended because it could lead to issues
+	// given how the migration has been implemented in kubeadm.
+	//
+	// Block if imageRepository is not set (i.e. the default registry should be used),
+	if (in.Spec.KubeadmConfigSpec.ClusterConfiguration == nil ||
+		in.Spec.KubeadmConfigSpec.ClusterConfiguration.ImageRepository == "") &&
+		// the version changed (i.e. we have an upgrade),
+		toVersion.NE(fromVersion) &&
+		// the version is >= v1.22.0 and < v1.26.0
+		toVersion.GTE(kubeadm.MinKubernetesVersionImageRegistryMigration) &&
+		toVersion.LT(kubeadm.NextKubernetesVersionImageRegistryMigration) &&
+		// and the default registry of the new Kubernetes/kubeadm version is the old default registry.
+		kubeadm.GetDefaultRegistry(toVersion) == kubeadm.OldDefaultImageRepository {
+		allErrs = append(allErrs,
+			field.Forbidden(
+				field.NewPath("spec", "version"),
+				"cannot upgrade to a Kubernetes/kubeadm version which is using the old default registry. Please use a newer Kubernetes patch release which is using the new default registry (>= v1.22.17, >= v1.23.15, >= v1.24.9)",
+			),
+		)
+	}
+
 	return allErrs
 }
 
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
index f13d34b36cb9..3ead11553c28 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
@@ -451,14 +451,6 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 	kubernetesVersion := before.DeepCopy()
 	kubernetesVersion.Spec.KubeadmConfigSpec.ClusterConfiguration.KubernetesVersion = "some kubernetes version"
 
-	prevKCPWithVersion := func(version string) *KubeadmControlPlane {
-		prev := before.DeepCopy()
-		prev.Spec.Version = version
-		return prev
-	}
-	skipMinorControlPlaneVersion := prevKCPWithVersion("v1.18.1")
-	emptyControlPlaneVersion := prevKCPWithVersion("")
-
 	controlPlaneEndpoint := before.DeepCopy()
 	controlPlaneEndpoint.Spec.KubeadmConfigSpec.ClusterConfiguration.ControlPlaneEndpoint = "some control plane endpoint"
 
@@ -611,13 +603,6 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 		DataDir: "/data",
 	}
 
-	disallowedUpgrade118Prev := prevKCPWithVersion("v1.18.8")
-	disallowedUpgrade119Version := before.DeepCopy()
-	disallowedUpgrade119Version.Spec.Version = "v1.19.0"
-
-	disallowedUpgrade120AlphaVersion := before.DeepCopy()
-	disallowedUpgrade120AlphaVersion.Spec.Version = "v1.20.0-alpha.0.734_ba502ee555924a"
-
 	updateNTPServers := before.DeepCopy()
 	updateNTPServers.Spec.KubeadmConfigSpec.NTP.Servers = []string{"new-server"}
 
@@ -925,36 +910,6 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 			before:    withoutClusterConfiguration,
 			kcp:       afterEtcdLocalDirAddition,
 		},
-		{
-			name:      "should fail when skipping control plane minor versions",
-			expectErr: true,
-			before:    before,
-			kcp:       skipMinorControlPlaneVersion,
-		},
-		{
-			name:      "should fail when no control plane version is passed",
-			expectErr: true,
-			before:    before,
-			kcp:       emptyControlPlaneVersion,
-		},
-		{
-			name:      "should pass if control plane version is the same",
-			expectErr: false,
-			before:    before,
-			kcp:       before.DeepCopy(),
-		},
-		{
-			name:      "should return error when trying to upgrade to v1.19.0",
-			expectErr: true,
-			before:    disallowedUpgrade118Prev,
-			kcp:       disallowedUpgrade119Version,
-		},
-		{
-			name:      "should return error when trying to upgrade two minor versions",
-			expectErr: true,
-			before:    disallowedUpgrade118Prev,
-			kcp:       disallowedUpgrade120AlphaVersion,
-		},
 		{
 			name:      "should not return an error when maxSurge value is updated to 0",
 			expectErr: false,
@@ -1051,6 +1006,162 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 	}
 }
 
+func TestValidateVersion(t *testing.T) {
+	tests := []struct {
+		name                 string
+		clusterConfiguration *bootstrapv1.ClusterConfiguration
+		oldVersion           string
+		newVersion           string
+		expectErr            bool
+	}{
+		// Basic validation of old and new version.
+		{
+			name:       "error when old version is empty",
+			oldVersion: "",
+			newVersion: "v1.16.6",
+			expectErr:  true,
+		},
+		{
+			name:       "error when old version is invalid",
+			oldVersion: "invalid-version",
+			newVersion: "v1.18.1",
+			expectErr:  true,
+		},
+		{
+			name:       "error when new version is empty",
+			oldVersion: "v1.16.6",
+			newVersion: "",
+			expectErr:  true,
+		},
+		{
+			name:       "error when new version is invalid",
+			oldVersion: "v1.18.1",
+			newVersion: "invalid-version",
+			expectErr:  true,
+		},
+		// Validation that we block upgrade to v1.19.0.
+		// Note: Upgrading to v1.19.0 is not supported, because of issues in v1.19.0,
+		// see: https://github.com/kubernetes-sigs/cluster-api/issues/3564
+		{
+			name:       "error when upgrading to v1.19.0",
+			oldVersion: "v1.18.8",
+			newVersion: "v1.19.0",
+			expectErr:  true,
+		},
+		{
+			name:       "pass when both versions are v1.19.0",
+			oldVersion: "v1.19.0",
+			newVersion: "v1.19.0",
+			expectErr:  false,
+		},
+		// Validation for skip-level upgrades.
+		{
+			name:       "error when upgrading two minor versions",
+			oldVersion: "v1.18.8",
+			newVersion: "v1.20.0-alpha.0.734_ba502ee555924a",
+			expectErr:  true,
+		},
+		{
+			name:       "pass when upgrading one minor version",
+			oldVersion: "v1.20.1",
+			newVersion: "v1.21.18",
+			expectErr:  false,
+		},
+		// Validation for usage of the old registry.
+		// Notes:
+		// * kubeadm versions < v1.22 are always using the old registry.
+		// * kubeadm versions >= v1.25.0 are always using the new registry.
+		// * kubeadm versions in between are using the new registry
+		//   starting with certain patch versions.
+		// This test validates that we don't block upgrades for < v1.22.0 and >= v1.25.0
+		// and block upgrades to kubeadm versions in between with the old registry.
+		{
+			name: "pass when imageRepository is set",
+			clusterConfiguration: &bootstrapv1.ClusterConfiguration{
+				ImageRepository: "k8s.gcr.io",
+			},
+			oldVersion: "v1.21.1",
+			newVersion: "v1.22.16",
+			expectErr:  false,
+		},
+		{
+			name:       "pass when version didn't change",
+			oldVersion: "v1.22.16",
+			newVersion: "v1.22.16",
+			expectErr:  false,
+		},
+		{
+			name:       "pass when new version is < v1.22.0",
+			oldVersion: "v1.20.10",
+			newVersion: "v1.21.5",
+			expectErr:  false,
+		},
+		{
+			name:       "error when new version is using old registry (v1.22.0 <= version <= v1.22.16)",
+			oldVersion: "v1.21.1",
+			newVersion: "v1.22.16", // last patch release using old registry
+			expectErr:  true,
+		},
+		{
+			name:       "pass when new version is using new registry (>= v1.22.17)",
+			oldVersion: "v1.21.1",
+			newVersion: "v1.22.17", // first patch release using new registry
+			expectErr:  false,
+		},
+		{
+			name:       "error when new version is using old registry (v1.23.0 <= version <= v1.23.14)",
+			oldVersion: "v1.22.17",
+			newVersion: "v1.23.14", // last patch release using old registry
+			expectErr:  true,
+		},
+		{
+			name:       "pass when new version is using new registry (>= v1.23.15)",
+			oldVersion: "v1.22.17",
+			newVersion: "v1.23.15", // first patch release using new registry
+			expectErr:  false,
+		},
+		{
+			name:       "error when new version is using old registry (v1.24.0 <= version <= v1.24.8)",
+			oldVersion: "v1.23.1",
+			newVersion: "v1.24.8", // last patch release using old registry
+			expectErr:  true,
+		},
+		{
+			name:       "pass when new version is using new registry (>= v1.24.9)",
+			oldVersion: "v1.23.1",
+			newVersion: "v1.24.9", // first patch release using new registry
+			expectErr:  false,
+		},
+		{
+			name:       "pass when new version is using new registry (>= v1.25.0)",
+			oldVersion: "v1.24.8",
+			newVersion: "v1.25.0", // uses new registry
+			expectErr:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			kcp := KubeadmControlPlane{
+				Spec: KubeadmControlPlaneSpec{
+					KubeadmConfigSpec: bootstrapv1.KubeadmConfigSpec{
+						ClusterConfiguration: tt.clusterConfiguration,
+					},
+					Version: tt.newVersion,
+				},
+			}
+
+			allErrs := kcp.validateVersion(tt.oldVersion)
+			if tt.expectErr {
+				g.Expect(allErrs).ToNot(HaveLen(0))
+			} else {
+				g.Expect(allErrs).To(HaveLen(0))
+			}
+		})
+	}
+}
 func TestKubeadmControlPlaneValidateUpdateAfterDefaulting(t *testing.T) {
 	before := &KubeadmControlPlane{
 		ObjectMeta: metav1.ObjectMeta{
diff --git a/controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml b/controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
index 533231db6ce0..cdb28bee52a4 100644
--- a/controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
+++ b/controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
@@ -2701,13 +2701,20 @@ spec:
                         description: FeatureGates enabled by the user.
                         type: object
                       imageRepository:
-                        description: ImageRepository sets the container registry to
-                          pull images from. If empty, `registry.k8s.io` will be used
-                          by default; in case of kubernetes version is a CI build
-                          (kubernetes version starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
+                        description: 'ImageRepository sets the container registry
+                          to pull images from. * If not set, the default registry
+                          of kubeadm will be used, i.e. * registry.k8s.io (new registry):
+                          >= v1.22.17, >= v1.23.15, >= v1.24.9, >= v1.25.0 * k8s.gcr.io
+                          (old registry): all older versions Please note that when
+                          imageRepository is not set we don''t allow upgrades to versions
+                          >= v1.22.0 which use the old registry (k8s.gcr.io). Please
+                          use a newer patch version with the new registry instead
+                          (i.e. >= v1.22.17, >= v1.23.15, >= v1.24.9, >= v1.25.0).
+                          * If the version is a CI build (kubernetes version starts
+                          with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
                           will be used as a default for control plane components and
                           for kube-proxy, while `registry.k8s.io` will be used for
-                          all the other images.
+                          all the other images.'
                         type: string
                       kind:
                         description: 'Kind is a string value representing the REST
@@ -3639,7 +3646,13 @@ spec:
                     type: string
                 type: object
               version:
-                description: Version defines the desired Kubernetes version.
+                description: 'Version defines the desired Kubernetes version. Please
+                  note that if kubeadmConfigSpec.ClusterConfiguration.imageRepository
+                  is not set we don''t allow upgrades to versions >= v1.22.0 for which
+                  kubeadm uses the old registry (k8s.gcr.io). Please use a newer patch
+                  version with the new registry instead. The default registries of
+                  kubeadm are: * registry.k8s.io (new registry): >= v1.22.17, >= v1.23.15,
+                  >= v1.24.9, >= v1.25.0 * k8s.gcr.io (old registry): all older versions'
                 type: string
             required:
             - kubeadmConfigSpec
diff --git a/controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanetemplates.yaml b/controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanetemplates.yaml
index 52663f04e22a..ef9869f54f35 100644
--- a/controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanetemplates.yaml
+++ b/controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanetemplates.yaml
@@ -1466,14 +1466,21 @@ spec:
                                 description: FeatureGates enabled by the user.
                                 type: object
                               imageRepository:
-                                description: ImageRepository sets the container registry
-                                  to pull images from. If empty, `registry.k8s.io`
-                                  will be used by default; in case of kubernetes version
-                                  is a CI build (kubernetes version starts with `ci/`
-                                  or `ci-cross/`) `gcr.io/k8s-staging-ci-images` will
-                                  be used as a default for control plane components
+                                description: 'ImageRepository sets the container registry
+                                  to pull images from. * If not set, the default registry
+                                  of kubeadm will be used, i.e. * registry.k8s.io
+                                  (new registry): >= v1.22.17, >= v1.23.15, >= v1.24.9,
+                                  >= v1.25.0 * k8s.gcr.io (old registry): all older
+                                  versions Please note that when imageRepository is
+                                  not set we don''t allow upgrades to versions >=
+                                  v1.22.0 which use the old registry (k8s.gcr.io).
+                                  Please use a newer patch version with the new registry
+                                  instead (i.e. >= v1.22.17, >= v1.23.15, >= v1.24.9,
+                                  >= v1.25.0). * If the version is a CI build (kubernetes
+                                  version starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
+                                  will be used as a default for control plane components
                                   and for kube-proxy, while `registry.k8s.io` will
-                                  be used for all the other images.
+                                  be used for all the other images.'
                                 type: string
                               kind:
                                 description: 'Kind is a string value representing
diff --git a/controlplane/kubeadm/internal/workload_cluster.go b/controlplane/kubeadm/internal/workload_cluster.go
index 64e9477bb452..99f3fc1b3524 100644
--- a/controlplane/kubeadm/internal/workload_cluster.go
+++ b/controlplane/kubeadm/internal/workload_cluster.go
@@ -47,6 +47,7 @@ import (
 	kubeadmtypes "sigs.k8s.io/cluster-api/bootstrap/kubeadm/types"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controlplane/kubeadm/internal/proxy"
+	"sigs.k8s.io/cluster-api/internal/util/kubeadm"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/certs"
 	containerutil "sigs.k8s.io/cluster-api/util/container"
@@ -85,14 +86,6 @@ var (
 	// NOTE: The following assumes that kubeadm version equals to Kubernetes version.
 	minVerUnversionedKubeletConfig = semver.MustParse("1.24.0")
 
-	// minKubernetesVersionImageRegistryMigration is first kubernetes version where
-	// the default image registry is registry.k8s.io instead of k8s.gcr.io.
-	minKubernetesVersionImageRegistryMigration = semver.MustParse("1.22.0")
-
-	// nextKubernetesVersionImageRegistryMigration is the next minor version after
-	// the default image registry changed to registry.k8s.io.
-	nextKubernetesVersionImageRegistryMigration = semver.MustParse("1.26.0")
-
 	// ErrControlPlaneMinNodes signals that a cluster doesn't meet the minimum required nodes
 	// to remove an etcd member.
 	ErrControlPlaneMinNodes = errors.New("cluster has fewer than 2 control plane nodes; removing an etcd member is not supported")
@@ -623,12 +616,15 @@ func yamlToUnstructured(rawYAML []byte) (*unstructured.Unstructured, error) {
 }
 
 // ImageRepositoryFromClusterConfig returns the image repository to use. It returns:
-// * clusterConfig.ImageRepository if set.
-// * "registry.k8s.io" if v1.22 <= version < v1.26 to migrate to the new registry
-// * "" otherwise.
-// Beginning with kubernetes v1.22, the default registry for kubernetes is registry.k8s.io
-// instead of k8s.gcr.io which is why references should get migrated when upgrading to v1.22.
-// The migration follows the behavior of `kubeadm upgrade`.
+//   - clusterConfig.ImageRepository if set.
+//   - else either k8s.gcr.io or registry.k8s.io depending on the default registry of the kubeadm
+//     binary of the given kubernetes version. This is only done for Kubernetes versions >= v1.22.0
+//     and < v1.26.0 because in this version range the default registry was changed.
+//
+// Note: Please see the following issue for more context: https://github.com/kubernetes-sigs/cluster-api/issues/7833
+// tl;dr is that the imageRepository must be in sync with the default registry of kubeadm.
+// Otherwise kubeadm preflight checks will fail because kubeadm is trying to pull the CoreDNS image
+// from the wrong repository (<registry>/coredns instead of <registry>/coredns/coredns).
 func ImageRepositoryFromClusterConfig(clusterConfig *bootstrapv1.ClusterConfiguration, kubernetesVersion semver.Version) string {
 	// If ImageRepository is explicitly specified, return early.
 	if clusterConfig != nil &&
@@ -636,11 +632,11 @@ func ImageRepositoryFromClusterConfig(clusterConfig *bootstrapv1.ClusterConfigur
 		return clusterConfig.ImageRepository
 	}
 
-	// If v1.22 <= version < v1.26 return the default Kubernetes image repository to
-	// migrate to the new location and not cause changes else.
-	if kubernetesVersion.GTE(minKubernetesVersionImageRegistryMigration) &&
-		kubernetesVersion.LT(nextKubernetesVersionImageRegistryMigration) {
-		return kubernetesImageRepository
+	// If v1.22.0 <= version < v1.26.0 return the default registry of the
+	// corresponding kubeadm binary.
+	if kubernetesVersion.GTE(kubeadm.MinKubernetesVersionImageRegistryMigration) &&
+		kubernetesVersion.LT(kubeadm.NextKubernetesVersionImageRegistryMigration) {
+		return kubeadm.GetDefaultRegistry(kubernetesVersion)
 	}
 
 	// Use defaulting or current values otherwise.
diff --git a/controlplane/kubeadm/internal/workload_cluster_coredns.go b/controlplane/kubeadm/internal/workload_cluster_coredns.go
index a105a61a89a4..9ebf7eda9950 100644
--- a/controlplane/kubeadm/internal/workload_cluster_coredns.go
+++ b/controlplane/kubeadm/internal/workload_cluster_coredns.go
@@ -35,6 +35,7 @@ import (
 
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
+	"sigs.k8s.io/cluster-api/internal/util/kubeadm"
 	containerutil "sigs.k8s.io/cluster-api/util/container"
 	"sigs.k8s.io/cluster-api/util/patch"
 	"sigs.k8s.io/cluster-api/util/version"
@@ -47,11 +48,8 @@ const (
 	coreDNSVolumeKey       = "config-volume"
 	coreDNSClusterRoleName = "system:coredns"
 
-	// kubernetesImageRepository is the default Kubernetes image repository for build artifacts.
-	kubernetesImageRepository    = "registry.k8s.io"
-	oldKubernetesImageRepository = "k8s.gcr.io"
-	oldCoreDNSImageName          = "coredns"
-	coreDNSImageName             = "coredns/coredns"
+	oldCoreDNSImageName = "coredns"
+	coreDNSImageName    = "coredns/coredns"
 
 	oldControlPlaneTaint = "node-role.kubernetes.io/master" // Deprecated: https://github.com/kubernetes/kubeadm/issues/2200
 	controlPlaneTaint    = "node-role.kubernetes.io/control-plane"
@@ -200,11 +198,11 @@ func (w *Workload) getCoreDNSInfo(ctx context.Context, clusterConfig *bootstrapv
 	toImageRepository := parsedImage.Repository
 	// Overwrite the image repository if a value was explicitly set or an upgrade is required.
 	if imageRegistryRepository := ImageRepositoryFromClusterConfig(clusterConfig, version); imageRegistryRepository != "" {
-		if imageRegistryRepository == kubernetesImageRepository {
-			// Only patch to KubernetesImageRepository if oldKubernetesImageRepository is set as prefix.
-			if strings.HasPrefix(toImageRepository, oldKubernetesImageRepository) {
-				// Ensure to keep the repository subpaths when patching from oldKubernetesImageRepository to new KubernetesImageRepository.
-				toImageRepository = strings.TrimSuffix(imageRegistryRepository+strings.TrimPrefix(toImageRepository, oldKubernetesImageRepository), "/")
+		if imageRegistryRepository == kubeadm.DefaultImageRepository {
+			// Only patch to DefaultImageRepository if OldDefaultImageRepository is set as prefix.
+			if strings.HasPrefix(toImageRepository, kubeadm.OldDefaultImageRepository) {
+				// Ensure to keep the repository subpaths when patching from OldDefaultImageRepository to new DefaultImageRepository.
+				toImageRepository = strings.TrimSuffix(imageRegistryRepository+strings.TrimPrefix(toImageRepository, kubeadm.OldDefaultImageRepository), "/")
 			}
 		} else {
 			toImageRepository = strings.TrimSuffix(imageRegistryRepository, "/")
@@ -235,7 +233,7 @@ func (w *Workload) getCoreDNSInfo(ctx context.Context, clusterConfig *bootstrapv
 	// * "registry.k8s.io/coredns" to "registry.k8s.io/coredns/coredns" or
 	// * "k8s.gcr.io/coredns" to "k8s.gcr.io/coredns/coredns"
 	toImageName := parsedImage.Name
-	if (toImageRepository == oldKubernetesImageRepository || toImageRepository == kubernetesImageRepository) &&
+	if (toImageRepository == kubeadm.OldDefaultImageRepository || toImageRepository == kubeadm.DefaultImageRepository) &&
 		toImageName == oldCoreDNSImageName && targetMajorMinorPatch.GTE(semver.MustParse("1.8.0")) {
 		toImageName = coreDNSImageName
 	}
diff --git a/controlplane/kubeadm/internal/workload_cluster_coredns_test.go b/controlplane/kubeadm/internal/workload_cluster_coredns_test.go
index 2436bc024b5e..bac6124e733b 100644
--- a/controlplane/kubeadm/internal/workload_cluster_coredns_test.go
+++ b/controlplane/kubeadm/internal/workload_cluster_coredns_test.go
@@ -1213,8 +1213,10 @@ func TestGetCoreDNSInfo(t *testing.T) {
 				},
 			},
 			{
-				name: "rename to coredns/coredns when upgrading to coredns=1.8.0 and kubernetesVersion=1.21.0",
-				objs: []client.Object{newCoreDNSInfoDeploymentWithimage(image162), cm},
+				name: "rename to coredns/coredns when upgrading to coredns=1.8.0 and kubernetesVersion=1.22.16",
+				// 1.22.16 uses k8s.gcr.io as default registry. Thus the registry doesn't get changed as
+				// FromImage is already using k8s.gcr.io.
+				objs: []client.Object{newCoreDNSInfoDeploymentWithimage("k8s.gcr.io/coredns:1.6.2"), cm},
 				clusterConfig: &bootstrapv1.ClusterConfiguration{
 					DNS: bootstrapv1.DNS{
 						ImageMeta: bootstrapv1.ImageMeta{
@@ -1222,18 +1224,42 @@ func TestGetCoreDNSInfo(t *testing.T) {
 						},
 					},
 				},
-				kubernetesVersion: semver.MustParse("1.21.0"),
+				kubernetesVersion: semver.MustParse("1.22.16"),
 				expectedInfo: coreDNSInfo{
 					CurrentMajorMinorPatch: "1.6.2",
 					FromImageTag:           "1.6.2",
 					TargetMajorMinorPatch:  "1.8.0",
-					FromImage:              image162,
+					FromImage:              "k8s.gcr.io/coredns:1.6.2",
 					ToImage:                "k8s.gcr.io/coredns/coredns:1.8.0",
 					ToImageTag:             "1.8.0",
 				},
 			},
+			{
+				name: "rename to coredns/coredns when upgrading to coredns=1.8.0 and kubernetesVersion=1.22.17",
+				// 1.22.17 has registry.k8s.io as default registry. Thus the registry gets changed as
+				// FromImage is using k8s.gcr.io.
+				objs: []client.Object{newCoreDNSInfoDeploymentWithimage("k8s.gcr.io/coredns:1.6.2"), cm},
+				clusterConfig: &bootstrapv1.ClusterConfiguration{
+					DNS: bootstrapv1.DNS{
+						ImageMeta: bootstrapv1.ImageMeta{
+							ImageTag: "1.8.0",
+						},
+					},
+				},
+				kubernetesVersion: semver.MustParse("1.22.17"),
+				expectedInfo: coreDNSInfo{
+					CurrentMajorMinorPatch: "1.6.2",
+					FromImageTag:           "1.6.2",
+					TargetMajorMinorPatch:  "1.8.0",
+					FromImage:              "k8s.gcr.io/coredns:1.6.2",
+					ToImage:                "registry.k8s.io/coredns/coredns:1.8.0",
+					ToImageTag:             "1.8.0",
+				},
+			},
 			{
 				name: "rename to coredns/coredns when upgrading to coredns=1.8.0 and kubernetesVersion=1.26.0",
+				// 1.26.0 uses registry.k8s.io as default registry. Thus the registry doesn't get changed as
+				// FromImage is already using registry.k8s.io.
 				objs: []client.Object{newCoreDNSInfoDeploymentWithimage("registry.k8s.io/coredns:1.6.2"), cm},
 				clusterConfig: &bootstrapv1.ClusterConfiguration{
 					DNS: bootstrapv1.DNS{
@@ -1242,7 +1268,7 @@ func TestGetCoreDNSInfo(t *testing.T) {
 						},
 					},
 				},
-				kubernetesVersion: semver.MustParse("1.24.0"),
+				kubernetesVersion: semver.MustParse("1.26.0"),
 				expectedInfo: coreDNSInfo{
 					CurrentMajorMinorPatch: "1.6.2",
 					FromImageTag:           "1.6.2",
@@ -1253,7 +1279,9 @@ func TestGetCoreDNSInfo(t *testing.T) {
 				},
 			},
 			{
-				name: "patches ImageRepository to registry.k8s.io if it's set on neither global nor DNS-level and kubernetesVersion >= v1.22 and rename to coredns/coredns",
+				name: "patches ImageRepository to registry.k8s.io if it's set on neither global nor DNS-level and kubernetesVersion >= v1.22.17 and rename to coredns/coredns",
+				// 1.22.17 has registry.k8s.io as default registry. Thus the registry gets changed as
+				// FromImage is using k8s.gcr.io.
 				objs: []client.Object{newCoreDNSInfoDeploymentWithimage(image162), cm},
 				clusterConfig: &bootstrapv1.ClusterConfiguration{
 					DNS: bootstrapv1.DNS{
@@ -1262,7 +1290,7 @@ func TestGetCoreDNSInfo(t *testing.T) {
 						},
 					},
 				},
-				kubernetesVersion: semver.MustParse("1.22.0"),
+				kubernetesVersion: semver.MustParse("1.22.17"),
 				expectedInfo: coreDNSInfo{
 					CurrentMajorMinorPatch: "1.6.2",
 					FromImageTag:           "1.6.2",
diff --git a/internal/util/kubeadm/kubeadm.go b/internal/util/kubeadm/kubeadm.go
new file mode 100644
index 000000000000..bd69027114fa
--- /dev/null
+++ b/internal/util/kubeadm/kubeadm.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package kubeadm contains utils related to kubeadm.
+package kubeadm
+
+import "github.com/blang/semver"
+
+const (
+	// DefaultImageRepository is the new default Kubernetes image registry.
+	DefaultImageRepository = "registry.k8s.io"
+	// OldDefaultImageRepository is the old default Kubernetes image registry.
+	OldDefaultImageRepository = "k8s.gcr.io"
+)
+
+var (
+	// MinKubernetesVersionImageRegistryMigration is the first Kubernetes minor version which
+	// has patch versions where the default image registry in kubeadm is registry.k8s.io instead of k8s.gcr.io.
+	MinKubernetesVersionImageRegistryMigration = semver.MustParse("1.22.0")
+
+	// NextKubernetesVersionImageRegistryMigration is the next minor version after
+	// the default image registry in kubeadm changed to registry.k8s.io.
+	NextKubernetesVersionImageRegistryMigration = semver.MustParse("1.26.0")
+)
+
+// GetDefaultRegistry returns the default registry of the given kubeadm version.
+func GetDefaultRegistry(version semver.Version) string {
+	// If version <= v1.22.16 return k8s.gcr.io
+	if version.LTE(semver.MustParse("1.22.16")) {
+		return OldDefaultImageRepository
+	}
+
+	// If v1.22.17 <= version < v1.23.0 return registry.k8s.io
+	if version.GTE(semver.MustParse("1.22.17")) &&
+		version.LT(semver.MustParse("1.23.0")) {
+		return DefaultImageRepository
+	}
+
+	// If v1.23.0  <= version <= v1.23.14 return k8s.gcr.io
+	if version.GTE(semver.MustParse("1.23.0")) &&
+		version.LTE(semver.MustParse("1.23.14")) {
+		return OldDefaultImageRepository
+	}
+
+	// If v1.23.15 <= version < v1.24.0 return registry.k8s.io
+	if version.GTE(semver.MustParse("1.23.15")) &&
+		version.LT(semver.MustParse("1.24.0")) {
+		return DefaultImageRepository
+	}
+
+	// If v1.24.0  <= version <= v1.24.8 return k8s.gcr.io
+	if version.GTE(semver.MustParse("1.24.0")) &&
+		version.LTE(semver.MustParse("1.24.8")) {
+		return OldDefaultImageRepository
+	}
+
+	// If v1.24.9  <= version return registry.k8s.io
+	return DefaultImageRepository
+}
diff --git a/internal/util/kubeadm/kubeadm_test.go b/internal/util/kubeadm/kubeadm_test.go
new file mode 100644
index 000000000000..4e1f7c81f12a
--- /dev/null
+++ b/internal/util/kubeadm/kubeadm_test.go
@@ -0,0 +1,68 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubeadm
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/blang/semver"
+	. "github.com/onsi/gomega"
+)
+
+func TestGetDefaultRegistry(t *testing.T) {
+	tests := []struct {
+		version          string
+		expectedRegistry string
+	}{
+		// < v1.22
+		{version: "1.19.1", expectedRegistry: OldDefaultImageRepository},
+		{version: "1.20.5", expectedRegistry: OldDefaultImageRepository},
+		{version: "1.21.85", expectedRegistry: OldDefaultImageRepository},
+
+		// v1.22
+		{version: "1.22.0", expectedRegistry: OldDefaultImageRepository},
+		{version: "1.22.16", expectedRegistry: OldDefaultImageRepository},
+		{version: "1.22.17", expectedRegistry: DefaultImageRepository},
+		{version: "1.22.99", expectedRegistry: DefaultImageRepository},
+
+		// v1.23
+		{version: "1.23.0", expectedRegistry: OldDefaultImageRepository},
+		{version: "1.23.14", expectedRegistry: OldDefaultImageRepository},
+		{version: "1.23.15", expectedRegistry: DefaultImageRepository},
+		{version: "1.23.99", expectedRegistry: DefaultImageRepository},
+
+		// v1.24
+		{version: "1.24.0", expectedRegistry: OldDefaultImageRepository},
+		{version: "1.24.8", expectedRegistry: OldDefaultImageRepository},
+		{version: "1.24.9", expectedRegistry: DefaultImageRepository},
+		{version: "1.24.99", expectedRegistry: DefaultImageRepository},
+
+		// > v1.24
+		{version: "1.25.0", expectedRegistry: DefaultImageRepository},
+		{version: "1.26.1", expectedRegistry: DefaultImageRepository},
+		{version: "1.27.2", expectedRegistry: DefaultImageRepository},
+	}
+
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("%s => %s", tt.version, tt.expectedRegistry), func(t *testing.T) {
+			g := NewWithT(t)
+
+			g.Expect(GetDefaultRegistry(semver.MustParse(tt.version))).To(Equal(tt.expectedRegistry))
+		})
+	}
+}
diff --git a/test/framework/daemonset_helpers.go b/test/framework/daemonset_helpers.go
index 2a4dca7e0020..40510638e93d 100644
--- a/test/framework/daemonset_helpers.go
+++ b/test/framework/daemonset_helpers.go
@@ -26,6 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"sigs.k8s.io/cluster-api/internal/util/kubeadm"
 	containerutil "sigs.k8s.io/cluster-api/util/container"
 )
 
@@ -42,15 +43,9 @@ func WaitForKubeProxyUpgrade(ctx context.Context, input WaitForKubeProxyUpgradeI
 	parsedVersion, err := semver.ParseTolerant(input.KubernetesVersion)
 	Expect(err).ToNot(HaveOccurred())
 
-	// Beginning with kubernetes v1.22, kubernetes images including kube-proxy get published to registry.k8s.io.
-	// This ensures that the imageRepository setting gets patched to registry.k8s.io when upgrading from v1.21 or lower,
-	// but only if there was no imageRepository explicitly set at the KubeadmControlPlanes ClusterConfiguration.
-	// This follows the behavior of `kubeadm upgrade`.
-	wantKubeProxyRegistry := "registry.k8s.io"
-	if parsedVersion.LT(semver.Version{Major: 1, Minor: 22, Patch: 0, Pre: []semver.PRVersion{{VersionStr: "alpha"}}}) {
-		wantKubeProxyRegistry = "k8s.gcr.io"
-	}
-	wantKubeProxyImage := wantKubeProxyRegistry + "/kube-proxy:" + containerutil.SemverToOCIImageTag(input.KubernetesVersion)
+	// Validate the kube-proxy image according to how KCP sets the image in the kube-proxy DaemonSet.
+	// KCP does this based on the default registry of the Kubernetes/kubeadm version.
+	wantKubeProxyImage := kubeadm.GetDefaultRegistry(parsedVersion) + "/kube-proxy:" + containerutil.SemverToOCIImageTag(input.KubernetesVersion)
 
 	Eventually(func() (bool, error) {
 		ds := &appsv1.DaemonSet{}
diff --git a/test/infrastructure/docker/internal/docker/machine.go b/test/infrastructure/docker/internal/docker/machine.go
index 498ca49a33b5..d648407a1e4e 100644
--- a/test/infrastructure/docker/internal/docker/machine.go
+++ b/test/infrastructure/docker/internal/docker/machine.go
@@ -254,7 +254,7 @@ func (m *Machine) Create(ctx context.Context, image string, role string, version
 		if err != nil {
 			log.Info("Failed running command", "command", "crictl ps")
 			logContainerDebugInfo(ctx, log, m.ContainerName())
-			return errors.Wrap(errors.WithStack(err), "failed to run crictl ps")
+			return errors.Wrap(err, "failed to run crictl ps")
 		}
 		return nil
 	}
@@ -381,7 +381,7 @@ func (m *Machine) CheckForBootstrapSuccess(ctx context.Context, logResult bool)
 		if logResult {
 			log.Info("Failed running command", "command", "test -f /run/cluster-api/bootstrap-success.complete", "stdout", outStd.String(), "stderr", outErr.String())
 		}
-		return errors.Wrap(errors.WithStack(err), "failed to run bootstrap check")
+		return errors.Wrap(err, "failed to run bootstrap check")
 	}
 	return nil
 }

From df1491b5bfe9701ffb7053ce1212e82ba93b1aa6 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer <sbueringer@gmail.com>
Date: Mon, 9 Jan 2023 21:44:05 +0100
Subject: [PATCH 65/87] Revert "CAPD: only ignore necessary kubeadm preflight
 errors"

This reverts commit a4c9bb8bc82d8305c96ba01c49cb1b02e3fcee28.
---
 .../internal/provisioning/cloudinit/runcmd.go   | 17 +++++------------
 .../provisioning/cloudinit/runcmd_test.go       |  6 +++---
 2 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd.go b/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd.go
index 74e211666416..9b01270851f4 100644
--- a/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd.go
+++ b/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd.go
@@ -17,7 +17,6 @@ limitations under the License.
 package cloudinit
 
 import (
-	"fmt"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -54,27 +53,21 @@ func (a *runCmd) Commands() ([]provisioning.Cmd, error) {
 	return cmds, nil
 }
 
-// ignorePreflightErrors are preflight errors that fail in CAPD and thus we have to ignore them.
-const ignorePreflightErrors = "SystemVerification,Swap,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables"
-
 func hackKubeadmIgnoreErrors(c provisioning.Cmd) provisioning.Cmd {
 	// case kubeadm commands are defined as a string
 	if c.Cmd == "/bin/sh" && len(c.Args) >= 2 {
 		if c.Args[0] == "-c" {
-			c.Args[1] = strings.Replace(c.Args[1], "kubeadm init", fmt.Sprintf("kubeadm init --ignore-preflight-errors=%s", ignorePreflightErrors), 1)
-			c.Args[1] = strings.Replace(c.Args[1], "kubeadm join", fmt.Sprintf("kubeadm join --ignore-preflight-errors=%s", ignorePreflightErrors), 1)
+			c.Args[1] = strings.Replace(c.Args[1], "kubeadm init", "kubeadm init --ignore-preflight-errors=all", 1)
+			c.Args[1] = strings.Replace(c.Args[1], "kubeadm join", "kubeadm join --ignore-preflight-errors=all", 1)
 		}
 	}
 
 	// case kubeadm commands are defined as a list
 	if c.Cmd == "kubeadm" && len(c.Args) >= 1 {
 		if c.Args[0] == "init" || c.Args[0] == "join" {
-			// make space
-			c.Args = append(c.Args, "")
-			// shift elements
-			copy(c.Args[2:], c.Args[1:])
-			// insert the additional arg
-			c.Args[1] = fmt.Sprintf("--ignore-preflight-errors=%s", ignorePreflightErrors)
+			c.Args = append(c.Args, "")                 // make space
+			copy(c.Args[2:], c.Args[1:])                // shift elements
+			c.Args[1] = "--ignore-preflight-errors=all" // insert the additional arg
 		}
 	}
 
diff --git a/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd_test.go b/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd_test.go
index 8e9ebcb0cc84..1afb666a09e4 100644
--- a/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd_test.go
+++ b/test/infrastructure/docker/internal/provisioning/cloudinit/runcmd_test.go
@@ -70,7 +70,7 @@ func TestRunCmdRun(t *testing.T) {
 				},
 			},
 			expectedCmds: []provisioning.Cmd{
-				{Cmd: "/bin/sh", Args: []string{"-c", "kubeadm init --ignore-preflight-errors=SystemVerification,Swap,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables --config /run/kubeadm/kubeadm.yaml"}},
+				{Cmd: "/bin/sh", Args: []string{"-c", "kubeadm init --ignore-preflight-errors=all --config /run/kubeadm/kubeadm.yaml"}},
 			},
 		},
 	}
@@ -100,11 +100,11 @@ runcmd:
 
 	r.Cmds[0] = hackKubeadmIgnoreErrors(r.Cmds[0])
 
-	expected0 := provisioning.Cmd{Cmd: "/bin/sh", Args: []string{"-c", "kubeadm init --ignore-preflight-errors=SystemVerification,Swap,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables --config=/run/kubeadm/kubeadm.yaml"}}
+	expected0 := provisioning.Cmd{Cmd: "/bin/sh", Args: []string{"-c", "kubeadm init --ignore-preflight-errors=all --config=/run/kubeadm/kubeadm.yaml"}}
 	g.Expect(r.Cmds[0]).To(Equal(expected0))
 
 	r.Cmds[1] = hackKubeadmIgnoreErrors(r.Cmds[1])
 
-	expected1 := provisioning.Cmd{Cmd: "kubeadm", Args: []string{"join", "--ignore-preflight-errors=SystemVerification,Swap,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables", "--config=/run/kubeadm/kubeadm-controlplane-join-config.yaml"}}
+	expected1 := provisioning.Cmd{Cmd: "kubeadm", Args: []string{"join", "--ignore-preflight-errors=all", "--config=/run/kubeadm/kubeadm-controlplane-join-config.yaml"}}
 	g.Expect(r.Cmds[1]).To(Equal(expected1))
 }

From 97923c7a330fa954c1f6af67eaa464192e496e4d Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar <snehal@spectrocloud.com>
Date: Tue, 14 Jun 2022 18:54:02 +0530
Subject: [PATCH 66/87] added spectro

---
 spectro/bootstrap/base/kustomization.yaml     |    34 +
 spectro/bootstrap/base/patch_healthcheck.yaml |     6 +
 .../bootstrap/base/patch_service_account.yaml |     2 +
 spectro/bootstrap/global/kustomization.yaml   |    72 +
 .../global/patch_crd_webhook_namespace.yaml   |     3 +
 .../global/patch_service_account.yaml         |     2 +
 spectro/controlplane/base/kustomization.yaml  |    30 +
 .../controlplane/base/patch_healthcheck.yaml  |     6 +
 .../base/patch_service_account.yaml           |     2 +
 .../controlplane/global/kustomization.yaml    |    64 +
 .../global/patch_crd_webhook_namespace.yaml   |     3 +
 .../global/patch_service_account.yaml         |     2 +
 spectro/core/base/kustomization.yaml          |    30 +
 spectro/core/base/patch_healthcheck.yaml      |     6 +
 spectro/core/base/patch_service_account.yaml  |     2 +
 spectro/core/global/kustomization.yaml        |    96 +
 .../global/patch_crd_webhook_namespace.yaml   |     3 +
 spectro/core/global/patch_namespace.yaml      |     3 +
 .../core/global/patch_service_account.yaml    |     2 +
 spectro/generated/bootstrap-base.yaml         |    37 +
 spectro/generated/bootstrap-global.yaml       |  6410 ++++++++++
 spectro/generated/controlplane-base.yaml      |    36 +
 spectro/generated/controlplane-global.yaml    |  6399 ++++++++++
 spectro/generated/core-base.yaml              |    36 +
 spectro/generated/core-global.yaml            | 10119 ++++++++++++++++
 spectro/run.sh                                |    13 +
 26 files changed, 23418 insertions(+)
 create mode 100644 spectro/bootstrap/base/kustomization.yaml
 create mode 100644 spectro/bootstrap/base/patch_healthcheck.yaml
 create mode 100644 spectro/bootstrap/base/patch_service_account.yaml
 create mode 100644 spectro/bootstrap/global/kustomization.yaml
 create mode 100644 spectro/bootstrap/global/patch_crd_webhook_namespace.yaml
 create mode 100644 spectro/bootstrap/global/patch_service_account.yaml
 create mode 100644 spectro/controlplane/base/kustomization.yaml
 create mode 100644 spectro/controlplane/base/patch_healthcheck.yaml
 create mode 100644 spectro/controlplane/base/patch_service_account.yaml
 create mode 100644 spectro/controlplane/global/kustomization.yaml
 create mode 100644 spectro/controlplane/global/patch_crd_webhook_namespace.yaml
 create mode 100644 spectro/controlplane/global/patch_service_account.yaml
 create mode 100644 spectro/core/base/kustomization.yaml
 create mode 100644 spectro/core/base/patch_healthcheck.yaml
 create mode 100644 spectro/core/base/patch_service_account.yaml
 create mode 100644 spectro/core/global/kustomization.yaml
 create mode 100644 spectro/core/global/patch_crd_webhook_namespace.yaml
 create mode 100644 spectro/core/global/patch_namespace.yaml
 create mode 100644 spectro/core/global/patch_service_account.yaml
 create mode 100644 spectro/generated/bootstrap-base.yaml
 create mode 100644 spectro/generated/bootstrap-global.yaml
 create mode 100644 spectro/generated/controlplane-base.yaml
 create mode 100644 spectro/generated/controlplane-global.yaml
 create mode 100644 spectro/generated/core-base.yaml
 create mode 100644 spectro/generated/core-global.yaml
 create mode 100755 spectro/run.sh

diff --git a/spectro/bootstrap/base/kustomization.yaml b/spectro/bootstrap/base/kustomization.yaml
new file mode 100644
index 000000000000..164470ebc393
--- /dev/null
+++ b/spectro/bootstrap/base/kustomization.yaml
@@ -0,0 +1,34 @@
+# Adds namespace to all resources.
+namespace: capi-kubeadm-bootstrap-system
+
+namePrefix: capi-kubeadm-bootstrap-
+
+commonLabels:
+  cluster.x-k8s.io/provider: "bootstrap-kubeadm"
+
+bases:
+  - ../../../bootstrap/kubeadm/config/manager
+
+patchesStrategicMerge:
+  # Provide customizable hook for make targets.
+  - ../../../bootstrap/kubeadm/config/default/manager_image_patch.yaml
+  - ../../../bootstrap/kubeadm/config/default/manager_pull_policy.yaml
+
+configurations:
+  - ../../../bootstrap/kubeadm/config/default/kustomizeconfig.yaml
+
+patchesJson6902:
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_service_account.yaml
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_healthcheck.yaml
\ No newline at end of file
diff --git a/spectro/bootstrap/base/patch_healthcheck.yaml b/spectro/bootstrap/base/patch_healthcheck.yaml
new file mode 100644
index 000000000000..1279812a6d21
--- /dev/null
+++ b/spectro/bootstrap/base/patch_healthcheck.yaml
@@ -0,0 +1,6 @@
+- op: remove
+  path: "/spec/template/spec/containers/0/ports"
+- op: remove
+  path: "/spec/template/spec/containers/0/livenessProbe"
+- op: remove
+  path: "/spec/template/spec/containers/0/readinessProbe"
\ No newline at end of file
diff --git a/spectro/bootstrap/base/patch_service_account.yaml b/spectro/bootstrap/base/patch_service_account.yaml
new file mode 100644
index 000000000000..d9cd4321fc0c
--- /dev/null
+++ b/spectro/bootstrap/base/patch_service_account.yaml
@@ -0,0 +1,2 @@
+- op: remove
+  path: "/spec/template/spec/serviceAccountName"
diff --git a/spectro/bootstrap/global/kustomization.yaml b/spectro/bootstrap/global/kustomization.yaml
new file mode 100644
index 000000000000..b6e761428845
--- /dev/null
+++ b/spectro/bootstrap/global/kustomization.yaml
@@ -0,0 +1,72 @@
+# Adds namespace to all resources.
+namespace: capi-webhook-system
+
+namePrefix: capi-kubeadm-bootstrap-
+
+commonLabels:
+  cluster.x-k8s.io/provider: "bootstrap-kubeadm"
+
+bases:
+  - ../../../bootstrap/kubeadm/config/crd
+  - ../../../bootstrap/kubeadm/config/webhook
+  - ../../../bootstrap/kubeadm/config/manager
+  - ../../../bootstrap/kubeadm/config/certmanager
+
+patchesStrategicMerge:
+  - ../../../bootstrap/kubeadm/config/default/manager_image_patch.yaml
+  - ../../../bootstrap/kubeadm/config/default/manager_pull_policy.yaml
+  - ../../../bootstrap/kubeadm/config/default/manager_webhook_patch.yaml
+  - ../../../bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml
+
+vars:
+  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+    objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # this name should match the one in certificate.yaml
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: CERTIFICATE_NAME
+    objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # this name should match the one in certificate.yaml
+  - name: SERVICE_NAMESPACE # namespace of the service
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: SERVICE_NAME
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+
+configurations:
+  - ../../../bootstrap/kubeadm/config/default/kustomizeconfig.yaml
+
+
+patchesJson6902:
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_service_account.yaml
+  - target:
+      group: apiextensions.k8s.io
+      version: v1
+      kind: CustomResourceDefinition
+      name: kubeadmconfigs.bootstrap.cluster.x-k8s.io
+    path: patch_crd_webhook_namespace.yaml
+  - target:
+      group: apiextensions.k8s.io
+      version: v1
+      kind: CustomResourceDefinition
+      name: kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io
+    path: patch_crd_webhook_namespace.yaml
\ No newline at end of file
diff --git a/spectro/bootstrap/global/patch_crd_webhook_namespace.yaml b/spectro/bootstrap/global/patch_crd_webhook_namespace.yaml
new file mode 100644
index 000000000000..e40df94ba2c0
--- /dev/null
+++ b/spectro/bootstrap/global/patch_crd_webhook_namespace.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: "/spec/conversion/webhook/clientConfig/service/namespace"
+  value: capi-webhook-system
\ No newline at end of file
diff --git a/spectro/bootstrap/global/patch_service_account.yaml b/spectro/bootstrap/global/patch_service_account.yaml
new file mode 100644
index 000000000000..d9cd4321fc0c
--- /dev/null
+++ b/spectro/bootstrap/global/patch_service_account.yaml
@@ -0,0 +1,2 @@
+- op: remove
+  path: "/spec/template/spec/serviceAccountName"
diff --git a/spectro/controlplane/base/kustomization.yaml b/spectro/controlplane/base/kustomization.yaml
new file mode 100644
index 000000000000..bf8e15a6ebc2
--- /dev/null
+++ b/spectro/controlplane/base/kustomization.yaml
@@ -0,0 +1,30 @@
+namespace: capi-kubeadm-control-plane-system
+
+namePrefix: capi-kubeadm-control-plane-
+
+commonLabels:
+  cluster.x-k8s.io/provider: "control-plane-kubeadm"
+
+bases:
+  - ../../../controlplane/kubeadm/config/manager
+
+patchesStrategicMerge:
+  - ../../../controlplane/kubeadm/config/default/manager_image_patch.yaml
+  - ../../../controlplane/kubeadm/config/default/manager_pull_policy.yaml
+
+patchesJson6902:
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_service_account.yaml
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_healthcheck.yaml
+
diff --git a/spectro/controlplane/base/patch_healthcheck.yaml b/spectro/controlplane/base/patch_healthcheck.yaml
new file mode 100644
index 000000000000..1279812a6d21
--- /dev/null
+++ b/spectro/controlplane/base/patch_healthcheck.yaml
@@ -0,0 +1,6 @@
+- op: remove
+  path: "/spec/template/spec/containers/0/ports"
+- op: remove
+  path: "/spec/template/spec/containers/0/livenessProbe"
+- op: remove
+  path: "/spec/template/spec/containers/0/readinessProbe"
\ No newline at end of file
diff --git a/spectro/controlplane/base/patch_service_account.yaml b/spectro/controlplane/base/patch_service_account.yaml
new file mode 100644
index 000000000000..d9cd4321fc0c
--- /dev/null
+++ b/spectro/controlplane/base/patch_service_account.yaml
@@ -0,0 +1,2 @@
+- op: remove
+  path: "/spec/template/spec/serviceAccountName"
diff --git a/spectro/controlplane/global/kustomization.yaml b/spectro/controlplane/global/kustomization.yaml
new file mode 100644
index 000000000000..f097052ec57b
--- /dev/null
+++ b/spectro/controlplane/global/kustomization.yaml
@@ -0,0 +1,64 @@
+namespace: capi-kubeadm-control-plane-system
+
+namePrefix: capi-kubeadm-control-plane-
+
+commonLabels:
+  cluster.x-k8s.io/provider: "control-plane-kubeadm"
+
+bases:
+  - ../../../controlplane/kubeadm/config/crd
+  - ../../../controlplane/kubeadm/config/manager
+  - ../../../controlplane/kubeadm/config/webhook
+  - ../../../controlplane/kubeadm/config/certmanager
+
+patchesStrategicMerge:
+  - ../../../controlplane/kubeadm/config/default/manager_image_patch.yaml
+  - ../../../controlplane/kubeadm/config/default/manager_pull_policy.yaml
+  - ../../../controlplane/kubeadm/config/default/manager_webhook_patch.yaml
+  - ../../../controlplane/kubeadm/config/default/webhookcainjection_patch.yaml
+
+vars:
+  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+    objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # this name should match the one in certificate.yaml
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: CERTIFICATE_NAME
+    objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # this name should match the one in certificate.yaml
+  - name: SERVICE_NAMESPACE # namespace of the service
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: SERVICE_NAME
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+
+configurations:
+  - ../../../controlplane/kubeadm/config/default/kustomizeconfig.yaml
+
+patchesJson6902:
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_service_account.yaml
+  - target:
+      group: apiextensions.k8s.io
+      version: v1
+      kind: CustomResourceDefinition
+      name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
+    path: patch_crd_webhook_namespace.yaml
diff --git a/spectro/controlplane/global/patch_crd_webhook_namespace.yaml b/spectro/controlplane/global/patch_crd_webhook_namespace.yaml
new file mode 100644
index 000000000000..e40df94ba2c0
--- /dev/null
+++ b/spectro/controlplane/global/patch_crd_webhook_namespace.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: "/spec/conversion/webhook/clientConfig/service/namespace"
+  value: capi-webhook-system
\ No newline at end of file
diff --git a/spectro/controlplane/global/patch_service_account.yaml b/spectro/controlplane/global/patch_service_account.yaml
new file mode 100644
index 000000000000..d9cd4321fc0c
--- /dev/null
+++ b/spectro/controlplane/global/patch_service_account.yaml
@@ -0,0 +1,2 @@
+- op: remove
+  path: "/spec/template/spec/serviceAccountName"
diff --git a/spectro/core/base/kustomization.yaml b/spectro/core/base/kustomization.yaml
new file mode 100644
index 000000000000..8c5ef52c8133
--- /dev/null
+++ b/spectro/core/base/kustomization.yaml
@@ -0,0 +1,30 @@
+namespace: capi-system
+
+namePrefix: capi-
+
+commonLabels:
+  cluster.x-k8s.io/provider: "cluster-api"
+
+bases:
+- ../../../config/manager
+
+patchesStrategicMerge:
+# Provide customizable hook for make targets.
+- ../../../config/default/manager_image_patch.yaml
+- ../../../config/default/manager_pull_policy.yaml
+
+patchesJson6902:
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_service_account.yaml
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_healthcheck.yaml
diff --git a/spectro/core/base/patch_healthcheck.yaml b/spectro/core/base/patch_healthcheck.yaml
new file mode 100644
index 000000000000..1279812a6d21
--- /dev/null
+++ b/spectro/core/base/patch_healthcheck.yaml
@@ -0,0 +1,6 @@
+- op: remove
+  path: "/spec/template/spec/containers/0/ports"
+- op: remove
+  path: "/spec/template/spec/containers/0/livenessProbe"
+- op: remove
+  path: "/spec/template/spec/containers/0/readinessProbe"
\ No newline at end of file
diff --git a/spectro/core/base/patch_service_account.yaml b/spectro/core/base/patch_service_account.yaml
new file mode 100644
index 000000000000..d9cd4321fc0c
--- /dev/null
+++ b/spectro/core/base/patch_service_account.yaml
@@ -0,0 +1,2 @@
+- op: remove
+  path: "/spec/template/spec/serviceAccountName"
diff --git a/spectro/core/global/kustomization.yaml b/spectro/core/global/kustomization.yaml
new file mode 100644
index 000000000000..8915de85d59b
--- /dev/null
+++ b/spectro/core/global/kustomization.yaml
@@ -0,0 +1,96 @@
+namespace: capi-system
+
+namePrefix: capi-
+
+commonLabels:
+  cluster.x-k8s.io/provider: "cluster-api"
+
+bases:
+- ../../../config/crd
+- ../../../config/manager
+- ../../../config/webhook
+- ../../../config/certmanager
+
+patchesStrategicMerge:
+# Provide customizable hook for make targets.
+- ../../../config/default/manager_image_patch.yaml
+- ../../../config/default/manager_pull_policy.yaml
+# Enable webhook.
+- ../../../config/default/manager_webhook_patch.yaml
+# Inject certificate in the webhook definition.
+- ../../../config/default/webhookcainjection_patch.yaml
+
+vars:
+  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+    objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # this name should match the one in certificate.yaml
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: CERTIFICATE_NAME
+    objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # this name should match the one in certificate.yaml
+  - name: SERVICE_NAMESPACE # namespace of the service
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: SERVICE_NAME
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+
+configurations:
+  - ../../../config/default/kustomizeconfig.yaml
+
+patchesJson6902:
+  - target:
+      kind: Namespace
+      name: system
+      version: v1
+    path: patch_namespace.yaml
+  - target:
+      group: apps
+      kind: Deployment
+      name: controller-manager
+      namespace: system
+      version: v1
+    path: patch_service_account.yaml
+  - target:
+      group: apiextensions.k8s.io
+      version: v1
+      kind: CustomResourceDefinition
+      name: clusters.cluster.x-k8s.io
+    path: patch_crd_webhook_namespace.yaml
+  - target:
+      group: apiextensions.k8s.io
+      version: v1
+      kind: CustomResourceDefinition
+      name: machinedeployments.cluster.x-k8s.io
+    path: patch_crd_webhook_namespace.yaml
+  - target:
+      group: apiextensions.k8s.io
+      version: v1
+      kind: CustomResourceDefinition
+      name: machines.cluster.x-k8s.io
+    path: patch_crd_webhook_namespace.yaml
+  - target:
+      group: apiextensions.k8s.io
+      version: v1
+      kind: CustomResourceDefinition
+      name: machinesets.cluster.x-k8s.io
+    path: patch_crd_webhook_namespace.yaml
+  - target:
+      group: apiextensions.k8s.io
+      version: v1
+      kind: CustomResourceDefinition
+      name: machinehealthchecks.cluster.x-k8s.io
+    path: patch_crd_webhook_namespace.yaml
diff --git a/spectro/core/global/patch_crd_webhook_namespace.yaml b/spectro/core/global/patch_crd_webhook_namespace.yaml
new file mode 100644
index 000000000000..e40df94ba2c0
--- /dev/null
+++ b/spectro/core/global/patch_crd_webhook_namespace.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: "/spec/conversion/webhook/clientConfig/service/namespace"
+  value: capi-webhook-system
\ No newline at end of file
diff --git a/spectro/core/global/patch_namespace.yaml b/spectro/core/global/patch_namespace.yaml
new file mode 100644
index 000000000000..0de288003c7a
--- /dev/null
+++ b/spectro/core/global/patch_namespace.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: "/metadata/name"
+  value: capi-webhook-system
\ No newline at end of file
diff --git a/spectro/core/global/patch_service_account.yaml b/spectro/core/global/patch_service_account.yaml
new file mode 100644
index 000000000000..d9cd4321fc0c
--- /dev/null
+++ b/spectro/core/global/patch_service_account.yaml
@@ -0,0 +1,2 @@
+- op: remove
+  path: "/spec/template/spec/serviceAccountName"
diff --git a/spectro/generated/bootstrap-base.yaml b/spectro/generated/bootstrap-base.yaml
new file mode 100644
index 000000000000..04c4e52a7c2f
--- /dev/null
+++ b/spectro/generated/bootstrap-base.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+    control-plane: controller-manager
+  name: capi-kubeadm-bootstrap-controller-manager
+  namespace: capi-kubeadm-bootstrap-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/provider: bootstrap-kubeadm
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/provider: bootstrap-kubeadm
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - --leader-elect
+        - --metrics-bind-addr=localhost:8080
+        - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}
+        - --bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}
+        command:
+        - /manager
+        image: gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller:main
+        imagePullPolicy: Always
+        name: manager
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
diff --git a/spectro/generated/bootstrap-global.yaml b/spectro/generated/bootstrap-global.yaml
new file mode 100644
index 000000000000..d056f7e79d9a
--- /dev/null
+++ b/spectro/generated/bootstrap-global.yaml
@@ -0,0 +1,6410 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-bootstrap-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+    cluster.x-k8s.io/v1alpha3: v1alpha3
+    cluster.x-k8s.io/v1alpha4: v1alpha4
+    cluster.x-k8s.io/v1beta1: v1beta1
+  name: kubeadmconfigs.bootstrap.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-kubeadm-bootstrap-webhook-service
+          namespace: capi-webhook-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: bootstrap.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: KubeadmConfig
+    listKind: KubeadmConfigList
+    plural: kubeadmconfigs
+    singular: kubeadmconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: KubeadmConfig is the Schema for the kubeadmconfigs API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmConfigSpec defines the desired state of KubeadmConfig.
+              Either ClusterConfiguration and InitConfiguration should be defined
+              or the JoinConfiguration should be defined.
+            properties:
+              clusterConfiguration:
+                description: ClusterConfiguration along with InitConfiguration are
+                  the configurations necessary for the init command
+                properties:
+                  apiServer:
+                    description: APIServer contains extra settings for the API server
+                      control plane component
+                    properties:
+                      certSANs:
+                        description: CertSANs sets extra Subject Alternative Names
+                          for the API Server signing cert.
+                        items:
+                          type: string
+                        type: array
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                      timeoutForControlPlane:
+                        description: TimeoutForControlPlane controls the timeout that
+                          we use for API server to appear
+                        type: string
+                    type: object
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  certificatesDir:
+                    description: 'CertificatesDir specifies where to store or look
+                      for all required certificates. NB: if not provided, this will
+                      default to `/etc/kubernetes/pki`'
+                    type: string
+                  clusterName:
+                    description: The cluster name
+                    type: string
+                  controlPlaneEndpoint:
+                    description: 'ControlPlaneEndpoint sets a stable IP address or
+                      DNS name for the control plane; it can be a valid IP address
+                      or a RFC-1123 DNS subdomain, both with optional TCP port. In
+                      case the ControlPlaneEndpoint is not specified, the AdvertiseAddress
+                      + BindPort are used; in case the ControlPlaneEndpoint is specified
+                      but without a TCP port, the BindPort is used. Possible usages
+                      are: e.g. In a cluster with more than one control plane instances,
+                      this field should be assigned the address of the external load
+                      balancer in front of the control plane instances. e.g.  in environments
+                      with enforced node recycling, the ControlPlaneEndpoint could
+                      be used for assigning a stable DNS to the control plane. NB:
+                      This value defaults to the first value in the Cluster object
+                      status.apiEndpoints array.'
+                    type: string
+                  controllerManager:
+                    description: ControllerManager contains extra settings for the
+                      controller manager control plane component
+                    properties:
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                  dns:
+                    description: DNS defines the options for the DNS add-on installed
+                      in the cluster.
+                    properties:
+                      imageRepository:
+                        description: ImageRepository sets the container registry to
+                          pull images from. if not set, the ImageRepository defined
+                          in ClusterConfiguration will be used instead.
+                        type: string
+                      imageTag:
+                        description: ImageTag allows to specify a tag for the image.
+                          In case this value is set, kubeadm does not change automatically
+                          the version of the above components during upgrades.
+                        type: string
+                      type:
+                        description: Type defines the DNS add-on to be used
+                        type: string
+                    type: object
+                  etcd:
+                    description: 'Etcd holds configuration for etcd. NB: This value
+                      defaults to a Local (stacked) etcd'
+                    properties:
+                      external:
+                        description: External describes how to connect to an external
+                          etcd cluster Local and External are mutually exclusive
+                        properties:
+                          caFile:
+                            description: CAFile is an SSL Certificate Authority file
+                              used to secure etcd communication. Required if using
+                              a TLS connection.
+                            type: string
+                          certFile:
+                            description: CertFile is an SSL certification file used
+                              to secure etcd communication. Required if using a TLS
+                              connection.
+                            type: string
+                          endpoints:
+                            description: Endpoints of etcd members. Required for ExternalEtcd.
+                            items:
+                              type: string
+                            type: array
+                          keyFile:
+                            description: KeyFile is an SSL key file used to secure
+                              etcd communication. Required if using a TLS connection.
+                            type: string
+                        required:
+                        - caFile
+                        - certFile
+                        - endpoints
+                        - keyFile
+                        type: object
+                      local:
+                        description: Local provides configuration knobs for configuring
+                          the local etcd instance Local and External are mutually
+                          exclusive
+                        properties:
+                          dataDir:
+                            description: DataDir is the directory etcd will place
+                              its data. Defaults to "/var/lib/etcd".
+                            type: string
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: ExtraArgs are extra arguments provided to
+                              the etcd binary when run inside a static pod.
+                            type: object
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. if not set, the ImageRepository
+                              defined in ClusterConfiguration will be used instead.
+                            type: string
+                          imageTag:
+                            description: ImageTag allows to specify a tag for the
+                              image. In case this value is set, kubeadm does not change
+                              automatically the version of the above components during
+                              upgrades.
+                            type: string
+                          peerCertSANs:
+                            description: PeerCertSANs sets extra Subject Alternative
+                              Names for the etcd peer signing cert.
+                            items:
+                              type: string
+                            type: array
+                          serverCertSANs:
+                            description: ServerCertSANs sets extra Subject Alternative
+                              Names for the etcd server signing cert.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                    type: object
+                  featureGates:
+                    additionalProperties:
+                      type: boolean
+                    description: FeatureGates enabled by the user.
+                    type: object
+                  imageRepository:
+                    description: ImageRepository sets the container registry to pull
+                      images from. If empty, `k8s.gcr.io` will be used by default;
+                      in case of kubernetes version is a CI build (kubernetes version
+                      starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
+                      will be used as a default for control plane components and for
+                      kube-proxy, while `k8s.gcr.io` will be used for all the other
+                      images.
+                    type: string
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  kubernetesVersion:
+                    description: 'KubernetesVersion is the target version of the control
+                      plane. NB: This value defaults to the Machine object spec.version'
+                    type: string
+                  networking:
+                    description: 'Networking holds configuration for the networking
+                      topology of the cluster. NB: This value defaults to the Cluster
+                      object spec.clusterNetwork.'
+                    properties:
+                      dnsDomain:
+                        description: DNSDomain is the dns domain used by k8s services.
+                          Defaults to "cluster.local".
+                        type: string
+                      podSubnet:
+                        description: PodSubnet is the subnet used by pods. If unset,
+                          the API server will not allocate CIDR ranges for every node.
+                          Defaults to a comma-delimited string of the Cluster object's
+                          spec.clusterNetwork.services.cidrBlocks if that is set
+                        type: string
+                      serviceSubnet:
+                        description: ServiceSubnet is the subnet used by k8s services.
+                          Defaults to a comma-delimited string of the Cluster object's
+                          spec.clusterNetwork.pods.cidrBlocks, or to "10.96.0.0/12"
+                          if that's unset.
+                        type: string
+                    type: object
+                  scheduler:
+                    description: Scheduler contains extra settings for the scheduler
+                      control plane component
+                    properties:
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                  useHyperKubeImage:
+                    description: UseHyperKubeImage controls if hyperkube should be
+                      used for Kubernetes components instead of their respective separate
+                      images
+                    type: boolean
+                type: object
+              diskSetup:
+                description: DiskSetup specifies options for the creation of partition
+                  tables and file systems on devices.
+                properties:
+                  filesystems:
+                    description: Filesystems specifies the list of file systems to
+                      setup.
+                    items:
+                      description: Filesystem defines the file systems to be created.
+                      properties:
+                        device:
+                          description: Device specifies the device name
+                          type: string
+                        extraOpts:
+                          description: ExtraOpts defined extra options to add to the
+                            command for creating the file system.
+                          items:
+                            type: string
+                          type: array
+                        filesystem:
+                          description: Filesystem specifies the file system type.
+                          type: string
+                        label:
+                          description: Label specifies the file system label to be
+                            used. If set to None, no label is used.
+                          type: string
+                        overwrite:
+                          description: Overwrite defines whether or not to overwrite
+                            any existing filesystem. If true, any pre-existing file
+                            system will be destroyed. Use with Caution.
+                          type: boolean
+                        partition:
+                          description: 'Partition specifies the partition to use.
+                            The valid options are: "auto|any", "auto", "any", "none",
+                            and <NUM>, where NUM is the actual partition number.'
+                          type: string
+                        replaceFS:
+                          description: 'ReplaceFS is a special directive, used for
+                            Microsoft Azure that instructs cloud-init to replace a
+                            file system of <FS_TYPE>. NOTE: unless you define a label,
+                            this requires the use of the ''any'' partition directive.'
+                          type: string
+                      required:
+                      - device
+                      - filesystem
+                      - label
+                      type: object
+                    type: array
+                  partitions:
+                    description: Partitions specifies the list of the partitions to
+                      setup.
+                    items:
+                      description: Partition defines how to create and layout a partition.
+                      properties:
+                        device:
+                          description: Device is the name of the device.
+                          type: string
+                        layout:
+                          description: Layout specifies the device layout. If it is
+                            true, a single partition will be created for the entire
+                            device. When layout is false, it means don't partition
+                            or ignore existing partitioning.
+                          type: boolean
+                        overwrite:
+                          description: Overwrite describes whether to skip checks
+                            and create the partition if a partition or filesystem
+                            is found on the device. Use with caution. Default is 'false'.
+                          type: boolean
+                        tableType:
+                          description: 'TableType specifies the tupe of partition
+                            table. The following are supported: ''mbr'': default and
+                            setups a MS-DOS partition table ''gpt'': setups a GPT
+                            partition table'
+                          type: string
+                      required:
+                      - device
+                      - layout
+                      type: object
+                    type: array
+                type: object
+              files:
+                description: Files specifies extra files to be passed to user_data
+                  upon creation.
+                items:
+                  description: File defines the input for generating write_files in
+                    cloud-init.
+                  properties:
+                    content:
+                      description: Content is the actual content of the file.
+                      type: string
+                    contentFrom:
+                      description: ContentFrom is a referenced source of content to
+                        populate the file.
+                      properties:
+                        secret:
+                          description: Secret represents a secret that should populate
+                            this file.
+                          properties:
+                            key:
+                              description: Key is the key in the secret's data map
+                                for this value.
+                              type: string
+                            name:
+                              description: Name of the secret in the KubeadmBootstrapConfig's
+                                namespace to use.
+                              type: string
+                          required:
+                          - key
+                          - name
+                          type: object
+                      required:
+                      - secret
+                      type: object
+                    encoding:
+                      description: Encoding specifies the encoding of the file contents.
+                      enum:
+                      - base64
+                      - gzip
+                      - gzip+base64
+                      type: string
+                    owner:
+                      description: Owner specifies the ownership of the file, e.g.
+                        "root:root".
+                      type: string
+                    path:
+                      description: Path specifies the full path on disk where to store
+                        the file.
+                      type: string
+                    permissions:
+                      description: Permissions specifies the permissions to assign
+                        to the file, e.g. "0640".
+                      type: string
+                  required:
+                  - path
+                  type: object
+                type: array
+              format:
+                description: Format specifies the output format of the bootstrap data
+                enum:
+                - cloud-config
+                type: string
+              initConfiguration:
+                description: InitConfiguration along with ClusterConfiguration are
+                  the configurations necessary for the init command
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  bootstrapTokens:
+                    description: BootstrapTokens is respected at `kubeadm init` time
+                      and describes a set of Bootstrap Tokens to create. This information
+                      IS NOT uploaded to the kubeadm cluster configmap, partly because
+                      of its sensitive nature
+                    items:
+                      description: BootstrapToken describes one bootstrap token, stored
+                        as a Secret in the cluster.
+                      properties:
+                        description:
+                          description: Description sets a human-friendly message why
+                            this token exists and what it's used for, so other administrators
+                            can know its purpose.
+                          type: string
+                        expires:
+                          description: Expires specifies the timestamp when this token
+                            expires. Defaults to being set dynamically at runtime
+                            based on the TTL. Expires and TTL are mutually exclusive.
+                          format: date-time
+                          type: string
+                        groups:
+                          description: Groups specifies the extra groups that this
+                            token will authenticate as when/if used for authentication
+                          items:
+                            type: string
+                          type: array
+                        token:
+                          description: Token is used for establishing bidirectional
+                            trust between nodes and control-planes. Used for joining
+                            nodes in the cluster.
+                          type: string
+                        ttl:
+                          description: TTL defines the time to live for this token.
+                            Defaults to 24h. Expires and TTL are mutually exclusive.
+                          type: string
+                        usages:
+                          description: Usages describes the ways in which this token
+                            can be used. Can by default be used for establishing bidirectional
+                            trust, but that can be changed here.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - token
+                      type: object
+                    type: array
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  localAPIEndpoint:
+                    description: LocalAPIEndpoint represents the endpoint of the API
+                      server instance that's deployed on this control plane node In
+                      HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                      in the sense that ControlPlaneEndpoint is the global endpoint
+                      for the cluster, which then loadbalances the requests to each
+                      individual API server. This configuration object lets you customize
+                      what IP/DNS name and port the local API server advertises it's
+                      accessible on. By default, kubeadm tries to auto-detect the
+                      IP of the default interface and use that, but in case that process
+                      fails you may set the desired value here.
+                    properties:
+                      advertiseAddress:
+                        description: AdvertiseAddress sets the IP address for the
+                          API server to advertise.
+                        type: string
+                      bindPort:
+                        description: BindPort sets the secure port for the API Server
+                          to bind to. Defaults to 6443.
+                        format: int32
+                        type: integer
+                    required:
+                    - advertiseAddress
+                    - bindPort
+                    type: object
+                  nodeRegistration:
+                    description: NodeRegistration holds fields that relate to registering
+                      the new control-plane node to the cluster. When used in the
+                      context of control plane nodes, NodeRegistration should remain
+                      consistent across both InitConfiguration and JoinConfiguration
+                    properties:
+                      criSocket:
+                        description: CRISocket is used to retrieve container runtime
+                          info. This information will be annotated to the Node API
+                          object, for later re-use
+                        type: string
+                      kubeletExtraArgs:
+                        additionalProperties:
+                          type: string
+                        description: KubeletExtraArgs passes through extra arguments
+                          to the kubelet. The arguments here are passed to the kubelet
+                          command line via the environment file kubeadm writes at
+                          runtime for the kubelet to source. This overrides the generic
+                          base-level configuration in the kubelet-config-1.X ConfigMap
+                          Flags have higher priority when parsing. These values are
+                          local and specific to the node kubeadm is executing on.
+                        type: object
+                      name:
+                        description: Name is the `.Metadata.Name` field of the Node
+                          API object that will be created in this `kubeadm init` or
+                          `kubeadm join` operation. This field is also used in the
+                          CommonName field of the kubelet's client certificate to
+                          the API server. Defaults to the hostname of the node if
+                          not provided.
+                        type: string
+                      taints:
+                        description: 'Taints specifies the taints the Node API object
+                          should be registered with. If this field is unset, i.e.
+                          nil, in the `kubeadm init` process it will be defaulted
+                          to []v1.Taint{''node-role.kubernetes.io/master=""''}. If
+                          you don''t want to taint your control-plane node, set this
+                          field to an empty slice, i.e. `taints: {}` in the YAML file.
+                          This field is solely used for Node registration.'
+                        items:
+                          description: The node this Taint is attached to has the
+                            "effect" on any pod that does not tolerate the Taint.
+                          properties:
+                            effect:
+                              description: Required. The effect of the taint on pods
+                                that do not tolerate the taint. Valid effects are
+                                NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: Required. The taint key to be applied to
+                                a node.
+                              type: string
+                            timeAdded:
+                              description: TimeAdded represents the time at which
+                                the taint was added. It is only written for NoExecute
+                                taints.
+                              format: date-time
+                              type: string
+                            value:
+                              description: The taint value corresponding to the taint
+                                key.
+                              type: string
+                          required:
+                          - effect
+                          - key
+                          type: object
+                        type: array
+                    type: object
+                type: object
+              joinConfiguration:
+                description: JoinConfiguration is the kubeadm configuration for the
+                  join command
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  caCertPath:
+                    description: 'CACertPath is the path to the SSL certificate authority
+                      used to secure comunications between node and control-plane.
+                      Defaults to "/etc/kubernetes/pki/ca.crt". TODO: revisit when
+                      there is defaulting from k/k'
+                    type: string
+                  controlPlane:
+                    description: ControlPlane defines the additional control plane
+                      instance to be deployed on the joining node. If nil, no additional
+                      control plane instance will be deployed.
+                    properties:
+                      localAPIEndpoint:
+                        description: LocalAPIEndpoint represents the endpoint of the
+                          API server instance to be deployed on this node.
+                        properties:
+                          advertiseAddress:
+                            description: AdvertiseAddress sets the IP address for
+                              the API server to advertise.
+                            type: string
+                          bindPort:
+                            description: BindPort sets the secure port for the API
+                              Server to bind to. Defaults to 6443.
+                            format: int32
+                            type: integer
+                        required:
+                        - advertiseAddress
+                        - bindPort
+                        type: object
+                    type: object
+                  discovery:
+                    description: 'Discovery specifies the options for the kubelet
+                      to use during the TLS Bootstrap process TODO: revisit when there
+                      is defaulting from k/k'
+                    properties:
+                      bootstrapToken:
+                        description: BootstrapToken is used to set the options for
+                          bootstrap token based discovery BootstrapToken and File
+                          are mutually exclusive
+                        properties:
+                          apiServerEndpoint:
+                            description: APIServerEndpoint is an IP or domain name
+                              to the API server from which info will be fetched.
+                            type: string
+                          caCertHashes:
+                            description: 'CACertHashes specifies a set of public key
+                              pins to verify when token-based discovery is used. The
+                              root CA found during discovery must match one of these
+                              values. Specifying an empty set disables root CA pinning,
+                              which can be unsafe. Each hash is specified as "<type>:<value>",
+                              where the only currently supported type is "sha256".
+                              This is a hex-encoded SHA-256 hash of the Subject Public
+                              Key Info (SPKI) object in DER-encoded ASN.1. These hashes
+                              can be calculated using, for example, OpenSSL: openssl
+                              x509 -pubkey -in ca.crt openssl rsa -pubin -outform
+                              der 2>&/dev/null | openssl dgst -sha256 -hex'
+                            items:
+                              type: string
+                            type: array
+                          token:
+                            description: Token is a token used to validate cluster
+                              information fetched from the control-plane.
+                            type: string
+                          unsafeSkipCAVerification:
+                            description: UnsafeSkipCAVerification allows token-based
+                              discovery without CA verification via CACertHashes.
+                              This can weaken the security of kubeadm since other
+                              nodes can impersonate the control-plane.
+                            type: boolean
+                        required:
+                        - token
+                        - unsafeSkipCAVerification
+                        type: object
+                      file:
+                        description: File is used to specify a file or URL to a kubeconfig
+                          file from which to load cluster information BootstrapToken
+                          and File are mutually exclusive
+                        properties:
+                          kubeConfigPath:
+                            description: KubeConfigPath is used to specify the actual
+                              file path or URL to the kubeconfig file from which to
+                              load cluster information
+                            type: string
+                        required:
+                        - kubeConfigPath
+                        type: object
+                      timeout:
+                        description: Timeout modifies the discovery timeout
+                        type: string
+                      tlsBootstrapToken:
+                        description: 'TLSBootstrapToken is a token used for TLS bootstrapping.
+                          If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token,
+                          but can be overridden. If .File is set, this field **must
+                          be set** in case the KubeConfigFile does not contain any
+                          other authentication information TODO: revisit when there
+                          is defaulting from k/k'
+                        type: string
+                    type: object
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  nodeRegistration:
+                    description: NodeRegistration holds fields that relate to registering
+                      the new control-plane node to the cluster. When used in the
+                      context of control plane nodes, NodeRegistration should remain
+                      consistent across both InitConfiguration and JoinConfiguration
+                    properties:
+                      criSocket:
+                        description: CRISocket is used to retrieve container runtime
+                          info. This information will be annotated to the Node API
+                          object, for later re-use
+                        type: string
+                      kubeletExtraArgs:
+                        additionalProperties:
+                          type: string
+                        description: KubeletExtraArgs passes through extra arguments
+                          to the kubelet. The arguments here are passed to the kubelet
+                          command line via the environment file kubeadm writes at
+                          runtime for the kubelet to source. This overrides the generic
+                          base-level configuration in the kubelet-config-1.X ConfigMap
+                          Flags have higher priority when parsing. These values are
+                          local and specific to the node kubeadm is executing on.
+                        type: object
+                      name:
+                        description: Name is the `.Metadata.Name` field of the Node
+                          API object that will be created in this `kubeadm init` or
+                          `kubeadm join` operation. This field is also used in the
+                          CommonName field of the kubelet's client certificate to
+                          the API server. Defaults to the hostname of the node if
+                          not provided.
+                        type: string
+                      taints:
+                        description: 'Taints specifies the taints the Node API object
+                          should be registered with. If this field is unset, i.e.
+                          nil, in the `kubeadm init` process it will be defaulted
+                          to []v1.Taint{''node-role.kubernetes.io/master=""''}. If
+                          you don''t want to taint your control-plane node, set this
+                          field to an empty slice, i.e. `taints: {}` in the YAML file.
+                          This field is solely used for Node registration.'
+                        items:
+                          description: The node this Taint is attached to has the
+                            "effect" on any pod that does not tolerate the Taint.
+                          properties:
+                            effect:
+                              description: Required. The effect of the taint on pods
+                                that do not tolerate the taint. Valid effects are
+                                NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: Required. The taint key to be applied to
+                                a node.
+                              type: string
+                            timeAdded:
+                              description: TimeAdded represents the time at which
+                                the taint was added. It is only written for NoExecute
+                                taints.
+                              format: date-time
+                              type: string
+                            value:
+                              description: The taint value corresponding to the taint
+                                key.
+                              type: string
+                          required:
+                          - effect
+                          - key
+                          type: object
+                        type: array
+                    type: object
+                type: object
+              mounts:
+                description: Mounts specifies a list of mount points to be setup.
+                items:
+                  description: MountPoints defines input for generated mounts in cloud-init.
+                  items:
+                    type: string
+                  type: array
+                type: array
+              ntp:
+                description: NTP specifies NTP configuration
+                properties:
+                  enabled:
+                    description: Enabled specifies whether NTP should be enabled
+                    type: boolean
+                  servers:
+                    description: Servers specifies which NTP servers to use
+                    items:
+                      type: string
+                    type: array
+                type: object
+              postKubeadmCommands:
+                description: PostKubeadmCommands specifies extra commands to run after
+                  kubeadm runs
+                items:
+                  type: string
+                type: array
+              preKubeadmCommands:
+                description: PreKubeadmCommands specifies extra commands to run before
+                  kubeadm runs
+                items:
+                  type: string
+                type: array
+              useExperimentalRetryJoin:
+                description: "UseExperimentalRetryJoin replaces a basic kubeadm command
+                  with a shell script with retries for joins. \n This is meant to
+                  be an experimental temporary workaround on some environments where
+                  joins fail due to timing (and other issues). The long term goal
+                  is to add retries to kubeadm proper and use that functionality.
+                  \n This will add about 40KB to userdata \n For more information,
+                  refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                type: boolean
+              users:
+                description: Users specifies extra users to add
+                items:
+                  description: User defines the input for a generated user in cloud-init.
+                  properties:
+                    gecos:
+                      description: Gecos specifies the gecos to use for the user
+                      type: string
+                    groups:
+                      description: Groups specifies the additional groups for the
+                        user
+                      type: string
+                    homeDir:
+                      description: HomeDir specifies the home directory to use for
+                        the user
+                      type: string
+                    inactive:
+                      description: Inactive specifies whether to mark the user as
+                        inactive
+                      type: boolean
+                    lockPassword:
+                      description: LockPassword specifies if password login should
+                        be disabled
+                      type: boolean
+                    name:
+                      description: Name specifies the user name
+                      type: string
+                    passwd:
+                      description: Passwd specifies a hashed password for the user
+                      type: string
+                    primaryGroup:
+                      description: PrimaryGroup specifies the primary group for the
+                        user
+                      type: string
+                    shell:
+                      description: Shell specifies the user's shell
+                      type: string
+                    sshAuthorizedKeys:
+                      description: SSHAuthorizedKeys specifies a list of ssh authorized
+                        keys for the user
+                      items:
+                        type: string
+                      type: array
+                    sudo:
+                      description: Sudo specifies a sudo role for the user
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
+              verbosity:
+                description: Verbosity is the number for the kubeadm log level verbosity.
+                  It overrides the `--v` flag in kubeadm commands.
+                format: int32
+                type: integer
+            type: object
+          status:
+            description: KubeadmConfigStatus defines the observed state of KubeadmConfig.
+            properties:
+              bootstrapData:
+                description: "BootstrapData will be a cloud-init script for now. \n
+                  Deprecated: Switch to DataSecretName."
+                format: byte
+                type: string
+              conditions:
+                description: Conditions defines current service state of the KubeadmConfig.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              dataSecretName:
+                description: DataSecretName is the name of the secret that stores
+                  the bootstrap data script.
+                type: string
+              failureMessage:
+                description: FailureMessage will be set on non-retryable errors
+                type: string
+              failureReason:
+                description: FailureReason will be set on non-retryable errors
+                type: string
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              ready:
+                description: Ready indicates the BootstrapData field is ready to be
+                  consumed
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of KubeadmConfig
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: KubeadmConfig is the Schema for the kubeadmconfigs API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmConfigSpec defines the desired state of KubeadmConfig.
+              Either ClusterConfiguration and InitConfiguration should be defined
+              or the JoinConfiguration should be defined.
+            properties:
+              clusterConfiguration:
+                description: ClusterConfiguration along with InitConfiguration are
+                  the configurations necessary for the init command
+                properties:
+                  apiServer:
+                    description: APIServer contains extra settings for the API server
+                      control plane component
+                    properties:
+                      certSANs:
+                        description: CertSANs sets extra Subject Alternative Names
+                          for the API Server signing cert.
+                        items:
+                          type: string
+                        type: array
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                      timeoutForControlPlane:
+                        description: TimeoutForControlPlane controls the timeout that
+                          we use for API server to appear
+                        type: string
+                    type: object
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  certificatesDir:
+                    description: 'CertificatesDir specifies where to store or look
+                      for all required certificates. NB: if not provided, this will
+                      default to `/etc/kubernetes/pki`'
+                    type: string
+                  clusterName:
+                    description: The cluster name
+                    type: string
+                  controlPlaneEndpoint:
+                    description: 'ControlPlaneEndpoint sets a stable IP address or
+                      DNS name for the control plane; it can be a valid IP address
+                      or a RFC-1123 DNS subdomain, both with optional TCP port. In
+                      case the ControlPlaneEndpoint is not specified, the AdvertiseAddress
+                      + BindPort are used; in case the ControlPlaneEndpoint is specified
+                      but without a TCP port, the BindPort is used. Possible usages
+                      are: e.g. In a cluster with more than one control plane instances,
+                      this field should be assigned the address of the external load
+                      balancer in front of the control plane instances. e.g.  in environments
+                      with enforced node recycling, the ControlPlaneEndpoint could
+                      be used for assigning a stable DNS to the control plane. NB:
+                      This value defaults to the first value in the Cluster object
+                      status.apiEndpoints array.'
+                    type: string
+                  controllerManager:
+                    description: ControllerManager contains extra settings for the
+                      controller manager control plane component
+                    properties:
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                  dns:
+                    description: DNS defines the options for the DNS add-on installed
+                      in the cluster.
+                    properties:
+                      imageRepository:
+                        description: ImageRepository sets the container registry to
+                          pull images from. if not set, the ImageRepository defined
+                          in ClusterConfiguration will be used instead.
+                        type: string
+                      imageTag:
+                        description: ImageTag allows to specify a tag for the image.
+                          In case this value is set, kubeadm does not change automatically
+                          the version of the above components during upgrades.
+                        type: string
+                    type: object
+                  etcd:
+                    description: 'Etcd holds configuration for etcd. NB: This value
+                      defaults to a Local (stacked) etcd'
+                    properties:
+                      external:
+                        description: External describes how to connect to an external
+                          etcd cluster Local and External are mutually exclusive
+                        properties:
+                          caFile:
+                            description: CAFile is an SSL Certificate Authority file
+                              used to secure etcd communication. Required if using
+                              a TLS connection.
+                            type: string
+                          certFile:
+                            description: CertFile is an SSL certification file used
+                              to secure etcd communication. Required if using a TLS
+                              connection.
+                            type: string
+                          endpoints:
+                            description: Endpoints of etcd members. Required for ExternalEtcd.
+                            items:
+                              type: string
+                            type: array
+                          keyFile:
+                            description: KeyFile is an SSL key file used to secure
+                              etcd communication. Required if using a TLS connection.
+                            type: string
+                        required:
+                        - caFile
+                        - certFile
+                        - endpoints
+                        - keyFile
+                        type: object
+                      local:
+                        description: Local provides configuration knobs for configuring
+                          the local etcd instance Local and External are mutually
+                          exclusive
+                        properties:
+                          dataDir:
+                            description: DataDir is the directory etcd will place
+                              its data. Defaults to "/var/lib/etcd".
+                            type: string
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: ExtraArgs are extra arguments provided to
+                              the etcd binary when run inside a static pod.
+                            type: object
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. if not set, the ImageRepository
+                              defined in ClusterConfiguration will be used instead.
+                            type: string
+                          imageTag:
+                            description: ImageTag allows to specify a tag for the
+                              image. In case this value is set, kubeadm does not change
+                              automatically the version of the above components during
+                              upgrades.
+                            type: string
+                          peerCertSANs:
+                            description: PeerCertSANs sets extra Subject Alternative
+                              Names for the etcd peer signing cert.
+                            items:
+                              type: string
+                            type: array
+                          serverCertSANs:
+                            description: ServerCertSANs sets extra Subject Alternative
+                              Names for the etcd server signing cert.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                    type: object
+                  featureGates:
+                    additionalProperties:
+                      type: boolean
+                    description: FeatureGates enabled by the user.
+                    type: object
+                  imageRepository:
+                    description: ImageRepository sets the container registry to pull
+                      images from. If empty, `k8s.gcr.io` will be used by default;
+                      in case of kubernetes version is a CI build (kubernetes version
+                      starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
+                      will be used as a default for control plane components and for
+                      kube-proxy, while `k8s.gcr.io` will be used for all the other
+                      images.
+                    type: string
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  kubernetesVersion:
+                    description: 'KubernetesVersion is the target version of the control
+                      plane. NB: This value defaults to the Machine object spec.version'
+                    type: string
+                  networking:
+                    description: 'Networking holds configuration for the networking
+                      topology of the cluster. NB: This value defaults to the Cluster
+                      object spec.clusterNetwork.'
+                    properties:
+                      dnsDomain:
+                        description: DNSDomain is the dns domain used by k8s services.
+                          Defaults to "cluster.local".
+                        type: string
+                      podSubnet:
+                        description: PodSubnet is the subnet used by pods. If unset,
+                          the API server will not allocate CIDR ranges for every node.
+                          Defaults to a comma-delimited string of the Cluster object's
+                          spec.clusterNetwork.services.cidrBlocks if that is set
+                        type: string
+                      serviceSubnet:
+                        description: ServiceSubnet is the subnet used by k8s services.
+                          Defaults to a comma-delimited string of the Cluster object's
+                          spec.clusterNetwork.pods.cidrBlocks, or to "10.96.0.0/12"
+                          if that's unset.
+                        type: string
+                    type: object
+                  scheduler:
+                    description: Scheduler contains extra settings for the scheduler
+                      control plane component
+                    properties:
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                type: object
+              diskSetup:
+                description: DiskSetup specifies options for the creation of partition
+                  tables and file systems on devices.
+                properties:
+                  filesystems:
+                    description: Filesystems specifies the list of file systems to
+                      setup.
+                    items:
+                      description: Filesystem defines the file systems to be created.
+                      properties:
+                        device:
+                          description: Device specifies the device name
+                          type: string
+                        extraOpts:
+                          description: ExtraOpts defined extra options to add to the
+                            command for creating the file system.
+                          items:
+                            type: string
+                          type: array
+                        filesystem:
+                          description: Filesystem specifies the file system type.
+                          type: string
+                        label:
+                          description: Label specifies the file system label to be
+                            used. If set to None, no label is used.
+                          type: string
+                        overwrite:
+                          description: Overwrite defines whether or not to overwrite
+                            any existing filesystem. If true, any pre-existing file
+                            system will be destroyed. Use with Caution.
+                          type: boolean
+                        partition:
+                          description: 'Partition specifies the partition to use.
+                            The valid options are: "auto|any", "auto", "any", "none",
+                            and <NUM>, where NUM is the actual partition number.'
+                          type: string
+                        replaceFS:
+                          description: 'ReplaceFS is a special directive, used for
+                            Microsoft Azure that instructs cloud-init to replace a
+                            file system of <FS_TYPE>. NOTE: unless you define a label,
+                            this requires the use of the ''any'' partition directive.'
+                          type: string
+                      required:
+                      - device
+                      - filesystem
+                      - label
+                      type: object
+                    type: array
+                  partitions:
+                    description: Partitions specifies the list of the partitions to
+                      setup.
+                    items:
+                      description: Partition defines how to create and layout a partition.
+                      properties:
+                        device:
+                          description: Device is the name of the device.
+                          type: string
+                        layout:
+                          description: Layout specifies the device layout. If it is
+                            true, a single partition will be created for the entire
+                            device. When layout is false, it means don't partition
+                            or ignore existing partitioning.
+                          type: boolean
+                        overwrite:
+                          description: Overwrite describes whether to skip checks
+                            and create the partition if a partition or filesystem
+                            is found on the device. Use with caution. Default is 'false'.
+                          type: boolean
+                        tableType:
+                          description: 'TableType specifies the tupe of partition
+                            table. The following are supported: ''mbr'': default and
+                            setups a MS-DOS partition table ''gpt'': setups a GPT
+                            partition table'
+                          type: string
+                      required:
+                      - device
+                      - layout
+                      type: object
+                    type: array
+                type: object
+              files:
+                description: Files specifies extra files to be passed to user_data
+                  upon creation.
+                items:
+                  description: File defines the input for generating write_files in
+                    cloud-init.
+                  properties:
+                    content:
+                      description: Content is the actual content of the file.
+                      type: string
+                    contentFrom:
+                      description: ContentFrom is a referenced source of content to
+                        populate the file.
+                      properties:
+                        secret:
+                          description: Secret represents a secret that should populate
+                            this file.
+                          properties:
+                            key:
+                              description: Key is the key in the secret's data map
+                                for this value.
+                              type: string
+                            name:
+                              description: Name of the secret in the KubeadmBootstrapConfig's
+                                namespace to use.
+                              type: string
+                          required:
+                          - key
+                          - name
+                          type: object
+                      required:
+                      - secret
+                      type: object
+                    encoding:
+                      description: Encoding specifies the encoding of the file contents.
+                      enum:
+                      - base64
+                      - gzip
+                      - gzip+base64
+                      type: string
+                    owner:
+                      description: Owner specifies the ownership of the file, e.g.
+                        "root:root".
+                      type: string
+                    path:
+                      description: Path specifies the full path on disk where to store
+                        the file.
+                      type: string
+                    permissions:
+                      description: Permissions specifies the permissions to assign
+                        to the file, e.g. "0640".
+                      type: string
+                  required:
+                  - path
+                  type: object
+                type: array
+              format:
+                description: Format specifies the output format of the bootstrap data
+                enum:
+                - cloud-config
+                type: string
+              initConfiguration:
+                description: InitConfiguration along with ClusterConfiguration are
+                  the configurations necessary for the init command
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  bootstrapTokens:
+                    description: BootstrapTokens is respected at `kubeadm init` time
+                      and describes a set of Bootstrap Tokens to create. This information
+                      IS NOT uploaded to the kubeadm cluster configmap, partly because
+                      of its sensitive nature
+                    items:
+                      description: BootstrapToken describes one bootstrap token, stored
+                        as a Secret in the cluster.
+                      properties:
+                        description:
+                          description: Description sets a human-friendly message why
+                            this token exists and what it's used for, so other administrators
+                            can know its purpose.
+                          type: string
+                        expires:
+                          description: Expires specifies the timestamp when this token
+                            expires. Defaults to being set dynamically at runtime
+                            based on the TTL. Expires and TTL are mutually exclusive.
+                          format: date-time
+                          type: string
+                        groups:
+                          description: Groups specifies the extra groups that this
+                            token will authenticate as when/if used for authentication
+                          items:
+                            type: string
+                          type: array
+                        token:
+                          description: Token is used for establishing bidirectional
+                            trust between nodes and control-planes. Used for joining
+                            nodes in the cluster.
+                          type: string
+                        ttl:
+                          description: TTL defines the time to live for this token.
+                            Defaults to 24h. Expires and TTL are mutually exclusive.
+                          type: string
+                        usages:
+                          description: Usages describes the ways in which this token
+                            can be used. Can by default be used for establishing bidirectional
+                            trust, but that can be changed here.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - token
+                      type: object
+                    type: array
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  localAPIEndpoint:
+                    description: LocalAPIEndpoint represents the endpoint of the API
+                      server instance that's deployed on this control plane node In
+                      HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                      in the sense that ControlPlaneEndpoint is the global endpoint
+                      for the cluster, which then loadbalances the requests to each
+                      individual API server. This configuration object lets you customize
+                      what IP/DNS name and port the local API server advertises it's
+                      accessible on. By default, kubeadm tries to auto-detect the
+                      IP of the default interface and use that, but in case that process
+                      fails you may set the desired value here.
+                    properties:
+                      advertiseAddress:
+                        description: AdvertiseAddress sets the IP address for the
+                          API server to advertise.
+                        type: string
+                      bindPort:
+                        description: BindPort sets the secure port for the API Server
+                          to bind to. Defaults to 6443.
+                        format: int32
+                        type: integer
+                    type: object
+                  nodeRegistration:
+                    description: NodeRegistration holds fields that relate to registering
+                      the new control-plane node to the cluster. When used in the
+                      context of control plane nodes, NodeRegistration should remain
+                      consistent across both InitConfiguration and JoinConfiguration
+                    properties:
+                      criSocket:
+                        description: CRISocket is used to retrieve container runtime
+                          info. This information will be annotated to the Node API
+                          object, for later re-use
+                        type: string
+                      ignorePreflightErrors:
+                        description: IgnorePreflightErrors provides a slice of pre-flight
+                          errors to be ignored when the current node is registered.
+                        items:
+                          type: string
+                        type: array
+                      kubeletExtraArgs:
+                        additionalProperties:
+                          type: string
+                        description: KubeletExtraArgs passes through extra arguments
+                          to the kubelet. The arguments here are passed to the kubelet
+                          command line via the environment file kubeadm writes at
+                          runtime for the kubelet to source. This overrides the generic
+                          base-level configuration in the kubelet-config-1.X ConfigMap
+                          Flags have higher priority when parsing. These values are
+                          local and specific to the node kubeadm is executing on.
+                        type: object
+                      name:
+                        description: Name is the `.Metadata.Name` field of the Node
+                          API object that will be created in this `kubeadm init` or
+                          `kubeadm join` operation. This field is also used in the
+                          CommonName field of the kubelet's client certificate to
+                          the API server. Defaults to the hostname of the node if
+                          not provided.
+                        type: string
+                      taints:
+                        description: 'Taints specifies the taints the Node API object
+                          should be registered with. If this field is unset, i.e.
+                          nil, in the `kubeadm init` process it will be defaulted
+                          to []v1.Taint{''node-role.kubernetes.io/master=""''}. If
+                          you don''t want to taint your control-plane node, set this
+                          field to an empty slice, i.e. `taints: {}` in the YAML file.
+                          This field is solely used for Node registration.'
+                        items:
+                          description: The node this Taint is attached to has the
+                            "effect" on any pod that does not tolerate the Taint.
+                          properties:
+                            effect:
+                              description: Required. The effect of the taint on pods
+                                that do not tolerate the taint. Valid effects are
+                                NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: Required. The taint key to be applied to
+                                a node.
+                              type: string
+                            timeAdded:
+                              description: TimeAdded represents the time at which
+                                the taint was added. It is only written for NoExecute
+                                taints.
+                              format: date-time
+                              type: string
+                            value:
+                              description: The taint value corresponding to the taint
+                                key.
+                              type: string
+                          required:
+                          - effect
+                          - key
+                          type: object
+                        type: array
+                    type: object
+                type: object
+              joinConfiguration:
+                description: JoinConfiguration is the kubeadm configuration for the
+                  join command
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  caCertPath:
+                    description: 'CACertPath is the path to the SSL certificate authority
+                      used to secure comunications between node and control-plane.
+                      Defaults to "/etc/kubernetes/pki/ca.crt". TODO: revisit when
+                      there is defaulting from k/k'
+                    type: string
+                  controlPlane:
+                    description: ControlPlane defines the additional control plane
+                      instance to be deployed on the joining node. If nil, no additional
+                      control plane instance will be deployed.
+                    properties:
+                      localAPIEndpoint:
+                        description: LocalAPIEndpoint represents the endpoint of the
+                          API server instance to be deployed on this node.
+                        properties:
+                          advertiseAddress:
+                            description: AdvertiseAddress sets the IP address for
+                              the API server to advertise.
+                            type: string
+                          bindPort:
+                            description: BindPort sets the secure port for the API
+                              Server to bind to. Defaults to 6443.
+                            format: int32
+                            type: integer
+                        type: object
+                    type: object
+                  discovery:
+                    description: 'Discovery specifies the options for the kubelet
+                      to use during the TLS Bootstrap process TODO: revisit when there
+                      is defaulting from k/k'
+                    properties:
+                      bootstrapToken:
+                        description: BootstrapToken is used to set the options for
+                          bootstrap token based discovery BootstrapToken and File
+                          are mutually exclusive
+                        properties:
+                          apiServerEndpoint:
+                            description: APIServerEndpoint is an IP or domain name
+                              to the API server from which info will be fetched.
+                            type: string
+                          caCertHashes:
+                            description: 'CACertHashes specifies a set of public key
+                              pins to verify when token-based discovery is used. The
+                              root CA found during discovery must match one of these
+                              values. Specifying an empty set disables root CA pinning,
+                              which can be unsafe. Each hash is specified as "<type>:<value>",
+                              where the only currently supported type is "sha256".
+                              This is a hex-encoded SHA-256 hash of the Subject Public
+                              Key Info (SPKI) object in DER-encoded ASN.1. These hashes
+                              can be calculated using, for example, OpenSSL: openssl
+                              x509 -pubkey -in ca.crt openssl rsa -pubin -outform
+                              der 2>&/dev/null | openssl dgst -sha256 -hex'
+                            items:
+                              type: string
+                            type: array
+                          token:
+                            description: Token is a token used to validate cluster
+                              information fetched from the control-plane.
+                            type: string
+                          unsafeSkipCAVerification:
+                            description: UnsafeSkipCAVerification allows token-based
+                              discovery without CA verification via CACertHashes.
+                              This can weaken the security of kubeadm since other
+                              nodes can impersonate the control-plane.
+                            type: boolean
+                        required:
+                        - token
+                        type: object
+                      file:
+                        description: File is used to specify a file or URL to a kubeconfig
+                          file from which to load cluster information BootstrapToken
+                          and File are mutually exclusive
+                        properties:
+                          kubeConfigPath:
+                            description: KubeConfigPath is used to specify the actual
+                              file path or URL to the kubeconfig file from which to
+                              load cluster information
+                            type: string
+                        required:
+                        - kubeConfigPath
+                        type: object
+                      timeout:
+                        description: Timeout modifies the discovery timeout
+                        type: string
+                      tlsBootstrapToken:
+                        description: TLSBootstrapToken is a token used for TLS bootstrapping.
+                          If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token,
+                          but can be overridden. If .File is set, this field **must
+                          be set** in case the KubeConfigFile does not contain any
+                          other authentication information
+                        type: string
+                    type: object
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  nodeRegistration:
+                    description: NodeRegistration holds fields that relate to registering
+                      the new control-plane node to the cluster. When used in the
+                      context of control plane nodes, NodeRegistration should remain
+                      consistent across both InitConfiguration and JoinConfiguration
+                    properties:
+                      criSocket:
+                        description: CRISocket is used to retrieve container runtime
+                          info. This information will be annotated to the Node API
+                          object, for later re-use
+                        type: string
+                      ignorePreflightErrors:
+                        description: IgnorePreflightErrors provides a slice of pre-flight
+                          errors to be ignored when the current node is registered.
+                        items:
+                          type: string
+                        type: array
+                      kubeletExtraArgs:
+                        additionalProperties:
+                          type: string
+                        description: KubeletExtraArgs passes through extra arguments
+                          to the kubelet. The arguments here are passed to the kubelet
+                          command line via the environment file kubeadm writes at
+                          runtime for the kubelet to source. This overrides the generic
+                          base-level configuration in the kubelet-config-1.X ConfigMap
+                          Flags have higher priority when parsing. These values are
+                          local and specific to the node kubeadm is executing on.
+                        type: object
+                      name:
+                        description: Name is the `.Metadata.Name` field of the Node
+                          API object that will be created in this `kubeadm init` or
+                          `kubeadm join` operation. This field is also used in the
+                          CommonName field of the kubelet's client certificate to
+                          the API server. Defaults to the hostname of the node if
+                          not provided.
+                        type: string
+                      taints:
+                        description: 'Taints specifies the taints the Node API object
+                          should be registered with. If this field is unset, i.e.
+                          nil, in the `kubeadm init` process it will be defaulted
+                          to []v1.Taint{''node-role.kubernetes.io/master=""''}. If
+                          you don''t want to taint your control-plane node, set this
+                          field to an empty slice, i.e. `taints: {}` in the YAML file.
+                          This field is solely used for Node registration.'
+                        items:
+                          description: The node this Taint is attached to has the
+                            "effect" on any pod that does not tolerate the Taint.
+                          properties:
+                            effect:
+                              description: Required. The effect of the taint on pods
+                                that do not tolerate the taint. Valid effects are
+                                NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: Required. The taint key to be applied to
+                                a node.
+                              type: string
+                            timeAdded:
+                              description: TimeAdded represents the time at which
+                                the taint was added. It is only written for NoExecute
+                                taints.
+                              format: date-time
+                              type: string
+                            value:
+                              description: The taint value corresponding to the taint
+                                key.
+                              type: string
+                          required:
+                          - effect
+                          - key
+                          type: object
+                        type: array
+                    type: object
+                type: object
+              mounts:
+                description: Mounts specifies a list of mount points to be setup.
+                items:
+                  description: MountPoints defines input for generated mounts in cloud-init.
+                  items:
+                    type: string
+                  type: array
+                type: array
+              ntp:
+                description: NTP specifies NTP configuration
+                properties:
+                  enabled:
+                    description: Enabled specifies whether NTP should be enabled
+                    type: boolean
+                  servers:
+                    description: Servers specifies which NTP servers to use
+                    items:
+                      type: string
+                    type: array
+                type: object
+              postKubeadmCommands:
+                description: PostKubeadmCommands specifies extra commands to run after
+                  kubeadm runs
+                items:
+                  type: string
+                type: array
+              preKubeadmCommands:
+                description: PreKubeadmCommands specifies extra commands to run before
+                  kubeadm runs
+                items:
+                  type: string
+                type: array
+              useExperimentalRetryJoin:
+                description: "UseExperimentalRetryJoin replaces a basic kubeadm command
+                  with a shell script with retries for joins. \n This is meant to
+                  be an experimental temporary workaround on some environments where
+                  joins fail due to timing (and other issues). The long term goal
+                  is to add retries to kubeadm proper and use that functionality.
+                  \n This will add about 40KB to userdata \n For more information,
+                  refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                type: boolean
+              users:
+                description: Users specifies extra users to add
+                items:
+                  description: User defines the input for a generated user in cloud-init.
+                  properties:
+                    gecos:
+                      description: Gecos specifies the gecos to use for the user
+                      type: string
+                    groups:
+                      description: Groups specifies the additional groups for the
+                        user
+                      type: string
+                    homeDir:
+                      description: HomeDir specifies the home directory to use for
+                        the user
+                      type: string
+                    inactive:
+                      description: Inactive specifies whether to mark the user as
+                        inactive
+                      type: boolean
+                    lockPassword:
+                      description: LockPassword specifies if password login should
+                        be disabled
+                      type: boolean
+                    name:
+                      description: Name specifies the user name
+                      type: string
+                    passwd:
+                      description: Passwd specifies a hashed password for the user
+                      type: string
+                    primaryGroup:
+                      description: PrimaryGroup specifies the primary group for the
+                        user
+                      type: string
+                    shell:
+                      description: Shell specifies the user's shell
+                      type: string
+                    sshAuthorizedKeys:
+                      description: SSHAuthorizedKeys specifies a list of ssh authorized
+                        keys for the user
+                      items:
+                        type: string
+                      type: array
+                    sudo:
+                      description: Sudo specifies a sudo role for the user
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
+              verbosity:
+                description: Verbosity is the number for the kubeadm log level verbosity.
+                  It overrides the `--v` flag in kubeadm commands.
+                format: int32
+                type: integer
+            type: object
+          status:
+            description: KubeadmConfigStatus defines the observed state of KubeadmConfig.
+            properties:
+              conditions:
+                description: Conditions defines current service state of the KubeadmConfig.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              dataSecretName:
+                description: DataSecretName is the name of the secret that stores
+                  the bootstrap data script.
+                type: string
+              failureMessage:
+                description: FailureMessage will be set on non-retryable errors
+                type: string
+              failureReason:
+                description: FailureReason will be set on non-retryable errors
+                type: string
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              ready:
+                description: Ready indicates the BootstrapData field is ready to be
+                  consumed
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .metadata.labels['cluster\.x-k8s\.io/cluster-name']
+      name: Cluster
+      type: string
+    - description: Time duration since creation of KubeadmConfig
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KubeadmConfig is the Schema for the kubeadmconfigs API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmConfigSpec defines the desired state of KubeadmConfig.
+              Either ClusterConfiguration and InitConfiguration should be defined
+              or the JoinConfiguration should be defined.
+            properties:
+              clusterConfiguration:
+                description: ClusterConfiguration along with InitConfiguration are
+                  the configurations necessary for the init command
+                properties:
+                  apiServer:
+                    description: APIServer contains extra settings for the API server
+                      control plane component
+                    properties:
+                      certSANs:
+                        description: CertSANs sets extra Subject Alternative Names
+                          for the API Server signing cert.
+                        items:
+                          type: string
+                        type: array
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                      timeoutForControlPlane:
+                        description: TimeoutForControlPlane controls the timeout that
+                          we use for API server to appear
+                        type: string
+                    type: object
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  certificatesDir:
+                    description: 'CertificatesDir specifies where to store or look
+                      for all required certificates. NB: if not provided, this will
+                      default to `/etc/kubernetes/pki`'
+                    type: string
+                  clusterName:
+                    description: The cluster name
+                    type: string
+                  controlPlaneEndpoint:
+                    description: 'ControlPlaneEndpoint sets a stable IP address or
+                      DNS name for the control plane; it can be a valid IP address
+                      or a RFC-1123 DNS subdomain, both with optional TCP port. In
+                      case the ControlPlaneEndpoint is not specified, the AdvertiseAddress
+                      + BindPort are used; in case the ControlPlaneEndpoint is specified
+                      but without a TCP port, the BindPort is used. Possible usages
+                      are: e.g. In a cluster with more than one control plane instances,
+                      this field should be assigned the address of the external load
+                      balancer in front of the control plane instances. e.g.  in environments
+                      with enforced node recycling, the ControlPlaneEndpoint could
+                      be used for assigning a stable DNS to the control plane. NB:
+                      This value defaults to the first value in the Cluster object
+                      status.apiEndpoints array.'
+                    type: string
+                  controllerManager:
+                    description: ControllerManager contains extra settings for the
+                      controller manager control plane component
+                    properties:
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                  dns:
+                    description: DNS defines the options for the DNS add-on installed
+                      in the cluster.
+                    properties:
+                      imageRepository:
+                        description: ImageRepository sets the container registry to
+                          pull images from. if not set, the ImageRepository defined
+                          in ClusterConfiguration will be used instead.
+                        type: string
+                      imageTag:
+                        description: ImageTag allows to specify a tag for the image.
+                          In case this value is set, kubeadm does not change automatically
+                          the version of the above components during upgrades.
+                        type: string
+                    type: object
+                  etcd:
+                    description: 'Etcd holds configuration for etcd. NB: This value
+                      defaults to a Local (stacked) etcd'
+                    properties:
+                      external:
+                        description: External describes how to connect to an external
+                          etcd cluster Local and External are mutually exclusive
+                        properties:
+                          caFile:
+                            description: CAFile is an SSL Certificate Authority file
+                              used to secure etcd communication. Required if using
+                              a TLS connection.
+                            type: string
+                          certFile:
+                            description: CertFile is an SSL certification file used
+                              to secure etcd communication. Required if using a TLS
+                              connection.
+                            type: string
+                          endpoints:
+                            description: Endpoints of etcd members. Required for ExternalEtcd.
+                            items:
+                              type: string
+                            type: array
+                          keyFile:
+                            description: KeyFile is an SSL key file used to secure
+                              etcd communication. Required if using a TLS connection.
+                            type: string
+                        required:
+                        - caFile
+                        - certFile
+                        - endpoints
+                        - keyFile
+                        type: object
+                      local:
+                        description: Local provides configuration knobs for configuring
+                          the local etcd instance Local and External are mutually
+                          exclusive
+                        properties:
+                          dataDir:
+                            description: DataDir is the directory etcd will place
+                              its data. Defaults to "/var/lib/etcd".
+                            type: string
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: ExtraArgs are extra arguments provided to
+                              the etcd binary when run inside a static pod.
+                            type: object
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. if not set, the ImageRepository
+                              defined in ClusterConfiguration will be used instead.
+                            type: string
+                          imageTag:
+                            description: ImageTag allows to specify a tag for the
+                              image. In case this value is set, kubeadm does not change
+                              automatically the version of the above components during
+                              upgrades.
+                            type: string
+                          peerCertSANs:
+                            description: PeerCertSANs sets extra Subject Alternative
+                              Names for the etcd peer signing cert.
+                            items:
+                              type: string
+                            type: array
+                          serverCertSANs:
+                            description: ServerCertSANs sets extra Subject Alternative
+                              Names for the etcd server signing cert.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                    type: object
+                  featureGates:
+                    additionalProperties:
+                      type: boolean
+                    description: FeatureGates enabled by the user.
+                    type: object
+                  imageRepository:
+                    description: ImageRepository sets the container registry to pull
+                      images from. If empty, `k8s.gcr.io` will be used by default;
+                      in case of kubernetes version is a CI build (kubernetes version
+                      starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
+                      will be used as a default for control plane components and for
+                      kube-proxy, while `k8s.gcr.io` will be used for all the other
+                      images.
+                    type: string
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  kubernetesVersion:
+                    description: 'KubernetesVersion is the target version of the control
+                      plane. NB: This value defaults to the Machine object spec.version'
+                    type: string
+                  networking:
+                    description: 'Networking holds configuration for the networking
+                      topology of the cluster. NB: This value defaults to the Cluster
+                      object spec.clusterNetwork.'
+                    properties:
+                      dnsDomain:
+                        description: DNSDomain is the dns domain used by k8s services.
+                          Defaults to "cluster.local".
+                        type: string
+                      podSubnet:
+                        description: PodSubnet is the subnet used by pods. If unset,
+                          the API server will not allocate CIDR ranges for every node.
+                          Defaults to a comma-delimited string of the Cluster object's
+                          spec.clusterNetwork.services.cidrBlocks if that is set
+                        type: string
+                      serviceSubnet:
+                        description: ServiceSubnet is the subnet used by k8s services.
+                          Defaults to a comma-delimited string of the Cluster object's
+                          spec.clusterNetwork.pods.cidrBlocks, or to "10.96.0.0/12"
+                          if that's unset.
+                        type: string
+                    type: object
+                  scheduler:
+                    description: Scheduler contains extra settings for the scheduler
+                      control plane component
+                    properties:
+                      extraArgs:
+                        additionalProperties:
+                          type: string
+                        description: 'ExtraArgs is an extra set of flags to pass to
+                          the control plane component. TODO: This is temporary and
+                          ideally we would like to switch all components to use ComponentConfig
+                          + ConfigMaps.'
+                        type: object
+                      extraVolumes:
+                        description: ExtraVolumes is an extra set of host volumes,
+                          mounted to the control plane component.
+                        items:
+                          description: HostPathMount contains elements describing
+                            volumes that are mounted from the host.
+                          properties:
+                            hostPath:
+                              description: HostPath is the path in the host that will
+                                be mounted inside the pod.
+                              type: string
+                            mountPath:
+                              description: MountPath is the path inside the pod where
+                                hostPath will be mounted.
+                              type: string
+                            name:
+                              description: Name of the volume inside the pod template.
+                              type: string
+                            pathType:
+                              description: PathType is the type of the HostPath.
+                              type: string
+                            readOnly:
+                              description: ReadOnly controls write access to the volume
+                              type: boolean
+                          required:
+                          - hostPath
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                type: object
+              diskSetup:
+                description: DiskSetup specifies options for the creation of partition
+                  tables and file systems on devices.
+                properties:
+                  filesystems:
+                    description: Filesystems specifies the list of file systems to
+                      setup.
+                    items:
+                      description: Filesystem defines the file systems to be created.
+                      properties:
+                        device:
+                          description: Device specifies the device name
+                          type: string
+                        extraOpts:
+                          description: ExtraOpts defined extra options to add to the
+                            command for creating the file system.
+                          items:
+                            type: string
+                          type: array
+                        filesystem:
+                          description: Filesystem specifies the file system type.
+                          type: string
+                        label:
+                          description: Label specifies the file system label to be
+                            used. If set to None, no label is used.
+                          type: string
+                        overwrite:
+                          description: Overwrite defines whether or not to overwrite
+                            any existing filesystem. If true, any pre-existing file
+                            system will be destroyed. Use with Caution.
+                          type: boolean
+                        partition:
+                          description: 'Partition specifies the partition to use.
+                            The valid options are: "auto|any", "auto", "any", "none",
+                            and <NUM>, where NUM is the actual partition number.'
+                          type: string
+                        replaceFS:
+                          description: 'ReplaceFS is a special directive, used for
+                            Microsoft Azure that instructs cloud-init to replace a
+                            file system of <FS_TYPE>. NOTE: unless you define a label,
+                            this requires the use of the ''any'' partition directive.'
+                          type: string
+                      required:
+                      - device
+                      - filesystem
+                      - label
+                      type: object
+                    type: array
+                  partitions:
+                    description: Partitions specifies the list of the partitions to
+                      setup.
+                    items:
+                      description: Partition defines how to create and layout a partition.
+                      properties:
+                        device:
+                          description: Device is the name of the device.
+                          type: string
+                        layout:
+                          description: Layout specifies the device layout. If it is
+                            true, a single partition will be created for the entire
+                            device. When layout is false, it means don't partition
+                            or ignore existing partitioning.
+                          type: boolean
+                        overwrite:
+                          description: Overwrite describes whether to skip checks
+                            and create the partition if a partition or filesystem
+                            is found on the device. Use with caution. Default is 'false'.
+                          type: boolean
+                        tableType:
+                          description: 'TableType specifies the tupe of partition
+                            table. The following are supported: ''mbr'': default and
+                            setups a MS-DOS partition table ''gpt'': setups a GPT
+                            partition table'
+                          type: string
+                      required:
+                      - device
+                      - layout
+                      type: object
+                    type: array
+                type: object
+              files:
+                description: Files specifies extra files to be passed to user_data
+                  upon creation.
+                items:
+                  description: File defines the input for generating write_files in
+                    cloud-init.
+                  properties:
+                    append:
+                      description: Append specifies whether to append Content to existing
+                        file if Path exists.
+                      type: boolean
+                    content:
+                      description: Content is the actual content of the file.
+                      type: string
+                    contentFrom:
+                      description: ContentFrom is a referenced source of content to
+                        populate the file.
+                      properties:
+                        secret:
+                          description: Secret represents a secret that should populate
+                            this file.
+                          properties:
+                            key:
+                              description: Key is the key in the secret's data map
+                                for this value.
+                              type: string
+                            name:
+                              description: Name of the secret in the KubeadmBootstrapConfig's
+                                namespace to use.
+                              type: string
+                          required:
+                          - key
+                          - name
+                          type: object
+                      required:
+                      - secret
+                      type: object
+                    encoding:
+                      description: Encoding specifies the encoding of the file contents.
+                      enum:
+                      - base64
+                      - gzip
+                      - gzip+base64
+                      type: string
+                    owner:
+                      description: Owner specifies the ownership of the file, e.g.
+                        "root:root".
+                      type: string
+                    path:
+                      description: Path specifies the full path on disk where to store
+                        the file.
+                      type: string
+                    permissions:
+                      description: Permissions specifies the permissions to assign
+                        to the file, e.g. "0640".
+                      type: string
+                  required:
+                  - path
+                  type: object
+                type: array
+              format:
+                description: Format specifies the output format of the bootstrap data
+                enum:
+                - cloud-config
+                - ignition
+                type: string
+              ignition:
+                description: Ignition contains Ignition specific configuration.
+                properties:
+                  containerLinuxConfig:
+                    description: ContainerLinuxConfig contains CLC specific configuration.
+                    properties:
+                      additionalConfig:
+                        description: "AdditionalConfig contains additional configuration
+                          to be merged with the Ignition configuration generated by
+                          the bootstrapper controller. More info: https://coreos.github.io/ignition/operator-notes/#config-merging
+                          \n The data format is documented here: https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/"
+                        type: string
+                      strict:
+                        description: Strict controls if AdditionalConfig should be
+                          strictly parsed. If so, warnings are treated as errors.
+                        type: boolean
+                    type: object
+                type: object
+              initConfiguration:
+                description: InitConfiguration along with ClusterConfiguration are
+                  the configurations necessary for the init command
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  bootstrapTokens:
+                    description: BootstrapTokens is respected at `kubeadm init` time
+                      and describes a set of Bootstrap Tokens to create. This information
+                      IS NOT uploaded to the kubeadm cluster configmap, partly because
+                      of its sensitive nature
+                    items:
+                      description: BootstrapToken describes one bootstrap token, stored
+                        as a Secret in the cluster.
+                      properties:
+                        description:
+                          description: Description sets a human-friendly message why
+                            this token exists and what it's used for, so other administrators
+                            can know its purpose.
+                          type: string
+                        expires:
+                          description: Expires specifies the timestamp when this token
+                            expires. Defaults to being set dynamically at runtime
+                            based on the TTL. Expires and TTL are mutually exclusive.
+                          format: date-time
+                          type: string
+                        groups:
+                          description: Groups specifies the extra groups that this
+                            token will authenticate as when/if used for authentication
+                          items:
+                            type: string
+                          type: array
+                        token:
+                          description: Token is used for establishing bidirectional
+                            trust between nodes and control-planes. Used for joining
+                            nodes in the cluster.
+                          type: string
+                        ttl:
+                          description: TTL defines the time to live for this token.
+                            Defaults to 24h. Expires and TTL are mutually exclusive.
+                          type: string
+                        usages:
+                          description: Usages describes the ways in which this token
+                            can be used. Can by default be used for establishing bidirectional
+                            trust, but that can be changed here.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - token
+                      type: object
+                    type: array
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  localAPIEndpoint:
+                    description: LocalAPIEndpoint represents the endpoint of the API
+                      server instance that's deployed on this control plane node In
+                      HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                      in the sense that ControlPlaneEndpoint is the global endpoint
+                      for the cluster, which then loadbalances the requests to each
+                      individual API server. This configuration object lets you customize
+                      what IP/DNS name and port the local API server advertises it's
+                      accessible on. By default, kubeadm tries to auto-detect the
+                      IP of the default interface and use that, but in case that process
+                      fails you may set the desired value here.
+                    properties:
+                      advertiseAddress:
+                        description: AdvertiseAddress sets the IP address for the
+                          API server to advertise.
+                        type: string
+                      bindPort:
+                        description: BindPort sets the secure port for the API Server
+                          to bind to. Defaults to 6443.
+                        format: int32
+                        type: integer
+                    type: object
+                  nodeRegistration:
+                    description: NodeRegistration holds fields that relate to registering
+                      the new control-plane node to the cluster. When used in the
+                      context of control plane nodes, NodeRegistration should remain
+                      consistent across both InitConfiguration and JoinConfiguration
+                    properties:
+                      criSocket:
+                        description: CRISocket is used to retrieve container runtime
+                          info. This information will be annotated to the Node API
+                          object, for later re-use
+                        type: string
+                      ignorePreflightErrors:
+                        description: IgnorePreflightErrors provides a slice of pre-flight
+                          errors to be ignored when the current node is registered.
+                        items:
+                          type: string
+                        type: array
+                      kubeletExtraArgs:
+                        additionalProperties:
+                          type: string
+                        description: KubeletExtraArgs passes through extra arguments
+                          to the kubelet. The arguments here are passed to the kubelet
+                          command line via the environment file kubeadm writes at
+                          runtime for the kubelet to source. This overrides the generic
+                          base-level configuration in the kubelet-config-1.X ConfigMap
+                          Flags have higher priority when parsing. These values are
+                          local and specific to the node kubeadm is executing on.
+                        type: object
+                      name:
+                        description: Name is the `.Metadata.Name` field of the Node
+                          API object that will be created in this `kubeadm init` or
+                          `kubeadm join` operation. This field is also used in the
+                          CommonName field of the kubelet's client certificate to
+                          the API server. Defaults to the hostname of the node if
+                          not provided.
+                        type: string
+                      taints:
+                        description: 'Taints specifies the taints the Node API object
+                          should be registered with. If this field is unset, i.e.
+                          nil, in the `kubeadm init` process it will be defaulted
+                          to []v1.Taint{''node-role.kubernetes.io/master=""''}. If
+                          you don''t want to taint your control-plane node, set this
+                          field to an empty slice, i.e. `taints: {}` in the YAML file.
+                          This field is solely used for Node registration.'
+                        items:
+                          description: The node this Taint is attached to has the
+                            "effect" on any pod that does not tolerate the Taint.
+                          properties:
+                            effect:
+                              description: Required. The effect of the taint on pods
+                                that do not tolerate the taint. Valid effects are
+                                NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: Required. The taint key to be applied to
+                                a node.
+                              type: string
+                            timeAdded:
+                              description: TimeAdded represents the time at which
+                                the taint was added. It is only written for NoExecute
+                                taints.
+                              format: date-time
+                              type: string
+                            value:
+                              description: The taint value corresponding to the taint
+                                key.
+                              type: string
+                          required:
+                          - effect
+                          - key
+                          type: object
+                        type: array
+                    type: object
+                  patches:
+                    description: Patches contains options related to applying patches
+                      to components deployed by kubeadm during "kubeadm init". The
+                      minimum kubernetes version needed to support Patches is v1.22
+                    properties:
+                      directory:
+                        description: Directory is a path to a directory that contains
+                          files named "target[suffix][+patchtype].extension". For
+                          example, "kube-apiserver0+merge.yaml" or just "etcd.json".
+                          "target" can be one of "kube-apiserver", "kube-controller-manager",
+                          "kube-scheduler", "etcd". "patchtype" can be one of "strategic"
+                          "merge" or "json" and they match the patch formats supported
+                          by kubectl. The default "patchtype" is "strategic". "extension"
+                          must be either "json" or "yaml". "suffix" is an optional
+                          string that can be used to determine which patches are applied
+                          first alpha-numerically. These files can be written into
+                          the target directory via KubeadmConfig.Files which specifies
+                          additional files to be created on the machine, either with
+                          content inline or by referencing a secret.
+                        type: string
+                    type: object
+                  skipPhases:
+                    description: SkipPhases is a list of phases to skip during command
+                      execution. The list of phases can be obtained with the "kubeadm
+                      init --help" command. This option takes effect only on Kubernetes
+                      >=1.22.0.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              joinConfiguration:
+                description: JoinConfiguration is the kubeadm configuration for the
+                  join command
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  caCertPath:
+                    description: 'CACertPath is the path to the SSL certificate authority
+                      used to secure comunications between node and control-plane.
+                      Defaults to "/etc/kubernetes/pki/ca.crt". TODO: revisit when
+                      there is defaulting from k/k'
+                    type: string
+                  controlPlane:
+                    description: ControlPlane defines the additional control plane
+                      instance to be deployed on the joining node. If nil, no additional
+                      control plane instance will be deployed.
+                    properties:
+                      localAPIEndpoint:
+                        description: LocalAPIEndpoint represents the endpoint of the
+                          API server instance to be deployed on this node.
+                        properties:
+                          advertiseAddress:
+                            description: AdvertiseAddress sets the IP address for
+                              the API server to advertise.
+                            type: string
+                          bindPort:
+                            description: BindPort sets the secure port for the API
+                              Server to bind to. Defaults to 6443.
+                            format: int32
+                            type: integer
+                        type: object
+                    type: object
+                  discovery:
+                    description: 'Discovery specifies the options for the kubelet
+                      to use during the TLS Bootstrap process TODO: revisit when there
+                      is defaulting from k/k'
+                    properties:
+                      bootstrapToken:
+                        description: BootstrapToken is used to set the options for
+                          bootstrap token based discovery BootstrapToken and File
+                          are mutually exclusive
+                        properties:
+                          apiServerEndpoint:
+                            description: APIServerEndpoint is an IP or domain name
+                              to the API server from which info will be fetched.
+                            type: string
+                          caCertHashes:
+                            description: 'CACertHashes specifies a set of public key
+                              pins to verify when token-based discovery is used. The
+                              root CA found during discovery must match one of these
+                              values. Specifying an empty set disables root CA pinning,
+                              which can be unsafe. Each hash is specified as "<type>:<value>",
+                              where the only currently supported type is "sha256".
+                              This is a hex-encoded SHA-256 hash of the Subject Public
+                              Key Info (SPKI) object in DER-encoded ASN.1. These hashes
+                              can be calculated using, for example, OpenSSL: openssl
+                              x509 -pubkey -in ca.crt openssl rsa -pubin -outform
+                              der 2>&/dev/null | openssl dgst -sha256 -hex'
+                            items:
+                              type: string
+                            type: array
+                          token:
+                            description: Token is a token used to validate cluster
+                              information fetched from the control-plane.
+                            type: string
+                          unsafeSkipCAVerification:
+                            description: UnsafeSkipCAVerification allows token-based
+                              discovery without CA verification via CACertHashes.
+                              This can weaken the security of kubeadm since other
+                              nodes can impersonate the control-plane.
+                            type: boolean
+                        required:
+                        - token
+                        type: object
+                      file:
+                        description: File is used to specify a file or URL to a kubeconfig
+                          file from which to load cluster information BootstrapToken
+                          and File are mutually exclusive
+                        properties:
+                          kubeConfigPath:
+                            description: KubeConfigPath is used to specify the actual
+                              file path or URL to the kubeconfig file from which to
+                              load cluster information
+                            type: string
+                        required:
+                        - kubeConfigPath
+                        type: object
+                      timeout:
+                        description: Timeout modifies the discovery timeout
+                        type: string
+                      tlsBootstrapToken:
+                        description: TLSBootstrapToken is a token used for TLS bootstrapping.
+                          If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token,
+                          but can be overridden. If .File is set, this field **must
+                          be set** in case the KubeConfigFile does not contain any
+                          other authentication information
+                        type: string
+                    type: object
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  nodeRegistration:
+                    description: NodeRegistration holds fields that relate to registering
+                      the new control-plane node to the cluster. When used in the
+                      context of control plane nodes, NodeRegistration should remain
+                      consistent across both InitConfiguration and JoinConfiguration
+                    properties:
+                      criSocket:
+                        description: CRISocket is used to retrieve container runtime
+                          info. This information will be annotated to the Node API
+                          object, for later re-use
+                        type: string
+                      ignorePreflightErrors:
+                        description: IgnorePreflightErrors provides a slice of pre-flight
+                          errors to be ignored when the current node is registered.
+                        items:
+                          type: string
+                        type: array
+                      kubeletExtraArgs:
+                        additionalProperties:
+                          type: string
+                        description: KubeletExtraArgs passes through extra arguments
+                          to the kubelet. The arguments here are passed to the kubelet
+                          command line via the environment file kubeadm writes at
+                          runtime for the kubelet to source. This overrides the generic
+                          base-level configuration in the kubelet-config-1.X ConfigMap
+                          Flags have higher priority when parsing. These values are
+                          local and specific to the node kubeadm is executing on.
+                        type: object
+                      name:
+                        description: Name is the `.Metadata.Name` field of the Node
+                          API object that will be created in this `kubeadm init` or
+                          `kubeadm join` operation. This field is also used in the
+                          CommonName field of the kubelet's client certificate to
+                          the API server. Defaults to the hostname of the node if
+                          not provided.
+                        type: string
+                      taints:
+                        description: 'Taints specifies the taints the Node API object
+                          should be registered with. If this field is unset, i.e.
+                          nil, in the `kubeadm init` process it will be defaulted
+                          to []v1.Taint{''node-role.kubernetes.io/master=""''}. If
+                          you don''t want to taint your control-plane node, set this
+                          field to an empty slice, i.e. `taints: {}` in the YAML file.
+                          This field is solely used for Node registration.'
+                        items:
+                          description: The node this Taint is attached to has the
+                            "effect" on any pod that does not tolerate the Taint.
+                          properties:
+                            effect:
+                              description: Required. The effect of the taint on pods
+                                that do not tolerate the taint. Valid effects are
+                                NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: Required. The taint key to be applied to
+                                a node.
+                              type: string
+                            timeAdded:
+                              description: TimeAdded represents the time at which
+                                the taint was added. It is only written for NoExecute
+                                taints.
+                              format: date-time
+                              type: string
+                            value:
+                              description: The taint value corresponding to the taint
+                                key.
+                              type: string
+                          required:
+                          - effect
+                          - key
+                          type: object
+                        type: array
+                    type: object
+                  patches:
+                    description: Patches contains options related to applying patches
+                      to components deployed by kubeadm during "kubeadm join". The
+                      minimum kubernetes version needed to support Patches is v1.22
+                    properties:
+                      directory:
+                        description: Directory is a path to a directory that contains
+                          files named "target[suffix][+patchtype].extension". For
+                          example, "kube-apiserver0+merge.yaml" or just "etcd.json".
+                          "target" can be one of "kube-apiserver", "kube-controller-manager",
+                          "kube-scheduler", "etcd". "patchtype" can be one of "strategic"
+                          "merge" or "json" and they match the patch formats supported
+                          by kubectl. The default "patchtype" is "strategic". "extension"
+                          must be either "json" or "yaml". "suffix" is an optional
+                          string that can be used to determine which patches are applied
+                          first alpha-numerically. These files can be written into
+                          the target directory via KubeadmConfig.Files which specifies
+                          additional files to be created on the machine, either with
+                          content inline or by referencing a secret.
+                        type: string
+                    type: object
+                  skipPhases:
+                    description: SkipPhases is a list of phases to skip during command
+                      execution. The list of phases can be obtained with the "kubeadm
+                      init --help" command. This option takes effect only on Kubernetes
+                      >=1.22.0.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              mounts:
+                description: Mounts specifies a list of mount points to be setup.
+                items:
+                  description: MountPoints defines input for generated mounts in cloud-init.
+                  items:
+                    type: string
+                  type: array
+                type: array
+              ntp:
+                description: NTP specifies NTP configuration
+                properties:
+                  enabled:
+                    description: Enabled specifies whether NTP should be enabled
+                    type: boolean
+                  servers:
+                    description: Servers specifies which NTP servers to use
+                    items:
+                      type: string
+                    type: array
+                type: object
+              postKubeadmCommands:
+                description: PostKubeadmCommands specifies extra commands to run after
+                  kubeadm runs
+                items:
+                  type: string
+                type: array
+              preKubeadmCommands:
+                description: PreKubeadmCommands specifies extra commands to run before
+                  kubeadm runs
+                items:
+                  type: string
+                type: array
+              useExperimentalRetryJoin:
+                description: "UseExperimentalRetryJoin replaces a basic kubeadm command
+                  with a shell script with retries for joins. \n This is meant to
+                  be an experimental temporary workaround on some environments where
+                  joins fail due to timing (and other issues). The long term goal
+                  is to add retries to kubeadm proper and use that functionality.
+                  \n This will add about 40KB to userdata \n For more information,
+                  refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                type: boolean
+              users:
+                description: Users specifies extra users to add
+                items:
+                  description: User defines the input for a generated user in cloud-init.
+                  properties:
+                    gecos:
+                      description: Gecos specifies the gecos to use for the user
+                      type: string
+                    groups:
+                      description: Groups specifies the additional groups for the
+                        user
+                      type: string
+                    homeDir:
+                      description: HomeDir specifies the home directory to use for
+                        the user
+                      type: string
+                    inactive:
+                      description: Inactive specifies whether to mark the user as
+                        inactive
+                      type: boolean
+                    lockPassword:
+                      description: LockPassword specifies if password login should
+                        be disabled
+                      type: boolean
+                    name:
+                      description: Name specifies the user name
+                      type: string
+                    passwd:
+                      description: Passwd specifies a hashed password for the user
+                      type: string
+                    passwdFrom:
+                      description: PasswdFrom is a referenced source of passwd to
+                        populate the passwd.
+                      properties:
+                        secret:
+                          description: Secret represents a secret that should populate
+                            this password.
+                          properties:
+                            key:
+                              description: Key is the key in the secret's data map
+                                for this value.
+                              type: string
+                            name:
+                              description: Name of the secret in the KubeadmBootstrapConfig's
+                                namespace to use.
+                              type: string
+                          required:
+                          - key
+                          - name
+                          type: object
+                      required:
+                      - secret
+                      type: object
+                    primaryGroup:
+                      description: PrimaryGroup specifies the primary group for the
+                        user
+                      type: string
+                    shell:
+                      description: Shell specifies the user's shell
+                      type: string
+                    sshAuthorizedKeys:
+                      description: SSHAuthorizedKeys specifies a list of ssh authorized
+                        keys for the user
+                      items:
+                        type: string
+                      type: array
+                    sudo:
+                      description: Sudo specifies a sudo role for the user
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
+              verbosity:
+                description: Verbosity is the number for the kubeadm log level verbosity.
+                  It overrides the `--v` flag in kubeadm commands.
+                format: int32
+                type: integer
+            type: object
+          status:
+            description: KubeadmConfigStatus defines the observed state of KubeadmConfig.
+            properties:
+              conditions:
+                description: Conditions defines current service state of the KubeadmConfig.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              dataSecretName:
+                description: DataSecretName is the name of the secret that stores
+                  the bootstrap data script.
+                type: string
+              failureMessage:
+                description: FailureMessage will be set on non-retryable errors
+                type: string
+              failureReason:
+                description: FailureReason will be set on non-retryable errors
+                type: string
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              ready:
+                description: Ready indicates the BootstrapData field is ready to be
+                  consumed
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-bootstrap-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+    cluster.x-k8s.io/v1alpha3: v1alpha3
+    cluster.x-k8s.io/v1alpha4: v1alpha4
+    cluster.x-k8s.io/v1beta1: v1beta1
+  name: kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-kubeadm-bootstrap-webhook-service
+          namespace: capi-webhook-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: bootstrap.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: KubeadmConfigTemplate
+    listKind: KubeadmConfigTemplateList
+    plural: kubeadmconfigtemplates
+    singular: kubeadmconfigtemplate
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: KubeadmConfigTemplate is the Schema for the kubeadmconfigtemplates
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmConfigTemplateSpec defines the desired state of KubeadmConfigTemplate.
+            properties:
+              template:
+                description: KubeadmConfigTemplateResource defines the Template structure.
+                properties:
+                  spec:
+                    description: KubeadmConfigSpec defines the desired state of KubeadmConfig.
+                      Either ClusterConfiguration and InitConfiguration should be
+                      defined or the JoinConfiguration should be defined.
+                    properties:
+                      clusterConfiguration:
+                        description: ClusterConfiguration along with InitConfiguration
+                          are the configurations necessary for the init command
+                        properties:
+                          apiServer:
+                            description: APIServer contains extra settings for the
+                              API server control plane component
+                            properties:
+                              certSANs:
+                                description: CertSANs sets extra Subject Alternative
+                                  Names for the API Server signing cert.
+                                items:
+                                  type: string
+                                type: array
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                              timeoutForControlPlane:
+                                description: TimeoutForControlPlane controls the timeout
+                                  that we use for API server to appear
+                                type: string
+                            type: object
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          certificatesDir:
+                            description: 'CertificatesDir specifies where to store
+                              or look for all required certificates. NB: if not provided,
+                              this will default to `/etc/kubernetes/pki`'
+                            type: string
+                          clusterName:
+                            description: The cluster name
+                            type: string
+                          controlPlaneEndpoint:
+                            description: 'ControlPlaneEndpoint sets a stable IP address
+                              or DNS name for the control plane; it can be a valid
+                              IP address or a RFC-1123 DNS subdomain, both with optional
+                              TCP port. In case the ControlPlaneEndpoint is not specified,
+                              the AdvertiseAddress + BindPort are used; in case the
+                              ControlPlaneEndpoint is specified but without a TCP
+                              port, the BindPort is used. Possible usages are: e.g.
+                              In a cluster with more than one control plane instances,
+                              this field should be assigned the address of the external
+                              load balancer in front of the control plane instances.
+                              e.g.  in environments with enforced node recycling,
+                              the ControlPlaneEndpoint could be used for assigning
+                              a stable DNS to the control plane. NB: This value defaults
+                              to the first value in the Cluster object status.apiEndpoints
+                              array.'
+                            type: string
+                          controllerManager:
+                            description: ControllerManager contains extra settings
+                              for the controller manager control plane component
+                            properties:
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                            type: object
+                          dns:
+                            description: DNS defines the options for the DNS add-on
+                              installed in the cluster.
+                            properties:
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. if not set, the ImageRepository
+                                  defined in ClusterConfiguration will be used instead.
+                                type: string
+                              imageTag:
+                                description: ImageTag allows to specify a tag for
+                                  the image. In case this value is set, kubeadm does
+                                  not change automatically the version of the above
+                                  components during upgrades.
+                                type: string
+                              type:
+                                description: Type defines the DNS add-on to be used
+                                type: string
+                            type: object
+                          etcd:
+                            description: 'Etcd holds configuration for etcd. NB: This
+                              value defaults to a Local (stacked) etcd'
+                            properties:
+                              external:
+                                description: External describes how to connect to
+                                  an external etcd cluster Local and External are
+                                  mutually exclusive
+                                properties:
+                                  caFile:
+                                    description: CAFile is an SSL Certificate Authority
+                                      file used to secure etcd communication. Required
+                                      if using a TLS connection.
+                                    type: string
+                                  certFile:
+                                    description: CertFile is an SSL certification
+                                      file used to secure etcd communication. Required
+                                      if using a TLS connection.
+                                    type: string
+                                  endpoints:
+                                    description: Endpoints of etcd members. Required
+                                      for ExternalEtcd.
+                                    items:
+                                      type: string
+                                    type: array
+                                  keyFile:
+                                    description: KeyFile is an SSL key file used to
+                                      secure etcd communication. Required if using
+                                      a TLS connection.
+                                    type: string
+                                required:
+                                - caFile
+                                - certFile
+                                - endpoints
+                                - keyFile
+                                type: object
+                              local:
+                                description: Local provides configuration knobs for
+                                  configuring the local etcd instance Local and External
+                                  are mutually exclusive
+                                properties:
+                                  dataDir:
+                                    description: DataDir is the directory etcd will
+                                      place its data. Defaults to "/var/lib/etcd".
+                                    type: string
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: ExtraArgs are extra arguments provided
+                                      to the etcd binary when run inside a static
+                                      pod.
+                                    type: object
+                                  imageRepository:
+                                    description: ImageRepository sets the container
+                                      registry to pull images from. if not set, the
+                                      ImageRepository defined in ClusterConfiguration
+                                      will be used instead.
+                                    type: string
+                                  imageTag:
+                                    description: ImageTag allows to specify a tag
+                                      for the image. In case this value is set, kubeadm
+                                      does not change automatically the version of
+                                      the above components during upgrades.
+                                    type: string
+                                  peerCertSANs:
+                                    description: PeerCertSANs sets extra Subject Alternative
+                                      Names for the etcd peer signing cert.
+                                    items:
+                                      type: string
+                                    type: array
+                                  serverCertSANs:
+                                    description: ServerCertSANs sets extra Subject
+                                      Alternative Names for the etcd server signing
+                                      cert.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          featureGates:
+                            additionalProperties:
+                              type: boolean
+                            description: FeatureGates enabled by the user.
+                            type: object
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. If empty, `k8s.gcr.io` will be
+                              used by default; in case of kubernetes version is a
+                              CI build (kubernetes version starts with `ci/` or `ci-cross/`)
+                              `gcr.io/k8s-staging-ci-images` will be used as a default
+                              for control plane components and for kube-proxy, while
+                              `k8s.gcr.io` will be used for all the other images.
+                            type: string
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          kubernetesVersion:
+                            description: 'KubernetesVersion is the target version
+                              of the control plane. NB: This value defaults to the
+                              Machine object spec.version'
+                            type: string
+                          networking:
+                            description: 'Networking holds configuration for the networking
+                              topology of the cluster. NB: This value defaults to
+                              the Cluster object spec.clusterNetwork.'
+                            properties:
+                              dnsDomain:
+                                description: DNSDomain is the dns domain used by k8s
+                                  services. Defaults to "cluster.local".
+                                type: string
+                              podSubnet:
+                                description: PodSubnet is the subnet used by pods.
+                                  If unset, the API server will not allocate CIDR
+                                  ranges for every node. Defaults to a comma-delimited
+                                  string of the Cluster object's spec.clusterNetwork.services.cidrBlocks
+                                  if that is set
+                                type: string
+                              serviceSubnet:
+                                description: ServiceSubnet is the subnet used by k8s
+                                  services. Defaults to a comma-delimited string of
+                                  the Cluster object's spec.clusterNetwork.pods.cidrBlocks,
+                                  or to "10.96.0.0/12" if that's unset.
+                                type: string
+                            type: object
+                          scheduler:
+                            description: Scheduler contains extra settings for the
+                              scheduler control plane component
+                            properties:
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                            type: object
+                          useHyperKubeImage:
+                            description: UseHyperKubeImage controls if hyperkube should
+                              be used for Kubernetes components instead of their respective
+                              separate images
+                            type: boolean
+                        type: object
+                      diskSetup:
+                        description: DiskSetup specifies options for the creation
+                          of partition tables and file systems on devices.
+                        properties:
+                          filesystems:
+                            description: Filesystems specifies the list of file systems
+                              to setup.
+                            items:
+                              description: Filesystem defines the file systems to
+                                be created.
+                              properties:
+                                device:
+                                  description: Device specifies the device name
+                                  type: string
+                                extraOpts:
+                                  description: ExtraOpts defined extra options to
+                                    add to the command for creating the file system.
+                                  items:
+                                    type: string
+                                  type: array
+                                filesystem:
+                                  description: Filesystem specifies the file system
+                                    type.
+                                  type: string
+                                label:
+                                  description: Label specifies the file system label
+                                    to be used. If set to None, no label is used.
+                                  type: string
+                                overwrite:
+                                  description: Overwrite defines whether or not to
+                                    overwrite any existing filesystem. If true, any
+                                    pre-existing file system will be destroyed. Use
+                                    with Caution.
+                                  type: boolean
+                                partition:
+                                  description: 'Partition specifies the partition
+                                    to use. The valid options are: "auto|any", "auto",
+                                    "any", "none", and <NUM>, where NUM is the actual
+                                    partition number.'
+                                  type: string
+                                replaceFS:
+                                  description: 'ReplaceFS is a special directive,
+                                    used for Microsoft Azure that instructs cloud-init
+                                    to replace a file system of <FS_TYPE>. NOTE: unless
+                                    you define a label, this requires the use of the
+                                    ''any'' partition directive.'
+                                  type: string
+                              required:
+                              - device
+                              - filesystem
+                              - label
+                              type: object
+                            type: array
+                          partitions:
+                            description: Partitions specifies the list of the partitions
+                              to setup.
+                            items:
+                              description: Partition defines how to create and layout
+                                a partition.
+                              properties:
+                                device:
+                                  description: Device is the name of the device.
+                                  type: string
+                                layout:
+                                  description: Layout specifies the device layout.
+                                    If it is true, a single partition will be created
+                                    for the entire device. When layout is false, it
+                                    means don't partition or ignore existing partitioning.
+                                  type: boolean
+                                overwrite:
+                                  description: Overwrite describes whether to skip
+                                    checks and create the partition if a partition
+                                    or filesystem is found on the device. Use with
+                                    caution. Default is 'false'.
+                                  type: boolean
+                                tableType:
+                                  description: 'TableType specifies the tupe of partition
+                                    table. The following are supported: ''mbr'': default
+                                    and setups a MS-DOS partition table ''gpt'': setups
+                                    a GPT partition table'
+                                  type: string
+                              required:
+                              - device
+                              - layout
+                              type: object
+                            type: array
+                        type: object
+                      files:
+                        description: Files specifies extra files to be passed to user_data
+                          upon creation.
+                        items:
+                          description: File defines the input for generating write_files
+                            in cloud-init.
+                          properties:
+                            content:
+                              description: Content is the actual content of the file.
+                              type: string
+                            contentFrom:
+                              description: ContentFrom is a referenced source of content
+                                to populate the file.
+                              properties:
+                                secret:
+                                  description: Secret represents a secret that should
+                                    populate this file.
+                                  properties:
+                                    key:
+                                      description: Key is the key in the secret's
+                                        data map for this value.
+                                      type: string
+                                    name:
+                                      description: Name of the secret in the KubeadmBootstrapConfig's
+                                        namespace to use.
+                                      type: string
+                                  required:
+                                  - key
+                                  - name
+                                  type: object
+                              required:
+                              - secret
+                              type: object
+                            encoding:
+                              description: Encoding specifies the encoding of the
+                                file contents.
+                              enum:
+                              - base64
+                              - gzip
+                              - gzip+base64
+                              type: string
+                            owner:
+                              description: Owner specifies the ownership of the file,
+                                e.g. "root:root".
+                              type: string
+                            path:
+                              description: Path specifies the full path on disk where
+                                to store the file.
+                              type: string
+                            permissions:
+                              description: Permissions specifies the permissions to
+                                assign to the file, e.g. "0640".
+                              type: string
+                          required:
+                          - path
+                          type: object
+                        type: array
+                      format:
+                        description: Format specifies the output format of the bootstrap
+                          data
+                        enum:
+                        - cloud-config
+                        type: string
+                      initConfiguration:
+                        description: InitConfiguration along with ClusterConfiguration
+                          are the configurations necessary for the init command
+                        properties:
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          bootstrapTokens:
+                            description: BootstrapTokens is respected at `kubeadm
+                              init` time and describes a set of Bootstrap Tokens to
+                              create. This information IS NOT uploaded to the kubeadm
+                              cluster configmap, partly because of its sensitive nature
+                            items:
+                              description: BootstrapToken describes one bootstrap
+                                token, stored as a Secret in the cluster.
+                              properties:
+                                description:
+                                  description: Description sets a human-friendly message
+                                    why this token exists and what it's used for,
+                                    so other administrators can know its purpose.
+                                  type: string
+                                expires:
+                                  description: Expires specifies the timestamp when
+                                    this token expires. Defaults to being set dynamically
+                                    at runtime based on the TTL. Expires and TTL are
+                                    mutually exclusive.
+                                  format: date-time
+                                  type: string
+                                groups:
+                                  description: Groups specifies the extra groups that
+                                    this token will authenticate as when/if used for
+                                    authentication
+                                  items:
+                                    type: string
+                                  type: array
+                                token:
+                                  description: Token is used for establishing bidirectional
+                                    trust between nodes and control-planes. Used for
+                                    joining nodes in the cluster.
+                                  type: string
+                                ttl:
+                                  description: TTL defines the time to live for this
+                                    token. Defaults to 24h. Expires and TTL are mutually
+                                    exclusive.
+                                  type: string
+                                usages:
+                                  description: Usages describes the ways in which
+                                    this token can be used. Can by default be used
+                                    for establishing bidirectional trust, but that
+                                    can be changed here.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - token
+                              type: object
+                            type: array
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          localAPIEndpoint:
+                            description: LocalAPIEndpoint represents the endpoint
+                              of the API server instance that's deployed on this control
+                              plane node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                              in the sense that ControlPlaneEndpoint is the global
+                              endpoint for the cluster, which then loadbalances the
+                              requests to each individual API server. This configuration
+                              object lets you customize what IP/DNS name and port
+                              the local API server advertises it's accessible on.
+                              By default, kubeadm tries to auto-detect the IP of the
+                              default interface and use that, but in case that process
+                              fails you may set the desired value here.
+                            properties:
+                              advertiseAddress:
+                                description: AdvertiseAddress sets the IP address
+                                  for the API server to advertise.
+                                type: string
+                              bindPort:
+                                description: BindPort sets the secure port for the
+                                  API Server to bind to. Defaults to 6443.
+                                format: int32
+                                type: integer
+                            required:
+                            - advertiseAddress
+                            - bindPort
+                            type: object
+                          nodeRegistration:
+                            description: NodeRegistration holds fields that relate
+                              to registering the new control-plane node to the cluster.
+                              When used in the context of control plane nodes, NodeRegistration
+                              should remain consistent across both InitConfiguration
+                              and JoinConfiguration
+                            properties:
+                              criSocket:
+                                description: CRISocket is used to retrieve container
+                                  runtime info. This information will be annotated
+                                  to the Node API object, for later re-use
+                                type: string
+                              kubeletExtraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: KubeletExtraArgs passes through extra
+                                  arguments to the kubelet. The arguments here are
+                                  passed to the kubelet command line via the environment
+                                  file kubeadm writes at runtime for the kubelet to
+                                  source. This overrides the generic base-level configuration
+                                  in the kubelet-config-1.X ConfigMap Flags have higher
+                                  priority when parsing. These values are local and
+                                  specific to the node kubeadm is executing on.
+                                type: object
+                              name:
+                                description: Name is the `.Metadata.Name` field of
+                                  the Node API object that will be created in this
+                                  `kubeadm init` or `kubeadm join` operation. This
+                                  field is also used in the CommonName field of the
+                                  kubelet's client certificate to the API server.
+                                  Defaults to the hostname of the node if not provided.
+                                type: string
+                              taints:
+                                description: 'Taints specifies the taints the Node
+                                  API object should be registered with. If this field
+                                  is unset, i.e. nil, in the `kubeadm init` process
+                                  it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                  If you don''t want to taint your control-plane node,
+                                  set this field to an empty slice, i.e. `taints:
+                                  {}` in the YAML file. This field is solely used
+                                  for Node registration.'
+                                items:
+                                  description: The node this Taint is attached to
+                                    has the "effect" on any pod that does not tolerate
+                                    the Taint.
+                                  properties:
+                                    effect:
+                                      description: Required. The effect of the taint
+                                        on pods that do not tolerate the taint. Valid
+                                        effects are NoSchedule, PreferNoSchedule and
+                                        NoExecute.
+                                      type: string
+                                    key:
+                                      description: Required. The taint key to be applied
+                                        to a node.
+                                      type: string
+                                    timeAdded:
+                                      description: TimeAdded represents the time at
+                                        which the taint was added. It is only written
+                                        for NoExecute taints.
+                                      format: date-time
+                                      type: string
+                                    value:
+                                      description: The taint value corresponding to
+                                        the taint key.
+                                      type: string
+                                  required:
+                                  - effect
+                                  - key
+                                  type: object
+                                type: array
+                            type: object
+                        type: object
+                      joinConfiguration:
+                        description: JoinConfiguration is the kubeadm configuration
+                          for the join command
+                        properties:
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          caCertPath:
+                            description: 'CACertPath is the path to the SSL certificate
+                              authority used to secure comunications between node
+                              and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                              TODO: revisit when there is defaulting from k/k'
+                            type: string
+                          controlPlane:
+                            description: ControlPlane defines the additional control
+                              plane instance to be deployed on the joining node. If
+                              nil, no additional control plane instance will be deployed.
+                            properties:
+                              localAPIEndpoint:
+                                description: LocalAPIEndpoint represents the endpoint
+                                  of the API server instance to be deployed on this
+                                  node.
+                                properties:
+                                  advertiseAddress:
+                                    description: AdvertiseAddress sets the IP address
+                                      for the API server to advertise.
+                                    type: string
+                                  bindPort:
+                                    description: BindPort sets the secure port for
+                                      the API Server to bind to. Defaults to 6443.
+                                    format: int32
+                                    type: integer
+                                required:
+                                - advertiseAddress
+                                - bindPort
+                                type: object
+                            type: object
+                          discovery:
+                            description: 'Discovery specifies the options for the
+                              kubelet to use during the TLS Bootstrap process TODO:
+                              revisit when there is defaulting from k/k'
+                            properties:
+                              bootstrapToken:
+                                description: BootstrapToken is used to set the options
+                                  for bootstrap token based discovery BootstrapToken
+                                  and File are mutually exclusive
+                                properties:
+                                  apiServerEndpoint:
+                                    description: APIServerEndpoint is an IP or domain
+                                      name to the API server from which info will
+                                      be fetched.
+                                    type: string
+                                  caCertHashes:
+                                    description: 'CACertHashes specifies a set of
+                                      public key pins to verify when token-based discovery
+                                      is used. The root CA found during discovery
+                                      must match one of these values. Specifying an
+                                      empty set disables root CA pinning, which can
+                                      be unsafe. Each hash is specified as "<type>:<value>",
+                                      where the only currently supported type is "sha256".
+                                      This is a hex-encoded SHA-256 hash of the Subject
+                                      Public Key Info (SPKI) object in DER-encoded
+                                      ASN.1. These hashes can be calculated using,
+                                      for example, OpenSSL: openssl x509 -pubkey -in
+                                      ca.crt openssl rsa -pubin -outform der 2>&/dev/null
+                                      | openssl dgst -sha256 -hex'
+                                    items:
+                                      type: string
+                                    type: array
+                                  token:
+                                    description: Token is a token used to validate
+                                      cluster information fetched from the control-plane.
+                                    type: string
+                                  unsafeSkipCAVerification:
+                                    description: UnsafeSkipCAVerification allows token-based
+                                      discovery without CA verification via CACertHashes.
+                                      This can weaken the security of kubeadm since
+                                      other nodes can impersonate the control-plane.
+                                    type: boolean
+                                required:
+                                - token
+                                - unsafeSkipCAVerification
+                                type: object
+                              file:
+                                description: File is used to specify a file or URL
+                                  to a kubeconfig file from which to load cluster
+                                  information BootstrapToken and File are mutually
+                                  exclusive
+                                properties:
+                                  kubeConfigPath:
+                                    description: KubeConfigPath is used to specify
+                                      the actual file path or URL to the kubeconfig
+                                      file from which to load cluster information
+                                    type: string
+                                required:
+                                - kubeConfigPath
+                                type: object
+                              timeout:
+                                description: Timeout modifies the discovery timeout
+                                type: string
+                              tlsBootstrapToken:
+                                description: 'TLSBootstrapToken is a token used for
+                                  TLS bootstrapping. If .BootstrapToken is set, this
+                                  field is defaulted to .BootstrapToken.Token, but
+                                  can be overridden. If .File is set, this field **must
+                                  be set** in case the KubeConfigFile does not contain
+                                  any other authentication information TODO: revisit
+                                  when there is defaulting from k/k'
+                                type: string
+                            type: object
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          nodeRegistration:
+                            description: NodeRegistration holds fields that relate
+                              to registering the new control-plane node to the cluster.
+                              When used in the context of control plane nodes, NodeRegistration
+                              should remain consistent across both InitConfiguration
+                              and JoinConfiguration
+                            properties:
+                              criSocket:
+                                description: CRISocket is used to retrieve container
+                                  runtime info. This information will be annotated
+                                  to the Node API object, for later re-use
+                                type: string
+                              kubeletExtraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: KubeletExtraArgs passes through extra
+                                  arguments to the kubelet. The arguments here are
+                                  passed to the kubelet command line via the environment
+                                  file kubeadm writes at runtime for the kubelet to
+                                  source. This overrides the generic base-level configuration
+                                  in the kubelet-config-1.X ConfigMap Flags have higher
+                                  priority when parsing. These values are local and
+                                  specific to the node kubeadm is executing on.
+                                type: object
+                              name:
+                                description: Name is the `.Metadata.Name` field of
+                                  the Node API object that will be created in this
+                                  `kubeadm init` or `kubeadm join` operation. This
+                                  field is also used in the CommonName field of the
+                                  kubelet's client certificate to the API server.
+                                  Defaults to the hostname of the node if not provided.
+                                type: string
+                              taints:
+                                description: 'Taints specifies the taints the Node
+                                  API object should be registered with. If this field
+                                  is unset, i.e. nil, in the `kubeadm init` process
+                                  it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                  If you don''t want to taint your control-plane node,
+                                  set this field to an empty slice, i.e. `taints:
+                                  {}` in the YAML file. This field is solely used
+                                  for Node registration.'
+                                items:
+                                  description: The node this Taint is attached to
+                                    has the "effect" on any pod that does not tolerate
+                                    the Taint.
+                                  properties:
+                                    effect:
+                                      description: Required. The effect of the taint
+                                        on pods that do not tolerate the taint. Valid
+                                        effects are NoSchedule, PreferNoSchedule and
+                                        NoExecute.
+                                      type: string
+                                    key:
+                                      description: Required. The taint key to be applied
+                                        to a node.
+                                      type: string
+                                    timeAdded:
+                                      description: TimeAdded represents the time at
+                                        which the taint was added. It is only written
+                                        for NoExecute taints.
+                                      format: date-time
+                                      type: string
+                                    value:
+                                      description: The taint value corresponding to
+                                        the taint key.
+                                      type: string
+                                  required:
+                                  - effect
+                                  - key
+                                  type: object
+                                type: array
+                            type: object
+                        type: object
+                      mounts:
+                        description: Mounts specifies a list of mount points to be
+                          setup.
+                        items:
+                          description: MountPoints defines input for generated mounts
+                            in cloud-init.
+                          items:
+                            type: string
+                          type: array
+                        type: array
+                      ntp:
+                        description: NTP specifies NTP configuration
+                        properties:
+                          enabled:
+                            description: Enabled specifies whether NTP should be enabled
+                            type: boolean
+                          servers:
+                            description: Servers specifies which NTP servers to use
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      postKubeadmCommands:
+                        description: PostKubeadmCommands specifies extra commands
+                          to run after kubeadm runs
+                        items:
+                          type: string
+                        type: array
+                      preKubeadmCommands:
+                        description: PreKubeadmCommands specifies extra commands to
+                          run before kubeadm runs
+                        items:
+                          type: string
+                        type: array
+                      useExperimentalRetryJoin:
+                        description: "UseExperimentalRetryJoin replaces a basic kubeadm
+                          command with a shell script with retries for joins. \n This
+                          is meant to be an experimental temporary workaround on some
+                          environments where joins fail due to timing (and other issues).
+                          The long term goal is to add retries to kubeadm proper and
+                          use that functionality. \n This will add about 40KB to userdata
+                          \n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                        type: boolean
+                      users:
+                        description: Users specifies extra users to add
+                        items:
+                          description: User defines the input for a generated user
+                            in cloud-init.
+                          properties:
+                            gecos:
+                              description: Gecos specifies the gecos to use for the
+                                user
+                              type: string
+                            groups:
+                              description: Groups specifies the additional groups
+                                for the user
+                              type: string
+                            homeDir:
+                              description: HomeDir specifies the home directory to
+                                use for the user
+                              type: string
+                            inactive:
+                              description: Inactive specifies whether to mark the
+                                user as inactive
+                              type: boolean
+                            lockPassword:
+                              description: LockPassword specifies if password login
+                                should be disabled
+                              type: boolean
+                            name:
+                              description: Name specifies the user name
+                              type: string
+                            passwd:
+                              description: Passwd specifies a hashed password for
+                                the user
+                              type: string
+                            primaryGroup:
+                              description: PrimaryGroup specifies the primary group
+                                for the user
+                              type: string
+                            shell:
+                              description: Shell specifies the user's shell
+                              type: string
+                            sshAuthorizedKeys:
+                              description: SSHAuthorizedKeys specifies a list of ssh
+                                authorized keys for the user
+                              items:
+                                type: string
+                              type: array
+                            sudo:
+                              description: Sudo specifies a sudo role for the user
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      verbosity:
+                        description: Verbosity is the number for the kubeadm log level
+                          verbosity. It overrides the `--v` flag in kubeadm commands.
+                        format: int32
+                        type: integer
+                    type: object
+                type: object
+            required:
+            - template
+            type: object
+        type: object
+    served: true
+    storage: false
+  - additionalPrinterColumns:
+    - description: Time duration since creation of KubeadmConfigTemplate
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: KubeadmConfigTemplate is the Schema for the kubeadmconfigtemplates
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmConfigTemplateSpec defines the desired state of KubeadmConfigTemplate.
+            properties:
+              template:
+                description: KubeadmConfigTemplateResource defines the Template structure.
+                properties:
+                  spec:
+                    description: KubeadmConfigSpec defines the desired state of KubeadmConfig.
+                      Either ClusterConfiguration and InitConfiguration should be
+                      defined or the JoinConfiguration should be defined.
+                    properties:
+                      clusterConfiguration:
+                        description: ClusterConfiguration along with InitConfiguration
+                          are the configurations necessary for the init command
+                        properties:
+                          apiServer:
+                            description: APIServer contains extra settings for the
+                              API server control plane component
+                            properties:
+                              certSANs:
+                                description: CertSANs sets extra Subject Alternative
+                                  Names for the API Server signing cert.
+                                items:
+                                  type: string
+                                type: array
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                              timeoutForControlPlane:
+                                description: TimeoutForControlPlane controls the timeout
+                                  that we use for API server to appear
+                                type: string
+                            type: object
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          certificatesDir:
+                            description: 'CertificatesDir specifies where to store
+                              or look for all required certificates. NB: if not provided,
+                              this will default to `/etc/kubernetes/pki`'
+                            type: string
+                          clusterName:
+                            description: The cluster name
+                            type: string
+                          controlPlaneEndpoint:
+                            description: 'ControlPlaneEndpoint sets a stable IP address
+                              or DNS name for the control plane; it can be a valid
+                              IP address or a RFC-1123 DNS subdomain, both with optional
+                              TCP port. In case the ControlPlaneEndpoint is not specified,
+                              the AdvertiseAddress + BindPort are used; in case the
+                              ControlPlaneEndpoint is specified but without a TCP
+                              port, the BindPort is used. Possible usages are: e.g.
+                              In a cluster with more than one control plane instances,
+                              this field should be assigned the address of the external
+                              load balancer in front of the control plane instances.
+                              e.g.  in environments with enforced node recycling,
+                              the ControlPlaneEndpoint could be used for assigning
+                              a stable DNS to the control plane. NB: This value defaults
+                              to the first value in the Cluster object status.apiEndpoints
+                              array.'
+                            type: string
+                          controllerManager:
+                            description: ControllerManager contains extra settings
+                              for the controller manager control plane component
+                            properties:
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                            type: object
+                          dns:
+                            description: DNS defines the options for the DNS add-on
+                              installed in the cluster.
+                            properties:
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. if not set, the ImageRepository
+                                  defined in ClusterConfiguration will be used instead.
+                                type: string
+                              imageTag:
+                                description: ImageTag allows to specify a tag for
+                                  the image. In case this value is set, kubeadm does
+                                  not change automatically the version of the above
+                                  components during upgrades.
+                                type: string
+                            type: object
+                          etcd:
+                            description: 'Etcd holds configuration for etcd. NB: This
+                              value defaults to a Local (stacked) etcd'
+                            properties:
+                              external:
+                                description: External describes how to connect to
+                                  an external etcd cluster Local and External are
+                                  mutually exclusive
+                                properties:
+                                  caFile:
+                                    description: CAFile is an SSL Certificate Authority
+                                      file used to secure etcd communication. Required
+                                      if using a TLS connection.
+                                    type: string
+                                  certFile:
+                                    description: CertFile is an SSL certification
+                                      file used to secure etcd communication. Required
+                                      if using a TLS connection.
+                                    type: string
+                                  endpoints:
+                                    description: Endpoints of etcd members. Required
+                                      for ExternalEtcd.
+                                    items:
+                                      type: string
+                                    type: array
+                                  keyFile:
+                                    description: KeyFile is an SSL key file used to
+                                      secure etcd communication. Required if using
+                                      a TLS connection.
+                                    type: string
+                                required:
+                                - caFile
+                                - certFile
+                                - endpoints
+                                - keyFile
+                                type: object
+                              local:
+                                description: Local provides configuration knobs for
+                                  configuring the local etcd instance Local and External
+                                  are mutually exclusive
+                                properties:
+                                  dataDir:
+                                    description: DataDir is the directory etcd will
+                                      place its data. Defaults to "/var/lib/etcd".
+                                    type: string
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: ExtraArgs are extra arguments provided
+                                      to the etcd binary when run inside a static
+                                      pod.
+                                    type: object
+                                  imageRepository:
+                                    description: ImageRepository sets the container
+                                      registry to pull images from. if not set, the
+                                      ImageRepository defined in ClusterConfiguration
+                                      will be used instead.
+                                    type: string
+                                  imageTag:
+                                    description: ImageTag allows to specify a tag
+                                      for the image. In case this value is set, kubeadm
+                                      does not change automatically the version of
+                                      the above components during upgrades.
+                                    type: string
+                                  peerCertSANs:
+                                    description: PeerCertSANs sets extra Subject Alternative
+                                      Names for the etcd peer signing cert.
+                                    items:
+                                      type: string
+                                    type: array
+                                  serverCertSANs:
+                                    description: ServerCertSANs sets extra Subject
+                                      Alternative Names for the etcd server signing
+                                      cert.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          featureGates:
+                            additionalProperties:
+                              type: boolean
+                            description: FeatureGates enabled by the user.
+                            type: object
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. If empty, `k8s.gcr.io` will be
+                              used by default; in case of kubernetes version is a
+                              CI build (kubernetes version starts with `ci/` or `ci-cross/`)
+                              `gcr.io/k8s-staging-ci-images` will be used as a default
+                              for control plane components and for kube-proxy, while
+                              `k8s.gcr.io` will be used for all the other images.
+                            type: string
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          kubernetesVersion:
+                            description: 'KubernetesVersion is the target version
+                              of the control plane. NB: This value defaults to the
+                              Machine object spec.version'
+                            type: string
+                          networking:
+                            description: 'Networking holds configuration for the networking
+                              topology of the cluster. NB: This value defaults to
+                              the Cluster object spec.clusterNetwork.'
+                            properties:
+                              dnsDomain:
+                                description: DNSDomain is the dns domain used by k8s
+                                  services. Defaults to "cluster.local".
+                                type: string
+                              podSubnet:
+                                description: PodSubnet is the subnet used by pods.
+                                  If unset, the API server will not allocate CIDR
+                                  ranges for every node. Defaults to a comma-delimited
+                                  string of the Cluster object's spec.clusterNetwork.services.cidrBlocks
+                                  if that is set
+                                type: string
+                              serviceSubnet:
+                                description: ServiceSubnet is the subnet used by k8s
+                                  services. Defaults to a comma-delimited string of
+                                  the Cluster object's spec.clusterNetwork.pods.cidrBlocks,
+                                  or to "10.96.0.0/12" if that's unset.
+                                type: string
+                            type: object
+                          scheduler:
+                            description: Scheduler contains extra settings for the
+                              scheduler control plane component
+                            properties:
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                            type: object
+                        type: object
+                      diskSetup:
+                        description: DiskSetup specifies options for the creation
+                          of partition tables and file systems on devices.
+                        properties:
+                          filesystems:
+                            description: Filesystems specifies the list of file systems
+                              to setup.
+                            items:
+                              description: Filesystem defines the file systems to
+                                be created.
+                              properties:
+                                device:
+                                  description: Device specifies the device name
+                                  type: string
+                                extraOpts:
+                                  description: ExtraOpts defined extra options to
+                                    add to the command for creating the file system.
+                                  items:
+                                    type: string
+                                  type: array
+                                filesystem:
+                                  description: Filesystem specifies the file system
+                                    type.
+                                  type: string
+                                label:
+                                  description: Label specifies the file system label
+                                    to be used. If set to None, no label is used.
+                                  type: string
+                                overwrite:
+                                  description: Overwrite defines whether or not to
+                                    overwrite any existing filesystem. If true, any
+                                    pre-existing file system will be destroyed. Use
+                                    with Caution.
+                                  type: boolean
+                                partition:
+                                  description: 'Partition specifies the partition
+                                    to use. The valid options are: "auto|any", "auto",
+                                    "any", "none", and <NUM>, where NUM is the actual
+                                    partition number.'
+                                  type: string
+                                replaceFS:
+                                  description: 'ReplaceFS is a special directive,
+                                    used for Microsoft Azure that instructs cloud-init
+                                    to replace a file system of <FS_TYPE>. NOTE: unless
+                                    you define a label, this requires the use of the
+                                    ''any'' partition directive.'
+                                  type: string
+                              required:
+                              - device
+                              - filesystem
+                              - label
+                              type: object
+                            type: array
+                          partitions:
+                            description: Partitions specifies the list of the partitions
+                              to setup.
+                            items:
+                              description: Partition defines how to create and layout
+                                a partition.
+                              properties:
+                                device:
+                                  description: Device is the name of the device.
+                                  type: string
+                                layout:
+                                  description: Layout specifies the device layout.
+                                    If it is true, a single partition will be created
+                                    for the entire device. When layout is false, it
+                                    means don't partition or ignore existing partitioning.
+                                  type: boolean
+                                overwrite:
+                                  description: Overwrite describes whether to skip
+                                    checks and create the partition if a partition
+                                    or filesystem is found on the device. Use with
+                                    caution. Default is 'false'.
+                                  type: boolean
+                                tableType:
+                                  description: 'TableType specifies the tupe of partition
+                                    table. The following are supported: ''mbr'': default
+                                    and setups a MS-DOS partition table ''gpt'': setups
+                                    a GPT partition table'
+                                  type: string
+                              required:
+                              - device
+                              - layout
+                              type: object
+                            type: array
+                        type: object
+                      files:
+                        description: Files specifies extra files to be passed to user_data
+                          upon creation.
+                        items:
+                          description: File defines the input for generating write_files
+                            in cloud-init.
+                          properties:
+                            content:
+                              description: Content is the actual content of the file.
+                              type: string
+                            contentFrom:
+                              description: ContentFrom is a referenced source of content
+                                to populate the file.
+                              properties:
+                                secret:
+                                  description: Secret represents a secret that should
+                                    populate this file.
+                                  properties:
+                                    key:
+                                      description: Key is the key in the secret's
+                                        data map for this value.
+                                      type: string
+                                    name:
+                                      description: Name of the secret in the KubeadmBootstrapConfig's
+                                        namespace to use.
+                                      type: string
+                                  required:
+                                  - key
+                                  - name
+                                  type: object
+                              required:
+                              - secret
+                              type: object
+                            encoding:
+                              description: Encoding specifies the encoding of the
+                                file contents.
+                              enum:
+                              - base64
+                              - gzip
+                              - gzip+base64
+                              type: string
+                            owner:
+                              description: Owner specifies the ownership of the file,
+                                e.g. "root:root".
+                              type: string
+                            path:
+                              description: Path specifies the full path on disk where
+                                to store the file.
+                              type: string
+                            permissions:
+                              description: Permissions specifies the permissions to
+                                assign to the file, e.g. "0640".
+                              type: string
+                          required:
+                          - path
+                          type: object
+                        type: array
+                      format:
+                        description: Format specifies the output format of the bootstrap
+                          data
+                        enum:
+                        - cloud-config
+                        type: string
+                      initConfiguration:
+                        description: InitConfiguration along with ClusterConfiguration
+                          are the configurations necessary for the init command
+                        properties:
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          bootstrapTokens:
+                            description: BootstrapTokens is respected at `kubeadm
+                              init` time and describes a set of Bootstrap Tokens to
+                              create. This information IS NOT uploaded to the kubeadm
+                              cluster configmap, partly because of its sensitive nature
+                            items:
+                              description: BootstrapToken describes one bootstrap
+                                token, stored as a Secret in the cluster.
+                              properties:
+                                description:
+                                  description: Description sets a human-friendly message
+                                    why this token exists and what it's used for,
+                                    so other administrators can know its purpose.
+                                  type: string
+                                expires:
+                                  description: Expires specifies the timestamp when
+                                    this token expires. Defaults to being set dynamically
+                                    at runtime based on the TTL. Expires and TTL are
+                                    mutually exclusive.
+                                  format: date-time
+                                  type: string
+                                groups:
+                                  description: Groups specifies the extra groups that
+                                    this token will authenticate as when/if used for
+                                    authentication
+                                  items:
+                                    type: string
+                                  type: array
+                                token:
+                                  description: Token is used for establishing bidirectional
+                                    trust between nodes and control-planes. Used for
+                                    joining nodes in the cluster.
+                                  type: string
+                                ttl:
+                                  description: TTL defines the time to live for this
+                                    token. Defaults to 24h. Expires and TTL are mutually
+                                    exclusive.
+                                  type: string
+                                usages:
+                                  description: Usages describes the ways in which
+                                    this token can be used. Can by default be used
+                                    for establishing bidirectional trust, but that
+                                    can be changed here.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - token
+                              type: object
+                            type: array
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          localAPIEndpoint:
+                            description: LocalAPIEndpoint represents the endpoint
+                              of the API server instance that's deployed on this control
+                              plane node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                              in the sense that ControlPlaneEndpoint is the global
+                              endpoint for the cluster, which then loadbalances the
+                              requests to each individual API server. This configuration
+                              object lets you customize what IP/DNS name and port
+                              the local API server advertises it's accessible on.
+                              By default, kubeadm tries to auto-detect the IP of the
+                              default interface and use that, but in case that process
+                              fails you may set the desired value here.
+                            properties:
+                              advertiseAddress:
+                                description: AdvertiseAddress sets the IP address
+                                  for the API server to advertise.
+                                type: string
+                              bindPort:
+                                description: BindPort sets the secure port for the
+                                  API Server to bind to. Defaults to 6443.
+                                format: int32
+                                type: integer
+                            type: object
+                          nodeRegistration:
+                            description: NodeRegistration holds fields that relate
+                              to registering the new control-plane node to the cluster.
+                              When used in the context of control plane nodes, NodeRegistration
+                              should remain consistent across both InitConfiguration
+                              and JoinConfiguration
+                            properties:
+                              criSocket:
+                                description: CRISocket is used to retrieve container
+                                  runtime info. This information will be annotated
+                                  to the Node API object, for later re-use
+                                type: string
+                              ignorePreflightErrors:
+                                description: IgnorePreflightErrors provides a slice
+                                  of pre-flight errors to be ignored when the current
+                                  node is registered.
+                                items:
+                                  type: string
+                                type: array
+                              kubeletExtraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: KubeletExtraArgs passes through extra
+                                  arguments to the kubelet. The arguments here are
+                                  passed to the kubelet command line via the environment
+                                  file kubeadm writes at runtime for the kubelet to
+                                  source. This overrides the generic base-level configuration
+                                  in the kubelet-config-1.X ConfigMap Flags have higher
+                                  priority when parsing. These values are local and
+                                  specific to the node kubeadm is executing on.
+                                type: object
+                              name:
+                                description: Name is the `.Metadata.Name` field of
+                                  the Node API object that will be created in this
+                                  `kubeadm init` or `kubeadm join` operation. This
+                                  field is also used in the CommonName field of the
+                                  kubelet's client certificate to the API server.
+                                  Defaults to the hostname of the node if not provided.
+                                type: string
+                              taints:
+                                description: 'Taints specifies the taints the Node
+                                  API object should be registered with. If this field
+                                  is unset, i.e. nil, in the `kubeadm init` process
+                                  it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                  If you don''t want to taint your control-plane node,
+                                  set this field to an empty slice, i.e. `taints:
+                                  {}` in the YAML file. This field is solely used
+                                  for Node registration.'
+                                items:
+                                  description: The node this Taint is attached to
+                                    has the "effect" on any pod that does not tolerate
+                                    the Taint.
+                                  properties:
+                                    effect:
+                                      description: Required. The effect of the taint
+                                        on pods that do not tolerate the taint. Valid
+                                        effects are NoSchedule, PreferNoSchedule and
+                                        NoExecute.
+                                      type: string
+                                    key:
+                                      description: Required. The taint key to be applied
+                                        to a node.
+                                      type: string
+                                    timeAdded:
+                                      description: TimeAdded represents the time at
+                                        which the taint was added. It is only written
+                                        for NoExecute taints.
+                                      format: date-time
+                                      type: string
+                                    value:
+                                      description: The taint value corresponding to
+                                        the taint key.
+                                      type: string
+                                  required:
+                                  - effect
+                                  - key
+                                  type: object
+                                type: array
+                            type: object
+                        type: object
+                      joinConfiguration:
+                        description: JoinConfiguration is the kubeadm configuration
+                          for the join command
+                        properties:
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          caCertPath:
+                            description: 'CACertPath is the path to the SSL certificate
+                              authority used to secure comunications between node
+                              and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                              TODO: revisit when there is defaulting from k/k'
+                            type: string
+                          controlPlane:
+                            description: ControlPlane defines the additional control
+                              plane instance to be deployed on the joining node. If
+                              nil, no additional control plane instance will be deployed.
+                            properties:
+                              localAPIEndpoint:
+                                description: LocalAPIEndpoint represents the endpoint
+                                  of the API server instance to be deployed on this
+                                  node.
+                                properties:
+                                  advertiseAddress:
+                                    description: AdvertiseAddress sets the IP address
+                                      for the API server to advertise.
+                                    type: string
+                                  bindPort:
+                                    description: BindPort sets the secure port for
+                                      the API Server to bind to. Defaults to 6443.
+                                    format: int32
+                                    type: integer
+                                type: object
+                            type: object
+                          discovery:
+                            description: 'Discovery specifies the options for the
+                              kubelet to use during the TLS Bootstrap process TODO:
+                              revisit when there is defaulting from k/k'
+                            properties:
+                              bootstrapToken:
+                                description: BootstrapToken is used to set the options
+                                  for bootstrap token based discovery BootstrapToken
+                                  and File are mutually exclusive
+                                properties:
+                                  apiServerEndpoint:
+                                    description: APIServerEndpoint is an IP or domain
+                                      name to the API server from which info will
+                                      be fetched.
+                                    type: string
+                                  caCertHashes:
+                                    description: 'CACertHashes specifies a set of
+                                      public key pins to verify when token-based discovery
+                                      is used. The root CA found during discovery
+                                      must match one of these values. Specifying an
+                                      empty set disables root CA pinning, which can
+                                      be unsafe. Each hash is specified as "<type>:<value>",
+                                      where the only currently supported type is "sha256".
+                                      This is a hex-encoded SHA-256 hash of the Subject
+                                      Public Key Info (SPKI) object in DER-encoded
+                                      ASN.1. These hashes can be calculated using,
+                                      for example, OpenSSL: openssl x509 -pubkey -in
+                                      ca.crt openssl rsa -pubin -outform der 2>&/dev/null
+                                      | openssl dgst -sha256 -hex'
+                                    items:
+                                      type: string
+                                    type: array
+                                  token:
+                                    description: Token is a token used to validate
+                                      cluster information fetched from the control-plane.
+                                    type: string
+                                  unsafeSkipCAVerification:
+                                    description: UnsafeSkipCAVerification allows token-based
+                                      discovery without CA verification via CACertHashes.
+                                      This can weaken the security of kubeadm since
+                                      other nodes can impersonate the control-plane.
+                                    type: boolean
+                                required:
+                                - token
+                                type: object
+                              file:
+                                description: File is used to specify a file or URL
+                                  to a kubeconfig file from which to load cluster
+                                  information BootstrapToken and File are mutually
+                                  exclusive
+                                properties:
+                                  kubeConfigPath:
+                                    description: KubeConfigPath is used to specify
+                                      the actual file path or URL to the kubeconfig
+                                      file from which to load cluster information
+                                    type: string
+                                required:
+                                - kubeConfigPath
+                                type: object
+                              timeout:
+                                description: Timeout modifies the discovery timeout
+                                type: string
+                              tlsBootstrapToken:
+                                description: TLSBootstrapToken is a token used for
+                                  TLS bootstrapping. If .BootstrapToken is set, this
+                                  field is defaulted to .BootstrapToken.Token, but
+                                  can be overridden. If .File is set, this field **must
+                                  be set** in case the KubeConfigFile does not contain
+                                  any other authentication information
+                                type: string
+                            type: object
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          nodeRegistration:
+                            description: NodeRegistration holds fields that relate
+                              to registering the new control-plane node to the cluster.
+                              When used in the context of control plane nodes, NodeRegistration
+                              should remain consistent across both InitConfiguration
+                              and JoinConfiguration
+                            properties:
+                              criSocket:
+                                description: CRISocket is used to retrieve container
+                                  runtime info. This information will be annotated
+                                  to the Node API object, for later re-use
+                                type: string
+                              ignorePreflightErrors:
+                                description: IgnorePreflightErrors provides a slice
+                                  of pre-flight errors to be ignored when the current
+                                  node is registered.
+                                items:
+                                  type: string
+                                type: array
+                              kubeletExtraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: KubeletExtraArgs passes through extra
+                                  arguments to the kubelet. The arguments here are
+                                  passed to the kubelet command line via the environment
+                                  file kubeadm writes at runtime for the kubelet to
+                                  source. This overrides the generic base-level configuration
+                                  in the kubelet-config-1.X ConfigMap Flags have higher
+                                  priority when parsing. These values are local and
+                                  specific to the node kubeadm is executing on.
+                                type: object
+                              name:
+                                description: Name is the `.Metadata.Name` field of
+                                  the Node API object that will be created in this
+                                  `kubeadm init` or `kubeadm join` operation. This
+                                  field is also used in the CommonName field of the
+                                  kubelet's client certificate to the API server.
+                                  Defaults to the hostname of the node if not provided.
+                                type: string
+                              taints:
+                                description: 'Taints specifies the taints the Node
+                                  API object should be registered with. If this field
+                                  is unset, i.e. nil, in the `kubeadm init` process
+                                  it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                  If you don''t want to taint your control-plane node,
+                                  set this field to an empty slice, i.e. `taints:
+                                  {}` in the YAML file. This field is solely used
+                                  for Node registration.'
+                                items:
+                                  description: The node this Taint is attached to
+                                    has the "effect" on any pod that does not tolerate
+                                    the Taint.
+                                  properties:
+                                    effect:
+                                      description: Required. The effect of the taint
+                                        on pods that do not tolerate the taint. Valid
+                                        effects are NoSchedule, PreferNoSchedule and
+                                        NoExecute.
+                                      type: string
+                                    key:
+                                      description: Required. The taint key to be applied
+                                        to a node.
+                                      type: string
+                                    timeAdded:
+                                      description: TimeAdded represents the time at
+                                        which the taint was added. It is only written
+                                        for NoExecute taints.
+                                      format: date-time
+                                      type: string
+                                    value:
+                                      description: The taint value corresponding to
+                                        the taint key.
+                                      type: string
+                                  required:
+                                  - effect
+                                  - key
+                                  type: object
+                                type: array
+                            type: object
+                        type: object
+                      mounts:
+                        description: Mounts specifies a list of mount points to be
+                          setup.
+                        items:
+                          description: MountPoints defines input for generated mounts
+                            in cloud-init.
+                          items:
+                            type: string
+                          type: array
+                        type: array
+                      ntp:
+                        description: NTP specifies NTP configuration
+                        properties:
+                          enabled:
+                            description: Enabled specifies whether NTP should be enabled
+                            type: boolean
+                          servers:
+                            description: Servers specifies which NTP servers to use
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      postKubeadmCommands:
+                        description: PostKubeadmCommands specifies extra commands
+                          to run after kubeadm runs
+                        items:
+                          type: string
+                        type: array
+                      preKubeadmCommands:
+                        description: PreKubeadmCommands specifies extra commands to
+                          run before kubeadm runs
+                        items:
+                          type: string
+                        type: array
+                      useExperimentalRetryJoin:
+                        description: "UseExperimentalRetryJoin replaces a basic kubeadm
+                          command with a shell script with retries for joins. \n This
+                          is meant to be an experimental temporary workaround on some
+                          environments where joins fail due to timing (and other issues).
+                          The long term goal is to add retries to kubeadm proper and
+                          use that functionality. \n This will add about 40KB to userdata
+                          \n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                        type: boolean
+                      users:
+                        description: Users specifies extra users to add
+                        items:
+                          description: User defines the input for a generated user
+                            in cloud-init.
+                          properties:
+                            gecos:
+                              description: Gecos specifies the gecos to use for the
+                                user
+                              type: string
+                            groups:
+                              description: Groups specifies the additional groups
+                                for the user
+                              type: string
+                            homeDir:
+                              description: HomeDir specifies the home directory to
+                                use for the user
+                              type: string
+                            inactive:
+                              description: Inactive specifies whether to mark the
+                                user as inactive
+                              type: boolean
+                            lockPassword:
+                              description: LockPassword specifies if password login
+                                should be disabled
+                              type: boolean
+                            name:
+                              description: Name specifies the user name
+                              type: string
+                            passwd:
+                              description: Passwd specifies a hashed password for
+                                the user
+                              type: string
+                            primaryGroup:
+                              description: PrimaryGroup specifies the primary group
+                                for the user
+                              type: string
+                            shell:
+                              description: Shell specifies the user's shell
+                              type: string
+                            sshAuthorizedKeys:
+                              description: SSHAuthorizedKeys specifies a list of ssh
+                                authorized keys for the user
+                              items:
+                                type: string
+                              type: array
+                            sudo:
+                              description: Sudo specifies a sudo role for the user
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      verbosity:
+                        description: Verbosity is the number for the kubeadm log level
+                          verbosity. It overrides the `--v` flag in kubeadm commands.
+                        format: int32
+                        type: integer
+                    type: object
+                type: object
+            required:
+            - template
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of KubeadmConfigTemplate
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KubeadmConfigTemplate is the Schema for the kubeadmconfigtemplates
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmConfigTemplateSpec defines the desired state of KubeadmConfigTemplate.
+            properties:
+              template:
+                description: KubeadmConfigTemplateResource defines the Template structure.
+                properties:
+                  spec:
+                    description: KubeadmConfigSpec defines the desired state of KubeadmConfig.
+                      Either ClusterConfiguration and InitConfiguration should be
+                      defined or the JoinConfiguration should be defined.
+                    properties:
+                      clusterConfiguration:
+                        description: ClusterConfiguration along with InitConfiguration
+                          are the configurations necessary for the init command
+                        properties:
+                          apiServer:
+                            description: APIServer contains extra settings for the
+                              API server control plane component
+                            properties:
+                              certSANs:
+                                description: CertSANs sets extra Subject Alternative
+                                  Names for the API Server signing cert.
+                                items:
+                                  type: string
+                                type: array
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                              timeoutForControlPlane:
+                                description: TimeoutForControlPlane controls the timeout
+                                  that we use for API server to appear
+                                type: string
+                            type: object
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          certificatesDir:
+                            description: 'CertificatesDir specifies where to store
+                              or look for all required certificates. NB: if not provided,
+                              this will default to `/etc/kubernetes/pki`'
+                            type: string
+                          clusterName:
+                            description: The cluster name
+                            type: string
+                          controlPlaneEndpoint:
+                            description: 'ControlPlaneEndpoint sets a stable IP address
+                              or DNS name for the control plane; it can be a valid
+                              IP address or a RFC-1123 DNS subdomain, both with optional
+                              TCP port. In case the ControlPlaneEndpoint is not specified,
+                              the AdvertiseAddress + BindPort are used; in case the
+                              ControlPlaneEndpoint is specified but without a TCP
+                              port, the BindPort is used. Possible usages are: e.g.
+                              In a cluster with more than one control plane instances,
+                              this field should be assigned the address of the external
+                              load balancer in front of the control plane instances.
+                              e.g.  in environments with enforced node recycling,
+                              the ControlPlaneEndpoint could be used for assigning
+                              a stable DNS to the control plane. NB: This value defaults
+                              to the first value in the Cluster object status.apiEndpoints
+                              array.'
+                            type: string
+                          controllerManager:
+                            description: ControllerManager contains extra settings
+                              for the controller manager control plane component
+                            properties:
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                            type: object
+                          dns:
+                            description: DNS defines the options for the DNS add-on
+                              installed in the cluster.
+                            properties:
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. if not set, the ImageRepository
+                                  defined in ClusterConfiguration will be used instead.
+                                type: string
+                              imageTag:
+                                description: ImageTag allows to specify a tag for
+                                  the image. In case this value is set, kubeadm does
+                                  not change automatically the version of the above
+                                  components during upgrades.
+                                type: string
+                            type: object
+                          etcd:
+                            description: 'Etcd holds configuration for etcd. NB: This
+                              value defaults to a Local (stacked) etcd'
+                            properties:
+                              external:
+                                description: External describes how to connect to
+                                  an external etcd cluster Local and External are
+                                  mutually exclusive
+                                properties:
+                                  caFile:
+                                    description: CAFile is an SSL Certificate Authority
+                                      file used to secure etcd communication. Required
+                                      if using a TLS connection.
+                                    type: string
+                                  certFile:
+                                    description: CertFile is an SSL certification
+                                      file used to secure etcd communication. Required
+                                      if using a TLS connection.
+                                    type: string
+                                  endpoints:
+                                    description: Endpoints of etcd members. Required
+                                      for ExternalEtcd.
+                                    items:
+                                      type: string
+                                    type: array
+                                  keyFile:
+                                    description: KeyFile is an SSL key file used to
+                                      secure etcd communication. Required if using
+                                      a TLS connection.
+                                    type: string
+                                required:
+                                - caFile
+                                - certFile
+                                - endpoints
+                                - keyFile
+                                type: object
+                              local:
+                                description: Local provides configuration knobs for
+                                  configuring the local etcd instance Local and External
+                                  are mutually exclusive
+                                properties:
+                                  dataDir:
+                                    description: DataDir is the directory etcd will
+                                      place its data. Defaults to "/var/lib/etcd".
+                                    type: string
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: ExtraArgs are extra arguments provided
+                                      to the etcd binary when run inside a static
+                                      pod.
+                                    type: object
+                                  imageRepository:
+                                    description: ImageRepository sets the container
+                                      registry to pull images from. if not set, the
+                                      ImageRepository defined in ClusterConfiguration
+                                      will be used instead.
+                                    type: string
+                                  imageTag:
+                                    description: ImageTag allows to specify a tag
+                                      for the image. In case this value is set, kubeadm
+                                      does not change automatically the version of
+                                      the above components during upgrades.
+                                    type: string
+                                  peerCertSANs:
+                                    description: PeerCertSANs sets extra Subject Alternative
+                                      Names for the etcd peer signing cert.
+                                    items:
+                                      type: string
+                                    type: array
+                                  serverCertSANs:
+                                    description: ServerCertSANs sets extra Subject
+                                      Alternative Names for the etcd server signing
+                                      cert.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          featureGates:
+                            additionalProperties:
+                              type: boolean
+                            description: FeatureGates enabled by the user.
+                            type: object
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. If empty, `k8s.gcr.io` will be
+                              used by default; in case of kubernetes version is a
+                              CI build (kubernetes version starts with `ci/` or `ci-cross/`)
+                              `gcr.io/k8s-staging-ci-images` will be used as a default
+                              for control plane components and for kube-proxy, while
+                              `k8s.gcr.io` will be used for all the other images.
+                            type: string
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          kubernetesVersion:
+                            description: 'KubernetesVersion is the target version
+                              of the control plane. NB: This value defaults to the
+                              Machine object spec.version'
+                            type: string
+                          networking:
+                            description: 'Networking holds configuration for the networking
+                              topology of the cluster. NB: This value defaults to
+                              the Cluster object spec.clusterNetwork.'
+                            properties:
+                              dnsDomain:
+                                description: DNSDomain is the dns domain used by k8s
+                                  services. Defaults to "cluster.local".
+                                type: string
+                              podSubnet:
+                                description: PodSubnet is the subnet used by pods.
+                                  If unset, the API server will not allocate CIDR
+                                  ranges for every node. Defaults to a comma-delimited
+                                  string of the Cluster object's spec.clusterNetwork.services.cidrBlocks
+                                  if that is set
+                                type: string
+                              serviceSubnet:
+                                description: ServiceSubnet is the subnet used by k8s
+                                  services. Defaults to a comma-delimited string of
+                                  the Cluster object's spec.clusterNetwork.pods.cidrBlocks,
+                                  or to "10.96.0.0/12" if that's unset.
+                                type: string
+                            type: object
+                          scheduler:
+                            description: Scheduler contains extra settings for the
+                              scheduler control plane component
+                            properties:
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: 'ExtraArgs is an extra set of flags to
+                                  pass to the control plane component. TODO: This
+                                  is temporary and ideally we would like to switch
+                                  all components to use ComponentConfig + ConfigMaps.'
+                                type: object
+                              extraVolumes:
+                                description: ExtraVolumes is an extra set of host
+                                  volumes, mounted to the control plane component.
+                                items:
+                                  description: HostPathMount contains elements describing
+                                    volumes that are mounted from the host.
+                                  properties:
+                                    hostPath:
+                                      description: HostPath is the path in the host
+                                        that will be mounted inside the pod.
+                                      type: string
+                                    mountPath:
+                                      description: MountPath is the path inside the
+                                        pod where hostPath will be mounted.
+                                      type: string
+                                    name:
+                                      description: Name of the volume inside the pod
+                                        template.
+                                      type: string
+                                    pathType:
+                                      description: PathType is the type of the HostPath.
+                                      type: string
+                                    readOnly:
+                                      description: ReadOnly controls write access
+                                        to the volume
+                                      type: boolean
+                                  required:
+                                  - hostPath
+                                  - mountPath
+                                  - name
+                                  type: object
+                                type: array
+                            type: object
+                        type: object
+                      diskSetup:
+                        description: DiskSetup specifies options for the creation
+                          of partition tables and file systems on devices.
+                        properties:
+                          filesystems:
+                            description: Filesystems specifies the list of file systems
+                              to setup.
+                            items:
+                              description: Filesystem defines the file systems to
+                                be created.
+                              properties:
+                                device:
+                                  description: Device specifies the device name
+                                  type: string
+                                extraOpts:
+                                  description: ExtraOpts defined extra options to
+                                    add to the command for creating the file system.
+                                  items:
+                                    type: string
+                                  type: array
+                                filesystem:
+                                  description: Filesystem specifies the file system
+                                    type.
+                                  type: string
+                                label:
+                                  description: Label specifies the file system label
+                                    to be used. If set to None, no label is used.
+                                  type: string
+                                overwrite:
+                                  description: Overwrite defines whether or not to
+                                    overwrite any existing filesystem. If true, any
+                                    pre-existing file system will be destroyed. Use
+                                    with Caution.
+                                  type: boolean
+                                partition:
+                                  description: 'Partition specifies the partition
+                                    to use. The valid options are: "auto|any", "auto",
+                                    "any", "none", and <NUM>, where NUM is the actual
+                                    partition number.'
+                                  type: string
+                                replaceFS:
+                                  description: 'ReplaceFS is a special directive,
+                                    used for Microsoft Azure that instructs cloud-init
+                                    to replace a file system of <FS_TYPE>. NOTE: unless
+                                    you define a label, this requires the use of the
+                                    ''any'' partition directive.'
+                                  type: string
+                              required:
+                              - device
+                              - filesystem
+                              - label
+                              type: object
+                            type: array
+                          partitions:
+                            description: Partitions specifies the list of the partitions
+                              to setup.
+                            items:
+                              description: Partition defines how to create and layout
+                                a partition.
+                              properties:
+                                device:
+                                  description: Device is the name of the device.
+                                  type: string
+                                layout:
+                                  description: Layout specifies the device layout.
+                                    If it is true, a single partition will be created
+                                    for the entire device. When layout is false, it
+                                    means don't partition or ignore existing partitioning.
+                                  type: boolean
+                                overwrite:
+                                  description: Overwrite describes whether to skip
+                                    checks and create the partition if a partition
+                                    or filesystem is found on the device. Use with
+                                    caution. Default is 'false'.
+                                  type: boolean
+                                tableType:
+                                  description: 'TableType specifies the tupe of partition
+                                    table. The following are supported: ''mbr'': default
+                                    and setups a MS-DOS partition table ''gpt'': setups
+                                    a GPT partition table'
+                                  type: string
+                              required:
+                              - device
+                              - layout
+                              type: object
+                            type: array
+                        type: object
+                      files:
+                        description: Files specifies extra files to be passed to user_data
+                          upon creation.
+                        items:
+                          description: File defines the input for generating write_files
+                            in cloud-init.
+                          properties:
+                            append:
+                              description: Append specifies whether to append Content
+                                to existing file if Path exists.
+                              type: boolean
+                            content:
+                              description: Content is the actual content of the file.
+                              type: string
+                            contentFrom:
+                              description: ContentFrom is a referenced source of content
+                                to populate the file.
+                              properties:
+                                secret:
+                                  description: Secret represents a secret that should
+                                    populate this file.
+                                  properties:
+                                    key:
+                                      description: Key is the key in the secret's
+                                        data map for this value.
+                                      type: string
+                                    name:
+                                      description: Name of the secret in the KubeadmBootstrapConfig's
+                                        namespace to use.
+                                      type: string
+                                  required:
+                                  - key
+                                  - name
+                                  type: object
+                              required:
+                              - secret
+                              type: object
+                            encoding:
+                              description: Encoding specifies the encoding of the
+                                file contents.
+                              enum:
+                              - base64
+                              - gzip
+                              - gzip+base64
+                              type: string
+                            owner:
+                              description: Owner specifies the ownership of the file,
+                                e.g. "root:root".
+                              type: string
+                            path:
+                              description: Path specifies the full path on disk where
+                                to store the file.
+                              type: string
+                            permissions:
+                              description: Permissions specifies the permissions to
+                                assign to the file, e.g. "0640".
+                              type: string
+                          required:
+                          - path
+                          type: object
+                        type: array
+                      format:
+                        description: Format specifies the output format of the bootstrap
+                          data
+                        enum:
+                        - cloud-config
+                        - ignition
+                        type: string
+                      ignition:
+                        description: Ignition contains Ignition specific configuration.
+                        properties:
+                          containerLinuxConfig:
+                            description: ContainerLinuxConfig contains CLC specific
+                              configuration.
+                            properties:
+                              additionalConfig:
+                                description: "AdditionalConfig contains additional
+                                  configuration to be merged with the Ignition configuration
+                                  generated by the bootstrapper controller. More info:
+                                  https://coreos.github.io/ignition/operator-notes/#config-merging
+                                  \n The data format is documented here: https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/"
+                                type: string
+                              strict:
+                                description: Strict controls if AdditionalConfig should
+                                  be strictly parsed. If so, warnings are treated
+                                  as errors.
+                                type: boolean
+                            type: object
+                        type: object
+                      initConfiguration:
+                        description: InitConfiguration along with ClusterConfiguration
+                          are the configurations necessary for the init command
+                        properties:
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          bootstrapTokens:
+                            description: BootstrapTokens is respected at `kubeadm
+                              init` time and describes a set of Bootstrap Tokens to
+                              create. This information IS NOT uploaded to the kubeadm
+                              cluster configmap, partly because of its sensitive nature
+                            items:
+                              description: BootstrapToken describes one bootstrap
+                                token, stored as a Secret in the cluster.
+                              properties:
+                                description:
+                                  description: Description sets a human-friendly message
+                                    why this token exists and what it's used for,
+                                    so other administrators can know its purpose.
+                                  type: string
+                                expires:
+                                  description: Expires specifies the timestamp when
+                                    this token expires. Defaults to being set dynamically
+                                    at runtime based on the TTL. Expires and TTL are
+                                    mutually exclusive.
+                                  format: date-time
+                                  type: string
+                                groups:
+                                  description: Groups specifies the extra groups that
+                                    this token will authenticate as when/if used for
+                                    authentication
+                                  items:
+                                    type: string
+                                  type: array
+                                token:
+                                  description: Token is used for establishing bidirectional
+                                    trust between nodes and control-planes. Used for
+                                    joining nodes in the cluster.
+                                  type: string
+                                ttl:
+                                  description: TTL defines the time to live for this
+                                    token. Defaults to 24h. Expires and TTL are mutually
+                                    exclusive.
+                                  type: string
+                                usages:
+                                  description: Usages describes the ways in which
+                                    this token can be used. Can by default be used
+                                    for establishing bidirectional trust, but that
+                                    can be changed here.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - token
+                              type: object
+                            type: array
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          localAPIEndpoint:
+                            description: LocalAPIEndpoint represents the endpoint
+                              of the API server instance that's deployed on this control
+                              plane node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                              in the sense that ControlPlaneEndpoint is the global
+                              endpoint for the cluster, which then loadbalances the
+                              requests to each individual API server. This configuration
+                              object lets you customize what IP/DNS name and port
+                              the local API server advertises it's accessible on.
+                              By default, kubeadm tries to auto-detect the IP of the
+                              default interface and use that, but in case that process
+                              fails you may set the desired value here.
+                            properties:
+                              advertiseAddress:
+                                description: AdvertiseAddress sets the IP address
+                                  for the API server to advertise.
+                                type: string
+                              bindPort:
+                                description: BindPort sets the secure port for the
+                                  API Server to bind to. Defaults to 6443.
+                                format: int32
+                                type: integer
+                            type: object
+                          nodeRegistration:
+                            description: NodeRegistration holds fields that relate
+                              to registering the new control-plane node to the cluster.
+                              When used in the context of control plane nodes, NodeRegistration
+                              should remain consistent across both InitConfiguration
+                              and JoinConfiguration
+                            properties:
+                              criSocket:
+                                description: CRISocket is used to retrieve container
+                                  runtime info. This information will be annotated
+                                  to the Node API object, for later re-use
+                                type: string
+                              ignorePreflightErrors:
+                                description: IgnorePreflightErrors provides a slice
+                                  of pre-flight errors to be ignored when the current
+                                  node is registered.
+                                items:
+                                  type: string
+                                type: array
+                              kubeletExtraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: KubeletExtraArgs passes through extra
+                                  arguments to the kubelet. The arguments here are
+                                  passed to the kubelet command line via the environment
+                                  file kubeadm writes at runtime for the kubelet to
+                                  source. This overrides the generic base-level configuration
+                                  in the kubelet-config-1.X ConfigMap Flags have higher
+                                  priority when parsing. These values are local and
+                                  specific to the node kubeadm is executing on.
+                                type: object
+                              name:
+                                description: Name is the `.Metadata.Name` field of
+                                  the Node API object that will be created in this
+                                  `kubeadm init` or `kubeadm join` operation. This
+                                  field is also used in the CommonName field of the
+                                  kubelet's client certificate to the API server.
+                                  Defaults to the hostname of the node if not provided.
+                                type: string
+                              taints:
+                                description: 'Taints specifies the taints the Node
+                                  API object should be registered with. If this field
+                                  is unset, i.e. nil, in the `kubeadm init` process
+                                  it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                  If you don''t want to taint your control-plane node,
+                                  set this field to an empty slice, i.e. `taints:
+                                  {}` in the YAML file. This field is solely used
+                                  for Node registration.'
+                                items:
+                                  description: The node this Taint is attached to
+                                    has the "effect" on any pod that does not tolerate
+                                    the Taint.
+                                  properties:
+                                    effect:
+                                      description: Required. The effect of the taint
+                                        on pods that do not tolerate the taint. Valid
+                                        effects are NoSchedule, PreferNoSchedule and
+                                        NoExecute.
+                                      type: string
+                                    key:
+                                      description: Required. The taint key to be applied
+                                        to a node.
+                                      type: string
+                                    timeAdded:
+                                      description: TimeAdded represents the time at
+                                        which the taint was added. It is only written
+                                        for NoExecute taints.
+                                      format: date-time
+                                      type: string
+                                    value:
+                                      description: The taint value corresponding to
+                                        the taint key.
+                                      type: string
+                                  required:
+                                  - effect
+                                  - key
+                                  type: object
+                                type: array
+                            type: object
+                          patches:
+                            description: Patches contains options related to applying
+                              patches to components deployed by kubeadm during "kubeadm
+                              init". The minimum kubernetes version needed to support
+                              Patches is v1.22
+                            properties:
+                              directory:
+                                description: Directory is a path to a directory that
+                                  contains files named "target[suffix][+patchtype].extension".
+                                  For example, "kube-apiserver0+merge.yaml" or just
+                                  "etcd.json". "target" can be one of "kube-apiserver",
+                                  "kube-controller-manager", "kube-scheduler", "etcd".
+                                  "patchtype" can be one of "strategic" "merge" or
+                                  "json" and they match the patch formats supported
+                                  by kubectl. The default "patchtype" is "strategic".
+                                  "extension" must be either "json" or "yaml". "suffix"
+                                  is an optional string that can be used to determine
+                                  which patches are applied first alpha-numerically.
+                                  These files can be written into the target directory
+                                  via KubeadmConfig.Files which specifies additional
+                                  files to be created on the machine, either with
+                                  content inline or by referencing a secret.
+                                type: string
+                            type: object
+                          skipPhases:
+                            description: SkipPhases is a list of phases to skip during
+                              command execution. The list of phases can be obtained
+                              with the "kubeadm init --help" command. This option
+                              takes effect only on Kubernetes >=1.22.0.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      joinConfiguration:
+                        description: JoinConfiguration is the kubeadm configuration
+                          for the join command
+                        properties:
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          caCertPath:
+                            description: 'CACertPath is the path to the SSL certificate
+                              authority used to secure comunications between node
+                              and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                              TODO: revisit when there is defaulting from k/k'
+                            type: string
+                          controlPlane:
+                            description: ControlPlane defines the additional control
+                              plane instance to be deployed on the joining node. If
+                              nil, no additional control plane instance will be deployed.
+                            properties:
+                              localAPIEndpoint:
+                                description: LocalAPIEndpoint represents the endpoint
+                                  of the API server instance to be deployed on this
+                                  node.
+                                properties:
+                                  advertiseAddress:
+                                    description: AdvertiseAddress sets the IP address
+                                      for the API server to advertise.
+                                    type: string
+                                  bindPort:
+                                    description: BindPort sets the secure port for
+                                      the API Server to bind to. Defaults to 6443.
+                                    format: int32
+                                    type: integer
+                                type: object
+                            type: object
+                          discovery:
+                            description: 'Discovery specifies the options for the
+                              kubelet to use during the TLS Bootstrap process TODO:
+                              revisit when there is defaulting from k/k'
+                            properties:
+                              bootstrapToken:
+                                description: BootstrapToken is used to set the options
+                                  for bootstrap token based discovery BootstrapToken
+                                  and File are mutually exclusive
+                                properties:
+                                  apiServerEndpoint:
+                                    description: APIServerEndpoint is an IP or domain
+                                      name to the API server from which info will
+                                      be fetched.
+                                    type: string
+                                  caCertHashes:
+                                    description: 'CACertHashes specifies a set of
+                                      public key pins to verify when token-based discovery
+                                      is used. The root CA found during discovery
+                                      must match one of these values. Specifying an
+                                      empty set disables root CA pinning, which can
+                                      be unsafe. Each hash is specified as "<type>:<value>",
+                                      where the only currently supported type is "sha256".
+                                      This is a hex-encoded SHA-256 hash of the Subject
+                                      Public Key Info (SPKI) object in DER-encoded
+                                      ASN.1. These hashes can be calculated using,
+                                      for example, OpenSSL: openssl x509 -pubkey -in
+                                      ca.crt openssl rsa -pubin -outform der 2>&/dev/null
+                                      | openssl dgst -sha256 -hex'
+                                    items:
+                                      type: string
+                                    type: array
+                                  token:
+                                    description: Token is a token used to validate
+                                      cluster information fetched from the control-plane.
+                                    type: string
+                                  unsafeSkipCAVerification:
+                                    description: UnsafeSkipCAVerification allows token-based
+                                      discovery without CA verification via CACertHashes.
+                                      This can weaken the security of kubeadm since
+                                      other nodes can impersonate the control-plane.
+                                    type: boolean
+                                required:
+                                - token
+                                type: object
+                              file:
+                                description: File is used to specify a file or URL
+                                  to a kubeconfig file from which to load cluster
+                                  information BootstrapToken and File are mutually
+                                  exclusive
+                                properties:
+                                  kubeConfigPath:
+                                    description: KubeConfigPath is used to specify
+                                      the actual file path or URL to the kubeconfig
+                                      file from which to load cluster information
+                                    type: string
+                                required:
+                                - kubeConfigPath
+                                type: object
+                              timeout:
+                                description: Timeout modifies the discovery timeout
+                                type: string
+                              tlsBootstrapToken:
+                                description: TLSBootstrapToken is a token used for
+                                  TLS bootstrapping. If .BootstrapToken is set, this
+                                  field is defaulted to .BootstrapToken.Token, but
+                                  can be overridden. If .File is set, this field **must
+                                  be set** in case the KubeConfigFile does not contain
+                                  any other authentication information
+                                type: string
+                            type: object
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          nodeRegistration:
+                            description: NodeRegistration holds fields that relate
+                              to registering the new control-plane node to the cluster.
+                              When used in the context of control plane nodes, NodeRegistration
+                              should remain consistent across both InitConfiguration
+                              and JoinConfiguration
+                            properties:
+                              criSocket:
+                                description: CRISocket is used to retrieve container
+                                  runtime info. This information will be annotated
+                                  to the Node API object, for later re-use
+                                type: string
+                              ignorePreflightErrors:
+                                description: IgnorePreflightErrors provides a slice
+                                  of pre-flight errors to be ignored when the current
+                                  node is registered.
+                                items:
+                                  type: string
+                                type: array
+                              kubeletExtraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: KubeletExtraArgs passes through extra
+                                  arguments to the kubelet. The arguments here are
+                                  passed to the kubelet command line via the environment
+                                  file kubeadm writes at runtime for the kubelet to
+                                  source. This overrides the generic base-level configuration
+                                  in the kubelet-config-1.X ConfigMap Flags have higher
+                                  priority when parsing. These values are local and
+                                  specific to the node kubeadm is executing on.
+                                type: object
+                              name:
+                                description: Name is the `.Metadata.Name` field of
+                                  the Node API object that will be created in this
+                                  `kubeadm init` or `kubeadm join` operation. This
+                                  field is also used in the CommonName field of the
+                                  kubelet's client certificate to the API server.
+                                  Defaults to the hostname of the node if not provided.
+                                type: string
+                              taints:
+                                description: 'Taints specifies the taints the Node
+                                  API object should be registered with. If this field
+                                  is unset, i.e. nil, in the `kubeadm init` process
+                                  it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                  If you don''t want to taint your control-plane node,
+                                  set this field to an empty slice, i.e. `taints:
+                                  {}` in the YAML file. This field is solely used
+                                  for Node registration.'
+                                items:
+                                  description: The node this Taint is attached to
+                                    has the "effect" on any pod that does not tolerate
+                                    the Taint.
+                                  properties:
+                                    effect:
+                                      description: Required. The effect of the taint
+                                        on pods that do not tolerate the taint. Valid
+                                        effects are NoSchedule, PreferNoSchedule and
+                                        NoExecute.
+                                      type: string
+                                    key:
+                                      description: Required. The taint key to be applied
+                                        to a node.
+                                      type: string
+                                    timeAdded:
+                                      description: TimeAdded represents the time at
+                                        which the taint was added. It is only written
+                                        for NoExecute taints.
+                                      format: date-time
+                                      type: string
+                                    value:
+                                      description: The taint value corresponding to
+                                        the taint key.
+                                      type: string
+                                  required:
+                                  - effect
+                                  - key
+                                  type: object
+                                type: array
+                            type: object
+                          patches:
+                            description: Patches contains options related to applying
+                              patches to components deployed by kubeadm during "kubeadm
+                              join". The minimum kubernetes version needed to support
+                              Patches is v1.22
+                            properties:
+                              directory:
+                                description: Directory is a path to a directory that
+                                  contains files named "target[suffix][+patchtype].extension".
+                                  For example, "kube-apiserver0+merge.yaml" or just
+                                  "etcd.json". "target" can be one of "kube-apiserver",
+                                  "kube-controller-manager", "kube-scheduler", "etcd".
+                                  "patchtype" can be one of "strategic" "merge" or
+                                  "json" and they match the patch formats supported
+                                  by kubectl. The default "patchtype" is "strategic".
+                                  "extension" must be either "json" or "yaml". "suffix"
+                                  is an optional string that can be used to determine
+                                  which patches are applied first alpha-numerically.
+                                  These files can be written into the target directory
+                                  via KubeadmConfig.Files which specifies additional
+                                  files to be created on the machine, either with
+                                  content inline or by referencing a secret.
+                                type: string
+                            type: object
+                          skipPhases:
+                            description: SkipPhases is a list of phases to skip during
+                              command execution. The list of phases can be obtained
+                              with the "kubeadm init --help" command. This option
+                              takes effect only on Kubernetes >=1.22.0.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      mounts:
+                        description: Mounts specifies a list of mount points to be
+                          setup.
+                        items:
+                          description: MountPoints defines input for generated mounts
+                            in cloud-init.
+                          items:
+                            type: string
+                          type: array
+                        type: array
+                      ntp:
+                        description: NTP specifies NTP configuration
+                        properties:
+                          enabled:
+                            description: Enabled specifies whether NTP should be enabled
+                            type: boolean
+                          servers:
+                            description: Servers specifies which NTP servers to use
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      postKubeadmCommands:
+                        description: PostKubeadmCommands specifies extra commands
+                          to run after kubeadm runs
+                        items:
+                          type: string
+                        type: array
+                      preKubeadmCommands:
+                        description: PreKubeadmCommands specifies extra commands to
+                          run before kubeadm runs
+                        items:
+                          type: string
+                        type: array
+                      useExperimentalRetryJoin:
+                        description: "UseExperimentalRetryJoin replaces a basic kubeadm
+                          command with a shell script with retries for joins. \n This
+                          is meant to be an experimental temporary workaround on some
+                          environments where joins fail due to timing (and other issues).
+                          The long term goal is to add retries to kubeadm proper and
+                          use that functionality. \n This will add about 40KB to userdata
+                          \n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                        type: boolean
+                      users:
+                        description: Users specifies extra users to add
+                        items:
+                          description: User defines the input for a generated user
+                            in cloud-init.
+                          properties:
+                            gecos:
+                              description: Gecos specifies the gecos to use for the
+                                user
+                              type: string
+                            groups:
+                              description: Groups specifies the additional groups
+                                for the user
+                              type: string
+                            homeDir:
+                              description: HomeDir specifies the home directory to
+                                use for the user
+                              type: string
+                            inactive:
+                              description: Inactive specifies whether to mark the
+                                user as inactive
+                              type: boolean
+                            lockPassword:
+                              description: LockPassword specifies if password login
+                                should be disabled
+                              type: boolean
+                            name:
+                              description: Name specifies the user name
+                              type: string
+                            passwd:
+                              description: Passwd specifies a hashed password for
+                                the user
+                              type: string
+                            passwdFrom:
+                              description: PasswdFrom is a referenced source of passwd
+                                to populate the passwd.
+                              properties:
+                                secret:
+                                  description: Secret represents a secret that should
+                                    populate this password.
+                                  properties:
+                                    key:
+                                      description: Key is the key in the secret's
+                                        data map for this value.
+                                      type: string
+                                    name:
+                                      description: Name of the secret in the KubeadmBootstrapConfig's
+                                        namespace to use.
+                                      type: string
+                                  required:
+                                  - key
+                                  - name
+                                  type: object
+                              required:
+                              - secret
+                              type: object
+                            primaryGroup:
+                              description: PrimaryGroup specifies the primary group
+                                for the user
+                              type: string
+                            shell:
+                              description: Shell specifies the user's shell
+                              type: string
+                            sshAuthorizedKeys:
+                              description: SSHAuthorizedKeys specifies a list of ssh
+                                authorized keys for the user
+                              items:
+                                type: string
+                              type: array
+                            sudo:
+                              description: Sudo specifies a sudo role for the user
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      verbosity:
+                        description: Verbosity is the number for the kubeadm log level
+                          verbosity. It overrides the `--v` flag in kubeadm commands.
+                        format: int32
+                        type: integer
+                    type: object
+                type: object
+            required:
+            - template
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+  name: capi-kubeadm-bootstrap-webhook-service
+  namespace: capi-webhook-system
+spec:
+  ports:
+  - port: 443
+    targetPort: webhook-server
+  selector:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+    control-plane: controller-manager
+  name: capi-kubeadm-bootstrap-controller-manager
+  namespace: capi-webhook-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/provider: bootstrap-kubeadm
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/provider: bootstrap-kubeadm
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - --leader-elect
+        - --metrics-bind-addr=localhost:8080
+        - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}
+        - --bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}
+        command:
+        - /manager
+        image: gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller:main
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+      volumes:
+      - name: cert
+        secret:
+          secretName: capi-kubeadm-bootstrap-webhook-service-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+  name: capi-kubeadm-bootstrap-serving-cert
+  namespace: capi-webhook-system
+spec:
+  dnsNames:
+  - capi-kubeadm-bootstrap-webhook-service.capi-webhook-system.svc
+  - capi-kubeadm-bootstrap-webhook-service.capi-webhook-system.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: capi-kubeadm-bootstrap-selfsigned-issuer
+  secretName: capi-kubeadm-bootstrap-webhook-service-cert
+  subject:
+    organizations:
+    - k8s-sig-cluster-lifecycle
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+  name: capi-kubeadm-bootstrap-selfsigned-issuer
+  namespace: capi-webhook-system
+spec:
+  selfSigned: {}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-bootstrap-serving-cert
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+  name: capi-kubeadm-bootstrap-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-bootstrap-webhook-service
+      namespace: capi-webhook-system
+      path: /mutate-bootstrap-cluster-x-k8s-io-v1beta1-kubeadmconfig
+  failurePolicy: Fail
+  name: default.kubeadmconfig.bootstrap.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - bootstrap.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmconfigs
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-bootstrap-webhook-service
+      namespace: capi-webhook-system
+      path: /mutate-bootstrap-cluster-x-k8s-io-v1beta1-kubeadmconfigtemplate
+  failurePolicy: Fail
+  name: default.kubeadmconfigtemplate.bootstrap.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - bootstrap.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmconfigtemplates
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-bootstrap-serving-cert
+  labels:
+    cluster.x-k8s.io/provider: bootstrap-kubeadm
+  name: capi-kubeadm-bootstrap-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-bootstrap-webhook-service
+      namespace: capi-webhook-system
+      path: /validate-bootstrap-cluster-x-k8s-io-v1beta1-kubeadmconfig
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.kubeadmconfig.bootstrap.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - bootstrap.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmconfigs
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-bootstrap-webhook-service
+      namespace: capi-webhook-system
+      path: /validate-bootstrap-cluster-x-k8s-io-v1beta1-kubeadmconfigtemplate
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.kubeadmconfigtemplate.bootstrap.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - bootstrap.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmconfigtemplates
+  sideEffects: None
diff --git a/spectro/generated/controlplane-base.yaml b/spectro/generated/controlplane-base.yaml
new file mode 100644
index 000000000000..288e17cb6901
--- /dev/null
+++ b/spectro/generated/controlplane-base.yaml
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+    control-plane: controller-manager
+  name: capi-kubeadm-control-plane-controller-manager
+  namespace: capi-kubeadm-control-plane-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/provider: control-plane-kubeadm
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/provider: control-plane-kubeadm
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - --leader-elect
+        - --metrics-bind-addr=localhost:8080
+        - --feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}
+        command:
+        - /manager
+        image: gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:main
+        imagePullPolicy: Always
+        name: manager
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
diff --git a/spectro/generated/controlplane-global.yaml b/spectro/generated/controlplane-global.yaml
new file mode 100644
index 000000000000..07dfabf31b47
--- /dev/null
+++ b/spectro/generated/controlplane-global.yaml
@@ -0,0 +1,6399 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-kubeadm-control-plane-system/capi-kubeadm-control-plane-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+    cluster.x-k8s.io/v1alpha3: v1alpha3
+    cluster.x-k8s.io/v1alpha4: v1alpha4
+    cluster.x-k8s.io/v1beta1: v1beta1
+  name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-kubeadm-control-plane-webhook-service
+          namespace: capi-webhook-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: controlplane.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: KubeadmControlPlane
+    listKind: KubeadmControlPlaneList
+    plural: kubeadmcontrolplanes
+    shortNames:
+    - kcp
+    singular: kubeadmcontrolplane
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: This denotes whether or not the control plane has the uploaded
+        kubeadm-config configmap
+      jsonPath: .status.initialized
+      name: Initialized
+      type: boolean
+    - description: KubeadmControlPlane API Server is ready to receive requests
+      jsonPath: .status.ready
+      name: API Server Available
+      type: boolean
+    - description: Kubernetes version associated with this control plane
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: Total number of non-terminated machines targeted by this control
+        plane
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of fully running and ready control plane machines
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    - description: Total number of non-terminated machines targeted by this control
+        plane that have the desired template spec
+      jsonPath: .status.updatedReplicas
+      name: Updated
+      type: integer
+    - description: Total number of unavailable machines targeted by this control plane
+      jsonPath: .status.unavailableReplicas
+      name: Unavailable
+      type: integer
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: KubeadmControlPlane is the Schema for the KubeadmControlPlane
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmControlPlaneSpec defines the desired state of KubeadmControlPlane.
+            properties:
+              infrastructureTemplate:
+                description: InfrastructureTemplate is a required reference to a custom
+                  resource offered by an infrastructure provider.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              kubeadmConfigSpec:
+                description: KubeadmConfigSpec is a KubeadmConfigSpec to use for initializing
+                  and joining machines to the control plane.
+                properties:
+                  clusterConfiguration:
+                    description: ClusterConfiguration along with InitConfiguration
+                      are the configurations necessary for the init command
+                    properties:
+                      apiServer:
+                        description: APIServer contains extra settings for the API
+                          server control plane component
+                        properties:
+                          certSANs:
+                            description: CertSANs sets extra Subject Alternative Names
+                              for the API Server signing cert.
+                            items:
+                              type: string
+                            type: array
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                          timeoutForControlPlane:
+                            description: TimeoutForControlPlane controls the timeout
+                              that we use for API server to appear
+                            type: string
+                        type: object
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      certificatesDir:
+                        description: 'CertificatesDir specifies where to store or
+                          look for all required certificates. NB: if not provided,
+                          this will default to `/etc/kubernetes/pki`'
+                        type: string
+                      clusterName:
+                        description: The cluster name
+                        type: string
+                      controlPlaneEndpoint:
+                        description: 'ControlPlaneEndpoint sets a stable IP address
+                          or DNS name for the control plane; it can be a valid IP
+                          address or a RFC-1123 DNS subdomain, both with optional
+                          TCP port. In case the ControlPlaneEndpoint is not specified,
+                          the AdvertiseAddress + BindPort are used; in case the ControlPlaneEndpoint
+                          is specified but without a TCP port, the BindPort is used.
+                          Possible usages are: e.g. In a cluster with more than one
+                          control plane instances, this field should be assigned the
+                          address of the external load balancer in front of the control
+                          plane instances. e.g.  in environments with enforced node
+                          recycling, the ControlPlaneEndpoint could be used for assigning
+                          a stable DNS to the control plane. NB: This value defaults
+                          to the first value in the Cluster object status.apiEndpoints
+                          array.'
+                        type: string
+                      controllerManager:
+                        description: ControllerManager contains extra settings for
+                          the controller manager control plane component
+                        properties:
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                        type: object
+                      dns:
+                        description: DNS defines the options for the DNS add-on installed
+                          in the cluster.
+                        properties:
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. if not set, the ImageRepository
+                              defined in ClusterConfiguration will be used instead.
+                            type: string
+                          imageTag:
+                            description: ImageTag allows to specify a tag for the
+                              image. In case this value is set, kubeadm does not change
+                              automatically the version of the above components during
+                              upgrades.
+                            type: string
+                          type:
+                            description: Type defines the DNS add-on to be used
+                            type: string
+                        type: object
+                      etcd:
+                        description: 'Etcd holds configuration for etcd. NB: This
+                          value defaults to a Local (stacked) etcd'
+                        properties:
+                          external:
+                            description: External describes how to connect to an external
+                              etcd cluster Local and External are mutually exclusive
+                            properties:
+                              caFile:
+                                description: CAFile is an SSL Certificate Authority
+                                  file used to secure etcd communication. Required
+                                  if using a TLS connection.
+                                type: string
+                              certFile:
+                                description: CertFile is an SSL certification file
+                                  used to secure etcd communication. Required if using
+                                  a TLS connection.
+                                type: string
+                              endpoints:
+                                description: Endpoints of etcd members. Required for
+                                  ExternalEtcd.
+                                items:
+                                  type: string
+                                type: array
+                              keyFile:
+                                description: KeyFile is an SSL key file used to secure
+                                  etcd communication. Required if using a TLS connection.
+                                type: string
+                            required:
+                            - caFile
+                            - certFile
+                            - endpoints
+                            - keyFile
+                            type: object
+                          local:
+                            description: Local provides configuration knobs for configuring
+                              the local etcd instance Local and External are mutually
+                              exclusive
+                            properties:
+                              dataDir:
+                                description: DataDir is the directory etcd will place
+                                  its data. Defaults to "/var/lib/etcd".
+                                type: string
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: ExtraArgs are extra arguments provided
+                                  to the etcd binary when run inside a static pod.
+                                type: object
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. if not set, the ImageRepository
+                                  defined in ClusterConfiguration will be used instead.
+                                type: string
+                              imageTag:
+                                description: ImageTag allows to specify a tag for
+                                  the image. In case this value is set, kubeadm does
+                                  not change automatically the version of the above
+                                  components during upgrades.
+                                type: string
+                              peerCertSANs:
+                                description: PeerCertSANs sets extra Subject Alternative
+                                  Names for the etcd peer signing cert.
+                                items:
+                                  type: string
+                                type: array
+                              serverCertSANs:
+                                description: ServerCertSANs sets extra Subject Alternative
+                                  Names for the etcd server signing cert.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      featureGates:
+                        additionalProperties:
+                          type: boolean
+                        description: FeatureGates enabled by the user.
+                        type: object
+                      imageRepository:
+                        description: ImageRepository sets the container registry to
+                          pull images from. If empty, `k8s.gcr.io` will be used by
+                          default; in case of kubernetes version is a CI build (kubernetes
+                          version starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
+                          will be used as a default for control plane components and
+                          for kube-proxy, while `k8s.gcr.io` will be used for all
+                          the other images.
+                        type: string
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      kubernetesVersion:
+                        description: 'KubernetesVersion is the target version of the
+                          control plane. NB: This value defaults to the Machine object
+                          spec.version'
+                        type: string
+                      networking:
+                        description: 'Networking holds configuration for the networking
+                          topology of the cluster. NB: This value defaults to the
+                          Cluster object spec.clusterNetwork.'
+                        properties:
+                          dnsDomain:
+                            description: DNSDomain is the dns domain used by k8s services.
+                              Defaults to "cluster.local".
+                            type: string
+                          podSubnet:
+                            description: PodSubnet is the subnet used by pods. If
+                              unset, the API server will not allocate CIDR ranges
+                              for every node. Defaults to a comma-delimited string
+                              of the Cluster object's spec.clusterNetwork.services.cidrBlocks
+                              if that is set
+                            type: string
+                          serviceSubnet:
+                            description: ServiceSubnet is the subnet used by k8s services.
+                              Defaults to a comma-delimited string of the Cluster
+                              object's spec.clusterNetwork.pods.cidrBlocks, or to
+                              "10.96.0.0/12" if that's unset.
+                            type: string
+                        type: object
+                      scheduler:
+                        description: Scheduler contains extra settings for the scheduler
+                          control plane component
+                        properties:
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                        type: object
+                      useHyperKubeImage:
+                        description: UseHyperKubeImage controls if hyperkube should
+                          be used for Kubernetes components instead of their respective
+                          separate images
+                        type: boolean
+                    type: object
+                  diskSetup:
+                    description: DiskSetup specifies options for the creation of partition
+                      tables and file systems on devices.
+                    properties:
+                      filesystems:
+                        description: Filesystems specifies the list of file systems
+                          to setup.
+                        items:
+                          description: Filesystem defines the file systems to be created.
+                          properties:
+                            device:
+                              description: Device specifies the device name
+                              type: string
+                            extraOpts:
+                              description: ExtraOpts defined extra options to add
+                                to the command for creating the file system.
+                              items:
+                                type: string
+                              type: array
+                            filesystem:
+                              description: Filesystem specifies the file system type.
+                              type: string
+                            label:
+                              description: Label specifies the file system label to
+                                be used. If set to None, no label is used.
+                              type: string
+                            overwrite:
+                              description: Overwrite defines whether or not to overwrite
+                                any existing filesystem. If true, any pre-existing
+                                file system will be destroyed. Use with Caution.
+                              type: boolean
+                            partition:
+                              description: 'Partition specifies the partition to use.
+                                The valid options are: "auto|any", "auto", "any",
+                                "none", and <NUM>, where NUM is the actual partition
+                                number.'
+                              type: string
+                            replaceFS:
+                              description: 'ReplaceFS is a special directive, used
+                                for Microsoft Azure that instructs cloud-init to replace
+                                a file system of <FS_TYPE>. NOTE: unless you define
+                                a label, this requires the use of the ''any'' partition
+                                directive.'
+                              type: string
+                          required:
+                          - device
+                          - filesystem
+                          - label
+                          type: object
+                        type: array
+                      partitions:
+                        description: Partitions specifies the list of the partitions
+                          to setup.
+                        items:
+                          description: Partition defines how to create and layout
+                            a partition.
+                          properties:
+                            device:
+                              description: Device is the name of the device.
+                              type: string
+                            layout:
+                              description: Layout specifies the device layout. If
+                                it is true, a single partition will be created for
+                                the entire device. When layout is false, it means
+                                don't partition or ignore existing partitioning.
+                              type: boolean
+                            overwrite:
+                              description: Overwrite describes whether to skip checks
+                                and create the partition if a partition or filesystem
+                                is found on the device. Use with caution. Default
+                                is 'false'.
+                              type: boolean
+                            tableType:
+                              description: 'TableType specifies the tupe of partition
+                                table. The following are supported: ''mbr'': default
+                                and setups a MS-DOS partition table ''gpt'': setups
+                                a GPT partition table'
+                              type: string
+                          required:
+                          - device
+                          - layout
+                          type: object
+                        type: array
+                    type: object
+                  files:
+                    description: Files specifies extra files to be passed to user_data
+                      upon creation.
+                    items:
+                      description: File defines the input for generating write_files
+                        in cloud-init.
+                      properties:
+                        content:
+                          description: Content is the actual content of the file.
+                          type: string
+                        contentFrom:
+                          description: ContentFrom is a referenced source of content
+                            to populate the file.
+                          properties:
+                            secret:
+                              description: Secret represents a secret that should
+                                populate this file.
+                              properties:
+                                key:
+                                  description: Key is the key in the secret's data
+                                    map for this value.
+                                  type: string
+                                name:
+                                  description: Name of the secret in the KubeadmBootstrapConfig's
+                                    namespace to use.
+                                  type: string
+                              required:
+                              - key
+                              - name
+                              type: object
+                          required:
+                          - secret
+                          type: object
+                        encoding:
+                          description: Encoding specifies the encoding of the file
+                            contents.
+                          enum:
+                          - base64
+                          - gzip
+                          - gzip+base64
+                          type: string
+                        owner:
+                          description: Owner specifies the ownership of the file,
+                            e.g. "root:root".
+                          type: string
+                        path:
+                          description: Path specifies the full path on disk where
+                            to store the file.
+                          type: string
+                        permissions:
+                          description: Permissions specifies the permissions to assign
+                            to the file, e.g. "0640".
+                          type: string
+                      required:
+                      - path
+                      type: object
+                    type: array
+                  format:
+                    description: Format specifies the output format of the bootstrap
+                      data
+                    enum:
+                    - cloud-config
+                    type: string
+                  initConfiguration:
+                    description: InitConfiguration along with ClusterConfiguration
+                      are the configurations necessary for the init command
+                    properties:
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      bootstrapTokens:
+                        description: BootstrapTokens is respected at `kubeadm init`
+                          time and describes a set of Bootstrap Tokens to create.
+                          This information IS NOT uploaded to the kubeadm cluster
+                          configmap, partly because of its sensitive nature
+                        items:
+                          description: BootstrapToken describes one bootstrap token,
+                            stored as a Secret in the cluster.
+                          properties:
+                            description:
+                              description: Description sets a human-friendly message
+                                why this token exists and what it's used for, so other
+                                administrators can know its purpose.
+                              type: string
+                            expires:
+                              description: Expires specifies the timestamp when this
+                                token expires. Defaults to being set dynamically at
+                                runtime based on the TTL. Expires and TTL are mutually
+                                exclusive.
+                              format: date-time
+                              type: string
+                            groups:
+                              description: Groups specifies the extra groups that
+                                this token will authenticate as when/if used for authentication
+                              items:
+                                type: string
+                              type: array
+                            token:
+                              description: Token is used for establishing bidirectional
+                                trust between nodes and control-planes. Used for joining
+                                nodes in the cluster.
+                              type: string
+                            ttl:
+                              description: TTL defines the time to live for this token.
+                                Defaults to 24h. Expires and TTL are mutually exclusive.
+                              type: string
+                            usages:
+                              description: Usages describes the ways in which this
+                                token can be used. Can by default be used for establishing
+                                bidirectional trust, but that can be changed here.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - token
+                          type: object
+                        type: array
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      localAPIEndpoint:
+                        description: LocalAPIEndpoint represents the endpoint of the
+                          API server instance that's deployed on this control plane
+                          node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                          in the sense that ControlPlaneEndpoint is the global endpoint
+                          for the cluster, which then loadbalances the requests to
+                          each individual API server. This configuration object lets
+                          you customize what IP/DNS name and port the local API server
+                          advertises it's accessible on. By default, kubeadm tries
+                          to auto-detect the IP of the default interface and use that,
+                          but in case that process fails you may set the desired value
+                          here.
+                        properties:
+                          advertiseAddress:
+                            description: AdvertiseAddress sets the IP address for
+                              the API server to advertise.
+                            type: string
+                          bindPort:
+                            description: BindPort sets the secure port for the API
+                              Server to bind to. Defaults to 6443.
+                            format: int32
+                            type: integer
+                        required:
+                        - advertiseAddress
+                        - bindPort
+                        type: object
+                      nodeRegistration:
+                        description: NodeRegistration holds fields that relate to
+                          registering the new control-plane node to the cluster. When
+                          used in the context of control plane nodes, NodeRegistration
+                          should remain consistent across both InitConfiguration and
+                          JoinConfiguration
+                        properties:
+                          criSocket:
+                            description: CRISocket is used to retrieve container runtime
+                              info. This information will be annotated to the Node
+                              API object, for later re-use
+                            type: string
+                          kubeletExtraArgs:
+                            additionalProperties:
+                              type: string
+                            description: KubeletExtraArgs passes through extra arguments
+                              to the kubelet. The arguments here are passed to the
+                              kubelet command line via the environment file kubeadm
+                              writes at runtime for the kubelet to source. This overrides
+                              the generic base-level configuration in the kubelet-config-1.X
+                              ConfigMap Flags have higher priority when parsing. These
+                              values are local and specific to the node kubeadm is
+                              executing on.
+                            type: object
+                          name:
+                            description: Name is the `.Metadata.Name` field of the
+                              Node API object that will be created in this `kubeadm
+                              init` or `kubeadm join` operation. This field is also
+                              used in the CommonName field of the kubelet's client
+                              certificate to the API server. Defaults to the hostname
+                              of the node if not provided.
+                            type: string
+                          taints:
+                            description: 'Taints specifies the taints the Node API
+                              object should be registered with. If this field is unset,
+                              i.e. nil, in the `kubeadm init` process it will be defaulted
+                              to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                              If you don''t want to taint your control-plane node,
+                              set this field to an empty slice, i.e. `taints: {}`
+                              in the YAML file. This field is solely used for Node
+                              registration.'
+                            items:
+                              description: The node this Taint is attached to has
+                                the "effect" on any pod that does not tolerate the
+                                Taint.
+                              properties:
+                                effect:
+                                  description: Required. The effect of the taint on
+                                    pods that do not tolerate the taint. Valid effects
+                                    are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: Required. The taint key to be applied
+                                    to a node.
+                                  type: string
+                                timeAdded:
+                                  description: TimeAdded represents the time at which
+                                    the taint was added. It is only written for NoExecute
+                                    taints.
+                                  format: date-time
+                                  type: string
+                                value:
+                                  description: The taint value corresponding to the
+                                    taint key.
+                                  type: string
+                              required:
+                              - effect
+                              - key
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  joinConfiguration:
+                    description: JoinConfiguration is the kubeadm configuration for
+                      the join command
+                    properties:
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      caCertPath:
+                        description: 'CACertPath is the path to the SSL certificate
+                          authority used to secure comunications between node and
+                          control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                          TODO: revisit when there is defaulting from k/k'
+                        type: string
+                      controlPlane:
+                        description: ControlPlane defines the additional control plane
+                          instance to be deployed on the joining node. If nil, no
+                          additional control plane instance will be deployed.
+                        properties:
+                          localAPIEndpoint:
+                            description: LocalAPIEndpoint represents the endpoint
+                              of the API server instance to be deployed on this node.
+                            properties:
+                              advertiseAddress:
+                                description: AdvertiseAddress sets the IP address
+                                  for the API server to advertise.
+                                type: string
+                              bindPort:
+                                description: BindPort sets the secure port for the
+                                  API Server to bind to. Defaults to 6443.
+                                format: int32
+                                type: integer
+                            required:
+                            - advertiseAddress
+                            - bindPort
+                            type: object
+                        type: object
+                      discovery:
+                        description: 'Discovery specifies the options for the kubelet
+                          to use during the TLS Bootstrap process TODO: revisit when
+                          there is defaulting from k/k'
+                        properties:
+                          bootstrapToken:
+                            description: BootstrapToken is used to set the options
+                              for bootstrap token based discovery BootstrapToken and
+                              File are mutually exclusive
+                            properties:
+                              apiServerEndpoint:
+                                description: APIServerEndpoint is an IP or domain
+                                  name to the API server from which info will be fetched.
+                                type: string
+                              caCertHashes:
+                                description: 'CACertHashes specifies a set of public
+                                  key pins to verify when token-based discovery is
+                                  used. The root CA found during discovery must match
+                                  one of these values. Specifying an empty set disables
+                                  root CA pinning, which can be unsafe. Each hash
+                                  is specified as "<type>:<value>", where the only
+                                  currently supported type is "sha256". This is a
+                                  hex-encoded SHA-256 hash of the Subject Public Key
+                                  Info (SPKI) object in DER-encoded ASN.1. These hashes
+                                  can be calculated using, for example, OpenSSL: openssl
+                                  x509 -pubkey -in ca.crt openssl rsa -pubin -outform
+                                  der 2>&/dev/null | openssl dgst -sha256 -hex'
+                                items:
+                                  type: string
+                                type: array
+                              token:
+                                description: Token is a token used to validate cluster
+                                  information fetched from the control-plane.
+                                type: string
+                              unsafeSkipCAVerification:
+                                description: UnsafeSkipCAVerification allows token-based
+                                  discovery without CA verification via CACertHashes.
+                                  This can weaken the security of kubeadm since other
+                                  nodes can impersonate the control-plane.
+                                type: boolean
+                            required:
+                            - token
+                            - unsafeSkipCAVerification
+                            type: object
+                          file:
+                            description: File is used to specify a file or URL to
+                              a kubeconfig file from which to load cluster information
+                              BootstrapToken and File are mutually exclusive
+                            properties:
+                              kubeConfigPath:
+                                description: KubeConfigPath is used to specify the
+                                  actual file path or URL to the kubeconfig file from
+                                  which to load cluster information
+                                type: string
+                            required:
+                            - kubeConfigPath
+                            type: object
+                          timeout:
+                            description: Timeout modifies the discovery timeout
+                            type: string
+                          tlsBootstrapToken:
+                            description: 'TLSBootstrapToken is a token used for TLS
+                              bootstrapping. If .BootstrapToken is set, this field
+                              is defaulted to .BootstrapToken.Token, but can be overridden.
+                              If .File is set, this field **must be set** in case
+                              the KubeConfigFile does not contain any other authentication
+                              information TODO: revisit when there is defaulting from
+                              k/k'
+                            type: string
+                        type: object
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      nodeRegistration:
+                        description: NodeRegistration holds fields that relate to
+                          registering the new control-plane node to the cluster. When
+                          used in the context of control plane nodes, NodeRegistration
+                          should remain consistent across both InitConfiguration and
+                          JoinConfiguration
+                        properties:
+                          criSocket:
+                            description: CRISocket is used to retrieve container runtime
+                              info. This information will be annotated to the Node
+                              API object, for later re-use
+                            type: string
+                          kubeletExtraArgs:
+                            additionalProperties:
+                              type: string
+                            description: KubeletExtraArgs passes through extra arguments
+                              to the kubelet. The arguments here are passed to the
+                              kubelet command line via the environment file kubeadm
+                              writes at runtime for the kubelet to source. This overrides
+                              the generic base-level configuration in the kubelet-config-1.X
+                              ConfigMap Flags have higher priority when parsing. These
+                              values are local and specific to the node kubeadm is
+                              executing on.
+                            type: object
+                          name:
+                            description: Name is the `.Metadata.Name` field of the
+                              Node API object that will be created in this `kubeadm
+                              init` or `kubeadm join` operation. This field is also
+                              used in the CommonName field of the kubelet's client
+                              certificate to the API server. Defaults to the hostname
+                              of the node if not provided.
+                            type: string
+                          taints:
+                            description: 'Taints specifies the taints the Node API
+                              object should be registered with. If this field is unset,
+                              i.e. nil, in the `kubeadm init` process it will be defaulted
+                              to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                              If you don''t want to taint your control-plane node,
+                              set this field to an empty slice, i.e. `taints: {}`
+                              in the YAML file. This field is solely used for Node
+                              registration.'
+                            items:
+                              description: The node this Taint is attached to has
+                                the "effect" on any pod that does not tolerate the
+                                Taint.
+                              properties:
+                                effect:
+                                  description: Required. The effect of the taint on
+                                    pods that do not tolerate the taint. Valid effects
+                                    are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: Required. The taint key to be applied
+                                    to a node.
+                                  type: string
+                                timeAdded:
+                                  description: TimeAdded represents the time at which
+                                    the taint was added. It is only written for NoExecute
+                                    taints.
+                                  format: date-time
+                                  type: string
+                                value:
+                                  description: The taint value corresponding to the
+                                    taint key.
+                                  type: string
+                              required:
+                              - effect
+                              - key
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  mounts:
+                    description: Mounts specifies a list of mount points to be setup.
+                    items:
+                      description: MountPoints defines input for generated mounts
+                        in cloud-init.
+                      items:
+                        type: string
+                      type: array
+                    type: array
+                  ntp:
+                    description: NTP specifies NTP configuration
+                    properties:
+                      enabled:
+                        description: Enabled specifies whether NTP should be enabled
+                        type: boolean
+                      servers:
+                        description: Servers specifies which NTP servers to use
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  postKubeadmCommands:
+                    description: PostKubeadmCommands specifies extra commands to run
+                      after kubeadm runs
+                    items:
+                      type: string
+                    type: array
+                  preKubeadmCommands:
+                    description: PreKubeadmCommands specifies extra commands to run
+                      before kubeadm runs
+                    items:
+                      type: string
+                    type: array
+                  useExperimentalRetryJoin:
+                    description: "UseExperimentalRetryJoin replaces a basic kubeadm
+                      command with a shell script with retries for joins. \n This
+                      is meant to be an experimental temporary workaround on some
+                      environments where joins fail due to timing (and other issues).
+                      The long term goal is to add retries to kubeadm proper and use
+                      that functionality. \n This will add about 40KB to userdata
+                      \n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                    type: boolean
+                  users:
+                    description: Users specifies extra users to add
+                    items:
+                      description: User defines the input for a generated user in
+                        cloud-init.
+                      properties:
+                        gecos:
+                          description: Gecos specifies the gecos to use for the user
+                          type: string
+                        groups:
+                          description: Groups specifies the additional groups for
+                            the user
+                          type: string
+                        homeDir:
+                          description: HomeDir specifies the home directory to use
+                            for the user
+                          type: string
+                        inactive:
+                          description: Inactive specifies whether to mark the user
+                            as inactive
+                          type: boolean
+                        lockPassword:
+                          description: LockPassword specifies if password login should
+                            be disabled
+                          type: boolean
+                        name:
+                          description: Name specifies the user name
+                          type: string
+                        passwd:
+                          description: Passwd specifies a hashed password for the
+                            user
+                          type: string
+                        primaryGroup:
+                          description: PrimaryGroup specifies the primary group for
+                            the user
+                          type: string
+                        shell:
+                          description: Shell specifies the user's shell
+                          type: string
+                        sshAuthorizedKeys:
+                          description: SSHAuthorizedKeys specifies a list of ssh authorized
+                            keys for the user
+                          items:
+                            type: string
+                          type: array
+                        sudo:
+                          description: Sudo specifies a sudo role for the user
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  verbosity:
+                    description: Verbosity is the number for the kubeadm log level
+                      verbosity. It overrides the `--v` flag in kubeadm commands.
+                    format: int32
+                    type: integer
+                type: object
+              nodeDrainTimeout:
+                description: 'NodeDrainTimeout is the total amount of time that the
+                  controller will spend on draining a controlplane node The default
+                  value is 0, meaning that the node can be drained without any time
+                  limitations. NOTE: NodeDrainTimeout is different from `kubectl drain
+                  --timeout`'
+                type: string
+              replicas:
+                description: Number of desired machines. Defaults to 1. When stacked
+                  etcd is used only odd numbers are permitted, as per [etcd best practice](https://etcd.io/docs/v3.3.12/faq/#why-an-odd-number-of-cluster-members).
+                  This is a pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              rolloutStrategy:
+                description: The RolloutStrategy to use to replace control plane machines
+                  with new ones.
+                properties:
+                  rollingUpdate:
+                    description: Rolling update config params. Present only if RolloutStrategyType
+                      = RollingUpdate.
+                    properties:
+                      maxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of control planes that can
+                          be scheduled above or under the desired number of control
+                          planes. Value can be an absolute number 1 or 0. Defaults
+                          to 1. Example: when this is set to 1, the control plane
+                          can be scaled up immediately when the rolling update starts.'
+                        x-kubernetes-int-or-string: true
+                    type: object
+                  type:
+                    description: Type of rollout. Currently the only supported strategy
+                      is "RollingUpdate". Default is RollingUpdate.
+                    type: string
+                type: object
+              upgradeAfter:
+                description: UpgradeAfter is a field to indicate an upgrade should
+                  be performed after the specified time even if no changes have been
+                  made to the KubeadmControlPlane
+                format: date-time
+                type: string
+              version:
+                description: Version defines the desired Kubernetes version.
+                type: string
+            required:
+            - infrastructureTemplate
+            - kubeadmConfigSpec
+            - version
+            type: object
+          status:
+            description: KubeadmControlPlaneStatus defines the observed state of KubeadmControlPlane.
+            properties:
+              conditions:
+                description: Conditions defines current service state of the KubeadmControlPlane.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: ErrorMessage indicates that there is a terminal problem
+                  reconciling the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a terminal problem
+                  reconciling the state, and will be set to a token value suitable
+                  for programmatic interpretation.
+                type: string
+              initialized:
+                description: Initialized denotes whether or not the control plane
+                  has the uploaded kubeadm-config configmap.
+                type: boolean
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              ready:
+                description: Ready denotes that the KubeadmControlPlane API Server
+                  is ready to receive requests.
+                type: boolean
+              readyReplicas:
+                description: Total number of fully running and ready control plane
+                  machines.
+                format: int32
+                type: integer
+              replicas:
+                description: Total number of non-terminated machines targeted by this
+                  control plane (their labels match the selector).
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the label selector in string format to avoid
+                  introspection by clients, and is used to provide the CRD-based integration
+                  for the scale subresource and additional integrations for things
+                  like kubectl describe.. The string will be in the same format as
+                  the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+              unavailableReplicas:
+                description: Total number of unavailable machines targeted by this
+                  control plane. This is the total number of machines that are still
+                  required for the deployment to have 100% available capacity. They
+                  may either be machines that are running but not yet ready or machines
+                  that still have not been created.
+                format: int32
+                type: integer
+              updatedReplicas:
+                description: Total number of non-terminated machines targeted by this
+                  control plane that have the desired template spec.
+                format: int32
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of KubeadmControlPlane
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: This denotes whether or not the control plane has the uploaded
+        kubeadm-config configmap
+      jsonPath: .status.initialized
+      name: Initialized
+      type: boolean
+    - description: KubeadmControlPlane API Server is ready to receive requests
+      jsonPath: .status.ready
+      name: API Server Available
+      type: boolean
+    - description: Kubernetes version associated with this control plane
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: Total number of non-terminated machines targeted by this control
+        plane
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of fully running and ready control plane machines
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    - description: Total number of non-terminated machines targeted by this control
+        plane that have the desired template spec
+      jsonPath: .status.updatedReplicas
+      name: Updated
+      type: integer
+    - description: Total number of unavailable machines targeted by this control plane
+      jsonPath: .status.unavailableReplicas
+      name: Unavailable
+      type: integer
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: KubeadmControlPlane is the Schema for the KubeadmControlPlane
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmControlPlaneSpec defines the desired state of KubeadmControlPlane.
+            properties:
+              kubeadmConfigSpec:
+                description: KubeadmConfigSpec is a KubeadmConfigSpec to use for initializing
+                  and joining machines to the control plane.
+                properties:
+                  clusterConfiguration:
+                    description: ClusterConfiguration along with InitConfiguration
+                      are the configurations necessary for the init command
+                    properties:
+                      apiServer:
+                        description: APIServer contains extra settings for the API
+                          server control plane component
+                        properties:
+                          certSANs:
+                            description: CertSANs sets extra Subject Alternative Names
+                              for the API Server signing cert.
+                            items:
+                              type: string
+                            type: array
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                          timeoutForControlPlane:
+                            description: TimeoutForControlPlane controls the timeout
+                              that we use for API server to appear
+                            type: string
+                        type: object
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      certificatesDir:
+                        description: 'CertificatesDir specifies where to store or
+                          look for all required certificates. NB: if not provided,
+                          this will default to `/etc/kubernetes/pki`'
+                        type: string
+                      clusterName:
+                        description: The cluster name
+                        type: string
+                      controlPlaneEndpoint:
+                        description: 'ControlPlaneEndpoint sets a stable IP address
+                          or DNS name for the control plane; it can be a valid IP
+                          address or a RFC-1123 DNS subdomain, both with optional
+                          TCP port. In case the ControlPlaneEndpoint is not specified,
+                          the AdvertiseAddress + BindPort are used; in case the ControlPlaneEndpoint
+                          is specified but without a TCP port, the BindPort is used.
+                          Possible usages are: e.g. In a cluster with more than one
+                          control plane instances, this field should be assigned the
+                          address of the external load balancer in front of the control
+                          plane instances. e.g.  in environments with enforced node
+                          recycling, the ControlPlaneEndpoint could be used for assigning
+                          a stable DNS to the control plane. NB: This value defaults
+                          to the first value in the Cluster object status.apiEndpoints
+                          array.'
+                        type: string
+                      controllerManager:
+                        description: ControllerManager contains extra settings for
+                          the controller manager control plane component
+                        properties:
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                        type: object
+                      dns:
+                        description: DNS defines the options for the DNS add-on installed
+                          in the cluster.
+                        properties:
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. if not set, the ImageRepository
+                              defined in ClusterConfiguration will be used instead.
+                            type: string
+                          imageTag:
+                            description: ImageTag allows to specify a tag for the
+                              image. In case this value is set, kubeadm does not change
+                              automatically the version of the above components during
+                              upgrades.
+                            type: string
+                        type: object
+                      etcd:
+                        description: 'Etcd holds configuration for etcd. NB: This
+                          value defaults to a Local (stacked) etcd'
+                        properties:
+                          external:
+                            description: External describes how to connect to an external
+                              etcd cluster Local and External are mutually exclusive
+                            properties:
+                              caFile:
+                                description: CAFile is an SSL Certificate Authority
+                                  file used to secure etcd communication. Required
+                                  if using a TLS connection.
+                                type: string
+                              certFile:
+                                description: CertFile is an SSL certification file
+                                  used to secure etcd communication. Required if using
+                                  a TLS connection.
+                                type: string
+                              endpoints:
+                                description: Endpoints of etcd members. Required for
+                                  ExternalEtcd.
+                                items:
+                                  type: string
+                                type: array
+                              keyFile:
+                                description: KeyFile is an SSL key file used to secure
+                                  etcd communication. Required if using a TLS connection.
+                                type: string
+                            required:
+                            - caFile
+                            - certFile
+                            - endpoints
+                            - keyFile
+                            type: object
+                          local:
+                            description: Local provides configuration knobs for configuring
+                              the local etcd instance Local and External are mutually
+                              exclusive
+                            properties:
+                              dataDir:
+                                description: DataDir is the directory etcd will place
+                                  its data. Defaults to "/var/lib/etcd".
+                                type: string
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: ExtraArgs are extra arguments provided
+                                  to the etcd binary when run inside a static pod.
+                                type: object
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. if not set, the ImageRepository
+                                  defined in ClusterConfiguration will be used instead.
+                                type: string
+                              imageTag:
+                                description: ImageTag allows to specify a tag for
+                                  the image. In case this value is set, kubeadm does
+                                  not change automatically the version of the above
+                                  components during upgrades.
+                                type: string
+                              peerCertSANs:
+                                description: PeerCertSANs sets extra Subject Alternative
+                                  Names for the etcd peer signing cert.
+                                items:
+                                  type: string
+                                type: array
+                              serverCertSANs:
+                                description: ServerCertSANs sets extra Subject Alternative
+                                  Names for the etcd server signing cert.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      featureGates:
+                        additionalProperties:
+                          type: boolean
+                        description: FeatureGates enabled by the user.
+                        type: object
+                      imageRepository:
+                        description: ImageRepository sets the container registry to
+                          pull images from. If empty, `k8s.gcr.io` will be used by
+                          default; in case of kubernetes version is a CI build (kubernetes
+                          version starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
+                          will be used as a default for control plane components and
+                          for kube-proxy, while `k8s.gcr.io` will be used for all
+                          the other images.
+                        type: string
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      kubernetesVersion:
+                        description: 'KubernetesVersion is the target version of the
+                          control plane. NB: This value defaults to the Machine object
+                          spec.version'
+                        type: string
+                      networking:
+                        description: 'Networking holds configuration for the networking
+                          topology of the cluster. NB: This value defaults to the
+                          Cluster object spec.clusterNetwork.'
+                        properties:
+                          dnsDomain:
+                            description: DNSDomain is the dns domain used by k8s services.
+                              Defaults to "cluster.local".
+                            type: string
+                          podSubnet:
+                            description: PodSubnet is the subnet used by pods. If
+                              unset, the API server will not allocate CIDR ranges
+                              for every node. Defaults to a comma-delimited string
+                              of the Cluster object's spec.clusterNetwork.services.cidrBlocks
+                              if that is set
+                            type: string
+                          serviceSubnet:
+                            description: ServiceSubnet is the subnet used by k8s services.
+                              Defaults to a comma-delimited string of the Cluster
+                              object's spec.clusterNetwork.pods.cidrBlocks, or to
+                              "10.96.0.0/12" if that's unset.
+                            type: string
+                        type: object
+                      scheduler:
+                        description: Scheduler contains extra settings for the scheduler
+                          control plane component
+                        properties:
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  diskSetup:
+                    description: DiskSetup specifies options for the creation of partition
+                      tables and file systems on devices.
+                    properties:
+                      filesystems:
+                        description: Filesystems specifies the list of file systems
+                          to setup.
+                        items:
+                          description: Filesystem defines the file systems to be created.
+                          properties:
+                            device:
+                              description: Device specifies the device name
+                              type: string
+                            extraOpts:
+                              description: ExtraOpts defined extra options to add
+                                to the command for creating the file system.
+                              items:
+                                type: string
+                              type: array
+                            filesystem:
+                              description: Filesystem specifies the file system type.
+                              type: string
+                            label:
+                              description: Label specifies the file system label to
+                                be used. If set to None, no label is used.
+                              type: string
+                            overwrite:
+                              description: Overwrite defines whether or not to overwrite
+                                any existing filesystem. If true, any pre-existing
+                                file system will be destroyed. Use with Caution.
+                              type: boolean
+                            partition:
+                              description: 'Partition specifies the partition to use.
+                                The valid options are: "auto|any", "auto", "any",
+                                "none", and <NUM>, where NUM is the actual partition
+                                number.'
+                              type: string
+                            replaceFS:
+                              description: 'ReplaceFS is a special directive, used
+                                for Microsoft Azure that instructs cloud-init to replace
+                                a file system of <FS_TYPE>. NOTE: unless you define
+                                a label, this requires the use of the ''any'' partition
+                                directive.'
+                              type: string
+                          required:
+                          - device
+                          - filesystem
+                          - label
+                          type: object
+                        type: array
+                      partitions:
+                        description: Partitions specifies the list of the partitions
+                          to setup.
+                        items:
+                          description: Partition defines how to create and layout
+                            a partition.
+                          properties:
+                            device:
+                              description: Device is the name of the device.
+                              type: string
+                            layout:
+                              description: Layout specifies the device layout. If
+                                it is true, a single partition will be created for
+                                the entire device. When layout is false, it means
+                                don't partition or ignore existing partitioning.
+                              type: boolean
+                            overwrite:
+                              description: Overwrite describes whether to skip checks
+                                and create the partition if a partition or filesystem
+                                is found on the device. Use with caution. Default
+                                is 'false'.
+                              type: boolean
+                            tableType:
+                              description: 'TableType specifies the tupe of partition
+                                table. The following are supported: ''mbr'': default
+                                and setups a MS-DOS partition table ''gpt'': setups
+                                a GPT partition table'
+                              type: string
+                          required:
+                          - device
+                          - layout
+                          type: object
+                        type: array
+                    type: object
+                  files:
+                    description: Files specifies extra files to be passed to user_data
+                      upon creation.
+                    items:
+                      description: File defines the input for generating write_files
+                        in cloud-init.
+                      properties:
+                        content:
+                          description: Content is the actual content of the file.
+                          type: string
+                        contentFrom:
+                          description: ContentFrom is a referenced source of content
+                            to populate the file.
+                          properties:
+                            secret:
+                              description: Secret represents a secret that should
+                                populate this file.
+                              properties:
+                                key:
+                                  description: Key is the key in the secret's data
+                                    map for this value.
+                                  type: string
+                                name:
+                                  description: Name of the secret in the KubeadmBootstrapConfig's
+                                    namespace to use.
+                                  type: string
+                              required:
+                              - key
+                              - name
+                              type: object
+                          required:
+                          - secret
+                          type: object
+                        encoding:
+                          description: Encoding specifies the encoding of the file
+                            contents.
+                          enum:
+                          - base64
+                          - gzip
+                          - gzip+base64
+                          type: string
+                        owner:
+                          description: Owner specifies the ownership of the file,
+                            e.g. "root:root".
+                          type: string
+                        path:
+                          description: Path specifies the full path on disk where
+                            to store the file.
+                          type: string
+                        permissions:
+                          description: Permissions specifies the permissions to assign
+                            to the file, e.g. "0640".
+                          type: string
+                      required:
+                      - path
+                      type: object
+                    type: array
+                  format:
+                    description: Format specifies the output format of the bootstrap
+                      data
+                    enum:
+                    - cloud-config
+                    type: string
+                  initConfiguration:
+                    description: InitConfiguration along with ClusterConfiguration
+                      are the configurations necessary for the init command
+                    properties:
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      bootstrapTokens:
+                        description: BootstrapTokens is respected at `kubeadm init`
+                          time and describes a set of Bootstrap Tokens to create.
+                          This information IS NOT uploaded to the kubeadm cluster
+                          configmap, partly because of its sensitive nature
+                        items:
+                          description: BootstrapToken describes one bootstrap token,
+                            stored as a Secret in the cluster.
+                          properties:
+                            description:
+                              description: Description sets a human-friendly message
+                                why this token exists and what it's used for, so other
+                                administrators can know its purpose.
+                              type: string
+                            expires:
+                              description: Expires specifies the timestamp when this
+                                token expires. Defaults to being set dynamically at
+                                runtime based on the TTL. Expires and TTL are mutually
+                                exclusive.
+                              format: date-time
+                              type: string
+                            groups:
+                              description: Groups specifies the extra groups that
+                                this token will authenticate as when/if used for authentication
+                              items:
+                                type: string
+                              type: array
+                            token:
+                              description: Token is used for establishing bidirectional
+                                trust between nodes and control-planes. Used for joining
+                                nodes in the cluster.
+                              type: string
+                            ttl:
+                              description: TTL defines the time to live for this token.
+                                Defaults to 24h. Expires and TTL are mutually exclusive.
+                              type: string
+                            usages:
+                              description: Usages describes the ways in which this
+                                token can be used. Can by default be used for establishing
+                                bidirectional trust, but that can be changed here.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - token
+                          type: object
+                        type: array
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      localAPIEndpoint:
+                        description: LocalAPIEndpoint represents the endpoint of the
+                          API server instance that's deployed on this control plane
+                          node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                          in the sense that ControlPlaneEndpoint is the global endpoint
+                          for the cluster, which then loadbalances the requests to
+                          each individual API server. This configuration object lets
+                          you customize what IP/DNS name and port the local API server
+                          advertises it's accessible on. By default, kubeadm tries
+                          to auto-detect the IP of the default interface and use that,
+                          but in case that process fails you may set the desired value
+                          here.
+                        properties:
+                          advertiseAddress:
+                            description: AdvertiseAddress sets the IP address for
+                              the API server to advertise.
+                            type: string
+                          bindPort:
+                            description: BindPort sets the secure port for the API
+                              Server to bind to. Defaults to 6443.
+                            format: int32
+                            type: integer
+                        type: object
+                      nodeRegistration:
+                        description: NodeRegistration holds fields that relate to
+                          registering the new control-plane node to the cluster. When
+                          used in the context of control plane nodes, NodeRegistration
+                          should remain consistent across both InitConfiguration and
+                          JoinConfiguration
+                        properties:
+                          criSocket:
+                            description: CRISocket is used to retrieve container runtime
+                              info. This information will be annotated to the Node
+                              API object, for later re-use
+                            type: string
+                          ignorePreflightErrors:
+                            description: IgnorePreflightErrors provides a slice of
+                              pre-flight errors to be ignored when the current node
+                              is registered.
+                            items:
+                              type: string
+                            type: array
+                          kubeletExtraArgs:
+                            additionalProperties:
+                              type: string
+                            description: KubeletExtraArgs passes through extra arguments
+                              to the kubelet. The arguments here are passed to the
+                              kubelet command line via the environment file kubeadm
+                              writes at runtime for the kubelet to source. This overrides
+                              the generic base-level configuration in the kubelet-config-1.X
+                              ConfigMap Flags have higher priority when parsing. These
+                              values are local and specific to the node kubeadm is
+                              executing on.
+                            type: object
+                          name:
+                            description: Name is the `.Metadata.Name` field of the
+                              Node API object that will be created in this `kubeadm
+                              init` or `kubeadm join` operation. This field is also
+                              used in the CommonName field of the kubelet's client
+                              certificate to the API server. Defaults to the hostname
+                              of the node if not provided.
+                            type: string
+                          taints:
+                            description: 'Taints specifies the taints the Node API
+                              object should be registered with. If this field is unset,
+                              i.e. nil, in the `kubeadm init` process it will be defaulted
+                              to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                              If you don''t want to taint your control-plane node,
+                              set this field to an empty slice, i.e. `taints: {}`
+                              in the YAML file. This field is solely used for Node
+                              registration.'
+                            items:
+                              description: The node this Taint is attached to has
+                                the "effect" on any pod that does not tolerate the
+                                Taint.
+                              properties:
+                                effect:
+                                  description: Required. The effect of the taint on
+                                    pods that do not tolerate the taint. Valid effects
+                                    are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: Required. The taint key to be applied
+                                    to a node.
+                                  type: string
+                                timeAdded:
+                                  description: TimeAdded represents the time at which
+                                    the taint was added. It is only written for NoExecute
+                                    taints.
+                                  format: date-time
+                                  type: string
+                                value:
+                                  description: The taint value corresponding to the
+                                    taint key.
+                                  type: string
+                              required:
+                              - effect
+                              - key
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  joinConfiguration:
+                    description: JoinConfiguration is the kubeadm configuration for
+                      the join command
+                    properties:
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      caCertPath:
+                        description: 'CACertPath is the path to the SSL certificate
+                          authority used to secure comunications between node and
+                          control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                          TODO: revisit when there is defaulting from k/k'
+                        type: string
+                      controlPlane:
+                        description: ControlPlane defines the additional control plane
+                          instance to be deployed on the joining node. If nil, no
+                          additional control plane instance will be deployed.
+                        properties:
+                          localAPIEndpoint:
+                            description: LocalAPIEndpoint represents the endpoint
+                              of the API server instance to be deployed on this node.
+                            properties:
+                              advertiseAddress:
+                                description: AdvertiseAddress sets the IP address
+                                  for the API server to advertise.
+                                type: string
+                              bindPort:
+                                description: BindPort sets the secure port for the
+                                  API Server to bind to. Defaults to 6443.
+                                format: int32
+                                type: integer
+                            type: object
+                        type: object
+                      discovery:
+                        description: 'Discovery specifies the options for the kubelet
+                          to use during the TLS Bootstrap process TODO: revisit when
+                          there is defaulting from k/k'
+                        properties:
+                          bootstrapToken:
+                            description: BootstrapToken is used to set the options
+                              for bootstrap token based discovery BootstrapToken and
+                              File are mutually exclusive
+                            properties:
+                              apiServerEndpoint:
+                                description: APIServerEndpoint is an IP or domain
+                                  name to the API server from which info will be fetched.
+                                type: string
+                              caCertHashes:
+                                description: 'CACertHashes specifies a set of public
+                                  key pins to verify when token-based discovery is
+                                  used. The root CA found during discovery must match
+                                  one of these values. Specifying an empty set disables
+                                  root CA pinning, which can be unsafe. Each hash
+                                  is specified as "<type>:<value>", where the only
+                                  currently supported type is "sha256". This is a
+                                  hex-encoded SHA-256 hash of the Subject Public Key
+                                  Info (SPKI) object in DER-encoded ASN.1. These hashes
+                                  can be calculated using, for example, OpenSSL: openssl
+                                  x509 -pubkey -in ca.crt openssl rsa -pubin -outform
+                                  der 2>&/dev/null | openssl dgst -sha256 -hex'
+                                items:
+                                  type: string
+                                type: array
+                              token:
+                                description: Token is a token used to validate cluster
+                                  information fetched from the control-plane.
+                                type: string
+                              unsafeSkipCAVerification:
+                                description: UnsafeSkipCAVerification allows token-based
+                                  discovery without CA verification via CACertHashes.
+                                  This can weaken the security of kubeadm since other
+                                  nodes can impersonate the control-plane.
+                                type: boolean
+                            required:
+                            - token
+                            type: object
+                          file:
+                            description: File is used to specify a file or URL to
+                              a kubeconfig file from which to load cluster information
+                              BootstrapToken and File are mutually exclusive
+                            properties:
+                              kubeConfigPath:
+                                description: KubeConfigPath is used to specify the
+                                  actual file path or URL to the kubeconfig file from
+                                  which to load cluster information
+                                type: string
+                            required:
+                            - kubeConfigPath
+                            type: object
+                          timeout:
+                            description: Timeout modifies the discovery timeout
+                            type: string
+                          tlsBootstrapToken:
+                            description: TLSBootstrapToken is a token used for TLS
+                              bootstrapping. If .BootstrapToken is set, this field
+                              is defaulted to .BootstrapToken.Token, but can be overridden.
+                              If .File is set, this field **must be set** in case
+                              the KubeConfigFile does not contain any other authentication
+                              information
+                            type: string
+                        type: object
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      nodeRegistration:
+                        description: NodeRegistration holds fields that relate to
+                          registering the new control-plane node to the cluster. When
+                          used in the context of control plane nodes, NodeRegistration
+                          should remain consistent across both InitConfiguration and
+                          JoinConfiguration
+                        properties:
+                          criSocket:
+                            description: CRISocket is used to retrieve container runtime
+                              info. This information will be annotated to the Node
+                              API object, for later re-use
+                            type: string
+                          ignorePreflightErrors:
+                            description: IgnorePreflightErrors provides a slice of
+                              pre-flight errors to be ignored when the current node
+                              is registered.
+                            items:
+                              type: string
+                            type: array
+                          kubeletExtraArgs:
+                            additionalProperties:
+                              type: string
+                            description: KubeletExtraArgs passes through extra arguments
+                              to the kubelet. The arguments here are passed to the
+                              kubelet command line via the environment file kubeadm
+                              writes at runtime for the kubelet to source. This overrides
+                              the generic base-level configuration in the kubelet-config-1.X
+                              ConfigMap Flags have higher priority when parsing. These
+                              values are local and specific to the node kubeadm is
+                              executing on.
+                            type: object
+                          name:
+                            description: Name is the `.Metadata.Name` field of the
+                              Node API object that will be created in this `kubeadm
+                              init` or `kubeadm join` operation. This field is also
+                              used in the CommonName field of the kubelet's client
+                              certificate to the API server. Defaults to the hostname
+                              of the node if not provided.
+                            type: string
+                          taints:
+                            description: 'Taints specifies the taints the Node API
+                              object should be registered with. If this field is unset,
+                              i.e. nil, in the `kubeadm init` process it will be defaulted
+                              to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                              If you don''t want to taint your control-plane node,
+                              set this field to an empty slice, i.e. `taints: {}`
+                              in the YAML file. This field is solely used for Node
+                              registration.'
+                            items:
+                              description: The node this Taint is attached to has
+                                the "effect" on any pod that does not tolerate the
+                                Taint.
+                              properties:
+                                effect:
+                                  description: Required. The effect of the taint on
+                                    pods that do not tolerate the taint. Valid effects
+                                    are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: Required. The taint key to be applied
+                                    to a node.
+                                  type: string
+                                timeAdded:
+                                  description: TimeAdded represents the time at which
+                                    the taint was added. It is only written for NoExecute
+                                    taints.
+                                  format: date-time
+                                  type: string
+                                value:
+                                  description: The taint value corresponding to the
+                                    taint key.
+                                  type: string
+                              required:
+                              - effect
+                              - key
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  mounts:
+                    description: Mounts specifies a list of mount points to be setup.
+                    items:
+                      description: MountPoints defines input for generated mounts
+                        in cloud-init.
+                      items:
+                        type: string
+                      type: array
+                    type: array
+                  ntp:
+                    description: NTP specifies NTP configuration
+                    properties:
+                      enabled:
+                        description: Enabled specifies whether NTP should be enabled
+                        type: boolean
+                      servers:
+                        description: Servers specifies which NTP servers to use
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  postKubeadmCommands:
+                    description: PostKubeadmCommands specifies extra commands to run
+                      after kubeadm runs
+                    items:
+                      type: string
+                    type: array
+                  preKubeadmCommands:
+                    description: PreKubeadmCommands specifies extra commands to run
+                      before kubeadm runs
+                    items:
+                      type: string
+                    type: array
+                  useExperimentalRetryJoin:
+                    description: "UseExperimentalRetryJoin replaces a basic kubeadm
+                      command with a shell script with retries for joins. \n This
+                      is meant to be an experimental temporary workaround on some
+                      environments where joins fail due to timing (and other issues).
+                      The long term goal is to add retries to kubeadm proper and use
+                      that functionality. \n This will add about 40KB to userdata
+                      \n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                    type: boolean
+                  users:
+                    description: Users specifies extra users to add
+                    items:
+                      description: User defines the input for a generated user in
+                        cloud-init.
+                      properties:
+                        gecos:
+                          description: Gecos specifies the gecos to use for the user
+                          type: string
+                        groups:
+                          description: Groups specifies the additional groups for
+                            the user
+                          type: string
+                        homeDir:
+                          description: HomeDir specifies the home directory to use
+                            for the user
+                          type: string
+                        inactive:
+                          description: Inactive specifies whether to mark the user
+                            as inactive
+                          type: boolean
+                        lockPassword:
+                          description: LockPassword specifies if password login should
+                            be disabled
+                          type: boolean
+                        name:
+                          description: Name specifies the user name
+                          type: string
+                        passwd:
+                          description: Passwd specifies a hashed password for the
+                            user
+                          type: string
+                        primaryGroup:
+                          description: PrimaryGroup specifies the primary group for
+                            the user
+                          type: string
+                        shell:
+                          description: Shell specifies the user's shell
+                          type: string
+                        sshAuthorizedKeys:
+                          description: SSHAuthorizedKeys specifies a list of ssh authorized
+                            keys for the user
+                          items:
+                            type: string
+                          type: array
+                        sudo:
+                          description: Sudo specifies a sudo role for the user
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  verbosity:
+                    description: Verbosity is the number for the kubeadm log level
+                      verbosity. It overrides the `--v` flag in kubeadm commands.
+                    format: int32
+                    type: integer
+                type: object
+              machineTemplate:
+                description: MachineTemplate contains information about how machines
+                  should be shaped when creating or updating a control plane.
+                properties:
+                  infrastructureRef:
+                    description: InfrastructureRef is a required reference to a custom
+                      resource offered by an infrastructure provider.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  nodeDrainTimeout:
+                    description: 'NodeDrainTimeout is the total amount of time that
+                      the controller will spend on draining a controlplane node The
+                      default value is 0, meaning that the node can be drained without
+                      any time limitations. NOTE: NodeDrainTimeout is different from
+                      `kubectl drain --timeout`'
+                    type: string
+                required:
+                - infrastructureRef
+                type: object
+              replicas:
+                description: Number of desired machines. Defaults to 1. When stacked
+                  etcd is used only odd numbers are permitted, as per [etcd best practice](https://etcd.io/docs/v3.3.12/faq/#why-an-odd-number-of-cluster-members).
+                  This is a pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              rolloutAfter:
+                description: RolloutAfter is a field to indicate a rollout should
+                  be performed after the specified time even if no changes have been
+                  made to the KubeadmControlPlane.
+                format: date-time
+                type: string
+              rolloutStrategy:
+                default:
+                  rollingUpdate:
+                    maxSurge: 1
+                  type: RollingUpdate
+                description: The RolloutStrategy to use to replace control plane machines
+                  with new ones.
+                properties:
+                  rollingUpdate:
+                    description: Rolling update config params. Present only if RolloutStrategyType
+                      = RollingUpdate.
+                    properties:
+                      maxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of control planes that can
+                          be scheduled above or under the desired number of control
+                          planes. Value can be an absolute number 1 or 0. Defaults
+                          to 1. Example: when this is set to 1, the control plane
+                          can be scaled up immediately when the rolling update starts.'
+                        x-kubernetes-int-or-string: true
+                    type: object
+                  type:
+                    description: Type of rollout. Currently the only supported strategy
+                      is "RollingUpdate". Default is RollingUpdate.
+                    type: string
+                type: object
+              version:
+                description: Version defines the desired Kubernetes version.
+                type: string
+            required:
+            - kubeadmConfigSpec
+            - machineTemplate
+            - version
+            type: object
+          status:
+            description: KubeadmControlPlaneStatus defines the observed state of KubeadmControlPlane.
+            properties:
+              conditions:
+                description: Conditions defines current service state of the KubeadmControlPlane.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: ErrorMessage indicates that there is a terminal problem
+                  reconciling the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a terminal problem
+                  reconciling the state, and will be set to a token value suitable
+                  for programmatic interpretation.
+                type: string
+              initialized:
+                description: Initialized denotes whether or not the control plane
+                  has the uploaded kubeadm-config configmap.
+                type: boolean
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              ready:
+                description: Ready denotes that the KubeadmControlPlane API Server
+                  is ready to receive requests.
+                type: boolean
+              readyReplicas:
+                description: Total number of fully running and ready control plane
+                  machines.
+                format: int32
+                type: integer
+              replicas:
+                description: Total number of non-terminated machines targeted by this
+                  control plane (their labels match the selector).
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the label selector in string format to avoid
+                  introspection by clients, and is used to provide the CRD-based integration
+                  for the scale subresource and additional integrations for things
+                  like kubectl describe.. The string will be in the same format as
+                  the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+              unavailableReplicas:
+                description: Total number of unavailable machines targeted by this
+                  control plane. This is the total number of machines that are still
+                  required for the deployment to have 100% available capacity. They
+                  may either be machines that are running but not yet ready or machines
+                  that still have not been created.
+                format: int32
+                type: integer
+              updatedReplicas:
+                description: Total number of non-terminated machines targeted by this
+                  control plane that have the desired template spec.
+                format: int32
+                type: integer
+              version:
+                description: Version represents the minimum Kubernetes version for
+                  the control plane machines in the cluster.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .metadata.labels['cluster\.x-k8s\.io/cluster-name']
+      name: Cluster
+      type: string
+    - description: This denotes whether or not the control plane has the uploaded
+        kubeadm-config configmap
+      jsonPath: .status.initialized
+      name: Initialized
+      type: boolean
+    - description: KubeadmControlPlane API Server is ready to receive requests
+      jsonPath: .status.ready
+      name: API Server Available
+      type: boolean
+    - description: Total number of machines desired by this control plane
+      jsonPath: .spec.replicas
+      name: Desired
+      priority: 10
+      type: integer
+    - description: Total number of non-terminated machines targeted by this control
+        plane
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of fully running and ready control plane machines
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    - description: Total number of non-terminated machines targeted by this control
+        plane that have the desired template spec
+      jsonPath: .status.updatedReplicas
+      name: Updated
+      type: integer
+    - description: Total number of unavailable machines targeted by this control plane
+      jsonPath: .status.unavailableReplicas
+      name: Unavailable
+      type: integer
+    - description: Time duration since creation of KubeadmControlPlane
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Kubernetes version associated with this control plane
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KubeadmControlPlane is the Schema for the KubeadmControlPlane
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmControlPlaneSpec defines the desired state of KubeadmControlPlane.
+            properties:
+              kubeadmConfigSpec:
+                description: KubeadmConfigSpec is a KubeadmConfigSpec to use for initializing
+                  and joining machines to the control plane.
+                properties:
+                  clusterConfiguration:
+                    description: ClusterConfiguration along with InitConfiguration
+                      are the configurations necessary for the init command
+                    properties:
+                      apiServer:
+                        description: APIServer contains extra settings for the API
+                          server control plane component
+                        properties:
+                          certSANs:
+                            description: CertSANs sets extra Subject Alternative Names
+                              for the API Server signing cert.
+                            items:
+                              type: string
+                            type: array
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                          timeoutForControlPlane:
+                            description: TimeoutForControlPlane controls the timeout
+                              that we use for API server to appear
+                            type: string
+                        type: object
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      certificatesDir:
+                        description: 'CertificatesDir specifies where to store or
+                          look for all required certificates. NB: if not provided,
+                          this will default to `/etc/kubernetes/pki`'
+                        type: string
+                      clusterName:
+                        description: The cluster name
+                        type: string
+                      controlPlaneEndpoint:
+                        description: 'ControlPlaneEndpoint sets a stable IP address
+                          or DNS name for the control plane; it can be a valid IP
+                          address or a RFC-1123 DNS subdomain, both with optional
+                          TCP port. In case the ControlPlaneEndpoint is not specified,
+                          the AdvertiseAddress + BindPort are used; in case the ControlPlaneEndpoint
+                          is specified but without a TCP port, the BindPort is used.
+                          Possible usages are: e.g. In a cluster with more than one
+                          control plane instances, this field should be assigned the
+                          address of the external load balancer in front of the control
+                          plane instances. e.g.  in environments with enforced node
+                          recycling, the ControlPlaneEndpoint could be used for assigning
+                          a stable DNS to the control plane. NB: This value defaults
+                          to the first value in the Cluster object status.apiEndpoints
+                          array.'
+                        type: string
+                      controllerManager:
+                        description: ControllerManager contains extra settings for
+                          the controller manager control plane component
+                        properties:
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                        type: object
+                      dns:
+                        description: DNS defines the options for the DNS add-on installed
+                          in the cluster.
+                        properties:
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. if not set, the ImageRepository
+                              defined in ClusterConfiguration will be used instead.
+                            type: string
+                          imageTag:
+                            description: ImageTag allows to specify a tag for the
+                              image. In case this value is set, kubeadm does not change
+                              automatically the version of the above components during
+                              upgrades.
+                            type: string
+                        type: object
+                      etcd:
+                        description: 'Etcd holds configuration for etcd. NB: This
+                          value defaults to a Local (stacked) etcd'
+                        properties:
+                          external:
+                            description: External describes how to connect to an external
+                              etcd cluster Local and External are mutually exclusive
+                            properties:
+                              caFile:
+                                description: CAFile is an SSL Certificate Authority
+                                  file used to secure etcd communication. Required
+                                  if using a TLS connection.
+                                type: string
+                              certFile:
+                                description: CertFile is an SSL certification file
+                                  used to secure etcd communication. Required if using
+                                  a TLS connection.
+                                type: string
+                              endpoints:
+                                description: Endpoints of etcd members. Required for
+                                  ExternalEtcd.
+                                items:
+                                  type: string
+                                type: array
+                              keyFile:
+                                description: KeyFile is an SSL key file used to secure
+                                  etcd communication. Required if using a TLS connection.
+                                type: string
+                            required:
+                            - caFile
+                            - certFile
+                            - endpoints
+                            - keyFile
+                            type: object
+                          local:
+                            description: Local provides configuration knobs for configuring
+                              the local etcd instance Local and External are mutually
+                              exclusive
+                            properties:
+                              dataDir:
+                                description: DataDir is the directory etcd will place
+                                  its data. Defaults to "/var/lib/etcd".
+                                type: string
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: ExtraArgs are extra arguments provided
+                                  to the etcd binary when run inside a static pod.
+                                type: object
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. if not set, the ImageRepository
+                                  defined in ClusterConfiguration will be used instead.
+                                type: string
+                              imageTag:
+                                description: ImageTag allows to specify a tag for
+                                  the image. In case this value is set, kubeadm does
+                                  not change automatically the version of the above
+                                  components during upgrades.
+                                type: string
+                              peerCertSANs:
+                                description: PeerCertSANs sets extra Subject Alternative
+                                  Names for the etcd peer signing cert.
+                                items:
+                                  type: string
+                                type: array
+                              serverCertSANs:
+                                description: ServerCertSANs sets extra Subject Alternative
+                                  Names for the etcd server signing cert.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      featureGates:
+                        additionalProperties:
+                          type: boolean
+                        description: FeatureGates enabled by the user.
+                        type: object
+                      imageRepository:
+                        description: ImageRepository sets the container registry to
+                          pull images from. If empty, `k8s.gcr.io` will be used by
+                          default; in case of kubernetes version is a CI build (kubernetes
+                          version starts with `ci/` or `ci-cross/`) `gcr.io/k8s-staging-ci-images`
+                          will be used as a default for control plane components and
+                          for kube-proxy, while `k8s.gcr.io` will be used for all
+                          the other images.
+                        type: string
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      kubernetesVersion:
+                        description: 'KubernetesVersion is the target version of the
+                          control plane. NB: This value defaults to the Machine object
+                          spec.version'
+                        type: string
+                      networking:
+                        description: 'Networking holds configuration for the networking
+                          topology of the cluster. NB: This value defaults to the
+                          Cluster object spec.clusterNetwork.'
+                        properties:
+                          dnsDomain:
+                            description: DNSDomain is the dns domain used by k8s services.
+                              Defaults to "cluster.local".
+                            type: string
+                          podSubnet:
+                            description: PodSubnet is the subnet used by pods. If
+                              unset, the API server will not allocate CIDR ranges
+                              for every node. Defaults to a comma-delimited string
+                              of the Cluster object's spec.clusterNetwork.services.cidrBlocks
+                              if that is set
+                            type: string
+                          serviceSubnet:
+                            description: ServiceSubnet is the subnet used by k8s services.
+                              Defaults to a comma-delimited string of the Cluster
+                              object's spec.clusterNetwork.pods.cidrBlocks, or to
+                              "10.96.0.0/12" if that's unset.
+                            type: string
+                        type: object
+                      scheduler:
+                        description: Scheduler contains extra settings for the scheduler
+                          control plane component
+                        properties:
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  diskSetup:
+                    description: DiskSetup specifies options for the creation of partition
+                      tables and file systems on devices.
+                    properties:
+                      filesystems:
+                        description: Filesystems specifies the list of file systems
+                          to setup.
+                        items:
+                          description: Filesystem defines the file systems to be created.
+                          properties:
+                            device:
+                              description: Device specifies the device name
+                              type: string
+                            extraOpts:
+                              description: ExtraOpts defined extra options to add
+                                to the command for creating the file system.
+                              items:
+                                type: string
+                              type: array
+                            filesystem:
+                              description: Filesystem specifies the file system type.
+                              type: string
+                            label:
+                              description: Label specifies the file system label to
+                                be used. If set to None, no label is used.
+                              type: string
+                            overwrite:
+                              description: Overwrite defines whether or not to overwrite
+                                any existing filesystem. If true, any pre-existing
+                                file system will be destroyed. Use with Caution.
+                              type: boolean
+                            partition:
+                              description: 'Partition specifies the partition to use.
+                                The valid options are: "auto|any", "auto", "any",
+                                "none", and <NUM>, where NUM is the actual partition
+                                number.'
+                              type: string
+                            replaceFS:
+                              description: 'ReplaceFS is a special directive, used
+                                for Microsoft Azure that instructs cloud-init to replace
+                                a file system of <FS_TYPE>. NOTE: unless you define
+                                a label, this requires the use of the ''any'' partition
+                                directive.'
+                              type: string
+                          required:
+                          - device
+                          - filesystem
+                          - label
+                          type: object
+                        type: array
+                      partitions:
+                        description: Partitions specifies the list of the partitions
+                          to setup.
+                        items:
+                          description: Partition defines how to create and layout
+                            a partition.
+                          properties:
+                            device:
+                              description: Device is the name of the device.
+                              type: string
+                            layout:
+                              description: Layout specifies the device layout. If
+                                it is true, a single partition will be created for
+                                the entire device. When layout is false, it means
+                                don't partition or ignore existing partitioning.
+                              type: boolean
+                            overwrite:
+                              description: Overwrite describes whether to skip checks
+                                and create the partition if a partition or filesystem
+                                is found on the device. Use with caution. Default
+                                is 'false'.
+                              type: boolean
+                            tableType:
+                              description: 'TableType specifies the tupe of partition
+                                table. The following are supported: ''mbr'': default
+                                and setups a MS-DOS partition table ''gpt'': setups
+                                a GPT partition table'
+                              type: string
+                          required:
+                          - device
+                          - layout
+                          type: object
+                        type: array
+                    type: object
+                  files:
+                    description: Files specifies extra files to be passed to user_data
+                      upon creation.
+                    items:
+                      description: File defines the input for generating write_files
+                        in cloud-init.
+                      properties:
+                        append:
+                          description: Append specifies whether to append Content
+                            to existing file if Path exists.
+                          type: boolean
+                        content:
+                          description: Content is the actual content of the file.
+                          type: string
+                        contentFrom:
+                          description: ContentFrom is a referenced source of content
+                            to populate the file.
+                          properties:
+                            secret:
+                              description: Secret represents a secret that should
+                                populate this file.
+                              properties:
+                                key:
+                                  description: Key is the key in the secret's data
+                                    map for this value.
+                                  type: string
+                                name:
+                                  description: Name of the secret in the KubeadmBootstrapConfig's
+                                    namespace to use.
+                                  type: string
+                              required:
+                              - key
+                              - name
+                              type: object
+                          required:
+                          - secret
+                          type: object
+                        encoding:
+                          description: Encoding specifies the encoding of the file
+                            contents.
+                          enum:
+                          - base64
+                          - gzip
+                          - gzip+base64
+                          type: string
+                        owner:
+                          description: Owner specifies the ownership of the file,
+                            e.g. "root:root".
+                          type: string
+                        path:
+                          description: Path specifies the full path on disk where
+                            to store the file.
+                          type: string
+                        permissions:
+                          description: Permissions specifies the permissions to assign
+                            to the file, e.g. "0640".
+                          type: string
+                      required:
+                      - path
+                      type: object
+                    type: array
+                  format:
+                    description: Format specifies the output format of the bootstrap
+                      data
+                    enum:
+                    - cloud-config
+                    - ignition
+                    type: string
+                  ignition:
+                    description: Ignition contains Ignition specific configuration.
+                    properties:
+                      containerLinuxConfig:
+                        description: ContainerLinuxConfig contains CLC specific configuration.
+                        properties:
+                          additionalConfig:
+                            description: "AdditionalConfig contains additional configuration
+                              to be merged with the Ignition configuration generated
+                              by the bootstrapper controller. More info: https://coreos.github.io/ignition/operator-notes/#config-merging
+                              \n The data format is documented here: https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/"
+                            type: string
+                          strict:
+                            description: Strict controls if AdditionalConfig should
+                              be strictly parsed. If so, warnings are treated as errors.
+                            type: boolean
+                        type: object
+                    type: object
+                  initConfiguration:
+                    description: InitConfiguration along with ClusterConfiguration
+                      are the configurations necessary for the init command
+                    properties:
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      bootstrapTokens:
+                        description: BootstrapTokens is respected at `kubeadm init`
+                          time and describes a set of Bootstrap Tokens to create.
+                          This information IS NOT uploaded to the kubeadm cluster
+                          configmap, partly because of its sensitive nature
+                        items:
+                          description: BootstrapToken describes one bootstrap token,
+                            stored as a Secret in the cluster.
+                          properties:
+                            description:
+                              description: Description sets a human-friendly message
+                                why this token exists and what it's used for, so other
+                                administrators can know its purpose.
+                              type: string
+                            expires:
+                              description: Expires specifies the timestamp when this
+                                token expires. Defaults to being set dynamically at
+                                runtime based on the TTL. Expires and TTL are mutually
+                                exclusive.
+                              format: date-time
+                              type: string
+                            groups:
+                              description: Groups specifies the extra groups that
+                                this token will authenticate as when/if used for authentication
+                              items:
+                                type: string
+                              type: array
+                            token:
+                              description: Token is used for establishing bidirectional
+                                trust between nodes and control-planes. Used for joining
+                                nodes in the cluster.
+                              type: string
+                            ttl:
+                              description: TTL defines the time to live for this token.
+                                Defaults to 24h. Expires and TTL are mutually exclusive.
+                              type: string
+                            usages:
+                              description: Usages describes the ways in which this
+                                token can be used. Can by default be used for establishing
+                                bidirectional trust, but that can be changed here.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - token
+                          type: object
+                        type: array
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      localAPIEndpoint:
+                        description: LocalAPIEndpoint represents the endpoint of the
+                          API server instance that's deployed on this control plane
+                          node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                          in the sense that ControlPlaneEndpoint is the global endpoint
+                          for the cluster, which then loadbalances the requests to
+                          each individual API server. This configuration object lets
+                          you customize what IP/DNS name and port the local API server
+                          advertises it's accessible on. By default, kubeadm tries
+                          to auto-detect the IP of the default interface and use that,
+                          but in case that process fails you may set the desired value
+                          here.
+                        properties:
+                          advertiseAddress:
+                            description: AdvertiseAddress sets the IP address for
+                              the API server to advertise.
+                            type: string
+                          bindPort:
+                            description: BindPort sets the secure port for the API
+                              Server to bind to. Defaults to 6443.
+                            format: int32
+                            type: integer
+                        type: object
+                      nodeRegistration:
+                        description: NodeRegistration holds fields that relate to
+                          registering the new control-plane node to the cluster. When
+                          used in the context of control plane nodes, NodeRegistration
+                          should remain consistent across both InitConfiguration and
+                          JoinConfiguration
+                        properties:
+                          criSocket:
+                            description: CRISocket is used to retrieve container runtime
+                              info. This information will be annotated to the Node
+                              API object, for later re-use
+                            type: string
+                          ignorePreflightErrors:
+                            description: IgnorePreflightErrors provides a slice of
+                              pre-flight errors to be ignored when the current node
+                              is registered.
+                            items:
+                              type: string
+                            type: array
+                          kubeletExtraArgs:
+                            additionalProperties:
+                              type: string
+                            description: KubeletExtraArgs passes through extra arguments
+                              to the kubelet. The arguments here are passed to the
+                              kubelet command line via the environment file kubeadm
+                              writes at runtime for the kubelet to source. This overrides
+                              the generic base-level configuration in the kubelet-config-1.X
+                              ConfigMap Flags have higher priority when parsing. These
+                              values are local and specific to the node kubeadm is
+                              executing on.
+                            type: object
+                          name:
+                            description: Name is the `.Metadata.Name` field of the
+                              Node API object that will be created in this `kubeadm
+                              init` or `kubeadm join` operation. This field is also
+                              used in the CommonName field of the kubelet's client
+                              certificate to the API server. Defaults to the hostname
+                              of the node if not provided.
+                            type: string
+                          taints:
+                            description: 'Taints specifies the taints the Node API
+                              object should be registered with. If this field is unset,
+                              i.e. nil, in the `kubeadm init` process it will be defaulted
+                              to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                              If you don''t want to taint your control-plane node,
+                              set this field to an empty slice, i.e. `taints: {}`
+                              in the YAML file. This field is solely used for Node
+                              registration.'
+                            items:
+                              description: The node this Taint is attached to has
+                                the "effect" on any pod that does not tolerate the
+                                Taint.
+                              properties:
+                                effect:
+                                  description: Required. The effect of the taint on
+                                    pods that do not tolerate the taint. Valid effects
+                                    are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: Required. The taint key to be applied
+                                    to a node.
+                                  type: string
+                                timeAdded:
+                                  description: TimeAdded represents the time at which
+                                    the taint was added. It is only written for NoExecute
+                                    taints.
+                                  format: date-time
+                                  type: string
+                                value:
+                                  description: The taint value corresponding to the
+                                    taint key.
+                                  type: string
+                              required:
+                              - effect
+                              - key
+                              type: object
+                            type: array
+                        type: object
+                      patches:
+                        description: Patches contains options related to applying
+                          patches to components deployed by kubeadm during "kubeadm
+                          init". The minimum kubernetes version needed to support
+                          Patches is v1.22
+                        properties:
+                          directory:
+                            description: Directory is a path to a directory that contains
+                              files named "target[suffix][+patchtype].extension".
+                              For example, "kube-apiserver0+merge.yaml" or just "etcd.json".
+                              "target" can be one of "kube-apiserver", "kube-controller-manager",
+                              "kube-scheduler", "etcd". "patchtype" can be one of
+                              "strategic" "merge" or "json" and they match the patch
+                              formats supported by kubectl. The default "patchtype"
+                              is "strategic". "extension" must be either "json" or
+                              "yaml". "suffix" is an optional string that can be used
+                              to determine which patches are applied first alpha-numerically.
+                              These files can be written into the target directory
+                              via KubeadmConfig.Files which specifies additional files
+                              to be created on the machine, either with content inline
+                              or by referencing a secret.
+                            type: string
+                        type: object
+                      skipPhases:
+                        description: SkipPhases is a list of phases to skip during
+                          command execution. The list of phases can be obtained with
+                          the "kubeadm init --help" command. This option takes effect
+                          only on Kubernetes >=1.22.0.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  joinConfiguration:
+                    description: JoinConfiguration is the kubeadm configuration for
+                      the join command
+                    properties:
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      caCertPath:
+                        description: 'CACertPath is the path to the SSL certificate
+                          authority used to secure comunications between node and
+                          control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                          TODO: revisit when there is defaulting from k/k'
+                        type: string
+                      controlPlane:
+                        description: ControlPlane defines the additional control plane
+                          instance to be deployed on the joining node. If nil, no
+                          additional control plane instance will be deployed.
+                        properties:
+                          localAPIEndpoint:
+                            description: LocalAPIEndpoint represents the endpoint
+                              of the API server instance to be deployed on this node.
+                            properties:
+                              advertiseAddress:
+                                description: AdvertiseAddress sets the IP address
+                                  for the API server to advertise.
+                                type: string
+                              bindPort:
+                                description: BindPort sets the secure port for the
+                                  API Server to bind to. Defaults to 6443.
+                                format: int32
+                                type: integer
+                            type: object
+                        type: object
+                      discovery:
+                        description: 'Discovery specifies the options for the kubelet
+                          to use during the TLS Bootstrap process TODO: revisit when
+                          there is defaulting from k/k'
+                        properties:
+                          bootstrapToken:
+                            description: BootstrapToken is used to set the options
+                              for bootstrap token based discovery BootstrapToken and
+                              File are mutually exclusive
+                            properties:
+                              apiServerEndpoint:
+                                description: APIServerEndpoint is an IP or domain
+                                  name to the API server from which info will be fetched.
+                                type: string
+                              caCertHashes:
+                                description: 'CACertHashes specifies a set of public
+                                  key pins to verify when token-based discovery is
+                                  used. The root CA found during discovery must match
+                                  one of these values. Specifying an empty set disables
+                                  root CA pinning, which can be unsafe. Each hash
+                                  is specified as "<type>:<value>", where the only
+                                  currently supported type is "sha256". This is a
+                                  hex-encoded SHA-256 hash of the Subject Public Key
+                                  Info (SPKI) object in DER-encoded ASN.1. These hashes
+                                  can be calculated using, for example, OpenSSL: openssl
+                                  x509 -pubkey -in ca.crt openssl rsa -pubin -outform
+                                  der 2>&/dev/null | openssl dgst -sha256 -hex'
+                                items:
+                                  type: string
+                                type: array
+                              token:
+                                description: Token is a token used to validate cluster
+                                  information fetched from the control-plane.
+                                type: string
+                              unsafeSkipCAVerification:
+                                description: UnsafeSkipCAVerification allows token-based
+                                  discovery without CA verification via CACertHashes.
+                                  This can weaken the security of kubeadm since other
+                                  nodes can impersonate the control-plane.
+                                type: boolean
+                            required:
+                            - token
+                            type: object
+                          file:
+                            description: File is used to specify a file or URL to
+                              a kubeconfig file from which to load cluster information
+                              BootstrapToken and File are mutually exclusive
+                            properties:
+                              kubeConfigPath:
+                                description: KubeConfigPath is used to specify the
+                                  actual file path or URL to the kubeconfig file from
+                                  which to load cluster information
+                                type: string
+                            required:
+                            - kubeConfigPath
+                            type: object
+                          timeout:
+                            description: Timeout modifies the discovery timeout
+                            type: string
+                          tlsBootstrapToken:
+                            description: TLSBootstrapToken is a token used for TLS
+                              bootstrapping. If .BootstrapToken is set, this field
+                              is defaulted to .BootstrapToken.Token, but can be overridden.
+                              If .File is set, this field **must be set** in case
+                              the KubeConfigFile does not contain any other authentication
+                              information
+                            type: string
+                        type: object
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      nodeRegistration:
+                        description: NodeRegistration holds fields that relate to
+                          registering the new control-plane node to the cluster. When
+                          used in the context of control plane nodes, NodeRegistration
+                          should remain consistent across both InitConfiguration and
+                          JoinConfiguration
+                        properties:
+                          criSocket:
+                            description: CRISocket is used to retrieve container runtime
+                              info. This information will be annotated to the Node
+                              API object, for later re-use
+                            type: string
+                          ignorePreflightErrors:
+                            description: IgnorePreflightErrors provides a slice of
+                              pre-flight errors to be ignored when the current node
+                              is registered.
+                            items:
+                              type: string
+                            type: array
+                          kubeletExtraArgs:
+                            additionalProperties:
+                              type: string
+                            description: KubeletExtraArgs passes through extra arguments
+                              to the kubelet. The arguments here are passed to the
+                              kubelet command line via the environment file kubeadm
+                              writes at runtime for the kubelet to source. This overrides
+                              the generic base-level configuration in the kubelet-config-1.X
+                              ConfigMap Flags have higher priority when parsing. These
+                              values are local and specific to the node kubeadm is
+                              executing on.
+                            type: object
+                          name:
+                            description: Name is the `.Metadata.Name` field of the
+                              Node API object that will be created in this `kubeadm
+                              init` or `kubeadm join` operation. This field is also
+                              used in the CommonName field of the kubelet's client
+                              certificate to the API server. Defaults to the hostname
+                              of the node if not provided.
+                            type: string
+                          taints:
+                            description: 'Taints specifies the taints the Node API
+                              object should be registered with. If this field is unset,
+                              i.e. nil, in the `kubeadm init` process it will be defaulted
+                              to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                              If you don''t want to taint your control-plane node,
+                              set this field to an empty slice, i.e. `taints: {}`
+                              in the YAML file. This field is solely used for Node
+                              registration.'
+                            items:
+                              description: The node this Taint is attached to has
+                                the "effect" on any pod that does not tolerate the
+                                Taint.
+                              properties:
+                                effect:
+                                  description: Required. The effect of the taint on
+                                    pods that do not tolerate the taint. Valid effects
+                                    are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: Required. The taint key to be applied
+                                    to a node.
+                                  type: string
+                                timeAdded:
+                                  description: TimeAdded represents the time at which
+                                    the taint was added. It is only written for NoExecute
+                                    taints.
+                                  format: date-time
+                                  type: string
+                                value:
+                                  description: The taint value corresponding to the
+                                    taint key.
+                                  type: string
+                              required:
+                              - effect
+                              - key
+                              type: object
+                            type: array
+                        type: object
+                      patches:
+                        description: Patches contains options related to applying
+                          patches to components deployed by kubeadm during "kubeadm
+                          join". The minimum kubernetes version needed to support
+                          Patches is v1.22
+                        properties:
+                          directory:
+                            description: Directory is a path to a directory that contains
+                              files named "target[suffix][+patchtype].extension".
+                              For example, "kube-apiserver0+merge.yaml" or just "etcd.json".
+                              "target" can be one of "kube-apiserver", "kube-controller-manager",
+                              "kube-scheduler", "etcd". "patchtype" can be one of
+                              "strategic" "merge" or "json" and they match the patch
+                              formats supported by kubectl. The default "patchtype"
+                              is "strategic". "extension" must be either "json" or
+                              "yaml". "suffix" is an optional string that can be used
+                              to determine which patches are applied first alpha-numerically.
+                              These files can be written into the target directory
+                              via KubeadmConfig.Files which specifies additional files
+                              to be created on the machine, either with content inline
+                              or by referencing a secret.
+                            type: string
+                        type: object
+                      skipPhases:
+                        description: SkipPhases is a list of phases to skip during
+                          command execution. The list of phases can be obtained with
+                          the "kubeadm init --help" command. This option takes effect
+                          only on Kubernetes >=1.22.0.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  mounts:
+                    description: Mounts specifies a list of mount points to be setup.
+                    items:
+                      description: MountPoints defines input for generated mounts
+                        in cloud-init.
+                      items:
+                        type: string
+                      type: array
+                    type: array
+                  ntp:
+                    description: NTP specifies NTP configuration
+                    properties:
+                      enabled:
+                        description: Enabled specifies whether NTP should be enabled
+                        type: boolean
+                      servers:
+                        description: Servers specifies which NTP servers to use
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  postKubeadmCommands:
+                    description: PostKubeadmCommands specifies extra commands to run
+                      after kubeadm runs
+                    items:
+                      type: string
+                    type: array
+                  preKubeadmCommands:
+                    description: PreKubeadmCommands specifies extra commands to run
+                      before kubeadm runs
+                    items:
+                      type: string
+                    type: array
+                  useExperimentalRetryJoin:
+                    description: "UseExperimentalRetryJoin replaces a basic kubeadm
+                      command with a shell script with retries for joins. \n This
+                      is meant to be an experimental temporary workaround on some
+                      environments where joins fail due to timing (and other issues).
+                      The long term goal is to add retries to kubeadm proper and use
+                      that functionality. \n This will add about 40KB to userdata
+                      \n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                    type: boolean
+                  users:
+                    description: Users specifies extra users to add
+                    items:
+                      description: User defines the input for a generated user in
+                        cloud-init.
+                      properties:
+                        gecos:
+                          description: Gecos specifies the gecos to use for the user
+                          type: string
+                        groups:
+                          description: Groups specifies the additional groups for
+                            the user
+                          type: string
+                        homeDir:
+                          description: HomeDir specifies the home directory to use
+                            for the user
+                          type: string
+                        inactive:
+                          description: Inactive specifies whether to mark the user
+                            as inactive
+                          type: boolean
+                        lockPassword:
+                          description: LockPassword specifies if password login should
+                            be disabled
+                          type: boolean
+                        name:
+                          description: Name specifies the user name
+                          type: string
+                        passwd:
+                          description: Passwd specifies a hashed password for the
+                            user
+                          type: string
+                        passwdFrom:
+                          description: PasswdFrom is a referenced source of passwd
+                            to populate the passwd.
+                          properties:
+                            secret:
+                              description: Secret represents a secret that should
+                                populate this password.
+                              properties:
+                                key:
+                                  description: Key is the key in the secret's data
+                                    map for this value.
+                                  type: string
+                                name:
+                                  description: Name of the secret in the KubeadmBootstrapConfig's
+                                    namespace to use.
+                                  type: string
+                              required:
+                              - key
+                              - name
+                              type: object
+                          required:
+                          - secret
+                          type: object
+                        primaryGroup:
+                          description: PrimaryGroup specifies the primary group for
+                            the user
+                          type: string
+                        shell:
+                          description: Shell specifies the user's shell
+                          type: string
+                        sshAuthorizedKeys:
+                          description: SSHAuthorizedKeys specifies a list of ssh authorized
+                            keys for the user
+                          items:
+                            type: string
+                          type: array
+                        sudo:
+                          description: Sudo specifies a sudo role for the user
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  verbosity:
+                    description: Verbosity is the number for the kubeadm log level
+                      verbosity. It overrides the `--v` flag in kubeadm commands.
+                    format: int32
+                    type: integer
+                type: object
+              machineTemplate:
+                description: MachineTemplate contains information about how machines
+                  should be shaped when creating or updating a control plane.
+                properties:
+                  infrastructureRef:
+                    description: InfrastructureRef is a required reference to a custom
+                      resource offered by an infrastructure provider.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  nodeDeletionTimeout:
+                    description: NodeDeletionTimeout defines how long the machine
+                      controller will attempt to delete the Node that the Machine
+                      hosts after the Machine is marked for deletion. A duration of
+                      0 will retry deletion indefinitely. If no value is provided,
+                      the default value for this property of the Machine resource
+                      will be used.
+                    type: string
+                  nodeDrainTimeout:
+                    description: 'NodeDrainTimeout is the total amount of time that
+                      the controller will spend on draining a controlplane node The
+                      default value is 0, meaning that the node can be drained without
+                      any time limitations. NOTE: NodeDrainTimeout is different from
+                      `kubectl drain --timeout`'
+                    type: string
+                required:
+                - infrastructureRef
+                type: object
+              replicas:
+                description: Number of desired machines. Defaults to 1. When stacked
+                  etcd is used only odd numbers are permitted, as per [etcd best practice](https://etcd.io/docs/v3.3.12/faq/#why-an-odd-number-of-cluster-members).
+                  This is a pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              rolloutAfter:
+                description: RolloutAfter is a field to indicate a rollout should
+                  be performed after the specified time even if no changes have been
+                  made to the KubeadmControlPlane.
+                format: date-time
+                type: string
+              rolloutStrategy:
+                default:
+                  rollingUpdate:
+                    maxSurge: 1
+                  type: RollingUpdate
+                description: The RolloutStrategy to use to replace control plane machines
+                  with new ones.
+                properties:
+                  rollingUpdate:
+                    description: Rolling update config params. Present only if RolloutStrategyType
+                      = RollingUpdate.
+                    properties:
+                      maxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of control planes that can
+                          be scheduled above or under the desired number of control
+                          planes. Value can be an absolute number 1 or 0. Defaults
+                          to 1. Example: when this is set to 1, the control plane
+                          can be scaled up immediately when the rolling update starts.'
+                        x-kubernetes-int-or-string: true
+                    type: object
+                  type:
+                    description: Type of rollout. Currently the only supported strategy
+                      is "RollingUpdate". Default is RollingUpdate.
+                    type: string
+                type: object
+              version:
+                description: Version defines the desired Kubernetes version.
+                type: string
+            required:
+            - kubeadmConfigSpec
+            - machineTemplate
+            - version
+            type: object
+          status:
+            description: KubeadmControlPlaneStatus defines the observed state of KubeadmControlPlane.
+            properties:
+              conditions:
+                description: Conditions defines current service state of the KubeadmControlPlane.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: ErrorMessage indicates that there is a terminal problem
+                  reconciling the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a terminal problem
+                  reconciling the state, and will be set to a token value suitable
+                  for programmatic interpretation.
+                type: string
+              initialized:
+                description: Initialized denotes whether or not the control plane
+                  has the uploaded kubeadm-config configmap.
+                type: boolean
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              ready:
+                description: Ready denotes that the KubeadmControlPlane API Server
+                  is ready to receive requests.
+                type: boolean
+              readyReplicas:
+                description: Total number of fully running and ready control plane
+                  machines.
+                format: int32
+                type: integer
+              replicas:
+                description: Total number of non-terminated machines targeted by this
+                  control plane (their labels match the selector).
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the label selector in string format to avoid
+                  introspection by clients, and is used to provide the CRD-based integration
+                  for the scale subresource and additional integrations for things
+                  like kubectl describe.. The string will be in the same format as
+                  the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+              unavailableReplicas:
+                description: Total number of unavailable machines targeted by this
+                  control plane. This is the total number of machines that are still
+                  required for the deployment to have 100% available capacity. They
+                  may either be machines that are running but not yet ready or machines
+                  that still have not been created.
+                format: int32
+                type: integer
+              updatedReplicas:
+                description: Total number of non-terminated machines targeted by this
+                  control plane that have the desired template spec.
+                format: int32
+                type: integer
+              version:
+                description: Version represents the minimum Kubernetes version for
+                  the control plane machines in the cluster.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-kubeadm-control-plane-system/capi-kubeadm-control-plane-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+    cluster.x-k8s.io/v1alpha3: v1alpha3
+    cluster.x-k8s.io/v1alpha4: v1alpha4
+    cluster.x-k8s.io/v1beta1: v1beta1
+  name: kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-kubeadm-control-plane-webhook-service
+          namespace: capi-kubeadm-control-plane-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: controlplane.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: KubeadmControlPlaneTemplate
+    listKind: KubeadmControlPlaneTemplateList
+    plural: kubeadmcontrolplanetemplates
+    singular: kubeadmcontrolplanetemplate
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Time duration since creation of KubeadmControlPlaneTemplate
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: KubeadmControlPlaneTemplate is the Schema for the kubeadmcontrolplanetemplates
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmControlPlaneTemplateSpec defines the desired state
+              of KubeadmControlPlaneTemplate.
+            properties:
+              template:
+                description: KubeadmControlPlaneTemplateResource describes the data
+                  needed to create a KubeadmControlPlane from a template.
+                properties:
+                  spec:
+                    description: KubeadmControlPlaneSpec defines the desired state
+                      of KubeadmControlPlane.
+                    properties:
+                      kubeadmConfigSpec:
+                        description: KubeadmConfigSpec is a KubeadmConfigSpec to use
+                          for initializing and joining machines to the control plane.
+                        properties:
+                          clusterConfiguration:
+                            description: ClusterConfiguration along with InitConfiguration
+                              are the configurations necessary for the init command
+                            properties:
+                              apiServer:
+                                description: APIServer contains extra settings for
+                                  the API server control plane component
+                                properties:
+                                  certSANs:
+                                    description: CertSANs sets extra Subject Alternative
+                                      Names for the API Server signing cert.
+                                    items:
+                                      type: string
+                                    type: array
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'ExtraArgs is an extra set of flags
+                                      to pass to the control plane component. TODO:
+                                      This is temporary and ideally we would like
+                                      to switch all components to use ComponentConfig
+                                      + ConfigMaps.'
+                                    type: object
+                                  extraVolumes:
+                                    description: ExtraVolumes is an extra set of host
+                                      volumes, mounted to the control plane component.
+                                    items:
+                                      description: HostPathMount contains elements
+                                        describing volumes that are mounted from the
+                                        host.
+                                      properties:
+                                        hostPath:
+                                          description: HostPath is the path in the
+                                            host that will be mounted inside the pod.
+                                          type: string
+                                        mountPath:
+                                          description: MountPath is the path inside
+                                            the pod where hostPath will be mounted.
+                                          type: string
+                                        name:
+                                          description: Name of the volume inside the
+                                            pod template.
+                                          type: string
+                                        pathType:
+                                          description: PathType is the type of the
+                                            HostPath.
+                                          type: string
+                                        readOnly:
+                                          description: ReadOnly controls write access
+                                            to the volume
+                                          type: boolean
+                                      required:
+                                      - hostPath
+                                      - mountPath
+                                      - name
+                                      type: object
+                                    type: array
+                                  timeoutForControlPlane:
+                                    description: TimeoutForControlPlane controls the
+                                      timeout that we use for API server to appear
+                                    type: string
+                                type: object
+                              apiVersion:
+                                description: 'APIVersion defines the versioned schema
+                                  of this representation of an object. Servers should
+                                  convert recognized schemas to the latest internal
+                                  value, and may reject unrecognized values. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                                type: string
+                              certificatesDir:
+                                description: 'CertificatesDir specifies where to store
+                                  or look for all required certificates. NB: if not
+                                  provided, this will default to `/etc/kubernetes/pki`'
+                                type: string
+                              clusterName:
+                                description: The cluster name
+                                type: string
+                              controlPlaneEndpoint:
+                                description: 'ControlPlaneEndpoint sets a stable IP
+                                  address or DNS name for the control plane; it can
+                                  be a valid IP address or a RFC-1123 DNS subdomain,
+                                  both with optional TCP port. In case the ControlPlaneEndpoint
+                                  is not specified, the AdvertiseAddress + BindPort
+                                  are used; in case the ControlPlaneEndpoint is specified
+                                  but without a TCP port, the BindPort is used. Possible
+                                  usages are: e.g. In a cluster with more than one
+                                  control plane instances, this field should be assigned
+                                  the address of the external load balancer in front
+                                  of the control plane instances. e.g.  in environments
+                                  with enforced node recycling, the ControlPlaneEndpoint
+                                  could be used for assigning a stable DNS to the
+                                  control plane. NB: This value defaults to the first
+                                  value in the Cluster object status.apiEndpoints
+                                  array.'
+                                type: string
+                              controllerManager:
+                                description: ControllerManager contains extra settings
+                                  for the controller manager control plane component
+                                properties:
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'ExtraArgs is an extra set of flags
+                                      to pass to the control plane component. TODO:
+                                      This is temporary and ideally we would like
+                                      to switch all components to use ComponentConfig
+                                      + ConfigMaps.'
+                                    type: object
+                                  extraVolumes:
+                                    description: ExtraVolumes is an extra set of host
+                                      volumes, mounted to the control plane component.
+                                    items:
+                                      description: HostPathMount contains elements
+                                        describing volumes that are mounted from the
+                                        host.
+                                      properties:
+                                        hostPath:
+                                          description: HostPath is the path in the
+                                            host that will be mounted inside the pod.
+                                          type: string
+                                        mountPath:
+                                          description: MountPath is the path inside
+                                            the pod where hostPath will be mounted.
+                                          type: string
+                                        name:
+                                          description: Name of the volume inside the
+                                            pod template.
+                                          type: string
+                                        pathType:
+                                          description: PathType is the type of the
+                                            HostPath.
+                                          type: string
+                                        readOnly:
+                                          description: ReadOnly controls write access
+                                            to the volume
+                                          type: boolean
+                                      required:
+                                      - hostPath
+                                      - mountPath
+                                      - name
+                                      type: object
+                                    type: array
+                                type: object
+                              dns:
+                                description: DNS defines the options for the DNS add-on
+                                  installed in the cluster.
+                                properties:
+                                  imageRepository:
+                                    description: ImageRepository sets the container
+                                      registry to pull images from. if not set, the
+                                      ImageRepository defined in ClusterConfiguration
+                                      will be used instead.
+                                    type: string
+                                  imageTag:
+                                    description: ImageTag allows to specify a tag
+                                      for the image. In case this value is set, kubeadm
+                                      does not change automatically the version of
+                                      the above components during upgrades.
+                                    type: string
+                                type: object
+                              etcd:
+                                description: 'Etcd holds configuration for etcd. NB:
+                                  This value defaults to a Local (stacked) etcd'
+                                properties:
+                                  external:
+                                    description: External describes how to connect
+                                      to an external etcd cluster Local and External
+                                      are mutually exclusive
+                                    properties:
+                                      caFile:
+                                        description: CAFile is an SSL Certificate
+                                          Authority file used to secure etcd communication.
+                                          Required if using a TLS connection.
+                                        type: string
+                                      certFile:
+                                        description: CertFile is an SSL certification
+                                          file used to secure etcd communication.
+                                          Required if using a TLS connection.
+                                        type: string
+                                      endpoints:
+                                        description: Endpoints of etcd members. Required
+                                          for ExternalEtcd.
+                                        items:
+                                          type: string
+                                        type: array
+                                      keyFile:
+                                        description: KeyFile is an SSL key file used
+                                          to secure etcd communication. Required if
+                                          using a TLS connection.
+                                        type: string
+                                    required:
+                                    - caFile
+                                    - certFile
+                                    - endpoints
+                                    - keyFile
+                                    type: object
+                                  local:
+                                    description: Local provides configuration knobs
+                                      for configuring the local etcd instance Local
+                                      and External are mutually exclusive
+                                    properties:
+                                      dataDir:
+                                        description: DataDir is the directory etcd
+                                          will place its data. Defaults to "/var/lib/etcd".
+                                        type: string
+                                      extraArgs:
+                                        additionalProperties:
+                                          type: string
+                                        description: ExtraArgs are extra arguments
+                                          provided to the etcd binary when run inside
+                                          a static pod.
+                                        type: object
+                                      imageRepository:
+                                        description: ImageRepository sets the container
+                                          registry to pull images from. if not set,
+                                          the ImageRepository defined in ClusterConfiguration
+                                          will be used instead.
+                                        type: string
+                                      imageTag:
+                                        description: ImageTag allows to specify a
+                                          tag for the image. In case this value is
+                                          set, kubeadm does not change automatically
+                                          the version of the above components during
+                                          upgrades.
+                                        type: string
+                                      peerCertSANs:
+                                        description: PeerCertSANs sets extra Subject
+                                          Alternative Names for the etcd peer signing
+                                          cert.
+                                        items:
+                                          type: string
+                                        type: array
+                                      serverCertSANs:
+                                        description: ServerCertSANs sets extra Subject
+                                          Alternative Names for the etcd server signing
+                                          cert.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                type: object
+                              featureGates:
+                                additionalProperties:
+                                  type: boolean
+                                description: FeatureGates enabled by the user.
+                                type: object
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. If empty, `k8s.gcr.io` will
+                                  be used by default; in case of kubernetes version
+                                  is a CI build (kubernetes version starts with `ci/`
+                                  or `ci-cross/`) `gcr.io/k8s-staging-ci-images` will
+                                  be used as a default for control plane components
+                                  and for kube-proxy, while `k8s.gcr.io` will be used
+                                  for all the other images.
+                                type: string
+                              kind:
+                                description: 'Kind is a string value representing
+                                  the REST resource this object represents. Servers
+                                  may infer this from the endpoint the client submits
+                                  requests to. Cannot be updated. In CamelCase. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              kubernetesVersion:
+                                description: 'KubernetesVersion is the target version
+                                  of the control plane. NB: This value defaults to
+                                  the Machine object spec.version'
+                                type: string
+                              networking:
+                                description: 'Networking holds configuration for the
+                                  networking topology of the cluster. NB: This value
+                                  defaults to the Cluster object spec.clusterNetwork.'
+                                properties:
+                                  dnsDomain:
+                                    description: DNSDomain is the dns domain used
+                                      by k8s services. Defaults to "cluster.local".
+                                    type: string
+                                  podSubnet:
+                                    description: PodSubnet is the subnet used by pods.
+                                      If unset, the API server will not allocate CIDR
+                                      ranges for every node. Defaults to a comma-delimited
+                                      string of the Cluster object's spec.clusterNetwork.services.cidrBlocks
+                                      if that is set
+                                    type: string
+                                  serviceSubnet:
+                                    description: ServiceSubnet is the subnet used
+                                      by k8s services. Defaults to a comma-delimited
+                                      string of the Cluster object's spec.clusterNetwork.pods.cidrBlocks,
+                                      or to "10.96.0.0/12" if that's unset.
+                                    type: string
+                                type: object
+                              scheduler:
+                                description: Scheduler contains extra settings for
+                                  the scheduler control plane component
+                                properties:
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'ExtraArgs is an extra set of flags
+                                      to pass to the control plane component. TODO:
+                                      This is temporary and ideally we would like
+                                      to switch all components to use ComponentConfig
+                                      + ConfigMaps.'
+                                    type: object
+                                  extraVolumes:
+                                    description: ExtraVolumes is an extra set of host
+                                      volumes, mounted to the control plane component.
+                                    items:
+                                      description: HostPathMount contains elements
+                                        describing volumes that are mounted from the
+                                        host.
+                                      properties:
+                                        hostPath:
+                                          description: HostPath is the path in the
+                                            host that will be mounted inside the pod.
+                                          type: string
+                                        mountPath:
+                                          description: MountPath is the path inside
+                                            the pod where hostPath will be mounted.
+                                          type: string
+                                        name:
+                                          description: Name of the volume inside the
+                                            pod template.
+                                          type: string
+                                        pathType:
+                                          description: PathType is the type of the
+                                            HostPath.
+                                          type: string
+                                        readOnly:
+                                          description: ReadOnly controls write access
+                                            to the volume
+                                          type: boolean
+                                      required:
+                                      - hostPath
+                                      - mountPath
+                                      - name
+                                      type: object
+                                    type: array
+                                type: object
+                            type: object
+                          diskSetup:
+                            description: DiskSetup specifies options for the creation
+                              of partition tables and file systems on devices.
+                            properties:
+                              filesystems:
+                                description: Filesystems specifies the list of file
+                                  systems to setup.
+                                items:
+                                  description: Filesystem defines the file systems
+                                    to be created.
+                                  properties:
+                                    device:
+                                      description: Device specifies the device name
+                                      type: string
+                                    extraOpts:
+                                      description: ExtraOpts defined extra options
+                                        to add to the command for creating the file
+                                        system.
+                                      items:
+                                        type: string
+                                      type: array
+                                    filesystem:
+                                      description: Filesystem specifies the file system
+                                        type.
+                                      type: string
+                                    label:
+                                      description: Label specifies the file system
+                                        label to be used. If set to None, no label
+                                        is used.
+                                      type: string
+                                    overwrite:
+                                      description: Overwrite defines whether or not
+                                        to overwrite any existing filesystem. If true,
+                                        any pre-existing file system will be destroyed.
+                                        Use with Caution.
+                                      type: boolean
+                                    partition:
+                                      description: 'Partition specifies the partition
+                                        to use. The valid options are: "auto|any",
+                                        "auto", "any", "none", and <NUM>, where NUM
+                                        is the actual partition number.'
+                                      type: string
+                                    replaceFS:
+                                      description: 'ReplaceFS is a special directive,
+                                        used for Microsoft Azure that instructs cloud-init
+                                        to replace a file system of <FS_TYPE>. NOTE:
+                                        unless you define a label, this requires the
+                                        use of the ''any'' partition directive.'
+                                      type: string
+                                  required:
+                                  - device
+                                  - filesystem
+                                  - label
+                                  type: object
+                                type: array
+                              partitions:
+                                description: Partitions specifies the list of the
+                                  partitions to setup.
+                                items:
+                                  description: Partition defines how to create and
+                                    layout a partition.
+                                  properties:
+                                    device:
+                                      description: Device is the name of the device.
+                                      type: string
+                                    layout:
+                                      description: Layout specifies the device layout.
+                                        If it is true, a single partition will be
+                                        created for the entire device. When layout
+                                        is false, it means don't partition or ignore
+                                        existing partitioning.
+                                      type: boolean
+                                    overwrite:
+                                      description: Overwrite describes whether to
+                                        skip checks and create the partition if a
+                                        partition or filesystem is found on the device.
+                                        Use with caution. Default is 'false'.
+                                      type: boolean
+                                    tableType:
+                                      description: 'TableType specifies the tupe of
+                                        partition table. The following are supported:
+                                        ''mbr'': default and setups a MS-DOS partition
+                                        table ''gpt'': setups a GPT partition table'
+                                      type: string
+                                  required:
+                                  - device
+                                  - layout
+                                  type: object
+                                type: array
+                            type: object
+                          files:
+                            description: Files specifies extra files to be passed
+                              to user_data upon creation.
+                            items:
+                              description: File defines the input for generating write_files
+                                in cloud-init.
+                              properties:
+                                content:
+                                  description: Content is the actual content of the
+                                    file.
+                                  type: string
+                                contentFrom:
+                                  description: ContentFrom is a referenced source
+                                    of content to populate the file.
+                                  properties:
+                                    secret:
+                                      description: Secret represents a secret that
+                                        should populate this file.
+                                      properties:
+                                        key:
+                                          description: Key is the key in the secret's
+                                            data map for this value.
+                                          type: string
+                                        name:
+                                          description: Name of the secret in the KubeadmBootstrapConfig's
+                                            namespace to use.
+                                          type: string
+                                      required:
+                                      - key
+                                      - name
+                                      type: object
+                                  required:
+                                  - secret
+                                  type: object
+                                encoding:
+                                  description: Encoding specifies the encoding of
+                                    the file contents.
+                                  enum:
+                                  - base64
+                                  - gzip
+                                  - gzip+base64
+                                  type: string
+                                owner:
+                                  description: Owner specifies the ownership of the
+                                    file, e.g. "root:root".
+                                  type: string
+                                path:
+                                  description: Path specifies the full path on disk
+                                    where to store the file.
+                                  type: string
+                                permissions:
+                                  description: Permissions specifies the permissions
+                                    to assign to the file, e.g. "0640".
+                                  type: string
+                              required:
+                              - path
+                              type: object
+                            type: array
+                          format:
+                            description: Format specifies the output format of the
+                              bootstrap data
+                            enum:
+                            - cloud-config
+                            type: string
+                          initConfiguration:
+                            description: InitConfiguration along with ClusterConfiguration
+                              are the configurations necessary for the init command
+                            properties:
+                              apiVersion:
+                                description: 'APIVersion defines the versioned schema
+                                  of this representation of an object. Servers should
+                                  convert recognized schemas to the latest internal
+                                  value, and may reject unrecognized values. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                                type: string
+                              bootstrapTokens:
+                                description: BootstrapTokens is respected at `kubeadm
+                                  init` time and describes a set of Bootstrap Tokens
+                                  to create. This information IS NOT uploaded to the
+                                  kubeadm cluster configmap, partly because of its
+                                  sensitive nature
+                                items:
+                                  description: BootstrapToken describes one bootstrap
+                                    token, stored as a Secret in the cluster.
+                                  properties:
+                                    description:
+                                      description: Description sets a human-friendly
+                                        message why this token exists and what it's
+                                        used for, so other administrators can know
+                                        its purpose.
+                                      type: string
+                                    expires:
+                                      description: Expires specifies the timestamp
+                                        when this token expires. Defaults to being
+                                        set dynamically at runtime based on the TTL.
+                                        Expires and TTL are mutually exclusive.
+                                      format: date-time
+                                      type: string
+                                    groups:
+                                      description: Groups specifies the extra groups
+                                        that this token will authenticate as when/if
+                                        used for authentication
+                                      items:
+                                        type: string
+                                      type: array
+                                    token:
+                                      description: Token is used for establishing
+                                        bidirectional trust between nodes and control-planes.
+                                        Used for joining nodes in the cluster.
+                                      type: string
+                                    ttl:
+                                      description: TTL defines the time to live for
+                                        this token. Defaults to 24h. Expires and TTL
+                                        are mutually exclusive.
+                                      type: string
+                                    usages:
+                                      description: Usages describes the ways in which
+                                        this token can be used. Can by default be
+                                        used for establishing bidirectional trust,
+                                        but that can be changed here.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - token
+                                  type: object
+                                type: array
+                              kind:
+                                description: 'Kind is a string value representing
+                                  the REST resource this object represents. Servers
+                                  may infer this from the endpoint the client submits
+                                  requests to. Cannot be updated. In CamelCase. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              localAPIEndpoint:
+                                description: LocalAPIEndpoint represents the endpoint
+                                  of the API server instance that's deployed on this
+                                  control plane node In HA setups, this differs from
+                                  ClusterConfiguration.ControlPlaneEndpoint in the
+                                  sense that ControlPlaneEndpoint is the global endpoint
+                                  for the cluster, which then loadbalances the requests
+                                  to each individual API server. This configuration
+                                  object lets you customize what IP/DNS name and port
+                                  the local API server advertises it's accessible
+                                  on. By default, kubeadm tries to auto-detect the
+                                  IP of the default interface and use that, but in
+                                  case that process fails you may set the desired
+                                  value here.
+                                properties:
+                                  advertiseAddress:
+                                    description: AdvertiseAddress sets the IP address
+                                      for the API server to advertise.
+                                    type: string
+                                  bindPort:
+                                    description: BindPort sets the secure port for
+                                      the API Server to bind to. Defaults to 6443.
+                                    format: int32
+                                    type: integer
+                                type: object
+                              nodeRegistration:
+                                description: NodeRegistration holds fields that relate
+                                  to registering the new control-plane node to the
+                                  cluster. When used in the context of control plane
+                                  nodes, NodeRegistration should remain consistent
+                                  across both InitConfiguration and JoinConfiguration
+                                properties:
+                                  criSocket:
+                                    description: CRISocket is used to retrieve container
+                                      runtime info. This information will be annotated
+                                      to the Node API object, for later re-use
+                                    type: string
+                                  ignorePreflightErrors:
+                                    description: IgnorePreflightErrors provides a
+                                      slice of pre-flight errors to be ignored when
+                                      the current node is registered.
+                                    items:
+                                      type: string
+                                    type: array
+                                  kubeletExtraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: KubeletExtraArgs passes through extra
+                                      arguments to the kubelet. The arguments here
+                                      are passed to the kubelet command line via the
+                                      environment file kubeadm writes at runtime for
+                                      the kubelet to source. This overrides the generic
+                                      base-level configuration in the kubelet-config-1.X
+                                      ConfigMap Flags have higher priority when parsing.
+                                      These values are local and specific to the node
+                                      kubeadm is executing on.
+                                    type: object
+                                  name:
+                                    description: Name is the `.Metadata.Name` field
+                                      of the Node API object that will be created
+                                      in this `kubeadm init` or `kubeadm join` operation.
+                                      This field is also used in the CommonName field
+                                      of the kubelet's client certificate to the API
+                                      server. Defaults to the hostname of the node
+                                      if not provided.
+                                    type: string
+                                  taints:
+                                    description: 'Taints specifies the taints the
+                                      Node API object should be registered with. If
+                                      this field is unset, i.e. nil, in the `kubeadm
+                                      init` process it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                      If you don''t want to taint your control-plane
+                                      node, set this field to an empty slice, i.e.
+                                      `taints: {}` in the YAML file. This field is
+                                      solely used for Node registration.'
+                                    items:
+                                      description: The node this Taint is attached
+                                        to has the "effect" on any pod that does not
+                                        tolerate the Taint.
+                                      properties:
+                                        effect:
+                                          description: Required. The effect of the
+                                            taint on pods that do not tolerate the
+                                            taint. Valid effects are NoSchedule, PreferNoSchedule
+                                            and NoExecute.
+                                          type: string
+                                        key:
+                                          description: Required. The taint key to
+                                            be applied to a node.
+                                          type: string
+                                        timeAdded:
+                                          description: TimeAdded represents the time
+                                            at which the taint was added. It is only
+                                            written for NoExecute taints.
+                                          format: date-time
+                                          type: string
+                                        value:
+                                          description: The taint value corresponding
+                                            to the taint key.
+                                          type: string
+                                      required:
+                                      - effect
+                                      - key
+                                      type: object
+                                    type: array
+                                type: object
+                            type: object
+                          joinConfiguration:
+                            description: JoinConfiguration is the kubeadm configuration
+                              for the join command
+                            properties:
+                              apiVersion:
+                                description: 'APIVersion defines the versioned schema
+                                  of this representation of an object. Servers should
+                                  convert recognized schemas to the latest internal
+                                  value, and may reject unrecognized values. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                                type: string
+                              caCertPath:
+                                description: 'CACertPath is the path to the SSL certificate
+                                  authority used to secure comunications between node
+                                  and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                                  TODO: revisit when there is defaulting from k/k'
+                                type: string
+                              controlPlane:
+                                description: ControlPlane defines the additional control
+                                  plane instance to be deployed on the joining node.
+                                  If nil, no additional control plane instance will
+                                  be deployed.
+                                properties:
+                                  localAPIEndpoint:
+                                    description: LocalAPIEndpoint represents the endpoint
+                                      of the API server instance to be deployed on
+                                      this node.
+                                    properties:
+                                      advertiseAddress:
+                                        description: AdvertiseAddress sets the IP
+                                          address for the API server to advertise.
+                                        type: string
+                                      bindPort:
+                                        description: BindPort sets the secure port
+                                          for the API Server to bind to. Defaults
+                                          to 6443.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                type: object
+                              discovery:
+                                description: 'Discovery specifies the options for
+                                  the kubelet to use during the TLS Bootstrap process
+                                  TODO: revisit when there is defaulting from k/k'
+                                properties:
+                                  bootstrapToken:
+                                    description: BootstrapToken is used to set the
+                                      options for bootstrap token based discovery
+                                      BootstrapToken and File are mutually exclusive
+                                    properties:
+                                      apiServerEndpoint:
+                                        description: APIServerEndpoint is an IP or
+                                          domain name to the API server from which
+                                          info will be fetched.
+                                        type: string
+                                      caCertHashes:
+                                        description: 'CACertHashes specifies a set
+                                          of public key pins to verify when token-based
+                                          discovery is used. The root CA found during
+                                          discovery must match one of these values.
+                                          Specifying an empty set disables root CA
+                                          pinning, which can be unsafe. Each hash
+                                          is specified as "<type>:<value>", where
+                                          the only currently supported type is "sha256".
+                                          This is a hex-encoded SHA-256 hash of the
+                                          Subject Public Key Info (SPKI) object in
+                                          DER-encoded ASN.1. These hashes can be calculated
+                                          using, for example, OpenSSL: openssl x509
+                                          -pubkey -in ca.crt openssl rsa -pubin -outform
+                                          der 2>&/dev/null | openssl dgst -sha256
+                                          -hex'
+                                        items:
+                                          type: string
+                                        type: array
+                                      token:
+                                        description: Token is a token used to validate
+                                          cluster information fetched from the control-plane.
+                                        type: string
+                                      unsafeSkipCAVerification:
+                                        description: UnsafeSkipCAVerification allows
+                                          token-based discovery without CA verification
+                                          via CACertHashes. This can weaken the security
+                                          of kubeadm since other nodes can impersonate
+                                          the control-plane.
+                                        type: boolean
+                                    required:
+                                    - token
+                                    type: object
+                                  file:
+                                    description: File is used to specify a file or
+                                      URL to a kubeconfig file from which to load
+                                      cluster information BootstrapToken and File
+                                      are mutually exclusive
+                                    properties:
+                                      kubeConfigPath:
+                                        description: KubeConfigPath is used to specify
+                                          the actual file path or URL to the kubeconfig
+                                          file from which to load cluster information
+                                        type: string
+                                    required:
+                                    - kubeConfigPath
+                                    type: object
+                                  timeout:
+                                    description: Timeout modifies the discovery timeout
+                                    type: string
+                                  tlsBootstrapToken:
+                                    description: TLSBootstrapToken is a token used
+                                      for TLS bootstrapping. If .BootstrapToken is
+                                      set, this field is defaulted to .BootstrapToken.Token,
+                                      but can be overridden. If .File is set, this
+                                      field **must be set** in case the KubeConfigFile
+                                      does not contain any other authentication information
+                                    type: string
+                                type: object
+                              kind:
+                                description: 'Kind is a string value representing
+                                  the REST resource this object represents. Servers
+                                  may infer this from the endpoint the client submits
+                                  requests to. Cannot be updated. In CamelCase. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              nodeRegistration:
+                                description: NodeRegistration holds fields that relate
+                                  to registering the new control-plane node to the
+                                  cluster. When used in the context of control plane
+                                  nodes, NodeRegistration should remain consistent
+                                  across both InitConfiguration and JoinConfiguration
+                                properties:
+                                  criSocket:
+                                    description: CRISocket is used to retrieve container
+                                      runtime info. This information will be annotated
+                                      to the Node API object, for later re-use
+                                    type: string
+                                  ignorePreflightErrors:
+                                    description: IgnorePreflightErrors provides a
+                                      slice of pre-flight errors to be ignored when
+                                      the current node is registered.
+                                    items:
+                                      type: string
+                                    type: array
+                                  kubeletExtraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: KubeletExtraArgs passes through extra
+                                      arguments to the kubelet. The arguments here
+                                      are passed to the kubelet command line via the
+                                      environment file kubeadm writes at runtime for
+                                      the kubelet to source. This overrides the generic
+                                      base-level configuration in the kubelet-config-1.X
+                                      ConfigMap Flags have higher priority when parsing.
+                                      These values are local and specific to the node
+                                      kubeadm is executing on.
+                                    type: object
+                                  name:
+                                    description: Name is the `.Metadata.Name` field
+                                      of the Node API object that will be created
+                                      in this `kubeadm init` or `kubeadm join` operation.
+                                      This field is also used in the CommonName field
+                                      of the kubelet's client certificate to the API
+                                      server. Defaults to the hostname of the node
+                                      if not provided.
+                                    type: string
+                                  taints:
+                                    description: 'Taints specifies the taints the
+                                      Node API object should be registered with. If
+                                      this field is unset, i.e. nil, in the `kubeadm
+                                      init` process it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                      If you don''t want to taint your control-plane
+                                      node, set this field to an empty slice, i.e.
+                                      `taints: {}` in the YAML file. This field is
+                                      solely used for Node registration.'
+                                    items:
+                                      description: The node this Taint is attached
+                                        to has the "effect" on any pod that does not
+                                        tolerate the Taint.
+                                      properties:
+                                        effect:
+                                          description: Required. The effect of the
+                                            taint on pods that do not tolerate the
+                                            taint. Valid effects are NoSchedule, PreferNoSchedule
+                                            and NoExecute.
+                                          type: string
+                                        key:
+                                          description: Required. The taint key to
+                                            be applied to a node.
+                                          type: string
+                                        timeAdded:
+                                          description: TimeAdded represents the time
+                                            at which the taint was added. It is only
+                                            written for NoExecute taints.
+                                          format: date-time
+                                          type: string
+                                        value:
+                                          description: The taint value corresponding
+                                            to the taint key.
+                                          type: string
+                                      required:
+                                      - effect
+                                      - key
+                                      type: object
+                                    type: array
+                                type: object
+                            type: object
+                          mounts:
+                            description: Mounts specifies a list of mount points to
+                              be setup.
+                            items:
+                              description: MountPoints defines input for generated
+                                mounts in cloud-init.
+                              items:
+                                type: string
+                              type: array
+                            type: array
+                          ntp:
+                            description: NTP specifies NTP configuration
+                            properties:
+                              enabled:
+                                description: Enabled specifies whether NTP should
+                                  be enabled
+                                type: boolean
+                              servers:
+                                description: Servers specifies which NTP servers to
+                                  use
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          postKubeadmCommands:
+                            description: PostKubeadmCommands specifies extra commands
+                              to run after kubeadm runs
+                            items:
+                              type: string
+                            type: array
+                          preKubeadmCommands:
+                            description: PreKubeadmCommands specifies extra commands
+                              to run before kubeadm runs
+                            items:
+                              type: string
+                            type: array
+                          useExperimentalRetryJoin:
+                            description: "UseExperimentalRetryJoin replaces a basic
+                              kubeadm command with a shell script with retries for
+                              joins. \n This is meant to be an experimental temporary
+                              workaround on some environments where joins fail due
+                              to timing (and other issues). The long term goal is
+                              to add retries to kubeadm proper and use that functionality.
+                              \n This will add about 40KB to userdata \n For more
+                              information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                            type: boolean
+                          users:
+                            description: Users specifies extra users to add
+                            items:
+                              description: User defines the input for a generated
+                                user in cloud-init.
+                              properties:
+                                gecos:
+                                  description: Gecos specifies the gecos to use for
+                                    the user
+                                  type: string
+                                groups:
+                                  description: Groups specifies the additional groups
+                                    for the user
+                                  type: string
+                                homeDir:
+                                  description: HomeDir specifies the home directory
+                                    to use for the user
+                                  type: string
+                                inactive:
+                                  description: Inactive specifies whether to mark
+                                    the user as inactive
+                                  type: boolean
+                                lockPassword:
+                                  description: LockPassword specifies if password
+                                    login should be disabled
+                                  type: boolean
+                                name:
+                                  description: Name specifies the user name
+                                  type: string
+                                passwd:
+                                  description: Passwd specifies a hashed password
+                                    for the user
+                                  type: string
+                                primaryGroup:
+                                  description: PrimaryGroup specifies the primary
+                                    group for the user
+                                  type: string
+                                shell:
+                                  description: Shell specifies the user's shell
+                                  type: string
+                                sshAuthorizedKeys:
+                                  description: SSHAuthorizedKeys specifies a list
+                                    of ssh authorized keys for the user
+                                  items:
+                                    type: string
+                                  type: array
+                                sudo:
+                                  description: Sudo specifies a sudo role for the
+                                    user
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                          verbosity:
+                            description: Verbosity is the number for the kubeadm log
+                              level verbosity. It overrides the `--v` flag in kubeadm
+                              commands.
+                            format: int32
+                            type: integer
+                        type: object
+                      machineTemplate:
+                        description: MachineTemplate contains information about how
+                          machines should be shaped when creating or updating a control
+                          plane.
+                        properties:
+                          infrastructureRef:
+                            description: InfrastructureRef is a required reference
+                              to a custom resource offered by an infrastructure provider.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          metadata:
+                            description: 'Standard object''s metadata. More info:
+                              https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                            properties:
+                              annotations:
+                                additionalProperties:
+                                  type: string
+                                description: 'Annotations is an unstructured key value
+                                  map stored with a resource that may be set by external
+                                  tools to store and retrieve arbitrary metadata.
+                                  They are not queryable and should be preserved when
+                                  modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations'
+                                type: object
+                              labels:
+                                additionalProperties:
+                                  type: string
+                                description: 'Map of string keys and values that can
+                                  be used to organize and categorize (scope and select)
+                                  objects. May match selectors of replication controllers
+                                  and services. More info: http://kubernetes.io/docs/user-guide/labels'
+                                type: object
+                            type: object
+                          nodeDrainTimeout:
+                            description: 'NodeDrainTimeout is the total amount of
+                              time that the controller will spend on draining a controlplane
+                              node The default value is 0, meaning that the node can
+                              be drained without any time limitations. NOTE: NodeDrainTimeout
+                              is different from `kubectl drain --timeout`'
+                            type: string
+                        required:
+                        - infrastructureRef
+                        type: object
+                      replicas:
+                        description: Number of desired machines. Defaults to 1. When
+                          stacked etcd is used only odd numbers are permitted, as
+                          per [etcd best practice](https://etcd.io/docs/v3.3.12/faq/#why-an-odd-number-of-cluster-members).
+                          This is a pointer to distinguish between explicit zero and
+                          not specified.
+                        format: int32
+                        type: integer
+                      rolloutAfter:
+                        description: RolloutAfter is a field to indicate a rollout
+                          should be performed after the specified time even if no
+                          changes have been made to the KubeadmControlPlane.
+                        format: date-time
+                        type: string
+                      rolloutStrategy:
+                        default:
+                          rollingUpdate:
+                            maxSurge: 1
+                          type: RollingUpdate
+                        description: The RolloutStrategy to use to replace control
+                          plane machines with new ones.
+                        properties:
+                          rollingUpdate:
+                            description: Rolling update config params. Present only
+                              if RolloutStrategyType = RollingUpdate.
+                            properties:
+                              maxSurge:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: 'The maximum number of control planes
+                                  that can be scheduled above or under the desired
+                                  number of control planes. Value can be an absolute
+                                  number 1 or 0. Defaults to 1. Example: when this
+                                  is set to 1, the control plane can be scaled up
+                                  immediately when the rolling update starts.'
+                                x-kubernetes-int-or-string: true
+                            type: object
+                          type:
+                            description: Type of rollout. Currently the only supported
+                              strategy is "RollingUpdate". Default is RollingUpdate.
+                            type: string
+                        type: object
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                        type: string
+                    required:
+                    - kubeadmConfigSpec
+                    - machineTemplate
+                    - version
+                    type: object
+                required:
+                - spec
+                type: object
+            required:
+            - template
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of KubeadmControlPlaneTemplate
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KubeadmControlPlaneTemplate is the Schema for the kubeadmcontrolplanetemplates
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmControlPlaneTemplateSpec defines the desired state
+              of KubeadmControlPlaneTemplate.
+            properties:
+              template:
+                description: KubeadmControlPlaneTemplateResource describes the data
+                  needed to create a KubeadmControlPlane from a template.
+                properties:
+                  spec:
+                    description: 'KubeadmControlPlaneTemplateResourceSpec defines
+                      the desired state of KubeadmControlPlane. NOTE: KubeadmControlPlaneTemplateResourceSpec
+                      is similar to KubeadmControlPlaneSpec but omits Replicas and
+                      Version fields. These fields do not make sense on the KubeadmControlPlaneTemplate,
+                      because they are calculated by the Cluster topology reconciler
+                      during reconciliation and thus cannot be configured on the KubeadmControlPlaneTemplate.'
+                    properties:
+                      kubeadmConfigSpec:
+                        description: KubeadmConfigSpec is a KubeadmConfigSpec to use
+                          for initializing and joining machines to the control plane.
+                        properties:
+                          clusterConfiguration:
+                            description: ClusterConfiguration along with InitConfiguration
+                              are the configurations necessary for the init command
+                            properties:
+                              apiServer:
+                                description: APIServer contains extra settings for
+                                  the API server control plane component
+                                properties:
+                                  certSANs:
+                                    description: CertSANs sets extra Subject Alternative
+                                      Names for the API Server signing cert.
+                                    items:
+                                      type: string
+                                    type: array
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'ExtraArgs is an extra set of flags
+                                      to pass to the control plane component. TODO:
+                                      This is temporary and ideally we would like
+                                      to switch all components to use ComponentConfig
+                                      + ConfigMaps.'
+                                    type: object
+                                  extraVolumes:
+                                    description: ExtraVolumes is an extra set of host
+                                      volumes, mounted to the control plane component.
+                                    items:
+                                      description: HostPathMount contains elements
+                                        describing volumes that are mounted from the
+                                        host.
+                                      properties:
+                                        hostPath:
+                                          description: HostPath is the path in the
+                                            host that will be mounted inside the pod.
+                                          type: string
+                                        mountPath:
+                                          description: MountPath is the path inside
+                                            the pod where hostPath will be mounted.
+                                          type: string
+                                        name:
+                                          description: Name of the volume inside the
+                                            pod template.
+                                          type: string
+                                        pathType:
+                                          description: PathType is the type of the
+                                            HostPath.
+                                          type: string
+                                        readOnly:
+                                          description: ReadOnly controls write access
+                                            to the volume
+                                          type: boolean
+                                      required:
+                                      - hostPath
+                                      - mountPath
+                                      - name
+                                      type: object
+                                    type: array
+                                  timeoutForControlPlane:
+                                    description: TimeoutForControlPlane controls the
+                                      timeout that we use for API server to appear
+                                    type: string
+                                type: object
+                              apiVersion:
+                                description: 'APIVersion defines the versioned schema
+                                  of this representation of an object. Servers should
+                                  convert recognized schemas to the latest internal
+                                  value, and may reject unrecognized values. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                                type: string
+                              certificatesDir:
+                                description: 'CertificatesDir specifies where to store
+                                  or look for all required certificates. NB: if not
+                                  provided, this will default to `/etc/kubernetes/pki`'
+                                type: string
+                              clusterName:
+                                description: The cluster name
+                                type: string
+                              controlPlaneEndpoint:
+                                description: 'ControlPlaneEndpoint sets a stable IP
+                                  address or DNS name for the control plane; it can
+                                  be a valid IP address or a RFC-1123 DNS subdomain,
+                                  both with optional TCP port. In case the ControlPlaneEndpoint
+                                  is not specified, the AdvertiseAddress + BindPort
+                                  are used; in case the ControlPlaneEndpoint is specified
+                                  but without a TCP port, the BindPort is used. Possible
+                                  usages are: e.g. In a cluster with more than one
+                                  control plane instances, this field should be assigned
+                                  the address of the external load balancer in front
+                                  of the control plane instances. e.g.  in environments
+                                  with enforced node recycling, the ControlPlaneEndpoint
+                                  could be used for assigning a stable DNS to the
+                                  control plane. NB: This value defaults to the first
+                                  value in the Cluster object status.apiEndpoints
+                                  array.'
+                                type: string
+                              controllerManager:
+                                description: ControllerManager contains extra settings
+                                  for the controller manager control plane component
+                                properties:
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'ExtraArgs is an extra set of flags
+                                      to pass to the control plane component. TODO:
+                                      This is temporary and ideally we would like
+                                      to switch all components to use ComponentConfig
+                                      + ConfigMaps.'
+                                    type: object
+                                  extraVolumes:
+                                    description: ExtraVolumes is an extra set of host
+                                      volumes, mounted to the control plane component.
+                                    items:
+                                      description: HostPathMount contains elements
+                                        describing volumes that are mounted from the
+                                        host.
+                                      properties:
+                                        hostPath:
+                                          description: HostPath is the path in the
+                                            host that will be mounted inside the pod.
+                                          type: string
+                                        mountPath:
+                                          description: MountPath is the path inside
+                                            the pod where hostPath will be mounted.
+                                          type: string
+                                        name:
+                                          description: Name of the volume inside the
+                                            pod template.
+                                          type: string
+                                        pathType:
+                                          description: PathType is the type of the
+                                            HostPath.
+                                          type: string
+                                        readOnly:
+                                          description: ReadOnly controls write access
+                                            to the volume
+                                          type: boolean
+                                      required:
+                                      - hostPath
+                                      - mountPath
+                                      - name
+                                      type: object
+                                    type: array
+                                type: object
+                              dns:
+                                description: DNS defines the options for the DNS add-on
+                                  installed in the cluster.
+                                properties:
+                                  imageRepository:
+                                    description: ImageRepository sets the container
+                                      registry to pull images from. if not set, the
+                                      ImageRepository defined in ClusterConfiguration
+                                      will be used instead.
+                                    type: string
+                                  imageTag:
+                                    description: ImageTag allows to specify a tag
+                                      for the image. In case this value is set, kubeadm
+                                      does not change automatically the version of
+                                      the above components during upgrades.
+                                    type: string
+                                type: object
+                              etcd:
+                                description: 'Etcd holds configuration for etcd. NB:
+                                  This value defaults to a Local (stacked) etcd'
+                                properties:
+                                  external:
+                                    description: External describes how to connect
+                                      to an external etcd cluster Local and External
+                                      are mutually exclusive
+                                    properties:
+                                      caFile:
+                                        description: CAFile is an SSL Certificate
+                                          Authority file used to secure etcd communication.
+                                          Required if using a TLS connection.
+                                        type: string
+                                      certFile:
+                                        description: CertFile is an SSL certification
+                                          file used to secure etcd communication.
+                                          Required if using a TLS connection.
+                                        type: string
+                                      endpoints:
+                                        description: Endpoints of etcd members. Required
+                                          for ExternalEtcd.
+                                        items:
+                                          type: string
+                                        type: array
+                                      keyFile:
+                                        description: KeyFile is an SSL key file used
+                                          to secure etcd communication. Required if
+                                          using a TLS connection.
+                                        type: string
+                                    required:
+                                    - caFile
+                                    - certFile
+                                    - endpoints
+                                    - keyFile
+                                    type: object
+                                  local:
+                                    description: Local provides configuration knobs
+                                      for configuring the local etcd instance Local
+                                      and External are mutually exclusive
+                                    properties:
+                                      dataDir:
+                                        description: DataDir is the directory etcd
+                                          will place its data. Defaults to "/var/lib/etcd".
+                                        type: string
+                                      extraArgs:
+                                        additionalProperties:
+                                          type: string
+                                        description: ExtraArgs are extra arguments
+                                          provided to the etcd binary when run inside
+                                          a static pod.
+                                        type: object
+                                      imageRepository:
+                                        description: ImageRepository sets the container
+                                          registry to pull images from. if not set,
+                                          the ImageRepository defined in ClusterConfiguration
+                                          will be used instead.
+                                        type: string
+                                      imageTag:
+                                        description: ImageTag allows to specify a
+                                          tag for the image. In case this value is
+                                          set, kubeadm does not change automatically
+                                          the version of the above components during
+                                          upgrades.
+                                        type: string
+                                      peerCertSANs:
+                                        description: PeerCertSANs sets extra Subject
+                                          Alternative Names for the etcd peer signing
+                                          cert.
+                                        items:
+                                          type: string
+                                        type: array
+                                      serverCertSANs:
+                                        description: ServerCertSANs sets extra Subject
+                                          Alternative Names for the etcd server signing
+                                          cert.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                type: object
+                              featureGates:
+                                additionalProperties:
+                                  type: boolean
+                                description: FeatureGates enabled by the user.
+                                type: object
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. If empty, `k8s.gcr.io` will
+                                  be used by default; in case of kubernetes version
+                                  is a CI build (kubernetes version starts with `ci/`
+                                  or `ci-cross/`) `gcr.io/k8s-staging-ci-images` will
+                                  be used as a default for control plane components
+                                  and for kube-proxy, while `k8s.gcr.io` will be used
+                                  for all the other images.
+                                type: string
+                              kind:
+                                description: 'Kind is a string value representing
+                                  the REST resource this object represents. Servers
+                                  may infer this from the endpoint the client submits
+                                  requests to. Cannot be updated. In CamelCase. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              kubernetesVersion:
+                                description: 'KubernetesVersion is the target version
+                                  of the control plane. NB: This value defaults to
+                                  the Machine object spec.version'
+                                type: string
+                              networking:
+                                description: 'Networking holds configuration for the
+                                  networking topology of the cluster. NB: This value
+                                  defaults to the Cluster object spec.clusterNetwork.'
+                                properties:
+                                  dnsDomain:
+                                    description: DNSDomain is the dns domain used
+                                      by k8s services. Defaults to "cluster.local".
+                                    type: string
+                                  podSubnet:
+                                    description: PodSubnet is the subnet used by pods.
+                                      If unset, the API server will not allocate CIDR
+                                      ranges for every node. Defaults to a comma-delimited
+                                      string of the Cluster object's spec.clusterNetwork.services.cidrBlocks
+                                      if that is set
+                                    type: string
+                                  serviceSubnet:
+                                    description: ServiceSubnet is the subnet used
+                                      by k8s services. Defaults to a comma-delimited
+                                      string of the Cluster object's spec.clusterNetwork.pods.cidrBlocks,
+                                      or to "10.96.0.0/12" if that's unset.
+                                    type: string
+                                type: object
+                              scheduler:
+                                description: Scheduler contains extra settings for
+                                  the scheduler control plane component
+                                properties:
+                                  extraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: 'ExtraArgs is an extra set of flags
+                                      to pass to the control plane component. TODO:
+                                      This is temporary and ideally we would like
+                                      to switch all components to use ComponentConfig
+                                      + ConfigMaps.'
+                                    type: object
+                                  extraVolumes:
+                                    description: ExtraVolumes is an extra set of host
+                                      volumes, mounted to the control plane component.
+                                    items:
+                                      description: HostPathMount contains elements
+                                        describing volumes that are mounted from the
+                                        host.
+                                      properties:
+                                        hostPath:
+                                          description: HostPath is the path in the
+                                            host that will be mounted inside the pod.
+                                          type: string
+                                        mountPath:
+                                          description: MountPath is the path inside
+                                            the pod where hostPath will be mounted.
+                                          type: string
+                                        name:
+                                          description: Name of the volume inside the
+                                            pod template.
+                                          type: string
+                                        pathType:
+                                          description: PathType is the type of the
+                                            HostPath.
+                                          type: string
+                                        readOnly:
+                                          description: ReadOnly controls write access
+                                            to the volume
+                                          type: boolean
+                                      required:
+                                      - hostPath
+                                      - mountPath
+                                      - name
+                                      type: object
+                                    type: array
+                                type: object
+                            type: object
+                          diskSetup:
+                            description: DiskSetup specifies options for the creation
+                              of partition tables and file systems on devices.
+                            properties:
+                              filesystems:
+                                description: Filesystems specifies the list of file
+                                  systems to setup.
+                                items:
+                                  description: Filesystem defines the file systems
+                                    to be created.
+                                  properties:
+                                    device:
+                                      description: Device specifies the device name
+                                      type: string
+                                    extraOpts:
+                                      description: ExtraOpts defined extra options
+                                        to add to the command for creating the file
+                                        system.
+                                      items:
+                                        type: string
+                                      type: array
+                                    filesystem:
+                                      description: Filesystem specifies the file system
+                                        type.
+                                      type: string
+                                    label:
+                                      description: Label specifies the file system
+                                        label to be used. If set to None, no label
+                                        is used.
+                                      type: string
+                                    overwrite:
+                                      description: Overwrite defines whether or not
+                                        to overwrite any existing filesystem. If true,
+                                        any pre-existing file system will be destroyed.
+                                        Use with Caution.
+                                      type: boolean
+                                    partition:
+                                      description: 'Partition specifies the partition
+                                        to use. The valid options are: "auto|any",
+                                        "auto", "any", "none", and <NUM>, where NUM
+                                        is the actual partition number.'
+                                      type: string
+                                    replaceFS:
+                                      description: 'ReplaceFS is a special directive,
+                                        used for Microsoft Azure that instructs cloud-init
+                                        to replace a file system of <FS_TYPE>. NOTE:
+                                        unless you define a label, this requires the
+                                        use of the ''any'' partition directive.'
+                                      type: string
+                                  required:
+                                  - device
+                                  - filesystem
+                                  - label
+                                  type: object
+                                type: array
+                              partitions:
+                                description: Partitions specifies the list of the
+                                  partitions to setup.
+                                items:
+                                  description: Partition defines how to create and
+                                    layout a partition.
+                                  properties:
+                                    device:
+                                      description: Device is the name of the device.
+                                      type: string
+                                    layout:
+                                      description: Layout specifies the device layout.
+                                        If it is true, a single partition will be
+                                        created for the entire device. When layout
+                                        is false, it means don't partition or ignore
+                                        existing partitioning.
+                                      type: boolean
+                                    overwrite:
+                                      description: Overwrite describes whether to
+                                        skip checks and create the partition if a
+                                        partition or filesystem is found on the device.
+                                        Use with caution. Default is 'false'.
+                                      type: boolean
+                                    tableType:
+                                      description: 'TableType specifies the tupe of
+                                        partition table. The following are supported:
+                                        ''mbr'': default and setups a MS-DOS partition
+                                        table ''gpt'': setups a GPT partition table'
+                                      type: string
+                                  required:
+                                  - device
+                                  - layout
+                                  type: object
+                                type: array
+                            type: object
+                          files:
+                            description: Files specifies extra files to be passed
+                              to user_data upon creation.
+                            items:
+                              description: File defines the input for generating write_files
+                                in cloud-init.
+                              properties:
+                                append:
+                                  description: Append specifies whether to append
+                                    Content to existing file if Path exists.
+                                  type: boolean
+                                content:
+                                  description: Content is the actual content of the
+                                    file.
+                                  type: string
+                                contentFrom:
+                                  description: ContentFrom is a referenced source
+                                    of content to populate the file.
+                                  properties:
+                                    secret:
+                                      description: Secret represents a secret that
+                                        should populate this file.
+                                      properties:
+                                        key:
+                                          description: Key is the key in the secret's
+                                            data map for this value.
+                                          type: string
+                                        name:
+                                          description: Name of the secret in the KubeadmBootstrapConfig's
+                                            namespace to use.
+                                          type: string
+                                      required:
+                                      - key
+                                      - name
+                                      type: object
+                                  required:
+                                  - secret
+                                  type: object
+                                encoding:
+                                  description: Encoding specifies the encoding of
+                                    the file contents.
+                                  enum:
+                                  - base64
+                                  - gzip
+                                  - gzip+base64
+                                  type: string
+                                owner:
+                                  description: Owner specifies the ownership of the
+                                    file, e.g. "root:root".
+                                  type: string
+                                path:
+                                  description: Path specifies the full path on disk
+                                    where to store the file.
+                                  type: string
+                                permissions:
+                                  description: Permissions specifies the permissions
+                                    to assign to the file, e.g. "0640".
+                                  type: string
+                              required:
+                              - path
+                              type: object
+                            type: array
+                          format:
+                            description: Format specifies the output format of the
+                              bootstrap data
+                            enum:
+                            - cloud-config
+                            - ignition
+                            type: string
+                          ignition:
+                            description: Ignition contains Ignition specific configuration.
+                            properties:
+                              containerLinuxConfig:
+                                description: ContainerLinuxConfig contains CLC specific
+                                  configuration.
+                                properties:
+                                  additionalConfig:
+                                    description: "AdditionalConfig contains additional
+                                      configuration to be merged with the Ignition
+                                      configuration generated by the bootstrapper
+                                      controller. More info: https://coreos.github.io/ignition/operator-notes/#config-merging
+                                      \n The data format is documented here: https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/"
+                                    type: string
+                                  strict:
+                                    description: Strict controls if AdditionalConfig
+                                      should be strictly parsed. If so, warnings are
+                                      treated as errors.
+                                    type: boolean
+                                type: object
+                            type: object
+                          initConfiguration:
+                            description: InitConfiguration along with ClusterConfiguration
+                              are the configurations necessary for the init command
+                            properties:
+                              apiVersion:
+                                description: 'APIVersion defines the versioned schema
+                                  of this representation of an object. Servers should
+                                  convert recognized schemas to the latest internal
+                                  value, and may reject unrecognized values. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                                type: string
+                              bootstrapTokens:
+                                description: BootstrapTokens is respected at `kubeadm
+                                  init` time and describes a set of Bootstrap Tokens
+                                  to create. This information IS NOT uploaded to the
+                                  kubeadm cluster configmap, partly because of its
+                                  sensitive nature
+                                items:
+                                  description: BootstrapToken describes one bootstrap
+                                    token, stored as a Secret in the cluster.
+                                  properties:
+                                    description:
+                                      description: Description sets a human-friendly
+                                        message why this token exists and what it's
+                                        used for, so other administrators can know
+                                        its purpose.
+                                      type: string
+                                    expires:
+                                      description: Expires specifies the timestamp
+                                        when this token expires. Defaults to being
+                                        set dynamically at runtime based on the TTL.
+                                        Expires and TTL are mutually exclusive.
+                                      format: date-time
+                                      type: string
+                                    groups:
+                                      description: Groups specifies the extra groups
+                                        that this token will authenticate as when/if
+                                        used for authentication
+                                      items:
+                                        type: string
+                                      type: array
+                                    token:
+                                      description: Token is used for establishing
+                                        bidirectional trust between nodes and control-planes.
+                                        Used for joining nodes in the cluster.
+                                      type: string
+                                    ttl:
+                                      description: TTL defines the time to live for
+                                        this token. Defaults to 24h. Expires and TTL
+                                        are mutually exclusive.
+                                      type: string
+                                    usages:
+                                      description: Usages describes the ways in which
+                                        this token can be used. Can by default be
+                                        used for establishing bidirectional trust,
+                                        but that can be changed here.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - token
+                                  type: object
+                                type: array
+                              kind:
+                                description: 'Kind is a string value representing
+                                  the REST resource this object represents. Servers
+                                  may infer this from the endpoint the client submits
+                                  requests to. Cannot be updated. In CamelCase. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              localAPIEndpoint:
+                                description: LocalAPIEndpoint represents the endpoint
+                                  of the API server instance that's deployed on this
+                                  control plane node In HA setups, this differs from
+                                  ClusterConfiguration.ControlPlaneEndpoint in the
+                                  sense that ControlPlaneEndpoint is the global endpoint
+                                  for the cluster, which then loadbalances the requests
+                                  to each individual API server. This configuration
+                                  object lets you customize what IP/DNS name and port
+                                  the local API server advertises it's accessible
+                                  on. By default, kubeadm tries to auto-detect the
+                                  IP of the default interface and use that, but in
+                                  case that process fails you may set the desired
+                                  value here.
+                                properties:
+                                  advertiseAddress:
+                                    description: AdvertiseAddress sets the IP address
+                                      for the API server to advertise.
+                                    type: string
+                                  bindPort:
+                                    description: BindPort sets the secure port for
+                                      the API Server to bind to. Defaults to 6443.
+                                    format: int32
+                                    type: integer
+                                type: object
+                              nodeRegistration:
+                                description: NodeRegistration holds fields that relate
+                                  to registering the new control-plane node to the
+                                  cluster. When used in the context of control plane
+                                  nodes, NodeRegistration should remain consistent
+                                  across both InitConfiguration and JoinConfiguration
+                                properties:
+                                  criSocket:
+                                    description: CRISocket is used to retrieve container
+                                      runtime info. This information will be annotated
+                                      to the Node API object, for later re-use
+                                    type: string
+                                  ignorePreflightErrors:
+                                    description: IgnorePreflightErrors provides a
+                                      slice of pre-flight errors to be ignored when
+                                      the current node is registered.
+                                    items:
+                                      type: string
+                                    type: array
+                                  kubeletExtraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: KubeletExtraArgs passes through extra
+                                      arguments to the kubelet. The arguments here
+                                      are passed to the kubelet command line via the
+                                      environment file kubeadm writes at runtime for
+                                      the kubelet to source. This overrides the generic
+                                      base-level configuration in the kubelet-config-1.X
+                                      ConfigMap Flags have higher priority when parsing.
+                                      These values are local and specific to the node
+                                      kubeadm is executing on.
+                                    type: object
+                                  name:
+                                    description: Name is the `.Metadata.Name` field
+                                      of the Node API object that will be created
+                                      in this `kubeadm init` or `kubeadm join` operation.
+                                      This field is also used in the CommonName field
+                                      of the kubelet's client certificate to the API
+                                      server. Defaults to the hostname of the node
+                                      if not provided.
+                                    type: string
+                                  taints:
+                                    description: 'Taints specifies the taints the
+                                      Node API object should be registered with. If
+                                      this field is unset, i.e. nil, in the `kubeadm
+                                      init` process it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                      If you don''t want to taint your control-plane
+                                      node, set this field to an empty slice, i.e.
+                                      `taints: {}` in the YAML file. This field is
+                                      solely used for Node registration.'
+                                    items:
+                                      description: The node this Taint is attached
+                                        to has the "effect" on any pod that does not
+                                        tolerate the Taint.
+                                      properties:
+                                        effect:
+                                          description: Required. The effect of the
+                                            taint on pods that do not tolerate the
+                                            taint. Valid effects are NoSchedule, PreferNoSchedule
+                                            and NoExecute.
+                                          type: string
+                                        key:
+                                          description: Required. The taint key to
+                                            be applied to a node.
+                                          type: string
+                                        timeAdded:
+                                          description: TimeAdded represents the time
+                                            at which the taint was added. It is only
+                                            written for NoExecute taints.
+                                          format: date-time
+                                          type: string
+                                        value:
+                                          description: The taint value corresponding
+                                            to the taint key.
+                                          type: string
+                                      required:
+                                      - effect
+                                      - key
+                                      type: object
+                                    type: array
+                                type: object
+                              patches:
+                                description: Patches contains options related to applying
+                                  patches to components deployed by kubeadm during
+                                  "kubeadm init". The minimum kubernetes version needed
+                                  to support Patches is v1.22
+                                properties:
+                                  directory:
+                                    description: Directory is a path to a directory
+                                      that contains files named "target[suffix][+patchtype].extension".
+                                      For example, "kube-apiserver0+merge.yaml" or
+                                      just "etcd.json". "target" can be one of "kube-apiserver",
+                                      "kube-controller-manager", "kube-scheduler",
+                                      "etcd". "patchtype" can be one of "strategic"
+                                      "merge" or "json" and they match the patch formats
+                                      supported by kubectl. The default "patchtype"
+                                      is "strategic". "extension" must be either "json"
+                                      or "yaml". "suffix" is an optional string that
+                                      can be used to determine which patches are applied
+                                      first alpha-numerically. These files can be
+                                      written into the target directory via KubeadmConfig.Files
+                                      which specifies additional files to be created
+                                      on the machine, either with content inline or
+                                      by referencing a secret.
+                                    type: string
+                                type: object
+                              skipPhases:
+                                description: SkipPhases is a list of phases to skip
+                                  during command execution. The list of phases can
+                                  be obtained with the "kubeadm init --help" command.
+                                  This option takes effect only on Kubernetes >=1.22.0.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          joinConfiguration:
+                            description: JoinConfiguration is the kubeadm configuration
+                              for the join command
+                            properties:
+                              apiVersion:
+                                description: 'APIVersion defines the versioned schema
+                                  of this representation of an object. Servers should
+                                  convert recognized schemas to the latest internal
+                                  value, and may reject unrecognized values. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                                type: string
+                              caCertPath:
+                                description: 'CACertPath is the path to the SSL certificate
+                                  authority used to secure comunications between node
+                                  and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                                  TODO: revisit when there is defaulting from k/k'
+                                type: string
+                              controlPlane:
+                                description: ControlPlane defines the additional control
+                                  plane instance to be deployed on the joining node.
+                                  If nil, no additional control plane instance will
+                                  be deployed.
+                                properties:
+                                  localAPIEndpoint:
+                                    description: LocalAPIEndpoint represents the endpoint
+                                      of the API server instance to be deployed on
+                                      this node.
+                                    properties:
+                                      advertiseAddress:
+                                        description: AdvertiseAddress sets the IP
+                                          address for the API server to advertise.
+                                        type: string
+                                      bindPort:
+                                        description: BindPort sets the secure port
+                                          for the API Server to bind to. Defaults
+                                          to 6443.
+                                        format: int32
+                                        type: integer
+                                    type: object
+                                type: object
+                              discovery:
+                                description: 'Discovery specifies the options for
+                                  the kubelet to use during the TLS Bootstrap process
+                                  TODO: revisit when there is defaulting from k/k'
+                                properties:
+                                  bootstrapToken:
+                                    description: BootstrapToken is used to set the
+                                      options for bootstrap token based discovery
+                                      BootstrapToken and File are mutually exclusive
+                                    properties:
+                                      apiServerEndpoint:
+                                        description: APIServerEndpoint is an IP or
+                                          domain name to the API server from which
+                                          info will be fetched.
+                                        type: string
+                                      caCertHashes:
+                                        description: 'CACertHashes specifies a set
+                                          of public key pins to verify when token-based
+                                          discovery is used. The root CA found during
+                                          discovery must match one of these values.
+                                          Specifying an empty set disables root CA
+                                          pinning, which can be unsafe. Each hash
+                                          is specified as "<type>:<value>", where
+                                          the only currently supported type is "sha256".
+                                          This is a hex-encoded SHA-256 hash of the
+                                          Subject Public Key Info (SPKI) object in
+                                          DER-encoded ASN.1. These hashes can be calculated
+                                          using, for example, OpenSSL: openssl x509
+                                          -pubkey -in ca.crt openssl rsa -pubin -outform
+                                          der 2>&/dev/null | openssl dgst -sha256
+                                          -hex'
+                                        items:
+                                          type: string
+                                        type: array
+                                      token:
+                                        description: Token is a token used to validate
+                                          cluster information fetched from the control-plane.
+                                        type: string
+                                      unsafeSkipCAVerification:
+                                        description: UnsafeSkipCAVerification allows
+                                          token-based discovery without CA verification
+                                          via CACertHashes. This can weaken the security
+                                          of kubeadm since other nodes can impersonate
+                                          the control-plane.
+                                        type: boolean
+                                    required:
+                                    - token
+                                    type: object
+                                  file:
+                                    description: File is used to specify a file or
+                                      URL to a kubeconfig file from which to load
+                                      cluster information BootstrapToken and File
+                                      are mutually exclusive
+                                    properties:
+                                      kubeConfigPath:
+                                        description: KubeConfigPath is used to specify
+                                          the actual file path or URL to the kubeconfig
+                                          file from which to load cluster information
+                                        type: string
+                                    required:
+                                    - kubeConfigPath
+                                    type: object
+                                  timeout:
+                                    description: Timeout modifies the discovery timeout
+                                    type: string
+                                  tlsBootstrapToken:
+                                    description: TLSBootstrapToken is a token used
+                                      for TLS bootstrapping. If .BootstrapToken is
+                                      set, this field is defaulted to .BootstrapToken.Token,
+                                      but can be overridden. If .File is set, this
+                                      field **must be set** in case the KubeConfigFile
+                                      does not contain any other authentication information
+                                    type: string
+                                type: object
+                              kind:
+                                description: 'Kind is a string value representing
+                                  the REST resource this object represents. Servers
+                                  may infer this from the endpoint the client submits
+                                  requests to. Cannot be updated. In CamelCase. More
+                                  info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              nodeRegistration:
+                                description: NodeRegistration holds fields that relate
+                                  to registering the new control-plane node to the
+                                  cluster. When used in the context of control plane
+                                  nodes, NodeRegistration should remain consistent
+                                  across both InitConfiguration and JoinConfiguration
+                                properties:
+                                  criSocket:
+                                    description: CRISocket is used to retrieve container
+                                      runtime info. This information will be annotated
+                                      to the Node API object, for later re-use
+                                    type: string
+                                  ignorePreflightErrors:
+                                    description: IgnorePreflightErrors provides a
+                                      slice of pre-flight errors to be ignored when
+                                      the current node is registered.
+                                    items:
+                                      type: string
+                                    type: array
+                                  kubeletExtraArgs:
+                                    additionalProperties:
+                                      type: string
+                                    description: KubeletExtraArgs passes through extra
+                                      arguments to the kubelet. The arguments here
+                                      are passed to the kubelet command line via the
+                                      environment file kubeadm writes at runtime for
+                                      the kubelet to source. This overrides the generic
+                                      base-level configuration in the kubelet-config-1.X
+                                      ConfigMap Flags have higher priority when parsing.
+                                      These values are local and specific to the node
+                                      kubeadm is executing on.
+                                    type: object
+                                  name:
+                                    description: Name is the `.Metadata.Name` field
+                                      of the Node API object that will be created
+                                      in this `kubeadm init` or `kubeadm join` operation.
+                                      This field is also used in the CommonName field
+                                      of the kubelet's client certificate to the API
+                                      server. Defaults to the hostname of the node
+                                      if not provided.
+                                    type: string
+                                  taints:
+                                    description: 'Taints specifies the taints the
+                                      Node API object should be registered with. If
+                                      this field is unset, i.e. nil, in the `kubeadm
+                                      init` process it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                                      If you don''t want to taint your control-plane
+                                      node, set this field to an empty slice, i.e.
+                                      `taints: {}` in the YAML file. This field is
+                                      solely used for Node registration.'
+                                    items:
+                                      description: The node this Taint is attached
+                                        to has the "effect" on any pod that does not
+                                        tolerate the Taint.
+                                      properties:
+                                        effect:
+                                          description: Required. The effect of the
+                                            taint on pods that do not tolerate the
+                                            taint. Valid effects are NoSchedule, PreferNoSchedule
+                                            and NoExecute.
+                                          type: string
+                                        key:
+                                          description: Required. The taint key to
+                                            be applied to a node.
+                                          type: string
+                                        timeAdded:
+                                          description: TimeAdded represents the time
+                                            at which the taint was added. It is only
+                                            written for NoExecute taints.
+                                          format: date-time
+                                          type: string
+                                        value:
+                                          description: The taint value corresponding
+                                            to the taint key.
+                                          type: string
+                                      required:
+                                      - effect
+                                      - key
+                                      type: object
+                                    type: array
+                                type: object
+                              patches:
+                                description: Patches contains options related to applying
+                                  patches to components deployed by kubeadm during
+                                  "kubeadm join". The minimum kubernetes version needed
+                                  to support Patches is v1.22
+                                properties:
+                                  directory:
+                                    description: Directory is a path to a directory
+                                      that contains files named "target[suffix][+patchtype].extension".
+                                      For example, "kube-apiserver0+merge.yaml" or
+                                      just "etcd.json". "target" can be one of "kube-apiserver",
+                                      "kube-controller-manager", "kube-scheduler",
+                                      "etcd". "patchtype" can be one of "strategic"
+                                      "merge" or "json" and they match the patch formats
+                                      supported by kubectl. The default "patchtype"
+                                      is "strategic". "extension" must be either "json"
+                                      or "yaml". "suffix" is an optional string that
+                                      can be used to determine which patches are applied
+                                      first alpha-numerically. These files can be
+                                      written into the target directory via KubeadmConfig.Files
+                                      which specifies additional files to be created
+                                      on the machine, either with content inline or
+                                      by referencing a secret.
+                                    type: string
+                                type: object
+                              skipPhases:
+                                description: SkipPhases is a list of phases to skip
+                                  during command execution. The list of phases can
+                                  be obtained with the "kubeadm init --help" command.
+                                  This option takes effect only on Kubernetes >=1.22.0.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          mounts:
+                            description: Mounts specifies a list of mount points to
+                              be setup.
+                            items:
+                              description: MountPoints defines input for generated
+                                mounts in cloud-init.
+                              items:
+                                type: string
+                              type: array
+                            type: array
+                          ntp:
+                            description: NTP specifies NTP configuration
+                            properties:
+                              enabled:
+                                description: Enabled specifies whether NTP should
+                                  be enabled
+                                type: boolean
+                              servers:
+                                description: Servers specifies which NTP servers to
+                                  use
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          postKubeadmCommands:
+                            description: PostKubeadmCommands specifies extra commands
+                              to run after kubeadm runs
+                            items:
+                              type: string
+                            type: array
+                          preKubeadmCommands:
+                            description: PreKubeadmCommands specifies extra commands
+                              to run before kubeadm runs
+                            items:
+                              type: string
+                            type: array
+                          useExperimentalRetryJoin:
+                            description: "UseExperimentalRetryJoin replaces a basic
+                              kubeadm command with a shell script with retries for
+                              joins. \n This is meant to be an experimental temporary
+                              workaround on some environments where joins fail due
+                              to timing (and other issues). The long term goal is
+                              to add retries to kubeadm proper and use that functionality.
+                              \n This will add about 40KB to userdata \n For more
+                              information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                            type: boolean
+                          users:
+                            description: Users specifies extra users to add
+                            items:
+                              description: User defines the input for a generated
+                                user in cloud-init.
+                              properties:
+                                gecos:
+                                  description: Gecos specifies the gecos to use for
+                                    the user
+                                  type: string
+                                groups:
+                                  description: Groups specifies the additional groups
+                                    for the user
+                                  type: string
+                                homeDir:
+                                  description: HomeDir specifies the home directory
+                                    to use for the user
+                                  type: string
+                                inactive:
+                                  description: Inactive specifies whether to mark
+                                    the user as inactive
+                                  type: boolean
+                                lockPassword:
+                                  description: LockPassword specifies if password
+                                    login should be disabled
+                                  type: boolean
+                                name:
+                                  description: Name specifies the user name
+                                  type: string
+                                passwd:
+                                  description: Passwd specifies a hashed password
+                                    for the user
+                                  type: string
+                                passwdFrom:
+                                  description: PasswdFrom is a referenced source of
+                                    passwd to populate the passwd.
+                                  properties:
+                                    secret:
+                                      description: Secret represents a secret that
+                                        should populate this password.
+                                      properties:
+                                        key:
+                                          description: Key is the key in the secret's
+                                            data map for this value.
+                                          type: string
+                                        name:
+                                          description: Name of the secret in the KubeadmBootstrapConfig's
+                                            namespace to use.
+                                          type: string
+                                      required:
+                                      - key
+                                      - name
+                                      type: object
+                                  required:
+                                  - secret
+                                  type: object
+                                primaryGroup:
+                                  description: PrimaryGroup specifies the primary
+                                    group for the user
+                                  type: string
+                                shell:
+                                  description: Shell specifies the user's shell
+                                  type: string
+                                sshAuthorizedKeys:
+                                  description: SSHAuthorizedKeys specifies a list
+                                    of ssh authorized keys for the user
+                                  items:
+                                    type: string
+                                  type: array
+                                sudo:
+                                  description: Sudo specifies a sudo role for the
+                                    user
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                          verbosity:
+                            description: Verbosity is the number for the kubeadm log
+                              level verbosity. It overrides the `--v` flag in kubeadm
+                              commands.
+                            format: int32
+                            type: integer
+                        type: object
+                      machineTemplate:
+                        description: MachineTemplate contains information about how
+                          machines should be shaped when creating or updating a control
+                          plane.
+                        properties:
+                          nodeDeletionTimeout:
+                            description: NodeDeletionTimeout defines how long the
+                              machine controller will attempt to delete the Node that
+                              the Machine hosts after the Machine is marked for deletion.
+                              A duration of 0 will retry deletion indefinitely. If
+                              no value is provided, the default value for this property
+                              of the Machine resource will be used.
+                            type: string
+                          nodeDrainTimeout:
+                            description: 'NodeDrainTimeout is the total amount of
+                              time that the controller will spend on draining a controlplane
+                              node The default value is 0, meaning that the node can
+                              be drained without any time limitations. NOTE: NodeDrainTimeout
+                              is different from `kubectl drain --timeout`'
+                            type: string
+                        type: object
+                      rolloutAfter:
+                        description: RolloutAfter is a field to indicate a rollout
+                          should be performed after the specified time even if no
+                          changes have been made to the KubeadmControlPlane.
+                        format: date-time
+                        type: string
+                      rolloutStrategy:
+                        default:
+                          rollingUpdate:
+                            maxSurge: 1
+                          type: RollingUpdate
+                        description: The RolloutStrategy to use to replace control
+                          plane machines with new ones.
+                        properties:
+                          rollingUpdate:
+                            description: Rolling update config params. Present only
+                              if RolloutStrategyType = RollingUpdate.
+                            properties:
+                              maxSurge:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: 'The maximum number of control planes
+                                  that can be scheduled above or under the desired
+                                  number of control planes. Value can be an absolute
+                                  number 1 or 0. Defaults to 1. Example: when this
+                                  is set to 1, the control plane can be scaled up
+                                  immediately when the rolling update starts.'
+                                x-kubernetes-int-or-string: true
+                            type: object
+                          type:
+                            description: Type of rollout. Currently the only supported
+                              strategy is "RollingUpdate". Default is RollingUpdate.
+                            type: string
+                        type: object
+                    required:
+                    - kubeadmConfigSpec
+                    type: object
+                required:
+                - spec
+                type: object
+            required:
+            - template
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+  name: capi-kubeadm-control-plane-webhook-service
+  namespace: capi-kubeadm-control-plane-system
+spec:
+  ports:
+  - port: 443
+    targetPort: webhook-server
+  selector:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+    control-plane: controller-manager
+  name: capi-kubeadm-control-plane-controller-manager
+  namespace: capi-kubeadm-control-plane-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/provider: control-plane-kubeadm
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/provider: control-plane-kubeadm
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - --leader-elect
+        - --metrics-bind-addr=localhost:8080
+        - --feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}
+        command:
+        - /manager
+        image: gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:main
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+      volumes:
+      - name: cert
+        secret:
+          secretName: capi-kubeadm-control-plane-webhook-service-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+  name: capi-kubeadm-control-plane-serving-cert
+  namespace: capi-kubeadm-control-plane-system
+spec:
+  dnsNames:
+  - capi-kubeadm-control-plane-webhook-service.capi-kubeadm-control-plane-system.svc
+  - capi-kubeadm-control-plane-webhook-service.capi-kubeadm-control-plane-system.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: capi-kubeadm-control-plane-selfsigned-issuer
+  secretName: capi-kubeadm-control-plane-webhook-service-cert
+  subject:
+    organizations:
+    - k8s-sig-cluster-lifecycle
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+  name: capi-kubeadm-control-plane-selfsigned-issuer
+  namespace: capi-kubeadm-control-plane-system
+spec:
+  selfSigned: {}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-kubeadm-control-plane-system/capi-kubeadm-control-plane-serving-cert
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+  name: capi-kubeadm-control-plane-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-control-plane-webhook-service
+      namespace: capi-kubeadm-control-plane-system
+      path: /mutate-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplane
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.kubeadmcontrolplane.controlplane.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - controlplane.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmcontrolplanes
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-control-plane-webhook-service
+      namespace: capi-kubeadm-control-plane-system
+      path: /mutate-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplanetemplate
+  failurePolicy: Fail
+  name: default.kubeadmcontrolplanetemplate.controlplane.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - controlplane.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmcontrolplanetemplates
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-kubeadm-control-plane-system/capi-kubeadm-control-plane-serving-cert
+  labels:
+    cluster.x-k8s.io/provider: control-plane-kubeadm
+  name: capi-kubeadm-control-plane-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-control-plane-webhook-service
+      namespace: capi-kubeadm-control-plane-system
+      path: /validate-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplane
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.kubeadmcontrolplane.controlplane.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - controlplane.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmcontrolplanes
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-control-plane-webhook-service
+      namespace: capi-kubeadm-control-plane-system
+      path: /validate-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplanetemplate
+  failurePolicy: Fail
+  name: validation.kubeadmcontrolplanetemplate.controlplane.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - controlplane.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmcontrolplanetemplates
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-kubeadm-control-plane-webhook-service
+      namespace: capi-kubeadm-control-plane-system
+      path: /validate-scale-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplane
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation-scale.kubeadmcontrolplane.controlplane.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - controlplane.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - UPDATE
+    resources:
+    - kubeadmcontrolplanes/scale
+  sideEffects: None
diff --git a/spectro/generated/core-base.yaml b/spectro/generated/core-base.yaml
new file mode 100644
index 000000000000..0c102398ed6d
--- /dev/null
+++ b/spectro/generated/core-base.yaml
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+    control-plane: controller-manager
+  name: capi-controller-manager
+  namespace: capi-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/provider: cluster-api
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/provider: cluster-api
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - --leader-elect
+        - --metrics-bind-addr=localhost:8080
+        - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}
+        command:
+        - /manager
+        image: gcr.io/k8s-staging-cluster-api/cluster-api-controller:main
+        imagePullPolicy: Always
+        name: manager
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
diff --git a/spectro/generated/core-global.yaml b/spectro/generated/core-global.yaml
new file mode 100644
index 000000000000..263789e53553
--- /dev/null
+++ b/spectro/generated/core-global.yaml
@@ -0,0 +1,10119 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: clusterclasses.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: ClusterClass
+    listKind: ClusterClassList
+    plural: clusterclasses
+    shortNames:
+    - cc
+    singular: clusterclass
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Time duration since creation of ClusterClass
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: ClusterClass is a template which can be used to create managed
+          topologies.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterClassSpec describes the desired state of the ClusterClass.
+            properties:
+              controlPlane:
+                description: ControlPlane is a reference to a local struct that holds
+                  the details for provisioning the Control Plane for the Cluster.
+                properties:
+                  machineInfrastructure:
+                    description: "MachineTemplate defines the metadata and infrastructure
+                      information for control plane machines. \n This field is supported
+                      if and only if the control plane provider template referenced
+                      above is Machine based and supports setting replicas."
+                    properties:
+                      ref:
+                        description: Ref is a required reference to a custom resource
+                          offered by a provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                    required:
+                    - ref
+                    type: object
+                  metadata:
+                    description: "Metadata is the metadata applied to the machines
+                      of the ControlPlane. At runtime this metadata is merged with
+                      the corresponding metadata from the topology. \n This field
+                      is supported if and only if the control plane provider template
+                      referenced is Machine based."
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  ref:
+                    description: Ref is a required reference to a custom resource
+                      offered by a provider.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                required:
+                - ref
+                type: object
+              infrastructure:
+                description: Infrastructure is a reference to a provider-specific
+                  template that holds the details for provisioning infrastructure
+                  specific cluster for the underlying provider. The underlying provider
+                  is responsible for the implementation of the template to an infrastructure
+                  cluster.
+                properties:
+                  ref:
+                    description: Ref is a required reference to a custom resource
+                      offered by a provider.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                required:
+                - ref
+                type: object
+              workers:
+                description: Workers describes the worker nodes for the cluster. It
+                  is a collection of node types which can be used to create the worker
+                  nodes of the cluster.
+                properties:
+                  machineDeployments:
+                    description: MachineDeployments is a list of machine deployment
+                      classes that can be used to create a set of worker nodes.
+                    items:
+                      description: MachineDeploymentClass serves as a template to
+                        define a set of worker nodes of the cluster provisioned using
+                        the `ClusterClass`.
+                      properties:
+                        class:
+                          description: Class denotes a type of worker node present
+                            in the cluster, this name MUST be unique within a ClusterClass
+                            and can be referenced in the Cluster to create a managed
+                            MachineDeployment.
+                          type: string
+                        template:
+                          description: Template is a local struct containing a collection
+                            of templates for creation of MachineDeployment objects
+                            representing a set of worker nodes.
+                          properties:
+                            bootstrap:
+                              description: Bootstrap contains the bootstrap template
+                                reference to be used for the creation of worker Machines.
+                              properties:
+                                ref:
+                                  description: Ref is a required reference to a custom
+                                    resource offered by a provider.
+                                  properties:
+                                    apiVersion:
+                                      description: API version of the referent.
+                                      type: string
+                                    fieldPath:
+                                      description: 'If referring to a piece of an
+                                        object instead of an entire object, this string
+                                        should contain a valid JSON/Go field access
+                                        statement, such as desiredState.manifest.containers[2].
+                                        For example, if the object reference is to
+                                        a container within a pod, this would take
+                                        on a value like: "spec.containers{name}" (where
+                                        "name" refers to the name of the container
+                                        that triggered the event) or if no container
+                                        name is specified "spec.containers[2]" (container
+                                        with index 2 in this pod). This syntax is
+                                        chosen only to have some well-defined way
+                                        of referencing a part of an object. TODO:
+                                        this design is not final and this field is
+                                        subject to change in the future.'
+                                      type: string
+                                    kind:
+                                      description: 'Kind of the referent. More info:
+                                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                      type: string
+                                    name:
+                                      description: 'Name of the referent. More info:
+                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                    namespace:
+                                      description: 'Namespace of the referent. More
+                                        info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                      type: string
+                                    resourceVersion:
+                                      description: 'Specific resourceVersion to which
+                                        this reference is made, if any. More info:
+                                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                      type: string
+                                    uid:
+                                      description: 'UID of the referent. More info:
+                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                      type: string
+                                  type: object
+                              required:
+                              - ref
+                              type: object
+                            infrastructure:
+                              description: Infrastructure contains the infrastructure
+                                template reference to be used for the creation of
+                                worker Machines.
+                              properties:
+                                ref:
+                                  description: Ref is a required reference to a custom
+                                    resource offered by a provider.
+                                  properties:
+                                    apiVersion:
+                                      description: API version of the referent.
+                                      type: string
+                                    fieldPath:
+                                      description: 'If referring to a piece of an
+                                        object instead of an entire object, this string
+                                        should contain a valid JSON/Go field access
+                                        statement, such as desiredState.manifest.containers[2].
+                                        For example, if the object reference is to
+                                        a container within a pod, this would take
+                                        on a value like: "spec.containers{name}" (where
+                                        "name" refers to the name of the container
+                                        that triggered the event) or if no container
+                                        name is specified "spec.containers[2]" (container
+                                        with index 2 in this pod). This syntax is
+                                        chosen only to have some well-defined way
+                                        of referencing a part of an object. TODO:
+                                        this design is not final and this field is
+                                        subject to change in the future.'
+                                      type: string
+                                    kind:
+                                      description: 'Kind of the referent. More info:
+                                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                      type: string
+                                    name:
+                                      description: 'Name of the referent. More info:
+                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                    namespace:
+                                      description: 'Namespace of the referent. More
+                                        info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                      type: string
+                                    resourceVersion:
+                                      description: 'Specific resourceVersion to which
+                                        this reference is made, if any. More info:
+                                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                      type: string
+                                    uid:
+                                      description: 'UID of the referent. More info:
+                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                      type: string
+                                  type: object
+                              required:
+                              - ref
+                              type: object
+                            metadata:
+                              description: Metadata is the metadata applied to the
+                                machines of the MachineDeployment. At runtime this
+                                metadata is merged with the corresponding metadata
+                                from the topology.
+                              properties:
+                                annotations:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'Annotations is an unstructured key
+                                    value map stored with a resource that may be set
+                                    by external tools to store and retrieve arbitrary
+                                    metadata. They are not queryable and should be
+                                    preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations'
+                                  type: object
+                                labels:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'Map of string keys and values that
+                                    can be used to organize and categorize (scope
+                                    and select) objects. May match selectors of replication
+                                    controllers and services. More info: http://kubernetes.io/docs/user-guide/labels'
+                                  type: object
+                              type: object
+                          required:
+                          - bootstrap
+                          - infrastructure
+                          type: object
+                      required:
+                      - class
+                      - template
+                      type: object
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of ClusterClass
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ClusterClass is a template which can be used to create managed
+          topologies.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterClassSpec describes the desired state of the ClusterClass.
+            properties:
+              controlPlane:
+                description: ControlPlane is a reference to a local struct that holds
+                  the details for provisioning the Control Plane for the Cluster.
+                properties:
+                  machineHealthCheck:
+                    description: MachineHealthCheck defines a MachineHealthCheck for
+                      this ControlPlaneClass. This field is supported if and only
+                      if the ControlPlane provider template referenced above is Machine
+                      based and supports setting replicas.
+                    properties:
+                      maxUnhealthy:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: Any further remediation is only allowed if at
+                          most "MaxUnhealthy" machines selected by "selector" are
+                          not healthy.
+                        x-kubernetes-int-or-string: true
+                      nodeStartupTimeout:
+                        description: Machines older than this duration without a node
+                          will be considered to have failed and will be remediated.
+                          If you wish to disable this feature, set the value explicitly
+                          to 0.
+                        type: string
+                      remediationTemplate:
+                        description: "RemediationTemplate is a reference to a remediation
+                          template provided by an infrastructure provider. \n This
+                          field is completely optional, when filled, the MachineHealthCheck
+                          controller creates a new object from the template referenced
+                          and hands off remediation of the machine to a controller
+                          that lives outside of Cluster API."
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      unhealthyConditions:
+                        description: UnhealthyConditions contains a list of the conditions
+                          that determine whether a node is considered unhealthy. The
+                          conditions are combined in a logical OR, i.e. if any of
+                          the conditions is met, the node is unhealthy.
+                        items:
+                          description: UnhealthyCondition represents a Node condition
+                            type and value with a timeout specified as a duration.  When
+                            the named condition has been in the given status for at
+                            least the timeout value, a node is considered unhealthy.
+                          properties:
+                            status:
+                              minLength: 1
+                              type: string
+                            timeout:
+                              type: string
+                            type:
+                              minLength: 1
+                              type: string
+                          required:
+                          - status
+                          - timeout
+                          - type
+                          type: object
+                        type: array
+                      unhealthyRange:
+                        description: 'Any further remediation is only allowed if the
+                          number of machines selected by "selector" as not healthy
+                          is within the range of "UnhealthyRange". Takes precedence
+                          over MaxUnhealthy. Eg. "[3-5]" - This means that remediation
+                          will be allowed only when: (a) there are at least 3 unhealthy
+                          machines (and) (b) there are at most 5 unhealthy machines'
+                        type: string
+                    type: object
+                  machineInfrastructure:
+                    description: "MachineInfrastructure defines the metadata and infrastructure
+                      information for control plane machines. \n This field is supported
+                      if and only if the control plane provider template referenced
+                      above is Machine based and supports setting replicas."
+                    properties:
+                      ref:
+                        description: Ref is a required reference to a custom resource
+                          offered by a provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                    required:
+                    - ref
+                    type: object
+                  metadata:
+                    description: "Metadata is the metadata applied to the machines
+                      of the ControlPlane. At runtime this metadata is merged with
+                      the corresponding metadata from the topology. \n This field
+                      is supported if and only if the control plane provider template
+                      referenced is Machine based."
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  ref:
+                    description: Ref is a required reference to a custom resource
+                      offered by a provider.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                required:
+                - ref
+                type: object
+              infrastructure:
+                description: Infrastructure is a reference to a provider-specific
+                  template that holds the details for provisioning infrastructure
+                  specific cluster for the underlying provider. The underlying provider
+                  is responsible for the implementation of the template to an infrastructure
+                  cluster.
+                properties:
+                  ref:
+                    description: Ref is a required reference to a custom resource
+                      offered by a provider.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                required:
+                - ref
+                type: object
+              patches:
+                description: 'Patches defines the patches which are applied to customize
+                  referenced templates of a ClusterClass. Note: Patches will be applied
+                  in the order of the array.'
+                items:
+                  description: ClusterClassPatch defines a patch which is applied
+                    to customize the referenced templates.
+                  properties:
+                    definitions:
+                      description: 'Definitions define the patches inline. Note: Patches
+                        will be applied in the order of the array.'
+                      items:
+                        description: PatchDefinition defines a patch which is applied
+                          to customize the referenced templates.
+                        properties:
+                          jsonPatches:
+                            description: 'JSONPatches defines the patches which should
+                              be applied on the templates matching the selector. Note:
+                              Patches will be applied in the order of the array.'
+                            items:
+                              description: JSONPatch defines a JSON patch.
+                              properties:
+                                op:
+                                  description: 'Op defines the operation of the patch.
+                                    Note: Only `add`, `replace` and `remove` are supported.'
+                                  type: string
+                                path:
+                                  description: 'Path defines the path of the patch.
+                                    Note: Only the spec of a template can be patched,
+                                    thus the path has to start with /spec/. Note:
+                                    For now the only allowed array modifications are
+                                    `append` and `prepend`, i.e.: * for op: `add`:
+                                    only index 0 (prepend) and - (append) are allowed
+                                    * for op: `replace` or `remove`: no indexes are
+                                    allowed'
+                                  type: string
+                                value:
+                                  description: 'Value defines the value of the patch.
+                                    Note: Either Value or ValueFrom is required for
+                                    add and replace operations. Only one of them is
+                                    allowed to be set at the same time. Note: We have
+                                    to use apiextensionsv1.JSON instead of our JSON
+                                    type, because controller-tools has a hard-coded
+                                    schema for apiextensionsv1.JSON which cannot be
+                                    produced by another type (unset type field). Ref:
+                                    https://github.com/kubernetes-sigs/controller-tools/blob/d0e03a142d0ecdd5491593e941ee1d6b5d91dba6/pkg/crd/known_types.go#L106-L111'
+                                  x-kubernetes-preserve-unknown-fields: true
+                                valueFrom:
+                                  description: 'ValueFrom defines the value of the
+                                    patch. Note: Either Value or ValueFrom is required
+                                    for add and replace operations. Only one of them
+                                    is allowed to be set at the same time.'
+                                  properties:
+                                    template:
+                                      description: 'Template is the Go template to
+                                        be used to calculate the value. A template
+                                        can reference variables defined in .spec.variables
+                                        and builtin variables. Note: The template
+                                        must evaluate to a valid YAML or JSON value.'
+                                      type: string
+                                    variable:
+                                      description: Variable is the variable to be
+                                        used as value. Variable can be one of the
+                                        variables defined in .spec.variables or a
+                                        builtin variable.
+                                      type: string
+                                  type: object
+                              required:
+                              - op
+                              - path
+                              type: object
+                            type: array
+                          selector:
+                            description: Selector defines on which templates the patch
+                              should be applied.
+                            properties:
+                              apiVersion:
+                                description: APIVersion filters templates by apiVersion.
+                                type: string
+                              kind:
+                                description: Kind filters templates by kind.
+                                type: string
+                              matchResources:
+                                description: MatchResources selects templates based
+                                  on where they are referenced.
+                                properties:
+                                  controlPlane:
+                                    description: 'ControlPlane selects templates referenced
+                                      in .spec.ControlPlane. Note: this will match
+                                      the controlPlane and also the controlPlane machineInfrastructure
+                                      (depending on the kind and apiVersion).'
+                                    type: boolean
+                                  infrastructureCluster:
+                                    description: InfrastructureCluster selects templates
+                                      referenced in .spec.infrastructure.
+                                    type: boolean
+                                  machineDeploymentClass:
+                                    description: MachineDeploymentClass selects templates
+                                      referenced in specific MachineDeploymentClasses
+                                      in .spec.workers.machineDeployments.
+                                    properties:
+                                      names:
+                                        description: Names selects templates by class
+                                          names.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                type: object
+                            required:
+                            - apiVersion
+                            - kind
+                            - matchResources
+                            type: object
+                        required:
+                        - jsonPatches
+                        - selector
+                        type: object
+                      type: array
+                    description:
+                      description: Description is a human-readable description of
+                        this patch.
+                      type: string
+                    enabledIf:
+                      description: EnabledIf is a Go template to be used to calculate
+                        if a patch should be enabled. It can reference variables defined
+                        in .spec.variables and builtin variables. The patch will be
+                        enabled if the template evaluates to `true`, otherwise it
+                        will be disabled. If EnabledIf is not set, the patch will
+                        be enabled per default.
+                      type: string
+                    name:
+                      description: Name of the patch.
+                      type: string
+                  required:
+                  - definitions
+                  - name
+                  type: object
+                type: array
+              variables:
+                description: Variables defines the variables which can be configured
+                  in the Cluster topology and are then used in patches.
+                items:
+                  description: ClusterClassVariable defines a variable which can be
+                    configured in the Cluster topology and used in patches.
+                  properties:
+                    name:
+                      description: Name of the variable.
+                      type: string
+                    required:
+                      description: 'Required specifies if the variable is required.
+                        Note: this applies to the variable as a whole and thus the
+                        top-level object defined in the schema. If nested fields are
+                        required, this will be specified inside the schema.'
+                      type: boolean
+                    schema:
+                      description: Schema defines the schema of the variable.
+                      properties:
+                        openAPIV3Schema:
+                          description: OpenAPIV3Schema defines the schema of a variable
+                            via OpenAPI v3 schema. The schema is a subset of the schema
+                            used in Kubernetes CRDs.
+                          properties:
+                            additionalProperties:
+                              description: 'AdditionalProperties specifies the schema
+                                of values in a map (keys are always strings). NOTE:
+                                Can only be set if type is object. NOTE: AdditionalProperties
+                                is mutually exclusive with Properties. NOTE: This
+                                field uses PreserveUnknownFields and Schemaless, because
+                                recursive validation is not possible.'
+                              x-kubernetes-preserve-unknown-fields: true
+                            default:
+                              description: 'Default is the default value of the variable.
+                                NOTE: Can be set for all types.'
+                              x-kubernetes-preserve-unknown-fields: true
+                            description:
+                              description: Description is a human-readable description
+                                of this variable.
+                              type: string
+                            enum:
+                              description: 'Enum is the list of valid values of the
+                                variable. NOTE: Can be set for all types.'
+                              items:
+                                x-kubernetes-preserve-unknown-fields: true
+                              type: array
+                            example:
+                              description: Example is an example for this variable.
+                              x-kubernetes-preserve-unknown-fields: true
+                            exclusiveMaximum:
+                              description: 'ExclusiveMaximum specifies if the Maximum
+                                is exclusive. NOTE: Can only be set if type is integer
+                                or number.'
+                              type: boolean
+                            exclusiveMinimum:
+                              description: 'ExclusiveMinimum specifies if the Minimum
+                                is exclusive. NOTE: Can only be set if type is integer
+                                or number.'
+                              type: boolean
+                            format:
+                              description: 'Format is an OpenAPI v3 format string.
+                                Unknown formats are ignored. For a list of supported
+                                formats please see: (of the k8s.io/apiextensions-apiserver
+                                version we''re currently using) https://github.com/kubernetes/apiextensions-apiserver/blob/master/pkg/apiserver/validation/formats.go
+                                NOTE: Can only be set if type is string.'
+                              type: string
+                            items:
+                              description: 'Items specifies fields of an array. NOTE:
+                                Can only be set if type is array. NOTE: This field
+                                uses PreserveUnknownFields and Schemaless, because
+                                recursive validation is not possible.'
+                              x-kubernetes-preserve-unknown-fields: true
+                            maxItems:
+                              description: 'MaxItems is the max length of an array
+                                variable. NOTE: Can only be set if type is array.'
+                              format: int64
+                              type: integer
+                            maxLength:
+                              description: 'MaxLength is the max length of a string
+                                variable. NOTE: Can only be set if type is string.'
+                              format: int64
+                              type: integer
+                            maximum:
+                              description: 'Maximum is the maximum of an integer or
+                                number variable. If ExclusiveMaximum is false, the
+                                variable is valid if it is lower than, or equal to,
+                                the value of Maximum. If ExclusiveMaximum is true,
+                                the variable is valid if it is strictly lower than
+                                the value of Maximum. NOTE: Can only be set if type
+                                is integer or number.'
+                              format: int64
+                              type: integer
+                            minItems:
+                              description: 'MinItems is the min length of an array
+                                variable. NOTE: Can only be set if type is array.'
+                              format: int64
+                              type: integer
+                            minLength:
+                              description: 'MinLength is the min length of a string
+                                variable. NOTE: Can only be set if type is string.'
+                              format: int64
+                              type: integer
+                            minimum:
+                              description: 'Minimum is the minimum of an integer or
+                                number variable. If ExclusiveMinimum is false, the
+                                variable is valid if it is greater than, or equal
+                                to, the value of Minimum. If ExclusiveMinimum is true,
+                                the variable is valid if it is strictly greater than
+                                the value of Minimum. NOTE: Can only be set if type
+                                is integer or number.'
+                              format: int64
+                              type: integer
+                            pattern:
+                              description: 'Pattern is the regex which a string variable
+                                must match. NOTE: Can only be set if type is string.'
+                              type: string
+                            properties:
+                              description: 'Properties specifies fields of an object.
+                                NOTE: Can only be set if type is object. NOTE: Properties
+                                is mutually exclusive with AdditionalProperties. NOTE:
+                                This field uses PreserveUnknownFields and Schemaless,
+                                because recursive validation is not possible.'
+                              x-kubernetes-preserve-unknown-fields: true
+                            required:
+                              description: 'Required specifies which fields of an
+                                object are required. NOTE: Can only be set if type
+                                is object.'
+                              items:
+                                type: string
+                              type: array
+                            type:
+                              description: 'Type is the type of the variable. Valid
+                                values are: object, array, string, integer, number
+                                or boolean.'
+                              type: string
+                            uniqueItems:
+                              description: 'UniqueItems specifies if items in an array
+                                must be unique. NOTE: Can only be set if type is array.'
+                              type: boolean
+                          required:
+                          - type
+                          type: object
+                      required:
+                      - openAPIV3Schema
+                      type: object
+                  required:
+                  - name
+                  - required
+                  - schema
+                  type: object
+                type: array
+              workers:
+                description: Workers describes the worker nodes for the cluster. It
+                  is a collection of node types which can be used to create the worker
+                  nodes of the cluster.
+                properties:
+                  machineDeployments:
+                    description: MachineDeployments is a list of machine deployment
+                      classes that can be used to create a set of worker nodes.
+                    items:
+                      description: MachineDeploymentClass serves as a template to
+                        define a set of worker nodes of the cluster provisioned using
+                        the `ClusterClass`.
+                      properties:
+                        class:
+                          description: Class denotes a type of worker node present
+                            in the cluster, this name MUST be unique within a ClusterClass
+                            and can be referenced in the Cluster to create a managed
+                            MachineDeployment.
+                          type: string
+                        machineHealthCheck:
+                          description: MachineHealthCheck defines a MachineHealthCheck
+                            for this MachineDeploymentClass.
+                          properties:
+                            maxUnhealthy:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: Any further remediation is only allowed
+                                if at most "MaxUnhealthy" machines selected by "selector"
+                                are not healthy.
+                              x-kubernetes-int-or-string: true
+                            nodeStartupTimeout:
+                              description: Machines older than this duration without
+                                a node will be considered to have failed and will
+                                be remediated. If you wish to disable this feature,
+                                set the value explicitly to 0.
+                              type: string
+                            remediationTemplate:
+                              description: "RemediationTemplate is a reference to
+                                a remediation template provided by an infrastructure
+                                provider. \n This field is completely optional, when
+                                filled, the MachineHealthCheck controller creates
+                                a new object from the template referenced and hands
+                                off remediation of the machine to a controller that
+                                lives outside of Cluster API."
+                              properties:
+                                apiVersion:
+                                  description: API version of the referent.
+                                  type: string
+                                fieldPath:
+                                  description: 'If referring to a piece of an object
+                                    instead of an entire object, this string should
+                                    contain a valid JSON/Go field access statement,
+                                    such as desiredState.manifest.containers[2]. For
+                                    example, if the object reference is to a container
+                                    within a pod, this would take on a value like:
+                                    "spec.containers{name}" (where "name" refers to
+                                    the name of the container that triggered the event)
+                                    or if no container name is specified "spec.containers[2]"
+                                    (container with index 2 in this pod). This syntax
+                                    is chosen only to have some well-defined way of
+                                    referencing a part of an object. TODO: this design
+                                    is not final and this field is subject to change
+                                    in the future.'
+                                  type: string
+                                kind:
+                                  description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                  type: string
+                                name:
+                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                  type: string
+                                namespace:
+                                  description: 'Namespace of the referent. More info:
+                                    https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                  type: string
+                                resourceVersion:
+                                  description: 'Specific resourceVersion to which
+                                    this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                  type: string
+                                uid:
+                                  description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                  type: string
+                              type: object
+                            unhealthyConditions:
+                              description: UnhealthyConditions contains a list of
+                                the conditions that determine whether a node is considered
+                                unhealthy. The conditions are combined in a logical
+                                OR, i.e. if any of the conditions is met, the node
+                                is unhealthy.
+                              items:
+                                description: UnhealthyCondition represents a Node
+                                  condition type and value with a timeout specified
+                                  as a duration.  When the named condition has been
+                                  in the given status for at least the timeout value,
+                                  a node is considered unhealthy.
+                                properties:
+                                  status:
+                                    minLength: 1
+                                    type: string
+                                  timeout:
+                                    type: string
+                                  type:
+                                    minLength: 1
+                                    type: string
+                                required:
+                                - status
+                                - timeout
+                                - type
+                                type: object
+                              type: array
+                            unhealthyRange:
+                              description: 'Any further remediation is only allowed
+                                if the number of machines selected by "selector" as
+                                not healthy is within the range of "UnhealthyRange".
+                                Takes precedence over MaxUnhealthy. Eg. "[3-5]" -
+                                This means that remediation will be allowed only when:
+                                (a) there are at least 3 unhealthy machines (and)
+                                (b) there are at most 5 unhealthy machines'
+                              type: string
+                          type: object
+                        template:
+                          description: Template is a local struct containing a collection
+                            of templates for creation of MachineDeployment objects
+                            representing a set of worker nodes.
+                          properties:
+                            bootstrap:
+                              description: Bootstrap contains the bootstrap template
+                                reference to be used for the creation of worker Machines.
+                              properties:
+                                ref:
+                                  description: Ref is a required reference to a custom
+                                    resource offered by a provider.
+                                  properties:
+                                    apiVersion:
+                                      description: API version of the referent.
+                                      type: string
+                                    fieldPath:
+                                      description: 'If referring to a piece of an
+                                        object instead of an entire object, this string
+                                        should contain a valid JSON/Go field access
+                                        statement, such as desiredState.manifest.containers[2].
+                                        For example, if the object reference is to
+                                        a container within a pod, this would take
+                                        on a value like: "spec.containers{name}" (where
+                                        "name" refers to the name of the container
+                                        that triggered the event) or if no container
+                                        name is specified "spec.containers[2]" (container
+                                        with index 2 in this pod). This syntax is
+                                        chosen only to have some well-defined way
+                                        of referencing a part of an object. TODO:
+                                        this design is not final and this field is
+                                        subject to change in the future.'
+                                      type: string
+                                    kind:
+                                      description: 'Kind of the referent. More info:
+                                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                      type: string
+                                    name:
+                                      description: 'Name of the referent. More info:
+                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                    namespace:
+                                      description: 'Namespace of the referent. More
+                                        info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                      type: string
+                                    resourceVersion:
+                                      description: 'Specific resourceVersion to which
+                                        this reference is made, if any. More info:
+                                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                      type: string
+                                    uid:
+                                      description: 'UID of the referent. More info:
+                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                      type: string
+                                  type: object
+                              required:
+                              - ref
+                              type: object
+                            infrastructure:
+                              description: Infrastructure contains the infrastructure
+                                template reference to be used for the creation of
+                                worker Machines.
+                              properties:
+                                ref:
+                                  description: Ref is a required reference to a custom
+                                    resource offered by a provider.
+                                  properties:
+                                    apiVersion:
+                                      description: API version of the referent.
+                                      type: string
+                                    fieldPath:
+                                      description: 'If referring to a piece of an
+                                        object instead of an entire object, this string
+                                        should contain a valid JSON/Go field access
+                                        statement, such as desiredState.manifest.containers[2].
+                                        For example, if the object reference is to
+                                        a container within a pod, this would take
+                                        on a value like: "spec.containers{name}" (where
+                                        "name" refers to the name of the container
+                                        that triggered the event) or if no container
+                                        name is specified "spec.containers[2]" (container
+                                        with index 2 in this pod). This syntax is
+                                        chosen only to have some well-defined way
+                                        of referencing a part of an object. TODO:
+                                        this design is not final and this field is
+                                        subject to change in the future.'
+                                      type: string
+                                    kind:
+                                      description: 'Kind of the referent. More info:
+                                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                      type: string
+                                    name:
+                                      description: 'Name of the referent. More info:
+                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                    namespace:
+                                      description: 'Namespace of the referent. More
+                                        info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                      type: string
+                                    resourceVersion:
+                                      description: 'Specific resourceVersion to which
+                                        this reference is made, if any. More info:
+                                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                      type: string
+                                    uid:
+                                      description: 'UID of the referent. More info:
+                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                      type: string
+                                  type: object
+                              required:
+                              - ref
+                              type: object
+                            metadata:
+                              description: Metadata is the metadata applied to the
+                                machines of the MachineDeployment. At runtime this
+                                metadata is merged with the corresponding metadata
+                                from the topology.
+                              properties:
+                                annotations:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'Annotations is an unstructured key
+                                    value map stored with a resource that may be set
+                                    by external tools to store and retrieve arbitrary
+                                    metadata. They are not queryable and should be
+                                    preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations'
+                                  type: object
+                                labels:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'Map of string keys and values that
+                                    can be used to organize and categorize (scope
+                                    and select) objects. May match selectors of replication
+                                    controllers and services. More info: http://kubernetes.io/docs/user-guide/labels'
+                                  type: object
+                              type: object
+                          required:
+                          - bootstrap
+                          - infrastructure
+                          type: object
+                      required:
+                      - class
+                      - template
+                      type: object
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: clusterresourcesetbindings.addons.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: addons.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: ClusterResourceSetBinding
+    listKind: ClusterResourceSetBindingList
+    plural: clusterresourcesetbindings
+    singular: clusterresourcesetbinding
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: ClusterResourceSetBinding lists all matching ClusterResourceSets
+          with the cluster it belongs to.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterResourceSetBindingSpec defines the desired state of
+              ClusterResourceSetBinding.
+            properties:
+              bindings:
+                description: Bindings is a list of ClusterResourceSets and their resources.
+                items:
+                  description: ResourceSetBinding keeps info on all of the resources
+                    in a ClusterResourceSet.
+                  properties:
+                    clusterResourceSetName:
+                      description: ClusterResourceSetName is the name of the ClusterResourceSet
+                        that is applied to the owner cluster of the binding.
+                      type: string
+                    resources:
+                      description: Resources is a list of resources that the ClusterResourceSet
+                        has.
+                      items:
+                        description: ResourceBinding shows the status of a resource
+                          that belongs to a ClusterResourceSet matched by the owner
+                          cluster of the ClusterResourceSetBinding object.
+                        properties:
+                          applied:
+                            description: Applied is to track if a resource is applied
+                              to the cluster or not.
+                            type: boolean
+                          hash:
+                            description: Hash is the hash of a resource's data. This
+                              can be used to decide if a resource is changed. For
+                              "ApplyOnce" ClusterResourceSet.spec.strategy, this is
+                              no-op as that strategy does not act on change.
+                            type: string
+                          kind:
+                            description: 'Kind of the resource. Supported kinds are:
+                              Secrets and ConfigMaps.'
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          lastAppliedTime:
+                            description: LastAppliedTime identifies when this resource
+                              was last applied to the cluster.
+                            format: date-time
+                            type: string
+                          name:
+                            description: Name of the resource that is in the same
+                              namespace with ClusterResourceSet object.
+                            minLength: 1
+                            type: string
+                        required:
+                        - applied
+                        - kind
+                        - name
+                        type: object
+                      type: array
+                  required:
+                  - clusterResourceSetName
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of ClusterResourceSetBinding
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: ClusterResourceSetBinding lists all matching ClusterResourceSets
+          with the cluster it belongs to.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterResourceSetBindingSpec defines the desired state of
+              ClusterResourceSetBinding.
+            properties:
+              bindings:
+                description: Bindings is a list of ClusterResourceSets and their resources.
+                items:
+                  description: ResourceSetBinding keeps info on all of the resources
+                    in a ClusterResourceSet.
+                  properties:
+                    clusterResourceSetName:
+                      description: ClusterResourceSetName is the name of the ClusterResourceSet
+                        that is applied to the owner cluster of the binding.
+                      type: string
+                    resources:
+                      description: Resources is a list of resources that the ClusterResourceSet
+                        has.
+                      items:
+                        description: ResourceBinding shows the status of a resource
+                          that belongs to a ClusterResourceSet matched by the owner
+                          cluster of the ClusterResourceSetBinding object.
+                        properties:
+                          applied:
+                            description: Applied is to track if a resource is applied
+                              to the cluster or not.
+                            type: boolean
+                          hash:
+                            description: Hash is the hash of a resource's data. This
+                              can be used to decide if a resource is changed. For
+                              "ApplyOnce" ClusterResourceSet.spec.strategy, this is
+                              no-op as that strategy does not act on change.
+                            type: string
+                          kind:
+                            description: 'Kind of the resource. Supported kinds are:
+                              Secrets and ConfigMaps.'
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          lastAppliedTime:
+                            description: LastAppliedTime identifies when this resource
+                              was last applied to the cluster.
+                            format: date-time
+                            type: string
+                          name:
+                            description: Name of the resource that is in the same
+                              namespace with ClusterResourceSet object.
+                            minLength: 1
+                            type: string
+                        required:
+                        - applied
+                        - kind
+                        - name
+                        type: object
+                      type: array
+                  required:
+                  - clusterResourceSetName
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of ClusterResourceSetBinding
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ClusterResourceSetBinding lists all matching ClusterResourceSets
+          with the cluster it belongs to.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterResourceSetBindingSpec defines the desired state of
+              ClusterResourceSetBinding.
+            properties:
+              bindings:
+                description: Bindings is a list of ClusterResourceSets and their resources.
+                items:
+                  description: ResourceSetBinding keeps info on all of the resources
+                    in a ClusterResourceSet.
+                  properties:
+                    clusterResourceSetName:
+                      description: ClusterResourceSetName is the name of the ClusterResourceSet
+                        that is applied to the owner cluster of the binding.
+                      type: string
+                    resources:
+                      description: Resources is a list of resources that the ClusterResourceSet
+                        has.
+                      items:
+                        description: ResourceBinding shows the status of a resource
+                          that belongs to a ClusterResourceSet matched by the owner
+                          cluster of the ClusterResourceSetBinding object.
+                        properties:
+                          applied:
+                            description: Applied is to track if a resource is applied
+                              to the cluster or not.
+                            type: boolean
+                          hash:
+                            description: Hash is the hash of a resource's data. This
+                              can be used to decide if a resource is changed. For
+                              "ApplyOnce" ClusterResourceSet.spec.strategy, this is
+                              no-op as that strategy does not act on change.
+                            type: string
+                          kind:
+                            description: 'Kind of the resource. Supported kinds are:
+                              Secrets and ConfigMaps.'
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                          lastAppliedTime:
+                            description: LastAppliedTime identifies when this resource
+                              was last applied to the cluster.
+                            format: date-time
+                            type: string
+                          name:
+                            description: Name of the resource that is in the same
+                              namespace with ClusterResourceSet object.
+                            minLength: 1
+                            type: string
+                        required:
+                        - applied
+                        - kind
+                        - name
+                        type: object
+                      type: array
+                  required:
+                  - clusterResourceSetName
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: clusterresourcesets.addons.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: addons.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: ClusterResourceSet
+    listKind: ClusterResourceSetList
+    plural: clusterresourcesets
+    singular: clusterresourceset
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: ClusterResourceSet is the Schema for the clusterresourcesets
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterResourceSetSpec defines the desired state of ClusterResourceSet.
+            properties:
+              clusterSelector:
+                description: Label selector for Clusters. The Clusters that are selected
+                  by this will be the ones affected by this ClusterResourceSet. It
+                  must match the Cluster labels. This field is immutable.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              resources:
+                description: Resources is a list of Secrets/ConfigMaps where each
+                  contains 1 or more resources to be applied to remote clusters.
+                items:
+                  description: ResourceRef specifies a resource.
+                  properties:
+                    kind:
+                      description: 'Kind of the resource. Supported kinds are: Secrets
+                        and ConfigMaps.'
+                      enum:
+                      - Secret
+                      - ConfigMap
+                      type: string
+                    name:
+                      description: Name of the resource that is in the same namespace
+                        with ClusterResourceSet object.
+                      minLength: 1
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+              strategy:
+                description: Strategy is the strategy to be used during applying resources.
+                  Defaults to ApplyOnce. This field is immutable.
+                enum:
+                - ApplyOnce
+                type: string
+            required:
+            - clusterSelector
+            type: object
+          status:
+            description: ClusterResourceSetStatus defines the observed state of ClusterResourceSet.
+            properties:
+              conditions:
+                description: Conditions defines current state of the ClusterResourceSet.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration reflects the generation of the most
+                  recently observed ClusterResourceSet.
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of ClusterResourceSet
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: ClusterResourceSet is the Schema for the clusterresourcesets
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterResourceSetSpec defines the desired state of ClusterResourceSet.
+            properties:
+              clusterSelector:
+                description: Label selector for Clusters. The Clusters that are selected
+                  by this will be the ones affected by this ClusterResourceSet. It
+                  must match the Cluster labels. This field is immutable. Label selector
+                  cannot be empty.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              resources:
+                description: Resources is a list of Secrets/ConfigMaps where each
+                  contains 1 or more resources to be applied to remote clusters.
+                items:
+                  description: ResourceRef specifies a resource.
+                  properties:
+                    kind:
+                      description: 'Kind of the resource. Supported kinds are: Secrets
+                        and ConfigMaps.'
+                      enum:
+                      - Secret
+                      - ConfigMap
+                      type: string
+                    name:
+                      description: Name of the resource that is in the same namespace
+                        with ClusterResourceSet object.
+                      minLength: 1
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+              strategy:
+                description: Strategy is the strategy to be used during applying resources.
+                  Defaults to ApplyOnce. This field is immutable.
+                enum:
+                - ApplyOnce
+                type: string
+            required:
+            - clusterSelector
+            type: object
+          status:
+            description: ClusterResourceSetStatus defines the observed state of ClusterResourceSet.
+            properties:
+              conditions:
+                description: Conditions defines current state of the ClusterResourceSet.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration reflects the generation of the most
+                  recently observed ClusterResourceSet.
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of ClusterResourceSet
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ClusterResourceSet is the Schema for the clusterresourcesets
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterResourceSetSpec defines the desired state of ClusterResourceSet.
+            properties:
+              clusterSelector:
+                description: Label selector for Clusters. The Clusters that are selected
+                  by this will be the ones affected by this ClusterResourceSet. It
+                  must match the Cluster labels. This field is immutable. Label selector
+                  cannot be empty.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              resources:
+                description: Resources is a list of Secrets/ConfigMaps where each
+                  contains 1 or more resources to be applied to remote clusters.
+                items:
+                  description: ResourceRef specifies a resource.
+                  properties:
+                    kind:
+                      description: 'Kind of the resource. Supported kinds are: Secrets
+                        and ConfigMaps.'
+                      enum:
+                      - Secret
+                      - ConfigMap
+                      type: string
+                    name:
+                      description: Name of the resource that is in the same namespace
+                        with ClusterResourceSet object.
+                      minLength: 1
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+              strategy:
+                description: Strategy is the strategy to be used during applying resources.
+                  Defaults to ApplyOnce. This field is immutable.
+                enum:
+                - ApplyOnce
+                type: string
+            required:
+            - clusterSelector
+            type: object
+          status:
+            description: ClusterResourceSetStatus defines the observed state of ClusterResourceSet.
+            properties:
+              conditions:
+                description: Conditions defines current state of the ClusterResourceSet.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration reflects the generation of the most
+                  recently observed ClusterResourceSet.
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: clusters.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-webhook-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: Cluster
+    listKind: ClusterList
+    plural: clusters
+    shortNames:
+    - cl
+    singular: cluster
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Cluster status such as Pending/Provisioning/Provisioned/Deleting/Failed
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: Cluster is the Schema for the clusters API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterSpec defines the desired state of Cluster.
+            properties:
+              clusterNetwork:
+                description: Cluster network configuration.
+                properties:
+                  apiServerPort:
+                    description: APIServerPort specifies the port the API Server should
+                      bind to. Defaults to 6443.
+                    format: int32
+                    type: integer
+                  pods:
+                    description: The network ranges from which Pod networks are allocated.
+                    properties:
+                      cidrBlocks:
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - cidrBlocks
+                    type: object
+                  serviceDomain:
+                    description: Domain name for services.
+                    type: string
+                  services:
+                    description: The network ranges from which service VIPs are allocated.
+                    properties:
+                      cidrBlocks:
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - cidrBlocks
+                    type: object
+                type: object
+              controlPlaneEndpoint:
+                description: ControlPlaneEndpoint represents the endpoint used to
+                  communicate with the control plane.
+                properties:
+                  host:
+                    description: The hostname on which the API server is serving.
+                    type: string
+                  port:
+                    description: The port on which the API server is serving.
+                    format: int32
+                    type: integer
+                required:
+                - host
+                - port
+                type: object
+              controlPlaneRef:
+                description: ControlPlaneRef is an optional reference to a provider-specific
+                  resource that holds the details for provisioning the Control Plane
+                  for a Cluster.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              infrastructureRef:
+                description: InfrastructureRef is a reference to a provider-specific
+                  resource that holds the details for provisioning infrastructure
+                  for a cluster in said provider.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              paused:
+                description: Paused can be used to prevent controllers from processing
+                  the Cluster and all its associated objects.
+                type: boolean
+            type: object
+          status:
+            description: ClusterStatus defines the observed state of Cluster.
+            properties:
+              conditions:
+                description: Conditions defines current service state of the cluster.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              controlPlaneInitialized:
+                description: ControlPlaneInitialized defines if the control plane
+                  has been initialized.
+                type: boolean
+              controlPlaneReady:
+                description: ControlPlaneReady defines if the control plane is ready.
+                type: boolean
+              failureDomains:
+                additionalProperties:
+                  description: FailureDomainSpec is the Schema for Cluster API failure
+                    domains. It allows controllers to understand how many failure
+                    domains a cluster can optionally span across.
+                  properties:
+                    attributes:
+                      additionalProperties:
+                        type: string
+                      description: Attributes is a free form map of attributes an
+                        infrastructure provider might use or require.
+                      type: object
+                    controlPlane:
+                      description: ControlPlane determines if this failure domain
+                        is suitable for use by control plane machines.
+                      type: boolean
+                  type: object
+                description: FailureDomains is a slice of failure domain objects synced
+                  from the infrastructure provider.
+                type: object
+              failureMessage:
+                description: FailureMessage indicates that there is a fatal problem
+                  reconciling the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a fatal problem
+                  reconciling the state, and will be set to a token value suitable
+                  for programmatic interpretation.
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of cluster actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of Cluster
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Cluster status such as Pending/Provisioning/Provisioned/Deleting/Failed
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: Cluster is the Schema for the clusters API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterSpec defines the desired state of Cluster.
+            properties:
+              clusterNetwork:
+                description: Cluster network configuration.
+                properties:
+                  apiServerPort:
+                    description: APIServerPort specifies the port the API Server should
+                      bind to. Defaults to 6443.
+                    format: int32
+                    type: integer
+                  pods:
+                    description: The network ranges from which Pod networks are allocated.
+                    properties:
+                      cidrBlocks:
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - cidrBlocks
+                    type: object
+                  serviceDomain:
+                    description: Domain name for services.
+                    type: string
+                  services:
+                    description: The network ranges from which service VIPs are allocated.
+                    properties:
+                      cidrBlocks:
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - cidrBlocks
+                    type: object
+                type: object
+              controlPlaneEndpoint:
+                description: ControlPlaneEndpoint represents the endpoint used to
+                  communicate with the control plane.
+                properties:
+                  host:
+                    description: The hostname on which the API server is serving.
+                    type: string
+                  port:
+                    description: The port on which the API server is serving.
+                    format: int32
+                    type: integer
+                required:
+                - host
+                - port
+                type: object
+              controlPlaneRef:
+                description: ControlPlaneRef is an optional reference to a provider-specific
+                  resource that holds the details for provisioning the Control Plane
+                  for a Cluster.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              infrastructureRef:
+                description: InfrastructureRef is a reference to a provider-specific
+                  resource that holds the details for provisioning infrastructure
+                  for a cluster in said provider.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              paused:
+                description: Paused can be used to prevent controllers from processing
+                  the Cluster and all its associated objects.
+                type: boolean
+              topology:
+                description: 'This encapsulates the topology for the cluster. NOTE:
+                  It is required to enable the ClusterTopology feature gate flag to
+                  activate managed topologies support; this feature is highly experimental,
+                  and parts of it might still be not implemented.'
+                properties:
+                  class:
+                    description: The name of the ClusterClass object to create the
+                      topology.
+                    type: string
+                  controlPlane:
+                    description: ControlPlane describes the cluster control plane.
+                    properties:
+                      metadata:
+                        description: "Metadata is the metadata applied to the machines
+                          of the ControlPlane. At runtime this metadata is merged
+                          with the corresponding metadata from the ClusterClass. \n
+                          This field is supported if and only if the control plane
+                          provider template referenced in the ClusterClass is Machine
+                          based."
+                        properties:
+                          annotations:
+                            additionalProperties:
+                              type: string
+                            description: 'Annotations is an unstructured key value
+                              map stored with a resource that may be set by external
+                              tools to store and retrieve arbitrary metadata. They
+                              are not queryable and should be preserved when modifying
+                              objects. More info: http://kubernetes.io/docs/user-guide/annotations'
+                            type: object
+                          labels:
+                            additionalProperties:
+                              type: string
+                            description: 'Map of string keys and values that can be
+                              used to organize and categorize (scope and select) objects.
+                              May match selectors of replication controllers and services.
+                              More info: http://kubernetes.io/docs/user-guide/labels'
+                            type: object
+                        type: object
+                      replicas:
+                        description: Replicas is the number of control plane nodes.
+                          If the value is nil, the ControlPlane object is created
+                          without the number of Replicas and it's assumed that the
+                          control plane controller does not implement support for
+                          this field. When specified against a control plane provider
+                          that lacks support for this field, this value will be ignored.
+                        format: int32
+                        type: integer
+                    type: object
+                  rolloutAfter:
+                    description: RolloutAfter performs a rollout of the entire cluster
+                      one component at a time, control plane first and then machine
+                      deployments.
+                    format: date-time
+                    type: string
+                  version:
+                    description: The Kubernetes version of the cluster.
+                    type: string
+                  workers:
+                    description: Workers encapsulates the different constructs that
+                      form the worker nodes for the cluster.
+                    properties:
+                      machineDeployments:
+                        description: MachineDeployments is a list of machine deployments
+                          in the cluster.
+                        items:
+                          description: MachineDeploymentTopology specifies the different
+                            parameters for a set of worker nodes in the topology.
+                            This set of nodes is managed by a MachineDeployment object
+                            whose lifecycle is managed by the Cluster controller.
+                          properties:
+                            class:
+                              description: Class is the name of the MachineDeploymentClass
+                                used to create the set of worker nodes. This should
+                                match one of the deployment classes defined in the
+                                ClusterClass object mentioned in the `Cluster.Spec.Class`
+                                field.
+                              type: string
+                            metadata:
+                              description: Metadata is the metadata applied to the
+                                machines of the MachineDeployment. At runtime this
+                                metadata is merged with the corresponding metadata
+                                from the ClusterClass.
+                              properties:
+                                annotations:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'Annotations is an unstructured key
+                                    value map stored with a resource that may be set
+                                    by external tools to store and retrieve arbitrary
+                                    metadata. They are not queryable and should be
+                                    preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations'
+                                  type: object
+                                labels:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'Map of string keys and values that
+                                    can be used to organize and categorize (scope
+                                    and select) objects. May match selectors of replication
+                                    controllers and services. More info: http://kubernetes.io/docs/user-guide/labels'
+                                  type: object
+                              type: object
+                            name:
+                              description: Name is the unique identifier for this
+                                MachineDeploymentTopology. The value is used with
+                                other unique identifiers to create a MachineDeployment's
+                                Name (e.g. cluster's name, etc). In case the name
+                                is greater than the allowed maximum length, the values
+                                are hashed together.
+                              type: string
+                            replicas:
+                              description: Replicas is the number of worker nodes
+                                belonging to this set. If the value is nil, the MachineDeployment
+                                is created without the number of Replicas (defaulting
+                                to zero) and it's assumed that an external entity
+                                (like cluster autoscaler) is responsible for the management
+                                of this value.
+                              format: int32
+                              type: integer
+                          required:
+                          - class
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                required:
+                - class
+                - version
+                type: object
+            type: object
+          status:
+            description: ClusterStatus defines the observed state of Cluster.
+            properties:
+              conditions:
+                description: Conditions defines current service state of the cluster.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              controlPlaneReady:
+                description: ControlPlaneReady defines if the control plane is ready.
+                type: boolean
+              failureDomains:
+                additionalProperties:
+                  description: FailureDomainSpec is the Schema for Cluster API failure
+                    domains. It allows controllers to understand how many failure
+                    domains a cluster can optionally span across.
+                  properties:
+                    attributes:
+                      additionalProperties:
+                        type: string
+                      description: Attributes is a free form map of attributes an
+                        infrastructure provider might use or require.
+                      type: object
+                    controlPlane:
+                      description: ControlPlane determines if this failure domain
+                        is suitable for use by control plane machines.
+                      type: boolean
+                  type: object
+                description: FailureDomains is a slice of failure domain objects synced
+                  from the infrastructure provider.
+                type: object
+              failureMessage:
+                description: FailureMessage indicates that there is a fatal problem
+                  reconciling the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a fatal problem
+                  reconciling the state, and will be set to a token value suitable
+                  for programmatic interpretation.
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of cluster actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster status such as Pending/Provisioning/Provisioned/Deleting/Failed
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Time duration since creation of Cluster
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Kubernetes version associated with this Cluster
+      jsonPath: .spec.topology.version
+      name: Version
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Cluster is the Schema for the clusters API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterSpec defines the desired state of Cluster.
+            properties:
+              clusterNetwork:
+                description: Cluster network configuration.
+                properties:
+                  apiServerPort:
+                    description: APIServerPort specifies the port the API Server should
+                      bind to. Defaults to 6443.
+                    format: int32
+                    type: integer
+                  pods:
+                    description: The network ranges from which Pod networks are allocated.
+                    properties:
+                      cidrBlocks:
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - cidrBlocks
+                    type: object
+                  serviceDomain:
+                    description: Domain name for services.
+                    type: string
+                  services:
+                    description: The network ranges from which service VIPs are allocated.
+                    properties:
+                      cidrBlocks:
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - cidrBlocks
+                    type: object
+                type: object
+              controlPlaneEndpoint:
+                description: ControlPlaneEndpoint represents the endpoint used to
+                  communicate with the control plane.
+                properties:
+                  host:
+                    description: The hostname on which the API server is serving.
+                    type: string
+                  port:
+                    description: The port on which the API server is serving.
+                    format: int32
+                    type: integer
+                required:
+                - host
+                - port
+                type: object
+              controlPlaneRef:
+                description: ControlPlaneRef is an optional reference to a provider-specific
+                  resource that holds the details for provisioning the Control Plane
+                  for a Cluster.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              infrastructureRef:
+                description: InfrastructureRef is a reference to a provider-specific
+                  resource that holds the details for provisioning infrastructure
+                  for a cluster in said provider.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              paused:
+                description: Paused can be used to prevent controllers from processing
+                  the Cluster and all its associated objects.
+                type: boolean
+              topology:
+                description: 'This encapsulates the topology for the cluster. NOTE:
+                  It is required to enable the ClusterTopology feature gate flag to
+                  activate managed topologies support; this feature is highly experimental,
+                  and parts of it might still be not implemented.'
+                properties:
+                  class:
+                    description: The name of the ClusterClass object to create the
+                      topology.
+                    type: string
+                  controlPlane:
+                    description: ControlPlane describes the cluster control plane.
+                    properties:
+                      metadata:
+                        description: "Metadata is the metadata applied to the machines
+                          of the ControlPlane. At runtime this metadata is merged
+                          with the corresponding metadata from the ClusterClass. \n
+                          This field is supported if and only if the control plane
+                          provider template referenced in the ClusterClass is Machine
+                          based."
+                        properties:
+                          annotations:
+                            additionalProperties:
+                              type: string
+                            description: 'Annotations is an unstructured key value
+                              map stored with a resource that may be set by external
+                              tools to store and retrieve arbitrary metadata. They
+                              are not queryable and should be preserved when modifying
+                              objects. More info: http://kubernetes.io/docs/user-guide/annotations'
+                            type: object
+                          labels:
+                            additionalProperties:
+                              type: string
+                            description: 'Map of string keys and values that can be
+                              used to organize and categorize (scope and select) objects.
+                              May match selectors of replication controllers and services.
+                              More info: http://kubernetes.io/docs/user-guide/labels'
+                            type: object
+                        type: object
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      replicas:
+                        description: Replicas is the number of control plane nodes.
+                          If the value is nil, the ControlPlane object is created
+                          without the number of Replicas and it's assumed that the
+                          control plane controller does not implement support for
+                          this field. When specified against a control plane provider
+                          that lacks support for this field, this value will be ignored.
+                        format: int32
+                        type: integer
+                    type: object
+                  rolloutAfter:
+                    description: RolloutAfter performs a rollout of the entire cluster
+                      one component at a time, control plane first and then machine
+                      deployments.
+                    format: date-time
+                    type: string
+                  variables:
+                    description: Variables can be used to customize the Cluster through
+                      patches. They must comply to the corresponding VariableClasses
+                      defined in the ClusterClass.
+                    items:
+                      description: ClusterVariable can be used to customize the Cluster
+                        through patches. It must comply to the corresponding ClusterClassVariable
+                        defined in the ClusterClass.
+                      properties:
+                        name:
+                          description: Name of the variable.
+                          type: string
+                        value:
+                          description: 'Value of the variable. Note: the value will
+                            be validated against the schema of the corresponding ClusterClassVariable
+                            from the ClusterClass. Note: We have to use apiextensionsv1.JSON
+                            instead of a custom JSON type, because controller-tools
+                            has a hard-coded schema for apiextensionsv1.JSON which
+                            cannot be produced by another type via controller-tools,
+                            i.e. it is not possible to have no type field. Ref: https://github.com/kubernetes-sigs/controller-tools/blob/d0e03a142d0ecdd5491593e941ee1d6b5d91dba6/pkg/crd/known_types.go#L106-L111'
+                          x-kubernetes-preserve-unknown-fields: true
+                      required:
+                      - name
+                      - value
+                      type: object
+                    type: array
+                  version:
+                    description: The Kubernetes version of the cluster.
+                    type: string
+                  workers:
+                    description: Workers encapsulates the different constructs that
+                      form the worker nodes for the cluster.
+                    properties:
+                      machineDeployments:
+                        description: MachineDeployments is a list of machine deployments
+                          in the cluster.
+                        items:
+                          description: MachineDeploymentTopology specifies the different
+                            parameters for a set of worker nodes in the topology.
+                            This set of nodes is managed by a MachineDeployment object
+                            whose lifecycle is managed by the Cluster controller.
+                          properties:
+                            class:
+                              description: Class is the name of the MachineDeploymentClass
+                                used to create the set of worker nodes. This should
+                                match one of the deployment classes defined in the
+                                ClusterClass object mentioned in the `Cluster.Spec.Class`
+                                field.
+                              type: string
+                            failureDomain:
+                              description: FailureDomain is the failure domain the
+                                machines will be created in. Must match a key in the
+                                FailureDomains map stored on the cluster object.
+                              type: string
+                            metadata:
+                              description: Metadata is the metadata applied to the
+                                machines of the MachineDeployment. At runtime this
+                                metadata is merged with the corresponding metadata
+                                from the ClusterClass.
+                              properties:
+                                annotations:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'Annotations is an unstructured key
+                                    value map stored with a resource that may be set
+                                    by external tools to store and retrieve arbitrary
+                                    metadata. They are not queryable and should be
+                                    preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations'
+                                  type: object
+                                labels:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'Map of string keys and values that
+                                    can be used to organize and categorize (scope
+                                    and select) objects. May match selectors of replication
+                                    controllers and services. More info: http://kubernetes.io/docs/user-guide/labels'
+                                  type: object
+                              type: object
+                            name:
+                              description: Name is the unique identifier for this
+                                MachineDeploymentTopology. The value is used with
+                                other unique identifiers to create a MachineDeployment's
+                                Name (e.g. cluster's name, etc). In case the name
+                                is greater than the allowed maximum length, the values
+                                are hashed together.
+                              type: string
+                            nodeDrainTimeout:
+                              description: 'NodeDrainTimeout is the total amount of
+                                time that the controller will spend on draining a
+                                node. The default value is 0, meaning that the node
+                                can be drained without any time limitations. NOTE:
+                                NodeDrainTimeout is different from `kubectl drain
+                                --timeout`'
+                              type: string
+                            replicas:
+                              description: Replicas is the number of worker nodes
+                                belonging to this set. If the value is nil, the MachineDeployment
+                                is created without the number of Replicas (defaulting
+                                to zero) and it's assumed that an external entity
+                                (like cluster autoscaler) is responsible for the management
+                                of this value.
+                              format: int32
+                              type: integer
+                            variables:
+                              description: Variables can be used to customize the
+                                MachineDeployment through patches.
+                              properties:
+                                overrides:
+                                  description: Overrides can be used to override Cluster
+                                    level variables.
+                                  items:
+                                    description: ClusterVariable can be used to customize
+                                      the Cluster through patches. It must comply
+                                      to the corresponding ClusterClassVariable defined
+                                      in the ClusterClass.
+                                    properties:
+                                      name:
+                                        description: Name of the variable.
+                                        type: string
+                                      value:
+                                        description: 'Value of the variable. Note:
+                                          the value will be validated against the
+                                          schema of the corresponding ClusterClassVariable
+                                          from the ClusterClass. Note: We have to
+                                          use apiextensionsv1.JSON instead of a custom
+                                          JSON type, because controller-tools has
+                                          a hard-coded schema for apiextensionsv1.JSON
+                                          which cannot be produced by another type
+                                          via controller-tools, i.e. it is not possible
+                                          to have no type field. Ref: https://github.com/kubernetes-sigs/controller-tools/blob/d0e03a142d0ecdd5491593e941ee1d6b5d91dba6/pkg/crd/known_types.go#L106-L111'
+                                        x-kubernetes-preserve-unknown-fields: true
+                                    required:
+                                    - name
+                                    - value
+                                    type: object
+                                  type: array
+                              type: object
+                          required:
+                          - class
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                required:
+                - class
+                - version
+                type: object
+            type: object
+          status:
+            description: ClusterStatus defines the observed state of Cluster.
+            properties:
+              conditions:
+                description: Conditions defines current service state of the cluster.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              controlPlaneReady:
+                description: ControlPlaneReady defines if the control plane is ready.
+                type: boolean
+              failureDomains:
+                additionalProperties:
+                  description: FailureDomainSpec is the Schema for Cluster API failure
+                    domains. It allows controllers to understand how many failure
+                    domains a cluster can optionally span across.
+                  properties:
+                    attributes:
+                      additionalProperties:
+                        type: string
+                      description: Attributes is a free form map of attributes an
+                        infrastructure provider might use or require.
+                      type: object
+                    controlPlane:
+                      description: ControlPlane determines if this failure domain
+                        is suitable for use by control plane machines.
+                      type: boolean
+                  type: object
+                description: FailureDomains is a slice of failure domain objects synced
+                  from the infrastructure provider.
+                type: object
+              failureMessage:
+                description: FailureMessage indicates that there is a fatal problem
+                  reconciling the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a fatal problem
+                  reconciling the state, and will be set to a token value suitable
+                  for programmatic interpretation.
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of cluster actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: extensionconfigs.runtime.cluster.x-k8s.io
+spec:
+  group: runtime.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: ExtensionConfig
+    listKind: ExtensionConfigList
+    plural: extensionconfigs
+    shortNames:
+    - ext
+    singular: extensionconfig
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: Time duration since creation of ExtensionConfig
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ExtensionConfig is the Schema for the ExtensionConfig API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ExtensionConfigSpec is the desired state of the ExtensionConfig
+            properties:
+              clientConfig:
+                description: ClientConfig defines how to communicate with ExtensionHandlers.
+                properties:
+                  caBundle:
+                    description: CABundle is a PEM encoded CA bundle which will be
+                      used to validate the ExtensionHandler's server certificate.
+                    format: byte
+                    type: string
+                  service:
+                    description: "Service is a reference to the Kubernetes service
+                      for the ExtensionHandler. Either `service` or `url` must be
+                      specified. \n If the ExtensionHandler is running within a cluster,
+                      then you should use `service`."
+                    properties:
+                      name:
+                        description: Name is the name of the service.
+                        type: string
+                      namespace:
+                        description: Namespace is the namespace of the service.
+                        type: string
+                      path:
+                        description: Path is an optional URL path which will be sent
+                          in any request to this service. If a path is set it will
+                          be used as prefix and the hook-specific path will be appended.
+                        type: string
+                      port:
+                        description: Port is the port on the service that's hosting
+                          the ExtensionHandler. Default to 443. `port` should be a
+                          valid port number (1-65535, inclusive).
+                        format: int32
+                        type: integer
+                    required:
+                    - name
+                    - namespace
+                    type: object
+                  url:
+                    description: "URL gives the location of the ExtensionHandler,
+                      in standard URL form (`scheme://host:port/path`). Exactly one
+                      of `url` or `service` must be specified. \n The `host` should
+                      not refer to a service running in the cluster; use the `service`
+                      field instead. \n The scheme should be \"https\"; the URL should
+                      begin with \"https://\". \"http\" is supported for insecure
+                      development purposes only. \n A path is optional, and if present
+                      may be any string permissible in a URL. If a path is set it
+                      will be used as prefix and the hook-specific path will be appended.
+                      \n Attempting to use a user or basic auth e.g. \"user:password@\"
+                      is not allowed. Fragments (\"#...\") and query parameters (\"?...\")
+                      are not allowed either."
+                    type: string
+                type: object
+              namespaceSelector:
+                description: NamespaceSelector decides whether to run the webhook
+                  on an object based on whether the namespace for that object matches
+                  the selector. Default to the empty LabelSelector, which matches
+                  everything.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+            required:
+            - clientConfig
+            type: object
+          status:
+            description: ExtensionConfigStatus is the current state of the ExtensionConfig
+            properties:
+              conditions:
+                description: Conditions define the current service state of the ExtensionConfig.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              handlers:
+                description: Handlers defines the current ExtensionHandlers supported
+                  by an Extension.
+                items:
+                  description: ExtensionHandler specifies the details of a handler
+                    for a particular runtime hook registered by an Extension server.
+                  properties:
+                    failurePolicy:
+                      description: FailurePolicy defines how failures in calls to
+                        the ExtensionHandler should be handled by a client. Defaults
+                        to Fail if not set.
+                      type: string
+                    name:
+                      description: Name is the unique name of the ExtensionHandler.
+                      type: string
+                    requestHook:
+                      description: RequestHook defines the versioned runtime hook
+                        which this ExtensionHandler serves.
+                      properties:
+                        apiVersion:
+                          description: APIVersion is the Version of the Hook.
+                          type: string
+                        hook:
+                          description: Hook is the name of the hook.
+                          type: string
+                      required:
+                      - apiVersion
+                      - hook
+                      type: object
+                    timeoutSeconds:
+                      description: TimeoutSeconds defines the timeout duration for
+                        client calls to the ExtensionHandler.
+                      format: int32
+                      type: integer
+                  required:
+                  - name
+                  - requestHook
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: machinedeployments.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-webhook-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: MachineDeployment
+    listKind: MachineDeploymentList
+    plural: machinedeployments
+    shortNames:
+    - md
+    singular: machinedeployment
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: MachineDeployment status such as ScalingUp/ScalingDown/Running/Failed/Unknown
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Total number of non-terminated machines targeted by this MachineDeployment
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of ready machines targeted by this MachineDeployment
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    - description: Total number of non-terminated machines targeted by this deployment
+        that have the desired template spec
+      jsonPath: .status.updatedReplicas
+      name: Updated
+      type: integer
+    - description: Total number of unavailable machines targeted by this MachineDeployment
+      jsonPath: .status.unavailableReplicas
+      name: Unavailable
+      type: integer
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: MachineDeployment is the Schema for the machinedeployments API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineDeploymentSpec defines the desired state of MachineDeployment.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              minReadySeconds:
+                description: Minimum number of seconds for which a newly created machine
+                  should be ready. Defaults to 0 (machine will be considered available
+                  as soon as it is ready)
+                format: int32
+                type: integer
+              paused:
+                description: Indicates that the deployment is paused.
+                type: boolean
+              progressDeadlineSeconds:
+                description: The maximum time in seconds for a deployment to make
+                  progress before it is considered to be failed. The deployment controller
+                  will continue to process failed deployments and a condition with
+                  a ProgressDeadlineExceeded reason will be surfaced in the deployment
+                  status. Note that progress will not be estimated during the time
+                  a deployment is paused. Defaults to 600s.
+                format: int32
+                type: integer
+              replicas:
+                description: Number of desired machines. Defaults to 1. This is a
+                  pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              revisionHistoryLimit:
+                description: The number of old MachineSets to retain to allow rollback.
+                  This is a pointer to distinguish between explicit zero and not specified.
+                  Defaults to 1.
+                format: int32
+                type: integer
+              selector:
+                description: Label selector for machines. Existing MachineSets whose
+                  machines are selected by this will be the ones affected by this
+                  deployment. It must match the machine template's labels.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              strategy:
+                description: The deployment strategy to use to replace existing machines
+                  with new ones.
+                properties:
+                  rollingUpdate:
+                    description: Rolling update config params. Present only if MachineDeploymentStrategyType
+                      = RollingUpdate.
+                    properties:
+                      maxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of machines that can be scheduled
+                          above the desired number of machines. Value can be an absolute
+                          number (ex: 5) or a percentage of desired machines (ex:
+                          10%). This can not be 0 if MaxUnavailable is 0. Absolute
+                          number is calculated from percentage by rounding up. Defaults
+                          to 1. Example: when this is set to 30%, the new MachineSet
+                          can be scaled up immediately when the rolling update starts,
+                          such that the total number of old and new machines do not
+                          exceed 130% of desired machines. Once old machines have
+                          been killed, new MachineSet can be scaled up further, ensuring
+                          that total number of machines running at any time during
+                          the update is at most 130% of desired machines.'
+                        x-kubernetes-int-or-string: true
+                      maxUnavailable:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of machines that can be unavailable
+                          during the update. Value can be an absolute number (ex:
+                          5) or a percentage of desired machines (ex: 10%). Absolute
+                          number is calculated from percentage by rounding down. This
+                          can not be 0 if MaxSurge is 0. Defaults to 0. Example: when
+                          this is set to 30%, the old MachineSet can be scaled down
+                          to 70% of desired machines immediately when the rolling
+                          update starts. Once new machines are ready, old MachineSet
+                          can be scaled down further, followed by scaling up the new
+                          MachineSet, ensuring that the total number of machines available
+                          at all times during the update is at least 70% of desired
+                          machines.'
+                        x-kubernetes-int-or-string: true
+                    type: object
+                  type:
+                    description: Type of deployment. Currently the only supported
+                      strategy is "RollingUpdate". Default is RollingUpdate.
+                    type: string
+                type: object
+              template:
+                description: Template describes the machines that will be created.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      generateName:
+                        description: "GenerateName is an optional prefix, used by
+                          the server, to generate a unique name ONLY IF the Name field
+                          has not been provided. If this field is used, the name returned
+                          to the client will be different than the name passed. This
+                          value will also be combined with a unique suffix. The provided
+                          value has the same validation rules as the Name field, and
+                          may be truncated by the length of the suffix required to
+                          make the value unique on the server. \n If this field is
+                          specified and the generated name exists, the server will
+                          NOT return a 409 - instead, it will either return 201 Created
+                          or 500 with Reason ServerTimeout indicating a unique name
+                          could not be found in the time allotted, and the client
+                          should retry (optionally after the time indicated in the
+                          Retry-After header). \n Applied only if Name is not specified.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+                          \n Deprecated: This field has no function and is going to
+                          be removed in a next release."
+                        type: string
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                      name:
+                        description: "Name must be unique within a namespace. Is required
+                          when creating resources, although some resources may allow
+                          a client to request the generation of an appropriate name
+                          automatically. Name is primarily intended for creation idempotence
+                          and configuration definition. Cannot be updated. More info:
+                          http://kubernetes.io/docs/user-guide/identifiers#names \n
+                          Deprecated: This field has no function and is going to be
+                          removed in a next release."
+                        type: string
+                      namespace:
+                        description: "Namespace defines the space within each name
+                          must be unique. An empty namespace is equivalent to the
+                          \"default\" namespace, but \"default\" is the canonical
+                          representation. Not all objects are required to be scoped
+                          to a namespace - the value of this field for those objects
+                          will be empty. \n Must be a DNS_LABEL. Cannot be updated.
+                          More info: http://kubernetes.io/docs/user-guide/namespaces
+                          \n Deprecated: This field has no function and is going to
+                          be removed in a next release."
+                        type: string
+                      ownerReferences:
+                        description: "List of objects depended by this object. If
+                          ALL objects in the list have been deleted, this object will
+                          be garbage collected. If this object is managed by a controller,
+                          then an entry in this list will point to this controller,
+                          with the controller field set to true. There cannot be more
+                          than one managing controller. \n Deprecated: This field
+                          has no function and is going to be removed in a next release."
+                        items:
+                          description: OwnerReference contains enough information
+                            to let you identify an owning object. An owning object
+                            must be in the same namespace as the dependent, or be
+                            cluster-scoped, so there is no namespace field.
+                          properties:
+                            apiVersion:
+                              description: API version of the referent.
+                              type: string
+                            blockOwnerDeletion:
+                              description: If true, AND if the owner has the "foregroundDeletion"
+                                finalizer, then the owner cannot be deleted from the
+                                key-value store until this reference is removed. See
+                                https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+                                for how the garbage collector interacts with this
+                                field and enforces the foreground deletion. Defaults
+                                to false. To set this field, a user needs "delete"
+                                permission of the owner, otherwise 422 (Unprocessable
+                                Entity) will be returned.
+                              type: boolean
+                            controller:
+                              description: If true, this reference points to the managing
+                                controller.
+                              type: boolean
+                            kind:
+                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
+                              type: string
+                            uid:
+                              description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
+                              type: string
+                          required:
+                          - apiVersion
+                          - kind
+                          - name
+                          - uid
+                          type: object
+                        type: array
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.Data
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          data:
+                            description: "Data contains the bootstrap data, such as
+                              cloud-init details scripts. If nil, the Machine should
+                              remain in the Pending state. \n Deprecated: Switch to
+                              DataSecretName."
+                            type: string
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - selector
+            - template
+            type: object
+          status:
+            description: MachineDeploymentStatus defines the observed state of MachineDeployment.
+            properties:
+              availableReplicas:
+                description: Total number of available machines (ready for at least
+                  minReadySeconds) targeted by this deployment.
+                format: int32
+                type: integer
+              observedGeneration:
+                description: The generation observed by the deployment controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of a MachineDeployment
+                  (ScalingUp, ScalingDown, Running, Failed, or Unknown).
+                type: string
+              readyReplicas:
+                description: Total number of ready machines targeted by this deployment.
+                format: int32
+                type: integer
+              replicas:
+                description: Total number of non-terminated machines targeted by this
+                  deployment (their labels match the selector).
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the same as the label selector but in the
+                  string format to avoid introspection by clients. The string will
+                  be in the same format as the query-param syntax. More info about
+                  label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+              unavailableReplicas:
+                description: Total number of unavailable machines targeted by this
+                  deployment. This is the total number of machines that are still
+                  required for the deployment to have 100% available capacity. They
+                  may either be machines that are running but not yet available or
+                  machines that still have not been created.
+                format: int32
+                type: integer
+              updatedReplicas:
+                description: Total number of non-terminated machines targeted by this
+                  deployment that have the desired template spec.
+                format: int32
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Time duration since creation of MachineDeployment
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: MachineDeployment status such as ScalingUp/ScalingDown/Running/Failed/Unknown
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Total number of non-terminated machines targeted by this MachineDeployment
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of ready machines targeted by this MachineDeployment
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    - description: Total number of non-terminated machines targeted by this deployment
+        that have the desired template spec
+      jsonPath: .status.updatedReplicas
+      name: Updated
+      type: integer
+    - description: Total number of unavailable machines targeted by this MachineDeployment
+      jsonPath: .status.unavailableReplicas
+      name: Unavailable
+      type: integer
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: MachineDeployment is the Schema for the machinedeployments API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineDeploymentSpec defines the desired state of MachineDeployment.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              minReadySeconds:
+                description: Minimum number of seconds for which a newly created machine
+                  should be ready. Defaults to 0 (machine will be considered available
+                  as soon as it is ready)
+                format: int32
+                type: integer
+              paused:
+                description: Indicates that the deployment is paused.
+                type: boolean
+              progressDeadlineSeconds:
+                description: The maximum time in seconds for a deployment to make
+                  progress before it is considered to be failed. The deployment controller
+                  will continue to process failed deployments and a condition with
+                  a ProgressDeadlineExceeded reason will be surfaced in the deployment
+                  status. Note that progress will not be estimated during the time
+                  a deployment is paused. Defaults to 600s.
+                format: int32
+                type: integer
+              replicas:
+                default: 1
+                description: Number of desired machines. Defaults to 1. This is a
+                  pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              revisionHistoryLimit:
+                description: The number of old MachineSets to retain to allow rollback.
+                  This is a pointer to distinguish between explicit zero and not specified.
+                  Defaults to 1.
+                format: int32
+                type: integer
+              selector:
+                description: Label selector for machines. Existing MachineSets whose
+                  machines are selected by this will be the ones affected by this
+                  deployment. It must match the machine template's labels.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              strategy:
+                description: The deployment strategy to use to replace existing machines
+                  with new ones.
+                properties:
+                  rollingUpdate:
+                    description: Rolling update config params. Present only if MachineDeploymentStrategyType
+                      = RollingUpdate.
+                    properties:
+                      deletePolicy:
+                        description: DeletePolicy defines the policy used by the MachineDeployment
+                          to identify nodes to delete when downscaling. Valid values
+                          are "Random, "Newest", "Oldest" When no value is supplied,
+                          the default DeletePolicy of MachineSet is used
+                        enum:
+                        - Random
+                        - Newest
+                        - Oldest
+                        type: string
+                      maxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of machines that can be scheduled
+                          above the desired number of machines. Value can be an absolute
+                          number (ex: 5) or a percentage of desired machines (ex:
+                          10%). This can not be 0 if MaxUnavailable is 0. Absolute
+                          number is calculated from percentage by rounding up. Defaults
+                          to 1. Example: when this is set to 30%, the new MachineSet
+                          can be scaled up immediately when the rolling update starts,
+                          such that the total number of old and new machines do not
+                          exceed 130% of desired machines. Once old machines have
+                          been killed, new MachineSet can be scaled up further, ensuring
+                          that total number of machines running at any time during
+                          the update is at most 130% of desired machines.'
+                        x-kubernetes-int-or-string: true
+                      maxUnavailable:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of machines that can be unavailable
+                          during the update. Value can be an absolute number (ex:
+                          5) or a percentage of desired machines (ex: 10%). Absolute
+                          number is calculated from percentage by rounding down. This
+                          can not be 0 if MaxSurge is 0. Defaults to 0. Example: when
+                          this is set to 30%, the old MachineSet can be scaled down
+                          to 70% of desired machines immediately when the rolling
+                          update starts. Once new machines are ready, old MachineSet
+                          can be scaled down further, followed by scaling up the new
+                          MachineSet, ensuring that the total number of machines available
+                          at all times during the update is at least 70% of desired
+                          machines.'
+                        x-kubernetes-int-or-string: true
+                    type: object
+                  type:
+                    description: Type of deployment. Default is RollingUpdate.
+                    enum:
+                    - RollingUpdate
+                    - OnDelete
+                    type: string
+                type: object
+              template:
+                description: Template describes the machines that will be created.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.DataSecretName
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - selector
+            - template
+            type: object
+          status:
+            description: MachineDeploymentStatus defines the observed state of MachineDeployment.
+            properties:
+              availableReplicas:
+                description: Total number of available machines (ready for at least
+                  minReadySeconds) targeted by this deployment.
+                format: int32
+                type: integer
+              conditions:
+                description: Conditions defines current service state of the MachineDeployment.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: The generation observed by the deployment controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of a MachineDeployment
+                  (ScalingUp, ScalingDown, Running, Failed, or Unknown).
+                type: string
+              readyReplicas:
+                description: Total number of ready machines targeted by this deployment.
+                format: int32
+                type: integer
+              replicas:
+                description: Total number of non-terminated machines targeted by this
+                  deployment (their labels match the selector).
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the same as the label selector but in the
+                  string format to avoid introspection by clients. The string will
+                  be in the same format as the query-param syntax. More info about
+                  label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+              unavailableReplicas:
+                description: Total number of unavailable machines targeted by this
+                  deployment. This is the total number of machines that are still
+                  required for the deployment to have 100% available capacity. They
+                  may either be machines that are running but not yet available or
+                  machines that still have not been created.
+                format: int32
+                type: integer
+              updatedReplicas:
+                description: Total number of non-terminated machines targeted by this
+                  deployment that have the desired template spec.
+                format: int32
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Total number of machines desired by this MachineDeployment
+      jsonPath: .spec.replicas
+      name: Desired
+      priority: 10
+      type: integer
+    - description: Total number of non-terminated machines targeted by this MachineDeployment
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of ready machines targeted by this MachineDeployment
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    - description: Total number of non-terminated machines targeted by this deployment
+        that have the desired template spec
+      jsonPath: .status.updatedReplicas
+      name: Updated
+      type: integer
+    - description: Total number of unavailable machines targeted by this MachineDeployment
+      jsonPath: .status.unavailableReplicas
+      name: Unavailable
+      type: integer
+    - description: MachineDeployment status such as ScalingUp/ScalingDown/Running/Failed/Unknown
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Time duration since creation of MachineDeployment
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Kubernetes version associated with this MachineDeployment
+      jsonPath: .spec.template.spec.version
+      name: Version
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: MachineDeployment is the Schema for the machinedeployments API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineDeploymentSpec defines the desired state of MachineDeployment.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              minReadySeconds:
+                description: Minimum number of seconds for which a newly created machine
+                  should be ready. Defaults to 0 (machine will be considered available
+                  as soon as it is ready)
+                format: int32
+                type: integer
+              paused:
+                description: Indicates that the deployment is paused.
+                type: boolean
+              progressDeadlineSeconds:
+                description: The maximum time in seconds for a deployment to make
+                  progress before it is considered to be failed. The deployment controller
+                  will continue to process failed deployments and a condition with
+                  a ProgressDeadlineExceeded reason will be surfaced in the deployment
+                  status. Note that progress will not be estimated during the time
+                  a deployment is paused. Defaults to 600s.
+                format: int32
+                type: integer
+              replicas:
+                default: 1
+                description: Number of desired machines. Defaults to 1. This is a
+                  pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              revisionHistoryLimit:
+                description: The number of old MachineSets to retain to allow rollback.
+                  This is a pointer to distinguish between explicit zero and not specified.
+                  Defaults to 1.
+                format: int32
+                type: integer
+              selector:
+                description: Label selector for machines. Existing MachineSets whose
+                  machines are selected by this will be the ones affected by this
+                  deployment. It must match the machine template's labels.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              strategy:
+                description: The deployment strategy to use to replace existing machines
+                  with new ones.
+                properties:
+                  rollingUpdate:
+                    description: Rolling update config params. Present only if MachineDeploymentStrategyType
+                      = RollingUpdate.
+                    properties:
+                      deletePolicy:
+                        description: DeletePolicy defines the policy used by the MachineDeployment
+                          to identify nodes to delete when downscaling. Valid values
+                          are "Random, "Newest", "Oldest" When no value is supplied,
+                          the default DeletePolicy of MachineSet is used
+                        enum:
+                        - Random
+                        - Newest
+                        - Oldest
+                        type: string
+                      maxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of machines that can be scheduled
+                          above the desired number of machines. Value can be an absolute
+                          number (ex: 5) or a percentage of desired machines (ex:
+                          10%). This can not be 0 if MaxUnavailable is 0. Absolute
+                          number is calculated from percentage by rounding up. Defaults
+                          to 1. Example: when this is set to 30%, the new MachineSet
+                          can be scaled up immediately when the rolling update starts,
+                          such that the total number of old and new machines do not
+                          exceed 130% of desired machines. Once old machines have
+                          been killed, new MachineSet can be scaled up further, ensuring
+                          that total number of machines running at any time during
+                          the update is at most 130% of desired machines.'
+                        x-kubernetes-int-or-string: true
+                      maxUnavailable:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of machines that can be unavailable
+                          during the update. Value can be an absolute number (ex:
+                          5) or a percentage of desired machines (ex: 10%). Absolute
+                          number is calculated from percentage by rounding down. This
+                          can not be 0 if MaxSurge is 0. Defaults to 0. Example: when
+                          this is set to 30%, the old MachineSet can be scaled down
+                          to 70% of desired machines immediately when the rolling
+                          update starts. Once new machines are ready, old MachineSet
+                          can be scaled down further, followed by scaling up the new
+                          MachineSet, ensuring that the total number of machines available
+                          at all times during the update is at least 70% of desired
+                          machines.'
+                        x-kubernetes-int-or-string: true
+                    type: object
+                  type:
+                    description: Type of deployment. Default is RollingUpdate.
+                    enum:
+                    - RollingUpdate
+                    - OnDelete
+                    type: string
+                type: object
+              template:
+                description: Template describes the machines that will be created.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.DataSecretName
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDeletionTimeout:
+                        description: NodeDeletionTimeout defines how long the controller
+                          will attempt to delete the Node that the Machine hosts after
+                          the Machine is marked for deletion. A duration of 0 will
+                          retry deletion indefinitely. Defaults to 10 seconds.
+                        type: string
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - selector
+            - template
+            type: object
+          status:
+            description: MachineDeploymentStatus defines the observed state of MachineDeployment.
+            properties:
+              availableReplicas:
+                description: Total number of available machines (ready for at least
+                  minReadySeconds) targeted by this deployment.
+                format: int32
+                type: integer
+              conditions:
+                description: Conditions defines current service state of the MachineDeployment.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: The generation observed by the deployment controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of a MachineDeployment
+                  (ScalingUp, ScalingDown, Running, Failed, or Unknown).
+                type: string
+              readyReplicas:
+                description: Total number of ready machines targeted by this deployment.
+                format: int32
+                type: integer
+              replicas:
+                description: Total number of non-terminated machines targeted by this
+                  deployment (their labels match the selector).
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the same as the label selector but in the
+                  string format to avoid introspection by clients. The string will
+                  be in the same format as the query-param syntax. More info about
+                  label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+              unavailableReplicas:
+                description: Total number of unavailable machines targeted by this
+                  deployment. This is the total number of machines that are still
+                  required for the deployment to have 100% available capacity. They
+                  may either be machines that are running but not yet available or
+                  machines that still have not been created.
+                format: int32
+                type: integer
+              updatedReplicas:
+                description: Total number of non-terminated machines targeted by this
+                  deployment that have the desired template spec.
+                format: int32
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: machinehealthchecks.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-webhook-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: MachineHealthCheck
+    listKind: MachineHealthCheckList
+    plural: machinehealthchecks
+    shortNames:
+    - mhc
+    - mhcs
+    singular: machinehealthcheck
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Maximum number of unhealthy machines allowed
+      jsonPath: .spec.maxUnhealthy
+      name: MaxUnhealthy
+      type: string
+    - description: Number of machines currently monitored
+      jsonPath: .status.expectedMachines
+      name: ExpectedMachines
+      type: integer
+    - description: Current observed healthy machines
+      jsonPath: .status.currentHealthy
+      name: CurrentHealthy
+      type: integer
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: MachineHealthCheck is the Schema for the machinehealthchecks
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of machine health check policy
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              maxUnhealthy:
+                anyOf:
+                - type: integer
+                - type: string
+                description: Any further remediation is only allowed if at most "MaxUnhealthy"
+                  machines selected by "selector" are not healthy.
+                x-kubernetes-int-or-string: true
+              nodeStartupTimeout:
+                description: Machines older than this duration without a node will
+                  be considered to have failed and will be remediated.
+                type: string
+              remediationTemplate:
+                description: "RemediationTemplate is a reference to a remediation
+                  template provided by an infrastructure provider. \n This field is
+                  completely optional, when filled, the MachineHealthCheck controller
+                  creates a new object from the template referenced and hands off
+                  remediation of the machine to a controller that lives outside of
+                  Cluster API."
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              selector:
+                description: Label selector to match machines whose health will be
+                  exercised
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              unhealthyConditions:
+                description: UnhealthyConditions contains a list of the conditions
+                  that determine whether a node is considered unhealthy.  The conditions
+                  are combined in a logical OR, i.e. if any of the conditions is met,
+                  the node is unhealthy.
+                items:
+                  description: UnhealthyCondition represents a Node condition type
+                    and value with a timeout specified as a duration.  When the named
+                    condition has been in the given status for at least the timeout
+                    value, a node is considered unhealthy.
+                  properties:
+                    status:
+                      minLength: 1
+                      type: string
+                    timeout:
+                      type: string
+                    type:
+                      minLength: 1
+                      type: string
+                  required:
+                  - status
+                  - timeout
+                  - type
+                  type: object
+                minItems: 1
+                type: array
+            required:
+            - clusterName
+            - selector
+            - unhealthyConditions
+            type: object
+          status:
+            description: Most recently observed status of MachineHealthCheck resource
+            properties:
+              conditions:
+                description: Conditions defines current service state of the MachineHealthCheck.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              currentHealthy:
+                description: total number of healthy machines counted by this machine
+                  health check
+                format: int32
+                minimum: 0
+                type: integer
+              expectedMachines:
+                description: total number of machines counted by this machine health
+                  check
+                format: int32
+                minimum: 0
+                type: integer
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              remediationsAllowed:
+                description: RemediationsAllowed is the number of further remediations
+                  allowed by this machine health check before maxUnhealthy short circuiting
+                  will be applied
+                format: int32
+                minimum: 0
+                type: integer
+              targets:
+                description: Targets shows the current list of machines the machine
+                  health check is watching
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Time duration since creation of MachineHealthCheck
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Maximum number of unhealthy machines allowed
+      jsonPath: .spec.maxUnhealthy
+      name: MaxUnhealthy
+      type: string
+    - description: Number of machines currently monitored
+      jsonPath: .status.expectedMachines
+      name: ExpectedMachines
+      type: integer
+    - description: Current observed healthy machines
+      jsonPath: .status.currentHealthy
+      name: CurrentHealthy
+      type: integer
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: MachineHealthCheck is the Schema for the machinehealthchecks
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of machine health check policy
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              maxUnhealthy:
+                anyOf:
+                - type: integer
+                - type: string
+                description: Any further remediation is only allowed if at most "MaxUnhealthy"
+                  machines selected by "selector" are not healthy.
+                x-kubernetes-int-or-string: true
+              nodeStartupTimeout:
+                description: Machines older than this duration without a node will
+                  be considered to have failed and will be remediated. If not set,
+                  this value is defaulted to 10 minutes. If you wish to disable this
+                  feature, set the value explicitly to 0.
+                type: string
+              remediationTemplate:
+                description: "RemediationTemplate is a reference to a remediation
+                  template provided by an infrastructure provider. \n This field is
+                  completely optional, when filled, the MachineHealthCheck controller
+                  creates a new object from the template referenced and hands off
+                  remediation of the machine to a controller that lives outside of
+                  Cluster API."
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              selector:
+                description: Label selector to match machines whose health will be
+                  exercised
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              unhealthyConditions:
+                description: UnhealthyConditions contains a list of the conditions
+                  that determine whether a node is considered unhealthy.  The conditions
+                  are combined in a logical OR, i.e. if any of the conditions is met,
+                  the node is unhealthy.
+                items:
+                  description: UnhealthyCondition represents a Node condition type
+                    and value with a timeout specified as a duration.  When the named
+                    condition has been in the given status for at least the timeout
+                    value, a node is considered unhealthy.
+                  properties:
+                    status:
+                      minLength: 1
+                      type: string
+                    timeout:
+                      type: string
+                    type:
+                      minLength: 1
+                      type: string
+                  required:
+                  - status
+                  - timeout
+                  - type
+                  type: object
+                minItems: 1
+                type: array
+              unhealthyRange:
+                description: 'Any further remediation is only allowed if the number
+                  of machines selected by "selector" as not healthy is within the
+                  range of "UnhealthyRange". Takes precedence over MaxUnhealthy. Eg.
+                  "[3-5]" - This means that remediation will be allowed only when:
+                  (a) there are at least 3 unhealthy machines (and) (b) there are
+                  at most 5 unhealthy machines'
+                pattern: ^\[[0-9]+-[0-9]+\]$
+                type: string
+            required:
+            - clusterName
+            - selector
+            - unhealthyConditions
+            type: object
+          status:
+            description: Most recently observed status of MachineHealthCheck resource
+            properties:
+              conditions:
+                description: Conditions defines current service state of the MachineHealthCheck.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              currentHealthy:
+                description: total number of healthy machines counted by this machine
+                  health check
+                format: int32
+                minimum: 0
+                type: integer
+              expectedMachines:
+                description: total number of machines counted by this machine health
+                  check
+                format: int32
+                minimum: 0
+                type: integer
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              remediationsAllowed:
+                description: RemediationsAllowed is the number of further remediations
+                  allowed by this machine health check before maxUnhealthy short circuiting
+                  will be applied
+                format: int32
+                minimum: 0
+                type: integer
+              targets:
+                description: Targets shows the current list of machines the machine
+                  health check is watching
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Number of machines currently monitored
+      jsonPath: .status.expectedMachines
+      name: ExpectedMachines
+      type: integer
+    - description: Maximum number of unhealthy machines allowed
+      jsonPath: .spec.maxUnhealthy
+      name: MaxUnhealthy
+      type: string
+    - description: Current observed healthy machines
+      jsonPath: .status.currentHealthy
+      name: CurrentHealthy
+      type: integer
+    - description: Time duration since creation of MachineHealthCheck
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: MachineHealthCheck is the Schema for the machinehealthchecks
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of machine health check policy
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              maxUnhealthy:
+                anyOf:
+                - type: integer
+                - type: string
+                description: Any further remediation is only allowed if at most "MaxUnhealthy"
+                  machines selected by "selector" are not healthy.
+                x-kubernetes-int-or-string: true
+              nodeStartupTimeout:
+                description: Machines older than this duration without a node will
+                  be considered to have failed and will be remediated. If not set,
+                  this value is defaulted to 10 minutes. If you wish to disable this
+                  feature, set the value explicitly to 0.
+                type: string
+              remediationTemplate:
+                description: "RemediationTemplate is a reference to a remediation
+                  template provided by an infrastructure provider. \n This field is
+                  completely optional, when filled, the MachineHealthCheck controller
+                  creates a new object from the template referenced and hands off
+                  remediation of the machine to a controller that lives outside of
+                  Cluster API."
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              selector:
+                description: Label selector to match machines whose health will be
+                  exercised
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              unhealthyConditions:
+                description: UnhealthyConditions contains a list of the conditions
+                  that determine whether a node is considered unhealthy.  The conditions
+                  are combined in a logical OR, i.e. if any of the conditions is met,
+                  the node is unhealthy.
+                items:
+                  description: UnhealthyCondition represents a Node condition type
+                    and value with a timeout specified as a duration.  When the named
+                    condition has been in the given status for at least the timeout
+                    value, a node is considered unhealthy.
+                  properties:
+                    status:
+                      minLength: 1
+                      type: string
+                    timeout:
+                      type: string
+                    type:
+                      minLength: 1
+                      type: string
+                  required:
+                  - status
+                  - timeout
+                  - type
+                  type: object
+                minItems: 1
+                type: array
+              unhealthyRange:
+                description: 'Any further remediation is only allowed if the number
+                  of machines selected by "selector" as not healthy is within the
+                  range of "UnhealthyRange". Takes precedence over MaxUnhealthy. Eg.
+                  "[3-5]" - This means that remediation will be allowed only when:
+                  (a) there are at least 3 unhealthy machines (and) (b) there are
+                  at most 5 unhealthy machines'
+                pattern: ^\[[0-9]+-[0-9]+\]$
+                type: string
+            required:
+            - clusterName
+            - selector
+            - unhealthyConditions
+            type: object
+          status:
+            description: Most recently observed status of MachineHealthCheck resource
+            properties:
+              conditions:
+                description: Conditions defines current service state of the MachineHealthCheck.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              currentHealthy:
+                description: total number of healthy machines counted by this machine
+                  health check
+                format: int32
+                minimum: 0
+                type: integer
+              expectedMachines:
+                description: total number of machines counted by this machine health
+                  check
+                format: int32
+                minimum: 0
+                type: integer
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              remediationsAllowed:
+                description: RemediationsAllowed is the number of further remediations
+                  allowed by this machine health check before maxUnhealthy short circuiting
+                  will be applied
+                format: int32
+                minimum: 0
+                type: integer
+              targets:
+                description: Targets shows the current list of machines the machine
+                  health check is watching
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: machinepools.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: MachinePool
+    listKind: MachinePoolList
+    plural: machinepools
+    shortNames:
+    - mp
+    singular: machinepool
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: MachinePool replicas count
+      jsonPath: .status.replicas
+      name: Replicas
+      type: string
+    - description: MachinePool status such as Terminating/Pending/Provisioning/Running/Failed
+        etc
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Kubernetes version associated with this MachinePool
+      jsonPath: .spec.template.spec.version
+      name: Version
+      type: string
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: MachinePool is the Schema for the machinepools API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachinePoolSpec defines the desired state of MachinePool.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              failureDomains:
+                description: FailureDomains is the list of failure domains this MachinePool
+                  should be attached to.
+                items:
+                  type: string
+                type: array
+              minReadySeconds:
+                description: Minimum number of seconds for which a newly created machine
+                  instances should be ready. Defaults to 0 (machine instance will
+                  be considered available as soon as it is ready)
+                format: int32
+                type: integer
+              providerIDList:
+                description: ProviderIDList are the identification IDs of machine
+                  instances provided by the provider. This field must match the provider
+                  IDs as seen on the node objects corresponding to a machine pool's
+                  machine instances.
+                items:
+                  type: string
+                type: array
+              replicas:
+                description: Number of desired machines. Defaults to 1. This is a
+                  pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              strategy:
+                description: The deployment strategy to use to replace existing machine
+                  instances with new ones.
+                properties:
+                  rollingUpdate:
+                    description: Rolling update config params. Present only if MachineDeploymentStrategyType
+                      = RollingUpdate.
+                    properties:
+                      maxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of machines that can be scheduled
+                          above the desired number of machines. Value can be an absolute
+                          number (ex: 5) or a percentage of desired machines (ex:
+                          10%). This can not be 0 if MaxUnavailable is 0. Absolute
+                          number is calculated from percentage by rounding up. Defaults
+                          to 1. Example: when this is set to 30%, the new MachineSet
+                          can be scaled up immediately when the rolling update starts,
+                          such that the total number of old and new machines do not
+                          exceed 130% of desired machines. Once old machines have
+                          been killed, new MachineSet can be scaled up further, ensuring
+                          that total number of machines running at any time during
+                          the update is at most 130% of desired machines.'
+                        x-kubernetes-int-or-string: true
+                      maxUnavailable:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: 'The maximum number of machines that can be unavailable
+                          during the update. Value can be an absolute number (ex:
+                          5) or a percentage of desired machines (ex: 10%). Absolute
+                          number is calculated from percentage by rounding down. This
+                          can not be 0 if MaxSurge is 0. Defaults to 0. Example: when
+                          this is set to 30%, the old MachineSet can be scaled down
+                          to 70% of desired machines immediately when the rolling
+                          update starts. Once new machines are ready, old MachineSet
+                          can be scaled down further, followed by scaling up the new
+                          MachineSet, ensuring that the total number of machines available
+                          at all times during the update is at least 70% of desired
+                          machines.'
+                        x-kubernetes-int-or-string: true
+                    type: object
+                  type:
+                    description: Type of deployment. Currently the only supported
+                      strategy is "RollingUpdate". Default is RollingUpdate.
+                    type: string
+                type: object
+              template:
+                description: Template describes the machines that will be created.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      generateName:
+                        description: "GenerateName is an optional prefix, used by
+                          the server, to generate a unique name ONLY IF the Name field
+                          has not been provided. If this field is used, the name returned
+                          to the client will be different than the name passed. This
+                          value will also be combined with a unique suffix. The provided
+                          value has the same validation rules as the Name field, and
+                          may be truncated by the length of the suffix required to
+                          make the value unique on the server. \n If this field is
+                          specified and the generated name exists, the server will
+                          NOT return a 409 - instead, it will either return 201 Created
+                          or 500 with Reason ServerTimeout indicating a unique name
+                          could not be found in the time allotted, and the client
+                          should retry (optionally after the time indicated in the
+                          Retry-After header). \n Applied only if Name is not specified.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+                          \n Deprecated: This field has no function and is going to
+                          be removed in a next release."
+                        type: string
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                      name:
+                        description: "Name must be unique within a namespace. Is required
+                          when creating resources, although some resources may allow
+                          a client to request the generation of an appropriate name
+                          automatically. Name is primarily intended for creation idempotence
+                          and configuration definition. Cannot be updated. More info:
+                          http://kubernetes.io/docs/user-guide/identifiers#names \n
+                          Deprecated: This field has no function and is going to be
+                          removed in a next release."
+                        type: string
+                      namespace:
+                        description: "Namespace defines the space within each name
+                          must be unique. An empty namespace is equivalent to the
+                          \"default\" namespace, but \"default\" is the canonical
+                          representation. Not all objects are required to be scoped
+                          to a namespace - the value of this field for those objects
+                          will be empty. \n Must be a DNS_LABEL. Cannot be updated.
+                          More info: http://kubernetes.io/docs/user-guide/namespaces
+                          \n Deprecated: This field has no function and is going to
+                          be removed in a next release."
+                        type: string
+                      ownerReferences:
+                        description: "List of objects depended by this object. If
+                          ALL objects in the list have been deleted, this object will
+                          be garbage collected. If this object is managed by a controller,
+                          then an entry in this list will point to this controller,
+                          with the controller field set to true. There cannot be more
+                          than one managing controller. \n Deprecated: This field
+                          has no function and is going to be removed in a next release."
+                        items:
+                          description: OwnerReference contains enough information
+                            to let you identify an owning object. An owning object
+                            must be in the same namespace as the dependent, or be
+                            cluster-scoped, so there is no namespace field.
+                          properties:
+                            apiVersion:
+                              description: API version of the referent.
+                              type: string
+                            blockOwnerDeletion:
+                              description: If true, AND if the owner has the "foregroundDeletion"
+                                finalizer, then the owner cannot be deleted from the
+                                key-value store until this reference is removed. See
+                                https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+                                for how the garbage collector interacts with this
+                                field and enforces the foreground deletion. Defaults
+                                to false. To set this field, a user needs "delete"
+                                permission of the owner, otherwise 422 (Unprocessable
+                                Entity) will be returned.
+                              type: boolean
+                            controller:
+                              description: If true, this reference points to the managing
+                                controller.
+                              type: boolean
+                            kind:
+                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
+                              type: string
+                            uid:
+                              description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
+                              type: string
+                          required:
+                          - apiVersion
+                          - kind
+                          - name
+                          - uid
+                          type: object
+                        type: array
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.Data
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          data:
+                            description: "Data contains the bootstrap data, such as
+                              cloud-init details scripts. If nil, the Machine should
+                              remain in the Pending state. \n Deprecated: Switch to
+                              DataSecretName."
+                            type: string
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - template
+            type: object
+          status:
+            description: MachinePoolStatus defines the observed state of MachinePool.
+            properties:
+              availableReplicas:
+                description: The number of available replicas (ready for at least
+                  minReadySeconds) for this MachinePool.
+                format: int32
+                type: integer
+              bootstrapReady:
+                description: BootstrapReady is the state of the bootstrap provider.
+                type: boolean
+              conditions:
+                description: Conditions define the current service state of the MachinePool.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: FailureMessage indicates that there is a problem reconciling
+                  the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a problem reconciling
+                  the state, and will be set to a token value suitable for programmatic
+                  interpretation.
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              nodeRefs:
+                description: NodeRefs will point to the corresponding Nodes if it
+                  they exist.
+                items:
+                  description: 'ObjectReference contains enough information to let
+                    you inspect or modify the referred object. --- New uses of this
+                    type are discouraged because of difficulty describing its usage
+                    when embedded in APIs. 1. Ignored fields.  It includes many fields
+                    which are not generally honored.  For instance, ResourceVersion
+                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
+                    usage help.  It is impossible to add specific help for individual
+                    usage.  In most embedded usages, there are particular restrictions
+                    like, "must refer only to types A and B" or "UID not honored"
+                    or "name must be restricted". Those cannot be well described when
+                    embedded. 3. Inconsistent validation.  Because the usages are
+                    different, the validation rules are different by usage, which
+                    makes it hard for users to predict what will happen. 4. The fields
+                    are both imprecise and overly precise.  Kind is not a precise
+                    mapping to a URL. This can produce ambiguity during interpretation
+                    and require a REST mapping.  In most cases, the dependency is
+                    on the group,resource tuple and the version of the actual struct
+                    is irrelevant. 5. We cannot easily change it.  Because this type
+                    is embedded in many locations, updates to this type will affect
+                    numerous schemas.  Don''t make new APIs embed an underspecified
+                    API type they do not control. Instead of using this type, create
+                    a locally provided and used type that is well-focused on your
+                    reference. For example, ServiceReferences for admission registration:
+                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                    .'
+                  properties:
+                    apiVersion:
+                      description: API version of the referent.
+                      type: string
+                    fieldPath:
+                      description: 'If referring to a piece of an object instead of
+                        an entire object, this string should contain a valid JSON/Go
+                        field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within
+                        a pod, this would take on a value like: "spec.containers{name}"
+                        (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]"
+                        (container with index 2 in this pod). This syntax is chosen
+                        only to have some well-defined way of referencing a part of
+                        an object. TODO: this design is not final and this field is
+                        subject to change in the future.'
+                      type: string
+                    kind:
+                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      type: string
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      type: string
+                    namespace:
+                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      type: string
+                    resourceVersion:
+                      description: 'Specific resourceVersion to which this reference
+                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      type: string
+                    uid:
+                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of cluster actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+              readyReplicas:
+                description: The number of ready replicas for this MachinePool. A
+                  machine is considered ready when the node has been created and is
+                  "Ready".
+                format: int32
+                type: integer
+              replicas:
+                description: Replicas is the most recently observed number of replicas.
+                format: int32
+                type: integer
+              unavailableReplicas:
+                description: Total number of unavailable machine instances targeted
+                  by this machine pool. This is the total number of machine instances
+                  that are still required for the machine pool to have 100% available
+                  capacity. They may either be machine instances that are running
+                  but not yet available or machine instances that still have not been
+                  created.
+                format: int32
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      scale:
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+  - additionalPrinterColumns:
+    - description: Time duration since creation of MachinePool
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: MachinePool replicas count
+      jsonPath: .status.replicas
+      name: Replicas
+      type: string
+    - description: MachinePool status such as Terminating/Pending/Provisioning/Running/Failed
+        etc
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Kubernetes version associated with this MachinePool
+      jsonPath: .spec.template.spec.version
+      name: Version
+      type: string
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: MachinePool is the Schema for the machinepools API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachinePoolSpec defines the desired state of MachinePool.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              failureDomains:
+                description: FailureDomains is the list of failure domains this MachinePool
+                  should be attached to.
+                items:
+                  type: string
+                type: array
+              minReadySeconds:
+                description: Minimum number of seconds for which a newly created machine
+                  instances should be ready. Defaults to 0 (machine instance will
+                  be considered available as soon as it is ready)
+                format: int32
+                type: integer
+              providerIDList:
+                description: ProviderIDList are the identification IDs of machine
+                  instances provided by the provider. This field must match the provider
+                  IDs as seen on the node objects corresponding to a machine pool's
+                  machine instances.
+                items:
+                  type: string
+                type: array
+              replicas:
+                description: Number of desired machines. Defaults to 1. This is a
+                  pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              template:
+                description: Template describes the machines that will be created.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.DataSecretName
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - template
+            type: object
+          status:
+            description: MachinePoolStatus defines the observed state of MachinePool.
+            properties:
+              availableReplicas:
+                description: The number of available replicas (ready for at least
+                  minReadySeconds) for this MachinePool.
+                format: int32
+                type: integer
+              bootstrapReady:
+                description: BootstrapReady is the state of the bootstrap provider.
+                type: boolean
+              conditions:
+                description: Conditions define the current service state of the MachinePool.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: FailureMessage indicates that there is a problem reconciling
+                  the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a problem reconciling
+                  the state, and will be set to a token value suitable for programmatic
+                  interpretation.
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              nodeRefs:
+                description: NodeRefs will point to the corresponding Nodes if it
+                  they exist.
+                items:
+                  description: 'ObjectReference contains enough information to let
+                    you inspect or modify the referred object. --- New uses of this
+                    type are discouraged because of difficulty describing its usage
+                    when embedded in APIs. 1. Ignored fields.  It includes many fields
+                    which are not generally honored.  For instance, ResourceVersion
+                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
+                    usage help.  It is impossible to add specific help for individual
+                    usage.  In most embedded usages, there are particular restrictions
+                    like, "must refer only to types A and B" or "UID not honored"
+                    or "name must be restricted". Those cannot be well described when
+                    embedded. 3. Inconsistent validation.  Because the usages are
+                    different, the validation rules are different by usage, which
+                    makes it hard for users to predict what will happen. 4. The fields
+                    are both imprecise and overly precise.  Kind is not a precise
+                    mapping to a URL. This can produce ambiguity during interpretation
+                    and require a REST mapping.  In most cases, the dependency is
+                    on the group,resource tuple and the version of the actual struct
+                    is irrelevant. 5. We cannot easily change it.  Because this type
+                    is embedded in many locations, updates to this type will affect
+                    numerous schemas.  Don''t make new APIs embed an underspecified
+                    API type they do not control. Instead of using this type, create
+                    a locally provided and used type that is well-focused on your
+                    reference. For example, ServiceReferences for admission registration:
+                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                    .'
+                  properties:
+                    apiVersion:
+                      description: API version of the referent.
+                      type: string
+                    fieldPath:
+                      description: 'If referring to a piece of an object instead of
+                        an entire object, this string should contain a valid JSON/Go
+                        field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within
+                        a pod, this would take on a value like: "spec.containers{name}"
+                        (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]"
+                        (container with index 2 in this pod). This syntax is chosen
+                        only to have some well-defined way of referencing a part of
+                        an object. TODO: this design is not final and this field is
+                        subject to change in the future.'
+                      type: string
+                    kind:
+                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      type: string
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      type: string
+                    namespace:
+                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      type: string
+                    resourceVersion:
+                      description: 'Specific resourceVersion to which this reference
+                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      type: string
+                    uid:
+                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of cluster actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+              readyReplicas:
+                description: The number of ready replicas for this MachinePool. A
+                  machine is considered ready when the node has been created and is
+                  "Ready".
+                format: int32
+                type: integer
+              replicas:
+                description: Replicas is the most recently observed number of replicas.
+                format: int32
+                type: integer
+              unavailableReplicas:
+                description: Total number of unavailable machine instances targeted
+                  by this machine pool. This is the total number of machine instances
+                  that are still required for the machine pool to have 100% available
+                  capacity. They may either be machine instances that are running
+                  but not yet available or machine instances that still have not been
+                  created.
+                format: int32
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      scale:
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Total number of machines desired by this MachinePool
+      jsonPath: .spec.replicas
+      name: Desired
+      priority: 10
+      type: integer
+    - description: MachinePool replicas count
+      jsonPath: .status.replicas
+      name: Replicas
+      type: string
+    - description: MachinePool status such as Terminating/Pending/Provisioning/Running/Failed
+        etc
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Time duration since creation of MachinePool
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Kubernetes version associated with this MachinePool
+      jsonPath: .spec.template.spec.version
+      name: Version
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: MachinePool is the Schema for the machinepools API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachinePoolSpec defines the desired state of MachinePool.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              failureDomains:
+                description: FailureDomains is the list of failure domains this MachinePool
+                  should be attached to.
+                items:
+                  type: string
+                type: array
+              minReadySeconds:
+                description: Minimum number of seconds for which a newly created machine
+                  instances should be ready. Defaults to 0 (machine instance will
+                  be considered available as soon as it is ready)
+                format: int32
+                type: integer
+              providerIDList:
+                description: ProviderIDList are the identification IDs of machine
+                  instances provided by the provider. This field must match the provider
+                  IDs as seen on the node objects corresponding to a machine pool's
+                  machine instances.
+                items:
+                  type: string
+                type: array
+              replicas:
+                description: Number of desired machines. Defaults to 1. This is a
+                  pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              template:
+                description: Template describes the machines that will be created.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.DataSecretName
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDeletionTimeout:
+                        description: NodeDeletionTimeout defines how long the controller
+                          will attempt to delete the Node that the Machine hosts after
+                          the Machine is marked for deletion. A duration of 0 will
+                          retry deletion indefinitely. Defaults to 10 seconds.
+                        type: string
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - template
+            type: object
+          status:
+            description: MachinePoolStatus defines the observed state of MachinePool.
+            properties:
+              availableReplicas:
+                description: The number of available replicas (ready for at least
+                  minReadySeconds) for this MachinePool.
+                format: int32
+                type: integer
+              bootstrapReady:
+                description: BootstrapReady is the state of the bootstrap provider.
+                type: boolean
+              conditions:
+                description: Conditions define the current service state of the MachinePool.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: FailureMessage indicates that there is a problem reconciling
+                  the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a problem reconciling
+                  the state, and will be set to a token value suitable for programmatic
+                  interpretation.
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              nodeRefs:
+                description: NodeRefs will point to the corresponding Nodes if it
+                  they exist.
+                items:
+                  description: 'ObjectReference contains enough information to let
+                    you inspect or modify the referred object. --- New uses of this
+                    type are discouraged because of difficulty describing its usage
+                    when embedded in APIs. 1. Ignored fields.  It includes many fields
+                    which are not generally honored.  For instance, ResourceVersion
+                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
+                    usage help.  It is impossible to add specific help for individual
+                    usage.  In most embedded usages, there are particular restrictions
+                    like, "must refer only to types A and B" or "UID not honored"
+                    or "name must be restricted". Those cannot be well described when
+                    embedded. 3. Inconsistent validation.  Because the usages are
+                    different, the validation rules are different by usage, which
+                    makes it hard for users to predict what will happen. 4. The fields
+                    are both imprecise and overly precise.  Kind is not a precise
+                    mapping to a URL. This can produce ambiguity during interpretation
+                    and require a REST mapping.  In most cases, the dependency is
+                    on the group,resource tuple and the version of the actual struct
+                    is irrelevant. 5. We cannot easily change it.  Because this type
+                    is embedded in many locations, updates to this type will affect
+                    numerous schemas.  Don''t make new APIs embed an underspecified
+                    API type they do not control. Instead of using this type, create
+                    a locally provided and used type that is well-focused on your
+                    reference. For example, ServiceReferences for admission registration:
+                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                    .'
+                  properties:
+                    apiVersion:
+                      description: API version of the referent.
+                      type: string
+                    fieldPath:
+                      description: 'If referring to a piece of an object instead of
+                        an entire object, this string should contain a valid JSON/Go
+                        field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within
+                        a pod, this would take on a value like: "spec.containers{name}"
+                        (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]"
+                        (container with index 2 in this pod). This syntax is chosen
+                        only to have some well-defined way of referencing a part of
+                        an object. TODO: this design is not final and this field is
+                        subject to change in the future.'
+                      type: string
+                    kind:
+                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      type: string
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      type: string
+                    namespace:
+                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      type: string
+                    resourceVersion:
+                      description: 'Specific resourceVersion to which this reference
+                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      type: string
+                    uid:
+                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of cluster actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+              readyReplicas:
+                description: The number of ready replicas for this MachinePool. A
+                  machine is considered ready when the node has been created and is
+                  "Ready".
+                format: int32
+                type: integer
+              replicas:
+                description: Replicas is the most recently observed number of replicas.
+                format: int32
+                type: integer
+              unavailableReplicas:
+                description: Total number of unavailable machine instances targeted
+                  by this machine pool. This is the total number of machine instances
+                  that are still required for the machine pool to have 100% available
+                  capacity. They may either be machine instances that are running
+                  but not yet available or machine instances that still have not been
+                  created.
+                format: int32
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      scale:
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: machines.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-webhook-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: Machine
+    listKind: MachineList
+    plural: machines
+    shortNames:
+    - ma
+    singular: machine
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Provider ID
+      jsonPath: .spec.providerID
+      name: ProviderID
+      type: string
+    - description: Machine status such as Terminating/Pending/Running/Failed etc
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Kubernetes version associated with this Machine
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: Node name associated with this machine
+      jsonPath: .status.nodeRef.name
+      name: NodeName
+      priority: 1
+      type: string
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: Machine is the Schema for the machines API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineSpec defines the desired state of Machine.
+            properties:
+              bootstrap:
+                description: Bootstrap is a reference to a local struct which encapsulates
+                  fields to configure the Machine’s bootstrapping mechanism.
+                properties:
+                  configRef:
+                    description: ConfigRef is a reference to a bootstrap provider-specific
+                      resource that holds configuration details. The reference is
+                      optional to allow users/operators to specify Bootstrap.Data
+                      without the need of a controller.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  data:
+                    description: "Data contains the bootstrap data, such as cloud-init
+                      details scripts. If nil, the Machine should remain in the Pending
+                      state. \n Deprecated: Switch to DataSecretName."
+                    type: string
+                  dataSecretName:
+                    description: DataSecretName is the name of the secret that stores
+                      the bootstrap data script. If nil, the Machine should remain
+                      in the Pending state.
+                    type: string
+                type: object
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              failureDomain:
+                description: FailureDomain is the failure domain the machine will
+                  be created in. Must match a key in the FailureDomains map stored
+                  on the cluster object.
+                type: string
+              infrastructureRef:
+                description: InfrastructureRef is a required reference to a custom
+                  resource offered by an infrastructure provider.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              nodeDrainTimeout:
+                description: 'NodeDrainTimeout is the total amount of time that the
+                  controller will spend on draining a node. The default value is 0,
+                  meaning that the node can be drained without any time limitations.
+                  NOTE: NodeDrainTimeout is different from `kubectl drain --timeout`'
+                type: string
+              providerID:
+                description: ProviderID is the identification ID of the machine provided
+                  by the provider. This field must match the provider ID as seen on
+                  the node object corresponding to this machine. This field is required
+                  by higher level consumers of cluster-api. Example use case is cluster
+                  autoscaler with cluster-api as provider. Clean-up logic in the autoscaler
+                  compares machines to nodes to find out machines at provider which
+                  could not get registered as Kubernetes nodes. With cluster-api as
+                  a generic out-of-tree provider for autoscaler, this field is required
+                  by autoscaler to be able to have a provider view of the list of
+                  machines. Another list of nodes is queried from the k8s apiserver
+                  and then a comparison is done to find out unregistered machines
+                  and are marked for delete. This field will be set by the actuators
+                  and consumed by higher level entities like autoscaler that will
+                  be interfacing with cluster-api as generic provider.
+                type: string
+              version:
+                description: Version defines the desired Kubernetes version. This
+                  field is meant to be optionally used by bootstrap providers.
+                type: string
+            required:
+            - bootstrap
+            - clusterName
+            - infrastructureRef
+            type: object
+          status:
+            description: MachineStatus defines the observed state of Machine.
+            properties:
+              addresses:
+                description: Addresses is a list of addresses assigned to the machine.
+                  This field is copied from the infrastructure provider reference.
+                items:
+                  description: MachineAddress contains information for the node's
+                    address.
+                  properties:
+                    address:
+                      description: The machine address.
+                      type: string
+                    type:
+                      description: Machine address type, one of Hostname, ExternalIP
+                        or InternalIP.
+                      type: string
+                  required:
+                  - address
+                  - type
+                  type: object
+                type: array
+              bootstrapReady:
+                description: BootstrapReady is the state of the bootstrap provider.
+                type: boolean
+              conditions:
+                description: Conditions defines current service state of the Machine.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: "FailureMessage will be set in the event that there is
+                  a terminal problem reconciling the Machine and will contain a more
+                  verbose string suitable for logging and human consumption. \n This
+                  field should not be set for transitive errors that a controller
+                  faces that are expected to be fixed automatically over time (like
+                  service outages), but instead indicate that something is fundamentally
+                  wrong with the Machine's spec or the configuration of the controller,
+                  and that manual intervention is required. Examples of terminal errors
+                  would be invalid combinations of settings in the spec, values that
+                  are unsupported by the controller, or the responsible controller
+                  itself being critically misconfigured. \n Any transient errors that
+                  occur during the reconciliation of Machines can be added as events
+                  to the Machine object and/or logged in the controller's output."
+                type: string
+              failureReason:
+                description: "FailureReason will be set in the event that there is
+                  a terminal problem reconciling the Machine and will contain a succinct
+                  value suitable for machine interpretation. \n This field should
+                  not be set for transitive errors that a controller faces that are
+                  expected to be fixed automatically over time (like service outages),
+                  but instead indicate that something is fundamentally wrong with
+                  the Machine's spec or the configuration of the controller, and that
+                  manual intervention is required. Examples of terminal errors would
+                  be invalid combinations of settings in the spec, values that are
+                  unsupported by the controller, or the responsible controller itself
+                  being critically misconfigured. \n Any transient errors that occur
+                  during the reconciliation of Machines can be added as events to
+                  the Machine object and/or logged in the controller's output."
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              lastUpdated:
+                description: LastUpdated identifies when the phase of the Machine
+                  last transitioned.
+                format: date-time
+                type: string
+              nodeRef:
+                description: NodeRef will point to the corresponding Node if it exists.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of machine actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+              version:
+                description: Version specifies the current version of Kubernetes running
+                  on the corresponding Node. This is meant to be a means of bubbling
+                  up status from the Node to the Machine. It is entirely optional,
+                  but useful for end-user UX if it’s present.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Time duration since creation of Machine
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Provider ID
+      jsonPath: .spec.providerID
+      name: ProviderID
+      type: string
+    - description: Machine status such as Terminating/Pending/Running/Failed etc
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Kubernetes version associated with this Machine
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: Node name associated with this machine
+      jsonPath: .status.nodeRef.name
+      name: NodeName
+      priority: 1
+      type: string
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: Machine is the Schema for the machines API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineSpec defines the desired state of Machine.
+            properties:
+              bootstrap:
+                description: Bootstrap is a reference to a local struct which encapsulates
+                  fields to configure the Machine’s bootstrapping mechanism.
+                properties:
+                  configRef:
+                    description: ConfigRef is a reference to a bootstrap provider-specific
+                      resource that holds configuration details. The reference is
+                      optional to allow users/operators to specify Bootstrap.DataSecretName
+                      without the need of a controller.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  dataSecretName:
+                    description: DataSecretName is the name of the secret that stores
+                      the bootstrap data script. If nil, the Machine should remain
+                      in the Pending state.
+                    type: string
+                type: object
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              failureDomain:
+                description: FailureDomain is the failure domain the machine will
+                  be created in. Must match a key in the FailureDomains map stored
+                  on the cluster object.
+                type: string
+              infrastructureRef:
+                description: InfrastructureRef is a required reference to a custom
+                  resource offered by an infrastructure provider.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              nodeDrainTimeout:
+                description: 'NodeDrainTimeout is the total amount of time that the
+                  controller will spend on draining a node. The default value is 0,
+                  meaning that the node can be drained without any time limitations.
+                  NOTE: NodeDrainTimeout is different from `kubectl drain --timeout`'
+                type: string
+              providerID:
+                description: ProviderID is the identification ID of the machine provided
+                  by the provider. This field must match the provider ID as seen on
+                  the node object corresponding to this machine. This field is required
+                  by higher level consumers of cluster-api. Example use case is cluster
+                  autoscaler with cluster-api as provider. Clean-up logic in the autoscaler
+                  compares machines to nodes to find out machines at provider which
+                  could not get registered as Kubernetes nodes. With cluster-api as
+                  a generic out-of-tree provider for autoscaler, this field is required
+                  by autoscaler to be able to have a provider view of the list of
+                  machines. Another list of nodes is queried from the k8s apiserver
+                  and then a comparison is done to find out unregistered machines
+                  and are marked for delete. This field will be set by the actuators
+                  and consumed by higher level entities like autoscaler that will
+                  be interfacing with cluster-api as generic provider.
+                type: string
+              version:
+                description: Version defines the desired Kubernetes version. This
+                  field is meant to be optionally used by bootstrap providers.
+                type: string
+            required:
+            - bootstrap
+            - clusterName
+            - infrastructureRef
+            type: object
+          status:
+            description: MachineStatus defines the observed state of Machine.
+            properties:
+              addresses:
+                description: Addresses is a list of addresses assigned to the machine.
+                  This field is copied from the infrastructure provider reference.
+                items:
+                  description: MachineAddress contains information for the node's
+                    address.
+                  properties:
+                    address:
+                      description: The machine address.
+                      type: string
+                    type:
+                      description: Machine address type, one of Hostname, ExternalIP
+                        or InternalIP.
+                      type: string
+                  required:
+                  - address
+                  - type
+                  type: object
+                type: array
+              bootstrapReady:
+                description: BootstrapReady is the state of the bootstrap provider.
+                type: boolean
+              conditions:
+                description: Conditions defines current service state of the Machine.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: "FailureMessage will be set in the event that there is
+                  a terminal problem reconciling the Machine and will contain a more
+                  verbose string suitable for logging and human consumption. \n This
+                  field should not be set for transitive errors that a controller
+                  faces that are expected to be fixed automatically over time (like
+                  service outages), but instead indicate that something is fundamentally
+                  wrong with the Machine's spec or the configuration of the controller,
+                  and that manual intervention is required. Examples of terminal errors
+                  would be invalid combinations of settings in the spec, values that
+                  are unsupported by the controller, or the responsible controller
+                  itself being critically misconfigured. \n Any transient errors that
+                  occur during the reconciliation of Machines can be added as events
+                  to the Machine object and/or logged in the controller's output."
+                type: string
+              failureReason:
+                description: "FailureReason will be set in the event that there is
+                  a terminal problem reconciling the Machine and will contain a succinct
+                  value suitable for machine interpretation. \n This field should
+                  not be set for transitive errors that a controller faces that are
+                  expected to be fixed automatically over time (like service outages),
+                  but instead indicate that something is fundamentally wrong with
+                  the Machine's spec or the configuration of the controller, and that
+                  manual intervention is required. Examples of terminal errors would
+                  be invalid combinations of settings in the spec, values that are
+                  unsupported by the controller, or the responsible controller itself
+                  being critically misconfigured. \n Any transient errors that occur
+                  during the reconciliation of Machines can be added as events to
+                  the Machine object and/or logged in the controller's output."
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              lastUpdated:
+                description: LastUpdated identifies when the phase of the Machine
+                  last transitioned.
+                format: date-time
+                type: string
+              nodeInfo:
+                description: 'NodeInfo is a set of ids/uuids to uniquely identify
+                  the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info'
+                properties:
+                  architecture:
+                    description: The Architecture reported by the node
+                    type: string
+                  bootID:
+                    description: Boot ID reported by the node.
+                    type: string
+                  containerRuntimeVersion:
+                    description: ContainerRuntime Version reported by the node through
+                      runtime remote API (e.g. containerd://1.4.2).
+                    type: string
+                  kernelVersion:
+                    description: Kernel Version reported by the node from 'uname -r'
+                      (e.g. 3.16.0-0.bpo.4-amd64).
+                    type: string
+                  kubeProxyVersion:
+                    description: KubeProxy Version reported by the node.
+                    type: string
+                  kubeletVersion:
+                    description: Kubelet Version reported by the node.
+                    type: string
+                  machineID:
+                    description: 'MachineID reported by the node. For unique machine
+                      identification in the cluster this field is preferred. Learn
+                      more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html'
+                    type: string
+                  operatingSystem:
+                    description: The Operating System reported by the node
+                    type: string
+                  osImage:
+                    description: OS Image reported by the node from /etc/os-release
+                      (e.g. Debian GNU/Linux 7 (wheezy)).
+                    type: string
+                  systemUUID:
+                    description: SystemUUID reported by the node. For unique machine
+                      identification MachineID is preferred. This field is specific
+                      to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid
+                    type: string
+                required:
+                - architecture
+                - bootID
+                - containerRuntimeVersion
+                - kernelVersion
+                - kubeProxyVersion
+                - kubeletVersion
+                - machineID
+                - operatingSystem
+                - osImage
+                - systemUUID
+                type: object
+              nodeRef:
+                description: NodeRef will point to the corresponding Node if it exists.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of machine actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+              version:
+                description: Version specifies the current version of Kubernetes running
+                  on the corresponding Node. This is meant to be a means of bubbling
+                  up status from the Node to the Machine. It is entirely optional,
+                  but useful for end-user UX if it’s present.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Node name associated with this machine
+      jsonPath: .status.nodeRef.name
+      name: NodeName
+      type: string
+    - description: Provider ID
+      jsonPath: .spec.providerID
+      name: ProviderID
+      type: string
+    - description: Machine status such as Terminating/Pending/Running/Failed etc
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: Time duration since creation of Machine
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Kubernetes version associated with this Machine
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Machine is the Schema for the machines API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineSpec defines the desired state of Machine.
+            properties:
+              bootstrap:
+                description: Bootstrap is a reference to a local struct which encapsulates
+                  fields to configure the Machine’s bootstrapping mechanism.
+                properties:
+                  configRef:
+                    description: ConfigRef is a reference to a bootstrap provider-specific
+                      resource that holds configuration details. The reference is
+                      optional to allow users/operators to specify Bootstrap.DataSecretName
+                      without the need of a controller.
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  dataSecretName:
+                    description: DataSecretName is the name of the secret that stores
+                      the bootstrap data script. If nil, the Machine should remain
+                      in the Pending state.
+                    type: string
+                type: object
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              failureDomain:
+                description: FailureDomain is the failure domain the machine will
+                  be created in. Must match a key in the FailureDomains map stored
+                  on the cluster object.
+                type: string
+              infrastructureRef:
+                description: InfrastructureRef is a required reference to a custom
+                  resource offered by an infrastructure provider.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              nodeDeletionTimeout:
+                description: NodeDeletionTimeout defines how long the controller will
+                  attempt to delete the Node that the Machine hosts after the Machine
+                  is marked for deletion. A duration of 0 will retry deletion indefinitely.
+                  Defaults to 10 seconds.
+                type: string
+              nodeDrainTimeout:
+                description: 'NodeDrainTimeout is the total amount of time that the
+                  controller will spend on draining a node. The default value is 0,
+                  meaning that the node can be drained without any time limitations.
+                  NOTE: NodeDrainTimeout is different from `kubectl drain --timeout`'
+                type: string
+              providerID:
+                description: ProviderID is the identification ID of the machine provided
+                  by the provider. This field must match the provider ID as seen on
+                  the node object corresponding to this machine. This field is required
+                  by higher level consumers of cluster-api. Example use case is cluster
+                  autoscaler with cluster-api as provider. Clean-up logic in the autoscaler
+                  compares machines to nodes to find out machines at provider which
+                  could not get registered as Kubernetes nodes. With cluster-api as
+                  a generic out-of-tree provider for autoscaler, this field is required
+                  by autoscaler to be able to have a provider view of the list of
+                  machines. Another list of nodes is queried from the k8s apiserver
+                  and then a comparison is done to find out unregistered machines
+                  and are marked for delete. This field will be set by the actuators
+                  and consumed by higher level entities like autoscaler that will
+                  be interfacing with cluster-api as generic provider.
+                type: string
+              version:
+                description: Version defines the desired Kubernetes version. This
+                  field is meant to be optionally used by bootstrap providers.
+                type: string
+            required:
+            - bootstrap
+            - clusterName
+            - infrastructureRef
+            type: object
+          status:
+            description: MachineStatus defines the observed state of Machine.
+            properties:
+              addresses:
+                description: Addresses is a list of addresses assigned to the machine.
+                  This field is copied from the infrastructure provider reference.
+                items:
+                  description: MachineAddress contains information for the node's
+                    address.
+                  properties:
+                    address:
+                      description: The machine address.
+                      type: string
+                    type:
+                      description: Machine address type, one of Hostname, ExternalIP
+                        or InternalIP.
+                      type: string
+                  required:
+                  - address
+                  - type
+                  type: object
+                type: array
+              bootstrapReady:
+                description: BootstrapReady is the state of the bootstrap provider.
+                type: boolean
+              conditions:
+                description: Conditions defines current service state of the Machine.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                description: "FailureMessage will be set in the event that there is
+                  a terminal problem reconciling the Machine and will contain a more
+                  verbose string suitable for logging and human consumption. \n This
+                  field should not be set for transitive errors that a controller
+                  faces that are expected to be fixed automatically over time (like
+                  service outages), but instead indicate that something is fundamentally
+                  wrong with the Machine's spec or the configuration of the controller,
+                  and that manual intervention is required. Examples of terminal errors
+                  would be invalid combinations of settings in the spec, values that
+                  are unsupported by the controller, or the responsible controller
+                  itself being critically misconfigured. \n Any transient errors that
+                  occur during the reconciliation of Machines can be added as events
+                  to the Machine object and/or logged in the controller's output."
+                type: string
+              failureReason:
+                description: "FailureReason will be set in the event that there is
+                  a terminal problem reconciling the Machine and will contain a succinct
+                  value suitable for machine interpretation. \n This field should
+                  not be set for transitive errors that a controller faces that are
+                  expected to be fixed automatically over time (like service outages),
+                  but instead indicate that something is fundamentally wrong with
+                  the Machine's spec or the configuration of the controller, and that
+                  manual intervention is required. Examples of terminal errors would
+                  be invalid combinations of settings in the spec, values that are
+                  unsupported by the controller, or the responsible controller itself
+                  being critically misconfigured. \n Any transient errors that occur
+                  during the reconciliation of Machines can be added as events to
+                  the Machine object and/or logged in the controller's output."
+                type: string
+              infrastructureReady:
+                description: InfrastructureReady is the state of the infrastructure
+                  provider.
+                type: boolean
+              lastUpdated:
+                description: LastUpdated identifies when the phase of the Machine
+                  last transitioned.
+                format: date-time
+                type: string
+              nodeInfo:
+                description: 'NodeInfo is a set of ids/uuids to uniquely identify
+                  the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info'
+                properties:
+                  architecture:
+                    description: The Architecture reported by the node
+                    type: string
+                  bootID:
+                    description: Boot ID reported by the node.
+                    type: string
+                  containerRuntimeVersion:
+                    description: ContainerRuntime Version reported by the node through
+                      runtime remote API (e.g. containerd://1.4.2).
+                    type: string
+                  kernelVersion:
+                    description: Kernel Version reported by the node from 'uname -r'
+                      (e.g. 3.16.0-0.bpo.4-amd64).
+                    type: string
+                  kubeProxyVersion:
+                    description: KubeProxy Version reported by the node.
+                    type: string
+                  kubeletVersion:
+                    description: Kubelet Version reported by the node.
+                    type: string
+                  machineID:
+                    description: 'MachineID reported by the node. For unique machine
+                      identification in the cluster this field is preferred. Learn
+                      more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html'
+                    type: string
+                  operatingSystem:
+                    description: The Operating System reported by the node
+                    type: string
+                  osImage:
+                    description: OS Image reported by the node from /etc/os-release
+                      (e.g. Debian GNU/Linux 7 (wheezy)).
+                    type: string
+                  systemUUID:
+                    description: SystemUUID reported by the node. For unique machine
+                      identification MachineID is preferred. This field is specific
+                      to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid
+                    type: string
+                required:
+                - architecture
+                - bootID
+                - containerRuntimeVersion
+                - kernelVersion
+                - kubeProxyVersion
+                - kubeletVersion
+                - machineID
+                - operatingSystem
+                - osImage
+                - systemUUID
+                type: object
+              nodeRef:
+                description: NodeRef will point to the corresponding Node if it exists.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              observedGeneration:
+                description: ObservedGeneration is the latest generation observed
+                  by the controller.
+                format: int64
+                type: integer
+              phase:
+                description: Phase represents the current phase of machine actuation.
+                  E.g. Pending, Running, Terminating, Failed etc.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: machinesets.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: capi-webhook-service
+          namespace: capi-webhook-system
+          path: /convert
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: MachineSet
+    listKind: MachineSetList
+    plural: machinesets
+    shortNames:
+    - ms
+    singular: machineset
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Total number of non-terminated machines targeted by this machineset
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of available machines (ready for at least minReadySeconds)
+      jsonPath: .status.availableReplicas
+      name: Available
+      type: integer
+    - description: Total number of ready machines targeted by this machineset.
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: MachineSet is the Schema for the machinesets API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineSetSpec defines the desired state of MachineSet.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              deletePolicy:
+                description: DeletePolicy defines the policy used to identify nodes
+                  to delete when downscaling. Defaults to "Random".  Valid values
+                  are "Random, "Newest", "Oldest"
+                enum:
+                - Random
+                - Newest
+                - Oldest
+                type: string
+              minReadySeconds:
+                description: MinReadySeconds is the minimum number of seconds for
+                  which a newly created machine should be ready. Defaults to 0 (machine
+                  will be considered available as soon as it is ready)
+                format: int32
+                type: integer
+              replicas:
+                description: Replicas is the number of desired replicas. This is a
+                  pointer to distinguish between explicit zero and unspecified. Defaults
+                  to 1.
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is a label query over machines that should
+                  match the replica count. Label keys and values that must match in
+                  order to be controlled by this MachineSet. It must match the machine
+                  template''s labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors'
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              template:
+                description: Template is the object that describes the machine that
+                  will be created if insufficient replicas are detected. Object references
+                  to custom resources resources are treated as templates.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      generateName:
+                        description: "GenerateName is an optional prefix, used by
+                          the server, to generate a unique name ONLY IF the Name field
+                          has not been provided. If this field is used, the name returned
+                          to the client will be different than the name passed. This
+                          value will also be combined with a unique suffix. The provided
+                          value has the same validation rules as the Name field, and
+                          may be truncated by the length of the suffix required to
+                          make the value unique on the server. \n If this field is
+                          specified and the generated name exists, the server will
+                          NOT return a 409 - instead, it will either return 201 Created
+                          or 500 with Reason ServerTimeout indicating a unique name
+                          could not be found in the time allotted, and the client
+                          should retry (optionally after the time indicated in the
+                          Retry-After header). \n Applied only if Name is not specified.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+                          \n Deprecated: This field has no function and is going to
+                          be removed in a next release."
+                        type: string
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                      name:
+                        description: "Name must be unique within a namespace. Is required
+                          when creating resources, although some resources may allow
+                          a client to request the generation of an appropriate name
+                          automatically. Name is primarily intended for creation idempotence
+                          and configuration definition. Cannot be updated. More info:
+                          http://kubernetes.io/docs/user-guide/identifiers#names \n
+                          Deprecated: This field has no function and is going to be
+                          removed in a next release."
+                        type: string
+                      namespace:
+                        description: "Namespace defines the space within each name
+                          must be unique. An empty namespace is equivalent to the
+                          \"default\" namespace, but \"default\" is the canonical
+                          representation. Not all objects are required to be scoped
+                          to a namespace - the value of this field for those objects
+                          will be empty. \n Must be a DNS_LABEL. Cannot be updated.
+                          More info: http://kubernetes.io/docs/user-guide/namespaces
+                          \n Deprecated: This field has no function and is going to
+                          be removed in a next release."
+                        type: string
+                      ownerReferences:
+                        description: "List of objects depended by this object. If
+                          ALL objects in the list have been deleted, this object will
+                          be garbage collected. If this object is managed by a controller,
+                          then an entry in this list will point to this controller,
+                          with the controller field set to true. There cannot be more
+                          than one managing controller. \n Deprecated: This field
+                          has no function and is going to be removed in a next release."
+                        items:
+                          description: OwnerReference contains enough information
+                            to let you identify an owning object. An owning object
+                            must be in the same namespace as the dependent, or be
+                            cluster-scoped, so there is no namespace field.
+                          properties:
+                            apiVersion:
+                              description: API version of the referent.
+                              type: string
+                            blockOwnerDeletion:
+                              description: If true, AND if the owner has the "foregroundDeletion"
+                                finalizer, then the owner cannot be deleted from the
+                                key-value store until this reference is removed. See
+                                https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+                                for how the garbage collector interacts with this
+                                field and enforces the foreground deletion. Defaults
+                                to false. To set this field, a user needs "delete"
+                                permission of the owner, otherwise 422 (Unprocessable
+                                Entity) will be returned.
+                              type: boolean
+                            controller:
+                              description: If true, this reference points to the managing
+                                controller.
+                              type: boolean
+                            kind:
+                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
+                              type: string
+                            uid:
+                              description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
+                              type: string
+                          required:
+                          - apiVersion
+                          - kind
+                          - name
+                          - uid
+                          type: object
+                        type: array
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.Data
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          data:
+                            description: "Data contains the bootstrap data, such as
+                              cloud-init details scripts. If nil, the Machine should
+                              remain in the Pending state. \n Deprecated: Switch to
+                              DataSecretName."
+                            type: string
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - selector
+            type: object
+          status:
+            description: MachineSetStatus defines the observed state of MachineSet.
+            properties:
+              availableReplicas:
+                description: The number of available replicas (ready for at least
+                  minReadySeconds) for this MachineSet.
+                format: int32
+                type: integer
+              failureMessage:
+                type: string
+              failureReason:
+                description: "In the event that there is a terminal problem reconciling
+                  the replicas, both FailureReason and FailureMessage will be set.
+                  FailureReason will be populated with a succinct value suitable for
+                  machine interpretation, while FailureMessage will contain a more
+                  verbose string suitable for logging and human consumption. \n These
+                  fields should not be set for transitive errors that a controller
+                  faces that are expected to be fixed automatically over time (like
+                  service outages), but instead indicate that something is fundamentally
+                  wrong with the MachineTemplate's spec or the configuration of the
+                  machine controller, and that manual intervention is required. Examples
+                  of terminal errors would be invalid combinations of settings in
+                  the spec, values that are unsupported by the machine controller,
+                  or the responsible machine controller itself being critically misconfigured.
+                  \n Any transient errors that occur during the reconciliation of
+                  Machines can be added as events to the MachineSet object and/or
+                  logged in the controller's output."
+                type: string
+              fullyLabeledReplicas:
+                description: The number of replicas that have labels matching the
+                  labels of the machine template of the MachineSet.
+                format: int32
+                type: integer
+              observedGeneration:
+                description: ObservedGeneration reflects the generation of the most
+                  recently observed MachineSet.
+                format: int64
+                type: integer
+              readyReplicas:
+                description: The number of ready replicas for this MachineSet. A machine
+                  is considered ready when the node has been created and is "Ready".
+                format: int32
+                type: integer
+              replicas:
+                description: Replicas is the most recently observed number of replicas.
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the same as the label selector but in the
+                  string format to avoid introspection by clients. The string will
+                  be in the same format as the query-param syntax. More info about
+                  label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Time duration since creation of MachineSet
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Total number of non-terminated machines targeted by this machineset
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of available machines (ready for at least minReadySeconds)
+      jsonPath: .status.availableReplicas
+      name: Available
+      type: integer
+    - description: Total number of ready machines targeted by this machineset.
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    name: v1alpha4
+    schema:
+      openAPIV3Schema:
+        description: MachineSet is the Schema for the machinesets API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineSetSpec defines the desired state of MachineSet.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              deletePolicy:
+                description: DeletePolicy defines the policy used to identify nodes
+                  to delete when downscaling. Defaults to "Random".  Valid values
+                  are "Random, "Newest", "Oldest"
+                enum:
+                - Random
+                - Newest
+                - Oldest
+                type: string
+              minReadySeconds:
+                description: MinReadySeconds is the minimum number of seconds for
+                  which a newly created machine should be ready. Defaults to 0 (machine
+                  will be considered available as soon as it is ready)
+                format: int32
+                type: integer
+              replicas:
+                default: 1
+                description: Replicas is the number of desired replicas. This is a
+                  pointer to distinguish between explicit zero and unspecified. Defaults
+                  to 1.
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is a label query over machines that should
+                  match the replica count. Label keys and values that must match in
+                  order to be controlled by this MachineSet. It must match the machine
+                  template''s labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors'
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              template:
+                description: Template is the object that describes the machine that
+                  will be created if insufficient replicas are detected. Object references
+                  to custom resources resources are treated as templates.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.DataSecretName
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - selector
+            type: object
+          status:
+            description: MachineSetStatus defines the observed state of MachineSet.
+            properties:
+              availableReplicas:
+                description: The number of available replicas (ready for at least
+                  minReadySeconds) for this MachineSet.
+                format: int32
+                type: integer
+              conditions:
+                description: Conditions defines current service state of the MachineSet.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                type: string
+              failureReason:
+                description: "In the event that there is a terminal problem reconciling
+                  the replicas, both FailureReason and FailureMessage will be set.
+                  FailureReason will be populated with a succinct value suitable for
+                  machine interpretation, while FailureMessage will contain a more
+                  verbose string suitable for logging and human consumption. \n These
+                  fields should not be set for transitive errors that a controller
+                  faces that are expected to be fixed automatically over time (like
+                  service outages), but instead indicate that something is fundamentally
+                  wrong with the MachineTemplate's spec or the configuration of the
+                  machine controller, and that manual intervention is required. Examples
+                  of terminal errors would be invalid combinations of settings in
+                  the spec, values that are unsupported by the machine controller,
+                  or the responsible machine controller itself being critically misconfigured.
+                  \n Any transient errors that occur during the reconciliation of
+                  Machines can be added as events to the MachineSet object and/or
+                  logged in the controller's output."
+                type: string
+              fullyLabeledReplicas:
+                description: The number of replicas that have labels matching the
+                  labels of the machine template of the MachineSet.
+                format: int32
+                type: integer
+              observedGeneration:
+                description: ObservedGeneration reflects the generation of the most
+                  recently observed MachineSet.
+                format: int64
+                type: integer
+              readyReplicas:
+                description: The number of ready replicas for this MachineSet. A machine
+                  is considered ready when the node has been created and is "Ready".
+                format: int32
+                type: integer
+              replicas:
+                description: Replicas is the most recently observed number of replicas.
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the same as the label selector but in the
+                  string format to avoid introspection by clients. The string will
+                  be in the same format as the query-param syntax. More info about
+                  label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+  - additionalPrinterColumns:
+    - description: Cluster
+      jsonPath: .spec.clusterName
+      name: Cluster
+      type: string
+    - description: Total number of machines desired by this machineset
+      jsonPath: .spec.replicas
+      name: Desired
+      priority: 10
+      type: integer
+    - description: Total number of non-terminated machines targeted by this machineset
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of ready machines targeted by this machineset.
+      jsonPath: .status.readyReplicas
+      name: Ready
+      type: integer
+    - description: Total number of available machines (ready for at least minReadySeconds)
+      jsonPath: .status.availableReplicas
+      name: Available
+      type: integer
+    - description: Time duration since creation of MachineSet
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Kubernetes version associated with this MachineSet
+      jsonPath: .spec.template.spec.version
+      name: Version
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: MachineSet is the Schema for the machinesets API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineSetSpec defines the desired state of MachineSet.
+            properties:
+              clusterName:
+                description: ClusterName is the name of the Cluster this object belongs
+                  to.
+                minLength: 1
+                type: string
+              deletePolicy:
+                description: DeletePolicy defines the policy used to identify nodes
+                  to delete when downscaling. Defaults to "Random".  Valid values
+                  are "Random, "Newest", "Oldest"
+                enum:
+                - Random
+                - Newest
+                - Oldest
+                type: string
+              minReadySeconds:
+                description: MinReadySeconds is the minimum number of seconds for
+                  which a newly created machine should be ready. Defaults to 0 (machine
+                  will be considered available as soon as it is ready)
+                format: int32
+                type: integer
+              replicas:
+                default: 1
+                description: Replicas is the number of desired replicas. This is a
+                  pointer to distinguish between explicit zero and unspecified. Defaults
+                  to 1.
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is a label query over machines that should
+                  match the replica count. Label keys and values that must match in
+                  order to be controlled by this MachineSet. It must match the machine
+                  template''s labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors'
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              template:
+                description: Template is the object that describes the machine that
+                  will be created if insufficient replicas are detected. Object references
+                  to custom resources resources are treated as templates.
+                properties:
+                  metadata:
+                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: 'Annotations is an unstructured key value map
+                          stored with a resource that may be set by external tools
+                          to store and retrieve arbitrary metadata. They are not queryable
+                          and should be preserved when modifying objects. More info:
+                          http://kubernetes.io/docs/user-guide/annotations'
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: 'Map of string keys and values that can be used
+                          to organize and categorize (scope and select) objects. May
+                          match selectors of replication controllers and services.
+                          More info: http://kubernetes.io/docs/user-guide/labels'
+                        type: object
+                    type: object
+                  spec:
+                    description: 'Specification of the desired behavior of the machine.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+                    properties:
+                      bootstrap:
+                        description: Bootstrap is a reference to a local struct which
+                          encapsulates fields to configure the Machine’s bootstrapping
+                          mechanism.
+                        properties:
+                          configRef:
+                            description: ConfigRef is a reference to a bootstrap provider-specific
+                              resource that holds configuration details. The reference
+                              is optional to allow users/operators to specify Bootstrap.DataSecretName
+                              without the need of a controller.
+                            properties:
+                              apiVersion:
+                                description: API version of the referent.
+                                type: string
+                              fieldPath:
+                                description: 'If referring to a piece of an object
+                                  instead of an entire object, this string should
+                                  contain a valid JSON/Go field access statement,
+                                  such as desiredState.manifest.containers[2]. For
+                                  example, if the object reference is to a container
+                                  within a pod, this would take on a value like: "spec.containers{name}"
+                                  (where "name" refers to the name of the container
+                                  that triggered the event) or if no container name
+                                  is specified "spec.containers[2]" (container with
+                                  index 2 in this pod). This syntax is chosen only
+                                  to have some well-defined way of referencing a part
+                                  of an object. TODO: this design is not final and
+                                  this field is subject to change in the future.'
+                                type: string
+                              kind:
+                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                              namespace:
+                                description: 'Namespace of the referent. More info:
+                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                                type: string
+                              resourceVersion:
+                                description: 'Specific resourceVersion to which this
+                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                                type: string
+                              uid:
+                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                                type: string
+                            type: object
+                          dataSecretName:
+                            description: DataSecretName is the name of the secret
+                              that stores the bootstrap data script. If nil, the Machine
+                              should remain in the Pending state.
+                            type: string
+                        type: object
+                      clusterName:
+                        description: ClusterName is the name of the Cluster this object
+                          belongs to.
+                        minLength: 1
+                        type: string
+                      failureDomain:
+                        description: FailureDomain is the failure domain the machine
+                          will be created in. Must match a key in the FailureDomains
+                          map stored on the cluster object.
+                        type: string
+                      infrastructureRef:
+                        description: InfrastructureRef is a required reference to
+                          a custom resource offered by an infrastructure provider.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: 'If referring to a piece of an object instead
+                              of an entire object, this string should contain a valid
+                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container
+                              within a pod, this would take on a value like: "spec.containers{name}"
+                              (where "name" refers to the name of the container that
+                              triggered the event) or if no container name is specified
+                              "spec.containers[2]" (container with index 2 in this
+                              pod). This syntax is chosen only to have some well-defined
+                              way of referencing a part of an object. TODO: this design
+                              is not final and this field is subject to change in
+                              the future.'
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            type: string
+                          resourceVersion:
+                            description: 'Specific resourceVersion to which this reference
+                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            type: string
+                          uid:
+                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            type: string
+                        type: object
+                      nodeDeletionTimeout:
+                        description: NodeDeletionTimeout defines how long the controller
+                          will attempt to delete the Node that the Machine hosts after
+                          the Machine is marked for deletion. A duration of 0 will
+                          retry deletion indefinitely. Defaults to 10 seconds.
+                        type: string
+                      nodeDrainTimeout:
+                        description: 'NodeDrainTimeout is the total amount of time
+                          that the controller will spend on draining a node. The default
+                          value is 0, meaning that the node can be drained without
+                          any time limitations. NOTE: NodeDrainTimeout is different
+                          from `kubectl drain --timeout`'
+                        type: string
+                      providerID:
+                        description: ProviderID is the identification ID of the machine
+                          provided by the provider. This field must match the provider
+                          ID as seen on the node object corresponding to this machine.
+                          This field is required by higher level consumers of cluster-api.
+                          Example use case is cluster autoscaler with cluster-api
+                          as provider. Clean-up logic in the autoscaler compares machines
+                          to nodes to find out machines at provider which could not
+                          get registered as Kubernetes nodes. With cluster-api as
+                          a generic out-of-tree provider for autoscaler, this field
+                          is required by autoscaler to be able to have a provider
+                          view of the list of machines. Another list of nodes is queried
+                          from the k8s apiserver and then a comparison is done to
+                          find out unregistered machines and are marked for delete.
+                          This field will be set by the actuators and consumed by
+                          higher level entities like autoscaler that will be interfacing
+                          with cluster-api as generic provider.
+                        type: string
+                      version:
+                        description: Version defines the desired Kubernetes version.
+                          This field is meant to be optionally used by bootstrap providers.
+                        type: string
+                    required:
+                    - bootstrap
+                    - clusterName
+                    - infrastructureRef
+                    type: object
+                type: object
+            required:
+            - clusterName
+            - selector
+            type: object
+          status:
+            description: MachineSetStatus defines the observed state of MachineSet.
+            properties:
+              availableReplicas:
+                description: The number of available replicas (ready for at least
+                  minReadySeconds) for this MachineSet.
+                format: int32
+                type: integer
+              conditions:
+                description: Conditions defines current service state of the MachineSet.
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              failureMessage:
+                type: string
+              failureReason:
+                description: "In the event that there is a terminal problem reconciling
+                  the replicas, both FailureReason and FailureMessage will be set.
+                  FailureReason will be populated with a succinct value suitable for
+                  machine interpretation, while FailureMessage will contain a more
+                  verbose string suitable for logging and human consumption. \n These
+                  fields should not be set for transitive errors that a controller
+                  faces that are expected to be fixed automatically over time (like
+                  service outages), but instead indicate that something is fundamentally
+                  wrong with the MachineTemplate's spec or the configuration of the
+                  machine controller, and that manual intervention is required. Examples
+                  of terminal errors would be invalid combinations of settings in
+                  the spec, values that are unsupported by the machine controller,
+                  or the responsible machine controller itself being critically misconfigured.
+                  \n Any transient errors that occur during the reconciliation of
+                  Machines can be added as events to the MachineSet object and/or
+                  logged in the controller's output."
+                type: string
+              fullyLabeledReplicas:
+                description: The number of replicas that have labels matching the
+                  labels of the machine template of the MachineSet.
+                format: int32
+                type: integer
+              observedGeneration:
+                description: ObservedGeneration reflects the generation of the most
+                  recently observed MachineSet.
+                format: int64
+                type: integer
+              readyReplicas:
+                description: The number of ready replicas for this MachineSet. A machine
+                  is considered ready when the node has been created and is "Ready".
+                format: int32
+                type: integer
+              replicas:
+                description: Replicas is the most recently observed number of replicas.
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the same as the label selector but in the
+                  string format to avoid introspection by clients. The string will
+                  be in the same format as the query-param syntax. More info about
+                  label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: capi-webhook-service
+  namespace: capi-system
+spec:
+  ports:
+  - port: 443
+    targetPort: webhook-server
+  selector:
+    cluster.x-k8s.io/provider: cluster-api
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+    control-plane: controller-manager
+  name: capi-controller-manager
+  namespace: capi-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/provider: cluster-api
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/provider: cluster-api
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - --leader-elect
+        - --metrics-bind-addr=localhost:8080
+        - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}
+        command:
+        - /manager
+        image: gcr.io/k8s-staging-cluster-api/cluster-api-controller:main
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+      volumes:
+      - name: cert
+        secret:
+          secretName: capi-webhook-service-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: capi-serving-cert
+  namespace: capi-system
+spec:
+  dnsNames:
+  - capi-webhook-service.capi-system.svc
+  - capi-webhook-service.capi-system.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: capi-selfsigned-issuer
+  secretName: capi-webhook-service-cert
+  subject:
+    organizations:
+    - k8s-sig-cluster-lifecycle
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: capi-selfsigned-issuer
+  namespace: capi-system
+spec:
+  selfSigned: {}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: capi-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-cluster-x-k8s-io-v1beta1-machine
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.machine.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machines
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-cluster-x-k8s-io-v1beta1-machinedeployment
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.machinedeployment.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machinedeployments
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-cluster-x-k8s-io-v1beta1-machinehealthcheck
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.machinehealthcheck.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machinehealthchecks
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-cluster-x-k8s-io-v1beta1-machineset
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.machineset.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machinesets
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-cluster-x-k8s-io-v1beta1-machinepool
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.machinepool.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machinepools
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-cluster-x-k8s-io-v1beta1-cluster
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.cluster.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusters
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-cluster-x-k8s-io-v1beta1-clusterclass
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.clusterclass.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterclasses
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-runtime-cluster-x-k8s-io-v1alpha1-extensionconfig
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.extensionconfig.runtime.addons.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - runtime.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - extensionconfigs
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /mutate-addons-cluster-x-k8s-io-v1beta1-clusterresourceset
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.clusterresourceset.addons.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - addons.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterresourcesets
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+  name: capi-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-cluster-x-k8s-io-v1beta1-machine
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.machine.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machines
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-cluster-x-k8s-io-v1beta1-machinedeployment
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.machinedeployment.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machinedeployments
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-cluster-x-k8s-io-v1beta1-machinehealthcheck
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.machinehealthcheck.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machinehealthchecks
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-cluster-x-k8s-io-v1beta1-machineset
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.machineset.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machinesets
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-cluster-x-k8s-io-v1beta1-machinepool
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.machinepool.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - machinepools
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-cluster-x-k8s-io-v1beta1-cluster
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.cluster.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    resources:
+    - clusters
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-cluster-x-k8s-io-v1beta1-clusterclass
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.clusterclass.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    resources:
+    - clusterclasses
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-runtime-cluster-x-k8s-io-v1alpha1-extensionconfig
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.extensionconfig.runtime.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - runtime.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - extensionconfigs
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: capi-webhook-service
+      namespace: capi-system
+      path: /validate-addons-cluster-x-k8s-io-v1beta1-clusterresourceset
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.clusterresourceset.addons.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - addons.cluster.x-k8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterresourcesets
+  sideEffects: None
diff --git a/spectro/run.sh b/spectro/run.sh
new file mode 100755
index 000000000000..979f21bcc99b
--- /dev/null
+++ b/spectro/run.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+
+rm generated/*
+
+kustomize build --load-restrictor LoadRestrictionsNone core/global > generated/core-global.yaml
+kustomize build --load-restrictor LoadRestrictionsNone core/base > generated/core-base.yaml
+
+kustomize build --load-restrictor LoadRestrictionsNone bootstrap/global > generated/bootstrap-global.yaml
+kustomize build --load-restrictor LoadRestrictionsNone bootstrap/base > generated/bootstrap-base.yaml
+
+kustomize build --load-restrictor LoadRestrictionsNone controlplane/global > generated/controlplane-global.yaml
+kustomize build --load-restrictor LoadRestrictionsNone controlplane/base > generated/controlplane-base.yaml

From 0fbb85efe25a62a94e11d54ca9a8b3de4264fbf7 Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar <snehal@spectrocloud.com>
Date: Wed, 15 Jun 2022 14:53:52 +0530
Subject: [PATCH 67/87] fix for exclusive webhook and reconcilers

---
 bootstrap/kubeadm/main.go    | 14 +++++++++++++-
 controlplane/kubeadm/main.go | 15 ++++++++++++++-
 main.go                      | 22 +++++++++++++++++++---
 3 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/bootstrap/kubeadm/main.go b/bootstrap/kubeadm/main.go
index 04f30bfefc9b..8a0f55afb059 100644
--- a/bootstrap/kubeadm/main.go
+++ b/bootstrap/kubeadm/main.go
@@ -128,7 +128,7 @@ func InitFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&watchFilterValue, "watch-filter", "",
 		fmt.Sprintf("Label value that the controller watches to reconcile cluster-api objects. Label key is always %s. If unspecified, the controller watches for all cluster-api objects.", clusterv1.WatchLabel))
 
-	fs.IntVar(&webhookPort, "webhook-port", 9443,
+	fs.IntVar(&webhookPort, "webhook-port", 0,
 		"Webhook Server port")
 
 	fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
@@ -217,6 +217,10 @@ func main() {
 }
 
 func setupChecks(mgr ctrl.Manager) {
+	if webhookPort == 0 {
+		setupLog.V(0).Info("webhook is disabled skipping webhook healthcheck setup")
+		return
+	}
 	if err := mgr.AddReadyzCheck("webhook", mgr.GetWebhookServer().StartedChecker()); err != nil {
 		setupLog.Error(err, "unable to create ready check")
 		os.Exit(1)
@@ -229,6 +233,10 @@ func setupChecks(mgr ctrl.Manager) {
 }
 
 func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
+	if webhookPort != 0 {
+		setupLog.V(0).Info("webhook is enabled skipping reconcilers setup")
+		return
+	}
 	if err := (&kubeadmbootstrapcontrollers.KubeadmConfigReconciler{
 		Client:           mgr.GetClient(),
 		WatchFilterValue: watchFilterValue,
@@ -240,6 +248,10 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 }
 
 func setupWebhooks(mgr ctrl.Manager) {
+	if webhookPort == 0 {
+		setupLog.V(0).Info("webhook is disabled skipping webhook setup")
+		return
+	}
 	if err := (&bootstrapv1.KubeadmConfig{}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create webhook", "webhook", "KubeadmConfig")
 		os.Exit(1)
diff --git a/controlplane/kubeadm/main.go b/controlplane/kubeadm/main.go
index 7d3f36080cdf..3d94d1d010b6 100644
--- a/controlplane/kubeadm/main.go
+++ b/controlplane/kubeadm/main.go
@@ -129,7 +129,7 @@ func InitFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&watchFilterValue, "watch-filter", "",
 		fmt.Sprintf("Label value that the controller watches to reconcile cluster-api objects. Label key is always %s. If unspecified, the controller watches for all cluster-api objects.", clusterv1.WatchLabel))
 
-	fs.IntVar(&webhookPort, "webhook-port", 9443,
+	fs.IntVar(&webhookPort, "webhook-port", 0,
 		"Webhook Server port")
 
 	fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
@@ -221,6 +221,10 @@ func main() {
 }
 
 func setupChecks(mgr ctrl.Manager) {
+	if webhookPort == 0 {
+		setupLog.V(0).Info("webhook is disabled skipping webhook healtcheck setup")
+		return
+	}
 	if err := mgr.AddReadyzCheck("webhook", mgr.GetWebhookServer().StartedChecker()); err != nil {
 		setupLog.Error(err, "unable to create ready check")
 		os.Exit(1)
@@ -233,6 +237,10 @@ func setupChecks(mgr ctrl.Manager) {
 }
 
 func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
+	if webhookPort != 0 {
+		setupLog.V(0).Info("webhook is enabled skipping reconcilers setup")
+		return
+	}
 	// Set up a ClusterCacheTracker to provide to controllers
 	// requiring a connection to a remote cluster
 	log := ctrl.Log.WithName("remote").WithName("ClusterCacheTracker")
@@ -273,6 +281,11 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 }
 
 func setupWebhooks(mgr ctrl.Manager) {
+	if webhookPort == 0 {
+		setupLog.V(0).Info("webhook is disabled skipping webhook setup")
+		return
+	}
+
 	if err := (&controlplanev1.KubeadmControlPlane{}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create webhook", "webhook", "KubeadmControlPlane")
 		os.Exit(1)
diff --git a/main.go b/main.go
index 2fc9c4f983e3..e2b8cbad93e5 100644
--- a/main.go
+++ b/main.go
@@ -191,7 +191,7 @@ func InitFlags(fs *pflag.FlagSet) {
 	fs.DurationVar(&syncPeriod, "sync-period", 10*time.Minute,
 		"The minimum interval at which watched resources are reconciled (e.g. 15m)")
 
-	fs.IntVar(&webhookPort, "webhook-port", 9443,
+	fs.IntVar(&webhookPort, "webhook-port", 0,
 		"Webhook Server port")
 
 	fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
@@ -278,7 +278,7 @@ func main() {
 	// Setup the context that's going to be used in controllers and for the manager.
 	ctx := ctrl.SetupSignalHandler()
 
-	setupChecks(mgr)
+	(mgr)
 	setupIndexes(ctx, mgr)
 	setupReconcilers(ctx, mgr)
 	setupWebhooks(mgr)
@@ -291,7 +291,11 @@ func main() {
 	}
 }
 
-func setupChecks(mgr ctrl.Manager) {
+func setupChsetupChecksecks(mgr ctrl.Manager) {
+	if webhookPort == 0 {
+		setupLog.V(0).Info("webhook is disabled skipping webhook healthcheck setup")
+		return
+	}
 	if err := mgr.AddReadyzCheck("webhook", mgr.GetWebhookServer().StartedChecker()); err != nil {
 		setupLog.Error(err, "unable to create ready check")
 		os.Exit(1)
@@ -304,6 +308,10 @@ func setupChecks(mgr ctrl.Manager) {
 }
 
 func setupIndexes(ctx context.Context, mgr ctrl.Manager) {
+	if webhookPort != 0 {
+		setupLog.V(0).Info("webhook is enabled skipping index setup")
+		return
+	}
 	if err := index.AddDefaultIndexes(ctx, mgr); err != nil {
 		setupLog.Error(err, "unable to setup indexes")
 		os.Exit(1)
@@ -311,6 +319,10 @@ func setupIndexes(ctx context.Context, mgr ctrl.Manager) {
 }
 
 func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
+	if webhookPort != 0 {
+		setupLog.V(0).Info("webhook is enabled skipping reconcilers setup")
+		return
+	}
 	// Set up a ClusterCacheTracker and ClusterCacheReconciler to provide to controllers
 	// requiring a connection to a remote cluster
 	log := ctrl.Log.WithName("remote").WithName("ClusterCacheTracker")
@@ -486,6 +498,10 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 }
 
 func setupWebhooks(mgr ctrl.Manager) {
+	if webhookPort == 0 {
+		setupLog.V(0).Info("webhook is disabled skipping webhook setup")
+		return
+	}
 	// NOTE: ClusterClass and managed topologies are behind ClusterTopology feature gate flag; the webhook
 	// is going to prevent creating or updating new objects in case the feature flag is disabled.
 	if err := (&webhooks.ClusterClass{Client: mgr.GetClient()}).SetupWebhookWithManager(mgr); err != nil {

From 3fb2d59e39a1121e365b75ec429a92316bc18dbb Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar <snehal@spectrocloud.com>
Date: Fri, 5 Aug 2022 11:17:42 +0530
Subject: [PATCH 68/87] Disabled k8s check validation for managed clusters

---
 Makefile                                      |  8 +-
 .../config/default/manager_image_patch.yaml   |  2 +-
 config/default/manager_image_patch.yaml       |  2 +-
 .../config/default/manager_image_patch.yaml   |  2 +-
 exp/api/v1beta1/machinepool_webhook.go        | 11 ++-
 main.go                                       |  4 +-
 .../controlplane/global/kustomization.yaml    |  2 +-
 spectro/core/global/kustomization.yaml        |  6 +-
 spectro/generated/bootstrap-base.yaml         |  2 +-
 spectro/generated/bootstrap-global.yaml       |  2 +-
 spectro/generated/controlplane-base.yaml      |  2 +-
 spectro/generated/controlplane-global.yaml    | 34 +++----
 spectro/generated/core-base.yaml              |  2 +-
 spectro/generated/core-global.yaml            | 88 ++++++++++---------
 14 files changed, 89 insertions(+), 78 deletions(-)

diff --git a/Makefile b/Makefile
index c1bafb4bb5ac..8703245b516a 100644
--- a/Makefile
+++ b/Makefile
@@ -211,7 +211,7 @@ CAPI_KIND_CLUSTER_NAME ?= capi-test
 
 # It is set by Prow GIT_TAG, a git-based tag of the form vYYYYMMDD-hash, e.g., v20210120-v0.3.10-308-gc61521971
 
-TAG ?= dev
+TAG ?= 20220805
 ARCH ?= $(shell go env GOARCH)
 ALL_ARCH = amd64 arm arm64 ppc64le s390x
 
@@ -679,19 +679,19 @@ docker-build-e2e: ## Run docker-build-* targets for all the images with settings
 
 .PHONY: docker-build-core
 docker-build-core: ## Build the docker image for core controller manager
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG)
+	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/default/manager_pull_policy.yaml"
 
 .PHONY: docker-build-kubeadm-bootstrap
 docker-build-kubeadm-bootstrap: ## Build the docker image for kubeadm bootstrap controller manager
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./bootstrap/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH):$(TAG)
+	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./bootstrap/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_pull_policy.yaml"
 
 .PHONY: docker-build-kubeadm-control-plane
 docker-build-kubeadm-control-plane: ## Build the docker image for kubeadm control plane controller manager
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./controlplane/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH):$(TAG)
+	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./controlplane/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_pull_policy.yaml"
 
diff --git a/bootstrap/kubeadm/config/default/manager_image_patch.yaml b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
index 21edd7e47b4a..810a74d02471 100644
--- a/bootstrap/kubeadm/config/default/manager_image_patch.yaml
+++ b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller:main
+        - image: gcr.io/spectro-dev-public/release/kubeadm-bootstrap-controller-amd64:20220805
           name: manager
diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml
index 95f09097b7f8..11b1230a111c 100644
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-      - image: gcr.io/k8s-staging-cluster-api/cluster-api-controller:main
+      - image: gcr.io/spectro-dev-public/release/cluster-api-controller-amd64:20220805
         name: manager
diff --git a/controlplane/kubeadm/config/default/manager_image_patch.yaml b/controlplane/kubeadm/config/default/manager_image_patch.yaml
index 1a9bb736f695..5c278272e3dd 100644
--- a/controlplane/kubeadm/config/default/manager_image_patch.yaml
+++ b/controlplane/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:main
+        - image: gcr.io/spectro-dev-public/release/kubeadm-control-plane-controller-amd64:20220805
           name: manager
diff --git a/exp/api/v1beta1/machinepool_webhook.go b/exp/api/v1beta1/machinepool_webhook.go
index 7d7752ba1d85..923816ea4e26 100644
--- a/exp/api/v1beta1/machinepool_webhook.go
+++ b/exp/api/v1beta1/machinepool_webhook.go
@@ -29,7 +29,6 @@ import (
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/feature"
-	"sigs.k8s.io/cluster-api/util/version"
 )
 
 func (m *MachinePool) SetupWebhookWithManager(mgr ctrl.Manager) error {
@@ -145,11 +144,11 @@ func (m *MachinePool) validate(old *MachinePool) error {
 		)
 	}
 
-	if m.Spec.Template.Spec.Version != nil {
-		if !version.KubeSemver.MatchString(*m.Spec.Template.Spec.Version) {
-			allErrs = append(allErrs, field.Invalid(specPath.Child("template", "spec", "version"), *m.Spec.Template.Spec.Version, "must be a valid semantic version"))
-		}
-	}
+	//if m.Spec.Template.Spec.Version != nil {
+	//	if !version.KubeSemver.MatchString(*m.Spec.Template.Spec.Version) {
+	//		allErrs = append(allErrs, field.Invalid(specPath.Child("template", "spec", "version"), *m.Spec.Template.Spec.Version, "must be a valid semantic version"))
+	//	}
+	//}
 
 	if len(allErrs) == 0 {
 		return nil
diff --git a/main.go b/main.go
index e2b8cbad93e5..385e733b9809 100644
--- a/main.go
+++ b/main.go
@@ -278,7 +278,7 @@ func main() {
 	// Setup the context that's going to be used in controllers and for the manager.
 	ctx := ctrl.SetupSignalHandler()
 
-	(mgr)
+	setupChecks(mgr)
 	setupIndexes(ctx, mgr)
 	setupReconcilers(ctx, mgr)
 	setupWebhooks(mgr)
@@ -291,7 +291,7 @@ func main() {
 	}
 }
 
-func setupChsetupChecksecks(mgr ctrl.Manager) {
+func setupChecks(mgr ctrl.Manager) {
 	if webhookPort == 0 {
 		setupLog.V(0).Info("webhook is disabled skipping webhook healthcheck setup")
 		return
diff --git a/spectro/controlplane/global/kustomization.yaml b/spectro/controlplane/global/kustomization.yaml
index f097052ec57b..11afa95d59b8 100644
--- a/spectro/controlplane/global/kustomization.yaml
+++ b/spectro/controlplane/global/kustomization.yaml
@@ -1,4 +1,4 @@
-namespace: capi-kubeadm-control-plane-system
+namespace: capi-webhook-system
 
 namePrefix: capi-kubeadm-control-plane-
 
diff --git a/spectro/core/global/kustomization.yaml b/spectro/core/global/kustomization.yaml
index 8915de85d59b..186f6defbff3 100644
--- a/spectro/core/global/kustomization.yaml
+++ b/spectro/core/global/kustomization.yaml
@@ -1,10 +1,14 @@
-namespace: capi-system
+namespace: capi-webhook-system
 
 namePrefix: capi-
 
 commonLabels:
   cluster.x-k8s.io/provider: "cluster-api"
 
+# added here and patched to have capi-webhook-system namespace crd
+resources:
+  - ../../../config/default/namespace.yaml
+
 bases:
 - ../../../config/crd
 - ../../../config/manager
diff --git a/spectro/generated/bootstrap-base.yaml b/spectro/generated/bootstrap-base.yaml
index 04c4e52a7c2f..558d42de5217 100644
--- a/spectro/generated/bootstrap-base.yaml
+++ b/spectro/generated/bootstrap-base.yaml
@@ -26,7 +26,7 @@ spec:
         - --bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}
         command:
         - /manager
-        image: gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller:main
+        image: gcr.io/spectro-dev-public/release/kubeadm-bootstrap-controller-amd64:20220805
         imagePullPolicy: Always
         name: manager
       terminationGracePeriodSeconds: 10
diff --git a/spectro/generated/bootstrap-global.yaml b/spectro/generated/bootstrap-global.yaml
index d056f7e79d9a..90de902d0bb1 100644
--- a/spectro/generated/bootstrap-global.yaml
+++ b/spectro/generated/bootstrap-global.yaml
@@ -6241,7 +6241,7 @@ spec:
         - --bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}
         command:
         - /manager
-        image: gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller:main
+        image: gcr.io/spectro-dev-public/release/kubeadm-bootstrap-controller-amd64:20220805
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
diff --git a/spectro/generated/controlplane-base.yaml b/spectro/generated/controlplane-base.yaml
index 288e17cb6901..5cd9f6869892 100644
--- a/spectro/generated/controlplane-base.yaml
+++ b/spectro/generated/controlplane-base.yaml
@@ -25,7 +25,7 @@ spec:
         - --feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}
         command:
         - /manager
-        image: gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:main
+        image: gcr.io/spectro-dev-public/release/kubeadm-control-plane-controller-amd64:20220805
         imagePullPolicy: Always
         name: manager
       terminationGracePeriodSeconds: 10
diff --git a/spectro/generated/controlplane-global.yaml b/spectro/generated/controlplane-global.yaml
index 07dfabf31b47..6adf5b04b649 100644
--- a/spectro/generated/controlplane-global.yaml
+++ b/spectro/generated/controlplane-global.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-kubeadm-control-plane-system/capi-kubeadm-control-plane-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-control-plane-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: control-plane-kubeadm
@@ -3764,7 +3764,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-kubeadm-control-plane-system/capi-kubeadm-control-plane-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-control-plane-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: control-plane-kubeadm
@@ -3780,7 +3780,7 @@ spec:
         caBundle: Cg==
         service:
           name: capi-kubeadm-control-plane-webhook-service
-          namespace: capi-kubeadm-control-plane-system
+          namespace: capi-webhook-system
           path: /convert
       conversionReviewVersions:
       - v1
@@ -6174,7 +6174,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: control-plane-kubeadm
   name: capi-kubeadm-control-plane-webhook-service
-  namespace: capi-kubeadm-control-plane-system
+  namespace: capi-webhook-system
 spec:
   ports:
   - port: 443
@@ -6189,7 +6189,7 @@ metadata:
     cluster.x-k8s.io/provider: control-plane-kubeadm
     control-plane: controller-manager
   name: capi-kubeadm-control-plane-controller-manager
-  namespace: capi-kubeadm-control-plane-system
+  namespace: capi-webhook-system
 spec:
   replicas: 1
   selector:
@@ -6209,7 +6209,7 @@ spec:
         - --feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}
         command:
         - /manager
-        image: gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:main
+        image: gcr.io/spectro-dev-public/release/kubeadm-control-plane-controller-amd64:20220805
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -6248,11 +6248,11 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: control-plane-kubeadm
   name: capi-kubeadm-control-plane-serving-cert
-  namespace: capi-kubeadm-control-plane-system
+  namespace: capi-webhook-system
 spec:
   dnsNames:
-  - capi-kubeadm-control-plane-webhook-service.capi-kubeadm-control-plane-system.svc
-  - capi-kubeadm-control-plane-webhook-service.capi-kubeadm-control-plane-system.svc.cluster.local
+  - capi-kubeadm-control-plane-webhook-service.capi-webhook-system.svc
+  - capi-kubeadm-control-plane-webhook-service.capi-webhook-system.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: capi-kubeadm-control-plane-selfsigned-issuer
@@ -6267,7 +6267,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: control-plane-kubeadm
   name: capi-kubeadm-control-plane-selfsigned-issuer
-  namespace: capi-kubeadm-control-plane-system
+  namespace: capi-webhook-system
 spec:
   selfSigned: {}
 ---
@@ -6275,7 +6275,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-kubeadm-control-plane-system/capi-kubeadm-control-plane-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-control-plane-serving-cert
   labels:
     cluster.x-k8s.io/provider: control-plane-kubeadm
   name: capi-kubeadm-control-plane-mutating-webhook-configuration
@@ -6286,7 +6286,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-kubeadm-control-plane-webhook-service
-      namespace: capi-kubeadm-control-plane-system
+      namespace: capi-webhook-system
       path: /mutate-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplane
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -6308,7 +6308,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-kubeadm-control-plane-webhook-service
-      namespace: capi-kubeadm-control-plane-system
+      namespace: capi-webhook-system
       path: /mutate-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplanetemplate
   failurePolicy: Fail
   name: default.kubeadmcontrolplanetemplate.controlplane.cluster.x-k8s.io
@@ -6328,7 +6328,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-kubeadm-control-plane-system/capi-kubeadm-control-plane-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-control-plane-serving-cert
   labels:
     cluster.x-k8s.io/provider: control-plane-kubeadm
   name: capi-kubeadm-control-plane-validating-webhook-configuration
@@ -6339,7 +6339,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-kubeadm-control-plane-webhook-service
-      namespace: capi-kubeadm-control-plane-system
+      namespace: capi-webhook-system
       path: /validate-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplane
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -6361,7 +6361,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-kubeadm-control-plane-webhook-service
-      namespace: capi-kubeadm-control-plane-system
+      namespace: capi-webhook-system
       path: /validate-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplanetemplate
   failurePolicy: Fail
   name: validation.kubeadmcontrolplanetemplate.controlplane.cluster.x-k8s.io
@@ -6382,7 +6382,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-kubeadm-control-plane-webhook-service
-      namespace: capi-kubeadm-control-plane-system
+      namespace: capi-webhook-system
       path: /validate-scale-controlplane-cluster-x-k8s-io-v1beta1-kubeadmcontrolplane
   failurePolicy: Fail
   matchPolicy: Equivalent
diff --git a/spectro/generated/core-base.yaml b/spectro/generated/core-base.yaml
index 0c102398ed6d..3096a97a49fd 100644
--- a/spectro/generated/core-base.yaml
+++ b/spectro/generated/core-base.yaml
@@ -25,7 +25,7 @@ spec:
         - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}
         command:
         - /manager
-        image: gcr.io/k8s-staging-cluster-api/cluster-api-controller:main
+        image: gcr.io/spectro-dev-public/release/cluster-api-controller-amd64:20220805
         imagePullPolicy: Always
         name: manager
       terminationGracePeriodSeconds: 10
diff --git a/spectro/generated/core-global.yaml b/spectro/generated/core-global.yaml
index 263789e53553..28ab7d47c1fb 100644
--- a/spectro/generated/core-global.yaml
+++ b/spectro/generated/core-global.yaml
@@ -1,8 +1,16 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: cluster-api
+    control-plane: controller-manager
+  name: capi-webhook-system
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -15,7 +23,7 @@ spec:
         caBundle: Cg==
         service:
           name: capi-webhook-service
-          namespace: capi-system
+          namespace: capi-webhook-system
           path: /convert
       conversionReviewVersions:
       - v1
@@ -1248,7 +1256,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -1261,7 +1269,7 @@ spec:
         caBundle: Cg==
         service:
           name: capi-webhook-service
-          namespace: capi-system
+          namespace: capi-webhook-system
           path: /convert
       conversionReviewVersions:
       - v1
@@ -1546,7 +1554,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -1559,7 +1567,7 @@ spec:
         caBundle: Cg==
         service:
           name: capi-webhook-service
-          namespace: capi-system
+          namespace: capi-webhook-system
           path: /convert
       conversionReviewVersions:
       - v1
@@ -2069,7 +2077,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -3468,7 +3476,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -4928,7 +4936,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -5759,7 +5767,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -5772,7 +5780,7 @@ spec:
         caBundle: Cg==
         service:
           name: capi-webhook-service
-          namespace: capi-system
+          namespace: capi-webhook-system
           path: /convert
       conversionReviewVersions:
       - v1
@@ -7169,7 +7177,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -8327,7 +8335,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
     controller-gen.kubebuilder.io/version: v0.8.0
   labels:
     cluster.x-k8s.io/provider: cluster-api
@@ -9603,7 +9611,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: cluster-api
   name: capi-webhook-service
-  namespace: capi-system
+  namespace: capi-webhook-system
 spec:
   ports:
   - port: 443
@@ -9618,7 +9626,7 @@ metadata:
     cluster.x-k8s.io/provider: cluster-api
     control-plane: controller-manager
   name: capi-controller-manager
-  namespace: capi-system
+  namespace: capi-webhook-system
 spec:
   replicas: 1
   selector:
@@ -9638,7 +9646,7 @@ spec:
         - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}
         command:
         - /manager
-        image: gcr.io/k8s-staging-cluster-api/cluster-api-controller:main
+        image: gcr.io/spectro-dev-public/release/cluster-api-controller-amd64:20220805
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -9677,11 +9685,11 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: cluster-api
   name: capi-serving-cert
-  namespace: capi-system
+  namespace: capi-webhook-system
 spec:
   dnsNames:
-  - capi-webhook-service.capi-system.svc
-  - capi-webhook-service.capi-system.svc.cluster.local
+  - capi-webhook-service.capi-webhook-system.svc
+  - capi-webhook-service.capi-webhook-system.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: capi-selfsigned-issuer
@@ -9696,7 +9704,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: cluster-api
   name: capi-selfsigned-issuer
-  namespace: capi-system
+  namespace: capi-webhook-system
 spec:
   selfSigned: {}
 ---
@@ -9704,7 +9712,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
   labels:
     cluster.x-k8s.io/provider: cluster-api
   name: capi-mutating-webhook-configuration
@@ -9715,7 +9723,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-cluster-x-k8s-io-v1beta1-machine
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9737,7 +9745,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-cluster-x-k8s-io-v1beta1-machinedeployment
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9759,7 +9767,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-cluster-x-k8s-io-v1beta1-machinehealthcheck
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9781,7 +9789,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-cluster-x-k8s-io-v1beta1-machineset
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9803,7 +9811,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-cluster-x-k8s-io-v1beta1-machinepool
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9825,7 +9833,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-cluster-x-k8s-io-v1beta1-cluster
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9847,7 +9855,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-cluster-x-k8s-io-v1beta1-clusterclass
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9869,7 +9877,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-runtime-cluster-x-k8s-io-v1alpha1-extensionconfig
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9891,7 +9899,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /mutate-addons-cluster-x-k8s-io-v1beta1-clusterresourceset
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9912,7 +9920,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: capi-system/capi-serving-cert
+    cert-manager.io/inject-ca-from: capi-webhook-system/capi-serving-cert
   labels:
     cluster.x-k8s.io/provider: cluster-api
   name: capi-validating-webhook-configuration
@@ -9923,7 +9931,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-cluster-x-k8s-io-v1beta1-machine
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9945,7 +9953,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-cluster-x-k8s-io-v1beta1-machinedeployment
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9967,7 +9975,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-cluster-x-k8s-io-v1beta1-machinehealthcheck
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -9989,7 +9997,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-cluster-x-k8s-io-v1beta1-machineset
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -10011,7 +10019,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-cluster-x-k8s-io-v1beta1-machinepool
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -10033,7 +10041,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-cluster-x-k8s-io-v1beta1-cluster
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -10056,7 +10064,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-cluster-x-k8s-io-v1beta1-clusterclass
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -10079,7 +10087,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-runtime-cluster-x-k8s-io-v1alpha1-extensionconfig
   failurePolicy: Fail
   matchPolicy: Equivalent
@@ -10101,7 +10109,7 @@ webhooks:
   clientConfig:
     service:
       name: capi-webhook-service
-      namespace: capi-system
+      namespace: capi-webhook-system
       path: /validate-addons-cluster-x-k8s-io-v1beta1-clusterresourceset
   failurePolicy: Fail
   matchPolicy: Equivalent

From 9e73437f0ff7f28ec362218d3b69726a90585fdb Mon Sep 17 00:00:00 2001
From: Jayesh Srivastava <jayesh0200@gmail.com>
Date: Mon, 9 Jan 2023 13:43:14 +0530
Subject: [PATCH 69/87] Relax kcp webhook - cherry pick

---
 .../v1beta1/kubeadm_control_plane_webhook.go  | 45 +++++++++----------
 1 file changed, 22 insertions(+), 23 deletions(-)

diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
index dd512fe26967..33603f5931a2 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
@@ -139,29 +139,28 @@ func (in *KubeadmControlPlane) ValidateUpdate(old runtime.Object) error {
 	// For example, {"spec", "*"} will allow any path under "spec" to change.
 	allowedPaths := [][]string{
 		{"metadata", "*"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, "etcd", "local", "imageRepository"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, "etcd", "local", "imageTag"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, "etcd", "local", "extraArgs", "*"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, "dns", "imageRepository"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, "dns", "imageTag"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, "imageRepository"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, apiServer, "*"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, controllerManager, "*"},
-		{spec, kubeadmConfigSpec, clusterConfiguration, scheduler, "*"},
-		{spec, kubeadmConfigSpec, initConfiguration, nodeRegistration, "*"},
-		{spec, kubeadmConfigSpec, initConfiguration, patches, directory},
-		{spec, kubeadmConfigSpec, initConfiguration, skipPhases},
-		{spec, kubeadmConfigSpec, joinConfiguration, nodeRegistration, "*"},
-		{spec, kubeadmConfigSpec, joinConfiguration, patches, directory},
-		{spec, kubeadmConfigSpec, joinConfiguration, skipPhases},
-		{spec, kubeadmConfigSpec, preKubeadmCommands},
-		{spec, kubeadmConfigSpec, postKubeadmCommands},
-		{spec, kubeadmConfigSpec, files},
-		{spec, kubeadmConfigSpec, "verbosity"},
-		{spec, kubeadmConfigSpec, users},
-		{spec, kubeadmConfigSpec, ntp, "*"},
-		{spec, kubeadmConfigSpec, ignition, "*"},
-		{spec, kubeadmConfigSpec, diskSetup, "*"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, "etcd", "local", "imageRepository"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, "etcd", "local", "imageTag"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, "etcd", "local", "extraArgs", "*"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, "dns", "imageRepository"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, "dns", "imageTag"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, "imageRepository"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, apiServer, "*"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, controllerManager, "*"},
+		//{spec, kubeadmConfigSpec, clusterConfiguration, scheduler, "*"},
+		//{spec, kubeadmConfigSpec, initConfiguration, nodeRegistration, "*"},
+		//{spec, kubeadmConfigSpec, initConfiguration, patches, directory},
+		//{spec, kubeadmConfigSpec, joinConfiguration, nodeRegistration, "*"},
+		//{spec, kubeadmConfigSpec, joinConfiguration, patches, directory},
+		//{spec, kubeadmConfigSpec, preKubeadmCommands},
+		//{spec, kubeadmConfigSpec, postKubeadmCommands},
+		//{spec, kubeadmConfigSpec, files},
+		//{spec, kubeadmConfigSpec, "verbosity"},
+		//{spec, kubeadmConfigSpec, users},
+		//{spec, kubeadmConfigSpec, ntp, "*"},
+		//{spec, kubeadmConfigSpec, ignition, "*"},
+		// allow all fields to be modified
+		{spec, kubeadmConfigSpec, "*"},
 		{spec, "machineTemplate", "metadata", "*"},
 		{spec, "machineTemplate", "infrastructureRef", "apiVersion"},
 		{spec, "machineTemplate", "infrastructureRef", "name"},

From 99515d3011c4d6cdf47f8fd40441353f17163ed1 Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar <snehal@spectrocloud.com>
Date: Mon, 6 Feb 2023 18:26:07 +0530
Subject: [PATCH 70/87] Added nodeVolumeDetachTimeout to CP machine

Added UT's
---
 controlplane/kubeadm/internal/controllers/helpers.go  |  9 ++++-----
 .../kubeadm/internal/controllers/helpers_test.go      | 11 +++++++++--
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/controlplane/kubeadm/internal/controllers/helpers.go b/controlplane/kubeadm/internal/controllers/helpers.go
index 30bfba3058a5..3355f942409c 100644
--- a/controlplane/kubeadm/internal/controllers/helpers.go
+++ b/controlplane/kubeadm/internal/controllers/helpers.go
@@ -307,13 +307,12 @@ func (r *KubeadmControlPlaneReconciler) generateMachine(ctx context.Context, kcp
 			Bootstrap: clusterv1.Bootstrap{
 				ConfigRef: bootstrapRef,
 			},
-			FailureDomain:    failureDomain,
-			NodeDrainTimeout: kcp.Spec.MachineTemplate.NodeDrainTimeout,
+			FailureDomain:           failureDomain,
+			NodeDrainTimeout:        kcp.Spec.MachineTemplate.NodeDrainTimeout,
+			NodeDeletionTimeout:     kcp.Spec.MachineTemplate.NodeDeletionTimeout,
+			NodeVolumeDetachTimeout: kcp.Spec.MachineTemplate.NodeVolumeDetachTimeout,
 		},
 	}
-	if kcp.Spec.MachineTemplate.NodeDeletionTimeout != nil {
-		machine.Spec.NodeDeletionTimeout = kcp.Spec.MachineTemplate.NodeDeletionTimeout
-	}
 
 	// Machine's bootstrap config may be missing ClusterConfiguration if it is not the first machine in the control plane.
 	// We store ClusterConfiguration as annotation here to detect any changes in KCP ClusterConfiguration and rollout the machine if any.
diff --git a/controlplane/kubeadm/internal/controllers/helpers_test.go b/controlplane/kubeadm/internal/controllers/helpers_test.go
index 032275112990..0aafd08a318a 100644
--- a/controlplane/kubeadm/internal/controllers/helpers_test.go
+++ b/controlplane/kubeadm/internal/controllers/helpers_test.go
@@ -18,6 +18,7 @@ package controllers
 
 import (
 	"testing"
+	"time"
 
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
@@ -515,7 +516,10 @@ func TestKubeadmControlPlaneReconciler_generateMachine(t *testing.T) {
 		Spec: controlplanev1.KubeadmControlPlaneSpec{
 			Version: "v1.16.6",
 			MachineTemplate: controlplanev1.KubeadmControlPlaneMachineTemplate{
-				ObjectMeta: kcpMachineTemplateObjectMeta,
+				ObjectMeta:              kcpMachineTemplateObjectMeta,
+				NodeVolumeDetachTimeout: &metav1.Duration{Duration: 10 * time.Second},
+				NodeDeletionTimeout:     &metav1.Duration{Duration: 10 * time.Second},
+				NodeDrainTimeout:        &metav1.Duration{Duration: 10 * time.Second},
 			},
 		},
 	}
@@ -538,7 +542,10 @@ func TestKubeadmControlPlaneReconciler_generateMachine(t *testing.T) {
 		Bootstrap: clusterv1.Bootstrap{
 			ConfigRef: bootstrapRef.DeepCopy(),
 		},
-		InfrastructureRef: *infraRef.DeepCopy(),
+		InfrastructureRef:       *infraRef.DeepCopy(),
+		NodeVolumeDetachTimeout: &metav1.Duration{Duration: 10 * time.Second},
+		NodeDeletionTimeout:     &metav1.Duration{Duration: 10 * time.Second},
+		NodeDrainTimeout:        &metav1.Duration{Duration: 10 * time.Second},
 	}
 	r := &KubeadmControlPlaneReconciler{
 		Client:            fakeClient,

From b645e313a7f261383a9cd44b7f4cc9eaf46261ed Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar <snehal@spectrocloud.com>
Date: Wed, 15 Feb 2023 11:48:18 +0530
Subject: [PATCH 71/87] Updated Makefile for ARCH and TAG

---
 Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 8703245b516a..51aec7d7c656 100644
--- a/Makefile
+++ b/Makefile
@@ -175,7 +175,7 @@ GOLANGCI_LINT_BIN := golangci-lint
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN))
 
 # Define Docker related variables. Releases should modify and double check these vars.
-REGISTRY ?= gcr.io/$(shell gcloud config get-value project)
+REGISTRY ?= gcr.io/spectro-dev-public/$(USER)
 PROD_REGISTRY ?= registry.k8s.io/cluster-api
 
 STAGING_REGISTRY ?= gcr.io/k8s-staging-cluster-api
@@ -211,8 +211,8 @@ CAPI_KIND_CLUSTER_NAME ?= capi-test
 
 # It is set by Prow GIT_TAG, a git-based tag of the form vYYYYMMDD-hash, e.g., v20210120-v0.3.10-308-gc61521971
 
-TAG ?= 20220805
-ARCH ?= $(shell go env GOARCH)
+TAG ?= spectro-v1.3.2-$(shell date +%Y%m%d)
+ARCH ?= amd64
 ALL_ARCH = amd64 arm arm64 ppc64le s390x
 
 # Allow overriding the imagePullPolicy

From 627db57446bf1bc95531e6b357afae60573bdedd Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar <snehal@spectrocloud.com>
Date: Tue, 21 Feb 2023 16:44:05 +0530
Subject: [PATCH 72/87] Set SkipWaitForDeleteTimeoutSeconds for reachable nodes

---
 internal/controllers/machine/machine_controller.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/internal/controllers/machine/machine_controller.go b/internal/controllers/machine/machine_controller.go
index c1c19f650208..07ecd799c059 100644
--- a/internal/controllers/machine/machine_controller.go
+++ b/internal/controllers/machine/machine_controller.go
@@ -618,6 +618,8 @@ func (r *Reconciler) drainNode(ctx context.Context, cluster *clusterv1.Cluster,
 		ErrOut: writer{func(msg string, keysAndValues ...interface{}) {
 			log.Error(nil, msg, keysAndValues...)
 		}},
+		// SPECTRO: Even if the node is reachable, we wait 30 minutes for drain completion else move ahead
+		SkipWaitForDeleteTimeoutSeconds: 60 * 30, // 30 minutes
 	}
 
 	if noderefutil.IsNodeUnreachable(node) {

From 4d7ae7ce01868ba4f265bab70d121df63800e348 Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar <snehal@spectrocloud.com>
Date: Wed, 1 Mar 2023 19:43:41 +0530
Subject: [PATCH 73/87] Bumped version to resolve security issues

---
 .../config/default/manager_image_patch.yaml   |  2 +-
 config/default/manager_image_patch.yaml       |  2 +-
 .../config/default/manager_image_patch.yaml   |  2 +-
 go.mod                                        | 10 +++++-----
 go.sum                                        | 20 +++++++++----------
 5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/bootstrap/kubeadm/config/default/manager_image_patch.yaml b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
index 810a74d02471..6233832003cb 100644
--- a/bootstrap/kubeadm/config/default/manager_image_patch.yaml
+++ b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/spectro-dev-public/release/kubeadm-bootstrap-controller-amd64:20220805
+        - image: gcr.io/spectro-dev-public/snehal/kubeadm-bootstrap-controller-amd64:spectro-v1.3.2-20230301
           name: manager
diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml
index 11b1230a111c..b68681f82391 100644
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-      - image: gcr.io/spectro-dev-public/release/cluster-api-controller-amd64:20220805
+      - image: gcr.io/spectro-dev-public/snehal/cluster-api-controller-amd64:spectro-v1.3.2-20230301
         name: manager
diff --git a/controlplane/kubeadm/config/default/manager_image_patch.yaml b/controlplane/kubeadm/config/default/manager_image_patch.yaml
index 5c278272e3dd..2fd7556af465 100644
--- a/controlplane/kubeadm/config/default/manager_image_patch.yaml
+++ b/controlplane/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/spectro-dev-public/release/kubeadm-control-plane-controller-amd64:20220805
+        - image: gcr.io/spectro-dev-public/snehal/kubeadm-control-plane-controller-amd64:spectro-v1.3.2-20230301
           name: manager
diff --git a/go.mod b/go.mod
index a012e2ec920c..2455d370e13b 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/valyala/fastjson v1.6.3
 	go.etcd.io/etcd/api/v3 v3.5.4
 	go.etcd.io/etcd/client/v3 v3.5.4
-	golang.org/x/net v0.4.0 // indirect
+	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
 	google.golang.org/grpc v1.47.0
 	k8s.io/api v0.25.0
@@ -130,9 +130,9 @@ require (
 	go.uber.org/zap v1.21.0 // indirect
 	go4.org v0.0.0-20201209231011-d4a079459e60 // indirect
 	golang.org/x/crypto v0.3.0 // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	golang.org/x/term v0.3.0 // indirect
-	golang.org/x/text v0.5.0
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/term v0.5.0 // indirect
+	golang.org/x/text v0.7.0
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0
 	google.golang.org/appengine v1.6.7 // indirect
@@ -153,7 +153,7 @@ require (
 require (
 	cloud.google.com/go/compute v1.7.0 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
diff --git a/go.sum b/go.sum
index 51108f9e3075..8fda73cc6e5e 100644
--- a/go.sum
+++ b/go.sum
@@ -173,8 +173,8 @@ github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 h1:7QPwrLT79GlD5
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46/go.mod h1:esf2rsHFNlZlxsqsZDojNBcnNs5REqIvRrWRHqX0vEU=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
-github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
-github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
+github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -761,8 +761,8 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -877,13 +877,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -894,8 +894,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

From dc64c61dc5f6d33568cf1d7bfe68e9db7ee74d82 Mon Sep 17 00:00:00 2001
From: Snehal Amrutkar <snehal@spectrocloud.com>
Date: Wed, 15 Mar 2023 12:53:25 +0530
Subject: [PATCH 74/87] Bumped golang to 1.20.2

---
 Makefile                                                     | 2 +-
 bootstrap/kubeadm/config/default/manager_image_patch.yaml    | 2 +-
 config/default/manager_image_patch.yaml                      | 2 +-
 controlplane/kubeadm/config/default/manager_image_patch.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 51aec7d7c656..9d697302f5d3 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ SHELL:=/usr/bin/env bash
 #
 # Go.
 #
-GO_VERSION ?= 1.19.4
+GO_VERSION ?= 1.20.2
 GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
 
 # Use GOPROXY environment variable if set
diff --git a/bootstrap/kubeadm/config/default/manager_image_patch.yaml b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
index 6233832003cb..7b37cec6e212 100644
--- a/bootstrap/kubeadm/config/default/manager_image_patch.yaml
+++ b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/spectro-dev-public/snehal/kubeadm-bootstrap-controller-amd64:spectro-v1.3.2-20230301
+        - image: gcr.io/spectro-dev-public/snehal/kubeadm-bootstrap-controller-amd64:spectro-v1.3.2-20230314
           name: manager
diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml
index b68681f82391..9164592b42b7 100644
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-      - image: gcr.io/spectro-dev-public/snehal/cluster-api-controller-amd64:spectro-v1.3.2-20230301
+      - image: gcr.io/spectro-dev-public/snehal/cluster-api-controller-amd64:spectro-v1.3.2-20230314
         name: manager
diff --git a/controlplane/kubeadm/config/default/manager_image_patch.yaml b/controlplane/kubeadm/config/default/manager_image_patch.yaml
index 2fd7556af465..48294c9e4381 100644
--- a/controlplane/kubeadm/config/default/manager_image_patch.yaml
+++ b/controlplane/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/spectro-dev-public/snehal/kubeadm-control-plane-controller-amd64:spectro-v1.3.2-20230301
+        - image: gcr.io/spectro-dev-public/snehal/kubeadm-control-plane-controller-amd64:spectro-v1.3.2-20230314
           name: manager

From 239d4a69ad67910402300d60f1bb60e7b419b763 Mon Sep 17 00:00:00 2001
From: Jayesh Srivastava <jayesh0200@gmail.com>
Date: Mon, 1 May 2023 20:23:34 +0530
Subject: [PATCH 75/87] PSS 119: Update go

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 9d697302f5d3..46e37347c12b 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ SHELL:=/usr/bin/env bash
 #
 # Go.
 #
-GO_VERSION ?= 1.20.2
+GO_VERSION ?= 1.19.8
 GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
 
 # Use GOPROXY environment variable if set

From 1f365d157a206135269c3311c3434b86bb4114f0 Mon Sep 17 00:00:00 2001
From: zulfilee <zulfilee@gmail.com>
Date: Sun, 4 Jun 2023 01:26:41 +0000
Subject: [PATCH 76/87] CICD Integration

---
 Dockerfile                                    |  5 +++
 Makefile                                      | 43 ++++++++++++-------
 .../config/default/manager_image_patch.yaml   |  2 +-
 cmd/clusterctl/Dockerfile                     |  5 +++
 config/default/manager_image_patch.yaml       |  2 +-
 .../config/default/manager_image_patch.yaml   |  2 +-
 test/extension/Dockerfile                     |  5 +++
 7 files changed, 45 insertions(+), 19 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 118d2f9fb921..875358f0e515 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,6 +33,11 @@ ARG goproxy=https://proxy.golang.org
 # Run this with docker build --build-arg package=./controlplane/kubeadm or --build-arg package=./bootstrap/kubeadm
 ENV GOPROXY=$goproxy
 
+# FIPS
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
+
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
diff --git a/Makefile b/Makefile
index 46e37347c12b..89fde25219a7 100644
--- a/Makefile
+++ b/Makefile
@@ -174,8 +174,24 @@ TILT_PREPARE := $(abspath $(TOOLS_BIN_DIR)/$(TILT_PREPARE_BIN))
 GOLANGCI_LINT_BIN := golangci-lint
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN))
 
+# It is set by Prow GIT_TAG, a git-based tag of the form vYYYYMMDD-hash, e.g., v20210120-v0.3.10-308-gc61521971
+# Fips Flags
+FIPS_ENABLE ?= ""
+
+RELEASE_LOC := release
+ifeq ($(FIPS_ENABLE),yes)
+  RELEASE_LOC := release-fips
+endif
+
+SPECTRO_VERSION ?= 4.0.0-dev
+TAG ?= v1.3.2-spectro-${SPECTRO_VERSION}
+ARCH ?= amd64
+# ALL_ARCH = amd64 arm arm64 ppc64le s390x
+ALL_ARCH = amd64 
+
+REGISTRY ?= gcr.io/spectro-dev-public/$(USER)/${RELEASE_LOC}
+
 # Define Docker related variables. Releases should modify and double check these vars.
-REGISTRY ?= gcr.io/spectro-dev-public/$(USER)
 PROD_REGISTRY ?= registry.k8s.io/cluster-api
 
 STAGING_REGISTRY ?= gcr.io/k8s-staging-cluster-api
@@ -209,12 +225,6 @@ TEST_EXTENSION_IMG ?= $(REGISTRY)/$(TEST_EXTENSION_IMAGE_NAME)
 # kind
 CAPI_KIND_CLUSTER_NAME ?= capi-test
 
-# It is set by Prow GIT_TAG, a git-based tag of the form vYYYYMMDD-hash, e.g., v20210120-v0.3.10-308-gc61521971
-
-TAG ?= spectro-v1.3.2-$(shell date +%Y%m%d)
-ARCH ?= amd64
-ALL_ARCH = amd64 arm arm64 ppc64le s390x
-
 # Allow overriding the imagePullPolicy
 PULL_POLICY ?= Always
 
@@ -663,7 +673,8 @@ docker-build-all: $(addprefix docker-build-,$(ALL_ARCH)) ## Build docker images
 docker-build-%:
 	$(MAKE) ARCH=$* docker-build
 
-ALL_DOCKER_BUILD = core kubeadm-bootstrap kubeadm-control-plane docker-infrastructure test-extension clusterctl
+# ALL_DOCKER_BUILD = core kubeadm-bootstrap kubeadm-control-plane docker-infrastructure test-extension clusterctl
+ALL_DOCKER_BUILD = core kubeadm-bootstrap kubeadm-control-plane clusterctl
 
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Run docker-build-* targets for all the images
@@ -679,35 +690,35 @@ docker-build-e2e: ## Run docker-build-* targets for all the images with settings
 
 .PHONY: docker-build-core
 docker-build-core: ## Build the docker image for core controller manager
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG):$(TAG)
+	DOCKER_BUILDKIT=1 docker build --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/default/manager_pull_policy.yaml"
 
 .PHONY: docker-build-kubeadm-bootstrap
 docker-build-kubeadm-bootstrap: ## Build the docker image for kubeadm bootstrap controller manager
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./bootstrap/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG):$(TAG)
+	DOCKER_BUILDKIT=1 docker build --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./bootstrap/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_pull_policy.yaml"
 
 .PHONY: docker-build-kubeadm-control-plane
 docker-build-kubeadm-control-plane: ## Build the docker image for kubeadm control plane controller manager
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./controlplane/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG):$(TAG)
+	DOCKER_BUILDKIT=1 docker build --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./controlplane/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_pull_policy.yaml"
 
 .PHONY: docker-build-docker-infrastructure
 docker-build-docker-infrastructure: ## Build the docker image for docker infrastructure controller manager
-	cd $(CAPD_DIR); DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" ../../.. -t $(CAPD_CONTROLLER_IMG)-$(ARCH):$(TAG) --file Dockerfile
+	cd $(CAPD_DIR); DOCKER_BUILDKIT=1 docker build --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" ../../.. -t $(CAPD_CONTROLLER_IMG)-$(ARCH):$(TAG) --file Dockerfile
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(CAPD_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="$(CAPD_DIR)/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="$(CAPD_DIR)/config/default/manager_pull_policy.yaml"
 
 .PHONY: docker-build-clusterctl
 docker-build-clusterctl: ## Build the docker image for clusterctl
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./cmd/clusterctl --build-arg ldflags="$(LDFLAGS)" -f ./cmd/clusterctl/Dockerfile . -t $(CLUSTERCTL_IMG)-$(ARCH):$(TAG)
+	DOCKER_BUILDKIT=1 docker build --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./cmd/clusterctl --build-arg ldflags="$(LDFLAGS)" -f ./cmd/clusterctl/Dockerfile . -t $(CLUSTERCTL_IMG)-$(ARCH):$(TAG)
 
 .PHONY: docker-build-test-extension
 docker-build-test-extension: ## Build the docker image for core controller manager
-	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(TEST_EXTENSION_IMG)-$(ARCH):$(TAG) --file ./test/extension/Dockerfile
+	DOCKER_BUILDKIT=1 docker build --build-arg CRYPTO_LIB=${FIPS_ENABLE} --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(TEST_EXTENSION_IMG)-$(ARCH):$(TAG) --file ./test/extension/Dockerfile
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(TEST_EXTENSION_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./test/extension/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./test/extension/config/default/manager_pull_policy.yaml"
 
@@ -971,7 +982,7 @@ docker-push-all: $(addprefix docker-push-,$(ALL_ARCH))  ## Push the docker image
 	$(MAKE) docker-push-manifest-core
 	$(MAKE) docker-push-manifest-kubeadm-bootstrap
 	$(MAKE) docker-push-manifest-kubeadm-control-plane
-	$(MAKE) docker-push-manifest-docker-infrastructure
+#	$(MAKE) docker-push-manifest-docker-infrastructure
 	$(MAKE) docker-push-clusterctl
 
 docker-push-%:
@@ -983,7 +994,7 @@ docker-push: ## Push the docker images to be included in the release
 	docker push $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH):$(TAG)
 	docker push $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH):$(TAG)
 	docker push $(CLUSTERCTL_IMG)-$(ARCH):$(TAG)
-	docker push $(CAPD_CONTROLLER_IMG)-$(ARCH):$(TAG)
+#	docker push $(CAPD_CONTROLLER_IMG)-$(ARCH):$(TAG)
 
 .PHONY: docker-push-manifest-core
 docker-push-manifest-core: ## Push the multiarch manifest for the core docker images
diff --git a/bootstrap/kubeadm/config/default/manager_image_patch.yaml b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
index 7b37cec6e212..127ded389be2 100644
--- a/bootstrap/kubeadm/config/default/manager_image_patch.yaml
+++ b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/spectro-dev-public/snehal/kubeadm-bootstrap-controller-amd64:spectro-v1.3.2-20230314
+        - image: gcr.io/spectro-dev-public/devop2023/release-fips/kubeadm-bootstrap-controller:v1.3.2-spectro-4.0.0-dev
           name: manager
diff --git a/cmd/clusterctl/Dockerfile b/cmd/clusterctl/Dockerfile
index 5057608650c0..da12b38adc69 100644
--- a/cmd/clusterctl/Dockerfile
+++ b/cmd/clusterctl/Dockerfile
@@ -33,6 +33,11 @@ ARG goproxy=https://proxy.golang.org
 # Run this with docker build --build-arg package=./cmd/clusterctl
 ENV GOPROXY=$goproxy
 
+# FIPS
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
+
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml
index 9164592b42b7..bda4a34d6d56 100644
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-      - image: gcr.io/spectro-dev-public/snehal/cluster-api-controller-amd64:spectro-v1.3.2-20230314
+      - image: gcr.io/spectro-dev-public/devop2023/release-fips/cluster-api-controller:v1.3.2-spectro-4.0.0-dev
         name: manager
diff --git a/controlplane/kubeadm/config/default/manager_image_patch.yaml b/controlplane/kubeadm/config/default/manager_image_patch.yaml
index 48294c9e4381..830a33bebad9 100644
--- a/controlplane/kubeadm/config/default/manager_image_patch.yaml
+++ b/controlplane/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/spectro-dev-public/snehal/kubeadm-control-plane-controller-amd64:spectro-v1.3.2-20230314
+        - image: gcr.io/spectro-dev-public/devop2023/release-fips/kubeadm-control-plane-controller:v1.3.2-spectro-4.0.0-dev
           name: manager
diff --git a/test/extension/Dockerfile b/test/extension/Dockerfile
index 7ade1108d2ab..0e2e3003ff8c 100644
--- a/test/extension/Dockerfile
+++ b/test/extension/Dockerfile
@@ -33,6 +33,11 @@ ARG goproxy=https://proxy.golang.org
 # Run this with docker build --build-arg package=./controlplane/kubeadm or --build-arg package=./bootstrap/kubeadm
 ENV GOPROXY=$goproxy
 
+# FIPS
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
+
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum

From 8e3a947ebc0e7e44277c70136c11c0174253a936 Mon Sep 17 00:00:00 2001
From: zulfilee <zulfilee@gmail.com>
Date: Sun, 4 Jun 2023 01:38:52 +0000
Subject: [PATCH 77/87] CICD Integration

---
 .github/workflows/spectro-release.yaml | 68 ++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 .github/workflows/spectro-release.yaml

diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
new file mode 100644
index 000000000000..4c3b27caa0b3
--- /dev/null
+++ b/.github/workflows/spectro-release.yaml
@@ -0,0 +1,68 @@
+name: Spectro Release
+run-name: Release for Cluster API  ${{ github.event.inputs.release_version }}
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Cluster API Version to Build'
+        required: true
+        default: '0.0.0'
+jobs:
+  builder:
+    # edge-runner machine group is a bunch of machines in US Datacenter
+    runs-on: ubuntu-latest
+    # Initialize all secrets required for the job
+    # Ensure that the credentials are provided as encrypted secrets
+    env:
+      SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+    steps:
+      -
+        uses: mukunku/tag-exists-action@v1.2.0
+        id: checkTag
+        with:
+          tag: spectro-v${{ github.event.inputs.release_version }}
+      -
+        if: ${{ steps.checkTag.outputs.exists == 'true' }}
+        run: |
+          echo "Tag already exists for spectro-v${{ github.event.inputs.release_version }}..."
+          exit 1
+      -
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to private registry
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.REGISTRY_URL }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      -
+        name: Build Image
+        env:
+          DEV_REGISTRY: gcr.io/spectro-images-public/release/cluster-api
+        run: |
+          make docker-build
+          make docker-push-gcr
+      -
+        name: Build Image - FIPS Mode
+        env:
+          FIPS_ENABLE: yes
+          DEV_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api
+        run: |
+          make docker-build
+          make docker-push-gcr
+      -
+        name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: spectro-v${{ github.event.inputs.release_version }}
+          release_name: Release spectro-v${{ github.event.inputs.release_version }}
+          body: |
+            Release version ${{ github.event.inputs.release_version }}
+          draft: false
+          prerelease: false

From b936d46c2beff14f83ca824acd02e1bd8d0ca4bd Mon Sep 17 00:00:00 2001
From: Zulfi <zulfi@spectrocloud.com>
Date: Sun, 4 Jun 2023 08:31:03 +0530
Subject: [PATCH 78/87] Update spectro-release.yaml

---
 .github/workflows/spectro-release.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
index 4c3b27caa0b3..bcad3de12077 100644
--- a/.github/workflows/spectro-release.yaml
+++ b/.github/workflows/spectro-release.yaml
@@ -43,16 +43,16 @@ jobs:
         env:
           DEV_REGISTRY: gcr.io/spectro-images-public/release/cluster-api
         run: |
-          make docker-build
-          make docker-push-gcr
+          make docker-build-all
+          make docker-push-all
       -
         name: Build Image - FIPS Mode
         env:
           FIPS_ENABLE: yes
           DEV_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api
         run: |
-          make docker-build
-          make docker-push-gcr
+          make docker-build-all
+          make docker-push-all
       -
         name: Create Release
         id: create_release

From 4384471cad7c2584f5a5d469d562a015adcec6d4 Mon Sep 17 00:00:00 2001
From: zulfilee <zulfilee@gmail.com>
Date: Sun, 11 Jun 2023 11:30:18 +0000
Subject: [PATCH 79/87] Fix Registry String in Workflow

---
 .github/workflows/spectro-release.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
index bcad3de12077..21fb6222c517 100644
--- a/.github/workflows/spectro-release.yaml
+++ b/.github/workflows/spectro-release.yaml
@@ -41,7 +41,7 @@ jobs:
       -
         name: Build Image
         env:
-          DEV_REGISTRY: gcr.io/spectro-images-public/release/cluster-api
+          REGISTRY: gcr.io/spectro-images-public/release/cluster-api
         run: |
           make docker-build-all
           make docker-push-all
@@ -49,7 +49,7 @@ jobs:
         name: Build Image - FIPS Mode
         env:
           FIPS_ENABLE: yes
-          DEV_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api
+          REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api
         run: |
           make docker-build-all
           make docker-push-all

From d5cc1be9b57ad47a0c59baa45f82bbce31a1f954 Mon Sep 17 00:00:00 2001
From: zulfilee <zulfilee@gmail.com>
Date: Mon, 26 Jun 2023 17:23:07 +0000
Subject: [PATCH 80/87] Fix Static compile for FIPS

---
 Dockerfile | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 875358f0e515..67a1c41a4079 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -61,11 +61,19 @@ ARG ARCH
 ARG ldflags
 
 # Do not force rebuild of up-to-date packages (do not use -a) and use the compiler cache folder
-RUN --mount=type=cache,target=/root/.cache/go-build \
+RUN  --mount=type=cache,target=/root/.cache/go-build \ 
     --mount=type=cache,target=/go/pkg/mod \
+    if [ ${CRYPTO_LIB} ]; \
+    then \
+    CGO_ENABLED=1 GOOS=linux GOARCH=${ARCH} \
+    go build -trimpath -ldflags "${ldflags} -linkmode=external -extldflags '-static'" \
+    -o manager ${package};\
+    else \
     CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
     go build -trimpath -ldflags "${ldflags} -extldflags '-static'" \
-    -o manager ${package}
+    -o manager ${package};\
+    fi
+
 
 # Production image
 FROM gcr.io/distroless/static:nonroot-${ARCH}

From c8f375b6f0e121a2603e3072951f24503597baa8 Mon Sep 17 00:00:00 2001
From: zulfilee <zulfilee@gmail.com>
Date: Mon, 26 Jun 2023 18:54:39 +0000
Subject: [PATCH 81/87] Fix Static compile for FIPS

---
 Dockerfile                                                   | 3 +++
 Makefile                                                     | 3 ++-
 bootstrap/kubeadm/config/default/manager_image_patch.yaml    | 2 +-
 config/default/manager_image_patch.yaml                      | 2 +-
 controlplane/kubeadm/config/default/manager_image_patch.yaml | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 67a1c41a4079..42a18048ecda 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,6 +28,9 @@ ARG ARCH
 FROM ${builder_image} as builder
 WORKDIR /workspace
 
+RUN apk update
+RUN apk add git gcc g++ curl
+
 # Run this with docker build --build-arg goproxy=$(go env GOPROXY) to override the goproxy
 ARG goproxy=https://proxy.golang.org
 # Run this with docker build --build-arg package=./controlplane/kubeadm or --build-arg package=./bootstrap/kubeadm
diff --git a/Makefile b/Makefile
index 89fde25219a7..db1362f465aa 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,8 @@ SHELL:=/usr/bin/env bash
 # Go.
 #
 GO_VERSION ?= 1.19.8
-GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
+# GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
+GO_CONTAINER_IMAGE ?= golang:1.19.10-alpine3.18
 
 # Use GOPROXY environment variable if set
 GOPROXY := $(shell go env GOPROXY)
diff --git a/bootstrap/kubeadm/config/default/manager_image_patch.yaml b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
index 127ded389be2..ed33de69c764 100644
--- a/bootstrap/kubeadm/config/default/manager_image_patch.yaml
+++ b/bootstrap/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/spectro-dev-public/devop2023/release-fips/kubeadm-bootstrap-controller:v1.3.2-spectro-4.0.0-dev
+        - image: gcr.io/spectro-dev-public/devop2023/release-fips/kubeadm-bootstrap-controller-amd64:v1.3.2-spectro-4.0.0-dev
           name: manager
diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml
index bda4a34d6d56..2593ce58a708 100644
--- a/config/default/manager_image_patch.yaml
+++ b/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-      - image: gcr.io/spectro-dev-public/devop2023/release-fips/cluster-api-controller:v1.3.2-spectro-4.0.0-dev
+      - image: gcr.io/spectro-dev-public/devop2023/release-fips/cluster-api-controller-amd64:v1.3.2-spectro-4.0.0-dev
         name: manager
diff --git a/controlplane/kubeadm/config/default/manager_image_patch.yaml b/controlplane/kubeadm/config/default/manager_image_patch.yaml
index 830a33bebad9..517c7f6a0134 100644
--- a/controlplane/kubeadm/config/default/manager_image_patch.yaml
+++ b/controlplane/kubeadm/config/default/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: gcr.io/spectro-dev-public/devop2023/release-fips/kubeadm-control-plane-controller:v1.3.2-spectro-4.0.0-dev
+        - image: gcr.io/spectro-dev-public/devop2023/release-fips/kubeadm-control-plane-controller-amd64:v1.3.2-spectro-4.0.0-dev
           name: manager

From b5982a6cd2c8cbc5d0eafde28200fe753f634738 Mon Sep 17 00:00:00 2001
From: zulfilee <zulfilee@gmail.com>
Date: Tue, 27 Jun 2023 11:00:03 +0000
Subject: [PATCH 82/87] Fips changes for Static Linking

---
 .github/workflows/spectro-release.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
index 21fb6222c517..340fc1242125 100644
--- a/.github/workflows/spectro-release.yaml
+++ b/.github/workflows/spectro-release.yaml
@@ -20,11 +20,11 @@ jobs:
         uses: mukunku/tag-exists-action@v1.2.0
         id: checkTag
         with:
-          tag: spectro-v${{ github.event.inputs.release_version }}
+          tag: v${{ github.event.inputs.release_version }}-spectro
       -
         if: ${{ steps.checkTag.outputs.exists == 'true' }}
         run: |
-          echo "Tag already exists for spectro-v${{ github.event.inputs.release_version }}..."
+          echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
           exit 1
       -
         uses: actions/checkout@v3
@@ -60,9 +60,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: spectro-v${{ github.event.inputs.release_version }}
-          release_name: Release spectro-v${{ github.event.inputs.release_version }}
+          tag_name: v${{ github.event.inputs.release_version }}-spectro
+          release_name: Release v${{ github.event.inputs.release_version }}-spectro
           body: |
-            Release version ${{ github.event.inputs.release_version }}
+            Release version v${{ github.event.inputs.release_version }}-spectro
           draft: false
           prerelease: false

From 684a6a841460d3db0a380472b5585f3b58c4605e Mon Sep 17 00:00:00 2001
From: Jayesh Srivastava <jayesh0200@gmail.com>
Date: Thu, 3 Aug 2023 12:12:18 +0530
Subject: [PATCH 83/87] PEM-2613: Fix cipher suit issue (#113) (#114)

---
 util/flags/tls.go | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/util/flags/tls.go b/util/flags/tls.go
index 631b23b7af36..d42c221bb4da 100644
--- a/util/flags/tls.go
+++ b/util/flags/tls.go
@@ -60,16 +60,28 @@ func GetTLSOptionOverrideFuncs(options TLSOptions) ([]func(*tls.Config), error)
 	}
 	tlsOptions = append(tlsOptions, func(cfg *tls.Config) {
 		cfg.MinVersion = tlsVersion
+		cfg.CipherSuites = GetDefaultTLSCipherSuits()
 	})
+	
+	// For PEM-2613
+	//if len(options.TLSCipherSuites) != 0 {
+	//	// suites, err := cliflag.TLSCipherSuites(options.TLSCipherSuites)
+	//	// Not required PEM 2613
+	//	if err != nil {
+	//		return nil, err
+	//	}
+	//	tlsOptions = append(tlsOptions, func(cfg *tls.Config) {
+	//		cfg.CipherSuites = GetDefaultTLSCipherSuits()
+	//	})
+	//}
 
-	if len(options.TLSCipherSuites) != 0 {
-		suites, err := cliflag.TLSCipherSuites(options.TLSCipherSuites)
-		if err != nil {
-			return nil, err
-		}
-		tlsOptions = append(tlsOptions, func(cfg *tls.Config) {
-			cfg.CipherSuites = suites
-		})
-	}
 	return tlsOptions, nil
 }
+
+func GetDefaultTLSCipherSuits() []uint16 {
+	return []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	}
+}

From 46263ba527b9f1efb1931060e6dad810f8f9d11a Mon Sep 17 00:00:00 2001
From: Jayesh Srivastava <jayesh0200@gmail.com>
Date: Tue, 8 Aug 2023 11:41:15 +0530
Subject: [PATCH 84/87] PEM-2613: Update cipher suit (#116) (#117)

---
 util/flags/tls.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/util/flags/tls.go b/util/flags/tls.go
index d42c221bb4da..2d012f2ae00a 100644
--- a/util/flags/tls.go
+++ b/util/flags/tls.go
@@ -80,8 +80,9 @@ func GetTLSOptionOverrideFuncs(options TLSOptions) ([]func(*tls.Config), error)
 
 func GetDefaultTLSCipherSuits() []uint16 {
 	return []uint16{
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ 		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ 		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ 		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 	}
 }

From e7bd2d8e23589378787be088a485813f7e072dc9 Mon Sep 17 00:00:00 2001
From: Jayesh Srivastava <jayesh0200@gmail.com>
Date: Fri, 11 Aug 2023 16:12:21 +0530
Subject: [PATCH 85/87] PCP-1651-1652-1653: CAPI Cipher suit add boringcrypto
 flag for Max version (#118) (#119)

---
 util/flags/tls.go            | 11 +++++++----
 util/flags/tls_boring.go     | 13 +++++++++++++
 util/flags/tls_non_boring.go | 13 +++++++++++++
 3 files changed, 33 insertions(+), 4 deletions(-)
 create mode 100644 util/flags/tls_boring.go
 create mode 100644 util/flags/tls_non_boring.go

diff --git a/util/flags/tls.go b/util/flags/tls.go
index 2d012f2ae00a..492850b93a61 100644
--- a/util/flags/tls.go
+++ b/util/flags/tls.go
@@ -54,6 +54,7 @@ func AddTLSOptions(fs *pflag.FlagSet, options *TLSOptions) {
 // by the webhook server.
 func GetTLSOptionOverrideFuncs(options TLSOptions) ([]func(*tls.Config), error) {
 	var tlsOptions []func(config *tls.Config)
+	var insecureSkipVerify bool
 	tlsVersion, err := cliflag.TLSVersion(options.TLSMinVersion)
 	if err != nil {
 		return nil, err
@@ -61,8 +62,10 @@ func GetTLSOptionOverrideFuncs(options TLSOptions) ([]func(*tls.Config), error)
 	tlsOptions = append(tlsOptions, func(cfg *tls.Config) {
 		cfg.MinVersion = tlsVersion
 		cfg.CipherSuites = GetDefaultTLSCipherSuits()
+		cfg.MaxVersion = GetTlsMaxVersion()
+		cfg.InsecureSkipVerify = InsecureSkipVerify(insecureSkipVerify)
 	})
-	
+
 	// For PEM-2613
 	//if len(options.TLSCipherSuites) != 0 {
 	//	// suites, err := cliflag.TLSCipherSuites(options.TLSCipherSuites)
@@ -81,8 +84,8 @@ func GetTLSOptionOverrideFuncs(options TLSOptions) ([]func(*tls.Config), error)
 func GetDefaultTLSCipherSuits() []uint16 {
 	return []uint16{
 		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- 		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- 		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- 		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 	}
 }
diff --git a/util/flags/tls_boring.go b/util/flags/tls_boring.go
new file mode 100644
index 000000000000..3de4464020c6
--- /dev/null
+++ b/util/flags/tls_boring.go
@@ -0,0 +1,13 @@
+//go:build boringcrypto
+
+package flags
+
+import "crypto/tls"
+
+func InsecureSkipVerify(insecureSkipVerify bool) bool {
+	return false
+}
+
+func GetTlsMaxVersion() uint16 {
+	return tls.VersionTLS12
+}
diff --git a/util/flags/tls_non_boring.go b/util/flags/tls_non_boring.go
new file mode 100644
index 000000000000..e430d7b93943
--- /dev/null
+++ b/util/flags/tls_non_boring.go
@@ -0,0 +1,13 @@
+//go:build !boringcrypto
+
+package flags
+
+import "crypto/tls"
+
+func InsecureSkipVerify(insecureSkipVerify bool) bool {
+	return insecureSkipVerify
+}
+
+func GetTlsMaxVersion() uint16 {
+	return tls.VersionTLS13
+}

From 4d74a03fe3dfd0459469411290619a011634b9aa Mon Sep 17 00:00:00 2001
From: Deepak Sharma <deepak@spectrocloud.com>
Date: Mon, 4 Sep 2023 12:02:18 +0530
Subject: [PATCH 86/87] more changes

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index db1362f465aa..69edbbfd6256 100644
--- a/Makefile
+++ b/Makefile
@@ -188,7 +188,7 @@ SPECTRO_VERSION ?= 4.0.0-dev
 TAG ?= v1.3.2-spectro-${SPECTRO_VERSION}
 ARCH ?= amd64
 # ALL_ARCH = amd64 arm arm64 ppc64le s390x
-ALL_ARCH = amd64 
+ALL_ARCH = amd64  arm64
 
 REGISTRY ?= gcr.io/spectro-dev-public/$(USER)/${RELEASE_LOC}
 

From 667f0c283afe121dc9231b77c5af811957cf89e0 Mon Sep 17 00:00:00 2001
From: Deepak Sharma <deepak@spectrocloud.com>
Date: Mon, 4 Sep 2023 12:26:34 +0530
Subject: [PATCH 87/87] more changes

---
 .github/workflows/spectro-dev-build.yaml | 60 ++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 .github/workflows/spectro-dev-build.yaml

diff --git a/.github/workflows/spectro-dev-build.yaml b/.github/workflows/spectro-dev-build.yaml
new file mode 100644
index 000000000000..a5b77b0ca55a
--- /dev/null
+++ b/.github/workflows/spectro-dev-build.yaml
@@ -0,0 +1,60 @@
+name: Spectro Release
+run-name: Release for Cluster API  ${{ github.event.inputs.release_version }}
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Cluster API Version to Build'
+        required: true
+        default: '0.0.0'
+jobs:
+  builder:
+    # edge-runner machine group is a bunch of machines in US Datacenter
+    runs-on: ubuntu-latest
+    # Initialize all secrets required for the job
+    # Ensure that the credentials are provided as encrypted secrets
+    env:
+      SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+    steps:
+      -
+        uses: mukunku/tag-exists-action@v1.2.0
+        id: checkTag
+        with:
+          tag: v${{ github.event.inputs.release_version }}-spectro
+      -
+        if: ${{ steps.checkTag.outputs.exists == 'true' }}
+        run: |
+          echo "Tag already exists for v${{ github.event.inputs.release_version }}-spectro..."
+          exit 1
+      -
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to private registry
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.REGISTRY_URL }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      -
+        name: Build Image
+        env:
+          REGISTRY: gcr.io/spectro-images-public/release/cluster-api
+        run: |
+          make docker-build-all
+          make docker-push-all
+      -
+        name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ github.event.inputs.release_version }}-spectro
+          release_name: Release v${{ github.event.inputs.release_version }}-spectro
+          body: |
+            Release version v${{ github.event.inputs.release_version }}-spectro
+          draft: false
+          prerelease: false