kubernetes-sigs
diff --git a/‎.golangci-kal.yml‎
Lines changed: 17 additions & 1 deletion b/‎.golangci-kal.yml‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎Makefile‎
Lines changed: 10 additions & 3 deletions b/‎Makefile‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎Tiltfile‎
Lines changed: 2 additions & 2 deletions b/‎Tiltfile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/core/v1beta1/conversion.go‎
Lines changed: 12 additions & 0 deletions b/‎api/core/v1beta1/conversion.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎api/core/v1beta2/cluster_types.go‎
Lines changed: 20 additions & 0 deletions b/‎api/core/v1beta2/cluster_types.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎api/core/v1beta2/clusterclass_types.go‎
Lines changed: 20 additions & 0 deletions b/‎api/core/v1beta2/clusterclass_types.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎api/core/v1beta2/machine_types.go‎
Lines changed: 15 additions & 0 deletions b/‎api/core/v1beta2/machine_types.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎api/core/v1beta2/machinehealthcheck_types.go‎
Lines changed: 37 additions & 1 deletion b/‎api/core/v1beta2/machinehealthcheck_types.go‎
Lines changed: 37 additions & 1 deletion
diff --git a/‎api/core/v1beta2/machineset_types.go‎
Lines changed: 23 additions & 0 deletions b/‎api/core/v1beta2/machineset_types.go‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎api/core/v1beta2/v1beta1_condition_consts.go‎
Lines changed: 5 additions & 0 deletions b/‎api/core/v1beta2/v1beta1_condition_consts.go‎
Lines changed: 5 additions & 0 deletions
@@ -18,7 +18,7 @@ linters:
               - "conditions" # Ensure conditions have the correct json tags and markers.
               - "conflictingmarkers"
               - "duplicatemarkers" # Ensure there are no exact duplicate markers. for types and fields.
-              #- "forbiddenmarkers" # Ensure that types and fields do not contain any markers that are forbidden.
+              - "forbiddenmarkers" # Ensure that types and fields do not contain any markers that are forbidden.
               - "integers" # Ensure only int32 and int64 are used for integers.
               - "jsontags" # Ensure every field has a json tag.
               - "maxlength" # Ensure all strings and arrays have maximum lengths/maximum items.
@@ -53,6 +53,12 @@ linters:
                   - ["default", "kubebuilder:default"]
                   - ["required", "kubebuilder:validation:Required", "k8s:required"]
                 description: "A field with a default value cannot be required"
+            forbiddenmarkers:
+              markers:
+                # We don't want to do any defaulting (including OpenAPI) anymore on API fields because we prefer
+                # to have a clear signal on user intent. This also allows us to easily change the default behavior if necessary.
+                - identifier: "kubebuilder:default"
+                - identifier: "default"
             conditions:
               isFirstField: Warn # Require conditions to be the first field in the status struct.
               usePatchStrategy: Forbid # Forbid patchStrategy markers on the Conditions field.
@@ -158,6 +164,16 @@ linters:
       linters:
         - kubeapilinter
 
+    # Excludes for existing default markers 
+    - path: "api/core/v1beta2/clusterclass_types.go"
+      text: 'forbiddenmarkers: field Reason has forbidden marker "kubebuilder:default=FieldValueInvalid"'
+      linters:
+        - kubeapilinter
+    - path: "api/core/v1beta2/clusterclass_types.go"
+      text: 'forbiddenmarkers: field Reason has forbidden marker "default=ref\(sigs.k8s.io/cluster-api/api/core/v1beta2.FieldValueInvalid\)"'
+      linters:
+        - kubeapilinter
+
     # TODO: Excludes that should be removed once the corresponding issues in KAL are fixed
     # KAL incorrectly reports that the Taints field doesn't have to be a pointer (it has to be to preserve []).
     # See: https://github.com/kubernetes-sigs/kube-api-linter/issues/116
 
@@ -23,7 +23,7 @@ SHELL:=/usr/bin/env bash
 #
 # Go.
 #
-GO_VERSION ?= 1.24.8
+GO_VERSION ?= 1.24.9
 GO_DIRECTIVE_VERSION ?= 1.24.0
 GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
 
@@ -943,9 +943,16 @@ test-infrastructure: $(SETUP_ENVTEST) ## Run unit and integration tests with rac
 	# Note: Fuzz tests are not executed with race detector because they would just time out.
 	# To achieve that, all files with fuzz tests have the "!race" build tag, to still run fuzz tests
 	# we have an additional `go test` run that focuses on "TestFuzzyConversion".
-	cd test/infrastructure; KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... $(TEST_ARGS)
+	cd test/infrastructure; KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test -race ./... $(TEST_ARGS)
 	$(MAKE) test-infrastructure-conversions TEST_ARGS="$(TEST_ARGS)"
 
+.PHONY: test-infrastructure-no-race
+test-infrastructure-no-race: $(SETUP_ENVTEST) ## Run unit and integration tests with no race detector for docker infrastructure provider
+	# Note: Fuzz tests are not executed with race detector because they would just time out.
+	# To achieve that, all files with fuzz tests have the "!race" build tag, to still run fuzz tests
+	# we have an additional `go test` run that focuses on "TestFuzzyConversion".
+	cd test/infrastructure; KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... $(TEST_ARGS)
+
 .PHONY: test-infrastructure-conversions
 test-infrastructure-conversions: $(SETUP_ENVTEST) ## Run conversions test for docker infrastructure provider
 	cd test/infrastructure; KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test -run "^TestFuzzyConversion$$" ./... $(TEST_ARGS)
@@ -956,7 +963,7 @@ test-infrastructure-verbose: ## Run unit and integration tests with race detecto
 
 .PHONY: test-infrastructure-junit
 test-infrastructure-junit: $(SETUP_ENVTEST) $(GOTESTSUM) ## Run unit and integration tests with race detector and generate a junit report for docker infrastructure provider
-	cd test/infrastructure; set +o errexit; (KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test -json ./... $(TEST_ARGS); echo $$? > $(ARTIFACTS)/junit.infra_docker.exitcode) | tee $(ARTIFACTS)/junit.infra_docker.stdout
+	cd test/infrastructure; set +o errexit; (KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test -race -json ./... $(TEST_ARGS); echo $$? > $(ARTIFACTS)/junit.infra_docker.exitcode) | tee $(ARTIFACTS)/junit.infra_docker.stdout
 	$(GOTESTSUM) --junitfile $(ARTIFACTS)/junit.infra_docker.xml --raw-command cat $(ARTIFACTS)/junit.infra_docker.stdout
 	exit $$(cat $(ARTIFACTS)/junit.infra_docker.exitcode)
 	cd test/infrastructure; set +o errexit; (KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test -run "^TestFuzzyConversion$$" -json ./... $(TEST_ARGS); echo $$? > $(ARTIFACTS)/junit-fuzz.infra_docker.exitcode) | tee $(ARTIFACTS)/junit-fuzz.infra_docker.stdout
 
@@ -172,7 +172,7 @@ def load_provider_tilt_files():
 
 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.24.8 as tilt-helper
+FROM golang:1.24.9 as tilt-helper
 # Install delve. Note this should be kept in step with the Go release minor version.
 RUN go install github.com/go-delve/delve/cmd/dlv@v1.24
 # Support live reloading with Tilt
@@ -183,7 +183,7 @@ RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com
 """
 
 tilt_dockerfile_header = """
-FROM golang:1.24.8 as tilt
+FROM golang:1.24.9 as tilt
 WORKDIR /
 COPY --from=tilt-helper /process.txt .
 COPY --from=tilt-helper /start.sh .
 
@@ -73,6 +73,11 @@ func (src *Cluster) ConvertTo(dstRaw conversion.Hub) error {
 		return err
 	}
 
+	dst.Spec.Topology.ControlPlane.HealthCheck.Checks.UnhealthyMachineConditions = restored.Spec.Topology.ControlPlane.HealthCheck.Checks.UnhealthyMachineConditions
+	for i, md := range restored.Spec.Topology.Workers.MachineDeployments {
+		dst.Spec.Topology.Workers.MachineDeployments[i].HealthCheck.Checks.UnhealthyMachineConditions = md.HealthCheck.Checks.UnhealthyMachineConditions
+	}
+
 	// Recover intent for bool values converted to *bool.
 	clusterv1.Convert_bool_To_Pointer_bool(src.Spec.Paused, ok, restored.Spec.Paused, &dst.Spec.Paused)
 
@@ -145,6 +150,11 @@ func (src *ClusterClass) ConvertTo(dstRaw conversion.Hub) error {
 		return err
 	}
 
+	dst.Spec.ControlPlane.HealthCheck.Checks.UnhealthyMachineConditions = restored.Spec.ControlPlane.HealthCheck.Checks.UnhealthyMachineConditions
+	for i, md := range restored.Spec.Workers.MachineDeployments {
+		dst.Spec.Workers.MachineDeployments[i].HealthCheck.Checks.UnhealthyMachineConditions = md.HealthCheck.Checks.UnhealthyMachineConditions
+	}
+
 	// Recover intent for bool values converted to *bool.
 	for i, patch := range dst.Spec.Patches {
 		for j, definition := range patch.Definitions {
@@ -513,6 +523,8 @@ func (src *MachineHealthCheck) ConvertTo(dstRaw conversion.Hub) error {
 		return err
 	}
 
+	dst.Spec.Checks.UnhealthyMachineConditions = restored.Spec.Checks.UnhealthyMachineConditions
+
 	clusterv1.Convert_int32_To_Pointer_int32(src.Status.ExpectedMachines, ok, restored.Status.ExpectedMachines, &dst.Status.ExpectedMachines)
 	clusterv1.Convert_int32_To_Pointer_int32(src.Status.CurrentHealthy, ok, restored.Status.CurrentHealthy, &dst.Status.CurrentHealthy)
 	clusterv1.Convert_int32_To_Pointer_int32(src.Status.RemediationsAllowed, ok, restored.Status.RemediationsAllowed, &dst.Status.RemediationsAllowed)
 
@@ -725,6 +725,16 @@ type ControlPlaneTopologyHealthCheckChecks struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	UnhealthyNodeConditions []UnhealthyNodeCondition `json:"unhealthyNodeConditions,omitempty"`
+
+	// unhealthyMachineConditions contains a list of the machine conditions that determine
+	// whether a machine is considered unhealthy.  The conditions are combined in a
+	// logical OR, i.e. if any of the conditions is met, the machine is unhealthy.
+	//
+	// +optional
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	UnhealthyMachineConditions []UnhealthyMachineCondition `json:"unhealthyMachineConditions,omitempty"`
 }
 
 // ControlPlaneTopologyHealthCheckRemediation configures if and how remediations are triggered if a control plane Machine is unhealthy.
@@ -975,6 +985,16 @@ type MachineDeploymentTopologyHealthCheckChecks struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	UnhealthyNodeConditions []UnhealthyNodeCondition `json:"unhealthyNodeConditions,omitempty"`
+
+	// unhealthyMachineConditions contains a list of the machine conditions that determine
+	// whether a machine is considered unhealthy.  The conditions are combined in a
+	// logical OR, i.e. if any of the conditions is met, the machine is unhealthy.
+	//
+	// +optional
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	UnhealthyMachineConditions []UnhealthyMachineCondition `json:"unhealthyMachineConditions,omitempty"`
 }
 
 // MachineDeploymentTopologyHealthCheckRemediation configures if and how remediations are triggered if a MachineDeployment Machine is unhealthy.
 
@@ -281,6 +281,16 @@ type ControlPlaneClassHealthCheckChecks struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	UnhealthyNodeConditions []UnhealthyNodeCondition `json:"unhealthyNodeConditions,omitempty"`
+
+	// unhealthyMachineConditions contains a list of the machine conditions that determine
+	// whether a machine is considered unhealthy.  The conditions are combined in a
+	// logical OR, i.e. if any of the conditions is met, the machine is unhealthy.
+	//
+	// +optional
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	UnhealthyMachineConditions []UnhealthyMachineCondition `json:"unhealthyMachineConditions,omitempty"`
 }
 
 // ControlPlaneClassHealthCheckRemediation configures if and how remediations are triggered if a control plane Machine is unhealthy.
@@ -542,6 +552,16 @@ type MachineDeploymentClassHealthCheckChecks struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	UnhealthyNodeConditions []UnhealthyNodeCondition `json:"unhealthyNodeConditions,omitempty"`
+
+	// unhealthyMachineConditions contains a list of the machine conditions that determine
+	// whether a machine is considered unhealthy.  The conditions are combined in a
+	// logical OR, i.e. if any of the conditions is met, the machine is unhealthy.
+	//
+	// +optional
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	UnhealthyMachineConditions []UnhealthyMachineCondition `json:"unhealthyMachineConditions,omitempty"`
 }
 
 // MachineDeploymentClassHealthCheckRemediation configures if and how remediations are triggered if a MachineDeployment Machine is unhealthy.
 
@@ -87,6 +87,17 @@ const (
 
 	// ManagedNodeAnnotationDomain is one of the CAPI managed Node annotation domains.
 	ManagedNodeAnnotationDomain = "node.cluster.x-k8s.io"
+
+	// PendingAcknowledgeMoveAnnotation is an internal annotation added by the MS controller to a machine when being
+	// moved from the oldMS to the newMS. The annotation is removed as soon as the MS controller get the acknowledgment about the
+	// replica being accounted from the corresponding MD.
+	// Note: The annotation is added when reconciling the oldMS, and it is removed when reconciling the newMS.
+	// Note: This annotation is used in pair with AcknowledgedMoveAnnotation on MachineSets.
+	PendingAcknowledgeMoveAnnotation = "in-place-updates.internal.cluster.x-k8s.io/pending-acknowledge-move"
+
+	// UpdateInProgressAnnotation is an internal annotation added to machines by the controller owning the Machine when in-place update
+	// is started, e.g. by the MachineSet controller; the annotation will be removed by the Machine controller when in-place update is completed.
+	UpdateInProgressAnnotation = "in-place-updates.internal.cluster.x-k8s.io/update-in-progress"
 )
 
 // Machine's Available condition and corresponding reasons.
@@ -276,6 +287,10 @@ const (
 	// defined by a MachineHealthCheck object.
 	MachineHealthCheckUnhealthyNodeReason = "UnhealthyNode"
 
+	// MachineHealthCheckUnhealthyMachineReason surfaces when the machine does not pass the health checks
+	// defined by a MachineHealthCheck object.
+	MachineHealthCheckUnhealthyMachineReason = "UnhealthyMachine"
+
 	// MachineHealthCheckNodeStartupTimeoutReason surfaces when the node hosted on the machine does not appear within
 	// the timeout defined by a MachineHealthCheck object.
 	MachineHealthCheckNodeStartupTimeoutReason = "NodeStartupTimeout"
 
@@ -111,6 +111,16 @@ type MachineHealthCheckChecks struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	UnhealthyNodeConditions []UnhealthyNodeCondition `json:"unhealthyNodeConditions,omitempty"`
+
+	// unhealthyMachineConditions contains a list of the machine conditions that determine
+	// whether a machine is considered unhealthy.  The conditions are combined in a
+	// logical OR, i.e. if any of the conditions is met, the machine is unhealthy.
+	//
+	// +optional
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	UnhealthyMachineConditions []UnhealthyMachineCondition `json:"unhealthyMachineConditions,omitempty"`
 }
 
 // MachineHealthCheckRemediation configures if and how remediations are triggered if a Machine is unhealthy.
@@ -227,7 +237,33 @@ type UnhealthyNodeCondition struct {
 
 	// timeoutSeconds is the duration that a node must be in a given status for,
 	// after which the node is considered unhealthy.
-	// For example, with a value of "1h", the node must match the status
+	// For example, with a value of "3600", the node must match the status
+	// for at least 1 hour before being considered unhealthy.
+	// +required
+	// +kubebuilder:validation:Minimum=0
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+}
+
+// UnhealthyMachineCondition represents a Machine condition type and value with a timeout
+// specified as a duration.  When the named condition has been in the given
+// status for at least the timeout value, a machine is considered unhealthy.
+type UnhealthyMachineCondition struct {
+	// type of Machine condition
+	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=316
+	// +kubebuilder:validation:XValidation:rule="!(self in ['Ready','Available','HealthCheckSucceeded','OwnerRemediated','ExternallyRemediated'])",message="type must not be one of: Ready, Available, HealthCheckSucceeded, OwnerRemediated, ExternallyRemediated"
+	// +required
+	Type string `json:"type,omitempty"`
+
+	// status of the condition, one of True, False, Unknown.
+	// +required
+	// +kubebuilder:validation:Enum=True;False;Unknown
+	Status metav1.ConditionStatus `json:"status,omitempty"`
+
+	// timeoutSeconds is the duration that a machine must be in a given status for,
+	// after which the machine is considered unhealthy.
+	// For example, with a value of "3600", the machine must match the status
 	// for at least 1 hour before being considered unhealthy.
 	// +required
 	// +kubebuilder:validation:Minimum=0
 
@@ -33,6 +33,29 @@ const (
 	// MachineSetFinalizer is the finalizer used by the MachineSet controller to
 	// ensure ordered cleanup of corresponding Machines when a Machineset is being deleted.
 	MachineSetFinalizer = "cluster.x-k8s.io/machineset"
+
+	// MachineSetMoveMachinesToMachineSetAnnotation is an internal annotation added by the MD controller to the oldMS
+	// when it should scale down by moving machines that can be updated in-place to the newMS instead of deleting them.
+	// The annotation value is the newMS name.
+	// Note: This annotation is used in pair with MachineSetReceiveMachinesFromMachineSetsAnnotation to perform a two-ways check before moving a machine from oldMS to newMS:
+	//
+	//	"oldMS must have: move to newMS" and "newMS must have: receive replicas from oldMS"
+	MachineSetMoveMachinesToMachineSetAnnotation = "in-place-updates.internal.cluster.x-k8s.io/move-machines-to-machineset"
+
+	// MachineSetReceiveMachinesFromMachineSetsAnnotation is an internal annotation added by the MD controller to the newMS
+	// when it should receive replicas from oldMSs as a first step of an in-place upgrade operation
+	// The annotation value is a comma separated list of oldMSs.
+	// Note: This annotation is used in pair with MachineSetMoveMachinesToMachineSetAnnotation to perform a two-ways check before moving a machine from oldMS to newMS:
+	//
+	//	"oldMS must have: move to newMS" and "newMS must have: receive replicas from oldMS"
+	MachineSetReceiveMachinesFromMachineSetsAnnotation = "in-place-updates.internal.cluster.x-k8s.io/receive-machines-from-machinesets"
+
+	// AcknowledgedMoveAnnotation is an internal annotation with a list of machines added by the MD controller
+	// to a MachineSet when it acknowledges a machine pending acknowledge after being moved from an oldMS.
+	// The annotation value is a comma separated list of Machines already acknowledged; a machine is dropped
+	// from this annotation as soon as pending-acknowledge-move is removed from the machine; the annotation is dropped when empty.
+	// Note: This annotation is used in pair with PendingAcknowledgeMoveAnnotation on Machines.
+	AcknowledgedMoveAnnotation = "in-place-updates.internal.cluster.x-k8s.io/acknowledged-move"
 )
 
 // MachineSetSpec defines the desired state of MachineSet.
 
@@ -157,6 +157,11 @@ const (
 
 	// UnhealthyNodeConditionV1Beta1Reason is the reason used when a machine's node has one of the MachineHealthCheck's unhealthy conditions.
 	UnhealthyNodeConditionV1Beta1Reason = "UnhealthyNode"
+
+	// UnhealthyMachineConditionV1Beta1Reason is the reason used when a machine has one of the MachineHealthCheck's unhealthy conditions.
+	// When both machine and node issues are detected, this reason takes precedence over node-related reasons
+	// (NodeNotFoundV1Beta1Reason, NodeStartupTimeoutV1Beta1Reason, UnhealthyNodeConditionV1Beta1Reason).
+	UnhealthyMachineConditionV1Beta1Reason = "UnhealthyMachine"
 )
 
 const (