diff --git a/.github/ISSUE_TEMPLATE/kubernetes_bump.md b/.github/ISSUE_TEMPLATE/kubernetes_bump.md
index ac1733c14a2f..e9fcce9f5fd5 100644
--- a/.github/ISSUE_TEMPLATE/kubernetes_bump.md
+++ b/.github/ISSUE_TEMPLATE/kubernetes_bump.md
@@ -26,9 +26,11 @@ changes should be cherry-picked to all release series that will support the new
     * `test/*`: search for occurrences of the previous Kubernetes version
     * `Tiltfile`
   * Ensure the latest available kind version is used (including the latest images for this kind release)
-    * Add new images in the [kind mapper.go](https://github.com/kubernetes-sigs/cluster-api/blob/48ae58e51f9723ab7b9635d0e05ee54c4843707a/test/infrastructure/kind/mapper.go#L79).
+    * Add new images in the [kind mapper.go](https://github.com/kubernetes-sigs/cluster-api/blob/0f47a19e038ee6b0d3b1e7675a62cdaf84face8c/test/infrastructure/kind/mapper.go#L79).
       * See the [kind releases page](https://github.com/kubernetes-sigs/kind/releases) for the list of released images.
-    * Set new default image for the [test framework](https://github.com/kubernetes-sigs/cluster-api/blob/48ae58e51f9723ab7b9635d0e05ee54c4843707a/test/framework/bootstrap/kind_provider.go#L40)
+    * Set new default image for the [test framework](https://github.com/kubernetes-sigs/cluster-api/blob/0f47a19e038ee6b0d3b1e7675a62cdaf84face8c/test/framework/bootstrap/kind_provider.go#L40)
+    * If code changes are required for CAPD to incorporate the new Kind version, update [kind latestMode](https://github.com/kubernetes-sigs/cluster-api/blob/0f47a19e038ee6b0d3b1e7675a62cdaf84face8c/test/infrastructure/kind/mapper.go#L66)
+    * Prior art: #10094
   * Verify the quickstart manually
   * Bump `InitWithKubernetesVersion` and `WorkloadKubernetesVersion` in `clusterctl_upgrade_test.go`
     * Note: Only bump for Cluster API versions that will support the new Kubernetes release.
diff --git a/.github/workflows/pr-dependabot.yaml b/.github/workflows/pr-dependabot.yaml
index 4099a664bd18..b8b3bbf792fc 100644
--- a/.github/workflows/pr-dependabot.yaml
+++ b/.github/workflows/pr-dependabot.yaml
@@ -27,7 +27,7 @@ jobs:
       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
       with:
         go-version: ${{ steps.vars.outputs.go_version }}
-    - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # tag=v4.0.0
+    - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # tag=v4.0.1
       name: Restore go cache
       with:
         path: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f76f0585341a..f825e4d1bd1e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -22,7 +22,7 @@ jobs:
           fetch-depth: 0
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@90a06d6ba9543371ab4df8eeca0be07ca6054959 # tag=v42.0.2
+        uses: tj-actions/changed-files@aa08304bd477b800d468db44fe10f6c61f7f7b11 # tag=v42.1.0
       - name: Get release version
         id: release-version
         run: |
@@ -105,7 +105,7 @@ jobs:
           curl -L "https://raw.githubusercontent.com/${{ github.repository }}/main/CHANGELOG/${{ env.RELEASE_TAG }}.md" \
           -o "${{ env.RELEASE_TAG }}.md"
       - name: Release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v1
+        uses: softprops/action-gh-release@3198ee18f814cdf787321b4a32a26ddbf37acc52 # tag=v2.0.3
         with:
           draft: true
           files: out/*
diff --git a/CHANGELOG/v1.5.6.md b/CHANGELOG/v1.5.6.md
new file mode 100644
index 000000000000..86ca91ad340f
--- /dev/null
+++ b/CHANGELOG/v1.5.6.md
@@ -0,0 +1,24 @@
+## 👌 Kubernetes version support
+
+- Management Cluster: v1.24.x -> v1.28.x
+- Workload Cluster: v1.22.x -> v1.28.x
+
+[More information about version support can be found here](https://cluster-api.sigs.k8s.io/reference/versions.html)
+
+## Changes since v1.5.5
+## :chart_with_upwards_trend: Overview
+- 6 new commits merged
+- 1 bug fixed 🐛
+
+## :bug: Bug Fixes
+- ClusterCacheTracker: Fix ClusterCacheTracker memory leak (#10065)
+
+## :seedling: Others
+- clusterctl: Bump cert-manager to v1.14.2 (#10121) (#10128)
+- Community meeting: Promote chrischdi to Cluster API maintainer (#10090)
+- Dependency: Bump Go to 1.21.5 (#10153)
+
+:book: Additionally, there has been 1 contribution to our documentation and book. (#10117)
+
+
+_Thanks to all our contributors!_ 😊
diff --git a/CHANGELOG/v1.6.2.md b/CHANGELOG/v1.6.2.md
new file mode 100644
index 000000000000..5ab1ec8d97e7
--- /dev/null
+++ b/CHANGELOG/v1.6.2.md
@@ -0,0 +1,34 @@
+## 👌 Kubernetes version support
+
+- Management Cluster: v1.25.x -> v1.29.x
+- Workload Cluster: v1.23.x -> v1.29.x
+
+[More information about version support can be found here](https://cluster-api.sigs.k8s.io/reference/versions.html)
+
+## Highlights
+* :warning: Warning: This release fixes a bug (#10051) that was introduced in v1.6.0, which caused a regression in the conversion of v1alpha3/v1alpha4 objects. It is recommended to upgrade to v1.6.2 to avoid the issue.
+
+## Changes since v1.6.1
+## :chart_with_upwards_trend: Overview
+- 16 new commits merged
+- 3 bugs fixed 🐛
+
+## :bug: Bug Fixes
+- [API/e2e]: Restore v1alpha3/v1alpha4 conversion to fix SSA issue & add e2e test coverage (#10151)
+  - :warning: Warning: This change is a fix for the conversion bug that was introduced in v1.6.0.
+- ClusterCacheTracker: Fix ClusterCacheTracker memory leak (#10064)
+- Machine: Watch external objects for machine before deleting (#10177)
+
+## :seedling: Others
+- clusterctl: Bump cert-manager to v1.14.2 (#10120) (#10127)
+- clusterctl: Clarify rules for adding new clusterctl default providers (#10109)
+- Community meeting: Promote chrischdi to Cluster API maintainer (#10089)
+- Dependency: Bump controller runtime v0.16.5 (#10163)
+- Dependency: Bump Go to 1.21.5 (#10152)
+- e2e: Use manager in test extension (#10106)
+- Testing: Print conformance image used in kubetest (#10081)
+
+:book: Additionally, there have been 4 contributions to our documentation and book. (#10024, #10047, #10105, #10116)
+
+
+_Thanks to all our contributors!_ 😊
diff --git a/Makefile b/Makefile
index dea7187b21b9..b3a63b577d98 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ SHELL:=/usr/bin/env bash
 #
 # Go.
 #
-GO_VERSION ?= 1.21.5
+GO_VERSION ?= 1.21.8
 GO_CONTAINER_IMAGE ?= docker.io/library/golang:$(GO_VERSION)
 
 # Use GOPROXY environment variable if set
@@ -108,7 +108,7 @@ KUSTOMIZE_BIN := kustomize
 KUSTOMIZE := $(abspath $(TOOLS_BIN_DIR)/$(KUSTOMIZE_BIN)-$(KUSTOMIZE_VER))
 KUSTOMIZE_PKG := sigs.k8s.io/kustomize/kustomize/v4
 
-SETUP_ENVTEST_VER := v0.0.0-20231012212722-e25aeebc7846
+SETUP_ENVTEST_VER := v0.0.0-20240215143116-d0396a3d6f9f
 SETUP_ENVTEST_BIN := setup-envtest
 SETUP_ENVTEST := $(abspath $(TOOLS_BIN_DIR)/$(SETUP_ENVTEST_BIN)-$(SETUP_ENVTEST_VER))
 SETUP_ENVTEST_PKG := sigs.k8s.io/controller-runtime/tools/setup-envtest
@@ -123,7 +123,7 @@ GOTESTSUM_BIN := gotestsum
 GOTESTSUM := $(abspath $(TOOLS_BIN_DIR)/$(GOTESTSUM_BIN)-$(GOTESTSUM_VER))
 GOTESTSUM_PKG := gotest.tools/gotestsum
 
-CONVERSION_GEN_VER := v0.29.0
+CONVERSION_GEN_VER := v0.29.2
 CONVERSION_GEN_BIN := conversion-gen
 # We are intentionally using the binary without version suffix, to avoid the version
 # in generated files.
@@ -145,7 +145,7 @@ HADOLINT_FAILURE_THRESHOLD = warning
 
 SHELLCHECK_VER := v0.9.0
 
-TRIVY_VER := 0.47.0
+TRIVY_VER := 0.49.1
 
 KPROMO_VER := v4.0.5
 KPROMO_BIN := kpromo
@@ -158,7 +158,7 @@ YQ_BIN := yq
 YQ :=  $(abspath $(TOOLS_BIN_DIR)/$(YQ_BIN)-$(YQ_VER))
 YQ_PKG := github.com/mikefarah/yq/v4
 
-PLANTUML_VER := 1.2023.10
+PLANTUML_VER := 1.2024.3
 
 GINKGO_BIN := ginkgo
 GINKGO_VER := $(call get_go_version,github.com/onsi/ginkgo/v2)
@@ -183,7 +183,7 @@ IMPORT_BOSS_PKG := k8s.io/code-generator/cmd/import-boss
 CONVERSION_VERIFIER_BIN := conversion-verifier
 CONVERSION_VERIFIER := $(abspath $(TOOLS_BIN_DIR)/$(CONVERSION_VERIFIER_BIN))
 
-OPENAPI_GEN_VER := 5e7f5fd
+OPENAPI_GEN_VER := 70dd376
 OPENAPI_GEN_BIN := openapi-gen
 # We are intentionally using the binary without version suffix, to avoid the version
 # in generated files.
@@ -546,10 +546,11 @@ generate-go-openapi: $(OPENAPI_GEN) $(CONTROLLER_GEN) ## Generate openapi go cod
 		(cd ../ && $(MAKE) clean-generated-openapi-definitions SRC_DIRS="./$${pkg}"); \
 		echo "** Generating openapi schema for types in ./$${pkg} **"; \
 		$(OPENAPI_GEN) \
-			--input-dirs=sigs.k8s.io/cluster-api/$${pkg} \
-			--output-file-base=zz_generated.openapi \
-			--output-package=sigs.k8s.io/cluster-api/$${pkg} \
-			--go-header-file=../hack/boilerplate/boilerplate.generatego.txt; \
+			--output-dir=../$${pkg} \
+			--output-file=zz_generated.openapi.go \
+			--output-pkg=sigs.k8s.io/cluster-api/$${pkg} \
+			--go-header-file=../hack/boilerplate/boilerplate.generatego.txt \
+			sigs.k8s.io/cluster-api/$${pkg}; \
 	done; \
 	rm sigs.k8s.io/cluster-api
 
@@ -1166,6 +1167,10 @@ release-notes: release-notes-tool
 test-release-notes-tool:
 	go test -C hack/tools -v -tags tools,integration sigs.k8s.io/cluster-api/hack/tools/release/notes
 
+.PHONY: release-provider-issues-tool
+release-provider-issues-tool: # Creates GitHub issues in a pre-defined list of CAPI provider repositories
+	@go run ./hack/tools/release/internal/update_providers/provider_issues.go
+
 .PHONY: release-weekly-update-tool
 release-weekly-update-tool:
 	go build -C hack/tools -o $(ROOT_DIR)/bin/weekly -tags tools sigs.k8s.io/cluster-api/hack/tools/release/weekly
diff --git a/Tiltfile b/Tiltfile
index fa5b97684163..6dbc6565b120 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -3,7 +3,7 @@
 envsubst_cmd = "./hack/tools/bin/envsubst"
 clusterctl_cmd = "./bin/clusterctl"
 kubectl_cmd = "kubectl"
-kubernetes_version = "v1.29.0"
+kubernetes_version = "v1.29.2"
 
 load("ext://uibutton", "cmd_button", "location", "text_input")
 
@@ -184,7 +184,7 @@ def load_provider_tiltfiles():
 
 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.21.5 as tilt-helper
+FROM golang:1.21.8 as tilt-helper
 # Install delve. Note this should be kept in step with the Go release minor version.
 RUN go install github.com/go-delve/delve/cmd/dlv@v1.21
 # Support live reloading with Tilt
@@ -195,7 +195,7 @@ RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com
 """
 
 tilt_dockerfile_header = """
-FROM golang:1.21.5 as tilt
+FROM golang:1.21.8 as tilt
 WORKDIR /
 COPY --from=tilt-helper /process.txt .
 COPY --from=tilt-helper /start.sh .
@@ -342,23 +342,24 @@ def enable_provider(name, debug):
 
     port_forwards, links = get_port_forwards(debug)
 
-    build_go_binary(
-        context = p.get("context"),
-        reload_deps = p.get("live_reload_deps"),
-        debug = debug,
-        go_main = p.get("go_main", "main.go"),
-        binary_name = "manager",
-        label = label,
-    )
+    if p.get("image"):
+        build_go_binary(
+            context = p.get("context"),
+            reload_deps = p.get("live_reload_deps"),
+            debug = debug,
+            go_main = p.get("go_main", "main.go"),
+            binary_name = "manager",
+            label = label,
+        )
 
-    build_docker_image(
-        image = p.get("image"),
-        context = p.get("context"),
-        binary_name = "manager",
-        additional_docker_helper_commands = p.get("additional_docker_helper_commands", ""),
-        additional_docker_build_commands = p.get("additional_docker_build_commands", ""),
-        port_forwards = port_forwards,
-    )
+        build_docker_image(
+            image = p.get("image"),
+            context = p.get("context"),
+            binary_name = "manager",
+            additional_docker_helper_commands = p.get("additional_docker_helper_commands", ""),
+            additional_docker_build_commands = p.get("additional_docker_build_commands", ""),
+            port_forwards = port_forwards,
+        )
 
     additional_objs = []
     p_resources = p.get("additional_resources", [])
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index 017f7f675791..b25985f1eccb 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -68,6 +68,10 @@ const (
 	// update that disallows a pre-existing Cluster to be populated with Topology information and Class.
 	ClusterTopologyUnsafeUpdateClassNameAnnotation = "unsafe.topology.cluster.x-k8s.io/disable-update-class-name-check"
 
+	// ClusterTopologyUnsafeUpdateVersionAnnotation can be used to disable the webhook checks on
+	// update that disallows updating the .topology.spec.version on certain conditions.
+	ClusterTopologyUnsafeUpdateVersionAnnotation = "unsafe.topology.cluster.x-k8s.io/disable-update-version-check"
+
 	// ProviderNameLabel is the label set on components in the provider manifest.
 	// This label allows to easily identify all the components belonging to a provider; the clusterctl
 	// tool uses this label for implementing provider's lifecycle operations.
diff --git a/api/v1beta1/zz_generated.openapi.go b/api/v1beta1/zz_generated.openapi.go
index 073de884ba90..a3644d79f97a 100644
--- a/api/v1beta1/zz_generated.openapi.go
+++ b/api/v1beta1/zz_generated.openapi.go
@@ -19,8 +19,6 @@ limitations under the License.
 
 // Code generated by openapi-gen. DO NOT EDIT.
 
-// This file was autogenerated by openapi-gen. Do not edit it manually!
-
 package v1beta1
 
 import (
@@ -856,7 +854,6 @@ func schema_sigsk8sio_cluster_api_api_v1beta1_ClusterVariable(ref common.Referen
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Value of the variable. Note: the value will be validated against the schema of the corresponding ClusterClassVariable from the ClusterClass. Note: We have to use apiextensionsv1.JSON instead of a custom JSON type, because controller-tools has a hard-coded schema for apiextensionsv1.JSON which cannot be produced by another type via controller-tools, i.e. it is not possible to have no type field. Ref: https://github.com/kubernetes-sigs/controller-tools/blob/d0e03a142d0ecdd5491593e941ee1d6b5d91dba6/pkg/crd/known_types.go#L106-L111",
-							Default:     map[string]interface{}{},
 							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
 						},
 					},
@@ -902,7 +899,6 @@ func schema_sigsk8sio_cluster_api_api_v1beta1_Condition(ref common.ReferenceCall
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
-							Default:     map[string]interface{}{},
 							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
 						},
 					},
@@ -1385,8 +1381,7 @@ func schema_sigsk8sio_cluster_api_api_v1beta1_JSONSchemaProps(ref common.Referen
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
+										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
 									},
 								},
 							},
@@ -3558,8 +3553,7 @@ func schema_sigsk8sio_cluster_api_api_v1beta1_UnhealthyCondition(ref common.Refe
 					},
 					"timeout": {
 						SchemaProps: spec.SchemaProps{
-							Default: 0,
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
 						},
 					},
 				},
diff --git a/bootstrap/kubeadm/config/manager/manager.yaml b/bootstrap/kubeadm/config/manager/manager.yaml
index d5e12b4572e8..dae2a9b6c615 100644
--- a/bootstrap/kubeadm/config/manager/manager.yaml
+++ b/bootstrap/kubeadm/config/manager/manager.yaml
@@ -26,6 +26,19 @@ spec:
             - "--bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}"
           image: controller:latest
           name: manager
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_UID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.uid
           ports:
             - containerPort: 9440
               name: healthz
diff --git a/cmd/clusterctl/client/config/providers_client.go b/cmd/clusterctl/client/config/providers_client.go
index 3adad5719b5c..476738e3d561 100644
--- a/cmd/clusterctl/client/config/providers_client.go
+++ b/cmd/clusterctl/client/config/providers_client.go
@@ -45,6 +45,7 @@ const (
 	DOProviderName             = "digitalocean"
 	GCPProviderName            = "gcp"
 	HetznerProviderName        = "hetzner"
+	HivelocityProviderName     = "hivelocity-hivelocity"
 	OutscaleProviderName       = "outscale"
 	IBMCloudProviderName       = "ibmcloud"
 	InMemoryProviderName       = "in-memory"
@@ -91,6 +92,11 @@ const (
 	K0smotronControlPlaneProviderName         = "k0sproject-k0smotron"
 )
 
+// IPAM providers.
+const (
+	InClusterIPAMProviderName = "in-cluster"
+)
+
 // Add-on providers.
 const (
 	HelmAddonProviderName = "helm"
@@ -234,6 +240,11 @@ func (p *providersClient) defaults() []Provider {
 			url:          "https://github.com/syself/cluster-api-provider-hetzner/releases/latest/infrastructure-components.yaml",
 			providerType: clusterctlv1.InfrastructureProviderType,
 		},
+		&provider{
+			name:         HivelocityProviderName,
+			url:          "https://github.com/hivelocity/cluster-api-provider-hivelocity/releases/latest/infrastructure-components.yaml",
+			providerType: clusterctlv1.InfrastructureProviderType,
+		},
 		&provider{
 			name:         OutscaleProviderName,
 			url:          "https://github.com/outscale/cluster-api-provider-outscale/releases/latest/infrastructure-components.yaml",
@@ -369,6 +380,13 @@ func (p *providersClient) defaults() []Provider {
 			providerType: clusterctlv1.ControlPlaneProviderType,
 		},
 
+		// IPAM providers
+		&provider{
+			name:         InClusterIPAMProviderName,
+			url:          "https://github.com/kubernetes-sigs/cluster-api-ipam-provider-in-cluster/releases/latest/ipam-components.yaml",
+			providerType: clusterctlv1.IPAMProviderType,
+		},
+
 		// Add-on providers
 		&provider{
 			name:         HelmAddonProviderName,
diff --git a/cmd/clusterctl/client/config_test.go b/cmd/clusterctl/client/config_test.go
index 864b894f9277..4ee7a56796a3 100644
--- a/cmd/clusterctl/client/config_test.go
+++ b/cmd/clusterctl/client/config_test.go
@@ -82,6 +82,7 @@ func Test_clusterctlClient_GetProvidersConfig(t *testing.T) {
 				config.DockerProviderName,
 				config.GCPProviderName,
 				config.HetznerProviderName,
+				config.HivelocityProviderName,
 				config.IBMCloudProviderName,
 				config.InMemoryProviderName,
 				config.K0smotronProviderName,
@@ -101,6 +102,7 @@ func Test_clusterctlClient_GetProvidersConfig(t *testing.T) {
 				config.VclusterProviderName,
 				config.VirtinkProviderName,
 				config.VSphereProviderName,
+				config.InClusterIPAMProviderName,
 				config.HelmAddonProviderName,
 			},
 			wantErr: false,
@@ -139,6 +141,7 @@ func Test_clusterctlClient_GetProvidersConfig(t *testing.T) {
 				config.DockerProviderName,
 				config.GCPProviderName,
 				config.HetznerProviderName,
+				config.HivelocityProviderName,
 				config.IBMCloudProviderName,
 				config.InMemoryProviderName,
 				config.K0smotronProviderName,
@@ -158,6 +161,7 @@ func Test_clusterctlClient_GetProvidersConfig(t *testing.T) {
 				config.VclusterProviderName,
 				config.VirtinkProviderName,
 				config.VSphereProviderName,
+				config.InClusterIPAMProviderName,
 				config.HelmAddonProviderName,
 			},
 			wantErr: false,
diff --git a/cmd/clusterctl/client/repository/overrides.go b/cmd/clusterctl/client/repository/overrides.go
index 1a6c858347bf..bd14f035d61b 100644
--- a/cmd/clusterctl/client/repository/overrides.go
+++ b/cmd/clusterctl/client/repository/overrides.go
@@ -28,6 +28,7 @@ import (
 	"github.com/pkg/errors"
 
 	"sigs.k8s.io/cluster-api/cmd/clusterctl/client/config"
+	logf "sigs.k8s.io/cluster-api/cmd/clusterctl/log"
 )
 
 const (
@@ -107,7 +108,11 @@ func (o *overrides) Path() (string, error) {
 // getLocalOverride return local override file from the config folder, if it exists.
 // This is required for development purposes, but it can be used also in production as a workaround for problems on the official repositories.
 func getLocalOverride(info *newOverrideInput) ([]byte, error) {
+	log := logf.Log
+
 	overridePath, err := newOverride(info).Path()
+	log.V(5).Info("Potential override file", "SearchFile", overridePath, "Provider", info.provider.ManifestLabel(), "Version", info.version)
+
 	if err != nil {
 		return nil, err
 	}
diff --git a/cmd/clusterctl/cmd/config_repositories_test.go b/cmd/clusterctl/cmd/config_repositories_test.go
index 3f522a203a26..a5ef73c9b8f4 100644
--- a/cmd/clusterctl/cmd/config_repositories_test.go
+++ b/cmd/clusterctl/cmd/config_repositories_test.go
@@ -102,55 +102,57 @@ providers:
     type: "CoreProvider"
 `
 
-var expectedOutputText = `NAME                   TYPE                     URL                                                                                         FILE
-cluster-api            CoreProvider             https://github.com/myorg/myforkofclusterapi/releases/latest/                                core_components.yaml
-another-provider       BootstrapProvider        ./                                                                                          bootstrap-components.yaml
-k0sproject-k0smotron   BootstrapProvider        https://github.com/k0sproject/k0smotron/releases/latest/                                    bootstrap-components.yaml
-kubeadm                BootstrapProvider        https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             bootstrap-components.yaml
-kubekey-k3s            BootstrapProvider        https://github.com/kubesphere/kubekey/releases/latest/                                      bootstrap-components.yaml
-microk8s               BootstrapProvider        https://github.com/canonical/cluster-api-bootstrap-provider-microk8s/releases/latest/       bootstrap-components.yaml
-ocne                   BootstrapProvider        https://github.com/verrazzano/cluster-api-provider-ocne/releases/latest/                    bootstrap-components.yaml
-rke2                   BootstrapProvider        https://github.com/rancher-sandbox/cluster-api-provider-rke2/releases/latest/               bootstrap-components.yaml
-talos                  BootstrapProvider        https://github.com/siderolabs/cluster-api-bootstrap-provider-talos/releases/latest/         bootstrap-components.yaml
-k0sproject-k0smotron   ControlPlaneProvider     https://github.com/k0sproject/k0smotron/releases/latest/                                    control-plane-components.yaml
-kamaji                 ControlPlaneProvider     https://github.com/clastix/cluster-api-control-plane-provider-kamaji/releases/latest/       control-plane-components.yaml
-kubeadm                ControlPlaneProvider     https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             control-plane-components.yaml
-kubekey-k3s            ControlPlaneProvider     https://github.com/kubesphere/kubekey/releases/latest/                                      control-plane-components.yaml
-microk8s               ControlPlaneProvider     https://github.com/canonical/cluster-api-control-plane-provider-microk8s/releases/latest/   control-plane-components.yaml
-nested                 ControlPlaneProvider     https://github.com/kubernetes-sigs/cluster-api-provider-nested/releases/latest/             control-plane-components.yaml
-ocne                   ControlPlaneProvider     https://github.com/verrazzano/cluster-api-provider-ocne/releases/latest/                    control-plane-components.yaml
-rke2                   ControlPlaneProvider     https://github.com/rancher-sandbox/cluster-api-provider-rke2/releases/latest/               control-plane-components.yaml
-talos                  ControlPlaneProvider     https://github.com/siderolabs/cluster-api-control-plane-provider-talos/releases/latest/     control-plane-components.yaml
-aws                    InfrastructureProvider                                                                                               my-aws-infrastructure-components.yaml
-azure                  InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-azure/releases/latest/              infrastructure-components.yaml
-byoh                   InfrastructureProvider   https://github.com/vmware-tanzu/cluster-api-provider-bringyourownhost/releases/latest/      infrastructure-components.yaml
-cloudstack             InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-cloudstack/releases/latest/         infrastructure-components.yaml
-coxedge                InfrastructureProvider   https://github.com/coxedge/cluster-api-provider-coxedge/releases/latest/                    infrastructure-components.yaml
-digitalocean           InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-digitalocean/releases/latest/       infrastructure-components.yaml
-docker                 InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             infrastructure-components-development.yaml
-gcp                    InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-gcp/releases/latest/                infrastructure-components.yaml
-hetzner                InfrastructureProvider   https://github.com/syself/cluster-api-provider-hetzner/releases/latest/                     infrastructure-components.yaml
-ibmcloud               InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-ibmcloud/releases/latest/           infrastructure-components.yaml
-in-memory              InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             infrastructure-components-in-memory-development.yaml
-k0sproject-k0smotron   InfrastructureProvider   https://github.com/k0sproject/k0smotron/releases/latest/                                    infrastructure-components.yaml
-kubekey                InfrastructureProvider   https://github.com/kubesphere/kubekey/releases/latest/                                      infrastructure-components.yaml
-kubevirt               InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt/releases/latest/           infrastructure-components.yaml
-maas                   InfrastructureProvider   https://github.com/spectrocloud/cluster-api-provider-maas/releases/latest/                  infrastructure-components.yaml
-metal3                 InfrastructureProvider   https://github.com/metal3-io/cluster-api-provider-metal3/releases/latest/                   infrastructure-components.yaml
-my-infra-provider      InfrastructureProvider   /home/.config/cluster-api/overrides/infrastructure-docker/latest/                           infrastructure-components.yaml
-nested                 InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-nested/releases/latest/             infrastructure-components.yaml
-nutanix                InfrastructureProvider   https://github.com/nutanix-cloud-native/cluster-api-provider-nutanix/releases/latest/       infrastructure-components.yaml
-oci                    InfrastructureProvider   https://github.com/oracle/cluster-api-provider-oci/releases/latest/                         infrastructure-components.yaml
-openstack              InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-openstack/releases/latest/          infrastructure-components.yaml
-outscale               InfrastructureProvider   https://github.com/outscale/cluster-api-provider-outscale/releases/latest/                  infrastructure-components.yaml
-packet                 InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-packet/releases/latest/             infrastructure-components.yaml
-proxmox                InfrastructureProvider   https://github.com/ionos-cloud/cluster-api-provider-proxmox/releases/latest/                infrastructure-components.yaml
-sidero                 InfrastructureProvider   https://github.com/siderolabs/sidero/releases/latest/                                       infrastructure-components.yaml
-vcd                    InfrastructureProvider   https://github.com/vmware/cluster-api-provider-cloud-director/releases/latest/              infrastructure-components.yaml
-vcluster               InfrastructureProvider   https://github.com/loft-sh/cluster-api-provider-vcluster/releases/latest/                   infrastructure-components.yaml
-virtink                InfrastructureProvider   https://github.com/smartxworks/cluster-api-provider-virtink/releases/latest/                infrastructure-components.yaml
-vsphere                InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/releases/latest/            infrastructure-components.yaml
-helm                   AddonProvider            https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/releases/latest/         addon-components.yaml
+var expectedOutputText = `NAME                    TYPE                     URL                                                                                         FILE
+cluster-api             CoreProvider             https://github.com/myorg/myforkofclusterapi/releases/latest/                                core_components.yaml
+another-provider        BootstrapProvider        ./                                                                                          bootstrap-components.yaml
+k0sproject-k0smotron    BootstrapProvider        https://github.com/k0sproject/k0smotron/releases/latest/                                    bootstrap-components.yaml
+kubeadm                 BootstrapProvider        https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             bootstrap-components.yaml
+kubekey-k3s             BootstrapProvider        https://github.com/kubesphere/kubekey/releases/latest/                                      bootstrap-components.yaml
+microk8s                BootstrapProvider        https://github.com/canonical/cluster-api-bootstrap-provider-microk8s/releases/latest/       bootstrap-components.yaml
+ocne                    BootstrapProvider        https://github.com/verrazzano/cluster-api-provider-ocne/releases/latest/                    bootstrap-components.yaml
+rke2                    BootstrapProvider        https://github.com/rancher-sandbox/cluster-api-provider-rke2/releases/latest/               bootstrap-components.yaml
+talos                   BootstrapProvider        https://github.com/siderolabs/cluster-api-bootstrap-provider-talos/releases/latest/         bootstrap-components.yaml
+k0sproject-k0smotron    ControlPlaneProvider     https://github.com/k0sproject/k0smotron/releases/latest/                                    control-plane-components.yaml
+kamaji                  ControlPlaneProvider     https://github.com/clastix/cluster-api-control-plane-provider-kamaji/releases/latest/       control-plane-components.yaml
+kubeadm                 ControlPlaneProvider     https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             control-plane-components.yaml
+kubekey-k3s             ControlPlaneProvider     https://github.com/kubesphere/kubekey/releases/latest/                                      control-plane-components.yaml
+microk8s                ControlPlaneProvider     https://github.com/canonical/cluster-api-control-plane-provider-microk8s/releases/latest/   control-plane-components.yaml
+nested                  ControlPlaneProvider     https://github.com/kubernetes-sigs/cluster-api-provider-nested/releases/latest/             control-plane-components.yaml
+ocne                    ControlPlaneProvider     https://github.com/verrazzano/cluster-api-provider-ocne/releases/latest/                    control-plane-components.yaml
+rke2                    ControlPlaneProvider     https://github.com/rancher-sandbox/cluster-api-provider-rke2/releases/latest/               control-plane-components.yaml
+talos                   ControlPlaneProvider     https://github.com/siderolabs/cluster-api-control-plane-provider-talos/releases/latest/     control-plane-components.yaml
+aws                     InfrastructureProvider                                                                                               my-aws-infrastructure-components.yaml
+azure                   InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-azure/releases/latest/              infrastructure-components.yaml
+byoh                    InfrastructureProvider   https://github.com/vmware-tanzu/cluster-api-provider-bringyourownhost/releases/latest/      infrastructure-components.yaml
+cloudstack              InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-cloudstack/releases/latest/         infrastructure-components.yaml
+coxedge                 InfrastructureProvider   https://github.com/coxedge/cluster-api-provider-coxedge/releases/latest/                    infrastructure-components.yaml
+digitalocean            InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-digitalocean/releases/latest/       infrastructure-components.yaml
+docker                  InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             infrastructure-components-development.yaml
+gcp                     InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-gcp/releases/latest/                infrastructure-components.yaml
+hetzner                 InfrastructureProvider   https://github.com/syself/cluster-api-provider-hetzner/releases/latest/                     infrastructure-components.yaml
+hivelocity-hivelocity   InfrastructureProvider   https://github.com/hivelocity/cluster-api-provider-hivelocity/releases/latest/              infrastructure-components.yaml
+ibmcloud                InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-ibmcloud/releases/latest/           infrastructure-components.yaml
+in-memory               InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api/releases/latest/                             infrastructure-components-in-memory-development.yaml
+k0sproject-k0smotron    InfrastructureProvider   https://github.com/k0sproject/k0smotron/releases/latest/                                    infrastructure-components.yaml
+kubekey                 InfrastructureProvider   https://github.com/kubesphere/kubekey/releases/latest/                                      infrastructure-components.yaml
+kubevirt                InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt/releases/latest/           infrastructure-components.yaml
+maas                    InfrastructureProvider   https://github.com/spectrocloud/cluster-api-provider-maas/releases/latest/                  infrastructure-components.yaml
+metal3                  InfrastructureProvider   https://github.com/metal3-io/cluster-api-provider-metal3/releases/latest/                   infrastructure-components.yaml
+my-infra-provider       InfrastructureProvider   /home/.config/cluster-api/overrides/infrastructure-docker/latest/                           infrastructure-components.yaml
+nested                  InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-nested/releases/latest/             infrastructure-components.yaml
+nutanix                 InfrastructureProvider   https://github.com/nutanix-cloud-native/cluster-api-provider-nutanix/releases/latest/       infrastructure-components.yaml
+oci                     InfrastructureProvider   https://github.com/oracle/cluster-api-provider-oci/releases/latest/                         infrastructure-components.yaml
+openstack               InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-openstack/releases/latest/          infrastructure-components.yaml
+outscale                InfrastructureProvider   https://github.com/outscale/cluster-api-provider-outscale/releases/latest/                  infrastructure-components.yaml
+packet                  InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-packet/releases/latest/             infrastructure-components.yaml
+proxmox                 InfrastructureProvider   https://github.com/ionos-cloud/cluster-api-provider-proxmox/releases/latest/                infrastructure-components.yaml
+sidero                  InfrastructureProvider   https://github.com/siderolabs/sidero/releases/latest/                                       infrastructure-components.yaml
+vcd                     InfrastructureProvider   https://github.com/vmware/cluster-api-provider-cloud-director/releases/latest/              infrastructure-components.yaml
+vcluster                InfrastructureProvider   https://github.com/loft-sh/cluster-api-provider-vcluster/releases/latest/                   infrastructure-components.yaml
+virtink                 InfrastructureProvider   https://github.com/smartxworks/cluster-api-provider-virtink/releases/latest/                infrastructure-components.yaml
+vsphere                 InfrastructureProvider   https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/releases/latest/            infrastructure-components.yaml
+in-cluster              IPAMProvider             https://github.com/kubernetes-sigs/cluster-api-ipam-provider-in-cluster/releases/latest/    ipam-components.yaml
+helm                    AddonProvider            https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/releases/latest/         addon-components.yaml
 `
 
 var expectedOutputYaml = `- File: core_components.yaml
@@ -261,6 +263,10 @@ var expectedOutputYaml = `- File: core_components.yaml
   Name: hetzner
   ProviderType: InfrastructureProvider
   URL: https://github.com/syself/cluster-api-provider-hetzner/releases/latest/
+- File: infrastructure-components.yaml
+  Name: hivelocity-hivelocity
+  ProviderType: InfrastructureProvider
+  URL: https://github.com/hivelocity/cluster-api-provider-hivelocity/releases/latest/
 - File: infrastructure-components.yaml
   Name: ibmcloud
   ProviderType: InfrastructureProvider
@@ -341,6 +347,10 @@ var expectedOutputYaml = `- File: core_components.yaml
   Name: vsphere
   ProviderType: InfrastructureProvider
   URL: https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/releases/latest/
+- File: ipam-components.yaml
+  Name: in-cluster
+  ProviderType: IPAMProvider
+  URL: https://github.com/kubernetes-sigs/cluster-api-ipam-provider-in-cluster/releases/latest/
 - File: addon-components.yaml
   Name: helm
   ProviderType: AddonProvider
diff --git a/cmd/clusterctl/cmd/generate_cluster.go b/cmd/clusterctl/cmd/generate_cluster.go
index 7562a90380b8..9b95911e5831 100644
--- a/cmd/clusterctl/cmd/generate_cluster.go
+++ b/cmd/clusterctl/cmd/generate_cluster.go
@@ -116,8 +116,9 @@ func init() {
 		"The Kubernetes version to use for the workload cluster. If unspecified, the value from OS environment variables or the $XDG_CONFIG_HOME/cluster-api/clusterctl.yaml config file will be used.")
 	generateClusterClusterCmd.Flags().Int64Var(&gc.controlPlaneMachineCount, "control-plane-machine-count", 1,
 		"The number of control plane machines for the workload cluster.")
+	// Remove default from hard coded text if the default is ever changed from 0 since cobra would then add it
 	generateClusterClusterCmd.Flags().Int64Var(&gc.workerMachineCount, "worker-machine-count", 0,
-		"The number of worker machines for the workload cluster.")
+		"The number of worker machines for the workload cluster. (default 0)")
 
 	// flags for the repository source
 	generateClusterClusterCmd.Flags().StringVarP(&gc.infrastructureProvider, "infrastructure", "i", "",
diff --git a/cmd/clusterctl/cmd/init.go b/cmd/clusterctl/cmd/init.go
index e19eee9796da..18dd3edab328 100644
--- a/cmd/clusterctl/cmd/init.go
+++ b/cmd/clusterctl/cmd/init.go
@@ -103,7 +103,7 @@ func init() {
 	initCmd.PersistentFlags().StringSliceVarP(&initOpts.controlPlaneProviders, "control-plane", "c", nil,
 		"Control plane providers and versions (e.g. kubeadm:v1.1.5) to add to the management cluster. If unspecified, the Kubeadm control plane provider's latest release is used.")
 	initCmd.PersistentFlags().StringSliceVar(&initOpts.ipamProviders, "ipam", nil,
-		"IPAM providers and versions (e.g. infoblox:v0.0.1) to add to the management cluster.")
+		"IPAM providers and versions (e.g. in-cluster:v0.1.0) to add to the management cluster.")
 	initCmd.PersistentFlags().StringSliceVar(&initOpts.runtimeExtensionProviders, "runtime-extension", nil,
 		"Runtime extension providers and versions to add to the management cluster; please note that clusterctl doesn't include any default runtime extensions and thus it is required to use custom configuration files to register runtime extensions.")
 	initCmd.PersistentFlags().StringSliceVar(&initOpts.addonProviders, "addon", nil,
diff --git a/cmd/clusterctl/cmd/root.go b/cmd/clusterctl/cmd/root.go
index 6e54068fd813..89366a78ddd4 100644
--- a/cmd/clusterctl/cmd/root.go
+++ b/cmd/clusterctl/cmd/root.go
@@ -106,6 +106,8 @@ var RootCmd = &cobra.Command{
 
 // Execute executes the root command.
 func Execute() {
+	handlePlugins()
+
 	if err := RootCmd.Execute(); err != nil {
 		if verbosity != nil && *verbosity >= 5 {
 			if err, ok := err.(stackTracer); ok {
@@ -146,8 +148,6 @@ func init() {
 	RootCmd.SetCompletionCommandGroupID(groupOther)
 
 	cobra.OnInitialize(initConfig, registerCompletionFuncForCommonFlags)
-
-	handlePlugins()
 }
 
 func initConfig() {
diff --git a/controllers/remote/cluster_cache_tracker.go b/controllers/remote/cluster_cache_tracker.go
index 3c1c67248d60..5060729ce1a4 100644
--- a/controllers/remote/cluster_cache_tracker.go
+++ b/controllers/remote/cluster_cache_tracker.go
@@ -189,6 +189,11 @@ func (t *ClusterCacheTracker) GetClient(ctx context.Context, cluster client.Obje
 	return accessor.client, nil
 }
 
+// GetReader returns a cached read-only client for the given cluster.
+func (t *ClusterCacheTracker) GetReader(ctx context.Context, cluster client.ObjectKey) (client.Reader, error) {
+	return t.GetClient(ctx, cluster)
+}
+
 // GetRESTConfig returns a cached REST config for the given cluster.
 func (t *ClusterCacheTracker) GetRESTConfig(ctc context.Context, cluster client.ObjectKey) (*rest.Config, error) {
 	accessor, err := t.getClusterAccessor(ctc, cluster, t.indexes...)
diff --git a/controlplane/kubeadm/internal/controllers/controller_test.go b/controlplane/kubeadm/internal/controllers/controller_test.go
index aaf7c09a180b..6459174a918a 100644
--- a/controlplane/kubeadm/internal/controllers/controller_test.go
+++ b/controlplane/kubeadm/internal/controllers/controller_test.go
@@ -1279,7 +1279,8 @@ dns:
   type: CoreDNS
 imageRepository: registry.k8s.io
 kind: ClusterConfiguration
-kubernetesVersion: metav1.16.1`,
+kubernetesVersion: metav1.16.1
+`,
 		},
 	}
 	g.Expect(env.Create(ctx, kubeadmCM)).To(Succeed())
diff --git a/controlplane/kubeadm/internal/controllers/fakes_test.go b/controlplane/kubeadm/internal/controllers/fakes_test.go
index 3c7348bc4831..cf9fcbafe66e 100644
--- a/controlplane/kubeadm/internal/controllers/fakes_test.go
+++ b/controlplane/kubeadm/internal/controllers/fakes_test.go
@@ -108,11 +108,11 @@ func (f fakeWorkloadCluster) ReconcileKubeletRBACBinding(_ context.Context, _ se
 	return nil
 }
 
-func (f fakeWorkloadCluster) UpdateKubernetesVersionInKubeadmConfigMap(_ context.Context, _ semver.Version) error {
+func (f fakeWorkloadCluster) UpdateKubernetesVersionInKubeadmConfigMap(semver.Version) func(*bootstrapv1.ClusterConfiguration) {
 	return nil
 }
 
-func (f fakeWorkloadCluster) UpdateEtcdVersionInKubeadmConfigMap(_ context.Context, _, _ string, _ semver.Version) error {
+func (f fakeWorkloadCluster) UpdateEtcdLocalInKubeadmConfigMap(*bootstrapv1.LocalEtcd) func(*bootstrapv1.ClusterConfiguration) {
 	return nil
 }
 
@@ -132,13 +132,17 @@ func (f fakeWorkloadCluster) EtcdMembers(_ context.Context) ([]string, error) {
 	return f.EtcdMembersResult, nil
 }
 
+func (f fakeWorkloadCluster) UpdateClusterConfiguration(context.Context, semver.Version, ...func(*bootstrapv1.ClusterConfiguration)) error {
+	return nil
+}
+
 type fakeMigrator struct {
 	migrateCalled    bool
 	migrateErr       error
 	migratedCorefile string
 }
 
-func (m *fakeMigrator) Migrate(_, _, _ string, _ bool) (string, error) {
+func (m *fakeMigrator) Migrate(string, string, string, bool) (string, error) {
 	m.migrateCalled = true
 	if m.migrateErr != nil {
 		return "", m.migrateErr
diff --git a/controlplane/kubeadm/internal/controllers/upgrade.go b/controlplane/kubeadm/internal/controllers/upgrade.go
index 6abf136947ab..651d0c2a798c 100644
--- a/controlplane/kubeadm/internal/controllers/upgrade.go
+++ b/controlplane/kubeadm/internal/controllers/upgrade.go
@@ -23,6 +23,7 @@ import (
 	"github.com/pkg/errors"
 	ctrl "sigs.k8s.io/controller-runtime"
 
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controlplane/kubeadm/internal"
 	"sigs.k8s.io/cluster-api/util"
@@ -73,9 +74,8 @@ func (r *KubeadmControlPlaneReconciler) upgradeControlPlane(
 		return ctrl.Result{}, errors.Wrap(err, "failed to set cluster-admin ClusterRoleBinding for kubeadm")
 	}
 
-	if err := workloadCluster.UpdateKubernetesVersionInKubeadmConfigMap(ctx, parsedVersion); err != nil {
-		return ctrl.Result{}, errors.Wrap(err, "failed to update the kubernetes version in the kubeadm config map")
-	}
+	kubeadmCMMutators := make([]func(*bootstrapv1.ClusterConfiguration), 0)
+	kubeadmCMMutators = append(kubeadmCMMutators, workloadCluster.UpdateKubernetesVersionInKubeadmConfigMap(parsedVersion))
 
 	if controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration != nil {
 		// We intentionally only parse major/minor/patch so that the subsequent code
@@ -84,38 +84,30 @@ func (r *KubeadmControlPlaneReconciler) upgradeControlPlane(
 		if err != nil {
 			return ctrl.Result{}, errors.Wrapf(err, "failed to parse kubernetes version %q", controlPlane.KCP.Spec.Version)
 		}
+
 		// Get the imageRepository or the correct value if nothing is set and a migration is necessary.
 		imageRepository := internal.ImageRepositoryFromClusterConfig(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration, parsedVersionTolerant)
 
-		if err := workloadCluster.UpdateImageRepositoryInKubeadmConfigMap(ctx, imageRepository, parsedVersion); err != nil {
-			return ctrl.Result{}, errors.Wrap(err, "failed to update the image repository in the kubeadm config map")
-		}
-	}
-
-	if controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration != nil && controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local != nil {
-		meta := controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local.ImageMeta
-		if err := workloadCluster.UpdateEtcdVersionInKubeadmConfigMap(ctx, meta.ImageRepository, meta.ImageTag, parsedVersion); err != nil {
-			return ctrl.Result{}, errors.Wrap(err, "failed to update the etcd version in the kubeadm config map")
-		}
-
-		extraArgs := controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local.ExtraArgs
-		if err := workloadCluster.UpdateEtcdExtraArgsInKubeadmConfigMap(ctx, extraArgs, parsedVersion); err != nil {
-			return ctrl.Result{}, errors.Wrap(err, "failed to update the etcd extra args in the kubeadm config map")
+		kubeadmCMMutators = append(kubeadmCMMutators,
+			workloadCluster.UpdateImageRepositoryInKubeadmConfigMap(imageRepository),
+			workloadCluster.UpdateFeatureGatesInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.FeatureGates),
+			workloadCluster.UpdateAPIServerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.APIServer),
+			workloadCluster.UpdateControllerManagerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.ControllerManager),
+			workloadCluster.UpdateSchedulerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Scheduler))
+
+		// Etcd local and external are mutually exclusive and they cannot be switched, once set.
+		if controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local != nil {
+			kubeadmCMMutators = append(kubeadmCMMutators,
+				workloadCluster.UpdateEtcdLocalInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local))
+		} else {
+			kubeadmCMMutators = append(kubeadmCMMutators,
+				workloadCluster.UpdateEtcdExternalInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.External))
 		}
 	}
 
-	if controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration != nil {
-		if err := workloadCluster.UpdateAPIServerInKubeadmConfigMap(ctx, controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.APIServer, parsedVersion); err != nil {
-			return ctrl.Result{}, errors.Wrap(err, "failed to update api server in the kubeadm config map")
-		}
-
-		if err := workloadCluster.UpdateControllerManagerInKubeadmConfigMap(ctx, controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.ControllerManager, parsedVersion); err != nil {
-			return ctrl.Result{}, errors.Wrap(err, "failed to update controller manager in the kubeadm config map")
-		}
-
-		if err := workloadCluster.UpdateSchedulerInKubeadmConfigMap(ctx, controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Scheduler, parsedVersion); err != nil {
-			return ctrl.Result{}, errors.Wrap(err, "failed to update scheduler in the kubeadm config map")
-		}
+	// collectively update Kubeadm config map
+	if err = workloadCluster.UpdateClusterConfiguration(ctx, parsedVersion, kubeadmCMMutators...); err != nil {
+		return ctrl.Result{}, err
 	}
 
 	if err := workloadCluster.UpdateKubeletConfigMap(ctx, parsedVersion); err != nil {
diff --git a/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane.go b/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane.go
index 4338b8b11b15..d848d4616bba 100644
--- a/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane.go
+++ b/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane.go
@@ -150,6 +150,7 @@ const (
 	ntp                  = "ntp"
 	ignition             = "ignition"
 	diskSetup            = "diskSetup"
+	featureGates         = "featureGates"
 )
 
 const minimumCertificatesExpiryDays = 7
@@ -176,6 +177,8 @@ func (webhook *KubeadmControlPlane) ValidateUpdate(_ context.Context, oldObj, ne
 		{spec, kubeadmConfigSpec, clusterConfiguration, "dns", "imageRepository"},
 		{spec, kubeadmConfigSpec, clusterConfiguration, "dns", "imageTag"},
 		{spec, kubeadmConfigSpec, clusterConfiguration, "imageRepository"},
+		{spec, kubeadmConfigSpec, clusterConfiguration, featureGates},
+		{spec, kubeadmConfigSpec, clusterConfiguration, featureGates, "*"},
 		{spec, kubeadmConfigSpec, clusterConfiguration, apiServer},
 		{spec, kubeadmConfigSpec, clusterConfiguration, apiServer, "*"},
 		{spec, kubeadmConfigSpec, clusterConfiguration, controllerManager},
diff --git a/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane_test.go b/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane_test.go
index 699d3776d0e1..9c62b22ad4e6 100644
--- a/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane_test.go
+++ b/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane_test.go
@@ -886,8 +886,8 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 			kcp:       imageRepository,
 		},
 		{
-			name:      "should fail when making a change to the cluster config's featureGates",
-			expectErr: true,
+			name:      "should succeed when making a change to the cluster config's featureGates",
+			expectErr: false,
 			before:    before,
 			kcp:       featureGates,
 		},
diff --git a/controlplane/kubeadm/internal/workload_cluster.go b/controlplane/kubeadm/internal/workload_cluster.go
index d4c41eb89f4c..9034dd1e05e8 100644
--- a/controlplane/kubeadm/internal/workload_cluster.go
+++ b/controlplane/kubeadm/internal/workload_cluster.go
@@ -105,13 +105,14 @@ type WorkloadCluster interface {
 	// Upgrade related tasks.
 	ReconcileKubeletRBACBinding(ctx context.Context, version semver.Version) error
 	ReconcileKubeletRBACRole(ctx context.Context, version semver.Version) error
-	UpdateKubernetesVersionInKubeadmConfigMap(ctx context.Context, version semver.Version) error
-	UpdateImageRepositoryInKubeadmConfigMap(ctx context.Context, imageRepository string, version semver.Version) error
-	UpdateEtcdVersionInKubeadmConfigMap(ctx context.Context, imageRepository, imageTag string, version semver.Version) error
-	UpdateEtcdExtraArgsInKubeadmConfigMap(ctx context.Context, extraArgs map[string]string, version semver.Version) error
-	UpdateAPIServerInKubeadmConfigMap(ctx context.Context, apiServer bootstrapv1.APIServer, version semver.Version) error
-	UpdateControllerManagerInKubeadmConfigMap(ctx context.Context, controllerManager bootstrapv1.ControlPlaneComponent, version semver.Version) error
-	UpdateSchedulerInKubeadmConfigMap(ctx context.Context, scheduler bootstrapv1.ControlPlaneComponent, version semver.Version) error
+	UpdateKubernetesVersionInKubeadmConfigMap(version semver.Version) func(*bootstrapv1.ClusterConfiguration)
+	UpdateImageRepositoryInKubeadmConfigMap(imageRepository string) func(*bootstrapv1.ClusterConfiguration)
+	UpdateFeatureGatesInKubeadmConfigMap(featureGates map[string]bool) func(*bootstrapv1.ClusterConfiguration)
+	UpdateEtcdLocalInKubeadmConfigMap(localEtcd *bootstrapv1.LocalEtcd) func(*bootstrapv1.ClusterConfiguration)
+	UpdateEtcdExternalInKubeadmConfigMap(externalEtcd *bootstrapv1.ExternalEtcd) func(*bootstrapv1.ClusterConfiguration)
+	UpdateAPIServerInKubeadmConfigMap(apiServer bootstrapv1.APIServer) func(*bootstrapv1.ClusterConfiguration)
+	UpdateControllerManagerInKubeadmConfigMap(controllerManager bootstrapv1.ControlPlaneComponent) func(*bootstrapv1.ClusterConfiguration)
+	UpdateSchedulerInKubeadmConfigMap(scheduler bootstrapv1.ControlPlaneComponent) func(*bootstrapv1.ClusterConfiguration)
 	UpdateKubeletConfigMap(ctx context.Context, version semver.Version) error
 	UpdateKubeProxyImageInfo(ctx context.Context, kcp *controlplanev1.KubeadmControlPlane, version semver.Version) error
 	UpdateCoreDNS(ctx context.Context, kcp *controlplanev1.KubeadmControlPlane, version semver.Version) error
@@ -121,6 +122,7 @@ type WorkloadCluster interface {
 	ForwardEtcdLeadership(ctx context.Context, machine *clusterv1.Machine, leaderCandidate *clusterv1.Machine) error
 	AllowBootstrapTokensToGetNodes(ctx context.Context) error
 	AllowClusterAdminPermissions(ctx context.Context, version semver.Version) error
+	UpdateClusterConfiguration(ctx context.Context, version semver.Version, mutators ...func(*bootstrapv1.ClusterConfiguration)) error
 
 	// State recovery tasks.
 	ReconcileEtcdMembers(ctx context.Context, nodeNames []string, version semver.Version) ([]string, error)
@@ -173,20 +175,30 @@ func (w *Workload) getConfigMap(ctx context.Context, configMap ctrlclient.Object
 }
 
 // UpdateImageRepositoryInKubeadmConfigMap updates the image repository in the kubeadm config map.
-func (w *Workload) UpdateImageRepositoryInKubeadmConfigMap(ctx context.Context, imageRepository string, version semver.Version) error {
-	return w.updateClusterConfiguration(ctx, func(c *bootstrapv1.ClusterConfiguration) {
+func (w *Workload) UpdateImageRepositoryInKubeadmConfigMap(imageRepository string) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
 		if imageRepository == "" {
 			return
 		}
+
 		c.ImageRepository = imageRepository
-	}, version)
+	}
+}
+
+// UpdateFeatureGatesInKubeadmConfigMap updates the feature gates in the kubeadm config map.
+func (w *Workload) UpdateFeatureGatesInKubeadmConfigMap(featureGates map[string]bool) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
+		// Even if featureGates is nil, reset it to ClusterConfiguration
+		// to override any previously set feature gates.
+		c.FeatureGates = featureGates
+	}
 }
 
 // UpdateKubernetesVersionInKubeadmConfigMap updates the kubernetes version in the kubeadm config map.
-func (w *Workload) UpdateKubernetesVersionInKubeadmConfigMap(ctx context.Context, version semver.Version) error {
-	return w.updateClusterConfiguration(ctx, func(c *bootstrapv1.ClusterConfiguration) {
+func (w *Workload) UpdateKubernetesVersionInKubeadmConfigMap(version semver.Version) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
 		c.KubernetesVersion = fmt.Sprintf("v%s", version.String())
-	}, version)
+	}
 }
 
 // UpdateKubeletConfigMap will create a new kubelet-config-1.x config map for a new version of the kubelet.
@@ -270,24 +282,24 @@ func (w *Workload) UpdateKubeletConfigMap(ctx context.Context, version semver.Ve
 }
 
 // UpdateAPIServerInKubeadmConfigMap updates api server configuration in kubeadm config map.
-func (w *Workload) UpdateAPIServerInKubeadmConfigMap(ctx context.Context, apiServer bootstrapv1.APIServer, version semver.Version) error {
-	return w.updateClusterConfiguration(ctx, func(c *bootstrapv1.ClusterConfiguration) {
+func (w *Workload) UpdateAPIServerInKubeadmConfigMap(apiServer bootstrapv1.APIServer) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
 		c.APIServer = apiServer
-	}, version)
+	}
 }
 
 // UpdateControllerManagerInKubeadmConfigMap updates controller manager configuration in kubeadm config map.
-func (w *Workload) UpdateControllerManagerInKubeadmConfigMap(ctx context.Context, controllerManager bootstrapv1.ControlPlaneComponent, version semver.Version) error {
-	return w.updateClusterConfiguration(ctx, func(c *bootstrapv1.ClusterConfiguration) {
+func (w *Workload) UpdateControllerManagerInKubeadmConfigMap(controllerManager bootstrapv1.ControlPlaneComponent) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
 		c.ControllerManager = controllerManager
-	}, version)
+	}
 }
 
 // UpdateSchedulerInKubeadmConfigMap updates scheduler configuration in kubeadm config map.
-func (w *Workload) UpdateSchedulerInKubeadmConfigMap(ctx context.Context, scheduler bootstrapv1.ControlPlaneComponent, version semver.Version) error {
-	return w.updateClusterConfiguration(ctx, func(c *bootstrapv1.ClusterConfiguration) {
+func (w *Workload) UpdateSchedulerInKubeadmConfigMap(scheduler bootstrapv1.ControlPlaneComponent) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
 		c.Scheduler = scheduler
-	}, version)
+	}
 }
 
 // RemoveMachineFromKubeadmConfigMap removes the entry for the machine from the kubeadm configmap.
@@ -350,11 +362,11 @@ func (w *Workload) updateClusterStatus(ctx context.Context, mutator func(status
 	})
 }
 
-// updateClusterConfiguration gets the ClusterConfiguration kubeadm-config ConfigMap, converts it to the
+// UpdateClusterConfiguration gets the ClusterConfiguration kubeadm-config ConfigMap, converts it to the
 // Cluster API representation, and then applies a mutation func; if changes are detected, the
 // data are converted back into the Kubeadm API version in use for the target Kubernetes version and the
 // kubeadm-config ConfigMap updated.
-func (w *Workload) updateClusterConfiguration(ctx context.Context, mutator func(*bootstrapv1.ClusterConfiguration), version semver.Version) error {
+func (w *Workload) UpdateClusterConfiguration(ctx context.Context, version semver.Version, mutators ...func(*bootstrapv1.ClusterConfiguration)) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
 		key := ctrlclient.ObjectKey{Name: kubeadmConfigKey, Namespace: metav1.NamespaceSystem}
 		configMap, err := w.getConfigMap(ctx, key)
@@ -373,7 +385,9 @@ func (w *Workload) updateClusterConfiguration(ctx context.Context, mutator func(
 		}
 
 		updatedObj := currentObj.DeepCopy()
-		mutator(updatedObj)
+		for i := range mutators {
+			mutators[i](updatedObj)
+		}
 
 		if !reflect.DeepEqual(currentObj, updatedObj) {
 			updatedData, err := kubeadmtypes.MarshalClusterConfigurationForVersion(updatedObj, version)
@@ -382,7 +396,7 @@ func (w *Workload) updateClusterConfiguration(ctx context.Context, mutator func(
 			}
 			configMap.Data[clusterConfigurationKey] = updatedData
 			if err := w.Client.Update(ctx, configMap); err != nil {
-				return errors.Wrap(err, "failed to upgrade the kubeadmConfigMap")
+				return errors.Wrap(err, "failed to upgrade cluster configuration in the kubeadmConfigMap")
 			}
 		}
 		return nil
diff --git a/controlplane/kubeadm/internal/workload_cluster_coredns.go b/controlplane/kubeadm/internal/workload_cluster_coredns.go
index 5699c9c06656..deb5d712d708 100644
--- a/controlplane/kubeadm/internal/workload_cluster_coredns.go
+++ b/controlplane/kubeadm/internal/workload_cluster_coredns.go
@@ -145,7 +145,7 @@ func (w *Workload) UpdateCoreDNS(ctx context.Context, kcp *controlplanev1.Kubead
 	}
 
 	// Perform the upgrade.
-	if err := w.updateCoreDNSImageInfoInKubeadmConfigMap(ctx, &clusterConfig.DNS, version); err != nil {
+	if err := w.UpdateClusterConfiguration(ctx, version, w.updateCoreDNSImageInfoInKubeadmConfigMap(&clusterConfig.DNS)); err != nil {
 		return err
 	}
 	if err := w.updateCoreDNSCorefile(ctx, info); err != nil {
@@ -270,11 +270,11 @@ func (w *Workload) updateCoreDNSDeployment(ctx context.Context, info *coreDNSInf
 }
 
 // updateCoreDNSImageInfoInKubeadmConfigMap updates the kubernetes version in the kubeadm config map.
-func (w *Workload) updateCoreDNSImageInfoInKubeadmConfigMap(ctx context.Context, dns *bootstrapv1.DNS, version semver.Version) error {
-	return w.updateClusterConfiguration(ctx, func(c *bootstrapv1.ClusterConfiguration) {
+func (w *Workload) updateCoreDNSImageInfoInKubeadmConfigMap(dns *bootstrapv1.DNS) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
 		c.DNS.ImageRepository = dns.ImageRepository
 		c.DNS.ImageTag = dns.ImageTag
-	}, version)
+	}
 }
 
 // updateCoreDNSClusterRole updates the CoreDNS ClusterRole when necessary.
diff --git a/controlplane/kubeadm/internal/workload_cluster_coredns_test.go b/controlplane/kubeadm/internal/workload_cluster_coredns_test.go
index 12bf01c42863..fd68d0a1595e 100644
--- a/controlplane/kubeadm/internal/workload_cluster_coredns_test.go
+++ b/controlplane/kubeadm/internal/workload_cluster_coredns_test.go
@@ -32,7 +32,7 @@ import (
 
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
-	"sigs.k8s.io/cluster-api/util/yaml"
+	utilyaml "sigs.k8s.io/cluster-api/util/yaml"
 )
 
 func TestUpdateCoreDNS(t *testing.T) {
@@ -124,7 +124,7 @@ func TestUpdateCoreDNS(t *testing.T) {
 			Namespace: metav1.NamespaceSystem,
 		},
 		Data: map[string]string{
-			"ClusterConfiguration": yaml.Raw(`
+			"ClusterConfiguration": utilyaml.Raw(`
 				apiServer:
 				apiVersion: kubeadm.k8s.io/v1beta2
 				dns:
@@ -140,7 +140,7 @@ func TestUpdateCoreDNS(t *testing.T) {
 			Namespace: metav1.NamespaceSystem,
 		},
 		Data: map[string]string{
-			"ClusterConfiguration": yaml.Raw(`
+			"ClusterConfiguration": utilyaml.Raw(`
 				apiServer:
 				apiVersion: kubeadm.k8s.io/v1beta2
 				dns:
@@ -1410,7 +1410,7 @@ func TestUpdateCoreDNSImageInfoInKubeadmConfigMap(t *testing.T) {
 	}{
 		{
 			name: "it should set the DNS image config",
-			clusterConfigurationData: yaml.Raw(`
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				`),
@@ -1420,7 +1420,7 @@ func TestUpdateCoreDNSImageInfoInKubeadmConfigMap(t *testing.T) {
 					ImageTag:        "v1.2.3",
 				},
 			},
-			wantClusterConfiguration: yaml.Raw(`
+			wantClusterConfiguration: utilyaml.Raw(`
 				apiServer: {}
 				apiVersion: kubeadm.k8s.io/v1beta2
 				controllerManager: {}
@@ -1451,7 +1451,7 @@ func TestUpdateCoreDNSImageInfoInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.updateCoreDNSImageInfoInKubeadmConfigMap(ctx, &tt.newDNS, semver.MustParse("1.19.1"))
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.19.1"), w.updateCoreDNSImageInfoInKubeadmConfigMap(&tt.newDNS))
 			g.Expect(err).ToNot(HaveOccurred())
 
 			var actualConfig corev1.ConfigMap
diff --git a/controlplane/kubeadm/internal/workload_cluster_etcd.go b/controlplane/kubeadm/internal/workload_cluster_etcd.go
index bb4c4d417960..48c06bc3f567 100644
--- a/controlplane/kubeadm/internal/workload_cluster_etcd.go
+++ b/controlplane/kubeadm/internal/workload_cluster_etcd.go
@@ -92,23 +92,22 @@ loopmembers:
 	return removedMembers, errs
 }
 
-// UpdateEtcdVersionInKubeadmConfigMap sets the imageRepository or the imageTag or both in the kubeadm config map.
-func (w *Workload) UpdateEtcdVersionInKubeadmConfigMap(ctx context.Context, imageRepository, imageTag string, version semver.Version) error {
-	return w.updateClusterConfiguration(ctx, func(c *bootstrapv1.ClusterConfiguration) {
+// UpdateEtcdLocalInKubeadmConfigMap sets etcd local configuration in the kubeadm config map.
+func (w *Workload) UpdateEtcdLocalInKubeadmConfigMap(etcdLocal *bootstrapv1.LocalEtcd) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
 		if c.Etcd.Local != nil {
-			c.Etcd.Local.ImageRepository = imageRepository
-			c.Etcd.Local.ImageTag = imageTag
+			c.Etcd.Local = etcdLocal
 		}
-	}, version)
+	}
 }
 
-// UpdateEtcdExtraArgsInKubeadmConfigMap sets extraArgs in the kubeadm config map.
-func (w *Workload) UpdateEtcdExtraArgsInKubeadmConfigMap(ctx context.Context, extraArgs map[string]string, version semver.Version) error {
-	return w.updateClusterConfiguration(ctx, func(c *bootstrapv1.ClusterConfiguration) {
-		if c.Etcd.Local != nil {
-			c.Etcd.Local.ExtraArgs = extraArgs
+// UpdateEtcdExternalInKubeadmConfigMap sets etcd external configuration in the kubeadm config map.
+func (w *Workload) UpdateEtcdExternalInKubeadmConfigMap(etcdExternal *bootstrapv1.ExternalEtcd) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
+		if c.Etcd.External != nil {
+			c.Etcd.External = etcdExternal
 		}
-	}, version)
+	}
 }
 
 // RemoveEtcdMemberForMachine removes the etcd member from the target cluster's etcd cluster.
diff --git a/controlplane/kubeadm/internal/workload_cluster_etcd_test.go b/controlplane/kubeadm/internal/workload_cluster_etcd_test.go
index e80e869a51ba..3c8f8736ae0d 100644
--- a/controlplane/kubeadm/internal/workload_cluster_etcd_test.go
+++ b/controlplane/kubeadm/internal/workload_cluster_etcd_test.go
@@ -32,58 +32,69 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controlplane/kubeadm/internal/etcd"
 	fake2 "sigs.k8s.io/cluster-api/controlplane/kubeadm/internal/etcd/fake"
-	"sigs.k8s.io/cluster-api/util/yaml"
+	utilyaml "sigs.k8s.io/cluster-api/util/yaml"
 )
 
-func TestUpdateEtcdVersionInKubeadmConfigMap(t *testing.T) {
+func TestUpdateEtcdExternalInKubeadmConfigMap(t *testing.T) {
 	tests := []struct {
 		name                     string
 		clusterConfigurationData string
-		newImageRepository       string
-		newImageTag              string
+		externalEtcd             *bootstrapv1.ExternalEtcd
 		wantClusterConfiguration string
 	}{
 		{
-			name: "it should set etcd version when local etcd",
-			clusterConfigurationData: yaml.Raw(`
+			name: "it should set external etcd configuration with external etcd",
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				etcd:
-				  local: {}
+				  external: {}
 				`),
-			newImageRepository: "example.com/k8s",
-			newImageTag:        "v1.6.0",
-			wantClusterConfiguration: yaml.Raw(`
+			externalEtcd: &bootstrapv1.ExternalEtcd{
+				Endpoints: []string{"1.2.3.4"},
+				CAFile:    "/tmp/ca_file.pem",
+				CertFile:  "/tmp/cert_file.crt",
+				KeyFile:   "/tmp/key_file.key",
+			},
+			wantClusterConfiguration: utilyaml.Raw(`
 				apiServer: {}
 				apiVersion: kubeadm.k8s.io/v1beta2
 				controllerManager: {}
 				dns: {}
 				etcd:
-				  local:
-				    imageRepository: example.com/k8s
-				    imageTag: v1.6.0
+				  external:
+				    caFile: /tmp/ca_file.pem
+				    certFile: /tmp/cert_file.crt
+				    endpoints:
+				    - 1.2.3.4
+				    keyFile: /tmp/key_file.key
 				kind: ClusterConfiguration
 				networking: {}
 				scheduler: {}
 				`),
 		},
 		{
-			name: "no op when external etcd",
-			clusterConfigurationData: yaml.Raw(`
+			name: "no op when local etcd configuration already exists",
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				etcd:
-				  external: {}
+				  local: {}
 				`),
-			newImageRepository: "example.com/k8s",
-			newImageTag:        "v1.6.0",
-			wantClusterConfiguration: yaml.Raw(`
+			externalEtcd: &bootstrapv1.ExternalEtcd{
+				Endpoints: []string{"1.2.3.4"},
+				CAFile:    "/tmp/ca_file.pem",
+				CertFile:  "/tmp/cert_file.crt",
+				KeyFile:   "/tmp/key_file.key",
+			},
+			wantClusterConfiguration: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				etcd:
-				  external: {}
+				  local: {}
 				`),
 		},
 	}
@@ -104,7 +115,7 @@ func TestUpdateEtcdVersionInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.UpdateEtcdVersionInKubeadmConfigMap(ctx, tt.newImageRepository, tt.newImageTag, semver.MustParse("1.19.1"))
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.19.1"), w.UpdateEtcdExternalInKubeadmConfigMap(tt.externalEtcd))
 			g.Expect(err).ToNot(HaveOccurred())
 
 			var actualConfig corev1.ConfigMap
@@ -118,25 +129,31 @@ func TestUpdateEtcdVersionInKubeadmConfigMap(t *testing.T) {
 	}
 }
 
-func TestUpdateEtcdExtraArgsInKubeadmConfigMap(t *testing.T) {
+func TestUpdateEtcdLocalInKubeadmConfigMap(t *testing.T) {
 	tests := []struct {
 		name                     string
 		clusterConfigurationData string
-		newExtraArgs             map[string]string
+		localEtcd                *bootstrapv1.LocalEtcd
 		wantClusterConfiguration string
 	}{
 		{
-			name: "it should set etcd extraArgs when local etcd",
-			clusterConfigurationData: yaml.Raw(`
+			name: "it should set local etcd configuration with local etcd",
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				etcd:
 				  local: {}
 				`),
-			newExtraArgs: map[string]string{
-				"foo": "bar",
+			localEtcd: &bootstrapv1.LocalEtcd{
+				ImageMeta: bootstrapv1.ImageMeta{
+					ImageRepository: "example.com/k8s",
+					ImageTag:        "v1.6.0",
+				},
+				ExtraArgs: map[string]string{
+					"foo": "bar",
+				},
 			},
-			wantClusterConfiguration: yaml.Raw(`
+			wantClusterConfiguration: utilyaml.Raw(`
 				apiServer: {}
 				apiVersion: kubeadm.k8s.io/v1beta2
 				controllerManager: {}
@@ -145,23 +162,31 @@ func TestUpdateEtcdExtraArgsInKubeadmConfigMap(t *testing.T) {
 				  local:
 				    extraArgs:
 				      foo: bar
+				    imageRepository: example.com/k8s
+				    imageTag: v1.6.0
 				kind: ClusterConfiguration
 				networking: {}
 				scheduler: {}
 				`),
 		},
 		{
-			name: "no op when external etcd",
-			clusterConfigurationData: yaml.Raw(`
+			name: "no op when external etcd configuration already exists",
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				etcd:
 				  external: {}
 				`),
-			newExtraArgs: map[string]string{
-				"foo": "bar",
+			localEtcd: &bootstrapv1.LocalEtcd{
+				ImageMeta: bootstrapv1.ImageMeta{
+					ImageRepository: "example.com/k8s",
+					ImageTag:        "v1.6.0",
+				},
+				ExtraArgs: map[string]string{
+					"foo": "bar",
+				},
 			},
-			wantClusterConfiguration: yaml.Raw(`
+			wantClusterConfiguration: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				etcd:
@@ -186,7 +211,7 @@ func TestUpdateEtcdExtraArgsInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.UpdateEtcdExtraArgsInKubeadmConfigMap(ctx, tt.newExtraArgs, semver.MustParse("1.19.1"))
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.19.1"), w.UpdateEtcdLocalInKubeadmConfigMap(tt.localEtcd))
 			g.Expect(err).ToNot(HaveOccurred())
 
 			var actualConfig corev1.ConfigMap
@@ -534,7 +559,7 @@ func TestReconcileEtcdMembers(t *testing.T) {
 			Namespace: metav1.NamespaceSystem,
 		},
 		Data: map[string]string{
-			clusterStatusKey: yaml.Raw(`
+			clusterStatusKey: utilyaml.Raw(`
 				apiEndpoints:
 				  ip-10-0-0-1.ec2.internal:
 				    advertiseAddress: 10.0.0.1
@@ -610,7 +635,7 @@ func TestReconcileEtcdMembers(t *testing.T) {
 					client.ObjectKey{Name: kubeadmConfigKey, Namespace: metav1.NamespaceSystem},
 					&actualConfig,
 				)).To(Succeed())
-				expectedOutput := yaml.Raw(`
+				expectedOutput := utilyaml.Raw(`
 					apiEndpoints:
 					  ip-10-0-0-1.ec2.internal:
 					    advertiseAddress: 10.0.0.1
@@ -702,7 +727,7 @@ func TestRemoveNodeFromKubeadmConfigMap(t *testing.T) {
 		{
 			name:        "removes the api endpoint",
 			apiEndpoint: "ip-10-0-0-2.ec2.internal",
-			clusterStatusData: yaml.Raw(`
+			clusterStatusData: utilyaml.Raw(`
 				apiEndpoints:
 				  ip-10-0-0-1.ec2.internal:
 				    advertiseAddress: 10.0.0.1
@@ -713,7 +738,7 @@ func TestRemoveNodeFromKubeadmConfigMap(t *testing.T) {
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterStatus
 				`),
-			wantClusterStatus: yaml.Raw(`
+			wantClusterStatus: utilyaml.Raw(`
 				apiEndpoints:
 				  ip-10-0-0-1.ec2.internal:
 				    advertiseAddress: 10.0.0.1
@@ -725,7 +750,7 @@ func TestRemoveNodeFromKubeadmConfigMap(t *testing.T) {
 		{
 			name:        "no op if the api endpoint does not exists",
 			apiEndpoint: "ip-10-0-0-2.ec2.internal",
-			clusterStatusData: yaml.Raw(`
+			clusterStatusData: utilyaml.Raw(`
 				apiEndpoints:
 				  ip-10-0-0-1.ec2.internal:
 				    advertiseAddress: 10.0.0.1
@@ -733,7 +758,7 @@ func TestRemoveNodeFromKubeadmConfigMap(t *testing.T) {
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterStatus
 				`),
-			wantClusterStatus: yaml.Raw(`
+			wantClusterStatus: utilyaml.Raw(`
 				apiEndpoints:
 				  ip-10-0-0-1.ec2.internal:
 				    advertiseAddress: 10.0.0.1
diff --git a/controlplane/kubeadm/internal/workload_cluster_test.go b/controlplane/kubeadm/internal/workload_cluster_test.go
index bb15b6d99da2..eb475a89ca21 100644
--- a/controlplane/kubeadm/internal/workload_cluster_test.go
+++ b/controlplane/kubeadm/internal/workload_cluster_test.go
@@ -30,12 +30,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/yaml"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util/version"
-	"sigs.k8s.io/cluster-api/util/yaml"
+	utilyaml "sigs.k8s.io/cluster-api/util/yaml"
 )
 
 func TestGetControlPlaneNodes(t *testing.T) {
@@ -262,7 +263,7 @@ func TestRemoveMachineFromKubeadmConfigMap(t *testing.T) {
 			Namespace: metav1.NamespaceSystem,
 		},
 		Data: map[string]string{
-			clusterStatusKey: yaml.Raw(`
+			clusterStatusKey: utilyaml.Raw(`
 				apiEndpoints:
 				  ip-10-0-0-1.ec2.internal:
 				    advertiseAddress: 10.0.0.1
@@ -327,7 +328,7 @@ func TestRemoveMachineFromKubeadmConfigMap(t *testing.T) {
 			machine:           machine,
 			objs:              []client.Object{kubeadmConfig},
 			expectErr:         false,
-			expectedEndpoints: yaml.Raw(`
+			expectedEndpoints: utilyaml.Raw(`
 				apiEndpoints:
 				  ip-10-0-0-2.ec2.internal:
 				    advertiseAddress: 10.0.0.2
@@ -397,7 +398,7 @@ func TestUpdateKubeletConfigMap(t *testing.T) {
 					ResourceVersion: "some-resource-version",
 				},
 				Data: map[string]string{
-					kubeletConfigKey: yaml.Raw(`
+					kubeletConfigKey: utilyaml.Raw(`
 						apiVersion: kubelet.config.k8s.io/v1beta1
 						kind: KubeletConfiguration
 						foo: bar
@@ -416,7 +417,7 @@ func TestUpdateKubeletConfigMap(t *testing.T) {
 					ResourceVersion: "some-resource-version",
 				},
 				Data: map[string]string{
-					kubeletConfigKey: yaml.Raw(`
+					kubeletConfigKey: utilyaml.Raw(`
 						apiVersion: kubelet.config.k8s.io/v1beta1
 						kind: KubeletConfiguration
 						foo: bar
@@ -435,7 +436,7 @@ func TestUpdateKubeletConfigMap(t *testing.T) {
 					ResourceVersion: "some-resource-version",
 				},
 				Data: map[string]string{
-					kubeletConfigKey: yaml.Raw(`
+					kubeletConfigKey: utilyaml.Raw(`
 						apiVersion: kubelet.config.k8s.io/v1beta1
 						kind: KubeletConfiguration
 						foo: bar
@@ -453,7 +454,7 @@ func TestUpdateKubeletConfigMap(t *testing.T) {
 					ResourceVersion: "some-resource-version",
 				},
 				Data: map[string]string{
-					kubeletConfigKey: yaml.Raw(`
+					kubeletConfigKey: utilyaml.Raw(`
 						apiVersion: kubelet.config.k8s.io/v1beta1
 						kind: KubeletConfiguration
 						foo: bar
@@ -473,7 +474,7 @@ func TestUpdateKubeletConfigMap(t *testing.T) {
 					ResourceVersion: "some-resource-version",
 				},
 				Data: map[string]string{
-					kubeletConfigKey: yaml.Raw(`
+					kubeletConfigKey: utilyaml.Raw(`
 						apiVersion: kubelet.config.k8s.io/v1beta1
 						kind: KubeletConfiguration
 						cgroupDriver: cgroupfs
@@ -576,7 +577,7 @@ func TestUpdateUpdateClusterConfigurationInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterConfigurationKey: yaml.Raw(`
+					clusterConfigurationKey: utilyaml.Raw(`
 						apiVersion: kubeadm.k8s.io/v1beta2
 						kind: ClusterConfiguration
 						kubernetesVersion: v1.16.1
@@ -590,7 +591,7 @@ func TestUpdateUpdateClusterConfigurationInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterConfigurationKey: yaml.Raw(`
+					clusterConfigurationKey: utilyaml.Raw(`
 						apiVersion: kubeadm.k8s.io/v1beta2
 						kind: ClusterConfiguration
 						kubernetesVersion: v1.16.1
@@ -607,7 +608,7 @@ func TestUpdateUpdateClusterConfigurationInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterConfigurationKey: yaml.Raw(`
+					clusterConfigurationKey: utilyaml.Raw(`
 						apiVersion: kubeadm.k8s.io/v1beta2
 						kind: ClusterConfiguration
 						kubernetesVersion: v1.16.1
@@ -623,7 +624,7 @@ func TestUpdateUpdateClusterConfigurationInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterConfigurationKey: yaml.Raw(`
+					clusterConfigurationKey: utilyaml.Raw(`
 						apiServer: {}
 						apiVersion: kubeadm.k8s.io/v1beta2
 						controllerManager: {}
@@ -646,7 +647,7 @@ func TestUpdateUpdateClusterConfigurationInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterConfigurationKey: yaml.Raw(`
+					clusterConfigurationKey: utilyaml.Raw(`
 						apiVersion: kubeadm.k8s.io/v1beta2
 						kind: ClusterConfiguration
 						kubernetesVersion: v1.16.1
@@ -662,7 +663,7 @@ func TestUpdateUpdateClusterConfigurationInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterConfigurationKey: yaml.Raw(`
+					clusterConfigurationKey: utilyaml.Raw(`
 						apiServer: {}
 						apiVersion: kubeadm.k8s.io/v1beta3
 						controllerManager: {}
@@ -686,7 +687,7 @@ func TestUpdateUpdateClusterConfigurationInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.updateClusterConfiguration(ctx, tt.mutator, tt.version)
+			err := w.UpdateClusterConfiguration(ctx, tt.version, tt.mutator)
 			if tt.wantErr {
 				g.Expect(err).To(HaveOccurred())
 				return
@@ -754,7 +755,7 @@ func TestUpdateUpdateClusterStatusInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterStatusKey: yaml.Raw(`
+					clusterStatusKey: utilyaml.Raw(`
 						apiEndpoints:
 						  ip-10-0-0-1.ec2.internal:
 						    advertiseAddress: 10.0.0.1
@@ -771,7 +772,7 @@ func TestUpdateUpdateClusterStatusInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterStatusKey: yaml.Raw(`
+					clusterStatusKey: utilyaml.Raw(`
 						apiEndpoints:
 						  ip-10-0-0-1.ec2.internal:
 						    advertiseAddress: 10.0.0.1
@@ -791,7 +792,7 @@ func TestUpdateUpdateClusterStatusInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterStatusKey: yaml.Raw(`
+					clusterStatusKey: utilyaml.Raw(`
 						apiEndpoints:
 						  ip-10-0-0-1.ec2.internal:
 						    advertiseAddress: 10.0.0.1
@@ -810,7 +811,7 @@ func TestUpdateUpdateClusterStatusInKubeadmConfigMap(t *testing.T) {
 					Namespace: metav1.NamespaceSystem,
 				},
 				Data: map[string]string{
-					clusterStatusKey: yaml.Raw(`
+					clusterStatusKey: utilyaml.Raw(`
 						apiEndpoints:
 						  ip-10-0-0-1.ec2.internal:
 						    advertiseAddress: 10.0.0.1
@@ -859,7 +860,7 @@ func TestUpdateKubernetesVersionInKubeadmConfigMap(t *testing.T) {
 		{
 			name:    "updates the config map and changes the kubeadm API version",
 			version: semver.MustParse("1.17.2"),
-			clusterConfigurationData: yaml.Raw(`
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				kubernetesVersion: v1.16.1`),
@@ -882,7 +883,8 @@ func TestUpdateKubernetesVersionInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.UpdateKubernetesVersionInKubeadmConfigMap(ctx, tt.version)
+
+			err := w.UpdateClusterConfiguration(ctx, tt.version, w.UpdateKubernetesVersionInKubeadmConfigMap(tt.version))
 			g.Expect(err).ToNot(HaveOccurred())
 
 			var actualConfig corev1.ConfigMap
@@ -905,7 +907,7 @@ func TestUpdateImageRepositoryInKubeadmConfigMap(t *testing.T) {
 	}{
 		{
 			name: "it should set the image repository",
-			clusterConfigurationData: yaml.Raw(`
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration`),
 			newImageRepository:  "example.com/k8s",
@@ -913,7 +915,7 @@ func TestUpdateImageRepositoryInKubeadmConfigMap(t *testing.T) {
 		},
 		{
 			name: "it should preserve the existing image repository if then new value is empty",
-			clusterConfigurationData: yaml.Raw(`
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				imageRepository: foo.bar/baz.io`),
@@ -938,7 +940,7 @@ func TestUpdateImageRepositoryInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.UpdateImageRepositoryInKubeadmConfigMap(ctx, tt.newImageRepository, semver.MustParse("1.19.1"))
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.19.1"), w.UpdateImageRepositoryInKubeadmConfigMap(tt.newImageRepository))
 			g.Expect(err).ToNot(HaveOccurred())
 
 			var actualConfig corev1.ConfigMap
@@ -961,7 +963,7 @@ func TestUpdateApiServerInKubeadmConfigMap(t *testing.T) {
 	}{
 		{
 			name: "it should set the api server config",
-			clusterConfigurationData: yaml.Raw(`
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				`),
@@ -980,7 +982,7 @@ func TestUpdateApiServerInKubeadmConfigMap(t *testing.T) {
 					},
 				},
 			},
-			wantClusterConfiguration: yaml.Raw(`
+			wantClusterConfiguration: utilyaml.Raw(`
 				apiServer:
 				  extraArgs:
 				    bar: baz
@@ -1016,7 +1018,7 @@ func TestUpdateApiServerInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.UpdateAPIServerInKubeadmConfigMap(ctx, tt.newAPIServer, semver.MustParse("1.19.1"))
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.19.1"), w.UpdateAPIServerInKubeadmConfigMap(tt.newAPIServer))
 			g.Expect(err).ToNot(HaveOccurred())
 
 			var actualConfig corev1.ConfigMap
@@ -1039,7 +1041,7 @@ func TestUpdateControllerManagerInKubeadmConfigMap(t *testing.T) {
 	}{
 		{
 			name: "it should set the controller manager config",
-			clusterConfigurationData: yaml.Raw(`
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				`),
@@ -1056,7 +1058,7 @@ func TestUpdateControllerManagerInKubeadmConfigMap(t *testing.T) {
 					},
 				},
 			},
-			wantClusterConfiguration: yaml.Raw(`
+			wantClusterConfiguration: utilyaml.Raw(`
 				apiServer: {}
 				apiVersion: kubeadm.k8s.io/v1beta2
 				controllerManager:
@@ -1092,7 +1094,7 @@ func TestUpdateControllerManagerInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.UpdateControllerManagerInKubeadmConfigMap(ctx, tt.newControllerManager, semver.MustParse("1.19.1"))
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.19.1"), w.UpdateControllerManagerInKubeadmConfigMap(tt.newControllerManager))
 			g.Expect(err).ToNot(HaveOccurred())
 
 			var actualConfig corev1.ConfigMap
@@ -1115,7 +1117,7 @@ func TestUpdateSchedulerInKubeadmConfigMap(t *testing.T) {
 	}{
 		{
 			name: "it should set the scheduler config",
-			clusterConfigurationData: yaml.Raw(`
+			clusterConfigurationData: utilyaml.Raw(`
 				apiVersion: kubeadm.k8s.io/v1beta2
 				kind: ClusterConfiguration
 				`),
@@ -1132,7 +1134,7 @@ func TestUpdateSchedulerInKubeadmConfigMap(t *testing.T) {
 					},
 				},
 			},
-			wantClusterConfiguration: yaml.Raw(`
+			wantClusterConfiguration: utilyaml.Raw(`
 				apiServer: {}
 				apiVersion: kubeadm.k8s.io/v1beta2
 				controllerManager: {}
@@ -1167,7 +1169,7 @@ func TestUpdateSchedulerInKubeadmConfigMap(t *testing.T) {
 			w := &Workload{
 				Client: fakeClient,
 			}
-			err := w.UpdateSchedulerInKubeadmConfigMap(ctx, tt.newScheduler, semver.MustParse("1.19.1"))
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.19.1"), w.UpdateSchedulerInKubeadmConfigMap(tt.newScheduler))
 			g.Expect(err).ToNot(HaveOccurred())
 
 			var actualConfig corev1.ConfigMap
@@ -1260,6 +1262,70 @@ func TestClusterStatus(t *testing.T) {
 	}
 }
 
+func TestUpdateFeatureGatesInKubeadmConfigMap(t *testing.T) {
+	tests := []struct {
+		name                     string
+		clusterConfigurationData string
+		newFeatureGates          map[string]bool
+		wantFeatureGates         map[string]bool
+	}{
+		{
+			name: "it updates feature gates",
+			clusterConfigurationData: utilyaml.Raw(`
+				apiVersion: kubeadm.k8s.io/v1beta2
+				kind: ClusterConfiguration`),
+			newFeatureGates:  map[string]bool{"EtcdLearnerMode": true},
+			wantFeatureGates: map[string]bool{"EtcdLearnerMode": true},
+		},
+		{
+			name: "it should override feature gates even if new value is nil",
+			clusterConfigurationData: utilyaml.Raw(`
+				apiVersion: kubeadm.k8s.io/v1beta2
+				kind: ClusterConfiguration
+				featureGates:
+				  EtcdLearnerMode: true
+				`),
+			newFeatureGates:  nil,
+			wantFeatureGates: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			fakeClient := fake.NewClientBuilder().WithObjects(&corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      kubeadmConfigKey,
+					Namespace: metav1.NamespaceSystem,
+				},
+				Data: map[string]string{
+					clusterConfigurationKey: tt.clusterConfigurationData,
+				},
+			}).Build()
+
+			w := &Workload{
+				Client: fakeClient,
+			}
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.19.1"), w.UpdateFeatureGatesInKubeadmConfigMap(tt.newFeatureGates))
+			g.Expect(err).ToNot(HaveOccurred())
+
+			var actualConfig corev1.ConfigMap
+			g.Expect(w.Client.Get(
+				ctx,
+				client.ObjectKey{Name: kubeadmConfigKey, Namespace: metav1.NamespaceSystem},
+				&actualConfig,
+			)).To(Succeed())
+
+			actualConfiguration := bootstrapv1.ClusterConfiguration{}
+			err = yaml.Unmarshal([]byte(actualConfig.Data[clusterConfigurationKey]), &actualConfiguration)
+			if err != nil {
+				return
+			}
+			g.Expect(actualConfiguration.FeatureGates).Should(Equal(tt.wantFeatureGates))
+		})
+	}
+}
+
 func getProxyImageInfo(ctx context.Context, c client.Client) (string, error) {
 	ds := &appsv1.DaemonSet{}
 
diff --git a/docs/book/book.toml b/docs/book/book.toml
index ea3f1591c7f4..0f07025c6a7a 100644
--- a/docs/book/book.toml
+++ b/docs/book/book.toml
@@ -13,11 +13,11 @@ additional-css = ["theme/css/custom.css"]
 [output.html.redirect]
 "/tasks/upgrade.html" = "/tasks/upgrading-cluster-api-versions.html"
 "/agenda.html" = "/agenda/2024.html"
-"/agenda/2024.html" = "https://docs.google.com/document/d/1X5_qNUvoY0Tk3BwXODWHAl72L-APM_GiA-IE4WoitYY"
+"/agenda/2024.html" = "https://docs.google.com/document/d/1GgFbaYs-H6J5HSQ6a7n4aKpk0nDLE2hgG2NSOM9YIRw"
 "/agenda/2023.html" = "https://docs.google.com/document/d/1Ov_rbxOV_O4HeAuwTev1lSwkiLJoBc_HDS1NyI93AcY"
-"/agenda/2022.html" = ""
+"/agenda/2022.html" = "https://docs.google.com/document/d/1Bk_1581mriNUlwOFpt7SAC3WnaM_gBqLy8aWoiWG-9A"
 "/agenda/2021.html" = ""
-"/agenda/2020.html" = ""
+"/agenda/2020.html" = "https://docs.google.com/document/d/1r8ydd2g2NFE4giD9MqLspv0CJcjzC17e4UUQyyNLx2M"
 "/agenda/2019.html" = "https://docs.google.com/document/d/1Ys-DOR5UsgbMEeciuG0HOgDQc8kZsaWIWJeKJ1-UfbY"
 
 [preprocessor.tabulate]
diff --git a/docs/book/src/clusterctl/provider-contract.md b/docs/book/src/clusterctl/provider-contract.md
index da52a09dfc46..b1ad3e261685 100644
--- a/docs/book/src/clusterctl/provider-contract.md
+++ b/docs/book/src/clusterctl/provider-contract.md
@@ -321,6 +321,7 @@ providers.
 | CAPDO         | cluster.x-k8s.io/provider=infrastructure-digitalocean |
 | CAPG          | cluster.x-k8s.io/provider=infrastructure-gcp          |
 | CAPH          | cluster.x-k8s.io/provider=infrastructure-hetzner      |
+| CAPHV         | cluster.x-k8s.io/provider=infrastructure-hivelocity   |
 | CAPIBM        | cluster.x-k8s.io/provider=infrastructure-ibmcloud     |
 | CAPKK         | cluster.x-k8s.io/provider=infrastructure-kubekey      |
 | CAPK          | cluster.x-k8s.io/provider=infrastructure-kubevirt     |
@@ -336,6 +337,7 @@ providers.
 | CAPZ          | cluster.x-k8s.io/provider=infrastructure-azure        |
 | CAPOSC        | cluster.x-k8s.io/provider=infrastructure-outscale     |
 | CAPK0S        | cluster.x-k8s.io/provider=infrastructure-k0smotron    |
+| CAIPAMIC      | cluster.x-k8s.io/provider=ipam-in-cluster             |
 
 ### Workload cluster templates
 
diff --git a/docs/book/src/developer/providers/implementers-guide/controllers_and_reconciliation.md b/docs/book/src/developer/providers/implementers-guide/controllers_and_reconciliation.md
index a5029886c79a..836532204490 100644
--- a/docs/book/src/developer/providers/implementers-guide/controllers_and_reconciliation.md
+++ b/docs/book/src/developer/providers/implementers-guide/controllers_and_reconciliation.md
@@ -175,7 +175,7 @@ if err != nil {
 But wait, this isn't quite right.
 `Reconcile()` gets called periodically for updates, and any time any updates are made.
 That would mean we're potentially sending an email every few minutes!
-This is an important thing about controllers: they need to be [*idempotent*][idempotent].
+This is an important thing about controllers: they need to be idempotent. This means a controller must be able to repeat actions on the same inputs without changing the effect of those actions.
 
 So in our case, we'll store the result of sending a message, and then check to see if we've sent one before.
 
@@ -209,7 +209,6 @@ return ctrl.Result{}, nil
 
 [cluster]: https://godoc.org/sigs.k8s.io/cluster-api/api/v1beta1#Cluster
 [getowner]: https://godoc.org/sigs.k8s.io/cluster-api/util#GetOwnerMachine
-[idempotent]: https://stackoverflow.com/questions/1077412/what-is-an-idempotent-operation
 
 #### A note about the status
 
diff --git a/docs/book/src/developer/providers/migrations/v1.4-to-v1.5.md b/docs/book/src/developer/providers/migrations/v1.4-to-v1.5.md
index ba37d8d8884d..44b42de695e5 100644
--- a/docs/book/src/developer/providers/migrations/v1.4-to-v1.5.md
+++ b/docs/book/src/developer/providers/migrations/v1.4-to-v1.5.md
@@ -25,7 +25,7 @@ maintainers of providers and consumers of our Go API.
 ### Removals
 
 - API version `v1alpha3` is not served in v1.5 (users can enable it manually in case they are lagging behind with deprecation cycles). Important: `v1alpha3` will be completely removed in 1.6.
-- The lazy restmapper feature gate was removed in controller-runtime and lazy restmapper is now the default restmapper. Accordingly the `EXP_LAZY_RESTMAPPER` feature gate was removed in Cluster API. 
+- The lazy restmapper feature gate was removed in controller-runtime and lazy restmapper is now the default restmapper. Accordingly the `EXP_LAZY_RESTMAPPER` feature gate was removed in Cluster API.
 
 ### API Changes
 
@@ -34,32 +34,34 @@ maintainers of providers and consumers of our Go API.
 ### Other
 
 - clusterctl move is adding the new annotation `clusterctl.cluster.x-k8s.io/delete-for-move` before object deletion.
-- Providers running CAPI release-0.3 clusterctl upgrade tests should set `WorkloadKubernetesVersion` field to the maximum workload cluster kubernetes version supported by the old providers in `ClusterctlUpgradeSpecInput`. For more information, please see: https://github.com/kubernetes-sigs/cluster-api/pull/8518#issuecomment-1508064859 
+- Providers running CAPI release-0.3 clusterctl upgrade tests should set `WorkloadKubernetesVersion` field to the maximum workload cluster kubernetes version supported by the old providers in `ClusterctlUpgradeSpecInput`. For more information, please see: https://github.com/kubernetes-sigs/cluster-api/pull/8518#issuecomment-1508064859
 - Introduced function `CollectInfrastructureLogs` at the `ClusterLogCollector` interface in `test/framework/cluster_proxy.go` to allow collecting infrastructure related logs during tests.
 - A `GetTypedConfigOwner` function has been added to the `sigs.k8s.io./cluster-api/bootstrap/util` package. It is equivalent to `GetConfigOwner` except that it uses the cached typed client instead of the uncached unstructured client, so `GetTypedConfigOwner` is expected to be more performant.
 - `ClusterToObjectsMapper` in `sigs.k8s.io./cluster-api/util` has been deprecated, please use `ClusterToTypedObjectsMapper` instead.
 - The generated `kubeconfig` by the Control Plane providers must be labelled with the key-value pair `cluster.x-k8s.io/cluster-name=${CLUSTER_NAME}`.
-  This is required for the CAPI managers caches to store and retrieve them for the required operations.     
+  This is required for the CAPI managers caches to store and retrieve them for the required operations.
+- When using custom certificates, the certificates must be labeled with the key-value pair `cluster.x-k8s.io/cluster-name=${CLUSTER_NAME}`.
+  This is required for the CAPI managers caches to store and retrieve them for the required operations.
 
 ### Suggested changes for providers
 
-- 
+-
 
 ## Notes about the controller-runtime bump
 
 This section shares our learnings of bumping controller-runtime to v0.15 in core Cluster API. It highlights the most relevant changes and pitfalls
 for Cluster API providers. For the full list of changes please see the [controller-runtime release notes](https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0).
 
-* Webhooks can now also return warnings, this requires adding an additional `admission.Warnings` return parameter to all webhooks. 
+* Webhooks can now also return warnings, this requires adding an additional `admission.Warnings` return parameter to all webhooks.
 * Manager options have been refactored and old fields have been deprecated.
 * Manager now has a builtin profiler server which can be enabled via `Options.PprofBindAddress`, this allows us to remove our profiler server.
 * Controller builder has been refactored, this requires small changes to our controller setup code.
 * The EventHandler interface has been modified to also take a context, which affects our mapping functions (e.g. `ClusterToInfrastructureMapFunc`).
 * Controller-runtime now uses a lazy restmapper per default, i.e. API groups and resources are only fetched when they are actually used.
   This should drastically reduce the amount of API calls in clusters with a lot of CRDs.
-* Some wait utils in `k8s.io/apimachinery/pkg/util/wait` have been deprecated. The migration is relatively straightforward except that passing in `0` 
+* Some wait utils in `k8s.io/apimachinery/pkg/util/wait` have been deprecated. The migration is relatively straightforward except that passing in `0`
   as a timeout in `wait.PollUntilContextTimeout` is treated as a timeout with 0 seconds, in `wait.PollImmediateWithContext` it is interpreted as infinity.
 * The fake client has been improved to handle status properly. In tests that write the CRD status, the CRDs should be added to the fake client via `WithStatusSubresource`.
-* Ensure that the e2e test suite is setting a logger (e.g. via `ctrl.SetLogger(klog.Background())` in `TestE2E`. Otherwise logs are not visible and controller-runtime will print a warning. 
+* Ensure that the e2e test suite is setting a logger (e.g. via `ctrl.SetLogger(klog.Background())` in `TestE2E`. Otherwise logs are not visible and controller-runtime will print a warning.
 
 For reference, please see the [Bump to CR v0.15 PR](https://github.com/kubernetes-sigs/cluster-api/pull/8007) in core Cluster API.
diff --git a/docs/book/src/developer/providers/migrations/v1.6-to-v1.7.md b/docs/book/src/developer/providers/migrations/v1.6-to-v1.7.md
index e7999a0869a0..d361011c8bfd 100644
--- a/docs/book/src/developer/providers/migrations/v1.6-to-v1.7.md
+++ b/docs/book/src/developer/providers/migrations/v1.6-to-v1.7.md
@@ -10,6 +10,7 @@ maintainers of providers and consumers of our Go API.
 ## Dependencies
 
 **Note**: Only the most relevant dependencies are listed, `k8s.io/` and `ginkgo`/`gomega` dependencies in Cluster API are kept in sync with the versions used by `sigs.k8s.io/controller-runtime`.
+- sigs.k8s.io/kind: v0.20.x => v0.22.x
 
 
 ## Changes by Kind
diff --git a/docs/book/src/developer/tilt.md b/docs/book/src/developer/tilt.md
index 037a518721ac..3dec91b63380 100644
--- a/docs/book/src/developer/tilt.md
+++ b/docs/book/src/developer/tilt.md
@@ -8,7 +8,7 @@ workflow that offers easy deployments and rapid iterative builds.
 ## Prerequisites
 
 1. [Docker](https://docs.docker.com/install/): v19.03 or newer
-2. [kind](https://kind.sigs.k8s.io): v0.20.0 or newer
+2. [kind](https://kind.sigs.k8s.io): v0.22.0 or newer
 3. [Tilt](https://docs.tilt.dev/install.html): v0.30.8 or newer
 4. [kustomize](https://github.com/kubernetes-sigs/kustomize): provided via `make kustomize`
 5. [envsubst](https://github.com/drone/envsubst): provided via `make envsubst`
@@ -337,7 +337,7 @@ Custom values for variable substitutions can be set using `kustomize_substitutio
 ```yaml
 kustomize_substitutions:
   NAMESPACE: "default"
-  KUBERNETES_VERSION: "v1.29.0"
+  KUBERNETES_VERSION: "v1.29.2"
   CONTROL_PLANE_MACHINE_COUNT: "1"
   WORKER_MACHINE_COUNT: "3"
 # Note: kustomize substitutions expects the values to be strings. This can be achieved by wrapping the values in quotation marks.
diff --git a/docs/book/src/images/bootstrap-controller.png b/docs/book/src/images/bootstrap-controller.png
index 21db2d26587c..242385e69001 100644
Binary files a/docs/book/src/images/bootstrap-controller.png and b/docs/book/src/images/bootstrap-controller.png differ
diff --git a/docs/book/src/images/bootstrap-provider.png b/docs/book/src/images/bootstrap-provider.png
index 1a58524bfced..086e1f076dd6 100644
Binary files a/docs/book/src/images/bootstrap-provider.png and b/docs/book/src/images/bootstrap-provider.png differ
diff --git a/docs/book/src/images/cluster-admission-cluster-controller.png b/docs/book/src/images/cluster-admission-cluster-controller.png
index 8a08df94be4e..31d75eacae5e 100644
Binary files a/docs/book/src/images/cluster-admission-cluster-controller.png and b/docs/book/src/images/cluster-admission-cluster-controller.png differ
diff --git a/docs/book/src/images/cluster-admission-machine-controller.png b/docs/book/src/images/cluster-admission-machine-controller.png
index 5f9c9b520792..67c21f1d6328 100644
Binary files a/docs/book/src/images/cluster-admission-machine-controller.png and b/docs/book/src/images/cluster-admission-machine-controller.png differ
diff --git a/docs/book/src/images/cluster-admission-machinedeployment-controller.png b/docs/book/src/images/cluster-admission-machinedeployment-controller.png
index 5e2a9fe01f57..dcc81260a1d6 100644
Binary files a/docs/book/src/images/cluster-admission-machinedeployment-controller.png and b/docs/book/src/images/cluster-admission-machinedeployment-controller.png differ
diff --git a/docs/book/src/images/cluster-admission-machinepool-controller.png b/docs/book/src/images/cluster-admission-machinepool-controller.png
index 8c7b582dc6e1..892393c7ea6f 100644
Binary files a/docs/book/src/images/cluster-admission-machinepool-controller.png and b/docs/book/src/images/cluster-admission-machinepool-controller.png differ
diff --git a/docs/book/src/images/cluster-admission-machineset-controller.png b/docs/book/src/images/cluster-admission-machineset-controller.png
index e9ea358c154e..4f19976661b0 100644
Binary files a/docs/book/src/images/cluster-admission-machineset-controller.png and b/docs/book/src/images/cluster-admission-machineset-controller.png differ
diff --git a/docs/book/src/images/cluster-infra-provider.png b/docs/book/src/images/cluster-infra-provider.png
index fc58b3dff732..567f10a01693 100644
Binary files a/docs/book/src/images/cluster-infra-provider.png and b/docs/book/src/images/cluster-infra-provider.png differ
diff --git a/docs/book/src/images/cluster-resource-set-controller.png b/docs/book/src/images/cluster-resource-set-controller.png
index 57716645eb59..9a85c12734c0 100644
Binary files a/docs/book/src/images/cluster-resource-set-controller.png and b/docs/book/src/images/cluster-resource-set-controller.png differ
diff --git a/docs/book/src/images/cluster-topology-controller.png b/docs/book/src/images/cluster-topology-controller.png
index e8015a62c2ca..8a3358f7129b 100644
Binary files a/docs/book/src/images/cluster-topology-controller.png and b/docs/book/src/images/cluster-topology-controller.png differ
diff --git a/docs/book/src/images/cluster-topology-reconciller.png b/docs/book/src/images/cluster-topology-reconciller.png
index aeb20addb722..d875df566b0e 100644
Binary files a/docs/book/src/images/cluster-topology-reconciller.png and b/docs/book/src/images/cluster-topology-reconciller.png differ
diff --git a/docs/book/src/images/control-plane-controller.png b/docs/book/src/images/control-plane-controller.png
index 7ea511cd917e..2693c13bcf57 100644
Binary files a/docs/book/src/images/control-plane-controller.png and b/docs/book/src/images/control-plane-controller.png differ
diff --git a/docs/book/src/images/kubeadm-control-plane-machines-resources.png b/docs/book/src/images/kubeadm-control-plane-machines-resources.png
index 2e2c7a1b495c..160dbfc22fd9 100644
Binary files a/docs/book/src/images/kubeadm-control-plane-machines-resources.png and b/docs/book/src/images/kubeadm-control-plane-machines-resources.png differ
diff --git a/docs/book/src/images/machine-infra-provider.png b/docs/book/src/images/machine-infra-provider.png
index 2b0d8eec9463..792279645b9a 100644
Binary files a/docs/book/src/images/machine-infra-provider.png and b/docs/book/src/images/machine-infra-provider.png differ
diff --git a/docs/book/src/images/machinehealthcheck-controller.png b/docs/book/src/images/machinehealthcheck-controller.png
index 2a0affef6702..78f235b3b537 100644
Binary files a/docs/book/src/images/machinehealthcheck-controller.png and b/docs/book/src/images/machinehealthcheck-controller.png differ
diff --git a/docs/book/src/images/management-workload-same-cluster.png b/docs/book/src/images/management-workload-same-cluster.png
index 8d631fd39452..ac7bfe4a235d 100644
Binary files a/docs/book/src/images/management-workload-same-cluster.png and b/docs/book/src/images/management-workload-same-cluster.png differ
diff --git a/docs/book/src/images/management-workload-separate-clusters.png b/docs/book/src/images/management-workload-separate-clusters.png
index a3ec82376931..b10623077f56 100644
Binary files a/docs/book/src/images/management-workload-separate-clusters.png and b/docs/book/src/images/management-workload-separate-clusters.png differ
diff --git a/docs/book/src/images/runtime-sdk-topology-mutation.png b/docs/book/src/images/runtime-sdk-topology-mutation.png
index 99f3fb976a9e..92da0abe6f53 100644
Binary files a/docs/book/src/images/runtime-sdk-topology-mutation.png and b/docs/book/src/images/runtime-sdk-topology-mutation.png differ
diff --git a/docs/book/src/images/worker-machines-resources.png b/docs/book/src/images/worker-machines-resources.png
index 74d24f9d8416..0e2d05971aa8 100644
Binary files a/docs/book/src/images/worker-machines-resources.png and b/docs/book/src/images/worker-machines-resources.png differ
diff --git a/docs/book/src/reference/glossary.md b/docs/book/src/reference/glossary.md
index dd22362c30af..2b6d7103049c 100644
--- a/docs/book/src/reference/glossary.md
+++ b/docs/book/src/reference/glossary.md
@@ -66,6 +66,9 @@ Cluster API Google Cloud Provider
 ### CAPH
 Cluster API Provider Hetzner
 
+### CAPHV
+Cluster API Provider Hivelocity
+
 ### CAPIBM
 Cluster API Provider IBM Cloud
 
@@ -108,6 +111,9 @@ Cluster API Provider VMware Cloud Director
 ### CAPZ
 Cluster API Provider Azure
 
+### CAIPAMIC
+Cluster API IPAM Provider In Cluster
+
 ### Cloud provider
 
 Or __Cloud service provider__
diff --git a/docs/book/src/reference/labels_and_annotations.md b/docs/book/src/reference/labels_and_annotations.md
index e1eb0de5900a..3d20686f853c 100644
--- a/docs/book/src/reference/labels_and_annotations.md
+++ b/docs/book/src/reference/labels_and_annotations.md
@@ -2,7 +2,7 @@
 
 
 | Label                                     | Note                                                                                                                                                                                                                        |
-| :---------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|:------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | cluster.x-k8s.io/cluster-name             | It is set on machines linked to a cluster and external objects(bootstrap and infrastructure providers).                                                                                                                     |
 | topology.cluster.x-k8s.io/owned           | It is set on all the object which are managed as part of a ClusterTopology.                                                                                                                                                 |
 | topology.cluster.x-k8s.io/deployment-name | It is set on the generated MachineDeployment objects to track the name of the MachineDeployment topology it represents.                                                                                                     |
@@ -21,11 +21,12 @@
 **Supported Annotations:**
 
 | Annotation                                                       | Note                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| :--------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|:-----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | clusterctl.cluster.x-k8s.io/skip-crd-name-preflight-check        | Can be placed on provider CRDs, so that clusterctl doesn't emit an error if the CRD doesn't comply with Cluster APIs naming scheme. Only CRDs that are referenced by core Cluster API CRDs have to comply with the naming scheme.                                                                                                                                                                                                                                                                                                                           |
 | clusterctl.cluster.x-k8s.io/delete-for-move                      | DeleteForMoveAnnotation will be set to objects that are going to be deleted from the source cluster after being moved to the target cluster during the clusterctl move operation. It will help any validation webhook to take decision based on it.                                                                                                                                                                                                                                                                                                         |
 | clusterctl.cluster.x-k8s.io/block-move                           | BlockMoveAnnotation prevents the cluster move operation from starting if it is defined on at least one of the objects in scope. Provider controllers are expected to set the annotation on resources that cannot be instantaneously paused and remove the annotation when the resource has been actually paused.                                                                                                                                                                                                                                            |
 | unsafe.topology.cluster.x-k8s.io/disable-update-class-name-check | It can be used to disable the webhook check on update that disallows a pre-existing Cluster to be populated with Topology information and Class.                                                                                                                                                                                                                                                                                                                                                                                                            |
+| unsafe.topology.cluster.x-k8s.io/disable-update-version-check    | It can be used to disable the webhook checks on update that disallows updating the `.topology.spec.version` on certain conditions.                                                                                                                                                                                                                                                                                                                                                                                                                          |
 | cluster.x-k8s.io/cluster-name                                    | It is set on nodes identifying the name of the cluster the node belongs to.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | cluster.x-k8s.io/cluster-namespace                               | It is set on nodes identifying the namespace of the cluster the node belongs to.                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | cluster.x-k8s.io/machine                                         | It is set on nodes identifying the machine the node belongs to.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
diff --git a/docs/book/src/reference/providers.md b/docs/book/src/reference/providers.md
index 3589f794739a..7f368ae83ead 100644
--- a/docs/book/src/reference/providers.md
+++ b/docs/book/src/reference/providers.md
@@ -33,8 +33,9 @@ updated info about which API version they are supporting.
 - [CoxEdge](https://github.com/coxedge/cluster-api-provider-coxedge)
 - [DigitalOcean](https://github.com/kubernetes-sigs/cluster-api-provider-digitalocean)
 - [Equinix Metal (formerly Packet)](https://github.com/kubernetes-sigs/cluster-api-provider-packet)
-- [Google Cloud Platform (GCP)](https://github.com/kubernetes-sigs/cluster-api-provider-gcp)
+- [Google Cloud Platform (GCP)](https://cluster-api-gcp.sigs.k8s.io/)
 - [Hetzner](https://github.com/syself/cluster-api-provider-hetzner)
+- [Hivelocity](https://github.com/hivelocity/cluster-api-provider-hivelocity)
 - [IBM Cloud](https://github.com/kubernetes-sigs/cluster-api-provider-ibmcloud)
 - [KubeKey](https://github.com/kubesphere/kubekey)
 - [KubeVirt](https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt)
diff --git a/docs/book/src/tasks/certs/using-custom-certificates.md b/docs/book/src/tasks/certs/using-custom-certificates.md
index b89373cd162f..267ac83abdf9 100644
--- a/docs/book/src/tasks/certs/using-custom-certificates.md
+++ b/docs/book/src/tasks/certs/using-custom-certificates.md
@@ -11,6 +11,7 @@ Each certificate must be stored in a single secret named one of:
 | *[cluster name]***-proxy** | CA       | openssl req -x509 -subj "/CN=Front-End Proxy" -new -newkey rsa:2048 -nodes -keyout tls.key -sha256 -days 3650 -out tls.crt                                                           |
 | *[cluster name]***-sa**  | Key Pair | openssl genrsa -out tls.key 2048 && openssl rsa -in tls.key -pubout -out tls.crt |
 
+The certificates *must* also be labeled with the key-value pair `cluster.x-k8s.io/cluster-name=[cluster name]` (where `[cluster name]` is the name of the cluster it should be used with).
 
 <aside class="note warning">
 
@@ -26,9 +27,10 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: cluster1-ca
+  labels:
+    cluster.x-k8s.io/cluster-name: cluster1
 type: kubernetes.io/tls
 data:
   tls.crt: <base 64 encoded PEM>
   tls.key: <base 64 encoded PEM>
 ```
-
diff --git a/docs/book/src/user/quick-start.md b/docs/book/src/user/quick-start.md
index 1b1957cf80d2..075dda19eccc 100644
--- a/docs/book/src/user/quick-start.md
+++ b/docs/book/src/user/quick-start.md
@@ -56,7 +56,7 @@ a target [management cluster] on the selected [infrastructure provider].
 
    [kind] is not designed for production use.
 
-   **Minimum [kind] supported version**: v0.20.0
+   **Minimum [kind] supported version**: v0.22.0
 
    **Help with common issues can be found in the [Troubleshooting Guide](./troubleshooting.md).**
 
@@ -281,7 +281,7 @@ Additional documentation about experimental features can be found in [Experiment
 Depending on the infrastructure provider you are planning to use, some additional prerequisites should be satisfied
 before getting started with Cluster API. See below for the expected settings for common providers.
 
-{{#tabs name:"tab-installation-infrastructure" tabs:"AWS,Azure,CloudStack,DigitalOcean,Docker,Equinix Metal,GCP,Hetzner,IBM Cloud,K0smotron,KubeKey,KubeVirt,Metal3,Nutanix,OCI,OpenStack,Outscale,Proxmox,VCD,vcluster,Virtink,vSphere"}}
+{{#tabs name:"tab-installation-infrastructure" tabs:"AWS,Azure,CloudStack,DigitalOcean,Docker,Equinix Metal,GCP,Hetzner,Hivelocity,IBM Cloud,K0smotron,KubeKey,KubeVirt,Metal3,Nutanix,OCI,OpenStack,Outscale,Proxmox,VCD,vcluster,Virtink,vSphere"}}
 {{#tab AWS}}
 
 Download the latest binary of `clusterawsadm` from the [AWS provider releases]. The [clusterawsadm] command line utility assists with identity and access management (IAM) for [Cluster API Provider AWS][capa].
@@ -291,7 +291,7 @@ Download the latest binary of `clusterawsadm` from the [AWS provider releases].
 
 Download the latest release; on Linux, type:
 ```
-curl -L {{#releaselink repo:"https://github.com/kubernetes-sigs/cluster-api" gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-linux-amd64" version:">=2.0.0"}} -o clusterawsadm
+curl -L {{#releaselink repo:"https://github.com/kubernetes-sigs/cluster-api-provider-aws" gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-linux-amd64" version:">=2.0.0"}} -o clusterawsadm
 ```
 
 Make it executable
@@ -335,12 +335,12 @@ clusterctl init --infrastructure aws
 
 Download the latest release; on macOs, type:
 ```
-curl -L {{#releaselink repo:"https://github.com/kubernetes-sigs/cluster-api" gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-amd64" version:">=2.0.0"}} -o clusterawsadm
+curl -L {{#releaselink repo:"https://github.com/kubernetes-sigs/cluster-api-provider-aws" gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-amd64" version:">=2.0.0"}} -o clusterawsadm
 ```
 
 Or if your Mac has an M1 CPU (”Apple Silicon”):
 ```
-curl -L {{#releaselink repo:"https://github.com/kubernetes-sigs/cluster-api" gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-arm64" version:">=2.0.0"}} -o clusterawsadm
+curl -L {{#releaselink repo:"https://github.com/kubernetes-sigs/cluster-api-provider-aws" gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-darwin-arm64" version:">=2.0.0"}} -o clusterawsadm
 ```
 
 Make it executable
@@ -417,7 +417,7 @@ clusterctl init --infrastructure aws
 
 Download the latest release; on Windows, type:
 ```
-curl.exe -L {{#releaselink repo:"https://github.com/kubernetes-sigs/cluster-api" gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-windows-amd64" version:">=2.0.0"}} -o clusterawsadm.exe
+curl.exe -L {{#releaselink repo:"https://github.com/kubernetes-sigs/cluster-api-provider-aws" gomodule:"sigs.k8s.io/cluster-api-provider-aws" asset:"clusterawsadm-windows-amd64.exe" version:">=2.0.0"}} -o clusterawsadm.exe
 ```
 
 Append or prepend the path of that directory to the `PATH` environment variable.
@@ -578,6 +578,11 @@ clusterctl init --infrastructure gcp
 
 Please visit the [Hetzner project][Hetzner provider].
 
+{{#/tab }}
+{{#tab Hivelocity}}
+
+Please visit the [Hivelocity project][Hivelocity provider].
+
 {{#/tab }}
 {{#tab IBM Cloud}}
 
@@ -1305,7 +1310,7 @@ The Docker provider is not designed for production use and is intended for devel
 
 ```bash
 clusterctl generate cluster capi-quickstart --flavor development \
-  --kubernetes-version v1.29.0 \
+  --kubernetes-version v1.29.2 \
   --control-plane-machine-count=3 \
   --worker-machine-count=3 \
   > capi-quickstart.yaml
@@ -1348,7 +1353,7 @@ clusterctl generate cluster capi-quickstart \
 
 ```bash
 clusterctl generate cluster capi-quickstart \
-  --kubernetes-version v1.29.0 \
+  --kubernetes-version v1.29.2 \
   --control-plane-machine-count=3 \
   --worker-machine-count=3 \
   > capi-quickstart.yaml
@@ -1402,7 +1407,7 @@ and see an output similar to this:
 
 ```bash
 NAME              PHASE         AGE   VERSION
-capi-quickstart   Provisioned   8s    v1.29.0
+capi-quickstart   Provisioned   8s    v1.29.2
 ```
 
 To verify the first control plane is up:
@@ -1415,7 +1420,7 @@ You should see an output is similar to this:
 
 ```bash
 NAME                    CLUSTER           INITIALIZED   API SERVER AVAILABLE   REPLICAS   READY   UPDATED   UNAVAILABLE   AGE    VERSION
-capi-quickstart-g2trk   capi-quickstart   true                                 3                  3         3             4m7s   v1.29.0
+capi-quickstart-g2trk   capi-quickstart   true                                 3                  3         3             4m7s   v1.29.2
 ```
 
 <aside class="note warning">
@@ -1670,12 +1675,12 @@ kubectl --kubeconfig=./capi-quickstart.kubeconfig get nodes
 ```
 ```bash
 NAME                                          STATUS   ROLES           AGE    VERSION
-capi-quickstart-vs89t-gmbld                   Ready    control-plane   5m33s  v1.29.0
-capi-quickstart-vs89t-kf9l5                   Ready    control-plane   6m20s  v1.29.0
-capi-quickstart-vs89t-t8cfn                   Ready    control-plane   7m10s  v1.29.0
-capi-quickstart-md-0-55x6t-5649968bd7-8tq9v   Ready    <none>          6m5s   v1.29.0
-capi-quickstart-md-0-55x6t-5649968bd7-glnjd   Ready    <none>          6m9s   v1.29.0
-capi-quickstart-md-0-55x6t-5649968bd7-sfzp6   Ready    <none>          6m9s   v1.29.0
+capi-quickstart-vs89t-gmbld                   Ready    control-plane   5m33s  v1.29.2
+capi-quickstart-vs89t-kf9l5                   Ready    control-plane   6m20s  v1.29.2
+capi-quickstart-vs89t-t8cfn                   Ready    control-plane   7m10s  v1.29.2
+capi-quickstart-md-0-55x6t-5649968bd7-8tq9v   Ready    <none>          6m5s   v1.29.2
+capi-quickstart-md-0-55x6t-5649968bd7-glnjd   Ready    <none>          6m9s   v1.29.2
+capi-quickstart-md-0-55x6t-5649968bd7-sfzp6   Ready    <none>          6m9s   v1.29.2
 ```
 
 {{#/tab }}
@@ -1716,9 +1721,10 @@ kind delete cluster
 [clusterctl get kubeconfig]: ../clusterctl/commands/get-kubeconfig.md
 [clusterctl]: ../clusterctl/overview.md
 [Docker]: https://www.docker.com/
-[GCP provider]: https://github.com/kubernetes-sigs/cluster-api-provider-gcp
+[GCP provider]: https://cluster-api-gcp.sigs.k8s.io/
 [Helm]: https://helm.sh/docs/intro/install/
 [Hetzner provider]: https://github.com/syself/cluster-api-provider-hetzner
+[Hivelocity provider]: https://github.com/hivelocity/cluster-api-provider-hivelocity
 [IBM Cloud provider]: https://github.com/kubernetes-sigs/cluster-api-provider-ibmcloud
 [infrastructure provider]: ../reference/glossary.md#infrastructure-provider
 [kind]: https://kind.sigs.k8s.io/
diff --git a/docs/proposals/images/capi-provider-operator/fig1.png b/docs/proposals/images/capi-provider-operator/fig1.png
index f4a6d6b98772..c73414fccd2a 100644
Binary files a/docs/proposals/images/capi-provider-operator/fig1.png and b/docs/proposals/images/capi-provider-operator/fig1.png differ
diff --git a/docs/proposals/images/capi-provider-operator/fig2.png b/docs/proposals/images/capi-provider-operator/fig2.png
index 07b57f0fdf56..ce24988588aa 100644
Binary files a/docs/proposals/images/capi-provider-operator/fig2.png and b/docs/proposals/images/capi-provider-operator/fig2.png differ
diff --git a/docs/proposals/images/cluster-class/create.png b/docs/proposals/images/cluster-class/create.png
index ae427693ecfe..0fd715dc2e46 100644
Binary files a/docs/proposals/images/cluster-class/create.png and b/docs/proposals/images/cluster-class/create.png differ
diff --git a/docs/proposals/images/cluster-class/update.png b/docs/proposals/images/cluster-class/update.png
index 82275538236f..70b21922d9fb 100644
Binary files a/docs/proposals/images/cluster-class/update.png and b/docs/proposals/images/cluster-class/update.png differ
diff --git a/docs/proposals/images/cluster-spec-crds/figure1.png b/docs/proposals/images/cluster-spec-crds/figure1.png
index 21f79d5aaf95..8713bc42cdc4 100644
Binary files a/docs/proposals/images/cluster-spec-crds/figure1.png and b/docs/proposals/images/cluster-spec-crds/figure1.png differ
diff --git a/docs/proposals/images/cluster-spec-crds/figure2.png b/docs/proposals/images/cluster-spec-crds/figure2.png
index ed753a83eacb..d9b04bbf3271 100644
Binary files a/docs/proposals/images/cluster-spec-crds/figure2.png and b/docs/proposals/images/cluster-spec-crds/figure2.png differ
diff --git a/docs/proposals/images/clusterctl-extensible-templates/pkgCalls.png b/docs/proposals/images/clusterctl-extensible-templates/pkgCalls.png
index 5aa53a702b1f..1d020beceba2 100644
Binary files a/docs/proposals/images/clusterctl-extensible-templates/pkgCalls.png and b/docs/proposals/images/clusterctl-extensible-templates/pkgCalls.png differ
diff --git a/docs/proposals/images/clusterctl-extensible-templates/templateClient.png b/docs/proposals/images/clusterctl-extensible-templates/templateClient.png
index 7219434c304e..55d21bc1bc82 100644
Binary files a/docs/proposals/images/clusterctl-extensible-templates/templateClient.png and b/docs/proposals/images/clusterctl-extensible-templates/templateClient.png differ
diff --git a/docs/proposals/images/clusterctl-extensible-templates/yamlProcessor.png b/docs/proposals/images/clusterctl-extensible-templates/yamlProcessor.png
index 7e60c095439c..e34f315fd24d 100644
Binary files a/docs/proposals/images/clusterctl-extensible-templates/yamlProcessor.png and b/docs/proposals/images/clusterctl-extensible-templates/yamlProcessor.png differ
diff --git a/docs/proposals/images/clusterctl-redesign/config.png b/docs/proposals/images/clusterctl-redesign/config.png
index d1b2fcfe99ee..3230f06839c5 100644
Binary files a/docs/proposals/images/clusterctl-redesign/config.png and b/docs/proposals/images/clusterctl-redesign/config.png differ
diff --git a/docs/proposals/images/clusterctl-redesign/init.png b/docs/proposals/images/clusterctl-redesign/init.png
index a94ba1fe915b..bce69bd45962 100644
Binary files a/docs/proposals/images/clusterctl-redesign/init.png and b/docs/proposals/images/clusterctl-redesign/init.png differ
diff --git a/docs/proposals/images/controlplane/controlplane-init-1.png b/docs/proposals/images/controlplane/controlplane-init-1.png
index e8f1fc4d0a7b..084be1c94cf8 100644
Binary files a/docs/proposals/images/controlplane/controlplane-init-1.png and b/docs/proposals/images/controlplane/controlplane-init-1.png differ
diff --git a/docs/proposals/images/controlplane/controlplane-init-2.png b/docs/proposals/images/controlplane/controlplane-init-2.png
index db2925e7bcc1..65c91eda1623 100644
Binary files a/docs/proposals/images/controlplane/controlplane-init-2.png and b/docs/proposals/images/controlplane/controlplane-init-2.png differ
diff --git a/docs/proposals/images/controlplane/controlplane-init-3.png b/docs/proposals/images/controlplane/controlplane-init-3.png
index cc0e7ceb9541..f30983ba420d 100644
Binary files a/docs/proposals/images/controlplane/controlplane-init-3.png and b/docs/proposals/images/controlplane/controlplane-init-3.png differ
diff --git a/docs/proposals/images/controlplane/controlplane-init-4.png b/docs/proposals/images/controlplane/controlplane-init-4.png
index 3599126d5a38..00c4b9279dba 100644
Binary files a/docs/proposals/images/controlplane/controlplane-init-4.png and b/docs/proposals/images/controlplane/controlplane-init-4.png differ
diff --git a/docs/proposals/images/controlplane/controlplane-init-6.png b/docs/proposals/images/controlplane/controlplane-init-6.png
index b1156903529b..20288c72e328 100644
Binary files a/docs/proposals/images/controlplane/controlplane-init-6.png and b/docs/proposals/images/controlplane/controlplane-init-6.png differ
diff --git a/docs/proposals/images/controlplane/controlplane-init-7.png b/docs/proposals/images/controlplane/controlplane-init-7.png
index d9db505d5163..65533a5512d4 100644
Binary files a/docs/proposals/images/controlplane/controlplane-init-7.png and b/docs/proposals/images/controlplane/controlplane-init-7.png differ
diff --git a/docs/proposals/images/developer/diagram.png b/docs/proposals/images/developer/diagram.png
index bd98352e2425..b31d0210c9f6 100644
Binary files a/docs/proposals/images/developer/diagram.png and b/docs/proposals/images/developer/diagram.png differ
diff --git a/docs/proposals/images/kubelet-authentication/client-authenticator-flow.png b/docs/proposals/images/kubelet-authentication/client-authenticator-flow.png
index fe45ea87c663..ebc09a007818 100644
Binary files a/docs/proposals/images/kubelet-authentication/client-authenticator-flow.png and b/docs/proposals/images/kubelet-authentication/client-authenticator-flow.png differ
diff --git a/docs/proposals/images/machine-health-check/mhc.png b/docs/proposals/images/machine-health-check/mhc.png
index 395a7bba289a..3115239f318c 100644
Binary files a/docs/proposals/images/machine-health-check/mhc.png and b/docs/proposals/images/machine-health-check/mhc.png differ
diff --git a/docs/proposals/images/machine-states-preboot/Figure3.png b/docs/proposals/images/machine-states-preboot/Figure3.png
index 2c89cde5f993..48c782178ebb 100644
Binary files a/docs/proposals/images/machine-states-preboot/Figure3.png and b/docs/proposals/images/machine-states-preboot/Figure3.png differ
diff --git a/docs/proposals/images/machine-states-preboot/Figure4.png b/docs/proposals/images/machine-states-preboot/Figure4.png
index 5ca0e4933267..50a5f253592b 100644
Binary files a/docs/proposals/images/machine-states-preboot/Figure4.png and b/docs/proposals/images/machine-states-preboot/Figure4.png differ
diff --git a/docs/proposals/images/machine-states-preboot/Figure5.png b/docs/proposals/images/machine-states-preboot/Figure5.png
index f423b4a22c47..26fd9f93f458 100644
Binary files a/docs/proposals/images/machine-states-preboot/Figure5.png and b/docs/proposals/images/machine-states-preboot/Figure5.png differ
diff --git a/docs/proposals/images/machine-states-preboot/Figure6.png b/docs/proposals/images/machine-states-preboot/Figure6.png
index cafff947435c..414077ec9f75 100644
Binary files a/docs/proposals/images/machine-states-preboot/Figure6.png and b/docs/proposals/images/machine-states-preboot/Figure6.png differ
diff --git a/docs/proposals/images/machine-states-preboot/Figure7.png b/docs/proposals/images/machine-states-preboot/Figure7.png
index 3d574ed737cd..ab191c982bd2 100644
Binary files a/docs/proposals/images/machine-states-preboot/Figure7.png and b/docs/proposals/images/machine-states-preboot/Figure7.png differ
diff --git a/docs/proposals/images/machine-states-preboot/Figure8.png b/docs/proposals/images/machine-states-preboot/Figure8.png
index e5d7b30e5e48..b015e6aa3be5 100644
Binary files a/docs/proposals/images/machine-states-preboot/Figure8.png and b/docs/proposals/images/machine-states-preboot/Figure8.png differ
diff --git a/docs/proposals/images/machinepool-api/figure1.png b/docs/proposals/images/machinepool-api/figure1.png
index f50fc5246062..b0f5d33be6b7 100644
Binary files a/docs/proposals/images/machinepool-api/figure1.png and b/docs/proposals/images/machinepool-api/figure1.png differ
diff --git a/docs/proposals/images/machinepool-machines/inframachinepool-scale-down.png b/docs/proposals/images/machinepool-machines/inframachinepool-scale-down.png
index 2503b25ac40b..826fd87c625d 100644
Binary files a/docs/proposals/images/machinepool-machines/inframachinepool-scale-down.png and b/docs/proposals/images/machinepool-machines/inframachinepool-scale-down.png differ
diff --git a/docs/proposals/images/machinepool-machines/inframachinepool-scale-up.png b/docs/proposals/images/machinepool-machines/inframachinepool-scale-up.png
index 4659104b505e..07775b25b036 100644
Binary files a/docs/proposals/images/machinepool-machines/inframachinepool-scale-up.png and b/docs/proposals/images/machinepool-machines/inframachinepool-scale-up.png differ
diff --git a/docs/proposals/images/machinepool-machines/machinepool-machine-reconcile.png b/docs/proposals/images/machinepool-machines/machinepool-machine-reconcile.png
index 62e7b3806db2..50a6895a40af 100644
Binary files a/docs/proposals/images/machinepool-machines/machinepool-machine-reconcile.png and b/docs/proposals/images/machinepool-machines/machinepool-machine-reconcile.png differ
diff --git a/docs/proposals/images/machinepool-machines/machinepool-reconcile.png b/docs/proposals/images/machinepool-machines/machinepool-reconcile.png
index 4ec805791a8b..c39517f80b06 100644
Binary files a/docs/proposals/images/machinepool-machines/machinepool-reconcile.png and b/docs/proposals/images/machinepool-machines/machinepool-reconcile.png differ
diff --git a/docs/proposals/images/topology-mutation-hook/topology-reconciliation.png b/docs/proposals/images/topology-mutation-hook/topology-reconciliation.png
index 99f3fb976a9e..92da0abe6f53 100644
Binary files a/docs/proposals/images/topology-mutation-hook/topology-reconciliation.png and b/docs/proposals/images/topology-mutation-hook/topology-reconciliation.png differ
diff --git a/docs/release/release-tasks.md b/docs/release/release-tasks.md
index 62d9a8ac6d4d..59c852ba60bc 100644
--- a/docs/release/release-tasks.md
+++ b/docs/release/release-tasks.md
@@ -464,7 +464,9 @@ We should inform at least the following providers via a new issue on their respe
 * Packet: https://github.com/kubernetes-sigs/cluster-api-provider-packet/issues/new
 * vSphere: https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/issues/new
 
-TODO: Right now we don't have a template for this message but the Comms Team will provide one later. 
+To create GitHub issues at the Cluster API providers repositories and inform about a new minor beta release, use ["provider_issues.go"](../../hack/tools/release/internal/update_providers/provider_issues.go) go utility.
+- Ensure that the [provider repos pre-requisites](../../hack/tools/release/internal/update_providers/README.md#pre-requisites) are completed.
+- From the root of this repository, run `make release-provider-issues-tool` to create git issues at the provider repositories.
 
 ## CI Signal/Bug Triage/Automation Manager
 
@@ -543,4 +545,4 @@ The goal of bug triage is to triage incoming issues and if necessary flag them w
 and add them to the milestone of the current release.
 
 We probably have to figure out some details about the overlap between the bug triage task here, release leads
-and Cluster API maintainers.
\ No newline at end of file
+and Cluster API maintainers.
diff --git a/exp/runtime/hooks/api/v1alpha1/zz_generated.openapi.go b/exp/runtime/hooks/api/v1alpha1/zz_generated.openapi.go
index 1486a6fdd83d..76016618d974 100644
--- a/exp/runtime/hooks/api/v1alpha1/zz_generated.openapi.go
+++ b/exp/runtime/hooks/api/v1alpha1/zz_generated.openapi.go
@@ -19,8 +19,6 @@ limitations under the License.
 
 // Code generated by openapi-gen. DO NOT EDIT.
 
-// This file was autogenerated by openapi-gen. Do not edit it manually!
-
 package v1alpha1
 
 import (
@@ -151,7 +149,8 @@ func schema_runtime_hooks_api_v1alpha1_AfterClusterUpgradeResponse(ref common.Re
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -248,7 +247,8 @@ func schema_runtime_hooks_api_v1alpha1_AfterControlPlaneInitializedResponse(ref
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -353,7 +353,8 @@ func schema_runtime_hooks_api_v1alpha1_AfterControlPlaneUpgradeResponse(ref comm
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -458,7 +459,8 @@ func schema_runtime_hooks_api_v1alpha1_BeforeClusterCreateResponse(ref common.Re
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -563,7 +565,8 @@ func schema_runtime_hooks_api_v1alpha1_BeforeClusterDeleteResponse(ref common.Re
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -684,7 +687,8 @@ func schema_runtime_hooks_api_v1alpha1_BeforeClusterUpgradeResponse(ref common.R
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -751,7 +755,8 @@ func schema_runtime_hooks_api_v1alpha1_CommonResponse(ref common.ReferenceCallba
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -781,7 +786,8 @@ func schema_runtime_hooks_api_v1alpha1_CommonRetryResponse(ref common.ReferenceC
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -876,7 +882,8 @@ func schema_runtime_hooks_api_v1alpha1_DiscoverVariablesResponse(ref common.Refe
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -963,7 +970,8 @@ func schema_runtime_hooks_api_v1alpha1_DiscoveryResponse(ref common.ReferenceCal
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -1148,7 +1156,6 @@ func schema_runtime_hooks_api_v1alpha1_GeneratePatchesRequestItem(ref common.Ref
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object contains the template as a raw object.",
-							Default:     map[string]interface{}{},
 							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
 						},
 					},
@@ -1202,7 +1209,8 @@ func schema_runtime_hooks_api_v1alpha1_GeneratePatchesResponse(ref common.Refere
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -1256,7 +1264,8 @@ func schema_runtime_hooks_api_v1alpha1_GeneratePatchesResponseItem(ref common.Re
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"JSONMergePatch", "JSONPatch"}},
+							Enum:        []interface{}{"JSONMergePatch", "JSONPatch"},
+						},
 					},
 					"patch": {
 						SchemaProps: spec.SchemaProps{
@@ -1446,7 +1455,6 @@ func schema_runtime_hooks_api_v1alpha1_ValidateTopologyRequestItem(ref common.Re
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object contains the template as a raw object.",
-							Default:     map[string]interface{}{},
 							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
 						},
 					},
@@ -1500,7 +1508,8 @@ func schema_runtime_hooks_api_v1alpha1_ValidateTopologyResponse(ref common.Refer
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Failure", "Success"}},
+							Enum:        []interface{}{"Failure", "Success"},
+						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
@@ -1535,7 +1544,6 @@ func schema_runtime_hooks_api_v1alpha1_Variable(ref common.ReferenceCallback) co
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Value of the variable.",
-							Default:     map[string]interface{}{},
 							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
 						},
 					},
diff --git a/go.mod b/go.mod
index 2b6c782e12fd..ad42326a09ff 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/google/go-github/v53 v53.2.0
 	github.com/google/gofuzz v1.2.0
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/onsi/ginkgo/v2 v2.15.0
+	github.com/onsi/ginkgo/v2 v2.16.0
 	github.com/onsi/gomega v1.31.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.18.0
@@ -35,16 +35,16 @@ require (
 	golang.org/x/text v0.14.0
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	google.golang.org/grpc v1.59.0
-	k8s.io/api v0.29.1
-	k8s.io/apiextensions-apiserver v0.29.1
-	k8s.io/apimachinery v0.29.1
-	k8s.io/apiserver v0.29.1
-	k8s.io/client-go v0.29.1
-	k8s.io/cluster-bootstrap v0.29.1
-	k8s.io/component-base v0.29.1
+	k8s.io/api v0.29.2
+	k8s.io/apiextensions-apiserver v0.29.2
+	k8s.io/apimachinery v0.29.2
+	k8s.io/apiserver v0.29.2
+	k8s.io/client-go v0.29.2
+	k8s.io/cluster-bootstrap v0.29.2
+	k8s.io/component-base v0.29.2
 	k8s.io/klog/v2 v2.110.1
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00
-	k8s.io/kubectl v0.29.1
+	k8s.io/kubectl v0.29.2
 	k8s.io/utils v0.0.0-20231127182322-b307cd553661
 	sigs.k8s.io/controller-runtime v0.17.2
 	sigs.k8s.io/yaml v1.4.0
@@ -158,23 +158,23 @@ require (
 	golang.org/x/crypto v0.19.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/term v0.17.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/tools v0.17.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/cli-runtime v0.29.1 // indirect
-	k8s.io/component-helpers v0.29.1 // indirect
-	k8s.io/metrics v0.29.1 // indirect
+	k8s.io/cli-runtime v0.29.2 // indirect
+	k8s.io/component-helpers v0.29.2 // indirect
+	k8s.io/metrics v0.29.2 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
diff --git a/go.sum b/go.sum
index b54e29936937..c24401e537ac 100644
--- a/go.sum
+++ b/go.sum
@@ -383,8 +383,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
-github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
+github.com/onsi/ginkgo/v2 v2.16.0 h1:7q1w9frJDzninhXxjZd+Y/x54XNjG/UlRLIYPZafsPM=
+github.com/onsi/ginkgo/v2 v2.16.0/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
 github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -649,8 +649,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -732,8 +732,8 @@ golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -794,8 +794,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -828,32 +828,32 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw=
-k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ=
-k8s.io/apiextensions-apiserver v0.29.1 h1:S9xOtyk9M3Sk1tIpQMu9wXHm5O2MX6Y1kIpPMimZBZw=
-k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU=
-k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc=
-k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
-k8s.io/apiserver v0.29.1 h1:e2wwHUfEmMsa8+cuft8MT56+16EONIEK8A/gpBSco+g=
-k8s.io/apiserver v0.29.1/go.mod h1:V0EpkTRrJymyVT3M49we8uh2RvXf7fWC5XLB0P3SwRw=
-k8s.io/cli-runtime v0.29.1 h1:By3WVOlEWYfyxhGko0f/IuAOLQcbBSMzwSaDren2JUs=
-k8s.io/cli-runtime v0.29.1/go.mod h1:vjEY9slFp8j8UoMhV5AlO8uulX9xk6ogfIesHobyBDU=
-k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A=
-k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks=
-k8s.io/cluster-bootstrap v0.29.1 h1:YZ7fAY9DT1ZQVU6JFPWjpgm7DzSoTs50r6cI/OP+vLA=
-k8s.io/cluster-bootstrap v0.29.1/go.mod h1:T8sLsyIaQg2aIRdWxrBPYm8pyk+9Xxy+DJxJarv2MnM=
-k8s.io/component-base v0.29.1 h1:MUimqJPCRnnHsskTTjKD+IC1EHBbRCVyi37IoFBrkYw=
-k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc=
-k8s.io/component-helpers v0.29.1 h1:54MMEDu6xeJmMtAKztsPwu0kJKr4+jCUzaEIn2UXRoc=
-k8s.io/component-helpers v0.29.1/go.mod h1:+I7xz4kfUgxWAPJIVKrqe4ml4rb9UGpazlOmhXYo+cY=
+k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
+k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
+k8s.io/apiextensions-apiserver v0.29.2 h1:UK3xB5lOWSnhaCk0RFZ0LUacPZz9RY4wi/yt2Iu+btg=
+k8s.io/apiextensions-apiserver v0.29.2/go.mod h1:aLfYjpA5p3OwtqNXQFkhJ56TB+spV8Gc4wfMhUA3/b8=
+k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
+k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
+k8s.io/apiserver v0.29.2 h1:+Z9S0dSNr+CjnVXQePG8TcBWHr3Q7BmAr7NraHvsMiQ=
+k8s.io/apiserver v0.29.2/go.mod h1:B0LieKVoyU7ykQvPFm7XSdIHaCHSzCzQWPFa5bqbeMQ=
+k8s.io/cli-runtime v0.29.2 h1:smfsOcT4QujeghsNjECKN3lwyX9AwcFU0nvJ7sFN3ro=
+k8s.io/cli-runtime v0.29.2/go.mod h1:KLisYYfoqeNfO+MkTWvpqIyb1wpJmmFJhioA0xd4MW8=
+k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
+k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
+k8s.io/cluster-bootstrap v0.29.2 h1:CJ8kNpm6vqPX6laBEPGoEFpVQ0XmzgXMdQosvd5m2OA=
+k8s.io/cluster-bootstrap v0.29.2/go.mod h1:75qXUXImrhRHglBCQsBvZrS4uJFyaDinOWLWbbaRRH0=
+k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
+k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=
+k8s.io/component-helpers v0.29.2 h1:1kTIanIdqUVG2nW3e2ENVEaYbZKphqPgEdCmJvk71aw=
+k8s.io/component-helpers v0.29.2/go.mod h1:gFc/p60rYtpD8UCcNfPCmbokHT2uy0yDpmr/KKUMNAw=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/kubectl v0.29.1 h1:rWnW3hi/rEUvvg7jp4iYB68qW5un/urKbv7fu3Vj0/s=
-k8s.io/kubectl v0.29.1/go.mod h1:SZzvLqtuOJYSvZzPZR9weSuP0wDQ+N37CENJf0FhDF4=
-k8s.io/metrics v0.29.1 h1:qutc3aIPMCniMuEApuLaeYX47rdCn8eycVDx7R6wMlQ=
-k8s.io/metrics v0.29.1/go.mod h1:JrbV2U71+v7d/9qb90UVKL8r0uJ6Z2Hy4V7mDm05cKs=
+k8s.io/kubectl v0.29.2 h1:uaDYaBhumvkwz0S2XHt36fK0v5IdNgL7HyUniwb2IUo=
+k8s.io/kubectl v0.29.2/go.mod h1:BhizuYBGcKaHWyq+G7txGw2fXg576QbPrrnQdQDZgqI=
+k8s.io/metrics v0.29.2 h1:oLSTHEr40V7c7C8wDRRhiAefjGRHROK5zeV8NT0tpzc=
+k8s.io/metrics v0.29.2/go.mod h1:cWzACDpKElWhm0CElwfK+7I39wDNbmDDCX7hywjvgR4=
 k8s.io/utils v0.0.0-20231127182322-b307cd553661 h1:FepOBzJ0GXm8t0su67ln2wAZjbQ6RxQGZDnzuLcrUTI=
 k8s.io/utils v0.0.0-20231127182322-b307cd553661/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
diff --git a/hack/ensure-kind.sh b/hack/ensure-kind.sh
index 27b9e690d5bc..c285a25c4ed1 100755
--- a/hack/ensure-kind.sh
+++ b/hack/ensure-kind.sh
@@ -30,7 +30,7 @@ goarch="$(go env GOARCH)"
 goos="$(go env GOOS)"
 
 # Note: When updating the MINIMUM_KIND_VERSION new shas MUST be added in `preBuiltMappings` at `test/infrastructure/kind/mapper.go`
-MINIMUM_KIND_VERSION=v0.20.0
+MINIMUM_KIND_VERSION=v0.22.0
 
 
 # Ensure the kind tool exists and is a viable version, or installs it
diff --git a/hack/tools/go.mod b/hack/tools/go.mod
index 7bbed585f1fc..a6300a1eddb7 100644
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
@@ -7,7 +7,7 @@ replace sigs.k8s.io/cluster-api => ../../
 replace sigs.k8s.io/cluster-api/test => ../../test
 
 require (
-	cloud.google.com/go/storage v1.38.0
+	cloud.google.com/go/storage v1.39.0
 	github.com/blang/semver/v4 v4.0.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-github v17.0.0+incompatible
@@ -15,15 +15,15 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/pflag v1.0.5
 	github.com/valyala/fastjson v1.6.4
-	golang.org/x/oauth2 v0.17.0
-	google.golang.org/api v0.164.0
-	k8s.io/api v0.29.1
-	k8s.io/apiextensions-apiserver v0.29.1
-	k8s.io/apimachinery v0.29.1
-	k8s.io/client-go v0.29.1
+	golang.org/x/oauth2 v0.18.0
+	google.golang.org/api v0.168.0
+	k8s.io/api v0.29.2
+	k8s.io/apiextensions-apiserver v0.29.2
+	k8s.io/apimachinery v0.29.2
+	k8s.io/client-go v0.29.2
 	k8s.io/klog/v2 v2.110.1
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00
-	k8s.io/utils v0.0.0-20231127182322-b307cd553661
+	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 	sigs.k8s.io/cluster-api v0.0.0-00010101000000-000000000000
 	sigs.k8s.io/cluster-api/test v0.0.0-00010101000000-000000000000
 	sigs.k8s.io/controller-runtime v0.17.2
@@ -35,58 +35,73 @@ require (
 
 require (
 	cloud.google.com/go v0.112.0 // indirect
-	cloud.google.com/go/compute v1.23.3 // indirect
+	cloud.google.com/go/compute v1.24.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v1.1.6 // indirect
+	dario.cat/mergo v1.0.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
-	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/adrg/xdg v0.4.0 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
-	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cheggaaa/pb/v3 v3.1.5 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/docker v25.0.3+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.3 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-git/v5 v5.11.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/cel-go v0.17.7 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/go-github/v53 v53.2.0 // indirect
+	github.com/google/go-github/v58 v58.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.2 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/huandu/xstrings v1.3.3 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -94,54 +109,66 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/prometheus/client_golang v1.18.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/saschagrunert/go-modiff v1.3.5 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/viper v1.18.2 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect
-	go.opentelemetry.io/otel v1.23.0 // indirect
-	go.opentelemetry.io/otel/metric v1.23.0 // indirect
-	go.opentelemetry.io/otel/trace v1.23.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.19.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
-	golang.org/x/term v0.17.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/tools v0.17.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014 // indirect
-	google.golang.org/grpc v1.61.0 // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240304161311-37d4d3c04a78 // indirect
+	google.golang.org/grpc v1.62.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiserver v0.29.1 // indirect
-	k8s.io/cluster-bootstrap v0.29.1 // indirect
-	k8s.io/component-base v0.29.1 // indirect
+	k8s.io/apiserver v0.29.2 // indirect
+	k8s.io/cluster-bootstrap v0.29.2 // indirect
+	k8s.io/component-base v0.29.2 // indirect
+	k8s.io/release v0.16.6-0.20240222112346-71feb57b59a4
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
+	sigs.k8s.io/release-sdk v0.11.0 // indirect
+	sigs.k8s.io/release-utils v0.7.7 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
diff --git a/hack/tools/go.sum b/hack/tools/go.sum
index 11d092f328af..b282630d9fec 100644
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@@ -1,52 +1,62 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.112.0 h1:tpFCD7hpHFlQ8yPwT3x+QeXqc2T6+n6T+hmABHfDUSM=
 cloud.google.com/go v0.112.0/go.mod h1:3jEEVwZ/MHU4djK5t5RHuKOA/GbLddgTdVubX1qnPD4=
-cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk=
-cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI=
+cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg=
+cloud.google.com/go/compute v1.24.0/go.mod h1:kw1/T+h/+tK2LJK0wiPPx1intgdAM3j/g3hFDlscY40=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc=
 cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI=
-cloud.google.com/go/storage v1.38.0 h1:Az68ZRGlnNTpIBbLjSMIV2BDcwwXYlRlQzis0llkpJg=
-cloud.google.com/go/storage v1.38.0/go.mod h1:tlUADB0mAb9BgYls9lq+8MGkfzOXuLrnHXlpHmvFJoY=
-github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
-github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+cloud.google.com/go/storage v1.39.0 h1:brbjUa4hbDHhpQf48tjqMaXEV+f1OGoaTmQau9tmCsA=
+cloud.google.com/go/storage v1.39.0/go.mod h1:OAEj/WZwUYjA3YHQ10/YcN9ttGuEpLwvaoyBXIPikEk=
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g=
 github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
+github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
 github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
-github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA=
-github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
+github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
 github.com/adrg/xdg v0.4.0 h1:RzRqFcjH4nE5C6oTAxhBtoE2IRyjBSa62SCbyPidvls=
 github.com/adrg/xdg v0.4.0/go.mod h1:N6ag73EX4wyxeaoeHctc1mas01KZgsj5tYiAIwqJE/E=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
-github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY=
-github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cheggaaa/pb/v3 v3.1.5 h1:QuuUzeM2WsAqG2gMqtzaWithDJv0i+i6UlnwSCI4QLk=
+github.com/cheggaaa/pb/v3 v3.1.5/go.mod h1:CrxkeghYTXi1lQBEI7jSn+3svI3cuc19haAj6jM60XI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101 h1:7To3pQ+pZo0i3dsWEbinPNFs5gPSBOsJtx3wTT94VBY=
-github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coredns/caddy v1.1.0 h1:ezvsPrT/tA/7pYDBZxu0cT0VmWk75AfIaf6GSYCNMf0=
@@ -59,6 +69,8 @@ github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pq
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -73,26 +85,40 @@ github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 h1:7QPwrLT79GlD5sizHf27aoY2RTvw62mO6x7mxkScNk0=
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46/go.mod h1:esf2rsHFNlZlxsqsZDojNBcnNs5REqIvRrWRHqX0vEU=
-github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU=
-github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/emicklei/go-restful/v3 v3.11.3 h1:yagOQz/38xJmcNeZJtrUcKjkHRltIaIFXKWeG1SkWGE=
+github.com/emicklei/go-restful/v3 v3.11.3/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA=
-github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE=
 github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
 github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
+github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
+github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
@@ -101,12 +127,14 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
+github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
-github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
+github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA=
@@ -133,8 +161,8 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/cel-go v0.17.7 h1:6ebJFzu1xO2n7TLtN+UBqShGBhlD85bhvglh5DpcfqQ=
 github.com/google/cel-go v0.17.7/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY=
-github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
-github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -150,6 +178,8 @@ github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4r
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
 github.com/google/go-github/v53 v53.2.0 h1:wvz3FyF53v4BK+AsnvCmeNhf8AkTaeh2SoYu/XUvTtI=
 github.com/google/go-github/v53 v53.2.0/go.mod h1:XhFRObz+m/l+UCm9b7KSIC3lT3NWSXGt7mOsAWEloao=
+github.com/google/go-github/v58 v58.0.0 h1:Una7GGERlF/37XfkPwpzYJe0Vp4dt2k1kCjlxwjIvzw=
+github.com/google/go-github/v58 v58.0.0/go.mod h1:k4hxDKEfoWpSqFlc8LTpGd9fu2KrV1YAa6Hi6FmDNY4=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -167,26 +197,31 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
-github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
-github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
+github.com/googleapis/gax-go/v2 v2.12.2 h1:mhN09QQW1jEWeMF74zGR81R30z4VJzjZsfkUhuHF+DA=
+github.com/googleapis/gax-go/v2 v2.12.2/go.mod h1:61M8vcyyXR2kqKFxKrfA22jaA8JGF7Dc8App1U3H6jc=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
-github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
+github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/huandu/xstrings v1.3.3 h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
-github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
+github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
+github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -198,6 +233,13 @@ github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0V
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
+github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
@@ -208,8 +250,8 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA=
-github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -219,20 +261,24 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
+github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
-github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
+github.com/onsi/ginkgo/v2 v2.16.0 h1:7q1w9frJDzninhXxjZd+Y/x54XNjG/UlRLIYPZafsPM=
+github.com/onsi/ginkgo/v2 v2.16.0/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
 github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034=
-github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
+github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
+github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4=
 github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
+github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
+github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -247,18 +293,27 @@ github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lne
 github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
+github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
 github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
+github.com/saschagrunert/go-modiff v1.3.5 h1:Wb2KUhCiuTJfhCwGYIwjZOpC++RbY0MTf7J5m1CfQlw=
+github.com/saschagrunert/go-modiff v1.3.5/go.mod h1:yWSOFnT8wQIzUMsVflHmkL1qYHk+WLcjzGoeAjqjRXM=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
+github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
@@ -277,6 +332,7 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -288,6 +344,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
@@ -299,24 +357,24 @@ go.etcd.io/etcd/client/v3 v3.5.12 h1:v5lCPXn1pf1Uu3M4laUE2hp/geOTc5uPcYYsNe1lDxg
 go.etcd.io/etcd/client/v3 v3.5.12/go.mod h1:tSbBCakoWmmddL+BKVAJHa9km+O/E+bumDe9mSbPiqw=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 h1:UNQQKPfTDe1J81ViolILjTKPr9WetKW6uei2hFgJmFs=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw=
-go.opentelemetry.io/otel v1.23.0 h1:Df0pqjqExIywbMCMTxkAwzjLZtRf+bBKLbUcpxO2C9E=
-go.opentelemetry.io/otel v1.23.0/go.mod h1:YCycw9ZeKhcJFrb34iVSkyT0iczq/zYDtZYFufObyB0=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
+go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
+go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0 h1:gvmNvqrPYovvyRmCSygkUDyL8lC5Tl845MLEwqpxhEU=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0/go.mod h1:vNUq47TGFioo+ffTSnKNdob241vePmtNZnAODKapKd0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0 h1:FyjCyI9jVEfqhUh2MoSkmolPjfh5fp2hnV0b0irxH4Q=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0/go.mod h1:hYwym2nDEeZfG/motx0p7L7J1N1vyzIThemQsb4g2qY=
-go.opentelemetry.io/otel/metric v1.23.0 h1:pazkx7ss4LFVVYSxYew7L5I6qvLXHA0Ap2pwV+9Cnpo=
-go.opentelemetry.io/otel/metric v1.23.0/go.mod h1:MqUW2X2a6Q8RN96E2/nqNoT+z9BSms20Jb7Bbp+HiTo=
+go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
+go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
 go.opentelemetry.io/otel/sdk v1.22.0 h1:6coWHw9xw7EfClIC/+O31R8IY3/+EiRFHevmHafB2Gw=
 go.opentelemetry.io/otel/sdk v1.22.0/go.mod h1:iu7luyVGYovrRpe2fmj3CVKouQNdTOkxtLzPvPz1DOc=
-go.opentelemetry.io/otel/trace v1.23.0 h1:37Ik5Ib7xfYVb4V1UtnT97T1jI+AoIYkJyPkuL4iJgI=
-go.opentelemetry.io/otel/trace v1.23.0/go.mod h1:GSGTbIClEsuZrGIzoEHqsVfxgn5UkggkflQwDScNUsk=
+go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
+go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -329,18 +387,22 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 h1:mchzmB1XO2pMaKFRqk/+MV3mgGG96aqaPXaMifQU47w=
+golang.org/x/exp v0.0.0-20231108232855-2478ac86f678/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -353,19 +415,23 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
-golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
+golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
+golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -375,24 +441,34 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
@@ -406,8 +482,9 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -416,8 +493,8 @@ golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSm
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/api v0.164.0 h1:of5G3oE2WRMVb2yoWKME4ZP8y8zpUKC6bMhxDr8ifyk=
-google.golang.org/api v0.164.0/go.mod h1:2OatzO7ZDQsoS7IFf3rvsE17/TldiU3F/zxFHeqUB5o=
+google.golang.org/api v0.168.0 h1:MBRe+Ki4mMN93jhDDbpuRLjRddooArz4FeSObvUMmjY=
+google.golang.org/api v0.168.0/go.mod h1:gpNOiMA2tZ4mf5R9Iwf4rK/Dcz0fbdIgWYWVoxmsyLg=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
@@ -425,19 +502,19 @@ google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJ
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe h1:USL2DhxfgRchafRvt/wYyyQNzwgL7ZiURcozOE/Pkvo=
-google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro=
-google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 h1:x9PwdEgd11LgK+orcck69WVRo7DezSO4VUMPI4xpc8A=
-google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014/go.mod h1:rbHMSEDyoYX62nRVLOCc4Qt1HbsdytAYoVwgjiOhF3I=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014 h1:FSL3lRCkhaPFxqi0s9o+V4UI2WTzAVOvkgbd4kVV4Wg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014/go.mod h1:SaPjaZGWb0lPqs6Ittu0spdfrOArqji4ZdeP5IC/9N4=
+google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
+google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s=
+google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c h1:9g7erC9qu44ks7UK4gDNlnk4kOxZG707xKm4jVniy6o=
+google.golang.org/genproto/googleapis/api v0.0.0-20240221002015-b0ce06bbee7c/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240304161311-37d4d3c04a78 h1:Xs9lu+tLXxLIfuci70nG4cpwaRC+mRQPUL7LoIeDJC4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240304161311-37d4d3c04a78/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0=
-google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
+google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk=
+google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -449,9 +526,10 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
@@ -460,39 +538,42 @@ gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
+gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw=
-k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ=
-k8s.io/apiextensions-apiserver v0.29.1 h1:S9xOtyk9M3Sk1tIpQMu9wXHm5O2MX6Y1kIpPMimZBZw=
-k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU=
-k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc=
-k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
-k8s.io/apiserver v0.29.1 h1:e2wwHUfEmMsa8+cuft8MT56+16EONIEK8A/gpBSco+g=
-k8s.io/apiserver v0.29.1/go.mod h1:V0EpkTRrJymyVT3M49we8uh2RvXf7fWC5XLB0P3SwRw=
-k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A=
-k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks=
-k8s.io/cluster-bootstrap v0.29.1 h1:YZ7fAY9DT1ZQVU6JFPWjpgm7DzSoTs50r6cI/OP+vLA=
-k8s.io/cluster-bootstrap v0.29.1/go.mod h1:T8sLsyIaQg2aIRdWxrBPYm8pyk+9Xxy+DJxJarv2MnM=
-k8s.io/component-base v0.29.1 h1:MUimqJPCRnnHsskTTjKD+IC1EHBbRCVyi37IoFBrkYw=
-k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc=
+k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
+k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
+k8s.io/apiextensions-apiserver v0.29.2 h1:UK3xB5lOWSnhaCk0RFZ0LUacPZz9RY4wi/yt2Iu+btg=
+k8s.io/apiextensions-apiserver v0.29.2/go.mod h1:aLfYjpA5p3OwtqNXQFkhJ56TB+spV8Gc4wfMhUA3/b8=
+k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
+k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
+k8s.io/apiserver v0.29.2 h1:+Z9S0dSNr+CjnVXQePG8TcBWHr3Q7BmAr7NraHvsMiQ=
+k8s.io/apiserver v0.29.2/go.mod h1:B0LieKVoyU7ykQvPFm7XSdIHaCHSzCzQWPFa5bqbeMQ=
+k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
+k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
+k8s.io/cluster-bootstrap v0.29.2 h1:CJ8kNpm6vqPX6laBEPGoEFpVQ0XmzgXMdQosvd5m2OA=
+k8s.io/cluster-bootstrap v0.29.2/go.mod h1:75qXUXImrhRHglBCQsBvZrS4uJFyaDinOWLWbbaRRH0=
+k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
+k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/utils v0.0.0-20231127182322-b307cd553661 h1:FepOBzJ0GXm8t0su67ln2wAZjbQ6RxQGZDnzuLcrUTI=
-k8s.io/utils v0.0.0-20231127182322-b307cd553661/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/release v0.16.6-0.20240222112346-71feb57b59a4 h1:uXh5E2tjb4ihVVtQ1+w+lkCVmJGRL4dLe7o+EXk+HKE=
+k8s.io/release v0.16.6-0.20240222112346-71feb57b59a4/go.mod h1:5M4lvW1Vca98tMEsqi9M8bhhkVRwV+IynxGcO0Gqhrg=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 h1:TgtAeesdhpm2SGwkQasmbeqDo8th5wOBA5h/AjTKA4I=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y=
 sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0=
@@ -507,6 +588,10 @@ sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKU
 sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY=
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U=
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag=
+sigs.k8s.io/release-sdk v0.11.0 h1:a+zjOO3tHm1NiVZgNcUWq5QrKmv7b63UZXw+XGdPGfk=
+sigs.k8s.io/release-sdk v0.11.0/go.mod h1:sjbFpskyVjCXcFBnI3Bj1iGQHGjDYPoHVyld/pT+TvU=
+sigs.k8s.io/release-utils v0.7.7 h1:JKDOvhCk6zW8ipEOkpTGDH/mW3TI+XqtPp16aaQ79FU=
+sigs.k8s.io/release-utils v0.7.7/go.mod h1:iU7DGVNi3umZJ8q6aHyUFzsDUIaYwNnNKGHo3YE5E3s=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
diff --git a/hack/tools/internal/tilt-prepare/main.go b/hack/tools/internal/tilt-prepare/main.go
index 3d3c1435eef7..52b97e8ad49d 100644
--- a/hack/tools/internal/tilt-prepare/main.go
+++ b/hack/tools/internal/tilt-prepare/main.go
@@ -133,6 +133,7 @@ type tiltProvider struct {
 type tiltProviderConfig struct {
 	Context           *string  `json:"context,omitempty"`
 	Version           *string  `json:"version,omitempty"`
+	LiveReloadDeps    []string `json:"live_reload_deps,omitempty"`
 	ApplyProviderYaml *bool    `json:"apply_provider_yaml,omitempty"`
 	KustomizeFolder   *string  `json:"kustomize_folder,omitempty"`
 	KustomizeOptions  []string `json:"kustomize_options,omitempty"`
@@ -347,7 +348,13 @@ func tiltResources(ctx context.Context, ts *tiltSettings) error {
 		if ptr.Deref(config.ApplyProviderYaml, true) {
 			kustomizeFolder := path.Join(*config.Context, ptr.Deref(config.KustomizeFolder, "config/default"))
 			kustomizeOptions := config.KustomizeOptions
-			tasks[providerName] = workloadTask(providerName, "provider", "manager", "manager", ts, kustomizeFolder, kustomizeOptions, getProviderObj(config.Version))
+			liveReloadDeps := config.LiveReloadDeps
+			var debugConfig *tiltSettingsDebugConfig
+			if d, ok := ts.Debug[providerName]; ok {
+				debugConfig = &d
+			}
+			extraArgs := ts.ExtraArgs[providerName]
+			tasks[providerName] = workloadTask(providerName, "provider", "manager", "manager", liveReloadDeps, debugConfig, extraArgs, kustomizeFolder, kustomizeOptions, getProviderObj(config.Version))
 		}
 	}
 
@@ -686,7 +693,7 @@ func kustomizeTask(path, out string) taskFunction {
 // workloadTask generates a task for creating the component yaml for a workload and saving the output on a file.
 // NOTE: This task has several sub steps including running kustomize, envsubst, fixing components for debugging,
 // and adding the workload resource mimicking what clusterctl init does.
-func workloadTask(name, workloadType, binaryName, containerName string, ts *tiltSettings, path string, options []string, getAdditionalObject func(string, []unstructured.Unstructured) (*unstructured.Unstructured, error)) taskFunction {
+func workloadTask(name, workloadType, binaryName, containerName string, liveReloadDeps []string, debugConfig *tiltSettingsDebugConfig, extraArgs tiltSettingsExtraArgs, path string, options []string, getAdditionalObject func(string, []unstructured.Unstructured) (*unstructured.Unstructured, error)) taskFunction {
 	return func(ctx context.Context, prefix string, errCh chan error) {
 		args := []string{"build"}
 		args = append(args, options...)
@@ -718,7 +725,7 @@ func workloadTask(name, workloadType, binaryName, containerName string, ts *tilt
 			return
 		}
 
-		if err := prepareWorkload(name, prefix, binaryName, containerName, objs, ts); err != nil {
+		if err := prepareWorkload(prefix, binaryName, containerName, objs, liveReloadDeps, debugConfig, extraArgs); err != nil {
 			errCh <- err
 			return
 		}
@@ -787,17 +794,21 @@ func writeIfChanged(prefix string, path string, yaml []byte) error {
 // If there are extra_args given for the workload, we append those to the ones that already exist in the deployment.
 // This has the affect that the appended ones will take precedence, as those are read last.
 // Finally, we modify the deployment to enable prometheus metrics scraping.
-func prepareWorkload(name, prefix, binaryName, containerName string, objs []unstructured.Unstructured, ts *tiltSettings) error {
+func prepareWorkload(prefix, binaryName, containerName string, objs []unstructured.Unstructured, liveReloadDeps []string, debugConfig *tiltSettingsDebugConfig, extraArgs tiltSettingsExtraArgs) error {
 	// Update provider namespaces to have the pod security standard enforce label set to privileged.
 	// This is required because we remove the SecurityContext from provider deployments below to make tilt work.
 	updateNamespacePodSecurityStandard(objs)
-	return updateDeployment(prefix, objs, func(deployment *appsv1.Deployment) {
+  return updateDeployment(prefix, objs, func(deployment *appsv1.Deployment) {
 		for j, container := range deployment.Spec.Template.Spec.Containers {
 			if container.Name != containerName {
 				continue
 			}
-			cmd := []string{"sh", "/start.sh", "/" + binaryName}
-			args := append(container.Args, []string(ts.ExtraArgs[name])...)
+
+			cmd := []string{"/" + binaryName}
+			if len(liveReloadDeps) > 0 || debugConfig != nil {
+				cmd = []string{"sh", "/start.sh", "/" + binaryName}
+			}
+			args := append(container.Args, []string(extraArgs)...)
 
 			// remove securityContext for tilt live_update, see https://github.com/tilt-dev/tilt/issues/3060
 			container.SecurityContext = nil
@@ -808,19 +819,19 @@ func prepareWorkload(name, prefix, binaryName, containerName string, objs []unst
 			// alter deployment for working nicely with delve debugger;
 			// most specifically, configuring delve, starting the manager with profiling enabled, dropping liveness and
 			// readiness probes and disabling leader election.
-			if d, ok := ts.Debug[name]; ok {
+			if debugConfig != nil {
 				cmd = []string{"sh", "/start.sh", "/dlv", "--accept-multiclient", "--api-version=2", "--headless=true", "exec"}
 
-				if d.Port != nil && *d.Port > 0 {
+				if debugConfig.Port != nil && *debugConfig.Port > 0 {
 					cmd = append(cmd, "--listen=:30000")
 				}
-				if d.Continue != nil && *d.Continue {
+				if debugConfig.Continue != nil && *debugConfig.Continue {
 					cmd = append(cmd, "--continue")
 				}
 
 				cmd = append(cmd, []string{"--", "/" + binaryName}...)
 
-				if d.ProfilerPort != nil && *d.ProfilerPort > 0 {
+				if debugConfig.ProfilerPort != nil && *debugConfig.ProfilerPort > 0 {
 					args = append(args, []string{"--profiler-address=:6060"}...)
 				}
 
diff --git a/hack/tools/release/internal/constants.go b/hack/tools/release/internal/constants.go
index 5f2446676d09..2ab146f61c90 100644
--- a/hack/tools/release/internal/constants.go
+++ b/hack/tools/release/internal/constants.go
@@ -40,3 +40,6 @@ const (
 	// Unknown is the tag used for PRs that need to be sorted by hand.
 	Unknown = ":question: Sort these by hand"
 )
+
+// TagsPrefix is the prefix used for from/to refs.
+const TagsPrefix = "tags/"
diff --git a/hack/tools/release/internal/update_providers/README.md b/hack/tools/release/internal/update_providers/README.md
new file mode 100644
index 000000000000..80b52fdb646f
--- /dev/null
+++ b/hack/tools/release/internal/update_providers/README.md
@@ -0,0 +1,38 @@
+# Update CAPI Providers with CAPI beta releases
+
+`provider_issues` is a go utility intended to open git issues on provider repos about the first beta minor release of CAPI.
+
+## Pre-requisites
+
+- Create a github token with the below access and export it in your environment as `GITHUB_ISSUE_OPENER_TOKEN`. Set the validity to the least number of days since this utility is a one time use tool per release cycle.
+  - `repo:status` - Grants access to commit status on public and private repositories.
+  - `repo_deployment` - Grants access to deployment statuses on public and private repositories.
+  - `public_repo` - Grants access to public repositories
+
+- Export `PROVIDER_ISSUES_DRY_RUN` environment variable to `"true"` to run the utility in dry run mode. Export it to `"false"` to create issues on the provider repositories. Example:
+
+  ```sh
+  export PROVIDER_ISSUES_DRY_RUN="true"
+  ```
+
+- Export `RELEASE_TAG` environment variable to the CAPI release version e.g. `1.6.0`. The suffix `-beta.0` is appended by the utility.  
+  Example:
+
+  ```sh
+  export RELEASE_TAG="1.6.0"
+  ```
+
+- Export `RELEASE_DATE` to the targeted CAPI release version date. Fetch the target date from latest [release file](https://github.com/kubernetes-sigs/cluster-api/tree/main/docs/release/releases).
+  Example:
+
+  ```sh
+  export RELEASE_DATE="2023-11-28"
+  ```
+
+## How to run the tool
+
+- Finish the pre-requites [tasks](#pre-requisites).
+- From the root of the project Cluster API, run `make release-provider-issues-tool` to create issues at provider repositories.
+  - Note that the utility will  
+    - do a dry run on setting `PROVIDER_ISSUES_DRY_RUN="true"` (and will not create git issues)
+    - create git issues on setting `PROVIDER_ISSUES_DRY_RUN="false"`.
diff --git a/hack/tools/release/internal/update_providers/provider_issues.go b/hack/tools/release/internal/update_providers/provider_issues.go
new file mode 100644
index 000000000000..c76f6e91fe83
--- /dev/null
+++ b/hack/tools/release/internal/update_providers/provider_issues.go
@@ -0,0 +1,352 @@
+//go:build tools
+// +build tools
+
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// main is the main package for the open issues utility.
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"regexp"
+	"strings"
+	"text/template"
+	"time"
+)
+
+const (
+	baseURL = "https://api.github.com"
+)
+
+var (
+	repoList = []string{
+		"kubernetes-sigs/cluster-api-addon-provider-helm",
+		"kubernetes-sigs/cluster-api-provider-aws",
+		"kubernetes-sigs/cluster-api-provider-azure",
+		"kubernetes-sigs/cluster-api-provider-cloudstack",
+		"kubernetes-sigs/cluster-api-provider-digitalocean",
+		"kubernetes-sigs/cluster-api-provider-gcp",
+		"kubernetes-sigs/cluster-api-provider-kubemark",
+		"kubernetes-sigs/cluster-api-provider-kubevirt",
+		"kubernetes-sigs/cluster-api-provider-ibmcloud",
+		"kubernetes-sigs/cluster-api-provider-nested",
+		"oracle/cluster-api-provider-oci",
+		"kubernetes-sigs/cluster-api-provider-openstack",
+		"kubernetes-sigs/cluster-api-operator",
+		"kubernetes-sigs/cluster-api-provider-packet",
+		"kubernetes-sigs/cluster-api-provider-vsphere",
+		"metal3-io/cluster-api-provider-metal3",
+	}
+)
+
+// Issue is the struct for the issue.
+type Issue struct {
+	Title string `json:"title"`
+	Body  string `json:"body"`
+}
+
+// IssueResponse is the struct for the issue response.
+type IssueResponse struct {
+	HTMLURL string `json:"html_url"`
+}
+
+// releaseDetails is the struct for the release details.
+type releaseDetails struct {
+	ReleaseTag  string
+	BetaTag     string
+	ReleaseLink string
+	ReleaseDate string
+}
+
+// Example command:
+//
+//	GITHUB_ISSUE_OPENER_TOKEN="fake" RELEASE_TAG="1.6.0" RELEASE_DATE="2023-11-28" PROVIDER_ISSUES_DRY_RUN="true" make release-provider-issues-tool
+func main() {
+	githubToken, keySet := os.LookupEnv("GITHUB_ISSUE_OPENER_TOKEN")
+	if !keySet || githubToken == "" {
+		fmt.Println("GitHub personal access token is required.")
+		fmt.Println("Refer to README.md in folder for more information.")
+		os.Exit(1)
+	}
+
+	// always start in dry run mode unless explicitly set to false
+	var dryRun bool
+	isDryRun, dryRunSet := os.LookupEnv("PROVIDER_ISSUES_DRY_RUN")
+	if !dryRunSet || isDryRun == "" || isDryRun != "false" {
+		fmt.Printf("\n")
+		fmt.Println("###############################################")
+		fmt.Println("This script will run in dry run mode.")
+		fmt.Println("To run it for real, set the PROVIDER_ISSUES_DRY_RUN environment variable to \"false\".")
+		fmt.Println("###############################################")
+		fmt.Printf("\n")
+		dryRun = true
+	} else {
+		dryRun = false
+	}
+
+	fmt.Println("List of CAPI Providers:")
+	fmt.Println("-", strings.Join(repoList, "\n- "))
+	fmt.Printf("\n")
+
+	details := getReleaseDetails()
+
+	// generate title
+	titleBuffer := bytes.NewBuffer([]byte{})
+	if err := getIssueTitle().Execute(titleBuffer, details); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(1)
+	}
+
+	// generate issue body
+	issueBuffer := bytes.NewBuffer([]byte{})
+	if err := getIssueBody().Execute(issueBuffer, details); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(1)
+	}
+
+	fmt.Println("Issue Title:")
+	fmt.Println(titleBuffer.String())
+	fmt.Printf("\n")
+
+	fmt.Println("Issue body:")
+	fmt.Println(issueBuffer.String())
+
+	// if dry run, exit
+	if dryRun {
+		fmt.Printf("\n")
+		fmt.Println("DRY RUN: issue(s) body will not be posted.")
+		fmt.Println("Exiting...")
+		fmt.Printf("\n")
+		os.Exit(0)
+	}
+
+	// else, ask for confirmation
+	fmt.Printf("\n")
+	fmt.Println("Issues will be posted to the provider repositories.")
+	continueOrAbort()
+	fmt.Printf("\n")
+
+	var issuesCreated, issuedFailed []string
+	for _, repo := range repoList {
+		issue := Issue{
+			Title: titleBuffer.String(),
+			Body:  issueBuffer.String(),
+		}
+
+		issueJSON, err := json.Marshal(issue)
+		if err != nil {
+			fmt.Printf("Failed to marshal issue: %s\n", err)
+			os.Exit(1)
+		}
+
+		url := fmt.Sprintf("%s/repos/%s/issues", baseURL, repo)
+		req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, url, bytes.NewBuffer(issueJSON))
+		if err != nil {
+			fmt.Printf("Failed to create request: %s\n", err)
+			os.Exit(1)
+		}
+
+		req.Header.Set("Accept", "application/vnd.github+json")
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", githubToken))
+		req.Header.Set("X-Github-Api-Version", "2022-11-28")
+		req.Header.Set("User-Agent", "provider_issues")
+		req.Header.Set("Content-Type", "application/json")
+
+		client := &http.Client{}
+		resp, err := client.Do(req)
+		if err != nil {
+			fmt.Printf("Failed to send request: %s\n", err)
+			os.Exit(1)
+		}
+
+		if resp.StatusCode != http.StatusCreated {
+			fmt.Println("Failed to create issue for the repository:", repo, "Status:", resp.Status)
+			issuedFailed = append(issuedFailed, repo)
+		} else {
+			responseBody, err := io.ReadAll(resp.Body)
+			if err != nil {
+				fmt.Printf("Failed to read response body: %s\n", err)
+				err := resp.Body.Close()
+				if err != nil {
+					fmt.Printf("Failed to close response body: %s\n", err)
+				}
+				os.Exit(1)
+			}
+
+			var issueResponse IssueResponse
+			err = json.Unmarshal(responseBody, &issueResponse)
+			if err != nil {
+				fmt.Printf("Failed to unmarshal issue response: %s\n", err)
+				err := resp.Body.Close()
+				if err != nil {
+					fmt.Printf("Failed to close response body: %s\n", err)
+				}
+				os.Exit(1)
+			}
+
+			fmt.Println("Issue created for repository:", repo)
+			issuesCreated = append(issuesCreated, issueResponse.HTMLURL)
+		}
+		err = resp.Body.Close()
+		if err != nil {
+			fmt.Printf("Failed to close response body: %s\n", err)
+		}
+	}
+
+	if len(issuesCreated) > 0 || len(issuedFailed) > 0 {
+		fmt.Printf("\n")
+		fmt.Println("###############################################")
+		fmt.Println("Summary:")
+		fmt.Println("###############################################")
+	}
+
+	if len(issuesCreated) > 0 {
+		fmt.Printf("\n")
+		fmt.Println("List of issues created:")
+		fmt.Println("-", strings.Join(issuesCreated, "\n- "))
+	}
+
+	if len(issuedFailed) > 0 {
+		fmt.Printf("\n")
+		fmt.Println("List of issues failed to create:")
+		fmt.Println("-", strings.Join(issuedFailed, "\n- "))
+	}
+}
+
+// continueOrAbort asks the user to continue or abort the script.
+func continueOrAbort() {
+	fmt.Println("Continue? (y/n)")
+	var response string
+	_, err := fmt.Scanln(&response)
+	if err != nil {
+		fmt.Printf("Failed to read response: %s\n", err)
+		os.Exit(1)
+	}
+	if response != "y" {
+		fmt.Println("Aborting...")
+		os.Exit(0)
+	}
+}
+
+// getReleaseDetails returns the release details from the environment variables.
+func getReleaseDetails() releaseDetails {
+	releaseSemVer, keySet := os.LookupEnv("RELEASE_TAG")
+	if !keySet || releaseSemVer == "" {
+		fmt.Println("RELEASE_TAG is a required environmental variable.")
+		fmt.Println("Refer to README.md in folder for more information.")
+		os.Exit(1)
+	}
+
+	match, err := regexp.Match("\\d\\.\\d\\.\\d", []byte(releaseSemVer))
+	if err != nil || !match {
+		fmt.Println("RELEASE_TAG must be in format `\\d\\.\\d\\.\\d` e.g. 1.5")
+		os.Exit(1)
+	}
+
+	releaseDate, keySet := os.LookupEnv("RELEASE_DATE")
+	if !keySet || releaseDate == "" {
+		fmt.Println("RELEASE_DATE is a required environmental variable.")
+		fmt.Println("Refer to README.md in folder for more information.")
+		os.Exit(1)
+	}
+
+	formattedReleaseDate, err := formatDate(releaseDate)
+	if err != nil {
+		fmt.Println("Unable to parse the date.", err)
+		fmt.Println("Refer to README.md in folder for more information.")
+	}
+
+	releaseTag := fmt.Sprintf("v%s", releaseSemVer)
+	betaTag := fmt.Sprintf("v%s%s", releaseSemVer, "-beta.0")
+	releaseLink := fmt.Sprintf("https://github.com/kubernetes-sigs/cluster-api/tree/main/docs/release/releases/release-%s.md#timeline", releaseSemVer)
+
+	return releaseDetails{
+		ReleaseDate: formattedReleaseDate,
+		ReleaseTag:  releaseTag,
+		BetaTag:     betaTag,
+		ReleaseLink: releaseLink,
+	}
+}
+
+// formatDate takes a date in ISO format i.e "2006-01-02" and returns it in the format "Monday 2nd January 2006".
+func formatDate(inputDate string) (string, error) {
+	layoutISO := "2006-01-02"
+	parsedDate, err := time.Parse(layoutISO, inputDate)
+	if err != nil {
+		return "", err
+	}
+
+	// Get the day suffix
+	day := parsedDate.Day()
+	suffix := "th"
+	if day%10 == 1 && day != 11 {
+		suffix = "st"
+	} else if day%10 == 2 && day != 12 {
+		suffix = "nd"
+	} else if day%10 == 3 && day != 13 {
+		suffix = "rd"
+	}
+
+	weekDay := parsedDate.Weekday().String()
+	month := parsedDate.Month().String()
+	formattedDate := fmt.Sprintf("%s, %d%s %s %d", weekDay, day, suffix, month, parsedDate.Year())
+
+	return formattedDate, nil
+}
+
+// getIssueBody returns the issue body template.
+func getIssueBody() *template.Template {
+	// do not indent the body
+	// indenting the body will result in the body being posted as a code snippet
+	issueBody, err := template.New("issue").Parse(`CAPI {{.BetaTag}} has been released and is ready for testing.
+Looking forward to your feedback before {{.ReleaseTag}} release!
+
+## For quick reference
+
+<!-- body -->
+- [CAPI {{.BetaTag}} release notes](https://github.com/kubernetes-sigs/cluster-api/releases/tag/{{.BetaTag}})
+- [Shortcut to CAPI git issues](https://github.com/kubernetes-sigs/cluster-api/issues)
+
+## Following are the planned dates for the upcoming releases
+
+CAPI {{.ReleaseTag}} will be released on **{{.ReleaseDate}}**.
+
+More details of the upcoming schedule can be seen at [CAPI {{.ReleaseTag}} release timeline]({{.ReleaseLink}}).
+
+<!-- [List of CAPI providers](https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/release/release-tasks.md#communicate-beta-to-providers) -->
+<!-- body -->
+`)
+	if err != nil {
+		panic(err)
+	}
+	return issueBody
+}
+
+// getIssueTitle returns the issue title template.
+func getIssueTitle() *template.Template {
+	issueTitle, err := template.New("title").Parse(`CAPI {{.BetaTag}} has been released and is ready for testing`)
+	if err != nil {
+		panic(err)
+	}
+	return issueTitle
+}
diff --git a/hack/tools/release/notes/generator.go b/hack/tools/release/notes/generator.go
index 49e6e92e7e8b..9acb60cd6269 100644
--- a/hack/tools/release/notes/generator.go
+++ b/hack/tools/release/notes/generator.go
@@ -24,16 +24,18 @@ package main
 // process them to generate one entry per PR and then
 // formats and prints the results.
 type notesGenerator struct {
-	lister    prLister
-	processor prProcessor
-	printer   entriesPrinter
+	lister                prLister
+	processor             prProcessor
+	printer               entriesPrinter
+	dependenciesProcessor dependenciesProcessor
 }
 
-func newNotesGenerator(lister prLister, processor prProcessor, printer entriesPrinter) *notesGenerator {
+func newNotesGenerator(lister prLister, processor prProcessor, printer entriesPrinter, dedependenciesProcessor dependenciesProcessor) *notesGenerator {
 	return &notesGenerator{
-		lister:    lister,
-		processor: processor,
-		printer:   printer,
+		lister:                lister,
+		processor:             processor,
+		printer:               printer,
+		dependenciesProcessor: dedependenciesProcessor,
 	}
 }
 
@@ -42,6 +44,7 @@ type pr struct {
 	number uint64
 	title  string
 	labels []string
+	user   string
 }
 
 // prLister returns a list of PRs.
@@ -64,7 +67,7 @@ type prProcessor interface {
 // entriesPrinter formats and outputs to stdout the notes
 // based on a list of entries.
 type entriesPrinter interface {
-	print([]notesEntry)
+	print([]notesEntry, int, string)
 }
 
 // run generates and prints the notes.
@@ -76,7 +79,13 @@ func (g *notesGenerator) run() error {
 
 	entries := g.processor.process(prs)
 
-	g.printer.print(entries)
+	dependencies, err := g.dependenciesProcessor.generateDependencies()
+	if err != nil {
+		return err
+	}
+
+	// Pass in length of PRs to printer as some PRs are excluded from the entries list
+	g.printer.print(entries, len(prs), dependencies)
 
 	return nil
 }
diff --git a/hack/tools/release/notes/github.go b/hack/tools/release/notes/github.go
index 8a93d3803706..5911eca91829 100644
--- a/hack/tools/release/notes/github.go
+++ b/hack/tools/release/notes/github.go
@@ -135,12 +135,17 @@ type githubPR struct {
 	Number uint64        `json:"number"`
 	Title  string        `json:"title"`
 	Labels []githubLabel `json:"labels"`
+	User   githubUser    `json:"user"`
 }
 
 type githubLabel struct {
 	Name string `json:"name"`
 }
 
+type githubUser struct {
+	Login string `json:"login"`
+}
+
 // listMergedPRs calls the `search` endpoint and queries for PRs.
 func (c githubClient) listMergedPRs(after, before time.Time, baseBranches ...string) ([]githubPR, error) {
 	pageSize := 100
diff --git a/hack/tools/release/notes/list.go b/hack/tools/release/notes/list.go
index 2c0afa1b1ea6..fae9c823e5da 100644
--- a/hack/tools/release/notes/list.go
+++ b/hack/tools/release/notes/list.go
@@ -118,6 +118,7 @@ func (l *githubFromToPRLister) listPRs() ([]pr, error) {
 			number: p.Number,
 			title:  p.Title,
 			labels: labels,
+			user:   p.User.Login,
 		})
 	}
 
diff --git a/hack/tools/release/notes/main.go b/hack/tools/release/notes/main.go
index 860fd702a1c8..711336cbc1b5 100644
--- a/hack/tools/release/notes/main.go
+++ b/hack/tools/release/notes/main.go
@@ -2,7 +2,7 @@
 // +build tools
 
 /*
-Copyright 2019 The Kubernetes Authors.
+Copyright 2024 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -28,6 +28,8 @@ import (
 
 	"github.com/blang/semver/v4"
 	"github.com/pkg/errors"
+
+	release "sigs.k8s.io/cluster-api/hack/tools/release/internal"
 )
 
 /*
@@ -109,6 +111,7 @@ func (cmd *notesCmd) run() error {
 		newGithubFromToPRLister(cmd.config.repo, from, to, cmd.config.branch),
 		newPREntryProcessor(cmd.config.prefixAreaLabel),
 		printer,
+		newDependenciesProcessor(cmd.config.repo, from.value, to.value),
 	)
 
 	return generator.run()
@@ -167,10 +170,10 @@ func computeConfigDefaults(config *notesCmdConfig) error {
 		if newTag.Patch == 0 {
 			// If patch = 0, this a new minor release
 			// Hence we want to read commits from
-			config.fromRef = "tags/" + fmt.Sprintf("v%d.%d.0", newTag.Major, newTag.Minor-1)
+			config.fromRef = release.TagsPrefix + fmt.Sprintf("v%d.%d.0", newTag.Major, newTag.Minor-1)
 		} else {
 			// if not new minor release, this is a new patch, just decrease the patch
-			config.fromRef = "tags/" + fmt.Sprintf("v%d.%d.%d", newTag.Major, newTag.Minor, newTag.Patch-1)
+			config.fromRef = release.TagsPrefix + fmt.Sprintf("v%d.%d.%d", newTag.Major, newTag.Minor, newTag.Patch-1)
 		}
 	}
 
diff --git a/hack/tools/release/notes/print.go b/hack/tools/release/notes/print.go
index 4c2819577b7a..2c0a4affbe83 100644
--- a/hack/tools/release/notes/print.go
+++ b/hack/tools/release/notes/print.go
@@ -57,7 +57,7 @@ func newReleaseNotesPrinter(repo, fromTag string) *releaseNotesPrinter {
 }
 
 // print outputs to stdout the release notes.
-func (p *releaseNotesPrinter) print(entries []notesEntry) {
+func (p *releaseNotesPrinter) print(entries []notesEntry, commitsInRelease int, dependencies string) {
 	merges := map[string][]string{
 		release.Features:      {},
 		release.Bugs:          {},
@@ -109,10 +109,10 @@ REPLACE ME: A couple sentences describing the deprecation, including links to do
 	fmt.Printf("## Changes since %s\n", p.fromTag)
 
 	fmt.Printf("## :chart_with_upwards_trend: Overview\n")
-	if count := len(entries); count == 1 {
+	if commitsInRelease == 1 {
 		fmt.Println("- 1 new commit merged")
-	} else if count > 1 {
-		fmt.Printf("- %d new commits merged\n", count)
+	} else if commitsInRelease > 1 {
+		fmt.Printf("- %d new commits merged\n", commitsInRelease)
 	}
 	if count := len(merges[release.Warning]); count == 1 {
 		fmt.Println("- 1 breaking change :warning:")
@@ -167,6 +167,8 @@ REPLACE ME: A couple sentences describing the deprecation, including links to do
 		}
 	}
 
+	fmt.Print(dependencies)
+
 	fmt.Println("")
 	fmt.Println("_Thanks to all our contributors!_ 😊")
 }
diff --git a/hack/tools/release/notes/process.go b/hack/tools/release/notes/process.go
index 7b5da18e6792..1bc3fed534c6 100644
--- a/hack/tools/release/notes/process.go
+++ b/hack/tools/release/notes/process.go
@@ -25,6 +25,8 @@ import (
 	"regexp"
 	"strings"
 
+	"k8s.io/release/pkg/notes"
+
 	release "sigs.k8s.io/cluster-api/hack/tools/release/internal"
 )
 
@@ -80,6 +82,20 @@ func newPREntryProcessor(addAreaPrefix bool) prEntriesProcessor {
 	}
 }
 
+type dependenciesProcessor struct {
+	repo    string
+	fromTag string
+	toTag   string
+}
+
+func newDependenciesProcessor(repo, fromTag, toTag string) dependenciesProcessor {
+	return dependenciesProcessor{
+		repo:    repo,
+		fromTag: fromTag,
+		toTag:   toTag,
+	}
+}
+
 // process generates a PR entry ready for printing per PR. It extracts the area
 // from the PR labels and appends it as a prefix to the title.
 // It might skip some PRs depending on the title.
@@ -101,6 +117,17 @@ func (g prEntriesProcessor) process(prs []pr) []notesEntry {
 	return entries
 }
 
+func (d dependenciesProcessor) generateDependencies() (string, error) {
+	repoURL := fmt.Sprintf("https://github.com/%s", d.repo)
+	deps, err := notes.NewDependencies().ChangesForURL(
+		repoURL, d.fromTag, d.toTag,
+	)
+	if err != nil {
+		return "", err
+	}
+	return deps, nil
+}
+
 func (g prEntriesProcessor) generateNoteEntry(p *pr) *notesEntry {
 	entry := &notesEntry{}
 
@@ -132,6 +159,10 @@ func (g prEntriesProcessor) generateNoteEntry(p *pr) *notesEntry {
 		// Release trigger PRs from previous releases are not included in the release notes
 		return nil
 	case strings.HasPrefix(entry.title, ":seedling:"), strings.HasPrefix(entry.title, "🌱"):
+		// Skip PRs from depndabot. Dependency updates are listed in the dependencies section.
+		if p.user == "dependabot[bot]" {
+			return nil
+		}
 		entry.section = release.Other
 		entry.title = removePrefixes(entry.title, []string{":seedling:", "🌱"})
 	default:
diff --git a/hack/tools/release/notes/test/golden/v1.3.10.md b/hack/tools/release/notes/test/golden/v1.3.10.md
index 282850019b8f..525238e6ccad 100644
--- a/hack/tools/release/notes/test/golden/v1.3.10.md
+++ b/hack/tools/release/notes/test/golden/v1.3.10.md
@@ -30,5 +30,164 @@ REPLACE ME: A couple sentences describing the deprecation, including links to do
 - Dependency: Bump google.golang.org/grpc to v1.55.0 (#8971)
 - Dependency: Change tilt debug base image to golang (#9075)
 
+## Dependencies
+
+### Added
+- cloud.google.com/go/accessapproval: v1.6.0
+- cloud.google.com/go/accesscontextmanager: v1.6.0
+- cloud.google.com/go/aiplatform: v1.35.0
+- cloud.google.com/go/analytics: v0.18.0
+- cloud.google.com/go/apigateway: v1.5.0
+- cloud.google.com/go/apigeeconnect: v1.5.0
+- cloud.google.com/go/apigeeregistry: v0.5.0
+- cloud.google.com/go/apikeys: v0.5.0
+- cloud.google.com/go/appengine: v1.6.0
+- cloud.google.com/go/area120: v0.7.1
+- cloud.google.com/go/artifactregistry: v1.11.2
+- cloud.google.com/go/asset: v1.11.1
+- cloud.google.com/go/assuredworkloads: v1.10.0
+- cloud.google.com/go/automl: v1.12.0
+- cloud.google.com/go/baremetalsolution: v0.5.0
+- cloud.google.com/go/batch: v0.7.0
+- cloud.google.com/go/beyondcorp: v0.4.0
+- cloud.google.com/go/billing: v1.12.0
+- cloud.google.com/go/binaryauthorization: v1.5.0
+- cloud.google.com/go/certificatemanager: v1.6.0
+- cloud.google.com/go/channel: v1.11.0
+- cloud.google.com/go/cloudbuild: v1.7.0
+- cloud.google.com/go/clouddms: v1.5.0
+- cloud.google.com/go/cloudtasks: v1.9.0
+- cloud.google.com/go/compute/metadata: v0.2.3
+- cloud.google.com/go/contactcenterinsights: v1.6.0
+- cloud.google.com/go/container: v1.13.1
+- cloud.google.com/go/containeranalysis: v0.7.0
+- cloud.google.com/go/datacatalog: v1.12.0
+- cloud.google.com/go/dataflow: v0.8.0
+- cloud.google.com/go/dataform: v0.6.0
+- cloud.google.com/go/datafusion: v1.6.0
+- cloud.google.com/go/datalabeling: v0.7.0
+- cloud.google.com/go/dataplex: v1.5.2
+- cloud.google.com/go/dataproc: v1.12.0
+- cloud.google.com/go/dataqna: v0.7.0
+- cloud.google.com/go/datastream: v1.6.0
+- cloud.google.com/go/deploy: v1.6.0
+- cloud.google.com/go/dialogflow: v1.31.0
+- cloud.google.com/go/dlp: v1.9.0
+- cloud.google.com/go/documentai: v1.16.0
+- cloud.google.com/go/domains: v0.8.0
+- cloud.google.com/go/edgecontainer: v0.3.0
+- cloud.google.com/go/errorreporting: v0.3.0
+- cloud.google.com/go/essentialcontacts: v1.5.0
+- cloud.google.com/go/eventarc: v1.10.0
+- cloud.google.com/go/filestore: v1.5.0
+- cloud.google.com/go/functions: v1.10.0
+- cloud.google.com/go/gaming: v1.9.0
+- cloud.google.com/go/gkebackup: v0.4.0
+- cloud.google.com/go/gkeconnect: v0.7.0
+- cloud.google.com/go/gkehub: v0.11.0
+- cloud.google.com/go/gkemulticloud: v0.5.0
+- cloud.google.com/go/gsuiteaddons: v1.5.0
+- cloud.google.com/go/iap: v1.6.0
+- cloud.google.com/go/ids: v1.3.0
+- cloud.google.com/go/iot: v1.5.0
+- cloud.google.com/go/kms: v1.9.0
+- cloud.google.com/go/language: v1.9.0
+- cloud.google.com/go/lifesciences: v0.8.0
+- cloud.google.com/go/logging: v1.7.0
+- cloud.google.com/go/longrunning: v0.4.1
+- cloud.google.com/go/managedidentities: v1.5.0
+- cloud.google.com/go/maps: v0.6.0
+- cloud.google.com/go/mediatranslation: v0.7.0
+- cloud.google.com/go/memcache: v1.9.0
+- cloud.google.com/go/metastore: v1.10.0
+- cloud.google.com/go/monitoring: v1.12.0
+- cloud.google.com/go/networkconnectivity: v1.10.0
+- cloud.google.com/go/networkmanagement: v1.6.0
+- cloud.google.com/go/networksecurity: v0.7.0
+- cloud.google.com/go/notebooks: v1.7.0
+- cloud.google.com/go/optimization: v1.3.1
+- cloud.google.com/go/orchestration: v1.6.0
+- cloud.google.com/go/orgpolicy: v1.10.0
+- cloud.google.com/go/osconfig: v1.11.0
+- cloud.google.com/go/oslogin: v1.9.0
+- cloud.google.com/go/phishingprotection: v0.7.0
+- cloud.google.com/go/policytroubleshooter: v1.5.0
+- cloud.google.com/go/privatecatalog: v0.7.0
+- cloud.google.com/go/pubsublite: v1.6.0
+- cloud.google.com/go/recaptchaenterprise/v2: v2.6.0
+- cloud.google.com/go/recommendationengine: v0.7.0
+- cloud.google.com/go/recommender: v1.9.0
+- cloud.google.com/go/redis: v1.11.0
+- cloud.google.com/go/resourcemanager: v1.5.0
+- cloud.google.com/go/resourcesettings: v1.5.0
+- cloud.google.com/go/retail: v1.12.0
+- cloud.google.com/go/run: v0.8.0
+- cloud.google.com/go/scheduler: v1.8.0
+- cloud.google.com/go/secretmanager: v1.10.0
+- cloud.google.com/go/security: v1.12.0
+- cloud.google.com/go/securitycenter: v1.18.1
+- cloud.google.com/go/servicecontrol: v1.11.0
+- cloud.google.com/go/servicedirectory: v1.8.0
+- cloud.google.com/go/servicemanagement: v1.6.0
+- cloud.google.com/go/serviceusage: v1.5.0
+- cloud.google.com/go/shell: v1.6.0
+- cloud.google.com/go/spanner: v1.44.0
+- cloud.google.com/go/speech: v1.14.1
+- cloud.google.com/go/storagetransfer: v1.7.0
+- cloud.google.com/go/talent: v1.5.0
+- cloud.google.com/go/texttospeech: v1.6.0
+- cloud.google.com/go/tpu: v1.5.0
+- cloud.google.com/go/trace: v1.8.0
+- cloud.google.com/go/translate: v1.6.0
+- cloud.google.com/go/video: v1.13.0
+- cloud.google.com/go/videointelligence: v1.10.0
+- cloud.google.com/go/vision/v2: v2.6.0
+- cloud.google.com/go/vmmigration: v1.5.0
+- cloud.google.com/go/vmwareengine: v0.2.2
+- cloud.google.com/go/vpcaccess: v1.6.0
+- cloud.google.com/go/webrisk: v1.8.0
+- cloud.google.com/go/websecurityscanner: v1.5.0
+- cloud.google.com/go/workflows: v1.10.0
+
+### Changed
+- cloud.google.com/go/bigquery: v1.8.0 → v1.48.0
+- cloud.google.com/go/compute: v1.7.0 → v1.18.0
+- cloud.google.com/go/datastore: v1.1.0 → v1.10.0
+- cloud.google.com/go/firestore: v1.6.1 → v1.9.0
+- cloud.google.com/go/iam: v0.3.0 → v0.12.0
+- cloud.google.com/go/pubsub: v1.3.1 → v1.28.0
+- cloud.google.com/go/storage: v1.22.1 → v1.14.0
+- cloud.google.com/go: v0.102.0 → v0.110.0
+- github.com/census-instrumentation/opencensus-proto: [v0.2.1 → v0.4.1](https://github.com/census-instrumentation/opencensus-proto/compare/v0.2.1...v0.4.1)
+- github.com/cespare/xxhash/v2: [v2.1.2 → v2.2.0](https://github.com/cespare/xxhash/compare/v2.1.2...v2.2.0)
+- github.com/cncf/udpa/go: [04548b0 → c52dc94](https://github.com/cncf/udpa/compare/04548b0...c52dc94)
+- github.com/cncf/xds/go: [cb28da3 → 32f1caf](https://github.com/cncf/xds/compare/cb28da3...32f1caf)
+- github.com/envoyproxy/go-control-plane: [49ff273 → v0.11.0](https://github.com/envoyproxy/go-control-plane/compare/49ff273...v0.11.0)
+- github.com/envoyproxy/protoc-gen-validate: [v0.1.0 → v0.10.0](https://github.com/envoyproxy/protoc-gen-validate/compare/v0.1.0...v0.10.0)
+- github.com/golang/glog: [v1.0.0 → v1.1.0](https://github.com/golang/glog/compare/v1.0.0...v1.1.0)
+- github.com/golang/mock: [v1.6.0 → v1.4.4](https://github.com/golang/mock/compare/v1.6.0...v1.4.4)
+- github.com/golang/protobuf: [v1.5.2 → v1.5.3](https://github.com/golang/protobuf/compare/v1.5.2...v1.5.3)
+- github.com/google/martian/v3: [v3.2.1 → v3.1.0](https://github.com/google/martian/compare/v3.2.1...v3.1.0)
+- github.com/google/pprof: [4bb14d4 → 94a9f03](https://github.com/google/pprof/compare/4bb14d4...94a9f03)
+- github.com/googleapis/enterprise-certificate-proxy: [fd19c99 → v0.2.1](https://github.com/googleapis/enterprise-certificate-proxy/compare/fd19c99...v0.2.1)
+- github.com/googleapis/gax-go/v2: [v2.4.0 → v2.7.0](https://github.com/googleapis/gax-go/compare/v2.4.0...v2.7.0)
+- go.opencensus.io: v0.23.0 → v0.24.0
+- golang.org/x/mod: 86c51ed → v0.8.0
+- golang.org/x/net: v0.7.0 → v0.8.0
+- golang.org/x/oauth2: f213421 → v0.6.0
+- golang.org/x/sys: v0.5.0 → v0.6.0
+- golang.org/x/term: v0.5.0 → v0.6.0
+- golang.org/x/text: v0.7.0 → v0.8.0
+- golang.org/x/tools: v0.2.0 → v0.6.0
+- golang.org/x/xerrors: 65e6541 → f3a8303
+- google.golang.org/api: v0.84.0 → v0.108.0
+- google.golang.org/genproto: 88e70c0 → 7f2fa6f
+- google.golang.org/grpc: v1.47.0 → v1.55.0
+- google.golang.org/protobuf: v1.28.1 → v1.30.0
+
+### Removed
+- github.com/golang/snappy: [v0.0.3](https://github.com/golang/snappy/tree/v0.0.3)
+- github.com/googleapis/go-type-adapters: [v1.0.0](https://github.com/googleapis/go-type-adapters/tree/v1.0.0)
+- google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.1.0
 
 _Thanks to all our contributors!_ 😊
diff --git a/hack/tools/release/notes/test/golden/v1.5.0.md b/hack/tools/release/notes/test/golden/v1.5.0.md
index 01f35fdba2a8..235ec34b63c7 100644
--- a/hack/tools/release/notes/test/golden/v1.5.0.md
+++ b/hack/tools/release/notes/test/golden/v1.5.0.md
@@ -161,45 +161,14 @@ REPLACE ME: A couple sentences describing the deprecation, including links to do
 - clusterctl: Update cert-manager to v1.12.2 (#8883)
 - Core: Cache unstructured in Cluster, MD and MS controller (#8916)
 - Core: Remove unnecessary requeues (#8743)
-- Dependency: Bump actions/checkout from 3.3.0 to 3.4.0 (#8321)
-- Dependency: Bump actions/checkout from 3.4.0 to 3.5.0 (#8389)
-- Dependency: Bump actions/checkout from 3.5.0 to 3.5.2 (#8540)
-- Dependency: Bump actions/checkout from 3.5.2 to 3.5.3 (#8837)
-- Dependency: Bump actions/setup-go from 3.5.0 to 4.0.1 (#8664)
 - Dependency: Bump docker to v24.0.5 (#9065)
 - Dependency: Bump docker/distribution to v2.8.2 (#8645)
-- Dependency: Bump EndBug/add-and-commit from 9.1.1 to 9.1.2 (#8584)
-- Dependency: Bump EndBug/add-and-commit from 9.1.2 to 9.1.3 (#8621)
 - Dependency: Bump gcb-docker-gcloud from v20230424-910a2a439d to v20230522-312425ae46 (#8770)
 - Dependency: Bump gcb-docker-gcloud image (#8570)
 - Dependency: Bump github.com/emicklei/go-restful/v3  from 3.9.0 to 3.10.2 in /test (#9056)
-- Dependency: Bump github.com/go-logr/logr from 1.2.3 to 1.2.4 (#8461)
-- Dependency: Bump github.com/onsi/ginkgo/v2 from 2.10.0 to 2.11.0 (#8891)
-- Dependency: Bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.9.4 (#8622)
-- Dependency: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 (#8666)
-- Dependency: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#8792)
-- Dependency: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 (#8839)
-- Dependency: Bump github.com/onsi/gomega from 1.27.4 to 1.27.5 (#8390)
-- Dependency: Bump github.com/onsi/gomega from 1.27.5 to 1.27.6 (#8460)
-- Dependency: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#8715)
-- Dependency: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 (#8841)
-- Dependency: Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 (#8541)
-- Dependency: Bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 (#8623)
-- Dependency: Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#8890)
-- Dependency: Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#8502)
-- Dependency: Bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#8791)
 - Dependency: Bump golang version (1.20.3 -> 1.20.4) (#8749)
-- Dependency: Bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 (#8503)
-- Dependency: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#8665)
-- Dependency: Bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 (#8889)
-- Dependency: Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#8985)
-- Dependency: Bump golang.org/x/text from 0.8.0 to 0.9.0 (#8504)
-- Dependency: Bump golang.org/x/text from 0.9.0 to 0.10.0 (#8840)
 - Dependency: Bump golangci-lint to 1.52.1 and fix findings (#8331)
 - Dependency: Bump golangci-lint to v1.51.2 (#8312)
-- Dependency: Bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#8790)
-- Dependency: Bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#8838)
-- Dependency: Bump gomodules.xyz/jsonpatch/v2 from 2.2.0 to 2.3.0 (#8716)
 - Dependency: Bump kind to v0.19.0 (#8681)
 - Dependency: Bump kindnet and haproxy images to latest (#8676)
 - Dependency: Bump to Go 1.20.6 (#9058)
@@ -297,5 +266,241 @@ REPLACE ME: A couple sentences describing the deprecation, including links to do
 
 :book: Additionally, there have been 74 contributions to our documentation and book. (#8252, #8279, #8284, #8288, #8293, #8307, #8308, #8309, #8319, #8327, #8351, #8355, #8363, #8375, #8383, #8397, #8416, #8419, #8439, #8446, #8447, #8454, #8508, #8509, #8510, #8511, #8520, #8521, #8544, #8552, #8554, #8559, #8580, #8587, #8593, #8596, #8597, #8612, #8613, #8630, #8632, #8651, #8661, #8673, #8686, #8699, #8701, #8712, #8719, #8729, #8740, #8753, #8760, #8762, #8763, #8775, #8779, #8781, #8782, #8787, #8798, #8802, #8805, #8812, #8843, #8854, #8901, #8924, #8932, #8955, #8956, #8958, #8960, #8980) 
 
+## Dependencies
+
+### Added
+- cloud.google.com/go/apigeeregistry: v0.6.0
+- cloud.google.com/go/apikeys: v0.6.0
+- github.com/adrg/xdg: [v0.4.0](https://github.com/adrg/xdg/tree/v0.4.0)
+- github.com/alecthomas/kingpin/v2: [v2.3.1](https://github.com/alecthomas/kingpin/tree/v2.3.1)
+- github.com/golang-jwt/jwt/v4: [v4.4.2](https://github.com/golang-jwt/jwt/tree/v4.4.2)
+- github.com/golangplus/bytes: [v1.0.0](https://github.com/golangplus/bytes/tree/v1.0.0)
+- github.com/golangplus/fmt: [v1.0.0](https://github.com/golangplus/fmt/tree/v1.0.0)
+- github.com/golangplus/testing: [v1.0.0](https://github.com/golangplus/testing/tree/v1.0.0)
+- github.com/google/s2a-go: [v0.1.3](https://github.com/google/s2a-go/tree/v0.1.3)
+- github.com/xhit/go-str2duration: [v1.2.0](https://github.com/xhit/go-str2duration/tree/v1.2.0)
+- sigs.k8s.io/kustomize/cmd/config: v0.11.1
+- sigs.k8s.io/kustomize/kustomize/v5: v5.0.1
+
+### Changed
+- cloud.google.com/go/accessapproval: v1.5.0 → v1.6.0
+- cloud.google.com/go/accesscontextmanager: v1.4.0 → v1.7.0
+- cloud.google.com/go/aiplatform: v1.27.0 → v1.37.0
+- cloud.google.com/go/analytics: v0.12.0 → v0.19.0
+- cloud.google.com/go/apigateway: v1.4.0 → v1.5.0
+- cloud.google.com/go/apigeeconnect: v1.4.0 → v1.5.0
+- cloud.google.com/go/appengine: v1.5.0 → v1.7.1
+- cloud.google.com/go/area120: v0.6.0 → v0.7.1
+- cloud.google.com/go/artifactregistry: v1.9.0 → v1.13.0
+- cloud.google.com/go/asset: v1.10.0 → v1.13.0
+- cloud.google.com/go/assuredworkloads: v1.9.0 → v1.10.0
+- cloud.google.com/go/automl: v1.8.0 → v1.12.0
+- cloud.google.com/go/baremetalsolution: v0.4.0 → v0.5.0
+- cloud.google.com/go/batch: v0.4.0 → v0.7.0
+- cloud.google.com/go/beyondcorp: v0.3.0 → v0.5.0
+- cloud.google.com/go/bigquery: v1.44.0 → v1.50.0
+- cloud.google.com/go/billing: v1.7.0 → v1.13.0
+- cloud.google.com/go/binaryauthorization: v1.4.0 → v1.5.0
+- cloud.google.com/go/certificatemanager: v1.4.0 → v1.6.0
+- cloud.google.com/go/channel: v1.9.0 → v1.12.0
+- cloud.google.com/go/cloudbuild: v1.4.0 → v1.9.0
+- cloud.google.com/go/clouddms: v1.4.0 → v1.5.0
+- cloud.google.com/go/cloudtasks: v1.8.0 → v1.10.0
+- cloud.google.com/go/compute: v1.14.0 → v1.20.1
+- cloud.google.com/go/contactcenterinsights: v1.4.0 → v1.6.0
+- cloud.google.com/go/container: v1.7.0 → v1.15.0
+- cloud.google.com/go/containeranalysis: v0.6.0 → v0.9.0
+- cloud.google.com/go/datacatalog: v1.8.0 → v1.13.0
+- cloud.google.com/go/dataflow: v0.7.0 → v0.8.0
+- cloud.google.com/go/dataform: v0.5.0 → v0.7.0
+- cloud.google.com/go/datafusion: v1.5.0 → v1.6.0
+- cloud.google.com/go/datalabeling: v0.6.0 → v0.7.0
+- cloud.google.com/go/dataplex: v1.4.0 → v1.6.0
+- cloud.google.com/go/dataproc: v1.8.0 → v1.12.0
+- cloud.google.com/go/dataqna: v0.6.0 → v0.7.0
+- cloud.google.com/go/datastore: v1.10.0 → v1.11.0
+- cloud.google.com/go/datastream: v1.5.0 → v1.7.0
+- cloud.google.com/go/deploy: v1.5.0 → v1.8.0
+- cloud.google.com/go/dialogflow: v1.19.0 → v1.32.0
+- cloud.google.com/go/dlp: v1.7.0 → v1.9.0
+- cloud.google.com/go/documentai: v1.10.0 → v1.18.0
+- cloud.google.com/go/domains: v0.7.0 → v0.8.0
+- cloud.google.com/go/edgecontainer: v0.2.0 → v1.0.0
+- cloud.google.com/go/essentialcontacts: v1.4.0 → v1.5.0
+- cloud.google.com/go/eventarc: v1.8.0 → v1.11.0
+- cloud.google.com/go/filestore: v1.4.0 → v1.6.0
+- cloud.google.com/go/functions: v1.9.0 → v1.13.0
+- cloud.google.com/go/gaming: v1.8.0 → v1.9.0
+- cloud.google.com/go/gkebackup: v0.3.0 → v0.4.0
+- cloud.google.com/go/gkeconnect: v0.6.0 → v0.7.0
+- cloud.google.com/go/gkehub: v0.10.0 → v0.12.0
+- cloud.google.com/go/gkemulticloud: v0.4.0 → v0.5.0
+- cloud.google.com/go/gsuiteaddons: v1.4.0 → v1.5.0
+- cloud.google.com/go/iam: v0.8.0 → v0.13.0
+- cloud.google.com/go/iap: v1.5.0 → v1.7.1
+- cloud.google.com/go/ids: v1.2.0 → v1.3.0
+- cloud.google.com/go/iot: v1.4.0 → v1.6.0
+- cloud.google.com/go/kms: v1.6.0 → v1.10.1
+- cloud.google.com/go/language: v1.8.0 → v1.9.0
+- cloud.google.com/go/lifesciences: v0.6.0 → v0.8.0
+- cloud.google.com/go/logging: v1.6.1 → v1.7.0
+- cloud.google.com/go/longrunning: v0.3.0 → v0.4.1
+- cloud.google.com/go/managedidentities: v1.4.0 → v1.5.0
+- cloud.google.com/go/maps: v0.1.0 → v0.7.0
+- cloud.google.com/go/mediatranslation: v0.6.0 → v0.7.0
+- cloud.google.com/go/memcache: v1.7.0 → v1.9.0
+- cloud.google.com/go/metastore: v1.8.0 → v1.10.0
+- cloud.google.com/go/monitoring: v1.8.0 → v1.13.0
+- cloud.google.com/go/networkconnectivity: v1.7.0 → v1.11.0
+- cloud.google.com/go/networkmanagement: v1.5.0 → v1.6.0
+- cloud.google.com/go/networksecurity: v0.6.0 → v0.8.0
+- cloud.google.com/go/notebooks: v1.5.0 → v1.8.0
+- cloud.google.com/go/optimization: v1.2.0 → v1.3.1
+- cloud.google.com/go/orchestration: v1.4.0 → v1.6.0
+- cloud.google.com/go/orgpolicy: v1.5.0 → v1.10.0
+- cloud.google.com/go/osconfig: v1.10.0 → v1.11.0
+- cloud.google.com/go/oslogin: v1.7.0 → v1.9.0
+- cloud.google.com/go/phishingprotection: v0.6.0 → v0.7.0
+- cloud.google.com/go/policytroubleshooter: v1.4.0 → v1.6.0
+- cloud.google.com/go/privatecatalog: v0.6.0 → v0.8.0
+- cloud.google.com/go/pubsub: v1.27.1 → v1.30.0
+- cloud.google.com/go/pubsublite: v1.5.0 → v1.7.0
+- cloud.google.com/go/recaptchaenterprise/v2: v2.5.0 → v2.7.0
+- cloud.google.com/go/recommendationengine: v0.6.0 → v0.7.0
+- cloud.google.com/go/recommender: v1.8.0 → v1.9.0
+- cloud.google.com/go/redis: v1.10.0 → v1.11.0
+- cloud.google.com/go/resourcemanager: v1.4.0 → v1.7.0
+- cloud.google.com/go/resourcesettings: v1.4.0 → v1.5.0
+- cloud.google.com/go/retail: v1.11.0 → v1.12.0
+- cloud.google.com/go/run: v0.3.0 → v0.9.0
+- cloud.google.com/go/scheduler: v1.7.0 → v1.9.0
+- cloud.google.com/go/secretmanager: v1.9.0 → v1.10.0
+- cloud.google.com/go/security: v1.10.0 → v1.13.0
+- cloud.google.com/go/securitycenter: v1.16.0 → v1.19.0
+- cloud.google.com/go/servicecontrol: v1.5.0 → v1.11.1
+- cloud.google.com/go/servicedirectory: v1.7.0 → v1.9.0
+- cloud.google.com/go/servicemanagement: v1.5.0 → v1.8.0
+- cloud.google.com/go/serviceusage: v1.4.0 → v1.6.0
+- cloud.google.com/go/shell: v1.4.0 → v1.6.0
+- cloud.google.com/go/spanner: v1.41.0 → v1.45.0
+- cloud.google.com/go/speech: v1.9.0 → v1.15.0
+- cloud.google.com/go/storagetransfer: v1.6.0 → v1.8.0
+- cloud.google.com/go/talent: v1.4.0 → v1.5.0
+- cloud.google.com/go/texttospeech: v1.5.0 → v1.6.0
+- cloud.google.com/go/tpu: v1.4.0 → v1.5.0
+- cloud.google.com/go/trace: v1.4.0 → v1.9.0
+- cloud.google.com/go/translate: v1.4.0 → v1.7.0
+- cloud.google.com/go/video: v1.9.0 → v1.15.0
+- cloud.google.com/go/videointelligence: v1.9.0 → v1.10.0
+- cloud.google.com/go/vision/v2: v2.5.0 → v2.7.0
+- cloud.google.com/go/vmmigration: v1.3.0 → v1.6.0
+- cloud.google.com/go/vmwareengine: v0.1.0 → v0.3.0
+- cloud.google.com/go/vpcaccess: v1.5.0 → v1.6.0
+- cloud.google.com/go/webrisk: v1.7.0 → v1.8.0
+- cloud.google.com/go/websecurityscanner: v1.4.0 → v1.5.0
+- cloud.google.com/go/workflows: v1.9.0 → v1.10.0
+- cloud.google.com/go: v0.105.0 → v0.110.0
+- github.com/alecthomas/template: [fb15b89 → a0175ee](https://github.com/alecthomas/template/compare/fb15b89...a0175ee)
+- github.com/alecthomas/units: [ff826a3 → b94a6e3](https://github.com/alecthomas/units/compare/ff826a3...b94a6e3)
+- github.com/census-instrumentation/opencensus-proto: [v0.2.1 → v0.4.1](https://github.com/census-instrumentation/opencensus-proto/compare/v0.2.1...v0.4.1)
+- github.com/cespare/xxhash/v2: [v2.1.2 → v2.2.0](https://github.com/cespare/xxhash/compare/v2.1.2...v2.2.0)
+- github.com/cncf/udpa/go: [04548b0 → c52dc94](https://github.com/cncf/udpa/compare/04548b0...c52dc94)
+- github.com/cncf/xds/go: [cb28da3 → 32f1caf](https://github.com/cncf/xds/compare/cb28da3...32f1caf)
+- github.com/coreos/go-systemd/v22: [v22.3.2 → v22.4.0](https://github.com/coreos/go-systemd/compare/v22.3.2...v22.4.0)
+- github.com/creack/pty: [v1.1.11 → v1.1.18](https://github.com/creack/pty/compare/v1.1.11...v1.1.18)
+- github.com/docker/distribution: [v2.8.1+incompatible → v2.8.2+incompatible](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)
+- github.com/envoyproxy/go-control-plane: [49ff273 → v0.11.0](https://github.com/envoyproxy/go-control-plane/compare/49ff273...v0.11.0)
+- github.com/envoyproxy/protoc-gen-validate: [v0.1.0 → v0.10.0](https://github.com/envoyproxy/protoc-gen-validate/compare/v0.1.0...v0.10.0)
+- github.com/frankban/quicktest: [v1.14.3 → v1.14.4](https://github.com/frankban/quicktest/compare/v1.14.3...v1.14.4)
+- github.com/go-errors/errors: [v1.0.1 → v1.4.2](https://github.com/go-errors/errors/compare/v1.0.1...v1.4.2)
+- github.com/go-kit/kit: [v0.9.0 → v0.8.0](https://github.com/go-kit/kit/compare/v0.9.0...v0.8.0)
+- github.com/go-kit/log: [v0.2.0 → v0.2.1](https://github.com/go-kit/log/compare/v0.2.0...v0.2.1)
+- github.com/go-logr/logr: [v1.2.3 → v1.2.4](https://github.com/go-logr/logr/compare/v1.2.3...v1.2.4)
+- github.com/go-logr/zapr: [v1.2.3 → v1.2.4](https://github.com/go-logr/zapr/compare/v1.2.3...v1.2.4)
+- github.com/go-openapi/jsonpointer: [v0.19.5 → v0.19.6](https://github.com/go-openapi/jsonpointer/compare/v0.19.5...v0.19.6)
+- github.com/go-openapi/jsonreference: [v0.20.0 → v0.20.1](https://github.com/go-openapi/jsonreference/compare/v0.20.0...v0.20.1)
+- github.com/go-task/slim-sprig: [348f09d → 52ccab3](https://github.com/go-task/slim-sprig/compare/348f09d...52ccab3)
+- github.com/golang/glog: [23def4e → v1.1.0](https://github.com/golang/glog/compare/23def4e...v1.1.0)
+- github.com/google/pprof: [94a9f03 → 4bb14d4](https://github.com/google/pprof/compare/94a9f03...4bb14d4)
+- github.com/googleapis/enterprise-certificate-proxy: [v0.2.1 → v0.2.3](https://github.com/googleapis/enterprise-certificate-proxy/compare/v0.2.1...v0.2.3)
+- github.com/googleapis/gax-go/v2: [v2.7.0 → v2.8.0](https://github.com/googleapis/gax-go/compare/v2.7.0...v2.8.0)
+- github.com/hashicorp/consul/api: [v1.18.0 → v1.20.0](https://github.com/hashicorp/consul/compare/api/v1.18.0...api/v1.20.0)
+- github.com/inconshreveable/mousetrap: [v1.0.1 → v1.1.0](https://github.com/inconshreveable/mousetrap/compare/v1.0.1...v1.1.0)
+- github.com/konsorten/go-windows-terminal-sequences: [v1.0.3 → v1.0.1](https://github.com/konsorten/go-windows-terminal-sequences/compare/v1.0.3...v1.0.1)
+- github.com/kr/pretty: [v0.3.0 → v0.3.1](https://github.com/kr/pretty/compare/v0.3.0...v0.3.1)
+- github.com/matttproud/golang_protobuf_extensions: [v1.0.2 → v1.0.4](https://github.com/matttproud/golang_protobuf_extensions/compare/v1.0.2...v1.0.4)
+- github.com/moby/term: [39b0c02 → 1aeaba8](https://github.com/moby/term/compare/39b0c02...1aeaba8)
+- github.com/onsi/ginkgo/v2: [v2.9.1 → v2.11.0](https://github.com/onsi/ginkgo/compare/v2.9.1...v2.11.0)
+- github.com/onsi/gomega: [v1.27.4 → v1.27.8](https://github.com/onsi/gomega/compare/v1.27.4...v1.27.8)
+- github.com/pelletier/go-toml/v2: [v2.0.6 → v2.0.8](https://github.com/pelletier/go-toml/compare/v2.0.6...v2.0.8)
+- github.com/prometheus/client_golang: [v1.14.0 → v1.16.0](https://github.com/prometheus/client_golang/compare/v1.14.0...v1.16.0)
+- github.com/prometheus/client_model: [v0.3.0 → v0.4.0](https://github.com/prometheus/client_model/compare/v0.3.0...v0.4.0)
+- github.com/prometheus/common: [v0.37.0 → v0.42.0](https://github.com/prometheus/common/compare/v0.37.0...v0.42.0)
+- github.com/prometheus/procfs: [v0.8.0 → v0.10.1](https://github.com/prometheus/procfs/compare/v0.8.0...v0.10.1)
+- github.com/rogpeppe/go-internal: [v1.6.1 → v1.10.0](https://github.com/rogpeppe/go-internal/compare/v1.6.1...v1.10.0)
+- github.com/sagikazarmark/crypt: [v0.9.0 → v0.10.0](https://github.com/sagikazarmark/crypt/compare/v0.9.0...v0.10.0)
+- github.com/sirupsen/logrus: [v1.8.1 → v1.9.0](https://github.com/sirupsen/logrus/compare/v1.8.1...v1.9.0)
+- github.com/spf13/afero: [v1.9.3 → v1.9.5](https://github.com/spf13/afero/compare/v1.9.3...v1.9.5)
+- github.com/spf13/cast: [v1.5.0 → v1.5.1](https://github.com/spf13/cast/compare/v1.5.0...v1.5.1)
+- github.com/spf13/cobra: [v1.6.1 → v1.7.0](https://github.com/spf13/cobra/compare/v1.6.1...v1.7.0)
+- github.com/spf13/viper: [v1.15.0 → v1.16.0](https://github.com/spf13/viper/compare/v1.15.0...v1.16.0)
+- github.com/stretchr/testify: [v1.8.1 → v1.8.3](https://github.com/stretchr/testify/compare/v1.8.1...v1.8.3)
+- github.com/tmc/grpc-websocket-proxy: [e5319fd → 673ab2c](https://github.com/tmc/grpc-websocket-proxy/compare/e5319fd...673ab2c)
+- go.etcd.io/etcd/api/v3: v3.5.6 → v3.5.9
+- go.etcd.io/etcd/client/pkg/v3: v3.5.6 → v3.5.9
+- go.etcd.io/etcd/client/v2: v2.305.6 → v2.305.7
+- go.etcd.io/etcd/client/v3: v3.5.6 → v3.5.9
+- go.etcd.io/etcd/pkg/v3: v3.5.5 → v3.5.7
+- go.etcd.io/etcd/raft/v3: v3.5.5 → v3.5.7
+- go.etcd.io/etcd/server/v3: v3.5.5 → v3.5.7
+- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.35.0 → v0.35.1
+- go.uber.org/goleak: v1.2.0 → v1.2.1
+- golang.org/x/crypto: v0.3.0 → v0.11.0
+- golang.org/x/lint: 6edffad → 83fdc39
+- golang.org/x/mod: v0.9.0 → v0.10.0
+- golang.org/x/net: v0.8.0 → v0.12.0
+- golang.org/x/oauth2: v0.6.0 → v0.10.0
+- golang.org/x/sync: v0.1.0 → v0.2.0
+- golang.org/x/sys: v0.6.0 → v0.10.0
+- golang.org/x/term: v0.6.0 → v0.10.0
+- golang.org/x/text: v0.8.0 → v0.11.0
+- golang.org/x/tools: v0.7.0 → v0.9.3
+- gomodules.xyz/jsonpatch/v2: v2.2.0 → v2.3.0
+- google.golang.org/api: v0.107.0 → v0.122.0
+- google.golang.org/genproto: f9683d7 → daa745c
+- google.golang.org/grpc: v1.52.0 → v1.55.0
+- google.golang.org/protobuf: v1.28.1 → v1.31.0
+- gopkg.in/square/go-jose.v2: v2.2.2 → v2.6.0
+- k8s.io/api: v0.26.1 → v0.27.2
+- k8s.io/apiextensions-apiserver: v0.26.1 → v0.27.2
+- k8s.io/apimachinery: v0.26.1 → v0.27.2
+- k8s.io/apiserver: v0.26.1 → v0.27.2
+- k8s.io/cli-runtime: v0.25.0 → v0.27.2
+- k8s.io/client-go: v0.26.1 → v0.27.2
+- k8s.io/cluster-bootstrap: v0.25.0 → v0.27.2
+- k8s.io/code-generator: v0.26.1 → v0.27.2
+- k8s.io/component-base: v0.26.1 → v0.27.2
+- k8s.io/component-helpers: v0.25.0 → v0.27.2
+- k8s.io/klog/v2: v2.80.1 → v2.90.1
+- k8s.io/kms: v0.26.1 → v0.27.2
+- k8s.io/kube-openapi: 172d655 → 8b0f38b
+- k8s.io/kubectl: v0.25.0 → v0.27.2
+- k8s.io/metrics: v0.25.0 → v0.27.2
+- k8s.io/utils: 99ec85e → a36077c
+- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.35 → v0.1.2
+- sigs.k8s.io/controller-runtime: v0.14.5 → v0.15.0
+- sigs.k8s.io/json: f223a00 → bc3834c
+- sigs.k8s.io/kustomize/api: v0.12.1 → v0.13.2
+- sigs.k8s.io/kustomize/kyaml: v0.13.9 → v0.14.1
+
+### Removed
+- github.com/PuerkitoBio/purell: [v1.1.1](https://github.com/PuerkitoBio/purell/tree/v1.1.1)
+- github.com/PuerkitoBio/urlesc: [de5bf2a](https://github.com/PuerkitoBio/urlesc/tree/de5bf2a)
+- github.com/elazarl/goproxy: [947c36d](https://github.com/elazarl/goproxy/tree/947c36d)
+- github.com/form3tech-oss/jwt-go: [v3.2.3+incompatible](https://github.com/form3tech-oss/jwt-go/tree/v3.2.3)
+- github.com/niemeyer/pretty: [a10e7ca](https://github.com/niemeyer/pretty/tree/a10e7ca)
+- github.com/russross/blackfriday: [v1.5.2](https://github.com/russross/blackfriday/tree/v1.5.2)
+- gotest.tools/v3: v3.0.3
+- sigs.k8s.io/kustomize/kustomize/v4: v4.5.7
 
 _Thanks to all our contributors!_ 😊
diff --git a/internal/controllers/machinedeployment/machinedeployment_controller_test.go b/internal/controllers/machinedeployment/machinedeployment_controller_test.go
index 8c6015511d3d..b54f128cb41e 100644
--- a/internal/controllers/machinedeployment/machinedeployment_controller_test.go
+++ b/internal/controllers/machinedeployment/machinedeployment_controller_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package machinedeployment
 
 import (
+	"context"
 	"testing"
 	"time"
 
@@ -25,6 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/retry"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -35,6 +37,7 @@ import (
 	"sigs.k8s.io/cluster-api/internal/util/ssa"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/conditions"
+	"sigs.k8s.io/cluster-api/util/patch"
 )
 
 const (
@@ -970,3 +973,23 @@ func TestGetMachineSetsForDeployment(t *testing.T) {
 		})
 	}
 }
+
+// We have this as standalone variant to be able to use it from the tests.
+func updateMachineDeployment(ctx context.Context, c client.Client, md *clusterv1.MachineDeployment, modify func(*clusterv1.MachineDeployment)) error {
+	mdObjectKey := util.ObjectKey(md)
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		// Note: We intentionally don't re-use the passed in MachineDeployment md here as that would
+		// overwrite any local changes we might have previously made to the MachineDeployment with the version
+		// we get here from the apiserver.
+		md := &clusterv1.MachineDeployment{}
+		if err := c.Get(ctx, mdObjectKey, md); err != nil {
+			return err
+		}
+		patchHelper, err := patch.NewHelper(md, c)
+		if err != nil {
+			return err
+		}
+		modify(md)
+		return patchHelper.Patch(ctx, md)
+	})
+}
diff --git a/internal/controllers/machinedeployment/machinedeployment_sync.go b/internal/controllers/machinedeployment/machinedeployment_sync.go
index 09c42c0f4f83..18f0bbe99274 100644
--- a/internal/controllers/machinedeployment/machinedeployment_sync.go
+++ b/internal/controllers/machinedeployment/machinedeployment_sync.go
@@ -31,7 +31,6 @@ import (
 	apirand "k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/client-go/util/retry"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -41,7 +40,6 @@ import (
 	"sigs.k8s.io/cluster-api/internal/controllers/machinedeployment/mdutil"
 	"sigs.k8s.io/cluster-api/internal/util/hash"
 	"sigs.k8s.io/cluster-api/internal/util/ssa"
-	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/conditions"
 	"sigs.k8s.io/cluster-api/util/patch"
 )
@@ -114,12 +112,7 @@ func (r *Reconciler) getNewMachineSet(ctx context.Context, md *clusterv1.Machine
 		}
 
 		// Ensure MachineDeployment has the latest MachineSet revision in its revision annotation.
-		err = r.updateMachineDeployment(ctx, md, func(*clusterv1.MachineDeployment) {
-			mdutil.SetDeploymentRevision(md, updatedMS.Annotations[clusterv1.RevisionAnnotation])
-		})
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to update revision annotation on MachineDeployment")
-		}
+		mdutil.SetDeploymentRevision(md, updatedMS.Annotations[clusterv1.RevisionAnnotation])
 		return updatedMS, nil
 	}
 
@@ -133,13 +126,7 @@ func (r *Reconciler) getNewMachineSet(ctx context.Context, md *clusterv1.Machine
 		return nil, err
 	}
 
-	// Ensure MachineDeployment has the latest MachineSet revision in its revision annotation.
-	err = r.updateMachineDeployment(ctx, md, func(*clusterv1.MachineDeployment) {
-		mdutil.SetDeploymentRevision(md, newMS.Annotations[clusterv1.RevisionAnnotation])
-	})
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to update revision annotation on MachineDeployment")
-	}
+	mdutil.SetDeploymentRevision(md, newMS.Annotations[clusterv1.RevisionAnnotation])
 
 	return newMS, nil
 }
@@ -655,27 +642,3 @@ func (r *Reconciler) cleanupDeployment(ctx context.Context, oldMSs []*clusterv1.
 
 	return nil
 }
-
-func (r *Reconciler) updateMachineDeployment(ctx context.Context, md *clusterv1.MachineDeployment, modify func(*clusterv1.MachineDeployment)) error {
-	return updateMachineDeployment(ctx, r.Client, md, modify)
-}
-
-// We have this as standalone variant to be able to use it from the tests.
-func updateMachineDeployment(ctx context.Context, c client.Client, md *clusterv1.MachineDeployment, modify func(*clusterv1.MachineDeployment)) error {
-	mdObjectKey := util.ObjectKey(md)
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
-		// Note: We intentionally don't re-use the passed in MachineDeployment md here as that would
-		// overwrite any local changes we might have previously made to the MachineDeployment with the version
-		// we get here from the apiserver.
-		md := &clusterv1.MachineDeployment{}
-		if err := c.Get(ctx, mdObjectKey, md); err != nil {
-			return err
-		}
-		patchHelper, err := patch.NewHelper(md, c)
-		if err != nil {
-			return err
-		}
-		modify(md)
-		return patchHelper.Patch(ctx, md)
-	})
-}
diff --git a/internal/controllers/topology/cluster/scope/state.go b/internal/controllers/topology/cluster/scope/state.go
index 23d6239cef5e..00ebc04bbbb5 100644
--- a/internal/controllers/topology/cluster/scope/state.go
+++ b/internal/controllers/topology/cluster/scope/state.go
@@ -18,16 +18,14 @@ package scope
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/pkg/errors"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
+	"sigs.k8s.io/cluster-api/internal/topology/check"
 )
 
 // ClusterState holds all the objects representing the state of a managed Cluster topology.
@@ -68,7 +66,7 @@ type MachineDeploymentsStateMap map[string]*MachineDeploymentState
 
 // Upgrading returns the list of the machine deployments
 // that are upgrading.
-func (mds MachineDeploymentsStateMap) Upgrading(ctx context.Context, c client.Client) ([]string, error) {
+func (mds MachineDeploymentsStateMap) Upgrading(ctx context.Context, c client.Reader) ([]string, error) {
 	names := []string{}
 	for _, md := range mds {
 		upgrading, err := md.IsUpgrading(ctx, c)
@@ -101,32 +99,8 @@ type MachineDeploymentState struct {
 // IsUpgrading determines if the MachineDeployment is upgrading.
 // A machine deployment is considered upgrading if at least one of the Machines of this
 // MachineDeployment has a different version.
-func (md *MachineDeploymentState) IsUpgrading(ctx context.Context, c client.Client) (bool, error) {
-	// If the MachineDeployment has no version there is no definitive way to check if it is upgrading. Therefore, return false.
-	// Note: This case should not happen.
-	if md.Object.Spec.Template.Spec.Version == nil {
-		return false, nil
-	}
-	selectorMap, err := metav1.LabelSelectorAsMap(&md.Object.Spec.Selector)
-	if err != nil {
-		return false, errors.Wrapf(err, "failed to check if MachineDeployment %s is upgrading: failed to convert label selector to map", md.Object.Name)
-	}
-	machines := &clusterv1.MachineList{}
-	if err := c.List(ctx, machines, client.InNamespace(md.Object.Namespace), client.MatchingLabels(selectorMap)); err != nil {
-		return false, errors.Wrapf(err, "failed to check if MachineDeployment %s is upgrading: failed to list Machines", md.Object.Name)
-	}
-	mdVersion := *md.Object.Spec.Template.Spec.Version
-	// Check if the versions of the all the Machines match the MachineDeployment version.
-	for i := range machines.Items {
-		machine := machines.Items[i]
-		if machine.Spec.Version == nil {
-			return false, fmt.Errorf("failed to check if MachineDeployment %s is upgrading: Machine %s has no version", md.Object.Name, machine.Name)
-		}
-		if *machine.Spec.Version != mdVersion {
-			return true, nil
-		}
-	}
-	return false, nil
+func (md *MachineDeploymentState) IsUpgrading(ctx context.Context, c client.Reader) (bool, error) {
+	return check.IsMachineDeploymentUpgrading(ctx, c, md.Object)
 }
 
 // MachinePoolsStateMap holds a collection of MachinePool states.
@@ -134,7 +108,7 @@ type MachinePoolsStateMap map[string]*MachinePoolState
 
 // Upgrading returns the list of the machine pools
 // that are upgrading.
-func (mps MachinePoolsStateMap) Upgrading(ctx context.Context, c client.Client) ([]string, error) {
+func (mps MachinePoolsStateMap) Upgrading(ctx context.Context, c client.Reader) ([]string, error) {
 	names := []string{}
 	for _, mp := range mps {
 		upgrading, err := mp.IsUpgrading(ctx, c)
@@ -163,22 +137,6 @@ type MachinePoolState struct {
 // IsUpgrading determines if the MachinePool is upgrading.
 // A machine pool is considered upgrading if at least one of the Machines of this
 // MachinePool has a different version.
-func (mp *MachinePoolState) IsUpgrading(ctx context.Context, c client.Client) (bool, error) {
-	// If the MachinePool has no version there is no definitive way to check if it is upgrading. Therefore, return false.
-	// Note: This case should not happen.
-	if mp.Object.Spec.Template.Spec.Version == nil {
-		return false, nil
-	}
-	mpVersion := *mp.Object.Spec.Template.Spec.Version
-	// Check if the kubelet versions of the MachinePool noderefs match the MachinePool version.
-	for _, nodeRef := range mp.Object.Status.NodeRefs {
-		node := &corev1.Node{}
-		if err := c.Get(ctx, client.ObjectKey{Name: nodeRef.Name}, node); err != nil {
-			return false, fmt.Errorf("failed to check if MachinePool %s is upgrading: failed to get Node %s", mp.Object.Name, nodeRef.Name)
-		}
-		if mpVersion != node.Status.NodeInfo.KubeletVersion {
-			return true, nil
-		}
-	}
-	return false, nil
+func (mp *MachinePoolState) IsUpgrading(ctx context.Context, c client.Reader) (bool, error) {
+	return check.IsMachinePoolUpgrading(ctx, c, mp.Object)
 }
diff --git a/internal/controllers/topology/cluster/scope/state_test.go b/internal/controllers/topology/cluster/scope/state_test.go
index b7cdbfb0f9cd..870dd5e5fc4a 100644
--- a/internal/controllers/topology/cluster/scope/state_test.go
+++ b/internal/controllers/topology/cluster/scope/state_test.go
@@ -29,92 +29,6 @@ import (
 	"sigs.k8s.io/cluster-api/internal/test/builder"
 )
 
-func TestIsUpgrading(t *testing.T) {
-	g := NewWithT(t)
-	scheme := runtime.NewScheme()
-	g.Expect(clusterv1.AddToScheme(scheme)).To(Succeed())
-
-	tests := []struct {
-		name     string
-		md       *clusterv1.MachineDeployment
-		machines []*clusterv1.Machine
-		want     bool
-		wantErr  bool
-	}{
-		{
-			name: "should return false if all the machines of MachineDeployment have the same version as the MachineDeployment",
-			md: builder.MachineDeployment("ns", "md1").
-				WithClusterName("cluster1").
-				WithVersion("v1.2.3").
-				Build(),
-			machines: []*clusterv1.Machine{
-				builder.Machine("ns", "machine1").
-					WithClusterName("cluster1").
-					WithVersion("v1.2.3").
-					Build(),
-				builder.Machine("ns", "machine2").
-					WithClusterName("cluster1").
-					WithVersion("v1.2.3").
-					Build(),
-			},
-			want:    false,
-			wantErr: false,
-		},
-		{
-			name: "should return true if at least one of the machines of MachineDeployment has a different version",
-			md: builder.MachineDeployment("ns", "md1").
-				WithClusterName("cluster1").
-				WithVersion("v1.2.3").
-				Build(),
-			machines: []*clusterv1.Machine{
-				builder.Machine("ns", "machine1").
-					WithClusterName("cluster1").
-					WithVersion("v1.2.3").
-					Build(),
-				builder.Machine("ns", "machine2").
-					WithClusterName("cluster1").
-					WithVersion("v1.2.2").
-					Build(),
-			},
-			want:    true,
-			wantErr: false,
-		},
-		{
-			name: "should return false if the MachineDeployment has no machines (creation phase)",
-			md: builder.MachineDeployment("ns", "md1").
-				WithClusterName("cluster1").
-				WithVersion("v1.2.3").
-				Build(),
-			machines: []*clusterv1.Machine{},
-			want:     false,
-			wantErr:  false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			g := NewWithT(t)
-			ctx := context.Background()
-			objs := []client.Object{}
-			objs = append(objs, tt.md)
-			for _, m := range tt.machines {
-				objs = append(objs, m)
-			}
-			fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(objs...).Build()
-			mdState := &MachineDeploymentState{
-				Object: tt.md,
-			}
-			got, err := mdState.IsUpgrading(ctx, fakeClient)
-			if tt.wantErr {
-				g.Expect(err).To(HaveOccurred())
-			} else {
-				g.Expect(err).ToNot(HaveOccurred())
-				g.Expect(got).To(Equal(tt.want))
-			}
-		})
-	}
-}
-
 func TestUpgrading(t *testing.T) {
 	g := NewWithT(t)
 	scheme := runtime.NewScheme()
diff --git a/internal/topology/check/upgrade.go b/internal/topology/check/upgrade.go
new file mode 100644
index 000000000000..affb359cbf11
--- /dev/null
+++ b/internal/topology/check/upgrade.go
@@ -0,0 +1,84 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package check
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
+)
+
+// IsMachineDeploymentUpgrading determines if the MachineDeployment is upgrading.
+// A machine deployment is considered upgrading if at least one of the Machines of this
+// MachineDeployment has a different version.
+func IsMachineDeploymentUpgrading(ctx context.Context, c client.Reader, md *clusterv1.MachineDeployment) (bool, error) {
+	// If the MachineDeployment has no version there is no definitive way to check if it is upgrading. Therefore, return false.
+	// Note: This case should not happen.
+	if md.Spec.Template.Spec.Version == nil {
+		return false, nil
+	}
+	selectorMap, err := metav1.LabelSelectorAsMap(&md.Spec.Selector)
+	if err != nil {
+		return false, errors.Wrapf(err, "failed to check if MachineDeployment %s is upgrading: failed to convert label selector to map", md.Name)
+	}
+	machines := &clusterv1.MachineList{}
+	if err := c.List(ctx, machines, client.InNamespace(md.Namespace), client.MatchingLabels(selectorMap)); err != nil {
+		return false, errors.Wrapf(err, "failed to check if MachineDeployment %s is upgrading: failed to list Machines", md.Name)
+	}
+	mdVersion := *md.Spec.Template.Spec.Version
+	// Check if the versions of the all the Machines match the MachineDeployment version.
+	for i := range machines.Items {
+		machine := machines.Items[i]
+		if machine.Spec.Version == nil {
+			return false, fmt.Errorf("failed to check if MachineDeployment %s is upgrading: Machine %s has no version", md.Name, machine.Name)
+		}
+		if *machine.Spec.Version != mdVersion {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// IsMachinePoolUpgrading determines if the MachinePool is upgrading.
+// A machine pool is considered upgrading if at least one of the Machines of this
+// MachinePool has a different version.
+func IsMachinePoolUpgrading(ctx context.Context, c client.Reader, mp *expv1.MachinePool) (bool, error) {
+	// If the MachinePool has no version there is no definitive way to check if it is upgrading. Therefore, return false.
+	// Note: This case should not happen.
+	if mp.Spec.Template.Spec.Version == nil {
+		return false, nil
+	}
+	mpVersion := *mp.Spec.Template.Spec.Version
+	// Check if the kubelet versions of the MachinePool noderefs match the MachinePool version.
+	for _, nodeRef := range mp.Status.NodeRefs {
+		node := &corev1.Node{}
+		if err := c.Get(ctx, client.ObjectKey{Name: nodeRef.Name}, node); err != nil {
+			return false, fmt.Errorf("failed to check if MachinePool %s is upgrading: failed to get Node %s", mp.Name, nodeRef.Name)
+		}
+		if mpVersion != node.Status.NodeInfo.KubeletVersion {
+			return true, nil
+		}
+	}
+	return false, nil
+}
diff --git a/internal/topology/check/upgrade_test.go b/internal/topology/check/upgrade_test.go
new file mode 100644
index 000000000000..601343ef9c07
--- /dev/null
+++ b/internal/topology/check/upgrade_test.go
@@ -0,0 +1,222 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package check
+
+import (
+	"context"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
+	"sigs.k8s.io/cluster-api/internal/test/builder"
+)
+
+func TestIsMachineDeploymentUpgrading(t *testing.T) {
+	g := NewWithT(t)
+	scheme := runtime.NewScheme()
+	g.Expect(clusterv1.AddToScheme(scheme)).To(Succeed())
+
+	tests := []struct {
+		name     string
+		md       *clusterv1.MachineDeployment
+		machines []*clusterv1.Machine
+		want     bool
+		wantErr  bool
+	}{
+		{
+			name: "should return false if all the machines of MachineDeployment have the same version as the MachineDeployment",
+			md: builder.MachineDeployment("ns", "md1").
+				WithClusterName("cluster1").
+				WithVersion("v1.2.3").
+				Build(),
+			machines: []*clusterv1.Machine{
+				builder.Machine("ns", "machine1").
+					WithClusterName("cluster1").
+					WithVersion("v1.2.3").
+					Build(),
+				builder.Machine("ns", "machine2").
+					WithClusterName("cluster1").
+					WithVersion("v1.2.3").
+					Build(),
+			},
+			want:    false,
+			wantErr: false,
+		},
+		{
+			name: "should return true if at least one of the machines of MachineDeployment has a different version",
+			md: builder.MachineDeployment("ns", "md1").
+				WithClusterName("cluster1").
+				WithVersion("v1.2.3").
+				Build(),
+			machines: []*clusterv1.Machine{
+				builder.Machine("ns", "machine1").
+					WithClusterName("cluster1").
+					WithVersion("v1.2.3").
+					Build(),
+				builder.Machine("ns", "machine2").
+					WithClusterName("cluster1").
+					WithVersion("v1.2.2").
+					Build(),
+			},
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name: "should return false if the MachineDeployment has no machines (creation phase)",
+			md: builder.MachineDeployment("ns", "md1").
+				WithClusterName("cluster1").
+				WithVersion("v1.2.3").
+				Build(),
+			machines: []*clusterv1.Machine{},
+			want:     false,
+			wantErr:  false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			ctx := context.Background()
+
+			objs := []client.Object{}
+			objs = append(objs, tt.md)
+			for _, m := range tt.machines {
+				objs = append(objs, m)
+			}
+			fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(objs...).Build()
+
+			got, err := IsMachineDeploymentUpgrading(ctx, fakeClient, tt.md)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(got).To(Equal(tt.want))
+			}
+		})
+	}
+}
+
+func TestIsMachinePoolUpgrading(t *testing.T) {
+	g := NewWithT(t)
+	scheme := runtime.NewScheme()
+	g.Expect(corev1.AddToScheme(scheme)).To(Succeed())
+
+	tests := []struct {
+		name    string
+		mp      *expv1.MachinePool
+		nodes   []*corev1.Node
+		want    bool
+		wantErr bool
+	}{
+		{
+			name: "should return false if all the nodes of MachinePool have the same version as the MachinePool",
+			mp: builder.MachinePool("ns", "mp1").
+				WithClusterName("cluster1").
+				WithVersion("v1.2.3").
+				WithStatus(expv1.MachinePoolStatus{
+					NodeRefs: []corev1.ObjectReference{
+						{Name: "node1"},
+						{Name: "node2"},
+					}}).
+				Build(),
+			nodes: []*corev1.Node{
+				{
+					ObjectMeta: metav1.ObjectMeta{Name: "node1"},
+					Status: corev1.NodeStatus{
+						NodeInfo: corev1.NodeSystemInfo{KubeletVersion: "v1.2.3"},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{Name: "node2"},
+					Status: corev1.NodeStatus{
+						NodeInfo: corev1.NodeSystemInfo{KubeletVersion: "v1.2.3"},
+					},
+				},
+			},
+			want:    false,
+			wantErr: false,
+		},
+		{
+			name: "should return true if at least one of the nodes of MachinePool has a different version",
+			mp: builder.MachinePool("ns", "mp1").
+				WithClusterName("cluster1").
+				WithVersion("v1.2.3").
+				WithStatus(expv1.MachinePoolStatus{
+					NodeRefs: []corev1.ObjectReference{
+						{Name: "node1"},
+						{Name: "node2"},
+					}}).
+				Build(),
+			nodes: []*corev1.Node{
+				{
+					ObjectMeta: metav1.ObjectMeta{Name: "node1"},
+					Status: corev1.NodeStatus{
+						NodeInfo: corev1.NodeSystemInfo{KubeletVersion: "v1.2.3"},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{Name: "node2"},
+					Status: corev1.NodeStatus{
+						NodeInfo: corev1.NodeSystemInfo{KubeletVersion: "v1.2.2"},
+					},
+				},
+			},
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name: "should return false if the MachinePool has no nodes (creation phase)",
+			mp: builder.MachinePool("ns", "mp1").
+				WithClusterName("cluster1").
+				WithVersion("v1.2.3").
+				WithStatus(expv1.MachinePoolStatus{
+					NodeRefs: []corev1.ObjectReference{}}).
+				Build(),
+			nodes:   []*corev1.Node{},
+			want:    false,
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			ctx := context.Background()
+
+			objs := []client.Object{}
+			for _, m := range tt.nodes {
+				objs = append(objs, m)
+			}
+			fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(objs...).Build()
+
+			got, err := IsMachinePoolUpgrading(ctx, fakeClient, tt.mp)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(got).To(Equal(tt.want))
+			}
+		})
+	}
+}
diff --git a/internal/webhooks/cluster.go b/internal/webhooks/cluster.go
index cfaa6bd7223f..b3d4ceb387e0 100644
--- a/internal/webhooks/cluster.go
+++ b/internal/webhooks/cluster.go
@@ -28,16 +28,21 @@ import (
 	"github.com/pkg/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	"sigs.k8s.io/cluster-api/controllers/external"
+	expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
 	"sigs.k8s.io/cluster-api/feature"
+	"sigs.k8s.io/cluster-api/internal/contract"
 	"sigs.k8s.io/cluster-api/internal/topology/check"
 	"sigs.k8s.io/cluster-api/internal/topology/variables"
 	"sigs.k8s.io/cluster-api/util/conditions"
@@ -56,9 +61,15 @@ func (webhook *Cluster) SetupWebhookWithManager(mgr ctrl.Manager) error {
 // +kubebuilder:webhook:verbs=create;update;delete,path=/validate-cluster-x-k8s-io-v1beta1-cluster,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=cluster.x-k8s.io,resources=clusters,versions=v1beta1,name=validation.cluster.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 // +kubebuilder:webhook:verbs=create;update,path=/mutate-cluster-x-k8s-io-v1beta1-cluster,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=cluster.x-k8s.io,resources=clusters,versions=v1beta1,name=default.cluster.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
+// ClusterCacheTrackerReader is a scoped-down interface from ClusterCacheTracker that only allows to get a reader client.
+type ClusterCacheTrackerReader interface {
+	GetReader(ctx context.Context, cluster client.ObjectKey) (client.Reader, error)
+}
+
 // Cluster implements a validating and defaulting webhook for Cluster.
 type Cluster struct {
-	Client client.Reader
+	Client  client.Reader
+	Tracker ClusterCacheTrackerReader
 }
 
 var _ webhook.CustomDefaulter = &Cluster{}
@@ -323,7 +334,6 @@ func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newClu
 			return allWarnings, allErrs
 		}
 
-		// Version could only be increased.
 		inVersion, err := semver.ParseTolerant(newCluster.Spec.Topology.Version)
 		if err != nil {
 			allErrs = append(
@@ -343,34 +353,20 @@ func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newClu
 				field.Invalid(
 					fldPath.Child("version"),
 					oldCluster.Spec.Topology.Version,
-					fmt.Sprintf("old version %q cannot be compared with %q", oldVersion, inVersion),
-				),
-			)
-		}
-		if inVersion.NE(semver.Version{}) && oldVersion.NE(semver.Version{}) && version.Compare(inVersion, oldVersion, version.WithBuildTags()) == -1 {
-			allErrs = append(
-				allErrs,
-				field.Invalid(
-					fldPath.Child("version"),
-					newCluster.Spec.Topology.Version,
-					fmt.Sprintf("version cannot be decreased from %q to %q", oldVersion, inVersion),
+					"old version must be a valid semantic version",
 				),
 			)
 		}
-		// A +2 minor version upgrade is not allowed.
-		ceilVersion := semver.Version{
-			Major: oldVersion.Major,
-			Minor: oldVersion.Minor + 2,
-			Patch: 0,
-		}
-		if inVersion.GTE(ceilVersion) {
-			allErrs = append(
-				allErrs,
-				field.Forbidden(
-					fldPath.Child("version"),
-					fmt.Sprintf("version cannot be increased from %q to %q", oldVersion, inVersion),
-				),
-			)
+
+		if _, ok := newCluster.GetAnnotations()[clusterv1.ClusterTopologyUnsafeUpdateVersionAnnotation]; ok {
+			log := ctrl.LoggerFrom(ctx)
+			warningMsg := fmt.Sprintf("Skipping version validation for Cluster because annotation %q is set.", clusterv1.ClusterTopologyUnsafeUpdateVersionAnnotation)
+			log.Info(warningMsg)
+			allWarnings = append(allWarnings, warningMsg)
+		} else {
+			if err := webhook.validateTopologyVersion(ctx, fldPath.Child("version"), newCluster.Spec.Topology.Version, inVersion, oldVersion, oldCluster); err != nil {
+				allErrs = append(allErrs, err)
+			}
 		}
 
 		// If the ClusterClass referenced in the Topology has changed compatibility checks are needed.
@@ -395,6 +391,218 @@ func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newClu
 	return allWarnings, allErrs
 }
 
+func (webhook *Cluster) validateTopologyVersion(ctx context.Context, fldPath *field.Path, fldValue string, inVersion, oldVersion semver.Version, oldCluster *clusterv1.Cluster) *field.Error {
+	// Version could only be increased.
+	if inVersion.NE(semver.Version{}) && oldVersion.NE(semver.Version{}) && version.Compare(inVersion, oldVersion, version.WithBuildTags()) == -1 {
+		return field.Invalid(
+			fldPath,
+			fldValue,
+			fmt.Sprintf("version cannot be decreased from %q to %q", oldVersion, inVersion),
+		)
+	}
+
+	// A +2 minor version upgrade is not allowed.
+	ceilVersion := semver.Version{
+		Major: oldVersion.Major,
+		Minor: oldVersion.Minor + 2,
+		Patch: 0,
+	}
+	if inVersion.GTE(ceilVersion) {
+		return field.Invalid(
+			fldPath,
+			fldValue,
+			fmt.Sprintf("version cannot be increased from %q to %q", oldVersion, inVersion),
+		)
+	}
+
+	// Only check the following cases if the minor version increases by 1 (we already return above for >= 2).
+	ceilVersion = semver.Version{
+		Major: oldVersion.Major,
+		Minor: oldVersion.Minor + 1,
+		Patch: 0,
+	}
+
+	// Return early if its not a minor version upgrade.
+	if !inVersion.GTE(ceilVersion) {
+		return nil
+	}
+
+	allErrs := []error{}
+	// minor version cannot be increased if control plane is upgrading or not yet on the current version
+	if err := validateTopologyControlPlaneVersion(ctx, webhook.Client, oldCluster, oldVersion); err != nil {
+		allErrs = append(allErrs, fmt.Errorf("blocking version update due to ControlPlane version check: %v", err))
+	}
+
+	// minor version cannot be increased if MachineDeployments are upgrading or not yet on the current version
+	if err := validateTopologyMachineDeploymentVersions(ctx, webhook.Client, oldCluster, oldVersion); err != nil {
+		allErrs = append(allErrs, fmt.Errorf("blocking version update due to MachineDeployment version check: %v", err))
+	}
+
+	// minor version cannot be increased if MachinePools are upgrading or not yet on the current version
+	if err := validateTopologyMachinePoolVersions(ctx, webhook.Client, webhook.Tracker, oldCluster, oldVersion); err != nil {
+		allErrs = append(allErrs, fmt.Errorf("blocking version update due to MachinePool version check: %v", err))
+	}
+
+	if len(allErrs) > 0 {
+		return field.Invalid(
+			fldPath,
+			fldValue,
+			fmt.Sprintf("minor version update cannot happen at this time: %v", kerrors.NewAggregate(allErrs)),
+		)
+	}
+
+	return nil
+}
+
+func validateTopologyControlPlaneVersion(ctx context.Context, ctrlClient client.Reader, oldCluster *clusterv1.Cluster, oldVersion semver.Version) error {
+	cp, err := external.Get(ctx, ctrlClient, oldCluster.Spec.ControlPlaneRef, oldCluster.Namespace)
+	if err != nil {
+		return errors.Wrap(err, "failed to get ControlPlane object")
+	}
+
+	cpVersionString, err := contract.ControlPlane().Version().Get(cp)
+	if err != nil {
+		return errors.Wrap(err, "failed to get ControlPlane version")
+	}
+
+	cpVersion, err := semver.ParseTolerant(*cpVersionString)
+	if err != nil {
+		// NOTE: this should never happen. Nevertheless, handling this for extra caution.
+		return errors.New("failed to parse version of ControlPlane")
+	}
+	if cpVersion.NE(oldVersion) {
+		return fmt.Errorf("ControlPlane version %q does not match the current version %q", cpVersion, oldVersion)
+	}
+
+	provisioning, err := contract.ControlPlane().IsProvisioning(cp)
+	if err != nil {
+		return errors.Wrap(err, "failed to check if ControlPlane is provisioning")
+	}
+
+	if provisioning {
+		return errors.New("ControlPlane is currently provisioning")
+	}
+
+	upgrading, err := contract.ControlPlane().IsUpgrading(cp)
+	if err != nil {
+		return errors.Wrap(err, "failed to check if ControlPlane is upgrading")
+	}
+
+	if upgrading {
+		return errors.New("ControlPlane is still completing a previous upgrade")
+	}
+
+	return nil
+}
+
+func validateTopologyMachineDeploymentVersions(ctx context.Context, ctrlClient client.Reader, oldCluster *clusterv1.Cluster, oldVersion semver.Version) error {
+	// List all the machine deployments in the current cluster and in a managed topology.
+	// FROM: current_state.go getCurrentMachineDeploymentState
+	mds := &clusterv1.MachineDeploymentList{}
+	err := ctrlClient.List(ctx, mds,
+		client.MatchingLabels{
+			clusterv1.ClusterNameLabel:          oldCluster.Name,
+			clusterv1.ClusterTopologyOwnedLabel: "",
+		},
+		client.InNamespace(oldCluster.Namespace),
+	)
+	if err != nil {
+		return errors.Wrap(err, "failed to read MachineDeployments for managed topology")
+	}
+
+	if len(mds.Items) == 0 {
+		return nil
+	}
+
+	mdUpgradingNames := []string{}
+
+	for i := range mds.Items {
+		md := &mds.Items[i]
+
+		mdVersion, err := semver.ParseTolerant(*md.Spec.Template.Spec.Version)
+		if err != nil {
+			// NOTE: this should never happen. Nevertheless, handling this for extra caution.
+			return errors.Wrapf(err, "failed to parse MachineDeployment's %q version %q", klog.KObj(md), *md.Spec.Template.Spec.Version)
+		}
+
+		if mdVersion.NE(oldVersion) {
+			mdUpgradingNames = append(mdUpgradingNames, md.Name)
+			continue
+		}
+
+		upgrading, err := check.IsMachineDeploymentUpgrading(ctx, ctrlClient, md)
+		if err != nil {
+			return errors.Wrap(err, "failed to check if MachineDeployment is upgrading")
+		}
+		if upgrading {
+			mdUpgradingNames = append(mdUpgradingNames, md.Name)
+		}
+	}
+
+	if len(mdUpgradingNames) > 0 {
+		return fmt.Errorf("there are MachineDeployments still completing a previous upgrade: [%s]", strings.Join(mdUpgradingNames, ", "))
+	}
+
+	return nil
+}
+
+func validateTopologyMachinePoolVersions(ctx context.Context, ctrlClient client.Reader, tracker ClusterCacheTrackerReader, oldCluster *clusterv1.Cluster, oldVersion semver.Version) error {
+	// List all the machine pools in the current cluster and in a managed topology.
+	// FROM: current_state.go getCurrentMachinePoolState
+	mps := &expv1.MachinePoolList{}
+	err := ctrlClient.List(ctx, mps,
+		client.MatchingLabels{
+			clusterv1.ClusterNameLabel:          oldCluster.Name,
+			clusterv1.ClusterTopologyOwnedLabel: "",
+		},
+		client.InNamespace(oldCluster.Namespace),
+	)
+	if err != nil {
+		return errors.Wrap(err, "failed to read MachinePools for managed topology")
+	}
+
+	// Return early
+	if len(mps.Items) == 0 {
+		return nil
+	}
+
+	wlClient, err := tracker.GetReader(ctx, client.ObjectKeyFromObject(oldCluster))
+	if err != nil {
+		return errors.Wrap(err, "unable to get client for workload cluster")
+	}
+
+	mpUpgradingNames := []string{}
+
+	for i := range mps.Items {
+		mp := &mps.Items[i]
+
+		mpVersion, err := semver.ParseTolerant(*mp.Spec.Template.Spec.Version)
+		if err != nil {
+			// NOTE: this should never happen. Nevertheless, handling this for extra caution.
+			return errors.Wrapf(err, "failed to parse MachinePool's %q version %q", klog.KObj(mp), *mp.Spec.Template.Spec.Version)
+		}
+
+		if mpVersion.NE(oldVersion) {
+			mpUpgradingNames = append(mpUpgradingNames, mp.Name)
+			continue
+		}
+
+		upgrading, err := check.IsMachinePoolUpgrading(ctx, wlClient, mp)
+		if err != nil {
+			return errors.Wrap(err, "failed to check if MachinePool is upgrading")
+		}
+		if upgrading {
+			mpUpgradingNames = append(mpUpgradingNames, mp.Name)
+		}
+	}
+
+	if len(mpUpgradingNames) > 0 {
+		return fmt.Errorf("there are MachinePools still completing a previous upgrade: [%s]", strings.Join(mpUpgradingNames, ", "))
+	}
+
+	return nil
+}
+
 func validateMachineHealthChecks(cluster *clusterv1.Cluster, clusterClass *clusterv1.ClusterClass) field.ErrorList {
 	var allErrs field.ErrorList
 
diff --git a/internal/webhooks/cluster_test.go b/internal/webhooks/cluster_test.go
index 88daa050783f..eefdb817a6d4 100644
--- a/internal/webhooks/cluster_test.go
+++ b/internal/webhooks/cluster_test.go
@@ -20,12 +20,15 @@ import (
 	"context"
 	"testing"
 
+	"github.com/blang/semver/v4"
 	. "github.com/onsi/gomega"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/types"
 	utilfeature "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -33,6 +36,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
 	"sigs.k8s.io/cluster-api/feature"
 	"sigs.k8s.io/cluster-api/internal/test/builder"
 	"sigs.k8s.io/cluster-api/internal/webhooks/util"
@@ -1113,7 +1117,9 @@ func TestClusterTopologyValidation(t *testing.T) {
 		clusterClassStatusVariables []clusterv1.ClusterClassStatusVariable
 		in                          *clusterv1.Cluster
 		old                         *clusterv1.Cluster
+		additionalObjects           []client.Object
 		expectErr                   bool
+		expectWarning               bool
 	}{
 		{
 			name:      "should return error when topology does not have class",
@@ -1386,6 +1392,155 @@ func TestClusterTopologyValidation(t *testing.T) {
 					Build()).
 				Build(),
 		},
+		{
+			name:      "should update if cluster is fully upgraded and up to date",
+			expectErr: false,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachineDeployment(
+						builder.MachineDeploymentTopology("workers1").
+							WithClass("aa").
+							Build()).
+					WithMachinePool(
+						builder.MachinePoolTopology("pool1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			in: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.20.2").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.19.1").
+					WithStatusFields(map[string]interface{}{"status.version": "v1.19.1"}).
+					Build(),
+				builder.MachineDeployment("fooboo", "cluster1-workers1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                          "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:                 "",
+					clusterv1.ClusterTopologyMachineDeploymentNameLabel: "workers1",
+				}).WithVersion("v1.19.1").Build(),
+				builder.MachinePool("fooboo", "cluster1-pool1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                    "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:           "",
+					clusterv1.ClusterTopologyMachinePoolNameLabel: "pool1",
+				}).WithVersion("v1.19.1").Build(),
+			},
+		},
+		{
+			name:          "should skip validation if cluster kcp is not yet provisioned but annotation is set",
+			expectErr:     false,
+			expectWarning: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					Build()).
+				Build(),
+			in: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithAnnotations(map[string]string{clusterv1.ClusterTopologyUnsafeUpdateVersionAnnotation: "true"}).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.20.2").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.18.1").Build(),
+			},
+		},
+		{
+			name:      "should block update if cluster kcp is not yet provisioned",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					Build()).
+				Build(),
+			in: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.20.2").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.18.1").Build(),
+			},
+		},
+		{
+			name:      "should block update if md is not yet upgraded",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachineDeployment(
+						builder.MachineDeploymentTopology("workers1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			in: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.20.2").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.19.1").
+					WithStatusFields(map[string]interface{}{"status.version": "v1.19.1"}).
+					Build(),
+				builder.MachineDeployment("fooboo", "cluster1-workers1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                          "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:                 "",
+					clusterv1.ClusterTopologyMachineDeploymentNameLabel: "workers1",
+				}).WithVersion("v1.18.1").Build(),
+			},
+		},
+		{
+			name:      "should block update if mp is not yet upgraded",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachinePool(
+						builder.MachinePoolTopology("pool1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			in: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.20.2").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.19.1").
+					WithStatusFields(map[string]interface{}{"status.version": "v1.19.1"}).
+					Build(),
+				builder.MachinePool("fooboo", "cluster1-pool1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                    "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:           "",
+					clusterv1.ClusterTopologyMachinePoolNameLabel: "pool1",
+				}).WithVersion("v1.18.1").Build(),
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1407,20 +1562,27 @@ func TestClusterTopologyValidation(t *testing.T) {
 			// Sets up the fakeClient for the test case.
 			fakeClient := fake.NewClientBuilder().
 				WithObjects(class).
+				WithObjects(tt.additionalObjects...).
 				WithScheme(fakeScheme).
 				Build()
 
+			// Use an empty fakeClusterCacheTracker here because the real cases are tested in Test_validateTopologyMachinePoolVersions.
+			fakeClusterCacheTrackerReader := &fakeClusterCacheTracker{client: fake.NewFakeClient()}
+
 			// Create the webhook and add the fakeClient as its client. This is required because the test uses a Managed Topology.
-			webhook := &Cluster{Client: fakeClient}
+			webhook := &Cluster{Client: fakeClient, Tracker: fakeClusterCacheTrackerReader}
 
 			warnings, err := webhook.validate(ctx, tt.old, tt.in)
 			if tt.expectErr {
 				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+			if tt.expectWarning {
+				g.Expect(warnings).ToNot(BeEmpty())
+			} else {
 				g.Expect(warnings).To(BeEmpty())
-				return
 			}
-			g.Expect(err).ToNot(HaveOccurred())
-			g.Expect(warnings).To(BeEmpty())
 		})
 	}
 }
@@ -2564,14 +2726,358 @@ func TestClusterClassPollingErrors(t *testing.T) {
 				g.Expect(err).ToNot(HaveOccurred())
 			}
 			if tt.wantWarnings {
-				g.Expect(warnings).NotTo(BeNil())
+				g.Expect(warnings).NotTo(BeEmpty())
 			} else {
-				g.Expect(warnings).To(BeNil())
+				g.Expect(warnings).To(BeEmpty())
 			}
 		})
 	}
 }
 
+func Test_validateTopologyControlPlaneVersion(t *testing.T) {
+	tests := []struct {
+		name              string
+		expectErr         bool
+		old               *clusterv1.Cluster
+		additionalObjects []client.Object
+	}{
+		{
+			name:      "should update if kcp is fully upgraded and up to date",
+			expectErr: false,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.19.1").
+					WithStatusFields(map[string]interface{}{"status.version": "v1.19.1"}).
+					Build(),
+			},
+		},
+		{
+			name:      "should block update if kcp is provisioning",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.19.1").
+					Build(),
+			},
+		},
+		{
+			name:      "should block update if kcp is upgrading",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.18.1").
+					WithStatusFields(map[string]interface{}{"status.version": "v1.17.1"}).
+					Build(),
+			},
+		},
+		{
+			name:      "should block update if kcp is not yet upgraded",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithControlPlane(builder.ControlPlane("fooboo", "cluster1-cp").Build()).
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.ControlPlane("fooboo", "cluster1-cp").WithVersion("v1.18.1").
+					WithStatusFields(map[string]interface{}{"status.version": "v1.18.1"}).
+					Build(),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			fakeClient := fake.NewClientBuilder().
+				WithObjects(tt.additionalObjects...).
+				WithScheme(fakeScheme).
+				Build()
+
+			oldVersion, err := semver.ParseTolerant(tt.old.Spec.Topology.Version)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			err = validateTopologyControlPlaneVersion(ctx, fakeClient, tt.old, oldVersion)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+			g.Expect(err).ToNot(HaveOccurred())
+		})
+	}
+}
+
+func Test_validateTopologyMachineDeploymentVersions(t *testing.T) {
+	tests := []struct {
+		name              string
+		expectErr         bool
+		old               *clusterv1.Cluster
+		additionalObjects []client.Object
+	}{
+		{
+			name:      "should update if no machine deployment is exists",
+			expectErr: false,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{},
+		},
+		{
+			name:      "should update if machine deployments are fully upgraded and up to date",
+			expectErr: false,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachineDeployment(
+						builder.MachineDeploymentTopology("workers1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.MachineDeployment("fooboo", "cluster1-workers1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                          "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:                 "",
+					clusterv1.ClusterTopologyMachineDeploymentNameLabel: "workers1",
+				}).WithVersion("v1.19.1").Build(),
+			},
+		},
+		{
+			name:      "should block update if machine deployment is not yet upgraded",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachineDeployment(
+						builder.MachineDeploymentTopology("workers1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.MachineDeployment("fooboo", "cluster1-workers1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                          "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:                 "",
+					clusterv1.ClusterTopologyMachineDeploymentNameLabel: "workers1",
+				}).WithVersion("v1.18.1").Build(),
+			},
+		},
+		{
+			name:      "should block update if machine deployment is upgrading",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachineDeployment(
+						builder.MachineDeploymentTopology("workers1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.MachineDeployment("fooboo", "cluster1-workers1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                          "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:                 "",
+					clusterv1.ClusterTopologyMachineDeploymentNameLabel: "workers1",
+				}).WithVersion("v1.19.1").WithSelector(*metav1.SetAsLabelSelector(labels.Set{clusterv1.ClusterTopologyMachineDeploymentNameLabel: "workers1"})).Build(),
+				builder.Machine("fooboo", "cluster1-workers1-1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel: "cluster1",
+					// clusterv1.ClusterTopologyOwnedLabel:                 "",
+					clusterv1.ClusterTopologyMachineDeploymentNameLabel: "workers1",
+				}).WithVersion("v1.18.1").Build(),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			fakeClient := fake.NewClientBuilder().
+				WithObjects(tt.additionalObjects...).
+				WithScheme(fakeScheme).
+				Build()
+
+			oldVersion, err := semver.ParseTolerant(tt.old.Spec.Topology.Version)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			err = validateTopologyMachineDeploymentVersions(ctx, fakeClient, tt.old, oldVersion)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+			g.Expect(err).ToNot(HaveOccurred())
+		})
+	}
+}
+
+func Test_validateTopologyMachinePoolVersions(t *testing.T) {
+	tests := []struct {
+		name              string
+		expectErr         bool
+		old               *clusterv1.Cluster
+		additionalObjects []client.Object
+		workloadObjects   []client.Object
+	}{
+		{
+			name:      "should update if no machine pool is exists",
+			expectErr: false,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{},
+			workloadObjects:   []client.Object{},
+		},
+		{
+			name:      "should update if machine pools are fully upgraded and up to date",
+			expectErr: false,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachinePool(
+						builder.MachinePoolTopology("pool1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.MachinePool("fooboo", "cluster1-pool1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                    "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:           "",
+					clusterv1.ClusterTopologyMachinePoolNameLabel: "pool1",
+				}).WithVersion("v1.19.1").Build(),
+			},
+			workloadObjects: []client.Object{},
+		},
+		{
+			name:      "should block update if machine pool is not yet upgraded",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachinePool(
+						builder.MachinePoolTopology("pool1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.MachinePool("fooboo", "cluster1-pool1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                    "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:           "",
+					clusterv1.ClusterTopologyMachinePoolNameLabel: "pool1",
+				}).WithVersion("v1.18.1").Build(),
+			},
+			workloadObjects: []client.Object{},
+		},
+		{
+			name:      "should block update machine pool is upgrading",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachinePool(
+						builder.MachinePoolTopology("pool1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.MachinePool("fooboo", "cluster1-pool1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                    "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:           "",
+					clusterv1.ClusterTopologyMachinePoolNameLabel: "pool1",
+				}).WithVersion("v1.19.1").WithStatus(expv1.MachinePoolStatus{NodeRefs: []corev1.ObjectReference{{Name: "mp-node-1"}}}).Build(),
+			},
+			workloadObjects: []client.Object{
+				&corev1.Node{
+					ObjectMeta: metav1.ObjectMeta{Name: "mp-node-1"},
+					Status:     corev1.NodeStatus{NodeInfo: corev1.NodeSystemInfo{KubeletVersion: "v1.18.1"}},
+				},
+			},
+		},
+		{
+			name:      "should block update if it cannot get the node of a machine pool",
+			expectErr: true,
+			old: builder.Cluster("fooboo", "cluster1").
+				WithTopology(builder.ClusterTopology().
+					WithClass("foo").
+					WithVersion("v1.19.1").
+					WithMachinePool(
+						builder.MachinePoolTopology("pool1").
+							WithClass("aa").
+							Build()).
+					Build()).
+				Build(),
+			additionalObjects: []client.Object{
+				builder.MachinePool("fooboo", "cluster1-pool1").WithLabels(map[string]string{
+					clusterv1.ClusterNameLabel:                    "cluster1",
+					clusterv1.ClusterTopologyOwnedLabel:           "",
+					clusterv1.ClusterTopologyMachinePoolNameLabel: "pool1",
+				}).WithVersion("v1.19.1").WithStatus(expv1.MachinePoolStatus{NodeRefs: []corev1.ObjectReference{{Name: "mp-node-1"}}}).Build(),
+			},
+			workloadObjects: []client.Object{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			fakeClient := fake.NewClientBuilder().
+				WithObjects(tt.additionalObjects...).
+				WithScheme(fakeScheme).
+				Build()
+
+			oldVersion, err := semver.ParseTolerant(tt.old.Spec.Topology.Version)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			fakeClusterCacheTracker := &fakeClusterCacheTracker{
+				client: fake.NewClientBuilder().
+					WithObjects(tt.workloadObjects...).
+					Build(),
+			}
+
+			err = validateTopologyMachinePoolVersions(ctx, fakeClient, fakeClusterCacheTracker, tt.old, oldVersion)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+			g.Expect(err).ToNot(HaveOccurred())
+		})
+	}
+}
+
 func refToUnstructured(ref *corev1.ObjectReference) *unstructured.Unstructured {
 	gvk := ref.GetObjectKind().GroupVersionKind()
 	output := &unstructured.Unstructured{}
@@ -2581,3 +3087,11 @@ func refToUnstructured(ref *corev1.ObjectReference) *unstructured.Unstructured {
 	output.SetNamespace(ref.Namespace)
 	return output
 }
+
+type fakeClusterCacheTracker struct {
+	client client.Reader
+}
+
+func (f *fakeClusterCacheTracker) GetReader(_ context.Context, _ types.NamespacedName) (client.Reader, error) {
+	return f.client, nil
+}
diff --git a/internal/webhooks/clusterclass_test.go b/internal/webhooks/clusterclass_test.go
index 3e3088d3f62a..f7abf7a571b2 100644
--- a/internal/webhooks/clusterclass_test.go
+++ b/internal/webhooks/clusterclass_test.go
@@ -33,6 +33,7 @@ import (
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/api/v1beta1/index"
+	expv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
 	"sigs.k8s.io/cluster-api/feature"
 	"sigs.k8s.io/cluster-api/internal/test/builder"
 	"sigs.k8s.io/cluster-api/internal/webhooks/util"
@@ -45,6 +46,7 @@ var (
 
 func init() {
 	_ = clusterv1.AddToScheme(fakeScheme)
+	_ = expv1.AddToScheme(fakeScheme)
 }
 
 func TestClusterClassDefaultNamespaces(t *testing.T) {
diff --git a/main.go b/main.go
index 9fc78256205b..4156c082a94d 100644
--- a/main.go
+++ b/main.go
@@ -343,8 +343,8 @@ func main() {
 
 	setupChecks(mgr)
 	setupIndexes(ctx, mgr)
-	setupReconcilers(ctx, mgr)
-	setupWebhooks(mgr)
+	tracker := setupReconcilers(ctx, mgr)
+	setupWebhooks(mgr, tracker)
 
 	setupLog.Info("starting manager", "version", version.Get().String())
 	if err := mgr.Start(ctx); err != nil {
@@ -372,7 +372,7 @@ func setupIndexes(ctx context.Context, mgr ctrl.Manager) {
 	}
 }
 
-func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
+func setupReconcilers(ctx context.Context, mgr ctrl.Manager) webhooks.ClusterCacheTrackerReader {
 	secretCachingClient, err := client.New(mgr.GetConfig(), client.Options{
 		HTTPClient: mgr.GetHTTPClient(),
 		Cache: &client.CacheOptions{
@@ -564,9 +564,11 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 		setupLog.Error(err, "unable to create controller", "controller", "MachineHealthCheck")
 		os.Exit(1)
 	}
+
+	return tracker
 }
 
-func setupWebhooks(mgr ctrl.Manager) {
+func setupWebhooks(mgr ctrl.Manager, tracker webhooks.ClusterCacheTrackerReader) {
 	// NOTE: ClusterClass and managed topologies are behind ClusterTopology feature gate flag; the webhook
 	// is going to prevent creating or updating new objects in case the feature flag is disabled.
 	if err := (&webhooks.ClusterClass{Client: mgr.GetClient()}).SetupWebhookWithManager(mgr); err != nil {
@@ -576,7 +578,7 @@ func setupWebhooks(mgr ctrl.Manager) {
 
 	// NOTE: ClusterClass and managed topologies are behind ClusterTopology feature gate flag; the webhook
 	// is going to prevent usage of Cluster.Topology in case the feature flag is disabled.
-	if err := (&webhooks.Cluster{Client: mgr.GetClient()}).SetupWebhookWithManager(mgr); err != nil {
+	if err := (&webhooks.Cluster{Client: mgr.GetClient(), ClusterCacheTrackerReader: tracker}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create webhook", "webhook", "Cluster")
 		os.Exit(1)
 	}
diff --git a/test/e2e/clusterctl_upgrade_test.go b/test/e2e/clusterctl_upgrade_test.go
index aa35a563c65e..4a262bdfdf3d 100644
--- a/test/e2e/clusterctl_upgrade_test.go
+++ b/test/e2e/clusterctl_upgrade_test.go
@@ -283,8 +283,8 @@ var _ = Describe("When testing clusterctl upgrades (v1.6=>current)", func() {
 			InitWithBinary:            fmt.Sprintf(clusterctlDownloadURL, stableRelease),
 			InitWithProvidersContract: "v1beta1",
 			//  Note: Both InitWithKubernetesVersion and WorkloadKubernetesVersion should be the highest mgmt cluster version supported by the source Cluster API version.
-			InitWithKubernetesVersion: "v1.29.0",
-			WorkloadKubernetesVersion: "v1.29.0",
+			InitWithKubernetesVersion: "v1.29.2",
+			WorkloadKubernetesVersion: "v1.29.2",
 			MgmtFlavor:                "topology",
 			WorkloadFlavor:            "",
 		}
@@ -307,8 +307,8 @@ var _ = Describe("When testing clusterctl upgrades using ClusterClass (v1.6=>cur
 			InitWithBinary:            fmt.Sprintf(clusterctlDownloadURL, stableRelease),
 			InitWithProvidersContract: "v1beta1",
 			// Note: Both InitWithKubernetesVersion and WorkloadKubernetesVersion should be the highest mgmt cluster version supported by the source Cluster API version.
-			InitWithKubernetesVersion: "v1.29.0",
-			WorkloadKubernetesVersion: "v1.29.0",
+			InitWithKubernetesVersion: "v1.29.2",
+			WorkloadKubernetesVersion: "v1.29.2",
 			MgmtFlavor:                "topology",
 			WorkloadFlavor:            "topology",
 		}
diff --git a/test/e2e/config/docker.yaml b/test/e2e/config/docker.yaml
index bbeaa3c1ce6a..daa653bf92c3 100644
--- a/test/e2e/config/docker.yaml
+++ b/test/e2e/config/docker.yaml
@@ -314,10 +314,10 @@ variables:
   # allowing the same e2e config file to be re-used in different Prow jobs e.g. each one with a K8s version permutation.
   # The following Kubernetes versions should be the latest versions with already published kindest/node images.
   # This avoids building node images in the default case which improves the test duration significantly.
-  KUBERNETES_VERSION_MANAGEMENT: "v1.29.0"
-  KUBERNETES_VERSION: "v1.29.0"
+  KUBERNETES_VERSION_MANAGEMENT: "v1.29.2"
+  KUBERNETES_VERSION: "v1.29.2"
   KUBERNETES_VERSION_UPGRADE_FROM: "v1.28.0"
-  KUBERNETES_VERSION_UPGRADE_TO: "v1.29.0"
+  KUBERNETES_VERSION_UPGRADE_TO: "v1.29.2"
   KUBERNETES_VERSION_LATEST_CI: "ci/latest-1.30"
   ETCD_VERSION_UPGRADE_TO: "3.5.10-0"
   COREDNS_VERSION_UPGRADE_TO: "v1.11.1"
diff --git a/test/e2e/data/kubetest/conformance.yaml b/test/e2e/data/kubetest/conformance.yaml
index f3d62e99b6c0..36ea15c73ee9 100644
--- a/test/e2e/data/kubetest/conformance.yaml
+++ b/test/e2e/data/kubetest/conformance.yaml
@@ -1,9 +1,12 @@
 ginkgo.focus: \[Conformance\]
 ginkgo.skip: \[Serial\]
 disable-log-dump: true
+# ginkgo.progress flag is deprecated but its still used in
+# k8s versions <= v1.26, we have to keep it as long as we
+# support these versions.
 ginkgo.progress: true
-ginkgo.slowSpecThreshold: 120.0
-ginkgo.flakeAttempts: 3
+ginkgo.slow-spec-threshold: 120s
+ginkgo.flake-attempts: 3
 ginkgo.trace: true
 ginkgo.v: true
 # Use 5m instead of the default 10m to fail faster
diff --git a/test/e2e/data/kubetest/dualstack.yaml b/test/e2e/data/kubetest/dualstack.yaml
index bfa4340eec06..682c5d918c11 100644
--- a/test/e2e/data/kubetest/dualstack.yaml
+++ b/test/e2e/data/kubetest/dualstack.yaml
@@ -1,9 +1,12 @@
 ginkgo.focus: \[Feature\:IPv6DualStack\]
 ginkgo.skip: \[Feature\:SCTPConnectivity\]
 disable-log-dump: true
+# ginkgo.progress flag is deprecated but its still used when
+# we run kubetest on K8s versions <= v1.26, we have to keep it
+# as long as we support these versions.
 ginkgo.progress: true
-ginkgo.slowSpecThreshold: 120.0
-ginkgo.flakeAttempts: 3
+ginkgo.slow-spec-threshold: 120s
+ginkgo.flake-attempts: 3
 ginkgo.trace: true
 ginkgo.v: true
 ginkgo.no-color: true
diff --git a/test/e2e/quick_start_test.go b/test/e2e/quick_start_test.go
index bc0a545d6a55..077f737c6594 100644
--- a/test/e2e/quick_start_test.go
+++ b/test/e2e/quick_start_test.go
@@ -56,6 +56,13 @@ var _ = Describe("When following the Cluster API quick-start", func() {
 					framework.KubeadmControlPlaneOwnerReferenceAssertions,
 					framework.KubernetesReferenceAssertions,
 				)
+				// This check ensures that finalizers are resilient - i.e. correctly re-reconciled - when removed.
+				framework.ValidateFinalizersResilience(ctx, proxy, namespace, clusterName,
+					framework.CoreFinalizersAssertion,
+					framework.KubeadmControlPlaneFinalizersAssertion,
+					framework.ExpFinalizersAssertion,
+					framework.DockerInfraFinalizersAssertion,
+				)
 			},
 		}
 	})
@@ -90,6 +97,13 @@ var _ = Describe("When following the Cluster API quick-start with ClusterClass [
 					framework.KubeadmControlPlaneOwnerReferenceAssertions,
 					framework.KubernetesReferenceAssertions,
 				)
+				// This check ensures that finalizers are resilient - i.e. correctly re-reconciled - when removed.
+				framework.ValidateFinalizersResilience(ctx, proxy, namespace, clusterName,
+					framework.CoreFinalizersAssertion,
+					framework.KubeadmControlPlaneFinalizersAssertion,
+					framework.ExpFinalizersAssertion,
+					framework.DockerInfraFinalizersAssertion,
+				)
 			},
 		}
 	})
@@ -175,48 +189,3 @@ var _ = Describe("When following the Cluster API quick-start with dualstack and
 		}
 	})
 })
-
-var _ = Describe("When following the Cluster API quick-start check finalizers resilience after deletion", func() {
-	QuickStartSpec(ctx, func() QuickStartSpecInput {
-		return QuickStartSpecInput{
-			E2EConfig:              e2eConfig,
-			ClusterctlConfigPath:   clusterctlConfigPath,
-			BootstrapClusterProxy:  bootstrapClusterProxy,
-			ArtifactFolder:         artifactFolder,
-			SkipCleanup:            skipCleanup,
-			InfrastructureProvider: ptr.To("docker"),
-			PostMachinesProvisioned: func(proxy framework.ClusterProxy, namespace, clusterName string) {
-				// This check ensures that finalizers are resilient - i.e. correctly re-reconciled - when removed.
-				framework.ValidateFinalizersResilience(ctx, proxy, namespace, clusterName,
-					framework.CoreFinalizersAssertion,
-					framework.KubeadmControlPlaneFinalizersAssertion,
-					framework.ExpFinalizersAssertion,
-					framework.DockerInfraFinalizersAssertion,
-				)
-			},
-		}
-	})
-})
-
-var _ = Describe("When following the Cluster API quick-start with ClusterClass check finalizers resilience after deletion [ClusterClass]", func() {
-	QuickStartSpec(ctx, func() QuickStartSpecInput {
-		return QuickStartSpecInput{
-			E2EConfig:              e2eConfig,
-			ClusterctlConfigPath:   clusterctlConfigPath,
-			BootstrapClusterProxy:  bootstrapClusterProxy,
-			ArtifactFolder:         artifactFolder,
-			SkipCleanup:            skipCleanup,
-			Flavor:                 ptr.To("topology"),
-			InfrastructureProvider: ptr.To("docker"),
-			PostMachinesProvisioned: func(proxy framework.ClusterProxy, namespace, clusterName string) {
-				// This check ensures that finalizers are resilient - i.e. correctly re-reconciled - when removed.
-				framework.ValidateFinalizersResilience(ctx, proxy, namespace, clusterName,
-					framework.CoreFinalizersAssertion,
-					framework.KubeadmControlPlaneFinalizersAssertion,
-					framework.ExpFinalizersAssertion,
-					framework.DockerInfraFinalizersAssertion,
-				)
-			},
-		}
-	})
-})
diff --git a/test/framework/alltypes_helpers.go b/test/framework/alltypes_helpers.go
index 851a70ff7c6a..d499d4477c5d 100644
--- a/test/framework/alltypes_helpers.go
+++ b/test/framework/alltypes_helpers.go
@@ -23,6 +23,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strings"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -155,10 +156,30 @@ func DumpResourcesForCluster(ctx context.Context, input DumpResourcesForClusterI
 	for _, resource := range input.Resources {
 		resourceList := new(unstructured.UnstructuredList)
 		resourceList.SetGroupVersionKind(resource.GVK)
+
+		var i int
 		var listErr error
 		_ = wait.PollUntilContextTimeout(ctx, retryableOperationInterval, retryableOperationTimeout, true, func(ctx context.Context) (bool, error) {
 			if listErr = input.Lister.List(ctx, resourceList, client.InNamespace(resource.Namespace)); listErr != nil {
-				return false, nil //nolint:nilerr
+				// Fail fast for well known network errors that most likely won't recover.
+				// e.g This error happens when the control plane endpoint for the workload cluster can't be reached from
+				// the machine where the E2E test runs.
+				if strings.HasSuffix(listErr.Error(), "connect: no route to host") {
+					return true, nil
+				}
+				// e.g This error happens when the API server for the workload cluster is down or the control plane endpoint
+				// can't be reached from the machine where the E2E test runs.
+				// NOTE: we consider this error won't recover after it happens at least 3 times in a row
+				if strings.HasSuffix(listErr.Error(), "i/o timeout") {
+					i++
+					if i >= 3 {
+						return true, nil
+					}
+					return false, nil
+				}
+
+				i = 0
+				return false, nil
 			}
 			return true, nil
 		})
diff --git a/test/framework/bootstrap/kind_provider.go b/test/framework/bootstrap/kind_provider.go
index 5b0042663290..4671ec7f9981 100644
--- a/test/framework/bootstrap/kind_provider.go
+++ b/test/framework/bootstrap/kind_provider.go
@@ -37,7 +37,7 @@ const (
 	DefaultNodeImageRepository = "kindest/node"
 
 	// DefaultNodeImageVersion is the default Kubernetes version to be used for creating a kind cluster.
-	DefaultNodeImageVersion = "v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570"
+	DefaultNodeImageVersion = "v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245"
 )
 
 // KindClusterOption is a NewKindClusterProvider option.
diff --git a/test/framework/ownerreference_helpers.go b/test/framework/ownerreference_helpers.go
index 910952fbc77a..a755ce6a9a0e 100644
--- a/test/framework/ownerreference_helpers.go
+++ b/test/framework/ownerreference_helpers.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"reflect"
 	"sort"
+	"strings"
 	"time"
 
 	. "github.com/onsi/gomega"
@@ -112,6 +113,12 @@ func AssertOwnerReferences(namespace, kubeconfigPath string, assertFuncs ...map[
 		ctx := context.Background()
 
 		graph, err := clusterctlcluster.GetOwnerGraph(ctx, namespace, kubeconfigPath)
+		// Sometimes the conversion-webhooks are not ready yet / cert-managers ca-injector
+		// may not yet have injected the new ca bundle after the upgrade.
+		// If this is the case we return an error to retry.
+		if err != nil && strings.Contains(err.Error(), "x509: certificate signed by unknown authority") {
+			return err
+		}
 		Expect(err).ToNot(HaveOccurred())
 		for _, v := range graph {
 			if _, ok := allAssertFuncs[v.Object.Kind]; !ok {
diff --git a/test/go.mod b/test/go.mod
index 48ca591280f1..801a9cc7a4a9 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -8,12 +8,12 @@ require (
 	github.com/blang/semver/v4 v4.0.0
 	github.com/docker/docker v25.0.3+incompatible
 	github.com/docker/go-connections v0.5.0
-	github.com/emicklei/go-restful/v3 v3.11.2
+	github.com/emicklei/go-restful/v3 v3.11.3
 	github.com/evanphx/json-patch/v5 v5.9.0
 	github.com/flatcar/ignition v0.36.2
 	github.com/go-logr/logr v1.4.1
 	github.com/google/go-cmp v0.6.0
-	github.com/onsi/ginkgo/v2 v2.15.0
+	github.com/onsi/ginkgo/v2 v2.16.0
 	github.com/onsi/gomega v1.31.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.18.0
@@ -21,19 +21,19 @@ require (
 	github.com/vincent-petithory/dataurl v1.0.0
 	go.etcd.io/etcd/api/v3 v3.5.12
 	go.etcd.io/etcd/client/v3 v3.5.12
-	golang.org/x/net v0.21.0
+	golang.org/x/net v0.22.0
 	google.golang.org/grpc v1.60.1
-	k8s.io/api v0.29.1
-	k8s.io/apiextensions-apiserver v0.29.1
-	k8s.io/apimachinery v0.29.1
-	k8s.io/apiserver v0.29.1
-	k8s.io/client-go v0.29.1
-	k8s.io/component-base v0.29.1
+	k8s.io/api v0.29.2
+	k8s.io/apiextensions-apiserver v0.29.2
+	k8s.io/apimachinery v0.29.2
+	k8s.io/apiserver v0.29.2
+	k8s.io/client-go v0.29.2
+	k8s.io/component-base v0.29.2
 	k8s.io/klog/v2 v2.110.1
 	k8s.io/utils v0.0.0-20231127182322-b307cd553661
 	sigs.k8s.io/cluster-api v0.0.0-00010101000000-000000000000
 	sigs.k8s.io/controller-runtime v0.17.2
-	sigs.k8s.io/kind v0.20.0
+	sigs.k8s.io/kind v0.22.0
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -135,27 +135,27 @@ require (
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/crypto v0.19.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/oauth2 v0.17.0 // indirect
-	golang.org/x/sync v0.5.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
-	golang.org/x/term v0.17.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
+	golang.org/x/tools v0.17.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.4.0 // indirect
-	k8s.io/cluster-bootstrap v0.29.1 // indirect
+	k8s.io/cluster-bootstrap v0.29.2 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
diff --git a/test/go.sum b/test/go.sum
index 9119fb646c70..a2bd0e940ffa 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -83,8 +83,8 @@ github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 h1:7QPwrLT79GlD5
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46/go.mod h1:esf2rsHFNlZlxsqsZDojNBcnNs5REqIvRrWRHqX0vEU=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU=
-github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/emicklei/go-restful/v3 v3.11.3 h1:yagOQz/38xJmcNeZJtrUcKjkHRltIaIFXKWeG1SkWGE=
+github.com/emicklei/go-restful/v3 v3.11.3/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA=
 github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE=
 github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
@@ -233,8 +233,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
-github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
+github.com/onsi/ginkgo/v2 v2.16.0 h1:7q1w9frJDzninhXxjZd+Y/x54XNjG/UlRLIYPZafsPM=
+github.com/onsi/ginkgo/v2 v2.16.0/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
 github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -373,8 +373,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -389,16 +389,16 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
 golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -415,13 +415,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -438,8 +438,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -458,8 +458,8 @@ google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU=
 google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -481,20 +481,20 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw=
-k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ=
-k8s.io/apiextensions-apiserver v0.29.1 h1:S9xOtyk9M3Sk1tIpQMu9wXHm5O2MX6Y1kIpPMimZBZw=
-k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU=
-k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc=
-k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
-k8s.io/apiserver v0.29.1 h1:e2wwHUfEmMsa8+cuft8MT56+16EONIEK8A/gpBSco+g=
-k8s.io/apiserver v0.29.1/go.mod h1:V0EpkTRrJymyVT3M49we8uh2RvXf7fWC5XLB0P3SwRw=
-k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A=
-k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks=
-k8s.io/cluster-bootstrap v0.29.1 h1:YZ7fAY9DT1ZQVU6JFPWjpgm7DzSoTs50r6cI/OP+vLA=
-k8s.io/cluster-bootstrap v0.29.1/go.mod h1:T8sLsyIaQg2aIRdWxrBPYm8pyk+9Xxy+DJxJarv2MnM=
-k8s.io/component-base v0.29.1 h1:MUimqJPCRnnHsskTTjKD+IC1EHBbRCVyi37IoFBrkYw=
-k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc=
+k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
+k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
+k8s.io/apiextensions-apiserver v0.29.2 h1:UK3xB5lOWSnhaCk0RFZ0LUacPZz9RY4wi/yt2Iu+btg=
+k8s.io/apiextensions-apiserver v0.29.2/go.mod h1:aLfYjpA5p3OwtqNXQFkhJ56TB+spV8Gc4wfMhUA3/b8=
+k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
+k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
+k8s.io/apiserver v0.29.2 h1:+Z9S0dSNr+CjnVXQePG8TcBWHr3Q7BmAr7NraHvsMiQ=
+k8s.io/apiserver v0.29.2/go.mod h1:B0LieKVoyU7ykQvPFm7XSdIHaCHSzCzQWPFa5bqbeMQ=
+k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
+k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
+k8s.io/cluster-bootstrap v0.29.2 h1:CJ8kNpm6vqPX6laBEPGoEFpVQ0XmzgXMdQosvd5m2OA=
+k8s.io/cluster-bootstrap v0.29.2/go.mod h1:75qXUXImrhRHglBCQsBvZrS4uJFyaDinOWLWbbaRRH0=
+k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
+k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
@@ -507,8 +507,8 @@ sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeG
 sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/kind v0.20.0 h1:f0sc3v9mQbGnjBUaqSFST1dwIuiikKVGgoTwpoP33a8=
-sigs.k8s.io/kind v0.20.0/go.mod h1:aBlbxg08cauDgZ612shr017/rZwqd7AS563FvpWKPVs=
+sigs.k8s.io/kind v0.22.0 h1:z/+yr/azoOfzsfooqRsPw1wjJlqT/ukXP0ShkHwNlsI=
+sigs.k8s.io/kind v0.22.0/go.mod h1:aBlbxg08cauDgZ612shr017/rZwqd7AS563FvpWKPVs=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
diff --git a/test/infrastructure/docker/examples/machine-pool.yaml b/test/infrastructure/docker/examples/machine-pool.yaml
index 5f3e63d5b422..eb18faa68fb0 100644
--- a/test/infrastructure/docker/examples/machine-pool.yaml
+++ b/test/infrastructure/docker/examples/machine-pool.yaml
@@ -35,7 +35,7 @@ metadata:
   namespace: default
 spec:
   replicas: 1
-  version: v1.29.0
+  version: v1.29.2
   machineTemplate:
     infrastructureRef:
       apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -80,7 +80,7 @@ spec:
   replicas: 2
   template:
     spec:
-      version: v1.29.0
+      version: v1.29.2
       clusterName: my-cluster
       bootstrap:
         configRef:
diff --git a/test/infrastructure/docker/examples/simple-cluster-ipv6.yaml b/test/infrastructure/docker/examples/simple-cluster-ipv6.yaml
index 792b413f98ca..737f1c618c62 100644
--- a/test/infrastructure/docker/examples/simple-cluster-ipv6.yaml
+++ b/test/infrastructure/docker/examples/simple-cluster-ipv6.yaml
@@ -35,7 +35,7 @@ metadata:
   namespace: default
 spec:
   replicas: 1
-  version: v1.29.0
+  version: v1.29.2
   machineTemplate:
     infrastructureRef:
       apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -90,7 +90,7 @@ spec:
       cluster.x-k8s.io/cluster-name: my-cluster
   template:
     spec:
-      version: v1.29.0
+      version: v1.29.2
       clusterName: my-cluster
       bootstrap:
         configRef:
diff --git a/test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml b/test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml
index be56c248ad9c..36829b40f4bd 100644
--- a/test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml
+++ b/test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml
@@ -32,7 +32,7 @@ metadata:
   name: controlplane-0
   namespace: default
 spec:
-  version: v1.29.0
+  version: v1.29.2
   clusterName: my-cluster
   bootstrap:
     configRef:
@@ -80,7 +80,7 @@ spec:
       cluster.x-k8s.io/cluster-name: my-cluster
   template:
     spec:
-      version: v1.29.0
+      version: v1.29.2
       clusterName: my-cluster
       bootstrap:
         configRef:
diff --git a/test/infrastructure/docker/examples/simple-cluster.yaml b/test/infrastructure/docker/examples/simple-cluster.yaml
index 134ec23fdc46..55cd41d64f30 100644
--- a/test/infrastructure/docker/examples/simple-cluster.yaml
+++ b/test/infrastructure/docker/examples/simple-cluster.yaml
@@ -35,7 +35,7 @@ metadata:
   namespace: default
 spec:
   replicas: 1
-  version: v1.29.0
+  version: v1.29.2
   machineTemplate:
     infrastructureRef:
       apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -83,7 +83,7 @@ spec:
       cluster.x-k8s.io/cluster-name: my-cluster
   template:
     spec:
-      version: v1.29.0
+      version: v1.29.2
       clusterName: my-cluster
       bootstrap:
         configRef:
diff --git a/test/infrastructure/inmemory/pkg/server/mux.go b/test/infrastructure/inmemory/pkg/server/mux.go
index 8d47d273af81..13fba07ff452 100644
--- a/test/infrastructure/inmemory/pkg/server/mux.go
+++ b/test/infrastructure/inmemory/pkg/server/mux.go
@@ -108,8 +108,8 @@ type WorkloadClustersMux struct {
 	debugServer              http.Server
 	muxServer                http.Server
 	workloadClusterListeners map[string]*WorkloadClusterListener
-	// workloadClusterNameByHost maps from Host to workload cluster name.
-	workloadClusterNameByHost map[string]string
+	// workloadClusterNameByPort maps from Port to workload cluster name.
+	workloadClusterNameByPort map[string]string
 
 	lock sync.RWMutex
 	log  logr.Logger
@@ -131,7 +131,7 @@ func NewWorkloadClustersMux(manager inmemoryruntime.Manager, host string, opts .
 		portIndex:                 options.MinPort,
 		manager:                   manager,
 		workloadClusterListeners:  map[string]*WorkloadClusterListener{},
-		workloadClusterNameByHost: map[string]string{},
+		workloadClusterNameByPort: map[string]string{},
 		log:                       log.Log,
 	}
 
@@ -169,7 +169,12 @@ func (m *WorkloadClustersMux) mixedHandler() http.Handler {
 	resourceGroupResolver := func(host string) (string, error) {
 		m.lock.RLock()
 		defer m.lock.RUnlock()
-		wclName, ok := m.workloadClusterNameByHost[host]
+
+		_, port, err := net.SplitHostPort(host)
+		if err != nil {
+			return "", err
+		}
+		wclName, ok := m.workloadClusterNameByPort[port]
 		if !ok {
 			return "", errors.Errorf("failed to get workloadClusterListener for host %s", host)
 		}
@@ -211,10 +216,14 @@ func (m *WorkloadClustersMux) getCertificate(info *tls.ClientHelloInfo) (*tls.Ce
 	defer m.lock.RUnlock()
 
 	// Identify which workloadCluster/resourceGroup a request targets to.
-	hostPort := info.Conn.LocalAddr().String()
-	wclName, ok := m.workloadClusterNameByHost[hostPort]
+	_, port, err := net.SplitHostPort(info.Conn.LocalAddr().String())
+	if err != nil {
+		return nil, err
+	}
+
+	wclName, ok := m.workloadClusterNameByPort[port]
 	if !ok {
-		err := errors.Errorf("failed to get listener name for workload cluster serving on %s", hostPort)
+		err := errors.Errorf("failed to get listener name for workload cluster serving on %s", port)
 		m.log.Error(err, "Error resolving certificates")
 		return nil, err
 	}
@@ -222,7 +231,7 @@ func (m *WorkloadClustersMux) getCertificate(info *tls.ClientHelloInfo) (*tls.Ce
 	// Gets the listener config for the target workloadCluster.
 	wcl, ok := m.workloadClusterListeners[wclName]
 	if !ok {
-		err := errors.Errorf("failed to get listener with name %s for workload cluster serving on %s", wclName, hostPort)
+		err := errors.Errorf("failed to get listener with name %s for workload cluster serving on %s", wclName, port)
 		m.log.Error(err, "Error resolving certificates")
 		return nil, err
 	}
@@ -231,12 +240,12 @@ func (m *WorkloadClustersMux) getCertificate(info *tls.ClientHelloInfo) (*tls.Ce
 	// NOTE: the port forward call to etcd sets the server name to the name of the targeted etcd pod,
 	// which is also the name of the corresponding etcd member.
 	if wcl.etcdMembers.Has(info.ServerName) {
-		m.log.V(4).Info("Using etcd serving certificate", "listenerName", wcl, "host", hostPort, "etcdPod", info.ServerName)
+		m.log.V(4).Info("Using etcd serving certificate", "listenerName", wcl, "host", port, "etcdPod", info.ServerName)
 		return wcl.etcdServingCertificates[info.ServerName], nil
 	}
 
 	// Otherwise we assume the request targets the API server.
-	m.log.V(4).Info("Using API server serving certificate", "listenerName", wcl, "host", hostPort)
+	m.log.V(4).Info("Using API server serving certificate", "listenerName", wcl, "host", port)
 	return wcl.apiServerServingCertificate, nil
 }
 
@@ -320,7 +329,7 @@ func (m *WorkloadClustersMux) initWorkloadClusterListenerWithPortLocked(wclName
 	// NOTE: it is required to add on both maps and keep them in sync
 	// In order to get the resourceGroupResolver to work.
 	m.workloadClusterListeners[wclName] = wcl
-	m.workloadClusterNameByHost[wcl.HostPort()] = wclName
+	m.workloadClusterNameByPort[fmt.Sprintf("%d", wcl.Port())] = wclName
 
 	m.log.Info("Workload cluster listener created", "listenerName", wclName, "address", wcl.Address())
 	return wcl
@@ -432,9 +441,9 @@ func (m *WorkloadClustersMux) AddAPIServer(wclName, podName string, caCert *x509
 			return nil
 		}
 
-		l, err := net.Listen("tcp", wcl.HostPort())
+		l, err := net.Listen("tcp", fmt.Sprintf(":%d", wcl.Port()))
 		if err != nil {
-			return errors.Wrapf(err, "failed to start WorkloadClusterListener %s, %s", wclName, wcl.HostPort())
+			return errors.Wrapf(err, "failed to start WorkloadClusterListener %s, %s", wclName, fmt.Sprintf(":%d", wcl.Port()))
 		}
 		wcl.listener = l
 
@@ -451,7 +460,7 @@ func (m *WorkloadClustersMux) AddAPIServer(wclName, podName string, caCert *x509
 
 	// Wait until the sever is working.
 	var pollErr error
-	err = wait.PollUntilContextTimeout(context.TODO(), 10*time.Millisecond, 1*time.Second, true, func(context.Context) (done bool, err error) {
+	err = wait.PollUntilContextTimeout(context.TODO(), 250*time.Millisecond, 5*time.Second, true, func(context.Context) (done bool, err error) {
 		d := &net.Dialer{Timeout: 50 * time.Millisecond}
 		conn, err := tls.DialWithDialer(d, "tcp", wcl.HostPort(), &tls.Config{
 			InsecureSkipVerify: true, //nolint:gosec // config is used to connect to our own port.
@@ -603,7 +612,7 @@ func (m *WorkloadClustersMux) DeleteWorkloadClusterListener(wclName string) erro
 	}
 
 	delete(m.workloadClusterListeners, wclName)
-	delete(m.workloadClusterNameByHost, wcl.HostPort())
+	delete(m.workloadClusterNameByPort, fmt.Sprintf("%d", wcl.Port()))
 
 	m.log.Info("Workload cluster listener deleted", "listenerName", wclName, "address", wcl.Address())
 	return nil
diff --git a/test/infrastructure/kind/mapper.go b/test/infrastructure/kind/mapper.go
index b596b79fab77..4e9b08c131db 100644
--- a/test/infrastructure/kind/mapper.go
+++ b/test/infrastructure/kind/mapper.go
@@ -79,6 +79,99 @@ type Mapping struct {
 var preBuiltMappings = []Mapping{
 
 	// TODO: Add pre-built images for newer Kind versions on top
+	// Pre-built images for Kind v1.22.
+	{
+		KubernetesVersion: semver.MustParse("1.29.2"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.29.1"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.29.1@sha256:0c06baa545c3bb3fbd4828eb49b8b805f6788e18ce67bff34706ffa91866558b",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.28.7"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.28.7@sha256:9bc6c451a289cf96ad0bbaf33d416901de6fd632415b076ab05f5fa7e4f65c58",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.28.6"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.28.6@sha256:e9e59d321795595d0eed0de48ef9fbda50388dc8bd4a9b23fb9bd869f370ec7e",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.27.11"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.27.11@sha256:681253009e68069b8e01aad36a1e0fa8cf18bb0ab3e5c4069b2e65cafdd70843",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.27.10"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.27.10@sha256:e6b2f72f22a4de7b957cd5541e519a8bef3bae7261dd30c6df34cd9bdd3f8476",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.26.14"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.26.14@sha256:5d548739ddef37b9318c70cb977f57bf3e5015e4552be4e27e57280a8cbb8e4f",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.26.13"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.26.13@sha256:8cb4239d64ff897e0c21ad19fe1d68c3422d4f3c1c1a734b7ab9ccc76c549605",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.25.16"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.25.16@sha256:e8b50f8e06b44bb65a93678a65a26248fae585b3d3c2a669e5ca6c90c69dc519",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.24.17"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.24.17@sha256:bad10f9b98d54586cba05a7eaa1b61c6b90bfc4ee174fdc43a7b75ca75c95e51",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.23.17"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3",
+	},
+
+	// Pre-built images for Kind v1.21.
+	{
+		KubernetesVersion: semver.MustParse("1.29.1"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.29.1@sha256:a0cc28af37cf39b019e2b448c54d1a3f789de32536cb5a5db61a49623e527144",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.28.6"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.28.6@sha256:b7e1cf6b2b729f604133c667a6be8aab6f4dde5bb042c1891ae248d9154f665b",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.27.10"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.27.10@sha256:3700c811144e24a6c6181065265f69b9bf0b437c45741017182d7c82b908918f",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.26.13"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.26.13@sha256:15ae92d507b7d4aec6e8920d358fc63d3b980493db191d7327541fbaaed1f789",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.25.16"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.25.16@sha256:9d0a62b55d4fe1e262953be8d406689b947668626a357b5f9d0cfbddbebbc727",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.24.17"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.24.17@sha256:ea292d57ec5dd0e2f3f5a2d77efa246ac883c051ff80e887109fabefbd3125c7",
+	},
+	{
+		KubernetesVersion: semver.MustParse("1.23.17"),
+		Mode:              Mode0_20,
+		Image:             "kindest/node:v1.23.17@sha256:fbb92ac580fce498473762419df27fa8664dbaa1c5a361b5957e123b4035bdcf",
+	},
 
 	// Pre-built images for Kind v1.20.
 	{
diff --git a/test/infrastructure/kind/mapper_test.go b/test/infrastructure/kind/mapper_test.go
index bd6ab73978bd..952ebcf0594f 100644
--- a/test/infrastructure/kind/mapper_test.go
+++ b/test/infrastructure/kind/mapper_test.go
@@ -48,6 +48,14 @@ func TestGetMapping(t *testing.T) {
 				Image: "foo",
 			},
 		},
+		{
+			name:       "Exact match for Kubernetes version, kind Mode0_20",
+			k8sVersion: semver.MustParse("1.29.1"),
+			expectedMapping: Mapping{
+				Mode:  Mode0_20,
+				Image: "kindest/node:v1.29.1@sha256:0c06baa545c3bb3fbd4828eb49b8b805f6788e18ce67bff34706ffa91866558b",
+			},
+		},
 		{
 			name:       "Exact match for Kubernetes version, kind Mode0_20",
 			k8sVersion: semver.MustParse("1.27.3"),
@@ -69,7 +77,7 @@ func TestGetMapping(t *testing.T) {
 			k8sVersion: semver.MustParse("1.23.17"),
 			expectedMapping: Mapping{
 				Mode:  Mode0_20,
-				Image: "kindest/node:v1.23.17@sha256:59c989ff8a517a93127d4a536e7014d28e235fb3529d9fba91b3951d461edfdb",
+				Image: "kindest/node:v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3",
 			},
 		},
 		{
diff --git a/webhooks/alias.go b/webhooks/alias.go
index b1688d95c80c..db3dbe43803a 100644
--- a/webhooks/alias.go
+++ b/webhooks/alias.go
@@ -25,13 +25,19 @@ import (
 
 // Cluster implements a validating and defaulting webhook for Cluster.
 type Cluster struct {
-	Client client.Reader
+	Client                    client.Reader
+	ClusterCacheTrackerReader webhooks.ClusterCacheTrackerReader
 }
 
+// ClusterCacheTrackerReader is a read-only ClusterCacheTracker useful to gather information
+// for MachinePool nodes for workload clusters.
+type ClusterCacheTrackerReader = webhooks.ClusterCacheTrackerReader
+
 // SetupWebhookWithManager sets up Cluster webhooks.
 func (webhook *Cluster) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return (&webhooks.Cluster{
-		Client: webhook.Client,
+		Client:  webhook.Client,
+		Tracker: webhook.ClusterCacheTrackerReader,
 	}).SetupWebhookWithManager(mgr)
 }