diff --git a/Makefile.kube_git.var b/Makefile.kube_git.var index 5b01a5a264..b457dc70b5 100644 --- a/Makefile.kube_git.var +++ b/Makefile.kube_git.var @@ -1,5 +1,5 @@ KUBE_GIT_MAJOR=1 KUBE_GIT_MINOR=35 KUBE_GIT_VERSION=v1.35.3 -KUBE_GIT_COMMIT=872bd3722d0954b31459f715fbd4fb7612aaf338 +KUBE_GIT_COMMIT=d8d517e6bbe7cf7359026cac26bb96ea45e18806 KUBE_GIT_TREE_STATE=clean diff --git a/Makefile.version.aarch64.var b/Makefile.version.aarch64.var index ff987370b4..db648f7911 100644 --- a/Makefile.version.aarch64.var +++ b/Makefile.version.aarch64.var @@ -1 +1 @@ -OCP_VERSION := 5.0.0-0.nightly-arm64-2026-06-10-025037 +OCP_VERSION := 5.0.0-0.nightly-arm64-2026-06-14-225436 diff --git a/Makefile.version.x86_64.var b/Makefile.version.x86_64.var index a931f60b4f..e695f2586b 100644 --- a/Makefile.version.x86_64.var +++ b/Makefile.version.x86_64.var @@ -1 +1 @@ -OCP_VERSION := 5.0.0-0.nightly-2026-06-09-112600 +OCP_VERSION := 5.0.0-0.nightly-2026-06-14-221055 diff --git a/assets/components/multus/kustomization.aarch64.yaml b/assets/components/multus/kustomization.aarch64.yaml index 773e81016a..f7c4d8ece4 100644 --- a/assets/components/multus/kustomization.aarch64.yaml +++ b/assets/components/multus/kustomization.aarch64.yaml @@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:12f6644c521588d72e607d5761c7fa3e9a73bb0aab88b08420a8c5e4d4236ec5 + digest: sha256:fbc294064821a949122c19e8d01b9049e431b5144a26c251103d6679a4bbfa27 - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:fc47b7c1f5138b74498c9c7ce7ad845f8fe73aa51fed2c735d6ebfa8882545a3 + digest: sha256:14d52df91337b4c53777c351589adc82772a0f6e0fe3f40abf17c305163ef558 diff --git a/assets/components/multus/kustomization.x86_64.yaml b/assets/components/multus/kustomization.x86_64.yaml index 89dcabff80..bae8465054 100644 --- a/assets/components/multus/kustomization.x86_64.yaml 
+++ b/assets/components/multus/kustomization.x86_64.yaml @@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:457d82310a2ecd6823e5eb2a1650d14443c2730ecda4d62ad8b88d181f63463d + digest: sha256:131da38b7935bb3497cacaf564697508d8298ffacb19b06df4d0ab2fd16bef9f - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:db6025036ff280675e8d784ab0457acfcfa29ec4af35e823e64f04901d39da72 + digest: sha256:7335aca1b6454b6b5f02fecd7a062eaf27fe4c2367f9ddf071eedb80b47ce7ab diff --git a/assets/components/multus/release-multus-aarch64.json b/assets/components/multus/release-multus-aarch64.json index e989ae6e20..f6a97b1530 100644 --- a/assets/components/multus/release-multus-aarch64.json +++ b/assets/components/multus/release-multus-aarch64.json @@ -1,9 +1,9 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-10-025037" + "base": "5.0.0-0.nightly-arm64-2026-06-14-225436" }, "images": { - "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:12f6644c521588d72e607d5761c7fa3e9a73bb0aab88b08420a8c5e4d4236ec5", - "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:fc47b7c1f5138b74498c9c7ce7ad845f8fe73aa51fed2c735d6ebfa8882545a3" + "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:fbc294064821a949122c19e8d01b9049e431b5144a26c251103d6679a4bbfa27", + "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:14d52df91337b4c53777c351589adc82772a0f6e0fe3f40abf17c305163ef558" } } diff --git a/assets/components/multus/release-multus-x86_64.json b/assets/components/multus/release-multus-x86_64.json index 702fdc0e29..ed1a78d9af 100644 --- a/assets/components/multus/release-multus-x86_64.json +++ b/assets/components/multus/release-multus-x86_64.json 
@@ -1,9 +1,9 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-09-112600" + "base": "5.0.0-0.nightly-2026-06-14-221055" }, "images": { - "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:457d82310a2ecd6823e5eb2a1650d14443c2730ecda4d62ad8b88d181f63463d", - "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:db6025036ff280675e8d784ab0457acfcfa29ec4af35e823e64f04901d39da72" + "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:131da38b7935bb3497cacaf564697508d8298ffacb19b06df4d0ab2fd16bef9f", + "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:7335aca1b6454b6b5f02fecd7a062eaf27fe4c2367f9ddf071eedb80b47ce7ab" } } diff --git a/assets/optional/metrics-server/00-namespace.yaml b/assets/optional/metrics-server/00-namespace.yaml new file mode 100644 index 0000000000..17f727565a --- /dev/null +++ b/assets/optional/metrics-server/00-namespace.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-monitoring + labels: + name: openshift-monitoring + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/warn: privileged diff --git a/assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml b/assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml new file mode 100644 index 0000000000..fad58afef1 --- /dev/null +++ b/assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml 
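Review bot: All three Pod Security Admission labels in `00-namespace.yaml` are set to `privileged`, which switches PSA off for every pod created in `openshift-monitoring`, not only metrics-server. The one workload this commit adds to the namespace (`03-deployment.yaml`) already declares `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and the `restricted-v2` SCC annotation, so it does not appear to need that level. If nothing else in the namespace requires it, consider `pod-security.kubernetes.io/enforce: restricted` with `audit` and `warn` at the same level, or add a comment naming the workload that needs `privileged`. The pod template sets no `seccompProfile`, so check whether the SCC supplies one before tightening.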
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: auth-delegator
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: openshift-monitoring
diff --git a/assets/optional/metrics-server/01-cluster-role-binding.yaml b/assets/optional/metrics-server/01-cluster-role-binding.yaml
new file mode 100644
index 0000000000..0bf14bd3e2
--- /dev/null
+++ b/assets/optional/metrics-server/01-cluster-role-binding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: system:metrics-server
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-server
+subjects:
+ - kind: ServiceAccount
+ name: metrics-server
+ namespace: openshift-monitoring
+ - kind: User
+ name: system:metrics-server
diff --git a/assets/optional/metrics-server/01-cluster-role.yaml b/assets/optional/metrics-server/01-cluster-role.yaml
new file mode 100644
index 0000000000..19be5ca4b0
--- /dev/null
+++ b/assets/optional/metrics-server/01-cluster-role.yaml
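Review bot: The second subject in `01-cluster-role-binding.yaml`, `kind: User` / `name: system:metrics-server`, has no visible counterpart in these manifests, so a reader cannot tell which credential carries that name. It presumably matches the subject of the kubelet client certificate mounted from `metrics-server-client-certs`; that is worth confirming against the code that issues the certificate, since any client able to present that identity receives the role. A comment above the subject would record the intent, for example `# identity of the metrics-server kubelet client certificate; needed for nodes/metrics on the kubelet`.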
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: system:metrics-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/assets/optional/metrics-server/01-role-binding-auth-reader.yaml b/assets/optional/metrics-server/01-role-binding-auth-reader.yaml
new file mode 100644
index 0000000000..6b11a238ce
--- /dev/null
+++ b/assets/optional/metrics-server/01-role-binding-auth-reader.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server-auth-reader
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: openshift-monitoring
diff --git a/assets/optional/metrics-server/01-service-account.yaml b/assets/optional/metrics-server/01-service-account.yaml
new file mode 100644
index 0000000000..310685e790
--- /dev/null
+++ b/assets/optional/metrics-server/01-service-account.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server
+ namespace: openshift-monitoring
diff --git a/assets/optional/metrics-server/02-configmap-audit-profiles.yaml b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml
new file mode 100644
index 0000000000..1cff598a6d
--- /dev/null
+++ b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+data:
+ metadata-profile.yaml: |-
+ "apiVersion": "audit.k8s.io/v1"
+ "kind": "Policy"
+ "metadata":
+ "name": "Metadata"
+ "omitStages":
+ - "RequestReceived"
+ "rules":
+ - "level": "Metadata"
+ none-profile.yaml: |-
+ "apiVersion": "audit.k8s.io/v1"
+ "kind": "Policy"
+ "metadata":
+ "name": "None"
+ "omitStages":
+ - "RequestReceived"
+ "rules":
+ - "level": "None"
+ request-profile.yaml: |-
+ "apiVersion": "audit.k8s.io/v1"
+ "kind": "Policy"
+ "metadata":
+ "name": "Request"
+ "omitStages":
+ - "RequestReceived"
+ "rules":
+ - "level": "Request"
+ requestresponse-profile.yaml: |-
+ "apiVersion": "audit.k8s.io/v1"
+ "kind": "Policy"
+ "metadata":
+ "name": "RequestResponse"
+ "omitStages":
+ - "RequestReceived"
+ "rules":
+ - "level": "RequestResponse"
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server-audit-profiles
+ namespace: openshift-monitoring
diff --git a/assets/optional/metrics-server/03-deployment.yaml b/assets/optional/metrics-server/03-deployment.yaml
new file mode 100644
index 0000000000..1830ee8fc2
--- /dev/null
+++ b/assets/optional/metrics-server/03-deployment.yaml
@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server
+ namespace: openshift-monitoring
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ openshift.io/required-scc: restricted-v2
+ target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ spec:
+ containers:
+ - args:
+ - --secure-port=10250
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --kubelet-use-node-status-port
+ - --metric-resolution=15s
+ - --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt
+ - --kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt
+ - --kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --shutdown-send-retry-after=true
+ - --shutdown-delay-duration=150s
+ - --disable-http2-serving=true
+ image: "quay.io/openshift/kube-metrics-server"
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /livez
+ port: https
+ scheme: HTTPS
+ periodSeconds: 10
+ name: metrics-server
+ ports:
+ - containerPort: 10250
+ name: https
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 20
+ periodSeconds: 20
+ resources:
+ requests:
+ cpu: 1m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: secret-metrics-server-tls
+ - mountPath: /etc/tls/metrics-server-client-certs
+ name: secret-metrics-server-client-certs
+ - mountPath: /etc/tls/kubelet-serving-ca-bundle
+ name: configmap-kubelet-serving-ca-bundle
+ - mountPath: /etc/audit
+ name: metrics-server-audit-profiles
+ readOnly: true
+ - mountPath: /var/log/metrics-server
+ name: audit-log
+ readOnly: false
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ serviceAccountName: metrics-server
+ terminationGracePeriodSeconds: 170
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ volumes:
+ - name: secret-metrics-server-client-certs
+ secret:
+ secretName: metrics-server-client-certs
+ - name: secret-metrics-server-tls
+ secret:
+ secretName: metrics-server-tls
+ - configMap:
+ name: kubelet-serving-ca-bundle
+ name: configmap-kubelet-serving-ca-bundle
+ - emptyDir: {}
+ name: audit-log
+ - configMap:
+ name: metrics-server-audit-profiles
+ name: metrics-server-audit-profiles
diff --git a/assets/optional/metrics-server/04-api-service.yaml b/assets/optional/metrics-server/04-api-service.yaml
new file mode 100644
index 0000000000..54303f0d9d
--- /dev/null
+++ b/assets/optional/metrics-server/04-api-service.yaml
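Review bot: The container in `03-deployment.yaml` mounts the `metrics-server-audit-profiles` ConfigMap at `/etc/audit` and an `audit-log` emptyDir at `/var/log/metrics-server`, but `args` contains no audit flag, so as written the aggregated API server appears to write no audit log and both mounts go unused. Either drop the two volumes together with `02-configmap-audit-profiles.yaml`, or enable auditing by adding `- --audit-policy-file=/etc/audit/metadata-profile.yaml` and an `- --audit-log-path=` entry under `/var/log/metrics-server` to `args`, with a size cap such as `--audit-log-maxsize` because the emptyDir counts against node storage. Separately, the Secrets `metrics-server-tls` and `metrics-server-client-certs` and the ConfigMap `kubelet-serving-ca-bundle` are not listed in `kustomization.yaml`; they are presumably created elsewhere, and the pod cannot start until they exist, so a comment naming their source would help.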
@@ -0,0 +1,21 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: v1beta1.metrics.k8s.io
+spec:
+ group: metrics.k8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: false
+ service:
+ name: metrics-server
+ namespace: openshift-monitoring
+ port: 443
+ version: v1beta1
+ versionPriority: 100
diff --git a/assets/optional/metrics-server/04-service.yaml b/assets/optional/metrics-server/04-service.yaml
new file mode 100644
index 0000000000..3a485b2dad
--- /dev/null
+++ b/assets/optional/metrics-server/04-service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ openshift.io/description: Expose the metrics-server web server on port 443. This port is for internal use, and no other usage is guaranteed.
+ service.beta.openshift.io/serving-cert-secret-name: metrics-server-tls
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server
+ namespace: openshift-monitoring
+spec:
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ selector:
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/optional/metrics-server/kustomization.aarch64.yaml b/assets/optional/metrics-server/kustomization.aarch64.yaml
new file mode 100644
index 0000000000..0a79cdb357
--- /dev/null
+++ b/assets/optional/metrics-server/kustomization.aarch64.yaml
@@ -0,0 +1,4 @@
+images:
+ - name: quay.io/openshift/kube-metrics-server
+ newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
+ digest: sha256:790dcea1d4cf5eb3a989bf3d14d460148d23a743951644668a300b7fc21f29ec
diff --git a/assets/optional/metrics-server/kustomization.x86_64.yaml b/assets/optional/metrics-server/kustomization.x86_64.yaml
new file mode 100644
index 0000000000..49529cad12
--- /dev/null
+++ b/assets/optional/metrics-server/kustomization.x86_64.yaml
@@ -0,0 +1,4 @@
+images:
+ - name: quay.io/openshift/kube-metrics-server
+ newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
+ digest: sha256:0590e13d7955f71db964f601f5ce6c66416a1e2e5acee5c2831f41fb2b13435c
diff --git a/assets/optional/metrics-server/kustomization.yaml b/assets/optional/metrics-server/kustomization.yaml
new file mode 100644
index 0000000000..ca034994ff
--- /dev/null
+++ b/assets/optional/metrics-server/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - 00-namespace.yaml
+ - 01-service-account.yaml
+ - 01-cluster-role.yaml
+ - 01-cluster-role-binding.yaml
+ - 01-cluster-role-binding-auth-delegator.yaml
+ - 01-role-binding-auth-reader.yaml
+ - 02-configmap-audit-profiles.yaml
+ - 03-deployment.yaml
+ - 04-service.yaml
+ - 04-api-service.yaml
diff --git a/assets/optional/metrics-server/release-metrics-server-aarch64.json b/assets/optional/metrics-server/release-metrics-server-aarch64.json
new file mode 100644
index 0000000000..c12ffcbb53
--- /dev/null
+++ b/assets/optional/metrics-server/release-metrics-server-aarch64.json
@@ -0,0 +1,8 @@
+{
+ "release": {
+ "base": "5.0.0-0.nightly-arm64-2026-06-19-154904"
+ },
+ "images": {
+ "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:790dcea1d4cf5eb3a989bf3d14d460148d23a743951644668a300b7fc21f29ec"
+ }
+}
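Review bot: `release-metrics-server-aarch64.json` records `base` as `5.0.0-0.nightly-arm64-2026-06-19-154904`, while the other aarch64 release files this commit updates move to `5.0.0-0.nightly-arm64-2026-06-14-225436`. The x86_64 file that follows has the same split, `2026-06-19-155631` against `2026-06-14-221055`. The metrics-server digest therefore comes from a different nightly payload than the rest of the pinned images, which makes the set harder to trace back to a single release and to verify against it. If that is intentional for the first import, say so in the commit message; otherwise regenerate these two files from the same nightly as `assets/release/release-*.json`.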
diff --git a/assets/optional/metrics-server/release-metrics-server-x86_64.json b/assets/optional/metrics-server/release-metrics-server-x86_64.json new file mode 100644 index 0000000000..57ab6cbd6a --- /dev/null +++ b/assets/optional/metrics-server/release-metrics-server-x86_64.json @@ -0,0 +1,8 @@ +{ + "release": { + "base": "5.0.0-0.nightly-2026-06-19-155631" + }, + "images": { + "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0590e13d7955f71db964f601f5ce6c66416a1e2e5acee5c2831f41fb2b13435c" + } +} diff --git a/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml index d7f365ab30..df56db8e85 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml @@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:a65b0dcf06f57dd03e2569f33649f06bc51f0845ceea01ecb141b76eaea485c1 + digest: sha256:cc04e20fa27e35dd2ff9ebace50af735f81cd80f412c866e64763b8c95b68b09 - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:15d824e3b808602a5b4257a9aa51a807745754a46322c43ba4ba01ee56d73818 + digest: sha256:57e853d5b140ce4989658f3b3b0b42898fd623f196a2be368c296df4603aa272 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:6f5dc0bdcbb044810e7b09b01f80df866b3c3af938bd150d818c2914344fb4b2 + digest: sha256:9ccb2f5ee2a82e65010b23308a5a87d166a15d39de330f552d63fcdb219826f5 patches: - patch: |- 
@@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:15d824e3b808602a5b4257a9aa51a807745754a46322c43ba4ba01ee56d73818 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:57e853d5b140ce4989658f3b3b0b42898fd623f196a2be368c296df4603aa272 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a65b0dcf06f57dd03e2569f33649f06bc51f0845ceea01ecb141b76eaea485c1 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cc04e20fa27e35dd2ff9ebace50af735f81cd80f412c866e64763b8c95b68b09 target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml index b607a5ae73..bf9f325896 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml @@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:1e28d2b718e7ad024fd6ac20e5ec4ac5e30ebcc81c136b0c733165a47483625b + digest: sha256:dfaf388e82381af5c124796edde6ae3f7bb356adb4ec729f3f09589bdeee5804 - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:cae1efda5b44d38b54fbc0fa7acee126a8334b4af380691f8c05981d27afb690 + digest: sha256:ed441d972938bc6739adc652748aa5fba137cbd7b045e401c66c72a9f6781ef1 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:cd84fae073953125e6eed47e7feacb146161df6d5222f5d899704686f917c50d + digest: sha256:ad6e02eccba4091228187fae03a434bbec1c4481261d7dfd05282542e82c4256 patches: - patch: |- 
@@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cae1efda5b44d38b54fbc0fa7acee126a8334b4af380691f8c05981d27afb690 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ed441d972938bc6739adc652748aa5fba137cbd7b045e401c66c72a9f6781ef1 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1e28d2b718e7ad024fd6ac20e5ec4ac5e30ebcc81c136b0c733165a47483625b + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:dfaf388e82381af5c124796edde6ae3f7bb356adb4ec729f3f09589bdeee5804 target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json index 7e3b68ea10..2de2747f9a 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-10-025037" + "base": "5.0.0-0.nightly-arm64-2026-06-14-225436" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a65b0dcf06f57dd03e2569f33649f06bc51f0845ceea01ecb141b76eaea485c1", - "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:15d824e3b808602a5b4257a9aa51a807745754a46322c43ba4ba01ee56d73818", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:6f5dc0bdcbb044810e7b09b01f80df866b3c3af938bd150d818c2914344fb4b2" + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cc04e20fa27e35dd2ff9ebace50af735f81cd80f412c866e64763b8c95b68b09", + "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:57e853d5b140ce4989658f3b3b0b42898fd623f196a2be368c296df4603aa272", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9ccb2f5ee2a82e65010b23308a5a87d166a15d39de330f552d63fcdb219826f5" } } diff --git a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json index 5179725c0b..5e1ec26ef2 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-09-112600" + "base": "5.0.0-0.nightly-2026-06-14-221055" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1e28d2b718e7ad024fd6ac20e5ec4ac5e30ebcc81c136b0c733165a47483625b", - "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cae1efda5b44d38b54fbc0fa7acee126a8334b4af380691f8c05981d27afb690", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cd84fae073953125e6eed47e7feacb146161df6d5222f5d899704686f917c50d" + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:dfaf388e82381af5c124796edde6ae3f7bb356adb4ec729f3f09589bdeee5804", + "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ed441d972938bc6739adc652748aa5fba137cbd7b045e401c66c72a9f6781ef1", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ad6e02eccba4091228187fae03a434bbec1c4481261d7dfd05282542e82c4256" } } diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json index 7ceb44b017..123e1a73ec 100644 --- a/assets/release/release-aarch64.json +++ b/assets/release/release-aarch64.json 
@@ -1,16 +1,16 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-10-025037" + "base": "5.0.0-0.nightly-arm64-2026-06-14-225436" }, "images": { - "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:335cc4f16ae535d0d2e72206f63bba97db6c7f3d7ae8896842e179548e1db76b", - "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9c3900c948954ad3c9206147f75a9cd3039e6e95947f4bf82ee994db9317202a", - "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b3308350dc53d829dcdad213454159c207ecc634dd2378db4916dea3614c9c9c", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:6f5dc0bdcbb044810e7b09b01f80df866b3c3af938bd150d818c2914344fb4b2", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:59eba69120cff661709251ed6c21cc5b53ec8f288b5576014f8d893705153e99", - "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:56ac733f8a19c57d0027aba6bebd7063d85f1cf1b6f474c0180cd8f7d862c71f", - "service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cbcbf4bacdc37322bfa70addad27cbc09d1d57dae05e0be5c0bdbab27fd4edc3", + "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0e892562882a04fffb983830bf38dd7ae8d3af0ab063ef63ff91b8794164ce6f", + "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:dc9c14cf3b0cf83f73640ebe44b855d4c37a09b91fd279bcf89cd1c7f1ae0d13", + "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:baae88272255e16c2f87060440acb446429409d672cb6d6a7ce8e8658e404344", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9ccb2f5ee2a82e65010b23308a5a87d166a15d39de330f552d63fcdb219826f5", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:2929931b3af6be09e54828dadc3638877d7bc4c50a506bece55adba4ac184352", + "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1172f9ca3672d5447e523300f0eaa9f2189360e415d0f59d15446c8f3d6b9df2", + "service-ca-operator": 
"quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c518baeaee5a42942eeb8b6d2b6145c994cc3c003eede138d0f6024a75dff0be", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:e77365e44676fbd8ab9e4ce53f3a406856bbdfef3467c545a7df1197d84477af", - "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a1d1ef4683809a939a4c7e44d459e141c9c1be5808bfba303fd7a422373a5070" + "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:027953dca1752d0a4723426385fd68c368b744bce34a14677d0d6240d91f7fec" } } diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json index a79a10a009..a324dfdf92 100644 --- a/assets/release/release-x86_64.json +++ b/assets/release/release-x86_64.json 
@@ -1,16 +1,16 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-09-112600" + "base": "5.0.0-0.nightly-2026-06-14-221055" }, "images": { - "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:4e9157049bcb87590c356e522fb74ddb350b5f6e375f2007e36b20ecc841cd13", - "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:3707f170213eda5d37f45c8f2f5605c3d4db80acd55f3b7943d90ad0248f8582", - "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:39fdc41a150c6665c192f1ec06563c5c1f7b8f65e8377a5e2d16cf495c5bca50", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cd84fae073953125e6eed47e7feacb146161df6d5222f5d899704686f917c50d", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:78d59d56dd6fb55ffa858fc96f7e67193a28b3baac9cfca46ee1b6a1a4e1bca4", - "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0b69d8c02c7d6231928b1737e74ee30ade20bce70887b6c7c1d68ae034bc9dcd", - "service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:065512cd13378b366cd1adad78b9047f099bd777dccd0dbb4a99f25f504381e4", + "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:38f9415aaedc4192ce1ad8d4aa9fd7fbf7901153bea22445b59cf7aa2aa11a47", + "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:72415bafd446512cfcaf6f14fc081a35cf8b1c37bd97ed004b7f39f92b263194", + "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:8cc4dc6be6d9768a3433176222105503aaa9416c40e13b04dce33c1a8e5c4547", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ad6e02eccba4091228187fae03a434bbec1c4481261d7dfd05282542e82c4256", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c015028192789c72cce5a4050d9e061caf82850227b16e37ff6ec62bad111832", + "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:8b02980a346029f27b7dbac48a8c2ef3a9e82d09d8e2d8ce90043d8112631eef", + "service-ca-operator": 
"quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5447a0041b961413fd9440f1afd59fadc5aca516f8b5aefa1af809534a2d80a1", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:10c9ccab4f2857d113b55e12cac29aed0dc97d5a4e29ed2e4ea0f77551ee55f8", - "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c254280d6a89ed1d0c570544fd1ae40e804fc3c81dc671d161e56bb922add9e9" + "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ddf6df0d50205edf7af3ce2efded17ad9cf405ca5b3c9875d85a1af5a4122bf6" } } diff --git a/deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go b/deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go index 640062df5f..113f3dab1c 100644 --- a/deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go +++ b/deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go @@ -70,9 +70,16 @@ func main() { Qualifiers: []string{withExcludedTestsFilter(`(name.contains('[Serial]') || labels.exists(l, l == '[Serial]')) && labels.exists(l, l == "Conformance")`)}, }) + // AddGlobalSuite so the umbrella starts with zero qualifiers and inherits + // exclusively from its children via mergeParentQualifiers in origin. + kubeTestsExtension.AddGlobalSuite(e.Suite{ + Name: "kubernetes/conformance", + }) + kubeTestsExtension.AddSuite(e.Suite{ Name: "kubernetes/conformance/parallel", Parents: []string{ + "kubernetes/conformance", "openshift/conformance/parallel", }, Qualifiers: []string{withExcludedTestsFilter(`(!name.contains('[Serial]') && !labels.exists(l, l == '[Serial]'))`)}, @@ -81,6 +88,7 @@ func main() { kubeTestsExtension.AddSuite(e.Suite{ Name: "kubernetes/conformance/serial", Parents: []string{ + "kubernetes/conformance", "openshift/conformance/serial", }, Qualifiers: []string{withExcludedTestsFilter(`(name.contains('[Serial]') || labels.exists(l, l == '[Serial]'))`)}, 
diff --git a/etcd/vendor/github.com/openshift/microshift/pkg/util/cryptomaterial/certinfo.go b/etcd/vendor/github.com/openshift/microshift/pkg/util/cryptomaterial/certinfo.go index aed383b9fa..4e8c50989e 100644 --- a/etcd/vendor/github.com/openshift/microshift/pkg/util/cryptomaterial/certinfo.go +++ b/etcd/vendor/github.com/openshift/microshift/pkg/util/cryptomaterial/certinfo.go @@ -74,6 +74,10 @@ func AdminKubeconfigClientCertDir(certsDir string) string { return filepath.Join(AdminKubeconfigSignerDir(certsDir), "admin-kubeconfig-client") } +func MetricsServerKubeletClientCertDir(certsDir string) string { + return filepath.Join(KubeAPIServerToKubeletSignerCertDir(certsDir), "metrics-server-kubelet-client") +} + // KubeletCSRSignerSignerCertDir returns path to the signer that signs kubelet CSRs // and the signer that signs CSRs of the CSR API func KubeletCSRSignerSignerCertDir(certsDir string) string { diff --git a/go.mod b/go.mod index f265c6ee06..3df196fb1d 100644 --- a/go.mod +++ b/go.mod @@ -35,7 +35,7 @@ require ( github.com/gogo/protobuf v1.3.2 github.com/golang/snappy v0.0.4 github.com/openshift/cluster-policy-controller v0.0.0-20260420102459-bb429f5b2a7d - github.com/openshift/route-controller-manager v0.0.0-20260526224403-1916ceb059f5 + github.com/openshift/route-controller-manager v0.0.0-20260611182032-e454c01fbe56 github.com/prometheus/client_model v0.6.2 github.com/prometheus/common v0.67.5 github.com/prometheus/prometheus v0.302.1 diff --git a/go.sum b/go.sum index b20160773d..32c6a6492e 100644 --- a/go.sum +++ b/go.sum 
@@ -330,8 +330,8 @@ github.com/openshift/library-go v0.0.0-20260520180710-3a6f949c22c3 h1:AHjJETxL4n github.com/openshift/library-go v0.0.0-20260520180710-3a6f949c22c3/go.mod h1:gKG9lctU0yEftSoT3DUyeIWz1oAgF0EHUpwI4pnCo4o= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= -github.com/openshift/route-controller-manager v0.0.0-20260526224403-1916ceb059f5 h1:s6RpuCCneK83XdWh6KHb1kpoXSR3hI/ZG8g5b/M4+N8= -github.com/openshift/route-controller-manager v0.0.0-20260526224403-1916ceb059f5/go.mod h1:CQPEBwTmpfLFhayttl243qBVr3CeBXpsUBsF5bQFvNg= +github.com/openshift/route-controller-manager v0.0.0-20260611182032-e454c01fbe56 h1:hX5oJuUnVXDk3FBDiMiteZWy+b+JSP7UcQdlcqBSD/o= +github.com/openshift/route-controller-manager v0.0.0-20260611182032-e454c01fbe56/go.mod h1:D5jarnF94awXjzy6WNR/pImmNof2fuyI612hqjhfy/4= github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0= github.com/ovn-kubernetes/libovsdb v0.8.2-0.20260302130604-c07ce22366ac h1:D7Ex9/u5HMz+xvqel1RCCO1AxVG7XRAx9AcP02/nyzk= github.com/ovn-kubernetes/libovsdb v0.8.2-0.20260302130604-c07ce22366ac/go.mod h1:x2keWyG0K1WmZeZLRh+z4fWwcqp99Yu9/HAiMucj5D0= diff --git a/packaging/crio.conf.d/10-microshift_amd64.conf b/packaging/crio.conf.d/10-microshift_amd64.conf index bc2042e60d..0748a135fd 100644 --- a/packaging/crio.conf.d/10-microshift_amd64.conf +++ b/packaging/crio.conf.d/10-microshift_amd64.conf 
@@ -2,6 +2,6 @@ # for community builds on top of OKD, this setting has no effect [crio.image] global_auth_file="/etc/crio/openshift-pull-secret" -pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0b69d8c02c7d6231928b1737e74ee30ade20bce70887b6c7c1d68ae034bc9dcd" +pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:8b02980a346029f27b7dbac48a8c2ef3a9e82d09d8e2d8ce90043d8112631eef" pause_image_auth_file = "/etc/crio/openshift-pull-secret" pause_command = "/usr/bin/pod" diff --git a/packaging/crio.conf.d/10-microshift_arm64.conf b/packaging/crio.conf.d/10-microshift_arm64.conf index 2bc16bcbfc..402898457a 100644 --- a/packaging/crio.conf.d/10-microshift_arm64.conf +++ b/packaging/crio.conf.d/10-microshift_arm64.conf @@ -2,6 +2,6 @@ # for community builds on top of OKD, this setting has no effect [crio.image] global_auth_file="/etc/crio/openshift-pull-secret" -pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:56ac733f8a19c57d0027aba6bebd7063d85f1cf1b6f474c0180cd8f7d862c71f" +pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1172f9ca3672d5447e523300f0eaa9f2189360e415d0f59d15446c8f3d6b9df2" pause_image_auth_file = "/etc/crio/openshift-pull-secret" pause_command = "/usr/bin/pod" diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index 6362e4f552..e720a65bad 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec 
@@ -261,6 +261,25 @@ The microshift-cert-manager-release-info package provides release information fi release. These files contain the list of container image references used by Cert Manager and can be used to embed those images into osbuilder blueprints or bootc containerfiles. +%package metrics-server +Summary: Kubernetes metrics-server for MicroShift +ExclusiveArch: x86_64 aarch64 +Requires: microshift = %{version} + +%description metrics-server +The microshift-metrics-server package provides the metrics-server for MicroShift. +Install this package to enable kubectl top and resource metrics via the Metrics API. + +%package metrics-server-release-info +Summary: Release information for metrics-server for MicroShift +BuildArch: noarch +Requires: microshift-release-info = %{version} + +%description metrics-server-release-info +The microshift-metrics-server-release-info package provides release information files for this +release. These files contain the list of container image references used by the metrics-server +and can be used to embed those images into osbuilder blueprints or bootc containerfiles. + %package sriov Summary: SR-IOV Network Operator for MicroShift ExclusiveArch: x86_64 aarch64 
@@ -599,6 +618,31 @@ cat assets/optional/cert-manager/manager/images-x86_64.yaml >> %{buildroot}/%{_p mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/cert-manager/release-cert-manager-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ +# metrics-server +install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/00-namespace.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-role-binding-auth-reader.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/02-configmap-audit-profiles.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/03-deployment.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/04-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/04-api-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 
assets/optional/metrics-server/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server + +%ifarch %{arm} aarch64 +cat assets/optional/metrics-server/kustomization.aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/kustomization.yaml +%endif +%ifarch x86_64 +cat assets/optional/metrics-server/kustomization.x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/kustomization.yaml +%endif + +# metrics-server-release-info +mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release +install -p -m644 assets/optional/metrics-server/release-metrics-server-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ + # sriov install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/070-microshift-sriov install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/070-microshift-sriov/crd @@ -802,6 +846,13 @@ fi %files cert-manager-release-info %{_datadir}/microshift/release/release-cert-manager-{x86_64,aarch64}.json +%files metrics-server +%dir %{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/* + +%files metrics-server-release-info +%{_datadir}/microshift/release/release-metrics-server-{x86_64,aarch64}.json + %files sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov/crd diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go index 50851ed33e..8c8e9ec6ff 100644 --- a/pkg/cmd/init.go +++ b/pkg/cmd/init.go 
@@ -155,6 +155,13 @@ func certSetup(cfg *config.Config) (*certchains.CertificateChains, error) { Validity: alignValidity(cryptomaterial.ShortLivedCertificateValidity), }, UserInfo: &user.DefaultInfo{Name: "system:kube-apiserver", Groups: []string{"kube-master"}}, + }).WithClientCertificates( + &certchains.ClientCertificateSigningRequestInfo{ + CSRMeta: certchains.CSRMeta{ + Name: "metrics-server-kubelet-client", + Validity: alignValidity(cryptomaterial.ShortLivedCertificateValidity), + }, + UserInfo: &user.DefaultInfo{Name: "system:metrics-server"}, }), // admin-kubeconfig-signer @@ -175,7 +182,7 @@ func certSetup(cfg *config.Config) (*certchains.CertificateChains, error) { Name: "openshift-observability-client", Validity: alignValidity(cryptomaterial.ShortLivedCertificateValidity), }, - UserInfo: &user.DefaultInfo{Name: "openshift-observability-client", Groups: []string{""}}, + UserInfo: &user.DefaultInfo{Name: "openshift-observability-client"}, }, ), @@ -364,6 +371,10 @@ func certSetup(cfg *config.Config) (*certchains.CertificateChains, error) { []string{"admin-kubeconfig-signer"}, []string{"kubelet-signer"}, []string{"kubelet-signer", "kube-csr-signer"}, + ).WithCABundle( + cryptomaterial.KubeletServingCAPath(certsDir), + []string{"kubelet-signer"}, + []string{"kubelet-signer", "kube-csr-signer"}, ).WithCABundle( cryptomaterial.ServiceAccountTokenCABundlePath(certsDir), []string{"kube-apiserver-localhost-signer"}, diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go index 94c2fbd8f6..99b4864bad 100644 --- a/pkg/cmd/run.go +++ b/pkg/cmd/run.go @@ -14,6 +14,7 @@ import ( "github.com/coreos/go-systemd/daemon" "github.com/openshift/microshift/pkg/admin/data" "github.com/openshift/microshift/pkg/admin/prerun" + "github.com/openshift/microshift/pkg/components" "github.com/openshift/microshift/pkg/config" "github.com/openshift/microshift/pkg/controllers" "github.com/openshift/microshift/pkg/controllers/c2cc" 
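Review bot: The new `metrics-server-kubelet-client` request in the `@@ -155,6 +155,13 @@` hunk has no comment saying where its key ends up or what bounds its use. It appears to be chained onto the same signer entry as the `system:kube-apiserver` kubelet client and carries only the user name `system:metrics-server` with no groups. Elsewhere in this commit (`pkg/components/metrics.go`) its key is copied into a Secret in `openshift-monitoring`, so what that identity may do on the kubelet rests entirely on the RBAC bound to that user name, which is not visible here. I would add above the request `// metrics-server-kubelet-client is exported to the cluster as a Secret; keep RBAC for system:metrics-server limited to the kubelet metrics endpoints it needs.` certSetup starts and ends outside the hunk.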
@@ -303,6 +304,11 @@ func RunMicroshift(cfg *config.Config) error { // After MicroShift's core becomes ready, run the kustomizer (delete and/or apply manifests). kustomize.NewKustomizer(cfg).RunStandalone(runCtx) + // Provision certs for optional components after kustomize creates their namespaces. + if err := components.ProvisionMetricsServerCerts(runCtx, cfg); err != nil { + return fmt.Errorf("failed to provision metrics-server certs: %w", err) + } + // Watch for SIGTERM or service error to exit, now that we are ready. select { case <-sigTerm: diff --git a/pkg/components/metrics.go b/pkg/components/metrics.go new file mode 100644 index 0000000000..3539cb0de6 --- /dev/null +++ b/pkg/components/metrics.go 
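Review bot: Returning the error from `components.ProvisionMetricsServerCerts` makes a failure in an optional add-on fatal to the whole service. The call is synchronous and sits before the `select` that watches for SIGTERM, and the function added in `pkg/components/metrics.go` can wait up to five minutes for the namespace, so a missing or slow `openshift-monitoring` namespace delays that `select` and then ends `RunMicroshift`. If that is not intended, log instead of returning, e.g. `klog.Errorf("failed to provision metrics-server certs: %v", err)` (assuming klog is already imported in this file), and let the optional-workload health check report the unhealthy deployment. Whether `runCtx` is cancelled on a signal during the wait cannot be seen from this hunk; RunMicroshift continues outside it.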
@@ -0,0 +1,132 @@
+package components
+
+import (
+ "context"
+ "fmt"
+ "os"
+ "time"
+
+ "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+ "github.com/openshift/microshift/pkg/config"
+ "github.com/openshift/microshift/pkg/util"
+ "github.com/openshift/microshift/pkg/util/cryptomaterial"
+ corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/wait"
+ "k8s.io/klog/v2"
+ "k8s.io/utils/clock"
+)
+
+const (
+ metricsServerManifestPath = "/usr/lib/microshift/manifests.d/080-microshift-metrics-server"
+ metricsServerNamespace = "openshift-monitoring"
+)
+
+var metricsEventRecorder events.Recorder = events.NewLoggingEventRecorder("microshift-metrics-server", clock.RealClock{})
+
+func ProvisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error {
+ exists, err := util.PathExists(metricsServerManifestPath)
+ if err != nil {
+ return err
+ }
+ if !exists {
+ klog.V(2).Infof("Metrics-server manifests not found at %s, skipping cert provisioning", metricsServerManifestPath)
+ return nil
+ }
+
+ kubeconfigPath := cfg.KubeConfigPath(config.KubeAdmin)
+
+ clientset, err := getKubernetesClient(kubeconfigPath)
+ if err != nil {
+ return fmt.Errorf("creating clientset: %w", err)
+ }
+
+ err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 5*time.Minute, true, func(ctx context.Context) (bool, error) {
+ _, err := clientset.CoreV1().Namespaces().Get(ctx, metricsServerNamespace, metav1.GetOptions{})
+ if err == nil {
+ return true, nil
+ }
+ if !apierrors.IsNotFound(err) {
+ klog.Errorf("getting namespace %s: %v", metricsServerNamespace, err)
+ return false, nil
+ }
+ klog.V(2).Infof("Waiting for namespace %s to be created by kustomize", metricsServerNamespace)
+ return false, nil
+ })
+ if err != nil {
+ return fmt.Errorf("waiting for namespace %s: %w", metricsServerNamespace, err)
+ }
+
+ certsDir := cryptomaterial.CertsDirectory(config.DataDir)
+
+ certDir := cryptomaterial.MetricsServerKubeletClientCertDir(certsDir)
+ certPEM, err := os.ReadFile(cryptomaterial.ClientCertPath(certDir))
+ if err != nil {
+ return err
+ }
+ keyPEM, err := os.ReadFile(cryptomaterial.ClientKeyPath(certDir))
+ if err != nil {
+ return err
+ }
+
+ secret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "metrics-server-client-certs",
+ Namespace: metricsServerNamespace,
+ Annotations: map[string]string{
+ "openshift.io/owning-component": "metrics-server",
+ },
+ },
+ Type: corev1.SecretTypeTLS,
+ Data: map[string][]byte{
+ "tls.crt": certPEM,
+ "tls.key": keyPEM,
+ },
+ }
+
+ err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 1*time.Minute, true, func(ctx context.Context) (bool, error) {
+ _, _, err := resourceapply.ApplySecret(ctx, clientset.CoreV1(), metricsEventRecorder, secret)
+ if err != nil {
+ klog.Errorf("applying metrics-server client cert secret: %v", err)
+ return false, nil
+ }
+ return true, nil
+ })
+ if err != nil {
+ return fmt.Errorf("applying metrics-server client cert secret: %w", err)
+ }
+
+ caPEM, err := os.ReadFile(cryptomaterial.KubeletServingCAPath(certsDir))
+ if err != nil {
+ return err
+ }
+
+ cm := &corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "kubelet-serving-ca-bundle",
+ Namespace: metricsServerNamespace,
+ Annotations: map[string]string{
+ "openshift.io/owning-component": "metrics-server",
+ },
+ },
+ Data: map[string]string{
+ "ca-bundle.crt": string(caPEM),
+ },
+ }
+
+ err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 1*time.Minute, true, func(ctx context.Context) (bool, error) {
+ _, _, err := resourceapply.ApplyConfigMap(ctx, clientset.CoreV1(), metricsEventRecorder, cm)
+ if err != nil {
+ return false, fmt.Errorf("applying kubelet serving CA configmap: %w", err)
+ }
+ return true, nil
+ })
+ if err != nil {
+ return fmt.Errorf("applying kubelet serving CA configmap: %v", err)
+ }
+
+
klog.Infof("Provisioned metrics-server kubelet client cert and CA bundle") + return nil +} diff --git a/pkg/healthcheck/microshift_optional_workloads.go b/pkg/healthcheck/microshift_optional_workloads.go index 80e2d9a3b0..7772b1e36c 100644 --- a/pkg/healthcheck/microshift_optional_workloads.go +++ b/pkg/healthcheck/microshift_optional_workloads.go @@ -1,6 +1,8 @@ package healthcheck import ( + "slices" + "github.com/openshift/microshift/pkg/config" "github.com/openshift/microshift/pkg/util" "k8s.io/klog/v2" @@ -38,6 +40,20 @@ var optionalWorkloadPaths = map[string]optionalWorkloads{ Namespace: "sriov-network-operator", Workloads: NamespaceWorkloads{Deployments: []string{"sriov-network-operator"}}, }, + + "/usr/lib/microshift/manifests.d/080-microshift-metrics-server": { + Namespace: "openshift-monitoring", + Workloads: NamespaceWorkloads{Deployments: []string{"metrics-server"}}, + }, +} + +// mergeWorkloads combines two NamespaceWorkloads into one. +func mergeWorkloads(existing, incoming NamespaceWorkloads) NamespaceWorkloads { + return NamespaceWorkloads{ + Deployments: slices.Concat(existing.Deployments, incoming.Deployments), + DaemonSets: slices.Concat(existing.DaemonSets, incoming.DaemonSets), + StatefulSets: slices.Concat(existing.StatefulSets, incoming.StatefulSets), + } } // fillOptionalMicroShiftWorkloads assembles list of optional MicroShift workloads @@ -73,7 +89,7 @@ func fillOptionalMicroShiftWorkloads(workloadsToCheck map[string]NamespaceWorklo } klog.Infof("Optional component path exists and is configured: %s - expecting %v in namespace %q", path, ow.Workloads.String(), ow.Namespace) - workloadsToCheck[ow.Namespace] = ow.Workloads + workloadsToCheck[ow.Namespace] = mergeWorkloads(workloadsToCheck[ow.Namespace], ow.Workloads) } return nil } diff --git a/pkg/util/cryptomaterial/certinfo.go b/pkg/util/cryptomaterial/certinfo.go index aed383b9fa..12c413d114 100644 --- a/pkg/util/cryptomaterial/certinfo.go +++ b/pkg/util/cryptomaterial/certinfo.go 
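Review bot: The ConfigMap poll near the end of `ProvisionMetricsServerCerts` returns `false, fmt.Errorf(...)` from its condition function, which stops `wait.PollUntilContextTimeout` on the first `ApplyConfigMap` failure. The Secret poll just above it logs and returns `false, nil`, so it retries for the full minute. Because the caller in `pkg/cmd/run.go` returns this error from `RunMicroshift`, a single transient API error here ends startup. Make the two loops agree with `klog.Errorf("applying kubelet serving CA configmap: %v", err)` followed by `return false, nil`, and wrap the final error with `%w` instead of `%v`. Separately, the function copies the kubelet client private key from disk into a Secret, so a short comment noting that read access to Secrets in `openshift-monitoring` yields that kubelet client identity would help whoever later reviews the namespace's RBAC.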
@@ -74,6 +74,10 @@ func AdminKubeconfigClientCertDir(certsDir string) string { return filepath.Join(AdminKubeconfigSignerDir(certsDir), "admin-kubeconfig-client") } +func MetricsServerKubeletClientCertDir(certsDir string) string { + return filepath.Join(KubeAPIServerToKubeletSignerCertDir(certsDir), "metrics-server-kubelet-client") +} + // KubeletCSRSignerSignerCertDir returns path to the signer that signs kubelet CSRs // and the signer that signs CSRs of the CSR API func KubeletCSRSignerSignerCertDir(certsDir string) string { @@ -167,6 +171,10 @@ func KubeletClientCAPath(certsDir string) string { return filepath.Join(certsDir, "ca-bundle", "kubelet-ca.crt") } +func KubeletServingCAPath(certsDir string) string { + return filepath.Join(certsDir, "ca-bundle", "kubelet-serving-ca.crt") +} + func ServiceAccountTokenCABundlePath(certsDir string) string { return filepath.Join(certsDir, "ca-bundle", "service-account-token-ca.crt") } diff --git a/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml b/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml new file mode 100644 index 0000000000..9a86ad1eac --- /dev/null +++ b/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml 
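Review bot: `MetricsServerKubeletClientCertDir` (first hunk) and `KubeletServingCAPath` (second hunk) are added as exported functions without doc comments, while the neighbouring `KubeletCSRSignerSignerCertDir` has one. Suggested: `// MetricsServerKubeletClientCertDir returns the directory of the metrics-server kubelet client certificate, kept under the kube-apiserver-to-kubelet signer directory.` and `// KubeletServingCAPath returns the path to the CA bundle used to verify kubelet serving certificates.` The second wording is inferred from the file name and from the signers listed for this bundle in `pkg/cmd/init.go`, so confirm it before committing.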
@@ -0,0 +1,37 @@ +assets: + - dir: optional/metrics-server/ + no_clean: True + src: cluster-monitoring-operator/assets/metrics-server/ + files: + - file: 00-namespace.yaml + ignore: "MicroShift-specific, no upstream equivalent" + git_restore: True + - file: 01-service-account.yaml + src: service-account.yaml + - file: 01-cluster-role.yaml + src: cluster-role.yaml + - file: 01-cluster-role-binding.yaml + src: cluster-role-binding.yaml + - file: 01-cluster-role-binding-auth-delegator.yaml + src: cluster-role-binding-auth-delegator.yaml + - file: 01-role-binding-auth-reader.yaml + src: role-binding-auth-reader.yaml + - file: 02-configmap-audit-profiles.yaml + src: configmap-audit-profiles.yaml + - file: 03-deployment.yaml + src: deployment.yaml + - file: 04-service.yaml + src: service.yaml + - file: 04-api-service.yaml + src: api-service.yaml + - file: kustomization.yaml + ignore: "MicroShift-specific kustomization" + git_restore: True + - file: kustomization.x86_64.yaml + ignore: "gets generated during image rebase" + - file: kustomization.aarch64.yaml + ignore: "gets generated during image rebase" + - file: release-metrics-server-aarch64.json + ignore: "gets generated during image rebase" + - file: release-metrics-server-x86_64.json + ignore: "gets generated during image rebase" diff --git a/scripts/auto-rebase/changelog.txt b/scripts/auto-rebase/changelog.txt index f8de7a5969..ac45b5b06c 100644 --- a/scripts/auto-rebase/changelog.txt +++ b/scripts/auto-rebase/changelog.txt 
@@ -1,39 +1,223 @@ -- cluster-kube-apiserver-operator embedded-component 24b60d04b3478e04a728fb0ae1385abc6a478d20 to a61282875d032c4b8cc7ea5567830942583ec378 - - 75e998a 2026-06-08T13:41:30+02:00 NO-JIRA: Automatic agentic rebase: Update library-go to 0469313 - - e126bb0 2026-06-01T12:29:56+02:00 Fix kube-apiserver-to-kubelet-signer refresh interval +- api embedded-component 1194f4c62539275cd6dec231cc2bf7e0a010bd94 to 992ec954f8b3debeb041fa3f17caf27b264d9fb8 + - 6889b9c1 2026-06-10T16:13:57+01:00 rewrite api review command to skill + - e8598fc2 2026-06-10T13:12:05Z Revert "SPLAT-2793: Promoted VSphereMultiVCenterDay2 feature gate to TP" + - 936a2b0a 2026-06-09T09:32:35-04:00 Promoted VSphereMultiVCenterDay2 feature gate to TP + - ee7dc415 2026-06-07T19:39:21Z Updating ose-cluster-config-api-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-cluster-config-api.yml + - b4b461bd 2026-06-04T19:21:24+02:00 Remove all KMS changes from retention PR vs rebase base + - 94f7c093 2026-06-04T18:44:42+02:00 Drop unrelated apiservers KMS test changes from retention PR + - d4cc57b4 2026-06-04T17:40:33+02:00 Revert unrelated KMS changes to match master + - c67898b0 2026-06-04T17:12:29+02:00 fix review comments + - a8a2c339 2026-06-04T17:12:29+02:00 Tombstone legacy retention fields and tighten duration/size validation + - f6e2e929 2026-06-04T17:12:28+02:00 Fix retention API schema compatibility and validation tests + - 68a8b0db 2026-06-04T17:12:28+02:00 Clarify retention duration semantics and fix tombstone comments + - 602d6f4e 2026-06-04T17:12:28+02:00 Use Prometheus Operator retention strings in ClusterMonitoring API + - db4e70fa 2026-06-04T17:11:47+02:00 Use durationInHours for Prometheus retention and tune limits + - b479107f 2026-06-04T10:27:34-04:00 promote OSStreams to GA in self-managed clusters + - a6130498 2026-05-18T13:43:30+01:00 Add eval suite for 
/api-review command + - 8ecf6a78 2026-05-14T11:13:38-04:00 Lower maximum allowed etcd quota from 32 to 16GiB -- cluster-kube-controller-manager-operator embedded-component 9d636ab4992bd501006d2b0c1d3ac512666c6ca7 to c35307f04313369c9ba4dcab3308506a3987065e - - aa0c868 2026-06-03T17:05:46+05:30 fix lock failure cases +- cluster-csi-snapshot-controller-operator embedded-component 108f37f0e378accc322cbeb68136ec500ec35b94 to ed3c0c6b8b1639d8688309c3e999a6f037436d62 + - 9915fa5 2026-06-09T12:19:21+02:00 Fix group snapshots on HyperShift + - a2cf0e8 2026-06-06T13:54:10Z Updating ose-cluster-csi-snapshot-controller-operator-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-cluster-csi-snapshot-controller-operator.yml -- etcd embedded-component c543fe15324510d13e896c31232ecd5d100d9de5 to bf6c0094589afdf6c814a28c24f8f1bb5a577816 - - d4656811 2026-06-06T16:04:21Z Updating ose-etcd-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-etcd.yml +- cluster-dns-operator embedded-component 65d60f9c12297a91ee89359e90f591fd44e661b0 to 4556c40798213ee824f76c26bef66865326fe08b + - d4284dc 2026-05-18T14:30:22-04:00 NE-2391: Add Force management state to docs + - 2fa1fac 2026-04-24T09:33:58-04:00 Address CodeRabbit review feedback + - 75d5e62 2026-04-23T17:50:34-04:00 NE-2391: Add progressive disclosure AI agent context -- machine-config-operator embedded-component 62b06d28399b348cb7238d32ad74b9a978c4292f to 62dbab4477ce608b73bb8d4b190b0f522d2a5bb5 - - cfb74c3e 2026-06-05T13:08:35-04:00 Fix error wrapping and error message casing - - a96a9248 2026-06-05T08:57:59Z MCO-2321: adapt osimagestream tests to clusters with rhel-10 default stream - - b547d0ae 2026-06-04T07:50:22-04:00 avoid running IRI deletion tests for standard e2e IRI tests - - 55be329d 
2026-06-03T14:48:40+05:30 Reorder functions to match source file sequence - - 02d7d918 2026-06-02T20:20:43+05:30 Add bootstrap infrastructure and migrate test 53960 - - 80b16676 2026-06-02T20:20:43+05:30 Migrate registry tests from openshift-tests-private - - dbea5e53 2026-05-28T15:23:08-04:00 bootimage: use version for vsphere hotloop check +- cluster-ingress-operator embedded-component 140e0bf13b3d01c369672c766c44b4be0b4ec78c to 6c84b7c7250e7412502382dca7d1f065f94fed5b + - b2875a0b 2026-06-09T17:43:53-04:00 Add aswinsuryan (asuryana@redhat.com) to OWNERS + - 5fcf1a07 2026-06-09T14:58:48+01:00 Replace iptables with nftables in TestConnectTimeout e2e test + - 77b06b59 2026-06-08T18:06:45-03:00 OCPBUGS-87205: Add configuration override for X-SSL strip + - 02ace843 2026-06-07T07:43:53Z Updating ose-cluster-ingress-operator-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-cluster-ingress-operator.yml -- operator-framework-olm embedded-component a1de734673fb56da500b6ea212a70d50bd5740ab to c0b1b223882bd7657853441ccf18099527a8841b - - 230f72bf 2026-06-05T10:25:33-04:00 [CARRY] fix unit test failure - - 2d13397d 2026-06-05T06:43:47-04:00 UPSTREAM: : Update to golang 1.26.3 and openshift-4.23 builders +- cluster-kube-apiserver-operator embedded-component a61282875d032c4b8cc7ea5567830942583ec378 to 8fe970955c77da87fbbcf2c8f9e0665548185fce + - 4a28fda 2026-06-12T10:54:29-04:00 bump(openshift/library-go): to get KMS plugin CA bundle wiring + - 3cda3c4 2026-06-11T10:11:56+02:00 NO-JIRA: Automatic agentic rebase: Update library-go to 7fd5f33 -- oc image-amd64 d1f312bb855e741cadb8b3ac419d2cb3f3fd7ba5 to 4007283544cbc3609f90375b7a8efd395561612f - - c57c61a1 2026-06-08T04:25:30Z Updating openshift-enterprise-deployer-container image to be consistent with ART for 5.0 Reconciling with 
https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/openshift-enterprise-deployer.yml +- cluster-monitoring-operator is a new embedded-component dependency -- csi-external-snapshotter image-arm64 77d02e52a442c1a98457797bf8eb5777489aabae to 6411c3232ca015c2a02ece1d5a675045d17031cd +- csi-external-snapshotter embedded-component 77d02e52a442c1a98457797bf8eb5777489aabae to e695e2bd0b548afd0fce049d86d4af29dd34e574 + - 56ba1dc 2026-06-11T13:36:34Z UPSTREAM: revert: : Rebase external-snapshotter to v8.6.0 + - 151ed79 2026-06-10T12:38:21+02:00 UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - c611294 2026-06-09T14:07:00+02:00 UPSTREAM: : Add OpenShift files - 872813a 2026-06-07T12:35:43Z UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - af6ba61 2026-06-05T21:55:26Z UPSTREAM: : Updating ose-csi-external-snapshotter-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-csi-external-snapshotter.yml + - d920dc6 2026-05-27T22:18:07-04:00 Add changelog for v8.6.0 + - 41cb4da 2026-05-27T05:36:33Z Bump the k8s-dependencies group across 1 directory with 2 updates + - e3d7c8b 2026-05-26T17:51:49Z Squashed 'release-tools/' changes from e019f2a72..31186bf0a + - c57619a 2026-05-25T17:14:54Z Bump the github-dependencies group across 1 directory with 34 updates + - fce55ed 2026-05-22T19:31:15Z Add timeouts to webhook server. 
+ - ac46e7f 2026-05-20T10:01:48+02:00 Bump k8s dependencies to v1.36.1 + - e38b2f6 2026-05-19T16:31:31+02:00 Squashed 'release-tools/' changes from 909252797..e019f2a72 + - 4907b0a 2026-05-14T10:35:25+05:30 Add newClaimPendingRestoreFromVolumeSnapshot and a TestDeleteSync case that asserts syncSnapshot returns an error and emits SnapshotDeletePending while a Pending PVC's dataSource references the snapshot, matching the requeue behavior for issue #1366. + - 9c09524 2026-04-29T09:56:41+05:30 Address review: clarify snapshot-in-use errors and group snapshot requeue comment + - 21c0111 2026-04-29T09:34:52+05:30 Fix requeue on VolumeSnapshot deletion when used for PVC restore When a VolumeSnapshot is deleted while a PVC is still being created from it, the controller blocked deletion but returned nil, so the workqueue never retried. Return an error so the snapshot is requeued and deletion is retried once the PVC is no longer in use. Same fix applied for VolumeGroupSnapshot in the group snapshot helper. 
+ - f3f8db4 2026-04-22T11:23:08Z Bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 + - e8f6849 2026-04-20T13:28:17+02:00 Fix VolumeSnapshotContent deletion + - 9773a35 2026-04-17T03:00:21Z Squashed 'release-tools/' changes from de06a09a7..909252797 + - 1aececd 2026-04-16T12:44:28-04:00 Update unit tests + - f298d12 2026-04-16T11:26:01-04:00 Update go version to 1.25.8 + - c28b251 2026-04-16T11:26:01-04:00 Set v1beta2 as stored version + - 027ff6f 2026-04-16T11:25:54-04:00 Update controllers to use v1 VolumeGroupSnapshot APIs + - 7810fa8 2026-04-16T11:23:47-04:00 Move VolumeGroupSnapshot API to V1 + - 86c1a6c 2026-04-15T19:55:40-04:00 Add unit tests for group snapshots + - 13bf493 2026-04-15T18:26:54Z Run Trivy scan on schedule instead of pull requests + - fad717c 2026-04-15T12:32:14-04:00 Update go.opentelemetry.io/otel libs + - 72ee717 2026-04-15T10:57:54-04:00 Squashed 'release-tools/' changes from 119a53c3c..de06a09a7 + - c34d0df 2026-04-08T14:17:37-04:00 Fix data race in metrics test + - 4a8f5b5 2026-03-31T13:27:30+02:00 fix: pin github action to exact SHA + - 93ef9f3 2026-03-23T11:35:40Z Bump the github-dependencies group across 1 directory with 39 updates + - c18f4ec 2026-03-22T19:22:58+01:00 security: Update trivy-action to v0.35.0 + - 77c491f 2026-03-15T22:27:40-04:00 Squashed 'release-tools/' changes from 1e81e752e..119a53c3c + - 8c992f2 2026-03-03T13:37:39-05:00 Add more unit tests + - 97f3abc 2026-03-03T13:03:59+05:30 deploy: update sidecar image versions + - dec67ea 2026-02-27T12:54:09-05:00 Add unit tests for volume group snapshot controller in sidecar + - ee18dbc 2026-02-17T16:28:28-05:00 Add unit tests for group snapshots in snapshot-controller + - bb34c93 2026-02-16T12:29:17Z Bump the github-dependencies group with 11 updates + - 658c1ac 2025-10-19T14:06:14+03:00 [snapshot-controller] Do not modify error when retrying PVC finalizer removal -- router image-arm64 a86164c8ebaed55a2a28451fa913a04f10cc9a72 to 808b0001233b4c084694244f25cd53c3808c4e81 
+- kubernetes embedded-component 872bd3722d0954b31459f715fbd4fb7612aaf338 to d8d517e6bbe7cf7359026cac26bb96ea45e18806 + - 59c831f7c 2026-06-06T16:54:59-04:00 UPSTREAM: : add kubernetes/conformance umbrella suite + +- machine-config-operator embedded-component 62dbab4477ce608b73bb8d4b190b0f522d2a5bb5 to 6a2c5c65419c3e9c3028f6bd9344690f48ae837c + - 4be5fa97 2026-06-12T12:40:02+02:00 MCO-2344: Revert MCO-2343 + - b0d6754e 2026-06-11T14:19:57-04:00 tests: update custom containerfile OCB test to work in disconnected environments + - 2c81fec6 2026-06-11T18:42:55+05:30 Add fix for TC 59424 + - 2f47b964 2026-06-10T02:54:33-04:00 move helpers in iri e2e main test + - 34a93a4e 2026-06-10T11:57:49+05:30 MCO-2209 MCO-2213 MCO-2233: Migrate security, daemon, and kernel TCs from otp3 mco.go + - 4016370d 2026-06-10T11:57:13+05:30 Update OWNERS: update current MCO team members + - 8959e528 2026-06-08T20:02:57+02:00 MCO-2343: Temporary make MCO default to rhel-9 + - ea093553 2026-06-08T09:21:56+02:00 OCPBUGS-87635: Fix MCP.status.osImageStream + - 73caf416 2026-06-06T22:07:29Z Updating ose-machine-config-operator-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-machine-config-operator.yml + - 23696fbf 2026-06-05T14:44:41-04:00 Added check for missingAnnotation + - ce58f78d 2026-06-05T13:50:04-04:00 Added a if-statement to compare images + - 4dc05f6f 2026-06-05T13:55:40+05:30 OCPBUGS-78524: Create mco_extensions.go suite with USBGuard, install all extensions, and invalid extensions tests + - 65934067 2026-06-05T12:58:31+05:30 OCP-88729: Only wait on last MachineConfig deletion to avoid double-waiting + - 2f91e47a 2026-06-05T12:58:31+05:30 OCP-88729: Use mc.DeleteWithWait() for cleanup instead of raw oc delete + - 7222f9d1 2026-06-05T12:58:31+05:30 OCP-88729: Optimize cleanup by deleting both MachineConfigs in one shot + - 0a2ade7a 2026-06-05T12:58:30+05:30 Move 
OCP-88729 USBGuard test to mco_kernel.go and add extension RPM verification + - 78749cea 2026-06-04T15:56:52+05:30 Fix kubelet certificate wait loop in criometricsproxy.yaml and update init container's volumeMount to /var/lib/kubelet + - 36c7cead 2026-06-02T12:13:48+05:30 OCPNODE-4487: replace --system-reserved flags with config drop-in Remove EnvironmentFile=/etc/node-sizing.env and the --system-reserved command-line flag from kubelet.service. The auto-sizing script now writes a KubeletConfiguration drop-in file to /etc/openshift/kubelet.conf.d/20-auto-sizing.conf, which kubelet reads via --config-dir. Add --config-dir to master and arbiter kubelet.service for consistency with workers. + +- operator-framework-olm embedded-component c0b1b223882bd7657853441ccf18099527a8841b to 3eb13541cac6e2c0110329b37cb5375ddb52ecc0 + - 0e8033fe 2026-06-10T08:01:50Z Updating operator-registry-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/da480a0c5a26a42e950fbcaf77b64918e1d76442/images/operator-registry.yml + +- route-controller-manager embedded-component 1916ceb059f500f06e8552f88bf38cd09f9522fd to e454c01fbe561cce9973f54b1ddbcdd35a9d18ff + - d4a98a4 2026-06-02T15:09:50-03:00 OCPBUGS-86886: (vendor) Use the copied ipallocator utils + - f51ec5e 2026-06-02T15:04:33-03:00 OCPBUGS-86886: Use the copied ipallocator utils + - b547252 2026-06-02T15:04:07-03:00 OCPBUGS-86886: Copy ipallocator code to route-controller-manager + - 31a2af8 2026-06-02T13:48:36-03:00 OCPBUGS-86886: (vendor) modernize dependency of k8s imports + - 5a43a7e 2026-06-02T13:48:36-03:00 OCPBUGS-86886: modernize dependency of k8s imports + +- service-ca-operator embedded-component e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b to 35cf51895f4dc77dca8a709e7635980753f87e17 + - 97a337e 2026-06-10T16:02:10+02:00 Watch CA bundle files for changes and reload dynamically + - 792dd4a 2026-06-10T16:00:29+02:00 deps: Update library-go and add k8s.io/kubernetes + 
+- oc image-amd64 4007283544cbc3609f90375b7a8efd395561612f to 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2 + - 4c50d0b4 2026-06-11T14:13:12-04:00 spec: Recommend bash-completion instead of requiring it + +- csi-external-snapshotter image-amd64 77d02e52a442c1a98457797bf8eb5777489aabae to e695e2bd0b548afd0fce049d86d4af29dd34e574 + - 56ba1dc 2026-06-11T13:36:34Z UPSTREAM: revert: : Rebase external-snapshotter to v8.6.0 + - 151ed79 2026-06-10T12:38:21+02:00 UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - c611294 2026-06-09T14:07:00+02:00 UPSTREAM: : Add OpenShift files + - 872813a 2026-06-07T12:35:43Z UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - af6ba61 2026-06-05T21:55:26Z UPSTREAM: : Updating ose-csi-external-snapshotter-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-csi-external-snapshotter.yml + - d920dc6 2026-05-27T22:18:07-04:00 Add changelog for v8.6.0 + - 41cb4da 2026-05-27T05:36:33Z Bump the k8s-dependencies group across 1 directory with 2 updates + - e3d7c8b 2026-05-26T17:51:49Z Squashed 'release-tools/' changes from e019f2a72..31186bf0a + - c57619a 2026-05-25T17:14:54Z Bump the github-dependencies group across 1 directory with 34 updates + - fce55ed 2026-05-22T19:31:15Z Add timeouts to webhook server. 
+ - ac46e7f 2026-05-20T10:01:48+02:00 Bump k8s dependencies to v1.36.1 + - e38b2f6 2026-05-19T16:31:31+02:00 Squashed 'release-tools/' changes from 909252797..e019f2a72 + - 4907b0a 2026-05-14T10:35:25+05:30 Add newClaimPendingRestoreFromVolumeSnapshot and a TestDeleteSync case that asserts syncSnapshot returns an error and emits SnapshotDeletePending while a Pending PVC's dataSource references the snapshot, matching the requeue behavior for issue #1366. + - 9c09524 2026-04-29T09:56:41+05:30 Address review: clarify snapshot-in-use errors and group snapshot requeue comment + - 21c0111 2026-04-29T09:34:52+05:30 Fix requeue on VolumeSnapshot deletion when used for PVC restore When a VolumeSnapshot is deleted while a PVC is still being created from it, the controller blocked deletion but returned nil, so the workqueue never retried. Return an error so the snapshot is requeued and deletion is retried once the PVC is no longer in use. Same fix applied for VolumeGroupSnapshot in the group snapshot helper. 
+ - f3f8db4 2026-04-22T11:23:08Z Bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 + - e8f6849 2026-04-20T13:28:17+02:00 Fix VolumeSnapshotContent deletion + - 9773a35 2026-04-17T03:00:21Z Squashed 'release-tools/' changes from de06a09a7..909252797 + - 1aececd 2026-04-16T12:44:28-04:00 Update unit tests + - f298d12 2026-04-16T11:26:01-04:00 Update go version to 1.25.8 + - c28b251 2026-04-16T11:26:01-04:00 Set v1beta2 as stored version + - 027ff6f 2026-04-16T11:25:54-04:00 Update controllers to use v1 VolumeGroupSnapshot APIs + - 7810fa8 2026-04-16T11:23:47-04:00 Move VolumeGroupSnapshot API to V1 + - 86c1a6c 2026-04-15T19:55:40-04:00 Add unit tests for group snapshots + - 13bf493 2026-04-15T18:26:54Z Run Trivy scan on schedule instead of pull requests + - fad717c 2026-04-15T12:32:14-04:00 Update go.opentelemetry.io/otel libs + - 72ee717 2026-04-15T10:57:54-04:00 Squashed 'release-tools/' changes from 119a53c3c..de06a09a7 + - c34d0df 2026-04-08T14:17:37-04:00 Fix data race in metrics test + - 4a8f5b5 2026-03-31T13:27:30+02:00 fix: pin github action to exact SHA + - 93ef9f3 2026-03-23T11:35:40Z Bump the github-dependencies group across 1 directory with 39 updates + - c18f4ec 2026-03-22T19:22:58+01:00 security: Update trivy-action to v0.35.0 + - 77c491f 2026-03-15T22:27:40-04:00 Squashed 'release-tools/' changes from 1e81e752e..119a53c3c + - 8c992f2 2026-03-03T13:37:39-05:00 Add more unit tests + - 97f3abc 2026-03-03T13:03:59+05:30 deploy: update sidecar image versions + - dec67ea 2026-02-27T12:54:09-05:00 Add unit tests for volume group snapshot controller in sidecar + - ee18dbc 2026-02-17T16:28:28-05:00 Add unit tests for group snapshots in snapshot-controller + - bb34c93 2026-02-16T12:29:17Z Bump the github-dependencies group with 11 updates + - 658c1ac 2025-10-19T14:06:14+03:00 [snapshot-controller] Do not modify error when retrying PVC finalizer removal + +- router image-amd64 a86164c8ebaed55a2a28451fa913a04f10cc9a72 to ce3479af6677053650d617a8165ce80c1178597c 
- d180c82 2026-06-08T18:21:01-03:00 OCPBUGS-87205: fix comments on template - 861e7c2 2026-06-08T11:47:45-03:00 Update images/router/haproxy/conf/haproxy-config.template - fca5221 2026-06-08T11:47:45-03:00 Expand list of stripped X-SSL-Client-* headers - ef98dff 2026-06-08T11:47:45-03:00 Rename env var to ROUTER_MUTUAL_TLS_HEADER_FILTER - 2e0ec41 2026-06-08T11:47:45-03:00 OCPBUGS-86718: Strip X-SSL-Client-* headers for plain HTTP + - befe5dd 2026-06-07T22:20:03Z Updating ose-haproxy-router-base-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-haproxy-router-base.yml -- kubernetes image-arm64 872bd3722d0954b31459f715fbd4fb7612aaf338 to d8d517e6bbe7cf7359026cac26bb96ea45e18806 +- kubernetes image-amd64 872bd3722d0954b31459f715fbd4fb7612aaf338 to d8d517e6bbe7cf7359026cac26bb96ea45e18806 - 59c831f7c 2026-06-06T16:54:59-04:00 UPSTREAM: : add kubernetes/conformance umbrella suite +- service-ca-operator image-amd64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b to 35cf51895f4dc77dca8a709e7635980753f87e17 + - 97a337e 2026-06-10T16:02:10+02:00 Watch CA bundle files for changes and reload dynamically + - 792dd4a 2026-06-10T16:00:29+02:00 deps: Update library-go and add k8s.io/kubernetes + +- oc image-arm64 4007283544cbc3609f90375b7a8efd395561612f to 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2 + - 4c50d0b4 2026-06-11T14:13:12-04:00 spec: Recommend bash-completion instead of requiring it + +- csi-external-snapshotter image-arm64 6411c3232ca015c2a02ece1d5a675045d17031cd to e695e2bd0b548afd0fce049d86d4af29dd34e574 + - 56ba1dc 2026-06-11T13:36:34Z UPSTREAM: revert: : Rebase external-snapshotter to v8.6.0 + - 151ed79 2026-06-10T12:38:21+02:00 UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with 
https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - c611294 2026-06-09T14:07:00+02:00 UPSTREAM: : Add OpenShift files + - af6ba61 2026-06-05T21:55:26Z UPSTREAM: : Updating ose-csi-external-snapshotter-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-csi-external-snapshotter.yml + - d920dc6 2026-05-27T22:18:07-04:00 Add changelog for v8.6.0 + - 41cb4da 2026-05-27T05:36:33Z Bump the k8s-dependencies group across 1 directory with 2 updates + - e3d7c8b 2026-05-26T17:51:49Z Squashed 'release-tools/' changes from e019f2a72..31186bf0a + - c57619a 2026-05-25T17:14:54Z Bump the github-dependencies group across 1 directory with 34 updates + - fce55ed 2026-05-22T19:31:15Z Add timeouts to webhook server. + - ac46e7f 2026-05-20T10:01:48+02:00 Bump k8s dependencies to v1.36.1 + - e38b2f6 2026-05-19T16:31:31+02:00 Squashed 'release-tools/' changes from 909252797..e019f2a72 + - 4907b0a 2026-05-14T10:35:25+05:30 Add newClaimPendingRestoreFromVolumeSnapshot and a TestDeleteSync case that asserts syncSnapshot returns an error and emits SnapshotDeletePending while a Pending PVC's dataSource references the snapshot, matching the requeue behavior for issue #1366. + - 9c09524 2026-04-29T09:56:41+05:30 Address review: clarify snapshot-in-use errors and group snapshot requeue comment + - 21c0111 2026-04-29T09:34:52+05:30 Fix requeue on VolumeSnapshot deletion when used for PVC restore When a VolumeSnapshot is deleted while a PVC is still being created from it, the controller blocked deletion but returned nil, so the workqueue never retried. Return an error so the snapshot is requeued and deletion is retried once the PVC is no longer in use. Same fix applied for VolumeGroupSnapshot in the group snapshot helper. 
+ - f3f8db4 2026-04-22T11:23:08Z Bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 + - e8f6849 2026-04-20T13:28:17+02:00 Fix VolumeSnapshotContent deletion + - 9773a35 2026-04-17T03:00:21Z Squashed 'release-tools/' changes from de06a09a7..909252797 + - 1aececd 2026-04-16T12:44:28-04:00 Update unit tests + - f298d12 2026-04-16T11:26:01-04:00 Update go version to 1.25.8 + - c28b251 2026-04-16T11:26:01-04:00 Set v1beta2 as stored version + - 027ff6f 2026-04-16T11:25:54-04:00 Update controllers to use v1 VolumeGroupSnapshot APIs + - 7810fa8 2026-04-16T11:23:47-04:00 Move VolumeGroupSnapshot API to V1 + - 86c1a6c 2026-04-15T19:55:40-04:00 Add unit tests for group snapshots + - 13bf493 2026-04-15T18:26:54Z Run Trivy scan on schedule instead of pull requests + - fad717c 2026-04-15T12:32:14-04:00 Update go.opentelemetry.io/otel libs + - 72ee717 2026-04-15T10:57:54-04:00 Squashed 'release-tools/' changes from 119a53c3c..de06a09a7 + - c34d0df 2026-04-08T14:17:37-04:00 Fix data race in metrics test + - 4a8f5b5 2026-03-31T13:27:30+02:00 fix: pin github action to exact SHA + - 93ef9f3 2026-03-23T11:35:40Z Bump the github-dependencies group across 1 directory with 39 updates + - c18f4ec 2026-03-22T19:22:58+01:00 security: Update trivy-action to v0.35.0 + - 77c491f 2026-03-15T22:27:40-04:00 Squashed 'release-tools/' changes from 1e81e752e..119a53c3c + - 8c992f2 2026-03-03T13:37:39-05:00 Add more unit tests + - 97f3abc 2026-03-03T13:03:59+05:30 deploy: update sidecar image versions + - dec67ea 2026-02-27T12:54:09-05:00 Add unit tests for volume group snapshot controller in sidecar + - ee18dbc 2026-02-17T16:28:28-05:00 Add unit tests for group snapshots in snapshot-controller + - bb34c93 2026-02-16T12:29:17Z Bump the github-dependencies group with 11 updates + - 658c1ac 2025-10-19T14:06:14+03:00 [snapshot-controller] Do not modify error when retrying PVC finalizer removal + +- router image-arm64 808b0001233b4c084694244f25cd53c3808c4e81 to ce3479af6677053650d617a8165ce80c1178597c 
+ - befe5dd 2026-06-07T22:20:03Z Updating ose-haproxy-router-base-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-haproxy-router-base.yml + +- service-ca-operator image-arm64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b to 35cf51895f4dc77dca8a709e7635980753f87e17 + - 97a337e 2026-06-10T16:02:10+02:00 Watch CA bundle files for changes and reload dynamically + - 792dd4a 2026-06-10T16:00:29+02:00 deps: Update library-go and add k8s.io/kubernetes + diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt index da804158be..d1cbbbea14 100644 --- a/scripts/auto-rebase/commits.txt +++ b/scripts/auto-rebase/commits.txt 
@@ -1,35 +1,36 @@ -https://github.com/openshift/api embedded-component 1194f4c62539275cd6dec231cc2bf7e0a010bd94 -https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component 108f37f0e378accc322cbeb68136ec500ec35b94 -https://github.com/openshift/cluster-dns-operator embedded-component 65d60f9c12297a91ee89359e90f591fd44e661b0 -https://github.com/openshift/cluster-ingress-operator embedded-component 140e0bf13b3d01c369672c766c44b4be0b4ec78c -https://github.com/openshift/cluster-kube-apiserver-operator embedded-component a61282875d032c4b8cc7ea5567830942583ec378 +https://github.com/openshift/api embedded-component 992ec954f8b3debeb041fa3f17caf27b264d9fb8 +https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component ed3c0c6b8b1639d8688309c3e999a6f037436d62 +https://github.com/openshift/cluster-dns-operator embedded-component 4556c40798213ee824f76c26bef66865326fe08b +https://github.com/openshift/cluster-ingress-operator embedded-component 6c84b7c7250e7412502382dca7d1f065f94fed5b +https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 8fe970955c77da87fbbcf2c8f9e0665548185fce https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component c35307f04313369c9ba4dcab3308506a3987065e https://github.com/openshift/cluster-kube-scheduler-operator embedded-component d43423b583269eea8236040424609c3f108ac9c4 +https://github.com/openshift/cluster-monitoring-operator embedded-component 641c1f8278616fb6e8274aeadb1d125a1536ab6c https://github.com/openshift/cluster-network-operator embedded-component 6dc18040e7c214f6a1db25b6f5ef4642c6c6a186 https://github.com/openshift/cluster-openshift-controller-manager-operator embedded-component 34f95b07f4afbc47558e54e4fa2710fd692e615e https://github.com/openshift/cluster-policy-controller embedded-component bb429f5b2a7d77791110b06d8ec5c017183e3ab9 -https://github.com/openshift/csi-external-snapshotter embedded-component 
77d02e52a442c1a98457797bf8eb5777489aabae +https://github.com/openshift/csi-external-snapshotter embedded-component e695e2bd0b548afd0fce049d86d4af29dd34e574 https://github.com/openshift/etcd embedded-component bf6c0094589afdf6c814a28c24f8f1bb5a577816 -https://github.com/openshift/kubernetes embedded-component 872bd3722d0954b31459f715fbd4fb7612aaf338 +https://github.com/openshift/kubernetes embedded-component d8d517e6bbe7cf7359026cac26bb96ea45e18806 https://github.com/openshift/kubernetes-kube-storage-version-migrator embedded-component 72835e43c7754356645e41031f3a99926b4d42e6 -https://github.com/openshift/machine-config-operator embedded-component 62dbab4477ce608b73bb8d4b190b0f522d2a5bb5 +https://github.com/openshift/machine-config-operator embedded-component 6a2c5c65419c3e9c3028f6bd9344690f48ae837c https://github.com/openshift/openshift-controller-manager embedded-component 5631cf493b006cbc72a8600a7435813272d71940 -https://github.com/openshift/operator-framework-olm embedded-component c0b1b223882bd7657853441ccf18099527a8841b -https://github.com/openshift/route-controller-manager embedded-component 1916ceb059f500f06e8552f88bf38cd09f9522fd -https://github.com/openshift/service-ca-operator embedded-component e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b -https://github.com/openshift/oc image-amd64 4007283544cbc3609f90375b7a8efd395561612f +https://github.com/openshift/operator-framework-olm embedded-component 3eb13541cac6e2c0110329b37cb5375ddb52ecc0 +https://github.com/openshift/route-controller-manager embedded-component e454c01fbe561cce9973f54b1ddbcdd35a9d18ff +https://github.com/openshift/service-ca-operator embedded-component 35cf51895f4dc77dca8a709e7635980753f87e17 +https://github.com/openshift/oc image-amd64 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2 https://github.com/openshift/coredns image-amd64 3c21b066c9bd86caa06f790dcd1c046667875d46 -https://github.com/openshift/csi-external-snapshotter image-amd64 77d02e52a442c1a98457797bf8eb5777489aabae 
-https://github.com/openshift/router image-amd64 a86164c8ebaed55a2a28451fa913a04f10cc9a72 +https://github.com/openshift/csi-external-snapshotter image-amd64 e695e2bd0b548afd0fce049d86d4af29dd34e574 +https://github.com/openshift/router image-amd64 ce3479af6677053650d617a8165ce80c1178597c https://github.com/openshift/kube-rbac-proxy image-amd64 d12e274605248f6c59373240a7eae7a7a357dcb3 https://github.com/openshift/ovn-kubernetes image-amd64 e9295c0d0d7caa1eda7cc9f2f3900c64096c943c -https://github.com/openshift/kubernetes image-amd64 872bd3722d0954b31459f715fbd4fb7612aaf338 -https://github.com/openshift/service-ca-operator image-amd64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b -https://github.com/openshift/oc image-arm64 4007283544cbc3609f90375b7a8efd395561612f +https://github.com/openshift/kubernetes image-amd64 d8d517e6bbe7cf7359026cac26bb96ea45e18806 +https://github.com/openshift/service-ca-operator image-amd64 35cf51895f4dc77dca8a709e7635980753f87e17 +https://github.com/openshift/oc image-arm64 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2 https://github.com/openshift/coredns image-arm64 3c21b066c9bd86caa06f790dcd1c046667875d46 -https://github.com/openshift/csi-external-snapshotter image-arm64 6411c3232ca015c2a02ece1d5a675045d17031cd -https://github.com/openshift/router image-arm64 808b0001233b4c084694244f25cd53c3808c4e81 +https://github.com/openshift/csi-external-snapshotter image-arm64 e695e2bd0b548afd0fce049d86d4af29dd34e574 +https://github.com/openshift/router image-arm64 ce3479af6677053650d617a8165ce80c1178597c https://github.com/openshift/kube-rbac-proxy image-arm64 d12e274605248f6c59373240a7eae7a7a357dcb3 https://github.com/openshift/ovn-kubernetes image-arm64 e9295c0d0d7caa1eda7cc9f2f3900c64096c943c https://github.com/openshift/kubernetes image-arm64 d8d517e6bbe7cf7359026cac26bb96ea45e18806 -https://github.com/openshift/service-ca-operator image-arm64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b +https://github.com/openshift/service-ca-operator image-arm64 
35cf51895f4dc77dca8a709e7635980753f87e17 diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh index 0f507bbbc8..e4651d4e92 100755 --- a/scripts/auto-rebase/last_rebase.sh +++ b/scripts/auto-rebase/last_rebase.sh @@ -1,2 +1,2 @@ #!/bin/bash -x -./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-09-112600" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-10-025037" +./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-14-221055" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-14-225436" diff --git a/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh b/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh new file mode 100755 index 0000000000..f61200df82 --- /dev/null +++ b/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh @@ -0,0 +1,2 @@ +#!/bin/bash -x +./scripts/auto-rebase/rebase_cluster_monitoring_operator.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-19-155631" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-19-154904" diff --git a/scripts/auto-rebase/presubmit.py b/scripts/auto-rebase/presubmit.py index 5e90ed4639..ea3f6199b4 100755 --- a/scripts/auto-rebase/presubmit.py +++ b/scripts/auto-rebase/presubmit.py @@ -29,6 +29,7 @@ "./scripts/auto-rebase/assets_ai_model_serving.yaml", "./scripts/auto-rebase/assets_cert_manager.yaml", "./scripts/auto-rebase/assets_sriov.yaml", + "./scripts/auto-rebase/assets_cluster_monitoring_operator.yaml", ] diff --git a/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh new file mode 100755 index 0000000000..be1124f04e --- /dev/null +++ b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh 
@@ -0,0 +1,375 @@ +#!/usr/bin/env bash +# shellcheck disable=all +# Copyright 2022 The MicroShift authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o errexit +set -o errtrace +set -o nounset +set -o pipefail + +shopt -s expand_aliases +shopt -s extglob + +#debugging options +#trap 'echo "#L$LINENO: $BASH_COMMAND" >&2' DEBUG +#set -xo functrace +#PS4='+ $LINENO ' +REPOROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../..")" +STAGING_DIR="$REPOROOT/_output/staging" +PULL_SECRET_FILE="${HOME}/.pull-secret.json" +REBASE_USE_SSH="${REBASE_USE_SSH:-false}" + +declare -a ARCHS=("amd64" "arm64") +declare -A GOARCH_TO_UNAME_MAP=( ["amd64"]="x86_64" ["arm64"]="aarch64" ) + +# Maps kustomization image name -> OCP release tag name +declare -A IMAGE_MAP=( + ["quay.io/openshift/kube-metrics-server"]="kube-metrics-server" + ["quay.io/openshift/kube-state-metrics"]="kube-state-metrics" + ["quay.io/openshift/node-exporter"]="prometheus-node-exporter" + ["quay.io/openshift/kube-rbac-proxy"]="kube-rbac-proxy" +) + +# Maps component dir -> release JSON key +declare -A COMPONENT_JSON_KEY=( + ["metrics-server"]="metrics_server" + ["kube-state-metrics"]="kube_state_metrics" + ["node-exporter"]="node_exporter" +) + +# Maps release JSON key -> OCP release tag name +declare -A EXPORTER_TAG_MAP=( + ["metrics_server"]="kube-metrics-server" + ["kube_state_metrics"]="kube-state-metrics" + ["node_exporter"]="prometheus-node-exporter" +) + +title() { + echo -e "\E[34m$1\E[00m"; 
+} + +retry_cmd() { + local -r max_attempts=5 + local timeout=1 + local attempt=1 + local exit_code=0 + + while (( attempt <= max_attempts )); do + if "$@"; then + return 0 + else + exit_code=$? + fi + echo "Attempt ${attempt} of ${max_attempts} failed (exit code ${exit_code}). Retrying in ${timeout}s..." + sleep "${timeout}" + attempt=$(( attempt + 1 )) + timeout=$(( timeout * 2 )) + done + + echo "Command failed after ${max_attempts} attempts: $@" + return "${exit_code}" +} + +check_preconditions() { + if ! hash yq; then + title "Installing yq" + sudo DEST_DIR=/usr/bin/ "${REPOROOT}/scripts/fetch_tools.sh" yq + fi + + if ! hash python3; then + echo "ERROR: python3 is not present on the system - please install" + exit 1 + fi + + if ! python3 -c "import yaml"; then + echo "ERROR: missing python's yaml library - please install" + exit 1 + fi +} + +clone_repo() { + local repo="$1" + local commit="$2" + local destdir="$3" + + local repodir="${destdir}/${repo##*/}" + + if [[ -d "${repodir}" ]]; then + return + fi + + if "${REBASE_USE_SSH}"; then + repo="git@github.com:${repo#https://github.com/}" + fi + + git init "${repodir}" + pushd "${repodir}" >/dev/null + git remote add origin "${repo}" + retry_cmd git fetch origin --quiet --filter=tree:0 --tags "${commit}" + git checkout "${commit}" + popd >/dev/null +} + +download_cluster_monitoring_operator() { + local release_image_amd64="$1" + local release_image_arm64="$2" + + rm -rf "${STAGING_DIR}" + mkdir -p "${STAGING_DIR}" + pushd "${STAGING_DIR}" >/dev/null + + local authentication="" + if [[ -f "${PULL_SECRET_FILE}" ]]; then + authentication="-a ${PULL_SECRET_FILE}" + else + >&2 echo "Warning: no pull secret found at ${PULL_SECRET_FILE}" + fi + + title "# Fetching release info for ${release_image_amd64} (amd64)" + oc adm release info ${authentication} "${release_image_amd64}" -o json > release_amd64.json + title "# Fetching release info for ${release_image_arm64} (arm64)" + oc adm release info ${authentication} 
"${release_image_arm64}" -o json > release_arm64.json + + title "# Extracting cluster-monitoring-operator source commit" + cat release_amd64.json \ + | jq -r '.references.spec.tags[] | "\(.name) \(.annotations."io.openshift.build.source-location") \(.annotations."io.openshift.build.commit.id")"' > source-commits + + local cmo_line + cmo_line=$(grep '^cluster-monitoring-operator ' source-commits) || { + >&2 echo "ERROR: cluster-monitoring-operator not found in release payload" + return 1 + } + + local repo commit + repo=$(echo "${cmo_line}" | cut -d ' ' -f 2) + commit=$(echo "${cmo_line}" | cut -d ' ' -f 3) + + title "# Cloning cluster-monitoring-operator at ${commit}" + clone_repo "${repo}" "${commit}" "." + + popd >/dev/null +} + +update_metrics_server_manifests() { + [[ -d "${REPOROOT}/assets/optional/metrics-server" ]] || return 0 + + title "Rebasing metrics-server manifests" + + local ms_crb="${REPOROOT}/assets/optional/metrics-server/01-cluster-role-binding.yaml" + yq -i '.subjects += [{"kind": "User", "name": "system:metrics-server"}]' "$ms_crb" + + local ms_deploy="${REPOROOT}/assets/optional/metrics-server/03-deployment.yaml" + yq -i '.spec.replicas = 1' "$ms_deploy" + yq -i '.spec.strategy = {"type": "Recreate"}' "$ms_deploy" + yq -i 'del(.spec.template.spec.affinity)' "$ms_deploy" + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/kube-metrics-server"' "$ms_deploy" + yq -i '.spec.template.spec.containers[0].securityContext.capabilities.drop = ["ALL"]' "$ms_deploy" +} + +update_kube_state_metrics_manifests() { + [[ -d "${REPOROOT}/assets/optional/kube-state-metrics" ]] || return 0 + + title "Rebasing kube-state-metrics manifests" + + local ksm_deploy="${REPOROOT}/assets/optional/kube-state-metrics/03-deployment.yaml" + + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/kube-state-metrics"' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].image = "quay.io/openshift/kube-rbac-proxy"' "$ksm_deploy" + yq -i 
'.spec.template.spec.containers[2].image = "quay.io/openshift/kube-rbac-proxy"' "$ksm_deploy" + + yq -i '.spec.template.spec.containers[0].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.securityContext = {"runAsNonRoot": true}' "$ksm_deploy" + + yq -i '.spec.template.spec.containers[0].resources.limits = {"cpu": "100m", "memory": "200Mi"}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].resources.limits = {"cpu": "20m", "memory": "40Mi"}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].resources.limits = {"cpu": "20m", "memory": "40Mi"}' "$ksm_deploy" + + yq -i '(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "kube-state-metrics-tls")).readOnly = true' "$ksm_deploy" + yq -i '(.spec.template.spec.containers[2].volumeMounts[] | select(.name == "kube-state-metrics-tls")).readOnly = true' "$ksm_deploy" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ksm_deploy" + yq -i '(.spec.template.spec.containers[2].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ksm_deploy" + yq -i 'del(.spec.template.spec.volumes[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + yq -i '.spec.template.spec.volumes += [{"hostPath": {"path": "/var/lib/microshift/certs/admin-kubeconfig-signer/ca.crt", "type": "File"}, "name": "admin-kubeconfig-signer-ca"}]' "$ksm_deploy" + yq -i 'del(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + 
yq -i 'del(.spec.template.spec.containers[2].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ksm_deploy" + + local ksm_secret="${REPOROOT}/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml" + sed -i '/"user":/,/"name":/d' "$ksm_secret" +} + +update_node_exporter_manifests() { + [[ -d "${REPOROOT}/assets/optional/node-exporter" ]] || return 0 + + title "Rebasing node-exporter manifests" + + local ne_ds="${REPOROOT}/assets/optional/node-exporter/03-daemonset.yaml" + + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/node-exporter"' "$ne_ds" + yq -i '.spec.template.spec.containers[1].image = "quay.io/openshift/kube-rbac-proxy"' "$ne_ds" + yq -i '.spec.template.spec.initContainers[0].image = "quay.io/openshift/node-exporter"' "$ne_ds" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--secure-listen-address="))) |= "--secure-listen-address=0.0.0.0:9100"' "$ne_ds" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ne_ds" + yq -i 'del(.spec.template.spec.volumes[] | select(.name == "metrics-client-ca"))' "$ne_ds" + yq -i '.spec.template.spec.volumes += [{"hostPath": {"path": "/var/lib/microshift/certs/admin-kubeconfig-signer/ca.crt", "type": "File"}, "name": "admin-kubeconfig-signer-ca"}]' "$ne_ds" + yq -i 'del(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ne_ds" + yq -i '.spec.template.spec.containers[1].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ne_ds" + 
+ yq -i '(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "node-exporter-tls")).readOnly = true' "$ne_ds" + + local ne_secret="${REPOROOT}/assets/optional/node-exporter/02-kube-rbac-proxy-secret.yaml" + sed -i '/"user":/,/"name":/d' "$ne_secret" +} + +update_cluster_monitoring_operator_images() { + title "Rebasing metrics component images" + + for goarch in amd64 arm64; do + local arch=${GOARCH_TO_UNAME_MAP["${goarch}"]:-noarch} + local release_file="${STAGING_DIR}/release_${goarch}.json" + + local base_release + base_release=$(jq -r ".metadata.version" "${release_file}") + + for component_dir in metrics-server kube-state-metrics node-exporter; do + [[ -d "${REPOROOT}/assets/optional/${component_dir}" ]] || continue + + local json_key="${COMPONENT_JSON_KEY[$component_dir]}" + local release_tag="${EXPORTER_TAG_MAP[$json_key]}" + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") + if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then + >&2 echo "ERROR: Release tag '${release_tag}' not found in payload for ${component_dir}" + return 1 + fi + local component_release_json="${REPOROOT}/assets/optional/${component_dir}/release-${component_dir}-${arch}.json" + jq -n --arg base "$base_release" --arg img "${new_image}" \ + "{\"release\": {\"base\": \$base}, \"images\": {\"${json_key}\": \$img}}" > "${component_release_json}" + + local kustomization_arch_file="${REPOROOT}/assets/optional/${component_dir}/kustomization.${arch}.yaml" + + cat < "${kustomization_arch_file}" +images: +EOF + + local image_names + image_names=$(grep -h 'image:' "${REPOROOT}/assets/optional/${component_dir}/"*.yaml 2>/dev/null \ + | sed 's/.*image: *//; s/"//g; s/:.*//; s/@.*//' | sort -u | grep -v '^$') + + for orig_image in ${image_names}; do + local release_tag="${IMAGE_MAP[$orig_image]:-}" + if [[ -z "${release_tag}" ]]; then + >&2 echo "ERROR: Unknown metrics image '${orig_image}' in 
${component_dir}" + return 1 + fi + + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") + if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then + >&2 echo "ERROR: Image for release tag '${release_tag}' not found in payload for ${component_dir}" + return 1 + fi + local new_image_name="${new_image%@*}" + local new_image_digest="${new_image#*@}" + + cat <> "${kustomization_arch_file}" + - name: ${orig_image} + newName: ${new_image_name} + digest: ${new_image_digest} +EOF + done + done + done +} + +copy_manifests() { + title "Copying manifests" + "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets_cluster_monitoring_operator.yaml" +} + +update_last_rebase() { + local release_image_amd64="$1" + local release_image_arm64="$2" + + title "## Updating last_rebase_cluster_monitoring_operator.sh" + + local last_rebase_script="${REPOROOT}/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh" + + rm -f "${last_rebase_script}" + cat - >"${last_rebase_script}" <= r.max { + return false, fmt.Errorf("offset %d out of range [0,%d]", offset, r.max) + } + if r.allocated.Bit(offset) == 1 { + return false, nil + } + r.allocated = r.allocated.SetBit(r.allocated, offset, 1) + r.count++ + return true, nil +} + +// AllocateNext reserves one of the items from the pool. +// (0, false, nil) may be returned if there are no items left. +func (r *allocationBitmap) AllocateNext() (int, bool, error) { + r.lock.Lock() + defer r.lock.Unlock() + + next, ok := r.strategy.AllocateBit(r.allocated, r.max, r.count) + if !ok { + return 0, false, nil + } + r.count++ + r.allocated = r.allocated.SetBit(r.allocated, next, 1) + return next, true, nil +} + +// Release releases the item back to the pool. Releasing an +// unallocated item or an item out of the range is a no-op and +// returns no error. 
+func (r *allocationBitmap) Release(offset int) error { + r.lock.Lock() + defer r.lock.Unlock() + + if r.allocated.Bit(offset) == 0 { + return nil + } + + r.allocated = r.allocated.SetBit(r.allocated, offset, 0) + r.count-- + return nil +} + +// Has returns true if the provided item is already allocated and a call +// to Allocate(offset) would fail. +func (r *allocationBitmap) Has(offset int) bool { + r.lock.Lock() + defer r.lock.Unlock() + + return r.allocated.Bit(offset) == 1 +} + +// Free returns the count of items left in the range. +func (r *allocationBitmap) Free() int { + r.lock.Lock() + defer r.lock.Unlock() + return r.max - r.count +} + +// randomScanStrategyWithOffset chooses a random address from the provided big.Int and then scans +// forward looking for the next available address. The big.Int range is subdivided so it will try +// to allocate first from the reserved upper range of addresses (it will wrap the upper subrange if necessary). +// If there is no free address it will try to allocate one from the lower range too. +type randomScanStrategyWithOffset struct { + rand *rand.Rand + offset int +} + +func (rss randomScanStrategyWithOffset) AllocateBit(allocated *big.Int, max, count int) (int, bool) { + if count >= max { + return 0, false + } + subrangeMax := max - rss.offset + start := rss.rand.Intn(subrangeMax) + for i := 0; i < subrangeMax; i++ { + at := rss.offset + ((start + i) % subrangeMax) + if allocated.Bit(at) == 0 { + return at, true + } + } + + // Guard against rand.Intn(0) panic when offset is 0. + if rss.offset > 0 { + start = rss.rand.Intn(rss.offset) + for i := 0; i < rss.offset; i++ { + at := (start + i) % rss.offset + if allocated.Bit(at) == 0 { + return at, true + } + } + } + return 0, false +} + +var _ bitAllocator = randomScanStrategyWithOffset{} 
diff --git a/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/ipallocator.go b/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/ipallocator.go
new file mode 100644
index 0000000000..77450783ff
--- /dev/null
+++ b/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/ipallocator.go
@@ -0,0 +1,210 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ipallocator
+
+import (
+ "errors"
+ "fmt"
+ "math/big"
+ "net"
+
+ netutils "k8s.io/utils/net"
+)
+
+var (
+ ErrFull = errors.New("range is full")
+ ErrAllocated = errors.New("provided IP is already allocated")
+)
+
+type ErrNotInRange struct {
+ IP net.IP
+ ValidRange string
+}
+
+func (e *ErrNotInRange) Error() string {
+ return fmt.Sprintf("the provided IP (%v) is not in the valid range. The range of valid IPs is %s", e.IP, e.ValidRange)
+}
+
+// Range is a contiguous block of IPs that can be allocated atomically.
+//
+// The internal structure of the range is:
+//
+// For CIDR 10.0.0.0/24
+// 254 addresses usable out of 256 total (minus base and broadcast IPs)
+// The number of usable addresses is r.max
+//
+// CIDR base IP CIDR broadcast IP
+// 10.0.0.0 10.0.0.255
+// | |
+// 0 1 2 3 4 5 ... ... 253 254 255
+// | |
+// r.base r.base + r.max
+// | |
+// offset #0 of r.allocated last offset of r.allocated
+type Range struct {
+ net *net.IPNet
+ base *big.Int
+ max int
+
+ alloc allocatorInterface
+}
+
+// NewInMemory creates an in-memory IP allocator over a net.IPNet.
+func NewInMemory(cidr *net.IPNet) (*Range, error) {
+ max := netutils.RangeSize(cidr)
+ base := netutils.BigForIP(cidr.IP)
+ rangeSpec := cidr.String()
+
+ if netutils.IsIPv6CIDR(cidr) {
+ if max > 65536 {
+ max = 65536
+ }
+ } else {
+ // Don't use the IPv4 network's broadcast address.
+ max--
+ }
+
+ // Don't use the network's ".0" address.
+ base.Add(base, big.NewInt(1))
+ max--
+
+ if max < 0 {
+ max = 0
+ }
+
+ r := Range{
+ net: cidr,
+ base: base,
+ max: maximum(0, int(max)),
+ }
+
+ offset := calculateRangeOffset(cidr)
+ r.alloc = newAllocationMapWithOffset(r.max, rangeSpec, offset)
+ return &r, nil
+}
+
+func maximum(a, b int) int {
+ if a > b {
+ return a
+ }
+ return b
+}
+
+// Free returns the count of IP addresses left in the range.
+func (r *Range) Free() int {
+ return r.alloc.Free()
+}
+
+// Allocate attempts to reserve the provided IP. ErrNotInRange or
+// ErrAllocated will be returned if the IP is not valid for this range
+// or has already been reserved. ErrFull will be returned if there
+// are no addresses left.
+func (r *Range) Allocate(ip net.IP) error {
+ ok, offset := r.contains(ip)
+ if !ok {
+ return &ErrNotInRange{ip, r.net.String()}
+ }
+
+ allocated, err := r.alloc.Allocate(offset)
+ if err != nil {
+ return err
+ }
+ if !allocated {
+ return ErrAllocated
+ }
+ return nil
+}
+
+// AllocateNext reserves one of the IPs from the pool. ErrFull may
+// be returned if there are no addresses left.
+func (r *Range) AllocateNext() (net.IP, error) {
+ offset, ok, err := r.alloc.AllocateNext()
+ if err != nil {
+ return nil, err
+ }
+ if !ok {
+ return nil, ErrFull
+ }
+ return netutils.AddIPOffset(r.base, offset), nil
+}
+
+// Release releases the IP back to the pool. Releasing an
+// unallocated IP or an IP out of the range is a no-op and
+// returns no error.
+func (r *Range) Release(ip net.IP) error {
+ ok, offset := r.contains(ip)
+ if !ok {
+ return nil
+ }
+ return r.alloc.Release(offset)
+}
+
+// Has returns true if the provided IP is already allocated and a call
+// to Allocate(ip) would fail with ErrAllocated.
+func (r *Range) Has(ip net.IP) bool {
+ ok, offset := r.contains(ip)
+ if !ok {
+ return false
+ }
+ return r.alloc.Has(offset)
+}
+
+// contains returns true and the offset if the ip is in the range, and false
+// and 0 otherwise. The first and last addresses of the CIDR are omitted.
+func (r *Range) contains(ip net.IP) (bool, int) {
+ if !r.net.Contains(ip) {
+ return false, 0
+ }
+
+ offset := calculateIPOffset(r.base, ip)
+ if offset < 0 || offset >= r.max {
+ return false, 0
+ }
+ return true, offset
+}
+
+// calculateIPOffset calculates the integer offset of ip from base such that
+// base + offset = ip. It requires ip >= base.
+func calculateIPOffset(base *big.Int, ip net.IP) int {
+ return int(big.NewInt(0).Sub(netutils.BigForIP(ip), base).Int64())
+}
+
+// calculateRangeOffset estimates the offset used on the range for static allocation based on
+// the following formula `min(max($min, cidrSize/$step), $max)`, described as ~never less than
+// $min or more than $max, with a graduated step function between them~. The function returns 0
+// if any of the parameters is invalid.
+func calculateRangeOffset(cidr *net.IPNet) int {
+ const (
+ min = 16
+ max = 256
+ step = 16
+ )
+
+ cidrSize := netutils.RangeSize(cidr)
+ if cidrSize <= min {
+ return 0
+ }
+
+ offset := cidrSize / step
+ if offset < min {
+ return min
+ }
+ if offset > max {
+ return max
+ }
+ return int(offset)
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d48af84e56..6a562993c1 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -798,13 +798,14 @@ github.com/openshift/library-go/pkg/route/validation github.com/openshift/library-go/pkg/security/ldaputil github.com/openshift/library-go/pkg/security/uid github.com/openshift/library-go/pkg/serviceability -# github.com/openshift/route-controller-manager v0.0.0-20260526224403-1916ceb059f5 +# github.com/openshift/route-controller-manager v0.0.0-20260611182032-e454c01fbe56 ## explicit; go 1.25.0 github.com/openshift/route-controller-manager/pkg/cmd/controller github.com/openshift/route-controller-manager/pkg/cmd/route-controller-manager github.com/openshift/route-controller-manager/pkg/route/ingress github.com/openshift/route-controller-manager/pkg/route/ingressip github.com/openshift/route-controller-manager/pkg/routecontroller +github.com/openshift/route-controller-manager/pkg/utils/ipallocator github.com/openshift/route-controller-manager/pkg/version # github.com/ovn-kubernetes/libovsdb v0.8.2-0.20260302130604-c07ce22366ac ## explicit; go 1.24.0