diff --git a/.github/workflows/nightly-install.yaml b/.github/workflows/nightly-install.yaml
index 17f1b9af6cd..b0aa8add121 100644
--- a/.github/workflows/nightly-install.yaml
+++ b/.github/workflows/nightly-install.yaml
@@ -13,7 +13,7 @@ jobs:
       fail-fast: false
       matrix:
         channel: [stable]
-        vm: [centos-7, rocky-8, opensuse-microos, ubuntu-focal, windows-2019, windows-2022]
+        vm: [centos-7, rocky-8, opensuse-microos, opensuse-leap, ubuntu-focal, windows-2019, windows-2022]
         include:
           - {channel: latest, vm: rocky-8}
           - {channel: latest, vm: ubuntu-focal}
diff --git a/Dockerfile b/Dockerfile
index 5de1bb98b62..9dd89157305 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -110,7 +110,7 @@ RUN CHART_VERSION="v3.25.1-build2023051202"   CHART_FILE=/charts/rke2-canal.yaml
 RUN CHART_VERSION="v3.25.002"                 CHART_FILE=/charts/rke2-calico.yaml         CHART_BOOTSTRAP=true   /charts/build-chart.sh
 RUN CHART_VERSION="v3.25.002"                 CHART_FILE=/charts/rke2-calico-crd.yaml     CHART_BOOTSTRAP=true   /charts/build-chart.sh
 RUN CHART_VERSION="1.24.004"                  CHART_FILE=/charts/rke2-coredns.yaml        CHART_BOOTSTRAP=true   /charts/build-chart.sh
-RUN CHART_VERSION="4.5.202"                   CHART_FILE=/charts/rke2-ingress-nginx.yaml  CHART_BOOTSTRAP=false  /charts/build-chart.sh
+RUN CHART_VERSION="4.6.100"                   CHART_FILE=/charts/rke2-ingress-nginx.yaml  CHART_BOOTSTRAP=false  /charts/build-chart.sh
 RUN CHART_VERSION="2.11.100-build2023051509"  CHART_FILE=/charts/rke2-metrics-server.yaml CHART_BOOTSTRAP=false  /charts/build-chart.sh
 RUN CHART_VERSION="v3.9.3-build2023010903"    CHART_FILE=/charts/rke2-multus.yaml         CHART_BOOTSTRAP=true   /charts/build-chart.sh
 RUN CHART_VERSION="1.5.100"                   CHART_FILE=/charts/rancher-vsphere-cpi.yaml CHART_BOOTSTRAP=true   /charts/build-chart.sh
diff --git a/channels.yaml b/channels.yaml
index 8a0799ee636..4424e83f0b9 100644
--- a/channels.yaml
+++ b/channels.yaml
@@ -1,6 +1,6 @@
 channels:
 - name: stable
-  latest: v1.25.10+rke2r1
+  latest: v1.25.11+rke2r1
 - name: latest
   latestRegexp: .*
   excludeRegexp: (^[^+]+-|v1\.25\.5\+rke2r1|v1\.26\.0\+rke2r1)
diff --git a/scripts/build-images b/scripts/build-images
index a963a70126e..02dfa525bad 100755
--- a/scripts/build-images
+++ b/scripts/build-images
@@ -22,7 +22,7 @@ xargs -n1 -t docker image pull --quiet << EOF >> build/images-core.txt
     ${REGISTRY}/rancher/klipper-lb:v0.4.4
     ${REGISTRY}/rancher/mirrored-pause:${PAUSE_VERSION}
     ${REGISTRY}/rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20230312-helm-chart-4.5.2-28-g66a760794
-    ${REGISTRY}/rancher/nginx-ingress-controller:nginx-1.6.4-hardened5
+    ${REGISTRY}/rancher/nginx-ingress-controller:nginx-1.7.1-hardened1
     ${REGISTRY}/rancher/rke2-cloud-provider:${CCM_VERSION}
     ${REGISTRY}/rancher/mirrored-sig-storage-snapshot-controller:v6.2.1
     ${REGISTRY}/rancher/mirrored-sig-storage-snapshot-validation-webhook:v6.2.1
diff --git a/tests/acceptance/shared/cluster.go b/tests/acceptance/shared/cluster.go
index 8079f1b8569..4a57d6d933f 100644
--- a/tests/acceptance/shared/cluster.go
+++ b/tests/acceptance/shared/cluster.go
@@ -164,8 +164,7 @@ func KubectlCommand(destination, action, source string, args ...string) (string,
 // FetchClusterIP returns the cluster IP and port of the service.
 func FetchClusterIP(
 	namespace string,
-	serviceName string,
-) (string, string, error) {
+	serviceName string) (string, string, error) {
 	ip, err := RunCommandHost("kubectl get svc " + serviceName + " -n " + namespace +
 		" -o jsonpath='{.spec.clusterIP}' --kubeconfig=" + KubeConfigFile)
 	if err != nil {
diff --git a/tests/install/opensuse-leap/Vagrantfile b/tests/install/opensuse-leap/Vagrantfile
new file mode 100644
index 00000000000..ed63d6074cb
--- /dev/null
+++ b/tests/install/opensuse-leap/Vagrantfile
@@ -0,0 +1,131 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+ENV['TEST_INSTALL_SH'] ||= '../../../install.sh'
+
+Vagrant.configure("2") do |config|
+  config.vm.box = 'opensuse/Leap-15.4.x86_64'
+  config.vm.boot_timeout = ENV['TEST_VM_BOOT_TIMEOUT'] || 600 # seconds
+  config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false
+  %w[libvirt virtualbox vmware_desktop].each do |p|
+    config.vm.provider p do |v, o|
+      v.cpus = ENV['TEST_VM_CPUS'] || 2
+      v.memory = ENV['TEST_VM_MEMORY'] || 3072
+    end
+  end
+
+  external_env = ""
+  ENV.select{|k,v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_')}.each {|key,value| external_env << "#{key.to_s}=#{value.to_s}"}
+
+  config.vm.define "install-leap-15.4", primary: true do |test|
+    test.vm.hostname = 'smoke'
+    test.vm.provision 'rke2-upload-installer', type: 'file', run: 'always', source: ENV['TEST_INSTALL_SH'], destination: 'install.sh'
+    test.vm.provision"rke2-install", type: 'rke2', run: "once" do |rke2|
+      rke2.installer_url = 'file:///home/vagrant/install.sh'
+      rke2.env = %W[ #{external_env} INSTALL_RKE2_TYPE=server]
+      rke2.config = <<~YAML
+        token: 'vagrant'
+      YAML
+      rke2.config_mode = '0644' # side-step https://github.com/k3s-io/k3s/issues/4321
+    end
+    test.vm.provision "rke2-wait-for-node", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        echo 'Waiting for node (and static pods) to be ready ...'
+        time {
+            timeout 240 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostnamectl --static) 2>/dev/null); do sleep 5; done'
+            timeout 240 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostnamectl --static) 2>/dev/null); do sleep 5; done'
+            timeout 240 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostnamectl --static) 2>/dev/null); do sleep 5; done'
+            timeout 240 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostnamectl --static) 2>/dev/null); do sleep 5; done'
+            timeout 240 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostnamectl --static) 2>/dev/null); do sleep 5; done'
+            timeout 240 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostnamectl --static) 2>/dev/null); do sleep 5; done'
+            timeout 240 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostnamectl --static) 2>/dev/null); do sleep 5; done'
+        }
+        kubectl get node,all -A -o wide
+      SHELL
+    end
+    test.vm.provision "rke2-wait-for-canal", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        time {
+            timeout 240 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done'
+        }
+      SHELL
+    end
+    test.vm.provision "rke2-wait-for-coredns", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        time {
+            timeout 240 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done'
+            timeout 240 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done'
+        }
+      SHELL
+    end
+    test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        time {
+            timeout 240 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done'
+        }
+      SHELL
+    end
+    test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        time {
+            timeout 240 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done'
+        }
+      SHELL
+    end
+    test.vm.provision "rke2-status", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eux -o pipefail
+        kubectl get node,all -A -o wide
+      SHELL
+    end
+    test.vm.provision "rke2-procps", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eux -o pipefail
+        ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep
+      SHELL
+    end
+  end
+
+  config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
+    sh.upload_path = "/tmp/vagrant-install-packages"
+    sh.env = {
+        'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
+    }
+    sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eux -o pipefail
+        zypper install -y \
+            curl \
+            iptables \
+            less \
+            lsof \
+            socat \
+            restorecond \
+            policycoreutils
+            ${INSTALL_PACKAGES}
+    SHELL
+  end
+
+  config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v"
+  config.vm.provision "rke2-profile-env", type: "shell", run: "once" do |sh|
+    sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        cat <<-EOF > /etc/profile.d/rke2.sh
+export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin
+EOF
+    SHELL
+  end
+
+end