Update module github.com/gardener/gardener to v1.112.1

[23t-machine-user]

This PR contains the following updates:

Package	Type	Update	Change
github.com/gardener/gardener	require	minor	v1.106.1 -> v1.112.1

---

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.112.1

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] Specifying Seed labels in ManagedSeed.spec.gardenlet.config.seedConfig.metadata.labels is fixed. by @​timebertt [#​11368]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.112.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.112.1
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.112.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.112.1

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.112.1
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.112.1
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.112.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.112.1
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.112.1
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.112.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.112.1
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.112.1

v1.112.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

• [DEPENDENCY] The Garden.spec.virtualCluster.gardener.gardenerControllerManager.defaultProjectQuotas[].config type has been changed from runtime.RawExtension to corev1.ResourceQuota. by @​timebertt [#​11098]
• [DEPENDENCY] The temporary helper functions github.com/gardener/gardener/pkg/client/kubernetes.{ConvertClientConnectionConfigurationToExternal,RESTConfigFromInternalClientConnectionConfiguration} have been removed. Please use the external version of k8s.io/component-base/config.ClientConnectionConfiguration directly. by @​timebertt [#​11243]
• [USER] Users are no longer able to modify shoot CA bundle configmaps. Such system resources are considered sensitive to modification because the data stored in them cannot be trusted unless its authenticity is guaranteed. by @​dimityrmirchev [#​11224]
• [DEVELOPER] The following functions are moved from the github.com/gardener/gardener/pkg/client/kubernetes package to the github.com/gardener/gardener/pkg/utils/kubernetes package:
  • HasDeploymentRolloutCompleted
  • WaitUntilDeploymentRolloutIsComplete
  • GetPodLogs
  • ScaleStatefulSet
  • ScaleDeployment
  • WaitUntilDeploymentScaledToDesiredReplicas
  • WaitUntilStatefulSetScaledToDesiredReplicas
  • ScaleStatefulSetAndWaitUntilScaled by @​RadaBDimitrova [#​11153]
• [DEVELOPER] The following var is removed from the github.com/gardener/gardener/pkg/client/kubernetes package:
  • ForceDeleteOptions by @​RadaBDimitrova [#​11153]

📰 Noteworthy

• [OPERATOR] The new CredentialsRotationWithoutWorkersRollout feature gate should only be enabled when all registered Gardener provider extensions vendor at least gardener/[email protected]+. by @​rfranzke [#​11027]
• [OPERATOR] The ClientConnectionConfiguration and LeaderElectionConfiguration in the component config APIs are now validated. by @​timebertt [#​11254]

✨ New Features

• [USER] All Seeds are now automatically labeled with seed.gardener.cloud/<name>=true where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. by @​rfranzke [#​11062]
• [USER] The feature gate UseNamespacedCloudProfile has been graduated to Beta and is now enabled by default. by @​LucaBernstein [#​11289]
• [USER] It is now possible to specify the the priority of worker groups with the Shoot.spec.provider.workers[].priority field. When at least one priority is specified, the CA will respect this configuration before other expanders.
  WARNING: When using this feature, Gardener will overwrite existing configurations that were made manual beforehand. by @​tobschli [#​11045]
• [USER] New Shoot operation annotations rotate-{ca,serviceaccount-key,credentials}-start-without-workers-rollout are being introduced in order to start a credentials rotation without causing an immediately rolling update of all worker nodes. Such rolling updates can later be triggered by the end-user at a time of their convenience with the rotate-rollout-workers=<pool1-name>[,<pool2-name>,...] operation annotation. Read all about it here. by @​rfranzke [#​11027]
• [OPERATOR] Introduces shoot_operation_duration_seconds metric to record Shoot operation Create and Delete. by @​simcod [#​10971]
• [OPERATOR] Add VPA parameters memoryAggregationInterval and memoryAggregationIntervalCount to the Shoot spec. by @​voelzmo [#​11215]
• [DEVELOPER] A wrapper function for OperatingSystemConfig provisioning bash script has been implemented. Using the wrapper ensures that the script exits early in case it has been executed successfully before. by @​oliver-goetz [#​11208]

🐛 Bug Fixes

• [OPERATOR] A bug preventing the deletion of Shoots that previously failed to create due to an erroneous kube-apiserver has been fixed. by @​shafeeqes [#​11284]
• [OPERATOR] Fixed checking etcd cluster readiness when rolling out spec changes. On rare occasions this led to failing credential rotations. by @​timuthy [#​11231]
• [OPERATOR] A bug which leads to a gardenlet nil pointer exception when running shoot deletion or migration flow for shoots where shoot.status.networking == nil has been fixed. by @​oliver-goetz [#​11304]
• [OPERATOR] A bug which might lead to duplicate config entries for node-agent-authorizer webhook has been fixed. by @​oliver-goetz [#​11281]

🏃 Others

• [OPERATOR] Local dual-stack setup for development now running with IPv6 as primary address family. by @​ScheererJ [#​11226]
• [OPERATOR] An issue has been fixed that caused the garden reconciliation to stop when structured authentication was used in combination with the gardener-dashboard oidcConfig. by @​timuthy [#​11230]
• [OPERATOR] Rewrite Setup Gardener document by @​hendrikKahl [#​11260]
• [OPERATOR] Disable default node range in test machinery tests for IPv6-only tests. by @​ScheererJ [#​11221]
• [OPERATOR] Deploy runtime extension in own namespace. by @​MartinWeindel [#​11204]
• [OPERATOR] Allow the apiserver_admission_webhook_request_total metric in the shoot Prometheus by @​vicwicker [#​11225]
• [DEPENDENCY] The gardener/dashboard image has been updated to 1.79.1. Release Notes by @​gardener-ci-robot [#​11256]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/plutono from v7.5.35 to v7.5.36. Release Notes by @​gardener-ci-robot [#​11316]
• [DEPENDENCY] The gardener/machine-controller-manager image has been updated to v0.56.0. Release Notes by @​gardener-ci-robot [#​11278]
• [DEPENDENCY] The quay.io/kiwigrid/k8s-sidecar image has been updated to 1.30.0. by @​gardener-ci-robot [#​11274]
• [DEPENDENCY] The quay.io/kiwigrid/k8s-sidecar image has been updated to 1.29.1. by @​gardener-ci-robot [#​11239]
• [DEPENDENCY] The registry.k8s.io/kube-state-metrics/kube-state-metrics image has been updated to v2.15.0. by @​gardener-ci-robot [#​11282]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/vali from v2.2.20 to v2.2.21. Release Notes by @​gardener-ci-robot [#​11313]
• [DEPENDENCY] The gardener/autoscaler image has been updated to v1.30.2. Release Notes by @​gardener-ci-robot [#​11295]
• [DEPENDENCY] The gardener/logging image has been updated to v0.64.0. Release Notes by @​gardener-ci-robot [#​11269]
• [DEPENDENCY] The registry.k8s.io/dns/k8s-dns-node-cache image has been updated to 1.25.0. by @​gardener-ci-robot [#​11235]
• [DEPENDENCY] The gardener/ingress-default-backend image has been updated to 0.22.0. Release Notes by @​gardener-ci-robot [#​11265]
• [DEPENDENCY] The gardener/gardener-metrics-exporter image has been updated to 0.34.0. Release Notes by @​gardener-ci-robot [#​11300]
• [DEVELOPER] testing framework: The RootPodExecutor no longer requires output from command execution to interpret the command execution as successful. by @​ialidzhikov [#​11250]

v1.111.2

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] A bug preventing the deletion of Shoots that previously failed to create due to an erroneous kube-apiserver has been fixed. by @​shafeeqes [#​11296]
• [OPERATOR] A bug which leads to a gardenlet nil pointer exception when running shoot deletion or migration flow for shoots where shoot.status.networking == nil has been fixed. by @​oliver-goetz [#​11307]
• [OPERATOR] A bug which might lead to duplicate config entries for node-agent-authorizer webhook has been fixed. by @​oliver-goetz [#​11302]

🏃 Others

• [DEPENDENCY] The gardener/machine-controller-manager image has been updated to v0.56.0. Release Notes by @​gardener-ci-robot [#​11299]
• [DEPENDENCY] The gardener/autoscaler image has been updated to v1.30.2. Release Notes by @​gardener-ci-robot [#​11298]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.2
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.2
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.2
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.2

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.2
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.2
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.2
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.2
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.2
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.2
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.2
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.111.2

v1.111.1

Compare Source

[gardener/gardener]

✨ New Features

• [DEVELOPER] A wrapper function for OperatingSystemConfig provisioning bash script has been implemented. Using the wrapper ensures that the script exits early in case it has been executed successfully before. by @​oliver-goetz [#​11257]

🏃 Others

• [DEPENDENCY] The gardener/dashboard image has been updated to 1.79.1. Release Notes by @​gardener-ci-robot [#​11262]
• [OPERATOR] An issue has been fixed that caused the garden reconciliation to stop when structured authentication was used in combination with the gardener-dashboard oidcConfig. by @​timuthy [#​11233]
• [DEVELOPER] testing framework: The RootPodExecutor no longer requires output from command execution to interpret the command execution as successful. by @​ialidzhikov [#​11253]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.1
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.1

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.1
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.1
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.1
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.1
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.1
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.111.1

v1.111.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

• [OPERATOR] The OperatorConfiguration changed incompatibly: extensionRequired was renamed to extensionRequiredRuntime. by @​timuthy [#​11001]

• [OPERATOR] The ShootManagedIssuer feature gate was removed. Enablement of the feature is now dependent on the existence of a secret in the garden namespace labeled with gardener.cloud/role: shoot-service-account-issuer. by @​dimityrmirchev [#​11078]

• [OPERATOR] The ShootForceDeletion feature gate has been graduated to GA and is locked to true. by @​shafeeqes [#​11107]

• [OPERATOR] This change applies to IPv4 clusters only.
  Gardener uses the CIDR range of 240.0.0.0/8 which is reserved as per IANA db to map the cluster ip of the kubernetes api-server in the seed to a different network range before exposing it to the shoot in the kubernetes service. This frees up address space in the shoot and removes potential clashes with shoot workload ips.

  Seed operators need to check if any of the following properties collide with the 240.0.0.0/8 range:

  spec:  
    networks:  
      pods: < check here >  
      nodes: < check here >  
      services: < check here >  
      shootDefaults:  
        pods: < check here >  
        nodes: < check here >  
        services: < check here >  
  

  by @​domdom82 [#​10949]

• [OPERATOR] The wildcard TLS certificate for the runtime cluster must now be labelled with gardener.cloud/role=garden-cert instead of gardener.cloud/role=controlplane-cert to avoid duplicate role assignments for runtime and seed certificate secrets if Gardener runtime and seed run on the same cluster.
  The old role name is deprecated for the runtime cluster. It will not be accepted anymore with the next Gardener release. by @​MartinWeindel [#​11113]

• [DEPENDENCY] Client-related functions have been adapted to use the external version of k8s.io/component-base/config.ClientConnectionConfiguration. If you need a helper function for transitioning to the external version, use pkg/client/kubernetes.ConvertClientConnectionConfigurationToExternal. by @​timebertt [#​11052]

• [DEPENDENCY] The package github.com/gardener/gardener/extensions/pkg/apis/config has been dropped. Use the versioned variant of the package instead: github.com/gardener/gardener/extensions/pkg/apis/config/v1alpha1. by @​timebertt [#​11056]

📰 Noteworthy

• [USER] Expired versions from the NamespacedCloudProfile are always dropped, except for already applied versions. by @​LucaBernstein [#​10910]
• [OPERATOR] The vpa field (ineffective since v1.102) has been removed from the ManagedSeed API. by @​rfranzke [#​11047]
• [OPERATOR] Now "vali" contains the managed control plane logs from the early stages of shoot reconcile. by @​nickytd [#​11082]

✨ New Features

• [OPERATOR] Gardener-Operator handles generic Gardener extensions in the Garden-Runtime cluster (type: Extension). Such extensions can be configured via spec.extensions in the Garden resource. by @​timuthy [#​11192]
• [OPERATOR] gardener-node-agent now persists its applied changes after each step when reconciling the OSC. This should avoid unnecessary work and systemd unit restarts. by @​maboehm [#​10969]
• [OPERATOR] Add vpa histogram decay half-life parameters to the Shoot spec. by @​voelzmo [#​10959]
• [OPERATOR] The Gardener Admission Controller now implements a handler that can prevent tampering with system Secrets and ConfigMaps if they are labeled with gardener.cloud/update-restriction=true. by @​dimityrmirchev [#​11108]
• [OPERATOR] Add flow and flow task metrics for timing duration, delay and result count to gardenlet metrics. by @​LucaBernstein [#​10967]
• [USER] Gardener now allows to omit or to only partially define the machine image version in shoot.Spec.Provider.Workers[].Machine.Image.Version. The version will automatically be defaulted to the latest minor/patch version found in the referenced CloudProfile. by @​LucaBernstein [#​10954]
• [DEVELOPER] The extension library now supports adding watches via WatchBuilder for other resources in the generic extension controller. by @​domdom82 [#​11064]
• [DEVELOPER] Add option to register flow metrics on monitoring registry. by @​LucaBernstein [#​10967]
• [DEVELOPER] A local setup for trying out, developing, and testing the autonomous shoot cluster functionality of gardenadm has been introduced. You can find the documentation here. by @​rfranzke [#​10977]

🐛 Bug Fixes

• [OPERATOR] Gardener can now delete and migrate shoots that use dynamic node network allocation, even if the infrastructure creation has never been successfully completed. by @​timebertt [#​11038]
• [OPERATOR] An issue was fixed in gardener-operator that prevented configuring OIDC for gardener-dashboard while using Structured Authentication. by @​timuthy [#​11080]
• [OPERATOR] gardener-node-agent does not restart containerd.service on every OSC reconciliation anymore. by @​oliver-goetz [#​11120]
• [USER] Fix the NamespacedCloudProfile status mutation. by @​LucaBernstein [#​11036]
• [DEVELOPER] Avoid calling GetCluster for non-shoot namespaces in shootNotFailedPredicate and dnsrecord controller. by @​MartinWeindel [#​11123]
• [DEVELOPER] gardener-node-agent deletes unit files and drop-ins only if it created them previously. by @​oliver-goetz [#​11015]

🏃 Others

• [USER] Custom machine images and machine types in NamespacedCloudProfile are not interfered by later added conflicting entries in the parent CloudProfile. by @​LucaBernstein [#​11093]
• [DEPENDENCY] The quay.io/kiwigrid/k8s-sidecar image has been updated to 1.29.0. by @​gardener-ci-robot [#​11138]
• [DEPENDENCY] The gardener/etcd-druid image has been updated to v0.26.1. Release Notes by @​gardener-ci-robot [#​11202]
• [DEPENDENCY] The gcr.io/istio-release/pilot image has been updated to 1.23.4. by @​gardener-ci-robot [#​11071]
• [DEPENDENCY] The envoyproxy/envoy image has been updated to v1.33.0. Release Notes by @​gardener-ci-robot [#​11167]
• [DEPENDENCY] The registry.k8s.io/ingress-nginx/controller-chroot image has been updated to v1.12.0. by @​gardener-ci-robot [#​11087]
• [DEPENDENCY] The quay.io/kiwigrid/k8s-sidecar image has been updated to 1.28.4. by @​gardener-ci-robot [#​11053]
• [DEPENDENCY] The gardener/logging image has been updated to v0.63.0. Release Notes by @​gardener-ci-robot [#​11195]
• [DEPENDENCY] The registry.k8s.io/dns/k8s-dns-node-cache image has been updated to 1.24.0. by @​gardener-ci-robot [#​11032]
• [DEPENDENCY] The gardener/alpine-conntrack image has been updated to 3.21.0. Release Notes by @​gardener-ci-robot [#​11023]
• [DEPENDENCY] The gardener/dashboard image has been updated to 1.79.0. Release Notes by @​gardener-ci-robot [#​11199]
• [DEPENDENCY] The quay.io/prometheus/alertmanager image has been updated to v0.28.0. by @​gardener-ci-robot [#​11176]
• [DEPENDENCY] The envoyproxy/envoy image has been updated to v1.32.3. Release Notes by @​gardener-ci-robot [#​11068]
• [DEPENDENCY] The gardener/ingress-default-backend image has been updated to 0.21.0. Release Notes by @​gardener-ci-robot [#​11046]
• [DEPENDENCY] The gardener/terminal-controller-manager image has been updated to v0.34.0. Release Notes by @​gardener-ci-robot [#​11212]
• [DEPENDENCY] The gardener/alpine-conntrack image has been updated to 3.21.1. Release Notes by @​gardener-ci-robot [#​11151]
• [DEVELOPER] Fix malformed file path error on go get github.com/gardener/gardener@master by @​MartinWeindel [#​11145]
• [DEVELOPER] drop unused codepath from component_descriptor creation script. by @​ccwienk [#​11124]
• [DEVELOPER] The images of the registry caches used in the extensions local setup are now updated to distribution/[email protected] rc.2. by @​ialidzhikov [#​11079]
• [OPERATOR] Add additional context to shoot admission DNS errors so that it is more obvious what should be changed. by @​ScheererJ [#​11022]
• [OPERATOR] Allow specifying the IP families for the shoot creation tests. by @​ScheererJ [#​11135]
• [OPERATOR] Switch vpa-recommender back to the image built from the vertical-pod-autoscaler upstream repo . by @​plkokanov [#​11122]
• [OPERATOR] The gardener-dashboard configuration was enhanced in the garden API with fields gardenerDashboard.oidcConfig.clientIDPublic and gardenerDashboard.oidcConfig.issuerURL.
  Those are required to switch from the deprecated kubeAPIServer.oidcConfig to kubeAPIServer.structuredAuthentication. by @​timuthy [#​11080]
• [OPERATOR] gardener-operator now maintains a new condition RequiredVirtual for Extension resources. The new condition indicates whether the extension is related to required ControllerInstallations in the virtual garden cluster. by @​timuthy [#​11001]
• [OPERATOR] Add alerts for capped VPA recommendations by @​vicwicker [#​11136]
• [OPERATOR] Retry failed Cluster resource sync after otherwise successful Shoot reconciliation. by @​LucaBernstein [#​11144]
• [OPERATOR] gardener-operator restarts itself when the garden resource is deleted. This is required to stop controllers gracefully that depend on the existence of a virtual garden cluster. by @​timuthy [#​11058]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.0

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.111.0

v1.110.4

Compare Source

[gardener/gardener]

🏃 Others

• [DEPENDENCY] The following images have been updated:
  • registry.k8s.io/autoscaling/vpa-admission-controller: 1.2.1 -> 1.2.2
  • registry.k8s.io/autoscaling/vpa-recommender: 1.2.1 -> 1.2.2
  • registry.k8s.io/autoscaling/vpa-updater: 1.2.1 -> 1.2.2 by @​ialidzhikov [#​11179]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.4
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.4
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.4
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.4

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.4
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.4
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.4
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.4
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.4
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.4
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.4
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.4

v1.110.3

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] Fix bug where gardenlet was missing permissions to read v1.Events in the istio ingress namespace in the seed cluster. by @​vpnachev [#​11163]

🏃 Others

• [DEPENDENCY] The gardener/vpn2 image has been updated to 0.34.0. Release Notes by @​gardener-ci-robot [#​11161]
• [OPERATOR] Fix a bug in the gardener operator where the issuer URL domain for workload identity tokens was not prefixed with discovery. resulting in invalid OIDC tokens and discovery documents. by @​vpnachev [#​11158]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.3
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.3
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.3
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.3

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.3
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.3
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.3
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.3
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.3
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.3
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.3
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.3

v1.110.2

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] A permission issue was fixed that prevented the VPAEvictionRequirements controller to patch VPA resources in the garden runtime cluster, in case it is also registered as a seed. by @​timuthy [#​11143]

🏃 Others

• [DEVELOPER] The order of the predicates for extension controllers has been changed to ensure that class and types are checked first.
  This avoids side effects by the passed predicates especially if the controller runs on the runtime cluster. by @​oliver-goetz [#​11133]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.2
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.2
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.2
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.2

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.2
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.2
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.2
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.2
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.2
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.2
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.2
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.2

v1.110.1

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [USER] Fix initial scheduling of Shoot with NamespacedCloudProfile reference. by @​LucaBernstein [#​11076]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.1
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.1

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.1
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.1
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.1
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.1
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.1
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.1

v1.110.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

• [DEVELOPER] The autoscaling.k8s.io/v1alpha1.Hvpa and autoscaling.k8s.io/v1alpha1.HvpaList resources were removed from the pkg/client/kubernetes.SeedScheme and pkg/operator/client.RuntimeScheme by @​plkokanov [#​10921]
• [DEVELOPER] Extension webhooks need to remove the provider type Predicates and add an ObjectSelector against the object's provider type label instead. by @​LucaBernstein [#​10896]

✨ New Features

• [OPERATOR] Secrets for the TokenRequestor can be additionally annotated with serviceaccount.resources.gardener.cloud/inject-ca-bundle=true to get the current CA bundle injected as well by @​maboehm [#​10988]

🐛 Bug Fixes

• [OPERATOR] seed-authorizer and structured authorization webhooks of shoot kube-apiservers no longer use the default TTL for AuthorizedTTL and UnauthorizedTTL. by @​oliver-goetz [#​10703]
• [OPERATOR] An issue was fixed in gardener-operator that led to an inactive Gardenlet controller after a certain period. Thus, the operator needed a restart to react on Gardenlet resources. by @​timuthy [#​10663]
• [OPERATOR] Fixes the bug where ManagedResource were still in progressing phase because of Completed pods by @​ary1992 [#​10961]

🏃 Others

• [OPERATOR] Fixes the calculation of the maximum number of nodes for cluster autoscaling for dual-stack shoots. by @​axel7born [#​10994]
• [OPERATOR] RBAC rules related to HVPA resources have been removed from gardenlet and gardener-operator - they are no longer necessary. by @​plkokanov [#​10921]
• [OPERATOR] The resource-manager is no longer HVPA-aware. by @​ialidzhikov [#​10860]
• [OPERATOR] [NewVPN] Enable IPv6 for non-HA if needed. by @​MartinWeindel [#​10997]
• [OPERATOR] Custom CAs are updated on existing nodes too. by @​oliver-goetz [#​10923]
• [OPERATOR] Set env variables for dual-stack in kube-apiserver. by @​axel7born [#​10970]
• [DEPENDENCY] The gardener/machine-controller-manager image has been updated to v0.55.1. Release Notes by @​gardener-ci-robot [#​10956]
• [DEPENDENCY] The quay.io/brancz/kube-rbac-proxy image has been updated to v0.18.2. by @​gardener-ci-robot [#​10953]
• [DEPENDENCY] The credativ/vali image has been updated to v2.2.20. Release Notes by @​gardener-ci-robot [#​10993]
• [DEPENDENCY] The credativ/plutono image has been updated to v7.5.35. Release Notes by @​gardener-ci-robot [#​10995]
• [DEPENDENCY] The quay.io/kiwigrid/k8s-sidecar image has been updated to 1.28.1. by @​gardener-ci-robot [#​10981]
• [DEPENDENCY] The gardener/apiserver-proxy image has been updated to v0.18.0. Release Notes by @​gardener-ci-robot [#​10933]
• [DEPENDENCY] The registry.k8s.io/coredns/coredns image has been updated to v1.12.0. by @​gardener-ci-robot [#​10909]
• [DEPENDENCY] The gardener/vpn2 image has been updated to 0.33.0. Release Notes by @​gardener-ci-robot [#​10996]
• [DEPENDENCY] The envoyproxy/envoy image has been updated to v1.32.2. Release Notes by @​gardener-ci-robot [#​11000]
• [DEPENDENCY] The gardener/gardener-metrics-exporter image has been updated to 0.31.0. Release Notes by @​gardener-ci-robot [#​10941]
• [DEPENDENCY] The gardener/gardener-metrics-exporter image has been updated to 0.33.0. Release Notes by @​gardener-ci-robot [#​10952]
• [DEPENDENCY] The gardener/ext-authz-server image has been updated to 0.11.0. Release Notes by @​gardener-ci-robot [#​10935]
• [DEVELOPER] The HVPA CRD has been removed from the codebase and is no longer generated. by @​plkokanov [#​10921]

📖 Documentation

• [OPERATOR] Improve shoot credential rotation documentation. by @​marc1404 [#​10998]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.0

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.0

v1.109.2

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] A bug which might lead to duplicate config entries for node-agent-authorizer webhook has been fixed. by @​oliver-goetz [#​11309]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.109.2
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.109.2
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.109.2
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.109.2

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.109.2
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.109.2
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.109.2
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.109.2
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.109.2
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.109.2
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.109.2
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.109.2

v1.109.1

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] Fix bug where gardenlet was missing permissions to read v1.Events in the istio ingress namespace in the seed cluster. by @​vpnachev [#​11164]

🏃 Others

• [OPERATOR] Fix a bug in the gardener operator where the issuer URL domain for workload identity tokens was not prefixed with discovery. resulting in invalid OIDC tokens and discovery documents. by @​vpnachev [#​11159]
• [DEPENDENCY] The following images have been updated:
  • registry.k8s.io/autoscaling/vpa-admission-controller: 1.2.1 -> 1.2.2
  • registry.k8s.io/autoscaling/vpa-recommender: 1.2.1 -> 1.2.2
  • registry.k8s.io/autoscaling/vpa-updater: 1.2.1 -> 1.2.2 by @​ialidzhikov [#​11180]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.109.1
• gardenlet: `europe-docker.pkg.dev/gardener-proj

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[23t-machine-user]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 31 additional dependencies were updated

Details:

Package	Change
github.com/gardener/etcd-druid	v0.25.0 -> v0.26.1
github.com/BurntSushi/toml	v1.3.2 -> v1.4.0
github.com/cyphar/filepath-securejoin	v0.3.1 -> v0.3.5
github.com/emicklei/go-restful/v3	v3.11.0 -> v3.12.1
github.com/fatih/color	v1.17.0 -> v1.18.0
github.com/gardener/cert-management	v0.15.0 -> v0.17.3
github.com/go-openapi/errors	v0.20.4 -> v0.22.0
github.com/go-openapi/jsonreference	v0.20.2 -> v0.21.0
github.com/google/gnostic-models	v0.6.8 -> v0.6.9
github.com/gorilla/websocket	v1.5.0 -> v1.5.3
github.com/klauspost/compress	v1.17.9 -> v1.17.11
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring	v0.74.0 -> v0.78.2
github.com/prometheus/common	v0.61.0 -> v0.62.0
github.com/spf13/afero	v1.11.0 -> v1.12.0
go.opentelemetry.io/otel	v1.28.0 -> v1.32.0
go.opentelemetry.io/otel/trace	v1.28.0 -> v1.32.0
golang.org/x/exp	v0.0.0-20241009180824-f66d83c29e7c -> v0.0.0-20250128182459-e0ece0dbea4c
golang.org/x/oauth2	v0.24.0 -> v0.25.0
golang.org/x/sync	v0.10.0 -> v0.11.0
golang.org/x/text	v0.21.0 -> v0.22.0
golang.org/x/time	v0.8.0 -> v0.10.0
golang.org/x/tools	v0.28.0 -> v0.29.0
google.golang.org/genproto/googleapis/api	v0.0.0-20240826202546-f6391c0de4c7 -> v0.0.0-20241209162323-e6fa225c2576
helm.sh/helm/v3	v3.16.2 -> v3.16.4
istio.io/api	v1.23.2 -> v1.24.2
istio.io/client-go	v1.23.2 -> v1.24.2
k8s.io/kube-aggregator	v0.31.1 -> v0.31.5
k8s.io/kube-openapi	v0.0.0-20241105132330-32ad38e42d3f -> v0.0.0-20241127205056-99599406b04f
sigs.k8s.io/controller-tools	v0.16.4 -> v0.16.5
sigs.k8s.io/json	v0.0.0-20241010143419-9aa6b5e7a4b3 -> v0.0.0-20241014173422-cfa47c3a1cc8
sigs.k8s.io/structured-merge-diff/v4	v4.4.2 -> v4.4.3