chore(deps): update dependency gardener/gardener to v1.126.0 (#76)

* chore(deps): update dependency gardener/gardener to v1.126.0

* task generate

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Johannes Aubart <[email protected]>

Author: renovate[bot]

api/crds/manifests/gardener.clusters.openmcp.cloud_providerconfigs.yaml

@@ -182,7 +182,8 @@ spec:
                         description: |-
                           CloudProfileName is a name of a CloudProfile object.
                           Deprecated: This field will be removed in a future version of Gardener. Use `CloudProfile` instead.
-                          Until removed, this field is synced with the `CloudProfile` field.
+                          Until Kubernetes v1.33, this field is synced with the `CloudProfile` field.
+                          Starting with Kubernetes v1.34, this field is set to empty string and must not be provided anymore.
                         type: string
                       controlPlane:
                         description: ControlPlane contains general settings for the
@@ -1445,6 +1446,26 @@ spec:
                                   EvictionTolerance defines the fraction of replica count that can be evicted for update in case more than one
                                   pod can be evicted (default: 0.5).
                                 type: number
+                              featureGates:
+                                additionalProperties:
+                                  type: boolean
+                                description: FeatureGates contains information about
+                                  enabled feature gates.
+                                type: object
+                              maxAllowed:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  MaxAllowed specifies the global maximum allowed (maximum amount of resources) that vpa-recommender can recommend for a container.
+                                  The VerticalPodAutoscaler-level maximum allowed takes precedence over the global maximum allowed.
+                                  For more information, see https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/docs/examples.md#specifying-global-maximum-allowed-resources-to-prevent-pods-from-being-unschedulable.
+
+                                  Defaults to nil (no maximum).
+                                type: object
                               memoryAggregationInterval:
                                 description: |-
                                   MemoryAggregationInterval is the length of a single interval, for which the peak memory usage is computed.
@@ -1583,7 +1604,7 @@ spec:
                         properties:
                           ipFamilies:
                             description: |-
-                              IPFamilies specifies the IP protocol versions to use for shoot networking. This field is immutable.
+                              IPFamilies specifies the IP protocol versions to use for shoot networking.
                               See https://github.com/gardener/gardener/blob/master/docs/development/ipv6.md.
                               Defaults to ["IPv4"].
                             items:

api/external/gardener/pkg/apis/core/v1beta1/constants/types_constants.go

@@ -459,6 +459,9 @@ const (
 	// LabelPrefixMonitoringDashboard is the prefix of a label key on ConfigMaps for indicating that the data contains a
 	// dashboard.
 	LabelPrefixMonitoringDashboard = "dashboard.monitoring.gardener.cloud/"
+	// LabelPrefixMonitoringDataSource is the prefix of a label key on ConfigMaps for indicating that the data contains
+	// a datasource.
+	LabelPrefixMonitoringDataSource = "datasource.monitoring.gardener.cloud/"
 	// LabelKeyCustomLoggingResource is the key of the label which is used from the operator to select the CustomResources which will be imported in the FluentBit configuration.
 	// TODO(nickytd): the label key has to be migrated to "fluentbit.gardener.cloud/type".
 	LabelKeyCustomLoggingResource = "fluentbit.gardener/type"
@@ -799,13 +802,30 @@ const (
 	// SeedUserNamePrefix is the identity user name prefix for gardenlets when authenticating to the API server.
 	SeedUserNamePrefix = "gardener.cloud:system:seed:"
 
-	// ShootGroupViewers is a constant for a group name in shoot clusters whose users get read-only privileges (except
-	// for core/v1.Secrets).
-	ShootGroupViewers = "gardener.cloud:system:viewers"
 	// ClusterRoleNameGardenerAdministrators is the name of a cluster role in the garden cluster defining privileges
 	// for administrators.
 	ClusterRoleNameGardenerAdministrators = "gardener.cloud:system:administrators"
 
+	// ShootReadOnlyClusterRoleName is the name of a cluster role allowing read-only access to resources
+	// in a shoot cluster, except core/v1.Secrets and those that are encrypted in the ETCD.
+	ShootReadOnlyClusterRoleName = "gardener.cloud:system:read-only"
+	// ShootSystemAdminsGroupName is a group assigned to gardener system administrators
+	// when they request an AdminKubeconfig to access a shoot cluster.
+	ShootSystemAdminsGroupName = "gardener.cloud:system:admins"
+	// ShootSystemViewersGroupName is a group assigned to gardener system viewers
+	// when they request a ViewerKubeconfig to access a shoot cluster.
+	ShootSystemViewersGroupName = "gardener.cloud:system:viewers"
+	// ShootProjectAdminsGroupName is a group assigned during AdminKubeconfig generation to
+	// gardener project administrators or other users allowed to request an AdminKubeconfig.
+	// System administrators do not get assigned to this group when requesting an AdminKubeconfig.
+	// Instead, they are assigned to the group "gardener.cloud:system:admins".
+	ShootProjectAdminsGroupName = "gardener.cloud:project:admins"
+	// ShootProjectViewersGroupName is a group assigned during ViewerKubeconfig generation to
+	// gardener project viewers or other users allowed to request a ViewerKubeconfig.
+	// System viewers do not get assigned to this group when requesting a ViewerKubeconfig.
+	// Instead, they are assigned to the group "gardener.cloud:system:viewers".
+	ShootProjectViewersGroupName = "gardener.cloud:project:viewers"
+
 	// ProjectName is the key of a label on namespaces whose value holds the project name.
 	ProjectName = "project.gardener.cloud/name"
 	// ProjectSkipStaleCheck is the key of an annotation on a project namespace that marks the associated Project to be
@@ -837,6 +857,10 @@ const (
 	ReservedShootPodNetworkMappedRange = "244.0.0.0/8"
 	// EnvoyNonRootUserId is the user ID for the non-root user in the envoy container.
 	EnvoyNonRootUserId = 65532
+	// DistrolessNonRootUserId is the user ID for the 'nonroot' user in the github.com/GoogleContainerTools/distroless image.
+	DistrolessNonRootUserId = EnvoyNonRootUserId
+	// EnvoyVPNGroupId is the group ID used for the envoy process in VPN. It is used for mapping of seed/shoot ranges to 240/4.
+	EnvoyVPNGroupId = 31415
 
 	// BackupSecretName is the name of secret having credentials for etcd backups.
 	BackupSecretName string = "etcd-backup"
@@ -1012,4 +1036,8 @@ const (
 	// LabelInjectGardenKubeconfig is a constant for a label on workload resources that indicates that a kubeconfig to
 	// the garden cluster should be injected.
 	LabelInjectGardenKubeconfig = "extensions.gardener.cloud/inject-garden-kubeconfig"
+
+	// AnnotationEmergencyStopShootReconciliations is the key for the emergency switch annotation for the seed resource
+	// to temporarily pause further shoot reconciliations.
+	AnnotationEmergencyStopShootReconciliations = "shoot.gardener.cloud/emergency-stop-reconciliations"
 )

api/external/gardener/pkg/apis/core/v1beta1/types_backupbucket.go

@@ -46,10 +46,10 @@ type BackupBucketSpec struct {
 	// ProviderConfig is the configuration passed to BackupBucket resource.
 	// +optional
 	ProviderConfig *runtime.RawExtension `json:"providerConfig,omitempty" protobuf:"bytes,2,opt,name=providerConfig"`
-	// SecretRef is a reference to a secret that contains the credentials to access object store.
-	// Deprecated: This field will be removed after v1.123.0 has been released. Use `CredentialsRef` instead.
-	// Until removed, this field is synced with the `CredentialsRef` field when it refers to a secret.
-	SecretRef corev1.SecretReference `json:"secretRef" protobuf:"bytes,3,opt,name=secretRef"`
+
+	// SecretRef is tombstoned to show why 3 is reserved protobuf tag.
+	// SecretRef corev1.SecretReference `json:"secretRef" protobuf:"bytes,3,opt,name=secretRef"`
+
 	// SeedName holds the name of the seed allocated to BackupBucket for running controller.
 	// This field is immutable.
 	// +optional

api/external/gardener/pkg/apis/core/v1beta1/types_cloudprofile.go

@@ -197,11 +197,28 @@ type MachineType struct {
 }
 
 // GetArchitecture returns the architecture of the machine type.
-func (m *MachineType) GetArchitecture() string {
+func (m *MachineType) GetArchitecture(capabilityDefinitions []CapabilityDefinition) string {
+	if len(capabilityDefinitions) == 0 {
+		return ptr.Deref(m.Architecture, "")
+	}
+
 	if len(m.Capabilities[constants.ArchitectureName]) == 1 {
 		return m.Capabilities[constants.ArchitectureName][0]
 	}
-	return ptr.Deref(m.Architecture, "")
+
+	if len(m.Capabilities[constants.ArchitectureName]) == 0 {
+		for _, capabilityDefinition := range capabilityDefinitions {
+			if capabilityDefinition.Name == constants.ArchitectureName && len(capabilityDefinition.Values) == 1 {
+				return capabilityDefinition.Values[0]
+			}
+		}
+	}
+
+	// constants.ArchitectureName is a required capability and
+	// machineType.Capabilities[constants.ArchitectureName] can only
+	// be empty for cloudprofiles supporting exactly one architecture.
+	// we should never reach this point.
+	return ""
 }
 
 // MachineTypeStorage is the amount of storage associated with the root volume of this machine type.

api/external/gardener/pkg/apis/core/v1beta1/types_seed.go

@@ -359,6 +359,16 @@ type SeedSettingVerticalPodAutoscaler struct {
 	// is enabled by default because Gardener heavily relies on a VPA being deployed. You should only disable this if
 	// your seed cluster already has another, manually/custom managed VPA deployment.
 	Enabled bool `json:"enabled" protobuf:"bytes,1,opt,name=enabled"`
+	// FeatureGates contains information about enabled feature gates.
+	// +optional
+	FeatureGates map[string]bool `json:"featureGates,omitempty" protobuf:"bytes,2,opt,name=featureGates"`
+	// MaxAllowed specifies the global maximum allowed (maximum amount of resources) that vpa-recommender can recommend for a container.
+	// The VerticalPodAutoscaler-level maximum allowed takes precedence over the global maximum allowed.
+	// For more information, see https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/docs/examples.md#specifying-global-maximum-allowed-resources-to-prevent-pods-from-being-unschedulable.
+	//
+	// Defaults to nil (no maximum).
+	// +optional
+	MaxAllowed corev1.ResourceList `json:"maxAllowed,omitempty" protobuf:"bytes,3,rep,name=maxAllowed,casttype=k8s.io/api/core/v1.ResourceList,castkey=k8s.io/api/core/v1.ResourceName"`
 }
 
 // SeedSettingDependencyWatchdog controls the dependency-watchdog settings for the seed.
@@ -444,6 +454,8 @@ const (
 	SeedGardenletReady ConditionType = "GardenletReady"
 	// SeedSystemComponentsHealthy is a constant for a condition type indicating the system components health.
 	SeedSystemComponentsHealthy ConditionType = "SeedSystemComponentsHealthy"
+	// SeedEmergencyStopShootReconciliations is a constant for a condition type indicating disabled shoot reconciliations.
+	SeedEmergencyStopShootReconciliations ConditionType = "EmergencyStopShootReconciliations"
 )
 
 // Resource constants for Gardener object types

api/external/gardener/pkg/apis/core/v1beta1/types_shoot.go

@@ -67,7 +67,8 @@ type ShootSpec struct {
 	Addons *Addons `json:"addons,omitempty" protobuf:"bytes,1,opt,name=addons"`
 	// CloudProfileName is a name of a CloudProfile object.
 	// Deprecated: This field will be removed in a future version of Gardener. Use `CloudProfile` instead.
-	// Until removed, this field is synced with the `CloudProfile` field.
+	// Until Kubernetes v1.33, this field is synced with the `CloudProfile` field.
+	// Starting with Kubernetes v1.34, this field is set to empty string and must not be provided anymore.
 	// +optional
 	CloudProfileName *string `json:"cloudProfileName,omitempty" protobuf:"bytes,2,opt,name=cloudProfileName"`
 	// DNS contains information about the DNS settings of the Shoot.
@@ -810,6 +811,16 @@ type VerticalPodAutoscaler struct {
 	// (default: 8)
 	// +optional
 	MemoryAggregationIntervalCount *int64 `json:"memoryAggregationIntervalCount,omitempty" protobuf:"varint,18,opt,name=memoryAggregationIntervalCount"`
+	// FeatureGates contains information about enabled feature gates.
+	// +optional
+	FeatureGates map[string]bool `json:"featureGates,omitempty" protobuf:"bytes,19,rep,name=featureGates"`
+	// MaxAllowed specifies the global maximum allowed (maximum amount of resources) that vpa-recommender can recommend for a container.
+	// The VerticalPodAutoscaler-level maximum allowed takes precedence over the global maximum allowed.
+	// For more information, see https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/docs/examples.md#specifying-global-maximum-allowed-resources-to-prevent-pods-from-being-unschedulable.
+	//
+	// Defaults to nil (no maximum).
+	// +optional
+	MaxAllowed corev1.ResourceList `json:"maxAllowed,omitempty" protobuf:"bytes,20,rep,name=maxAllowed,casttype=k8s.io/api/core/v1.ResourceList,castkey=k8s.io/api/core/v1.ResourceName"`
 }
 
 const (
@@ -853,6 +864,9 @@ var (
 )
 
 // KubernetesConfig contains common configuration fields for the control plane components.
+//
+// This is a legacy type that should not be used in new API fields or resources.
+// Instead of embedding this type, consider using inline map for feature gates definitions.
 type KubernetesConfig struct {
 	// FeatureGates contains information about enabled feature gates.
 	// +optional
@@ -1526,7 +1540,7 @@ type Networking struct {
 	// Services is the CIDR of the service network. This field is immutable.
 	// +optional
 	Services *string `json:"services,omitempty" protobuf:"bytes,5,opt,name=services"`
-	// IPFamilies specifies the IP protocol versions to use for shoot networking. This field is immutable.
+	// IPFamilies specifies the IP protocol versions to use for shoot networking.
 	// See https://github.com/gardener/gardener/blob/master/docs/development/ipv6.md.
 	// Defaults to ["IPv4"].
 	// +optional
@@ -1894,12 +1908,12 @@ type SSHAccess struct {
 var (
 	// DefaultWorkerMaxSurge is the default value for Worker MaxSurge.
 	DefaultWorkerMaxSurge = intstr.FromInt32(1)
-	// DefaultInPlaceWorkerMaxSurge is the default value for In-Place Worker MaxSurge.
-	DefaultInPlaceWorkerMaxSurge = intstr.FromInt32(0)
+	// DefaultAutoInPlaceWorkerMaxSurge is the default value for AutoInPlaceUpdate Worker MaxSurge.
+	DefaultAutoInPlaceWorkerMaxSurge = intstr.FromInt32(0)
 	// DefaultWorkerMaxUnavailable is the default value for Worker MaxUnavailable.
 	DefaultWorkerMaxUnavailable = intstr.FromInt32(0)
-	// DefaultInPlaceWorkerMaxUnavailable is the default value for In-Place Worker MaxUnavailable.
-	DefaultInPlaceWorkerMaxUnavailable = intstr.FromInt32(1)
+	// DefaultAutoInPlaceWorkerMaxUnavailable is the default value for AutoInPlaceUpdate Worker MaxUnavailable.
+	DefaultAutoInPlaceWorkerMaxUnavailable = intstr.FromInt32(1)
 	// DefaultWorkerSystemComponentsAllow is the default value for Worker AllowSystemComponents
 	DefaultWorkerSystemComponentsAllow = true
 )
@@ -2005,9 +2019,6 @@ const (
 	// ShootCRDsWithProblematicConversionWebhooks is a constant for a condition type indicating that the Shoot cluster has
 	// CRDs with conversion webhooks and multiple stored versions which can break the reconciliation flow of the cluster.
 	ShootCRDsWithProblematicConversionWebhooks ConditionType = "CRDsWithProblematicConversionWebhooks"
-	// ShootAPIServerProxyUsesHTTPProxy is a constant for a constraint type indicating that the Shoot cluster uses
-	// the new HTTP proxy connection method for in-cluster API server traffic (See https://github.com/gardener/gardener/blob/master/docs/proposals/30-apiserver-proxy.md)
-	ShootAPIServerProxyUsesHTTPProxy ConditionType = "APIServerProxyUsesHTTPProxy"
 	// ShootManualInPlaceWorkersUpdated is a constant for a condition type indicating that the Shoot cluster does not have
 	// any worker pools with update strategy "ManualInPlaceUpdate" and pending update.
 	ShootManualInPlaceWorkersUpdated ConditionType = "ManualInPlaceWorkersUpdated"

api/external/gardener/pkg/apis/core/v1beta1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 apis:
   gardener:
     # renovate: datasource=github-releases
-    base: https://raw.githubusercontent.com/gardener/gardener/v1.123.1
+    base: https://raw.githubusercontent.com/gardener/gardener/v1.126.0
     vendor: github.com/gardener/gardener
     patches:
     - replace: "github.com/gardener/gardener/pkg/apis/core"