@renovate renovate bot commented Oct 31, 2025

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change OpenSSF
gardener/gardener minor v1.130.1 -> v1.133.0 OpenSSF Scorecard

Release Notes

gardener/gardener (gardener/gardener)

v1.133.0

Compare Source

[github.com/gardener/gardener:v1.133.0]

⚠️ Breaking Changes

  • [OPERATOR] ⚠️ Gardener no longer supports Garden, Seed, or Shoot clusters with Kubernetes versions <= 1.29. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @​ScheererJ [#​13487]
  • [USER] The Shoot .spec.provider.workers[].sysctls field is now validated for valid sysctl keys and non-empty values. by @​MrBatschner [#​13435]
  • [DEVELOPER] The github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring module is updated from v0.86.2 to v0.87.0. In the new version the type of the ServiceMonitor's .spec.endpoints[].scheme field is changed from string to *monitoringv1.Scheme. by @​gardener-ci-robot [#​13512]
  • [DEVELOPER] The types from the extension healthcheck package which perform health checks on Deployments, StatefulSets and DaemonSets have been renamed. The respective constructor functions now return the concrete types instead of an interface. The types still implement the interface that was returned before. We do not expect this change to affect existing code in the majority of cases. by @​dimityrmirchev [#​13329]

📰 Noteworthy

  • [OPERATOR] The ShootCredentialsBinding feature gate of gardenlet is promoted to GA and is unconditionally enabled. by @​dimityrmirchev [#​13530]
  • [OPERATOR] The .status.encryptedResources field for Shoot and Garden resources has been deprecated in favour of the new .status.credentials.encryptionAtRest.resources field. by @​AleksandarSavchev [#​12894]
  • [DEVELOPER] The ValidatingAdmissionPolicy admission plugin is now enabled by default for the Gardener API server. If you already have the admission plugin enabled, you can remove the explicit enablement after upgrading to this version of Gardener as the plugin is now enabled by default. by @​ScheererJ [#​13487]

✨ New Features

  • [OPERATOR] A new VPAInPlaceUpdates feature gate is introduced for gardenlet and gardener-operator. When enabled, the corresponding VerticalPodAutoscaler resources are mutated to perform in-place updates (i.e., mutated with .spec.updatePolicy.updateMode=InPlaceOrRecreate). For more information, see Enabling In-Place Updates of Pod Resources. by @​vitanovs [#​12940]
  • [OPERATOR] The gardener.cloud/operation annotation for the Garden resource has been extended to allow specifying multiple operations to be run in parallel. by @​AleksandarSavchev [#​12717]
  • [USER] The gardener.cloud/operation and maintenance.gardener.cloud/operation Shoot annotations have been extended to allow specifying multiple operations to be run in parallel. by @​AleksandarSavchev [#​12717]

🐛 Bug Fixes

  • [OPERATOR] A bug where the Shoot relevant ClusterRoleBindings responsible for the AdminKubeconfig and ViewerKubeconfig permissions were deployed into the virtual Garden cluster has been fixed. by @​vpnachev [#​13492]
  • [OPERATOR] Add --skip-metadata flag to ctr images pull in the node-agent init script for better container registry compatibility. by @​Nuckal777 [#​13265]
  • [OPERATOR] An issue where Plutono would not detect all fields when the OpenTelemetryCollector feature gate is enabled is now fixed. by @​rrhubenov [#​13531]
  • [OPERATOR] A bug which made istio-ingressgateway forward requests via HTTP1.1 only to kube-apiserver when the IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @​oliver-goetz [#​13459]
  • [OPERATOR] Gardener generally prefers the sshd.service unit when trying to enable/disable the SSH server on worker nodes and bastions. If the sshd.service unit doesn't exist, it falls back to ssh.service. by @​timebertt [#​13456]
  • [OPERATOR] The server block import feature for node-local-dns is now behind a feature gate (CustomDNSServerInNodeLocalDNS). by @​DockToFuture [#​13511]
  • [USER] An issue causing vpa-updater RBAC resources for in-place updates not to be deployed when the VPA InPlaceOrRecreate feature gate is not explicitly enabled is now fixed. The VPA InPlaceOrRecreate feature gate is enabled by default with the VPA 1.5.1 version which is used by Gardener. That's why the needed in-place updates RBAC resources are now deployed unconditionally. by @​vitanovs [#​13499]
  • [DEVELOPER] Fixed a bug causing types part of the extension healthcheck package to be injected with clients that they do not actually use. by @​dimityrmirchev [#​13329]

🏃 Others

  • [OPERATOR] Vali can now ingest logs through the standard ingress in the Shoot control plane even when the OpenTelemetryCollector feature gate is enabled. This allows other parties that rely on it to migrate at their pace while it matures. by @​rrhubenov [#​13446]
  • [OPERATOR] gardener-apiserver: The ShootValidator admission plugin's type is now changed from mutating to validating. All mutations that were previously performed by the ShootValidator were extracted over time to the new ShootMutator admission plugin. by @​ialidzhikov [#​13352]
  • [OPERATOR] Defaulting of the Shoot machine image version (.spec.provider.workers[].machine.image.{name,version}) is moved from the ShootValidator to the ShootMutator admission plugin. by @​ialidzhikov [#​13351]
  • [OPERATOR] Logging stack components are updated from v0.69.0 to v0.70.0. Along the way, performance optimizations are applied. by @​nickytd [#​13563]
  • [OPERATOR] gardener-apiserver: The Shoot .spec.provider.workers[].machine.image field is now a required field. This change has impact only when the ShootMutator admission plugin (which defaults the machine image) is disabled. The admission plugin is enabled by default. by @​ialidzhikov [#​13399]
  • [OPERATOR] A new field spec.resources was added to the Garden API. The field can be used by extensions to reference Secrets and ConfigMaps. See this documentation for more details. by @​timuthy [#​13464]
  • [OPERATOR] The Shoot .spec.kubernetes.kubeAPIServer.oidcConfig field is now validated only in the storage layer. Previously, the required .spec.kubernetes.kubeAPIServer.{oidcConfig,issuerURL} fields were validated in the ShootValidator admission plugin due to backwards-compatibility reasons. by @​dimitar-kostadinov [#​13505]
  • [DEPENDENCY] The following dependencies have been updated:

📖 Documentation

  • [OPERATOR] A new guide has been added containing instructions and information about how to upgrade a Gardener installation. by @​rfranzke [#​13401]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.133.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.133.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.133.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.133.0

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.133.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.133.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.133.0
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.133.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.133.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.133.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.133.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.133.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.133.0

v1.132.2

Compare Source

[github.com/gardener/gardener:v1.132.2]

🐛 Bug Fixes

  • [OPERATOR] The server block import feature for node-local-dns is now behind a feature gate (CustomDNSServerInNodeLocalDNS). by @​ialidzhikov [#​13523]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.2

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.2
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.2

v1.132.1

Compare Source

[github.com/gardener/gardener:v1.132.1]

🐛 Bug Fixes

  • [OPERATOR] A bug which made istio-ingressgateway forward requests via HTTP1.1 only to kube-apiserver when the IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @​oliver-goetz [#​13467]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.1

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.1
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.1

v1.132.0

Compare Source

[github.com/gardener/gardener:v1.132.0]

⚠️ Breaking Changes

  • [DEPENDENCY] The .gardener.autonomousShootCluster is no longer part of the Helm values when extension charts are rendered. The field has been renamed to gardener.selfHostedShootCluster. In addition, the previous flag --autonomous-shoot-cluster has been renamed to --self-hosted-shoot-cluster. Extension developers should adapt their Helm charts. by @​rfranzke [#​13273]
  • [DEVELOPER] "Autonomous Shoot Clusters" have been renamed to "Self-Hosted Shoot Clusters". The "medium-touch" scenario has been renamed to "managed infrastructure" scenario. The "high-touch" scenario has been renamed to "unmanaged infrastructure" scenario. by @​rfranzke [#​13273]
  • [DEVELOPER] The github.com/gardener/gardener/pkg/controllerutils.GetMainReconciliationContext function is removed. Instead, use the ReconciliationTimeout field of the sigs.k8s.io/controller-runtime/pkg/controller.Options type when registering the controller to the controller manager. by @​ScheererJ [#​13238]

📰 Noteworthy

✨ New Features

  • [OPERATOR] It is now possible to restrict the total count of objects for non-namespaced resources. You can set it through the admission controller configuration's server.resourceAdmissionConfiguration.limits[].count field. by @​tobschli [#​12916]
  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.34. To allow creation/update of 1.34 clusters you will have to update the version of your provider extension(s) to a version that supports 1.34 as well. Please consult the respective releases and notes in the provider extension's repository. by @​tobschli [#​12883]
  • [USER] gardener-node-agent now labels worker nodes in shoot clusters with the node-role.kubernetes.io/worker="" label. by @​rfranzke [#​13387]
  • [USER] Individual worker pools can now be scheduled for manual rollout using a new annotation on the shoot: gardener.cloud/operation=rollout-workers=<pool1>,<pool2>,...,<poolN>. by @​rrhubenov [#​12829]
  • [OPERATOR] Operators can set Seed.spec.settings.loadBalancerServices.class (docs) and/or GardenletConfiguration.exposureClassHandlers[].loadBalancerService.class (docs) to specify a non-default loadBalancerClass for the corresponding istio-ingressgateway services on seeds. by @​timebertt [#​13305]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.34. Extension developers have to prepare individual extensions as well to work with 1.34. by @​tobschli [#​12883]
  • [DEVELOPER] Gardener container images now can be built for multiple platforms locally via the variable TARGET_PLATFORMS, e.g. make docker-images TARGET_PLATFORMS=linux/amd64,linux/arm64. If the variable is unset, the container images are built for the platform linux/<host-arch> only. by @​vpnachev [#​13324]

🐛 Bug Fixes

  • [OPERATOR] UnauthenticatedHTTP2DOSMitigation feature gate is now always disabled for kube-apiservers where IstioTLSTermination (aka L7 load-balancing) is activated. This prevents unwanted side-effects when unauthenticated requests are sent. HTTP/2 "Rapid Reset" DoS Vulnerability is mitigated by Envoy in this case. by @​oliver-goetz [#​13405]
  • [DEVELOPER] Fix make kind-up command to work correctly with Docker>=v29.0.0. by @​oliver-goetz [#​13410]
  • [OPERATOR] Gardenlet's backupbucket and backupentry controllers now unset all unknown labels and annotations on the extension secrets in the seed cluster. This fixes a bug where, after migration from WorkloadIdentity to Secret credentials, the workload identity annotations and labels were kept in the secrets, causing other controllers to keep trying to use the WorkloadIdentity credentials. by @​vpnachev [#​13282]
  • [OPERATOR] Gardener no longer deploys the node-exporter ServiceMonitor in the kube-system namespace on unmanaged Seeds. by @​rickardsjp [#​13382]
  • [USER] The feature for supporting custom server blocks in node-local-dns is now reverted. by @​Kostov6 [#​13344]
  • [USER] An issue with the configuration for the OpenTelemetryCollector on the nodes that leads to missing kernel logs in Vali is now fixed. by @​rrhubenov [#​13328]
  • [OPERATOR] The Istio Gateway dashboard now correctly displays the total resource usage across pod restarts. by @​rickardsjp [#​13402]
  • [DEVELOPER] Backupentry generic actuator is fixed to clean all unknown annotations and labels from the etcd-backup secret. This change fixes issues when the credentials are switched between static secret and workload identity. by @​vpnachev [#​13282]

🏃 Others

  • [OPERATOR] gardener-resource-manager now uses kubernetes.io/metadata.name label instead of gardener.cloud/purpose in its webhook namespace selectors. The kubernetes.io/metadata.name is added to all namespaces automatically by Kubernetes. by @​shafeeqes [#​13398]
  • [DEPENDENCY] Updated dependency containerd to v2.1.4 (release notes). by @​gardener-ci-robot [#​13311]
  • [OPERATOR] Removed obsolete validation for shootDefaults network disjointedness with SeedNetworks. by @​domdom82 [#​13349]
  • [OPERATOR] The gardener-operator now does not wait for verticalpodautoscalercheckpoints.autoscaling.k8s.io to be present when the Garden's .spec.runtimeCluster.settings.verticalPodAutoscaler.enabled is false. This allows externally managed VPAs that do not use the VPA checkpoint API to be used with the gardener-operator. by @​tobschli [#​13314]
  • [OPERATOR] When IstioTLSTermination is active, memory of istio-ingressgateways is now scaled by VPA instead of HPA. VPA uses updateMode: Initial so that it does not evict pods but only sets reasonable memory requests when new pods are created. by @​oliver-goetz [#​13370]
  • [USER] The Shoot .spec.kubernetes.kubeAPIServer.serviceAccountConfig.{issuer,acceptedIssuers} fields are now validated against the OpenID Discovery 1.0 specification. by @​acumino [#​13325]
  • [OPERATOR] Logging stack has been upgraded to fluent-bit v4.1.1 and logging plugin v0.68.0. by @​nickytd [#​13358]
  • [DEPENDENCY] The following dependencies have been updated:
  • [OPERATOR] fluent-bit now supports IPv6 as well. by @​damyan [#​12003]
  • [OPERATOR] Readiness probe was added to vpn-shoot tunnel-controller to improve VPN availability during shoot reconciliation. by @​domdom82 [#​13366]
  • [OPERATOR] gardener-admission-controller VerticalPodAutoscaler name is changed from gardener-admission-controller to gardener-admission-controller-vpa to fix an issue with duplicate VPA resources for the gardener-admission-controller Deployment. The VPA resource name with the deprecated controlplane chart was gardener-controller-manager-vpa. Previously, switching to the gardener-operator created a VPA with name gardener-controller-manager that targets the same Deployment. by @​ialidzhikov [#​13430]
  • [OPERATOR] The following dependencies are updated:
    • k8s.io/*: v0.33.5 -> v0.34.1
    • sigs.k8s.io/controller-runtime: v0.21.0 -> v0.22.3
    • sigs.k8s.io/controller-tools: v0.18.0 -> v0.19.0 by @​ScheererJ [#​13238]
  • [OPERATOR] Defaulting of the Shoot Kubernetes versions (.spec.kubernetes.version and .spec.provider.workers[].kubernetes.version) is moved from the ShootValidator to the ShootMutator admission plugin. by @​ialidzhikov [#​13252]
  • [OPERATOR] Add system load average (1min avg) panel to the Node Details dashboard by @​IndritFejza [#​13280]
  • [USER] It is possible now to create IPv6 workerless shoots without specifying a service range. by @​axel7born [#​13224]
  • [OPERATOR] Shoot API now supports configuring additional CA flags for node group backoff, namely initialNodeGroupBackoffDuration, maxNodeGroupBackoffDuration and nodeGroupBackoffResetTimeout. by @​ashwani2k [#​13403]
  • [OPERATOR] Defaulting of the Shoot networks is moved from the ShootValidator to the ShootMutator admission plugin. by @​ialidzhikov [#​13207]
  • [OPERATOR] Support custom server blocks in node-local-dns. by @​DockToFuture [#​13375]
  • [OPERATOR] maxEmptyBulkDelete is explicitly set to nil, since it can no longer be set for Kubernetes versions >= v1.33. by @​RadaBDimitrova [#​13054]
  • [OPERATOR] Migration from dual-stack [IPv4, IPv6] to [IPv4] networking is now allowed. by @​axel7born [#​12967]
  • [OPERATOR] Increase client-side rate limits for kube-controller-manager to --kube-api-qps=100 and --kube-api-burst=200 by @​voelzmo [#​13251]
  • [OPERATOR] Additional input validations for the SecurityBinding and CredentialsBinding resources are now implemented. by @​georgibaltiev [#​13258]
  • [OPERATOR] NamespacedCloudprofiles are now compatible with parent CloudProfiles that use MachineCapabilities. Read more about capabilities in GEP-33. by @​Roncossek [#​13138]

📖 Documentation

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.0

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.0
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.0

v1.131.4

Compare Source

[github.com/gardener/gardener:v1.131.4]

🐛 Bug Fixes

  • [OPERATOR] A bug which made istio-ingressgateway forward requests via HTTP1.1 only to kube-apiserver when the IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @​oliver-goetz [#​13466]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.131.4
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.131.4
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.131.4
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.131.4

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.131.4
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.131.4
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.131.4
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.131.4
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.131.4
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.131.4
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.131.4
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.131.4

v1.131.3

Compare Source

[github.com/gardener/gardener:v1.131.3]

🐛 Bug Fixes

  • [DEVELOPER] Fix make kind-up command to work correctly with Docker>=v29.0.0. by @​oliver-goetz [#​13417]
  • [OPERATOR] UnauthenticatedHTTP2DOSMitigation feature gate is now always disabled for kube-apiservers where IstioTLSTermination (aka L7 load-balancing) is activated. This prevents unwanted side-effects when unauthenticated requests are sent. HTTP/2 "Rapid Reset" DoS Vulnerability is mitigated by Envoy in this case. by @​oliver-goetz [#​13425]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.131.3
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.131.3
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.131.3
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.131.3

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.131.3
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.131.3
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.131.3
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.131.3
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.131.3
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.131.3
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.131.3
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.131.3

v1.131.2

Compare Source

[github.com/gardener/gardener:v1.131.2]

🐛 Bug Fixes

  • [OPERATOR] Gardenlet's backupbucket and backupentry controllers now unset all unknown labels and annotations on the extension secrets in the seed cluster. This fixes a bug where, after migration from WorkloadIdentity to Secret credentials, the workload identity annotations and labels were kept in the secrets, causing other controllers to keep trying to use the WorkloadIdentity credentials. by @​vpnachev [#​13364]
  • [DEVELOPER] Backupentry generic actuator is fixed to clean all unknown annotations and labels from the etcd-backup secret. This change fixes issues when the credentials are switched between static secret and workload identity. by @​vpnachev [#​13364]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.131.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.131.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.131.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.131.2

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.131.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.131.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.131.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.131.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.131.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.131.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.131.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.131.2

v1.131.1

Compare Source

[github.com/gardener/gardener:v1.131.1]

🐛 Bug Fixes

  • [USER] The feature for supporting custom server blocks in node-local-dns is now reverted. by @​Kostov6 [#​13354]
  • [USER] An issue with the configuration for the OpenTelemetryCollector on the nodes that leads to missing kernel logs in Vali is now fixed. by @​rrhubenov [#​13330]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.131.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.131.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.131.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.131.1

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.131.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.131.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.131.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.131.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.131.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.131.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.131.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.131.1

v1.131.0

Compare Source

[github.com/gardener/gardener:v1.131.0]

📰 Noteworthy

  • [OPERATOR] On startup gardenlets will configure .spec.dns.defaults settings for its respective Seed. Operators should adapt their Seed manifests to explicitly configure default DNS as .spec.dns.defaults will become a mandatory configuration after release v1.131.0. by @​dimityrmirchev [#​12884]

✨ New Features

  • [OPERATOR] Valitail is now replaced with an instance of OpenTelemetry Collector. by @​rrhubenov [#​12846]
  • [OPERATOR] Introduced spec.settings.loadBalancerServices.zonalIngress.enabled in the Seed API. When disabled, zonal istio ingress gateways are removed and the global istio ingress gateway is used instead. by @​cerealsnow [#​12956]
  • [OPERATOR] gardenlet now evaluates extension health conditions first when computing the conditions of a Shoot. by @​rfranzke [#​13231]
  • [USER] The KubeApiServerTooManyAuditlogFailures alert is now sent also to the shoot owners. by @​vpnachev [#​13177]
  • [OPERATOR] The Seed spec was extended to allow explicit configuration for default DNS settings. Operators can configure these by setting .spec.dns.defaults. The implicit configuration that involved selecting a DNS secret from the Garden cluster based on labels will eventually be removed. Operators should adapt their Seed manifests to explicitly configure default DNS. by @​dimityrmirchev [#​12884]

🐛 Bug Fixes

  • [OPERATOR] An issue has been fixed which was preventing gardenlet from registering its Gardenlet resource when selfUpgrade was set in its Helm chart values. by @​rfranzke [#​13241]
  • [OPERATOR] A bug causing gardenlet to panic during CoreDNS migration check if the Shoot is hibernated is now fixed. by @​shafeeqes [#​13302]
  • [USER] The early access (before the cluster creation is completed) to a Shoot cluster via AdminKubeconfig credentials is restored now when dedicated groups gardener.cloud:system:admins and gardener.cloud:project:admins are used for authorization. by @​vpnachev [#​13299]

🏃 Others

Helm Charts

  • controlplane: `europe-docker.pkg.dev/gardener-project/releases/charts/

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/gardener-gardener-1.x branch from d103f88 to eb479d0 Compare November 5, 2025 12:33
@renovate renovate bot changed the title chore(deps): update dependency gardener/gardener to v1.131.0 chore(deps): update dependency gardener/gardener to v1.131.1 Nov 5, 2025
@renovate renovate bot force-pushed the renovate/gardener-gardener-1.x branch from eb479d0 to 60e9789 Compare November 7, 2025 19:43
@renovate renovate bot changed the title chore(deps): update dependency gardener/gardener to v1.131.1 chore(deps): update dependency gardener/gardener to v1.131.2 Nov 7, 2025
@renovate renovate bot force-pushed the renovate/gardener-gardener-1.x branch from 60e9789 to 5473e9b Compare November 12, 2025 12:55
@renovate renovate bot changed the title chore(deps): update dependency gardener/gardener to v1.131.2 chore(deps): update dependency gardener/gardener to v1.131.3 Nov 12, 2025
@renovate renovate bot force-pushed the renovate/gardener-gardener-1.x branch from 5473e9b to 0194c74 Compare November 14, 2025 00:10
@renovate renovate bot changed the title chore(deps): update dependency gardener/gardener to v1.131.3 chore(deps): update dependency gardener/gardener to v1.132.0 Nov 14, 2025
@renovate renovate bot force-pushed the renovate/gardener-gardener-1.x branch from 0194c74 to 04dba7f Compare November 16, 2025 10:08
@renovate renovate bot changed the title chore(deps): update dependency gardener/gardener to v1.132.0 chore(deps): update dependency gardener/gardener to v1.132.1 Nov 16, 2025
@renovate renovate bot force-pushed the renovate/gardener-gardener-1.x branch 3 times, most recently from 0c8ae8c to cf3dbe9 Compare November 25, 2025 08:35
@renovate renovate bot changed the title chore(deps): update dependency gardener/gardener to v1.132.1 chore(deps): update dependency gardener/gardener to v1.132.2 Nov 25, 2025
@renovate renovate bot force-pushed the renovate/gardener-gardener-1.x branch 3 times, most recently from 42aabd2 to 4c16182 Compare November 28, 2025 10:02
@renovate renovate bot changed the title chore(deps): update dependency gardener/gardener to v1.132.2 chore(deps): update dependency gardener/gardener to v1.133.0 Nov 28, 2025
@renovate renovate bot force-pushed the renovate/gardener-gardener-1.x branch from 4c16182 to 59199e4 Compare December 3, 2025 13:25