Update dependencies (minor) #512

Merged
merged 1 commit into from
Feb 27, 2025

@gardener-ci-robot gardener-ci-robot commented Jan 23, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/gardener/gardener | require | minor | v1.110.5 -> v1.113.0 |
| github.com/gardener/gardener-extension-provider-openstack | require | minor | v1.44.1 -> v1.46.0 |
| github.com/gardener/machine-controller-manager | require | minor | v0.55.1 -> v0.56.1 |
| github.com/spf13/cobra | require | minor | v1.8.1 -> v1.9.1 |
| golang.org/x/crypto | require | minor | v0.32.0 -> v0.35.0 |

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.113.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

  • [OPERATOR] There is an incompatible change in the Garden (gardens.operator.gardener.cloud) custom resource: Fields .spec.runtimeCluster.networking.{nodes,pods,services} and .spec.virtualCluster.networking.services were changed from type string to type []string, e.g., in JSON format, replace "nodes": "10.0.0.0/16" with "nodes": ["10.0.0.0/16"]. by @​ScheererJ [#​11251]

📰 Noteworthy

  • [OPERATOR] Incoming reverse VPN connections no longer get authenticated by the reversed-vpn-auth-server as the authentication logic was moved to envoy itself. by @​Wieneo [#​11328]
  • [OPERATOR] The apiserver-proxy component does not use the proxy protocol anymore, see GEP-30. by @​Wieneo [#​11364]
  • [OPERATOR] The shoot.gardener.cloud/managed-seed-api-server annotation is deprecated and will be removed in a future release. Instead, consider enabling high availability for the ManagedSeed's Shoot control plane. by @​ialidzhikov [#​11372]
  • [OPERATOR] Added a new feature gate called "RemoveAPIServerProxyLegacyPort", which disables the unused proxy port (8443) on the istio-ingressgateway Services. Operators can choose to remove the legacy apiserver-proxy port as soon as all shoots have switched to the new apiserver-proxy configuration. They might want to do so if they activate the ACL extension, which is vulnerable to proxy protocol headers of untrusted clients on the apiserver-proxy port. by @​Wieneo [#​11380]

✨ New Features

  • [USER] gardener-operator maintains information about Gardener API Server configuration in the world-readable ConfigMap gardener-info in the gardener-system-public Namespace, read here for more details about the content of the ConfigMap. by @vpnachev [#11238]
  • [OPERATOR] Enhance the gardener-operator to allow specification of more than a single network range for .spec.runtimeCluster.networking.nodes, .spec.runtimeCluster.networking.pods, .spec.runtimeCluster.networking.services, and .spec.virtualCluster.networking.services, which also allows dual-stack configurations. by @​ScheererJ [#​11251]
  • [OPERATOR] Introduces shoot_operation_duration_seconds metric to record Shoot operation Create and Delete. by @​simcod [#​10971]
  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.32. To allow creation/update of 1.32 clusters you will have to update the version of your provider extension(s) to a version that supports 1.32 as well. Please consult the respective releases and notes in the provider extension's repository. by @​marc1404 [#​11197]
  • [OPERATOR] CloudProfile.spec.limits.maxNodesTotal can be used to limit the maximum number of nodes a shoot can have during runtime. See the documentation for more details. by @​timebertt [#​11279]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.32. Extension developers have to prepare individual extensions as well to work with 1.32. by @​marc1404 [#​11197]

🐛 Bug Fixes

  • [OPERATOR] A bug which prevented usage of labels with seed.gardener.cloud/ prefix on Seed, ManagedSeed, BackupEntry, and Shoot resources has been fixed. by @​rfranzke [#​11485]
  • [OPERATOR] A misleading error message appearing when an operator has wrongly configured OIDC config for the Gardener Dashboard in the Garden resource was fixed. by @​dimityrmirchev [#​11432]
  • [USER] The ETCD encryption config now properly configures a 32-byte key. by @​dimityrmirchev [#​11150]

🏃 Others

  • [DEPENDENCY] The following dependencies have been updated:
  • [DEVELOPER] The following dependencies are updated:
    • k8s.io/*: v0.31.6 -> v0.32.2
    • sigs.k8s.io/controller-runtime: v0.19.6 -> v0.20.2
    • sigs.k8s.io/controller-tools: v0.16.5 -> v0.17.2 by @​LucaBernstein [#​11418]
  • [DEVELOPER] github.com/gardener/gardener/pkg/utils/managedresources.{WaitUntilHealthy,WaitUntilHealthyAndNotProgressing} funcs now accept a client.Reader instead of a client.Client. by @​ialidzhikov [#​11321]
  • [DEVELOPER] golang-test images for Go 1.24 are built now. Those for Go 1.22 are not built anymore because it is out of maintenance. by @​oliver-goetz [#​11369]
  • [OPERATOR] Remove wildcards * from RBAC roles for the cluster-autoscaler, machine-controller-manager and prometheus-operator components. by @​AleksandarSavchev [#​11314]
  • [OPERATOR] Shoot system and Shoot control plane containers, which do not require privilege escalations, now forbid privilege escalation explicitly. There is an issue in Kubernetes about the privilege escalation configuration being true by default. by @​georgibaltiev [#​11241]
  • [OPERATOR] Fix the shoot-annotated-seed-service-endpoints scrape configuration by adding the address port by @​vicwicker [#​11413]
  • [OPERATOR] Revisit the VerticalPodAutoscalerCappedRecommendation alert to fix a race condition and other small improvements by @​vicwicker [#​11325]
  • [OPERATOR] Remove CPU as controlled resource from VPA for alertmanager and vpn-authzserver.
    Remove CPU requests from alertmanager and vpn-authzserver. by @​voelzmo [#​11366]
  • [OPERATOR] The gardener-resource-manager no longer syncs all resources every minute for virtual garden and shoot clusters. It already watches its desired resources anyways, i.e., it already reacts instantly, so there is no need to additionally apply them every minute. by @​rfranzke [#​11394]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.113.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.113.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.113.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.113.0

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.113.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.113.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.113.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.113.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.113.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.113.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.113.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.113.0

v1.112.3

Compare Source

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug which prevented usage of labels with seed.gardener.cloud/ prefix on Seed, ManagedSeed, BackupEntry, and Shoot resources has been fixed. by @​rfranzke [#​11486]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.112.3
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.112.3
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.112.3
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.112.3

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.112.3
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.112.3
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.112.3
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.112.3
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.112.3
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.112.3
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.112.3
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.112.3

v1.112.2

Compare Source

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue was fixed that caused a downtime of Gardener API services up to 1m every time the virtual-garden-kube-controller-manager changed its leader. by @​plkokanov [#​11454]
  • [OPERATOR] Fixed a bug that caused the Gardenlet to crash when deleting a hibernated shoot if the NodeAgentAuthorizer feature gate was enabled by @​Wieneo [#​11415]

🏃 Others

  • [DEPENDENCY] The following dependencies have been updated:
    • gardener/machine-controller-manager from v0.56.0 to v0.56.1. Release Notes
    • github.com/gardener/machine-controller-manager from v0.56.0 to v0.56.1. by @​plkokanov [#​11451]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.112.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.112.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.112.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.112.2

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.112.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.112.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.112.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.112.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.112.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.112.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.112.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.112.2

v1.112.1

Compare Source

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Specifying Seed labels in ManagedSeed.spec.gardenlet.config.seedConfig.metadata.labels is fixed. by @​timebertt [#​11368]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.112.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.112.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.112.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.112.1

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.112.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.112.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.112.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.112.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.112.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.112.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.112.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.112.1

v1.112.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

  • [DEPENDENCY] The Garden.spec.virtualCluster.gardener.gardenerControllerManager.defaultProjectQuotas[].config type has been changed from runtime.RawExtension to corev1.ResourceQuota. by @​timebertt [#​11098]
  • [DEPENDENCY] The temporary helper functions github.com/gardener/gardener/pkg/client/kubernetes.{ConvertClientConnectionConfigurationToExternal,RESTConfigFromInternalClientConnectionConfiguration} have been removed. Please use the external version of k8s.io/component-base/config.ClientConnectionConfiguration directly. by @​timebertt [#​11243]
  • [USER] Users are no longer able to modify shoot CA bundle configmaps. Such system resources are considered sensitive to modification because the data stored in them cannot be trusted unless its authenticity is guaranteed. by @​dimityrmirchev [#​11224]
  • [DEVELOPER] The following functions are moved from the github.com/gardener/gardener/pkg/client/kubernetes package to the github.com/gardener/gardener/pkg/utils/kubernetes package:
    • HasDeploymentRolloutCompleted
    • WaitUntilDeploymentRolloutIsComplete
    • GetPodLogs
    • ScaleStatefulSet
    • ScaleDeployment
    • WaitUntilDeploymentScaledToDesiredReplicas
    • WaitUntilStatefulSetScaledToDesiredReplicas
    • ScaleStatefulSetAndWaitUntilScaled by @​RadaBDimitrova [#​11153]
  • [DEVELOPER] The following var is removed from the github.com/gardener/gardener/pkg/client/kubernetes package:

📰 Noteworthy

  • [OPERATOR] The new CredentialsRotationWithoutWorkersRollout feature gate should only be enabled when all registered Gardener provider extensions vendor at least gardener/[email protected]+. by @​rfranzke [#​11027]
  • [OPERATOR] The ClientConnectionConfiguration and LeaderElectionConfiguration in the component config APIs are now validated. by @​timebertt [#​11254]

✨ New Features

  • [USER] All Seeds are now automatically labeled with seed.gardener.cloud/<name>=true where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. by @​rfranzke [#​11062]
  • [USER] The feature gate UseNamespacedCloudProfile has been graduated to Beta and is now enabled by default. by @​LucaBernstein [#​11289]
  • [USER] It is now possible to specify the priority of worker groups with the Shoot.spec.provider.workers[].priority field. When at least one priority is specified, the CA will respect this configuration before other expanders.
    WARNING: When using this feature, Gardener will overwrite existing configurations that were made manually beforehand. by @tobschli [#11045]
  • [USER] New Shoot operation annotations rotate-{ca,serviceaccount-key,credentials}-start-without-workers-rollout are being introduced in order to start a credentials rotation without causing an immediate rolling update of all worker nodes. Such rolling updates can later be triggered by the end-user at a time of their convenience with the rotate-rollout-workers=<pool1-name>[,<pool2-name>,...] operation annotation. Read all about it here. by @rfranzke [#11027]
  • [OPERATOR] Introduces shoot_operation_duration_seconds metric to record Shoot operation Create and Delete. by @​simcod [#​10971]
  • [OPERATOR] Add VPA parameters memoryAggregationInterval and memoryAggregationIntervalCount to the Shoot spec. by @​voelzmo [#​11215]
  • [DEVELOPER] A wrapper function for OperatingSystemConfig provisioning bash script has been implemented. Using the wrapper ensures that the script exits early in case it has been executed successfully before. by @​oliver-goetz [#​11208]

🐛 Bug Fixes

  • [OPERATOR] A bug preventing the deletion of Shoots that previously failed to create due to an erroneous kube-apiserver has been fixed. by @​shafeeqes [#​11284]
  • [OPERATOR] Fixed checking etcd cluster readiness when rolling out spec changes. On rare occasions this led to failing credential rotations. by @​timuthy [#​11231]
  • [OPERATOR] A bug which leads to a gardenlet nil pointer exception when running shoot deletion or migration flow for shoots where shoot.status.networking == nil has been fixed. by @​oliver-goetz [#​11304]
  • [OPERATOR] A bug which might lead to duplicate config entries for node-agent-authorizer webhook has been fixed. by @​oliver-goetz [#​11281]

🏃 Others

v1.111.3

Compare Source

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Fixed a bug that caused the Gardenlet to crash when deleting a hibernated shoot if the NodeAgentAuthorizer feature gate was enabled by @​Wieneo [#​11424]
  • [OPERATOR] A bug which prevented usage of labels with seed.gardener.cloud/ prefix on BackupEntry, and Shoot resources has been fixed. by @​plkokanov [#​11492]
  • [OPERATOR] An issue was fixed that caused a downtime of Gardener API services up to 1m every time the virtual-garden-kube-controller-manager changed its leader. by @​plkokanov [#​11453]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.3
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.3
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.3
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.3

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.3
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.3
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.3
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.3
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.3
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.3
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.3
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.111.3

v1.111.2

Compare Source

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug preventing the deletion of Shoots that previously failed to create due to an erroneous kube-apiserver has been fixed. by @​shafeeqes [#​11296]
  • [OPERATOR] A bug which leads to a gardenlet nil pointer exception when running shoot deletion or migration flow for shoots where shoot.status.networking == nil has been fixed. by @​oliver-goetz [#​11307]
  • [OPERATOR] A bug which might lead to duplicate config entries for node-agent-authorizer webhook has been fixed. by @​oliver-goetz [#​11302]

🏃 Others

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.2

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.111.2

v1.111.1

Compare Source

[gardener/gardener]

✨ New Features

  • [DEVELOPER] A wrapper function for OperatingSystemConfig provisioning bash script has been implemented. Using the wrapper ensures that the script exits early in case it has been executed successfully before. by @​oliver-goetz [#​11257]

🏃 Others

  • [DEPENDENCY] The gardener/dashboard image has been updated to 1.79.1. Release Notes by @​gardener-ci-robot [#​11262]
  • [OPERATOR] An issue has been fixed that caused the garden reconciliation to stop when structured authentication was used in combination with the gardener-dashboard oidcConfig. by @​timuthy [#​11233]
  • [DEVELOPER] testing framework: The RootPodExecutor no longer requires output from command execution to interpret the command execution as successful. by @​ialidzhikov [#​11253]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.1

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.111.1

v1.111.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

  • [OPERATOR] The OperatorConfiguration changed incompatibly: extensionRequired was renamed to extensionRequiredRuntime. by @​timuthy [#​11001]

  • [OPERATOR] The ShootManagedIssuer feature gate was removed. Enablement of the feature is now dependent on the existence of a secret in the garden namespace labeled with gardener.cloud/role: shoot-service-account-issuer. by @​dimityrmirchev [#​11078]

  • [OPERATOR] The ShootForceDeletion feature gate has been graduated to GA and is locked to true. by @​shafeeqes [#​11107]

  • [OPERATOR] This change applies to IPv4 clusters only.
    Gardener uses the CIDR range of 240.0.0.0/8 which is reserved as per IANA db to map the cluster ip of the kubernetes api-server in the seed to a different network range before exposing it to the shoot in the kubernetes service. This frees up address space in the shoot and removes potential clashes with shoot workload ips.

    Seed operators need to check if any of the following properties collide with the 240.0.0.0/8 range:

    spec:  
      networks:  
        pods: < check here >  
        nodes: < check here >  
        services: < check here >  
        shootDefaults:  
          pods: < check here >  
          nodes: < check here >  
          services: < check here >  
    

    by @​domdom82 [#​10949]

  • [OPERATOR] The wildcard TLS certificate for the runtime cluster must now be labelled with gardener.cloud/role=garden-cert instead of gardener.cloud/role=controlplane-cert to avoid duplicate role assignments for runtime and seed certificate secrets if Gardener runtime and seed run on the same cluster.
    The old role name is deprecated for the runtime cluster. It will not be accepted anymore with the next Gardener release. by @​MartinWeindel [#​11113]

  • [DEPENDENCY] Client-related functions have been adapted to use the external version of k8s.io/component-base/config.ClientConnectionConfiguration. If you need a helper function for transitioning to the external version, use pkg/client/kubernetes.ConvertClientConnectionConfigurationToExternal. by @​timebertt [#​11052]

  • [DEPENDENCY] The package github.com/gardener/gardener/extensions/pkg/apis/config has been dropped. Use the versioned variant of the package instead: github.com/gardener/gardener/extensions/pkg/apis/config/v1alpha1. by @​timebertt [#​11056]

📰 Noteworthy

  • [USER] Expired versions from the NamespacedCloudProfile are always dropped, except for already applied versions. by @​LucaBernstein [#​10910]
  • [OPERATOR] The vpa field (ineffective since v1.102) has been removed from the ManagedSeed API. by @​rfranzke [#​11047]
  • [OPERATOR] Now "vali" contains the managed control plane logs from the early stages of shoot reconcile. by @​nickytd [#​11082]

✨ New Features

  • [OPERATOR] Gardener-Operator handles generic Gardener extensions in the Garden-Runtime cluster (type: Extension). Such extensions can be configured via spec.extensions in the Garden resource. by @​timuthy [#​11192]
  • [OPERATOR] gardener-node-agent now persists its applied changes after each step when reconciling the OSC. This should avoid unnecessary work and systemd unit restarts. by @​maboehm [#​10969]
  • [OPERATOR] Add vpa histogram decay half-life parameters to the Shoot spec. by @​voelzmo [#​10959]
  • [OPERATOR] The Gardener Admission Controller now implements a handler that can prevent tampering with system Secrets and ConfigMaps if they are labeled with gardener.cloud/update-restriction=true. by @​dimityrmirchev [#​11108]
  • [OPERATOR] Add flow and flow task metrics for timing duration, delay and result count to gardenlet metrics. by @​LucaBernstein [#​10967]
  • [USER] Gardener now allows to omit or to only partially define the machine image version in shoot.Spec.Provider.Workers[].Machine.Image.Version. The version will automatically be defaulted to the latest minor/patch version found in the referenced CloudProfile. by @​LucaBernstein [#​10954]
  • [DEVELOPER] The extension library now supports adding watches via WatchBuilder for other resources in the generic extension controller. by @​domdom82 [#​11064]
  • [DEVELOPER] Add option to register flow metrics on monitoring registry. by @​LucaBernstein [#​10967]
  • [DEVELOPER] A local setup for trying out, developing, and testing the autonomous shoot cluster functionality of gardenadm has been introduced. You can find the documentation here. by @​rfranzke [#​10977]

🐛 Bug Fixes

  • [OPERATOR] Gardener can now delete and migrate shoots that use dynamic node network allocation, even if the infrastructure creation has never been successfully completed. by @​timebertt [#​11038]
  • [OPERATOR] An issue was fixed in gardener-operator that prevented configuring OIDC for gardener-dashboard while using Structured Authentication. by @​timuthy [#​11080]
  • [OPERATOR] gardener-node-agent does not restart containerd.service on every OSC reconciliation anymore. by @​oliver-goetz [#​11120]
  • [USER] Fix the NamespacedCloudProfile status mutation. by @​LucaBernstein [#​11036]
  • [DEVELOPER] Avoid calling GetCluster for non-shoot namespaces in shootNotFailedPredicate and dnsrecord controller. by @​MartinWeindel [#​11123]
  • [DEVELOPER] gardener-node-agent deletes unit files and drop-ins only if it created them previously. by @​oliver-goetz [#​11015]

🏃 Others

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.0

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.0
  • scheduler: `europe-docker.pkg.dev/gardener-project/releases/g

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
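
The v1.111.0 breaking-change note above asks Seed operators to check their network properties against 240.0.0.0/8. The following is an added example of that check, not part of this PR or of Gardener's code. It assumes the Seed was exported as JSON; the type and function names and the sample Seed are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// reservedRange is the IPv4 range that, per the release note, Gardener uses to
// map the kube-apiserver cluster IP before exposing it to the shoot.
var reservedRange = netip.MustParsePrefix("240.0.0.0/8")

// Ranges mirrors the three properties the release note lists at each level.
type Ranges struct {
	Pods     *string `json:"pods"`
	Nodes    *string `json:"nodes"`
	Services *string `json:"services"`
}

// seedDoc models only the part of a Seed manifest that this check reads.
type seedDoc struct {
	Spec struct {
		Networks struct {
			Ranges
			ShootDefaults *Ranges `json:"shootDefaults"`
		} `json:"networks"`
	} `json:"spec"`
}

// Finding describes one property that needs operator attention.
type Finding struct {
	Field  string
	CIDR   string
	Reason string
}

// checkField appends a finding if the value is unparsable or shares any
// address with reservedRange. Unset fields and IPv6 ranges are skipped,
// because the release note applies to IPv4 clusters only.
func checkField(path string, value *string, findings []Finding) []Finding {
	if value == nil || *value == "" {
		return findings
	}
	prefix, err := netip.ParsePrefix(*value)
	if err != nil {
		return append(findings, Finding{Field: path, CIDR: *value, Reason: "not a valid CIDR"})
	}
	if !prefix.Addr().Is4() {
		return findings
	}
	// Overlaps is true for subsets, supersets and exact matches of the range.
	if prefix.Overlaps(reservedRange) {
		return append(findings, Finding{Field: path, CIDR: *value, Reason: "overlaps " + reservedRange.String()})
	}
	return findings
}

func checkRanges(base string, r *Ranges, findings []Finding) []Finding {
	if r == nil {
		return findings
	}
	findings = checkField(base+".pods", r.Pods, findings)
	findings = checkField(base+".nodes", r.Nodes, findings)
	return checkField(base+".services", r.Services, findings)
}

// CheckSeedNetworks inspects spec.networks and spec.networks.shootDefaults of
// a Seed given as JSON and returns the findings in field order.
func CheckSeedNetworks(seedJSON []byte) ([]Finding, error) {
	var seed seedDoc
	if err := json.Unmarshal(seedJSON, &seed); err != nil {
		return nil, fmt.Errorf("decoding Seed: %w", err)
	}
	var findings []Finding
	findings = checkRanges("spec.networks", &seed.Spec.Networks.Ranges, findings)
	findings = checkRanges("spec.networks.shootDefaults", seed.Spec.Networks.ShootDefaults, findings)
	return findings, nil
}

// sampleSeed is constructed for this example: one subset of the range, one
// superset of it, and one neighbouring /8 that does not collide.
const sampleSeed = `{
  "spec": {"networks": {
    "pods": "100.96.0.0/11",
    "nodes": "10.250.0.0/16",
    "services": "240.10.0.0/16",
    "shootDefaults": {
      "pods": "224.0.0.0/3",
      "services": "241.0.0.0/8"
    }
  }}
}`

func main() {
	findings, err := CheckSeedNetworks([]byte(sampleSeed))
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s = %s: %s\n", f.Field, f.CIDR, f.Reason)
	}
}
```
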

@gardener-ci-robot gardener-ci-robot requested a review from a team as a code owner January 23, 2025 11:11
@gardener-ci-robot gardener-ci-robot added the kind/enhancement Enhancement, improvement, extension label Jan 23, 2025

gardener-ci-robot commented Jan 23, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 52 additional dependencies were updated

Details:

Package Change
github.com/onsi/ginkgo/v2 v2.22.0 -> v2.22.2
github.com/onsi/gomega v1.36.0 -> v1.36.2
golang.org/x/term v0.28.0 -> v0.29.0
k8s.io/api v0.31.3 -> v0.32.2
k8s.io/apimachinery v0.31.3 -> v0.32.2
k8s.io/cli-runtime v0.31.3 -> v0.32.2
k8s.io/client-go v0.31.3 -> v0.32.2
k8s.io/component-base v0.31.3 -> v0.32.2
sigs.k8s.io/controller-runtime v0.19.3 -> v0.20.2
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 -> v0.0.0-20230124172434-306776ec8161
github.com/cpuguy83/go-md2man/v2 v2.0.4 -> v2.0.6
github.com/cyphar/filepath-securejoin v0.3.4 -> v0.3.6
github.com/evanphx/json-patch/v5 v5.9.0 -> v5.9.11
github.com/fsnotify/fsnotify v1.7.0 -> v1.8.0
github.com/gardener/cert-management v0.17.1 -> v0.17.5
github.com/gardener/etcd-druid v0.25.0 -> v0.27.0
github.com/go-openapi/errors v0.20.4 -> v0.22.0
github.com/google/btree v1.0.1 -> v1.1.3
github.com/google/gnostic-models v0.6.8 -> v0.6.9
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db -> v0.0.0-20241210010833-40e02aabc2ad
github.com/gorilla/websocket v1.5.1 -> v1.5.3
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 -> v0.0.0-20190611155906-901d90724c79
github.com/klauspost/compress v1.17.9 -> v1.17.11
github.com/mailru/easyjson v0.7.7 -> v0.9.0
github.com/moby/spdystream v0.4.0 -> v0.5.0
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.78.2 -> v0.80.1
github.com/prometheus/common v0.61.0 -> v0.62.0
github.com/spf13/afero v1.11.0 -> v1.12.0
golang.org/x/exp v0.0.0-20241204233417-43b7b7cde48d -> v0.0.0-20250218142911-aa4b98e5adaa
golang.org/x/mod v0.22.0 -> v0.23.0
golang.org/x/net v0.33.0 -> v0.35.0
golang.org/x/oauth2 v0.24.0 -> v0.26.0
golang.org/x/sync v0.10.0 -> v0.11.0
golang.org/x/sys v0.29.0 -> v0.30.0
golang.org/x/text v0.21.0 -> v0.22.0
golang.org/x/time v0.8.0 -> v0.10.0
golang.org/x/tools v0.28.0 -> v0.30.0
google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 -> v0.0.0-20241209162323-e6fa225c2576
google.golang.org/protobuf v1.35.2 -> v1.36.1
helm.sh/helm/v3 v3.16.3 -> v3.17.1
istio.io/api v1.23.3 -> v1.24.3
istio.io/client-go v1.23.3 -> v1.24.2
k8s.io/apiextensions-apiserver v0.31.3 -> v0.32.2
k8s.io/autoscaler/vertical-pod-autoscaler v1.2.1 -> v1.2.2
k8s.io/kube-aggregator v0.31.3 -> v0.32.2
k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38 -> v0.0.0-20241212222426-2c72e554b1e7
k8s.io/kubelet v0.31.3 -> v0.32.2
k8s.io/metrics v0.31.3 -> v0.32.2
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd -> v0.0.0-20241014173422-cfa47c3a1cc8
sigs.k8s.io/kustomize/api v0.17.2 -> v0.18.0
sigs.k8s.io/kustomize/kyaml v0.17.1 -> v0.18.1
sigs.k8s.io/structured-merge-diff/v4 v4.4.3 -> v4.5.0

@gardener-robot gardener-robot added the needs/review Needs review label Jan 23, 2025
@gardener-robot

@gardener-ci-robot Thank you for your contribution.

@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 23, 2025
@gardener-robot gardener-robot added the size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) label Jan 23, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jan 23, 2025
@gardener-ci-robot gardener-ci-robot changed the title Update module github.com/gardener/gardener to v1.111.0 Update dependencies (minor) Jan 23, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 23, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 23, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jan 27, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jan 29, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 29, 2025
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 29, 2025
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 3, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 3, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 4, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 4, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 15, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 17, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 17, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 17, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 19, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 22, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 24, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 24, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 24, 2025
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 25, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 25, 2025
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 27, 2025
@petersutter petersutter merged commit 07a0153 into master Feb 27, 2025
9 checks passed
@petersutter petersutter deleted the renovate/dependencies branch February 27, 2025 16:51
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Feb 27, 2025
Labels
kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/review Needs review needs/second-opinion Needs second review by someone else size/l Size of pull request is large (see gardener-robot robot/bots/size.py) size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) status/closed Issue is closed (either delivered or triaged)
6 participants