Update k8s packages (minor)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/gardener/gardener	v1.107.3 -> v1.111.1
github.com/gardener/gardener-extension-provider-openstack	v1.41.2 -> v1.45.0
k8s.io/api	v0.31.2 -> v0.32.1
k8s.io/apiextensions-apiserver	v0.31.2 -> v0.32.1
k8s.io/apimachinery	v0.31.2 -> v0.32.1
k8s.io/client-go	v0.31.2 -> v0.32.1
k8s.io/code-generator	v0.31.2 -> v0.32.1
k8s.io/component-base	v0.31.2 -> v0.32.1
sigs.k8s.io/controller-runtime	v0.19.1 -> v0.20.1

---

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.111.1

Compare Source

[gardener/gardener]

✨ New Features

• [DEVELOPER] A wrapper function for OperatingSystemConfig provisioning bash script has been implemented. Using the wrapper ensures that the script exits early in case it has been executed successfully before. by @​oliver-goetz [#​11257]

🏃 Others

• [DEPENDENCY] The gardener/dashboard image has been updated to 1.79.1. Release Notes by @​gardener-ci-robot [#​11262]
• [OPERATOR] An issue has been fixed that caused the garden reconciliation to stop when structured authentication was used in combination with the gardener-dashboard oidcConfig. by @​timuthy [#​11233]
• [DEVELOPER] testing framework: The RootPodExecutor no longer requires output from command execution to interpret the command execution as successful. by @​ialidzhikov [#​11253]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.1
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.1

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.1
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.1
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.1
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.1
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.1
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.111.1

v1.111.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

• [OPERATOR] The OperatorConfiguration changed incompatibly: extensionRequired was renamed to extensionRequiredRuntime. by @​timuthy [#​11001]

• [OPERATOR] The ShootManagedIssuer feature gate was removed. Enablement of the feature is now dependent on the existence of a secret in the garden namespace labeled with gardener.cloud/role: shoot-service-account-issuer. by @​dimityrmirchev [#​11078]

• [OPERATOR] The ShootForceDeletion feature gate has been graduated to GA and is locked to true. by @​shafeeqes [#​11107]

• [OPERATOR] This change applies to IPv4 clusters only.
  Gardener uses the CIDR range of 240.0.0.0/8 which is reserved as per IANA db to map the cluster ip of the kubernetes api-server in the seed to a different network range before exposing it to the shoot in the kubernetes service. This frees up address space in the shoot and removes potential clashes with shoot workload ips.

  Seed operators need to check if any of the following properties collide with the 240.0.0.0/8 range:

  spec:  
    networks:  
      pods: < check here >  
      nodes: < check here >  
      services: < check here >  
      shootDefaults:  
        pods: < check here >  
        nodes: < check here >  
        services: < check here >  
  

  by @​domdom82 [#​10949]

• [OPERATOR] The wildcard TLS certificate for the runtime cluster must now be labelled with gardener.cloud/role=garden-cert instead of gardener.cloud/role=controlplane-cert to avoid duplicate role assignments for runtime and seed certificate secrets if Gardener runtime and seed run on the same cluster.
  The old role name is deprecated for the runtime cluster. It will not be accepted anymore with the next Gardener release. by @​MartinWeindel [#​11113]

• [DEPENDENCY] Client-related functions have been adapted to use the external version of k8s.io/component-base/config.ClientConnectionConfiguration. If you need a helper function for transitioning to the external version, use pkg/client/kubernetes.ConvertClientConnectionConfigurationToExternal. by @​timebertt [#​11052]

• [DEPENDENCY] The package github.com/gardener/gardener/extensions/pkg/apis/config has been dropped. Use the versioned variant of the package instead: github.com/gardener/gardener/extensions/pkg/apis/config/v1alpha1. by @​timebertt [#​11056]

📰 Noteworthy

• [USER] Expired versions from the NamespacedCloudProfile are always dropped, except for already applied versions. by @​LucaBernstein [#​10910]
• [OPERATOR] The vpa field (ineffective since v1.102) has been removed from the ManagedSeed API. by @​rfranzke [#​11047]
• [OPERATOR] Now "vali" contains the managed control plane logs from the early stages of shoot reconcile. by @​nickytd [#​11082]

✨ New Features

• [OPERATOR] Gardener-Operator handles generic Gardener extensions in the Garden-Runtime cluster (type: Extension). Such extensions can be configured via spec.extensions in the Garden resource. by @​timuthy [#​11192]
• [OPERATOR] gardener-node-agent now persists its applied changes after each step when reconciling the OSC. This should avoid unnecessary work and systemd unit restarts. by @​maboehm [#​10969]
• [OPERATOR] Add vpa histogram decay half-life parameters to the Shoot spec. by @​voelzmo [#​10959]
• [OPERATOR] The Gardener Admission Controller now implements a handler that can prevent tampering with system Secrets and ConfigMaps if they are labeled with gardener.cloud/update-restriction=true. by @​dimityrmirchev [#​11108]
• [OPERATOR] Add flow and flow task metrics for timing duration, delay and result count to gardenlet metrics. by @​LucaBernstein [#​10967]
• [USER] Gardener now allows to omit or to only partially define the machine image version in shoot.Spec.Provider.Workers[].Machine.Image.Version. The version will automatically be defaulted to the latest minor/patch version found in the referenced CloudProfile. by @​LucaBernstein [#​10954]
• [DEVELOPER] The extension library now supports adding watches via WatchBuilder for other resources in the generic extension controller. by @​domdom82 [#​11064]
• [DEVELOPER] Add option to register flow metrics on monitoring registry. by @​LucaBernstein [#​10967]
• [DEVELOPER] A local setup for trying out, developing, and testing the autonomous shoot cluster functionality of gardenadm has been introduced. You can find the documentation here. by @​rfranzke [#​10977]

🐛 Bug Fixes

• [OPERATOR] Gardener can now delete and migrate shoots that use dynamic node network allocation, even if the infrastructure creation has never been successfully completed. by @​timebertt [#​11038]
• [OPERATOR] An issue was fixed in gardener-operator that prevented configuring OIDC for gardener-dashboard while using Structured Authentication. by @​timuthy [#​11080]
• [OPERATOR] gardener-node-agent does not restart containerd.service on every OSC reconciliation anymore. by @​oliver-goetz [#​11120]
• [USER] Fix the NamespacedCloudProfile status mutation. by @​LucaBernstein [#​11036]
• [DEVELOPER] Avoid calling GetCluster for non-shoot namespaces in shootNotFailedPredicate and dnsrecord controller. by @​MartinWeindel [#​11123]
• [DEVELOPER] gardener-node-agent deletes unit files and drop-ins only if it created them previously. by @​oliver-goetz [#​11015]

🏃 Others

• [USER] Custom machine images and machine types in NamespacedCloudProfile are not interfered by later added conflicting entries in the parent CloudProfile. by @​LucaBernstein [#​11093]
• [DEPENDENCY] The quay.io/kiwigrid/k8s-sidecar image has been updated to 1.29.0. by @​gardener-ci-robot [#​11138]
• [DEPENDENCY] The gardener/etcd-druid image has been updated to v0.26.1. Release Notes by @​gardener-ci-robot [#​11202]
• [DEPENDENCY] The gcr.io/istio-release/pilot image has been updated to 1.23.4. by @​gardener-ci-robot [#​11071]
• [DEPENDENCY] The envoyproxy/envoy image has been updated to v1.33.0. Release Notes by @​gardener-ci-robot [#​11167]
• [DEPENDENCY] The registry.k8s.io/ingress-nginx/controller-chroot image has been updated to v1.12.0. by @​gardener-ci-robot [#​11087]
• [DEPENDENCY] The quay.io/kiwigrid/k8s-sidecar image has been updated to 1.28.4. by @​gardener-ci-robot [#​11053]
• [DEPENDENCY] The gardener/logging image has been updated to v0.63.0. Release Notes by @​gardener-ci-robot [#​11195]
• [DEPENDENCY] The registry.k8s.io/dns/k8s-dns-node-cache image has been updated to 1.24.0. by @​gardener-ci-robot [#​11032]
• [DEPENDENCY] The gardener/alpine-conntrack image has been updated to 3.21.0. Release Notes by @​gardener-ci-robot [#​11023]
• [DEPENDENCY] The gardener/dashboard image has been updated to 1.79.0. Release Notes by @​gardener-ci-robot [#​11199]
• [DEPENDENCY] The quay.io/prometheus/alertmanager image has been updated to v0.28.0. by @​gardener-ci-robot [#​11176]
• [DEPENDENCY] The envoyproxy/envoy image has been updated to v1.32.3. Release Notes by @​gardener-ci-robot [#​11068]
• [DEPENDENCY] The gardener/ingress-default-backend image has been updated to 0.21.0. Release Notes by @​gardener-ci-robot [#​11046]
• [DEPENDENCY] The gardener/terminal-controller-manager image has been updated to v0.34.0. Release Notes by @​gardener-ci-robot [#​11212]
• [DEPENDENCY] The gardener/alpine-conntrack image has been updated to 3.21.1. Release Notes by @​gardener-ci-robot [#​11151]
• [DEVELOPER] Fix malformed file path error on go get github.com/gardener/gardener@master by @​MartinWeindel [#​11145]
• [DEVELOPER] drop unused codepath from component_descriptor creation script. by @​ccwienk [#​11124]
• [DEVELOPER] The images of the registry caches used in the extensions local setup are now updated to distribution/[email protected] rc.2. by @​ialidzhikov [#​11079]
• [OPERATOR] Add additional context to shoot admission DNS errors so that it is more obvious what should be changed. by @​ScheererJ [#​11022]
• [OPERATOR] Allow specifying the IP families for the shoot creation tests. by @​ScheererJ [#​11135]
• [OPERATOR] Switch vpa-recommender back to the image built from the vertical-pod-autoscaler upstream repo . by @​plkokanov [#​11122]
• [OPERATOR] The gardener-dashboard configuration was enhanced in the garden API with fields gardenerDashboard.oidcConfig.clientIDPublic and gardenerDashboard.oidcConfig.issuerURL.
  Those are required to switch from the deprecated kubeAPIServer.oidcConfig to kubeAPIServer.structuredAuthentication. by @​timuthy [#​11080]
• [OPERATOR] gardener-operator now maintains a new condition RequiredVirtual for Extension resources. The new condition indicates whether the extension is related to required ControllerInstallations in the virtual garden cluster. by @​timuthy [#​11001]
• [OPERATOR] Add alerts for capped VPA recommendations by @​vicwicker [#​11136]
• [OPERATOR] Retry failed Cluster resource sync after otherwise successful Shoot reconciliation. by @​LucaBernstein [#​11144]
• [OPERATOR] gardener-operator restarts itself when the garden resource is deleted. This is required to stop controllers gracefully that depend on the existence of a virtual garden cluster. by @​timuthy [#​11058]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.111.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.111.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.111.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.111.0

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.111.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.111.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.111.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.111.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.111.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.111.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.111.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.111.0

v1.110.4

Compare Source

[gardener/gardener]

🏃 Others

• [DEPENDENCY] The following images have been updated:
  • registry.k8s.io/autoscaling/vpa-admission-controller: 1.2.1 -> 1.2.2
  • registry.k8s.io/autoscaling/vpa-recommender: 1.2.1 -> 1.2.2
  • registry.k8s.io/autoscaling/vpa-updater: 1.2.1 -> 1.2.2 by @​ialidzhikov [#​11179]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.4
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.4
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.4
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.4

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.4
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.4
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.4
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.4
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.4
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.4
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.4
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.4

v1.110.3

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] Fix bug where gardenlet was missing permissions to read v1.Events in the istio ingress namespace in the seed cluster. by @​vpnachev [#​11163]

🏃 Others

• [DEPENDENCY] The gardener/vpn2 image has been updated to 0.34.0. Release Notes by @​gardener-ci-robot [#​11161]
• [OPERATOR] Fix a bug in the gardener operator where the issuer URL domain for workload identity tokens was not prefixed with discovery. resulting in invalid OIDC tokens and discovery documents. by @​vpnachev [#​11158]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.3
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.3
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.3
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.3

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.3
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.3
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.3
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.3
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.3
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.3
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.3
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.3

v1.110.2

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] A permission issue was fixed that prevented the VPAEvictionRequirements controller to patch VPA resources in the garden runtime cluster, in case it is also registered as a seed. by @​timuthy [#​11143]

🏃 Others

• [DEVELOPER] The order of the predicates for extension controllers has been changed to ensure that class and types are checked first.
  This avoids side effects by the passed predicates especially if the controller runs on the runtime cluster. by @​oliver-goetz [#​11133]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.2
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.2
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.2
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.2

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.2
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.2
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.2
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.2
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.2
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.2
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.2
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.2

v1.110.1

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [USER] Fix initial scheduling of Shoot with NamespacedCloudProfile reference. by @​LucaBernstein [#​11076]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.1
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.1

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.1
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.1
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.1
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.1
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.1
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.1

v1.110.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

• [DEVELOPER] The autoscaling.k8s.io/v1alpha1.Hvpa and autoscaling.k8s.io/v1alpha1.HvpaList resources were removed from the pkg/client/kubernetes.SeedScheme and pkg/operator/client.RuntimeScheme by @​plkokanov [#​10921]
• [DEVELOPER] Extension webhooks need to remove the provider type Predicates and add an ObjectSelector against the object's provider type label instead. by @​LucaBernstein [#​10896]

✨ New Features

• [OPERATOR] Secrets for the TokenRequestor can be additionally annotated with serviceaccount.resources.gardener.cloud/inject-ca-bundle=true to get the current CA bundle injected as well by @​maboehm [#​10988]

🐛 Bug Fixes

• [OPERATOR] seed-authorizer and structured authorization webhooks of shoot kube-apiservers no longer use the default TTL for AuthorizedTTL and UnauthorizedTTL. by @​oliver-goetz [#​10703]
• [OPERATOR] An issue was fixed in gardener-operator that led to an inactive Gardenlet controller after a certain period. Thus, the operator needed a restart to react on Gardenlet resources. by @​timuthy [#​10663]
• [OPERATOR] Fixes the bug where ManagedResource were still in progressing phase because of Completed pods by @​ary1992 [#​10961]

🏃 Others

• [OPERATOR] Fixes the calculation of the maximum number of nodes for cluster autoscaling for dual-stack shoots. by @​axel7born [#​10994]
• [OPERATOR] RBAC rules related to HVPA resources have been removed from gardenlet and gardener-operator - they are no longer necessary. by @​plkokanov [#​10921]
• [OPERATOR] The resource-manager is no longer HVPA-aware. by @​ialidzhikov [#​10860]
• [OPERATOR] [NewVPN] Enable IPv6 for non-HA if needed. by @​MartinWeindel [#​10997]
• [OPERATOR] Custom CAs are updated on existing nodes too. by @​oliver-goetz [#​10923]
• [OPERATOR] Set env variables for dual-stack in kube-apiserver. by @​axel7born [#​10970]
• [DEPENDENCY] The gardener/machine-controller-manager image has been updated to v0.55.1. Release Notes by @​gardener-ci-robot [#​10956]
• [DEPENDENCY] The quay.io/brancz/kube-rbac-proxy image has been updated to v0.18.2. by @​gardener-ci-robot [#​10953]
• [DEPENDENCY] The credativ/vali image has been updated to v2.2.20. Release Notes by @​gardener-ci-robot [#​10993]
• [DEPENDENCY] The credativ/plutono image has been updated to v7.5.35. Release Notes by @​gardener-ci-robot [#​10995]
• [DEPENDENCY] The quay.io/kiwigrid/k8s-sidecar image has been updated to 1.28.1. by @​gardener-ci-robot [#​10981]
• [DEPENDENCY] The gardener/apiserver-proxy image has been updated to v0.18.0. Release Notes by @​gardener-ci-robot [#​10933]
• [DEPENDENCY] The registry.k8s.io/coredns/coredns image has been updated to v1.12.0. by @​gardener-ci-robot [#​10909]
• [DEPENDENCY] The gardener/vpn2 image has been updated to 0.33.0. Release Notes by @​gardener-ci-robot [#​10996]
• [DEPENDENCY] The envoyproxy/envoy image has been updated to v1.32.2. Release Notes by @​gardener-ci-robot [#​11000]
• [DEPENDENCY] The gardener/gardener-metrics-exporter image has been updated to 0.31.0. Release Notes by @​gardener-ci-robot [#​10941]
• [DEPENDENCY] The gardener/gardener-metrics-exporter image has been updated to 0.33.0. Release Notes by @​gardener-ci-robot [#​10952]
• [DEPENDENCY] The gardener/ext-authz-server image has been updated to 0.11.0. Release Notes by @​gardener-ci-robot [#​10935]
• [DEVELOPER] The HVPA CRD has been removed from the codebase and is no longer generated. by @​plkokanov [#​10921]

📖 Documentation

• [OPERATOR] Improve shoot credential rotation documentation. by @​marc1404 [#​10998]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.110.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.110.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.110.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.110.0

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.110.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.110.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.110.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.110.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.110.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.110.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.110.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.110.0

v1.109.1

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] Fix bug where gardenlet was missing permissions to read v1.Events in the istio ingress namespace in the seed cluster. by @​vpnachev [#​11164]

🏃 Others

• [OPERATOR] Fix a bug in the gardener operator where the issuer URL domain for workload identity tokens was not prefixed with discovery. resulting in invalid OIDC tokens and discovery documents. by @​vpnachev [#​11159]
• [DEPENDENCY] The following images have been updated:
  • registry.k8s.io/autoscaling/vpa-admission-controller: 1.2.1 -> 1.2.2
  • registry.k8s.io/autoscaling/vpa-recommender: 1.2.1 -> 1.2.2
  • registry.k8s.io/autoscaling/vpa-updater: 1.2.1 -> 1.2.2 by @​ialidzhikov [#​11180]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.109.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.109.1
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.109.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.109.1

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.109.1
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.109.1
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.109.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.109.1
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.109.1
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.109.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.109.1
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.109.1

v1.109.0

Compare Source

[gardener/gardener]

⚠️ Breaking Changes

• [OPERATOR] The HVPA autoscaling option (which is unconditionally disabled since v1.105.0) is removed from the etcd component. Before updating to this version of Gardener, make sure that you upgraded to v1.106.0 and all Seed and Garden resources reconciled with that version. This is required to ensure that the HVPA component and its CRD were properly cleaned up. by @​plkokanov [#​10800]
• [OPERATOR] The Baseline and HVPA autoscaling modes (which are unconditionally disabled since v1.105.0) are removed for {gardener,kube}-apiserver. Before updating to this version of Gardener, make sure that you upgraded to v1.106.0 and all Seed and Garden resources reconciled with that version. This is required to ensure that the HVPA component and its CRD were properly cleaned up. by @​plkokanov [#​10796]
• [OPERATOR] The deprecated and unconditionally disabled HVPA and HVPAForShootedSeed feature gates are removed. The GA-ed and unconditionally enabled VPAForETCD and VPAAndHPAForAPIServer features gates are removed. If you have references to the feature gates, clean them up before upgrading to this version of Gardener. by @​ialidzhikov [#​10853]
• [DEVELOPER] Rename the controlplane exposure webhook (ExposureWebhookName) to seed provider webhook (SeedProviderWebhookName). by @​LucaBernstein [#​10788]

📰 Noteworthy

• [OPERATOR] The gardener-scheduler was improved to consider reconciliation backoffs. In the past, unassigned shoots were affected by frequent scheduler reconciliations and status updates which potentially strained the scheduler and etcd. by @​timuthy [#​10821]
• [DEVELOPER] extension library: Provider extensions should rename control plane exposure webhook related packages to seed provider to reflect the naming change on their side (for example rename pkg/webhook/controlplaneexposure to pkg/webhook/seedprovider). by @​LucaBernstein [#​10788]

✨ New Features

• [OPERATOR] NodeAgentAuthorizer feature gate was introduced. It allows a webhook based authorization of gardener-node-agents with reduced permissions.
  ❗ This feature gate requires changes in machine-controller-manager-provider-*. Please check that you run a supported version before activating it. ❗ by @​oliver-goetz [#​10781]
• [USER] Allow dual-stack shoots creation. by @​axel7born [#​10803]
• [USER] shoot spec.kubernetes.clusterAutoscaler: Add support for startupTaints and statusTaints by @​dhague [#​10858]

🐛 Bug Fixes

• [USER] Fixed a bug where SSH key rotations for Shoots did not properly update the authorized keys on the worker nodes (hence, the new key was unusable until a node restart or rollout). by @​tobschli [#​10671]
• [USER] On Shoot deletion, Gardener now properly skips certain validation checks that are only relevant for creations or updates of Shoot resources. by @​rfranzke [#​10902]
• [OPERATOR] Fixed an error in BackupBucket reconciliation by replacing StrategicMergePatch with MergePatch to properly handle runtime.RawExtension fields. by @​seshachalam-yv [#​10904]

🏃 Others

• [OPERATOR] update alpine to get latest security fixes by @​DockToFuture [#​10922]
• [OPERATOR] Add support for node-local-dns in dual-stack cluster. by @​axel7born [#​10891]
• [OPERATOR] Add dual stack support for VPN. by @​DockToFuture [#​10767]
• [OPERATOR] Fix kubelet CSRs to allow IPv6 addresses to be used by @​kron4eg [#​10876]
• [OPERATOR] Add dashboard for VPA admission-controller by @​voelzmo [#​10741]
• [OPERATOR] The HVPA component is removed. Before updating to this version of Gardener, make sure that you upgraded to v1.106.0 and all Seed and Garden resources reconciled with that version. This is required to ensure that the HVPA component and its CRD were properly cleaned up. by @​ialidzhikov [#​10851]
• [OPERATOR] Added validation for issuerURL in the OIDC configuration to reject URLs containing fragments. by @​acumino [#​10888]
• [OPERATOR] The gardener/dependency-watchdog image has been updated to v1.3.0. Release Notes by @​rishabh-11 [#​10930]
• [OPERATOR] Adapt configure-admission.sh for new extension releases with changed value names for Helm charts. by @​MartinWeindel [#​10877]
• [DEPENDENCY] The registry.k8s.io/cpa/cluster-proportional-autoscaler image has been updated to v1.9.0. by @​gardener-ci-robot [#​10898]
• [DEPENDENCY] The gardener/autoscaler image has been updated to v1.30.1. Release Notes by @​gardener-ci-robot [#​10914]
• [DEPENDENCY] The gardener/vpn2 image has been updated to 0.30.0. Release Notes by @​gardener-ci-robot [#​10872]
• [DEPENDENCY] The registry.k8s.io/coredns/coredns image has been updated to v1.11.4. by @​gardener-ci-robot [#​10856]
• [DEPENDENCY] The gardener/gardener-discovery-server image has been updated to v0.3.0. Release Notes by @​gardener-ci-robot [#​10849]
• [DEPENDENCY] The gardener/etcd-druid image has been updated to v0.25.0. Release Notes by @​gardener-ci-robot [#​10932]
• [DEPENDENCY] The gardener/machine-controller-manager image has been updated to v0.55.0. Release Notes by @​rishabh-11 [#​10908]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.109.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.109.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.109.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.109.0

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.109.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.109.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.109.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.109.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.109.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.109.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.109.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.109.0

v1.108.2

Compare Source

[gardener/gardener]

🐛 Bug Fixes

• [USER] On Shoot deletion, Gardener now properly skips certain validation checks that are only relevant for creations or updates of Shoot resources. by [@​rfranzke](http

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.