🤖 Update gardener/gardener to v1.140.0 (minor)

[ske-renovate-ce]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gardener/gardener	v1.139.1 → v1.140.0
github.com/gardener/gardener/pkg/apis	v1.139.1 → v1.140.0

---

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.140.0

Compare Source

[github.com/gardener/gardener:v1.140.0]

⚠️ Breaking Changes

• [OPERATOR] The UseUnifiedHTTPProxyPort feature gate has been promoted to Beta and is enabled by default. If using the Gardener ACL Extension you need make sure that at least version v1.15.0 is installed and all Shoots are reconciled before the upgrade. by @​jamand [#​14422]
• [DEVELOPER] The generate-admin-kubeconf.sh script has been renamed to generate-kubeconfig.sh. It now supports generating both admin (default) and viewer kubeconfigs. by @​timuthy [#​14464]
• [DEVELOPER] The gardenadm machine pods have their state persisted in a unified PVC. Existing local gardenadm setups need to be recreated. To reset a local machine pod, delete both the pod and its corresponding PVC. by @​LucaBernstein [#​14359]
• [DEVELOPER] GEN_CRD_API_REFERENCE_DOCS make command has been replaced with CRD_REF_DOCS. by @​acumino [#​14324]
• [DEPENDENCY] The pkg/utils/time package is now removed. Use k8s.io/utils/clock.Clock instead. by @​shafeeqes [#​14515]

📰 Noteworthy

• [OPERATOR] The SeedAuthorizer now enforces field/label selectors for gardenlet list/watch requests on ControllerInstallation, Bastion, Gardenlet, Seed, Shoot, and ManagedSeed resources, restricting each gardenlet to only observe resources belonging to its own seed. by @​rfranzke [#​14452]
• [OPERATOR] The gardener-resource-manager's NetworkPolicy controller now only creates policies in namespaces that have pods with matching to-* labels, significantly reducing the number of NetworkPolicy objects on seeds. by @​rfranzke [#​14410]
• [OPERATOR] RemoveVali FeatureGate has been introduced. When enabled, every Vali instance will be removed. This feature gate is available for both the gardenlet and the gardener-operator. by @​rrhubenov [#​14279]
• [DEVELOPER] The sast and sast-report checks have been removed from verify and verify-extended make targets. Please call them explicitly when required. by @​oliver-goetz [#​14443]

✨ New Features

• [OPERATOR] The Project API now has a .status.conditions field for allowing controllers to report conditions on Project objects. by @​jamand [#​14403]
• [DEVELOPER] The local setup has been augmented to make the self-hosted shoot's API server directly accessible from the host machine without kubectl port-forward. A new unified hack/usage/generate-admin-kubeconfig-local.sh script supports generating kubeconfigs for both the virtual garden and the self-hosted shoot. by @​rfranzke [#​14370]

🐛 Bug Fixes

• [OPERATOR] The formatting of event-logger logs when the OpenTelemetryCollector feature gate is enabled is now partially fixed. The event-logger logs are now properly structured with fields as attributes, but to make them searchable with the unpack feature a change in the fluent-bit output plugin is required. by @​iypetrov [#​14423]
• [OPERATOR] The gardenlet reconciler in the gardener-operator now uses the virtual cluster client to fetch the pull secret and CA bundle secret. It was wrongly using the runtime cluster client earlier. by @​shafeeqes [#​14331]
• [OPERATOR] Fix a bug where the shoot-care controller cannot reconcile shoots with spec.maintenance.confineSpecUpdateRollout=true and updated DNS credentials, i.e. shoot.spec.dns.providers[].credentialsRef, until the shoot is reconciled. by @​vpnachev [#​14397]
• [USER] Fixed EveryNodeReady shoot condition incorrectly reporting NodeAgentUnhealthy for nodes not managed by MCM. by @​acumino [#​14509]
• [DEVELOPER] Pull secrets in the remote setup are labeled correctly to be automatically propagated by @​matthias-horne [#​14502]
• [DEPENDENCY] Extension shoot webhook configs are now always produced even when mergeShootWebhooksIntoSeedWebhooks is true, so that a self-hosted Shoot promoted to a Seed has the correct shoot webhooks registered. by @​rfranzke [#​14389]

🏃 Others

• [OPERATOR] Fix KubePodNotReadyControlPlane alert to not trigger for pods in Completed state. by @​adenitiu [#​14404]
• [OPERATOR] Create pull secret in garden namespace of virtual garden for remote setup. by @​DockToFuture [#​14449]
• [OPERATOR] Introduce seed reconciliation alerts. by @​adenitiu [#​14441]
• [OPERATOR] Enable notification flexibility of EtcdDbSizeLimitApproaching and EtcdDbSizeLimitCrossed alert for seeds by @​adenitiu [#​14384]
• [OPERATOR] The following dependencies have been updated:
  • gardener/autoscaler from v1.34.0 to v1.34.1. Release Notes
  • gardener/autoscaler from v1.33.0 to v1.33.1. Release Notes
  • gardener/autoscaler from v1.32.2 to v1.32.3. Release Notes
  • gardener/autoscaler from v1.31.0 to v1.31.1. Release Notes
  • gardener/autoscaler from v1.30.2 to v1.30.3. Release Notes by @​aaronfern [#​14479]
• [OPERATOR] There is now maxConnectionDuration of 1 day for connections to kube-apiserver endpoints. Their maxConnections limit has been removed. by @​oliver-goetz [#​14463]
• [DEVELOPER] The default shoot for test machinery tests was adjusted to work with Kubernetes 1.35. by @​timuthy [#​14439]
• [DEVELOPER] In the remote setup Kyverno now always adds imagePullSecret for images in the remote registry. by @​matthias-horne [#​14478]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/autoscaling/vpa-admission-controller from 1.5.1 to 1.6.0.
  • registry.k8s.io/autoscaling/vpa-recommender from 1.5.1 to 1.6.0.
  • registry.k8s.io/autoscaling/vpa-updater from 1.5.1 to 1.6.0. by @​gardener-ci-robot [#​14036]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/machine-controller-manager from v0.61.2 to v0.61.3. Release Notes
  • github.com/gardener/machine-controller-manager from v0.61.2 to v0.61.3. by @​gardener-ci-robot [#​14453]
• [DEPENDENCY] Istio charts and images are updated to v1.29.1 by @​axel7born [#​14454]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/gardener-metrics-exporter from 0.43.0 to 0.44.0. Release Notes by @​gardener-ci-robot [#​14486]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/kiwigrid/k8s-sidecar from 2.5.0 to 2.5.5. by @​gardener-ci-robot [#​14480]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/coredns-config-adapter from v0.4.0 to v0.5.0. Release Notes by @​DockToFuture [#​14490]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.140.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.140.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.140.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.140.0

Container (OCI) Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.140.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.140.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.140.0
• gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.140.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.140.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.140.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.140.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.140.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.140.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[ske-renovate-ce]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
k8s.io/autoscaler/vertical-pod-autoscaler	v1.5.1 -> v1.6.0
github.com/andybalholm/brotli	v1.2.0 -> v1.2.1
istio.io/api	v1.27.8 -> v1.29.1
istio.io/client-go	v1.27.2 -> v1.29.1

[ske-renovate-ce]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[ske-prow]

LGTM label has been added.

Details

Git tree hash: b59d3acd0b2e2aba4dbca76b70a260fb99706730

[ske-prow]

LGTM label has been added.

Details

Git tree hash: 71fe2bc805cf2bf74bf0983a6809b1ae33b38ecf

[ske-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ftl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ftl]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment