Update module github.com/gardener/gardener to v1.120.0 #876

Open; 1 commit to merge into base: main

@renovate renovate bot commented May 5, 2025

This PR contains the following updates:

Package: github.com/gardener/gardener
Change: v1.117.5 -> v1.120.0

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.120.0

Compare Source

[gardener/gardener]
⚠️ Breaking Changes
  • [DEPENDENCY] The machinecontrollermanager.ProviderSidecarContainer now expects additional shoot and controlPlaneNamespace params. In controlplane webhooks, extensions can use GardenContext.GetCluster to retrieve the shoot from the Cluster object. by @​timebertt [#​12152]
  • [OPERATOR] The graduated and unconditionally enabled ShootForceDeletion feature gate has been removed. If you have references to the feature gate, clean them up before upgrading to this version of Gardener. by @​acumino [#​12078]
  • [OPERATOR] The field .seedConfig.spec.backup.credentialsRef/secretRef will no longer be defaulted in GardenletConfiguration when backup is configured but reference to credentials is not provided. Operators are responsible to provide a valid credentials reference when configuring backup for seeds. Please consult the deploy gardenlet documentation for more information. by @​dimityrmirchev [#​12087]
  • [OPERATOR] The BackupBucket API field spec.secretRef has been deprecated and will be removed in a future version of Gardener in favor of spec.credentialsRef, please adapt your BackupBucket manifests to use the new credentialsRef field. by @​vpnachev [#​12032]
  • [OPERATOR] A new field, clusterCompatibility, has been added to the Extension API. If your landscape is managed by gardener-operator and your garden specifies spec.extensions, please add the garden cluster type value to your corresponding Extension resources. by @​timuthy [#​11982]
  • [DEVELOPER] WorkerPoolHash now includes a new parameter additionalDataInPlace to support hash calculation for worker pools using the InPlace update strategy. by @​acumino [#​12178]
  • [DEVELOPER] The already deprecated github.com/gardener/gardener/pkg/utils/gardener.ReconcileTopologyAwareRoutingMetadata func is now removed. Instead, use github.com/gardener/gardener/pkg/utils/gardener.ReconcileTopologyAwareRoutingSettings. by @​ialidzhikov [#​12091]
📰 Noteworthy
  • [DEVELOPER] The Shoot Pod autoscaling best practices guide now recommends for a container under VPA to not set initial resource requests less than VPA's minAllowed or 10m and 10Mi. 10m and 10Mi are the minimum resources VPA can recommend for a Pod (for a Pod, not a container). When a Pod with a single container under VPA defines initial resource requests less than VPA's minAllowed or 10m and 10Mi, it gets evicted right away so that the Pod minimum recommendation gets applied. by @​ialidzhikov [#​12030]
  • [DEVELOPER] The .spec.purpose field in the ControlPlane resource is now deprecated and will be removed in Gardener v1.123. In the times before SNI was introduced and unconditionally enabled it was previously used to manage control plane exposure. by @​theoddora [#​12161]
  • [OPERATOR] The field globallyEnabled in the Extension and ControllerRegistration APIs is deprecated and will be removed in Gardener v1.122. Please use autoEnable instead. by @​timuthy [#​11982]
  • [OPERATOR] The initial resource requests of etcd container are reduced as follows:
✨ New Features
  • [OPERATOR] New configuration options were added to Extension and ControllerRegistration APIs:
    • autoEnable controls which cluster types an extension is automatically enabled (previously globallyEnabled - deprecated now)
    • clusterCompatibility controls which cluster types an extension is compatible with.
      Both fields are supposed to be set for kind: Extension and accept the cluster types shoot, seed and garden. by @​timuthy [#​11982]
  • [OPERATOR] The Garden resource has been enhanced with a new field, spec.VirtualCluster.ETCD.Main.Backup.Region, which enables the configuration of the backup bucket region. Previously, the region was derived from the provider (spec.runtimeCluster.provider.region). This behavior remains as a fallback if the backup region is not explicitly specified. by @​timuthy [#​12186]
  • [OPERATOR] The BackupBucket API features a new field spec.credentialsRef, it is of type corev1.ObjectReference and is allowed to refer to a Secret. by @​vpnachev [#​12032]
  • [USER] It's now possible to configure the MaxParallelImagePulls field for the kubelet configuration in the Shoot spec via the .spec.{provider.workers[]}.kubernetes.kubelet.maxParallelImagePulls field. by @​theoddora [#​12093]
  • [DEVELOPER] BackupBucket extension controllers: Instead of always creating the Secret referenced in .status.generatedSecretRef in the garden namespace, the controller should read the annotation backupbucket.extensions.gardener.cloud/generated-secret-ref-namespace and use its value. by @​rfranzke [#​12123]
  • [DEVELOPER] The cloud provider Secret is now deployed into the autonomous shoot cluster (if specified). by @​ScheererJ [#​12146]
🐛 Bug Fixes
  • [USER] gardenlet: An issue causing the CA bundle on the Nodes to contain wrong certificates when a worker specifies a custom CA bundle (spec.provider.workers[].caBundle) is now fixed. by @​dimitar-kostadinov [#​12150]
  • [OPERATOR] The deletion of NamespacedCloudProfiles has been fixed. Previously, users could not delete these resources if objects with the same name but in different namespaces existed in the landscape. Gardener incorrectly reported them as still being referenced by shoot clusters. by @​timuthy [#​12188]
  • [OPERATOR] Fixed a bug that caused the gardener operator to never reconcile the Garden object, when there was no gardenerDashboard defined. by @​Wieneo [#​12153]
🏃 Others
  • [DEVELOPER] The github.com/gardener/gardener/pkg/component/nodemanagement/machinecontrollermanager.ProviderSidecarContainer func does now set initial resource requests for the machine-controller-manager provider sidecar container in order to avoid unnecessary VPA eviction for the machine-controller-manager Pod after the first VPA recommendation. by @​ialidzhikov [#​12160]
  • [DEVELOPER] GEP-34 Introducing OpenTelemetry Operator and Collectors in Shoot Control Planes by @​nickytd [#​11861]
  • [DEVELOPER] Remove unused codepath from the hack/.ci/component_descriptor script. by @​ccwienk [#​12173]
  • [DEVELOPER] Shoot creation test supports using CredentialsBindings. by @​hendrikKahl [#​12190]
  • [OPERATOR] Fix a race condition in dual-stack migration where kube-dns service gets created with an arbitrary assigned IPv6 clusterIP address. by @​DockToFuture [#​12170]
  • [OPERATOR] The terminal-controller-manager no longer needs to list Secrets from the (virtual) garden cluster. by @​petersutter [#​12145]
  • [OPERATOR] gardener-node-agent now executes readiness probe when the registry config is updated. Previously, the readiness probe was not executed if the corresponding hosts.toml file was present. by @​ialidzhikov [#​11864]
  • [OPERATOR] Obsolete journald-kubelet-monitor ClusterFilter and ClusterInput resources are now deleted. The systemd unit kubelet-monitor was replaced by a healthcheck controller in the gardener-node-agent in Gardener v1.87.0. by @​ialidzhikov [#​12094]
  • [OPERATOR] Field garden.spec.virtualCluster.kubernetes.kubeAPIServer.sni.secretName has been made optional. Instead gardener-operator falls back to a gardener.cloud/role: garden-cert labelled secret for the SNI setup. by @​timuthy [#​12133]
  • [OPERATOR] The etcd VerticalPodAutoscaler resources now target the Etcd instead of the StatefulSet resource. On the first Seed reconciliation that deploys [email protected] etcd VerticalPodAutoscaler resources might be not operating for up to 10min due to this migration of the VerticalPodAutoscaler target from the StatefulSet to the Etcd resource. by @​shreyas-s-rao [#​12176]
  • [OPERATOR] The cpu resource requests for cluster-autoscaler, gardener-resource-manager, kube-controller-manager, kube-scheduler and machine-controller-manager are increased from 5m to 10m in order to avoid unnecessary VPA eviction for these components after the first VPA recommendation. by @​ialidzhikov [#​12148]
  • [OPERATOR] gardenadm artefacts uploaded as part of a release are now compressed. by @​ScheererJ [#​12179]
  • [OPERATOR] Terraformer pod no longer defines resource limits. by @​kon-angelo [#​12200]
  • [OPERATOR] Drop Istio histogram metrics from Prometheus by @​vicwicker [#​12142]
  • [OPERATOR] node-problem-detector: the readonly-monitor is now enabled as part of the system-log-monitor.
    This monitor detects read-only filesystems and reports them as a nodeCondition on the Node object. by @​rgroemmer [#​12095]
  • [OPERATOR] Clean up garden_shoots_custom_privileged_containers_total metric collection. by @​chrkl [#​12174]
  • [DEPENDENCY] The following dependencies have been updated:
Helm Charts
  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.120.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.120.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.120.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.120.0
Container (OCI) Images
  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.120.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.120.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.120.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.120.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.120.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.120.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.120.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.120.0

v1.119.0

Compare Source

[gardener/gardener]
🛡️ Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2025-47284: Metadata injection for a project secret can lead to privilege escalation

A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Affected Versions:

  • gardenlet < v1.116.4
  • gardenlet < v1.117.5
  • gardenlet < v1.118.2
  • gardenlet < v1.119.0

Fixed Versions:

  • gardenlet >= v1.116.4
  • gardenlet >= v1.117.5
  • gardenlet >= v1.118.2
  • gardenlet >= v1.119.0

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H

CVE-2025-47283: Bypassing project secret validation can lead to privilege escalation

A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Affected Versions:

  • Gardener < v1.116.4
  • Gardener < v1.117.5
  • Gardener < v1.118.2
  • Gardener < v1.119.0

Fixed Versions:

  • Gardener >= v1.116.4
  • Gardener >= v1.117.5
  • Gardener >= v1.118.2
  • Gardener >= v1.119.0

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/MA:H

⚠️ Breaking Changes
  • [OPERATOR] The already deprecated autoscaling.k8s.io/v1beta2 API version is no longer served. Before upgrading to this version of Gardener, make sure that all components use the autoscaling.k8s.io/v1 API version for managing VerticalPodAutoscaler resources. by @​ialidzhikov [#​11840]
  • [OPERATOR] The support for the already deprecated shoot.gardener.cloud/managed-seed-api-server annotation is now removed. Instead, consider enabling high availability for the ManagedSeed's Shoot control plane. by @​ialidzhikov [#​11838]
  • [USER] The already deprecated autoscaling.k8s.io/v1beta2 API version is no longer served. Instead, use the autoscaling.k8s.io/v1 API version for managing VerticalPodAutoscaler resources. by @​ialidzhikov [#​11840]
📰 Noteworthy
  • [USER] The spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication field in the Shoot API is deprecated and will be removed in a future release. Before removal, it will be forbidden to set the field when using a future Kubernetes version that graduates the feature gate AnonymousAuthConfigurableEndpoints. by @​marc1404 [#​11984]
  • [OPERATOR] The RemoveAPIServerProxyLegacyPort feature gate has been promoted to beta and is now turned on by default. by @​Wieneo [#​11902]
✨ New Features
  • [OPERATOR] Garden.spec.virtualCluster.gardener.gardenerDashboard.ingress.enabled can now be used to control whether the gardener-operator should deploy an Ingress resource for the dashboard. by @​Wieneo [#​12002]
  • [OPERATOR] Garden.spec.virtualCluster.gardener.gardenerDashboard.oidcConfig.certificateAuthoritySecretRef can now be used to specify a secret containing a custom CA certificate for talking to the OIDC endpoint. The certificate must be stored under the ca.crt key. by @​Wieneo [#​11967]
  • [OPERATOR] Gardener supports gardener-node-agent images built by ko. by @​timebertt [#​12021]
  • [OPERATOR] It is now possible to force gardener-operator to re-deploy gardenlets by annotating the responsible seedmanagement.gardener.cloud/v1alpha1.Gardenlet resource with gardener.cloud/operation=force-redeploy. Read all about it here. by @​rfranzke [#​11972]
🐛 Bug Fixes
  • [OPERATOR] gardenlet's shoot-care controller: An issue causing gardenlet to report a misleading reason (NodesScalingDown) during rolling update of Shoot Nodes is now fixed. by @​RadaBDimitrova [#​11869]
  • [DEVELOPER] Fix extension webhook registration for autonomous shoot clusters. by @​ScheererJ [#​12040]
🏃 Others
  • [OPERATOR] It is now ensured that extension admission webhooks have validated WorkloadIdentitys/Secrets referenced in Shoots. by @​rfranzke [#​12075]
  • [OPERATOR] Annotations and labels are now ignored when creating referenced resources in the shoot control plane namespaces in seed clusters. by @​rfranzke [#​12064]
  • [OPERATOR] Set minAllowed CPU to 150m for prometheus-shoot to avoid frequent evictions by @​voelzmo [#​12069]
  • [OPERATOR] A new check ensures that only owners and project members with a UAM role are allowed to modify the project owner. by @​timuthy [#​12082]
  • [OPERATOR] The utilization of the VPN containers running in the seed is now improved by adapting their initial/static requests and by changing the corresponding VPA configuration:
    • autoscaling is disabled for the vpn-seed-server and openvpn-exporter containers
    • initial/static resource requests are reduced
    • limits are removed
    • minAllowed for the envoy-proxy container is removed by @​axel7born [#​12023]
  • [OPERATOR] Remove sum for VPA Pod metrics in 'recommendations' dashboard by @​voelzmo [#​12057]
  • [OPERATOR] Spreading Istio ingress-gateway pods across hosts is enforced only for zonal Istio deployments now. by @​oliver-goetz [#​12007]
  • [OPERATOR] kube-proxy no longer fails its readiness probe in case the node is about to be deleted by cluster-autoscaler. by @​ScheererJ [#​12015]
  • [DEPENDENCY] The following dependencies have been updated:
    • gcr.io/istio-release/pilot from 1.25.2 to 1.25.3.
    • gcr.io/istio-release/proxyv2 from 1.25.2 to 1.25.3.
    • istio.io/api from v1.25.2 to v1.25.3. by @​gardener-ci-robot [#​12074]
  • [DEVELOPER] The admission-local deployment was fixed to work with KinD based test setup. by @​timuthy [#​12106]
📖 Documentation
  • [USER] Dual-Stack Migration documentation now clearly states the precondition of overlay removal. by @​ScheererJ [#​12053]
Helm Charts
  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.119.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.119.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.119.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.119.0
Container (OCI) Images
  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.119.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.119.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.119.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.119.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.119.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.119.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.119.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.119.0

v1.118.2

Compare Source

[gardener/gardener]
🛡️ Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2025-47284: Metadata injection for a project secret can lead to privilege escalation

A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Affected Versions:

  • gardenlet < v1.116.4
  • gardenlet < v1.117.5
  • gardenlet < v1.118.2
  • gardenlet < v1.119.0

Fixed Versions:

  • gardenlet >= v1.116.4
  • gardenlet >= v1.117.5
  • gardenlet >= v1.118.2
  • gardenlet >= v1.119.0

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H

CVE-2025-47283: Bypassing project secret validation can lead to privilege escalation

A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Affected Versions:

  • Gardener < v1.116.4
  • Gardener < v1.117.5
  • Gardener < v1.118.2
  • Gardener < v1.119.0

Fixed Versions:

  • Gardener >= v1.116.4
  • Gardener >= v1.117.5
  • Gardener >= v1.118.2
  • Gardener >= v1.119.0

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/MA:H

🐛 Bug Fixes
  • [OPERATOR] A bug preventing the system:serviceaccount:kube-system:gardener-internal service account, used by gardener-operator, to label restricted resources was fixed. by @​dimityrmirchev [#​12063]
🏃 Others
  • [OPERATOR] Annotations and labels are now ignored when creating referenced resources in the shoot control plane namespaces in seed clusters. by @​rfranzke [#​12064]
  • [OPERATOR] Set minAllowed CPU to 150m for prometheus-shoot to avoid frequent evictions by @​voelzmo [#​12069]
  • [OPERATOR] A new check ensures that only owners and project members with a UAM role are allowed to modify the project owner. by @​timuthy [#​12082]
  • [OPERATOR] It is now ensured that extension admission webhooks have validated WorkloadIdentitys/Secrets referenced in Shoots. by @​rfranzke [#​12075]
  • [DEPENDENCY] The following dependencies have been updated:
  • [DEVELOPER] The admission-local deployment was fixed to work with KinD based test setup. by @​timuthy [#​12106]
Helm Charts
  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.118.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.118.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.118.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.118.2
Container (OCI) Images
  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.118.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.118.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.118.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.118.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.118.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.118.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.118.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.118.2

v1.118.1

Compare Source

[gardener/gardener]
🐛 Bug Fixes
  • [OPERATOR] Fix a regression that prevented the cache Prometheus in a Gardener managed seed from scraping the cadvisor and kubelet metrics of the seed nodes, and hence the shoot control plane Plutono dashboards could not show e.g. the CPU usage of the control plane components. (part 2) by @​istvanballok [#​12049]
  • [OPERATOR] An issue preventing vpa-updater to patch events when recording eviction event on VerticalPodAutoscaler resource is now fixed. by @​ialidzhikov [#​12035]
🏃 Others
Helm Charts
  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.118.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.118.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.118.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.118.1
Container (OCI) Images
  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.118.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.118.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.118.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.118.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.118.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.118.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.118.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.118.1

v1.118.0

Compare Source

[gardener/gardener]
⚠️ Breaking Changes
  • [OPERATOR] The Seed API field spec.backup.secretRef has been deprecated and will be removed in a future version of Gardener in favor of spec.backup.credentialsRef, please adapt your seed manifests to use the new credentialsRef field. by @​vpnachev [#​11583]
  • [OPERATOR] Gardener no longer sets the flags --audit-log-(path|maxsize|maxbackups) on shoot kube-apiservers, gardener-apiserver or Garden's virtual-garden-kube-apiserver. If you rely on the audit logs being available in the file /tmp/audit/audit.log in the container's file system, please follow controlplane-webhooks and set the required flags via mutating webhook. by @​vpnachev [#​11935]
  • [OPERATOR] The ManagedSeed API field spec.gardenlet.config.seedConfig.spec.backup.secretRef has been deprecated and will be removed in a future version of Gardener in favor of spec.gardenlet.config.seedConfig.spec.backup.credentialsRef, please adapt your managedseed manifests to use the new credentialsRef field. by @​vpnachev [#​11583]
  • [OPERATOR] The legacy support.gardener.cloud/eu-access* labels and annotations on CloudProfiles and Seeds are no longer synced automatically. You have to use the new API established in Gardener v1.107 (released in 11/2024). Read more about it here. Please make sure to manually remove these labels and annotations from your CloudProfiles and Seeds! by @​rfranzke [#​11913]
  • [OPERATOR] The Gardenlet API field spec.config.seedConfig.spec.backup.secretRef has been deprecated and will be removed in a future version of Gardener in favor of spec.config.seedConfig.spec.backup.credentialsRef, please adapt your gardenlet manifests to use the new credentialsRef field. by @​vpnachev [#​11583]
  • [OPERATOR] The GardenletConfiguration configuration file field seedConfig.spec.backup.secretRef has been deprecated and will be removed in a future version of Gardener in favor of seedConfig.spec.backup.credentialsRef, please adapt your GardenletConfiguration configuration files to use the new credentialsRef field. by @​vpnachev [#​11583]
  • [USER] The legacy support.gardener.cloud/eu-access* labels and annotations on Shoots are no longer synced automatically. You have to use the new API established in Gardener v1.107 (released in 11/2024). Read more about it here. Please make sure to manually remove these labels and annotations from your Shoots! by @​rfranzke [#​11913]
📰 Noteworthy
  • [USER] The CA bundle of the kubelet is now available via a ConfigMap in the project's namespace, called <shoot-name>.ca-kubelet. by @​tobschli [#​11916]
✨ New Features
  • [USER] The Stale Project Controller now also considers WorkloadIdentity resources when deciding if a Project is stale or not. by @​dimityrmirchev [#​11962]
  • [OPERATOR] Gardener core components are automatically restarted (due to a failing liveness probe) in case their Kubernetes API server watch caches do not sync for 3m. by @​rfranzke [#​11966]
  • [OPERATOR] The Seed API features a new field spec.backup.credentialsRef, it is of type corev1.ObjectReference and is allowed to refer to a Secret. by @​vpnachev [#​11583]
  • [OPERATOR] Add alpha feature gate CloudProfileCapabilities to enable usage of architecture capability instead of current architecture fields in machine images and types. by @​LucaBernstein [#​11736]
  • [OPERATOR] The GardenletConfiguration configuration file features a new field seedConfig.spec.backup.credentialsRef, it is of type corev1.ObjectReference and is allowed to refer to a Secret. by @​vpnachev [#​11583]
  • [OPERATOR] The ManagedSeed API features a new field spec.gardenlet.config.seedConfig.spec.backup.credentialsRef, it is of type corev1.ObjectReference and is allowed to refer to a Secret. by @​vpnachev [#​11583]
  • [OPERATOR] The Gardenlet API features a new field spec.config.seedConfig.spec.backup.credentialsRef, it is of type corev1.ObjectReference and is allowed to refer to a Secret. by @​vpnachev [#​11583]
🐛 Bug Fixes
  • [OPERATOR] The gardenlet deployer would not try to copy the shoot infrastructure secret for seed backup credentials if the shoot uses workload identity. by @​dimityrmirchev [#​11983]
  • [DEVELOPER] The DumpLogsForPodsWithLabelsInNamespace function in the test framework now supports dumping pods with multiple containers. by @​domdom82 [#​11878]
🏃 Others
  • [OPERATOR] Virtual extended resources can now be set on the NodeTemplate without triggering rollout by @​elankath [#​11809]
  • [OPERATOR] The gardener/autoscaler image has been updated to v1.32.0. Release Notes by @​marc1404 [#​11903]
  • [OPERATOR] The etcd-druid component no longer defines resource limits. by @​ialidzhikov [#​11973]
  • [OPERATOR] Fixed an issue, where IPv6 shoots without configured pod and service ranges can't be scheduled on seeds without configured shootDefaults. by @​axel7born [#​11955]
  • [DEPENDENCY] The following dependencies have been updated:
    • registry.k8s.io/autoscaling/vpa-admission-controller from 1.3.0 to 1.3.1.
    • registry.k8s.io/autoscaling/vpa-recommender from 1.3.0 to 1.3.1.
    • registry.k8s.io/autoscaling/vpa-updater from 1.3.0 to 1.3.1. by @​gardener-ci-robot [#​11985]
  • [DEVELOPER] The hack/tools/extension-generator tool now automatically sets the .spec.deployment.extension.injectGardenKubeconfig: true field in the generated provider Extension resources. by @​plkokanov [#​11837]
  • [DEVELOPER] A new flag -i|--inject-garden-kubeconfig was added to the hack/generate-controller-registration.sh script. When the flag is set, the injectGardenKubeconfig: true field is added to the generated ControllerDeployment. by @​plkokanov [#​11837]
Helm Charts
  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.118.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.118.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.118.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.118.0
Docker Images
  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.118.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.118.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.118.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.118.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.118.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.118.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.118.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.118.0

v1.117.6

Compare Source

[gardener/gardener]
🐛 Bug Fixes
  • [OPERATOR] The deletion of NamespacedCloudProfiles has been fixed. Previously, users could not delete these resources if objects with the same name but in different namespaces existed in the landscape. Gardener incorrectly reported them as still being referenced by shoot clusters. by @​timuthy [#​12193]
Helm Charts
  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.117.6
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.117.6
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.117.6
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.117.6
Container (OCI) Images
  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.117.6
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.117.6
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.117.6
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.117.6
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.117.6
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.117.6
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.117.6
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.117.6

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner May 5, 2025 02:01
@renovate renovate bot added area/dependency Issues or PRs related to dependency changes kind/chore Categorizes issue or PR as related to a chore. labels May 5, 2025
@renovate renovate bot enabled auto-merge (squash) May 5, 2025 02:01
@Disper Disper added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 5, 2025
@Disper
Member

Disper commented May 5, 2025

/hold
until we double check breaking changes around eu-access

@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch 12 times, most recently from a452baa to 9e6d843 Compare May 6, 2025 10:57
@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch from 9e6d843 to b55fcaf Compare May 12, 2025 07:57
@tobiscr
Contributor

tobiscr commented May 12, 2025

DO NOT MERGE - impacts have to be verified in #897

@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch from b55fcaf to b2786b7 Compare May 12, 2025 15:24
@renovate renovate bot changed the title Update module github.com/gardener/gardener to v1.118.0 Update module github.com/gardener/gardener to v1.118.1 May 12, 2025
@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch 7 times, most recently from 11bda26 to 5963853 Compare May 13, 2025 07:58
@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch from 5963853 to 0554134 Compare May 17, 2025 10:33
@renovate renovate bot changed the title Update module github.com/gardener/gardener to v1.118.1 Update module github.com/gardener/gardener to v1.118.2 May 17, 2025
@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch 3 times, most recently from 7f65c71 to 50fbcc3 Compare May 19, 2025 08:42
@renovate renovate bot changed the title Update module github.com/gardener/gardener to v1.118.2 Update module github.com/gardener/gardener to v1.119.0 May 19, 2025
@renovate renovate bot changed the title Update module github.com/gardener/gardener to v1.119.0 Update module github.com/gardener/gardener to v1.119.0 - autoclosed May 19, 2025
@renovate renovate bot closed this May 19, 2025
auto-merge was automatically disabled May 19, 2025 20:20

Pull request was closed

@renovate renovate bot deleted the renovate/github.com-gardener-gardener-1.x branch May 19, 2025 20:20
@renovate renovate bot changed the title Update module github.com/gardener/gardener to v1.119.0 - autoclosed Update module github.com/gardener/gardener to v1.119.0 May 23, 2025
@renovate renovate bot reopened this May 23, 2025
@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch from 2c9da32 to 50fbcc3 Compare May 23, 2025 11:04
@renovate renovate bot enabled auto-merge (squash) May 23, 2025 11:06
@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch 4 times, most recently from 13d9c21 to 4a3150a Compare May 28, 2025 15:20
@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch from 4a3150a to ce4500c Compare May 30, 2025 13:00
@renovate renovate bot force-pushed the renovate/github.com-gardener-gardener-1.x branch from ce4500c to be44720 Compare May 30, 2025 19:28
@renovate renovate bot changed the title Update module github.com/gardener/gardener to v1.119.0 Update module github.com/gardener/gardener to v1.120.0 May 30, 2025
Labels
area/dependency Issues or PRs related to dependency changes do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/chore Categorizes issue or PR as related to a chore.

2 participants