chore(deps): bump github.com/gardener/gardener from 1.105.0 to 1.107.0

[dependabot]

Bumps github.com/gardener/gardener from 1.105.0 to 1.107.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.107.0

[gardener/gardener]

⚠️ Breaking Changes

• [DEVELOPER] The unused method WithShootCredentials have been removed from github.com/gardener/gardener/pkg/gardenlet/operation/shoot.Builder. by @​vpnachev #10672
• [DEVELOPER] In the local development setup, the images are pushed to garden.local.gardener.cloud:5001 instead of localhost:5001 now. Please add 127.0.0.1 garden.local.gardener.cloud to your /etc/hosts. by @​rrhubenov #10257
• [OPERATOR] Feature gate IPv6SingleStack has been removed. Infrastructure-specific validations will be added in parallel to the corresponding provider extensions. by @​ScheererJ #10716

📰 Noteworthy

• [OPERATOR] ManagedSeed's .spec.gardenlet.config.seedConfig.spec.ingress.controller.kind field is now defaulted to nginx when
  .spec.gardenlet.config.seedConfig or .spec.gardenlet.config.seedConfig.spec.ingress is nil.
  This allows the creation of ManagedSeed without specifying the .spec.gardenlet field. by @​RadaBDimitrova #10655
• [OPERATOR] A new required controller was added to gardener-operator. It maintains the RequiredRuntime condition for Extension resources to indicate that the extension deployment is required in the Garden-Runtime cluster. by @​timuthy #10650
• [OPERATOR] The gardener/controlplane Helm chart has been deprecated and will be removed after v1.135 has been released (around beginning of 2026). We urge you to switch to a gardener-operator-based installation. Read all about it here. by @​rfranzke #10706
• [DEVELOPER] .spec.gardenlet of ManagedSeed is now a required field. This was already the case from an API perspective, enforced by validation. by @​RadaBDimitrova #10648
• [USER] The spec.kubernetes.kubeAPIServer.oidcConfig field in the Shoot API is deprecated and will be removed after support for Kubernetes 1.31 is dropped. by @​AleksandarSavchev #10666

✨ New Features

• [OPERATOR] If an admission webhook which was deployed via Extension resource by gardener-operator is deleted again, its webhook configuration in the virtual-cluster is cleaned up automatically. by @​oliver-goetz #10585
• [OPERATOR] The CloudProfile, Seed, and Shoot APIs are now allowing to configure access restrictions (e.g., to enable "EU access"-only or similar policies). The legacy approach with the seed.gardener.cloud/eu-access labels is deprecated and will be removed in a future release. Make sure to adapt to the new APIs. Read all about it here. by @​rfranzke #10654
• [USER] The viewer kubeconfigs for shoot clusters now allow the pods/log subresource. by @​rfranzke #10711
• [USER] Service Account Managed Issuer can be now enabled for workerless shoot clusters. by @​dimityrmirchev #10689
• [USER] Structured authorization configuration can now be set by creating a ConfigMap with the AuthorizationConfiguration file set in the config.yaml data key and referencing it (in the Shoot via .spec.kubernetes.kubeAPIServer.structuredAuthorization, in the Garden via .spec.virtualCluster.kubernetes.kubeAPIServer.structuredAuthorization for Kubernetes versions >= v1.30. Read all about it here. by @​rfranzke #10682
• [USER] Gardener reports the cluster's egress CIDRs in Shoot.status.networking.egressCIDRs if supported by the used provider extension. by @​timebertt #10240

🐛 Bug Fixes

• [OPERATOR] Fix Prometheus rule shoot-kube-proxy. by @​LucaBernstein #10757
• [OPERATOR] The TopologySpreadConstraints calculation was improved for StatefulSets to always use a stable label selector. This led to issues in the past when shoots were upgraded to HA. by @​timuthy #10750
• [OPERATOR] valitail version is now pinned to v2.2.15 (depends on glibc 2.32). by @​ialidzhikov #10776

🏃 Others

• [DEPENDENCY] The credativ/plutono image has been updated to v7.5.34. Release Notes by @​gardener-ci-robot #10732
• [DEPENDENCY] The gardener/etcd-druid image has been updated to v0.23.2. Release Notes by @​gardener-ci-robot #10747
• [DEPENDENCY] The gardener/cert-management image has been updated to v0.16.0. Release Notes by @​gardener-ci-robot #10684
• [DEPENDENCY] The credativ/vali image has been updated to v2.2.19. Release Notes by @​gardener-ci-robot #10680
• [DEPENDENCY] The gcr.io/istio-release/pilot image has been updated to 1.23.3. by @​gardener-ci-robot #10725
• [DEPENDENCY] The quay.io/prometheus/prometheus image has been updated to v2.55.0. by @​gardener-ci-robot #10697
• [DEPENDENCY] The quay.io/prometheus-operator/prometheus-config-reloader image has been updated to v0.77.2. by @​gardener-ci-robot #10692
• [DEPENDENCY] The envoyproxy/envoy image has been updated to v1.32.1. Release Notes by @​gardener-ci-robot #10755
• [DEPENDENCY] The gardener/dashboard image has been updated to 1.78.0. Release Notes by @​gardener-ci-robot #10731
• [OPERATOR] The admission automatically adds the provider.extensions.gardener.cloud label to NamespacedCloudProfiles. by @​LucaBernstein #10742
• [OPERATOR] Add dual-stack support for coredns. by @​DockToFuture #10733
• [OPERATOR] Allow extensions to be scraped in garden runtime cluster even outside garden namespace by @​ScheererJ #10720
• [OPERATOR] Add label selector to ShootResourceReservation plugin to control for which Shoots the ShootResourceReservation Plugin sets kubeReserved according to the GKE formula when useGKEFormula: true is set. by @​voelzmo #10492
• [OPERATOR] Increase the readiness probe timeout for the gardener-metrics-exporter from 1s to 10s. by @​vicwicker #10771
• [OPERATOR] The gardener/etcd-druid image has been updated to v0.23.1. Release Notes v0.23.1, Release Notes v0.23.0 by @​shreyas-s-rao #10526
• [OPERATOR] The autoscaler/cluster-autoscaler image has been updated to v1.29.2 (for Kubernetes v1.29). Release Notes by @​rishabh-11 #10700
• [OPERATOR] Gardener API Server feature gate ShootCredentialsBinding has been promoted to beta and is enabled by default. by @​dimityrmirchev #10662
• [DEVELOPER] Add Make target make operator-seed-dev for local development of the gardenlet in the operator setup. by @​marc1404 #10710

... (truncated)

Commits

• 3bb8cdc Release v1.107.0
• cac3a69 Fix network validation for Shoot control plane migration case. (#10777)
• 4af74fa Revert "chore(deps): update dependency kyverno/kyverno to v1.13.0 (#10746)" (...
• 93593d0 Pin valitail version to v2.2.15 (#10776)
• bb89282 [release-v1.107] Fix index out of range error in access restriction handling ...
• 60b675c Increase the readiness probe timeout for the gardener-metrics-exporter (#10771)
• c03003d Fix Prometheus rule shoot-kube-proxy (kube-proxy.rules) (#10757)
• 3544c00 Add check for using plain http on helm push only if registry is glgc (#10743)
• 55caa7f chore(deps): update dependency envoyproxy/envoy to v1.32.1 (#10755)
• ee2de9a Fix TSC for StatefulSets (#10750)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[gardener-robot]

@dependabot[bot] Thank you for your contribution.

[gardener-robot-ci-2]

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[gardener-robot]

@dependabot[bot] You need rebase this pull request with latest master branch. Please check.

[gardener-prow]

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-extension-networking-calico	8e6fc1b	link	true	/test pull-extension-networking-calico
pull-extension-networking-calico-e2e-kind	8e6fc1b	link	true	/test pull-extension-networking-calico-e2e-kind

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[dependabot]

Looks like github.com/gardener/gardener is up-to-date now, so this is no longer needed.