Bump github.com/gardener/gardener from 1.95.0 to 1.96.0

[dependabot]

Bumps github.com/gardener/gardener from 1.95.0 to 1.96.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.96.0

[gardener/gardener]

⚠️ Breaking Changes

• [DEVELOPER] The pkg/utils/kubernetes.{Key,ObjectMeta{FromKey}} functions have been dropped. Use client.ObjectKey or metav1.ObjectMeta instead. by @​rfranzke #9808
• [DEVELOPER] ControllerDeployment objects using a custom type (other than helm) are deprecated. Support for custom types will be removed when the core.gardener.cloud/v1beta1 API version is dropped. by @​timebertt #9771
• [DEVELOPER] Packages extensions/pkg/util/{secret,index} were removed. by @​dimityrmirchev #9784
• [DEVELOPER] The allow-shoot-networks NetworkPolicy has been dropped entirely, hence, the networking.gardener.cloud/to-shoot-networks=allowed label has no effect anymore and should be removed. by @​rfranzke #9752
• [DEPENDENCY] With the removal of the github.com/gardener/gardener/extensions/pkg/webhook/controlplane/genericmutator.Ensurer#EnsureKubeAPIServerService func, the provider extensions using the genericmutator.Ensurer no longer need to mutate Services and should no longer mutate Services to prevent no-op webhook invocations. by @​ialidzhikov #9770
• [DEPENDENCY] The github.com/gardener/gardener/extensions/pkg/webhook/controlplane/genericmutator.Ensurer#EnsureKubeAPIServerService func is removed. This func was used before the introduction of ManagedIstio/APIServerSNI (when the kube-apiserver Service was of type LoadBalancer) to set cloud provider specific annotations to the Service. However, after ManagedIstio/APIServerSNI are unconditionally enabled (the kube-apiserver Service is of type ClusterIP) this func is no longer used. Nowadays, istio-ingressgateway Service annotations can be provided via the Seed spec. by @​ialidzhikov #9770

📰 Noteworthy

• [DEVELOPER] The hack/generate-controller-registration.sh script now generates a ControllerDeployment object in the core.gardener.cloud/v1 API version. by @​timebertt #9771

✨ New Features

• [DEVELOPER] The secrets manager has new option for controlling the secret rotation. If the new generate option RenewAfterValidityPercentage(v) is set, a secret will be renewed based on whichever comes first: The percentage of validity you specify in RenewAfterValidityPercentage or 10 days before the secret's end of validity. If not specified, the default 80% is used as before. by @​MartinWeindel #9819
• [DEVELOPER] Extensions deploying shoot cluster system components can now make use of the pkg/component/observability/monitoring/prometheus/shoot.ClusterComponentScrapeConfigSpec function in order to generate a ScrapeConfig for the shoot's Prometheus. by @​rfranzke #9737
• [DEVELOPER] Skaffold now rebuilds components if embedded files have changed. by @​maboehm #9778
• [OPERATOR] A new core.gardener.cloud/v1 API version is introduced which only includes the ControllerDeployment resource for now. The new version of the ControllerDeployment drops the type and providerConfig fields in favor of a well-structured section for helm-based ControllerDeployments. by @​timebertt #9771
• [OPERATOR] Use .spec.settings.loadBalancerServices.proxyProtocol and .spec.settings.loadBalancerServices.zones[].proxyProtocol to specify whether your seed's load balancer services should terminate proxy protocol. The explicit nature of the setting allows a seamless migration while enforcing a good security posture. by @​ScheererJ #9844
• [OPERATOR] The VPAAndHPAForAPIServer feature gate is now also implemented for the gardener-operator. When enabled, the virtual-garden-kube-apiserver and gardener-apiserver are scaled simultaneously by VPA and HPA on the same metric (CPU and memory usage). by @​ialidzhikov #9735
• [OPERATOR] gardener-operator is now able to manage gardener-discovery-server. For details, please check the Discovery Server configuration section. by @​dimityrmirchev #9746
• [OPERATOR] It is now possible to specify an OCI repository in ControllerDeployments describing from where the Helm chart can be pulled (instead of specifying a base64-encoded chart in the specification). by @​maboehm #9823
• [USER] Users can now enable managed service account issuers for their shoots if the Gardener installation has this capability enabled. For details, please check the Managed Service Account Issuer documentation. by @​dimityrmirchev #9746

🐛 Bug Fixes

• [USER] A bug has been fixed which prevented Shoot deletion in case it was still annotated with maintenance.gardener.cloud/operation. by @​rfranzke #9854
• [USER] An issue causing the node-problem-detector to be OOMKilled is now fixed. Previously, too low memory limit was set when VPA was enabled for the Shoot. by @​ialidzhikov #9797
• [OPERATOR] gardenlet: An issue causing Shoot deletion to fail due to "Secret etcd-backup not found" error caused by not yet created shoot namespace is now fixed. by @​Kostov6 #9871
• [OPERATOR] A regression is fixed and now the shoot control plane Prometheus forwards its alerts to the seed alertmanager. by @​istvanballok #9876
• [OPERATOR] gardenlet: An issue causing gardenlet to trigger unnecessary kube-apiserver rolling updates by reverting the VPN sidercar containers resource requests set by HVPA for HA Shoots is now fixed by disabling autoscaling for the VPN sidecar containers. by @​ialidzhikov #9875
• [DEVELOPER] The {virtual|runtime}-garden Prometheus / blackbox-exporter probes in the local gardener-operator setup are fixed. by @​istvanballok #9832

🏃 Others

• [OPERATOR] Nodes are now labeled with "worker.gardener.cloud/gardener-node-agent-secret-name", which includes the expected name of the secret used by gardener-node-agent. by @​MichaelEischer #9757
• [OPERATOR] The Cache Prometheus scrapes the kubelet and cadvisor metrics directly, without using the proxy feature of the API server. by @​istvanballok #9716
• [OPERATOR] The CoreDNSQueryRewriting feature gate has been promoted to beta and is turned on by default. by @​ScheererJ #9820
• [OPERATOR] Introduce a unified single alert for all seed conditions. Previous seed alerts GardenletDown, GardenletUnknown, SeedAPIServerUnavailable, SeedControlPlaneUnhealthy and SeedSystemComponentsUnhealthy are removed. by @​vicwicker #9750
• [OPERATOR] The resource requests of the vpn-client-{0,1} sidecar container are reduced from 100m and 100Mi to 20m and 10Mi. The resource requests of the vpn-controller-path sidecar container are reduced from 20Mi to 10Mi. by @​ialidzhikov #9875
• [OPERATOR] Port 8132 of istio ingress gateway will respond to all ordinary http requests regardless of the target domain with a redirect (301) to the https port by @​ScheererJ #9831
• [OPERATOR] Introduce new label shoot_dashboard_url in the alerts from the garden Prometheus by @​vicwicker #9818
• [OPERATOR] Resource limits are removed for the observability components by @​istvanballok #9785
• [OPERATOR] The MutableShootSpecNetworkingNodes feature gate has been promoted to beta and is turned on by default. by @​ScheererJ #9824
• [OPERATOR] Shoot clusters with Kubernetes version >= v1.29 will use cluster-autoscaler v1.29.0. by @​rishabh-11 #9822
• [DEPENDENCY] The registry.k8s.io/pause image has been updated to 3.10. by @​gardener-ci-robot #9837

Docker Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.96.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.96.0

... (truncated)

Commits

• 83277e0 Release v1.96.0
• e00541e [release-v1.96] The shoot control plane Prometheus forwards its alerts to the...
• c8171ef [release-v1.96] VPN sidecar containers: Disable autoscaling and reduce resour...
• 80a6514 [release-v1.96] Fix Secret etcd-backup not found (#9871)
• 3b61cb9 [provider-local] Harmonize local VPN setup with real-world scenario (#9752)
• b47f592 Shoot deletion: Prevent false negative validation when maintenance operation ...
• 9f3b254 [GEP-19] Adapt monitoring configuration for shoot control plane components (#...
• 210b15a Fix the {virtual|runtime}-garden probes in the local gardener-operator setup ...
• c72cab2 Add the VPAAndHPAForAPIServer feature gate for the gardener-operator (#9735)
• 694b31b Extend Seed API to explicitly enable/disable support for terminating proxy ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[gardener-robot-ci-1]

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[gardener-robot]

@dependabot[bot] Thank you for your contribution.

[dependabot]

Superseded by #266.