Bump github.com/gardener/gardener from 1.126.0 to 1.127.0

[dependabot]

Bumps github.com/gardener/gardener from 1.126.0 to 1.127.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.127.0

[github.com/gardener/gardener:v1.127.0]

⚠️ Breaking Changes

• [OPERATOR] The ProjectValidator admission plugin is now renamed to ProjectMutator. If you have references to the old name of the admission plugin, make sure to adapt them before upgrading to this version of Gardener. by @​georgibaltiev [#12818]

• [OPERATOR] ⚠️ Gardener does no longer support garden, seed, or shoot clusters with Kubernetes versions <= 1.28. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @​seshachalam-yv [#12486]

• [USER] It is not allowed anymore to specify a comma ",", as well as duplicate values, within the entries of theShoot.spec.kubernetes.kubeAPIServer.apiAudiences[]. Please update your Shoots accordingly. by @​tobschli [#12788]

• [DEVELOPER] The Priority field for the MachineDeployment API is now required instead of optional. Provider extensions need to make sure that the MachineDeployments they generate specify this field. by @​tobschli [#12742]

• [OPERATOR] The CredentialsRotationWithoutWorkersRollout feature gate has been promoted to GA and is enabled unconditionally. by @​rfranzke [#12857]

• [OPERATOR] The GA-ed and unconditionally enabled NewVPN feature gates is removed. If you have references to this feature gate, clean them up before upgrading to this version of Gardener. by @​ialidzhikov [#12807]

• [OPERATOR] A Project resource's .spec.namespace field is now validated in the storage layer. It was previously validated in the ProjectValidator admission plugin due to backwards-compatibility reasons. With this change, gardener-apiserver unconditionally accepts only garden and values with prefix garden- as valid Project namespaces. by @​georgibaltiev [#12784]

• [USER] gardener-apiserver no longer serves the /openapi/v2 endpoint. kubectl < 1.27 relies on this endpoint. Make sure to use kubectl 1.27+ against this version of gardener-apiserver. by @​seshachalam-yv [#12486]

• [USER] The spec.seedSelector field in the Shoot API is now validated for invalid label values. by @​shafeeqes [#12708]

• [OPERATOR] The following fields of resources in the core.gardener.cloud group are now validated for invalid label values:

  • spec.seedSelector in the CloudProfile API
  • spec.deployment.seedSelector in the ControllerRegistration API
  • scheduling.seedSelector in the ExposureClass API

  The following fields of resources in the operator.gardener.cloud group are now validated for invalid label values:

  • spec.virtualCluster.gardener.gardenerControllerManager.defaultProjectQuotas.projectSelector in the Garden API

  The following fields of resources in the controllermanager.config.gardener.cloud group are now validated for invalid label values:

  • controllers.project.quotas[].projectSelector

  The following fields of resources in the seedmanagement.gardener.cloud group are now validated for invalid label values:

  • spec.selector in the ManagedSeedSet API

  The following fields of resources in the settings.gardener.cloud group are now validated for invalid label values:

  • spec.projectSelector in the ClusterOpenIDConnectPreset API by @​shafeeqes [#12708]

📰 Noteworthy

• [USER] shoot.spec.secretBindingName field is deprecated in favour of shoot.spec.credentialsBindingName and will be removed after Kubernetes support for version 1.34 is dropped. Please see https://gardener.cloud/docs/gardener/shoot-operations/secretbinding-to-credentialsbinding-migration. If users do not perform the migration on their own, the migration will be forced and newly created CredentialsBindings will be labeled with credentialsbinding.gardener.cloud/status=force-migrated. by @​dimityrmirchev [#12804]
• [USER] It is now forbidden to specify configuration for admission plugins that are not configurable (via Shoot.spec.kubernetes.kubeAPIServer.admissionPlugins[].config) by @​tobschli [#12768]
• [OPERATOR] When gardenlet starts up, it now checks the version skew with the gardener-apiserver (click here for the policy document). by @​rfranzke [#12863]
• [OPERATOR] On startup gardenlets will configure .spec.dns.internal settings for its respective Seed. Operators should adapt their Seed manifests to explicitly configure internal DNS as .spec.dns.internal will become a mandatory configuration after release v1.129.0. by @​dimityrmirchev [#12663]
• [USER] SecretBinding API is deprecated in favour of CredentialsBinding and will be removed after Kubernetes support for version 1.34 is dropped. Please see https://gardener.cloud/docs/gardener/shoot-operations/secretbinding-to-credentialsbinding-migration. by @​dimityrmirchev [#12804]

✨ New Features

• [OPERATOR] Enabling feature gate OpenTelemetryCollector will now route logs through the collector in the Shoot control-plane before reaching Vali. by @​rrhubenov [#12568]
• [OPERATOR] The Seed spec was extended to allow explicit configuration for internal DNS settings. Operators can configure these by setting .spec.dns.internal. The implicit configuration that involved selecting a DNS secret from the Garden cluster based on labels will be eventually removed. Operators should adapt their Seed manifests to explicitly configure internal DNS. by @​dimityrmirchev [#12663]

🐛 Bug Fixes

• [DEVELOPER] Ambiguous go.mod dependencies were removed when calling make import-tools-bin. by @​timuthy [#12810]
• [OPERATOR] A misconfiguration has been fixed which was preventing gardener-admission-controller from being called for ConfigMap creations of gardenlet. by @​rfranzke [#12858]
• [OPERATOR] Flip the status of a set EmergencyStopShootReconciliations Seed condition from False to True. by @​LucaBernstein [#12823]
• [OPERATOR] Fix shoot creation failure for shoots with kubernetes version >=1.32 and openidconnect preset present by @​p53 [#12743]

🏃 Others

• [OPERATOR] GOMAXPROCS for the gardener-controller-manager is set by the Go runtime instead of the external go.uber.org/automaxprocs/maxprocs library. by @​timuthy [#12801]
• [DEPENDENCY] The following dependencies have been updated:

... (truncated)

Commits

• dfbd4d5 release v1.127.0
• 8c9a280 provider-local: fix NetworkPolicy for coredns ingress on nodePort (#12891)
• d51a36a Change image source of envoyproxy/envoy (#12868)
• a6be446 Update module k8s.io/autoscaler/vertical-pod-autoscaler to v1.4.2 (#12877)
• 6c54684 Add missing configmaps resource to seed-restriction webhook config (#12858)
• b35aa8a Update module github.com/spf13/pflag to v1.0.10 (#12876)
• d7f6fb8 Make gardenlet check version skew with gardener-apiserver when starting (...
• 8d37930 [GEP-28] gardener-scheduler no longer tries scheduling autonomous Shoots ...
• 92b908a [GEP-28] gardenadm bootstrap: enable provider-local DNS config (#12836)
• 1ca77d5 Promote CredentialsRotationWithoutWorkersRollout feature gate to GA (#12857)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[ghost]

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[hebelsan]

/lgtm