chore(deps): update dependency gardener/gardener to v1.59.1 (main)

[23t-machine-user]

This PR contains the following updates:

Package	Update	Change
gardener/gardener	minor	v1.57.1 -> v1.59.1

---

Release Notes

gardener/gardener

v1.59.1

Compare Source

[gardener]

🐛 Bug Fixes

• [USER] The CertificateSigningRequests created by kubelets for their server certificates are now also auto-approved when their Node object contains addresses of type InternalDNS, ExternalDNS, or ExternalIP. (gardener/gardener#​6963, @​gardener-ci-robot)
• [USER] A bug has been fixed which caused stuck Shoot on deletion because their Namespaces in the seed cluster were not cleaned up properly. It only affected clusters created prior gardener/gardener@v1.59. (gardener/gardener#​6966, @​gardener-ci-robot)

v1.59.0

Compare Source

[gardener]

⚠️ Breaking Changes

• [OPERATOR] The .spec.highAvailability field in the Seed is deprecated and no longer respected. It will be removed in a future release. The seed.gardener.cloud/multi-zonal label is removed and no longer respected. Instead, the Seed API now has .spec.provider.zones. Operators should enter the names of all availability zones the seed worker nodes run in. (gardener/gardener#​6914, @​rfranzke)
• [OPERATOR] HAControlPlanes feature gate is added to gardener-apiserver and removed from gardenlet. (gardener/gardener#​6915, @​oliver-goetz)
• [OPERATOR] The values for the gardenlet Helm chart are no longer put below .global.gardenlet. For example, before this PR the replica count was controlled via the global.gardenlet.replicaCount value while it's now controlled via replicaCount directly. Please adapt your values files accordingly. (gardener/gardener#​6876, @​rfranzke)
• [OPERATOR] The validate-namespace-deletion ValidatingWebhookConfiguration is renamed to gardener-admission-controller. You might need to cleanup the existing validate-namespace-deletion ValidatingWebhookConfiguration. (gardener/gardener#​6894, @​AleksandarSavchev)
• [OPERATOR] The gardener-shoot-controlplane PriorityClass is now deleted by gardenlet. Before updating to this version of Gardener, make sure that there are no extensions or external components still using this PriorityClass. Refer to this documentation to find out which PriorityClass should be used instead. (gardener/gardener#​6899, @​ialidzhikov)
• [DEVELOPER] The gardener-resource-manager component has been reworked entirely. It now uses a component config instead of CLI flags. Also, its Helm chart has been reworked entirely. (gardener/gardener#​6865, @​rfranzke)

✨ New Features

• [USER] It is now possible to configure the protectKernelDefaults field for the kubelet configuration in the Shoot API via .spec.{provider.workers[]}.kubernetes.kubelet.protectKernelDefaults. This will be unset by default for shoots with k8s version < 1.26 and will be defaulted to true for shoots with k8s version >= 1.26 once Gardener releases support for these versions. (gardener/gardener#​6919, @​dimityrmirchev)
• [USER] It is now possible to configure the streamingConnectionIdleTimeout field for the kubelet configuration in the Shoot API via .spec.{provider.workers[]}.kubernetes.kubelet.streamingConnectionIdleTimeout. This is implicitly defaulted to 4h for shoots with k8s version < 1.26 and will be defaulted to 5m for shoots with k8s version >= 1.26 once Gardener releases support for these versions. (gardener/gardener#​6937, @​dimityrmirchev)
• [USER] Kubelet configurations containerLogMaxSize and containerLogMaxFiles are now supported in the corresponding Shoot resource. Those properties manage rotation policy of the container logs. Under heavy load the default values may result in frequent log rotations. (gardener/gardener#​6702, @​nickytd)
• [OPERATOR] HAControlPlanes feature gate controls if it is possible to create shoots with a HighAvailability configuration in the landscape. (gardener/gardener#​6915, @​oliver-goetz)
• [DEVELOPER] log-level and log-format of provider-local can now be configured. (gardener/gardener#​6875, @​oliver-goetz)
• [DEPENDENCY] Extensions can now use the extensions/pkg/util.{DetermineError,DetermineErrorCodes} functions for conveniently handling errors with codes. (gardener/gardener#​6912, @​acumino)
• [DEPENDENCY] gardener-extensions-controller package includes CLI parameter for --log-level and --log-format now. (gardener/gardener#​6875, @​oliver-goetz)

🐛 Bug Fixes

• [OPERATOR] An issue has been fixed for shoot clusters on multi-zonal seeds that prevented control-plane pods from being scheduled, e.g. after hibernation. With this version of Gardener, zone-pinning for shoot control-planes will be suspended until a new version of the feature will be rolled out in a future release. (gardener/gardener#​6934, @​timuthy)
• [OPERATOR] A bug has been fixed which could prevent gardenlet pods from coming up in case the seccomp-profile webhook served by gardener-resource-manager is unavailable or broken. (gardener/gardener#​6953, @​dimityrmirchev)
• [OPERATOR] The KubeApiServerTooManyAuditlogFailures alert is now fixed to fire also when the audit plugins buffered and truncate are failing to process an audit event. (gardener/gardener#​6871, @​vpnachev)
• [OPERATOR] An issue causing the nginx-ingress-controller installed via the shoot's nginx-ingress addon to fail to start when cluster-wide seccomp defaulting is enabled is now fixed. (gardener/gardener#​6895, @​dimityrmirchev)

🏃 Others

• [USER] The rotation procedure of the ServiceAccount token signing key has been improved. (gardener/gardener#​6943, @​rfranzke)
• [OPERATOR] Profiling is now disabled for kube-controller-manager for shoots that have Kubernetes version >= 1.19. (gardener/gardener#​6922, @​dimityrmirchev)
• [OPERATOR] You should make sure that all Shoots are getting reconciled successfully or deleted in case they still have either the etcd-encryption-secret or service-account-key secrets in their namespaces in the seed cluster. (gardener/gardener#​6929, @​rfranzke)
• [OPERATOR] The zone-pinning feature for control-planes on multi-zonal seeds (introduced by https://github.com/gardener/gardener/pull/6579) has been removed. There will be a new version of the feature soon, that takes a different approach and fixes some bug and flaws along the way. (gardener/gardener#​6934, @​timuthy)
• [OPERATOR] Revert removal DNSProvider from supported extension kinds until v1.60.0 or later. (gardener/gardener#​6951, @​MartinWeindel)
• [OPERATOR] The ManagedResources related to seed system components are now labeled with gardener.cloud/role=system-component. (gardener/gardener#​6836, @​rfranzke)
• [OPERATOR] The gardenlet now waits for all managed resources referring the shoot to be deleted before continuing with the deletion of the shoot's kube-apiserver during shoot deletion or controlplane migration. (gardener/gardener#​6853, @​dimityrmirchev)
• [OPERATOR] Add new Prometheus alert ApiserverRequestsFailureRate for API Server failure rate. (gardener/gardener#​6736, @​cathyzhang05)
• [OPERATOR] gardenlet no longer tries to delete Ingress resources for a Seed via the extensions/v1beta1 API (no longer served as of K8s 1.22). As Gardener supports only Seed clusters with K8s >= 1.20, it is enough to delete the Ingress resources via the networking.k8s.io/v1 API (available since v1.19). (gardener/gardener#​6866, @​ialidzhikov)
• [OPERATOR] The Kubernetes Control Plane Status dashboard has been updated to show correct values for kube-controller-manager and kube-scheduler once they are deployed with multiple replicas for HA shoots. (gardener/gardener#​6874, @​timuthy)
• [DEVELOPER] Update golangci to v1.50.1. (gardener/gardener#​6916, @​oliver-goetz)
• [DEVELOPER] Go is updated to 1.19.3 (gardener/gardener#​6941, @​oliver-goetz)

[apiserver-proxy]

⚠️ Breaking Changes

• [DEVELOPER] bazel is no longer used for builds ands tests. As alternative a Makefile with equivalent targets is now provided. (gardener/apiserver-proxy#​25, @​ialidzhikov)

🐛 Bug Fixes

• [USER] An issue causing the apiserver-proxy-pod-webhook to wrongly remove the grpc field from livenessProbes, readinessProbes and startupProbes when defaulting a Pod is now fixed. (gardener/apiserver-proxy#​24, @​ialidzhikov)
• [OPERATOR] Native arm64 builds (builds on arm hosts) are now supported. Previously only arm64 builds with qemu were supported. (gardener/apiserver-proxy#​25, @​ialidzhikov)

🏃 Others

• [OPERATOR] Updated base image of apiserver-proxy to alpine 3.16.2 (gardener/apiserver-proxy#​21, @​ScheererJ)
• [OPERATOR] The golang version is updated to 1.19.2. (gardener/apiserver-proxy#​22, @​ialidzhikov)
• [OPERATOR] The following dependencies are updated: (gardener/apiserver-proxy#​24, @​ialidzhikov)
  • k8s.io/api: v0.19.2 -> v0.23.5
  • k8s.io/apimachinery: v0.19.2 -> v0.23.5
  • k8s.io/apiserver: v0.19.2 -> v0.23.5
  • k8s.io/client-go: v0.19.2 -> v0.23.5
  • sigs.k8s.io/controller-runtime: v0.7.0-alpha.4 -> v0.11.2

[logging]

🏃 Others

• [OPERATOR] The Telegraf image used by Loki pod is built from scratch with static binary. (gardener/logging#​158, @​vlvasilev)

v1.58.2

Compare Source

[gardener]

🐛 Bug Fixes

• [USER] The CertificateSigningRequests created by kubelets for their server certificates are now also auto-approved when their Node object contains addresses of type InternalDNS, ExternalDNS, or ExternalIP. (gardener/gardener#​6962, @​gardener-ci-robot)

v1.58.1

Compare Source

[gardener]

🐛 Bug Fixes

• [OPERATOR] An issue has been fixed for shoot clusters on multi-zonal seeds that prevented control-plane pods from being scheduled, e.g. after hibernation. With this version of Gardener, zone-pinning for shoot control-planes will be suspended until a new version of the feature will be rolled out in a future release. (gardener/gardener#​6938, @​timuthy)
• [OPERATOR] The KubeApiServerTooManyAuditlogFailures alert is now fixed to fire also when the audit plugins buffered and truncate are failing to process an audit event. (gardener/gardener#​6886, @​gardener-ci-robot)

🏃 Others

• [USER] The rotation procedure of the ServiceAccount token signing key has been improved. (gardener/gardener#​6945, @​gardener-ci-robot)
• [OPERATOR] Revert removal DNSProvider from supported extension kinds until v1.60.0 or later. (gardener/gardener#​6952, @​gardener-ci-robot)
• [OPERATOR] The zone-pinning feature for control-planes on multi-zonal seeds (introduced by https://github.com/gardener/gardener/pull/6579) has been removed. There will be a new version of the feature soon, that takes a different approach and fixes some bug and flaws along the way. (gardener/gardener#​6938, @​timuthy)

v1.58.0

Compare Source

[gardener]

⚠️ Breaking Changes

• [USER] Shoots with failure tolerance type node can be scheduled on seeds with .spec.highAvailability != nil only. (gardener/gardener#​6833, @​oliver-goetz)
• [OPERATOR] HAControlPlanes feature flag is removed from gardener-scheduler. (gardener/gardener#​6833, @​oliver-goetz)
• [OPERATOR] Remove DNSProvider from supported extension kinds. (gardener/gardener#​6840, @​MartinWeindel)
• [DEPENDENCY] Health checks performed by the healthcheck library no longer update the extensions resources' status.conditions[].LastUpdateTime on each reconciliation. Instead, a new heartbeat controller was added to the extensions library that will renew a dedicated Lease resource named gardener-extensions-heartbeat every 30 seconds by default. Extension controllers have to enable this controller as the gardener-extensions-heartbeat Lease will be used when gardenlet checks whether the extension resources' conditions are stale or not. gardenlet expects to find this Lease inside the namespace where the extension controller is installed by the corresponding ControllerInstallation. (gardener/gardener#​6626, @​plkokanov)

✨ New Features

• [USER] The kubelets running on shoot worker nodes are now requesting server certificates via the CertificateSigningRequest API. They have the default validity of 30d and are auto-rotated when 80% of their lifetime expires. (gardener/gardener#​6784, @​rfranzke)
• [USER] It is now possible to configure the seccompDefault field for the kubelet configuration in the Shoot API via .spec.{provider.workers[]}.kubernetes.kubelet.seccompDefault. This configuration is only available for k8s version >= 1.25 and it is not turned on by default. (gardener/gardener#​6741, @​AleksandarSavchev)
• [OPERATOR] Short names for machine (mc), machineclass (mcc), machinedeployment (mcd), and machineset (mcs) resources are now added. (gardener/gardener#​6787, @​rishabh-11)
• [OPERATOR] log-level, log-format and verbosity of gardener-apiserver can now be configured. (gardener/gardener#​6817, @​oliver-goetz)
• [OPERATOR] It is now possible to disable PodSecurityPolicy admission plugin, please make sure you have updated the extensions to a version which supports this change. (gardener/gardener#​6700, @​shafeeqes)
• [OPERATOR] log-level and log-format of gardener-resource-manager can now be configured. (gardener/gardener#​6830, @​oliver-goetz)
• [OPERATOR] log-level and log-format of gardener-seed-admission-controller can now be configured. (gardener/gardener#​6831, @​oliver-goetz)
• [OPERATOR] High availability for seed system components can be defined by specifying spec.highAvailability.failureTolerance.type (gardener/gardener#​6723, @​unmarshall)
  • Additional validation is added which checks for the value of seed label seed.gardener.cloud/multi-zonal which was not existing before. The allowed values will be:empty string or a valid boolean value true | false
• [OPERATOR] Gardenlet can now be deployed with multiple replicas and a failureToleranceType of either node or zone. This is supported by the gardenlet Helm chart as well as through deployment options in managedseed objects. The replica spread is implemented via TopologySpreadConstraints. (gardener/gardener#​6750, @​timuthy)
• [OPERATOR] The ManagedResource health status for objects on the seed cluster is now updated immediately on health status changes (switched from periodic checks to proper watching). (gardener/gardener#​6770, @​timebertt)
• [OPERATOR] Updated machine CRD, allowing the display of node name and providerID(using -owide flag) when listing machines in the control plane of the shoot (gardener/gardener#​6779, @​rishabh-11)
• [OPERATOR] Gardenlet will not start in case the seed configuration is incorrect, i.e. if the node, pod or service network specified in the Seed resource do not match to the cluster reality. (gardener/gardener#​6782, @​ScheererJ)
• [DEVELOPER] The local setup has been improved to support tests for HA scenarios (single-zone with node failure tolerance and multi-zone with zone failure tolerance). (gardener/gardener#​6719, @​seshachalam-yv)
• [DEVELOPER] ConditionBuilder interface is extended by a WithClock(...) function. (gardener/gardener#​6729, @​oliver-goetz)
  • ...WithClock(...) condition helper functions are introduced.
  • WithNowFunc(...) function is removed from ConditionBuilder interface.

🐛 Bug Fixes

• [USER] Shoot worker definitions are now validated using .spec.kubernetes.kubelet when .spec.provider.workers[].kubernetes.kubelet is not specified. (gardener/gardener#​6741, @​AleksandarSavchev)
• [OPERATOR] The broken preStop hook from Gardener API Server deployment has been removed. (gardener/gardener#​6793, @​vpnachev)
• [OPERATOR] An issue causing the gardener-shoot-controlplane PriorityClass to be deleted too early when there are still Deployments (vpn-seed-server) that reference it is now mitigated. (gardener/gardener#​6799, @​ialidzhikov)
• [OPERATOR] The gardenlet is no longer put under time pressure during its start-up procedure by preventing its liveness probe from falsely failing. (gardener/gardener#​6808, @​rfranzke)
• [OPERATOR] kube-scheduler and cluster-autoscaler Pods now run with the appropriate priority set according to the following document. Previously these Pods were running without a priority class set and were preempted in favour of less important Pods. (gardener/gardener#​6838, @​ialidzhikov)
• [OPERATOR] Remove /scale subresource from etcd CRD. (gardener/gardener#​6850, @​shreyas-s-rao)

📖 Documentation

• [OPERATOR] The documentation for triggering control-plane migration is updated with a slight change. (gardener/gardener#​6843, @​shafeeqes)

🏃 Others

• [OPERATOR] The following image is updated: (gardener/gardener#​6790, @​ialidzhikov)
  • grafana/grafana: 7.5.16 -> 7.5.17
• [OPERATOR] The following image is updated: (gardener/gardener#​6820, @​Kristian-ZH)
  • quay.io/brancz/kube-rbac-proxy: v0.13.0 -> v0.13.1
• [OPERATOR] The following image is updated: (gardener/gardener#​6824, @​rickardsjp)
  • quay.io/prometheus/prometheus: v2.38.0 -> v2.39.1
• [OPERATOR] kubernetes.io/arch label can now be used for scaling the worker pools from 0 based on CPU architecture. (gardener/gardener#​6825, @​acumino)
• [OPERATOR] Deploy network policies to namespace istio-system to only allow traffic to configured endpoints inside the cluster and the seed api-server. (gardener/gardener#​6826, @​axel7born)
• [OPERATOR] The gardener.cloud/purpose: kube-system label is now added to the kube-system namespace by the gardenlet's Seed controller. (gardener/gardener#​6829, @​bd3lage)
• [OPERATOR] The following image is updated: (gardener/gardener#​6828, @​ialidzhikov)
  • eu.gcr.io/gardener-project/gardener/apiserver-proxy-pod-webhook: v0.6.0 -> v0.7.0
• [OPERATOR] Latency metrics of the attach subresource are not considered for the KubeApiServerLatency alert and API Server / Request Latency dashboard panel. (gardener/gardener#​6844, @​istvanballok)
• [OPERATOR] The ShootBinding admission plugin is removed in favour of existing ShootValidator plugin. All the checks are moved to the latter. (gardener/gardener#​6727, @​shafeeqes)
• [OPERATOR] When gardenlet checks the conditions of extension resources as part of the shoot health check, it checks if the gardener-extensions-heartbeat Lease maintained by the extension controllers has been renewed within the ShootCare controller's staleExtensionHealthChecks.thresholds[] settings and sets the corresponding Shoot condition to Unknown if that is not the case. If the Lease is not found, the status.conditions[].LastUpdateTime of the extension resource is checked as well for backwards compatibility. (gardener/gardener#​6626, @​plkokanov)
• [OPERATOR] Deploy network policies to namespace istio-ingress to only allow egress traffic to configured endpoints inside the cluster. (gardener/gardener#​6765, @​axel7born)
• [OPERATOR] Replace vpa-exporter with kube-state-metrics. (gardener/gardener#​6771, @​istvanballok)
  • The vpa-exporter is no longer used in Gardener.
  • The kube-state-metrics component is exposing the VPA related metrics.
• [DEVELOPER] Go is updated to 1.19.2 (gardener/gardener#​6789, @​oliver-goetz)

[hvpa-controller]

🏃 Others

• [DEPENDENCY] The version of golang used by hvpa-controller was updated from 1.15 to 1.18 (gardener/hvpa-controller#​109, @​andrerun)

[logging]

🏃 Others

• [OPERATOR] Published docker images for Logging are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/logging#​156, @​acumino)
• [OPERATOR] Upgrade the Telegraf version from 1.23.4 to 1.24.2 (gardener/logging#​157, @​vlvasilev)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.58.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.58.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.58.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.58.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.58.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.58.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.58.0

v1.57.2

Compare Source

[gardener]

🐛 Bug Fixes

• [OPERATOR] The KubeApiServerTooManyAuditlogFailures alert is now fixed to fire also when the audit plugins buffered and truncate are failing to process an audit event. (gardener/gardener#​6887, @​gardener-ci-robot)

🏃 Others

• [USER] The rotation procedure of the ServiceAccount token signing key has been improved. (gardener/gardener#​6946, @​gardener-ci-robot)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Renovate Bot.