chore(deps): update iac-support-deps

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout (changelog)	action	digest	de0fac2 → df4cb1c
actions/checkout	action	patch	v6.0.2 → v6.0.3
aws-actions/configure-aws-credentials (changelog)	action	digest	d979d5b → e7f100c
aws-load-balancer-controller		minor	3.3.0 → 3.4.0
kubernetes-sigs/aws-load-balancer-controller		minor	v3.3.0 → v3.4.0
longhorn (source)		minor	1.11.2 → 1.12.0
opentofu/opentofu		patch	1.12.0 → 1.12.1
terraform-aws-modules/eks/aws (source)	module	minor	~> 21.20.0 → ~> 21.23.0
terraform-aws-modules/s3-bucket/aws (source)	module	minor	5.13.0 → 5.14.0

---

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

kubernetes-sigs/aws-load-balancer-controller (kubernetes-sigs/aws-load-balancer-controller)

v3.4.0

Compare Source

📚 Quick Links

v3.4.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.4.0
Thanks to all our contributors! 😊

🎉 Ingress to Gateway Migration Tool

We are excited to introduce the Ingress to Gateway Migration Tool, the biggest addition in this release! This tooling helps you migrate AWS Load Balancer Controller (LBC) Ingress resources to Gateway API resources, step by step. The migration is designed to be safe and non-disruptive — new ALBs are created alongside your existing ones, so current workloads keep running throughout the entire process.

Two tools are provided to help you migrate with confidence:s

• lbc-migrate CLI: Translates your Ingress manifests (annotations, rules, and IngressGroups) into equivalent Gateway API YAML. Supports cluster scraping (--from-cluster), file input (-f), directory input (--input-dir), single-Ingress and multi-namespace scoping, and per-namespace output splitting.
• Migration Console: A local, in-cluster web UI that compares the AWS resource stack produced by both the Ingress and Gateway controllers, field by field. This lets you verify equivalence before applying your Gateway manifests for real.

To get started, see the Migration Guide for the end-to-end walkthrough.

We encourage you to try it out and welcome any feedback via GitHub Issues.

⚠️ Gateway API Behavior Change

Only one L4 route per listener is eligible for traffic when using an NLB Gateway

• Change: When multiple L4 (TCP/UDP/TLS) routes target the same listener, the controller only forwards traffic to the oldest route. (#​4745).
• Impact: If you currently attach more than one TCP/UDP/TLS route to the same listener, only the oldest route will continue serving traffic after upgrading. Review your L4 route configurations and consolidate to a single route per listener to avoid unexpected traffic changes.

🔧 Enhancements and Fixes

• Regex path reconcile loop: Ignore the top-level RegexValues field that AWS mirrors in DescribeRules responses, preventing an unnecessary ModifyRule on every reconcile (#​4749)
• Service reconciler nil check: Return early in the service reconciler when the load balancer is nil (#​4751)
• TGC health check for ALB target groups: Fixed an error when updating health check settings in TargetGroupConfiguration for Gateway API ALB target groups (#​4741)
• NLB weighted target groups: Allow weight 0 for NLB weighted target groups, with a guard requiring at least one non-zero weight (#​4738)
• Capacity units validation: Validate CapacityUnits on capacity reservation annotations instead of silently dropping parse errors (which reset the reservation to 0) (#​4750)
• Checkpoint early-exit race: Ensure pods with pending readiness gates are always reconciled, fixing a checkpoint early-exit race with same-IP re-registration (#​4737)
• Retryable error wrapping: Wrap the last retryable error with a timeout error for clearer failure reporting (#​4761)
• Readiness gate efficiency: The TargetGroupBinding controller now watches pod events instead of requeueing on a fixed timer when using readiness gates, responding faster while avoiding unnecessary requeues (#​4678)
• Unit-test workflow permissions: Declare contents: read on the unit-test workflow to pin the default GITHUB_TOKEN to read-only (#​4736)
• Webhooks upgraded to v1: Admission webhooks were upgraded from v1beta1 to v1. Applied automatically on upgrade — no action needed (#​4743)
• Listener rule tag reconcile: Reconcile listener rule tags for all matched rules (#​4772)

🌟 Complete Change Log

• [feat i2g]support split by namespace output by @​shuqz in #​4733
• [feat i2g] Fix user tag propagation to ListenerRuleConfigurations in lbc-migrate by @​shuqz in #​4735
• [feat i2g] Add IngressPlanAnnotation feature gate for dry-run plan by @​shuqz in #​4734
• fix checkpoint early-exit by @​wweiwei-li in #​4737
• [fix]allow weight zero in NLB target group by @​shuqz in #​4738
• Watch pod events for updating TargetGroupBindings with ReadinessGates by @​cezarsa in #​4678
• [feat i2g] multi-ingress TGC with RouteConfigurations by @​shuqz in #​4742
• upgrade webhooks to v1 by @​zac-nixon in #​4743
• Fix error when updating health check settings in TGC for Gateway API ALB target groups by @​shraddhabang in #​4741
• reject multiple l4 routes for same listener by @​zac-nixon in #​4745
• fix: return early in service reconciler when lb is nil by @​wweiwei-li in #​4751
• Validate load balancer capacity units annotations by @​immanuwell in #​4750
• [feat i2g] bug fix by @​shuqz in #​4746
• [feat i2g]setup e2e test for migration tool by @​shuqz in #​4739
• ci(test): declare contents: read on the unit-test workflow by @​arpitjain099 in #​4736
• [feat i2g]add in-cluster console for model comparison by @​shuqz in #​4728
• fix: ignore top-level RegexValues mirrored by AWS in DescribeRules response by @​pataraktw in #​4749
• [feat i2g] add e2e tests for ingress2gateway migration tool by @​shuqz in #​4771
• [feat i2g] docs: migration guide, lbc-migrate reference, and in-cluster console by @​shuqz in #​4759
• Add multiple ingress test that sorts rules based on priority by @​jupdec in #​4756
• Reconcile listener rule tags for all matched rules by @​andreybutenko in #​4772
• cut v3.4.0 release by @​shuqz in #​4776

New Contributors

• @​immanuwell made their first contribution in #​4750
• @​arpitjain099 made their first contribution in #​4736
• @​pataraktw made their first contribution in #​4749

Full Changelog: kubernetes-sigs/aws-load-balancer-controller@v3.3.0...v3.4.0

longhorn/charts (longhorn)

v1.12.0

Compare Source

Longhorn is a distributed block storage system for Kubernetes.

opentofu/opentofu (opentofu/opentofu)

v1.12.1

Compare Source

SECURITY ADVISORIES:

• Previous releases in the v1.12 series could be affected by several vulnerabilities:

  • ssh usage through OpenTofu generate hangs or panics.
  • Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

  This is fixed now by (#​4145)

BUG FIXES:

• Address a bug introduced in v1.12.0 causing excessive memory usage by providers. (#​4126)
• Address a bug introduced in v1.12.0 where replace_triggered_by was validated incorrectly. (#​4133
• The Azure key provider will now accept the tenant_id, subscription_id, environment, and metadata_host variables; a bug previously only allowed these to be set through environment variables. (#​4091)

Full Changelog: https://github.com/opentofu/opentofu/blob/v1.12/CHANGELOG.md

terraform-aws-modules/terraform-aws-eks (terraform-aws-modules/eks/aws)

v21.23.0

Compare Source

Features

• Add nested_virtualization cpu_option (#​3686) (ddec8b9), closes #​3685
• Add support for launch template network_performance_options (#​3714) (9be4cbd)

v21.22.0

Compare Source

Features

• Remove is_enabled deprecation warning from Karpenter event_rules output (#​3707) (4bd70c7)

v21.21.0

Compare Source

Features

• Add support for EKS addon namespace_config (#​3716) (8828bd9)

terraform-aws-modules/terraform-aws-s3-bucket (terraform-aws-modules/s3-bucket/aws)

v5.14.0

Compare Source

Features

• Support Vector Buckets (#​392) (7fd971d)

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.