Bump the gardener-dependencies group with 2 updates #1769

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/gardener-dependencies-da1eed397d

@dependabot dependabot bot commented on behalf of github Apr 14, 2026

Bumps the gardener-dependencies group with 2 updates: github.com/gardener/gardener and github.com/gardener/gardener/pkg/apis.

Updates github.com/gardener/gardener from 1.139.1 to 1.140.0

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.140.0

[github.com/gardener/gardener:v1.140.0]

⚠️ Breaking Changes

  • [OPERATOR] The UseUnifiedHTTPProxyPort feature gate has been promoted to Beta and is enabled by default. If using the Gardener ACL Extension you need to make sure that at least version v1.15.0 is installed and all Shoots are reconciled before the upgrade. by @jamand [#14422]
  • [DEVELOPER] The generate-admin-kubeconf.sh script has been renamed to generate-kubeconfig.sh. It now supports generating both admin (default) and viewer kubeconfigs. by @​timuthy [#14464]
  • [DEVELOPER] The gardenadm machine pods have their state persisted in a unified PVC. Existing local gardenadm setups need to be recreated. To reset a local machine pod, delete both the pod and its corresponding PVC. by @​LucaBernstein [#14359]
  • [DEVELOPER] GEN_CRD_API_REFERENCE_DOCS make command has been replaced with CRD_REF_DOCS. by @​acumino [#14324]
  • [DEPENDENCY] The pkg/utils/time package is now removed. Use k8s.io/utils/clock.Clock instead. by @​shafeeqes [#14515]

📰 Noteworthy

  • [OPERATOR] The SeedAuthorizer now enforces field/label selectors for gardenlet list/watch requests on ControllerInstallation, Bastion, Gardenlet, Seed, Shoot, and ManagedSeed resources, restricting each gardenlet to only observe resources belonging to its own seed. by @​rfranzke [#14452]
  • [OPERATOR] The gardener-resource-manager's NetworkPolicy controller now only creates policies in namespaces that have pods with matching to-* labels, significantly reducing the number of NetworkPolicy objects on seeds. by @​rfranzke [#14410]
  • [OPERATOR] RemoveVali FeatureGate has been introduced. When enabled, every Vali instance will be removed. This feature gate is available for both the gardenlet and the gardener-operator. by @​rrhubenov [#14279]
  • [DEVELOPER] The sast and sast-report checks have been removed from verify and verify-extended make targets. Please call them explicitly when required. by @​oliver-goetz [#14443]

✨ New Features

  • [OPERATOR] The Project API now has a .status.conditions field for allowing controllers to report conditions on Project objects. by @​jamand [#14403]
  • [DEVELOPER] The local setup has been augmented to make the self-hosted shoot's API server directly accessible from the host machine without kubectl port-forward. A new unified hack/usage/generate-admin-kubeconfig-local.sh script supports generating kubeconfigs for both the virtual garden and the self-hosted shoot. by @​rfranzke [#14370]

🐛 Bug Fixes

  • [OPERATOR] The formatting of event-logger logs when the OpenTelemetryCollector feature gate is enabled is now partially fixed. The event-logger logs are now properly structured with fields as attributes, but to make them searchable with the unpack feature a change in the fluent-bit output plugin is required. by @​iypetrov [#14423]
  • [OPERATOR] The gardenlet reconciler in the gardener-operator now uses the virtual cluster client to fetch the pull secret and CA bundle secret. It was wrongly using the runtime cluster client earlier. by @​shafeeqes [#14331]
  • [OPERATOR] Fix a bug where the shoot-care controller cannot reconcile shoots with spec.maintenance.confineSpecUpdateRollout=true and updated DNS credentials, i.e. shoot.spec.dns.providers[].credentialsRef, until the shoot is reconciled. by @​vpnachev [#14397]
  • [USER] Fixed EveryNodeReady shoot condition incorrectly reporting NodeAgentUnhealthy for nodes not managed by MCM. by @​acumino [#14509]
  • [DEVELOPER] Pull secrets in the remote setup are labeled correctly to be automatically propagated by @​matthias-horne [#14502]
  • [DEPENDENCY] Extension shoot webhook configs are now always produced even when mergeShootWebhooksIntoSeedWebhooks is true, so that a self-hosted Shoot promoted to a Seed has the correct shoot webhooks registered. by @​rfranzke [#14389]

🏃 Others

  • [OPERATOR] Fix KubePodNotReadyControlPlane alert to not trigger for pods in Completed state. by @​adenitiu [#14404]
  • [OPERATOR] Create pull secret in garden namespace of virtual garden for remote setup. by @​DockToFuture [#14449]
  • [OPERATOR] Introduce seed reconciliation alerts. by @​adenitiu [#14441]
  • [OPERATOR] Enable notification flexibility of EtcdDbSizeLimitApproaching and EtcdDbSizeLimitCrossed alert for seeds by @​adenitiu [#14384]
  • [OPERATOR] The following dependencies have been updated:
  • [OPERATOR] There is now maxConnectionDuration of 1 day for connections to kube-apiserver endpoints. Their maxConnections limit has been removed. by @​oliver-goetz [#14463]
  • [DEVELOPER] The default shoot for test machinery tests was adjusted to work with Kubernetes 1.35. by @​timuthy [#14439]
  • [DEVELOPER] In the remote setup Kyverno now always adds imagePullSecret for images in the remote registry. by @​matthias-horne [#14478]
  • [DEPENDENCY] The following dependencies have been updated:
    • registry.k8s.io/autoscaling/vpa-admission-controller from 1.5.1 to 1.6.0.
    • registry.k8s.io/autoscaling/vpa-recommender from 1.5.1 to 1.6.0.
    • registry.k8s.io/autoscaling/vpa-updater from 1.5.1 to 1.6.0. by @​gardener-ci-robot [#14036]
  • [DEPENDENCY] The following dependencies have been updated:
  • [DEPENDENCY] Istio charts and images are updated to v1.29.1 by @​axel7born [#14454]

... (truncated)

Commits
  • 0411619 release v1.140.0
  • e30f08a Enhance helper script for {Admin,Viewer}KubeconfigRequest (#14464)
  • e295fe7 Introduce SeedReconciliation alerts (#14441)
  • 52fcf66 Update module github.com/andybalholm/brotli to v1.2.1 (#14543)
  • 1ed5f7a Replace the ahmetb/gen-crd-api-reference-docs with elastic/crd-ref-docs (...
  • fdda0c2 Replace custom time interfaces with k8s.io/utils/clock (#14515)
  • e11998f Update quay.io/kiwigrid/k8s-sidecar Docker tag to v2.5.5 (#14480)
  • cf283e1 Remove backup and extensions configuration from gardenlet in remote s...
  • 3dcbdbd Update europe-docker.pkg.dev/gardener-project/releases/3rd/registry Docker ta...
  • a09a8d5 Update module github.com/distribution/distribution/v3 to v3.1.0 [SECURITY] (#...
  • Additional commits viewable in compare view

Updates github.com/gardener/gardener/pkg/apis from 1.139.1 to 1.140.0



Bumps the gardener-dependencies group with 2 updates: [github.com/gardener/gardener](https://github.com/gardener/gardener) and [github.com/gardener/gardener/pkg/apis](https://github.com/gardener/gardener).


Updates `github.com/gardener/gardener` from 1.139.1 to 1.140.0
- [Release notes](https://github.com/gardener/gardener/releases)
- [Commits](gardener/gardener@v1.139.1...v1.140.0)

Updates `github.com/gardener/gardener/pkg/apis` from 1.139.1 to 1.140.0
- [Release notes](https://github.com/gardener/gardener/releases)
- [Commits](gardener/gardener@v1.139.1...v1.140.0)

---
updated-dependencies:
- dependency-name: github.com/gardener/gardener
  dependency-version: 1.140.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gardener-dependencies
- dependency-name: github.com/gardener/gardener/pkg/apis
  dependency-version: 1.140.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gardener-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added area/compliance Compliance related kind/enhancement Enhancement, improvement, extension labels Apr 14, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 14, 2026 10:23
@dependabot dependabot bot added kind/enhancement Enhancement, improvement, extension area/compliance Compliance related labels Apr 14, 2026

gardener-prow bot commented Apr 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kon-angelo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 14, 2026
@github-actions

This change updates several key dependencies in the Go module, primarily upgrading the Gardener framework from version 1.139.1 to 1.140.0, along with updates to Kubernetes Vertical Pod Autoscaler, Istio components, and various other indirect dependencies to their latest compatible versions.

Walkthrough

  • Chore: Updated Gardener core framework and APIs from v1.139.1 to v1.140.0, bringing latest platform features and bug fixes
  • Chore: Upgraded Kubernetes Vertical Pod Autoscaler from v1.5.1 to v1.6.0 for improved auto-scaling capabilities
  • Chore: Updated Istio API and client libraries from v1.27.x to v1.29.1 for enhanced service mesh functionality
  • Chore: Refreshed multiple indirect dependencies including compression libraries, OpenTelemetry instrumentation, and code generation tools to maintain security and compatibility

Model: claude-sonnet-4-20250514 | Prompt Tokens: 7069 | Completion Tokens: 222

@federated-github-access federated-github-access bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 14, 2026
@gardener-prow gardener-prow bot added the cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. label Apr 14, 2026