Bump github.com/gardener/gardener from 1.134.2 to 1.135.0

[dependabot]

Bumps github.com/gardener/gardener from 1.134.2 to 1.135.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.135.0

[github.com/gardener/gardener:v1.135.0]

⚠️ Breaking Changes

• [OPERATOR] Internal dns configuration for seeds .spec.dns.internal is now required. Make sure to set this field in your templates before upgrading Gardener to the current version. by @​dimityrmirchev [#13529]
• [OPERATOR] gardener-resource-manager now enforces the desired OwnerReferences for objects it manages. Previously, it set OwnerReferences only when creating objects and did not update them afterwards. by @​oliver-goetz [#13606]
• [USER] ⚠️ The Seed API field spec.dns.provider.secretRef has been deprecated in favor of spec.dns.provider.credentialsRef. The secretRef field will be removed in Gardener version >= v1.139.0, until then - please consider migrating to the new credentialsRef field.
  • :info: Gardener takes care to keep both fields in sync when the configured credentials is of type Secret. by @​vpnachev [#13680]
• [USER] ⚠️ The Shoot API field spec.dns.providers.secretName has been deprecated in favor of spec.dns.providers.credentialsRef. The secretName field will be disallowed to be used by shoots running on Kubernetes 1.35 or newer, until then - please consider migrating to the new credentialsRef field.
  • Gardener API server takes care to keep both fields in sync when Secret is the type of the configured credentials. by @​vpnachev [#13552]
• [DEVELOPER] Change the registry port in the local setup to :5001. by @​LucaBernstein [#13661]
• [DEVELOPER] The extension-class flag has been renamed to extension-classes to support multiple extension classes per controller deployment. If the extension depends on cmd.ReconcilerOptions, the renaming will automatically take effect. Please adjust your deployment manifest to reflect this change. by @​timuthy [#13718]
• [DEVELOPER] The SecretData field has been removed from the github.com/gardener/gardener/pkg/component/extensions/dnsrecord.Values struct, use github.com/gardener/gardener/pkg/component/extensions/dnsrecord.CredentialsDeployFunc instead to deploy secret data into a secret. by @​vpnachev [#13720]
• [DEVELOPER] The function github.com/gardener/gardener/pkg/utils/gardener.GenerateDNSProviderName has been removed. by @​vpnachev [#13552]
• [DEVELOPER] github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderSecretNamesEqual has been removed, use github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderCredentialsRefsEqual instead. by @​vpnachev [#13552]
• [DEVELOPER] The SecretData field of the github.com/gardener/gardener/pkg/utils/gardener.Domain struct has been replaced with Credentials field of type sigs.k8s.io/controller-runtime/pkg/client.Object. by @​vpnachev [#13720]
• [DEPENDENCY] The naming logic for automatically generated webhooks has changed. If the extension name passed to extensionscmdwebhook.NewAddToManagerOptions starts with gardener-, the extension's webhook names are no longer prefixed with gardener-extension-. by @​timuthy [#13786]

📰 Noteworthy

• [OPERATOR] Adapted the policy in the Kubernetes version support process to retain only the latest 4 minor versions, improving security by dropping older, unpatched versions. Additionally, a minimum period of 14 months has been added, during which Gardener will maintain support for any given Kubernetes version before removing it again. by @​marc1404 [#13471]
• [USER] The order of entries in the NamespacedCloudProfile.Status.CloudProfileSpec is now the same as in the parent CloudProfile.Spec. by @​LucaBernstein [#13772]
• [DEVELOPER] The function github.com/gardener/gardener/pkg/utils/kubernetes.GetCredentialsByObjectReference has been changed to accept client.Reader instead of client.Client. by @​vpnachev [#13552]
• [DEVELOPER] The script hack/vgopath-setup.sh and hack/tools.mk entry for $(VGOPATH) are deprecated and will be removed after gardener/gardener@v1.142 has been released. It is recommended that consumers stop using them from the gardener/gardener repository. by @​LucaBernstein [#13556]
• [DEVELOPER] Source code changes that break various aspects of the monitoring stack in ways that were previously unnoticed are now detected during pull request validation. by @​vicwicker [#13341]
• [DEVELOPER] The generic actuator of the control plane now wraps seed-related charts into ManagedResources . Any imperative logic in your provider extension that does not consider management through the gardener-resource-manager can potentially be cleaned up. by @​kon-angelo [#13585]
• [DEVELOPER] The usages of VGOPATH have been removed. by @​LucaBernstein [#13556]
• [DEVELOPER] A new rule was added to the Component Checklist - Drop unutilised capabilities. Additionally, the Do not run containers as root rule was extended. For more details, check the Component Checklist. by @​mstueer [#13204]
• [DEPENDENCY] CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. Provider extensions should start validating them similar to references for v1.Secret resources. by @​rfranzke [#13759]

✨ New Features

• [OPERATOR] A new VPNBondingModeRoundRobin feature gate is introduced for gardenlet. When enabled, HA VPN uses round-robin bonding mode to increase availability under network degradation. by @​domdom82 [#13649]
• [OPERATOR] gardenlet can now propagate static manifests stored in the seed cluster's garden namespace to all shoot namespaces. Read all about it here. by @​rfranzke [#13614]
• [OPERATOR] Support replacement of individual assets for the gardener dashboard (gardener/dashboard#2687) by @​grolu [#13640]
• [OPERATOR] Extend gardener-operator and gardenlet care controllers to query the Prometheus instances for health checks of the monitoring components. If the new health checks fail, they are reflected in the status condition of the Shoot, Seed or Garden resources. These health checks are introduced behind a feature gate PrometheusHealthChecks that is disabled by default. by @​vicwicker [#13341]
• [OPERATOR] It is now possible to configure custom namespaces in the virtual cluster that the virtual-garden-gardener-resource-manager should handle. Use .spec.virtualCluster.gardener.gardenerResourceManager.additionalTargetNamespaces in Garden resource. by @​rfranzke [#13761]
• [OPERATOR] WorkloadIdentity credentials are now allowed to be used for Shoot DNS domains, Seed ingress, default and internal DNS domains. by @​vpnachev [#13720]
• [OPERATOR] Add new Plutono dashboard for monitoring VPA Updater operations across Shoot, Seed and Garden clusters. by @​vitanovs [#13477]
• [USER] Rotation for the ssh keypair for worker nodes, observability passwords and etcd encryption key can now be done in the maintenance window via the .spec.maitenance.autoRotation.credentials field of a Shoot. by @​AleksandarSavchev [#13493]
• [USER] A new Seed API field credentialsRef has been introduced in spec.dns.provider structure. It is designed to support diverse types of credentials, as of now v1.Secrets and security.gardener.cloud/v1alpha1.WorkloadIdentity are allowed, but only Secrets are supported. by @​vpnachev [#13680]
• [USER] You can now specify nftables as proxy mode implementation of kube-proxy in the Shoot spec like so if your Kubernetes version is >= 1.31: .spec.kubernetes.kubeProxy.mode=NFTables, please consult https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/ for all glory details. by @​majst01 [#13558]
• [USER] A new optional Shoot API field credentialsRef has been introduced in spec.dns.providers structure. It is designed to support diverse types of credentials. As of now only v1.Secrets are supported. by @​vpnachev [#13552]
• [USER] The Shoot resource does now support configuring the vpa-recommender concurrent workers to update VerticalPodAutoscalers and VerticalPodAutoscalerCheckpoints via the new .spec.kubernetes.verticalPodAutoscaler.recommenderUpdateWorkerCount field. by @​voelzmo [#13591]
• [DEVELOPER] Shoots and Seeds are now allowed to reference WorkloadIdentity resources via their respective field spec.resources, extensions can leverage this mechanism in order to use workload identity credentials for authentication with external services supporting trust based authentication. by @​vpnachev [#13469]
• [DEVELOPER] CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. This can be beneficial if shoot credentials are not managed directly by end-users but by the service provider/Gardener operators. by @​rfranzke [#13759]
• [DEVELOPER] It is now possible to create a SecretsManager based on a Garden resource. Extensions can, for instance, manage certificates for webhooks in the garden runtime cluster while leveraging Gardener's certificate automation features (such as CA rotation, renewal, etc.). by @​timuthy [#13662]
• [DEPENDENCY] The certificate library for extension webhooks now supports skipping the component name prefixing with gardener-extension when DoNotPrefixComponentName is set to true. by @​rfranzke [#13765]
• [DEPENDENCY] extensionscmdcontroller.GeneralOptions can now be shared between controllers and webhooks. It contains general deployment information that are relevant to both. by @​timuthy [#13786]

🐛 Bug Fixes

• [OPERATOR] Refactor the collector journald receiver to capture kernel logs via a more stable method. by @​rrhubenov [#13664]

... (truncated)

Commits

• d2cc547 release v1.135.0
• a9c5c91 Remove obsolete GOPATH reference (#13900)
• 2133dd8 [release-v1.135] Fix a flaky Prometheus healthcheck (#13897)
• 079298c Update dependency gardener/dashboard to v1.83.2 (#13884)
• 4ab43ff [flake] Ensure in-flight operator.Gardenlet reconciliation loops are done i...
• 95dd448 Update local CloudProfile to Kubernetes 1.34.3 (#13874)
• 00020a1 [release-v1.135] Delete ManagedResources even if shoot resources don't need...
• 346dd25 Increase maximum values for inflight kube-apiserver requests (#13877)
• cf7ce57 HA config: Skip worker pools with Maximum=0 (#13873)
• 8e2a6af Revert "Use debian 13 (trixie) distroless image as base image (#13660)" (#13864)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[MartinWeindel]

/lgtm

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MartinWeindel

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [MartinWeindel]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gardener-prow]

LGTM label has been added.

Details

Git tree hash: 39f2fd61bf0db4e1c56f1f37a4cea886d3c9dc5a