Bump github.com/gardener/gardener from 1.135.1 to 1.136.0

[dependabot]

Bumps github.com/gardener/gardener from 1.135.1 to 1.136.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.136.0

[github.com/gardener/gardener:v1.136.0]

⚠️ Breaking Changes

• [OPERATOR] The Garden's .spec.virtualCluster.kubernetes.kubeAPIServer.eventTTL field's valid values range is restricted from [0, 168h] to [0, 24h]. The new range is imposed for new Garden creations and for field value updates. Already existing Gardens which specify invalid values (more than 24h) are not affected. by @​ialidzhikov [#13830]
• [OPERATOR] The ManagedSeedSet's .spec.shootTemplate.spec.kubernetes.kubeAPIServer.eventTTL field's valid values range is restricted from [0, 168h] to [0, 24h]. The new range is imposed for new ManagedSeedSet creations and for field value updates. Already existing ManagedSeedSets which specify invalid values (more than 24h) are not affected. by @​ialidzhikov [#13830]
• [USER] Shoot addons (.spec.addons) have been deprecated and will be forbidden starting with Kubernetes 1.35. Their usage was already discouraged for productive clusters, as they now only include unmaintained components (Kubernetes dashboard and Ingress NGINX Controller). by @​timuthy [#13845]
• [USER] The shoot field .spec.kubernetes.kubeScheduler.kubeMaxPDVols has been deprecated and will be forbidden starting with Kubernetes 1.35. The maximum number of attachable volumes is maintained by the respective CSI plugin. by @​timuthy [#13845]
• [USER] The Shoot's .spec.kubernetes.kubeAPIServer.eventTTL field's valid values range is restricted from [0, 168h] to [0, 24h]. The new range is imposed for new Shoots creations and for field value updates. Already existing Shoots which specify invalid values (more than 24h) are not affected. by @​ialidzhikov [#13830]
• [USER] Downgrading the machine image version (.spec.provider.workers[].machine.image.version) is not allowed for worker pools using the AutoInPlaceUpdate or ManualInPlaceUpdate strategy, as Gardener does not support machine image downgrades for any operating system currently. For AutoRollingUpdate, the entire node is replaced, so this limitation does not apply. by @​shafeeqes [#13828]
• [USER] The shoot field .spec.kubernetes.kubeAPIServer.watchCacheSizes.default has been deprecated and will be forbidden starting with Kubernetes 1.35. Watch cache sizes are automatically sized by Kubernetes. by @​timuthy [#13845]
• [USER] Setting .spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication in the Shoot spec is forbidden for clusters with Kubernetes version >= 1.35. Users that enable anonymous authentication should use Structured Authentication with anonymous authenticator instead. by @​dimityrmirchev [#13707]
• [DEVELOPER] The healthcheck controller now supports the garden extension class. Health check client interfaces have been renamed from SeedClient/ShootClient to SourceClient/TargetClient for better abstraction across extension classes. The PreCheckFunc method signature has been changed to accept any for cluster or garden object. by @​theoddora [#13789]

📰 Noteworthy

• [OPERATOR] New health and readiness checks have been added to vpn-seed-server to improve availability and reduce log clutter. by @​domdom82 [#13802]
• [OPERATOR] The Shoot spec has a new field spec.kubernetes.kubeAPIServer.encryptionConfig.provider.type, which currently can only be set to aescbc. by @​AleksandarSavchev [#13732]
• [OPERATOR] For Kubernetes virtual clusters >= 1.33, we now deploy both Endpoints and EndpointSlice resources for the APIService connection between virtual-garden-kube-apiserver and gardener-apiserver. by @​acumino [#14041]
• [OPERATOR] The Garden spec has 2 new fields spec.virtualCluster.kubernetes.kubeAPIServer.encryptionConfig.provider.typeand spec.virtualCluster.gardener.gardenerAPIServer.encryptionConfig.provider.type, which currently can only be set to aescbc. by @​AleksandarSavchev [#13732]
• [OPERATOR] The OpenTelemetryCollector feature gate has been promoted to Beta and is enabled by default. by @​rrhubenov [#13851]
• [USER] The field .spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication in the Shoot spec will be automatically set to nil if users set it false as these two are equivalent across the codebase. The field is deprecated and users that enable anonymous authentication should migrate to Structured Authentication with anonymous authenticator instead. by @​dimityrmirchev [#13707]
• [USER] It is now explicitly supported to use short worker OS image versions in the CloudProfile, which are not defaulted when creating or updating the Shoot spec. by @​Gerrit91 [#13785]
• [USER] The shoot deletion flow has been enhanced to tolerate leftover resources in the following situations:
  • Objects that belong to namespaces which have already been deleted (finalized).
  • Objects that were created after the cleanup process began for the first time, plus the finalize grace period. by @​timuthy [#13918]

✨ New Features

• [OPERATOR] Gardener now supports pulling Helm charts from OCI registries that use custom or self-signed TLS certificates. This is particularly useful for air-gapped environments or when using private container registries with custom certificate authorities.

  A new caBundleSecretRef field has been added to the ociRepository configuration in the following resources:

  • core.gardener.cloud/v1.ControllerDeployment: .helm.ociRepository.caBundleSecretRef
  • core.gardener.cloud/v1beta1.ControllerDeployment: .helm.ociRepository.caBundleSecretRef
  • operator.gardener.cloud/v1alpha1.Extension: .spec.deployment.{admission.{runtimeCluster,virtualCluster},extension}.helm.ociRepository.caBundleSecretRef

  The field references a secret in the garden namespace containing a PEM-encoded CA certificate bundle (data key: bundle.crt). For gardenlet usage, the secret must be labeled with gardener.cloud/role=oci-ca-bundle. by @​shafeeqes [#13868]

• [OPERATOR] The gardener-controller-manager now increases all ResourceQuotas in project namespaces when a Gardener update leads to Gardener creating more resources in them. This was introduced to prevent failing Shoot reconciliations when ResourceQuotas of projects are near their limit. by @​tobschli [#13850]

• [OPERATOR] Introduce fluent-bit-plugin v1 with OTLP support behind the OpenTelemetryCollector feature gate and adjust fluent-bit resources to select OTLP. by @​nickytd [#13961]

• [OPERATOR] Introduced the Victoria Operator as a component to Seed & Garden Clusters. by @​rrhubenov [#13708]

• [OPERATOR] When configuring a custom CNI path for containerd, GNA will now - in addition to checking the version of the config.toml config file - query containerd for its version and use the bin_dirs path with a string array if the config file version is 3 and containerd >= 2.2 is detected. by @​MrBatschner [#13826]

• [OPERATOR] An instance of OpenTelemetry Collector is now deployed to the garden namespace of both Garden and Seed clusters. by @​rrhubenov [#13481]

• [OPERATOR] Gardener can now support clusters with Kubernetes version 1.35. To allow creation/update of 1.35 clusters you will have to update the version of your provider extension(s) to a version that supports 1.35 as well. Please consult the respective releases and notes in the provider extension's repository. by @​timuthy [#13845]

• [USER] The Shoot field .spec.seedSelector can now be adjusted for already scheduled shoots, as long as the new selector still selects the assigned seed. by @​timuthy [#13920]

• [DEVELOPER] gardenctl in local setup by @​hown3d [#13842]

• [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.35. Extension developers have to prepare individual extensions as well to work with 1.35. by @​timuthy [#13845]

• [DEVELOPER] Environment variable MAX_PARALLEL_WORKERS can now be used to control the number of parallel workers that are spawned during the call to the make generate target. by @​rrhubenov [#13903]

🐛 Bug Fixes

• [OPERATOR] An issue causing unwanted reconciliations of Secrets and other objects due to cache resyncs in the project activity reconciler is now fixed. by @​shafeeqes [#13945]
• [OPERATOR] This PR fixes webhook certificate reconciliation to properly apply changes in webhook configurations. by @​acumino [#13971]
• [OPERATOR] Fixes a bug when feature gate UseUnifiedHTTPProxyPort was used in conjunction with a seed load balancer using proxy protocol. by @​maboehm [#13832]

... (truncated)

Commits

• f7a1de9 release v1.136.0
• a686800 Fix endpointslice group (#14069)
• af9174b [release-v1.136] Rename test CLI flags for gardener and k8s (#14055)
• faf1372 [release-v1.136] Ensure shoot opentelemetry collectors pipeline migration (#1...
• 4fe2a9b [release-v1.136] Compaction Alerts : Adapt Existing Alert + Introduce Two New...
• d140348 [release-v1.136] Use k8s >=1.34 for EndpointSlice for Apiservices (#14041)
• b5b2b41 Unconditionally enable discovery.k8s.io/v1 for workerless shoots (#14027)
• 5ee535c [gardenadm join] Ensure no active Shoot reconciliation (#14004)
• e2cee15 Split the ShootDNS admission plugin into mutating and validating admission ...
• 7bf0230 Update module golang.org/x/tools to v0.42.0 (#14001)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[domdom82]

/lgtm

/approve

[gardener-prow]

LGTM label has been added.

Details

Git tree hash: d0df88321bd52717c54c49f8fb3acd4a58bfc960

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: domdom82

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [domdom82]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment