Bump github.com/gardener/gardener from 1.136.3 to 1.137.0

[dependabot]

Bumps github.com/gardener/gardener from 1.136.3 to 1.137.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.137.0

[github.com/gardener/gardener:v1.137.0]

⚠️ Breaking Changes

• [OPERATOR] The garden_garden_last_operation metric structure has changed: the last_operation label has been renamed to type, and a new state label has been added to expose the operation state. Existing queries and dashboards using the last_operation label must be updated to use type instead. Additionally, two new alerts have been introduced: GardenLastOperationInErrorState and GardenLastOperationStuckProcessing. by @​rickardsjp [#13827]
• [DEVELOPER] The pkg/utils/secrets/manager.New function's signature has been reworked to accept config functions. Namespaces are now passed via WithNamespaces(...string), automatic CA secret rotation can be disabled via WithoutCASecretAutoRotation(), and the map of secret names to "last rotation initiation times" is passed via WithSecretNamesToTimes(map[string]time.Time). Accordingly, pkg/utils/secrets/manager.Config has been removed. by @​rfranzke [#14000]
• [DEVELOPER] All Gardener Enhancement Proposals (GEPs) have been moved out of gardener/gardener to the new gardener/enhancements repository. Read the Slack thread to learn more about it. by @​rfranzke [#14043]
• [DEVELOPER] When using ModeService in the extension webhook library, the specified service port is now properly propagated when constructing the admissionregistrationv1.WebhookClientConfig for {Validating,Mutating}WebhookConfigurations (previously, it was not specified at all and defaulted to 443 by Kubernetes). Make sure to specify --webhook-config-service-port to prevent falling back to the --webhook-config-server-port (if configured). by @​rfranzke [#14063]
• [DEVELOPER] The package github.com/gardener/gardener/pkg/apis has been made a Go submodule. Validations and helpers from ./pkg/apis have been moved to ./pkg/api. The package pkg/utils/timewindow has been moved to pkg/apis/utils/timewindow. The component configs ./pkg/{admissioncontroller,controllermanager,gardenlet,nodeagent,operator,resourcemanager,scheduler} have been moved to ./pkg/apis/config/... and their helper and validation packages to ./pkg/api/config/.... Extension developers can use the commands provided in this Gist to update the import paths programmatically. by @​LucaBernstein [#13536]

✨ New Features

• [OPERATOR] A default .machineControllerManager.machineCreationTimeout can be provided for a machine type in the CloudProfile. by @​LucaBernstein [#14032]
• [OPERATOR] Operators can configure workload identity token expiration duration via gardenlet's configuration by setting .controllers.tokenRequestorWorkloadIdentity.tokenExpirationDuration. by @​dimityrmirchev [#13752]
• [OPERATOR] Feature gate VictoriaLogsBackend has been introduced to the gardenlet and gardener-operator. When enabled, an instance of VictoriaLogs is deployed in the respective cluster. by @​rrhubenov [#13988]
• [OPERATOR] The "Reversed VPN OpenVPN Server (HA)" dashboard now shows packet loss statistics. by @​domdom82 [#14088]
• [DEVELOPER] Secrets Manager: The automatic renewal of Secrets about to expire can now be disabled with the config function WithoutAutomaticSecretRenewal() passed to New(). This is useful if you want to prevent your secrets manager instance from listing all existing Secrets in the cluster when instantiated. by @​rfranzke [#14000]
• [DEVELOPER] gardener-node-agent now supports node-specific configuration files, i.e. files which are only applied to a specified node. by @​ScheererJ [#13412]
• [DEVELOPER] The secrets manager now allows to load missing signing CA certificate secrets directly from the cluster in case they were not generated upfront. This is helpful when the secrets manager instance generating certificates is not the same managing the signing CA certificate lifecycle. by @​rfranzke [#14000]

🐛 Bug Fixes

• [OPERATOR] Fixed the shoot-care controller panic for clusters where .status.credentials.rotation exists but .status.credentials.encryptionAtRest is nil. by @​maboehm [#14147]
• [OPERATOR] Fixed an issue with the maximum batch size that the OpenTelemetry Collector instances can send. by @​rrhubenov [#14108]
• [OPERATOR] Systemd logs are now collected from seed clusters as expected. by @​nickytd [#14071]
• [OPERATOR] Additional finetuning to the Collector configuration has been applied for improved memory usage. by @​rrhubenov [#14127]
• [OPERATOR] A bug is fixed in the extension scrape configuration in the seed Prometheus, where the scrape address was not correctly configured on IPv4 setups. by @​vicwicker [#14111]
• [OPERATOR] An issue causing the control-plane migration to get stuck if the source backup entry deployment was retried is now fixed. by @​shafeeqes [#14091]
• [USER] An issue which lead to a nil pointer in gardenlet when a Shoot had an empty .spec.addons structure defined is now fixed. by @​voelzmo [#14112]
• [DEPENDENCY] extension library: Extension admission webhooks now return http.StatusForbidden when validation/mutation fails. With this, the failure reason is now properly displayed when updating the resource with kubectl edit. by @​dnaeon [#14026]

🏃 Others

• [OPERATOR] When L7 load-balancing is active, connections to kube-apiservers have a timeout of 1 day now. by @​oliver-goetz [#14061]
• [OPERATOR] All VerticalPodAutoscaler resources managed by Gardener are enhanced to define an explicit container policy for all containers that need to be auto-scaled and to have a catch-all container policy (containerName: '*' and mode: Off) always. by @​voelzmo [#14009]
• [OPERATOR] Resource limits are dropped from apiserver-proxy to increase shoot connectivity. by @​domdom82 [#14110]
• [OPERATOR] fluent-bit is now updated to v4.2.2, fluent-operator to v3.6.0, fluent-bit-plugin to v1.1.0. Small fine-tunings of the logging stack. by @​nickytd [#14093]
• [DEVELOPER] golang-test images for Go 1.26 are built now. Those for Go 1.24 are not built anymore because it is out of maintenance. by @​marc1404 [#14024]
• [DEVELOPER] The following dependencies are updated:
  • k8s.io/*: v0.34.3 -> v0.35.0
  • sigs.k8s.io/controller-runtime: v0.22.5 -> v0.23.1
  • sigs.k8s.io/controller-tools: v0.19.0 -> v0.20.0 by @​timuthy [#13982]
• [DEVELOPER] New slice functions were added to the pkg/utils package that can be used to transform and filter elements. by @​timuthy [#14042]
• [DEVELOPER] The message for the recently introduced Prometheus health checks that is part of the status conditions of Garden, Seed or Shoot resources is improved. It provides more detailed information about the failing Prometheus health checks to facilitate troubleshooting. by @​vicwicker [#14006]
• [DEVELOPER] etcd-druid is now configured with OperatorConfiguration instead of the deprecated CLI flags. by @​CaptainIRS [#13674]
• [DEPENDENCY] make format target supports sequential run (again) by passing MODE=sequential. by @​LucaBernstein [#14076]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/node-problem-detector/node-problem-detector from v0.8.24 to v0.8.25. by @​gardener-ci-robot [#14017]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dependency-watchdog from v1.6.0 to v1.7.0. Release Notes by @​gardener-ci-robot [#14154]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/node-problem-detector/node-problem-detector from v1.35.1 to v1.35.2. by @​gardener-ci-robot [#14019]
• [DEPENDENCY] The following dependencies have been updated:

... (truncated)

Commits

• eef5209 release v1.137.0
• 208e1b4 fix(ci): Prevent trailing newline in additional release tags (#14171)
• daea1c4 Update dependency gardener/dependency-watchdog to v1.7.0 (#14154)
• d989786 Allow maximum worker pool nodes to exceed configured limit (#14139)
• 5d8468d [GEP-34] Fine-Tune Batch Size and Update Migration Script (#14127)
• 56221da Switch to OIDC Federation Service instead of GitHub App (#14122)
• bef1895 Update missing controller and webhooks details in docs (#14109)
• e6d886f Use OperatorConfiguration to setup etcd-druid instead of CLI flags (#13674)
• 4be0bb3 Update etcd-druid to v0.35.1 (#14146)
• 19e1ac0 Update getting_started_locally.md (#14132)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[MartinWeindel]

/kind task

[MartinWeindel]

/kind task

[MartinWeindel]

/lgtm

[gardener-prow]

LGTM label has been added.

Details

Git tree hash: c6299acef9516a64b995f747a628e26af7b7fc19

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MartinWeindel

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [MartinWeindel]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment