chore(deps): bump github.com/gardener/gardener from 1.118.3 to 1.125.0

[dependabot]

Bumps github.com/gardener/gardener from 1.118.3 to 1.125.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.125.0

[gardener/gardener]

⚠️ Breaking Changes

• [OPERATOR] spec.addons.nginxIngress.loadBalancerSourceRanges are now validated as CIDRs. by @​ScheererJ #12539
• [OPERATOR] spec.addons.nginxIngress.config is now validated as conforming to config map data rules. by @​ScheererJ #12539
• [OPERATOR] spec.systemComponents.coreDNS.rewriting.commonSuffixes are now validated against DNS rules. by @​ScheererJ #12539
• [OPERATOR] The UseNamespacedCloudProfile feature gate has been graduated to GA and is locked to true. by @​LucaBernstein #12620
• [OPERATOR] spec.networking.type is now validated as being a label name. by @​ScheererJ #12539
• [OPERATOR] All annotations of kube-apiserver service in the shoot control planes will be replaced by the minimum required set of annotations. Manually added annotations will be removed. by @​ScheererJ #12630
• [OPERATOR] The name of ExposureClass resources is now properly checked to be compliant to the DNS label rules. by @​ScheererJ #12539
• [USER] Setting shoot's .spec.providers.workers[].{maxSurge, maxUnavailable} will be denied in future versions of Gardener for workers with updateStrategy ManualInPlaceUpdate. Users should unset these values with this version of Gardener. by @​acumino #12607

✨ New Features

• [USER] The Shoot resource does now support configuring the global maximum allowed resources the vpa-recommender can recommend for a container. The corresponding upstream configuration option solves a known limitation of vpa-recommender where it can make a Pod unschedulable by recommending resource requests more than largest Node's allocatable. For more details, see Specifying global maximum allowed resources to prevent pods from being unschedulable. by @​ialidzhikov #12481
• [OPERATOR] The Seed and Garden resources do now support configuring the global maximum allowed resources the vpa-recommender can recommend for a container. The corresponding upstream configuration option solves a known limitation of vpa-recommender where it can make a Pod unschedulable by recommending resource requests more than largest Node's allocatable. For more details, see Specifying global maximum allowed resources to prevent pods from being unschedulable. by @​ialidzhikov #12481

🐛 Bug Fixes

• [OPERATOR] Fixed local gardenadm development setup for non-amd64 systems. by @​ScheererJ #12619
• [OPERATOR] A bug which could cause istio service and workload dashboards to show "many-to-many matching errors" after kube-apiserver pods were rolling has been fixed. by @​oliver-goetz #12635
• [OPERATOR] Fix cluster-autoscaler specific annotations on machine deployment upon update in worker specific cluster autoscaler options. by @​takoverflow #12548
• [OPERATOR] Seed registration was fixed for ManagedSeeds with seed templates configuring spec.resources. by @​timuthy #12652
• [OPERATOR] Fixed a bug in the cluster overview dashboard that showed cluster-autoscaler as down when not deployed. by @​rickardsjp #12654
• [OPERATOR] A bug which was causing the gardener-node-agent to enter crash-loop when its config was updated with breaking changes was fixed. by @​AleksandarSavchev #12589
• [USER] The Kubernetes feature gate ValidatingAdmissionPolicy is now marked as removed in Kubernetes 1.32. Previously, it was possible to upgrade a Shoot cluster to Kubernetes 1.32 with this feature gate enabled, which resulted in kube-apiserver failing to start due to an unrecognized feature gate. by @​marc1404 #12643

🏃 Others

• [DEPENDENCY] The following dependencies have been updated:
  • gardener/vpn2 from 0.40.0 to 0.41.0. Release Notes by @​gardener-ci-robot #12675
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.81.0 to 1.81.1. Release Notes by @​gardener-ci-robot #12616
• [DEPENDENCY] The following dependencies have been updated:
  • gcr.io/istio-release/pilot from 1.25.3 to 1.25.4.
  • gcr.io/istio-release/proxyv2 from 1.25.3 to 1.25.4.
  • istio.io/api from v1.25.3 to v1.25.4. by @​gardener-ci-robot #12655
• [DEPENDENCY] The following dependencies have been updated:
  • envoyproxy/envoy from v1.34.3 to v1.35.0. Release Notes by @​gardener-ci-robot #12598
• [USER] Updates to spec.networking.ipFamiles are now validated. by @​axel7born #12523
• [DEVELOPER] migrate CICD-Pipeline to GitHub-Actions by @​ccwienk #12592
• [DEVELOPER] The hostname of provider-local Machines/Nodes can be resolved via DNS, similar to typical cloud infrastructure environments. This allows connecting from a Bastion to a Node via its hostname. by @​timebertt #12657
• [DEVELOPER] DNSRecord may now use non-canonical IPv6 addresses. by @​ScheererJ #12667
• [OPERATOR] Adds machine capability based image defaulting to Shoots created with Cloudprofiles using Capabilities. by @​Roncossek #12529
• [OPERATOR] The Shoot Prometheus RBAC is now restricted to the control-plane and the garden namespace. by @​chrkl #12264
• [OPERATOR] A new validation for the following (Namespaced)CloudProfile fields has been added, ensuring qualified names:
  • .spec.machineImages[].name
  • .spec.machineImages[].versions[].cri[].containerRuntimes[].type
  • .spec.machineTypes[].name
  • .spec.capabilities.name
  • .spec.capabilities.values

... (truncated)

Commits

• 4ea7d14 release v1.125.0
• 474363f Update prometheus-operator to v0.84.1 (#12681)
• b03126f Update dependency gardener/vpn2 to v0.41.0 (#12675)
• 2e5c9fa [GEP-28] gardenadm bootstrap: Compile ShootState (#12669)
• 022c500 Harden (Namespaced)CloudProfile field validation (#12666)
• 3f8f06c Move the do not use note from the FeatureGates field to the `KubernetesCo...
• 94b6f57 Refine defaults and validation for worker with ManualInPlaceUpdate strategy (...
• bd98f29 [GEP-28] Make provider-local machine hostnames resolvable (#12657)
• 83614cf [GEP-33] Add Capabilities support to Worker MachineImage Version defaulting (...
• b0f52e1 [GEP-26] Prepare local setup with extensions for WorkloadIdentities (#12519)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #785.