gardener

Kubernetes-native system managing the full lifecycle of conformant Kubernetes clusters as a service on Alicloud, AWS, Azure, GCP, OpenStack, vSphere, KubeVirt, Hetzner, EquinixMetal, MetalStack, and OnMetal with minimal TCO.

OTHER License


gardener - v1.79.1

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

📰 Noteworthy

  • [OPERATOR] gardener-resource-manager now disables the cache only for Secrets and ConfigMaps if DisableCachedClient is set to true. by @gardener-ci-robot [#8476]

🐛 Bug Fixes

  • [USER] Applying Gardener resources server-side caused the "the server is currently unable to handle the request" error, which is now fixed. by @gardener-ci-robot [#8473]
  • [OPERATOR] Several default settings of Kubernetes feature gates have been corrected. by @gardener-ci-robot [#8469]
  • [OPERATOR] A bug has been fixed that prevented ControllerInstallations from getting deleted when the backing ControllerRegistration with .spec.deployment.policy={Always,AlwaysExceptNoShoots} was deleted. by @gardener-ci-robot [#8451]

gardener - v1.79.0

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

⚠️ Breaking Changes

  • [DEVELOPER] uncachedObjects under pkg/client/kubernetes/options.go is now removed from Config struct which is used to set options for new ClientSets. Now the uncached objects can be directly set under clientOptions.Cache.DisableFor field. by @ary1992 [#8245]

📰 Noteworthy

  • [OPERATOR] The DisablingScalingClassesForShoots feature gate has been promoted to beta. by @rfranzke [#8428]

✨ New Features

  • [OPERATOR] Operators can now use the annotation gardener.cloud/operation=rotate-observability-credentials on the garden resource to rotate the observability credentials. by @acumino [#8393]
  • [OPERATOR] Configuring multiple reserve-excess-capacity deployments on Seeds is supported now by specifying .spec.settings.excessCapacityReservation.configs. by @oliver-goetz [#8356]
  • [USER] When the Kubernetes control plane version is at least v1.28, it is now possible to set the worker pool Kubernetes version to be at most three versions behind the control plane version. Earlier, only a skew of at most two versions was allowed. Find more details here. by @shafeeqes [#8402]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed which was causing the garbage collector in gardener-resource-manager to wrongfully collect Secrets related to ManagedResources when the source and the target cluster are equal. by @dimityrmirchev [#8398]
  • [OPERATOR] An issue has been fixed which was causing a broken ControlPlaneHealthy condition report for Shoots when the MachineControllerManagerDeployment feature gate gets enabled until their next reconciliation. by @rfranzke [#8407]
  • [OPERATOR] Update Kubernetes dependencies (especially k8s.io/client-go) from v0.26.3 to v0.26.4 to resolve panic on working with special shoots. by @MartinWeindel [#8422]

🏃 Others

  • [OPERATOR] Add Prometheus alert for pending seed pods by @StenlyTU [#8406]
  • [OPERATOR] The admission controllers of common provider extensions are automatically installed in the local extensions development setup by @ScheererJ [#8311]
  • [OPERATOR] The WorkerlessShoots feature gate has been promoted to beta and is now turned on by default. Before deploying this Gardener version, make sure that all your registered extensions support this feature gate. by @acumino [#8417]
  • [OPERATOR] The following image is updated:
    • quay.io/prometheus/alertmanager: v0.24.0 -> v0.26.0 by @istvanballok [#8408]
  • [DEVELOPER] The following dependencies are updated:
    • k8s.io/* : v0.26.4 -> v0.27.5
    • sigs.k8s.io/controller-runtime: v0.14.6 -> v0.15.2 by @ary1992 [#8245]

[gardener/apiserver-proxy]

🏃 Others

  • [OPERATOR] Update golang base container image to 1.21.0. by @dependabot[bot] [gardener/apiserver-proxy#43]
  • [OPERATOR] Update alpine base image components to 3.18.3. by @dependabot[bot] [gardener/apiserver-proxy#42]
  • [OPERATOR] Removed apiserver-proxy pod webhook as it is now included in Gardener Resource Manager. by @ScheererJ [gardener/apiserver-proxy#39]
  • [OPERATOR] Update gardener/gardener to 1.77.1. by @dependabot[bot] [gardener/apiserver-proxy#44]

[gardener/vpn2]

📰 Noteworthy

  • [OPERATOR] Update to golang v1.21 by @ScheererJ [gardener/vpn2#42]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.79.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.79.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.79.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.79.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.79.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.79.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.79.0

gardener - v1.76.4

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Update Kubernetes dependencies (especially k8s.io/client-go) from v0.26.3 to v0.26.4 to resolve panic on working with special shoots. by @gardener-ci-robot [#8425]
  • [OPERATOR] An issue has been fixed which was causing a broken ControlPlaneHealthy condition report for Shoots when the MachineControllerManagerDeployment feature gate gets enabled until their next reconciliation. by @gardener-ci-robot [#8409]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.76.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.76.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.76.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.76.4
operator: eu.gcr.io/gardener-project/gardener/operator:v1.76.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.76.4
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.76.4

gardener - v1.77.3

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Update Kubernetes dependencies (especially k8s.io/client-go) from v0.26.3 to v0.26.4 to resolve panic on working with special shoots. by @gardener-ci-robot [#8424]
  • [OPERATOR] An issue has been fixed which was causing a broken ControlPlaneHealthy condition report for Shoots when the MachineControllerManagerDeployment feature gate gets enabled until their next reconciliation. by @gardener-ci-robot [#8410]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.77.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.77.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.77.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.77.3
operator: eu.gcr.io/gardener-project/gardener/operator:v1.77.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.77.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.77.3

gardener - v1.78.2

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue has been fixed which was causing a broken ControlPlaneHealthy condition report for Shoots when the MachineControllerManagerDeployment feature gate gets enabled until their next reconciliation. by @gardener-ci-robot [#8411]
  • [OPERATOR] Update Kubernetes dependencies (especially k8s.io/client-go) from v0.26.3 to v0.26.4 to resolve panic on working with special shoots. by @gardener-ci-robot [#8423]

gardener - v1.77.2

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed which was causing the garbage collector in gardener-resource-manager to wrongfully collect Secrets related to ManagedResources when the source and the target cluster are equal. by @gardener-ci-robot [#8404]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.77.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.77.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.77.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.77.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.77.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.77.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.77.2

gardener - v1.78.1

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed which was causing the garbage collector in gardener-resource-manager to wrongfully collect Secrets related to ManagedResources when the source and the target cluster are equal. by @gardener-ci-robot [#8403]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.78.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.78.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.78.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.78.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.78.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.78.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.78.1

gardener - v1.78.0

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

⚠️ Breaking Changes

  • [DEVELOPER] The following mapper funcs from the extension library no longer accept a context.Context arg - ClusterToContainerResourceMapper, ClusterToControlPlaneMapper, ClusterToDNSRecordMapper, ClusterToExtensionMapper, ClusterToInfrastructureMapper, ClusterToNetworkMapper, ClusterToWorkerMapper and ClusterToObjectMapper. The context.Context arg was redundant and not used. by @acumino [#8321]
  • [USER] Deprecated annotation alpha.featuregates.shoot.gardener.cloud/node-local-dns is removed. Use field .spec.systemComponents.nodeLocalDNS.enabled in Shoot instead. Switching on node-local-dns via shoot specification will roll the nodes even if node-local-dns was enabled beforehand via annotation. by @acumino [#8364]
  • [USER] Deprecated annotation alpha.featuregates.shoot.gardener.cloud/node-local-dns-force-tcp-to-{cluster-dns, upstream-dns} is removed. Use field .spec.systemComponents.nodeLocalDNS.{forceTCPToClusterDNS, forceTCPToUpstreamDNS} in Shoot instead. by @acumino [#8364]

✨ New Features

  • [OPERATOR] kubectl get garden now features additional printer column Observability providing information about the Observability components of the runtime cluster. by @gardener-ci-robot [#8384]
  • [OPERATOR] It is possible now to trigger a seed reconciliation by annotating the Seed with gardener.cloud/operation=reconcile. by @shafeeqes [#8347]
  • [OPERATOR] Status of garden now includes the ObservabilityComponentsHealthy condition which shows the health of observability components in the garden runtime-cluster. by @oliver-goetz [#8346]

🐛 Bug Fixes

  • [OPERATOR] operator now deletes ManagedResources deployed to the virtual-garden before deleting virtual-garden-kube-apiserver. by @oliver-goetz [#8368]
  • [OPERATOR] A bug is fixed that prevented scraping the metrics of etcd in the shoot control plane. by @istvanballok [#8371]
  • [OPERATOR] A bug is fixed that rendered the "CPU usage" panel of the "VPN" Plutono dashboard blank. by @gardener-ci-robot [#8392]
  • [OPERATOR] A bug is fixed in the Prometheus alert definitions that caused false positive KubePodNotReadyControlPlane alerts related to the etcd compaction job. by @rickardsjp [#8361]

🏃 Others

  • [OPERATOR] Shoot node network and seed pod network need to be disjoint. This will be checked during scheduling of a shoot cluster, i.e. during initial admission or on control-plane migration. by @ScheererJ [#8353]
  • [OPERATOR] Prometheus scrape job configs for targets in the shoot cluster have been improved. by @rickardsjp [#8360]
  • [OPERATOR] The following images are updated:
    • registry.k8s.io/metrics-server/metrics-server: v0.6.3 -> v0.6.4
    • registry.k8s.io/cpa/cluster-proportional-autoscaler: v1.8.8 -> v1.8.9
    • registry.k8s.io/coredns/coredns: v1.10.0 -> v1.10.1
    • quay.io/prometheus/blackbox-exporter: v0.23.0 -> v0.24.0
    • quay.io/prometheus/node-exporter: v1.5.0 -> v1.6.1
    • ghcr.io/credativ/plutono: v7.5.22 -> v7.5.23
    • ghcr.io/prometheus-operator/prometheus-config-reloader: v0.61.1 -> v0.67.1
    • registry.k8s.io/dns/k8s-dns-node-cache: 1.22.20 -> 1.22.23 by @ialidzhikov [#8324]
  • [OPERATOR] The following images are updated:
    • registry.k8s.io/kube-state-metrics/kube-state-metrics: v2.5.0 -> v2.8.2 by @gardener-ci-robot [#8391]
  • [OPERATOR] gardener-operator now takes over management of plutono. by @acumino [#8301]
  • [OPERATOR] kubectl proxy now works as expected in the local development setup in conjunction with highly available vpn by @ScheererJ [#8370]
  • [DEPENDENCY] Backupbucket/backupentry controllers: watch secret metadata only by @MartinWeindel [#8348]
  • [DEVELOPER] Test-machinery integration tests are now using upstream K8s e2e test images such as registry.k8s.io/e2e-test-images/busybox, registry.k8s.io/e2e-test-images/agnhost instead of Gardener images such as eu.gcr.io/gardener-project/3rd/busybox, eu.gcr.io/gardener-project/3rd/alpine and others. by @ialidzhikov [#8341]

[gardener/etcd-druid]

🏃 Others

  • [OPERATOR] Upgrade gardener/gardener from 1.65.0 to 1.76.0 by @acumino [gardener/etcd-druid#657]
  • [OPERATOR] All default images are now present in images.yaml by @aaronfern [gardener/etcd-druid#673]

[gardener/dependency-watchdog]

🏃 Others

  • [OPERATOR] Bump g/g version to remove stale client-go dependency by @rishabh-11 [gardener/dependency-watchdog#92]

[gardener/hvpa-controller]

🏃 Others

  • [OPERATOR] Updated go to 1.20.7 by @voelzmo [gardener/hvpa-controller#126]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.78.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.78.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.78.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.78.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.78.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.78.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.78.0

gardener - v1.77.1

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug is fixed that prevented scraping the metrics of etcd in the shoot control plane. by @gardener-ci-robot [#8372]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.77.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.77.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.77.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.77.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.77.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.77.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.77.1

gardener - v1.75.2

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [USER] An issue has been fixed for highly-available Shoots whose etcd clusters didn't get ready in the Completing phase of a CA credentials rotation. by @gardener-ci-robot [#8305]

🏃 Others

  • [OPERATOR] gardenlet: A regression preventing the alertmanager in the garden namespace from sending email notifications is now fixed. by @gardener-ci-robot [#8315]

[gardener/hvpa-controller]

🐛 Bug Fixes

  • [OPERATOR] Fixed a bug that caused HVPA reconciliation to fail with "expected pointer, but got v2beta1.MetricSpec type" when the HPA spec had changed. by @voelzmo [gardener/hvpa-controller#125]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.75.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.75.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.75.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.75.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.75.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.75.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.75.2

gardener - v1.74.3

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [USER] An issue has been fixed for highly-available Shoots whose etcd clusters didn't get ready in the Completing phase of a CA credentials rotation. by @gardener-ci-robot [#8304]

🏃 Others

  • [OPERATOR] gardenlet: A regression preventing the alertmanager in the garden namespace from sending email notifications is now fixed. by @gardener-ci-robot [#8316]

[gardener/hvpa-controller]

🐛 Bug Fixes

  • [OPERATOR] Fixed a bug that caused HVPA reconciliation to fail with "expected pointer, but got v2beta1.MetricSpec type" when the HPA spec had changed. by @voelzmo [gardener/hvpa-controller#125]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.74.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.74.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.74.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.74.3
operator: eu.gcr.io/gardener-project/gardener/operator:v1.74.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.74.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.74.3

gardener - v1.76.3

Published by gardener-robot-ci-2 about 1 year ago

[gardener/hvpa-controller]

🐛 Bug Fixes

  • [OPERATOR] Fixed a bug that caused HVPA reconciliation to fail with "expected pointer, but got v2beta1.MetricSpec type" when the HPA spec had changed. by @voelzmo [gardener/hvpa-controller#125]

[gardener/gardener]

🏃 Others

  • [OPERATOR] A bug preventing the prometheus ingress from using the wildcard-certificate is fixed. by @gardener-ci-robot [#8320]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.76.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.76.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.76.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.76.3
operator: eu.gcr.io/gardener-project/gardener/operator:v1.76.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.76.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.76.3

gardener - v1.77.0

Published by gardener-robot-ci-1 about 1 year ago

[gardener/etcd-backup-restore]

📰 Noteworthy

  • [OPERATOR] Etcd-backup-restore now uses a distroless image as its base image. It is no longer compatible with etcd-custom-image, and must be used with etcd-wrapper instead. by @aaronfern [gardener/etcd-backup-restore#637]
  • [OPERATOR] Etcd-backup-restore now uses the user home directory to create files. by @aaronfern [gardener/etcd-backup-restore#637]

🏃 Others

  • [OPERATOR] While scaling up a non-HA etcd cluster to HA, the scale-up checks are skipped for the first member of the etcd cluster, as the first member can never be part of scale-up scenarios. by @ishan16696 [gardener/etcd-backup-restore#649]
  • [OPERATOR] Backup-restore waits for its etcd to be ready before attempting to update peerUrl by @aaronfern [gardener/etcd-backup-restore#628]
  • [DEVELOPER] Add CVE categorization for etcd-backup-restore. by @shreyas-s-rao [gardener/etcd-backup-restore#644]

[gardener/gardener]

⚠️ Breaking Changes

  • [DEVELOPER] If you are using provider-extension setup you should adapt your files in example/provider-extensions/garden/controlplane because default-domain and internal-domain secrets are removed from gardener-controlplane Helm chart. by @oliver-goetz [#8308]
  • [DEVELOPER] Package pkg/utils/managedresources now works with immutable secrets for managed resources under the hood. Existing secrets will be marked for garbage collection and replaced with immutable ones during the first reconciliation of the managed resource. by @dimityrmirchev [#8116]
  • [DEVELOPER] The Secrets type as well as the Delete functions for secrets were removed from pkg/utils/managedresources/builder since their usage was prone to errors. The higher level package pkg/utils/managedresources should be used instead. by @dimityrmirchev [#8116]
  • [DEPENDENCY] hack/generate.sh has been renamed to hack/generate-sequential.sh. by @shafeeqes [#8289]
  • [DEPENDENCY] The deprecated extensions/pkg/controller/worker.{Options,ApplyMachineResources{ForConfig}} symbols have been dropped since gardenlet takes over management of the machine.gardener.cloud/v1alpha1 API CRDs since gardener/[email protected]. by @rfranzke [#8280]
  • [OPERATOR] The virtual-garden-kube-apiserver service (for the virtual-garden cluster) was switched from type LoadBalancer to ClusterIP. Please make sure to migrate all DNS records from the virtual-garden-kube-apiserver to the istio-ingressgateway endpoint before upgrading to this Gardener version. by @timuthy [#8302]
  • [OPERATOR] gardenlet no longer reports the Bootstrapped condition on Seeds. Instead, it now reports the progress in .status.lastOperation, similar to how it's done for Shoots. by @rfranzke [#8290]
  • [OPERATOR] default-domain, internal-domain, alerting and openvpn-diffie-hellman secrets are removed from the gardener-controlplane Helm chart. Please ensure that you manage them in a different way before upgrading Gardener. If you would like to prevent Helm from deleting these secrets during the upgrade, you could annotate them with "helm.sh/resource-policy": keep. by @oliver-goetz [#8308]

📰 Noteworthy

  • [DEVELOPER] The charts/images.yaml file was moved to imagevector/images.yaml. by @rfranzke [#8250]
  • [DEPENDENCY] pkg/utils/chart does now support embedded charts. The already deprecated methods in the ChartApplier and ChartRenderer will be removed in a few releases, so extensions should adapt to embedded charts. by @rfranzke [#8250]
  • [OPERATOR] Gardenlet can now set feature gates for etcd-druid. They can be specified via the gardenlet configuration GardenletConfiguration.EtcdConfig.FeatureGates by @gardener-ci-robot [#8335]

✨ New Features

  • [OPERATOR] The garbage collection controller now also considers managed resources when deciding if secrets/configmaps should be garbage collected. by @dimityrmirchev [#8116]
  • [OPERATOR] Gardener Scheduler's Minimal Distance strategy can take scheduling decisions based on region distances configured by operators. This especially improves the allocation for shoots of providers regions for which the standard Levenshtein distance is inappropriate. Please see docs/concepts/scheduler.md for more information. by @timuthy [#8277]
  • [OPERATOR] Operators can now view and manage dashboards for compaction jobs running in shoot control plane. by @abdasgupta [#8206]
  • [OPERATOR] maintenance-controller now disables the PodSecurityPolicy admission controller when forcefully upgrading the Kubernetes version of a Shoot to v1.25. It also ensures that the maximum workers of each group is greater than or equal to its number of zones for forceful upgrades to v1.27. by @oliver-goetz [#8281]
  • [OPERATOR] kubectl get garden now features additional printer columns providing more information about the substantial configuration values and statuses. by @rfranzke [#8279]
  • [OPERATOR] The gardener-apiserver now drops expired Kubernetes and MachineImage versions from Cloudprofiles during creation. by @shafeeqes [#8297]
  • [OPERATOR] gardener-operator now takes over management of fluent-operator and vali. by @vlvasilev [#8240]
  • [USER] Two additional labels worker.gardener.cloud/image-name and worker.gardener.cloud/image-version are attached to worker nodes to identify which operating system they are running. This can then be used in selectors that target only workers with a specific operating system and is helpful for e.g. driver deployment. by @MrBatschner [#8295]
  • [USER] A new feature gate named ContainerdRegistryHostsDir is introduced to gardenlet. When enabled, the /etc/containerd/certs.d directory is created on the Node and containerd is configured to look up registries/mirrors configuration in this directory (if there is any configuration applied). In the future, the registry-cache extension will add such registries/mirrors configuration under this directory (via OperatingSystemConfig mutation). by @ialidzhikov [#8094]
  • [USER] The Shoot maintenance controller now updates the CRI of worker pools from docker to containerd when force-upgrading from Kubernetes v1.22 to v1.23. by @oliver-goetz [#8272]
  • [DEVELOPER] Extensions running on seed clusters can get access to the garden cluster by using the injected kubeconfig specified by the GARDEN_KUBECONFIG environment variable. You can read about the details in this doc. by @timebertt [#8264]

🐛 Bug Fixes

  • [OPERATOR] When Shoots were updated from non high-availability to zone high-availability, it could happen that the control-plane was scheduled to two instead of three zones. This issue is relevant for cloud providers with an inconsistent zone naming (Azure is currently the only candidate to our knowledge).
    Existing shoots with the aforementioned problem must be fixed manually by operators if required. An automatic move of etcds and their volumes is not part of this fix due to availability reasons. by @gardener-ci-robot [#8345]
  • [OPERATOR] gardenlet: A regression causing metering related recording rules for the aggregate-prometheus not to be applied is now fixed. by @istvanballok [#8284]
  • [USER] An issue has been fixed for highly-available Shoots whose etcd clusters didn't get ready in the Completing phase of a CA credentials rotation. by @timuthy [#8303]

🏃 Others

  • [OPERATOR] A bug preventing the prometheus ingress from using the wildcard-certificate is fixed. by @acumino [#8319]
  • [OPERATOR] A bug preventing the plutono ingress from using the wildcard-certificate is fixed. by @acumino [#8317]
  • [OPERATOR] gardenlet: A regression preventing the alertmanager in the garden namespace from sending email notifications is now fixed. by @istvanballok [#8310]
  • [DEVELOPER] The github.com/golang/mock/gomock dependency is replaced by go.uber.org/mock. by @afritzler [#8269]
  • [DEVELOPER] Add failure tolerance option to the CreateShoot test. by @hendrikKahl [#8298]

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] ⚠️ etcd.Status.ClusterSize, etcd.Status.ServiceName, etcd.Status.UpdatedReplicas have been marked as deprecated and users should refrain from depending on these fields. by @unmarshall [gardener/etcd-druid#594]
  • [OPERATOR] File ownership for var/etcd/data will be changed to non-root user (65532). by @aaronfern [gardener/etcd-druid#620]
  • [OPERATOR] Etcd-druid will now deploy distroless etcd-wrapper and etcd-backup-restore images. Please refer to etcd-wrapper for more information. by @aaronfern [gardener/etcd-druid#620]
  • [OPERATOR] Etcd-related secrets will now be mounted onto the /var/ directory instead of /root/. by @aaronfern [gardener/etcd-druid#620]
  • [DEVELOPER] Developer Action Required: The make deploy command has been replaced with make deploy-via-kustomize. Please update your deployment workflows accordingly. by @seshachalam-yv [gardener/etcd-druid#599]

✨ New Features

  • [DEVELOPER] Makefile has been updated to use Skaffold for deploying etcd-druid with the make deploy target, simplifying the deployment process and eliminating the need to push the image to the container registry for each local development testing. by @seshachalam-yv [gardener/etcd-druid#599]
  • [OPERATOR] Feature gates have been introduced in etcd-druid, and can be specified using CLI flag --feature-gate. by @aaronfern [gardener/etcd-druid#646]
  • [OPERATOR] Druid now exposes metrics related to snapshot compaction, on default port 8080. Please expose the desired metrics port via the etcd-druid service to allow metrics to be scraped by a Prometheus instance. by @abdasgupta [gardener/etcd-druid#569]
  • [OPERATOR] UseEtcdWrapper feature gate has been introduced to allow users to opt for the new etcd-wrapper image. by @aaronfern [gardener/etcd-druid#646]

🐛 Bug Fixes

  • [OPERATOR] A bug causing incorrect volume mount path for Etcds and EtcdCopyBackupsTasks using Local snapshot storage provider while using distroless etcd-backup-restore image v0.25.x has been resolved. by @aaronfern [gardener/etcd-druid#662]
  • [OPERATOR] AllMembersReady condition has now been fixed to eventually show the correct overall readiness of an etcd cluster. by @unmarshall [gardener/etcd-druid#594]
  • [OPERATOR] A bug causing EtcdCopyBackupsTask jobs to fail to create temp snapshot directory while using distroless etcd-backup-restore image v0.25.x has been resolved. by @aaronfern [gardener/etcd-druid#662]

🏃 Others

  • [OPERATOR] Print build version and go runtime info. by @shreyas-s-rao [gardener/etcd-druid#636]
  • [OPERATOR] Bumped up the custom image version to v3.4.13-bootstrap-11 by @abdasgupta [gardener/etcd-druid#623]
  • [OPERATOR] When scaling from a single-node to a multi-node etcd cluster, Etcd Druid will now first ensure that any change to the peer URL (e.g. TLS enablement) is seen by the existing etcd process running within the etcd member pod. Once that is confirmed, it will scale up the Etcd StatefulSet and add relevant annotations. by @unmarshall [gardener/etcd-druid#598]
  • [DEVELOPER] Refactored statefulset, service, poddisruptionbudget, lease, and configmap components to use default labels and owner references from etcd. by @seshachalam-yv [gardener/etcd-druid#559]
  • [DEVELOPER] Add CVE categorization for etcd-druid. by @shreyas-s-rao [gardener/etcd-druid#634]

[gardener/vpn2]

📰 Noteworthy

  • [OPERATOR] Bump builder image golang from 1.20.4 to 1.20.6 by @axel7born [gardener/vpn2#33]

[gardener/hvpa-controller]

🐛 Bug Fixes

  • [OPERATOR] Fixed a bug that caused HVPA reconciliation to fail with "expected pointer, but got v2beta1.MetricSpec type" when the HPA spec had changed. by @voelzmo [gardener/hvpa-controller#125]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.77.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.77.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.77.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.77.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.77.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.77.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.77.0

gardener - v1.76.2

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [USER] An issue has been fixed for highly-available Shoots whose etcd clusters didn't get ready in the Completing phase of a CA credentials rotation. by @gardener-ci-robot [#8306]

🏃 Others

  • [OPERATOR] A bug preventing the plutono ingress from using the wildcard-certificate is fixed. by @gardener-ci-robot [#8318]
  • [OPERATOR] gardenlet: A regression preventing the alertmanager in the garden namespace from sending email notifications is now fixed. by @gardener-ci-robot [#8314]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.76.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.76.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.76.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.76.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.76.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.76.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.76.2

gardener - v1.76.1

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] gardenlet: A regression causing metering related recording rules for the aggregate-prometheus not to be applied is now fixed. by @gardener-ci-robot [#8286]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.76.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.76.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.76.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.76.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.76.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.76.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.76.1

gardener - v1.76.0

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

⚠️ Breaking Changes

  • [OPERATOR] Removed service.beta.kubernetes.io/aws-load-balancer-type: nlb annotation from istio-ingressgateway service template. Set this annotation in seed configuration. Note: Changing load balancer type creates a new one, old one requires manual clean-up. by @axel7born [#8214]
  • [OPERATOR] When deploying this version of gardener-operator, make sure that you update your Garden resources with the new .spec.virtualCluster.gardener.clusterIdentity field. If you already have a gardener-apiserver deployment, make sure that the value matches the --cluster-identity flag of the current gardener-apiserver deployment. by @rfranzke [#8234]
  • [OPERATOR] gardener-operator no longer reports the Reconciled condition. Instead, it now reports the progress in .status.lastOperation, similar to how it's done for Shoots. by @rfranzke [#8238]
  • [OPERATOR] ⚠️ The deprecated field .spec.settings.ownerChecks has been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @dimitar-kostadinov [#8109]
  • [DEVELOPER] So far the github.com/gardener/gardener/pkg/utils/managedresources.{NewForShoot,CreateForShoot} funcs were ignoring the passed origin func parameter and were always using gardener as value. These funcs will now respect and use the passed origin value. by @ialidzhikov [#8260]
  • [DEVELOPER] A new field errorCodeCheckFunc is introduced in the generic Worker actuator. This should be set to parse the Gardener error codes from the error returned in Worker reconciliation. by @acumino [#8242]

✨ New Features

  • [OPERATOR] Add Care reconciler to Garden controller in gardener-operator. by @oliver-goetz [#8158]
  • [OPERATOR] Shoots can now optionally configure a specific scheduler via .spec.schedulerName. The default-scheduler is used in case none is configured. Please note that Shoots will remain Pending in case a scheduler name is configured but an adequate scheduler is not available in the landscape. by @timuthy [#8261]

🐛 Bug Fixes

  • [USER] An issue has been fixed which caused CoreDNS to not rewrite CNAME values in DNS answers. by @axel7born [#8231]
  • [DEVELOPER] A bug in the local development environment has been fixed which prevented admission of Gardener resources by extension webhooks. by @vpnachev [#8239]
  • [OPERATOR] The obsolete addons ManagedResource is now properly cleaned up. by @shafeeqes [#8233]
  • [OPERATOR] Now the vali ingress definition points to the shoot logging service. by @nickytd [#8252]

🏃 Others

  • [OPERATOR] Stability of the ssh tunnel in the local extension setup should improve due to better failure handling. by @ScheererJ [#8236]
  • [OPERATOR] The following dependency has been updated:
    • github.com/gardener/etcd-druid v0.18.1 -> v0.18.4 by @acumino [#8228]
  • [USER] It is now possible to enable disabled APIs for workerless shoot clusters via spec.kubernetes.kubeAPIServer.runtimeConfig. by @timuthy [#8258]

[gardener/dependency-watchdog]

🏃 Others

  • [DEVELOPER] update client-go version and exclude the old one in go.mod by @acumino [gardener/dependency-watchdog#90]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.76.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.76.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.76.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.76.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.76.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.76.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.76.0

gardener - v1.74.2

Published by gardener-robot-ci-1 over 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Now the vali ingress definition points to the shoot logging service. by @vpnachev [#8253]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.74.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.74.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.74.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.74.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.74.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.74.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.74.2

gardener - v1.75.1

Published by gardener-robot-ci-3 over 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] The obsolete addons ManagedResource is now properly cleaned up. by @gardener-ci-robot [#8255]
  • [OPERATOR] Now the vali ingress definition points to the shoot logging service. by @vpnachev [#8254]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.75.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.75.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.75.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.75.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.75.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.75.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.75.1

gardener - v1.75.0

Published by gardener-robot-ci-3 over 1 year ago

[gardener/gardener]

⚠️ Breaking Changes

  • [DEVELOPER] Added a new option to the ./hack/generate-controller-registration.sh script, [-e, --pod-security-enforce[=pod-security-standard]], which sets the security.gardener.cloud/pod-security-enforce annotation of the generated ControllerRegistration. When not set, this option defaults to baseline. by @AleksandarSavchev [#8099]
  • [DEVELOPER] Shoot fields .spec.dns.providers[].domains and .spec.dns.providers[].zones are now deprecated and expected to be removed in version v1.87. Please plan ahead to drop using those fields in extensions. by @timuthy [#8199]
  • [DEVELOPER] Usage of the deprecated injection mechanisms in controller-runtime (like InjectScheme, InjectLogger, InjectConfig, InjectClient, InjectCache etc.) as well as the package extensions/pkg/controller/common is dropped in preparation for upgrading to the next version, where injection is removed entirely. With this, Inject* functions on controllers, predicates, actuators, delegates, and friends are not called anymore. When upgrading the gardener/gardener dependency to this version, all injection implementations need to be removed. As a replacement, you can get the needed clients and similar from the manager during initialisation of the component. by @ary1992 [#8217]
  • [OPERATOR] gardener-operator is now managing the nginx-ingress-controller and nginx-ingress-k8s-backend components. Make sure that your Garden resource specifies the .spec.runtimeCluster.ingress section. by @StenlyTU [#7945]
  • [OPERATOR] Support for nip.io shoot domains is discontinued. by @timuthy [#8199]
  • [USER] Adding Gardener-managed finalizers (e.g., gardener or gardener.cloud/reference-protection) to the Shoot on creation is now forbidden. by @shafeeqes [#8209]
  • [USER] Shoot fields .spec.dns.providers[].domains and .spec.dns.providers[].zones are now deprecated and expected to be removed in version v1.87. Please use the extensions' configuration to configure providers with this ability. by @timuthy [#8199]
  • [DEPENDENCY] github.com/gardener/gardener/pkg/utils/gardener.ShootAccessSecret was renamed to AccessSecret. by @timebertt [#8204]

✨ New Features

  • [OPERATOR] Added pod security enforce level baseline label to Istio-related namespaces. The garden and shoot namespaces have the privileged level. For extension namespaces, the new security.gardener.cloud/pod-security-standard-enforce annotation on ControllerRegistration resources specifies the level. When set, the extension namespace is created with pod-security.kubernetes.io/enforce label set to security.gardener.cloud/pod-security-standard-enforce's value. by @AleksandarSavchev [#8099]
  • [USER] Gardener now allows omitting or only partially defining Kubernetes versions in Shoots. The version will automatically be defaulted to the latest minor and/or patch version found in the linked CloudProfile. by @timuthy [#8198]
  • [USER] A new optional constraint CRDsWithProblematicConversionWebhooks is introduced in the Shoot status. This constraint indicates that there is at least one CRD in the cluster which has multiple stored versions and a conversion webhook configured, which could break the reconciliation flow of a Shoot in some cases. by @shafeeqes [#8159]
  • [USER] It is now possible to reference Secrets containing kubeconfigs for admission plugins in Shoots. The referenced Secret must be referenced in .spec.resources as well as in .spec.kubernetes.kubeAPIServer.admissionPlugins[].kubeconfigSecretName. by @acumino [#8110]

🐛 Bug Fixes

  • [OPERATOR] Fix network annotations to allow fluent-bit connecting to shoot Valis. by @vlvasilev [#8197]
  • [OPERATOR] A bug causing the gardenlet to panic when an ETCD encryption key rotation operation is triggered for a hibernated Shoot is now fixed. Now, triggering ETCD encryption key rotation or ServiceAccount signing key rotation is forbidden when the Shoot is in the waking up phase. by @shafeeqes [#8184]

🏃 Others

  • [OPERATOR] nginx-ingress-controller image is updated to v1.8.1 for Kubernetes v1.24+ clusters. by @shafeeqes [#8205]
  • [OPERATOR] The eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler image has been updated from v1.26.2 to v1.27.0 (for Kubernetes >= 1.27). by @rishabh-11 [#8187]
  • [OPERATOR] The shoots/adminkubeconfig relies on the ca-client InternalSecret only and does not use the ShootState object anymore. by @timebertt [#8195]
  • [OPERATOR] Update Prometheus job tunnel-probe-apiserver-proxy to fix for HA VPN mode by @Sallyan [#7954]
  • [OPERATOR] Update vertical-pod-autoscaler to v0.14.0. by @voelzmo [#8166]
  • [DEVELOPER] Go version is updated to 1.20.6. by @oliver-goetz [#8224]

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] ⚠️ etcd.Status.ClusterSize, etcd.Status.ServiceName, etcd.Status.UpdatedReplicas have been marked as deprecated and users should refrain from depending on these fields. by @shreyas-s-rao [gardener/etcd-druid#637]

🐛 Bug Fixes

  • [OPERATOR] AllMembersReady condition has now been fixed to eventually show the correct overall readiness of an etcd cluster. by @shreyas-s-rao [gardener/etcd-druid#637]

🏃 Others

  • [OPERATOR] Print build version and go runtime info. by @shreyas-s-rao [gardener/etcd-druid#637]
  • [DEVELOPER] Add CVE categorization for etcd-druid. by @shreyas-s-rao [gardener/etcd-druid#637]

[gardener/etcd-backup-restore]

🏃 Others

  • [OPERATOR] Bump alpine base version for Docker build to 3.18.2. by @shreyas-s-rao [gardener/etcd-backup-restore#638]
  • [DEVELOPER] Add CVE categorization for etcd-backup-restore. by @shreyas-s-rao [gardener/etcd-backup-restore#644]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.75.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.75.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.75.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.75.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.75.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.75.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.75.0

gardener - v1.73.2

Published by gardener-robot-ci-1 over 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed for Istio-Ingress Gateways for seeds that use ExposureClassHandlers. Earlier, annotations in seed.spec.settings.loadBalancerServices caused an override of the ones specified in gardenletConfiguration.exposureClassHandler[].loadBalancerService for zonal Istios. Now, annotations in gardenletConfiguration.exposureClassHandler[].loadBalancerService are given priority, as was already the case for the global Istio. by @gardener-ci-robot [#8179]

🏃 Others

  • [OPERATOR] Adapt vpa-updater QPS limits such that it doesn't get throttled on large clusters by @gardener-ci-robot [#8175]

Docker Images

apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.73.2
admission-controller: eu.gcr.io/gardener-project/gardener/apiserver:v1.73.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.73.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.73.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.73.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.73.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.73.2