Release Notes v1.91

Yake release notes and upgrade guide​

Update gardener-controlplane to 1.90.2

[gardener/gardener]

🐛 Bug Fixes

  • [USER] An issue has been fixed which caused Shoot reconciliation to get stuck because the API discovery used to generate the read-only ClusterRole for shoots/viewerkubeconfig subresource failed. by @rfranzke [#9361]

Docker Images​

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.90.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.90.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.90.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.90.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.90.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.90.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.90.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.90.2
Update gardenlet to 1.90.2

[gardener/gardener]

🐛 Bug Fixes

  • [USER] An issue has been fixed which caused Shoot reconciliation to get stuck because the API discovery used to generate the read-only ClusterRole for shoots/viewerkubeconfig subresource failed. by @rfranzke [#9361]

Docker Images​

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.90.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.90.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.90.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.90.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.90.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.90.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.90.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.90.2
Update etcd to 6.1.0

What's Changed​

New Contributors​

Full Changelog: https://github.com/gardener-community/etcd/compare/6.0.0...6.1.0

Update gardener-controlplane to 1.90.3

The release-notes for component github.com/gardener/gardener in version v1.90.3 exceeded the maximum length of 25000 characters allowed by GitHub for release-bodies. They have been uploaded as release-asset and can be found at https://github.com/gardener/gardener/releases/download/v1.90.3/release_notes.md.

Update gardenlet to 1.90.3

The release-notes for component github.com/gardener/gardener in version v1.90.3 exceeded the maximum length of 25000 characters allowed by GitHub for release-bodies. They have been uploaded as release-asset and can be found at https://github.com/gardener/gardener/releases/download/v1.90.3/release_notes.md.

Update provider-alicloud to 1.51.2

no release notes available

Docker Images​

  • gardener-extension-admission-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-alicloud:v1.51.2
  • gardener-extension-provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-alicloud:v1.51.2
Update cloudprofiles to 0.7.1
Update etcd to 6.2.0

What's Changed​

Full Changelog: https://github.com/gardener-community/etcd/compare/6.1.0...6.2.0

Update gardener-controlplane to 1.90.4

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A configuration issue of the prometheus-operator managed alertmanager instances is fixed. by @istvanballok [#9420]
  • [OPERATOR] A bug has been fixed which prevented pods from starting on clusters of at least 1.28 if they were using old PersistentVolumes created with the deprecated failure-domain.beta.kubernetes.io/{zone,region} labels. by @rfranzke [#9413]

Docker Images​

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.90.4
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.90.4
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.90.4
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.90.4
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.90.4
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.90.4
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.90.4
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.90.4
Update gardenlet to 1.90.4

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A configuration issue of the prometheus-operator managed alertmanager instances is fixed. by @istvanballok [#9420]
  • [OPERATOR] A bug has been fixed which prevented pods from starting on clusters of at least 1.28 if they were using old PersistentVolumes created with the deprecated failure-domain.beta.kubernetes.io/{zone,region} labels. by @rfranzke [#9413]

Docker Images​

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.90.4
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.90.4
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.90.4
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.90.4
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.90.4
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.90.4
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.90.4
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.90.4
Update provider-azure to 1.42.0

[gardener/machine-controller-manager]

⚠️ Breaking Changes​

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [gardener/machine-controller-manager#878]

🐛 Bug Fixes

  • [OPERATOR] Fix for edge case of Node object deletion missed during machine termination. by @elankath [gardener/machine-controller-manager#887]
  • [DEVELOPER] MCM restart happens properly in integration tests now. This fix will get activated, once this version is vendored in your mcm-provider by @sssash18 [gardener/machine-controller-manager#879]

🏃 Others

  • [DEVELOPER] Bump k8s.io/* deps to v0.28.2 by @afritzler [gardener/machine-controller-manager#858]
  • [DEVELOPER] go-git now removed from dependencies due to CVEs. by @elankath [gardener/machine-controller-manager#896]
  • [OPERATOR] fixed IT for seed with k8s >= 1.27 as control cluster by @piyuagr [gardener/machine-controller-manager#869]
  • [OPERATOR] Architecture field added in the nodetemplate. This will allow CA to pickup architecture from machine class and schedule pods on relevant arch nodes. by @sssash18 [gardener/machine-controller-manager#894]
  • [OPERATOR] machine controller won't reconcile machine on non-spec update events by @himanshu-kun [gardener/machine-controller-manager#877]

📖 Documentation

  • [DEVELOPER] Phase transition diagram for a machine object is added to FAQs by @himanshu-kun [gardener/machine-controller-manager#886]

[gardener/gardener-extension-provider-azure]

✨ New Features​

  • [OPERATOR] Updated the default storage account SKU from StandardLRS to StandardZRS to enhance data durability and availability. by @seshachalam-yv [#790]

🐛 Bug Fixes

  • [DEVELOPER] source- prefix of BackupEntry name is being ignored when performing entry deletion by @Kostov6 [#805]

🏃 Others

  • [OPERATOR] fix an issue where an empty infrastructure state would cause issues when picking the proper reconciler. by @kon-angelo [#787]
  • [OPERATOR] Fix an issue where backupentry secrets would not be deleted due to incorrect credential format error. by @kon-angelo [#795]

[gardener/machine-controller-manager-provider-azure]

🏃 Others

  • [OPERATOR] Fixed handling for data disk in ToBeDetached=true state during vm deletion by @unmarshall [gardener/machine-controller-manager-provider-azure#132]
  • [OPERATOR] Fixed the gap where VM marketplace images with no plans were not handled properly. Now one can start VMs having marketplace image with no plan. by @unmarshall [gardener/machine-controller-manager-provider-azure#134]
  • [USER] Fixed recording of erroneous metrics for driver and API requests by @unmarshall [gardener/machine-controller-manager-provider-azure#130]
  • [USER] Uses new Azure SDK as the older go-autorest is out of support.
    Adds 2 new metrics which compute driver API call duration and Azure API call duration for all successful API calls.
    Recently introduced Azure fakes are used extensively for unit tests.
    Driver.GetMachineStatus now only gets the status from the Machine and not from associated NIC(s).
    Deletion of a machine now cascade deletes NIC(s) and Disk(s) (OSDisk and DataDisk(s)) as well. Previously it was a 2 step process of detach followed by a delete.
    In the API following have been marked as deprecated:
    • Constants: [api.AzureClientID, api.AzureClientSecret, api.AzureSubscriptionID, api.AzureTenantID, api.AzureAlternativeClientID, api.AzureAlternativeClientSecret, api.AzureAlternativeSubscriptionID, api.AzureAlternativeTenantID, api.MachineSetKindVMO and api.MachineSetKindAvailabilitySet]
    • AzureVirtualMachineProperties.MachineSet has been marked as deprecated by @unmarshall [gardener/machine-controller-manager-provider-azure#105]
  • [USER] Updated the following dependencies:​

    • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 [v5.3.0-beta.2 to v5.3.0]
    • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/marketplaceordering/armmarketplaceordering [v1.2.0-beta.3 to v1.2.0]
    • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v4 [v4.3.0-beta.1 to v4.3.0]
    • github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources [v1.2.0-beta.3 to v1.2.0] by @unmarshall [gardener/machine-controller-manager-provider-azure#117]

[gardener/terraformer]

🏃 Others

  • [OPERATOR] Update go -> v1.21.5 by @kon-angelo [gardener/terraformer#146]
  • [OPERATOR] Update alpine -> v1.29.0 by @kon-angelo [gardener/terraformer#146]

Docker Images​

  • gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.42.0
  • gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.42.0
Update gardener-controlplane to 1.91.0

[gardener/gardener]

⚠️ Breaking Changes​

  • [USER] Deprecated .spec.kubernetes.allowPrivilegedContainers field in the Shoot API is now removed. by @shafeeqes [#9274]
  • [USER] The .status.advertisedAddresses[] list in a Shoot's status now includes the Shoot's service account issuer under the name service-account-issuer. Please revisit any logic that might depend on all advertised addresses being used for communication with the kube-apiserver of a shoot cluster. by @dimityrmirchev [#9196]
  • [OPERATOR] The ShootForceDeletion feature gate has been promoted to beta and is turned on by default. by @acumino [#9325]

✨ New Features​

  • [DEVELOPER] The {garden,seed,shoot}-care controllers now incorporate ManagedResources into all relevant conditions, and it is possible to override the condition type into which a ManagedResource's status gets incorporated via the care.gardener.cloud/condition-type label. Please consult the respective documentation for more information (garden-care, seed-care, shoot-care). by @rfranzke [#9313]
  • [OPERATOR] The gardenlet now synchronizes the service account public keys of shoot clusters that have managed issuer enabled. The public keys are stored in a dedicated gardener-system-shoot-issuer namespace in the Garden cluster. by @dimityrmirchev [#9354]
  • [OPERATOR] gardener-resource-manager now considers the health and the progressing status for Certificate and Issuer resources (see cert-management) managed via ManagedResources. by @timuthy [#9326]
  • [OPERATOR] The Shoot maintenance controller now removes unsupported feature gates and admission plugins from the Shoot during force upgrades. by @shafeeqes [#9365]
  • [OPERATOR] gardener-operator now deploys two Alertmanager replicas into the garden namespace. They don't come with any configuration by default. It is in the responsibility of the human operators to create monitoring.coreos.com/v1alpha1.AlertmanagerConfig resources with the proper configuration suitable for their needs. Read more about it here. by @rfranzke [#9301]
  • [OPERATOR] The ControlPlaneHealthy condition in Shoots now reports an issue when {kube,machine}-controller-manager or cluster-autoscaler are scaled down to 0 replicas. The EveryNodeReady condition in Shoots now reports an issue when at least 20% of the Leases related to nodes in the kube-node-lease namespace are expired. by @rfranzke [#9376]

🐛 Bug Fixes

  • [DEVELOPER] Function NewClientFromBytes in package pkg/client/kubernetes/client.go was fixed to consider AllowedUserFields. Earlier, it failed when creating a Kubernetes client with special but allowed fields in the Kubeconfig (e.g. auth-provider). by @timuthy [#9333]

🏃 Others

  • [OPERATOR] Update CoreDNS to v1.11.1. by @DockToFuture [#8945]
  • [OPERATOR] The gardener operator documentation now closely resembles the reality of the coding. by @ScheererJ [#9342]
  • [OPERATOR] The istio ingress gateway orphan namespace detection no longer interferes with the istio ingress gateway zone migration in case the target zone names are unknown and there is no active usage. by @ScheererJ [#9460]
  • [OPERATOR] The ingress domain of kube-apiserver should work again for single-zonal shoot control planes. by @ScheererJ [#9393]
  • [OPERATOR] There is a new plutono dashboard named Container Images that currently contains 2 panels for image pull durations. by @ialidzhikov [#9422]
  • [OPERATOR] Port 8132 of istio ingress gateway will respond to all ordinary http requests with a redirect (301) to the https port by @ScheererJ [#9332]
  • [OPERATOR] The operating system config reconciler of the gardener-node-agent now creates directories with 0755 permissions when it creates files listed in the corresponding OperatingSystemConfig on the node. Previously these directories were created with no permissions. by @plkokanov [#9443]
  • [OPERATOR] Seed clusters with a wildcard certificate no longer use Ingress resources to expose kube-apiserver. Instead, Istio resources are directly used now. by @ScheererJ [#9300]
  • [OPERATOR] Shoot clusters should stay accessible after istio ingress gateway migration via annotation alpha.istio-ingress.gardener.cloud/migrate-to was triggered. by @ScheererJ [#9423]
  • [OPERATOR] Operators can create duplicate istio ingress gateways for migration if the zone names should be changed in the seed specification by @ScheererJ [#9304]
  • [DEVELOPER] Now the observability applications which are also targets of the authentication & authorization proxies share common label. by @nickytd [#9385]
  • [DEVELOPER] Local dev setup can now deploy a cluster with volume resize support. by @dnaeon [#9363]

Docker Images​

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.91.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.91.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.91.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.91.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.91.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.91.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.91.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.91.0
Update gardenlet to 1.91.0

[gardener/gardener]

⚠️ Breaking Changes​

  • [USER] Deprecated .spec.kubernetes.allowPrivilegedContainers field in the Shoot API is now removed. by @shafeeqes [#9274]
  • [USER] The .status.advertisedAddresses[] list in a Shoot's status now includes the Shoot's service account issuer under the name service-account-issuer. Please revisit any logic that might depend on all advertised addresses being used for communication with the kube-apiserver of a shoot cluster. by @dimityrmirchev [#9196]
  • [OPERATOR] The ShootForceDeletion feature gate has been promoted to beta and is turned on by default. by @acumino [#9325]

✨ New Features​

  • [DEVELOPER] The {garden,seed,shoot}-care controllers now incorporate ManagedResources into all relevant conditions, and it is possible to override the condition type into which a ManagedResource's status gets incorporated via the care.gardener.cloud/condition-type label. Please consult the respective documentation for more information (garden-care, seed-care, shoot-care). by @rfranzke [#9313]
  • [OPERATOR] The gardenlet now synchronizes the service account public keys of shoot clusters that have managed issuer enabled. The public keys are stored in a dedicated gardener-system-shoot-issuer namespace in the Garden cluster. by @dimityrmirchev [#9354]
  • [OPERATOR] gardener-resource-manager now considers the health and the progressing status for Certificate and Issuer resources (see cert-management) managed via ManagedResources. by @timuthy [#9326]
  • [OPERATOR] The Shoot maintenance controller now removes unsupported feature gates and admission plugins from the Shoot during force upgrades. by @shafeeqes [#9365]
  • [OPERATOR] gardener-operator now deploys two Alertmanager replicas into the garden namespace. They don't come with any configuration by default. It is in the responsibility of the human operators to create monitoring.coreos.com/v1alpha1.AlertmanagerConfig resources with the proper configuration suitable for their needs. Read more about it here. by @rfranzke [#9301]
  • [OPERATOR] The ControlPlaneHealthy condition in Shoots now reports an issue when {kube,machine}-controller-manager or cluster-autoscaler are scaled down to 0 replicas. The EveryNodeReady condition in Shoots now reports an issue when at least 20% of the Leases related to nodes in the kube-node-lease namespace are expired. by @rfranzke [#9376]

🐛 Bug Fixes

  • [DEVELOPER] Function NewClientFromBytes in package pkg/client/kubernetes/client.go was fixed to consider AllowedUserFields. Earlier, it failed when creating a Kubernetes client with special but allowed fields in the Kubeconfig (e.g. auth-provider). by @timuthy [#9333]

🏃 Others

  • [OPERATOR] Update CoreDNS to v1.11.1. by @DockToFuture [#8945]
  • [OPERATOR] The gardener operator documentation now closely resembles the reality of the coding. by @ScheererJ [#9342]
  • [OPERATOR] The istio ingress gateway orphan namespace detection no longer interferes with the istio ingress gateway zone migration in case the target zone names are unknown and there is no active usage. by @ScheererJ [#9460]
  • [OPERATOR] The ingress domain of kube-apiserver should work again for single-zonal shoot control planes. by @ScheererJ [#9393]
  • [OPERATOR] There is a new plutono dashboard named Container Images that currently contains 2 panels for image pull durations. by @ialidzhikov [#9422]
  • [OPERATOR] Port 8132 of istio ingress gateway will respond to all ordinary http requests with a redirect (301) to the https port by @ScheererJ [#9332]
  • [OPERATOR] The operating system config reconciler of the gardener-node-agent now creates directories with 0755 permissions when it creates files listed in the corresponding OperatingSystemConfig on the node. Previously these directories were created with no permissions. by @plkokanov [#9443]
  • [OPERATOR] Seed clusters with a wildcard certificate no longer use Ingress resources to expose kube-apiserver. Instead, Istio resources are directly used now. by @ScheererJ [#9300]
  • [OPERATOR] Shoot clusters should stay accessible after istio ingress gateway migration via annotation alpha.istio-ingress.gardener.cloud/migrate-to was triggered. by @ScheererJ [#9423]
  • [OPERATOR] Operators can create duplicate istio ingress gateways for migration if the zone names should be changed in the seed specification by @ScheererJ [#9304]
  • [DEVELOPER] Now the observability applications which are also targets of the authentication & authorization proxies share common label. by @nickytd [#9385]
  • [DEVELOPER] Local dev setup can now deploy a cluster with volume resize support. by @dnaeon [#9363]

Docker Images​

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.91.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.91.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.91.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.91.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.91.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.91.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.91.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.91.0
Update cert-management to 0.13.0

[gardener/cert-management]

✨ New Features​

  • [USER] The algorithm and size for the private key can now be specified in the certificate spec section to override the default algorithm RSA with key size 2048.
    Supported algorithms are RSA and ECDSA. For RSA the allowed key sizes are 2048, 3072, and 4096 with 2048 as default if not specified explicitly. For ECDSA the allowed key sizes are 256 and 384 with 256 as default.
    These algorithms and key sizes are supported by Let's Encrypt. For other ACME servers please check their documentation for information about supported combinations. by @MartinWeindel [#168]

Docker Images​

  • cert-management: europe-docker.pkg.dev/gardener-project/releases/cert-controller-manager:v0.13.0
Update shoot-cert-service to 1.42.0

[gardener/gardener-extension-shoot-cert-service]

⚠️ Breaking Changes​

  • [OPERATOR] extension-shoot-cert-service no longer supports Shoots with Kubernetes version == 1.24. by @shafeeqes [#223]

🏃 Others

  • [OPERATOR] Bumps github.com/gardener/gardener from 1.90.0 to 1.91.0. by @dependabot[bot] [#244]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.89.0 to 1.90.0. by @dependabot[bot] [#238]

[gardener/cert-management]

✨ New Features​

  • [USER] The algorithm and size for the private key can now be specified in the certificate spec section to override the default algorithm RSA with key size 2048.
    Supported algorithms are RSA and ECDSA. For RSA the allowed key sizes are 2048, 3072, and 4096 with 2048 as default if not specified explicitly. For ECDSA the allowed key sizes are 256 and 384 with 256 as default.
    These algorithms and key sizes are supported by Let's Encrypt. For other ACME servers please check their documentation for information about supported combinations. by @MartinWeindel [gardener/cert-management#168]

Docker Images​

  • gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.42.0
Update provider-hcloud to 0.6.25

[gardener-extension-provider-hcloud] v0.6.25

Update provider-hcloud to 0.6.26

[gardener-extension-provider-hcloud] v0.6.26

Update provider-hcloud to 0.6.27

[gardener-extension-provider-hcloud] v0.6.27