chore(deps): bump github.com/gardener/gardener/pkg/apis from 1.140.0 to 1.141.0

[dependabot]

Bumps github.com/gardener/gardener/pkg/apis from 1.140.0 to 1.141.0.

Release notes

Sourced from github.com/gardener/gardener/pkg/apis's releases.

v1.141.0

[github.com/gardener/gardener:v1.141.0]

⚠️ Breaking Changes

• [OPERATOR] The NewWorkerPoolHash feature gate has been promoted to GA and can no longer be disabled. by @​timuthy [#14531]
• [OPERATOR] ⚠️ Gardener does no longer support Garden, Seed, or Shoot clusters with Kubernetes versions <= 1.30. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @​timuthy [#14501]
• [USER] Newly created Shoots now have a set period of 28d for etcd encryption key rotation. by @​AleksandarSavchev [#14034]
• [DEVELOPER] make gardenadm-up SCENARIO=connect now deploys the Gardener (gardener-operator and Garden resource) directly into the self-hosted shoot. Previously, it was deploying them next to the machine pods of the self-hosted shoot in the kind cluster. Use make gardenadm-up SCENARIO=connect-kind for the out-of-self-hosted-shoot deployment mode. by @​rfranzke [#14387]
• [DEPENDENCY] The obsolete Provider field was removed from the extensionswebhook.Webhook struct. The field can be removed without substitution. by @​timuthy [#14460]

📰 Noteworthy

• [OPERATOR] The gardener-resource-manager HA config webhook now uses ScheduleAnyway instead of DoNotSchedule for the hostname topology spread constraint when there is at most one node in the cluster. A new node-high-availability-config controller re-triggers the webhook when the node count crosses this threshold. by @​rfranzke [#14595]
• [OPERATOR] machine-controller-manager's RBAC permissions for the source cluster have been reduced to follow the principle of least privilege. by @​dimityrmirchev [#14372]
• [DEVELOPER] Added panic recovery to flow.Task to prevent a single task failure from crashing the entire controller. If you previously implemented custom panic recovery within your tasks, you can consider removing that custom panic recovery. by @​dergeberl [#14606]
• [DEVELOPER] The local setup now includes a cloud-controller-manager-local, which is deployed for kind clusters (in the kube-system namespace) and for shoot clusters (in the control plane namespace). The cloud-controller-manager implements Services of type LoadBalancer by creating dedicated Docker containers listening on external IPs (automatically added to the host's loopback interface on kind cluster creation). This replaces previous hacks for implementing load balancers in provider-local and supports load balancers in shoot clusters for the first time. by @​timebertt [#14415]
• [DEPENDENCY] Extension charts deployed on self-hosted shoot clusters may not receive .Values.gardener.seed when the shoot has not yet been promoted to a Seed. Charts should guard Seed-dependent values with {{ if .Values.gardener.seed }}. by @​rfranzke [#14395]
• [DEPENDENCY] A new helper function BuildExtensionTypeNamespaceSelector has been introduced. It builds proper namespaces selectors for extension webhooks, based on the extension type and class attributes. by @​timuthy [#14460]

✨ New Features

• [OPERATOR] Added spec.runtimeCluster.settings.loadBalancerServices.proxyProtocol.allowed and spec.runtimeCluster.settings.loadBalancerServices.externalTrafficPolicy to the Garden resource. When Allowed set to true, gardener-operator configures the Istio ingress gateway to terminate PROXY protocol, enabling preservation of the original client IP address for load balancers that use PROXY protocol. The explicit nature of the setting allows a seamless migration while enforcing a good security posture. ExternalTrafficPolicy allows configuring the Gateway either as Cluster (default) or Local, similar to the Seed. by @​jamand [#14420]
• [OPERATOR] The gardener-node-agent now monitors the health of systemd units declared in the OperatingSystemConfig and reports a SystemdUnitsReady condition on the Node. Unhealthy units are surfaced on the Shoot via the EveryNodeReady condition. by @​rfranzke [#14496]
• [USER] The Shoot spec field spec.kubernetes.kubeAPIServer.encryptionConfig.provider.type now supports the aesgcm and secretbox encryption provider types. The field is immutable. by @​AleksandarSavchev [#14034]
• [USER] The Garden spec fields spec.virtualCluster.kubernetes.kubeAPIServer.encryptionConfig.provider.typeand spec.virtualCluster.gardener.gardenerAPIServer.encryptionConfig.provider.type now support the aesgcm and secretbox encryption provider types. The fields are immutable. by @​AleksandarSavchev [#14034]

🐛 Bug Fixes

• [OPERATOR] The garbage collection logic now also deletes pods that are stuck due to preemption by the kubelet or scheduler. by @​rfranzke [#14519]
• [OPERATOR] The observability setup is deleted as late as possible so that, in case an error occurs during the deletion of any components, there is still enough information available to investigate the issue. by @​iypetrov [#14475]
• [OPERATOR] A bug was fixed where gardenadm init could fail due to a transient error while fetching the shoot-gardener-node-agent ManagedResource when the Kubernetes API server is temporarily unavailable due to static pod rollout. by @​ialidzhikov [#14601]
• [OPERATOR] A bug has been fixed that caused unintentional ShootState creations for Shoots running on managed seed clusters (those backed by ManagedSeed objects). The affected ShootState resources are automatically cleaned up by gardenlet during start-up. by @​plkokanov [#14666]
• [USER] Cluster-proportional autoscaling of coredns now works with Kubernetes >= 1.33 by @​ScheererJ [#14638]
• [DEPENDENCY] The golangci-lint makefile install recipe can be used in Gardener extensions again. by @​timebertt [#14555]

🏃 Others

• [OPERATOR] Gardener Discovery Server is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#14587]
• [OPERATOR] Alertmanager is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#14575]
• [OPERATOR] Vali is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#14567]
• [OPERATOR] OpenTelemetry Collector is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#14585]
• [OPERATOR] Use Info logging for admission denials instead of Error so that the full stack trace to every denial log entry does not get logged by @​DockToFuture [#14561]
• [OPERATOR] Apiserver-Proxy uses a dedicated network interface apiserver-proxy for its advertised IP address. Requests from nodes such as kubelet probes will use the proper IP as per the route table again. by @​domdom82 [#14440]
• [OPERATOR] Shoot advertised addresses are now configurable by extension components for Shoot VirtualService resources. by @​ScheererJ [#14534]
• [OPERATOR] During Shoot reconciliation MachineDeployments are now deployed in parallel. This should speed up the reconciliation of the Worker resource. by @​plkokanov [#14220]
• [OPERATOR] Resource limits have been removed for node-problem-detector by @​domdom82 [#14450]
• [OPERATOR] Prometheus is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#14573]
• [OPERATOR] Additional per nodegroup metrics can be exposed by cluster-autoscaler via the field .spec.kubernetes.clusterAutoscaler.emitPerNodeGroupMetrics in the Shoot API . by @​aaronfern [#14557]
• [OPERATOR] Gardener Dashboard is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#14586]
• [OPERATOR] Patch is now used to label all Machines with force-deletion: True instead of Update when the Shoot is being hibernated or deleted. Additionally, the function used to do this during the reconciliation of the Worker resource is now only executed once instead of for each MachineDeployment. by @​plkokanov [#14220]
• [OPERATOR] The gardenadm init flow now determines Pod network availability by checking the Node's NetworkUnavailable condition instead of the shoot-core-coredns ManagedResource health. This is a prerequisite improvement for the control plane Node restoration feature. by @​ialidzhikov [#14523]
• [OPERATOR] The following dependencies have been updated:
  • gardener/etcd-druid from v0.36.2 to v0.36.3. Release Notes
  • github.com/gardener/etcd-druid/api from v0.36.2 to v0.36.3. by @​Shreyas-s14 [#14661]

... (truncated)

Commits

• d3824a3 release v1.141.0
• 9dc3f80 Fix TM kubernetes update test when upgrading from 1.34 to 1.35 (#14656)
• ed65cf6 Fix logging testmachinery tests after istio-native exposure (#14673)
• 03f3cfd [release-v1.141] Automated cherry pick of #14651: 🐛 [gardenlet] Prevent undes...
• d5f572f bump etcd-druid version to 0.36.3 (#14661)
• 86187e7 Update module github.com/gardener/cert-management to v0.22.0 (#14402)
• b1309c2 Fix istio-native opentelemetry-collector exposure. (#14640)
• 25cf834 Add support for the aesgcm and secretbox encryption provider types for `S...
• d1e165b Fix cluster-proportional autoscaling of coredns in Kubernetes >= 1.33 (#14638)
• 6fdfe8c Update DinD to v29 in the remote local setup (#14644)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[gardener-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dnaeon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dependabot]

Superseded by #358.