gardener-controlplane-1.76.3

[gardener/hvpa-controller]

🐛 Bug Fixes

• [OPERATOR] Fixed a bug that caused HVPA reconciliation to fail with expected pointer, but got v2beta1.MetricSpec type when the HPA spec had changed. by @voelzmo [gardener/hvpa-controller#125]

[gardener/gardener]

🏃 Others

• [OPERATOR] A bug preventing prometheus ingress to use wildcard-certificate is fixed. by @gardener-ci-robot [#8320]

gardener-controlplane-1.76.2

[gardener/gardener]

🐛 Bug Fixes

• [USER] An issue has been fixed for highly-available Shoots whose etcd clusters didn't get ready in the Completing phase of a CA credentials rotation. by @gardener-ci-robot [#8306]

🏃 Others

• [OPERATOR] A bug preventing plutono ingress to use wildcard-certificate is fixed. by @gardener-ci-robot [#8318]
• [OPERATOR] gardenlet: A regression preventing the alertmanager in the garden namespace from sending email notifications is now fixed. by @gardener-ci-robot [#8314]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.76.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.76.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.76.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.76.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.76.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.76.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.76.2

gardener-controlplane-1.76.1

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] gardenlet: A regression causing metering related recording rules for the aggregate-prometheus not to be applied is now fixed. by @gardener-ci-robot [#8286]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.76.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.76.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.76.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.76.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.76.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.76.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.76.1

gardener-controlplane-1.76.0

[gardener/gardener]

⚠️ Breaking Changes

• [OPERATOR] Removed service.beta.kubernetes.io/aws-load-balancer-type: nlb annotation from istio-ingressgateway service template. Set this annotation in seed configuration. Note: Changing load balancer type creates a new one, old one requires manual clean-up. by @axel7born [#8214]
• [OPERATOR] When deploying this version of gardener-operator, make sure that you update your Garden resources with the new .spec.virtualCluster.gardener.clusterIdentity field. If you already have a gardener-apiserver deployment, make sure that the value matches the --cluster-identity flag of the current gardener-apiserver deployment. by @rfranzke [#8234]
• [OPERATOR] gardener-operator no longer reports the Reconciled condition. Instead, it now reports the progress in .status.lastOperation, similar to how it's done for Shoots. by @rfranzke [#8238]
• [OPERATOR] ⚠️ The deprecated field .spec.settings.ownerChecks has been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @dimitar-kostadinov [#8109]
• [DEVELOPER] So far the github.com/gardener/gardener/pkg/utils/managedresources.{NewForShoot,CreateForShoot} funcs were ignoring the passed origin func parameter and were always using gardener as value. These funcs will now respect and use the passed origin value. by @ialidzhikov [#8260]
• [DEVELOPER] A new field errorCodeCheckFunc is introduced in the generic Worker actuator. This should be set to parse the Gardener error codes from the error returned in Worker reconciliation. by @acumino [#8242]

✨ New Features

• [OPERATOR] Add Care reconciler to Garden controller in gardener-operator. by @oliver-goetz [#8158]
• [OPERATOR] Shoots allow to optionally configure a specific scheduler via .spec.schedulerName. The default-scheduler is used in case non is configured. Please note, that Shoots will remain Pending in case a scheduler name is configured but an adequate scheduler is not available in the landscape. by @timuthy [#8261]

🐛 Bug Fixes

• [USER] An issue has been fixed which caused CoreDNS to not rewrite CNAME values in DNS answers. by @axel7born [#8231]
• [DEVELOPER] A bug in the local development environment has been fixed which prevented admission of Gardener resources by extension webhooks. by @vpnachev [#8239]
• [OPERATOR] The obsolete addons ManagedResource is now properly cleaned up. by @shafeeqes [#8233]
• [OPERATOR] Now the vali ingress definition points to the shoot logging service. by @nickytd [#8252]

🏃 Others

• [OPERATOR] Stability of the ssh tunnel in the local extension setup should improve due to better failure handling. by @ScheererJ [#8236]
• [OPERATOR] Following dependency has been updated:-
  • github.com/gardener/etcd-druid v0.18.1 -> v0.18.4 by @acumino [#8228]
• [USER] It is now possible to enable disabled APIs for workerless shoot clusters via spec.kubernetes.kubeAPIServer.runtimeConfig. by @timuthy [#8258]

[gardener/dependency-watchdog]

🏃 Others

• [DEVELOPER] update client-go version and exclude the old one in go.mod by @acumino [gardener/dependency-watchdog#90]

gardener-controlplane-1.75.2

[gardener/gardener]

🐛 Bug Fixes

• [USER] An issue has been fixed for highly-available Shoots whose etcd clusters didn't get ready in the Completing phase of a CA credentials rotation. by @gardener-ci-robot [#8305]

🏃 Others

• [OPERATOR] gardenlet: A regression preventing the alertmanager in the garden namespace from sending email notifications is now fixed. by @gardener-ci-robot [#8315]

[gardener/hvpa-controller]

🐛 Bug Fixes

• [OPERATOR] Fixed a bug that caused HVPA reconciliation to fail with expected pointer, but got v2beta1.MetricSpec type when the HPA spec had changed. by @voelzmo [gardener/hvpa-controller#125]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.75.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.75.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.75.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.75.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.75.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.75.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.75.2

gardener-controlplane-1.75.1

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] The obsolete addons ManagedResource is now properly cleaned up. by @gardener-ci-robot [#8255]
• [OPERATOR] Now the vali ingress definition points to the shoot logging service. by @vpnachev [#8254]

gardener-controlplane-1.75.0

[gardener/gardener]

⚠️ Breaking Changes

• [DEVELOPER] Added new option to ./hack/generate-controller-registration.sh script [-e, --pod-security-enforce[=pod-security-standard] which sets the security.gardener.cloud/pod-security-enforce annotation of the generated ControllerRegistration. When not set this option defaults to baseline. by @AleksandarSavchev [#8099]
• [DEVELOPER] Shoot fields .spec.dns.providers[].domains and .spec.dns.providers[].zones are now deprecated and expected to be removed in version v1.87. Please plan ahead to drop using those fields in extensions. by @timuthy [#8199]
• [DEVELOPER] Usage of the deprecated injection mechanisms in controller-runtime (like InjectScheme, InjectLogger, InjectConfig, InjectClient, InjectCache etc) as well as package extensions/pkg/controller/common are dropped in a preparation to upgrade to the next version where injection is removed entirely. With this, Inject* functions on controllers, predicates, actuators, delegates, and friends are not called anymore. When upgrading the gardener/gardener dependency to this version, all injection implementations need to be removed. As a replacement, you can get the needed clients and similar from the manager during initialisation of the component. by @ary1992 [#8217]
• [OPERATOR] gardener-operator is now managing the nginx-ingress-controller and nginx-ingress-k8s-backend components. Make sure that your Garden resource specifies the .spec.runtimeCluster.ingress section. by @StenlyTU [#7945]
• [OPERATOR] Support for nip.io shoot domains is discontinued. by @timuthy [#8199]
• [USER] Adding Gardener-managed finalizers (e.g., gardener or gardener.cloud/reference-protection) to the Shoot on creation is now forbidden. by @shafeeqes [#8209]
• [USER] Shoot fields .spec.dns.providers[].domains and .spec.dns.providers[].zones are now deprecated and expected to be removed in version v1.87. Please use the extensions' configuration to configure providers with this ability. by @timuthy [#8199]
• [DEPENDENCY] github.com/gardener/gardener/pkg/utils/gardener.ShootAccessSecret was renamed to AccessSecret. by @timebertt [#8204]

✨ New Features

• [OPERATOR] Added pod security enforce level baseline label to Istio-related namespaces. The garden and shoot namespaces have the privileged level. For extension namespaces, the new security.gardener.cloud/pod-security-standard-enforce annotation on ControllerRegistration resources specifies the level. When set, the extension namespace is created with pod-security.kubernetes.io/enforce label set to security.gardener.cloud/pod-security-standard-enforce's value. by @AleksandarSavchev [#8099]
• [USER] Gardener now allows to omit or to only partially define Kubernetes versions in Shoots. The version will automatically be defaulted to the latest minor and/or patch version found in the linked CloudProfile. by @timuthy [#8198]
• [USER] A new optional constraint CRDsWithProblematicConversionWebhooks is introduced in the Shoot status. This constraint indicates that there is at least one CRD in the cluster which has multiple stored versions and a conversion webhook configured, which could break the reconciliation flow of a Shoot in some cases. by @shafeeqes [#8159]
• [USER] It is now possible to reference Secrets containing kubeconfigs for admission plugins in Shoots. The referenced Secret must be referenced in.spec.resources as well as in .spec.kubernetes.kubeAPIServer.admissionPlugins[].kubeconfigSecretName. by @acumino [#8110]

🐛 Bug Fixes

• [OPERATOR] Fix network annotations to allow fluent-bit connecting to shoot Valis. by @vlvasilev [#8197]
• [OPERATOR] A bug causing the gardenlet to panic when a ETCD encryption key rotation operation is triggered for a hibernated Shoot is now fixed. Now, triggering ETCD encryption key rotation or ServiceAccount signing key rotation is forbidden when the Shoot is in waking up phase. by @shafeeqes [#8184]

🏃 Others

• [OPERATOR] nginx-ingress-controller image is updated to v1.8.1 for Kubernetesv1.24+ clusters. by @shafeeqes [#8205]
• [OPERATOR] The eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler image has been updated from v1.26.2 to v1.27.0 (for Kubernetes >= 1.27). by @rishabh-11 [#8187]
• [OPERATOR] The shoots/adminkubeconfig relies on the ca-client InternalSecret only and does not use the ShootState object anymore. by @timebertt [#8195]
• [OPERATOR] Update Prometheus job tunnel-probe-apiserver-proxy to fix for HA VPN mode by @Sallyan [#7954]
• [OPERATOR] Update vertical-pod-autoscaler to v0.14.0. by @voelzmo [#8166]
• [DEVELOPER] Go version is updated to 1.20.6. by @oliver-goetz [#8224]

[gardener/etcd-druid]

⚠️ Breaking Changes

• [OPERATOR] ⚠️ etcd.Status.ClusterSize, etcd.Status.ServiceName, etcd.Status.UpdatedReplicas have been marked as deprecated and users should refrain from depending on these fields. by @shreyas-s-rao [gardener/etcd-druid#637]

🐛 Bug Fixes

• [OPERATOR] AllMembersReady condition has now been fixed to eventually show the correct overall readiness of an etcd cluster. by @shreyas-s-rao [gardener/etcd-druid#637]

🏃 Others

• [OPERATOR] Print build version and go runtime info. by @shreyas-s-rao [gardener/etcd-druid#637]
• [DEVELOPER] Add CVE categorization for etcd-druid. by @shreyas-s-rao [gardener/etcd-druid#637]

[gardener/etcd-backup-restore]

🏃 Others

• [OPERATOR] Bump alpine base version for Docker build to 3.18.2. by @shreyas-s-rao [gardener/etcd-backup-restore#638]
• [DEVELOPER] Add CVE categorization for etcd-backup-restore. by @shreyas-s-rao [gardener/etcd-backup-restore#644]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.75.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.75.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.75.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.75.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.75.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.75.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.75.0

gardener-controlplane-1.74.3

[gardener/gardener]

🐛 Bug Fixes

• [USER] An issue has been fixed for highly-available Shoots whose etcd clusters didn't get ready in the Completing phase of a CA credentials rotation. by @gardener-ci-robot [#8304]

🏃 Others

• [OPERATOR] gardenlet: A regression preventing the alertmanager in the garden namespace from sending email notifications is now fixed. by @gardener-ci-robot [#8316]

[gardener/hvpa-controller]

🐛 Bug Fixes

• [OPERATOR] Fixed a bug that caused HVPA reconciliation to fail with expected pointer, but got v2beta1.MetricSpec type when the HPA spec had changed. by @voelzmo [gardener/hvpa-controller#125]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.74.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.74.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.74.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.74.3
operator: eu.gcr.io/gardener-project/gardener/operator:v1.74.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.74.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.74.3

gardener-controlplane-1.74.2

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] Now the vali ingress definition points to the shoot logging service. by @vpnachev [#8253]

gardener-controlplane-1.74.1

[gardener]

🐛 Bug Fixes

• [OPERATOR] Fix network annotations to allow fluent-bit connecting to shoot Valis. (gardener/gardener#8200, @gardener-ci-robot)