gardener-controlplane-1.78.1

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] A bug has been fixed which was causing the garbage collector in gardener-resource-manager to wrongfully collect Secrets related to ManagedResources when the source and the target cluster are equal. by @gardener-ci-robot [#8403]

gardener-controlplane-1.78.0

[gardener/gardener]

⚠️ Breaking Changes

• [DEVELOPER] The following mapper funcs from the extension library no longer accept a context.Context arg - ClusterToContainerResourceMapper, ClusterToControlPlaneMapper, ClusterToDNSRecordMapper, ClusterToExtensionMapper, ClusterToInfrastructureMapper, ClusterToNetworkMapper, ClusterToWorkerMapper and ClusterToObjectMapper. The context.Context arg was redundant and not used. by @acumino [#8321]
• [USER] Deprecated annotation alpha.featuregates.shoot.gardener.cloud/node-local-dns is removed. Use field .spec.systemComponents.nodeLocalDNS.enabled in Shoot instead. Switching on node-local-dns via shoot specification will roll the nodes even if node-local-dns was enabled beforehand via annotation. by @acumino [#8364]
• [USER] Deprecated annotation alpha.featuregates.shoot.gardener.cloud/node-local-dns-force-tcp-to-{cluster-dns, upstream-dns} is removed. Use field .spec.systemComponents.nodeLocalDNS.{forceTCPToClusterDNS, forceTCPToUpstreamDNS} in Shoot instead. by @acumino [#8364]

✨ New Features

• [OPERATOR] kubectl get garden now features additional printer column Observability providing information about the Observability components of the runtime cluster. by @gardener-ci-robot [#8384]
• [OPERATOR] It is possible now to trigger a seed reconciliation by annotating the Seed with gardener.cloud/operation=reconcile. by @shafeeqes [#8347]
• [OPERATOR] Status of garden now includes the ObservabilityComponentsHealthy condition which show the health of observability components in the garden runtime-cluster. by @oliver-goetz [#8346]

🐛 Bug Fixes

• [OPERATOR] operator now deletes ManagedResources deployed to the virtual-garden before deleting virtual-garden-kube-apiserver. by @oliver-goetz [#8368]
• [OPERATOR] A bug is fixed that prevented scraping the metrics of etcd in the shoot control plane. by @istvanballok [#8371]
• [OPERATOR] A bug is fixed that rendered the "CPU usage" panel of the "VPN" Plutono dashboard blank. by @gardener-ci-robot [#8392]
• [OPERATOR] A bug is fixed in the Prometheus alert definitions that caused false positive KubePodNotReadyControlPlane alerts related to the etcd compaction job. by @rickardsjp [#8361]

🏃 Others

• [OPERATOR] Shoot node network and seed pod network need to be disjoint. This will be checked during scheduling of a shoot cluster, i.e. during initial admission or on control-plane migration. by @ScheererJ [#8353]
• [OPERATOR] Prometheus scrape job configs for targets in the shoot cluster have been improved. by @rickardsjp [#8360]
• [OPERATOR] The following images are updated:
  • registry.k8s.io/metrics-server/metrics-server: v0.6.3 -> v0.6.4
  • registry.k8s.io/cpa/cluster-proportional-autoscaler: v1.8.8 -> v1.8.9
  • registry.k8s.io/coredns/coredns: v1.10.0 -> v1.10.1
  • quay.io/prometheus/blackbox-exporter: v0.23.0 -> v0.24.0
  • quay.io/prometheus/node-exporter: v1.5.0 -> v1.6.1
  • ghcr.io/credativ/plutono: v7.5.22 -> v7.5.23
  • ghcr.io/prometheus-operator/prometheus-config-reloader: v0.61.1 -> v0.67.1
  • registry.k8s.io/dns/k8s-dns-node-cache: 1.22.20 -> 1.22.23 by @ialidzhikov [#8324]
• [OPERATOR] The following images are updated:
  • registry.k8s.io/kube-state-metrics/kube-state-metrics: v2.5.0 -> v2.8.2 by @gardener-ci-robot [#8391]
• [OPERATOR] gardener-operator now takes over management of plutono. by @acumino [#8301]
• [OPERATOR] kubectl proxy now works as expected in the local development setup in conjunction with highly available vpn by @ScheererJ [#8370]
• [DEPENDENCY] Backupbucket/backupentry controllers: watch secret metadata only by @MartinWeindel [#8348]
• [DEVELOPER] Test-machinery integration tests are now using upstream K8s e2e test images such as registry.k8s.io/e2e-test-images/busybox, registry.k8s.io/e2e-test-images/agnhost instead Gardener images such as eu.gcr.io/gardener-project/3rd/busybox, eu.gcr.io/gardener-project/3rd/alpine and others. by @ialidzhikov [#8341]

[gardener/etcd-druid]

🏃 Others

• [OPERATOR] Upgrade gardener/gardener from 1.65.0 to 1.76.0 by @acumino [gardener/etcd-druid#657]
• [OPERATOR] All default images are now present in images.yaml by @aaronfern [gardener/etcd-druid#673]

[gardener/dependency-watchdog]

🏃 Others

• [OPERATOR] Bump g/g version to remove stale client-go dependency by @rishabh-11 [gardener/dependency-watchdog#92]

[gardener/hvpa-controller]

🏃 Others

• [OPERATOR] Updated go to 1.20.7 by @voelzmo [gardener/hvpa-controller#126]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.78.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.78.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.78.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.78.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.78.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.78.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.78.0

gardener-controlplane-1.77.6

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] An issue causing several tasks from the Shoot reconciliation flow to fail with transient errors of type duplicate filename in registry is now fixed. by @gardener-ci-robot [#8557]

gardener-controlplane-1.77.5

[gardener/gardener]

🏃 Others

• [OPERATOR] extension library: State update for a Worker object can be now skipped by annotating it with worker.gardener.cloud/skip-state-update=true. by @gardener-ci-robot [#8494]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.77.5
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.77.5
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.77.5
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.77.5
operator: eu.gcr.io/gardener-project/gardener/operator:v1.77.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.77.5
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.77.5

gardener-controlplane-1.77.4

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] A bug has been fixed that prevented ControllerInstallations from getting deleted when the backing ControllerRegistration with .spec.deployment.policy={Always,AlwaysExceptNoShoots} was deleted. by @rfranzke [#8455]
• [OPERATOR] Several default settings of Kubernetes feature gates have been corrected. by @gardener-ci-robot [#8471]

gardener-controlplane-1.77.3

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] Update Kubernetes dependencies (especially k8s.io/client-go) from v0.26.3 to v0.26.4 to resolve panic on working with special shoots. by @gardener-ci-robot [#8424]
• [OPERATOR] An issue has been fixed which was causing a broken ControlPlaneHealthy condition report for Shoots when the MachineControllerManagerDeployment feature gate gets enabled until their next reconciliation. by @gardener-ci-robot [#8410]

gardener-controlplane-1.77.2

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] A bug has been fixed which was causing the garbage collector in gardener-resource-manager to wrongfully collect Secrets related to ManagedResources when the source and the target cluster are equal. by @gardener-ci-robot [#8404]

gardener-controlplane-1.77.1

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] A bug is fixed that prevented scraping the metrics of etcd in the shoot control plane. by @gardener-ci-robot [#8372]

gardener-controlplane-1.77.0

[gardener/etcd-backup-restore]

📰 Noteworthy

• [OPERATOR] Etcd-backup-restore now uses a distroless image as its base image. It is no longer compatible with etcd-custom-image, and must be used with etcd-wrapper instead. by @aaronfern [gardener/etcd-backup-restore#637]
• [OPERATOR] Etcd-backup-restore now uses the user home directory to create files. by @aaronfern [gardener/etcd-backup-restore#637]

🏃 Others

• [OPERATOR] While scaling up a non-HA etcd cluster to HA skipping the scale-up checks for first member of etcd cluster as first member can never be a part of scale-up scenarios. by @ishan16696 [gardener/etcd-backup-restore#649]
• [OPERATOR] Backup-restore waits for its etcd to be ready before attempting to update peerUrl by @aaronfern [gardener/etcd-backup-restore#628]
• [DEVELOPER] Add CVE categorization for etcd-backup-restore. by @shreyas-s-rao [gardener/etcd-backup-restore#644]

[gardener/gardener]

⚠️ Breaking Changes

• [DEVELOPER] If you are using provider-extension setup you should adapt your files in example/provider-extensions/garden/controlplane because default-domain and internal-domain secrets are removed from gardener-controlplane Helm chart. by @oliver-goetz [#8308]
• [DEVELOPER] Package pkg/utils/managedresources now works with immutable secrets for managed resources under the hood. Existing secrets will be marked for garbage collection and replaced with immutable ones during the first reconciliation of the managed resource. by @dimityrmirchev [#8116]
• [DEVELOPER] The Secrets type as well as the Delete functions for secrets were removed from pkg/utils/managedresources/builder since their usage was prone to errors. The higher level package pkg/utils/managedresources should be used instead. by @dimityrmirchev [#8116]
• [DEPENDENCY] hack/generate.sh has been renamed to hack/generate-sequential.sh. by @shafeeqes [#8289]
• [DEPENDENCY] The deprecated extensions/pkg/controller/worker.{Options,ApplyMachineResources{ForConfig}} symbols have been dropped since gardenlet takes over management of the machine.gardener.cloud/v1alpha1 API CRDs since gardener/[email protected]. by @rfranzke [#8280]
• [OPERATOR] The virtual-garden-kube-apiserver service (for the virtual-garden cluster) was switched from type LoadBalancer to ClusterIP. Please make sure to migrate all DNS records from the virtual-garden-kube-apiserver to the istio-ingressgateway endpoint before upgrading to this Gardener version. by @timuthy [#8302]
• [OPERATOR] gardenlet no longer reports the Bootstrapped condition on Seeds. Instead, it now reports the progress in .status.lastOperation, similar to how it's done for Shoots. by @rfranzke [#8290]
• [OPERATOR] default-domain, internal-domain, alerting and openvpn-diffie-hellman secrets are removed from gardener-controlplane Helm chart. Please ensure to update them in a different way before upgrading Gardener. If you would like to prevent Helm from deleting these secret during the upgrade, you could annotate them with "helm.sh/resource-policy": keep. by @oliver-goetz [#8308]

📰 Noteworthy

• [DEVELOPER] The charts/images.yaml file was moved to imagevector/images.yaml. by @rfranzke [#8250]
• [DEPENDENCY] pkg/utils/chart does now support embedded charts. The already deprecated methods in the ChartApplier and ChartRenderer will be removed in a few releases, so extensions should adapt to embedded charts. by @rfranzke [#8250]
• [OPERATOR] Gardenlet can now set feature gates for etcd-druid. They can be specified via the gardenlet configuration GardenletConfiguration.EtcdConfig.FeatureGates by @gardener-ci-robot [#8335]

✨ New Features

• [OPERATOR] The garbage collection controller now also considers managed resources when deciding if secrets/configmaps should be garbage collected. by @dimityrmirchev [#8116]
• [OPERATOR] Gardener Scheduler's Minimal Distance strategy can take scheduling decisions based on region distances configured by operators. This especially improves the allocation for shoots of providers regions for which the standard Levenshtein distance is inappropriate. Please see docs/concepts/scheduler.md for more information. by @timuthy [#8277]
• [OPERATOR] Operators can now view and manage dashboards for compaction jobs running in shoot control plane. by @abdasgupta [#8206]
• [OPERATOR] maintenance-controller now disables PodSecurityPolicy admission controller when forcefully upgrading the Kubernetes version of a Shoot to v1.25. It also ensures maximum workers of each for group is greater or equal to its number of zone for forceful upgrades to v1.27. by @oliver-goetz [#8281]
• [OPERATOR] kubectl get garden now features additional printer columns providing more information about the substantial configuration values and statuses. by @rfranzke [#8279]
• [OPERATOR] The gardener-apiserver now drops expired Kubernetes and MachineImage versions from Cloudprofiles during creation. by @shafeeqes [#8297]
• [OPERATOR] gardener-operator now takes over management of fluent-operator and vali. by @vlvasilev [#8240]
• [USER] Two additional labels worker.gardener.cloud/image-name and worker.gardener.cloud/image-version are attached to worker nodes to identify which operating system they are running. This can then be used in selectors that target only workers with a specific operating system and is helpful for e.g. driver deployment. by @MrBatschner [#8295]
• [USER] A new feature gate named ContainerdRegistryHostsDir is introduced to gardenlet. When enabled, the /etc/containerd/certs.d directory is created on the Node and containerd is configured to look up for registries/mirrors configuration in this directory (if there is any configuration applied). In future, the registry-cache extension will add such registries/mirrors configuration under this directory (via OperatingSystemConfig mutation). by @ialidzhikov [#8094]
• [USER] The Shoot maintenance controller now updates the CRI of worker pools from docker to containerd when force-upgrading from Kubernetes v1.22 to v1.23. by @oliver-goetz [#8272]
• [DEVELOPER] Extensions running on seed clusters can get access to the garden cluster by using the injected kubeconfig specified by the GARDEN_KUBECONFIG environment variable. You can read about the details in this doc. by @timebertt [#8264]

🐛 Bug Fixes

• [OPERATOR] When Shoots were updated from non high-availability to zone high-availability, it could happen that the control-plane was scheduled to two instead of three zones. This issue is relevant for cloud providers with an inconsistent zone naming (Azure is currently the only candidate to our knowledge).
  Existing shoots with the before mentioned problem must be fixed manually be operators if required. An automatic move of etcds and their volumes is not part of this fix due to availability reasons. by @gardener-ci-robot [#8345]
• [OPERATOR] gardenlet: A regression causing metering related recording rules for the aggregate-prometheus not to be applied is now fixed. by @istvanballok [#8284]
• [USER] An issue has been fixed for highly-available Shoots whose etcd clusters didn't get ready in the Completing phase of a CA credentials rotation. by @timuthy [#8303]

🏃 Others

• [OPERATOR] A bug preventing prometheus ingress to use wildcard-certificate is fixed. by @acumino [#8319]
• [OPERATOR] A bug preventing plutono ingress to use wildcard-certificate is fixed. by @acumino [#8317]
• [OPERATOR] gardenlet: A regression preventing the alertmanager in the garden namespace from sending email notifications is now fixed. by @istvanballok [#8310]
• [DEVELOPER] The github.com/golang/mock/gomock dependency is replaced by go.uber.org/mock. by @afritzler [#8269]
• [DEVELOPER] Add failure tolerance option to the CreateShoot test. by @hendrikKahl [#8298]

[gardener/etcd-druid]

⚠️ Breaking Changes

• [OPERATOR] ⚠️ etcd.Status.ClusterSize, etcd.Status.ServiceName, etcd.Status.UpdatedReplicas have been marked as deprecated and users should refrain from depending on these fields. by @unmarshall [gardener/etcd-druid#594]
• [OPERATOR] File ownership for var/etcd/data will be changed to non-root user (65532). by @aaronfern [gardener/etcd-druid#620]
• [OPERATOR] Etcd-druid will now deploy distroless etcd-wrapper and etcd-backup-restore images. Please refer to etcd-wrapper for more information. by @aaronfern [gardener/etcd-druid#620]
• [OPERATOR] Etcd-related secrets will now be mounted onto the /var/ directory instead of /root/. by @aaronfern [gardener/etcd-druid#620]
• [DEVELOPER] Developer Action Required: The make deploy command has been replaced with make deploy-via-kustomize. Please update your deployment workflows accordingly. by @seshachalam-yv [gardener/etcd-druid#599]

✨ New Features

• [DEVELOPER] Makefile has been updated to use Skaffold for deploying etcd-druid with the make deploy target, simplifying the deployment process and eliminating the need to push the image to the container registry for each local development testing. by @seshachalam-yv [gardener/etcd-druid#599]
• [OPERATOR] Feature gates have been introduced in etcd-druid, and can be specified using CLI flag --feature-gate. by @aaronfern [gardener/etcd-druid#646]
• [OPERATOR] Druid now exposes metrics related to snapshot compaction, on default port 8080. Please expose the desired metrics port via the etcd-druid service to allow metrics to be scraped by a Prometheus instance. by @abdasgupta [gardener/etcd-druid#569]
• `[OPE...

gardener-controlplane-1.76.4

[gardener/gardener]

🐛 Bug Fixes

• [OPERATOR] Update Kubernetes dependencies (especially k8s.io/client-go) from v0.26.3 to v0.26.4 to resolve panic on working with special shoots. by @gardener-ci-robot [#8425]
• [OPERATOR] An issue has been fixed which was causing a broken ControlPlaneHealthy condition report for Shoots when the MachineControllerManagerDeployment feature gate gets enabled until their next reconciliation. by @gardener-ci-robot [#8409]