v1.95.1-0

@github-actions github-actions released this 20 May 15:01
· 22 commits to main since this release

Release Notes v1.95

Yake release notes and upgrade guide

Related upstream release notes / changelogs

Update external-dns-management to 0.18.5

[gardener/external-dns-management]

🐛 Bug Fixes

  • [OPERATOR] As AWS "us-gov" zones do not support alias target records, they are excluded from the list of canonical hosted zones used to decide if ALIAS records are created instead of CNAME records. by @MartinWeindel [#365]
  • [USER] Keep stale entries of other providers of the same zone untouched if all providers but one have invalid credentials and last valid provider is removed. by @MartinWeindel [#364]

🏃 Others

Docker Images

  • dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/dns-controller-manager:v0.18.5
Update shoot-dns-service to 1.47.0

[gardener/external-dns-management]

🐛 Bug Fixes

🏃 Others

[gardener/gardener-extension-shoot-dns-service]

🏃 Others

  • [OPERATOR] Bumps github.com/gardener/gardener from 1.91.0 to 1.92.0. by @dependabot[bot] [#318]

Docker Images

  • gardener-extension-admission-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-shoot-dns-service:v1.47.0
  • gardener-extension-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-dns-service:v1.47.0
Update shoot-dns-service to 1.47.1

[gardener/gardener-extension-shoot-dns-service]

🐛 Bug Fixes

  • [OPERATOR] fix regression bug "secret name is not defined as named resource references at 'spec.resources'" introduced with #320 by Martin Weindel <martin.weindel@sap.com> [$490d837737a4f524b83b8997a18f31e860f23fc3]

Docker Images

  • gardener-extension-admission-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-shoot-dns-service:v1.47.1
  • gardener-extension-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-dns-service:v1.47.1
Update gardener-metrics-exporter to 0.30.0

[gardener/gardener-metrics-exporter]

🏃 Others

  • [OPERATOR] The costObject for workerless shoots is now determined correctly. by @vicwicker [#103]
  • [OPERATOR] Add garden_version to the garden_shoot_info metric by @Kumm-Kai [#101]
  • [OPERATOR] Rename garden_version label to gardener_version on garden_shoot_info metric. by @rickardsjp [#102]

Docker Images

  • metrics-exporter: europe-docker.pkg.dev/gardener-project/releases/gardener/metrics-exporter:0.30.0
Update provider-aws to 1.54.1

[gardener/gardener-extension-provider-aws]

🐛 Bug Fixes

  • [OPERATOR] DNSRecord controller will not create ALIAS DNS records for AWS "us-gov" zones anymore. by @AndreasBurger [#930]

🏃 Others

  • [OPERATOR] Bump github.com/gardener/external-dns-management from 0.18.4 to 0.18.5. by @AndreasBurger [#930]

Docker Images

  • gardener-extension-admission-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-aws:v1.54.1
  • gardener-extension-provider-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-aws:v1.54.1
Update cert-management to 0.14.1

[gardener/cert-management]

🏃 Others

  • [OPERATOR] Fix cluster configuration for new source controllers istio-gateways-dns and k8s-gateways-dns. by @MartinWeindel [#175]

Docker Images

  • cert-management: europe-docker.pkg.dev/gardener-project/releases/cert-controller-manager:v0.14.1
Update shoot-cert-service to 1.43.0

[gardener/gardener-extension-shoot-cert-service]

🏃 Others

  • [OPERATOR] Bumps github.com/gardener/gardener from 1.91.0 to 1.92.0. by @dependabot[bot] [#249]
  • [OPERATOR] Bumps golang from 1.22.1 to 1.22.2. by @dependabot[bot] [#247]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.92.0 to 1.93.0. by @dependabot[bot] [#251]
  • [USER] The defaults for the private key of new certificates have been changed from RSA 2048bit to RSA 3072bit. Existing certificates will make use of these new defaults when they are renewed. by @gardener-robot-ci-3 [#253]

[gardener/cert-management]

✨ New Features

  • [USER] The Istio resource Gateway can now be annotated with cert.gardener.cloud/purpose=managed to enable the automatic creation of Certificate resources for domain names extracted from hosts fields in this resource or related VirtualServices resources.
    The Gateway and HTTPRoute resources from the Gateway API are supported in a similar way. by @MartinWeindel [gardener/cert-management#174]

🏃 Others

  • [OPERATOR] Fix cluster configuration for new source controllers istio-gateways-dns and k8s-gateways-dns. by @MartinWeindel [gardener/cert-management#175]
  • [OPERATOR] Support deployment specific default values for private key algorithm and size with the new command line options --default-private-key-algorithm, --default-rsa-private-key-size, --default-ecdsa-private-key-size by @MartinWeindel [gardener/cert-management#171]

Docker Images

  • gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.43.0
Update dashboard to 1.74.1

[gardener/dashboard]

🐛 Bug Fixes

  • [USER] Ticket titles start with [<projectName>/<shootName>], unless overridden by a Gardener administrator's configuration. by @petersutter [#1830]

Docker Images

  • dashboard: europe-docker.pkg.dev/gardener-project/releases/gardener/dashboard:1.74.1
Update provider-alicloud to 1.52.0

[gardener/gardener-extension-provider-alicloud]

⚠️ Breaking Changes

  • [OPERATOR] provider-alicloud no longer supports Shoots with Kubernetes version == 1.24. by @shafeeqes [#678]

🐛 Bug Fixes

  • [DEVELOPER] source- prefix of BackupEntry name is being ignored when performing entry deletion by @Kostov6 [#698]

🏃 Others

  • [OPERATOR] Update csi-plugin-alicloud to v1.30.1-242df8a-aliyun by @kevin-lacoo [#709]
  • [OPERATOR] The code related to machine-controller-manager management has been cleaned up because gardenlet is responsible for it since gardener/gardener@v1.83. by @kevin-lacoo [#706]
  • [OPERATOR] add os information as labels in machine class objects. by @tedteng [#703]
  • [DEVELOPER] Add GetBucketInfo to OSS client interface. by @MartinWeindel [#694]
  • [DEPENDENCY] The following golang dependencies have been upgraded:
    • gardener/gardener: v1.86.0 -> v1.91.1
    • k8s.io/*: v0.28.3 -> v0.29.3
    • sigs.k8s.io/controller-runtime: v0.16.3 -> v0.17.2 by @shafeeqes [#704]

[gardener/terraformer]

🏃 Others

Docker Images

  • gardener-extension-admission-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-alicloud:v1.52.0
  • gardener-extension-provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-alicloud:v1.52.0
Update provider-gcp to 1.35.0

[gardener/gardener-extension-provider-gcp]

⚠️ Breaking Changes

  • [USER] [csi-snapshotter] Enable prevent-volume-mode-conversion feature flag by default. Volume mode change can still be triggered with the respective annotations. You can read more in the KEP by @kon-angelo [#719]
  • [OPERATOR] provider-gcp no longer supports Shoots with Kubernetes version == 1.24. by @shafeeqes [#677]

📰 Noteworthy

  • [USER] Added support for the EnableDynamicPortAllocation flag and the configuration of the related MaxPortsPerVM value on cloudNATs.
    IcmpIdleTimeoutSec, TcpEstablishedIdleTimeoutSec, TcpTimeWaitTimeoutSec, TcpTransitoryIdleTimeoutSec, and UdpIdleTimeoutSec can now be configured on cloudNATs. by @AndreasBurger [#706]
  • [USER] DisableGardenerServiceAccountCreation feature gate has been promoted to beta and therefore is enabled by default. by @AndreasBurger [#711]

✨ New Features

  • [DEVELOPER] Dependency update to github.com/gardener/gardener@v1.90.4. by @oliver-goetz [#714]

🐛 Bug Fixes

  • [DEVELOPER] source- prefix of BackupEntry name is being ignored when performing entry deletion by @Kostov6 [#710]

🏃 Others

  • [OPERATOR] [infrastructure] General stability flow reconciliation improvements. by @kon-angelo [#715]
  • [OPERATOR] add os information as labels in machine class objects. by @tedteng [#689]
  • [OPERATOR] NodeGroupAutoscalingOptions can now be specified per worker group via the worker through the field worker.spec.pools.clusterAutoscaler by @aaronfern [#733]
  • [USER] An error text which better indicates the reason for the failure is displayed when a user tries to create a SecretBinding resource which references a Secret with a serviceaccount.json field in invalid json format. by @plkokanov [#723]

[gardener/terraformer]

🏃 Others

Docker Images

  • gardener-extension-admission-gcp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-gcp:v1.35.0
  • gardener-extension-provider-gcp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-gcp:v1.35.0
Update provider-azure to 1.42.3

[gardener/gardener-extension-provider-azure]

🏃 Others

  • [OPERATOR] Fix a bug where the terraform-provider-azure would not properly delete shoot resource groups. The infrastructure-controller will issue an additional delete operation for the shoot's resource group. by @kon-angelo [#842]
  • [OPERATOR] The extension will now try to delete empty resource groups on infrastructure creation after an unsuccessful terraform-apply operation.
    A resource group may not be ready for some time after a successful create call returns. The azurerm terraform-provider on resource group does not respect that and the GET call may result in a NotFound error, creating a deadlock. The extension will try to work around this by deleting empty resource groups under the condition that this is a Create operation. by @AndreasBurger [#844]

Docker Images

  • gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.42.3
  • gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.42.3
Update cert-management to 0.14.2

[gardener/cert-management]

🐛 Bug Fixes

  • [USER] Fix regression for annotations on ingress resources: dns.gardener.cloud/dnsnames annotation must be ignored. by @MartinWeindel [#176]

Docker Images

  • cert-management: europe-docker.pkg.dev/gardener-project/releases/cert-controller-manager:v0.14.2
Update shoot-cert-service to 1.43.1

[gardener/cert-management]

🐛 Bug Fixes

Docker Images

  • gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.43.1
Update provider-azure to 1.43.0

[gardener/gardener-extension-provider-azure]

⚠️ Breaking Changes

  • [USER] [csi-snapshotter] Enable prevent-volume-mode-conversion feature flag by default. Volume mode change can still be triggered with the respective annotations. You can read more in the KEP by @hebelsan [#809]
  • [OPERATOR] provider-azure no longer supports Shoots with Kubernetes version == 1.24. by @shafeeqes [#769]

🏃 Others

  • [OPERATOR] Update clients for dns, storage, compute, and msi to use the new Azure SDK libraries by @AndreasBurger [#833]
  • [OPERATOR] add os information as labels in machine class objects. by @tedteng [#816]
  • [OPERATOR] Deployment of the Remedy Controller can now additionally be controlled using the DisableRemedyController feature gate. by @AndreasBurger [#806]
  • [OPERATOR] The Azure instance to connect to can now be configured in the CloudProfile and BackupBucket/BackupEntry. by @AndreasBurger [#815]
  • [OPERATOR] NodeGroupAutoscalingOptions can now be specified per worker group via the worker through the field worker.spec.pools.clusterAutoscaler by @aaronfern [#831]
  • [DEPENDENCY] The following golang dependencies have been upgraded:
    • gardener/gardener: v1.87.0 -> v1.91.1
    • k8s.io/*: v0.28.3 -> v0.29.3
    • sigs.k8s.io/controller-runtime: v0.16.3 -> v0.17.2
    • sigs.k8s.io/controller-tools: v0.13.0 -> v0.14.0 by @hebelsan [#814]

[gardener/machine-controller-manager-provider-azure]

🏃 Others

Docker Images

  • gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.43.0
  • gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.43.0
Update gardener-controlplane to 1.94.1

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Fix an issue in the etcd component which caused Shoot deletion to fail when the VPAForETCD feature gate was enabled by @voelzmo [#9703]

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.94.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.94.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.94.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.94.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.94.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.94.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.94.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.94.1
Update gardenlet to 1.94.1

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Fix an issue in the etcd component which caused Shoot deletion to fail when the VPAForETCD feature gate was enabled by @voelzmo [#9703]

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.94.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.94.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.94.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.94.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.94.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.94.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.94.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.94.1
Update shoot-networking-problemdetector to 0.21.0

[gardener/network-problem-detector]

🏃 Others

[gardener/gardener-extension-shoot-networking-problemdetector]

⚠️ Breaking Changes

  • [OPERATOR] extension-shoot-networking-filter no longer supports Shoots with Kubernetes version == 1.24. by @shafeeqes [#113]

🏃 Others

  • [OPERATOR] Bumps github.com/gardener/gardener from 1.88.0 to 1.89.0. by @dependabot[bot] [#123]
  • [OPERATOR] Drop CPU limit for controller by @gardener-robot-ci-3 [#140]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.91.0 to 1.92.0. by @dependabot[bot] [#136]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.89.0 to 1.90.0. by @dependabot[bot] [#126]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.92.0 to 1.93.0. by @dependabot[bot] [#138]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.87.2 to 1.88.0. by @dependabot[bot] [#122]
  • [OPERATOR] Bump github.com/gardener/gardener from 1.86.0 to 1.87.0. by @dependabot[bot] [#117]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.90.0 to 1.91.0. by @dependabot[bot] [#132]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.93.0 to 1.94.0. by @dependabot[bot] [#139]

Docker Images

  • gardener-extension-shoot-networking-problemdetector: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-problemdetector:v0.21.0
Update shoot-flux to 0.5.0

✨ New Features

ℹ️ Other Changes

New Contributors

Full Changelog: stackitcloud/gardener-extension-shoot-flux@v0.4.0...v0.5.0

Update provider-azure to 1.43.1

[gardener/gardener-extension-provider-azure]

🏃 Others

  • [OPERATOR] Fix a bug causing nil pointer exceptions on the backupbucket reconciliation when no BackupBucket providerConfig was provided. by @ialidzhikov [#856]

Docker Images

  • gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.43.1
  • gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.43.1
Update runtime-gvisor to 0.14.0

[gardener/gardener-extension-runtime-gvisor]

⚠️ Breaking Changes

  • [OPERATOR] runtime-gvisor extension no longer supports Shoots with Kubernetes version == 1.24. by @shafeeqes [#110]

🏃 Others

Docker Images

  • gardener-extension-runtime-gvisor-installation: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-gvisor-installation:v0.14.0
  • gardener-extension-runtime-gvisor: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-gvisor:v0.14.0
Update provider-alicloud to 1.52.1

no release notes available

Docker Images

  • gardener-extension-admission-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-alicloud:v1.52.1
  • gardener-extension-provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-alicloud:v1.52.1
Update cloudprofiles to 0.7.7

Full Changelog: gardener-community/cloudprofiles@0.7.6...0.7.7

Update cloudprofiles to 0.7.8

Full Changelog: gardener-community/cloudprofiles@0.7.7...0.7.8

Update dashboard to 1.75.0

[gardener/dashboard]

✨ New Features

  • [USER] The Dashboard now recognizes and displays automatic update notifications according to the configured update strategy for machine image vendors by @grolu [#1807]
  • [OPERATOR] Promoting experimentalUseWatchCacheForListShoots to Stable
    • The experimentalUseWatchCacheForListShoots feature flag in the gardener-dashboard Helm chart, which was introduced with #1637, has now been promoted to stable and removed. Previously, this feature was gated behind the Values.global.dashboard.experimentalUseWatchCacheForListShoots Helm chart value. With this release, the feature is now enabled by default, which is equivalent to setting Values.global.dashboard.experimentalUseWatchCacheForListShoots: always by @petersutter [#1822]
  • [OPERATOR] The dashboard supports a previous session secret. It allows for a seamless rotation of the session secret by supporting both the current and previous secrets. When installed using the helm chart, provide Values.global.dashboard.sessionSecretPrevious. Set this value to the previous sessionSecret during secret rotation, and leave it empty otherwise. by @petersutter [#1856]

🐛 Bug Fixes

  • [USER] Fixed: Addressed an issue where the Dashboard incorrectly reported no available update paths to a Kubernetes version when no immediate supported minor version updates were available by @grolu [#1848]
  • [USER] During session secret rotation, an unexpected error with code 500 could occur, requiring manual deletion of session cookies to resolve. This situation is now properly handled, and the user will be redirected to the login page accordingly. by @holgerkoser [#1869]

🏃 Others

  • [USER] The last error description of the Terminal resource is shown on timeout. by @petersutter [#1810]
  • [OPERATOR] Terminal: terminal-controller-manager v0.32.0 required in order to display the last error description of the Terminal resource. by @petersutter [#1810]
  • [OPERATOR] The component name is changed from dashboard to gardener-dashboard. by @ialidzhikov [#1857]
  • [OPERATOR] The Helm chart was adapted to mount Kubernetes secrets as read-only files instead of storing them as environment variables, in order to comply with DISA STIG V-242415. by @petersutter [#1842]
  • [OPERATOR] Values.global.dashboard.oidc.clientSecret is now optional. The dashboard can now also use a public OIDC client. by @petersutter [#1835]
  • [DEVELOPER] The Lease object is no longer included in the Helm chart. Instead, it is now created dynamically during runtime if it does not already exist by @petersutter [#1823]

Docker Images

  • gardener-dashboard: europe-docker.pkg.dev/gardener-project/releases/gardener/dashboard:1.75.0
Update gardener-controlplane to 1.95.0

[gardener/gardener]

⚠️ Breaking Changes

  • [OPERATOR] The .monitoring.shoot.remoteWrite.queueConfig field is no longer available in the gardenlet component configuration. If needed, you have to register a webhook for the monitoring.coreos.com/v1.Prometheus object named shoot in the shoot namespaces. The webhook can inject the needed configuration in .spec.remoteWrite[0].queueConfig. by @rfranzke [#9695]

📰 Noteworthy

  • [DEVELOPER] The extensions.gardener.cloud/v1alpha1.Worker resource now has a new .spec.pools[].userDataSecretRef field which references a Secret containing the actual user data. The .spec.pools[].userData field is deprecated and will be removed in a future version. Worker extensions should fetch the user data from the secret and can use the extensions/pkg/controller/worker.FetchUserData helper function for it. by @rfranzke [#9722]
  • [DEVELOPER] The legacy method for extensions to provide observability configuration for shoot clusters (via ConfigMaps labelled with extensions.gardener.cloud/configuration=monitoring) is deprecated and will be removed in a future release. Please refer to this document to get information about the new, recommended way, and start migrating to it. by @rfranzke [#9695]

✨ New Features

  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.30. To allow creation/update of 1.30 clusters you will have to update the version of your provider extension(s) to a version that supports 1.30 as well. Please consult the respective releases and notes in the provider extension's repository. by @shafeeqes [#9689]
  • [OPERATOR] A new feature gate named VPAAndHPAForAPIServer is introduced to gardenlet. When enabled, the Shoot Kubernetes API Server is scaled simultaneously by VPA and HPA on the same metric (CPU and memory usage). The new feature aims to replace the existing HVPA autoscaling mechanism for the Shoot Kubernetes API server. by @ialidzhikov [#9678]
  • [USER] It is now possible to configure Projects with the "four-👀 approval concept for deletion". For now, this can only be applied to Shoots. If configured, the user confirming a Shoot deletion (via the confirmation.gardener.cloud/deletion annotation) must not be the same user who is sending the DELETE request. This can help prevent accidental/unintentional Shoot deletion. Find all information about the feature in this document. by @rfranzke [#9680]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.30. Extension developers have to prepare individual extensions as well to work with 1.30. by @shafeeqes [#9689]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed which caused regeneration of managedresource-shoot-core-system-* Secrets on each Shoot reconciliation. by @rfranzke [#9718]
  • [USER] A bug has been fixed which caused unneeded gardener-node-agent reconciliations after each Shoot reconciliation even if the underlying OperatingSystemConfig did not contain relevant changes. by @rfranzke [#9723]

🏃 Others

  • [OPERATOR] e2e-kind tests can now run successfully in an IPv4-only environment by @ScheererJ [#9693]
  • [OPERATOR] Validation of DNSRecords: allow domain names starting with an underscore "_" by @MartinWeindel [#9714]
  • [OPERATOR] The istio ingress gateway access log now includes the connections initiated via apiserver-proxy, i.e. cluster-internal communication via kubernetes.default.svc.cluster.local. by @ScheererJ [#9686]
  • [OPERATOR] Replaced HVPA for the vali StatefulSet with VPA. Additionally, the curator kube-rbac-proxy and telegraf containers of the vali StatefulSet now specify CPU resource requests of 5m each. by @plkokanov [#9611]
  • [OPERATOR] Updated MCM metrics list used to configure prometheus by @rishabh-11 [#9684]
  • [OPERATOR] The kube-controller-manager component is now scaled by VPA, instead of HVPA. by @andrerun [#9698]
  • [OPERATOR] Modified the CPU and memory resource requests for the plutono container to 5m and 45Mi, respectively. Additionally, reduced the vali container CPU resource requests to 20m. by @plkokanov [#9754]

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.95.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.95.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.95.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.95.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.95.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.95.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.95.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.95.0
Update gardener-controlplane to 1.95.0

[gardener/gardener]

⚠️ Breaking Changes

  • [OPERATOR] The .monitoring.shoot.remoteWrite.queueConfig field is no longer available in the gardenlet component configuration. If needed, you have to register a webhook for the monitoring.coreos.com/v1.Prometheus object named shoot in the shoot namespaces. The webhook can inject the needed configuration in .spec.remoteWrite[0].queueConfig. by @rfranzke [#9695]

πŸ“° Noteworthy

  • [DEVELOPER] The extensions.gardener.cloud/v1alpha1.Worker resource now has a new .spec.pools[].userDataSecretRef field which references a Secret containing the actual user data. the .spec.pools[].userData field is deprecated and will be removed in a future version. Worker extensions should fetch the user data from the secret and can use the extensions/pkg/controller/worker.FetchUserData helper function for it. by @rfranzke [#9722]
  • [DEVELOPER] The legacy method for extensions to provide observability configuration for shoot clusters (via ConfigMaps labelled with extensions.gardener.cloud/configuration=monitoring) is deprecated and will be removed in a future release. Please refer to this document to get information about the new, recommended way, and start migrating to it. by @rfranzke [#9695]

✨ New Features

  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.30. To allow creation/update of 1.30 clusters you will have to update the version of your provider extension(s) to a version that supports 1.30 as well. Please consult the respective releases and notes in the provider extension's repository. by @shafeeqes [#9689]
  • [OPERATOR] A new feature gate named VPAAndHPAForAPIServer is introduced to gardenlet. When enabled, the Shoot Kubernetes API Server is scaled simultaneously by VPA and HPA on the same metric (CPU and memory usage). The new feature aims to replace the existing HVPA autoscaling mechanism for the Shoot Kubernetes API server. by @ialidzhikov [#9678]
  • [USER] It is now possible to configure Projects with the "four-πŸ‘€ approval concept for deletion" concept. For now, this can only be applied to Shoots. If configured, the user confirming a Shoot deletion (via the confirmation.gardener.cloud/deletion annotation) must not be the same user who is sending the DELETE request. This can help preventing accidental/unintentional Shoot deletion. Find all information about the feature in this document. by @rfranzke [#9680]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.30. Extension developers have to prepare individual extensions as well to work with 1.30. by @shafeeqes [#9689]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed which caused regeneration of managedresource-shoot-core-system-* Secrets on each Shoot reconciliation. by @rfranzke [#9718]
  • [USER] A bug has been fixed which caused unneeded gardener-node-agent reconciliations after each Shoot reconciliation even if the underlying OperatingSystemConfig did not contain relevant changes. by @rfranzke [#9723]

🏃 Others

  • [OPERATOR] e2e-kind tests can now run successfully in an IPv4-only environment by @ScheererJ [#9693]
  • [OPERATOR] Validation of DNSRecords: allow domain names starting with an underscore "_" by @MartinWeindel [#9714]
  • [OPERATOR] The istio ingress gateway access log now includes the connections initiated via apiserver-proxy, i.e. cluster-internal communication via kubernetes.default.svc.cluster.local. by @ScheererJ [#9686]
  • [OPERATOR] Replaced HVPA for the vali StatefulSet with VPA. Additionally, the curator kube-rbac-proxy and telegraf containers of the vali StatefulSet now specify CPU resource requests of 5m each. by @plkokanov [#9611]
  • [OPERATOR] Updated MCM metrics list used to configure prometheus by @rishabh-11 [#9684]
  • [OPERATOR] The kube-controller-manager component is now scaled by VPA, instead of HVPA. by @andrerun [#9698]
  • [OPERATOR] Modified the CPU and memory resource requests for the plutono container to 5m and 45Mi, respectively. Additionally, reduced the vali container CPU resource requests to 20m. by @plkokanov [#9754]

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.95.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.95.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.95.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.95.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.95.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.95.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.95.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.95.0
Update gardenlet to 1.95.0

[gardener/gardener]

⚠️ Breaking Changes

  • [OPERATOR] The .monitoring.shoot.remoteWrite.queueConfig field is no longer available in the gardenlet component configuration. If needed, you have to register a webhook for the monitoring.coreos.com/v1.Prometheus object named shoot in the shoot namespaces. The webhook can inject the needed configuration in .spec.remoteWrite[0].queueConfig. by @rfranzke [#9695]

📰 Noteworthy

  • [DEVELOPER] The extensions.gardener.cloud/v1alpha1.Worker resource now has a new .spec.pools[].userDataSecretRef field which references a Secret containing the actual user data. The .spec.pools[].userData field is deprecated and will be removed in a future version. Worker extensions should fetch the user data from the secret and can use the extensions/pkg/controller/worker.FetchUserData helper function for it. by @rfranzke [#9722]
  • [DEVELOPER] The legacy method for extensions to provide observability configuration for shoot clusters (via ConfigMaps labelled with extensions.gardener.cloud/configuration=monitoring) is deprecated and will be removed in a future release. Please refer to this document to get information about the new, recommended way, and start migrating to it. by @rfranzke [#9695]

✨ New Features

  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.30. To allow creation/update of 1.30 clusters you will have to update the version of your provider extension(s) to a version that supports 1.30 as well. Please consult the respective releases and notes in the provider extension's repository. by @shafeeqes [#9689]
  • [OPERATOR] A new feature gate named VPAAndHPAForAPIServer is introduced to gardenlet. When enabled, the Shoot Kubernetes API Server is scaled simultaneously by VPA and HPA on the same metric (CPU and memory usage). The new feature aims to replace the existing HVPA autoscaling mechanism for the Shoot Kubernetes API server. by @ialidzhikov [#9678]
  • [USER] It is now possible to configure Projects with the "four-πŸ‘€ approval concept for deletion" concept. For now, this can only be applied to Shoots. If configured, the user confirming a Shoot deletion (via the confirmation.gardener.cloud/deletion annotation) must not be the same user who is sending the DELETE request. This can help preventing accidental/unintentional Shoot deletion. Find all information about the feature in this document. by @rfranzke [#9680]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.30. Extension developers have to prepare individual extensions as well to work with 1.30. by @shafeeqes [#9689]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed which caused regeneration of managedresource-shoot-core-system-* Secrets on each Shoot reconciliation. by @rfranzke [#9718]
  • [USER] A bug has been fixed which caused unneeded gardener-node-agent reconciliations after each Shoot reconciliation even if the underlying OperatingSystemConfig did not contain relevant changes. by @rfranzke [#9723]

🏃 Others

  • [OPERATOR] e2e-kind tests can now run successfully in an IPv4-only environment by @ScheererJ [#9693]
  • [OPERATOR] Validation of DNSRecords: allow domain names starting with an underscore "_" by @MartinWeindel [#9714]
  • [OPERATOR] The istio ingress gateway access log now includes the connections initiated via apiserver-proxy, i.e. cluster-internal communication via kubernetes.default.svc.cluster.local. by @ScheererJ [#9686]
  • [OPERATOR] Replaced HVPA for the vali StatefulSet with VPA. Additionally, the curator kube-rbac-proxy and telegraf containers of the vali StatefulSet now specify CPU resource requests of 5m each. by @plkokanov [#9611]
  • [OPERATOR] Updated MCM metrics list used to configure prometheus by @rishabh-11 [#9684]
  • [OPERATOR] The kube-controller-manager component is now scaled by VPA, instead of HVPA. by @andrerun [#9698]
  • [OPERATOR] Modified the CPU and memory resource requests for the plutono container to 5m and 45Mi, respectively. Additionally, reduced the vali container CPU resource requests to 20m. by @plkokanov [#9754]

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.95.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.95.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.95.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.95.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.95.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.95.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.95.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.95.0