This repository has been archived by the owner on Apr 7, 2020. It is now read-only.

Releases: gardener-attic/gardener-extensions

v1.6.1

07 Apr 06:39

[gardener-extensions]

Improvements

  • [DEVELOPER] A bug in the worker controller's utility function for applying the machine CRDs has been fixed. (d910022)

v1.6.0

02 Apr 13:12

[gardener-extensions]

Most notable changes

  • [DEVELOPER] A generic CSI migration controller has been added. It can be used by provider extensions to implement migration from in-tree volume plugins to CSI with just a few steps. Please find more information in this document. (#635, @rfranzke)
  • [DEVELOPER] Due to the introduction of the new ContainerRuntime extensibility contract a new generic controller + reconciler has been introduced. It allows developing an external container runtime extension controller that works on the extensions.gardener.cloud/v1alpha1.ContainerRuntime resource (similar to the other extension resources). Information for developing such an extension can be found here. (#630, @nimrodoron)

Improvements

  • [OPERATOR] g/gardener-extensions does now require the g/terraformer@v1.0.0. (#624, @ialidzhikov)
  • [OPERATOR] Add separate sidecar controller to save worker state under Worker.Status.State (#600, @vlvasilev)
    • Add Worker.Status.State restoration functionality
    • Add migration functionality
  • [DEVELOPER] The machine.sapcloud.io CRDs applied by the ./pkg/controller/worker package do now get a protection label for accidental deletion. See also: gardener/gardener#2066 (#625, @rfranzke)

v1.5.0

23 Mar 10:52

[gardener-extensions]

Action Required

  • [DEVELOPER] The generic health check actuator can now take a pre-check function that is performed before the health check is executed. If it returns false then the health check will be skipped. This accommodates extensions that only want to perform their health checks conditionally based on the object's or the cluster's settings. (#627, @rfranzke)
  • [DEVELOPER] All methods of pkg/webhook/controlplane/genericmutator.Ensurer now have an additional argument which can optionally contain the old value of the object. If the admission request was CREATE this value is always nil. (#622, @mvladev)

Improvements

  • [USER] An issue in the machine reconciliation has been fixed that caused the reconciliation to get stuck in some cases where a previously broken worker configuration (e.g., due to the specification of machine types that are not available in certain availability zones) has been corrected. (#626, @rfranzke)
  • [USER] Allow force deletion of machines in case of cluster hibernation (#609, @prashanth26)
  • [OPERATOR] Credentials used by machine-controller-manager are now updated during worker deletion. (#606, @EmoinLanyu)
  • [OPERATOR] An issue causing a running terraformer container to leak on the Node without an associated Pod resource is now fixed. This will prevent multiple containers from executing apply/destroy commands simultaneously in some cases (especially for long-running terraformer Pods). (#605, @ialidzhikov)
  • [DEVELOPER] The Terraformer functions IsStateEmpty, NumberOfResources, CleanupConfiguration, and GetState are now exported. (#610, @rfranzke)
  • [DEVELOPER] github.com/gardener/gardener dependency updated to v1.1.0 (#608, @mvladev)

v1.4.0

26 Feb 08:56

[gardener-extensions]

Action Required

  • [DEVELOPER] Extension controllers having a controlplanebackup webhook that was injecting the backup-restore sidecar into the etcd statefulset should remove the webhook as it is managed by the etcd-druid now. The controlplaneexposure webhook is still responsible for injecting the volume claim templates, however, no longer for StatefulSet but for the new Etcd resource. See also: gardener/gardener#1762 (#603, @georgekuruvillak)

Most notable changes

  • [DEVELOPER] Removed unnecessary install command from Makefile (#591, @plkokanov)

Improvements

  • [OPERATOR] Use internal Gardener secret for health checks. (#602, @zanetworker)
  • [DEVELOPER] You can now pass an IP address to --webhook-config-url and the extensions library will generate a webhook certificate containing a matching IP address SAN. This can be used to run an extension webhook on your host machine and access it from your local cluster via an IP address. (#601, @tim-ebert)
  • [DEVELOPER] hack/generate-controller-registration.sh now generates ControllerRegistrations in version v1beta1. Please regenerate the ControllerRegistrations of your extensions. (#596, @tim-ebert)

v1.3.0

31 Jan 07:33

[gardener-extensions]

Action Required

  • [DEVELOPER] This repository is no longer used to maintain the actual extension controller implementations. Instead, it is considered a library for extension controllers. Please consult the various new repositories under github.com/gardener/gardener-extension-<name>. (6f860db)

Most notable changes

Improvements

  • [DEVELOPER] hack/generate-controller-registration.sh now works with helm 3. (#588, @tim-ebert)

v1.2.1

28 Jan 09:45

[gardener-extensions]

Most notable changes

  • [OPERATOR] The AWS validating webhook chart now also includes v1beta1 shoots in group core.gardener.cloud. (1c1b0fc)

Improvements

  • [OPERATOR] In Alicloud, volumes could be attached on every node regardless of taints. (104d51c)

Docker Images

gardener-extension-hyper: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper:v1.2.1

v1.2.0

15 Jan 11:00

[gardener-extensions]

Action Required

  • [USER] The networks.zones[].worker field in the alicloud.provider.extensions.gardener.cloud/v1alpha1.InfrastructureConfig resource is deprecated in favour of the new networks.zones[].workers field. Please switch to the new field as the old one will be removed in a future version. Also, please note that this field is exclusively usable with Gardener's core.gardener.cloud API group. (#521, @rfranzke)
  • [USER] The networks.worker field in the gcp.provider.extensions.gardener.cloud/v1alpha1.InfrastructureConfig resource is deprecated in favour of the new networks.workers field. Please switch to the new field as the old one will be removed in a future version. Also, please note that this field is exclusively usable with Gardener's core.gardener.cloud API group. (#521, @rfranzke)
  • [USER] The networks.worker field in the openstack.provider.extensions.gardener.cloud/v1alpha1.InfrastructureConfig resource is deprecated in favour of the new networks.workers field. Please switch to the new field as the old one will be removed in a future version. Also, please note that this field is exclusively usable with Gardener's core.gardener.cloud API group. (#521, @rfranzke)
  • [OPERATOR] A breaking change has been introduced to all provider Helm charts: The .config.vpa field is now moved to top-level (.vpa). Please adapt your ControllerRegistration resources accordingly. (#549, @rfranzke)
  • [OPERATOR] The Validatingwebhookconfiguration for gardener-extensions-validator-aws now requires a minimum Kubernetes version of 1.15.x. (#525, @timuthy)
  • [OPERATOR] The image mappings in the provider configuration section of the cloud profiles are now taken into account as mapping source. The mappings in the configuration of the extension controllers are not used anymore. (#455, @mandelsoft)
  • [OPERATOR] The image mappings in the provider configuration section of the cloud profiles were not used so far. Instead a controller configuration described as part of the extension registration was used. Now this configuration is not used anymore and the image mappings must be configured as part of the provider configuration section of the cloud profile. All the image mappings must have been added to the cloud profile configuration in advance before deploying this version. (#455, @mandelsoft)

Most notable changes

  • [USER] It is now possible to remove the ECR permission that is part of the AWS IAM role policy attached to all shoot worker nodes by specifying aws.provider.extensions.gardener.cloud/v1alpha1.InfrastructureConfig.enableECRAccess=false. If the field is not provided then it is defaulted to true, preserving the old behaviour where ECR access is always granted. (#520, @rfranzke)
  • [OPERATOR] The OpenStack CloudProfileConfig now features a new keyStoneURLs field. It is a mapping of regions to keystone URLs. Also, the constraints.loadBalancerProviders and constraints.floatingPools fields can now optionally have a region property. This makes it possible to have only one CloudProfile for an OpenStack environment in which the keystone URL, floating pools, and/or load balancer providers differ per region. See this document for an example resource. Important: Please note that these fields will only be usable with gardener/gardener once the deprecated garden.sapcloud.io/v1beta1 API group has been removed. (#482, @rfranzke)
  • [DEVELOPER] The deprecated certificate-service extension has been removed (it was replaced some months back by the shoot-cert-service extension). (#518, @rfranzke)
  • [DEVELOPER] Developers need to set the ignoreResources variable of the extension chart to true in their extension controller-registration. (#509, @zanetworker)
  • [DEVELOPER] Developers need to point their local kubeconfig to a target development seed cluster. (#509, @zanetworker)

Improvements

  • [OPERATOR] The networking-calico extension now defines a log filter and parser for fluentd via a ConfigMap in every seed's garden namespace. (#550, @rfranzke)
  • [OPERATOR] Azure cloud-controller-manager is now able to create Service events which are helpful to easily identify the underlying errors of the Azure API. (#533, @ialidzhikov)
  • [OPERATOR] An issue where cloud controller manager was self-rate-limited for azure shoot clusters with more than 10 nodes has been fixed. (#532, @vpnachev)
  • [OPERATOR] The AWS validation webhook now requires a specified .spec.networking.nodes field for AWS shoots. (#530, @rfranzke)
  • [OPERATOR] Alicloud, AWS, Azure, GCP and OpenStack providers are now capable of managing hibernated shoots which don't have a Kube-Apiserver service. (#529, @timuthy)
  • [OPERATOR] Validating AWS shoots of version v1beta1 as well as v1alpha1 (group core.gardener.cloud) is now supported by the webhook gardener-extensions-validator-aws. (#525, @timuthy)
  • [OPERATOR] Kubernetes dependencies are updated to kubernetes-1.16.0. (#512, @ialidzhikov)
  • [OPERATOR] Infrastructure creation and deletion are optimized for Azure. (#499, @dkistner)
  • [OPERATOR] Extension providers write health check conditions into extension resources. Extensions can contribute to the health of the Shoot. Gardener watches conditions with type SystemComponentsHealthy, EveryNodeReady, ControlPlaneHealthy on the extension resource. (#472, @danielfoehrKn)
  • [OPERATOR] It is possible now to specify regional image IDs in the OpenStack CloudProfile configuration. (#455, @mandelsoft)
  • [DEVELOPER] Documentation for the networking-calico extensions has been added. (#526, @zanetworker)

[cert-management]

Improvements

[external-dns-management]

Improvements

Docker Images

gardener-extension-hyper: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper:v1.2.0

v1.1.1

10 Jan 22:30

[gardener-extensions]

Improvements

  • [OPERATOR] An issue where cloud controller manager was self-rate-limited for azure shoot clusters with more than 10 nodes has been fixed. (aae3ee9)

Docker Images

gardener-extension-hyper: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper:v1.1.1

v1.1.0

19 Dec 15:21

[gardener-extensions]

Action Required

  • [USER] Calico network configuration has been extended with parameters suitable for bare metal environments (allows setting pool types, modes and additional backend types). Old fields and defaults are kept for backwards-compatibility but will be removed in a future Gardener release. (#460, @majst01)

Most notable changes

  • [USER] If you wish to configure the MTU value of calico then you can set the .spec.vethMTU field in the calico.networking.extensions.gardener.cloud/v1alpha1.NetworkConfig. Please make sure that all the MTUs in your environment, failure to do so will result in performance penalties and packet loss. (#502, @jiangytcn)
  • [USER] The AWS infrastructure controller does now remove all ingress and egress rules from the default VPC security group in case it is managed by Gardener. It doesn't touch the default VPC security group in case a shoot uses an already existing VPC. (#478, @rfranzke)
  • [USER] ⚠️ In order to prevent undesired rolling updates of machine resources the hash value computation has changed. A rolling update of worker nodes is now only happening if one of the following properties is changed: Kubernetes major/minor version, machine image name or version, machine type, volume type or size, worker pool provider configuration. Deploying this change will, one last time, roll out all nodes of all clusters. (#474, @rfranzke)
  • [USER] The minimum number of ports allocated to a VM in the CloudNAT resource can be defined in the gcp.provider.extensions.gardener.cloud/v1alpha1.InfrastructureConfig.networks.cloudNAT.minPortsPerVM (#450, @vpnachev)
  • [OPERATOR] All extension controllers are now able to work with all versions of Gardener's core.gardener.cloud API group. (#505, @rfranzke)
  • [OPERATOR] The gardener-extensions now offers a validating webhook which checks shoot resources of type aws in the recently introduced core.gardener.cloud group. Operators should register this webhook in the Garden cluster to further prevent invalid modifications on aws shoots. (#438, @timuthy)

Improvements

  • [USER] An issue where calico typha was not working with SuSE nodes has been fixed. Now SuSE-based clusters can enable calico typha again and benefit from it. (#500, @vpnachev)
  • [USER] Issue CVE-2019-11255 is fixed, which only affected shoot clusters in k8s version 1.13. (#448, @jia-jerry)
  • [USER] provider-alicloud extension now automatically shares customized images to Shoot's alicloud account during infrastructure reconcile. (#427, @EmoinLanyu)
  • [OPERATOR] Added support for OpenStack CCM v1.17.0 (#503, @afritzler)
  • [OPERATOR] SuSE nodes are now using an MTU of 1460 on all infrastructures. (#500, @vpnachev)
  • [OPERATOR] VPA for provider extension controllers is now configurable via ControllerRegistration. (#488, @danielfoehrKn)
  • [OPERATOR] The AWS infrastructure provider now takes care of deleting stale NLBs. (#485, @zanetworker)
  • [OPERATOR] Customized image sharing is now optional for extension-provider-alicloud and no default secret is created in extension's namespace unless explicitly configured. (#483, @EmoinLanyu)
  • [OPERATOR] sigs.k8s.io/controller-runtime is updated to v0.2.2. (#481, @ialidzhikov)
  • [OPERATOR] Extension-shoot-cert-service can now use imagevector overwrite. A bug that causes deployment resources configuration of extension-shoot-cert-service to not work has been fixed. (#477, @EmoinLanyu)
  • [OPERATOR] All Infrastructure extension controllers do now copy the Terraformer state into the Infrastructure's .status.state field. (#476, @vlvasilev)
  • [OPERATOR] The release tags are from now on prefixed with v. (#473, @ialidzhikov)
  • [OPERATOR] An issue preventing extension-shoot-dns-service from being properly installed is now fixed. (#469, @ialidzhikov)
  • [OPERATOR] Add bucket lifecycle rule on AWS S3 and OSS bucket to clean up incomplete multipart uploads after expiration period. (#464, @swapnilgm)
  • [OPERATOR] Fix the backupEntry deletion error in case of more than 1000 backups accumulated for provider-aws. (#459, @swapnilgm)
  • [OPERATOR] An issue preventing calico-typha-vertical-autoscaler from patching (scaling) calico-typha-deploy is now fixed. (#456, @ialidzhikov)
  • [OPERATOR] An issue with dropped packets by CloudNAT for GCP clusters has been fixed. (#450, @vpnachev)

[cert-management]

Improvements

[external-dns-management]

Improvements

[machine-controller-manager]

Improvements

[terraformer]

Improvements

Docker Images

gardener-extension-hyper: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper:v1.1.0

1.0.6

19 Dec 14:43

[gardener-extensions]

Improvements

  • [OPERATOR] The AWS infrastructure provider now takes care of deleting stale NLBs. (88026a2)

Docker Images

gardener-extension-hyper: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper:1.0.6