Bump the gardener-dependencies group with 2 updates #392

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/gardener-dependencies-93dac5df13

@dependabot dependabot Bot commented on behalf of github May 27, 2026

Bumps the gardener-dependencies group with 2 updates: github.com/gardener/gardener and github.com/gardener/gardener/pkg/apis.

Updates github.com/gardener/gardener from 1.142.1 to 1.143.0

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.143.0

[github.com/gardener/gardener:v1.143.0]

⚠️ Breaking Changes

  • [OPERATOR] gardener-operator's ValidatingWebhookConfiguration no longer accepts invalid values for the Garden's .spec.virtualCluster.kubernetes.kubeAPIServer.eventTTL field even for existing Garden resources with already invalid values. Invalid values are values outside of the range [0, 24h]. The gardener-operator webhook caps the eventTTL to 24h for already persisted Gardens with a value exceeding the allowed maximum. by @​ialidzhikov [#14707]
  • [OPERATOR] The GA-ed and unconditionally enabled NewWorkerPoolHash feature gate is removed. If you have references to this feature gate, clean them up before upgrading to this version of Gardener. by @​ialidzhikov [#14800]
  • [OPERATOR] ⚠️ The secrets in the gardener-system-shoot-issuer namespace containing shoot's OIDC discovery documents will stop being labeled with authentication.gardener.cloud/public-keys=serviceaccount after Gardener v1.145.0 is released. Clients relying on this label must migrate to discovery.gardener.cloud/public=serviceaccount before that. For backward compatibility, it is advised to support both labels for some time. by @​vpnachev [#14670]
  • [OPERATOR] gardener-apiserver no longer accepts invalid values for ManagedSeedSet's .spec.shootTemplate.spec.kubernetes.kubeAPIServer.eventTTL field even for existing ManagedSeedSet resources with already invalid values. Invalid values are values outside of the range [0, 24h]. gardener-apiserver caps the eventTTL to 24h for already persisted ManagedSeedSets with a value exceeding the allowed maximum. by @​ialidzhikov [#14707]
  • [OPERATOR] The deprecated gardenClusterCACert field was removed from the GardenletConfiguration. The CA is now always automatically set by Gardener. by @​timuthy [#14803]
  • [USER] gardener-apiserver no longer accepts invalid values for the Shoot's .spec.kubernetes.kubeAPIServer.eventTTL field even for existing Shoot resources with already invalid values. Invalid values are values outside of the range [0, 24h]. gardener-apiserver caps the eventTTL to 24h for already persisted Shoots with a value exceeding the allowed maximum. by @​ialidzhikov [#14707]
  • [DEPENDENCY] In Gardener v1.142.0 the hack/push-helm.sh script was moved to dev-setup/push-helm.sh. It is now moved back from dev-setup/push-helm.sh to hack/push-helm.sh to allow reuse from the extensions as before. by @​ialidzhikov [#14838]

📰 Noteworthy

  • [OPERATOR] Garden status now contains the AdvertisedAddresses of the virtual garden kube-apiserver by @​hown3d [#14831]
  • [USER] The release binary artifact names have changed to include an archive suffix, which is removed from the contained binary. by @​LucaBernstein [#14814]
  • [DEVELOPER] e2e tests are now running with Kubernetes v1.35. by @​timuthy [#14766]

✨ New Features

  • [USER] A new Kubelet option SingleProcessOOMKill was added to the Shoot API. Users can use this field to configure single process termination in case it ran out of memory. By default, all processes in the same cgroup are killed when an OOM occurs. by @​timuthy [#14866]

🐛 Bug Fixes

  • [OPERATOR] Fixed intermittent gRPC "server closed the stream without sending trailers" errors for shoot-node log collection by setting useClientProtocol: true on the otel-collector DestinationRule to ensure HTTP/2 is used for upstream connections. by @​rrhubenov [#14730]
  • [OPERATOR] A bug causing the gardener-resource-manager to panic whenever a VirtualService update event is processed and the Http/Tls/Tcp spec fields need element-by-element comparison is now fixed. by @​shafeeqes [#14888]
  • [OPERATOR] Skip unusable machine types in search for suitable bastion host image by @​matthias-horne [#14813]
  • [OPERATOR] A bug has been fixed where the SystemComponentsRunning was showing an error for self-hosted shoots on unmanaged infrastructure. by @​tobschli [#14804]
  • [OPERATOR] Fixed unreachability of gardener-discovery server if a custom URL is configured by @​crigertg [#14815]
  • [OPERATOR] The gardener-resource-manager deployment procedure was hardened. In rare situations, the procedure became stuck indefinitely after the seed's CA rotation. by @​timuthy [#14765]
  • [USER] Fix an issue where shoot node logging is broken when the valitail and opentelemetry-collector systemd units start before their auth-token file is written to disk. The units now wait for the token file to exist before starting, ensuring logs and telemetry from worker nodes are reliably shipped by @​iypetrov [#14905]
  • [USER] Fixed a bug where Shoot deletion could get permanently stuck if triggered while Shoot creation was still in progress. The delete flow incorrectly created a new ControlPlane extension resource that could never be reconciled due to missing shoot access secrets. by @​acumino [#14706]
  • [DEVELOPER] make generate no longer skips CRD regeneration when only a transitively-referenced type changed; CI runs manifest generation in sequential mode to catch any remaining drift. by @​shafeeqes [#14894]

🏃 Others

  • [OPERATOR] Add alpha.control-plane.shoot.gardener.cloud/vpn-auto-mtu annotation to enable automatic MTU configuration for VPN connections. When set to true, the OPENVPN_AUTO_MTU flag is propagated to all VPN components (seed server, shoot client, kube-apiserver sidecars). by @​axel7born [#14768]
  • [OPERATOR] The images of the registry caches used in the dev setups are now updated to distribution/distribution@v3.1.1. by @​dimitar-kostadinov [#14791]
  • [OPERATOR] The gardener-node-init now performs a connectivity check to the kube-apiserver and fatal errors of the gardener-node-agent are forwarded to the machine console. This should improve the visibility when bootstrapping of machines fails. by @​vknabel [#14760]
  • [OPERATOR] Gardener observability components are accessible even if web browsers try to coalesce connections. by @​ScheererJ [#14867]
  • [OPERATOR] DestinationRules, VirtualServices & Services are now exported to the Istio Ingress namespaces where they are used only. by @​oliver-goetz [#14842]
  • [OPERATOR] The secrets reconciler in the gardener-controller-manager no longer copies secrets with labels gardener.cloud/role:{helm-pull-secret, oci-ca-bundle} from garden namespace to the seed namespaces in the virtual cluster. Gardenlet can already access this secret if the secret is referred in a ControllerDeployment and the seed has a ControllerInstallation referring this deployment. by @​shafeeqes [#14419]
  • [OPERATOR] Plutono's prometheus-longterm datasource now correctly targets the Cortex query frontend (port 81) instead of Prometheus's local API (port 80), fixing timed-out longterm queries. by @​rickardsjp [#14873]
  • [OPERATOR] The provider-local now implements the SelfHostedShootExposure extension. by @​cerealsnow [#14723]
  • [OPERATOR] Federation short-circuit from aggregate to garden Prometheus when both instances run on the runtime cluster has been adapted for Istio virtual services. by @​vicwicker [#14868]
  • [OPERATOR] The opentelemetry-operator and prometheus-operator deployed by Gardener now have the required RBAC for Events in the events.k8s.io API group. by @​plkokanov [#14808]
  • [OPERATOR] Disable IPIP encapsulation for IPv6 IP pools for local setup. by @​axel7born [#14790]
  • [OPERATOR] Memory usage and garbage collection metrics are exposed for cluster-autoscaler. by @​takoverflow [#14764]
  • [DEVELOPER] remote setup: Garden VPA is disabled by default to avoid two VPA deployments acting on the same cluster, causing endless eviction loops. by @​ialidzhikov [#14680]
  • [DEVELOPER] The SetLoggerSuffix implementations in the extension healthcheck package now emit provider and extension as independent structured log fields instead of embedding them in the logger name. by @​AnantKumar17 [#14752]
  • [DEPENDENCY] The following dependencies have been updated:
  • [DEPENDENCY] The following dependencies have been updated:
    • europe-docker.pkg.dev/gardener-project/releases/gardener/fluent-bit-plugin from v1.4.0 to v1.5.0. by @​iypetrov [#14787]

... (truncated)

Commits
  • 94a9a9b release v1.143.0
  • e20fb02 [release-v1.143] Add missing RBAC for CA v1.35 (#14908)
  • 90fe58f [release-v1.143] Add validation for auth-token file for valitail and otel-col...
  • be8165b [release-v1.143] Fix gardener-resource-manager crash in `VirtualServicePred...
  • fd68c78 [release-v1.143] Fix make generate skipping CRDs when only transitive deps ...
  • da222d3 Add handling of HTTP/2 connection coalescing. (#14867)
  • 54b2ba1 Fix Garden Plutono prometheus-longterm datasource (#14873)
  • 44436fe Export DestinationRules, VirtualServices & Services to the Istio Ingres...
  • 67ea7d1 Prepare serviceaccount discovery secret migration from `v1beta1constants.Labe...
  • 15bb1ec Fix federation short-circuit from aggregate to garden Prometheus (#14868)
  • Additional commits viewable in compare view

Updates github.com/gardener/gardener/pkg/apis from 1.142.1 to 1.143.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the gardener-dependencies group with 2 updates: [github.com/gardener/gardener](https://github.com/gardener/gardener) and [github.com/gardener/gardener/pkg/apis](https://github.com/gardener/gardener).


Updates `github.com/gardener/gardener` from 1.142.1 to 1.143.0
- [Release notes](https://github.com/gardener/gardener/releases)
- [Commits](gardener/gardener@v1.142.1...v1.143.0)

Updates `github.com/gardener/gardener/pkg/apis` from 1.142.1 to 1.143.0
- [Release notes](https://github.com/gardener/gardener/releases)
- [Commits](gardener/gardener@v1.142.1...v1.143.0)

---
updated-dependencies:
- dependency-name: github.com/gardener/gardener
  dependency-version: 1.143.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gardener-dependencies
- dependency-name: github.com/gardener/gardener/pkg/apis
  dependency-version: 1.143.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gardener-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added area/compliance Compliance related kind/enhancement Enhancement, improvement, extension labels May 27, 2026
@dependabot dependabot Bot requested review from a team as code owners May 27, 2026 09:36
@dependabot dependabot Bot added kind/enhancement Enhancement, improvement, extension area/compliance Compliance related labels May 27, 2026
@gardener-prow gardener-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels May 27, 2026
@federated-github-access
The PR needs to be labeled with ok-to-test by a maintainer to trigger the automated validation of the change

@gardener-prow

gardener-prow Bot commented May 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wpross for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@federated-github-access
The PR needs to be labeled with ok-to-test by a maintainer to trigger the automated validation of the change
