Bump github.com/gardener/gardener from 1.136.0 to 1.138.0

[dependabot]

Bumps github.com/gardener/gardener from 1.136.0 to 1.138.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.138.0

[github.com/gardener/gardener:v1.138.0]

⚠️ Breaking Changes

• [DEVELOPER] provider-extensions setup has been replaced by remote setup which is gardener-operator based. by @​oliver-goetz [#13994]

• [DEVELOPER] Makefile target make check-vulnerabilities and GO_VULN_CHECK has been removed. by @​acumino [#14143]

• [DEVELOPER] The local setup no longer requires manipulating the /etc/hosts file manually. Instead, a bind9 hosts the local.gardener.cloud DNS zone (accessible via 172.18.255.53 or fd00:ff::53).

  Manual actions:

  • Cleanup your /etc/hosts file by removing all entries for local.gardener.cloud
  • If you are neither using macOS nor systemd-resolved you must manually configure the resolution of the local.gardener.cloud DNS zone via the local bind9 server. by @​timebertt [#14062]

• [DEVELOPER] The kubeconfig of the runtime cluster in local setup was moved from ./example/gardener-local/kind/multi-zone/kubeconfig to ./dev-setup/kubeconfigs/runtime/kubeconfig. by @​oliver-goetz [#13994]

📰 Noteworthy

• [OPERATOR] Garden.spec.virtualCluster.gardener.gardenerDiscoveryServer now accepts optional domain and tlsSecretName fields. Operators can use these to expose the OIDC discovery endpoint under a custom domain and optionally with a non-wildcard certificate. Additionally, validation now prevents disabling the discovery server once it is enabled, protecting already-issued tokens. The default behaviour is unchanged. by @​jamand [#14126]
• [OPERATOR] prometheus-garden aggregates volume usage metrics from all seeds by @​Kostov6 [#13818]
• [OPERATOR] Hard limits on nodelocaldns node cache have been removed. by @​domdom82 [#14200]
• [OPERATOR] Hard memory limit on istio-ingress has been removed. Memory is managed by VPA in all cases now. by @​domdom82 [#14197]
• [OPERATOR] The VPAInPlaceUpdates feature gate has been promoted to Beta and is enabled by default. by @​vitanovs [#14145]

✨ New Features

• [USER] gardenadm init/join now supports --zone / -z flag to specify the node's availability zone. by @​acumino [#14081]
• [DEVELOPER] Added optional DisplayName field to ShootAdvertisedAddress allowing UI friendly names for advertised endpoints via the endpoint.shoot.gardener.cloud/displayName Ingress label. by @​nickytd [#14140]
• [DEVELOPER] gardener-node-agent can optionally coordinate OperatingSystemConfig reconciliation amongst other instances. This is helpful if you want to ensure that only one instance reconciles at a time. Read all about it here. by @​rfranzke [#14129]

🐛 Bug Fixes

• [OPERATOR] Fixed a race condition in the ControllerInstallation reconciler that could create duplicate installations due to reading from a stale informer cache instead of the API server. by @​rickardsjp [#14274]
• [OPERATOR] Add a network policy label for allowing communication from the OpenTelemetryCollector in the control plane to the Shoot Kubernetes API Server. by @​rrhubenov [#14196]
• [OPERATOR] The per-worker-pool node-local-dns Daemonsets now also include the name of the worker in their label selector and in their Pods' labels. This resolves an issue where each of the corresponding VPAs targeted all node-cache containers from all of these Daemonsets resulting in incorrect resource recommendations. by @​plkokanov [#14294]
• [OPERATOR] An issues has been fixed causing gardener-resource-manager crash loops in large clusters. by @​timuthy [#14212]
• [USER] The machines of a deleted worker pool are able to join back cluster in healthy state. by @​aniruddha2000 [#13715]
• [DEVELOPER] The healthcheck controller now supports the seed extension class. by @​hown3d [#14162]
• [DEPENDENCY] Fixing an issue where CA scale-downs were getting stuck when MCD replicas was updated with stale cache value of worker-controller by @​r4mek [#14291]

🏃 Others

• [OPERATOR] The dependency-watchdog component no longer defines resource limits. by @​ashwani2k [#14193]
• [OPERATOR] Fluent-bit resource limits are increased. by @​nickytd [#14205]
• [OPERATOR] CoreDNS memory limit has been removed. by @​domdom82 [#14163]
• [OPERATOR] The following dependency has been updated:
  • golang.org/x/net from v0.50.0 to v0.51.0. by @​ScheererJ [#14234]
• [OPERATOR] Fix CRD conversion webhook metric name by @​chrkl [#14209]
• [OPERATOR] Following logging stack components are updated fluent-bit to v4.2.3, fluent-bit-plugin to v1.2.0 and fluent-operator to v3.7.0 by @​nickytd [#14256]
• [OPERATOR] A regression in Gardener Node Agent that can occur on Debian based OS images and that prevents it to successfully reconcile nodes that run a containerd version that contains - according to semver - invalid characters in its version number was fixed. by @​MrBatschner [#14177]
• [OPERATOR] The UseUnifiedHTTPProxyPort (part of GEP-30) can be disabled without disruption to shoots already using the unified HTTP proxy port. by @​maboehm [#14169]
• [OPERATOR] Add startup probe to gardener-metrics-exporter by @​chrkl [#14207]
• [OPERATOR] Added nodeCIDRMaskSizeIPv6 field to KubeControllerManagerConfig to allow configuring the IPv6 node CIDR mask size (defaults to 64). This enables more flexible IPv6 network configurations in both dual-stack and IPv6-only clusters. by @​axel7born [#13955]
• [DEVELOPER] A new supported-kubernetes-versions.yaml file is introduced in the root of the project. It describes the supported Kubernetes versions by Gardener in a machine-readable format. A machinery can use this file to build automation for the supported Kubernetes versions in a CloudProfile. by @​ialidzhikov [#14191]
• [DEVELOPER] The RBAC for fluent-operator is allowing watching pods and namespaces resources, required by gardener-otelcol-extension scenario. by @​nickytd [#14265]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.83.7 to 1.83.8. Release Notes by @​gardener-ci-robot [#14225]

... (truncated)

Commits

• 19966ec release v1.138.0
• 38e804a [release-v1.138] Add worker name to node-local-dns label selector (#14294)
• 522cf51 [release-v1.138] Avoid unintended MCD replicas modification by worker-control...
• 157649b List ControllerInstallations via APIReader (#14274)
• 11d0d31 Discovery server custom domain (#14126)
• a50d6b1 Code improvements (#14166)
• 5cc7e73 Extend fluent-operator ClusterRole RBAC permissions (#14265)
• 8e35d7c Deactivate scaling memory of istio-ingressgateway by HPA (#14261)
• 4607c23 [GEP-36] Add SelfHostedShootExposure controller to extension library (#14114)
• afe5378 gardenadm: Properly disable the vpa-in-place-updates webhook (#14224)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[gardener-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign vpnachev for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gardener-prow]

@dependabot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-auditlog-forwarder-unit	f55d1de	link	true	/test pull-auditlog-forwarder-unit

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[dependabot]

Superseded by #67.