chore(deps): bump github.com/gardener/gardener/pkg/apis from 1.138.0 to 1.139.0

[dependabot]

Bumps github.com/gardener/gardener/pkg/apis from 1.138.0 to 1.139.0.

Release notes

Sourced from github.com/gardener/gardener/pkg/apis's releases.

v1.139.0

[github.com/gardener/gardener:v1.139.0]

⚠️ Breaking Changes

• [OPERATOR] The type of the Gardenlet's configuration field .controllers.tokenRequestorWorkloadIdentity.tokenExpirationDuration has been changed from time.Duration to k8s.io/apimachinery/pkg/apis/meta/v1.Duration. by @​vpnachev [#14333]
• [OPERATOR] Garden .status.encryptedResources field is removed, use Garden .status.credentials.encryptionAtRest.resources instead. by @​iypetrov [#14354]
• [OPERATOR] The raise-spec-limits verb has been removed for NamespacedCloudProfiles because it is no-longer needed. by @​mimiteto [#14344]
• [USER] ⚠️ The Shoot field .spec.dns.providers[].secretName has been forbidden for clusters running on Kubernetes version v1.35.0 or higher. Please, use .spec.dns.providers[].credentialsRef instead. by @​vpnachev [#14309]
• [USER] Shoot .status.encryptedResources field is removed, use Shoot .status.credentials.encryptionAtRest.resources instead. by @​iypetrov [#14354]
• [DEVELOPER] ⚠️ A default reconciliation timeout of 3 minutes has been set for the extension controllers:
  • github.com/gardener/gardener/extensions/pkg/controller/backupbucket
  • github.com/gardener/gardener/extensions/pkg/controller/backupentry
  • github.com/gardener/gardener/extensions/pkg/controller/containerruntime
  • github.com/gardener/gardener/extensions/pkg/controller/controlplane
  • github.com/gardener/gardener/extensions/pkg/controller/dnsrecord
  • github.com/gardener/gardener/extensions/pkg/controller/extension
  • github.com/gardener/gardener/extensions/pkg/controller/healthcheck
  • github.com/gardener/gardener/extensions/pkg/controller/heartbeat
  • github.com/gardener/gardener/extensions/pkg/controller/network
  • github.com/gardener/gardener/extensions/pkg/controller/operatingsystemconfig
    A default reconciliation timeout of 20 minutes has been set for the extension controllers:
  • github.com/gardener/gardener/extensions/pkg/controller/bastion
  • github.com/gardener/gardener/extensions/pkg/controller/infrastructure
  • github.com/gardener/gardener/extensions/pkg/controller/worker
    Extension developers can define own reconciliation timeout via the sigs.k8s.io/controller-runtime/pkg/controller.Options provided to the respective controller. by @​vpnachev [#14105]
• [DEVELOPER] ⚠️ The deprecated Seed field secretRef in spec.dns.provider has been removed, use credentialsRef instead. by @​vpnachev [#14308]

📰 Noteworthy

• [OPERATOR] AdminKubeconfigRequest now uses the static username prefix gardener.cloud:admin:, and ViewerKubeconfigRequest uses gardener.cloud:viewer: to generate the username for the resulting kubeconfig. Previously, this prefix was randomized." by @​timuthy [#14252]
• [DEVELOPER] gardenadm bootstrap etcd version is updated from v3.4.34 to v3.5.27. by @​LucaBernstein [#14352]
• [DEPENDENCY] During the Shoot reconciliation, control plane and extension readiness is waited for before further system components are reconciled. by @​LucaBernstein [#14338]

✨ New Features

• [OPERATOR] Deletion of the Garden CRD installed via the gardener-operator Helm chart is now prevented unless annotated with confirmation.gardener.cloud/deletion=true by @​maboehm [#14373]
• [OPERATOR] A new spec.settings.zoneSelection field on Seed resources allows operators to configure whether the control plane namespace of non-HA Shoots (or those with failure tolerance type node) is placed in the same availability zone as the shoot's worker nodes (Prefer) or strictly required to match (Enforce). by @​rfranzke [#14238]
• [OPERATOR] The istio-ingressgateway now uses a dual autoscaling approach with both VPA (VerticalPodAutoscaler) and HPA (HorizontalPodAutoscaler) working together without causing pod-thrashing. by @​oliver-goetz [#14313]
• [OPERATOR] The Gardener Dashboard RBAC now allows listing and watching ManagedSeeds to support newer dashboard functionality around ManagedSeed-related Shoot information. by @​petersutter [#14321]
• [DEVELOPER] gardener-node-agent can now resolve .spec.files[].content.secretRef from Secrets in kube-system, enabling OperatingSystemConfig files to reference secrets instead of requiring inlined content. by @​rfranzke [#14319]

🐛 Bug Fixes

• [OPERATOR] A bug causing the nil pointer panic in gardenlet config validation when staleExtensionHealthChecks.threshold is nil is fixed. by @​acumino [#14317]
• [OPERATOR] An issue preventing the shootstate-controller of gardenlet to populate all required states to the ShootState for a self-hosted Shoot is now fixed. by @​ialidzhikov [#14339]
• [OPERATOR] An issue causing gardener-operator to fail to create resource events in API group events.k8s.io is now fixed. by @​shafeeqes [#14327]
• [OPERATOR] A bug causing the gardenlet to crash during startup was fixed. Earlier, the startup procedure occasionally failed on large-scale seed clusters due to cache sync timeouts. by @​timuthy [#14408]
• [DEVELOPER] The nodePort auto-remediation in the local setup service controller no longer incorrectly targets ClusterIP services. by @​rfranzke [#14390]

🏃 Others

• [OPERATOR] The .spec.trafficDistribution field of the topology-aware etcd-{events,main}-client Services will be automatically switched from the deprecated PreferClose to the new PreferSameZone option for Kubernetes 1.34+. by @​ialidzhikov [#14278]
• [OPERATOR] The following dependencies have been updated:
  • gardener/etcd-druid from v0.35.1 to v0.36.1. Release Notes

... (truncated)

Commits

• 7e67b14 release v1.139.0
• 69105e0 Update dependency gardener/dashboard to v1.83.11 (#14438)
• 86f75a9 [release-v1.139] Increase timeout for Seed secrets renewal during Garden cred...
• b8969a3 [release-v1.139] Add script for dependencies (e.g., extensions) to generate R...
• 6d81253 Update dependency mikefarah/yq to v4.52.5 (#14413)
• aa2dfb7 Fix gardenlet cache sync timeout (#14408)
• e9c48f8 Fix ShootState resource deployment for a self-hosted Shoot (#14339)
• 70b698c fix: show pod name in vpn-shoot dashboard panel (#14393)
• 9e84714 Remove the raise-spec-limits verb for NamespacedCloudProfiles (#14344)
• 15373b1 Add custom unmarshaling logic to restore backwards compatibility for `tokenEx...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[gardener-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rrhubenov for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment