Bump github.com/gardener/gardener from 1.86.0 to 1.87.0

[dependabot]

Bumps github.com/gardener/gardener from 1.86.0 to 1.87.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.87.0

[gardener/gardener]

⚠️ Breaking Changes

• [DEPENDENCY] The signature of github.com/gardener/gardener/pkg/chartrenderer.RenderedChart#Files has changed. by @​acumino #8877
• [OPERATOR] The deprecated field seed.spec.secretRef has been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @​acumino #8896
• [OPERATOR] Migration code for Plutono and Vali is now removed. Consider manual cleanup for longterm broken Shoots as described in the PR to avoid leaking Loki's PV. by @​rickardsjp #8999
• [DEVELOPER] The pkg/resourcemanager/predicate.ClassFilter.Active function was replaced by IsTransferringResponsibility and IsWaitForCleanupRequired.
  • pkg/resourcemanager/predicate.ClassFilter.IsTransferringResponsibility should be used to check whether the .spec.class field of a ManagedResource has changed and let the controller which was previously responsible for the ManagedResource perform any additional/cleanup tasks.
  • pkg/resourcemanager/predicate.ClassFilter.IsWaitForCleanupRequired should be used by the controller to which the responsibility was transferred to determine whether it should wait for any tasks/cleanup activities made by the previously responsible controller. by @​Kostov6 #8886

📰 Noteworthy

• [OPERATOR] The ContainerdRegistryHostsDir feature gate has been promoted to GA and is now locked to "enabled by default". by @​ialidzhikov #8979

✨ New Features

• [OPERATOR] When hibernating a cluster, Gardener now assigns an error code ERR_CLEANUP_CLUSTER_RESOURCES to shoot clusters if (user) pods are still running in namespaces other than kube-system. by @​benedictweis #9060
• [OPERATOR] node-agent checks health of containerd and kubelet now. This replaces the previous bash implementation of these health checks. by @​majst01 #8786
• [OPERATOR] Gardener can now support clusters with Kubernetes version 1.29. To allow creation/update of 1.29 clusters you will have to update the version of your provider extension(s) to a version that supports 1.29 as well. Please consult the respective releases and notes in the provider extension's repository. by @​acumino #8976
• [OPERATOR] The components managed by gardener now use PDBs with unhealthyPodEvictionPolicy: AlwaysAllow for clusters with kubernetes version >= 1.26. (For v1.26 clusters (shoots and virtual-garden cluster), the featuregate PDBUnhealthyPodEvictionPolicy needs to be turned on in the kube-apiserver. From v1.27 this is enabled by default.) by @​shafeeqes #8969
• [DEVELOPER] Add local setup for dual-stack seeds. by @​axel7born #8983
• [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.29. Extension developers have to prepare individual extensions as well to work with 1.29. by @​acumino #8976

🐛 Bug Fixes

• [OPERATOR] False positive PrometheusCantScrape alerts for the etcd-druid job in the shoot control plane are no longer firing, even if the --enable-backup-compaction feature of etcd-druid is not turned on. by @​istvanballok #8988
• [OPERATOR] Allow the dependency-watchdog-prober to patch deployments and deployments/scale resources. by @​aaronfern #9036
• [DEVELOPER] Local single-zone gardener development setups should now work as expected again even if the istio ingress pods are not scheduled on the control plane node. by @​ScheererJ #8998
• [DEVELOPER] Local gardener-operator and multi-zone gardener development setups now use externalTrafficPolicy: Local for inbound communication to mitigate cross-node network problems. by @​ScheererJ #8972

🏃 Others

• [OPERATOR] The following dependency has been updated:
  • k8s.io/helm@v2.17.0+incompatible -> helm.sh/helm/v3@v3.10.3 by @​acumino #8877
• [OPERATOR] Spreading istio pods across hosts is now enforced if there are enough hosts in a particular zone. by @​ScheererJ #8970
• [OPERATOR] The following images are updated:
  • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-operator: v2.3.0 -> v2.7.0
  • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-bit: v2.1.4 -> v2.2.0 by @​nickytd #9031
• [OPERATOR] The reliability of kube-state-metrics in the garden namespace of the Seed cluster has been improved to minimize periods of unavailability for Prometheus metric collection by @​petersutter #8931
• [OPERATOR] The following image is updated:
  • quay.io/prometheus/prometheus: v2.47.0 -> v2.48.1 by @​istvanballok #8994
• [OPERATOR] kube-proxy is now running in non-privileged mode for K8s >= 1.29 Shoots. The work that needs privileged mode is extracted to an init container. See https://www.kubernetes.dev/blog/2024/01/05/kube-proxy-non-privileged/. by @​shafeeqes #9000
• [OPERATOR] Plutono is updated to v7.5.28.
  Vali and Valitail are updated to v2.2.13. by @​nickytd #9010
• [OPERATOR] nginx-ingress-controller image is updated to v1.9.5. by @​shafeeqes #8997
• [OPERATOR] Istio ingress gateway dashboard now always shows a graph for all istio namespaces even if no traffic was received in some of them. by @​ScheererJ #9032
• [OPERATOR] kube-proxy's sidecar container no longer installs its tools at runtime, but comes with its toolset pre-installed. by @​ScheererJ #9006
• [DEVELOPER] On startup, gardenlet now removes the resources.gardener.cloud/gardener-resource-manager finalizer from Secrets related to ManagedResources. by @​Kostov6 #8912

[gardener/etcd-druid]

⚠️ Breaking Changes

... (truncated)

Commits

• 9e714b1 Release v1.87.0
• 1256410 Don't add error code for dashboard namespace (#9070)
• e80ff82 [release-v1.87] Fix nil pointer panic (#9068)
• 831084b use artifact registry for IPv6 support (#8748)
• 8cb5d0f Remove migration code for Plutono and Vali (#8999)
• 0f6b8b6 Improved error reporting using ERR_CLEANUP_CLUSTER_RESOURCES when hibernati...
• ac3b43d Replace deprecated .Capabilities.KubeVersion.GitVersion with `.Capabilities...
• 3dfe315 Add zero line per default for tcp traffic per istio namespace in the ingress ...
• bfc9cdb update docs (#9057)
• add9a48 Deflake Renew gardenlet kubeconfig e2e test (#9054)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Release note:

Bump github.com/gardener/gardener from 1.86.0 to 1.87.0.

[gardener-robot]

@dependabot[bot] Thank you for your contribution.

[gardener-robot-ci-2]

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[MartinWeindel]

/lgtm