Bump github.com/gardener/gardener from 1.101.0 to 1.102.0

[dependabot]

Bumps github.com/gardener/gardener from 1.101.0 to 1.102.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.102.0

[gardener/gardener]

⚠️ Breaking Changes

• [OPERATOR] When the NewWorkerPoolHash feature gate is enabled, the calculation now also rolls worker nodes of Shoots when changing systemReserved in the kubelet configuration. Worker pools are not rolled if the sum of kubeReserved and systemReserved does not change. If the feature gate is already enabled, then the worker pools of Shoots with non-zero values in systemReserved will be rolled once. by @​MichaelEischer #10290

📰 Noteworthy

• [USER] The spec.client field in the {Cluster}OpenIDConnectPreset APIs is deprecated and will be removed after support for Kubernetes 1.30 is dropped. by @​AleksandarSavchev #10253
• [USER] The spec.kubernetes.kubeAPIServer.oidcConfig.clientAuthentication field in the Shoot API is deprecated and will be removed after support for Kubernetes 1.30 is dropped. by @​AleksandarSavchev #10253
• [USER] The Shoot specification field .spec.kubernetes.kubeAPIServer.oidcConfig.signingAlgs for Kubernetes versions >= v1.30 is not supported anymore. by @​AleksandarSavchev #10244
• [OPERATOR] The .spec.deployment.vpa field in the seedmanagement.gardener.cloud/v1alpha1.{Gardenlet,ManagedSeed} APIs is deprecated and has no effect anymore. It will be removed in a future version. Now, gardenlet deploys its own VPA as part of the Seed reconciliation (after it ensured the VPA CRD exists). by @​rfranzke #10299

✨ New Features

• [USER] Structured authentication configuration can now be set by creating a ConfigMap in the project namespace with the AuthenticationConfiguration file set in the config.yaml data key and referencing the ConfigMap in the new Shoot specification field .spec.kubernetes.kubeAPIServer.structuredAuthentication.configMapName for Kubernetes versions >= v1.30. Only one authenticator can be set via the authentication configuration until k8s.io/* Golang dependencies are upgraded to version >= v0.30. by @​AleksandarSavchev #10244
• [USER] The following vpa-recommender flags are now configurable via the Shoot specification:
  • --recommendation-lower-bound-cpu-percentile: .spec.kubernetes.verticalPodAutoscaler.recommendationLowerBoundCPUPercentile
  • --recommendation-upper-bound-cpu-percentile: .spec.kubernetes.verticalPodAutoscaler.recommendationUpperBoundCPUPercentile
  • --target-memory-percentile: .spec.kubernetes.verticalPodAutoscaler.targetMemoryPercentile
  • --recommendation-lower-bound-memory-percentile: .spec.kubernetes.verticalPodAutoscaler.recommendationLowerBoundMemoryPercentile
  • --recommendation-upper-bound-memory-percentile: .spec.kubernetes.verticalPodAutoscaler.recommendationUpperBoundMemoryPercentile by @​ialidzhikov #10221
• [OPERATOR] Performing control plane migration across Seeds with different provider types is now possible. Before triggering the migration, make sure that pods in the Shoot's control plane, once it is moved to the Destination Seed, will have network connectivity to the storage provider of the Source Seed (so that ETCD backups can be copied automatically). Additionally, make sure that the Shoot's nodes will have network connectivity to the Shoot's control plane after it is moved to the Destination Seed. by @​plkokanov #10323
• [OPERATOR] gardenlet now runs a new controller called TokenRequestorWorkloadIdentity which requests workload identity tokens and writes them into Secret resources in the seed cluster. These tokens can be then used by control plane components in order to present the said WorkloadIdentity before external systems. Please see here for more details. by @​dimityrmirchev #10298
• [OPERATOR] Quotas can now have scope of type WorkloadIdentity. by @​dimityrmirchev #10346

🐛 Bug Fixes

• [USER] Fixes a bug preventing shoot clusters with annotation shoot.gardener.cloud/skip-readiness: "true" to be created. by @​ScheererJ #10317
• [OPERATOR] An issue causing the vpn-seed-server VPA's to be created with wrong targetRef for highly available Shoots is now fixed. by @​ialidzhikov #10366

🏃 Others

• [OPERATOR] vpa-updater and vpa-recommender components do now run with leader election enabled (unconditionally) and support running in HA mode. by @​ialidzhikov #10302
• [OPERATOR] Reduce kubelet http2 timeouts. by @​axel7born #10223
• [OPERATOR] Gardener now temporarily uses a vpa-recommender built from a fork to add additional logging and metrics for debugging an issue where the vpa-recommender could recommend lower than minAllowed memory requests for pods that actually have high memory usage. by @​plkokanov #10342
• [OPERATOR] The vertical pod autoscaler component is updated to v1.2.0. Release Notes by @​ialidzhikov #10275
• [OPERATOR] Migrate VPA metrics to CustomResourceState metrics and upgrade kube-state-metrics to v2.13.0. by @​vicwicker #9941
• [OPERATOR] An issue in gardener-node-agent causing registry hosts probe to fail when the spec.criConfig.containerd.registries.hosts.caCerts field of OperatingSystemConfig is set is now fixed. by @​dimitar-kostadinov #10375
• [OPERATOR] Shoot clusters with Kubernetes version >= v1.30 will use cluster-autoscaler v1.30.0. Release Notes. by @​ashwani2k #10309
• [DEPENDENCY] The credativ/plutono image has been updated to v7.5.33. Release Notes by @​gardener-ci-robot #10296
• [DEPENDENCY] A wildcard option was added to the SwitchOptions to disable all webhooks at once via --disable-webhooks="*" by @​timuthy #10255
• [DEPENDENCY] The following dependencies have been updated:
  • europe-docker.pkg.dev/gardener-project/releases/gardener/autoscaler/cluster-autoscaler: v1.25.3 -> v1.25.4 (for Kubernetes v1.25)
  • europe-docker.pkg.dev/gardener-project/releases/gardener/autoscaler/cluster-autoscaler: v1.26.2 -> v1.26.3 (for Kubernetes v1.26) by @​rishabh-11 #10362
• [DEPENDENCY] The credativ/vali image has been updated to v2.2.18. Release Notes by @​gardener-ci-robot #10292
• [DEPENDENCY] The registry.k8s.io/autoscaling/vpa-admission-controller image has been updated to 1.2.1. by @​gardener-ci-robot #10350
• [DEPENDENCY] The registry.k8s.io/autoscaling/vpa-updater image has been updated to 1.2.1. by @​gardener-ci-robot #10351
• [DEPENDENCY] The quay.io/prometheus/prometheus image has been updated to v2.54.0. by @​gardener-ci-robot #10297
• [DEPENDENCY] The gardener/ext-authz-server image has been updated to 0.10.0. Release Notes by @​gardener-ci-robot #10321
• [DEPENDENCY] The quay.io/prometheus-operator/prometheus-config-reloader image has been updated to v0.76.0. by @​gardener-ci-robot #10332
• [USER] Grant get, list and watch permissions to the customresourcedefinitions resource in the virtual cluster for authenticated users. Shoot owners can now generate their own shoot metrics using custom resource state configurations by kube-state-metrics. by @​vicwicker #10293

📖 Documentation

... (truncated)

Commits

• 1040631 Release v1.102.0
• fa42ac0 [release-v1.102] Fix Shoot Structured Authentication API conflict (#10385)
• adc2419 Fix registry hosts probing when OSC `criConfig.containerd.registries.hosts.ca...
• a9d81c0 Fix vpn-seed-server VPA's targerRef when HA is enabled (#10366)
• 4427e10 Prevent reconciliation errors in hibernated shoots while migrating KSM (#10363)
• ae04623 Support for Structured Authentication for Shoots >= Kubernetes v1.30 (#10244)
• 4c29c97 fix(deps): update module k8s.io/autoscaler/vertical-pod-autoscaler to v1.2.1 ...
• f307d8a Allow control plane migration across seeds w/ different provider types (#10323)
• 84d4cb2 update CA image for k8s v1.25 and v1.26 (#10362)
• ad1bb57 Allow quota scope to reference WorkloadIdentity (#10346)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Release note:

Bumps github.com/gardener/gardener from 1.101.0 to 1.102.0.

[gardener-robot]

@dependabot[bot] Thank you for your contribution.

[gardener-robot-ci-1]

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[MartinWeindel]

/lgtm