Bump github.com/gardener/gardener from 1.127.1 to 1.128.0

[dependabot]

Bumps github.com/gardener/gardener from 1.127.1 to 1.128.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.128.0

[github.com/gardener/gardener:v1.128.0]

⚠️ Breaking Changes

• [USER] The validation logic for Project resources has been changed: .spec.description and .spec.purpose fields may only contain letters, numbers and some punctuation characters. Existing projects are not affected by this change unless their description or purpose is updated. by @​timuthy [#12902]
• [OPERATOR] The long time deprecated legacy ScrapeConfig roles in monitoring.coreos.com have been removed from CRD. by @​oliver-goetz [#12908]
• [USER] In the Shoot API, the .spec.kubernetes.kubelet.cpuManagerPolicy and .spec.provider.workers[].kubelet.cpuManagerPolicy fields are now validated to ensure they can only be set to static or none. by @​shafeeqes [#12914]
• [USER] In the Shoot API, the .spec.kubernetes.kubelet.containerLogMaxSize and .spec.provider.workers[].kubelet.containerLogMaxSize fields are now validated to ensure they contain a valid resource quantity. by @​shafeeqes [#12914]
• [OPERATOR] The ShootVPAEnabledByDefault admission plugin is now enabled by default for the Gardener API server. Disable this admission plugin explicitly if you don't want VPA to be enabled by default for newly created Shoots. If you already have the admission plugin enabled, you can remove the explicit enablement after upgrading to this version of Gardener as the plugin is now enabled by default. by @​georgibaltiev [#12854]
• [OPERATOR] The following fields in the CloudProfile have been renamed:
  • spec.capabilities -> spec.machineCapabilities
  • spec.MachineImages[].Versions[].capabilitySets -> spec.MachineImages[].Versions[].capabilityFlavors
    Please update your CloudProfiles accordingly if you are using capabilities (currently in alpha state). by @​Roncossek [#12751]

📰 Noteworthy

• [USER] The rotate-etcd-encryption-start and rotate-etcd-encryption-complete operation annotations have been deprecated in favour of rotate-etcd-encryption-key. by @​AleksandarSavchev [#12605]
• [DEVELOPER] Usages of the deprecated gopkg.in/yaml.v{2|3} packages were dropped. Please refrain from using them. Instead, please use the go.yaml.in/yaml/v4 package instead. by @​tobschli [#12895]

✨ New Features

• [OPERATOR] It is now allowed backups to use WorkloadIdentity as credentials via the seed.spec.backup.credentialsRef and backupBucket.spec.credentialsRef APIs. In order to make use of this feature, the infrastructure and provider extension must support WorkloadIdentity credentials. by @​vpnachev [#12924]
• [DEVELOPER] A developer guideline on validation in Gardener extensions has been added. Please consult this document as an extension developer or reviewer to ensure consistency in validation code across the Gardener extensions codebase. Check out the Validation Guidelines for Extensions document. by @​ialidzhikov [#12811]
• [DEVELOPER] A developer guideline on validation in Gardener components has been added. Please consult this document as a developer or reviewer to ensure consistency in validation code across the Gardener codebase. Check out the Validation Guidelines document. by @​ialidzhikov [#12811]
• [USER] Added operation annotation rotate-etcd-encryption-key which can be set to the Shoot and Garden resource to perform an etcd encryption key rotation. by @​AleksandarSavchev [#12605]

🐛 Bug Fixes

• [DEPENDENCY] The certificate issuance and renewal flow for webhooks has been improved. Previously, controller restarts during the renewal process could leave the system in an unrecoverable error state, preventing the extension from starting. by @​timuthy [#12852]
• [OPERATOR] An issue causing the update of existing CustomResourceDefinitions to be no-op is now fixed. by @​shafeeqes [#12963]
• [OPERATOR] A bug in the gardenlet start-up migration of the Admin and Viewer Kubeconfig ClusterRoleBindings where a ManagedResource secret could be deleted leading to gardenlet being unable to startup is fixed. by @​vpnachev [#12923]

🏃 Others

• [OPERATOR] gardener-node-agent no longer reboots a node if it flaps too often between ready/non-ready in a short period of time. by @​ScheererJ [#12930]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.82.0 to 1.82.1. Release Notes by @​gardener-ci-robot [#12982]
• [OPERATOR] Monitoring the Istio Ingress Gateways is temporarily disabled to mitigate a metric leak issue. This does not affect the monitoring of the shoot control planes where these metrics are not used. by @​istvanballok [#12896]
• [OPERATOR] Reduce the CPU resource requests of istio-ingressgateway to 450m for the case with enabled L7 loadbalancing. by @​voelzmo [#12881]
• [DEPENDENCY] The following dependencies have been updated:
  • envoyproxy/envoy from distroless-v1.35.0 to v1.35.3. Release Notes by @​gardener-ci-robot [#12909]
• [DEPENDENCY] The following dependencies have been updated:
  • gcr.io/istio-release/pilot from 1.25.4 to 1.25.5.
  • gcr.io/istio-release/proxyv2 from 1.25.4 to 1.25.5.
  • istio.io/api from v1.25.4 to v1.25.5. by @​gardener-ci-robot [#12886]
• [DEPENDENCY] The following dependencies have been updated:
  • perses/perses from v0.51.1 to v0.52.0. Release Notes by @​gardener-ci-robot [#12951]
• [DEVELOPER] Add ensure capabilities for HA vpn statefulsets by @​RiRa12621 [#12949]
• [OPERATOR] Ensure that enabling node-local-dns for all shoot clusters does not alter DNS behaviour. To maintain consistency the custom CoreDNS configmap is mounted into the node-local-dns pods and the custom overwrite rules defined in the custom CoreDNS configuration is applied onto the node-local-dns pods. by @​DockToFuture [#12893]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.81.3 to 1.82.0. Release Notes by @​gardener-ci-robot [#12970]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/ingress-default-backend from 0.23.0 to 0.24.0. Release Notes by @​gardener-ci-robot [#12945]
• [OPERATOR] Adds Machine Capabilities support for provider local. Read more about Machine Capabilities here by @​Roncossek [#12751]

... (truncated)

Commits

• 7f52dea release v1.128.0
• e87eed9 Update dependency gardener/dashboard to v1.82.1 (#12982)
• 19105a4 Support processing field/label selectors in SeedAuthorizer (#12958)
• 94922d5 add semver-compliant resource-version for envoy-proxy (#12941)
• 7431bb3 Provide WebsocketAllowedOrigins configuration (#12968)
• 80d9cdd Fix CustomResourceDefinition update deployments (#12963)
• aca26eb Update dependency gardener/dashboard to v1.82.0 (#12970)
• 6638e5f Update dependency perses/perses to v0.52.0 (#12951)
• 708d542 Update golang.org/x/exp digest to df92998 (#12931)
• 2d0c0b3 Add archive suffixes to gardenadm artifacts (#12962)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

This pull request focuses on updating Go module dependencies across the project. Key libraries such as Gardener, etcd-druid, and various Kubernetes components have been bumped to their newer versions. This is a standard maintenance activity aimed at incorporating the latest upstream bug fixes, security patches, and performance enhancements. The changes are limited to dependency management files (go.mod and go.sum), ensuring the project remains current and secure without altering its core logic.

Walkthrough

• Chore: Updated multiple Go dependencies to their latest versions, including core components like Gardener and Kubernetes libraries.
• Chore: This maintenance task incorporates recent upstream bug fixes, security patches, and performance improvements. While there are no new user-facing features, this ensures the overall stability, security, and compatibility of the system.

_{Model: gemini-2.5-pro | Prompt Tokens: 23789 | Completion Tokens: 161}

[gardener-robot-ci-2]

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[dependabot]

Superseded by #1305.