Bump github.com/gardener/gardener from 1.127.1 to 1.129.0

[dependabot]

Bumps github.com/gardener/gardener from 1.127.1 to 1.129.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.129.0

[github.com/gardener/gardener:v1.129.0]

⚠️ Breaking Changes

• [OPERATOR] The GA-ed and unconditionally enabled UseNamespacedCloudProfile feature gates is removed. If you have references to this feature gate, clean them up before upgrading to this version of Gardener. by @​LucaBernstein [#13020]
• [OPERATOR] It is not allowed anymore to specify the following characters: [, #], as well as capitalized letters, within the entries of the Garden's .spec.virtualCluster.Gardener.apiServer.watchCacheSizes.resources[].apiGroup field. Please update your Gardens accordingly. by @​tobschli [#12839]
• [USER] It is not allowed anymore to specify the following characters: [, #], as well as capitalized letters, within the entries of the Shoot's .spec.kubernetes.kubeAPIServer.watchCacheSizes.resources[].apiGroup field. Please update your Shoots accordingly. by @​tobschli [#12839]
• [OPERATOR] The GA-ed and unconditionally enabled CredentialsRotationWithoutWorkersRollout feature gates is removed. If you have references to this feature gate, clean them up before upgrading to this version of Gardener. by @​rfranzke [#13041]
• [OPERATOR] It is not allowed anymore to specify the following characters: [,. #], as well as capitalized letters, within the entries of the Garden's .spec.virtualCluster.Gardener.apiServer.watchCacheSizes.resources[].resource field. Please update your Gardens accordingly. by @​tobschli [#12839]
• [USER] The .status.credentials.rotation.kubeconfig field in the Shoot API is removed. This field has been deprecated since Gardener v1.114.0. by @​shafeeqes [#13037]
• [USER] It is not allowed anymore to specify the following characters: [,. #], as well as capitalized letters, within the entries of the Shoot's .spec.kubernetes.kubeAPIServer.watchCacheSizes.resources[].resource field. Please update your Shoots accordingly. by @​tobschli [#12839]

📰 Noteworthy

• [USER] ViewerKubeconfig is no longer using solely the group gardener.cloud:system:viewers to grant viewer access to the shoot cluster, instead it is now granted only to Gardener system viewer users. Project Viewer users are granted viewer access to the shoot cluster via the group gardener.cloud:project:viewers. by @​vpnachev [#12674]
• [USER] AdminKubeconfig is no longer using the group system:masters to grant admin access to the shoot cluster, instead it is now using the groups gardener.cloud:system:admins granted to Gardener system admins and gardener.cloud:project:admins granted to Gardener Project admins. by @​vpnachev [#12674]

✨ New Features

• [OPERATOR] gardener-admission-controller now supports enabling the OwnerReferencesPermissionEnforcement admission plugin for the virtual kube-apiserver. Previously, it was rejecting requests from gardenlet because the shoots/finalizers and backupbuckets/finalizers subresources were not allowed. by @​gardener-ci-robot [#13059]
• [OPERATOR] The OperatingSystemConfig containerd config was enhanced to specify the override_path option which is respected when generating the hosts.toml file for the respective upstream config. by @​timuthy [#13002]

🐛 Bug Fixes

• [USER] A bug causing finalizers to not be removed from Secrets when such are deleted and referenced by both a CredentialsBinding and a SecretBinding is fixed. by @​gardener-ci-robot [#13075]
• [OPERATOR] Fixed an issue that caused Machines to be duplicated when being saved in the ShootState. This caused the ShootState to grow exponentially large and fail to be created. The issue could occur when there are multiple MachineDeployments created for the Shoot. by @​gardener-ci-robot [#13089]
• [OPERATOR] A bug in the gardenletdeployer unable to handle backup credentials of type WorkloadIdentity has been fixed. by @​gardener-ci-robot [#13087]
• [OPERATOR] Fixed the alertmanager-garden peer discovery service port names by @​rickardsjp [#12988]
• [DEVELOPER] An issue preventing extensions.gardener.cloud/v1alpha1.Bastions to be listed due to missing json tags is now fixed. by @​gardener-ci-robot [#13062]
• [DEVELOPER] The Priority field for the MachineDeployment API is optional instead of required again. by @​tobschli [#13014]

🏃 Others

• [DEPENDENCY] The following dependencies have been updated:
  • gardener/vpn2 from 0.41.1 to 0.42.0. Release Notes by @​gardener-ci-robot [#13009]
• [OPERATOR] Revert server block import of coredns-custom configmap for node-local-dns. by @​DockToFuture [#13028]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/plutono from v7.5.41 to v7.5.42. Release Notes by @​gardener-ci-robot [#13023]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/brancz/kube-rbac-proxy from v0.19.1 to v0.20.0. by @​gardener-ci-robot [#12980]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/vali from v2.2.26 to v2.2.27. Release Notes by @​gardener-ci-robot [#13022]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/ingress-nginx/controller-chroot from v1.13.2 to v1.13.3. by @​gardener-ci-robot [#13047]
• [DEPENDENCY] The following dependencies have been updated:
  • fluent/fluent-operator from v3.2.5 to v4.0.9 by @​nickytd [#12998]
• [DEVELOPER] An issue with the ssh tunnel in the extensions setup is fixed. by @​axel7born [#13019]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.82.1 to 1.82.2. Release Notes by @​gardener-ci-robot [#13010]
• [DEVELOPER] The optimistic defaulting of priorities for MachineDeployments was introduced again. by @​tobschli [#13014]
• [OPERATOR] Remove migration code to clean up obsolete Prometheus volumes by @​vicwicker [#13021]
• [USER] Gardener API server now serves the OpenAPI v2 schema ( /openapi/v2 endpoint) again and will keep on serving it until Gardener v1.160. In Gardener v1.127.0, the support for OpenAPI v2 schemas was removed. However, terraform-provider-kubernetes does not yet support OpenAPI v3 schema. by @​shafeeqes [#12987]

Helm Charts

... (truncated)

Commits

• d0d9862 release v1.129.0
• 1272022 [release-v1.129] Fixes incorrect Machine duplication when persisting the ma...
• 24a9231 [release-v1.129] [GEP-26] Handle properly backup WorkloadIdentity credentials...
• a5d9c3a [release-v1.129] Fix race conditions occurring when removing finalizers from ...
• 219d447 [release-v1.129] Add missing json tags to extensionsv1alpha1.BastionList (#13...
• 91c698f [release-v1.129] Support enabling the OwnerReferencesPermissionEnforcement ...
• 3f62698 logging: revert logging plugin to v0.65.0 (#13051)
• 9a4da31 Update registry.k8s.io/ingress-nginx/controller-chroot Docker tag to v1.13.3 ...
• 8542a6c Drop test-e2e-local-operator-seed (#13042)
• 7e36572 Remove GA-ed CredentialsRotationWithoutWorkersRollout feature gate (#13041)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

This change primarily involves updating the project's Go dependencies. Key libraries such as Gardener, etcd-druid, and various Kubernetes components have been bumped to newer versions. This is a routine maintenance task aimed at incorporating the latest bug fixes, security patches, and improvements from upstream projects. The update ensures the codebase remains current, secure, and stable without introducing new end-user features.

Walkthrough

• Chore: Updated numerous Go module dependencies, including major ones like Gardener, etcd-druid, and Kubernetes libraries. This maintenance activity ensures the project benefits from the latest upstream security patches, bug fixes, and performance improvements. While this change has no direct impact on end-user features, it is crucial for maintaining the overall stability and security of the application.

_{Model: gemini-2.5-pro | Prompt Tokens: 34286 | Completion Tokens: 155}

[gardener-robot-ci-3]

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[dependabot]

Superseded by #1316.