3.15.0

[garden-setup]

✨ New Features

• [OPERATOR] Upgrade Gardener to v1.29.0 (#595, @Diaphteiros)
• [OPERATOR] In preparation of the kubernetes dockershim removal, containerd has been added as container runtime to the default cloudprofiles. See here for further information. (#595, @Diaphteiros)
  • In addition, the gvisor extension is now deployed by default and can be used in combination with containerd.
• [OPERATOR] Update default kubernetes versions in cloudprofile (#595, @Diaphteiros)
• [OPERATOR] Upgrade Gardener dashboard to v1.51.2 (#595, @Diaphteiros)

🏃 Others

• [OPERATOR] Upgrade Gardener extension provider-gcp to v1.18.0 (#595, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension os-gardenlinux to v0.10.0 (#595, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension os-suse-chost to v1.13.0 (#595, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension provider-azure to v1.21.2 (#595, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension shoot-cert-service to v1.17.1 (#595, @Diaphteiros)

[cert-management]

🐛 Bug Fixes

• [OPERATOR] fix nil pointer dereference in RememberAltIssuerSecret if an issuer secret contains no data (gardener/cert-management#85, @MartinWeindel)

[cloud-provider-azure]

🏃 Others

• [OPERATOR] k8s.io/legacy-cloud-providers is now updated to v0.19.14. (gardener-attic/cloud-provider-azure#7, @vpnachev)
• [OPERATOR] k8s.io/legacy-cloud-providers is now updated to v0.20.10. (gardener-attic/cloud-provider-azure#6, @vpnachev)
• [OPERATOR] k8s.io/legacy-cloud-providers is now updated to v0.21.4. (gardener-attic/cloud-provider-azure#5, @vpnachev)

[dashboard]

⚠️ Breaking Changes

• [OPERATOR] The Dashboard no longer adds dockerto the list of available CRIs. You need to adapt all CloudProfiles and explicitly add docker to all MachineImageVersions which support it (gardener/dashboard#1059, @grolu)

✨ New Features

• [USER] Container Runtime is now a required field for cluster workers and defaulted to containerd for cluster kubernetes versions 1.22 and higher. Clusters with older kubernetes versions keep docker as default container runtime. If default runtime is not in the list of supported runtimes of a machine image it defaults to the first one specified in the cloud profile (gardener/dashboard#1059, @grolu)
• [USER] Added support to authenticate against GKE clusters using google service account key. In this case, the referenced secret needs to have the serviceaccount.json data key in addition to the kubeconfig data key (gardener/dashboard#1058, @holgerkoser)
• [USER] Container runtimes of existing workers can now be changed (gardener/dashboard#1044, @grolu)
• [USER] Support for the hetzner cloud extension (hcloud) (gardener/dashboard#1043, @poelzi)
• [USER] External DNS Provider Support (gardener/dashboard#1026, @grolu)
  • Add and manage DNS Provider Secrets
  • Configure Shoot DNS Providers
• [USER] Added extended search capabilities to cluster search: (gardener/dashboard#1021, @grolu)
  • Search params are now ANDed, allowing one to refine the search
  • Use quotes for exact words or phrases
  • Use minus sign to exclude words that you don't want
• [OPERATOR] It is now possible to add configurable hints for machine image vendors (gardener/dashboard#1066, @grolu)
• [OPERATOR] Added support for ERR_RETRYABLE_INFRA_DEPENDENCIES and ERR_INFRA_REQUEST_THROTTLING error codes (gardener/dashboard#1040, @grolu)
• [OPERATOR] The option to Hide user issues for operators has been replaced by an option to remove both user issues and temporary issues. This new filter is labelled as Hide no operator action required issues (gardener/dashboard#1040, @grolu)

🐛 Bug Fixes

• [USER] Fixed a problem in the DNS provider configuration that caused a newly added DNS provider to always be disabled on an existing cluster (gardener/dashboard#1086, @holgerkoser)
• [USER] Fixed some issues regarding creating and editing worker groups (gardener/dashboard#1084, @grolu)
  • Existing worker groups may keep cri.name empty without failing validation
  • Additional container runtimes selection did no longer show up
  • Machine worker.machine.image included internal properties in create shoot editor
• [USER] Fixed an issue in the TicketComment component causes it not to be rendered anymore (gardener/dashboard#1080, @holgerkoser)
• [USER] Fixes a bug with the size of dialogs. In some cases the dialogs were too small to display the complete content clearly. The size of all dialogs has been adjusted and unified (gardener/dashboard#1075, @holgerkoser)
• [USER] Fixed an issue on the cluster creation page where the networking section was empty because of a permission issue: Users could not read list of networking types and registered dns provider extensions (gardener/dashboard#1074, @grolu)
• [USER] Preserve the initial URL hostname during the OIDC login process (gardener/dashboard#1054, @holgerkoser)
• [USER] Fixed an issue where the terminal container was not created with privileged set to true of the containers securityContext when enabling the Privileged flag on the terminal settings UI (gardener/dashboard#1051, @petersutter)

📖 Documentation

• [OPERATOR] Please note the following changes in the values.yaml file of the gardener-dashboard helm chart: (gardener/dashboard#1054, @holgerkoser)
  • The configuration property .Values.oidc.redirectUri is no longer used and has been removed. Instead, the list of valid OIDC redirect URIs is determined based on the ingress hosts .Values.ingress.hosts. If tls .Values.ingress.tls is active the redirect URI scheme is assumed to be https for all hosts.

[gardener]

⚠️ Breaking Changes

• [USER] Earlier, Gardener created certificates with Common Name: system:apiserver for the Kube-Apiserver. In order to be DNS-1123 compliant, this certificate field is changed to Common Name: kube-apiserver for new shoot clusters. (gardener/gardener#4467, @timuthy)
• [OPERATOR] Kubernetes will remove the built-in dockershim, which means eventually all Gardener Shoots will need to switch to containerd. Operators of Gardener and Shoot owners need to take action, please continue reading our detailed guide about the why, what, and when! (gardener/gardener#4452, @voelzmo)
• [OPERATOR] The following changes have been made incompatibly to the GardenerSchedulerConfiguration: (gardener/gardener#4320, @xrstf)
  • The configuration key server has been refined into healthProbes and metrics. Note that both cannot be listening on the same port.
  • The CachedRuntimeClients feature gate has been removed, objects are now always cached.
  • lockObjectName was removed in favor of resourceName.
  • lockObjectNamespace was removed in favor of resourceNamespace.
• [OPERATOR] If you deploy Gardener with the provided Helm charts, note that the metrics endpoint for the Gardener-Scheduler is now exposed via a service on port 9090. (gardener/gardener#4320, @xrstf)

🐛 Bug Fixes

• [USER] The symmetric keys HS256, HS384 and HS512 are now removed from the valid OIDC Signing algorithms as they are not supported by the kubernetes API server. (gardener/gardener#4470, @plkokanov)
• [OPERATOR] Keep the already available replicas of kube-controller-manager (if any) during Create operations regardless of whether hibernation is enabled or not. (gardener/gardener#4479, @plkokanov)
• [OPERATOR] Keep kube-apiserver HPA scale down mode Auto even when scale down is disabled. The scale down is naturally disabled because minReplicas and maxReplicas are set to be equal. (gardener/gardener#4451, @amshuman-kr)

🏃 Others

• [OPERATOR] A bug has been fixed which prevented the CSR auto-approval process for Gardenlet certificates when the SeedAuthorizer is enabled. Hence, the user certificate used by Gardenlet to connect to the Garden cluster was not renewed successfully. (gardener/gardener#4502, @timuthy)
• [OPERATOR] Azure errors with OverconstrainedZonalAllocationRequest error code are now classified as configuration problems. (gardener/gardener#4482, @plkokanov)
• [OPERATOR] Improved handling of the shoot resource in the shoot controller to ensure that data races are avoided as much as possible. (gardener/gardener#4459, @stoyanr)
• [OPERATOR] Ensured that the backup entry name is generated only once using non-empty strings to prevent issues with backup entry names generated as --. (gardener/gardener#4454, @stoyanr)
• [OPERATOR] Projects are now reconciled every time a shoot is created. (gardener/gardener#4447, @kris94)
• [OPERATOR] Grafana discovers available logging components at runtime for "Controlplane Logs Dashboard" (gardener/gardener#4387, @vlvasilev)
• [DEVELOPER] Added new staticchecks by bumping golangci-lint. Please make sure to update your local installation of golangci-lint, e.g. by running make install-requirements (gardener/gardener#4475, @voelzmo)

[gardener-extension-os-gardenlinux]

⚠️ Breaking Changes

• [OPERATOR] The default leader election resource lock of gardener-extension-os-gardenlinux has been changed from configmapsleases to leases. (gardener/gardener-extension-os-gardenlinux#43, @ialidzhikov)
  • Please make sure, that you had at least [email protected] running before upgrading to v0.10.0, so that it has successfully required leadership with the hybrid resource lock (configmapsleases) at least once.

✨ New Features

• [OPERATOR] It is now possible to specify the leader election resource lock via the chart value leaderElection.resourceLock (defaults to leases). (gardener/gardener-extension-os-gardenlinux#43, @ialidzhikov)

🏃 Others

• [OPERATOR] The /etc/containerd/config.toml file is now ensured before the containerd service to be set to use it via a drop-in. (gardener/gardener-extension-os-gardenlinux#45, @vpnachev)
• [OPERATOR] This extension is no longer restarting the systemd services from the original OperatingSystemConfig units. (gardener/gardener-extension-os-gardenlinux#41, @vpnachev)

[gardener-extension-os-suse-chost]

⚠️ Breaking Changes

• [OPERATOR] ⚠️ This extension no longer support suse-jeos as OperatingSystemConfig.spec.type. Before upgrading to this version of the extension, please update all your cloudprofiles and shoot resources to use suse-chost instead of suse-jeos. (gardener/gardener-extension-os-suse-chost#52, @vpnachev)

🏃 Others

• [OPERATOR] A mitigation for issue with systemd-hostnamed, see here for more details, is now applied only to older SuSE versions that does not contain an upstream fix in the systemd package. (gardener/gardener-extension-os-suse-chost#51, @vpnachev)

[gardener-extension-provider-gcp]

⚠️ Breaking Changes

• [OPERATOR] The default leader election resource lock of gardener-extension-provider-gcp has been changed from configmapsleases to leases. (gardener/gardener-extension-provider-gcp#287, @ialidzhikov)
  • Please make sure, that you had at least [email protected] running before upgrading to v1.18.0, so that it has successfully required leadership with the hybrid resource lock (configmapsleases) at least once.

✨ New Features

• [OPERATOR] It is now possible to specify the leader election resource lock via the chart value leaderElection.resourceLock (defaults to leases). (gardener/gardener-extension-provider-gcp#287, @ialidzhikov)

🐛 Bug Fixes

• [USER] Do not trigger a node rollout when switching from CRI.Name==nil to CRI.Name==docker. (gardener/gardener-extension-provider-gcp#290, @BeckerMax)

🏃 Others

• [USER] The following image is updated: (gardener/gardener-extension-provider-gcp#301, @ialidzhikov)
  • k8s.gcr.io/sig-storage/csi-provisioner: v1.6.0 -> v2.1.2 (see CHANGELOG)
• [OPERATOR] machine-controller-manager logs are exposed to the end-users (gardener/gardener-extension-provider-gcp#300, @vlvasilev)

[logging]

🏃 Others

• [DEVELOPER] Add Telegraf image to the ci pipeline (gardener/logging#104, @vlvasilev)

[machine-controller-manager]

⚠️ Breaking Changes

• [OPERATOR] Draining of pods with PVs (Persistent Volume) now waits for re-attachment of PV on a different node when volumeAttachments support is enabled on the cluster. Else it falls back to the default PV reattachment timeout value configured. The default value is 90s and this can be overwritten via the machine-pv-reattach-timeout flag. Please enable permissions to allow listing of volumeAttachments resource while importing these changes. (gardener/machine-controller-manager#608, @prashanth26)

✨ New Features

• [USER] Increase default concurrent object syncs to 50 to allow more concurrent reconciles to occur. (gardener/machine-controller-manager#629, @prashanth26)
• [USER] Machine rollouts are now more as desired with the number of replicas always maintained to desired + maxSurge. Earlier machines in termination were left out of this calculation but now is considered with this change. (gardener/machine-controller-manager#627, @prashanth26)
• [OPERATOR] Finalizers will be added to the MachineClass which is used by at least one machine. Machines whose backing MachineClass does not have finalizers shall not be reconciled. (gardener/machine-controller-manager#593, @AxiomSamarth)
• [DEVELOPER] Replace integration test with unit test to test the functionality to freeze MachineSet (gardener/machine-controller-manager#620, @AxiomSamarth)

🐛 Bug Fixes

• [OPERATOR] Avoids blocking of drain call when the buffer is full for the volumeAttachmentHandlers. (gardener/machine-controller-manager#627, @prashanth26)
• [DEVELOPER] Test framework now fetches secrets from the correct (control) APIServer while running tests. (gardener/machine-controller-manager#617, @himanshu-kun)

🏃 Others

• [OPERATOR] Nodes attached to the cluster without MCM support are now annotated with "node.machine.sapcloud.io/notManagedByMCM": "1". This is then ignored by the MCM for further processing. (gardener/machine-controller-manager#612, @himanshu-kun)

[machine-controller-manager-provider-gcp]

🏃 Others

• [USER] Added documentation (gardener/machine-controller-manager-provider-gcp#21, @AxiomSamarth)
• [DEVELOPER] Revendored MCM libraries @ v0.40.0 (gardener/machine-controller-manager-provider-gcp#21, @AxiomSamarth)

[terraformer]

⚠️ Breaking Changes

• [DEVELOPER] Once the azurerm provider plugin is updated from v2.36.0 to v2.68.0 the skip_provider_registration flag in the provider section need to be set to true. (gardener/terraformer#99, @dkistner)

🏃 Others

• [OPERATOR] The terraform azurerm provider plugin is updated from v2.36.0 to v2.68.0. (gardener/terraformer#99, @dkistner)
• [OPERATOR] The following terraform provider plugins are updated: (gardener/terraformer#98, @ialidzhikov)
  • hashicorp/terraform-provider-aws: 3.18.0 -> 3.32.0
• [OPERATOR] The following terraform provider plugin is updated: (gardener/terraformer#96, @minchaow)
  • aliyun/terraform-provider-alicloud: 1.124.0 -> 1.124.2