
3.9.0

@gardener-robot-ci-2 gardener-robot-ci-2 released this 04 May 07:45
· 288 commits to master since this release

[garden-setup]

⚠️ Breaking Changes

  • [OPERATOR] ⚠️ Due to the updated terraform plugins, this version of garden-setup requires terraform 0.13 or higher. If the sow image is used, version 3.3.0 or higher of sow is required. (#452, @Diaphteiros)
  • [OPERATOR] Replace nginx shoot addon with managed ingress feature for shooted seeds. The behaviour when deploying over an existing landscape has not been tested. In theory, this should work, although you might experience a downtime of the seeds. This change should not cause any problems for new landscapes and for landscapes without shooted seeds created by garden-setup. (#389, @Diaphteiros)

🐛 Bug Fixes

  • [OPERATOR] Fixed a bug that created an invalid DNS secret for the openstack-designate DNS service. (#455, @Diaphteiros)
  • [OPERATOR] Fixed a bug that caused the dashboard component to fail if landscape.identity.users was not defined. (#440, @Diaphteiros)

🏃 Others

  • [OPERATOR] Upgrade Gardener extension provider-vsphere to v0.7.1 (#459, @Diaphteiros)
  • [OPERATOR] Upgrade Gardener extension provider-gcp to v1.16.0 (#459, @Diaphteiros)
  • [OPERATOR] Upgrade Gardener extension provider-openstack to v1.18.0 (#455, @Diaphteiros)
  • [OPERATOR] Upgrade Gardener extension provider-aws to v1.23.0 (#455, @Diaphteiros)
  • [OPERATOR] Upgrade Gardener extension networking-calico to v1.17.0 (#455, @Diaphteiros)
  • [OPERATOR] Upgrade Gardener extension shoot-dns-service to v1.10.0 (#455, @Diaphteiros)
  • [OPERATOR] Upgrade Gardener dns-controller-manager to v0.8.3 (#455, @Diaphteiros)
  • [OPERATOR] The terraform modules for creation of the etcd backup bucket have been adapted for terraform 0.13 (#452, @Diaphteiros)
  • [OPERATOR] Upgrade Gardener extension provider-azure to v1.19.1 (#443, @Diaphteiros)

📰 Noteworthy

  • [OPERATOR] The recommended sow version is now 3.3.0 (#459, @Diaphteiros)
  • [OPERATOR] Upgrade Gardener to v1.21.0 (#455, @Diaphteiros)
  • [OPERATOR] The default kubernetes versions in the cloudprofile have been updated. (#443, @Diaphteiros)
  • [OPERATOR] Starting with version v1.20, Gardener deploys a managed istio into each seed cluster. This behaviour is deactivated in garden-setup by default. To activate the managed istio for a seed, add featureGates.ManagedIstio: true and featureGates.APIServerSNI: true to that seed's landscape.iaas entry. Please be aware that there currently is no easy way of removing istio again - if a seed with the feature gate active is deleted, the istio namespaces will be removed, but cluster-scoped resources and resources in other namespaces will be leaked in your cluster. This shouldn't be a big problem for shooted seeds though, as they will be gone when the shoot is deleted. (#443, @Diaphteiros)

[autoscaler]

📰 Noteworthy

  • [USER] Enable configuration of flags such as control-apiserver-burst, control-apiserver-qps, target-apiserver-burst, target-apiserver-qps and min-resync-period for the Kubernetes client configurations used while fetching objects for the MCM cloud provider. (gardener/autoscaler#73, @prashanth26)
  • [OPERATOR] Switch to using cached informers to fetch cloud provider details more optimally. (gardener/autoscaler#73, @prashanth26)

[cloud-provider-aws]

✨ New Features

🏃 Others

[cloud-provider-azure]

✨ New Features

🏃 Others

[cloud-provider-gcp]

✨ New Features

🏃 Others

[external-dns-management]

🐛 Bug Fixes

🏃 Others

[gardener]

⚠️ Breaking Changes

  • [USER] Extension resource configs, namely ControlPlaneConfig and WorkerConfig, are now deserialized in "strict" mode. This means that deserializing resources with fields that are not allowed by the API schema will result in errors. Shoots containing such resources will fail with an appropriate error until you manually update the shoot to make sure any extension resources contained in it are valid. Note that due to other changes you will not be able to create new shoots containing such resources, since they will be rejected by validation. (gardener/gardener#3804, @stoyanr)
  • [OPERATOR] The temporary workaround in the ProblematicWebhooks check that was skipping Shoot webhooks is now removed. Before updating to this version of Gardener, please make sure that the provider extensions in the system vendor at least github.com/gardener/[email protected]. (gardener/gardener#3867, @ialidzhikov)
  • [OPERATOR] ⚠️ Gardener no longer supports shoot clusters with Kubernetes versions < 1.15. With this change, the .spec.kubernetes.kubeControllerManager.horizontalPodAutoscaler.{up,down}scaleDelay fields have been dropped because they are no longer meaningful. Make sure to upgrade all existing clusters before upgrading to this Gardener version. (gardener/gardener#3862, @rfranzke)
  • [OPERATOR] ⚠️ The minimum Kubernetes version for seed clusters has been raised from v1.11 to v1.15. Make sure that all your registered seed clusters meet this requirement before upgrading to this Gardener version. (gardener/gardener#3862, @rfranzke)
  • [OPERATOR] Invalid image vectors and component image vector overwrites will cause validation errors upon reading. If you encounter such errors, make sure image vectors specified in ConfigMap or ComponentRegistration resources are valid. (gardener/gardener#3853, @stoyanr)
  • [DEPENDENCY] ⚠️ The utility functions for working with ManagedResources have been mostly moved from pkg/operation/common to pkg/utils/managedresources. Please note that the signature of the functions might have changed. Especially, the order of the name, namespace string parameters is now namespace, name string. (gardener/gardener#3780, @rfranzke)

✨ New Features

  • [USER] New .status.advertisedAddresses field in the Shoot resource now provides a list of advertised URLs of the Kubernetes API Server. (gardener/gardener#3883, @mvladev)
  • [OPERATOR] Seed clusters with less than three nodes are now supported. In earlier versions of Gardener the seed-admission-controller deployment was causing unhealthy managed resources for small seed clusters, preventing seed bootstrapping from succeeding. (gardener/gardener#3811, @Gerrit91)
  • [OPERATOR] Gardener-Controller-Manager now reads Gardener configuration secrets like internal-domain, default-domain, etc. dynamically during reconciliation. Earlier the secrets were only read and stored in memory during start-up, so that any changes to those secrets were not reflected until the next restart. (gardener/gardener#3700, @timuthy)
  • [OPERATOR] Gardenlet now reads Gardener configuration secrets like internal-domain, default-domain, etc. dynamically during shoot reconciliation. Earlier the secrets were only read and stored in memory during start-up, so that any changes to those secrets were not reflected until the next restart. (gardener/gardener#3700, @timuthy)
  • [DEVELOPER] Gardener can now support shoot clusters with Kubernetes version 1.21. In order to allow creation/update of 1.21 clusters you will have to update the version of your provider extension(s) to a version that supports 1.21 as well. Please consult the respective releases and notes in the provider extension's repository. (gardener/gardener#3860, @rfranzke)
  • [DEVELOPER] A new package pkg/envtest has been added, which can be used to bootstrap a temporary Kubernetes control plane including gardener-apiserver in integration tests. With this, developers can start writing integration tests for controllers, webhooks and so on that work on Gardener API resources. (gardener/gardener#3796, @timebertt)

🐛 Bug Fixes

  • [USER] An issue has been fixed which prevented DNS entries being created correctly. Only requests coming from shoot clusters were affected. (gardener/gardener#3863, @MartinWeindel)
  • [USER] Several regressions related to the AuditPolicy validation are fixed. (gardener/gardener#3855, @timebertt)
  • [USER] An issue has been fixed which prevented DNS entries being created correctly. Only requests coming from shoot clusters were affected. (gardener/gardener#3864, @timuthy)
  • [USER] Several regressions related to the AuditPolicy validation are fixed. (gardener/gardener#3856, @timebertt)
  • [USER] An issue causing the deletion of hibernated Shoot to fail is now fixed. (gardener/gardener#3790, @ialidzhikov)
  • [USER] A rare issue with the Infrastructure destruction that may result in Shoot resources stuck in deletion has been fixed. (gardener/gardener#3738, @rfranzke)
  • [USER] A transient error which may occur when a hibernated shoot cluster is woken up again right away has been fixed. (gardener/gardener#3727, @rfranzke)
  • [OPERATOR] Gardener care operations now only consider conditions of relevant BackupEntries. Earlier, the controller retrieved all entries instead of only checking the one that is associated to the processed shoot. (gardener/gardener#3854, @timuthy)
  • [OPERATOR] An issue has been fixed which led to Shoots not being reconciled immediately after changing the referenced AuditPolicy ConfigMap. (gardener/gardener#3848, @timebertt)
  • [OPERATOR] Gardener care operations now only consider conditions of relevant BackupEntries. Earlier, the controller retrieved all entries instead of only checking the one that is associated to the processed shoot. (gardener/gardener#3859, @timebertt)
  • [OPERATOR] An issue has been fixed which led to Shoots not being reconciled immediately after changing the referenced AuditPolicy ConfigMap. (gardener/gardener#3849, @timebertt)
  • [OPERATOR] Logging integration test get the name of the Loki PriorityClass from the Loki StatefulSet (gardener/gardener#3827, @vlvasilev)
  • [OPERATOR] The Gardenlet is now creating/updating the Seed resource from GardenletConfiguration.seedConfig earlier in the start-up flow to allow Gardener Controller Manager to replicate the required credentials in the namespace dedicated to the configured seed. (gardener/gardener#3822, @vpnachev)
  • [OPERATOR] A bug in the internal domain secret admission controller preventing the replication of the internal domain secrets in seed namespaces is now fixed. (gardener/gardener#3819, @vpnachev)
  • [OPERATOR] A bug in the internal domain secret admission controller preventing deletion of the internal domain secret replica in the seed namespace when there is no shoot scheduled on the seed is now fixed. (gardener/gardener#3819, @vpnachev)
  • [OPERATOR] Fix a bug where the gardenlet was not updating the allow-to-seed-apiserver network policy with the IP address of the seed's API server when the APIServerSNI feature gate is just enabled. (gardener/gardener#3741, @vpnachev)
  • [DEVELOPER] A bug that prevented gardenlet to start-up when there is no seed in the garden cluster is now fixed. (gardener/gardener#3840, @vpnachev)

📖 Documentation

🏃 Others

📰 Noteworthy

  • [USER] Shoot clusters with production purpose have now at least two kube-apiserver replicas. (gardener/gardener#3764, @rfranzke)
  • [OPERATOR] The gardener-admission-controller now has a new handler for validating the internal domain Secret (earlier, there was no API validation at all). (gardener/gardener#3756, @rfranzke)
  • [DEVELOPER] The Golang version has been updated to v1.16.2. Support of packr and go-bindata has been dropped in favor of the native go:embed. (gardener/gardener#3739, @rfranzke)

[gardener-extension-networking-calico]

⚠️ Breaking Changes

  • [USER] Extension resource configs (NetworkConfig) are now deserialized in "strict" mode. This means that deserializing resources with fields that are not allowed by the API schema will result in errors. Shoots containing such resources will fail with an appropriate error until you manually update the shoot to make sure any extension resource configs contained in it are valid. (gardener/gardener-extension-networking-calico#76, @stoyanr)

🏃 Others

[gardener-extension-provider-aws]

⚠️ Breaking Changes

  • [USER] Extension resource configs (InfrastructureConfig, ControlPlaneConfigs, WorkerConfig) are now deserialized in "strict" mode, including during validation by the admission webhook. This means that resources with fields that are not allowed by the API schema will be rejected by validation. Creating new shoots containing such resources will not be possible, and reconciling existing shoots will fail with an appropriate error until you manually update the shoot to make sure any extension resource configs contained in it are valid. (gardener/gardener-extension-provider-aws#307, @stoyanr)

✨ New Features

🐛 Bug Fixes

🏃 Others

[gardener-extension-provider-azure]

⚠️ Breaking Changes

  • [USER] Extension resources (Infrastructure, ControlPlane, etc.) are now deserialized in "strict" mode, including during validation by the validating webhook. This means that resources with fields that are not allowed by the API schema will be rejected by validation. Creating new shoots containing such resources will not be possible, and updating existing shoots will fail with an appropriate error until you manually update the shoot to make sure any extension resources contained in it are valid. (gardener/gardener-extension-provider-azure#271, @stoyanr)

🐛 Bug Fixes

🏃 Others

📰 Noteworthy

  • [OPERATOR] The validator/admission component's Helm chart is now deploying a VerticalPodAutoscaler resource by default. If undesired, or if no VPA is available in the garden cluster, it can be turned off via .Values.global.vpa.enabled=false. (gardener/gardener-extension-provider-azure#246, @rfranzke)

[gardener-extension-provider-gcp]

⚠️ Breaking Changes

  • [USER] Extension resource configs (InfrastructureConfig, ControlPlaneConfigs, WorkerConfig) are now deserialized in "strict" mode, including during validation by the admission webhook. This means that resources with fields that are not allowed by the API schema will be rejected by validation. Creating new shoots containing such resources will not be possible, and reconciling existing shoots will fail with an appropriate error until you manually update the shoot to make sure any extension resource configs contained in it are valid. (gardener/gardener-extension-provider-gcp#249, @stoyanr)

✨ New Features

🏃 Others

[gardener-extension-provider-openstack]

⚠️ Breaking Changes

  • [USER] Extension resource configs (InfrastructureConfig, ControlPlaneConfigs, WorkerConfig) are now deserialized in "strict" mode, including during validation by the admission webhook. This means that resources with fields that are not allowed by the API schema will be rejected by validation. Creating new shoots containing such resources will not be possible, and reconciling existing shoots will fail with an appropriate error until you manually update the shoot to make sure any extension resource configs contained in it are valid. (gardener/gardener-extension-provider-openstack#253, @stoyanr)
  • [OPERATOR] The gardener-extension-validator-openstack Helm chart as well as different assets inside have been renamed to the more general term gardener-extension-admission-openstack. Please take corresponding action if you don't use Helm to manage your deployment in the Garden cluster. (gardener/gardener-extension-provider-openstack#265, @ialidzhikov)
  • [OPERATOR] The Docker image eu.gcr.io/gardener-project/gardener/extensions/validator-openstack will no longer be maintained as of this release in favor of the successor eu.gcr.io/gardener-project/gardener/extensions/admission-openstack. Please consider replacing any references to the image eu.gcr.io/gardener-project/gardener/extensions/validator-openstack by eu.gcr.io/gardener-project/gardener/extensions/admission-openstack. (gardener/gardener-extension-provider-openstack#265, @ialidzhikov)

✨ New Features

🐛 Bug Fixes

🏃 Others

📰 Noteworthy

  • [OPERATOR] The validator/admission component's Helm chart is now deploying a VerticalPodAutoscaler resource by default. If undesired, or if no VPA is available in the garden cluster, it can be turned off via .Values.global.vpa.enabled=false. (gardener/gardener-extension-provider-openstack#223, @rfranzke)

[gardener-extension-provider-vsphere]

⚠️ Breaking Changes

  • [USER] Extension resource configs (InfrastructureConfig, ControlPlaneConfigs, WorkerConfig) are now deserialized in "strict" mode, including during validation by the admission webhook. This means that resources with fields that are not allowed by the API schema will be rejected by validation. Creating new shoots containing such resources will not be possible, and reconciling existing shoots will fail with an appropriate error until you manually update the shoot to make sure any extension resource configs contained in it are valid. (gardener/gardener-extension-provider-vsphere#141, @stoyanr)
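The "strict" deserialization introduced for the gardener core ControlPlaneConfig/WorkerConfig entry above and for the NetworkConfig, InfrastructureConfig, ControlPlaneConfig and WorkerConfig entries of the networking-calico and provider-* extensions all come down to the same decoder behaviour: a lenient decoder drops fields it does not know about, so a misspelled or unsupported key is silently ignored, while a strict decoder turns it into an error that validation can surface. The Go program below is an added example, not code from Gardener or any of its extensions; the ControlPlaneConfig type, its fields and the sample JSON are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// ControlPlaneConfig is a constructed stand-in for an extension's provider-specific
// config. The field names are assumptions for this example; the real types live in
// the respective gardener-extension-provider-* repositories.
type ControlPlaneConfig struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Zone       string `json:"zone"`
}

// rawConfig is a constructed sample in which "zone" is misspelled as "zoen".
// A lenient decoder drops the unknown key, so Zone stays empty and the typo
// is never reported to the user.
const rawConfig = `{
  "apiVersion": "example.provider.extensions.gardener.cloud/v1alpha1",
  "kind": "ControlPlaneConfig",
  "zoen": "eu-west-1a"
}`

// decodeLenient mirrors the pre-strict behaviour: unknown fields are ignored.
func decodeLenient(raw []byte) (ControlPlaneConfig, error) {
	var cfg ControlPlaneConfig
	err := json.Unmarshal(raw, &cfg)
	return cfg, err
}

// decodeStrict rejects any field the schema does not know about, so a typo or an
// unsupported key becomes a hard error instead of a silently dropped setting.
func decodeStrict(raw []byte) (ControlPlaneConfig, error) {
	var cfg ControlPlaneConfig
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	err := dec.Decode(&cfg)
	return cfg, err
}

func main() {
	cfg, err := decodeLenient([]byte(rawConfig))
	fmt.Printf("lenient: zone=%q err=%v\n", cfg.Zone, err)
	cfg, err = decodeStrict([]byte(rawConfig))
	fmt.Printf("strict:  zone=%q err=%v\n", cfg.Zone, err)
}
```

Running it shows the lenient decode succeeding with an empty zone and the strict decode failing with `json: unknown field "zoen"`. Gardener decodes these configs through k8s.io/apimachinery rather than encoding/json directly, but the effect of its strict codec option is the same: an existing shoot carrying such a config fails reconciliation with that kind of error until the config is corrected, and a new shoot with it is rejected at admission.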

✨ New Features

🐛 Bug Fixes

🏃 Others

[gardener-extension-shoot-dns-service]

🏃 Others

[gardener-resource-manager]

✨ New Features

  • [OPERATOR] It is now possible to specify the leader election resource lock via the command line flag --leader-election-resource-lock (defaults to configmapsleases) and the chart value leaderElection.resourceLock. Please be careful when changing the resource lock and always migrate via multilocks in order to prevent situations where multiple instances of the controller are running with leader election and thus acting on the same resources. (gardener-attic/gardener-resource-manager#117, @timebertt)

🏃 Others

[machine-controller-manager]

🐛 Bug Fixes

[machine-controller-manager-provider-openstack]

🏃 Others

[sow]

⚠️ Breaking Changes

  • [OPERATOR] Several dependency versions have changed and might require changes in components that use the corresponding plugins (most notably: terraform). (gardener/sow#43, @Diaphteiros)

🏃 Others

📰 Noteworthy

[terraformer]

🐛 Bug Fixes

  • [OPERATOR] The aws provider has been downgraded from 3.32.0 to 3.18.0 due to an issue with additionally required permissions for the AWS accounts. (gardener/terraformer#87, @vpnachev)
  • [OPERATOR] A bug was fixed that caused terraform to leak its finalizer on ConfigMaps and Secrets in case of an interrupt during terraform destroy. (gardener/terraformer#71, @timebertt)
  • [OPERATOR] A bug was fixed that caused terraform to leak its finalizer on ConfigMaps and Secrets in case of an interrupt during terraform destroy. (gardener/terraformer#72, @timebertt)

🏃 Others

  • [OPERATOR] The following terraform provider plugins are updated: (gardener/terraformer#88, @ialidzhikov)
    • hashicorp/terraform-provider-google: 3.59.0 -> 3.62.0
    • hashicorp/terraform-provider-google-beta: 3.59.0 -> 3.62.0
  • [OPERATOR] The following terraform provider plugins are updated: (gardener/terraformer#84, @ialidzhikov)
    • hashicorp/terraform-provider-aws: 3.18.0 -> 3.32.0
    • hashicorp/terraform-provider-google: 3.27.0 -> 3.59.0
    • hashicorp/terraform-provider-google-beta: 3.27.0 -> 3.59.0
  • [OPERATOR] The Terraformer now instantly removes its finalizer from the state ConfigMap if the state is empty and destroy is called. A separate Terraform destroy is not executed. (gardener/terraformer#80, @timuthy)
  • [OPERATOR] Terraformer will now publish an additional image without any pre-installed terraform plugins. (gardener/terraformer#77, @Diaphteiros)
  • [OPERATOR] Provides support for the Equinix Metal provider, which replaces the Packet one (gardener/terraformer#73, @deitch)
  • [OPERATOR] The terraformer-openstack now uses the openstack provider in version v1.37.0 (gardener/terraformer#70, @kon-angelo)
  • [OPERATOR] The terraformer-openstack now uses the openstack provider in version v1.36.0 (gardener/terraformer#68, @dkistner)
  • [DEVELOPER] Golang has been updated to 1.16.2 and Alpine to 3.13.2. (gardener/terraformer#85, @vpnachev)

📰 Noteworthy