🤖 Update gardener/gardener to v1.143.0 (minor)

[ske-renovate-ce]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gardener/gardener	v1.142.2 → v1.143.0
github.com/gardener/gardener/pkg/apis	v1.142.2 → v1.143.0

---

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.143.0

Compare Source

[github.com/gardener/gardener:v1.143.0]

⚠️ Breaking Changes

• [OPERATOR] gardener-operator's ValidatingWebhookConfiguration no longer accepts invalid values for the Garden's .spec.virtualCluster.kubernetes.kubeAPIServer.eventTTL field even for existing Garden resources with already invalid values. Invalid values are values outside of the range [0, 24h]. The gardener-operator webhook caps the eventTTL to 24h for already persisted Gardens with a value exceeding the allowed maximum. by @​ialidzhikov [#​14707]
• [OPERATOR] The GA-ed and unconditionally enabled NewWorkerPoolHash feature gate is removed. If you have references to this feature gate, clean them up before upgrading to this version of Gardener. by @​ialidzhikov [#​14800]
• [OPERATOR] ⚠️ The secrets in the gardener-system-shoot-issuer namespace containing shoot's OIDC discovery documents will stop to be labeled with authentication.gardener.cloud/public-keys=serviceaccount after Gardener v1.145.0 is released. Clients relying on this label must migrate to discovery.gardener.cloud/public=serviceaccount before that. For backward compatibility, it is advised to support both labels for some time. by @​vpnachev [#​14670]
• [OPERATOR] gardener-apiserver no longer accepts invalid values for ManagedSeedSet's .spec.shootTemplate.spec.kubernetes.kubeAPIServer.eventTTL field even for existing ManagedSeedSet resources with already invalid values. Invalid values are values outside of the range [0, 24h]. gardener-apiserver caps the eventTTL to 24h for already persisted ManagedSeedSets with a value exceeding the allowed maximum. by @​ialidzhikov [#​14707]
• [OPERATOR] The deprecated gardenClusterCACert field was removed from the GardenletConfiguration. The CA is now always automatically set by Gardener. by @​timuthy [#​14803]
• [USER] gardener-apiserver no longer accepts invalid values for the Shoot's .spec.kubernetes.kubeAPIServer.eventTTL field even for existing Shoot resources with already invalid values. Invalid values are values outside of the range [0, 24h]. gardener-apiserver caps the eventTTL to 24h for already persisted Shoots with a value exceeding the allowed maximum. by @​ialidzhikov [#​14707]
• [DEPENDENCY] In Gardener v1.142.0 the hack/push-helm.sh script was moved to dev-setup/push-helm.sh. It is now moved to back from dev-setup/push-helm.sh to hack/push-helm.sh to allow reuse from the extensions as before. by @​ialidzhikov [#​14838]

📰 Noteworthy

• [OPERATOR] Garden status now contains the AdvertisedAddresses of the virtual garden kube-apiserver by @​hown3d [#​14831]
• [USER] The release binary artifact names have changed to include an archive suffix, which is removed from the contained binary. by @​LucaBernstein [#​14814]
• [DEVELOPER] e2e tests are now running with Kubernetes v1.35. by @​timuthy [#​14766]

✨ New Features

• [USER] A new Kubelet option SingleProcessOOMKill was added to the Shoot API. Users can use this field to configure single process termination in case it ran out of memory. By default, all processes in the same cgroup are killed when an OOM occurs. by @​timuthy [#​14866]

🐛 Bug Fixes

• [OPERATOR] Fixed intermittent gRPC "server closed the stream without sending trailers" errors for shoot-node log collection by setting useClientProtocol: true on the otel-collector DestinationRule to ensure HTTP/2 is used for upstream connections. by @​rrhubenov [#​14730]
• [OPERATOR] A bug causing the gardener-resource-manager to panic whenever a VirtualService update event is processed and the Http/Tls/Tcp spec fields need element-by-element comparison is now fixed. by @​shafeeqes [#​14888]
• [OPERATOR] Skip unusable machine types in search for suitable bastion host image by @​matthias-horne [#​14813]
• [OPERATOR] A bug has been fixed where the SystemComponentsRunning was showing and error for self-hosted shoots on unmanaged infrastructure. by @​tobschli [#​14804]
• [OPERATOR] Fixed unreachability of gardener-discovery server if a custom URL is configured by @​crigertg [#​14815]
• [OPERATOR] The gardener-resource-manager deployment procedure was hardened. In rare situations, the procedure became stuck indefinitely after the seed's CA rotation. by @​timuthy [#​14765]
• [USER] Fix an issue where shoot node logging is broken when the valitail and opentelemetry-collector systemd units start before their auth-token file is written to disk. The units now wait for the token file to exist before starting, ensuring logs and telemetry from worker nodes are reliably shipped by @​iypetrov [#​14905]
• [USER] Fixed a bug where Shoot deletion could get permanently stuck if triggered while Shoot creation was still in progress. The delete flow incorrectly created a new ControlPlane extension resource that could never be reconciled due to missing shoot access secrets. by @​acumino [#​14706]
• [DEVELOPER] make generate no longer skips CRD regeneration when only a transitively-referenced type changed; CI runs manifest generation in sequential mode to catch any remaining drift. by @​shafeeqes [#​14894]

🏃 Others

• [OPERATOR] Add alpha.control-plane.shoot.gardener.cloud/vpn-auto-mtu annotation to enable automatic MTU configuration for VPN connections. When set to true, the OPENVPN_AUTO_MTU flag is propagated to all VPN components (seed server, shoot client, kube-apiserver sidecars).` by @​axel7born [#​14768]
• [OPERATOR] The images of the registry caches used in the dev setups are now updated to distribution/distribution@v3.1.1. by @​dimitar-kostadinov [#​14791]
• [OPERATOR] The gardener-node-init now performs a connectivity check to the kube-apiserver and fatal errors of the gardener-node-agent are forwarded to the machine console. This should improve the visibility when bootstrapping of machines fail. by @​vknabel [#​14760]
• [OPERATOR] Gardener observability components are accessible even if web browsers try to coalesce connections. by @​ScheererJ [#​14867]
• [OPERATOR] DestinationRules, VirtualServices & Services are now exported to the Istio Ingress namespaces where they are used only. by @​oliver-goetz [#​14842]
• [OPERATOR] The secrets reconciler in the gardener-controller-manager no longer copies secrets with labels gardener.cloud/role:{helm-pull-secret, oci-ca-bundle} from garden namespace to the seed namespaces in the virtual cluster. Gardenlet can already access this secret if the secret is referred in a ControllerDeployment and the seed has a ControllerInstallation referring this deployment. by @​shafeeqes [#​14419]
• [OPERATOR] Plutono's prometheus-longterm datasource now correctly targets the Cortex query frontend (port 81) instead of Prometheus's local API (port 80), fixing timed-out longterm queries. by @​rickardsjp [#​14873]
• [OPERATOR] The provider-local now implements the SelfHostedShootExposure extension. by @​cerealsnow [#​14723]
• [OPERATOR] Federation short-circuit from aggregate to garden Prometheus when both instances run on the runtime cluster has been adapted for Istio virtual services. by @​vicwicker [#​14868]
• [OPERATOR] The opentelemetry-operator and prometheus-operator deployed by Gardener now have the required RBAC for Events in the events.k8s.io API group. by @​plkokanov [#​14808]
• [OPERATOR] Disable IPIP encapsulation for IPv6 IP pools for local setup. by @​axel7born [#​14790]
• [OPERATOR] Memory usage and garbage collection metrics are exposed for cluster-autoscaler. by @​takoverflow [#​14764]
• [DEVELOPER] remote setup: Garden VPA is disabled by default to avoid two VPA deployments to act on the same cluster causing endless eviction loops. by @​ialidzhikov [#​14680]
• [DEVELOPER] The SetLoggerSuffix implementations in the extension healthcheck package now emit provider and extension as independent structured log fields instead of embedding them in the logger name. by @​AnantKumar17 [#​14752]
• [DEPENDENCY] The following dependencies have been updated:
  • open-telemetry/opentelemetry-operator from v0.145.0 to v0.150.0. Release Notes by @​gardener-ci-robot [#​14263]
• [DEPENDENCY] The following dependencies have been updated:
  • europe-docker.pkg.dev/gardener-project/releases/gardener/fluent-bit-plugin from v1.4.0 to v1.5.0. by @​iypetrov [#​14787]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/ingress-default-backend from 0.25.0 to 0.26.0. Release Notes by @​gardener-ci-robot [#​14828]
• [DEPENDENCY] The following dependencies have been updated:
  • gcr.io/istio-release/pilot from 1.29.2 to 1.29.3.
  • gcr.io/istio-release/proxyv2 from 1.29.2 to 1.29.3.
  • istio.io/api from v1.29.2 to v1.29.3. by @​gardener-ci-robot [#​14859]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/autoscaler from v1.34.1 to v1.34.2. Release Notes by @​gardener-ci-robot [#​14851]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.84.0 to 1.84.1. Release Notes by @​gardener-ci-robot [#​14759]
• [DEPENDENCY] The gardener/autoscaler image for Shoots with Kubernetes version 1.35 has been updated to v1.35.0. Release Notes by @​timuthy [#​14857]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/vali from v2.2.32 to v2.2.33. Release Notes by @​gardener-ci-robot [#​14843]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/plutono from v7.5.47 to v7.5.48. Release Notes by @​gardener-ci-robot [#​14845]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/kiwigrid/k8s-sidecar from 2.7.1 to 2.7.3. by @​gardener-ci-robot [#​14811]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.83.11 to 1.84.0. Release Notes by @​gardener-ci-robot [#​14683]

application/spdx+json

• admission-controller-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller@sha256:5dde901e0ff7bd63c13eda1243a584e3dd946d9a0dfeb0259799b33f6d799eb5
• admission-controller-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller@sha256:f1e475ed15b1e10b5a25851635847095fb1c248a2e55a6423b3fb8f670731c0e
• apiserver-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver@sha256:c293a293e778432bcf115af8f135c78b55e34e90e6259ed0fe55e39aa9497c1e
• apiserver-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver@sha256:d8b6055487dca31e827e29ab21bcd003926359453118545c5926cb93158903d3
• controller-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager@sha256:392f8eba1b194ab63d294967522087022dec8ceacdfbfeb39c794edfaebc7e7a
• controller-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager@sha256:4018034f952908789c15a61d1f8fb78ddcecc28ac550bf5efc17f5dd14f48458
• gardenadm-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm@sha256:e3e812dc935cf468eb2967a7d350f10bc7d26727703f90fb0307753bea7450a9
• gardenadm-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm@sha256:fe8679f370392b3f43feea219439b1ffa299fefd864f9d98c3bee260f8769b76
• gardenlet-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet@sha256:52dd456f2695a04337df1c5a9037f3b0d6dce523e146f43d645a19301a82358b
• gardenlet-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet@sha256:ad2641181f056eba9f140755211ca78d076fb832fc17335b65d9e64c8f9a5046
• node-agent-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent@sha256:0a385a6354b242e8f8da4c606b9987afcf5228a3d142d5d6e5fc66ebc8953989
• node-agent-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent@sha256:abea47497cd65b22a8128e4dc6114d61164baf92e2fb9086753d13af312b02a7
• operator-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/operator@sha256:a0a1baa82955db596b04bbb693bf5c9b66b2233948a3d7004c81389d08590aef
• operator-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/operator@sha256:bfbe9909794318f49c6e28b520e515977a3a594d3f982fc1b80c5bf495867d53
• resource-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager@sha256:41e7302b9583a4ce8a0f72426f157612500be0754132939a2a601319e495c269
• resource-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager@sha256:a5428183d1a68bb881b443773ad22cfd610cfb2db2a9d86ae6ac38f6402900dc
• scheduler-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler@sha256:8eb293e3f0570fb84424943fed6674a2ed682f99eaa7ee69eb73ac9dd4f952c0
• scheduler-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler@sha256:ef29b8c580d8499e7f2ca6580b859fa090640d03359cad558ff524cb2a1d0fa6

Helm Charts

• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.143.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.143.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.143.0

Container (OCI) Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.143.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.143.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.143.0
• gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.143.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.143.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.143.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.143.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.143.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.143.0

v1.142.3

Compare Source

[github.com/gardener/gardener:v1.142.3]

🐛 Bug Fixes

• [USER] Fix an issue where shoot node logging is broken when the valitail and opentelemetry-collector systemd units start before their auth-token file is written to disk. The units now wait for the token file to exist before starting, ensuring logs and telemetry from worker nodes are reliably shipped by @​iypetrov [#​14902]

application/spdx+json

• admission-controller-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller@sha256:7467d1267b97d5fc383e68b29cccc52858f4655ff465511c80efae90786fb2de
• admission-controller-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller@sha256:b6b5b46852a514bfc3cc91d385d54785e9e9a5f90783fb602a93a643cc7b433d
• apiserver-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver@sha256:acac5b71d77c2f6c58202f903e5739be5de13bf714937885b0fa4a1b9ffbb8fc
• apiserver-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver@sha256:d35fd217874755be96e577dfb54d0b7594e1fa34a61752e7ea1f0e83330380b5
• controller-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager@sha256:57b816366d315548c75657c3ae98ae28c94a6ec3e4fdb81f98eccc706b278396
• controller-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager@sha256:cbcc326f14a2a6d6c54f72d8595e2b3a9f8bd997525d4a99eb7884681532d504
• gardenadm-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm@sha256:70e0ffa1c580fa7efe7d9c2488205416cf74b52bd76747d07e91de601a648198
• gardenadm-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm@sha256:a1bc88de1b39f35a0be28596638bb142678f86029aa3eeb38c98970f20fa3080
• gardenlet-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet@sha256:6b0cc54036542458a1b570898b7f2a017d12e7d36852e79eb902101c393e031a
• gardenlet-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet@sha256:c27d727d2b9326a715b2d188a6df1333bf79476add58d7ee550b6afac5b443db
• node-agent-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent@sha256:065e475b1abb90f4f773181f2d7c2d869d047278b4a65a7a2eed580e27030924
• node-agent-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent@sha256:1429ffedb63f5f05b6fa02f21c6b97e6a47a5defea71e875ff1e5d07f6800b54
• operator-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/operator@sha256:763162d58313828431f22c9952782640807a22da4426508fe61eb7fbb5e0909a
• operator-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/operator@sha256:8985b1aca2624fbdba67d2fe27b4dc74c467b41a69fb884d7513118241aaff08
• resource-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager@sha256:18dcb5262591871aacd61d1cd7b254d7a35293c6221f975a567f1cf3f4724613
• resource-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager@sha256:c7794be3f764d43b6e9c7eee35abc15ae433ca0d82319a1052ef255095e3f035
• scheduler-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler@sha256:5553f6e2784c3080fe585977efc4cb1f24f8aba74df534c0fd2266cec9318715
• scheduler-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler@sha256:fb5ffbc8d849bd7726ce7b7a28181d777e02b2651476db79c2291e6302e5004a

Helm Charts

• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.142.3
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.142.3
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.142.3

Container (OCI) Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.142.3
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.142.3
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.142.3
• gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.142.3
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.142.3
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.142.3
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.142.3
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.142.3
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.142.3

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[ske-renovate-ce]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 21 additional dependencies were updated

Details:

Package	Change
k8s.io/api	v0.35.4 -> v0.35.5
k8s.io/apiextensions-apiserver	v0.35.4 -> v0.35.5
k8s.io/apimachinery	v0.35.4 -> v0.35.5
k8s.io/client-go	v0.35.4 -> v0.35.5
k8s.io/code-generator	v0.35.4 -> v0.35.5
k8s.io/component-base	v0.35.4 -> v0.35.5
k8s.io/kubelet	v0.35.4 -> v0.35.5
k8s.io/utils	v0.0.0-20260319190234-28399d86e0b5 -> v0.0.0-20260507154919-ff6756f316d2
github.com/fatih/color	v1.18.0 -> v1.19.0
github.com/klauspost/compress	v1.18.5 -> v1.18.6
github.com/perses/perses	v0.53.0 -> v0.53.1
github.com/perses/perses-operator	v0.3.2 -> v0.4.0
github.com/prometheus/client_golang	v1.23.2 -> v1.23.3-0.20260518105423-c9d5bc4c50a9
github.com/prometheus/common	v0.67.5 -> v0.67.6-0.20260224092343-e4c38a0aea47
istio.io/api	v1.29.2 -> v1.29.3
k8s.io/apiserver	v0.35.4 -> v0.35.5
k8s.io/cluster-bootstrap	v0.35.4 -> v0.35.5
k8s.io/component-helpers	v0.35.4 -> v0.35.5
k8s.io/kube-aggregator	v0.35.4 -> v0.35.5
k8s.io/metrics	v0.35.4 -> v0.35.5
k8s.io/pod-security-admission	v0.35.4 -> v0.35.5

[ske-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign breuerfelix for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment