Bump github.com/gardener/gardener from 1.21.0 to 1.22.0

[dependabot]

Bumps github.com/gardener/gardener from 1.21.0 to 1.22.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.22.0

[gardener]

⚠️ Breaking Changes

• [OPERATOR] There are now dedicated ClusterRoles for the gardener-apiserver and gardener-controller-manager. As the roleRef fields of the binding ClusterRoleBindings are immutable, also the names of the ClusterRoleBindings have been changed. When you apply this version of Gardener then you have to make sure to cleanup the old resources that will be still left in your system be running the following command: (#3975, @​rfranzke)
  • kubectl delete clusterrolebinding/gardener.cloud:apiserver:admin clusterrolebinding/gardener.cloud:controller-manager:admin clusterrole/gardener.cloud:system:gardener-scheduler clusterrolebinding/gardener.cloud:system:gardener-scheduler --ignore-not-found --wait=false
• [OPERATOR] The .gardener.garden.identity value (deprecated with v1.11.0) is removed and no longer passed to the Helm chart values of ControllerInstallations. Gardener operators have to make sure to update affected provider extensions accordingly. (#3941, @​rfranzke)
• [OPERATOR] Gardener API server does no longer allow creating a Seed and ManagedSeed with . (dot) in the name. Before upgrading to this version of Gardener, make sure that you don't have Seed or ManagedSeed with . (dot) in the system. (#3927, @​ialidzhikov)
• [OPERATOR] The legacy garden/gardener-controller-manager-internal-config ConfigMap is now deleted on start-up of gardener-controller-manager. Please ensure that you run at least v1.20 of your gardenlets before upgrading to this version. (#3888, @​rfranzke)
• [DEVELOPER] Because of the new optional field spec.machineTypes[].storage.minSize, spec.machineTypes[].storage.size is now optional as well. Please perform a nil check before accessing this field. (#3976, @​timuthy)

✨ New Features

• [OPERATOR] A new field minSize has been added to spec.volumeTypes[] and spec.machineTypes[].storage of the CloudProfile. It allows to configure the minimum allowed size of a volume configured for shoots (shoot.spec.workers[].volume.size). (#3976, @​timuthy)
• [OPERATOR] It is now possible to set custom values for kube-controller-manager --node-monitor-grace-period via .spec.kubernetes.kubeControllerManager.nodeMonitorGracePeriod (should not be less than 2m). (#3947, @​mwennrich)
• [OPERATOR] The Gardenlet supports a new ReversedVPN feature gate (disabled by default). If enabled, the network connection between the shoot control plane in the seed and the shoot worker nodes will be established from shoot to seed instead of seed to shoot like earlier. Furthermore, in this case the additional "vpn-shoot" load balancer in the shoot cluster will no longer be required. Please note that the feature is in alpha state and might be promoted in future Gardener releases. (#3812, @​DockToFuture)
  • This feature allows seed and shoot clusters to operate in different network domains. Only the shoot clusters need to be able to establish connections to the seed clusters. The other direction is not required.
  • ReversedVPN only works if APIServerSNI is enabled.
  • Apart from the feature gate, which enables/disables the feature per gardenlet for all managed shoot clusters, it is also possible to enable/disable the functionality on a per shoot basis. The shoot cluster annotation alpha.featuregates.shoot.gardener.cloud/reversed-vpn can be used for this purpose.
  • Please note that this feature is only compatible with Kubernetes >= 1.18. Clusters with older Kubernetes releases will continue to use the previous approach, i.e. the standard VPN-based tunnel.

🐛 Bug Fixes

• [OPERATOR] An issue has been fixed which could cause Projects not to be reconciled immediately when corresponding RoleBindings were changed. (#3985, @​timebertt)
• [OPERATOR] The restoration flow for the Worker resource no longer enters a “rolling update” loop which was causing the restoration flow to take too much time. (#3970, @​kris94)
• [OPERATOR] The ManagedSeed controller no longer watches secrets in the garden cluster. (#3939, @​stoyanr)
• [OPERATOR] Migration and restoration of extensions.gardener.cloud.BackupEntry resources is now handled by the BackupEntry controller in the gardenlet. (#3880, @​plkokanov)
• [OPERATOR] The core.gardener.cloud.BackupEntry resource is no longer reconciled multiple times in a row. (#3880, @​plkokanov)
• [OPERATOR] Fixes a possible caching issue by directly returning an error when updating the Shoot.Status to reflect the start of a reconcile, restore or migrate operation, instead of retrying the update on conflict. (#3845, @​plkokanov)

🏃 Others

• [USER] The following image is updated: (#3944, @​ialidzhikov)
  • k8s.gcr.io/metrics-server/metrics-server: v0.4.2 -> v0.4.3 (see CHANGELOG)
• [USER] Grafana is upgraded to version 7.5.4 (#3891, @​Kristian-ZH)
• [OPERATOR] istio-ingressgateway memory limit is increased to 2560Mi (#3984, @​dguendisch)
• [OPERATOR] Error code detection has been improved and is now enabled for more steps in the shoot reconciliation, deletion and migration. (#3969, @​timuthy)
• [OPERATOR] The kube-scheduler VPA does now specify minAllowed values to prevent too low resource recommendations from VPA that lead to OOM. (#3966, @​ialidzhikov)
• [OPERATOR] gardener-resource-manager now uses the default leader election settings again (retries leader election every 2s). (#3964, @​timebertt)
• [OPERATOR] New alert FluentBitIdleInputPlugins for idle fluent-bit pods. (#3943, @​vlvasilev)
• [OPERATOR] Ensure gardener-resource-manager is present during hibernation. (#3926, @​timebertt)
• [OPERATOR] It is now possible to specify the shoot purpose as infrastructure and to leave the machine image version empty in a ManagedSeedSet's shootTemplate. (#3924, @​stoyanr)
• [OPERATOR] It is now possible to trigger an immediate reconciliation of a ManagedSeedSet by adding the annotation gardener.cloud/operation=reconcile. (#3922, @​stoyanr)
• [OPERATOR] Gardener now finalizes all VolumeAttachments on hibernation to unblock hibernation of clusters with custom CSI drivers. (#3916, @​timebertt)
• [OPERATOR] ManagedSeedSets can now be scaled via the scale command, e.g. kubectl scale mss/my-seeds --replicas 3 (#3911, @​stoyanr)
• [OPERATOR] Add HVPA for all prometheus instances managed by seed-bootstrap (#3903, @​wyb1)
• [OPERATOR] Loki is upgraded to version 2.2.1 and Fluent-bit to 1.7.3 (#3891, @​Kristian-ZH)
• [DEPENDENCY] The Terraformer library now conducts the Pod's termination message for improved readability of error messages. (#3950, @​timebertt)

📰 Noteworthy

• [USER] Shoot operations that error due to cloud provider rate limit exceeded errors are now classified with the new ERR_INFRA_REQUEST_THROTTLING error code. Previously these errors were classified as ERR_INFRA_QUOTA_EXCEEDED and they were no longer retried. There is now a new control loop in GCM that is responsible for retrying such failed Shoots due to rate limit exceeded errors. (#3925, @​ialidzhikov)
• [DEVELOPER] When using the local garden development environment, the Gardener components do now use dedicated kubeconfigs constrained by RBAC rules (earlier, they were always using the admin kubeconfig). (#3901, @​rfranzke)

[gardener-resource-manager]

⚠️ Breaking Changes

• [OPERATOR] The default leader election resource lock of gardener-resource-manager has been changed from configmapsleases to leases. (Switch leader election to leases gardener-attic/gardener-resource-manager#119, @​timebertt)
  • Please make sure, that you had at least gardener-resource-manager@v0.22 running before upgrading to v0.24, so that it has successfully required leadership with the hybrid resource lock (configmapsleases) at least once.

[vpn2]

📰 Noteworthy

... (truncated)

Commits

• 90c39dd Release v1.22.0
• 2565b86 fixed external alertmanager mtls doc example - added missing required field t...
• 5307571 Merge pull request #3988 from voelzmo/more-inclusive-language
• 26afd86 Fix apiserver docs to use more inclusive language
• f731492 increase istio ingressgateway memory limits (#3984)
• 99ca5aa Merge pull request #3986 from timebertt/fix/local-rbac
• dd3a3c6 Parse the webhook URL to detect and remove port given for SAN (#3959)
• b65f719 Add missing cloudprofile permission for scheduler
• b013b1f Don't use KUBECONFIG if set in start-* scripts
• 0f78114 Merge pull request #3985 from timebertt/fix/gcm-field-selector
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)