🤖 Update gardener/gardener to v1.139.1 (minor)

[ske-renovate-ce]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gardener/gardener	v1.138.2 → v1.139.1
github.com/gardener/gardener/pkg/apis	v1.138.2 → v1.139.1

---

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.139.1

Compare Source

[github.com/gardener/gardener:v1.139.1]

🐛 Bug Fixes

• [OPERATOR] Fix a bug where the shoot-care controller cannot reconcile shoots with spec.maintenance.confineSpecUpdateRollout=true and updated DNS credentials, i.e. shoot.spec.dns.providers[].credentialsRef, until the shoot is reconciled. by @​vpnachev [#​14444]

🏃 Others

• [OPERATOR] There is now maxConnectionDuration of 1 day for connections to kube-apiserver endpoints. Their maxConnections limit has been removed. by @​oliver-goetz [#​14471]
• [OPERATOR] The following dependencies have been updated:
  • gardener/autoscaler from v1.34.0 to v1.34.1. Release Notes
  • gardener/autoscaler from v1.33.0 to v1.33.1. Release Notes
  • gardener/autoscaler from v1.32.2 to v1.32.3. Release Notes
  • gardener/autoscaler from v1.31.0 to v1.31.1. Release Notes
  • gardener/autoscaler from v1.30.2 to v1.30.3. Release Notes by @​aaronfern [#​14500]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/machine-controller-manager from v0.61.2 to v0.61.3. Release Notes
  • github.com/gardener/machine-controller-manager from v0.61.2 to v0.61.3. by @​gardener-ci-robot [#​14485]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.139.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.139.1
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.139.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.139.1

Container (OCI) Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.139.1
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.139.1
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.139.1
• gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.139.1
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.139.1
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.139.1
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.139.1
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.139.1
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.139.1

v1.139.0

Compare Source

[github.com/gardener/gardener:v1.139.0]

⚠️ Breaking Changes

• [OPERATOR] The type of the Gardenlet's configuration field .controllers.tokenRequestorWorkloadIdentity.tokenExpirationDuration has been changed from time.Duration to k8s.io/apimachinery/pkg/apis/meta/v1.Duration. by @​vpnachev [#​14333]
• [OPERATOR] Garden .status.encryptedResources field is removed, use Garden .status.credentials.encryptionAtRest.resources instead. by @​iypetrov [#​14354]
• [OPERATOR] The raise-spec-limits verb has been removed for NamespacedCloudProfiles because it is no-longer needed. by @​mimiteto [#​14344]
• [USER] ⚠️ The Shoot field .spec.dns.providers[].secretName has been forbidden for clusters running on Kubernetes version v1.35.0 or higher. Please, use .spec.dns.providers[].credentialsRef instead. by @​vpnachev [#​14309]
• [USER] Shoot .status.encryptedResources field is removed, use Shoot .status.credentials.encryptionAtRest.resources instead. by @​iypetrov [#​14354]
• [DEVELOPER] ⚠️ A default reconciliation timeout of 3 minutes has been set for the extension controllers:
  • github.com/gardener/gardener/extensions/pkg/controller/backupbucket
  • github.com/gardener/gardener/extensions/pkg/controller/backupentry
  • github.com/gardener/gardener/extensions/pkg/controller/containerruntime
  • github.com/gardener/gardener/extensions/pkg/controller/controlplane
  • github.com/gardener/gardener/extensions/pkg/controller/dnsrecord
  • github.com/gardener/gardener/extensions/pkg/controller/extension
  • github.com/gardener/gardener/extensions/pkg/controller/healthcheck
  • github.com/gardener/gardener/extensions/pkg/controller/heartbeat
  • github.com/gardener/gardener/extensions/pkg/controller/network
  • github.com/gardener/gardener/extensions/pkg/controller/operatingsystemconfig
    A default reconciliation timeout of 20 minutes has been set for the extension controllers:
  • github.com/gardener/gardener/extensions/pkg/controller/bastion
  • github.com/gardener/gardener/extensions/pkg/controller/infrastructure
  • github.com/gardener/gardener/extensions/pkg/controller/worker
    Extension developers can define own reconciliation timeout via the sigs.k8s.io/controller-runtime/pkg/controller.Options provided to the respective controller. by @​vpnachev [#​14105]
• [DEVELOPER] ⚠️ The deprecated Seed field secretRef in spec.dns.provider has been removed, use credentialsRef instead. by @​vpnachev [#​14308]

📰 Noteworthy

• [OPERATOR] AdminKubeconfigRequest now uses the static username prefix gardener.cloud:admin:, and ViewerKubeconfigRequest uses gardener.cloud:viewer: to generate the username for the resulting kubeconfig. Previously, this prefix was randomized." by @​timuthy [#​14252]
• [DEVELOPER] gardenadm bootstrap etcd version is updated from v3.4.34 to v3.5.27. by @​LucaBernstein [#​14352]
• [DEPENDENCY] During the Shoot reconciliation, control plane and extension readiness is waited for before further system components are reconciled. by @​LucaBernstein [#​14338]

✨ New Features

• [OPERATOR] Deletion of the Garden CRD installed via the gardener-operator Helm chart is now prevented unless annotated with confirmation.gardener.cloud/deletion=true by @​maboehm [#​14373]
• [OPERATOR] A new spec.settings.zoneSelection field on Seed resources allows operators to configure whether the control plane namespace of non-HA Shoots (or those with failure tolerance type node) is placed in the same availability zone as the shoot's worker nodes (Prefer) or strictly required to match (Enforce). by @​rfranzke [#​14238]
• [OPERATOR] The istio-ingressgateway now uses a dual autoscaling approach with both VPA (VerticalPodAutoscaler) and HPA (HorizontalPodAutoscaler) working together without causing pod-thrashing. by @​oliver-goetz [#​14313]
• [OPERATOR] The Gardener Dashboard RBAC now allows listing and watching ManagedSeeds to support newer dashboard functionality around ManagedSeed-related Shoot information. by @​petersutter [#​14321]
• [DEVELOPER] gardener-node-agent can now resolve .spec.files[].content.secretRef from Secrets in kube-system, enabling OperatingSystemConfig files to reference secrets instead of requiring inlined content. by @​rfranzke [#​14319]

🐛 Bug Fixes

• [OPERATOR] A bug causing the nil pointer panic in gardenlet config validation when staleExtensionHealthChecks.threshold is nil is fixed. by @​acumino [#​14317]
• [OPERATOR] An issue preventing the shootstate-controller of gardenlet to populate all required states to the ShootState for a self-hosted Shoot is now fixed. by @​ialidzhikov [#​14339]
• [OPERATOR] An issue causing gardener-operator to fail to create resource events in API group events.k8s.io is now fixed. by @​shafeeqes [#​14327]
• [OPERATOR] A bug causing the gardenlet to crash during startup was fixed. Earlier, the startup procedure occasionally failed on large-scale seed clusters due to cache sync timeouts. by @​timuthy [#​14408]
• [DEVELOPER] The nodePort auto-remediation in the local setup service controller no longer incorrectly targets ClusterIP services. by @​rfranzke [#​14390]

🏃 Others

• [OPERATOR] The .spec.trafficDistribution field of the topology-aware etcd-{events,main}-client Services will be automatically switched from the deprecated PreferClose to the new PreferSameZone option for Kubernetes 1.34+. by @​ialidzhikov [#​14278]
• [OPERATOR] The following dependencies have been updated:
  • gardener/etcd-druid from v0.35.1 to v0.36.1. Release Notes
  • github.com/gardener/etcd-druid/api from v0.35.1 to v0.36.1. by @​Shreyas-s14 [#​14341]
• [OPERATOR] Status updates for Shoot resources during reconciliation are now minimized when the associated Seed is not ready. Previously, this could lead to excessive growth of the gardener's etcd key space. by @​timuthy [#​14377]
• [OPERATOR] Opentelemetry collector migration implemented in gardener - v1.136.0 is no longer needed. by @​nickytd [#​14138]
• [OPERATOR] During the restore phase of control plane migration, Machines and MachineSets are now deployed in parallel across 10 go routines. Additionally, the restoration logic now checks if a Machine or MachineSet already exists, and if that is the case, it does not attempt to create it. This should speed up the restoration of the Worker resource. by @​plkokanov [#​14219]
• [OPERATOR] Now victorialogs streams follow opentelemetry semantic convention fields. by @​nickytd [#​14381]
• [OPERATOR] victoria-logs pods are now labeled according oidc-apps semantic. by @​nickytd [#​14325]
• [OPERATOR] Unused bootstrap secrets from the gardener-resource-manager are cleaned up properly. Earlier, the shoot reconciliation left a considerable amount of unused secrets in the control-plane, if the GRM bootstrap procedure was stuck. by @​timuthy [#​14343]
• [OPERATOR] Fix Istio Gateway metric retention and reenable metric scraping. by @​Bobi-Wan [#​14337]
• [OPERATOR] apiserver-proxy connection for shoots with legacy single-dash namespace format has been fixed. by @​axel7born [#​14406]
• [OPERATOR] Timeout for credentials renewal during rotation of Garden secrets was increased to 10 minutes. by @​dimityrmirchev [#​14433]
• [OPERATOR] The v1alpha1 perses CRDs are deleted and replaced with v1alpha2 versions during reconciliation. by @​rickardsjp [#​14264]
• [USER] VPN Dashboard now displays the pod name in the legend for the VPN Shoot Network I/O panel by @​domdom82 [#​14393]
• [DEVELOPER] The remote local setup has been updated to the latest changes in Gardener. by @​vicwicker [#​14289]
• [DEVELOPER] Added hack/generate-renovate-ignore-deps.sh to generate the renovate ignoreDeps section from the intersection of a downstream repo's go.mod and gardener/gardener's go.mod. Downstream repos can now remove their local copies and call the script from $GARDENER_HACK_DIR. by @​LucaBernstein [#​14425]
• [DEVELOPER] Remote setup garden template has been updated with gardenerDiscoveryServer configuration by @​domdom82 [#​14306]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/ingress-nginx/controller-chroot from v1.15.0 to v1.15.1. by @​gardener-ci-robot [#​14363]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/ingress-nginx/controller-chroot from v1.14.3 to v1.15.0. by @​gardener-ci-robot [#​14267]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/coredns/coredns from v1.14.1 to v1.14.2. by @​gardener-ci-robot [#​14290]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.83.8 to 1.83.9. Release Notes by @​gardener-ci-robot [#​14312]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/brancz/kube-rbac-proxy from v0.21.0 to v0.21.1. by @​gardener-ci-robot [#​14332]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.83.9 to 1.83.10. Release Notes by @​gardener-ci-robot [#​14380]
• [DEPENDENCY] The following dependencies have been updated:
  • europe-docker.pkg.dev/gardener-project/releases/gardener/fluent-bit-plugin from v1.2.0 to v1.4.0. by @​nickytd [#​14357]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/brancz/kube-rbac-proxy from v0.21.1 to v0.21.2. by @​gardener-ci-robot [#​14382]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/ingress-nginx/controller-chroot from v1.14.4 to v1.14.5. by @​gardener-ci-robot [#​14362]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/vpn2 from 0.47.0 to 0.48.0. Release Notes by @​gardener-ci-robot [#​14374]
• [DEPENDENCY] The following dependencies have been updated:
  • perses/perses from v0.53.0 to v0.53.1. Release Notes by @​gardener-ci-robot [#​14307]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/dashboard from 1.83.10 to 1.83.11. Release Notes by @​gardener-ci-robot [#​14438]
• [DEPENDENCY] The following dependencies have been updated:
  • gcr.io/istio-release/pilot from 1.27.7 to 1.27.8.
  • gcr.io/istio-release/proxyv2 from 1.27.7 to 1.27.8.
  • istio.io/api from v1.27.7 to v1.27.8. by @​gardener-ci-robot [#​14280]

📖 Documentation

• [DEPENDENCY] Extension admission components deployed via gardener-operator should set the --webhook-config-owner-namespace flag to prevent ValidatingWebhookConfiguration resources from leaking in the virtual garden cluster upon uninstall. by @​theoddora [#​14360]

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.139.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.139.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.139.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.139.0

Container (OCI) Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.139.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.139.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.139.0
• gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.139.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.139.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.139.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.139.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.139.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.139.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[ske-renovate-ce]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 68 additional dependencies were updated

Details:

Package	Change
github.com/gardener/etcd-druid/api	v0.35.1 -> v0.36.1
k8s.io/api	v0.35.2 -> v0.35.3
k8s.io/apiextensions-apiserver	v0.35.2 -> v0.35.3
k8s.io/apimachinery	v0.35.2 -> v0.35.3
k8s.io/client-go	v0.35.2 -> v0.35.3
k8s.io/code-generator	v0.35.2 -> v0.35.3
k8s.io/component-base	v0.35.2 -> v0.35.3
k8s.io/kubelet	v0.35.2 -> v0.35.3
k8s.io/utils	v0.0.0-20260210185600-b8788abfbbc2 -> v0.0.0-20260319190234-28399d86e0b5
github.com/BurntSushi/toml	v1.5.0 -> v1.6.0
github.com/bmatcuk/doublestar/v4	v4.9.1 -> v4.10.0
github.com/brunoga/deep	v1.2.5 -> v1.3.1
github.com/go-openapi/jsonpointer	v0.22.1 -> v0.22.4
github.com/go-openapi/jsonreference	v0.21.2 -> v0.21.4
github.com/go-openapi/swag	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/cmdutils	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/conv	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/fileutils	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/jsonname	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/jsonutils	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/loading	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/mangling	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/netutils	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/stringutils	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/typeutils	v0.25.1 -> v0.25.4
github.com/go-openapi/swag/yamlutils	v0.25.1 -> v0.25.4
github.com/google/cel-go	v0.26.1 -> v0.27.0
github.com/google/gnostic-models	v0.7.0 -> v0.7.1
github.com/labstack/echo/v4	v4.13.4 -> v4.15.1
github.com/perses/common	v0.27.1-0.20250326140707-96e439b14e0e -> v0.30.2
github.com/perses/perses	v0.51.0 -> v0.53.0
github.com/perses/perses-operator	v0.2.0 -> v0.3.2
github.com/prometheus/procfs	v0.19.2 -> v0.20.1
github.com/sirupsen/logrus	v1.9.3 -> v1.9.4
github.com/zitadel/oidc/v3	v3.38.1 -> v3.45.4
github.com/zitadel/schema	v1.3.1 -> v1.3.2
go.opentelemetry.io/contrib/otelconf	v0.21.0 -> v0.22.0
go.opentelemetry.io/otel	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc	v0.17.0 -> v0.18.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.17.0 -> v0.18.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/exporters/prometheus	v0.63.0 -> v0.64.0
go.opentelemetry.io/otel/exporters/stdout/stdoutlog	v0.17.0 -> v0.18.0
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/exporters/stdout/stdouttrace	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/log	v0.17.0 -> v0.18.0
go.opentelemetry.io/otel/metric	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/sdk	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/sdk/log	v0.17.0 -> v0.18.0
go.opentelemetry.io/otel/sdk/metric	v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/trace	v1.41.0 -> v1.42.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260209200024-4cfbd4190f57 -> v0.0.0-20260226221140-a57be14db171
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260209200024-4cfbd4190f57 -> v0.0.0-20260226221140-a57be14db171
google.golang.org/grpc	v1.79.1 -> v1.79.3
helm.sh/helm/v3	v3.19.5 -> v3.20.1
istio.io/api	v1.27.7 -> v1.27.8
k8s.io/apiserver	v0.35.2 -> v0.35.3
k8s.io/cluster-bootstrap	v0.35.2 -> v0.35.3
k8s.io/component-helpers	v0.35.2 -> v0.35.3
k8s.io/kube-aggregator	v0.35.2 -> v0.35.3
k8s.io/kube-openapi	v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260127142750-a19766b6e2d4
k8s.io/metrics	v0.35.2 -> v0.35.3
k8s.io/pod-security-admission	v0.35.2 -> v0.35.3
sigs.k8s.io/structured-merge-diff/v6	v6.3.2-0.20260122202528-d9cc6641c482 -> v6.3.2

[dergeberl]

/retest

[ske-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dergeberl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dergeberl]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ske-prow]

LGTM label has been added.

Details

Git tree hash: b03b9ce8064bac9899f75f3ff3a6f4bc20c3cb2e