Upgrade Gardener, extensions, and dependencies (#880)

* [ci:component:github.com/gardener/gardener:v1.44.6->v1.50.1] (#832)

* Upgrade github_com_gardener_gardener

from v1.44.6 to v1.50.1

Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com>
Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-2 <gardener.ci.user2@gmail.com>

* upgrade Gardener to v1.50.2

* update Gardener supported feature gates

* Upgrade github_com_gardener_gardener-extension-os-gardenlinux (#867)

from v0.12.0 to v0.14.0

* Upgrade github_com_gardener_gardener-extension-os-ubuntu (#866)

from v1.16.0 to v1.18.0

Co-authored-by: gardener-robot-ci-3 <gardener.ci.user3@gmail.com>

* Upgrade github_com_gardener_gardener-extension-os-suse-chost (#865)

from v1.16.0 to v1.18.0

* [ci:component:github.com/gardener/gardener-extension-provider-openstack:v1.26.3->v1.28.0] (#863)

* Upgrade github_com_gardener_gardener-extension-provider-openstack

from v1.26.3 to v1.28.0

Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com>
Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-1 <gardener.ci.user@gmail.com>

* [ci:component:github.com/gardener/external-dns-management:v0.12.3->v0.13.0] (#858)

* Upgrade github_com_gardener_external-dns-management

from v0.12.3 to v0.13.0

Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-2 <gardener.ci.user2@gmail.com>

* [ci:component:github.com/gardener/gardener-extension-provider-azure:v1.28.1->v1.29.0] (#856)

* Upgrade github_com_gardener_gardener-extension-provider-azure

from v1.28.1 to v1.29.0

Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-1 <gardener.ci.user@gmail.com>

* [ci:component:github.com/gardener/gardener-extension-provider-gcp:v1.22.1->v1.24.0] (#854)

* Upgrade github_com_gardener_gardener-extension-provider-gcp

from v1.22.1 to v1.24.0

Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com>
Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-1 <gardener.ci.user@gmail.com>

* [ci:component:github.com/gardener/gardener-extension-provider-aws:v1.35.0->v1.37.0] (#853)

* Upgrade github_com_gardener_gardener-extension-provider-aws

from v1.35.0 to v1.37.0

Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com>
Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>

* [ci:component:github.com/gardener/gardener-extension-networking-calico:v1.24.3->v1.25.0] (#840)

* Upgrade github_com_gardener_gardener-extension-networking-calico

from v1.24.3 to v1.25.0

Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com>
Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-2 <gardener.ci.user2@gmail.com>

* [ci:component:github.com/gardener/gardener-extension-shoot-cert-service:v1.21.0->v1.23.0] (#833)

* Upgrade github_com_gardener_gardener-extension-shoot-cert-service

from v1.21.0 to v1.23.0

Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-1 <gardener.ci.user@gmail.com>

* [ci:component:github.com/gardener/gardener-extension-provider-vsphere:v0.13.0->v0.17.0] (#849)

* Upgrade github_com_gardener_gardener-extension-provider-vsphere

from v0.13.0 to v0.17.0

Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-3 <gardener.ci.user3@gmail.com>

* [ci:component:github.com/gardener/dashboard:1.56.0->1.60.0] (#844)

* Upgrade github_com_gardener_dashboard

from 1.56.0 to 1.60.0

Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>

* [ci:component:github.com/gardener/terminal-controller-manager:v0.18.0->v0.21.0] (#848)

* Upgrade github_com_gardener_terminal-controller-manager

from v0.18.0 to v0.21.0

Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-1 <gardener.ci.user@gmail.com>

* adapt garden-setup to new Gardener and terminal-controller-manager versions

* make terraform providers arm64 compatible

* upgrade kube-apiserver to v1.20.15 and nginx-ingress-controller to v1.3.0

* Upgrade github_com_gardener_sow (#879)

from 3.5.0 to 3.6.0

Co-authored-by: gardener-robot-ci-2 <gardener.ci.user2@gmail.com>

Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com>
Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com>
Co-authored-by: gardener-robot-ci-2 <gardener.ci.user2@gmail.com>
Co-authored-by: Gardener CI Robot 1 <gardener.ci.user@gmail.com>
Co-authored-by: gardener-robot-ci-3 <gardener.ci.user3@gmail.com>

SOW_VERSION

@@ -1 +1 @@
-3.5.0
+3.6.0

acre.yaml

@@ -27,7 +27,7 @@ landscape:
   versions:
     kube-apiserver:
       image_repo: k8s.gcr.io/kube-apiserver
-      image_tag: v1.19.15
+      image_tag: v1.20.15
     kube-controller-manager:
       image_repo: k8s.gcr.io/kube-controller-manager
       image_tag: (( kube-apiserver.image_tag ))
@@ -179,7 +179,7 @@ landscape:
       repo: https://github.com/kubernetes/ingress-nginx.git
       image_tag: (( valid( tag ) ? substr(tag, length("controller-")) :~~ ))
       image_repo: eu.gcr.io/k8s-artifacts-prod/ingress-nginx/controller
-      tag: (( valid( branch ) -or valid( commit ) ? ~~ :"controller-v1.1.3" ))
+      tag: (( valid( branch ) -or valid( commit ) ? ~~ :"controller-v1.3.0" ))
     nginx-ingress-k8s-backend:
       <<: (( merge ))
       image_tag: "0.9.0"
@@ -606,16 +606,29 @@ validation:
           - ["optionalfield", "HVPAForShootedSeed", ["type", "bool"]]
           - ["optionalfield", "ManagedIstio", ["type", "bool"]]
           - ["optionalfield", "APIServerSNI", ["type", "bool"]]
-          - ["optionalfield", "CachedRuntimeClients", ["type", "bool"]]
           - ["optionalfield", "SeedChange", ["type", "bool"]]
           - ["optionalfield", "SeedKubeScheduler", ["type", "bool"]]
           - ["optionalfield", "ReversedVPN", ["type", "bool"]]
+          - ["optionalfield", "CopyEtcdBackupsDuringControlPlaneMigration", ["type", "bool"]]
+          - ["optionalfield", "ForceRestore", ["type", "bool"]]
+          - ["optionalfield", "ShootCARotation", ["type", "bool"]]
+          - ["optionalfield", "ShootSARotation", ["type", "bool"]]
+          - ["optionalfield", "HAControlPlanes", ["type", "bool"]]
+          - ["optionalfield", "NodeLocalDNS", ["type", "bool"]]
+          - ["optionalfield", "KonnectivityTunnel", ["type", "bool"]]
+          - ["optionalfield", "MountHostCADirectories", ["type", "bool"]]
+          - ["optionalfield", "DisallowKubeconfigRotationForShootInDeletion", ["type", "bool"]]
+          - ["optionalfield", "Logging", ["type", "bool"]]
           - ["optionalfield", "AdminKubeconfigRequest", ["type", "bool"]]
           - ["optionalfield", "UseDNSRecords", ["type", "bool"]]
-          - ["optionalfield", "DisallowKubeconfigRotationForShootInDeletion", ["type", "bool"]]
-          - ["optionalfield", "DisallowKubeconfigRotationForShootInDeletion", ["type", "bool"]]
-          - ["optionalfield", "RotateSSHKeypairOnMaintenance", ["type", "bool"]]
+          - ["optionalfield", "CachedRuntimeClients", ["type", "bool"]]
           - ["optionalfield", "DenyInvalidExtensionResources", ["type", "bool"]]
+          - ["optionalfield", "RotateSSHKeypairOnMaintenance", ["type", "bool"]]
+          - ["optionalfield", "ShootMaxTokenExpirationOverwrite", ["type", "bool"]]
+          - ["optionalfield", "ShootMaxTokenExpirationValidation", ["type", "bool"]]
+          - ["optionalfield", "WorkerPoolKubernetesVersion", ["type", "bool"]]
+          - ["optionalfield", "DisableDNSProviderManagement", ["type", "bool"]]
+          - ["optionalfield", "SecretBindingProviderValidation", ["type", "bool"]]
       - - optionalfield
         - gardenClientConnection
         - - and

components/etcd/backupinfra/provider/abs/main.tf

@@ -3,7 +3,7 @@ provider "azurerm" {
   client_secret   = var.CLIENT_SECRET
   tenant_id       = var.TENANT_ID
   subscription_id = var.SUBSCRIPTION_ID
-  version         = "=2.8"
+  version         = "=2.48"
   features          {}
 }
 
@@ -24,6 +24,7 @@ resource "azurerm_storage_account" "storageAccount" {
   access_tier              = "Hot"
   account_tier             = "Standard"
   account_replication_type = "LRS"
+  min_tls_version          = "TLS1_2"
 }
 
 resource "azurerm_storage_container" "container" {

components/etcd/backupinfra/provider/gcs/main.tf

@@ -16,7 +16,7 @@ provider "google" {
   credentials = var.SERVICEACCOUNT
   project     = var.PROJECT
   region      = var.REGION
-  version     = "=3.20"
+  version     = "=3.63"
 }
 
 //=====================================================================

components/etcd/backupinfra/provider/s3/main.tf

@@ -16,7 +16,7 @@ provider "aws" {
   access_key = var.ACCESS_KEY
   secret_key = var.SECRET_KEY
   region     = var.REGION
-  version    = "=2.60"
+  version    = "=3.30"
 }
 
 //=====================================================================
@@ -25,7 +25,6 @@ provider "aws" {
 
 resource "aws_s3_bucket" "bucket" {
   bucket_prefix = var.BUCKETNAME
-  region        = var.REGION
   force_destroy = true
   tags = {
     Name = var.LANDSCAPE

components/gardencontent/seeds/manifests/seed_manifests.yaml

@@ -223,7 +223,7 @@ gardenletSpec:
           leaseDuration: 15s
           renewDeadline: 10s
           retryPeriod: 2s
-          resourceLock: configmaps
+          resourceLock: configmapsleases
         logLevel: info
         logging:
           <<: (( configValues.config.logging || ~~ ))

components/gardener/virtual/deployment.yaml

@@ -224,7 +224,7 @@ gardener:
             leaderElect: true
             leaseDuration: 15s
             renewDeadline: 10s
-            resourceLock: configmaps
+            resourceLock: configmapsleases
             retryPeriod: 2s
           logLevel: info
           server:

components/ingress-controller/deployment.yaml

@@ -34,7 +34,7 @@ ingresscontroller:
   name: "nginx-ingress"
   namespace: "kube-system"
   flags:
-    deploy: "--kube-version=1.19.0"
+    deploy: "--kube-version=1.20.0"
   values:
     fullnameOverride: (( .ingresscontroller.name ))
     controller:

components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml

@@ -94,6 +94,7 @@ spec:
         - --etcd-certfile=/srv/kubernetes/etcd/client/tls.crt
         - --etcd-keyfile=/srv/kubernetes/etcd/client/tls.key
         - --etcd-servers={{ .Values.etcd.main.endpoints }}
+        - --external-hostname={{ .Values.apiServer.externalHostname }}
 {{ if .Values.etcd.events.endpoints }}
 {{ end }}
         - --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP
@@ -116,7 +117,9 @@ spec:
         - --requestheader-username-headers=X-Remote-User
         - --secure-port=443
         - --service-cluster-ip-range=100.64.0.0/13
+        - --service-account-issuer={{ .Values.apiServer.serviceAccountIssuer }}
         - --service-account-key-file=/srv/kubernetes/service-account-key/service_account.key
+        - --service-account-signing-key-file=/srv/kubernetes/service-account-key/service_account.key
         - --tls-cert-file=/srv/kubernetes/apiserver/tls.crt
         - --tls-private-key-file=/srv/kubernetes/apiserver/tls.key
         - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

components/kube-apiserver/chart/values.yaml

@@ -21,6 +21,7 @@ images:
 replicas: 3
 apiServer:
   hostname: 127.0.0.1
+  externalHostname: api.foo.com
   serviceName: garden-kube-apiserver
   oidcIssuerURL: https://identity.URL
 

components/kube-apiserver/deployment.yaml

@@ -103,6 +103,8 @@ kubeapiserver:
       hostname: (( .settings.apiserver_dns ))
       serviceName: (( name ))
       oidcIssuerURL: (( .imports.identity.export.issuer_url ))
+      externalHostname: (( .settings.apiserver_dns ))
+      serviceAccountIssuer: (( "https://" externalHostname ))
     tls:
       kubeAPIServer:
         ca: (( spec.KeyCert(.state.kube_apiserver_ca) ))

components/terminals/deployment.yaml

@@ -37,7 +37,7 @@ kubectl_sa:
     - apiVersion: v1
       kind: ServiceAccount
       metadata:
-        name: default
+        name: terminal-controller-manager
         namespace: terminal-system
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
@@ -101,7 +101,7 @@ settings:
   namespace: terminal-system                                                                              # terminal controller manager namespace
   kubeconfig_secret_name: garden-kubeconfig-for-admin                                                     # name of admin kubeconfig secret
   kubeconfig_path: (( env.GENDIR "/" kubeconfig_secret_name ".kubeconfig" ))                              # path to admin kubeconfig
-  kubeconfig_secret_path_sa: (( env.GENDIR "/kubectl_sa/sa_default.kubeconfig" ))                         # path to secret manifest for sa kubeconfig
+  kubeconfig_secret_path_sa: (( env.GENDIR "/kubectl_sa/sa_terminal-controller-manager.kubeconfig" ))     # path to secret manifest for sa kubeconfig
   kubeconfig_secret_path_admin: (( env.GENDIR "/kcfg_admin/secret_" kubeconfig_secret_name ".yaml" ))     # path to secret manifest for admin kubeconfig
   repo_path: (( env.GENDIR "/git/repo" ))                                                                 # path to checked-out git repo for easy access
   cert_path: (( repo_path "/config/secret/tls" ))                                                         # path to tls folder in checked-out git repo

dependency-versions.yaml

@@ -3,64 +3,64 @@
     "gardener": {
       "core": {
         "repo": "https://github.com/gardener/gardener.git",
-        "version": "v1.49.4"
+        "version": "v1.50.2"
       },
       "extensions": {
         "dns-external": {
           "repo": "https://github.com/gardener/external-dns-management.git",
-          "version": "v0.12.3"
+          "version": "v0.13.0"
         },
         "networking-calico": {
           "repo": "https://github.com/gardener/gardener-extension-networking-calico.git",
-          "version": "v1.24.3"
+          "version": "v1.25.0"
         },
         "os-coreos": {
           "repo": "https://github.com/gardener/gardener-extension-os-coreos.git",
           "version": "v1.12.0"
         },
         "os-suse-chost": {
           "repo": "https://github.com/gardener/gardener-extension-os-suse-chost.git",
-          "version": "v1.16.0"
+          "version": "v1.18.0"
         },
         "os-ubuntu": {
           "repo": "https://github.com/gardener/gardener-extension-os-ubuntu.git",
-          "version": "v1.16.0"
+          "version": "v1.18.0"
         },
         "os-gardenlinux": {
           "repo": "https://github.com/gardener/gardener-extension-os-gardenlinux.git",
-          "version": "v0.12.0"
+          "version": "v0.14.0"
         },
         "provider-aws": {
           "repo": "https://github.com/gardener/gardener-extension-provider-aws.git",
-          "version": "v1.35.0"
+          "version": "v1.37.0"
         },
         "provider-azure": {
           "repo": "https://github.com/gardener/gardener-extension-provider-azure.git",
-          "version": "v1.28.1"
+          "version": "v1.29.0"
         },
         "provider-gcp": {
           "repo": "https://github.com/gardener/gardener-extension-provider-gcp.git",
-          "version": "v1.22.1"
+          "version": "v1.24.0"
         },
         "provider-alicloud": {
           "repo": "https://github.com/gardener/gardener-extension-provider-alicloud.git",
           "version": "v1.35.0"
         },
         "provider-openstack": {
           "repo": "https://github.com/gardener/gardener-extension-provider-openstack.git",
-          "version": "v1.26.3"
+          "version": "v1.28.0"
         },
         "shoot-cert-service": {
           "repo": "https://github.com/gardener/gardener-extension-shoot-cert-service.git",
-          "version": "v1.21.0"
+          "version": "v1.23.0"
         },
         "shoot-dns-service": {
           "repo": "https://github.com/gardener/gardener-extension-shoot-dns-service.git",
           "version": "v1.21.0"
         },
         "provider-vsphere": {
           "repo": "https://github.com/gardener/gardener-extension-provider-vsphere.git",
-          "version": "v0.14.1"
+          "version": "v0.17.0"
         },
         "runtime-gvisor": {
           "repo": "https://github.com/gardener/gardener-extension-runtime-gvisor.git",
@@ -71,7 +71,7 @@
     "dashboard": {
       "core": {
         "repo": "https://github.com/gardener/dashboard.git",
-        "version": "1.56.0"
+        "version": "1.60.0"
       },
       "identity": {
         "repo": "(( dashboard.core.repo ))",
@@ -80,7 +80,7 @@
       "terminals": {
         "terminal-controller-manager": {
           "repo": "https://github.com/gardener/terminal-controller-manager.git",
-          "version": "v0.18.0"
+          "version": "v0.21.0"
         }
       }
     }