[ci:component:github.com/gardener/gardener:v1.18.1->v1.19.2]

[gardener-robot-ci-3]

*Release Notes:

Infrastructure dependency errors containing the `RetryableError` will not stop automatic reconciliation attempts.

An issue causing causing the deletion of hibernated Shoot to fail is now fixed.

A transient error which may occur when a hibernated shoot cluster is woken up again right away has been fixed.

Fix a bug where the `gardenlet` was not updating the `allow-to-seed-apiserver` network policy with the IP address of the seed's API server when the `APIServerSNI` feature gate is just enabled.

`istio-ingressgateway` memory limit is increased to `2048Mi`

An issue causing nil pointer dereference in the extension library is now fixed.

The default leader election resource lock of `gardener-controller-manager`, `gardener-scheduler` and `gardenlet` has been changed to `leases`.
Please make sure, that the components have permissions to create, get, watch and update `leases.coordination.k8s.io` in the respective clusters.
And please make sure, that you had at least `gardener@v1.17` running before upgrading to `v1.19`, so that all components have successfully required leadership with the hybrid resource lock (`configmapsleases`) at least once.

Every shoot worker node now randomly delays the execution of the cloud-config user data by up to `5m` (earlier, the maximum delay was ~`30s`). This is to prevent too many systemd unit restarts (e.g., kubelet restarts) at the ~same time when there is a change (e.g., a Kubernetes patch version update).

The `istiod` deployment in the `istio-system` namespace now has replicas set to 2 and can be properly scaled by its corresponding VPA.

Added resource requests and limits to the `apiserver-proxy-pod-mutator` container which should allow the corresponding HPA to properly read CPU metrics from the `kube-apiserver` when SNI is enabled.

The golang base image is updated to `1.15.9`. The alpine base image is updated to `3.13.2`.

Allow ingress traffic to coredns from a pod running with `hostNetwork: true` and `dnsPolicy: ClusterFirstWithHostNet`

A bug preventing seed deletion to hang due to already deleted CRD `etcds.druid.gardener.cloud` is now fixed.

An issue preventing kube-controller-manager to approve the CSR for kubelet certificate renewal is now fixed.

VPA minAllowed configuration for metrics-server.

An issue causing gardenlet to fail to remove the finalizer of the Seed Secret (`.spec.secretRef`) is now fixed.

Increase CoreDNS memory limits to avoid OOMKill.

An issue preventing the status of the BackupBucket to be properly updated is now fixed.

When a shoot is erroring with `ERR_INFRA_INSUFFICIENT_PRIVILEGES`, `ERR_INFRA_QUOTA_EXCEEDED` or `ERR_INFRA_DEPENDENCIES` then it is now immediately set to the `Failed` status (this already happens also for `ERR_INFRA_UNAUTHORIZED` or `ERR_CONFIGURATION_PROBLEM`). This prevents Gardener from automatically retrying the operation. If you are hit by it, please manually retry the operation once you have resolved the issue.

The GEP [template](https://github.com/gardener/gardener/blob/master/docs/proposals/00-template.md) and [process description](https://github.com/gardener/gardener/blob/master/docs/proposals/README.md) was updated. Please take a few minutes to familiarize yourself with the latest changes before working on a GEP.

Some issues with hanging `ControllerInstallations` have been resolved, that caused the `Seed` deletion to deadlock and required manual cleanup.

⚠️ Go dependencies to `kubernetes/*` and `kubernetes-sigs/controller-runtime` were updated to `v0.20.2` and `v0.8.3` respectively.

A new error code for retryable configuration problems (for example misconfigured PodDisruptoinBudget that does not allow voluntary Pod evictions) is now added.

The `ManagedIstio` and `APIServerSNI` feature gates in the `gardenlet` have been promoted to beta and are now enabled by default. If you run your own istio installation then you have to disable the `ManagedIstio` feature gate (and probably also the `APIServerSNI`) in your gardenlet configurations.

`extensions/pkg/controller/controlplane/genericactuator.Actuator` can now use a separate ManagedResource for ControlPlane CRDs that are installed in the Shoot cluster to separate the deletion of CRDs from the deletion of the RBAC for controller leader election.

[gardener-robot]

@gardener-robot-ci-3 Thank you for your contribution.