
[ci:component:github.com/gardener/gardener:v1.50.2->v1.53.2] #872

Merged
merged 1 commit into from
Sep 6, 2022

Conversation

gardener-robot-ci-1
Copy link
Contributor

Release Notes:

Add Bastion config validator
The kubeReserved and systemReserved specs of workers are now validated against the node allocatable resources of the corresponding machine type.
Removed unnecessary `PATCH` to `machine.status.node` during restoration of machine objects.
Fixed an issue that could cause a `Shoot`'s control plane namespace to be orphaned. This could happen when control plane migration is triggered, but does not start because the destination `Seed` is not `Ready` yet, and meanwhile the `Shoot` is deleted.
A shoot `event-logger` is introduced, which collects logs from shoot `control-plane` and shoot `kube-system`.
- Events older than 5 seconds are omitted. Thus, when the event logger is restarted, it will only repeat the logs of a few recent events.
- The version of the event logger is well formatted and accurate.
The following images are updated:
- registry.k8s.io/kube-state-metrics/kube-state-metrics: v1.9.7 -> v2.1.1 (for kubernetes < 1.20)
- registry.k8s.io/kube-state-metrics/kube-state-metrics: v1.9.7 -> v2.5.0 (for kubernetes >= 1.20)
Gardenlet now uses PriorityClass: gardener-system-critical
The `SecretBindingProviderValidation` feature gate of `gardener-apiserver` is now promoted to beta and enabled by default. This enables the following validations:
- requires the provider type of a `SecretBinding` to be set (on `SecretBinding` creation)
- requires the `SecretBinding` provider type to match the `Shoot` provider type (on `Shoot` creation)
- enforces immutability on the provider type of a `SecretBinding`
The GA-ed or deprecated `ShootMaxTokenExpiration{Overwrite,Validation}` and `RotateSSHKeypairOnMaintenance` feature gates have been removed.
Updated vertical-pod-autoscaler to v0.11.0
A new testing strategy and developer guideline has been added. Make sure to check out the [document](https://github.com/gardener/gardener/blob/master/docs/development/testing.md#writing-test-machinery-tests) if you want to learn more about the different kinds of tests we use and how to best write them!
The recent changes to the "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config".HealthCheckConfig type that added client configuration settings are now reverted.
The Shoot spec now supports selecting scheduling profiles. Apart from the "balanced" (aka "default") profile it is possible to configure a `bin-packing` profile (alpha feature). For more details see the [usage docs](https://github.com/ialidzhikov/gardener/blob/75d786fcecf3ddf52ca29947fab777d1e40d389d/docs/usage/shoot_scheduling_profiles.md).
The `ShootCARotation` and `ShootSARotation` feature gates have been promoted to beta and are now enabled by default. Make sure that all provider extensions registered to your system support these features before upgrading to this Gardener version.
The minimum Kubernetes version for garden and seed clusters is now `1.20`. Make sure to upgrade your clusters to at least `1.20` before deploying this Gardener version.
Update istio to v1.14.1.
Allow passing custom REST configuration settings (QPS, Burst, Timeout) to extension shoot clients.
Extension health check types are moved from `github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config` to `github.com/gardener/gardener/extensions/pkg/apis/config`
A bug has been fixed which prevented automatic remediation of webhooks in case there was at least one webhook with `failurePolicy=Ignore`.
The new `ShootNodeLocalDNSEnabledByDefault` admission plugin of the `gardener-apiserver` (disabled by default) controls whether the `.spec.systemComponents.nodeLocalDNS.enabled` field for newly created `Shoot` resources is defaulted to `true`. Existing `Shoot`s are not modified. `Shoot`s can still explicitly disable the node local DNS cache by setting `.spec.systemComponents.nodeLocalDNS.enabled=false`. See [this document](https://github.com/gardener/gardener/blob/master/docs/concepts/apiserver_admission_plugins.md#shootnodelocaldnsenabledbydefault).
A GEP proposing changes to support HA Shoot control planes is now added.
Gardener extensions which contain a worker controller need to implement functions: `PreReconcileHook`, `PostReconcileHook`, `PreDeleteHook`, `PostDeleteHook`. The functions `DeployMachineDependencies` and `CleanupMachineDependencies` are now deprecated and will be removed in a future release. The logic of those deprecated functions can be moved to the respective pre/post hook functions.
`provider-local` does now support `ManagedSeed`s in the `Skaffold`-based environment.
It is now possible to provide additional `containerd` configuration for shoot worker nodes, please take a look at [this document](https://github.com/gardener/gardener/blob/master/docs/usage/custom-containerd-config.md) for more information.
The TestMachinery-based `ManagedSeed` tests (including the related `TestDefinition`s in the `.test-defs` directory) have been deleted in favor of new e2e tests.
The following images are updated:
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.20.1` -> `v1.20.2` (for Kubernetes `< 1.21`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.1` -> `v1.21.2` (for Kubernetes `1.21`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.1` -> `v1.22.2` (for Kubernetes `>= 1.22`)
Strict schema validation is now performed for VerticalPodAutoscaler resources.
Golang version is updated to 1.18.4
Differentiate the vpa metrics for the seed and control planes to avoid conflicts in prometheus when the recording rules are evaluated.
If a resource in the `ManagedResource` is annotated with `resources.gardener.cloud/skip-health-check=true` then the resource will be skipped during health checks by the health controller. The ManagedResource conditions will not reflect the health condition of this resource anymore. The `ResourcesProgressing` condition will also be set to `False`.
Downloading several tools via `./hack/tools.mk` has been fixed for ARM64 based Linux machines.
Update envoy proxy to v1.21.4 (used in reversed vpn and apiserver-proxy)
gardenlet's base image is updated from `alpine:3.15.4` to `alpine:3.16.0`.
`hack/install-requirements.sh` is removed. You can use `hack/tools.mk` to install tools needed for development and CI.
The machine image defaulting does now work based on the CPU architecture of the machine in a given worker pool.
The `Shoot` maintenance controller has been enhanced to auto-update the machine image of the worker pool in a `Shoot` based on the CPU architecture of the machines.
Additional dashboards for monitoring conntrack insertion failures most likely due to conntrack races
All `Actuator` interfaces for extension controllers have been extended and now receive a `logr.Logger` passed from the reconciler with the proper context of the reconciled object.
Gardener's component configuration APIs have been changed in the following breaking ways:
- `kubernetesLogLevel` has been removed from all component configs
- `ControllerManagerConfiguration.server.http` has been split into `server.{healthProbes,metrics}` (health endpoints and metrics are now served on different ports)
- `ControllerManagerConfiguration.server.https` has been removed
`gardener-controller-manager` serves health endpoints and metrics on different ports now. Adapt your scrape configs accordingly to port `metrics`.
The loki/telegraf container no longer runs in privileged mode.
The following images are updated:
- quay.io/prometheus/blackbox-exporter: v0.20.0 -> v0.21.1
`metric-server` image is updated to `v0.6.1`
Fix an issue where the HVPA would set Requests higher than Limits if `ControlledValues: RequestsOnly` is set
Published docker images for HVPA-Controller are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.
The `DisableDNSProviderManagement` feature gate has been promoted to GA and is now unconditionally enabled. If the `shoot-dns-service` extension is deployed, please make sure the following prerequisites are given for a smooth transition:
 - The `shoot-dns-service` extension must be installed in a version >= `v1.20.0`.
 - The controller deployment of the `shoot-dns-service` sets `providerConfig.values.dnsProviderManagement.enabled=true`
 - Its admission controller (`gardener-extension-admission-shoot-dns-service`) is deployed on the garden cluster
 - the `dns-external` extension must still be installed
The vpn-seed-server/vpn-seed-server container no longer runs in privileged mode.
VPN shoot client can now be run with a privileged init container and a non-privileged runtime container
The vpn-shoot/vpn-shoot container no longer runs in privileged mode (when the ReversedVPN feature gate is enabled). As it still needs to modify some kernel settings, this part is moved to an init container that still has to run in privileged mode, but the risk to cluster security is minimal because of the ephemeral nature of init containers.
The GA-ed `WorkerPoolKubernetesVersion` feature gate is now removed.
Some signatures in `pkg/controllerutils/mapper` have changed to support the simple injection of a proper context and logger.
Fixed a bug that prevented Shoots from being able to use `expander: priority` for cluster-autoscaler
The `apiserver-proxy-pod-webhook` now uses `distroless` instead of `alpine` as a base image.
Minimize apiserver-proxy-sidecar image by using a scratch image.
The `API Server` dashboard in Grafana now shows the actual DB size per instance (`etcd-main`, `etcd-events`). Earlier those values were summed up and distorted if more than one kube-apiserver replica existed in the control plane.
vpn-seed-server and vpn-shoot-client container images now contain only a reduced set of binaries/libraries.
The already deprecated `shoot.gardener.cloud/use-as-seed` annotation (since v1.18.0) is no longer supported for creating Shooted Seed clusters. Please check the following [documentation](https://github.com/gardener/gardener/blob/v1.51.0/docs/usage/managed_seed.md#migrating-from-the-use-as-seed-annotation-to-managedseeds) on how to migrate from the `use-as-seed` annotation to `ManagedSeeds`. Before updating to this version of Gardener, make sure that you migrated to `ManagedSeeds` and that you no longer have usages of the `use-as-seed` annotation on the landscape.
A warning in vpn-shoot about the private key being group/other accessible is now addressed.
livenessProbe of etcd container has been updated to `ETCDCTL_API=3 etcdctl get foo --consistency=s` making the consistency `serializable`.
failureThreshold has been updated to `5` for both livenessProbe and readinessProbe of etcd.
The `etcd-druid` now uses `distroless` instead of `alpine` as a base image.
`etcd-druid` will now also add statefulset permissions to the etcd role
Published docker images for Etcd-Druid are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.
Added a new condition `BackupReady` to the etcd status
Published docker images for Etcd-Backup-Restore are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.
The Etcd-Backup-Restore image has been updated to `Alpine 3.15.4`.
Added new package `membergarbagecollector` to remove superfluous members from the ETCD cluster. Due to this, etcd-backup-restore now needs permissions to list `pods` and `statefulsets`.
Added new package `membergarbagecollector` to remove superfluous members from the ETCD cluster.
Etcd can now scale up itself from a single member cluster to a multi member cluster
Published docker images for Etcd-Custom-Image are now multi-arch ready. They support linux/amd64 and linux/arm64.
Added pod permission in etcd_role that now enables `etcd-backup-restore` to get/list/watch pods
Fixed a bug where etcd calls related to multi node operation were used in single node operation
Temp fix: skip the single member restoration if data-dir found to be invalid.
Fixed a bug in the Scaleup feature in func `IsMemberInCluster()` which could cause the Scaleup feature to fail.
Assigned the correct Peer address to the Etcd after it restores from backup-bucket.
No attempt is made to update member Peer URL when trying to promote a member
The Loki, Prometheus, and the VPN seed server envoy proxy parsers parse timezone and milliseconds from the timestamp.
The Gardener API server now enforces the following configuration options for ManagedSeed resources:
1. The vertical pod autoscaler should be enabled from the Shoot specification.
2. The nginx-ingress addon should not be enabled for a Shoot referred by a ManagedSeed.

Before upgrading to this version of Gardener make sure that all ManagedSeeds and the Shoots they refer to conform to the newly enforced configuration options.
A bug that prevented Shoot deletion when the OS image version or kubernetes version was beyond its expiration date is now fixed.
Add missing sleep command to minimized container image.
Switched openvpn topology to subnet and ensured that the chosen cipher is always selected.
It is now possible to disable an admission plugin for the shoot kube-apiserver in the `ShootSpec` by setting the AdmissionPlugin.Disabled field to `true`.
An issue causing a panel in the `Node/Worker Pool Overview` dashboard to fail to load due to invalid query is now fixed.
A bug causing `gardenlet` to panic in case of a shoot using a namespace which doesn't have the required project label is fixed.
Owner checks (which are used by the `backup-restore` sidecar to determine whether the owner domain name resolves to the specified owner ID and if not, take a final full snapshot and disable the cluster), will no longer be enabled by `gardenlet`, if the `HAControlPlanes` feature gate is enabled, the `Shoot` is annotated with `alpha.control-plane.shoot.gardener.cloud/high-availability` and the `Shoot`'s ETCDs are started as a cluster (with more than 1 replica).
Updating CRD for `DNSEntries` to allow specifying routing policy
`node-problem-detector` image is updated from `k8s.gcr.io/node-problem-detector/node-problem-detector:v0.8.7` to `eu.gcr.io/gardener-project/3rd/node-problem-detector:v0.8.10-gardener.1`.
The node-exporter is configured to collect filesystem metrics for the /run mount point.
The following image is updated:
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.22.2` -> `v1.23.1` (for Kubernetes >= `1.23`)
The `SecretBindingProviderValidation` feature gate of `gardener-apiserver` is promoted to GA and is now unconditionally enabled.
A bug causing `gardenlet` helm chart deployment to fail is fixed.
Add option to disable gardener shoot monitoring
A bug has been fixed for HA shoots and their underlying etcd clusters. In some occasions, Gardenlet didn't wait for changes to be completely rolled out to etcd. Especially in combination with the CA-rotation feature this could cause the cluster being stuck in an unrecoverable state.
A bug is fixed which allowed dependency-watchdog to not ignore scaling operations on deployments which are not enabled/deployed in a given cluster
A bug with uploading of a rotated dependency-watchdog-probe secrets is now fixed by refreshing the clients with updated secrets.
Switch default leader election resource lock for `dependency-watchdog` from `endpointsleases` to `leases`.
A dependent's scaling up/down can be ignored by DWD now by adding the annotation `dependency-watchdog.gardener.cloud/ignore-scaling` to the deployment
Published docker images for Dependency-Watchdog are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.
The `dependency-watchdog` now uses `distroless` instead of `alpine` as a base image.
DWD client shall no longer use long running TCP connections when attempting to probe Kube ApiServer via internal endpoint.
K8s dependencies are upgraded to v0.24.3 to adopt a fix in the `k8s.io/apiserver` module for a bug that causes gardener-apiserver to not always return the expected result when the client requests resources with the `--selector` / `--field-selector` flags.
Latency metrics of the proxy subresource are not considered for the KubeApiServerLatency alert and API Server / Request Latency dashboard panel.
The following images are updated:
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.20.2` -> `v1.20.3` (for Kubernetes `1.20`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.2` -> `v1.21.3` (for Kubernetes `1.21`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.22.2` -> `v1.22.3` (for Kubernetes `1.22`)
The node-local-dns/node-cache container no longer runs in privileged mode.
The `SeedChange` and `CopyEtcdBackupsDuringControlPlaneMigration` feature gates have been promoted to beta and are now enabled by default.
The following image is updated:
- `k8s.gcr.io/dns/k8s-dns-node-cache`: `1.22.5` -> `v1.22.8`
Workaround for https://issues.k8s.io/109286 is now only executed for < 1.25 Shoots. In K8s 1.25+ the issue is fixed with https://github.com/kubernetes/kubernetes/pull/109288 and we no longer need to execute the workaround.
The `logging.loki.garden.priority` field is removed from gardenlet's component config as it is no longer used after the [new concept for PriorityClasses in Gardener](https://github.com/gardener/gardener/blob/v1.52.2/docs/development/priority-classes.md).
Enhance pod permissions for etcd-druid.
Use single-zone HA shoot for e2e rotation tests.
Use priority class `gardener-system-500` for etcd, as per https://github.com/gardener/gardener/issues/5634.
An issue has been fixed that caused the `Backup-Restore` component to connect to the wrong etcd cluster for initializing and member-add procedures.
A bug has been fixed that caused the `etcd-backup-restore` side-car to connect to the etcd cluster via the `peer-service` URL. The side-car is supposed to use the `client-service` instead since it a) exposes client port `2379` and b) redirects traffic only to members which are ready to service traffic.
The definition of the `etcd.status.ready` field was defined more precisely due to changed semantics of multi-node etcd clusters. `etcd.status.ready` is `true` whenever all underlying etcd replicas are ready. Please note, that the implementation for this check was not changed.
A new flag `--service-endpoints` has been added to the `etcdbrctl server` command. These (Kubernetes) service URLs ensure that `etcd-backup-restore` only connects to etcd members which are ready to serve traffic. Especially the `MemberAdd` and `Init` steps require this.
Dropping the feature of passing storage container credentials through ENV for the following storage provider: S3, Swift, OCS, ABS, OSS. Please switch to pass the storage container credentials through volume file mount.
For multi-node etcd: Added a feature of single member etcd restoration in case of data/data-dir of etcd member found to be corrupted or invalid.
An issue has been fixed that caused the `liveness` and `readiness` probes of `etcd` to always succeed even though an error was reported. This prevented defective etcd pods from being restarted automatically and caused unready candidates to be considered as ready to serve traffic via the `etcd service`.
A `startup` probe has been added to `etcd` to allow 2 minutes of initialization time before checking for etcd liveness.
Add support for running envtest on M1 Macbooks.
Fixed an issue in the release job needed to add the correct image version `config/default/manager_image_patch.yaml`.
The entrypoint for `etcd-druid` in its container image has been modified.
Deploying the etcd StatefulSet through a Helm chart has been abandoned. A codified version (component concept) is now used for this purpose.
`etcd` Statefulsets are not claimed anymore based on labels. Instead, the statefulsets are fetched using Name and Namespace combination. Thus, `etcd.spec.selector` does not have an effect on statefulsets anymore.
Etcd-Druid's Golang version has been updated to `1.18.4`.
The correct image version has been set in `config/default/manager_image_patch.yaml` to match the current release.
An issue causing the Seed nginx-ingress to fail on 1.22 GKE Seed cluster (or any 1.22 Seed cluster with K8s version that has a suffix - for example `v1.22.12-gke.300`) is now fixed.
Fix statefulset volumeClaimTemplate `StorageClassName` value population if etcd storageClass is an empty string.
Temporarily fix issue where `PodManagementPolicy` was trying to be updated from `OrderedReady` to `Parallel` for older shoots (created using etcd-druid:v0.8.5 and before), but the statefulset forbids updates to this field.
Temporarily fixes an issue where druid tries to set `spec.ServiceName` to `PeerServiceName` by default, although older single-node etcds would have this field set to `ClientServiceName`, and updating the statefulset `spec.ServiceName` field is forbidden.
An issue causing the guestbook integration test to fail against alicloud Shoot clusters is now fixed.
An issue causing the loki PriorityClass to be deleted too early when there are still loki StatefulSets that reference it is now mitigated.
Health checks of `ManagedResources` are more reliable now when updating resources in the referenced secrets.

@gardener-robot-ci-1 gardener-robot-ci-1 requested a review from a team as a code owner August 17, 2022 09:48
@gardener-robot
Copy link

@gardener-robot-ci-1 Thank you for your contribution.

@gardener-robot gardener-robot added needs/review Needs review size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) labels Aug 17, 2022
@Diaphteiros Diaphteiros merged commit 003af98 into update Sep 6, 2022
@Diaphteiros Diaphteiros deleted the ci-norwgtfpi branch September 6, 2022 08:14
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Sep 6, 2022
Diaphteiros added a commit that referenced this pull request Sep 8, 2022
* Upgrade github_com_gardener_gardener (#872)

from v1.50.2 to v1.53.2

Co-authored-by: gardener-robot-ci-2 <gardener.ci.user2@gmail.com>

* [ci:component:github.com/gardener/gardener-extension-runtime-gvisor:v0.5.1->v0.6.0] (#883)

* Upgrade github_com_gardener_gardener-extension-runtime-gvisor

from v0.5.1 to v0.6.0

Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com>
Co-authored-by: Johannes Aubart <johannes.aubart@sap.com>
Co-authored-by: gardener-robot-ci-1 <gardener.ci.user@gmail.com>
Co-authored-by: gardener-robot-ci-3 <gardener.ci.user3@gmail.com>

* upgrade Gardener to v1.53.4

* add finalizer to apiserver ingress

Co-authored-by: Gardener CI Robot 1 <gardener.ci.user@gmail.com>
Co-authored-by: gardener-robot-ci-2 <gardener.ci.user2@gmail.com>
Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com>
Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com>
Co-authored-by: gardener-robot-ci-3 <gardener.ci.user3@gmail.com>