Update k8s packages to v1.139.0 (minor) by renovate[bot] · Pull Request #263 · stackitcloud/gardener-extension-acl

renovate · 2026-03-27T21:12:12Z

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gardener/gardener	`v1.138.1` → `v1.139.0`
github.com/gardener/gardener/pkg/apis	`v1.138.1` → `v1.139.0`

Release Notes

gardener/gardener (github.com/gardener/gardener)

`v1.139.0`

Compare Source

[github.com/gardener/gardener:v1.139.0]

⚠️ Breaking Changes

[OPERATOR] The type of the Gardenlet's configuration field .controllers.tokenRequestorWorkloadIdentity.tokenExpirationDuration has been changed from time.Duration to k8s.io/apimachinery/pkg/apis/meta/v1.Duration. by @vpnachev [#14333]
[OPERATOR] Garden .status.encryptedResources field is removed, use Garden .status.credentials.encryptionAtRest.resources instead. by @iypetrov [#14354]
[OPERATOR] The raise-spec-limits verb has been removed for NamespacedCloudProfiles because it is no-longer needed. by @mimiteto [#14344]
[USER] ⚠️ The Shoot field .spec.dns.providers[].secretName has been forbidden for clusters running on Kubernetes version v1.35.0 or higher. Please, use .spec.dns.providers[].credentialsRef instead. by @vpnachev [#14309]
[USER] Shoot .status.encryptedResources field is removed, use Shoot .status.credentials.encryptionAtRest.resources instead. by @iypetrov [#14354]
[DEVELOPER] ⚠️ A default reconciliation timeout of 3 minutes has been set for the extension controllers:
- github.com/gardener/gardener/extensions/pkg/controller/backupbucket
- github.com/gardener/gardener/extensions/pkg/controller/backupentry
- github.com/gardener/gardener/extensions/pkg/controller/containerruntime
- github.com/gardener/gardener/extensions/pkg/controller/controlplane
- github.com/gardener/gardener/extensions/pkg/controller/dnsrecord
- github.com/gardener/gardener/extensions/pkg/controller/extension
- github.com/gardener/gardener/extensions/pkg/controller/healthcheck
- github.com/gardener/gardener/extensions/pkg/controller/heartbeat
- github.com/gardener/gardener/extensions/pkg/controller/network
- github.com/gardener/gardener/extensions/pkg/controller/operatingsystemconfig
  A default reconciliation timeout of 20 minutes has been set for the extension controllers:
- github.com/gardener/gardener/extensions/pkg/controller/bastion
- github.com/gardener/gardener/extensions/pkg/controller/infrastructure
- github.com/gardener/gardener/extensions/pkg/controller/worker
  Extension developers can define own reconciliation timeout via the sigs.k8s.io/controller-runtime/pkg/controller.Options provided to the respective controller. by @vpnachev [#14105]
[DEVELOPER] ⚠️ The deprecated Seed field secretRef in spec.dns.provider has been removed, use credentialsRef instead. by @vpnachev [#14308]

📰 Noteworthy

[OPERATOR] AdminKubeconfigRequest now uses the static username prefix gardener.cloud:admin:, and ViewerKubeconfigRequest uses gardener.cloud:viewer: to generate the username for the resulting kubeconfig. Previously, this prefix was randomized." by @timuthy [#14252]
[DEVELOPER] gardenadm bootstrap etcd version is updated from v3.4.34 to v3.5.27. by @LucaBernstein [#14352]
[DEPENDENCY] During the Shoot reconciliation, control plane and extension readiness is waited for before further system components are reconciled. by @LucaBernstein [#14338]

✨ New Features

[OPERATOR] Deletion of the Garden CRD installed via the gardener-operator Helm chart is now prevented unless annotated with confirmation.gardener.cloud/deletion=true by @maboehm [#14373]
[OPERATOR] A new spec.settings.zoneSelection field on Seed resources allows operators to configure whether the control plane namespace of non-HA Shoots (or those with failure tolerance type node) is placed in the same availability zone as the shoot's worker nodes (Prefer) or strictly required to match (Enforce). by @rfranzke [#14238]
[OPERATOR] The istio-ingressgateway now uses a dual autoscaling approach with both VPA (VerticalPodAutoscaler) and HPA (HorizontalPodAutoscaler) working together without causing pod-thrashing. by @oliver-goetz [#14313]
[OPERATOR] The Gardener Dashboard RBAC now allows listing and watching ManagedSeeds to support newer dashboard functionality around ManagedSeed-related Shoot information. by @petersutter [#14321]
[DEVELOPER] gardener-node-agent can now resolve .spec.files[].content.secretRef from Secrets in kube-system, enabling OperatingSystemConfig files to reference secrets instead of requiring inlined content. by @rfranzke [#14319]

🐛 Bug Fixes

[OPERATOR] A bug causing the nil pointer panic in gardenlet config validation when staleExtensionHealthChecks.threshold is nil is fixed. by @acumino [#14317]
[OPERATOR] An issue preventing the shootstate-controller of gardenlet to populate all required states to the ShootState for a self-hosted Shoot is now fixed. by @ialidzhikov [#14339]
[OPERATOR] An issue causing gardener-operator to fail to create resource events in API group events.k8s.io is now fixed. by @shafeeqes [#14327]
[OPERATOR] A bug causing the gardenlet to crash during startup was fixed. Earlier, the startup procedure occasionally failed on large-scale seed clusters due to cache sync timeouts. by @timuthy [#14408]
[DEVELOPER] The nodePort auto-remediation in the local setup service controller no longer incorrectly targets ClusterIP services. by @rfranzke [#14390]

🏃 Others

[OPERATOR] The .spec.trafficDistribution field of the topology-aware etcd-{events,main}-client Services will be automatically switched from the deprecated PreferClose to the new PreferSameZone option for Kubernetes 1.34+. by @ialidzhikov [#14278]
[OPERATOR] The following dependencies have been updated:
- gardener/etcd-druid from v0.35.1 to v0.36.1. Release Notes
- github.com/gardener/etcd-druid/api from v0.35.1 to v0.36.1. by @Shreyas-s14 [#14341]
[OPERATOR] Status updates for Shoot resources during reconciliation are now minimized when the associated Seed is not ready. Previously, this could lead to excessive growth of the gardener's etcd key space. by @timuthy [#14377]
[OPERATOR] Opentelemetry collector migration implemented in gardener - v1.136.0 is no longer needed. by @nickytd [#14138]
[OPERATOR] During the restore phase of control plane migration, Machines and MachineSets are now deployed in parallel across 10 go routines. Additionally, the restoration logic now checks if a Machine or MachineSet already exists, and if that is the case, it does not attempt to create it. This should speed up the restoration of the Worker resource. by @plkokanov [#14219]
[OPERATOR] Now victorialogs streams follow opentelemetry semantic convention fields. by @nickytd [#14381]
[OPERATOR] victoria-logs pods are now labeled according oidc-apps semantic. by @nickytd [#14325]
[OPERATOR] Unused bootstrap secrets from the gardener-resource-manager are cleaned up properly. Earlier, the shoot reconciliation left a considerable amount of unused secrets in the control-plane, if the GRM bootstrap procedure was stuck. by @timuthy [#14343]
[OPERATOR] Fix Istio Gateway metric retention and reenable metric scraping. by @Bobi-Wan [#14337]
[OPERATOR] apiserver-proxy connection for shoots with legacy single-dash namespace format has been fixed. by @axel7born [#14406]
[OPERATOR] Timeout for credentials renewal during rotation of Garden secrets was increased to 10 minutes. by @dimityrmirchev [#14433]
[OPERATOR] The v1alpha1 perses CRDs are deleted and replaced with v1alpha2 versions during reconciliation. by @rickardsjp [#14264]
[USER] VPN Dashboard now displays the pod name in the legend for the VPN Shoot Network I/O panel by @domdom82 [#14393]
[DEVELOPER] The remote local setup has been updated to the latest changes in Gardener. by @vicwicker [#14289]
[DEVELOPER] Added hack/generate-renovate-ignore-deps.sh to generate the renovate ignoreDeps section from the intersection of a downstream repo's go.mod and gardener/gardener's go.mod. Downstream repos can now remove their local copies and call the script from $GARDENER_HACK_DIR. by @LucaBernstein [#14425]
[DEVELOPER] Remote setup garden template has been updated with gardenerDiscoveryServer configuration by @domdom82 [#14306]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.15.0 to v1.15.1. by @gardener-ci-robot [#14363]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.14.3 to v1.15.0. by @gardener-ci-robot [#14267]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/coredns/coredns from v1.14.1 to v1.14.2. by @gardener-ci-robot [#14290]
[DEPENDENCY] The following dependencies have been updated:
- gardener/dashboard from 1.83.8 to 1.83.9. Release Notes by @gardener-ci-robot [#14312]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/brancz/kube-rbac-proxy from v0.21.0 to v0.21.1. by @gardener-ci-robot [#14332]
[DEPENDENCY] The following dependencies have been updated:
- gardener/dashboard from 1.83.9 to 1.83.10. Release Notes by @gardener-ci-robot [#14380]
[DEPENDENCY] The following dependencies have been updated:
- europe-docker.pkg.dev/gardener-project/releases/gardener/fluent-bit-plugin from v1.2.0 to v1.4.0. by @nickytd [#14357]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/brancz/kube-rbac-proxy from v0.21.1 to v0.21.2. by @gardener-ci-robot [#14382]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.14.4 to v1.14.5. by @gardener-ci-robot [#14362]
[DEPENDENCY] The following dependencies have been updated:
- gardener/vpn2 from 0.47.0 to 0.48.0. Release Notes by @gardener-ci-robot [#14374]
[DEPENDENCY] The following dependencies have been updated:
- perses/perses from v0.53.0 to v0.53.1. Release Notes by @gardener-ci-robot [#14307]
[DEPENDENCY] The following dependencies have been updated:
- gardener/dashboard from 1.83.10 to 1.83.11. Release Notes by @gardener-ci-robot [#14438]
[DEPENDENCY] The following dependencies have been updated:
- gcr.io/istio-release/pilot from 1.27.7 to 1.27.8.
- gcr.io/istio-release/proxyv2 from 1.27.7 to 1.27.8.
- istio.io/api from v1.27.7 to v1.27.8. by @gardener-ci-robot [#14280]

📖 Documentation

[DEPENDENCY] Extension admission components deployed via gardener-operator should set the --webhook-config-owner-namespace flag to prevent ValidatingWebhookConfiguration resources from leaking in the virtual garden cluster upon uninstall. by @theoddora [#14360]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.139.0
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.139.0
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.139.0
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.139.0

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.139.0
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.139.0
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.139.0
gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.139.0
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.139.0
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.139.0
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.139.0
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.139.0
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.139.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2026-03-27T21:12:14Z

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

59 additional dependencies were updated

Details:

Package	Change
`istio.io/api`	`v1.27.7` -> `v1.27.8`
`github.com/BurntSushi/toml`	`v1.5.0` -> `v1.6.0`
`github.com/bmatcuk/doublestar/v4`	`v4.9.1` -> `v4.10.0`
`github.com/brunoga/deep`	`v1.2.5` -> `v1.3.1`
`github.com/gardener/etcd-druid/api`	`v0.35.1` -> `v0.36.1`
`github.com/go-openapi/jsonpointer`	`v0.22.1` -> `v0.22.4`
`github.com/go-openapi/jsonreference`	`v0.21.2` -> `v0.21.4`
`github.com/go-openapi/swag`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/cmdutils`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/conv`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/fileutils`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/jsonname`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/jsonutils`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/loading`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/mangling`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/netutils`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/stringutils`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/typeutils`	`v0.25.1` -> `v0.25.4`
`github.com/go-openapi/swag/yamlutils`	`v0.25.1` -> `v0.25.4`
`github.com/golang-jwt/jwt/v5`	`v5.3.0` -> `v5.3.1`
`github.com/google/cel-go`	`v0.26.1` -> `v0.27.0`
`github.com/google/gnostic-models`	`v0.7.0` -> `v0.7.1`
`github.com/labstack/echo/v4`	`v4.13.4` -> `v4.15.1`
`github.com/perses/common`	`v0.27.1-0.20250326140707-96e439b14e0e` -> `v0.30.2`
`github.com/perses/perses`	`v0.51.0` -> `v0.53.0`
`github.com/perses/perses-operator`	`v0.2.0` -> `v0.3.2`
`github.com/prometheus/procfs`	`v0.19.2` -> `v0.20.1`
`github.com/sirupsen/logrus`	`v1.9.3` -> `v1.9.4`
`github.com/zitadel/oidc/v3`	`v3.38.1` -> `v3.45.4`
`github.com/zitadel/schema`	`v1.3.1` -> `v1.3.2`
`go.opentelemetry.io/contrib/otelconf`	`v0.21.0` -> `v0.22.0`
`go.opentelemetry.io/otel`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc`	`v0.17.0` -> `v0.18.0`
`go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`	`v0.17.0` -> `v0.18.0`
`go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/exporters/otlp/otlptrace`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/exporters/prometheus`	`v0.63.0` -> `v0.64.0`
`go.opentelemetry.io/otel/exporters/stdout/stdoutlog`	`v0.17.0` -> `v0.18.0`
`go.opentelemetry.io/otel/exporters/stdout/stdoutmetric`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/exporters/stdout/stdouttrace`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/log`	`v0.17.0` -> `v0.18.0`
`go.opentelemetry.io/otel/metric`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/sdk`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/sdk/log`	`v0.17.0` -> `v0.18.0`
`go.opentelemetry.io/otel/sdk/metric`	`v1.41.0` -> `v1.42.0`
`go.opentelemetry.io/otel/trace`	`v1.41.0` -> `v1.42.0`
`google.golang.org/genproto/googleapis/api`	`v0.0.0-20260209200024-4cfbd4190f57` -> `v0.0.0-20260226221140-a57be14db171`
`google.golang.org/genproto/googleapis/rpc`	`v0.0.0-20260209200024-4cfbd4190f57` -> `v0.0.0-20260226221140-a57be14db171`
`google.golang.org/grpc`	`v1.79.1` -> `v1.79.3`
`helm.sh/helm/v3`	`v3.19.5` -> `v3.20.1`
`k8s.io/kube-aggregator`	`v0.35.2` -> `v0.35.3`
`k8s.io/kube-openapi`	`v0.0.0-20250910181357-589584f1c912` -> `v0.0.0-20260127142750-a19766b6e2d4`
`k8s.io/kubelet`	`v0.35.2` -> `v0.35.3`
`k8s.io/metrics`	`v0.35.2` -> `v0.35.3`
`k8s.io/pod-security-admission`	`v0.35.2` -> `v0.35.3`
`sigs.k8s.io/structured-merge-diff/v6`	`v6.3.2-0.20260122202528-d9cc6641c482` -> `v6.3.2`

renovate bot added the dependencies Upgrade dependencies and tools label Mar 27, 2026

renovate bot requested review from hown3d, maboehm, robinschneider and timebertt as code owners March 27, 2026 21:12

renovate bot added the dependencies Upgrade dependencies and tools label Mar 27, 2026

Update k8s packages to v1.139.0

2dbbbde

renovate bot force-pushed the renovate/k8s-go branch from 6890ea2 to 2dbbbde Compare March 28, 2026 00:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update k8s packages to v1.139.0 (minor)#263

Update k8s packages to v1.139.0 (minor)#263
renovate[bot] wants to merge 1 commit intomainfrom
renovate/k8s-go

renovate bot commented Mar 27, 2026 •

edited

Loading

Uh oh!

renovate bot commented Mar 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v1.139.0

[github.com/gardener/gardener:v1.139.0]

⚠️ Breaking Changes

📰 Noteworthy

✨ New Features

🐛 Bug Fixes

🏃 Others

📖 Documentation

Helm Charts

Container (OCI) Images

Configuration

Uh oh!

renovate bot commented Mar 27, 2026

ℹ️ Artifact update notice

File name: go.mod

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Mar 27, 2026 •

edited

Loading

`v1.139.0`