Bump github.com/gardener/gardener from 1.131.2 to 1.133.0

[dependabot]

Bumps github.com/gardener/gardener from 1.131.2 to 1.133.0.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.133.0

[github.com/gardener/gardener:v1.133.0]

⚠️ Breaking Changes

• [OPERATOR] ⚠️ Gardener does no longer support Garden, Seed, or Shoot clusters with Kubernetes versions <= 1.29. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @​ScheererJ [#13487]
• [USER] The Shoot .spec.provider.workers[].sysctls field is now validated for valid sysctl keys and non-empty values. by @​MrBatschner [#13435]
• [DEVELOPER] The github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring module is updated from v0.86.2 to v0.87.0. In the new version the type of the ServiceMonitor's .spec.endpoints[].scheme field is changed from string to *monitoringv1.Scheme. by @​gardener-ci-robot [#13512]
• [DEVELOPER] The types from the extension healthcheck package which perform health checks on Deployments, StatefulSets and DaemonSets have been renamed. The respective constructor functions now return the concrete types instead of an interface. The types still implement the interface that was returned before. We do not expect this change to affect existing code in the majority of cases. by @​dimityrmirchev [#13329]

📰 Noteworthy

• [OPERATOR] The ShootCredentialsBinding feature gate of gardenlet is promoted to GA and is unconditionally enabled. by @​dimityrmirchev [#13530]
• [OPERATOR] The .status.encryptedResources field for Shoot and Garden resources has been deprecated in favour of the new .status.credentials.encryptionAtRest.resources field. by @​AleksandarSavchev [#12894]
• [DEVELOPER] The ValidatingAdmissionPolicy admission plugin is now enabled by default for the Gardener API server. If you already have the admission plugin enabled, you can remove the explicit enablement after upgrading to this version of Gardener as the plugin is now enabled by default. by @​ScheererJ [#13487]

✨ New Features

• [OPERATOR] A new VPAInPlaceUpdates feature gate is introduced for gardenlet and gardener-operator. When enabled, the corresponding VerticalPodAutoscaler resources are mutated to perform in-place updates, (i.e mutated with .spec.updatePolicy.updateMode=InPlaceOrRecreate). For more information, see Enabling In-Place Updates of Pod Resources. by @​vitanovs [#12940]
• [OPERATOR] The gardener.cloud/operation annotation for the Garden resource has been extended to allow specifying multiple operations to be run in parallel. by @​AleksandarSavchev [#12717]
• [USER] The gardener.cloud/operation and maintenance.gardener.cloud/operation Shoot annotations have been extended to allow specifying multiple operations to be run in parallel. by @​AleksandarSavchev [#12717]

🐛 Bug Fixes

• [OPERATOR] A bug where the Shoot relevant ClusterRoleBindings responsible for the AdminKubeconfig and ViewerKubeconfig permissions were deployed into the virtual Garden cluster has been fixed. by @​vpnachev [#13492]
• [OPERATOR] Add --skip-metadata flag to ctr images pull in the node-agent init script for better container registry compatibility. by @​Nuckal777 [#13265]
• [OPERATOR] An issue where Plutono would not detect all fields when the OpenTelemetryCollector feature gate is enabled is now fixed. by @​rrhubenov [#13531]
• [OPERATOR] A bug which made istio-ingressgateway forwarding requests via HTTP1.1 only to kube-apiserver when IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @​oliver-goetz [#13459]
• [OPERATOR] Gardener generally prefers the sshd.service unit when trying to enable/disable the SSH server on worker nodes and bastions. If the sshd.service unit doesn't exist, it falls back to ssh.service. by @​timebertt [#13456]
• [OPERATOR] The server block import feature for node-local-dns is now behind a feature gate (CustomDNSServerInNodeLocalDNS). by @​DockToFuture [#13511]
• [USER] An issue causing vpa-updater RBAC resources for in-place updates not to be deployed when the VPA InPlaceOrRecreate feature gate is not explicitly enabled is now fixed. The VPA InPlaceOrRecreate feature gate is enabled by default with the VPA 1.5.1 version which is used by Gardener. That's why the needed in-place updates RBAC resources are now deployed unconditionally. by @​vitanovs [#13499]
• [DEVELOPER] Fixed a bug causing types part of the extension healthcheck package to be injected with clients that they do not actually use. by @​dimityrmirchev [#13329]

🏃 Others

• [OPERATOR] Vali can now ingest logs through the standard ingress in the Shoot control plane even when the OpenTelemetryCollector feature gate is enabled. This allows other parties that rely on it to migrate at their pace while it matures. by @​rrhubenov [#13446]
• [OPERATOR] gardener-apiserver: The ShootValidator admission plugin's type is now changed from mutating to validating. All mutations that were previously performed by the ShootValidator were extracted over time to the new ShootMutator admission plugin. by @​ialidzhikov [#13352]
• [OPERATOR] Defaulting of the Shoot machine image version (.spec.provider.workers[].machine.image.{name,version}) is moved from the ShootValidator to the ShootMutator admission plugin. by @​ialidzhikov [#13351]
• [OPERATOR] Logging stack components are updated from v0.69.0 to v0.70.0. Along the way, performance optimizations are applied. by @​nickytd [#13563]
• [OPERATOR] gardener-apiserver: The Shoot .spec.provider.workers[].machine.image field is now a required field. This change has impact only when the ShootMutator admission plugin (which defaults the machine image) is disabled. The admission plugin is enabled by default. by @​ialidzhikov [#13399]
• [OPERATOR] A new field spec.resources was added to the Garden API. The field can be used by extensions to reference Secrets and ConfigMaps. See this documentation for more details. by @​timuthy [#13464]
• [OPERATOR] The Shoot .spec.kubernetes.kubeAPIServer.oidcConfig field is now validated only in the storage layer. Previously, the required .spec.kubernetes.kubeAPIServer.{oidcConfig,issuerURL} fields were validated in the ShootValidator admission plugin due to backwards-compatibility reasons. by @​dimitar-kostadinov [#13505]
• [DEPENDENCY] The following dependencies have been updated:
  • registry.k8s.io/dns/k8s-dns-node-cache from 1.26.5 to 1.26.7. by @​gardener-ci-robot [#13474]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/vali from v2.2.28 to v2.2.29. Release Notes by @​gardener-ci-robot [#13501]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/gardener-metrics-exporter from 0.41.0 to 0.42.0. Release Notes by @​gardener-ci-robot [#13455]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/brancz/kube-rbac-proxy from v0.20.0 to v0.20.1. by @​gardener-ci-robot [#13533]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/logging from v0.68.0 to v0.69.0. Release Notes by @​gardener-ci-robot [#13450]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/plutono from v7.5.43 to v7.5.44. Release Notes by @​gardener-ci-robot [#13504]
• [DEPENDENCY] The following dependencies have been updated:

... (truncated)

Commits

• 017c7a9 release v1.133.0
• 8db80a8 [release-v1.133] Update logging stack v0.70.0 (#13563)
• b031c70 Insecure communication for local registries (#13560)
• e5bd112 [GEP-34] Enable Collector Passthrough Directly to Vali (#13446)
• 23e28c6 Add deprecation notice for SecretBindings (#13543)
• beec1c9 Drop support for Shoots with Kubernetes version <= 1.29 (#13487)
• bce2924 Update prometheus-operator to v0.87.0 (minor) (#13512)
• 7991776 Mention migration to CredentialsBinding in K8s upgrade to 1.34 guide (#13537)
• b2dfcbe Mention forbidden encryption key rotation operations in K8s upgrade docu (#13...
• 07c5446 Update quay.io/brancz/kube-rbac-proxy Docker tag to v0.20.1 (#13533)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

This pull request updates the project's Go module dependencies to newer versions, including major upgrades to Kubernetes components and various supporting libraries. The changes primarily focus on keeping dependencies current with security patches and new features.

Walkthrough

• Chore: Upgraded Gardener core dependency from v1.131.2 to v1.133.0 for latest platform features and bug fixes
• Chore: Updated Kubernetes ecosystem packages from v0.33.5 to v0.34.2, including API, client-go, and component libraries for compatibility with newer Kubernetes versions
• Chore: Bumped Prometheus operator monitoring APIs from v0.85.0 to v0.87.0 for enhanced observability capabilities
• Chore: Updated controller-runtime from v0.21.0 to v0.22.4 and controller-tools from v0.18.0 to v0.19.0 for improved Kubernetes controller functionality
• Chore: Refreshed numerous indirect dependencies including golang.org/x/tools, gRPC, OpenTelemetry components, and Helm libraries for security and performance improvements

_{Model: claude-sonnet-4-20250514 | Prompt Tokens: 34077 | Completion Tokens: 264}

[hebelsan]

Close in favour of #1210

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[gardener-robot]

@dependabot[bot] You need rebase this pull request with latest master branch. Please check.