Default k8s versions and machine image versions have been upgraded.
Upgrade Gardener extension os-gardenlinux to `v0.20.0`
Upgrade Gardener extension suse-chost to `v1.22.0`
Upgrade Gardener extension os-ubuntu to `v1.22.0`
Upgrade Gardener dns-controller-manager to `v0.15.8`
Upgrade Gardener extension provider-gcp to `v1.32.0`
Upgrade Gardener extension provider-aws to `v1.46.0`
Upgrade Gardener extension provider-openstack to `v1.36.0`
Upgrade Gardener extension provider-azure to `v1.38.1`
Upgrade Gardener extension networking-calico to `v1.36.0`
Upgrade Gardener extension runtime-gvisor to `v0.11.0`
Upgrade Gardener extension provider-vsphere to `v0.31.2`
Upgrade Gardener extension shoot-dns-service to `v1.38.1`
Upgrade Gardener cert-manager to `v0.11.0`
Upgrade Gardener extension shoot-cert-service to `v1.36.0`
Upgrade Gardener to `v1.67.2`
Upgrade Gardener Dashboard to `v1.68.2`
⚠️ Since Gardener now automatically deploys `NetworkPolicy` resources into the `gardener` namespace of a seed, which messes up the communication on the base cluster, the network policies deployed by garden-setup itself had to be modified. If the network policies are activated, garden-setup will now deploy an additional `allow-all-ingress` policy, allowing all ingress traffic in the base cluster's `garden` namespace. If the network policies are deactivated, garden-setup instead uses an `allow-all` policy that simply allows all egress and ingress traffic in the `garden` namespace. No changes are required unless you are actively working with network policies in the base cluster's `garden` namespace.
⚠️ Due to some changes in Gardener's certificate handling, the ingress certificate changed slightly: instead of just using the wildcard ingress domain as Common Name, it now uses the dashboard's domain as CN and has the wildcard ingress domain configured as SAN. There are no changes required, unless you are interacting with the ingress certificate in some way and rely on its CN value.
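For the network policy change described above, this added illustration (not garden-setup's own manifests) shows what the two policies look like when written as standard Kubernetes `NetworkPolicy` objects. The names and the namespace come from the release note; the `spec` bodies are assumed to be the usual "allow all" forms.

```yaml
# Illustrative manifests only; not copied from garden-setup.
# Policy names and namespace are taken from the release note. The spec
# bodies are the standard Kubernetes "allow all" forms (an assumption).
---
# Case 1: network policies activated.
# An additional policy that admits all ingress traffic in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
  namespace: garden
spec:
  podSelector: {}        # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress
  ingress:
    - {}                 # empty rule: any source, any port
---
# Case 2: network policies deactivated.
# A single policy that admits all ingress and all egress traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: garden
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - {}
  egress:
    - {}
```

Kubernetes network policies are additive, so once a policy of the first form exists, any stricter ingress policy you maintain in the `garden` namespace no longer restricts ingress to the pods it selects. `kubectl get networkpolicy -n garden` lists the policies currently present in that namespace.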
Release note: