Bump github.com/gardener/etcd-druid from 0.22.5 to 0.23.0

[dependabot[bot]]

Bumps github.com/gardener/etcd-druid from 0.22.5 to 0.23.0.

Release notes

Sourced from github.com/gardener/etcd-druid's releases.

v0.23.0

[gardener/etcd-druid]

⚠️ Breaking Changes

• [OPERATOR] Custodian controller has now been removed in favour of etcd status reconciliation handled by etcd controller. CLI flags --custodian-workers and --custodian-sync-period have now been removed, and are no longer recognised by etcd-druid. by @​unmarshall #777
• [OPERATOR] Labels on druid-managed resources are now streamlined, and no longer include name and instance. Instead, these are now standard labels app.kubernetes.io/managed-by and app.kubernetes.io/part-of, as recommended by Kubernetes. Additionally, app.kubernetes.io/component label is also used to set the type of the component for an etcd cluster. by @​unmarshall #777
• [OPERATOR] Creation of Etcd resource no longer requires annotation gardener.cloud/operation: reconcile to be set on it for etcd-druid to reconcile it. In other words, creation of Etcd resource is immediate, irrespective of whether etcd-spec-auto-reconciliation is enabled or not. by @​unmarshall #777
• [OPERATOR] CLI flag --workers has now been renamed to --etcd-workers. Additionally, etcd controller also accepts new CLI flags enable-etcd-spec-auto-reconcile to control how and when the etcd spec is reconciled, and etcd-status-sync-period to specify the duration after which an event will be re-queued to ensure etcd status reconciliation. CLI flag ignore-operation-annotation has been deprecated, and will be removed in an upcoming release. by @​unmarshall #777
• [OPERATOR] Volume mounts for the etcd StatefulSet have now been fixed, to allow individually specifying TLS secrets for the etcd and backup-restore servers. CA and TLS certificates used for etcd client-server communication, relevant to the container that they are mounted on, can be found at /var/etcd/ssl/. CA and TLS certificates used for etcd peer communication, relevant to the container that they are mounted on, can be found at /var/etcd/ssl/peer. CA and TLS certificates used for etcd-backup-restore client-server communication, relevant to the container that they are mounted on, can be found at /var/etcdbr/ssl. by @​unmarshall #777
• [DEVELOPER] Vendor directory has now been removed from the project. Please run make tidy to pull dependencies into go mod cache initially, and whenever required. by @​shreyas-s-rao #748
• [USER] Before upgrading druid to v0.23.0+, please ensure that druid is running with at least v0.22.3+. This is required to avoid any downtime during the upgrade of the etcds by the new druid version, as well as to ensure backward compatibility of your etcds, in case you wish to downgrade back to v0.22.3+. by @​shreyas-s-rao #823

📰 Noteworthy

• [OPERATOR] A new condition DataVolumesReady has been introduced in etcd.Status to capture and report PVC warnings. by @​unmarshall #777

• [OPERATOR] Annotation druid.gardener.cloud/ignore-reconciliation has been marked as deprecated. Please use druid.gardener.cloud/suspend-etcd-spec-reconcile instead, which provides the same behavior. by @​unmarshall #777

• [OPERATOR] Scale-up logic for single-node etcd clusters with peerTLS disabled to multi-node etcd clusters with peerTLS enabled, has been improved by making it deterministic and eliminates an unnecessary restart of the first etcd member, thus making this process faster and error-free. by @​unmarshall #777

• [OPERATOR] CLI flag --leader-election-resource-lock is now deprecated, and will be set to leases from a future release onwards. by @​unmarshall #777

• [OPERATOR] A new validating webhook named sentinel has been introduced to safeguard resources created by etcd-druid. A new annotation druid.gardener.cloud/disable-etcd-component-protection has been introduced, which if set, tells sentinel webhook to allow manual changes by an operator on any resource managed by etcd-druid.

  This webhook is disabled by default, and can be enabled as follows:

  • If deploying druid via the binary, please pass CLI flag --enable-sentinel-webhook to it. Additionally, CLI flags --webhook-server-bind-address, --webhook-server-port and --webhook-server-tls-server-cert-dir need to be passed when enabling the webhook, which enforces TLS communication using the given certs.
  • If deploying druid via the Helm charts, please set chart value webhooks.sentinel.enabled: true.
  • If deploying druid via Skaffold, please set environment variable DRUID_ENABLE_SENTINEL_WEBHOOK=true. This is also applicable when running Make targets such as deploy, deploy-dev, deploy-debug, test-e2e, etc, except for ci-e2e-kind. by @​unmarshall #777

• [OPERATOR] The component model used for deploying resources has now been replaced with a simplified ResourceOperator model, found under /internal/operator. by @​unmarshall #777

• [OPERATOR] CLI flag --metrics-addr is now deprecated. Please use --metrics-bind-address and --metrics-port instead. by @​unmarshall #777

• [USER] Remove usage of *_STORAGE_API_ENDPOINT` environment variables for Google and Azure providers. Storage API endpoint / domain will instead be directly consumed by etcd-backup-restore from the mounted backup secret. by @​shreyas-s-rao #856

• [DEVELOPER] We are moving towards using golang native tests. This also allowed us to relook at the unit and integration tests that we have. In this PR we have only partially introduced comprehensive golang native tests for specific packages (internal/operator, internal/webhook, internal/controller/etcd/ and internal/utils/). We have also added comprehensive integration tests for etcd controller and the new IT tests are present at test/it/controller/etcd. In future PRs we will replace the ginkgo based tests and replace it with native golang tests for rest of the packages as well. by @​unmarshall #777

• [DEVELOPER] All packages under /pkg and /controllers directories have now been moved to new parent /internal directory. by @​unmarshall #777

✨ New Features

• [OPERATOR] Etcd resource status now includes field LastErrors to indicate any errors encountered in the last reconciliation of the etcd resource. Custom error codes have been introduced to help capture contextual information from the reconciliation run. by @​unmarshall #777
• [OPERATOR] Etcd resource status now includes field LastOperation to indicate the last operation performed on the etcd resource. This includes a unique RunID to help sift through logs containing the specific RunID, improving debuggability. Every reconciler run generates a unique RunID. by @​unmarshall #777
• [DEVELOPER] etcd-druid now supports end-to-end testing with Azurite - the Azure Blob Storage Emulator by @​renormalize #753
• [DEVELOPER] Builds for non-native platforms can now be done using the docker-build make target instead of having to invoke the docker buildx command. The platform can be specified using the PLATFORM variable which is passed while invoking make. by @​renormalize #873
• [USER] Added support for new backup store provider stackit which is an alias for S3. by @​unmarshall #777

🏃 Others

• [OPERATOR] etcd-backup-restore container was started with SYS_PTRACE linux capability. This prevented creating etcd cluster with Pod Security Standards. This linux capability has now been removed as it is no longer required. by @​unmarshall #777
• [OPERATOR] set cpu and memory requests for compaction pods by @​anveshreddy18 #853
• [OPERATOR] Etcd pods now mount files with DefaultMode set to 0640. by @​unmarshall #777
• [OPERATOR] Upgrade github.com/gardener/etcd-backup-restore dependency from 0.26.0 to 0.29.0 by @​anveshreddy18 #830
• [OPERATOR] 1. Dependency version upgrades done to gardener/gardener, controller-runtime, controller-tools, k8s.io/*, logr, zap, ginkgo, uber mock, uuid dependencies.
  2. Adapted golanglint-ci recommendations.
  3. Removed dependency on gardener/gardener hack/scripts.
  by @​unmarshall #834
• [OPERATOR] Enhanced parallel execution support in e2e tests, reducing time and improving test suite robustness. by @​seshachalam-yv #833
• [OPERATOR] Upgrades to golang version 1.22.4 by @​unmarshall #826
• [OPERATOR] Updated e2e tests to support label changes during HA upgrades, preventing the reconciliation process from getting stuck and ensuring smooth transitions in deployment scenarios.

... (truncated)

Commits

• 8569ac3 Release v0.23.0
• 81dbd51 Enhance the docker-build make target to build for multiple platforms. (#873)
• 4fb2b05 Fix make deploy-debug (#876)
• d3ac301 Remove usage of *_STORAGE_API_ENDPOINT` environment variables for providers (...
• 92a3192 Fix peer TLS enablement during scale-up of etcd cluster (#874)
• 55efca1 [ci:component:github.com/gardener/etcd-backup-restore:v0.30.0->v0.30.1] (#871)
• f1eb37e [ci:component:github.com/gardener/etcd-backup-restore:v0.29.0->v0.30.0] (#865)
• a314438 Update images.yaml file path in .ci/hack/set_dependency_version
• 7f0a897 Fix .ci/component_descriptor script (#864)
• db00d1a Switch from deprecated pkg k8s.io/utils/pointer to recommended `k8s.io/util...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[gardener-robot-ci-2]

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

[gardener-robot]

@dependabot[bot] Thank you for your contribution.

[dependabot[bot]]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.