GEP-0036: Self-Hosted Shoot Exposure

  • 📌 GEP Tracking Issue: https://github.com/gardener/enhancements/issues/36
  • 📖 GEP Link: https://github.com/gardener/enhancements/tree/main/geps/0036-self-hosted-shoot-exposure
  • ✍🏻 Author(s): @timebertt (Tim Ebert)
  • 🗓️ Presentation: 2026-01-19, 16:00 - 17:00 CET
  • 🎥 Recording: https://youtu.be/OodgUQ-cZNA
  • 👨‍⚖️ Decisions:
    • Proceed with the proposed approach; the GEP will be merged and implemented as described.
    • Default domains are not relevant, as DNS is already required during bootstrapping; default domains only exist in the garden cluster (accessible only after gardenadm connect).
    • The DNS strategy does not support health checks, but can support maintenance scenarios (e.g., cordoning nodes removes them from the endpoint set in the SelfHostedShootExposure API).
    • Disabling exposure should be possible and fall back to internal DNS (as it is used in the bootstrap phase).
    • A provider-local implementation with native support for Services of type LoadBalancer (e.g., via cloud-provider-kind, see Hackathon results) is independent, but we try to support it as part of this story.
    • What was previously considered a "future optimization" in the GEP is now part of the immediate optimization scope.
    • Direct Node querying (PR discussion) in the extension remains unchanged: prefer the existing approach over introducing a generic actuator, leveraging the existing gardenlet controller and port field in the SelfHostedShootExposure API.