fix(deps): update kubernetes packages to v0.36.2

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
k8s.io/api	v0.35.3 → v0.36.2
k8s.io/apiextensions-apiserver	v0.35.3 → v0.36.2
k8s.io/apimachinery	v0.35.3 → v0.36.2
k8s.io/cli-runtime	v0.35.3 → v0.36.2
k8s.io/client-go	v0.35.3 → v0.36.2

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

kubernetes/api (k8s.io/api)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

kubernetes/apimachinery (k8s.io/apimachinery)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

kubernetes/cli-runtime (k8s.io/cli-runtime)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

ℹ️ Artifact update notice

File name: api/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.7 -> 1.26.0

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 8 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.7 -> 1.26.0
go.opentelemetry.io/otel	v1.39.0 -> v1.41.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.34.0 -> v1.40.0
go.opentelemetry.io/otel/sdk	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/trace	v1.39.0 -> v1.41.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.26.3 -> v2.27.7
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.34.0 -> v1.40.0
go.opentelemetry.io/otel/metric	v1.39.0 -> v1.41.0
go.opentelemetry.io/proto/otlp	v1.5.0 -> v1.9.0

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Go toolchain updated to 1.26.0 in both api/go.mod and go.mod. Kubernetes dependencies (k8s.io/apimachinery, k8s.io/apiextensions-apiserver, and in root module also k8s.io/api, k8s.io/cli-runtime, k8s.io/client-go) bumped from v0.35.3 to v0.36.2. Two indirect dependencies (github.com/google/go-cmp and github.com/gregjones/httpcache) removed from root go.mod.

Changes

Go and Kubernetes dependency upgrades

Layer / File(s)	Summary
API module toolchain and Kubernetes update api/go.mod	Go directive bumped to 1.26.0. k8s.io/apimachinery upgraded to v0.36.2; k8s.io/apiextensions-apiserver remains at v0.35.3.
Root module toolchain, Kubernetes, and indirect dependency updates go.mod	Go directive bumped to 1.26.0. k8s.io/api, k8s.io/apiextensions-apiserver, k8s.io/apimachinery, k8s.io/cli-runtime, and k8s.io/client-go upgraded to v0.36.2. Two indirect dependencies (github.com/google/go-cmp and github.com/gregjones/httpcache) removed from indirect require block.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title accurately describes the main change: updating Kubernetes packages to v0.36.2.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	PR description clearly lists all Kubernetes package updates with version changes from v0.35.3 to v0.36.2, matching the changeset in go.mod and api/go.mod files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/go.mod`:
- Around line 6-7: Update k8s.io/apiextensions-apiserver from v0.35.3 to v0.36.2
in both go.mod files to align with the versions of k8s.io/apimachinery and other
Kubernetes packages. In api/go.mod at lines 6-7, change the
k8s.io/apiextensions-apiserver version to v0.36.2. In go.mod at lines 8-12, find
and update the k8s.io/apiextensions-apiserver entry to v0.36.2 as well. These
Kubernetes-staged packages must use matching versions to ensure API
compatibility.
- Line 3: The test agent Dockerfile contains an outdated Go version reference
that does not match the updated go.mod version. Locate the FROM statement in the
test agent Dockerfile that references golang:1.25.7-bookworm and update it to
golang:1.26.0-bookworm to align with the go.mod files which have been updated to
go 1.26.0. This ensures the test agent image builds correctly without version
mismatches.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b8af7b22-a7b7-4b5e-9878-b0ab1186069f

📥 Commits

Reviewing files that changed from the base of the PR and between 0955903 and c8fdc67.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check Dockerfile Go version directive
grep -n "golang:" test/agent/Dockerfile

Repository: openshift/lightspeed-agentic-operator

Length of output: 122

---

🏁 Script executed:

#!/bin/bash
# Find all Dockerfiles to check for stale Go versions
find . -name "Dockerfile*" -o -name "dockerfile*" | xargs ls -la 2>/dev/null

Repository: openshift/lightspeed-agentic-operator

Length of output: 216

---

🏁 Script executed:

#!/bin/bash
# Check for Go version references in all Dockerfiles
find . \( -name "Dockerfile*" -o -name "dockerfile*" \) -type f -exec grep -Hn "golang:" {} \;

Repository: openshift/lightspeed-agentic-operator

Length of output: 146

---

🏁 Script executed:

#!/bin/bash
# Check the root go.mod to confirm the version bump
head -10 go.mod | grep -E "^go "

Repository: openshift/lightspeed-agentic-operator

Length of output: 91

---

🏁 Script executed:

#!/bin/bash
# Check CI/CD workflows to see if Go version is enforced
find . -path ./.git -prune -o \( -name "*.yaml" -o -name "*.yml" \) -type f -exec grep -l "go.*version\|golang\|Go" {} \; | grep -E "(\.github|\.gitlab|\.circleci|Makefile)" | head -10

Repository: openshift/lightspeed-agentic-operator

Length of output: 63

---

🏁 Script executed:

#!/bin/bash
# Check if go.mod version directive is strictly enforced (Go 1.21+)
rg "^go 1\.[0-9]+" go.mod api/go.mod

Repository: openshift/lightspeed-agentic-operator

Length of output: 119

---

🏁 Script executed:

#!/bin/bash
# Check the root Dockerfile for Go version
cat -n Dockerfile | head -15

Repository: openshift/lightspeed-agentic-operator

Length of output: 700

---

🏁 Script executed:

#!/bin/bash
# Check the test/agent Dockerfile full content
cat -n test/agent/Dockerfile

Repository: openshift/lightspeed-agentic-operator

Length of output: 1207

---

🏁 Script executed:

#!/bin/bash
# Check Makefile or build scripts for how these Dockerfiles are used
rg "Dockerfile|docker build" -i Makefile README.md 2>/dev/null || echo "Checking build references..."

Repository: openshift/lightspeed-agentic-operator

Length of output: 656

---

🏁 Script executed:

#!/bin/bash
# Check if there's a way to determine what Go version UBI9 go-toolset:9.8 provides
# or if there are other references to Go version requirements
rg "go.*1\.26|1\.25" --type go --type md --type txt | head -20

Repository: openshift/lightspeed-agentic-operator

Length of output: 63

---

🏁 Script executed:

#!/bin/bash
# Check if there are CI workflows that would catch this mismatch
find . -path ./.git -prune -o -type d -name ".github" -o -name ".gitlab-ci" -o -name ".circleci" -print

Repository: openshift/lightspeed-agentic-operator

Length of output: 63

---

🏁 Script executed:

#!/bin/bash
# Check .github for workflow files
find .github -name "*.yml" -o -name "*.yaml" 2>/dev/null | xargs cat 2>/dev/null | grep -A 5 -B 5 "test/agent\|docker" | head -40

Repository: openshift/lightspeed-agentic-operator

Length of output: 63

---

test/agent/Dockerfile Go version must be updated to 1.26.0.

The go.mod files were updated to go 1.26.0, but test/agent/Dockerfile (line 7) still pins golang:1.25.7-bookworm. This will cause build failures when the test agent image is built (e.g., make -C test/agent docker-build). Update line 7 to FROM golang:1.26.0-bookworm AS builder to match the go.mod version.

The root Dockerfile is unaffected—it uses registry.redhat.io/ubi9/go-toolset:9.8, which does not pin an explicit Go version.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/go.mod` at line 3, The test agent Dockerfile contains an outdated Go
version reference that does not match the updated go.mod version. Locate the
FROM statement in the test agent Dockerfile that references
golang:1.25.7-bookworm and update it to golang:1.26.0-bookworm to align with the
go.mod files which have been updated to go 1.26.0. This ensures the test agent
image builds correctly without version mismatches.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 7c9a717 and 2 for PR HEAD c8fdc67 in total

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: Update the Go version directive in go.mod from 1.26.0 to 1.26.4 or
later to patch multiple security vulnerabilities (CVEs 2026-27137, 2026-27138,
2026-27142, 2026-25679, 2026-27139, and 2026-27144). Change the go statement at
line 3 to specify Go 1.26.4, which is the current stable release that addresses
all known security issues in the crypto/x509, html/template, net/url, os
package, and compiler components.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 686edd05-bdf2-4125-bd91-dd08a3e8d345

📥 Commits

Reviewing files that changed from the base of the PR and between c8fdc67 and 5870a0c.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• api/go.mod

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

go.mod (1)

3-3: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Go 1.26.0 contains multiple unpatched security vulnerabilities; upgrade to 1.26.4 or later.

Go 1.26.0 has 6 known CVEs affecting crypto/x509 (CVE-2026-27137, CVE-2026-27138), html/template XSS (CVE-2026-27142), net/url IPv6 validation (CVE-2026-25679), os package root escape (CVE-2026-27139), and compiler memory corruption (CVE-2026-27144). Use Go 1.26.4, the current stable release, to patch these security issues.

🔧 Proposed fix

-go 1.26.0
+go 1.26.4

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, The go.mod file specifies Go 1.26.0 which contains
multiple unpatched security vulnerabilities including CVEs in crypto/x509,
html/template, net/url, os package, and the compiler. Update the Go version
directive from 1.26.0 to 1.26.4 (or a later stable release) to address these
security issues.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: The go.mod file specifies Go version 1.26.0, but the Dockerfile
builder stage in test/agent/Dockerfile uses golang:1.25.7-bookworm which is an
older version. When the Go 1.25.7 toolchain tries to build a module requiring
1.26.0, the build will fail. Update the builder image in test/agent/Dockerfile
from golang:1.25.7-bookworm to golang:1.26.4-bookworm (or any later 1.26.x
version) to match the go.mod requirement.

---

Duplicate comments:
In `@go.mod`:
- Line 3: The go.mod file specifies Go 1.26.0 which contains multiple unpatched
security vulnerabilities including CVEs in crypto/x509, html/template, net/url,
os package, and the compiler. Update the Go version directive from 1.26.0 to
1.26.4 (or a later stable release) to address these security issues.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 30214f68-d3a8-40b6-a625-897105b9574b

📥 Commits

Reviewing files that changed from the base of the PR and between 5870a0c and 949016e.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• api/go.mod

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

♻️ Duplicate comments (1)

api/go.mod (1)

6-7: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Align k8s.io/apiextensions-apiserver with the rest of the Kubernetes stack.

api/go.mod still pins k8s.io/apiextensions-apiserver to v0.35.3 while the sibling Kubernetes modules are on v0.36.2. These staged modules are meant to move in lockstep; leaving one behind risks API/compile incompatibility at the boundary.

As per coding guidelines, pin exact versions and keep dependency updates consistent across module boundaries.

🔎 Verification script

#!/bin/bash
set -euo pipefail
rg -n 'k8s.io/(apiextensions-apiserver|apimachinery|api|cli-runtime|client-go)' api/go.mod go.mod

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/go.mod` around lines 6 - 7, The k8s.io/apiextensions-apiserver dependency
in api/go.mod is pinned to v0.35.3 while other Kubernetes modules like
k8s.io/apimachinery are on v0.36.2, creating a version mismatch that risks API
incompatibility. Update the k8s.io/apiextensions-apiserver version from v0.35.3
to v0.36.2 to align it with the rest of the Kubernetes dependency stack in the
module, ensuring all staged Kubernetes modules move in lockstep.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@api/go.mod`:
- Around line 6-7: The k8s.io/apiextensions-apiserver dependency in api/go.mod
is pinned to v0.35.3 while other Kubernetes modules like k8s.io/apimachinery are
on v0.36.2, creating a version mismatch that risks API incompatibility. Update
the k8s.io/apiextensions-apiserver version from v0.35.3 to v0.36.2 to align it
with the rest of the Kubernetes dependency stack in the module, ensuring all
staged Kubernetes modules move in lockstep.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 06259c74-c430-4722-8007-37d25fd004ac

📥 Commits

Reviewing files that changed from the base of the PR and between 13643e9 and 5c2dc69.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

[openshift-ci]

@red-hat-konflux[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/generate	a307507	link	true	/test generate
ci/prow/unit	a307507	link	true	/test unit
ci/prow/api-lint	a307507	link	true	/test api-lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.