fix(deps): update kubernetes packages to v0.36.2

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
k8s.io/api	v0.35.3 → v0.36.2
k8s.io/apiextensions-apiserver	v0.35.3 → v0.36.2
k8s.io/cli-runtime	v0.35.3 → v0.36.2
k8s.io/client-go	v0.35.3 → v0.36.2

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

kubernetes/api (k8s.io/api)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

kubernetes/cli-runtime (k8s.io/cli-runtime)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.36.2

Compare Source

v0.36.1

Compare Source

v0.36.0

Compare Source

v0.35.6

Compare Source

v0.35.5

Compare Source

v0.35.4

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

ℹ️ Artifact update notice

File name: api/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.7 -> 1.26.0
k8s.io/apimachinery	v0.35.3 -> v0.36.2

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.7 -> 1.26.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.34.0 -> v1.40.0
k8s.io/apimachinery	v0.35.3 -> v0.36.2
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.34.0 -> v1.40.0

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 758dfeee-16cd-464e-8e13-0575cd5db631

📥 Commits

Reviewing files that changed from the base of the PR and between 5f28583 and 1bcd74f.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

🚧 Files skipped from review as they are similar to previous changes (2)

• api/go.mod
• go.mod

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated the Go toolchain from 1.25.7 to 1.26.0
  • Upgraded Kubernetes-related dependencies to 0.36.2
  • Upgraded OpenTelemetry OTLP trace exporter components to 1.40.0
  • Updated the backoff library to a newer major version
  • Refreshed Go module dependencies (including removing unused indirect dependencies) for consistency

Walkthrough

Go toolchain directive updated to 1.26.0 in both api/go.mod and go.mod. Kubernetes module versions bumped from v0.35.3 to v0.36.2. OpenTelemetry exporters upgraded from v1.34.0 to v1.40.0. Backoff dependency migrated from v4 to v5. Two indirect dependencies removed.

Changes

Dependency Version Updates

Layer / File(s)	Summary
Go toolchain and Kubernetes module alignment api/go.mod, go.mod	go directive bumped to 1.26.0 in both files. All k8s.io/* modules (api, apiextensions-apiserver, apimachinery, cli-runtime, client-go) updated from v0.35.3 to v0.36.2.
OpenTelemetry transitive dependency upgrade go.mod	Indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace upgraded to align with direct exporter versions.
Transitive dependency cleanup and backoff migration go.mod	Removed github.com/google/go-cmp and github.com/gregjones/httpcache. Replaced github.com/cenkalti/backoff/v4 v4.3.0 with github.com/cenkalti/backoff/v5 v5.0.3.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating Kubernetes packages to v0.36.2. It's concise and clearly identifies the primary objective of the PR.
Description check	✅ Passed	The description is directly related to the changeset, detailing the Kubernetes package updates with version changes, release notes, and configuration information from the automated dependency management system.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/go.mod`:
- Around line 6-7: Update k8s.io/apiextensions-apiserver from v0.35.3 to v0.36.2
in both go.mod files to align with the versions of k8s.io/apimachinery and other
Kubernetes packages. In api/go.mod at lines 6-7, change the
k8s.io/apiextensions-apiserver version to v0.36.2. In go.mod at lines 8-12, find
and update the k8s.io/apiextensions-apiserver entry to v0.36.2 as well. These
Kubernetes-staged packages must use matching versions to ensure API
compatibility.
- Line 3: The test agent Dockerfile contains an outdated Go version reference
that does not match the updated go.mod version. Locate the FROM statement in the
test agent Dockerfile that references golang:1.25.7-bookworm and update it to
golang:1.26.0-bookworm to align with the go.mod files which have been updated to
go 1.26.0. This ensures the test agent image builds correctly without version
mismatches.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b8af7b22-a7b7-4b5e-9878-b0ab1186069f

📥 Commits

Reviewing files that changed from the base of the PR and between 0955903 and c8fdc67.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check Dockerfile Go version directive
grep -n "golang:" test/agent/Dockerfile

Repository: openshift/lightspeed-agentic-operator

Length of output: 122

---

🏁 Script executed:

#!/bin/bash
# Find all Dockerfiles to check for stale Go versions
find . -name "Dockerfile*" -o -name "dockerfile*" | xargs ls -la 2>/dev/null

Repository: openshift/lightspeed-agentic-operator

Length of output: 216

---

🏁 Script executed:

#!/bin/bash
# Check for Go version references in all Dockerfiles
find . \( -name "Dockerfile*" -o -name "dockerfile*" \) -type f -exec grep -Hn "golang:" {} \;

Repository: openshift/lightspeed-agentic-operator

Length of output: 146

---

🏁 Script executed:

#!/bin/bash
# Check the root go.mod to confirm the version bump
head -10 go.mod | grep -E "^go "

Repository: openshift/lightspeed-agentic-operator

Length of output: 91

---

🏁 Script executed:

#!/bin/bash
# Check CI/CD workflows to see if Go version is enforced
find . -path ./.git -prune -o \( -name "*.yaml" -o -name "*.yml" \) -type f -exec grep -l "go.*version\|golang\|Go" {} \; | grep -E "(\.github|\.gitlab|\.circleci|Makefile)" | head -10

Repository: openshift/lightspeed-agentic-operator

Length of output: 63

---

🏁 Script executed:

#!/bin/bash
# Check if go.mod version directive is strictly enforced (Go 1.21+)
rg "^go 1\.[0-9]+" go.mod api/go.mod

Repository: openshift/lightspeed-agentic-operator

Length of output: 119

---

🏁 Script executed:

#!/bin/bash
# Check the root Dockerfile for Go version
cat -n Dockerfile | head -15

Repository: openshift/lightspeed-agentic-operator

Length of output: 700

---

🏁 Script executed:

#!/bin/bash
# Check the test/agent Dockerfile full content
cat -n test/agent/Dockerfile

Repository: openshift/lightspeed-agentic-operator

Length of output: 1207

---

🏁 Script executed:

#!/bin/bash
# Check Makefile or build scripts for how these Dockerfiles are used
rg "Dockerfile|docker build" -i Makefile README.md 2>/dev/null || echo "Checking build references..."

Repository: openshift/lightspeed-agentic-operator

Length of output: 656

---

🏁 Script executed:

#!/bin/bash
# Check if there's a way to determine what Go version UBI9 go-toolset:9.8 provides
# or if there are other references to Go version requirements
rg "go.*1\.26|1\.25" --type go --type md --type txt | head -20

Repository: openshift/lightspeed-agentic-operator

Length of output: 63

---

🏁 Script executed:

#!/bin/bash
# Check if there are CI workflows that would catch this mismatch
find . -path ./.git -prune -o -type d -name ".github" -o -name ".gitlab-ci" -o -name ".circleci" -print

Repository: openshift/lightspeed-agentic-operator

Length of output: 63

---

🏁 Script executed:

#!/bin/bash
# Check .github for workflow files
find .github -name "*.yml" -o -name "*.yaml" 2>/dev/null | xargs cat 2>/dev/null | grep -A 5 -B 5 "test/agent\|docker" | head -40

Repository: openshift/lightspeed-agentic-operator

Length of output: 63

---

test/agent/Dockerfile Go version must be updated to 1.26.0.

The go.mod files were updated to go 1.26.0, but test/agent/Dockerfile (line 7) still pins golang:1.25.7-bookworm. This will cause build failures when the test agent image is built (e.g., make -C test/agent docker-build). Update line 7 to FROM golang:1.26.0-bookworm AS builder to match the go.mod version.

The root Dockerfile is unaffected—it uses registry.redhat.io/ubi9/go-toolset:9.8, which does not pin an explicit Go version.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/go.mod` at line 3, The test agent Dockerfile contains an outdated Go
version reference that does not match the updated go.mod version. Locate the
FROM statement in the test agent Dockerfile that references
golang:1.25.7-bookworm and update it to golang:1.26.0-bookworm to align with the
go.mod files which have been updated to go 1.26.0. This ensures the test agent
image builds correctly without version mismatches.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 7c9a717 and 2 for PR HEAD c8fdc67 in total

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: Update the Go version directive in go.mod from 1.26.0 to 1.26.4 or
later to patch multiple security vulnerabilities (CVEs 2026-27137, 2026-27138,
2026-27142, 2026-25679, 2026-27139, and 2026-27144). Change the go statement at
line 3 to specify Go 1.26.4, which is the current stable release that addresses
all known security issues in the crypto/x509, html/template, net/url, os
package, and compiler components.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 686edd05-bdf2-4125-bd91-dd08a3e8d345

📥 Commits

Reviewing files that changed from the base of the PR and between c8fdc67 and 5870a0c.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• api/go.mod

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

go.mod (1)

3-3: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Go 1.26.0 contains multiple unpatched security vulnerabilities; upgrade to 1.26.4 or later.

Go 1.26.0 has 6 known CVEs affecting crypto/x509 (CVE-2026-27137, CVE-2026-27138), html/template XSS (CVE-2026-27142), net/url IPv6 validation (CVE-2026-25679), os package root escape (CVE-2026-27139), and compiler memory corruption (CVE-2026-27144). Use Go 1.26.4, the current stable release, to patch these security issues.

🔧 Proposed fix

-go 1.26.0
+go 1.26.4

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, The go.mod file specifies Go 1.26.0 which contains
multiple unpatched security vulnerabilities including CVEs in crypto/x509,
html/template, net/url, os package, and the compiler. Update the Go version
directive from 1.26.0 to 1.26.4 (or a later stable release) to address these
security issues.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: The go.mod file specifies Go version 1.26.0, but the Dockerfile
builder stage in test/agent/Dockerfile uses golang:1.25.7-bookworm which is an
older version. When the Go 1.25.7 toolchain tries to build a module requiring
1.26.0, the build will fail. Update the builder image in test/agent/Dockerfile
from golang:1.25.7-bookworm to golang:1.26.4-bookworm (or any later 1.26.x
version) to match the go.mod requirement.

---

Duplicate comments:
In `@go.mod`:
- Line 3: The go.mod file specifies Go 1.26.0 which contains multiple unpatched
security vulnerabilities including CVEs in crypto/x509, html/template, net/url,
os package, and the compiler. Update the Go version directive from 1.26.0 to
1.26.4 (or a later stable release) to address these security issues.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 30214f68-d3a8-40b6-a625-897105b9574b

📥 Commits

Reviewing files that changed from the base of the PR and between 5870a0c and 949016e.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• api/go.mod

[coderabbitai]

♻️ Duplicate comments (1)

api/go.mod (1)

6-7: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Align k8s.io/apiextensions-apiserver with the rest of the Kubernetes stack.

api/go.mod still pins k8s.io/apiextensions-apiserver to v0.35.3 while the sibling Kubernetes modules are on v0.36.2. These staged modules are meant to move in lockstep; leaving one behind risks API/compile incompatibility at the boundary.

As per coding guidelines, pin exact versions and keep dependency updates consistent across module boundaries.

🔎 Verification script

#!/bin/bash
set -euo pipefail
rg -n 'k8s.io/(apiextensions-apiserver|apimachinery|api|cli-runtime|client-go)' api/go.mod go.mod

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/go.mod` around lines 6 - 7, The k8s.io/apiextensions-apiserver dependency
in api/go.mod is pinned to v0.35.3 while other Kubernetes modules like
k8s.io/apimachinery are on v0.36.2, creating a version mismatch that risks API
incompatibility. Update the k8s.io/apiextensions-apiserver version from v0.35.3
to v0.36.2 to align it with the rest of the Kubernetes dependency stack in the
module, ensuring all staged Kubernetes modules move in lockstep.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@api/go.mod`:
- Around line 6-7: The k8s.io/apiextensions-apiserver dependency in api/go.mod
is pinned to v0.35.3 while other Kubernetes modules like k8s.io/apimachinery are
on v0.36.2, creating a version mismatch that risks API incompatibility. Update
the k8s.io/apiextensions-apiserver version from v0.35.3 to v0.36.2 to align it
with the rest of the Kubernetes dependency stack in the module, ensuring all
staged Kubernetes modules move in lockstep.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 06259c74-c430-4722-8007-37d25fd004ac

📥 Commits

Reviewing files that changed from the base of the PR and between 13643e9 and 5c2dc69.

⛔ Files ignored due to path filters (2)

• api/go.sum is excluded by !**/*.sum, !api/go.sum
• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (2)

• api/go.mod
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@red-hat-konflux[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/unit	1bcd74f	link	true	/test unit
ci/prow/api-lint	1bcd74f	link	true	/test api-lint
ci/prow/generate	1bcd74f	link	true	/test generate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.