[Automation] Bump product version numbers

[elastic-observability-automation]

Bump release versions in the config/versions.yml

Update config/versions.yml elasticsearch-client-java 9.4.0

change detected: * key "$.versioning_systems.elasticsearch-client-java.current" updated from "9.3.4" to "9.4.0", in file "config/versions.yml"

v9.4.0

## What's Changed

Check the official [release notes](https://www.elastic.co/docs/release-notes/elasticsearch/clients/java/9-4-0) - in particular the breaking changes.

**Full Changelog**: https://github.com/elastic/elasticsearch-java/compare/v9.3.4...v9.4.0

Update config/versions.yml eck 3.4.0

change detected: * key "$.versioning_systems.eck.current" updated from "3.3.2" to "3.4.0", in file "config/versions.yml"

v3.4.0

# Elastic Cloud on Kubernetes 3.4.0
- [Quickstart guide](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s#eck-quickstart)

### Release Highlights

#### Elasticsearch client certificate authentication support

ECK now supports configuring Elasticsearch to require client certificates for authentication. This allows you to enforce mutual TLS (mTLS) between clients and Elasticsearch, strengthening security by requiring both the client and server to present valid certificates. Currently, Elasticsearch and Kibana support this feature - Kibana can be configured to present client certificates when connecting to Elasticsearch. Support for the remaining components that connect to Elasticsearch (Beats, Elastic Agent, APM Server, Logstash, and so on) will follow in future releases. For more details, refer to the [client certificate authentication documentation](https://www.elastic.co/docs/deploy-manage/security/k8s-es-client-certificate-auth).

#### Rolling restarts of Elasticsearch clusters

ECK now supports triggering rolling restarts of Elasticsearch clusters through a new annotation-based mechanism. This enables operators to gracefully restart all nodes in a cluster without manual intervention, useful for troubleshooting. The [rolling restart documentation](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/nodes-orchestration#cluster-rolling-restart) provides more details.

#### Simplified zone awareness configuration

ECK simplifies the configuration of zone awareness for Elasticsearch clusters, reducing the amount of boilerplate configuration needed to set up topology-aware allocation. For more details, refer to the [zone awareness documentation](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/advanced-elasticsearch-node-scheduling#k8s-zone-awareness).

#### ECK container image signing

ECK container images are now signed using [Sigstore cosign](https://docs.sigstore.dev/cosign/). This allows users to verify the authenticity and integrity of ECK operator images before deployment, strengthening the supply chain security of their Kubernetes clusters.

#### Automatic password-protected keystore for Elasticsearch in FIPS mode

ECK now automatically manages a password-protected keystore for Elasticsearch when FIPS mode is enabled. When `xpack.security.fips_mode.enabled` is set to `true` in the Elasticsearch configuration, the operator generates, stores, and configures a password-protected keystore — eliminating the need for manual `podTemplate` overrides. This feature activates for Elasticsearch 9.4.0+ and respects any existing user-provided keystore password configuration. For more details, refer to the [Elasticsearch FIPS keystore password documentation](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/deploy-fips-compatible-version-of-eck#k8s-fips-keystore-password).

### Features and enhancements

- Implement client certificate required support for Elasticsearch [#9229](https://github.com/elastic/cloud-on-k8s/pull/9229)
- Implement Kibana support for presenting client certificates to Elasticsearch [#9230](https://github.com/elastic/cloud-on-k8s/pull/9230)
- Support rolling restarts of Elasticsearch clusters [#9172](https://github.com/elastic/cloud-on-k8s/pull/9172)
- Simplify zone awareness [#9148](https://github.com/elastic/cloud-on-k8s/pull/9148)
- Operator-managed FIPS keystore password support for Elasticsearch [#9287](https://github.com/elastic/cloud-on-k8s/pull/9287) (issue: [#9171](https://github.com/elastic/cloud-on-k8s/issues/9171))
- Surface webhook warnings; Refactor webhooks to use controller-runtime's Validator [#9235](https://github.com/elastic/cloud-on-k8s/pull/9235)
- Add `extraObjects` support to ECK Helm charts [#9069](https://github.com/elastic/cloud-on-k8s/pull/9069)
- Add `kubeAPIServerPort` configuration option to Helm chart [#8980](https://github.com/elastic/cloud-on-k8s/pull/8980)
- Set `seccompProfile` to `RuntimeDefault` [#9012](https://github.com/elastic/cloud-on-k8s/pull/9012)
- Validate user-supplied HTTP CA certificate [#8992](https://github.com/elastic/cloud-on-k8s/pull/8992)
- Sign ECK container images (v2) [#9078](https://github.com/elastic/cloud-on-k8s/pull/9078)
- Improve license signature verification error to diagnose wrong license type [#9262](https://github.com/elastic/cloud-on-k8s/pull/9262)
- Improve AutoOpsAgentPolicy status reporting [#9095](https://github.com/elastic/cloud-on-k8s/pull/9095)
- Support `runAsNonRoot` true for recent versions of EPR [#8974](https://github.com/elastic/cloud-on-k8s/pull/8974)
- Reduce operator memory footprint by stripping managed fields from informer caches [#9321](https://github.com/elastic/cloud-on-k8s/pull/9321)
- Add version-gated querylog fileset to Filebeat sidecar config [#9291](https://github.com/elastic/cloud-on-k8s/pull/9291)
- Bump default Kibana memory limit from 1Gi to 2Gi [#9328](https://github.com/elastic/cloud-on-k8s/pull/9328)
- Add image digest support to eck-operator Helm chart [#9362](https://github.com/elastic/cloud-on-k8s/pull/9362)

### Fixes

- Prevent StackConfigPolicy controller from performing unnecessary file-settings secret updates on every reconciliation [#9316](https://github.com/elastic/cloud-on-k8s/pull/9316)
- Correct NetworkPolicy namespace selector label for soft multi-tenancy [#9153](https://github.com/elastic/cloud-on-k8s/pull/9153)
- Prevent using a nodeSet name while the equivalent StatefulSet already exists [#9036](https://github.com/elastic/cloud-on-k8s/pull/9036)
- Skip default PVC if volume with same name exists [#9199](https://github.com/elastic/cloud-on-k8s/pull/9199) (issue: [#8744](https://github.com/elastic/cloud-on-k8s/issues/8744))
- Avoid empty reconcile requests in StackConfigPolicy secret watch [#9179](https://github.com/elastic/cloud-on-k8s/pull/9179)
- Make remote-ca secret generation failures non-blocking [#9271](https://github.com/elastic/cloud-on-k8s/pull/9271)
- Garbage collect Agent soft-owned secrets on deletion [#9090](https://github.com/elastic/cloud-on-k8s/pull/9090)
- Detect stale CA in certificate chain and trigger certificates reissuance [#9197](https://github.com/elastic/cloud-on-k8s/pull/9197)
- Skip per-shard replica checks for GREEN clusters in `require_started_replica` predicate [#9188](https://github.com/elastic/cloud-on-k8s/pull/9188)
- Handle server side default for `TrafficDistribution` [#8994](https://github.com/elastic/cloud-on-k8s/pull/8994)
- Set default security context to Kibana init container [#9218](https://github.com/elastic/cloud-on-k8s/pull/9218)
- Validate user-supplied CA for the transport layer of Elasticsearch [#8953](https://github.com/elastic/cloud-on-k8s/pull/8953)
- Align DaemonSet `UpdateReconciled` with Deployment reconciler [#9256](https://github.com/elastic/cloud-on-k8s/pull/9256) (issue: [#9246](https://github.com/elastic/cloud-on-k8s/issues/9246))

### Documentation improvements

- Add recipe for manual mTLS configuration [#9124](https://github.com/elastic/cloud-on-k8s/pull/9124)
- Mention `PodTopologyLabelsAdmission` in Elasticsearch sample [#9035](https://github.com/elastic/cloud-on-k8s/pull/9035)
- Logstash Chart improvements [#9087](https://github.com/elastic/cloud-on-k8s/pull/9087)

### Dependency updates

- Go 1.25.8 => 1.26.2
- github.com/elastic/go-ucfg v0.8.9-0.20251017163010-3520930bed4f => v0.9.1
- github.com/gkampitakis/go-snaps v0.5.19 => v0.5.21
- github.com/google/go-containerregistry v0.20.7 => v0.21.4
- github.com/hashicorp/vault/api v1.22.0 => v1.23.0
- go.elastic.co/apm/v2 v2.7.2 => v2.7.6
- golang.org/x/crypto v0.46.0 => v0.49.0
- k8s.io/api v0.35.0 => v0.35.3
- k8s.io/apimachinery v0.35.0 => v0.35.3
- k8s.io/client-go v0.35.0 => v0.35.3
- k8s.io/klog/v2 v2.130.1 => v2.140.0
- sigs.k8s.io/controller-runtime v0.22.4 => v0.23.3
- sigs.k8s.io/controller-tools v0.20.0 => v0.20.1
- New direct dependencies: cloud.google.com/go/auth, cloud.google.com/go/storage, github.com/Azure/azure-sdk-for-go/sdk/storage/azblob, github.com/aws/aws-sdk-go-v2, google.golang.org/api

Update config/versions.yml edot-node 1.12.0

change detected: * key "$.versioning_systems.edot-node.current" updated from "1.11.0" to "1.12.0", in file "config/versions.yml"

v1.12.0

## Changelog

### Chores

* Update all `@opentelemetry/*` upstream package dependencies to the latest releases:
    - [`v2.7.1` release](https://github.com/open-telemetry/opentelemetry-js/releases/tag/v2.7.1) from opentelemetry-js
    - [`experimental/v0.216.0` release](https://github.com/open-telemetry/opentelemetry-js/releases/tag/experimental%2Fv0.216.0) from opentelemetry-js
    - [opentelemetry-js-contrib release](https://github.com/open-telemetry/opentelemetry-js-contrib/pull/3481#issuecomment-4346720287)

---

[README](https://github.com/elastic/elastic-otel-node/tree/main/packages/opentelemetry-node#readme) | [Full Release Notes](https://github.com/elastic/elastic-otel-node/blob/main/docs/release-notes/index.md) | [Breaking Changes](https://github.com/elastic/elastic-otel-node/blob/main/docs/release-notes/breaking-changes.md)

Update config/versions.yml edot-cf-aws 1.5.1

change detected: * key "$.versioning_systems.edot-cf-aws.current" updated from "1.5.0" to "1.5.1", in file "config/versions.yml"

v1.5.1

## [1.5.1](https://github.com/elastic/edot-cloud-forwarder-aws/compare/v1.5.0...v1.5.1) (2026-04-22)


### 🧹 Chore

* Document ECS mode ([#429](https://github.com/elastic/edot-cloud-forwarder-aws/issues/429)) ([b93691e](https://github.com/elastic/edot-cloud-forwarder-aws/commit/b93691edcd2307877a3b127a84e659ff16e7c533))


### 📚 Documentation

* Restructure EDOT Cloud Forwarder for AWS landing page ([#431](https://github.com/elastic/edot-cloud-forwarder-aws/issues/431)) ([231b5ec](https://github.com/elastic/edot-cloud-forwarder-aws/commit/231b5ec934ff379f84a7a69e0cf098a2253645d7))

GitHub Action workflow link

---

Created automatically by Updatecli Options: Most of Updatecli configuration is done via its manifest(s). If you close this pull request, Updatecli will automatically reopen it, the next time it runs. If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made. Feel free to report any issues at github.com/updatecli/updatecli. If you find this tool useful, do not hesitate to star our GitHub repository as a sign of appreciation, and/or to tell us directly on our chat!