fix(deps): update kubernetes

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
filippo.io/keygen	require	digest	7f162ef → 8e2790e
github.com/cert-manager/cert-manager	require	minor	v1.18.6 → v1.20.2
github.com/gin-gonic/gin	require	minor	v1.10.0 → v1.12.0
github.com/go-jose/go-jose/v4	require	patch	v4.1.3 → v4.1.4
github.com/grpc-ecosystem/go-grpc-middleware/v2	require	minor	v2.2.0 → v2.3.3
github.com/grpc-ecosystem/grpc-gateway/v2	require	minor	v2.24.0 → v2.29.0
github.com/onsi/ginkgo/v2	require	minor	v2.28.1 → v2.31.0
github.com/onsi/ginkgo/v2	require	minor	v2.22.2 → v2.31.0
github.com/onsi/gomega	require	minor	v1.39.1 → v1.42.0
github.com/onsi/gomega	require	minor	v1.36.2 → v1.42.0
github.com/openshift/api	require	digest	98e18da → 261e3a0
github.com/zitadel/oidc/v3	require	minor	v3.34.1 → v3.47.5
golang.org/x/exp	require	digest	8a7402a → c48552f
golang.org/x/sync	require	minor	v0.19.0 → v0.21.0
google.golang.org/genproto/googleapis/api	require	digest	b8f7ae3 → 62b3387
google.golang.org/grpc	require	minor	v1.80.0 → v1.81.1
k8s.io/api	require	minor	v0.33.0 → v0.36.2
k8s.io/api	require	minor	v0.34.1 → v0.36.2
k8s.io/apimachinery	require	minor	v0.33.0 → v0.36.2
k8s.io/apimachinery	require	minor	v0.34.1 → v0.36.2
k8s.io/apiserver	require	minor	v0.33.0 → v0.36.2
k8s.io/apiserver	require	minor	v0.34.1 → v0.36.2
k8s.io/client-go	require	minor	v0.33.0 → v0.36.2
k8s.io/client-go	require	minor	v0.34.1 → v0.36.2
k8s.io/utils	require	digest	3ea5e8c → ff6756f
k8s.io/utils	require	digest	0af2bda → ff6756f
sigs.k8s.io/controller-runtime	require	minor	v0.21.0 → v0.24.1
sigs.k8s.io/controller-runtime	require	minor	v0.22.3 → v0.24.1
sigs.k8s.io/yaml	require	minor	v1.4.0 → v1.6.0

---

Release Notes

cert-manager/cert-manager (github.com/cert-manager/cert-manager)

v1.20.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config
and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies
to address reported vulnerabilities.

Changes by Kind

Bug or Regression

• Helm: Fix invalid YAML generated when both webhook.config and webhook.volumes are defined. (#​8665, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go dependencies with reported vulnerabilities (#​8704, @​erikgb)
• Bump go to 1.26.2 (#​8703, @​erikgb)

v1.20.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression

• Fixed duplicate parentRef bug when both issuer config and annotations are present. (#​8658, @​hjoshi123)
• Add missing issuer finalizer RBAC to the order controller to support owner references. This was preventing OpenShift users from being able to upgrade to v1.20.0. (#​8655, @​erikgb)
• Bump google.golang.org/grpc to fix vulnerability reported by scanners. This isn't a vulnerability that affects cert-manager, but we are bumping it because it is reported by scanners. (#​8657, @​erikgb)

v1.20.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.

Changes by Kind

Feature

• Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. (#​8370, @​jcpunk)
• Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} (#​8256, @​tareksha)
• Added support for specifying imagePullSecrets in the startupapicheck-job Helm template to enable pulling images from private registries. (#​8186, @​mathieu-clnk)
• Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. (#​8355, @​dancmeyers)
• Added parentRef override annotations on the Certificate resource. (#​8518, @​hjoshi123)
• Added support for azure private zones for dns01 issuer. (#​8494, @​hjoshi123)
• Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. (#​7642, @​robertlestak)
• Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget (#​7728, @​jcpunk)
• For Venafi provider, read venafi.cert-manager.io/custom-fields annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#​8301, @​k0da)
• Improve error message when CA issuers are misconfigured to use a clashing secret name (#​8374, @​majiayu000)
• Introduce a new Ingress annotation acme.cert-manager.io/http01-ingress-ingressclassname to override http01.ingress.ingressClassName field in HTTP-01 challenge solvers. (#​8244, @​lunarwhite)
• Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#​8195, @​StingRayZA)
• Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. (#​8228, @​terinjokes)
• Added experimental XListenerSets feature gate (#​8394, @​hjoshi123)

Documentation

• Add GWAPI documentation to NOTES.TXT in helm chart (#​8353, @​jaxels10)

Bug or Regression

• Adds logs for cases when acme server returns us a fatal error in the order controller (#​8199, @​Peac36)
• Fixed an issue where kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#​8160, @​inteon)
• Changes to the Duration and RenewBefore annotations on ingress and gateway-api resources will now trigger certificate updates. (#​8232, @​eleanor-merry)
• Fix an issue where ACME challenge TXT records are not cleaned up when there are many resource records in CloudDNS. (#​8456, @​tkna)
• Fix unregulated retries with the DigitalOcean DNS-01 solver
  Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging (#​8221, @​wallrj-cyberark)
• Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8403, @​calm329)
• Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8424, @​SlashNephy)
• Fixed the HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames when the challenge DNSName is an IP address. (#​8443, @​alviss7)
• Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#​8173, @​erikgb)
• Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8469, @​SgtCoDFish)
• Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#​8290, @​octo-sts[bot])
• When Prometheus monitoring is enabled, the metrics label is now set to the intended value of cert-manager. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). (#​8162, @​LiquidPL)

Other (Cleanup or Flake)

• Promoted the OtherNames feature to Beta and enabled it by default (#​8288, @​wallrj-cyberark)
• Promoting XListenerSets feature gate to ListenerSets (#​8501, @​hjoshi123)
• Rebranding of the Venafi Issuer to CyberArk (#​8215, @​iossifbenbassat123)
• Switched to SSA for challenge finalizer updates (#​8519, @​inteon)
• The default container user (UID) is now 65532 (previously 1000) and the default container group (GID) is now 65532 (previously 0) (#​8408, @​wallrj-cyberark)
• The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to GA and can no longer be disabled. (#​8287, @​wallrj-cyberark)
• Update cert-manager's ACME client, forked from golang/x/crypto (#​8268, @​SgtCoDFish)
• Use the latest version of Kyverno (1.16.2) in the best-practice installation tests (#​8389, @​wallrj-cyberark)
• We stopped testing with Coutour due to it not supporting the new XListenerSet resource, and moved to kgateway. (#​8426, @​hjoshi123)

v1.19.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This is a simple patch release to fix some reported vulnerabilities. All users are recommended to upgrade.

Changes by Kind

Other (Cleanup or Flake)

• Bump go dependencies with reported vulnerabilities (#​8706, @​erikgb)
• Bump go to 1.25.8 to address several reported vulnerabilities (#​8628, @​SgtCoDFish)
• Bump go to 1.25.9 (#​8705, @​erikgb)

v1.19.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.19.4 is a simple patch release to fix some reported vulnerabilities - notably CVE-2026-24051 and CVE-2025-68121. All users should upgrade.

Changes by Kind

Bug or Regression

• Bump go to address CVE-2025-68121 (#​8526, @​SgtCoDFish)
• Bump otel SDK to address GO-2026-4394 (#​8531, @​SgtCoDFish)

v1.19.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release.

Changes by Kind

Bug or Regression

• Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8415, @​cert-manager-bot)
• Fixed an issue where HTTP-01 challenges failed when the Host header contained an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8436, @​cert-manager-bot)
• Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8468, @​SgtCoDFish)

Other (Cleanup or Flake)

• Bump go to 1.25.6 (#​8459, @​SgtCoDFish)

v1.19.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We updated Go to fix some vulnerabilities in the standard library.

📖 Read the full 1.19 release notes on the cert-manager.io website before upgrading.

Changes since v1.19.1

Bug or Regression

• Address false positive vulnerabilities CVE-2025-47914 and CVE-2025-58181 which were reported by Trivy. (#​8283, @​SgtCoDFish)
• Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#​8294, @​wallrj-cyberark)
• Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#​8233, @​cert-manager-bot)

Other (Cleanup or Flake)

• Update cert-manager's ACME client, forked from golang/x/crypto (#​8270, @​SgtCoDFish)
• Updated Debian 12 distroless base images (#​8326, @​wallrj-cyberark)

v1.19.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We reverted the CRD-based API defaults for Certificate.Spec.IssuerRef and CertificateRequest.Spec.IssuerRef after they were found to cause unexpected certificate renewals after upgrading to 1.19.0. We will try re-introducing these API defaults in cert-manager 1.20.
We fixed a bug that caused certificates to be re-issued unexpectedly if the issuerRef kind or group was changed to one of the "runtime" default values.
We upgraded Go to 1.25.3 to address the following security vulnerabilities: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

📖 Read the full 1.19 release notes on the cert-manager.io website before upgrading.

Changes since v1.19.0:

Bug or Regression

• BUGFIX: in case kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#​8175, @​cert-manager-bot)
• Bump Go to 1.25.3 to fix a backwards incompatible change to the validation of DNS names in X.509 SAN fields which prevented the use of DNS names with a trailing dot (#​8177, @​wallrj-cyberark)
• Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#​8178, @​cert-manager-bot)

v1.19.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Known issues: The following known issues are fixed in v1.19.1:

• Unexpected certificate renewal after upgrading to 1.19.0

This release focuses on expanding platform compatibility, improving deployment flexibility, enhancing observability, and addressing key reliability issues.

📖 Read the full release notes at cert-manager.io: https://cert-manager.io/docs/releases/release-notes/release-notes-1.19

Changes since v1.18.0:

Feature

• Add IPv6 rules to the default network policy (#​7726, @​jcpunk)
• Add global.nodeSelector to helm chart to allow for a single nodeSelector to be set across all services. (#​7818, @​StingRayZA)
• Add a feature gate to default to Ingress pathType Exact in ACME HTTP01 Ingress challenge solvers. (#​7795, @​sspreitzer)
• Add generated applyconfigurations allowing clients to make type-safe server-side apply requests for cert-manager resources. (#​7866, @​erikgb)
• Added API defaults to issuer references group (cert-manager.io) and kind (Issuer). (#​7414, @​erikgb)
• Added certmanager_certificate_challenge_status Prometheus metric. (#​7736, @​hjoshi123)
• Added protocol field for rfc2136 DNS01 provider (#​7881, @​hjoshi123)
• Added experimental field hostUsers flag to all pods. Not set by default. (#​7973, @​hjoshi123)
• Support configurable resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer and Issuer specifications, allowing granular resource management that overrides global --acme-http01-solver-resource-* settings. (#​7972, @​lunarwhite)
• The CAInjectorMerging feature has been promoted to BETA and is now enabled by default (#​8017, @​ThatsMrTalbot)
• The controller, webhook and ca-injector now log their version and git commit on startup for easier debugging and support. (#​8072, @​prasad89)
• Updated certificate metrics to the collector approach. (#​7856, @​hjoshi123)

Bug or Regression

• ACME: Increased challenge authorization timeout to 2 minutes to fix error waiting for authorization (#​7796, @​hjoshi123)
• BUGFIX: permitted URI domains were incorrectly used to set the excluded URI domains in the CSR's name constraints (#​7816, @​kinolaev)
• Enforced ACME HTTP-01 solver validation to properly reject configurations when multiple ingress options (class, ingressClassName, name) are specified simultaneously (#​8021, @​lunarwhite)
• Increase maximum sizes of PEM certificates and chains which can be parsed in cert-manager, to handle leaf certificates with large numbers of DNS names or other identities (#​7961, @​SgtCoDFish)
• Reverted adding the global.rbac.disableHTTPChallengesRole Helm option. (#​7836, @​inteon)
• This change removes the path label of core ACME client metrics and will require users to update their monitoring dashboards and alerting rules if using those metrics. (#​8109, @​mladen-rusev-cyberark)
• Use the latest version of ingress-nginx in E2E tests to ensure compatibility (#​7792, @​wallrj)

Other (Cleanup or Flake)

• Helm: Fix naming template of tokenrequest RoleBinding resource to improve consistency (#​7761, @​lunarwhite)
• Improve error messages when certificates, CRLs or private keys fail admission due to malformed or missing PEM data (#​7928, @​SgtCoDFish)
• Major upgrade of Akamai SDK. NOTE: The new version has not been fully tested end-to-end due to the lack of cloud infrastructure. (#​8003, @​hjoshi123)
• Update kind images to include the Kubernetes 1.33 node image (#​7786, @​wallrj)
• Use maps.Copy for cleaner map handling (#​8092, @​quantpoet)
• Vault: Migrate Vault E2E add-on tests from deprecated vault-client-go to the new vault/api client. (#​8059, @​armagankaratosun)

gin-gonic/gin (github.com/gin-gonic/gin)

v1.12.0

Compare Source

Features

• feat(render): add bson protocol (#​4145)
• feat(context): add GetError and GetErrorSlice methods for error retrieval (#​4502)
• feat(binding): add support for encoding.UnmarshalText in uri/query binding (#​4203)
• feat(gin): add option to use escaped path (#​4420)
• feat(context): add Protocol Buffers support to content negotiation (#​4423)
• feat(context): implemented Delete method (#​38e7651)
• feat(logger): color latency (#​4146)

Enhancements

• perf(tree): reduce allocations in findCaseInsensitivePath (#​4417)
• perf(recovery): optimize line reading in stack function (#​4466)
• perf(path): replace regex with custom functions in redirectTrailingSlash (#​4414)
• perf(tree): optimize path parsing using strings.Count (#​4246)
• chore(logger): allow skipping query string output (#​4547)
• chore(context): always trust xff headers from unix socket (#​3359)
• chore(response): prevent Flush() panic when the underlying ResponseWriter does not implement http.Flusher (#​4479)
• refactor(recovery): smart error comparison (#​4142)
• refactor(context): replace hardcoded localhost IPs with constants (#​4481)
• refactor(utils): move util functions to utils.go (#​4467)
• refactor(binding): use maps.Copy for cleaner map handling (#​4352)
• refactor(context): using maps.Clone (#​4333)
• refactor(ginS): use sync.OnceValue to simplify engine function (#​4314)
• refactor: replace magic numbers with named constants in bodyAllowedForStatus (#​4529)
• refactor: for loop can be modernized using range over int (#​4392)

Bug Fixes

• fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#​4535)
• fix(render): write content length in Data.Render (#​4206)
• fix(context): ClientIP handling for multiple X-Forwarded-For header values (#​4472)
• fix(binding): empty value error (#​2169)
• fix(recover): suppress http.ErrAbortHandler in recover (#​4336)
• fix(gin): literal colon routes not working with engine.Handler() (#​4415)
• fix(gin): close os.File in RunFd to prevent resource leak (#​4422)
• fix(response): refine hijack behavior for response lifecycle (#​4373)
• fix(binding): improve empty slice/array handling in form binding (#​4380)
• fix(debug): version mismatch (#​4403)
• fix: correct typos, improve documentation clarity, and remove dead code (#​4511)

Build process updates / CI

• ci: update Go version support to 1.25+ across CI and docs (#​4550)
• chore(binding): upgrade bson dependency to mongo-driver v2 (#​4549)

v1.11.0

Compare Source

Features

• feat(gin): Experimental support for HTTP/3 using quic-go/quic-go (#​3210)
• feat(form): add array collection format in form binding (#​3986), add custom string slice for form tag unmarshal (#​3970)
• feat(binding): add BindPlain (#​3904)
• feat(fs): Export, test and document OnlyFilesFS (#​3939)
• feat(binding): add support for unixMilli and unixMicro (#​4190)
• feat(form): Support default values for collections in form binding (#​4048)
• feat(context): GetXxx added support for more go native types (#​3633)

Enhancements

• perf(context): optimize getMapFromFormData performance (#​4339)
• refactor(tree): replace string(/) with "/" in node.insertChild (#​4354)
• refactor(render): remove headers parameter from writeHeader (#​4353)
• refactor(context): simplify "GetType()" functions (#​4080)
• refactor(slice): simplify SliceValidationError Error method (#​3910)
• refactor(context):Avoid using filepath.Dir twice in SaveUploadedFile (#​4181)
• refactor(context): refactor context handling and improve test robustness (#​4066)
• refactor(binding): use strings.Cut to replace strings.Index (#​3522)
• refactor(context): add an optional permission parameter to SaveUploadedFile (#​4068)
• refactor(context): verify URL is Non-nil in initQueryCache() (#​3969)
• refactor(context): YAML judgment logic in Negotiate (#​3966)
• tree: replace the self-defined 'min' to official one (#​3975)
• context: Remove redundant filepath.Dir usage (#​4181)

Bug Fixes

• fix: prevent middleware re-entry issue in HandleContext (#​3987)
• fix(binding): prevent duplicate decoding and add validation in decodeToml (#​4193)
• fix(gin): Do not panic when handling method not allowed on empty tree (#​4003)
• fix(gin): data race warning for gin mode (#​1580)
• fix(context): verify URL is Non-nil in initQueryCache() (#​3969)
• fix(context): YAML judgment logic in Negotiate (#​3966)
• fix(context): check handler is nil (#​3413)
• fix(readme): fix broken link to English documentation (#​4222)
• fix(tree): Keep panic infos consistent when wildcard type build faild (#​4077)

Build process updates / CI

• ci: integrate Trivy vulnerability scanning into CI workflow (#​4359)
• ci: support Go 1.25 in CI/CD (#​4341)
• build(deps): upgrade github.com/bytedance/sonic from v1.13.2 to v1.14.0 (#​4342)
• ci: add Go version 1.24 to GitHub Actions (#​4154)
• build: update Gin minimum Go version to 1.21 (#​3960)
• ci(lint): enable new linters (testifylint, usestdlibvars, perfsprint, etc.) (#​4010, #​4091, #​4090)
• ci(lint): update workflows and improve test request consistency (#​4126)

Dependency updates

• chore(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.9 (#​4346, #​4356)
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 (#​4347)
• chore(deps): bump actions/setup-go from 5 to 6 (#​4351)
• chore(deps): bump github.com/quic-go/quic-go from 0.53.0 to 0.54.0 (#​4328)
• chore(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 (#​4178, #​4221)
• chore(deps): bump github.com/go-playground/validator/v10 from 10.20.0 to 10.22.1 (#​4052)

Documentation updates

• docs(changelog): update release notes for Gin v1.10.1 (#​4360)
• docs: Fixing English grammar mistakes and awkward sentence structure in doc/doc.md (#​4207)
• docs: update documentation and release notes for Gin v1.10.0 (#​3953)
• docs: fix typo in Gin Quick Start (#​3997)
• docs: fix comment and link issues (#​4205, #​3938)
• docs: fix route group example code (#​4020)
• docs(readme): add Portuguese documentation (#​4078)
• docs(context): fix some function names in comment (#​4079)

---

v1.10.1

Compare Source

Features

• refactor: strengthen HTTPS security and improve code organization
• feat(binding): Support custom BindUnmarshaler for binding. (#​3933)

Enhancements

• chore(deps): bump github.com/bytedance/sonic from 1.11.3 to 1.11.6 (#​3940)
• chore(deps): bump golangci/golangci-lint-action from 4 to 5 (#​3941)
• chore: update external dependencies to latest versions (#​3950)
• chore: update various Go dependencies to latest versions (#​3901)
• chore: refactor configuration files for better readability (#​3951)
• chore: update changelog categories and improve documentation (#​3917)
• feat: update version constant to v1.10.0 (#​3952)

Build process updates

• ci(release): refactor changelog regex patterns and exclusions (#​3914)
• ci(Makefile): vet command add .PHONY (#​3915)

go-jose/go-jose (github.com/go-jose/go-jose/v4)

v4.1.4

Compare Source

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

grpc-ecosystem/go-grpc-middleware (github.com/grpc-ecosystem/go-grpc-middleware/v2)

v2.3.3

Compare Source

What's Changed

• add WithLabelsFromContext prometheus interceptor option by @​benjibuiltit in #​758
• fix: correct comment typo in StreamServerInterceptor function by @​haru-256 in #​760
• Minor refactor to remove duplication by @​nwnt in #​761
• chore: migrate golangci-lint to v2.3.0 by @​mmorel-35 in #​765
• chore: enable misspell linter with golangci-lint by @​mmorel-35 in #​768
• chore: enable errorlint by @​mmorel-35 in #​774
• chore: update buf to v1.55.1 by @​mmorel-35 in #​767
• chore: update dependabot configuration for gomod and github-actions by @​mmorel-35 in #​775
• chore: enable testifylint linter by @​mmorel-35 in #​769
• chore: enable several rules from go-critic by @​mmorel-35 in #​766
• chore: enable several rules from govet by @​mmorel-35 in #​773
• chore: enable contextcheck and fatcontext linters by @​mmorel-35 in #​770
• chore: enable usestdlibvars linter by @​mmorel-35 in #​772
• chore: enable promlinter linter by @​mmorel-35 in #​771
• chore: enable usetesting linter by @​mmorel-35 in #​784
• build(deps): bump google.golang.org/grpc from 1.67.1 to 1.74.2 by @​mmorel-35 in #​785
• chore: enable hugeParam rule from go-critic by @​mmorel-35 in #​786
• chore: use actions/setup-go native cache by @​mmorel-35 in #​787
• fix(#​794): Wrapping codes.OK should not cause panic by @​floppyzedolfin in #​795
• feat(prometheus): add ContextLabels to ClientMetrics by @​ArtARTs36 in #​798
• fix(ci): tidy module before linting by [@​manute](https://redir

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Etc/UTC)

• Branch creation
  • "before 5am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: controller/deploy/operator/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 42 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.26.0
github.com/coreos/go-oidc	v2.3.0+incompatible -> v2.5.0+incompatible
github.com/go-jose/go-jose/v4	v4.1.3 -> v4.1.4
github.com/go-openapi/jsonpointer	v0.22.1 -> v0.22.4
github.com/go-openapi/jsonreference	v0.21.2 -> v0.21.4
github.com/go-openapi/swag/jsonname	v0.25.1 -> v0.25.4
github.com/google/gnostic-models	v0.7.0 -> v0.7.1
github.com/google/pprof	v0.0.0-20241210010833-40e02aabc2ad -> v0.0.0-20260402051712-545e8a4df936
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.1 -> v2.27.7
github.com/mailru/easyjson	v0.9.0 -> v0.9.1
github.com/prometheus/common	v0.66.1 -> v0.67.5
github.com/prometheus/procfs	v0.17.0 -> v0.19.2
github.com/spf13/cobra	v1.10.1 -> v1.10.2
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.61.0 -> v0.65.0
go.opentelemetry.io/otel	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.37.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.37.0 -> v1.40.0
go.opentelemetry.io/otel/metric	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/sdk	v1.39.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.39.0 -> v1.43.0
go.opentelemetry.io/proto/otlp	v1.7.0 -> v1.9.0
go.uber.org/zap	v1.27.0 -> v1.27.1
go.yaml.in/yaml/v2	v2.4.2 -> v2.4.3
golang.org/x/crypto	v0.47.0 -> v0.50.0
golang.org/x/exp	v0.0.0-20250718183923-645b1fa84792 -> v0.0.0-20251219203646-944ab1f22d93
golang.org/x/net	v0.49.0 -> v0.53.0
golang.org/x/oauth2	v0.34.0 -> v0.35.0
golang.org/x/sync	v0.19.0 -> v0.20.0
golang.org/x/sys	v0.40.0 -> v0.43.0
golang.org/x/term	v0.39.0 -> v0.42.0
golang.org/x/text	v0.33.0 -> v0.36.0
golang.org/x/time	v0.13.0 -> v0.14.0
golang.org/x/tools	v0.40.0 -> v0.44.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260120221211-b8f7ae30c516 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260120221211-b8f7ae30c516 -> v0.0.0-20260319201613-d00831a3d3e7
google.golang.org/protobuf	v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/apiextensions-apiserver	v0.34.1 -> v0.36.0
k8s.io/component-base	v0.34.1 -> v0.36.2
k8s.io/klog/v2	v2.130.1 -> v2.140.0
k8s.io/kube-openapi	v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260317180543-43fb72c5454a
sigs.k8s.io/apiserver-network-proxy/konnectivity-client	v0.33.0 -> v0.34.0
sigs.k8s.io/gateway-api	v1.4.0 -> v1.5.0
sigs.k8s.io/structured-merge-diff/v6	v6.3.0 -> v6.3.2

File name: controller/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 45 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.26.0
google.golang.org/protobuf	v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
filippo.io/bigmod	v0.0.3 -> v0.1.1-0.20260103110540-f8a47775ebe5
github.com/bmatcuk/doublestar/v4	v4.8.0 -> v4.10.0
github.com/bytedance/sonic	v1.11.6 -> v1.15.0
github.com/cloudwego/base64x	v0.1.4 -> v0.1.6
github.com/coreos/go-oidc	v2.3.0+incompatible -> v2.5.0+incompatible
github.com/emicklei/go-restful/v3	v3.11.0 -> v3.13.0
github.com/fsnotify/fsnotify	v1.7.0 -> v1.9.0
github.com/fxamacker/cbor/v2	v2.7.0 -> v2.9.0
github.com/gabriel-vasile/mimetype	v1.4.3 -> v1.4.12
github.com/gin-contrib/sse	v0.1.0 -> v1.1.0
github.com/go-chi/chi/v5	v5.2.0 -> v5.2.5
github.com/go-playground/validator/v10	v10.20.0 -> v10.30.1
github.com/goccy/go-json	v0.10.2 -> v0.10.5
github.com/google/cel-go	v0.23.2 -> v0.26.0
github.com/google/gnostic-models	v0.6.9 -> v0.7.0
github.com/google/pprof	v0.0.0-20241210010833-40e02aabc2ad -> v0.0.0-20260402051712-545e8a4df936
github.com/klauspost/cpuid/v2	v2.2.7 -> v2.3.0
github.com/modern-go/reflect2	v1.0.2 -> v1.0.3-0.20250322232337-35a7c28c31ee
github.com/pelletier/go-toml/v2	v2.2.2 -> v2.2.4
github.com/prometheus/client_golang	v1.22.0 -> v1.23.2
github.com/prometheus/client_model	v0.6.1 -> v0.6.2
github.com/prometheus/common	v0.62.0 -> v0.67.5
github.com/prometheus/procfs	v0.15.1 -> v0.19.2
github.com/sirupsen/logrus	v1.9.3 -> v1.9.4
github.com/spf13/cobra	v1.8.1 -> v1.10.2
github.com/spf13/pflag	v1.0.5 -> v1.0.9
github.com/ugorji/go/codec	v1.2.12 -> v1.3.1
github.com/zitadel/logging	v0.6.1 -> v0.7.0
github.com/zitadel/schema	v1.3.0 -> v1.3.2
go.opentelemetry.io/otel	v1.39.0 -> v1.43.0
go.uber.org/zap	v1.27.0 -> v1.27.1
golang.org/x/arch	v0.8.0 -> v0.22.0
golang.org/x/crypto	v0.47.0 -> v0.53.0
golang.org/x/net	v0.49.0 -> v0.56.0
golang.org/x/oauth2	v0.34.0 -> v0.36.0
golang.org/x/sys	v0.40.0 -> v0.46.0
golang.org/x/term	v0.39.0 -> v0.44.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260120221211-b8f7ae30c516 -> v0.0.0-20260610212136-7ab31c22f7ad
gopkg.in/evanphx/json-patch.v4	v4.12.0 -> v4.13.0
k8s.io/apiextensions-apiserver	v0.33.0 -> v0.36.0
k8s.io/component-base	v0.33.0 -> v0.36.2
k8s.io/klog/v2	v2.130.1 -> v2.140.0
k8s.io/kube-openapi	v0.0.0-20250318190949-c8a335a9a2ff -> v0.0.0-20260317180543-43fb72c5454a
sigs.k8s.io/json	v0.0.0-20241010143419-9aa6b5e7a4b3 -> v0.0.0-20250730193827-2d320260d730

File name: e2e/test/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.25.0
github.com/google/pprof	v0.0.0-20260115054156-294ebfa9ad83 -> v0.0.0-20260402051712-545e8a4df936
golang.org/x/mod	v0.32.0 -> v0.35.0
golang.org/x/net	v0.49.0 -> v0.53.0
golang.org/x/sync	v0.19.0 -> v0.20.0
golang.org/x/sys	v0.40.0 -> v0.43.0
golang.org/x/text	v0.33.0 -> v0.36.0
golang.org/x/tools	v0.41.0 -> v0.44.0

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 35b1013a-0792-4c6a-a2dd-224ff8514ea1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/kubernetes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}