fix(deps): update kubernetes packages to v0.36.2 #126

Open
red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main/kubernetes-go
@red-hat-konflux red-hat-konflux Bot commented Jun 16, 2026

Contributor

This PR contains the following updates:

| Package | Change |
|---|---|
| k8s.io/api | v0.35.3 -> v0.36.2 |
| k8s.io/apiextensions-apiserver | v0.35.3 -> v0.36.2 |
| k8s.io/apimachinery | v0.35.3 -> v0.36.2 |
| k8s.io/cli-runtime | v0.35.3 -> v0.36.2 |
| k8s.io/client-go | v0.35.3 -> v0.36.2 |

Release Notes

kubernetes/api (k8s.io/api): v0.36.2, v0.36.1, v0.36.0, v0.35.6, v0.35.5, v0.35.4

kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver): v0.36.2, v0.36.1, v0.36.0, v0.35.6, v0.35.5, v0.35.4

kubernetes/apimachinery (k8s.io/apimachinery): v0.36.2, v0.36.1, v0.36.0, v0.35.6, v0.35.5, v0.35.4

kubernetes/cli-runtime (k8s.io/cli-runtime): v0.36.2, v0.36.1, v0.36.0, v0.35.6, v0.35.5, v0.35.4

kubernetes/client-go (k8s.io/client-go): v0.36.2, v0.36.1, v0.36.0, v0.35.6, v0.35.5, v0.35.4


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. labels Jun 16, 2026
@red-hat-konflux

Contributor Author

ℹ️ Artifact update notice

File name: api/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • The go directive was updated for compatibility reasons

Details:

| Package | Change |
|---|---|
| go | 1.25.7 -> 1.26.0 |

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • The go directive was updated for compatibility reasons

Details:

| Package | Change |
|---|---|
| go | 1.25.7 -> 1.26.0 |

@red-hat-konflux red-hat-konflux Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. labels Jun 16, 2026
coderabbitai Bot commented Jun 16, 2026

Walkthrough

Go toolchain updated to 1.26.0 in both api/go.mod and go.mod. Kubernetes dependencies (k8s.io/apimachinery, k8s.io/apiextensions-apiserver, and in root module also k8s.io/api, k8s.io/cli-runtime, k8s.io/client-go) bumped from v0.35.3 to v0.36.2. Two indirect dependencies (github.com/google/go-cmp and github.com/gregjones/httpcache) removed from root go.mod.

Changes

Go and Kubernetes dependency upgrades

| Layer / File(s) | Summary |
|---|---|
| Go toolchain and Kubernetes dependencies (api/go.mod, go.mod) | Go directive bumped to 1.26.0 in both files. k8s.io/apimachinery and k8s.io/apiextensions-apiserver upgraded to v0.36.2 in both. Root go.mod additionally upgrades k8s.io/api, k8s.io/cli-runtime, and k8s.io/client-go to v0.36.2. Two indirect dependencies (github.com/google/go-cmp and github.com/gregjones/httpcache) removed from root go.mod. |

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title accurately describes the main change: updating Kubernetes packages to v0.36.2, which is the primary objective of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | PR description documents Kubernetes dependency updates from v0.35.3 to v0.36.2 with release notes and configuration details relevant to the changeset. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/go.mod`:
- Around line 6-7: Update k8s.io/apiextensions-apiserver from v0.35.3 to v0.36.2
in both go.mod files to align with the versions of k8s.io/apimachinery and other
Kubernetes packages. In api/go.mod at lines 6-7, change the
k8s.io/apiextensions-apiserver version to v0.36.2. In go.mod at lines 8-12, find
and update the k8s.io/apiextensions-apiserver entry to v0.36.2 as well. These
Kubernetes-staged packages must use matching versions to ensure API
compatibility.
- Line 3: The test agent Dockerfile contains an outdated Go version reference
that does not match the updated go.mod version. Locate the FROM statement in the
test agent Dockerfile that references golang:1.25.7-bookworm and update it to
golang:1.26.0-bookworm to align with the go.mod files which have been updated to
go 1.26.0. This ensures the test agent image builds correctly without version
mismatches.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b8af7b22-a7b7-4b5e-9878-b0ab1186069f

📥 Commits

Reviewing files that changed from the base of the PR and between 0955903 and c8fdc67.

⛔ Files ignored due to path filters (2)
  • api/go.sum is excluded by !**/*.sum, !api/go.sum
  • go.sum is excluded by !**/*.sum, !go.sum
📒 Files selected for processing (2)
  • api/go.mod
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/lightspeed-agentic-sandbox (manual)

Comment thread api/go.mod
module github.com/openshift/lightspeed-agentic-operator/api

go 1.25.7
go 1.26.0
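Review bot: The `go` line in api/go.mod moves from 1.25.7 to 1.26.0, so the minimum toolchain for the api module rises inside what is titled a Kubernetes package update. Anything that compiles this module with an older Go (a pinned builder image, a CI job, a downstream module that requires it) has to move in the same change or earlier; please call the toolchain bump out in the PR description and confirm those builders are at 1.26.0 or later before merging.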


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check Dockerfile Go version directive
grep -n "golang:" test/agent/Dockerfile

Repository: openshift/lightspeed-agentic-operator

Length of output: 122


🏁 Script executed:

#!/bin/bash
# Find all Dockerfiles to check for stale Go versions
find . -name "Dockerfile*" -o -name "dockerfile*" | xargs ls -la 2>/dev/null

Repository: openshift/lightspeed-agentic-operator

Length of output: 216


🏁 Script executed:

#!/bin/bash
# Check for Go version references in all Dockerfiles
find . \( -name "Dockerfile*" -o -name "dockerfile*" \) -type f -exec grep -Hn "golang:" {} \;

Repository: openshift/lightspeed-agentic-operator

Length of output: 146


🏁 Script executed:

#!/bin/bash
# Check the root go.mod to confirm the version bump
head -10 go.mod | grep -E "^go "

Repository: openshift/lightspeed-agentic-operator

Length of output: 91


🏁 Script executed:

#!/bin/bash
# Check CI/CD workflows to see if Go version is enforced
find . -path ./.git -prune -o \( -name "*.yaml" -o -name "*.yml" \) -type f -exec grep -l "go.*version\|golang\|Go" {} \; | grep -E "(\.github|\.gitlab|\.circleci|Makefile)" | head -10

Repository: openshift/lightspeed-agentic-operator

Length of output: 63


🏁 Script executed:

#!/bin/bash
# Check if go.mod version directive is strictly enforced (Go 1.21+)
rg "^go 1\.[0-9]+" go.mod api/go.mod

Repository: openshift/lightspeed-agentic-operator

Length of output: 119


🏁 Script executed:

#!/bin/bash
# Check the root Dockerfile for Go version
cat -n Dockerfile | head -15

Repository: openshift/lightspeed-agentic-operator

Length of output: 700


🏁 Script executed:

#!/bin/bash
# Check the test/agent Dockerfile full content
cat -n test/agent/Dockerfile

Repository: openshift/lightspeed-agentic-operator

Length of output: 1207


🏁 Script executed:

#!/bin/bash
# Check Makefile or build scripts for how these Dockerfiles are used
rg "Dockerfile|docker build" -i Makefile README.md 2>/dev/null || echo "Checking build references..."

Repository: openshift/lightspeed-agentic-operator

Length of output: 656


🏁 Script executed:

#!/bin/bash
# Check if there's a way to determine what Go version UBI9 go-toolset:9.8 provides
# or if there are other references to Go version requirements
rg "go.*1\.26|1\.25" --type go --type md --type txt | head -20

Repository: openshift/lightspeed-agentic-operator

Length of output: 63


🏁 Script executed:

#!/bin/bash
# Check if there are CI workflows that would catch this mismatch
find . -path ./.git -prune -o -type d -name ".github" -o -name ".gitlab-ci" -o -name ".circleci" -print

Repository: openshift/lightspeed-agentic-operator

Length of output: 63


🏁 Script executed:

#!/bin/bash
# Check .github for workflow files
find .github -name "*.yml" -o -name "*.yaml" 2>/dev/null | xargs cat 2>/dev/null | grep -A 5 -B 5 "test/agent\|docker" | head -40

Repository: openshift/lightspeed-agentic-operator

Length of output: 63


test/agent/Dockerfile Go version must be updated to 1.26.0.

The go.mod files were updated to go 1.26.0, but test/agent/Dockerfile (line 7) still pins golang:1.25.7-bookworm. This will cause build failures when the test agent image is built (e.g., make -C test/agent docker-build). Update line 7 to FROM golang:1.26.0-bookworm AS builder to match the go.mod version.

The root Dockerfile is unaffected—it uses registry.redhat.io/ubi9/go-toolset:9.8, which does not pin an explicit Go version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/go.mod` at line 3, The test agent Dockerfile contains an outdated Go
version reference that does not match the updated go.mod version. Locate the
FROM statement in the test agent Dockerfile that references
golang:1.25.7-bookworm and update it to golang:1.26.0-bookworm to align with the
go.mod files which have been updated to go 1.26.0. This ensures the test agent
image builds correctly without version mismatches.

Comment thread api/go.mod Outdated
@openshift-ci openshift-ci Bot requested review from harche and joshuawilson June 16, 2026 04:26
@openshift-merge-bot

Contributor

/retest-required

Remaining retests: 0 against base HEAD 7c9a717 and 2 for PR HEAD c8fdc67 in total

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/kubernetes-go branch from c8fdc67 to 5870a0c Compare June 16, 2026 08:39
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 16, 2026
openshift-ci Bot commented Jun 16, 2026

New changes are detected. LGTM label has been removed.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: Update the Go version directive in go.mod from 1.26.0 to 1.26.4 or
later to patch multiple security vulnerabilities (CVEs 2026-27137, 2026-27138,
2026-27142, 2026-25679, 2026-27139, and 2026-27144). Change the go statement at
line 3 to specify Go 1.26.4, which is the current stable release that addresses
all known security issues in the crypto/x509, html/template, net/url, os
package, and compiler components.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 686edd05-bdf2-4125-bd91-dd08a3e8d345

📥 Commits

Reviewing files that changed from the base of the PR and between c8fdc67 and 5870a0c.

⛔ Files ignored due to path filters (2)
  • api/go.sum is excluded by !**/*.sum, !api/go.sum
  • go.sum is excluded by !**/*.sum, !go.sum
📒 Files selected for processing (2)
  • api/go.mod
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/lightspeed-agentic-sandbox (manual)
🚧 Files skipped from review as they are similar to previous changes (1)
  • api/go.mod

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/kubernetes-go branch from 5870a0c to 949016e Compare June 16, 2026 12:28
openshift-ci Bot commented Jun 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
go.mod (1)

3-3: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Go 1.26.0 contains multiple unpatched security vulnerabilities; upgrade to 1.26.4 or later.

Go 1.26.0 has 6 known CVEs affecting crypto/x509 (CVE-2026-27137, CVE-2026-27138), html/template XSS (CVE-2026-27142), net/url IPv6 validation (CVE-2026-25679), os package root escape (CVE-2026-27139), and compiler memory corruption (CVE-2026-27144). Use Go 1.26.4, the current stable release, to patch these security issues.

🔧 Proposed fix
-go 1.26.0
+go 1.26.4
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, The go.mod file specifies Go 1.26.0 which contains
multiple unpatched security vulnerabilities including CVEs in crypto/x509,
html/template, net/url, os package, and the compiler. Update the Go version
directive from 1.26.0 to 1.26.4 (or a later stable release) to address these
security issues.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 3: The go.mod file specifies Go version 1.26.0, but the Dockerfile
builder stage in test/agent/Dockerfile uses golang:1.25.7-bookworm which is an
older version. When the Go 1.25.7 toolchain tries to build a module requiring
1.26.0, the build will fail. Update the builder image in test/agent/Dockerfile
from golang:1.25.7-bookworm to golang:1.26.4-bookworm (or any later 1.26.x
version) to match the go.mod requirement.

---

Duplicate comments:
In `@go.mod`:
- Line 3: The go.mod file specifies Go 1.26.0 which contains multiple unpatched
security vulnerabilities including CVEs in crypto/x509, html/template, net/url,
os package, and the compiler. Update the Go version directive from 1.26.0 to
1.26.4 (or a later stable release) to address these security issues.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 30214f68-d3a8-40b6-a625-897105b9574b

📥 Commits

Reviewing files that changed from the base of the PR and between 5870a0c and 949016e.

⛔ Files ignored due to path filters (2)
  • api/go.sum is excluded by !**/*.sum, !api/go.sum
  • go.sum is excluded by !**/*.sum, !go.sum
📒 Files selected for processing (2)
  • api/go.mod
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/lightspeed-agentic-sandbox (manual)
🚧 Files skipped from review as they are similar to previous changes (1)
  • api/go.mod

Comment thread go.mod
module github.com/openshift/lightspeed-agentic-operator

go 1.25.7
go 1.26.0
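Review bot: `go 1.26.0` in the root go.mod sets only the lowest Go version allowed to build the module; a toolchain that is already at or above it is used as is, so this line does not decide which 1.26.x patch release produces the binaries. That is decided by the builder image or installed toolchain, so if a specific patch level is wanted, pin it there (or with a `toolchain` line) and keep this floor no higher than the updated dependencies require.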


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the go.mod file for the Go version directive
head -5 go.mod

Repository: openshift/lightspeed-agentic-operator

Length of output: 159


🏁 Script executed:

#!/bin/bash
# Check the test/agent/Dockerfile for Go base image
cat test/agent/Dockerfile | head -20

Repository: openshift/lightspeed-agentic-operator

Length of output: 831


🌐 Web query:

golang:1.26.4-bookworm docker hub official go image releases 1.26

💡 Result:

The Go 1.26 release branch is officially available and supported [1][2]. As of June 16, 2026, the latest minor version in this branch is Go 1.26.4, which was released on June 2, 2026 [1]. Regarding the Docker Hub official image, golang:1.26.4-bookworm is a valid, officially supported tag [3][4]. The golang Docker Official Image provides comprehensive tag support for the 1.26 release branch, including specific Debian-based variants like bookworm and trixie, as well as Alpine-based variants [5][4].

Summary of relevant tags for the 1.26 branch:

  • golang:1.26.4-bookworm: Specific patch version on Debian Bookworm [5][4].
  • golang:1.26-bookworm: Rolling tag that points to the latest 1.26.x minor release on Debian Bookworm [5][4].
  • golang:1.26.4: Shared tag for the 1.26.4 release across supported operating systems [4].
  • golang:1.26: Shared tag for the latest 1.26.x minor release [5][4].

You can pull the image using: docker pull golang:1.26.4-bookworm [3][4]


Dockerfile build will fail: go.mod requires 1.26.0 but test/agent/Dockerfile uses golang:1.25.7-bookworm.

The Dockerfile's builder stage (test/agent/Dockerfile:6) pins golang:1.25.7-bookworm, but go.mod specifies go 1.26.0. Go 1.25.7's toolchain will reject a module requiring 1.26.0 and fail the build.

Update the builder to golang:1.26.4-bookworm (or later 1.26.x) to match the go.mod requirement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, The go.mod file specifies Go version 1.26.0, but the
Dockerfile builder stage in test/agent/Dockerfile uses golang:1.25.7-bookworm
which is an older version. When the Go 1.25.7 toolchain tries to build a module
requiring 1.26.0, the build will fail. Update the builder image in
test/agent/Dockerfile from golang:1.25.7-bookworm to golang:1.26.4-bookworm (or
any later 1.26.x version) to match the go.mod requirement.
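
A CI guard for the mismatch that both CodeRabbit comments on the `go` directive describe (go.mod at 1.26.0, builder image at golang:1.25.7-bookworm), as an added example that is not part of the PR or the repository. The function names, the `example.test` module paths and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the PR: report Dockerfile builder images whose
# golang tag is older than the highest `go` directive found in the tree.

# ver_lt A B: succeeds when A is lower than B. Only as many dotted components
# as A has are compared, so a rolling tag like 1.26 is not flagged against 1.26.4.
ver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= n; i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1
  }'
}

# go_floor ROOT: print the highest `go` directive across all go.mod files.
go_floor() {
  find "$1" -type f -name go.mod -exec awk '
    FNR == 1 { seen = 0 }
    $1 == "go" && NF == 2 && !seen { print $2; seen = 1 }' {} + |
  awk '{
    split($1, v, "."); split(max, m, ".")
    for (i = 1; i <= 3; i++) {
      if ((v[i] + 0) > (m[i] + 0)) { max = $1; break }
      if ((v[i] + 0) < (m[i] + 0)) break
    }
  } END { print max }'
}

# stale_builders ROOT: print one line per stale FROM golang:<version> and
# return 1 if any was found. Matches upper-case FROM with a numeric tag only.
stale_builders() {
  floor=$(go_floor "$1")
  [ -n "$floor" ] || return 0
  out=$(find "$1" -type f -name 'Dockerfile*' -exec grep -HnE \
      '^FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?([^[:space:]]*/)?golang:[0-9]' {} + |
    while IFS= read -r hit; do
      tag=${hit##*golang:}        # e.g. "1.25.7-bookworm AS builder"
      ver=${tag%%[!0-9.]*}        # e.g. "1.25.7"
      if ver_lt "$ver" "$floor"; then
        printf '%s: golang:%s is older than go %s\n' "${hit%%:FROM*}" "$ver" "$floor"
      fi
    done)
  [ -n "$out" ] || return 0
  printf '%s\n' "$out"
  return 1
}

# demo: constructed tree with the versions discussed in the thread.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/api" "$tmp/test/agent"
  printf 'module example.test/op\n\ngo 1.26.0\n' > "$tmp/go.mod"
  printf 'module example.test/op/api\n\ngo 1.26.0\n' > "$tmp/api/go.mod"
  printf 'FROM golang:1.25.7-bookworm AS builder\n' > "$tmp/test/agent/Dockerfile"
  printf 'FROM registry.redhat.io/ubi9/go-toolset:9.8\n' > "$tmp/Dockerfile"
  rc=0
  (cd "$tmp" && stale_builders .) || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# With a directory argument, check it; otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then stale_builders "$1"; else demo || true; fi
```

Images that carry no Go version in the tag, such as the ubi9/go-toolset base, are not matched and need a separate check of the Go release they ship.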

openshift-ci Bot commented Jun 16, 2026

@red-hat-konflux[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/api-lint | 949016e | link | true | /test api-lint |
| ci/prow/generate | 949016e | link | true | /test generate |
| ci/prow/unit | 949016e | link | true | /test unit |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.
