build(deps): bump the go-operator-dependencies group across 1 directory with 9 updates

[dependabot]

Bumps the go-operator-dependencies group with 1 update in the /controller/deploy/operator directory: github.com/cert-manager/cert-manager.

Updates github.com/cert-manager/cert-manager from 1.18.6 to 1.20.2

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies to address reported vulnerabilities.

Changes by Kind

Bug or Regression

• Helm: Fix invalid YAML generated when both webhook.config and webhook.volumes are defined. (#8665, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go dependencies with reported vulnerabilities (#8704, @​erikgb)
• Bump go to 1.26.2 (#8703, @​erikgb)

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression

• Fixed duplicate parentRef bug when both issuer config and annotations are present. (#8658, @​hjoshi123)
• Add missing issuer finalizer RBAC to the order controller to support owner references. This was preventing OpenShift users from being able to upgrade to v1.20.0. (#8655, @​erikgb)
• Bump google.golang.org/grpc to fix vulnerability reported by scanners. This isn't a vulnerability that affects cert-manager, but we are bumping it because it is reported by scanners. (#8657, @​erikgb)

v1.20.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.

Changes by Kind

Feature

• Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. (#8370, @​jcpunk)
• Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} (#8256, @​tareksha)
• Added support for specifying imagePullSecrets in the startupapicheck-job Helm template to enable pulling images from private registries. (#8186, @​mathieu-clnk)
• Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. (#8355, @​dancmeyers)
• Added parentRef override annotations on the Certificate resource. (#8518, @​hjoshi123)
• Added support for azure private zones for dns01 issuer. (#8494, @​hjoshi123)
• Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. (#7642, @​robertlestak)
• Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget (#7728, @​jcpunk)
• For Venafi provider, read venafi.cert-manager.io/custom-fields annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#8301, @​k0da)
• Improve error message when CA issuers are misconfigured to use a clashing secret name (#8374, @​majiayu000)
• Introduce a new Ingress annotation acme.cert-manager.io/http01-ingress-ingressclassname to override http01.ingress.ingressClassName field in HTTP-01 challenge solvers. (#8244, @​lunarwhite)
• Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#8195, @​StingRayZA)
• Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. (#8228, @​terinjokes)
• Added experimental XListenerSets feature gate (#8394, @​hjoshi123)

Documentation

• Add GWAPI documentation to NOTES.TXT in helm chart (#8353, @​jaxels10)

... (truncated)

Commits

• e5b7b18 Merge pull request #8704 from erikgb/1-20-fix-vuln-go-deps
• e7ec855 Merge pull request #8703 from erikgb/1-20-bump-go-base-images
• cd96b95 [release-1.20] Bump go dependencies with reported vulnerabilities
• a1b6f11 [release-1.20] Bump go to 1.26.2 and bump base images
• 6dee676 Merge pull request #8665 from cert-manager-bot/cherry-pick-8664-to-release-1.20
• 9ccf555 Fix indentation in webhook-deployment when both webhook.volumes and webhook.c...
• dc96863 Merge pull request #8658 from cert-manager-bot/cherry-pick-8619-to-release-1.20
• 7e66079 removing duplicate parentRefs
• 75f90e4 Merge pull request #8657 from erikgb/fix-grpc-vuln
• f27364c Update module google.golang.org/grpc to v1.79.3 [security] (release-1.20)
• Additional commits viewable in compare view

Updates github.com/onsi/ginkgo/v2 from 2.22.2 to 2.28.0

Release notes

Sourced from github.com/onsi/ginkgo/v2's releases.

v2.28.0

2.28.0

Ginkgo's SemVer filter now supports filtering multiple components by SemVer version:

It("should work in a specific version range (1.0.0, 2.0.0) and third-party dependency redis in [8.0.0, ~)", SemVerConstraint(">= 3.2.0"), ComponentSemVerConstraint("redis", ">= 8.0.0") func() {
    // This test will only run when version is between 1.0.0 (exclusive) and 2.0.0 (exclusive) and redis version is >= 8.0.0
})

can be filtered in or out with an invocation like:

ginkgo --sem-ver-filter="2.1.1, redis=8.2.0"

Huge thanks to @​Icarus9913 for working on this!

v2.27.5

2.27.5

Fixes

Don't make a new formatter for each GinkgoT(); that's just silly and uses precious memory

v2.27.4

2.27.4

Fixes

• CurrentTreeConstructionNodeReport: fix for nested container nodes [59bc751]

v2.27.3

2.27.3

Fixes

report exit result in case of failure [1c9f356] fix data race [ece19c8]

v2.27.2

2.27.2

Fixes

• inline automaxprocs to simplify dependencies; this will be removed when Go 1.26 comes out [a69113a]

Maintenance

• Fix syntax errors and typo [a99c6e0]
• Fix paragraph position error [f993df5]

v2.27.1

2.27.1

... (truncated)

Changelog

Sourced from github.com/onsi/ginkgo/v2's changelog.

2.28.0

Ginkgo's SemVer filter now supports filtering multiple components by SemVer version:

It("should work in a specific version range (1.0.0, 2.0.0) and third-party dependency redis in [8.0.0, ~)", SemVerConstraint(">= 3.2.0"), ComponentSemVerConstraint("redis", ">= 8.0.0") func() {
    // This test will only run when version is between 1.0.0 (exclusive) and 2.0.0 (exclusive) and redis version is >= 8.0.0
})

can be filtered in or out with an invocation like:

ginkgo --sem-ver-filter="2.1.1, redis=8.2.0"

Huge thanks to @​Icarus9913 for working on this!

2.27.5

Fixes

Don't make a new formatter for each GinkgoT(); that's just silly and uses precious memory

2.27.4

Fixes

• CurrentTreeConstructionNodeReport: fix for nested container nodes [59bc751]

2.27.3

Fixes

report exit result in case of failure [1c9f356] fix data race [ece19c8]

2.27.2

Fixes

• inline automaxprocs to simplify dependencies; this will be removed when Go 1.26 comes out [a69113a]

Maintenance

• Fix syntax errors and typo [a99c6e0]
• Fix paragraph position error [f993df5]

2.27.1

Fixes

• Fix Ginkgo Reporter slice-bounds panic [606c1cb]
• Bug Fix: Add GinkoTBWrapper.Attr() and GinkoTBWrapper.Output() [a6463b3]

2.27.0

... (truncated)

Commits

• 2b2305b v2.28.0
• 71d2d89 feat: support component semantic version filtering
• 8cbbcb4 Fix doclink for ginkgo run
• a928307 v2.27.5
• 0d0e96d don't make a new formatter for each GinkgoT(); that's just silly and uses pre...
• 867ce95 v2.27.4
• 59bc751 CurrentTreeConstructionNodeReport: fix for nested container nodes
• f331739 v2.27.3
• 1c9f356 ginkgo: report exit result in case of failure
• ece19c8 ginkgo: fix data race
• Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.36.2 to 1.39.1

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.39.1

1.39.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

v1.39.0

1.39.0

Features

Add MatchErrorStrictly which only passes if errors.Is(actual, expected) returns true. MatchError, by contrast, will fallback to string comparison.

v1.38.3

1.38.3

Fixes

make string formatitng more consistent for users who use format.Object directly

v1.38.2

1.38.2

• roll back to go 1.23.0 [c404969]

v1.38.1

1.38.1

Fixes

Numerous minor fixes and dependency bumps

v1.38.0

1.38.0

Features

• gstruct handles extra unexported fields [4ee7ed0]

Fixes

• support [] in IgnoringTopFunction function signatures (#851) [36bbf72]

Maintenance

• Bump golang.org/x/net from 0.40.0 to 0.41.0 (#846) [529d408]
• Fix typo [acd1f55]
• Bump google.golang.org/protobuf from 1.36.5 to 1.36.6 (#835) [bae65a0]
• Bump nokogiri from 1.18.4 to 1.18.8 in /docs (#842) [8dda91f]
• Bump golang.org/x/net from 0.39.0 to 0.40.0 (#843) [212d812]
• Bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 (#839) [59bd7f9]
• Bump nokogiri from 1.18.1 to 1.18.4 in /docs (#834) [328c729]
• Bump uri from 1.0.2 to 1.0.3 in /docs (#826) [9a798a1]
• Bump golang.org/x/net from 0.37.0 to 0.39.0 (#841) [04a72c6]

... (truncated)

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.39.1

Update all dependencies. This auto-updated the required version of Go to 1.24, consistent with the fact that Go 1.23 has been out of support for almost six months.

1.39.0

Features

Add MatchErrorStrictly which only passes if errors.Is(actual, expected) returns true. MatchError, by contrast, will fallback to string comparison.

1.38.3

Fixes

make string formatitng more consistent for users who use format.Object directly

1.38.2

• roll back to go 1.23.0 [c404969]

1.38.1

Fixes

Numerous minor fixes and dependency bumps

1.38.0

Features

• gstruct handles extra unexported fields [4ee7ed0]

Fixes

• support [] in IgnoringTopFunction function signatures (#851) [36bbf72]

Maintenance

• Bump golang.org/x/net from 0.40.0 to 0.41.0 (#846) [529d408]
• Fix typo [acd1f55]
• Bump google.golang.org/protobuf from 1.36.5 to 1.36.6 (#835) [bae65a0]
• Bump nokogiri from 1.18.4 to 1.18.8 in /docs (#842) [8dda91f]
• Bump golang.org/x/net from 0.39.0 to 0.40.0 (#843) [212d812]
• Bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 (#839) [59bd7f9]
• Bump nokogiri from 1.18.1 to 1.18.4 in /docs (#834) [328c729]
• Bump uri from 1.0.2 to 1.0.3 in /docs (#826) [9a798a1]
• Bump golang.org/x/net from 0.37.0 to 0.39.0 (#841) [04a72c6]

1.37.0

Features

• add To/ToNot/NotTo aliases for AsyncAssertion [5666f98]

1.36.3

... (truncated)

Commits

• 1a25a36 v1.39.1
• 406faee bump all deps
• 49561ad v1.39.0
• 8f7f425 document MatchErrorStrictly
• bae643d add matcher relecting errors.Is behavior
• a3ca2ca v1.38.3
• 4dada36 fix failing have http tests
• d40c691 make string formatitng more consistent for users who use format.Object directly
• 2a37b46 doc: fix typos
• ee26170 docs: fix HaveValue example
• Additional commits viewable in compare view

Updates k8s.io/api from 0.34.1 to 0.35.2

Commits

• 8a137cd Update dependencies to v0.35.2 tag
• bbcbaa8 Merge remote-tracking branch 'origin/master' into release-1.35
• 5bced61 Bump golang.org/x/crypto to v0.45.0
• 39e2e26 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
• c22b4a1 vendor: update vendor and license metadata after replacing BeTrue usage in cs...
• e3b1f3d Resolve lint restriction on BeTrue by introducing Succeed() with contextual e...
• 3da327c Update vendored dependencies
• c764b44 Merge pull request #132919 from ndixita/pod-level-in-place-pod-resize
• aced136 Generated files from API changes
• 02d790d Adding Resources and AllocatedResoures fields to the list of expected fields ...
• Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.34.1 to 0.35.2

Commits

• 72d71ea Merge remote-tracking branch 'origin/master' into release-1.35
• e2a2dbc Bump golang.org/x/crypto to v0.45.0
• 2e9c228 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
• f274aac vendor: update vendor and license metadata after replacing BeTrue usage in cs...
• 9445443 Resolve lint restriction on BeTrue by introducing Succeed() with contextual e...
• 52154f7 Update vendored dependencies
• 5a348c5 KEP-5471: Extend tolerations operators (#134665)
• 6f89492 Merge pull request #133648 from richabanker/merged-discovery
• c77dde2 util/sort: Add MergePreservingRelativeOrder for topological sorting
• 729c13d Merge pull request #134624 from yt2985/podcertificates-beta
• Additional commits viewable in compare view

Updates k8s.io/apiserver from 0.34.1 to 0.35.2

Commits

• 9120deb Update dependencies to v0.35.2 tag
• 4d42711 Merge pull request #135815mborsz/automated-cherry-pick-of-#135367
• 7401388 Merge pull request #135838lalitc375/automated-cherry-pick-of-#135714
• 2b143d6 refactor: Ensure metricIdentifier uses scheme for kind resolution
• 131539d Merge remote-tracking branch 'origin/master' into release-1.35
• 3e0a914 Merge pull request #135536 from dims/bump-x/crypto-to-v0.45.0
• f6430f6 Merge remote-tracking branch 'origin/master' into release-1.35
• 095ead6 Merge pull request #135560 from lalitc375/map-debug
• 60ad4b7 Remove TestWatchStreamSeparation from storage/cacher related tests
• 7dde12d Fix MAP failure on objects with duplicate list items
• Additional commits viewable in compare view

Updates k8s.io/client-go from 0.34.1 to 0.35.2

Commits

• a21b329 Update dependencies to v0.35.2 tag
• 2d83546 Merge remote-tracking branch 'origin/master' into release-1.35
• 56b4af2 Merge pull request #135591 from p0lyn0mial/upstream-watchlist-reflector-log-f...
• 891f94c Merge remote-tracking branch 'origin/master' into release-1.35
• 65ffe04 Merge pull request #135580 from serathius/client-go-transformer
• 2fe4ac2 downgrade reflector watchlist fallback log to V(4)
• 97256a6 Bump golang.org/x/crypto to v0.45.0
• 46360b5 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
• 171ef8c Use transformer in consistency checker
• 3878a64 vendor: update vendor and license metadata after replacing BeTrue usage in cs...
• Additional commits viewable in compare view

Updates k8s.io/utils from 0.0.0-20250820121507-0af2bda4dd1d to 0.0.0-20260210185600-b8788abfbbc2

Commits

• See full diff in compare view

Updates sigs.k8s.io/controller-runtime from 0.22.3 to 0.23.1

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.23.1

What's Changed

• 🐛 Cache reader: Wait for cache sync when ReaderFailOnMissingInformer is true by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#3433
• 🐛 Fix panic when using CRs with embedded pointer structs by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#3436
• 🌱 Test cache reader waits for cache sync by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#3438
• 🐛 Fakeclient: Fix status apply if existing object has managedFields set by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#3437

Full Changelog: kubernetes-sigs/controller-runtime@v0.23.0...v0.23.1

v0.23.0

🔆 Highlights

• Client: Add subresource Apply support by @​alvaroaleman in kubernetes-sigs/controller-runtime#3321
• Conversion: Enable implementation of conversion outside of API packages by @​sbueringer in kubernetes-sigs/controller-runtime#3335
• Priorityqueue: Various improvements, bug fixes and now enabled per default
• Webhooks: Generic Validator and Defaulter by @​alvaroaleman in kubernetes-sigs/controller-runtime#3360

⚠️ Breaking changes

• Dependencies: Update to k8s.io/* v1.35 by @​alvaroaleman @​dongjiang1989 @​kannon92 (#3316, #3349, #3386, #3391, #3401)
• Client: Add subresource Apply support by @​alvaroaleman in kubernetes-sigs/controller-runtime#3321
• Events: Migration to the new events API by @​clebs in kubernetes-sigs/controller-runtime#3262
  • Using the new GetEventRecorderFor requires updating your rbac for events to use the events.k8s.io apiGroup rather than the `` (core) apiGroup
• Fakeclient: Set ResourceVersion for SSA Create by @​alvaroaleman in kubernetes-sigs/controller-runtime#3311
• Webhooks: Generic Validator and Defaulter by @​alvaroaleman in kubernetes-sigs/controller-runtime#3360
  • Existing code of the form builder.WebhookManagedBy(mgr).For(&corev1.Deployment{}) has to be changed to builder.WebhookManagedBy(mgr, &appsv1.Deployment{})
  • Existing webhook implementations have to be changed to take the concrete object rather than runtime.Object, for example from ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) to ValidateCreate(ctx context.Context, obj *appsv1.Deployment) (admission.Warnings, error)

✨ Features

• Cache: Allow fine-granular SyncPeriod configuration by @​sbueringer in kubernetes-sigs/controller-runtime#3376
• Client: Add FieldOwner option to client.Options by @​aerfio in kubernetes-sigs/controller-runtime#3389
• Client: Add FieldValidation option to client.Options by @​aerfio in kubernetes-sigs/controller-runtime#3393
• Conversion: Enable implementation of conversion outside of API packages by @​sbueringer in kubernetes-sigs/controller-runtime#3335
• Metrics: Add controller_runtime_reconcile_timeouts_total metric to track ReconciliationTimeout timeouts by @​godwinpang in kubernetes-sigs/controller-runtime#3382
• Priorityqueue: Add optional Priority field to reconcile.Result by @​sbueringer in kubernetes-sigs/controller-runtime#3333
• Priorityqueue: Enable per default by @​sbueringer in kubernetes-sigs/controller-runtime#3332
• Priorityqueue: Use a buffer to optimize priority queue AddWithOpts performance by @​zach593 in kubernetes-sigs/controller-runtime#3415
• Source/Kind: Delay reconciliation until handlers sync by @​GonzaloLuminary in kubernetes-sigs/controller-runtime#3406
• Webhooks: Add WithContextFunc to WebhookBuilder by @​dmvolod in kubernetes-sigs/controller-runtime#3324

🐛 Bugfixes

• Client: Allow SSA after normal resource creation by @​filipcirtog in kubernetes-sigs/controller-runtime#3346
• Client: Fix List in namespaced client to list objects that are cluster scoped by @​troy0820 in kubernetes-sigs/controller-runtime#3351 kubernetes-sigs/controller-runtime#3353
• Envtest: Respect pre-configured binary paths in ControlPlane by @​mzhaom in kubernetes-sigs/controller-runtime#3372
• Fakeclient: Fix a number of bugs when updating through apply by @​alvaroaleman in kubernetes-sigs/controller-runtime#3319
• FakeClient: Fix Apply with Unstructured ApplyConfiguration and resourceVersion unset by @​sbueringer in kubernetes-sigs/controller-runtime#3403
• Fakeclient: Fix SSA after List with non-list kind by @​sbueringer in kubernetes-sigs/controller-runtime#3364

... (truncated)

Commits

• f52bbb8 Merge pull request #3437 from k8s-infra-cherrypick-robot/cherry-pick-3430-to-...
• 4f41337 Merge pull request #3438 from k8s-infra-cherrypick-robot/cherry-pick-3434-to-...
• e29a1b9 seedling: Test cache reader waits for cache sync
• 83c8dc3 bug: Fakeclient: Fix status apply if existing object has managedFields set
• bf6bcd5 Merge pull request #3436 from k8s-infra-cherrypick-robot/cherry-pick-3431-to-...
• b6a3a46 bug: Fix panic when using CRs with embedded pointer structs
• 7866fb0 Merge pull request #3433 from k8s-infra-cherrypick-robot/cherry-pick-3425-to-...
• 90b26f7 check to see if informer is synced and started before returning cache
• 129853d Merge pull request #3419 from alvaroaleman/limit-cardinality
• 00b8b07 🐛 Limit depthWithPriorityMetric cardinality to 25
• Additional commits viewable in compare view

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e61fabbe-1417-4305-a0c9-b96b3c2eeb79

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/controller/deploy/operator/go-operator-dependencies-6616201f9b

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ambient-code]

Dependabot PR Review Summary — K8s Version Bump

cc @mangelajo @bzlotnik @kirkbrauer — This PR bumps Kubernetes dependencies, please review.

Overview

This PR bumps 9 Go dependencies in controller/deploy/operator/go.mod, including a Kubernetes minor version bump from 0.34.1 → 0.35.2 (Kubernetes 1.34 → 1.35) and controller-runtime from 0.22.3 → 0.23.1. It also bumps the Go version from 1.24 → 1.25.

Why is this bump requested?

Kubernetes 1.35 is the latest stable release. Key motivations:

• Go 1.25 requirement: K8s 1.35 requires Go 1.25.x (built with Go 1.25.7)
• cert-manager: Bumped from 1.18.6 → 1.20.2 (fixes Helm chart YAML generation bugs, Go vulnerability patches)
• controller-runtime: 0.22.3 → 0.23.1 (aligned with k8s 1.35)

K8s 1.35 Breaking API Changes Worth Noting

• gogo/protobuf runtime usage removed from API Go types (re-enable with build tag kubernetes_protomessage_one_more_release for one more release)
• structured-merge-diff moved from v4 to v6
• StorageVersionMigration and VolumeAttributesClass v1alpha1 APIs removed
• cgroup v1 deprecated by default

CI Failures Analysis

1. build-operator-image — FAILING
Build failures likely due to Go 1.25 / k8s API incompatibilities. The CI environment may need Go 1.25 toolchain.

2. tests — FAILING (go: no such tool "covdata")
Go coverage tool covdata is not available in Go 1.24 but is used with Go 1.25 module. The test runner downloads Go 1.25.9 automatically but encounters tool compatibility issues.

3. deploy-kind / e2e-test-operator — FAILING (downstream of build failures)

⚠️ Cross-Module Issue: Other go.mod files NOT updated

This PR only modifies controller/deploy/operator/go.mod. However, the operator has a replace directive (replace github.com/jumpstarter-dev/jumpstarter-controller => ../../) that creates a dependency on the controller module.

Currently:

• controller/go.mod: k8s 0.33.0, controller-runtime 0.21.0, Go 1.24
• controller/deploy/operator/go.mod (this PR): k8s 0.35.2, controller-runtime 0.23.1, Go 1.25
• e2e/test/go.mod: No k8s deps (only ginkgo/gomega)

The version mismatch between the controller (k8s 0.33.0) and operator (k8s 0.35.2) will cause build failures because the replace directive makes the operator compile the controller code against k8s 0.35.2 via Go's MVS. The controller code at 0.33.0 may not be compatible with 0.35.2 APIs (especially the gogo/protobuf removal and structured-merge-diff v4→v6 change).

Also: PR #609 bumps controller to k8s 0.35.4

There's a parallel PR #609 that bumps controller/go.mod to k8s 0.35.4. These two PRs should be coordinated — ideally merged together or combined into a single PR.

Recommendation

1. Coordinate with PR build(deps): bump the go-dependencies group in /controller with 16 updates #609 — both PRs need to land together for the cross-module dependencies to resolve.
2. Consider whether to bump to k8s 0.35.x now or wait — if there's no pressing CVE, a bugfix version of k8s 0.34.x might be safer (e.g., 0.34.2+ if available). However, if the goal is k8s 1.35 support, both PRs need coordinated merging.
3. CI toolchain needs Go 1.25 — the setup-go action and golangci-lint need to be updated.
4. The gogo/protobuf removal may require code changes in the controller if it registers types into the global gogo type registry.