
updating to latest dot release of controller runtime and k8s 1.26 #6619

Merged
merged 1 commit into from
Nov 13, 2023

Conversation

acornett21
Contributor

Description of the change:
Updating controller runtime and k8s dependency versions to latest dot release for k8s 1.26 to address go http cve.

Motivation for the change:
To release CVEs in the repo.

Checklist

If the pull request includes user-facing changes, extra documentation is required:

Signed-off-by: Adam D. Cornett <adc@redhat.com>
@acornett21 acornett21 temporarily deployed to deploy October 30, 2023 18:57 — with GitHub Actions Inactive
@acornett21
Contributor Author

@varshaprasad96 @everettraven I think these are all the changes to address the CVE issue. After this is merged would a release be possible?

Member

@varshaprasad96 varshaprasad96 left a comment


/lgtm

Seems good for a patch release, with the caution that scaffolding has not changed. Releasing patched binaries would still be a helpful step for operator authors. (I assume the ansible-operator image and java need to also be updated)

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 30, 2023
@acornett21
Contributor Author

Releasing patched binaries would still be a helpful step for operator authors. (I assume ansible-operator image and java needs to also be updated)

I think it's more about the runtime images (scorecard, helm, etc) not having any CVEs. I did a spot check and all the Dockerfiles in this repo are go 1.21; I'm not sure how the ansible or java repos are managed or handle CVEs.
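The spot check described in this comment (every Dockerfile on Go 1.21, and the `go.mod` dependencies at or above the fixed dot releases) can be made repeatable. The following is an added example, not code from operator-sdk or from anyone in this thread: it parses a `go.mod` and a Dockerfile and reports every module or Go toolchain version below a minimum the maintainer supplies. The sample `go.mod`, Dockerfile and minimum versions are constructed for illustration and are not the repository's actual contents or the actual fixed versions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample inputs; not the real files from the repository.
const sampleGoMod = `module example.com/operator

go 1.21

require (
	k8s.io/client-go v0.26.10
	sigs.k8s.io/controller-runtime v0.14.7
	golang.org/x/net v0.17.0 // indirect
)
`

const sampleDockerfile = `FROM golang:1.21 AS builder
WORKDIR /workspace
COPY . .
RUN go build -o manager main.go

FROM gcr.io/distroless/static:nonroot
COPY --from=builder /workspace/manager .
`

// parseVersion turns "v0.26.10", "0.26.10" or "1.21" into numeric parts.
// Suffixes such as "-alpine" or "-rc1" are dropped, so a pre-release compares
// equal to its final release; tighten this if that matters for your check.
func parseVersion(s string) []int {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	var parts []int
	for _, p := range strings.Split(s, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil // unparsable versions are treated as failing the check
		}
		parts = append(parts, n)
	}
	return parts
}

// VersionAtLeast reports whether have >= want, comparing parts left to right
// and treating missing trailing parts as zero ("1.21" == "1.21.0").
func VersionAtLeast(have, want string) bool {
	h, w := parseVersion(have), parseVersion(want)
	if h == nil || w == nil {
		return false
	}
	for i := 0; i < len(h) || i < len(w); i++ {
		var hv, wv int
		if i < len(h) {
			hv = h[i]
		}
		if i < len(w) {
			wv = w[i]
		}
		if hv != wv {
			return hv > wv
		}
	}
	return true
}

// ModuleVersions maps module path -> version from require lines of a go.mod,
// handling both single-line requires and require ( ... ) blocks.
func ModuleVersions(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock, strings.HasPrefix(line, "require "):
			f := strings.Fields(strings.TrimPrefix(line, "require "))
			if len(f) >= 2 && !strings.HasPrefix(f[0], "//") {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

var goDirective = regexp.MustCompile(`(?m)^go\s+(\d+(?:\.\d+)*)`)
var golangFrom = regexp.MustCompile(`(?m)^FROM\s+(?:\S+/)?golang:(\d+(?:\.\d+)*)`)

// GoImageVersions returns the toolchain versions named in FROM golang:<ver> lines.
func GoImageVersions(dockerfile string) []string {
	var vs []string
	for _, m := range golangFrom.FindAllStringSubmatch(dockerfile, -1) {
		vs = append(vs, m[1])
	}
	return vs
}

// CheckMinimums returns one finding per module, go directive, or builder image
// that is below the required minimum; an empty result means the spot check passed.
func CheckMinimums(goMod, dockerfile string, minModules map[string]string, minGo string) []string {
	var findings []string
	mods := ModuleVersions(goMod)
	for path, want := range minModules {
		have, ok := mods[path]
		if !ok {
			findings = append(findings, fmt.Sprintf("%s: not required in go.mod", path))
		} else if !VersionAtLeast(have, want) {
			findings = append(findings, fmt.Sprintf("%s: have %s, need >= %s", path, have, want))
		}
	}
	if m := goDirective.FindStringSubmatch(goMod); m == nil || !VersionAtLeast(m[1], minGo) {
		findings = append(findings, fmt.Sprintf("go.mod go directive below %s", minGo))
	}
	for _, v := range GoImageVersions(dockerfile) {
		if !VersionAtLeast(v, minGo) {
			findings = append(findings, fmt.Sprintf("Dockerfile builds with golang:%s, need >= %s", v, minGo))
		}
	}
	return findings
}

func main() {
	// Hypothetical minimums; substitute the fixed releases for your own bump.
	minimums := map[string]string{
		"sigs.k8s.io/controller-runtime": "v0.14.7",
		"golang.org/x/net":               "v0.17.0",
	}
	for _, f := range CheckMinimums(sampleGoMod, sampleDockerfile, minimums, "1.21") {
		fmt.Println("FAIL:", f)
	}
}
```

In practice you would read the real `go.mod` and walk every Dockerfile in the repository instead of the embedded strings; the point is that the versions a patch release relies on are checked mechanically rather than by eye.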

@varshaprasad96
Member

@acornett21 Helm (and other) binaries should be good if we have all the Dockerfiles updated here. Ansible image is now being built from ansible-plugins-repo (afaik), we would just need to check if it is also updated. After which we should be good to cut a release.
But this PR is good to go 👍

@joelanford
Member

I think it's more about the runtime images (scorecard, helm, etc) not having any CVE's

There's also the scaffolding for Go operators, which we should fix. Kubebuilder's most recent release has all the scaffolding fixes in its Go plugin: https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v3.13.0

@acornett21
Contributor Author

acornett21 commented Nov 8, 2023

There's also the scaffolding for Go operators

@joelanford CVEs in the scaffolding process? Or are you saying in addition to fixing CVEs we should also fix the scaffolding issues?

@varshaprasad96
Member

varshaprasad96 commented Nov 8, 2023

@joelanford Operator SDK still uses 3.9.0 version of Kubebuilder. Scaffolding fixes IMO can be handled when we bump k8s to 1.27 in master and bring down the latest version of Kubebuilder. Though I doubt we would want to back port them to SDK 1.32.

That being said, if we really want scaffolding fixes backported, we need a separate discussion on KB's end (at least for go and its dependent plugins). KB has had 4 releases since then and has also changed plugin scaffolding and versions. I doubt making patch releases for all those versions behind would be helpful from upstream's perspective, but we can have a discussion with an issue opened if needed.

Having at least the binaries fixed for now with this PR and doing a patch release would be helpful as the first step, till we are able to bump everything in master.

@varshaprasad96
Member

Going ahead and merging this, we can look into the scaffolding as the next step.

@varshaprasad96 varshaprasad96 merged commit a9551ea into operator-framework:master Nov 13, 2023
23 checks passed
Labels
lgtm Indicates that a PR is ready to be merged.
Development

Successfully merging this pull request may close these issues.

Rebuild of operator sdk to incorporate http2 fixes
3 participants