fix(deps): update module github.com/projectcapsule/capsule to v0.13.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/projectcapsule/capsule	v0.12.4 → v0.13.0

---

Release Notes

projectcapsule/capsule (github.com/projectcapsule/capsule)

v0.13.0

Compare Source

Changelog

✨ Breaking Changes

• 0515880: feat: use cert-manager certificates by default. By default, Capsule now uses self-signed cert-manager certificates for its admission webhooks. This used to be an optional setting and has now become the default. If you don’t have cert-manager installed, you must explicitly re-enable the Capsule TLS controller as documented here. (#​1818) (@​oliverbaehler)

Security 🔒

• Advisory GHSA-qjjm-7j9w-pw72 - High - Users can create cluster scoped resources anywhere in the cluster if they are allowed to create TenantResources. To immediately mitigate this, make sure to use Impersonation for TenantResources.
• Advisory GHSA-2ww6-hf35-mfjm - Moderate - Users may hijack namespaces via namespaces/status privileges. These privileges must have been explicitly granted by Platform Administrators through RBAC rules to be affected. Requests for the namespaces/status subresource are now sent to the Capsule admission webhook as well.

✨ New Features

• cc4fb45: feat: add new Quota System with GlobalCustomQuotas and CustomQuotas(#​1841) (@​oliverbaehler)
• cc4fb45: feat: refactor of GlobalTenantResources and TenantResources (#​1841) (@​oliverbaehler)
• cc4fb45: feat: added new label projectcapsule.dev/tenant which is added for all namespaced resources belonging to a Tenant (#​1841) (@​oliverbaehler)
• cc4fb45: feat: Resources labeled with projectcapsule.dev/managed-by=controller can only be created, updated or deleted by the Capsule controller and administrators, and are rejected for all other operations. This prevents deletion of managed resources by users, which are not identified as capsule users (current behavior) (#​1841) (@​oliverbaehler)
• cc4fb45: feat: migrated event emissions to events.k8s.io/v1 from legacy core/v1 (#​1841) (@​oliverbaehler)
• cc4fb45: feat: tenant scoped additional metadata is validated via admission (#​1841) (@​oliverbaehler)
• cc4fb45: feat: adding .spec.data for Tenant to allow providing custom data for templating purposes (#​1841) (@​oliverbaehler)
• cc4fb45: feat: Added configuration options for managed RBAC (#​1841) (@​oliverbaehler)
• cc4fb45: feat: Added configuration options for Impersonation (#​1841) (@​oliverbaehler)
• cc4fb45: feat: Added configuration options for Cache invalidation (#​1841) (@​oliverbaehler)
• cc4fb45: feat: Added configuration options for Dynamic Admission Webhooks (#​1841) (@​oliverbaehler)
• 730151c: feat: add dynamic capsule user evaluation (#​1811) (@​oliverbaehler)
• 0744924: feat: add e2e openshift support (#​1894) (@​Svarrogh1337)
• a6b830b: feat: add ruleset api(#​1844) (@​oliverbaehler)
• 0abc77b: feat: diverse performance improvements (#​1861) (@​oliverbaehler)
• cc4fb45: feat: upstream enterprise preview (#​1841) (@​oliverbaehler)

🐛 Bug fixes

• cc4fb45: fix: Improved matchConditions for admission webhooks that intercept all namespaced items, to avoid processing subresource requests and Events, improving performance and reducing log noise. (#​1841) (@​oliverbaehler)
• cc4fb45: fix: PersistentVolumeClaims support now providing .spec.selector. When .spec.selector is provided we always aggregate a custom matchExpressions for the PersistentVolumeClaims to ensure that only the PersistentVolumeClaims created in the Tenant can mount PersistentVolumes provisioned from/for the same Tenant (#​1841) (@​oliverbaehler)
• cc4fb45: fix: Regex-Selectors were not considered on classes driven Tenant status reconciles (#​1841) (@​oliverbaehler)
• cc4fb45: fix: A single Unready namespace could cause the entire Tenant reconcilation to be incomplete. Now unready or terminating namespaces are ignored for further processing ensuring that ready/new namespaces get their required contents (#​1841) (@​oliverbaehler)
• cc4fb45: fix: When a Tenant is cordoned, namespaces can no longer be deleted. (#​1841) (@​oliverbaehler)
• cc4fb45: fix: TLS controller correctly patches all the webhooks with the same CA Bundle, to avoid issues with multiple webhooks and ensure that all webhooks are correctly secured, if enabled (#​1841) (@​oliverbaehler)
• 61429d1: fix(docs): update home in chart.yaml (#​1864) (@​sandert-k8s)
• 58b25e3: fix(webhook): adapt to controller-runtime breaking change in newwebhookmanagedby (#​1898) (@​Svarrogh1337)
• c6e109c: fix: release workflows (#​1919) (@​oliverbaehler)

🛠 Dependency updates

• 9c02af5: fix(deps): update k8s.io/utils digest to 383b50a (#​1804) (@​renovate[bot])
• aaa3ec4: fix(deps): update k8s.io/utils digest to 718f0e5 (#​1806) (@​renovate[bot])
• e8bb238: fix(deps): update k8s.io/utils digest to 914a6e7 (#​1822) (@​renovate[bot])
• 53a4f5d: fix(deps): update k8s.io/utils digest to 98d557b (#​1803) (@​renovate[bot])
• 7efaa9e: fix(deps): update kubernetes packages to v0.35.0 (#​1797) (@​renovate[bot])
• 7e2dc68: fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.3 (#​1776) (@​renovate[bot])
• 45e3a5d: fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.4 (#​1825) (@​renovate[bot])
• 768b334: fix(deps): update module github.com/onsi/gomega to v1.38.3 (#​1777) (@​renovate[bot])
• 1f91adc: fix(deps): update module github.com/onsi/gomega to v1.39.0 (#​1826) (@​renovate[bot])
• b8d3852: fix(deps): update module k8s.io/dynamic-resource-allocation to v0.35.0 (#​1798) (@​renovate[bot])
• abc03ad: fix(deps): update module sigs.k8s.io/cluster-api to v1.12.1 (#​1784) (@​renovate[bot])

🚀 Build process updates

• 77e7532: ci: pin slsa provenance workflow (#​1903) (@​AkashKumar7902)

Full Changelog: projectcapsule/capsule@v0.12.4...v0.13.0

Check out what's new in this release

Docker Images

• ghcr.io/projectcapsule/capsule:0.13.0
• ghcr.io/projectcapsule/capsule:latest

Helm Chart
View this release on Artifact Hub or use the OCI helm chart:

• ghcr.io/projectcapsule/charts/capsule:0.13.0

Review the Major Changes section first before upgrading to a new version

[!IMPORTANT]
Kubernetes compatibility

Note that the Capsule project offers support only for the latest minor version of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors.

Kubernetes version	Minimum required
v1.35	>= 1.35.0

Thanks to all the contributors! 🚀 🦄

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: module github.com/projectcapsule/capsule@v0.13.0 requires go >= 1.26.3; switching to go1.26.3
go: downloading go1.26.3 (linux/amd64)
go: downloading github.com/projectcapsule/capsule v0.13.0
go: downloading k8s.io/apiextensions-apiserver v0.35.5
go: downloading k8s.io/apimachinery v0.35.5
go: downloading k8s.io/client-go v0.35.5
go: downloading k8s.io/component-base v0.35.5
go: downloading sigs.k8s.io/controller-runtime v0.23.0
go: downloading github.com/onsi/ginkgo/v2 v2.27.5
go: downloading github.com/onsi/gomega v1.39.0
go: downloading k8s.io/api v0.35.5
go: downloading k8s.io/apiserver v0.35.5
go: downloading google.golang.org/protobuf v1.36.11
go: downloading golang.org/x/oauth2 v0.36.0
go: downloading filippo.io/age v1.3.1
go: downloading github.com/BurntSushi/toml v1.6.0
go: downloading github.com/go-sprout/sprout v1.0.3
go: downloading go.opentelemetry.io/otel/trace v1.43.0
go: downloading go.opentelemetry.io/otel v1.43.0
go: downloading filippo.io/hpke v0.4.0
go: downloading golang.org/x/crypto v0.51.0
go: downloading github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6
go: downloading github.com/spf13/cast v1.10.0
go: downloading dario.cat/mergo v1.0.2
go: downloading github.com/mitchellh/copystructure v1.2.0
go: downloading github.com/mitchellh/reflectwalk v1.0.2
go: github.com/projectcapsule/capsule-proxy imports
	github.com/projectcapsule/capsule/pkg/indexer: cannot find module providing package github.com/projectcapsule/capsule/pkg/indexer
go: github.com/projectcapsule/capsule-proxy imports
	github.com/projectcapsule/capsule/pkg/indexer/tenant: cannot find module providing package github.com/projectcapsule/capsule/pkg/indexer/tenant

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (a94dce3) to head (610a3f4).

Additional details and impacted files

@@          Coverage Diff          @@
##            main   #1036   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files          1       1           
  Lines        316     316           
=====================================
  Misses       316     316           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.