build(deps): bump github.com/open-policy-agent/gatekeeper/v3 from 3.19.2 to 3.21.0

[dependabot]

Bumps github.com/open-policy-agent/gatekeeper/v3 from 3.19.2 to 3.21.0.

Release notes

Sourced from github.com/open-policy-agent/gatekeeper/v3's releases.

v3.21.0

🚀 Notable Changes

• 🛠️ New flag: sync-vap-enforcement has been introduced to unify the ValidatingAdmissionPolicy(VAP) enforcement surface with the ConstraintTemplate enforcement surface. This syncs VAP resource scope with Gatekeeper's ValidatingWebhookConfigurations, Config resource exclusions, and exempt-namespace–based exemptions. This improves enforcement consistency across all policy mechanisms.
• 🧩 Granular Operation-Level Controls for ConstraintTemplates: ConstraintTemplates now support defining operations on which a template should be enforced (e.g., CREATE, UPDATE, DELETE).
• 📈 Enhanced Metrics & Status for External Data (Provider API): Added new metrics and status reporting for the External Data / Provider API feature, improving observability and overall user experience when integrating external data sources into policy evaluation.

Features

• Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
• gator verify - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
• Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
• External data status metrics (#4115) #4115 (Jaydip Gabani)
• Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
• support DELETE operation type when generate VAP (#4030) #4030 (DahuK)

Bug Fixes

• spelling errors in deprecated documentation (#4138) #4138 (Copilot)
• updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
• Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
• Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
• load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)

Documentation

• update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
• add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
• adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)

Continuous Integration

• adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)

Chores

• Prepare v3.21.0 release (#4247) #4247 (github-actions[bot])
• bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
• bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
• updating k8s version and dep verions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
• bump golang from ef8c5c7 to 2679c15 in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
• bump frameworks (#4104) #4104 (Noah Reisch)
• updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
• bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
• bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
• bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
• bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
• bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
• bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 (#4096) #4096 (dependabot[bot])

... (truncated)

Commits

• a50c1a2 chore: Prepare v3.21.0 release (#4247)
• dedfccc chore: Prepare v3.21.0-rc.1 release (#4226)
• 53cae28 fix: bumping frameworks (#4221) (#4224)
• db9de90 chore: Prepare v3.21.0-rc.0 release (#4214)
• 6f5c549 chore: bumping cert-controller (#4213)
• edb1fa4 docs: adding post release checklist for cutting dep releases (#4212)
• 912d5fb chore: bumping frameworks (#4208)
• 16c3467 chore: bump the all group with 2 updates (#4209)
• 97165ed chore: bump golang from 61226c6 to 7534a62 in /build/tooling (#4210)
• a941cea chore: bump golang from c8c8d55 to 61226c6 in /test/export/fake-reader (#...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)