Modernize k8s stack to v0.33.11 and refactor for generics

[sameerforge]

What this PR does / why we need it:

This PR performs a comprehensive modernization of the kapp-controller and kctrl dependency stacks. We have aligned the project with the Kubernetes v0.33.11 (LTS) baseline and controller-runtime v0.21.0.

Technical Breakdown

1. Controller Generics Migration
The jump to controller-runtime v0.21.0 required a refactor of the controller’s event bus:
Typed Event Handlers: Updated PackageInstall, ConfigMap, and Secret handlers to satisfy the new dual-type Generic signatures.
Typed Workqueues: Migrated reconciliation loops from untyped interfaces to TypedRateLimitingInterface[reconcile.Request].

2. APIServer Lifecycle Refactor
Modernized the background APIService CA reconciliation logic:
Context Propagation: Replaced legacy channel-based StopCh patterns with context.Context. This aligns the internal APIServer with modern Kubernetes server hooks and ensures graceful shutdowns.

3. CLI (kctrl) Interface Alignment
The kubernetes.Interface in v0.33.11 introduced significant drift. We updated the MinCoreClient mock stubs to implement:
Resource API: Added support for v1alpha3, v1beta1, and v1beta2 (Dynamic Resource Allocation).
Coordination API: Added v1alpha2 interface stubs.

4. Security Hardening
Bumped secondary dependencies to their latest stable releases:
golang.org/x/crypto: Updated to v0.50.0 for optimized cryptographic performance.
spf13/cobra & pflag: Updated to v1.10.2 and v1.0.10 respectively.

Important: Module Replacement

I have added a replace directive in cli/go.mod pointing to ../. This is necessary to allow the CLI module to build atomically against the refactored pkg/ logic in the root. This should be removed following the next official release tag of the root package.

Verification Results

1. Binary Build & Toolchain Validation
Go Version: Verified compatibility with Go 1.25. Confirmed that the build does not trigger the Go 1.26 toolchain upgrade, maintaining alignment with existing Rocky8 build-host constraints.
Controller Build: go build -o kapp-controller ./cmd/controller/ successful. Binary size (~109MB) is consistent with the expanded K8s v0.33 dependency tree.
CLI Build: go build -o kctrl ./cmd/kctrl/ successful. Verified that the replace directive correctly links to the refactored root pkg/ logic.

2. Automated Test Suite (100% Pass)
Executed the full internal test suite with a focus on the packages most affected by the Generics and Context refactors:
pkg/packageinstall: All 30+ tests passed. Verified that PackageInstall reconciliation, version matching, and status updates remain functional under the new TypedRateLimitingInterface.
pkg/app: 17 tests passed. Confirmed that App-level reconciliation and secret/configmap tracking are unaffected by the dependency bump.
pkg/apiserver: 12 tests passed. Specifically validated Test_updateAPIService, confirming the new Context-based CA bundle reconciliation loop functions as expected without leaks or deadlocks.
pkg/template & pkg/fetch: Verified that core Carvel functions (ytt, helm, git fetch) continue to operate correctly with the updated K8s credential providers.

3. Dependency & Integrity Checks
Checksum Verification: Ran go mod verify in both Root and CLI directories; all module hashes match the go.sum entries.
Vendoring: Performed a clean go mod vendor to ensure the vendor/ directory is fully synchronized with the v0.33.11/v0.21.0 stack.
Interface Compliance: Confirmed MinCoreClient in cli/ now fully implements the expanded kubernetes.Interface required by the v0.33.11 client-go library, including new Resource and Coordination API groups.

4. Manual Smoke Testing (CLI)
Executed ./kctrl package --help and ./kctrl package available list to verify that the CLI command-line parsing (via the updated cobra/pflag) and the MinCoreClient stubs do not cause runtime panics during standard UX flows.