chore(build): update golang to 1.25.11 (#15378)

This addresses the following CVEs:
[GO-2026-5039](https://pkg.go.dev/vuln/GO-2026-5039) with alias [CVE-2026-42507](https://www.cve.org/CVERecord?id=CVE-2026-42507)
[GO-2026-5038](https://pkg.go.dev/vuln/GO-2026-5038) with alias [CVE-2026-42504](https://www.cve.org/CVERecord?id=CVE-2026-42504)
[GO-2026-5037](https://pkg.go.dev/vuln/GO-2026-5037) with alias [CVE-2026-27145](https://www.cve.org/CVERecord?id=CVE-2026-27145)

Signed-off-by: Allison Richardet <allison@buoyant.io>

Edge release for 2026-06-05.

fix(policy-k8s): use correct resource labels in outbound indexer logs (…

…#15314)

* fix(policy-k8s): use egress_network label in EgressNetwork indexer logs

The EgressNetwork indexer warning messages used service=name as the
structured log field, which is misleading when the resource being
indexed is an EgressNetwork. Change to egress_network=name in the four
warning lines (accrual config, timeouts, http retry, grpc retry) so
operators see the correct resource type when investigating parse
errors.

Signed-off-by: Alejandro Martinez Ruiz <amr@buoyant.io>

* fix(policy-k8s): use labeled fields in outbound indexer debug logs

The Service and EgressNetwork indexer debug!() calls used bare name
and ns fields, while their sibling warn!() calls used explicit
service=name and egress_network=name labels. Use labeled fields in
the debug lines as well so structured log output is consistent within
each indexer implementation.

Signed-off-by: Alejandro Martinez Ruiz <amr@buoyant.io>

---------

Signed-off-by: Alejandro Martinez Ruiz <amr@buoyant.io>

proxy: v2.353.0 (#15296)

Release notes: https://github.com/linkerd/linkerd2-proxy/releases/tag/release/v2.353.0

Signed-off-by: l5d-bot <l5d-bot@users.noreply.github.com>
Co-authored-by: l5d-bot <l5d-bot@users.noreply.github.com>

feat(charts): make honorTimestamps configurable for PodMonitors (#15080)

**Why is this PR necessary?**
In clusters with frequent pod restarts, Prometheus may drop scrapes
due to duplicate timestamps reported by the exporter. Allowing
honorTimestamps to be disabled lets Prometheus use scrape time
instead, preventing those drops.

**What does it do?**
Adds an optional honorTimestamps field to the controller, proxy and
serviceMirror PodMonitors in the linkerd-control-plane chart. The
field is rendered only when set, preserving backward compatibility.

**References:**
N/A

**Notes:**
N/A

Signed-off-by: bezarsnba <bezarsnba@gmail.com>

chore: update MSKV to 1.31 (#15221)

Increase the minimum supported kubernetes version from 1.23 to 1.31

Signed-off-by: Alex Leong <alex@buoyant.io>

proxy: v2.350.0 (#15198)

Release notes: https://github.com/linkerd/linkerd2-proxy/releases/tag/release/v2.350.0

Signed-off-by: l5d-bot <l5d-bot@users.noreply.github.com>
Co-authored-by: l5d-bot <l5d-bot@users.noreply.github.com>

proxy: v2.349.0 (#15173)

Release notes: https://github.com/linkerd/linkerd2-proxy/releases/tag/release/v2.349.0

Signed-off-by: l5d-bot <l5d-bot@users.noreply.github.com>
Co-authored-by: l5d-bot <l5d-bot@users.noreply.github.com>

tests: introduce `kubectlRun` to avoid conflating stdin and stdout in…

… tests (#15151)

* tests: introduce `kubectlRun` to avoid conflating stdin and stdout in tests

Introduce a new test helper `TestHelper.KubectlRun` (and mark `TestHelper.Kubectl` as deprecated), that keeps stdout and stderr separate when invoking `kubectl`. This avoids failures on Kubernetes 1.35+, where deprecation warnings for Endpoints are emitted alongside command output and can break deserialization in `TestDestinationAPIStreamTracksRolloutEndpoints`.