Backport of [NET-2420] security: Upgrade helm containerd and several other dependencies into release/1.3.x

[hc-github-team-consul-core]

Backport

This PR is auto-generated from #3625 to be assessed for backporting due to the inclusion of the label backport/1.3.x.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

---

This upgrades several dependencies to address open CVEs in the cli module (caused by our consumption of 3rd-party libs for API clients that are bundled w/ unused runtimes, where a non-impacting vulnerability actually exists) and cross-compatibility between upgraded modules.

This will allow us to re-enable release blocks on Go module scan results in CRT, previously disabled in:

• disable go mod scanning #1974
• [CRT] Disable security scans (for now) #1160

Changes proposed in this PR

Upgrade the following (split by commit to aid review):

• helm/v3 3.9.4 -> 3.11.3
  • Later versions have introduced breaking changes. I believe we will eventually want to match our helm version to K8s per this matrix, but the current goal is to address open CVEs, not correct the version alignment.
• k8s.io/ dependencies 1.26.? -> 1.26.10 to match controller-runtime / helm
• containerd 1.3.0 -> 1.7.13 (latest)
• docker/docker 23.0.3+incompatible -> 25.0.2+incompatible (latest)
• oras.land/oras-go 1.2.2 -> 1.2.5 to fix docker incompatibility
• docker/distribution 2.8.1+incompatible -> 2.8.3+incompatible (latest)
• cyphar/filepath-securejoin 0.2.3 -> 0.2.4 (latest 0.x patch)

Automated backports will almost certainly fail, but I've added the labels JIC they're successful and to make it clear this should be backported.

How I've tested this PR

CI and acceptance tests continue to pass.

How I expect reviewers to test this PR

👀 + 💭

Checklist

• Tests added
• CHANGELOG entry added

---

Overview of commits

• 18ab5b1 - 3449458 - 22343e3 - 0ffcb83 - ae2348a - c950489 - 57a10bc - 8e9f1e6

[hashicorp-cla]

All committers have signed the CLA.

[zalimeni]

I've hand-checked this diff for alignment w/ the original change after manually applying each individual bump from that PR. I don't see any red-flag differences in the deps diffs, and they're mostly-similar due to backports apart from a few that were apparently missed on some branches in the past.