
feat(gatewayapi): bump bundled Envoy Gateway helm chart to v1.8.0 [release-v1.42]#4833

Merged
electricjesus merged 5 commits into
tigera:release-v1.42from
electricjesus:seth/eg-1.8.0-on-v1.42
May 22, 2026

Conversation

@electricjesus
Member

@electricjesus electricjesus commented May 20, 2026

Companion to #4832 on master. Lands on release-v1.42 ahead of v3.23 GA so that v1.8 behavior changes (samplingFraction, OIDC consolidation, DirectResponse interpolation) are inside the e2e coverage envelope for v3.23.

Description

Bumps Envoy Gateway from v1.7.2 to v1.8.0 on release-v1.42, including ListenerSet support requested by community users.

Type: enhancement.

Why

EG v1.8.0 (released 2026-05-13) adds first-class ListenerSet support, which is what cert-manager and external-dns integrate against on Gateway-API installs. Without this, teams using those tools cannot migrate off ingress-nginx onto our Gateway-API offering.

Community ask: #4534 (comment) (sebhoss, referencing envoyproxy/gateway#8409).

Scope

  • Makefile: ENVOY_GATEWAY_VERSION v1.7.2 → v1.8.0.
  • go.mod: github.com/envoyproxy/gateway v1.7.2 → v1.8.0. Cascades sigs.k8s.io/gateway-api v1.4.1 → v1.5.1 (CRDs bumped upstream). No k8s.io/* or controller-runtime jumps (v1.8 is compatible with the same k8s line release-v1.42 already runs).
  • pkg/render/gatewayapi/gateway_api_resources.yaml: regenerated from oci://docker.io/envoyproxy/gateway-helm at v1.8.0.
  • pkg/render/gatewayapi/gateway_api.go: loader extended to handle two new resource kinds shipped in the v1.8 chart: ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. These back the upstream gateway-api "safe-upgrades" admission policy — they're passed through to Objects() unchanged, no special handling.
  • pkg/render/gatewayapi/gateway_api_test.go: expected resource lists updated to include the two new admission policies; core-object count bumped from 20 to 22.

Behavior changes inherited from upstream v1.8.0

Per v1.8.0 release notes:

  • DirectResponse HTTPFilter body now supports Envoy command operators — existing CRs with literal % characters will be interpreted as template directives.
  • SecurityPolicy 0s timeout now means infinite rather than immediate termination — semantic flip.
  • samplingFraction translation corrected — existing CRs sample 100× their previous rate; users must divide by 100 to preserve prior behavior.
  • Default controller logging encoder is now production JSON — log-shipping pipelines that parse the older text format will need updating.
  • OIDC SecurityPolicy now generates a single native envoy.filters.http.oauth2 HTTP filter in the HCM filter chain — breaks EnvoyPatchPolicy configs that matched per-route oauth2 instances.
  • IR/xDS resource naming for merged SecurityPolicy resources changed — affected EnvoyPatchPolicy refs need updating.
  • Gateway API CRDs bumped to v1.5.1; safe-upgrades admission policy now ships to prevent unsafe in-place CRD migrations.

These ride through to whichever release branch picks up this commit — they are not appropriate for backport to a stable release branch as-is. Recommend landing on release-v1.42 only for now; let a future CE minor (post-v3.23) include them through normal release cadence.

Companion repos

A v1.8 EG controller binary expects upstream Envoy proxy distroless-v1.38.0. release-v1.42 currently builds tigera/envoy-proxy from tigera/envoybinary at v1.37.2. To fully align release-v1.42, follow-up PRs needed:

  • tigera/envoybinary main: ENVOY_VERSION v1.37.2 → v1.38.x.
  • tigera/calico-private release-v1.42 third_party/envoy-proxy/Dockerfile: bump the envoybinary digest pin to the new v1.38.x image build.

This operator PR is functional on its own — xDS is generally forward/backward compatible — but the proxy-side bumps are needed before any release that ships this commit goes to customers, otherwise EG v1.8 features that emit v1.38-specific xDS config will silently degrade on v1.37 envoy pods.

Testing

  • go vet ./pkg/render/gatewayapi/... ./pkg/controller/gatewayapi/...
  • go build ./pkg/render/gatewayapi/... ./pkg/controller/gatewayapi/...
  • go test ./pkg/render/gatewayapi/... — 20/20 pass
  • go test ./pkg/controller/gatewayapi/... — pass
  • grep ListenerSet pkg/render/gatewayapi/gateway_api_resources.yaml — present (65 hits)
  • make ut full suite — pending reviewer environment
  • FV against a real cluster with ListenerSet, lateResponseHeaders-equivalent (envoy-proxy v1.38 data plane), and safe-upgrades admission policy — see Cluster verification block below.
Cluster verification — EG v1.8 stack end-to-end on a real Calient v3.23 cluster

Stack assembled on a fresh ez Calient v3.23 cluster seth-eg18-v323 (GCP kubeadm, 4 nodes) on 2026-05-22 to exercise this PR end-to-end. Companion calico-private PR with the data-plane / RBAC bumps is tigera/calico-private#12073.

| Component | Source | Tag on cluster |
|---|---|---|
| tigera-operator | this PR @ 2a5331f08 | gcr.io/tigera-dev/seth/tigera-operator:seth-eg18-v323 |
| envoy-gateway controller | tigera/calico-private#12073 @ ceeb20ea61 (third_party/envoy-gateway v1.7.3 → v1.8.0) | gcr.io/tigera-dev/seth/envoy-gateway:seth-eg18-v323 |
| envoy-proxy data plane | tigera/calico-private#12073 (envoybinary v1.37.2 → v1.38.0-ef1b67e315) | gcr.io/tigera-dev/seth/envoy-proxy:seth-eg18-v323 |
| envoy-ratelimit | tigera/calico-private#12073 (ratelimit c8765e892eff287602) | gcr.io/tigera-dev/seth/envoy-ratelimit:seth-eg18-v323 |
| tigera-operator ClusterRole | tigera/calico-private#12073's manifests/tigera-operator.yaml | applied via kubectl apply -f |

Reported by the envoy-gateway controller running inside the cluster:

```text
ENVOY_GATEWAY_VERSION: v1.8.0
ENVOY_PROXY_VERSION:   distroless-v1.38.0
GATEWAYAPI_VERSION:    v1.5.1
GIT_COMMIT_ID:         ceeb20ea613c03ea727e0edee3901e5493b918cf
GOLANG_VERSION:        go1.26.3
```

GATEWAYAPI_VERSION: v1.5.1 matches the sigs.k8s.io/gateway-api cascade in this PR's go.mod.

Operator self-RBAC (companion PR adds validatingadmissionpolicies + listenersets rules)

Pre-RBAC-patch state on the cluster reproduced the expected failure from this PR's regenerated gateway_api_resources.yaml trying to reconcile the v1.8 chart's safe-upgrades VAP:

```text
validatingadmissionpolicies.admissionregistration.k8s.io is forbidden:
  User "system:serviceaccount:tigera-operator:tigera-operator" cannot list resource
  "validatingadmissionpolicies" in API group "admissionregistration.k8s.io" at the cluster scope
```

After applying the companion PR's ClusterRole:

  • listenersets.gateway.networking.k8s.io CRD created by the operator (new GA name in this PR's v1.8 chart).
  • xlistenersets.gateway.networking.x-k8s.io absent (pruned cleanly — no orphan from the v1.7 chart).
  • safe-upgrades.gateway.networking.k8s.io ValidatingAdmissionPolicy + Binding reconciled (proves the new VAP+Binding pair from this PR's regenerated yaml + the new gateway-api loader-case for ValidatingAdmissionPolicy/ValidatingAdmissionPolicyBinding flow through Objects() and apply cleanly).
  • gatewayapi TigeraStatus: Available=True, Progressing=False, Degraded=False, message="All objects available".

Functional tests — Envoy Gateway v1.8 surface

1. Baseline Gateway routing — Gateway + HTTPRoute + httpbin in eg18-test. Curl Host: example.com GET /get → 200 with the expected go-httpbin echo. Programmed by EG controller v1.8.0 with envoy data plane v1.38.0.

2. ListenerSet attach + traffic (new in v1.8 — listenersets.gateway.networking.k8s.io GA) — A ListenerSet references the Gateway as parent and adds two extra listeners on ports 8081, 8082. An HTTPRoute parents-refs the ListenerSet at sectionName: http-8081 with hostname lset.example.com.

```console
$ kubectl -n eg18-test get listenerset eg18-extra-listeners \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status} ({.reason}){"\n"}{end}'
Accepted=True (Accepted)
Programmed=True (Programmed)
$ kubectl run curltest --image=curlimages/curl ... -- \
    curl -sS -H 'Host: lset.example.com' \
      http://envoy-eg18-test-eg18-gw-...tigera-gateway.svc:8081/get
HTTP 200
{ "url": "http://lset.example.com/get", ... }
```

Envoy admin (/config_dump + /listeners) confirms the ListenerSet listeners are bound on 0.0.0.0:{8081,8082} with RDS pointing to the correct per-listener route configs.

3. safe-upgrades VAP enforcement (new in v1.8 — admission-time blocking) — Attempt to downgrade the httproutes.gateway.networking.k8s.io CRD's bundle-version annotation from v1.5.1 to v1.4.0:

```console
$ kubectl annotate crd httproutes.gateway.networking.k8s.io \
    gateway.networking.k8s.io/bundle-version=v1.4.0 --overwrite
The customresourcedefinitions "httproutes.gateway.networking.k8s.io" is invalid:
  : ValidatingAdmissionPolicy 'safe-upgrades.gateway.networking.k8s.io' with binding
  'safe-upgrades.gateway.networking.k8s.io' denied request: Installing CRDs with
  version before v1.5.0 is prohibited by default. ...
```

VAP fires with the expected denial message, confirming the new VAP + Binding from this PR's regenerated v1.8 chart yaml are wired through the operator's apply pipeline.

c-ares DNS resolver health (envoy-proxy bake regression check)

Past incident on this image bake: clobbered /etc/nsswitch.conf caused c-ares to reinitialize repeatedly. Verified on the new v1.38 build paired with this PR's chart:

| Stat | Value | Verdict |
|---|---|---|
| dns.cares.reinits | 0 | clean — resolv.conf sane from boot |
| dns.cares.get_addr_failure | 0 | no syscall-level DNS failures |
| dns.cares.timeouts | 0 | no DNS timeouts |
| dns.cares.pending_resolutions | 0 | no stuck queries |
| dns.cares.resolve_total | 210 | resolver actually working |
| dns.cares.not_found | 105 | normal NODATA rate (IPv4-only cluster, AAAA queries) |

Image audit (docker export on the built envoy-proxy image) confirmed /etc/nsswitch.conf has hosts: files dns, /etc/host.conf has multi on, and the FROM scratch AS source overlay does not clobber CALICO_BASE's /etc/ contents.

Components affected

  • pkg/render/gatewayapi only on operator-side. Companion bumps tracked separately for tigera/envoybinary + tigera/calico-private.

Related PRs

Release Note

Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class `ListenerSet` support (enables cert-manager and external-dns integration with Gateway-API), the `safe-upgrades` ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup. Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy `0s` timeout semantics, samplingFraction 100x correction, OIDC filter consolidation) — see https://gateway.envoyproxy.io/news/releases/notes/v1.8.0/.

For PR author

  • Tests for change — pkg/render/gatewayapi/gateway_api_test.go updated for new admission policy resources.
  • If changing pkg/apis/, run make gen-files — N/A
  • If changing versions, run make gen-versions — N/A (EG chart version, not a CE component version)

For PR reviewers

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/enhancement
    • enterprise (Calico Enterprise gateway-api install affected)
    • release-note-required
    • docs-pr-required (ListenerSet integration with cert-manager / external-dns warrants a docs update)

cc @nelljerram @pasanw @sebhoss
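A pre-upgrade audit for the inherited v1.8.0 behavior changes listed in the description, added here as an example and not code from the PR or the operator: it walks each Envoy Gateway CR and flags the fields v1.8 reinterprets (DirectResponse bodies with a literal `%`, SecurityPolicy `0s` timeouts, samplingFraction, EnvoyPatchPolicy refs to per-route oauth2 filters). The field paths in the constructed sample documents are assumptions about the CR schemas, which is why the checks match on key names anywhere under `spec` rather than on exact paths.

```python
# Constructed sample documents (not from the PR), shaped as a YAML/JSON loader
# would hand them over; one document per check. Field paths are assumptions.
SAMPLE_DOCS = [
    {"kind": "HTTPRouteFilter", "metadata": {"name": "maintenance-page"},
     "spec": {"directResponse": {"statusCode": 503,
                                 "body": {"type": "Inline", "inline": "At 100% capacity"}}}},
    {"kind": "SecurityPolicy", "metadata": {"name": "ext-authz"},
     "spec": {"extAuth": {"http": {"backendSettings": {"timeout": "0s"}}}}},
    {"kind": "EnvoyProxy", "metadata": {"name": "tracing"},
     "spec": {"telemetry": {"tracing": {"samplingFraction": {"numerator": 1, "denominator": 100}}}}},
    {"kind": "EnvoyPatchPolicy", "metadata": {"name": "oauth-tweak"},
     "spec": {"jsonPatches": [{"operation": {"op": "remove",
                                             "path": "/http_filters/envoy.filters.http.oauth2_r1"}}]}},
]


def _scalars(node, path=()):
    """Yield (path, value) for every scalar under a nested dict/list structure."""
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else None
    if items is None:
        yield path, node
        return
    for key, value in items:
        yield from _scalars(value, path + (str(key),))


def audit_document(doc):
    """Return sorted (kind, name, spec-path, note) tuples for v1.8 changes this CR is exposed to."""
    kind, name = doc.get("kind", ""), doc.get("metadata", {}).get("name", "?")
    found = set()
    for path, value in _scalars(doc.get("spec", {})):
        text = value if isinstance(value, str) else ""
        if kind == "HTTPRouteFilter" and "directResponse" in path and "%" in text:
            found.add((kind, name, ".".join(path), "literal % is now parsed as an Envoy command operator"))
        elif kind == "SecurityPolicy" and path and path[-1].lower().endswith("timeout") and text == "0s":
            found.add((kind, name, ".".join(path), "0s now means infinite, not immediate termination"))
        elif "samplingFraction" in path:
            prefix = path[: path.index("samplingFraction") + 1]  # report once, not per sub-field
            found.add((kind, name, ".".join(prefix), "v1.8 samples 100x the old rate; divide by 100"))
        elif kind == "EnvoyPatchPolicy" and "envoy.filters.http.oauth2" in text:
            found.add((kind, name, ".".join(path), "per-route oauth2 filters are now one native filter"))
    return sorted(found)


def audit_documents(docs):
    """Audit a list of decoded manifests (e.g. from yaml.safe_load_all) in order."""
    return [finding for doc in docs if doc for finding in audit_document(doc)]
```

Each finding names the CR and the spec path so the owner can decide whether to escape, rescale or rewrite it before the chart bump lands.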

…lease-v1.42]

Mirrors tigera#4832 (master) onto release-v1.42 for the v3.23 GA.

- Makefile: ENVOY_GATEWAY_VERSION v1.7.2 -> v1.8.0
- go.mod: github.com/envoyproxy/gateway v1.7.2 -> v1.8.0
- pkg/render/gatewayapi/gateway_api_resources.yaml: regenerated
- pkg/render/gatewayapi/gateway_api.go: loader handles ValidatingAdmissionPolicy
  and ValidatingAdmissionPolicyBinding shipped by v1.8 chart
- gateway_api_test.go: expected resource lists updated
@sebhoss

sebhoss commented May 20, 2026

this is awesome - thanks a lot!

go.mod's go directive bumped to 1.26.3 after the envoyproxy/gateway v1.8.0
upgrade pulled deps that require a newer toolchain. The previous
GO_BUILD_VER (1.25.10-llvm18.1.8-k8s1.35.4) ships Go 1.25.10 and the
build amd64 job fails with:

  go: go.mod requires go >= 1.26.3 (running go 1.25.10; GOTOOLCHAIN=local)

Bumping to the matching Go 1.26.3 toolchain image. K8s minor preserved
at 1.35.4 (same as release-v1.42 base) so only the Go and LLVM bases
change.

Mirrors the static-checks portion of master commit 8d9201e (tigera#4613,
"Bump go to 1.26 and k8s to 1.35"). The newer GO_BUILD_VER ships an
updated staticcheck that flags WriteString(fmt.Sprintf(...)) as QF1012;
master cleared all 7 sites in the same go-toolchain bump but v1.42
missed the backport.

Affected:
- test/mainline_test.go:453-470 (6 sites in removeInstallation debug)
- pkg/tls/certificatemanagement/certificatebundle.go:195 (1 site)

Both strings.Builder and bytes.Buffer satisfy io.Writer, so the
substitution is a direct rewrite.
@electricjesus electricjesus marked this pull request as ready for review May 21, 2026 13:25
@electricjesus electricjesus requested a review from a team as a code owner May 21, 2026 13:25
@electricjesus electricjesus merged commit 368ed08 into tigera:release-v1.42 May 22, 2026
5 checks passed
@electricjesus electricjesus deleted the seth/eg-1.8.0-on-v1.42 branch May 22, 2026 17:28
