22 changes: 20 additions & 2 deletions renovate.json
Expand Up @@ -47,6 +47,14 @@
"depNameTemplate": "calico/base",
"datasourceTemplate": "docker",
"versioningTemplate": "regex:^(?<compatibility>ubi\\d+)-(?<patch>\\d+)$"
},
{
"description": "Renovate only manages ENVOY_GATEWAY_VERSION. On any bump, manually verify the Envoy Gateway compatibility matrix (https://gateway.envoyproxy.io/news/releases/matrix/) is satisfied for envoy-proxy (ENVOYBINARY_IMAGE in third_party/envoy-proxy/Makefile) and envoy-ratelimit (ENVOY_RATELIMIT_VERSION in third_party/envoy-ratelimit/Makefile), which Renovate does not track.",
"customType": "regex",
"managerFilePatterns": ["/^third_party\\/envoy-gateway\\/Makefile$/"],
"matchStrings": ["ENVOY_GATEWAY_VERSION=(?<currentValue>v\\d+\\.\\d+\\.\\d+)"],
"depNameTemplate": "envoyproxy/gateway",
"datasourceTemplate": "github-releases"
}
],
"packageRules": [
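Review bot: The `matchStrings` pattern `ENVOY_GATEWAY_VERSION=(?<currentValue>v\\d+\\.\\d+\\.\\d+)` is unanchored on both sides, so it would also match the same text inside a comment or as the tail of a longer variable name in third_party/envoy-gateway/Makefile, and it would capture only the `vX.Y.Z` prefix of a value that carries a suffix. Consider requiring the assignment to start a line and the version to end it, so Renovate can only ever rewrite the one real assignment. The `description` also repeats the manual compatibility-matrix step in full; the same wording is added to the Makefile comment, so a short pointer in one of the two places would keep them from drifting apart.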
Expand Down Expand Up @@ -90,13 +98,23 @@
"groupName": "dependency-updates"
},
{
"description": "Run gen-deps-files on selected branches only",
"matchBaseBranches": ["release-v3.31", "release-v3.32", "master"],
"description": "Run gen-deps-files after updates",
"postUpgradeTasks": {
"commands": ["make gen-deps-files"],
"fileFilters": ["**/deps.txt"],
"executionMode": "branch"
}
},
{
"description": "envoy-gateway: only patch updates allowed (block minor/major/digest)",
"matchPackageNames": ["envoyproxy/gateway"],
"matchUpdateTypes": ["minor", "major", "digest"],
"enabled": false

Member

The PR body already documents this as a known limitation, but it's worth pinning the follow-up here so it doesn't get lost: when envoy-gateway eventually moves to a new minor (v1.8.0+), whoever does the bump has to manually update the matching versions in third_party/envoy-proxy/Makefile and third_party/envoy-ratelimit/Makefile per the compatibility matrix — Renovate won't help. Could you file a follow-up issue for automating that derivation and link it from a description field on this rule (or a comment immediately above)? Otherwise the next minor bump in ~6 months will rediscover this gap from scratch.

},
{
"description": "Group envoy-gateway updates into a dedicated PR",
"matchPackageNames": ["envoyproxy/gateway"],
"groupName": "envoy-gateway"
}
]
}
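Review bot: In the gen-deps-files rule, dropping `"matchBaseBranches": ["release-v3.31", "release-v3.32", "master"]` leaves the rule, as shown here, with no match* selector at all, so `"commands": ["make gen-deps-files"]` would run as a post-upgrade task on every base branch Renovate processes. Please confirm that the `gen-deps-files` target exists on each of those branches and that `renovate-config-validator` accepts a packageRule without a selector; if either is in doubt, keep an explicit selector on the rule. Separately, the two `envoyproxy/gateway` rules depend on the custom manager's `depNameTemplate` staying exactly `envoyproxy/gateway`; a short note in one of the `description` fields would make that coupling visible to whoever edits the manager later.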
14 changes: 12 additions & 2 deletions third_party/envoy-gateway/Makefile
Expand Up @@ -5,8 +5,18 @@ PACKAGE_NAME ?= github.com/projectcalico/calico/third_party/envoy-gateway
ENVOY_GATEWAY_IMAGE ?= envoy-gateway
BUILD_IMAGES ?= $(ENVOY_GATEWAY_IMAGE)

# For updating this version please see
# https://github.com/tigera/operator/blob/master/docs/common_tasks.md#updating-the-bundled-version-of-envoy-gateway
# This is the single source of truth for the Envoy Gateway version. Renovate
# bumps it here; tigera/operator picks it up via `make gen-versions`, which reads
# this line and pins github.com/envoyproxy/gateway in the operator's go.mod (see
# the operator's update-envoy-gateway-version target). The operator then pulls and
# embeds the matching gateway-helm chart itself.
# Keep literal `KEY=value` form (no spaces, no `?=`); Renovate regex + the
# operator's update-envoy-gateway-version both parse this line.
# Renovate only bumps this version, and patch releases only. On any bump,
# especially a minor, manually verify the Envoy Gateway compatibility
# matrix (https://gateway.envoyproxy.io/news/releases/matrix/) and update the
# matching envoy-proxy (ENVOYBINARY_IMAGE) and envoy-ratelimit
# (ENVOY_RATELIMIT_VERSION) pins; Renovate does not track those.
ENVOY_GATEWAY_VERSION=v1.7.2

##############################################################################
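Review bot: The requirement "Keep literal `KEY=value` form (no spaces, no `?=`)" on the `ENVOY_GATEWAY_VERSION=v1.7.2` line is enforced only by this comment, while two separate parsers (the Renovate regex and the operator's update-envoy-gateway-version target) depend on it. A small CI or make-time check that fails when the line does not match the expected form would catch a well-meant reformat before it silently stops updates. The hunk also drops the link to the operator's common_tasks.md section on updating the bundled Envoy Gateway version; if that document still describes part of the procedure, keep the pointer alongside the new text.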