2 changes: 1 addition & 1 deletion .semaphore/renovate.yml
Expand Up @@ -28,7 +28,7 @@ blocks:
- name: RENOVATE_REPOSITORIES
value: projectcalico/calico
- name: RENOVATE_ALLOWED_COMMANDS
value: '["^make gen-deps-files$"]'
value: '["^make gen-deps-files$", "^make -C third_party/envoy-gateway gen-gateway-api-resources$"]'
- name: RENOVATE_GIT_AUTHOR
value: "marvin-tigera <marvin-tigera@users.noreply.github.com>"
- name: LOG_LEVEL
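Review bot: the new allowlist entry has to stay byte-identical to the `commands` value in the renovate.json postUpgradeTasks rule (`make -C third_party/envoy-gateway gen-gateway-api-resources`); the anchored `^...$` form is right, but Renovate does not execute a post-upgrade command that matches no allowlist entry (it only logs a warning), so a later tweak to either side (an extra flag, a renamed target) would leave version-bump PRs with a stale gateway_api_resources.yaml and no failing check. A one-line comment here pointing at the renovate.json rule would make that coupling visible to whoever edits this next.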
2 changes: 1 addition & 1 deletion .semaphore/semaphore-scheduled-builds.yml

2 changes: 1 addition & 1 deletion .semaphore/semaphore.yml

2 changes: 1 addition & 1 deletion .semaphore/semaphore.yml.d/blocks/20-envoy-gateway.yml
@@ -1,6 +1,6 @@
- name: Envoy Gateway
run:
when: "${FORCE_RUN} or change_in(['/metadata.mk', '/lib.Makefile', '/third_party/envoy-gateway'], {pipeline_file: 'ignore', exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
when: "${FORCE_RUN} or change_in(['/metadata.mk', '/lib.Makefile', '/third_party/envoy-gateway'], {pipeline_file: 'ignore', exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE', '/third_party/envoy-gateway/gateway_api_resources.yaml']})"

Member
Why this addition? I wouldn't expect the image building to depend on the YAMLs.

Contributor Author
It's part of the ignore config, so if there is a change in the yaml and nothing else we won't run the build.

Member
Oh right - nice.

execution_time_limit:
minutes: 30
dependencies:
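Review bot: the exclude entry is correct for the image build (a PR that touches only the rendered YAML has nothing to rebuild), but taken together with the .yamllint.yaml ignore added in this same PR it means a regenerated gateway_api_resources.yaml is neither linted nor exercised anywhere in this repo; a broken render only surfaces downstream in tigera/operator. A cheap guard that is not gated by this change_in: a CI step that runs `make -C third_party/envoy-gateway gen-gateway-api-resources` and then fails on `git diff --exit-code third_party/envoy-gateway/gateway_api_resources.yaml`, so the committed manifest is proven to match the ENVOY_GATEWAY_VERSION pin on every run.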
2 changes: 2 additions & 0 deletions .yamllint.yaml
Expand Up @@ -25,3 +25,5 @@ ignore:
- pod2daemon/node-driver-registrar/
- whisker/node_modules/
- felix/bpf-gpl/libbpf/
# helm-rendered upstream manifest; regenerated by `make -C third_party/envoy-gateway gen-gateway-api-resources`
- third_party/envoy-gateway/gateway_api_resources.yaml
31 changes: 29 additions & 2 deletions renovate.json
Expand Up @@ -47,6 +47,14 @@
"depNameTemplate": "calico/base",
"datasourceTemplate": "docker",
"versioningTemplate": "regex:^(?<compatibility>ubi\\d+)-(?<patch>\\d+)$"
},
{
"description": "Renovate only manages ENVOY_GATEWAY_VERSION. On any bump, manually verify the Envoy Gateway compatibility matrix (https://gateway.envoyproxy.io/news/releases/matrix/) is satisfied for envoy-proxy (ENVOYBINARY_IMAGE in third_party/envoy-proxy/Makefile) and envoy-ratelimit (ENVOY_RATELIMIT_VERSION in third_party/envoy-ratelimit/Makefile), which Renovate does not track.",
"customType": "regex",
"managerFilePatterns": ["/^third_party\\/envoy-gateway\\/Makefile$/"],
"matchStrings": ["ENVOY_GATEWAY_VERSION=(?<currentValue>v\\d+\\.\\d+\\.\\d+)"],
"depNameTemplate": "envoyproxy/gateway",
"datasourceTemplate": "github-releases"
}
],
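Review bot: the matchStrings regex is unanchored, so the first `ENVOY_GATEWAY_VERSION=vX.Y.Z` anywhere in the Makefile wins, including one inside a comment, and it stops matching altogether if the line is ever rewritten as `ENVOY_GATEWAY_VERSION ?= v1.7.2` or with spaces around `=`; in that case Renovate simply extracts no dependency, with no PR and no error. The Makefile comment in this PR documents the literal form, but a start-of-line prefix such as `(?:^|\\n)ENVOY_GATEWAY_VERSION=(?<currentValue>v\\d+\\.\\d+\\.\\d+)` makes the manager robust to commented examples without relying on any regex flag. The strict `v\\d+\\.\\d+\\.\\d+` capture usefully rejects pre-release tags, and the description pointing at the compatibility matrix is the right place for the envoy-proxy/envoy-ratelimit caveat.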
"packageRules": [
Expand Down Expand Up @@ -90,13 +98,32 @@
"groupName": "dependency-updates"
},
{
"description": "Run gen-deps-files on selected branches only",
"matchBaseBranches": ["release-v3.31", "release-v3.32", "master"],
"description": "Run gen-deps-files after updates",
"postUpgradeTasks": {
"commands": ["make gen-deps-files"],
"fileFilters": ["**/deps.txt"],
"executionMode": "branch"
}
},
{
"description": "envoy-gateway: only patch updates allowed (block minor/major/digest)",
"matchPackageNames": ["envoyproxy/gateway"],
"matchUpdateTypes": ["minor", "major", "digest"],
"enabled": false

Member
The PR body already documents this as a known limitation, but it's worth pinning the follow-up here so it doesn't get lost: when envoy-gateway eventually moves to a new minor (v1.8.0+), whoever does the bump has to manually update the matching versions in third_party/envoy-proxy/Makefile and third_party/envoy-ratelimit/Makefile per the compatibility matrix — Renovate won't help. Could you file a follow-up issue for automating that derivation and link it from a description field on this rule (or a comment immediately above)? Otherwise the next minor bump in ~6 months will rediscover this gap from scratch.

},
{
"description": "Group envoy-gateway updates into a dedicated PR",
"matchPackageNames": ["envoyproxy/gateway"],
"groupName": "envoy-gateway"
},
{
"description": "Regenerate envoy-gateway helm-rendered resources after version bump",
"matchPackageNames": ["envoyproxy/gateway"],
"postUpgradeTasks": {

Member
Two flags on the new postUpgradeTasks:

  1. Bot-side allowlist. postUpgradeTasks.commands is not honoured by Renovate unless the bot is allowed to execute it. There's precedent for that in this repo (the make gen-deps-files task at line 103 already works), so it's likely fine, but some Mend setups allowlist per-command-prefix rather than blanket — worth a quick confirmation with whoever owns the Renovate config that make -C third_party/envoy-gateway gen-gateway-api-resources is permitted. If it isn't, Renovate will happily open the version-bump PR with the rendered YAML untouched, and the manifest will silently drift from the pin.

  2. Missing matchBaseBranches. The existing gen-deps-files rule at lines 100–107 is scoped to ["master", "release-v3.31", "release-v3.32"]. The new envoy-gateway rules (108–127) have no such filter, so Renovate will try to bump envoy-gateway on every branch it scans, including older release branches that should be frozen. Suggest mirroring the same matchBaseBranches list on the envoy-gateway rules.

Contributor Author
For 2, I think we don't need it: lines 100-107 were added because we ran Renovate on release 3.30, which did not contain the deps files, but Renovate is only allowed to run on 3.31, 3.32 and master (line 6). We can now remove the scope for make gen-deps-files.

"commands": ["make -C third_party/envoy-gateway gen-gateway-api-resources"],
"fileFilters": ["third_party/envoy-gateway/gateway_api_resources.yaml"],
"executionMode": "branch"
}
}
]
}
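Review bot: `"enabled": false` for minor/major on envoyproxy/gateway has a quiet failure mode worth recording next to the rule: once the pinned v1.7 line stops receiving patch releases, Renovate stops opening PRs rather than warning, so a fix shipped only in v1.8.x is never surfaced. If the intent is a manual gate rather than a permanent freeze, `dependencyDashboardApproval: true` on the minor/major rule keeps those updates visible on the dependency dashboard without auto-opening PRs. Two smaller points: the group rule and the postUpgradeTasks rule both match only `envoyproxy/gateway` and could be one rule (groupName and postUpgradeTasks coexist fine), and dropping the remaining `matchBaseBranches` on the gen-deps-files rule, as agreed in the thread, leaves every postUpgradeTasks rule scoped the same way by the repo-level baseBranches.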
33 changes: 33 additions & 0 deletions third_party/envoy-gateway/Makefile
Expand Up @@ -7,6 +7,13 @@ BUILD_IMAGES ?= $(ENVOY_GATEWAY_IMAGE)

# For updating this version please see
# https://github.com/tigera/operator/blob/master/docs/common_tasks.md#updating-the-bundled-version-of-envoy-gateway
# Keep literal `KEY=value` form (no spaces, no `?=`); Renovate regex + operator's
# update-envoy-gateway-resources both parse this line.
# Renovate only bumps this version, and patch releases only. On any bump,
# especially a minor, manually verify the Envoy Gateway compatibility
# matrix (https://gateway.envoyproxy.io/news/releases/matrix/) and update the
# matching envoy-proxy (ENVOYBINARY_IMAGE) and envoy-ratelimit
# (ENVOY_RATELIMIT_VERSION) pins; Renovate does not track those.
ENVOY_GATEWAY_VERSION=v1.7.2

Member
I know it's not part of your changes, but reading your operator change, it seems to depend on having this strict format. If this changes format, Renovate will silently fail. Maybe adding commentary here helps? Idk what a better way would be.

Suggested change
# NB: keep literal `KEY=value` form (no spaces, no `?=`); Renovate regex + operator's
# update-envoy-gateway-resources both parse this line.
ENVOY_GATEWAY_VERSION=v1.7.2

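The two review points above, the allowlist caveat on postUpgradeTasks and the strict `KEY=value` format, both come down to regexes that fail quietly. The following is an added example, not code from the calico PR or from Renovate itself: it applies the PR's own two patterns (the `matchStrings` entry from renovate.json and the `RENOVATE_ALLOWED_COMMANDS` entries from .semaphore/renovate.yml) to constructed Makefile fragments and commands. The regexes are copied from the diff; the sample texts are made up, and the matching loop is an assumed simplification of how Renovate's custom regex manager behaves, not its implementation. The anchored variant is a suggestion, not something the PR contains.

```javascript
// Added example (not from the calico PR or from Renovate): exercise the two
// regexes this PR relies on against constructed inputs so their silent
// failure modes are visible. The matching loop is a simplification of
// Renovate's custom regex manager (assumed here: global matching, first hit
// counts), not Renovate's own code.

// matchStrings entry from renovate.json, as a JS string (escapes as in JSON).
const MATCH_STRING = 'ENVOY_GATEWAY_VERSION=(?<currentValue>v\\d+\\.\\d+\\.\\d+)';

// Suggested stricter variant (not in the PR): require the key at the start of
// a line so commented examples earlier in the file cannot shadow the pin.
const ANCHORED_MATCH_STRING =
  '(?:^|\\n)ENVOY_GATEWAY_VERSION=(?<currentValue>v\\d+\\.\\d+\\.\\d+)';

// RENOVATE_ALLOWED_COMMANDS from .semaphore/renovate.yml.
const ALLOWED_COMMANDS = [
  '^make gen-deps-files$',
  '^make -C third_party/envoy-gateway gen-gateway-api-resources$',
];

// Version that would be recorded as currentValue for the first match in the
// file body, or null when the pattern matches nothing at all.
function extractVersion(makefileText, matchString = MATCH_STRING) {
  const re = new RegExp(matchString, 'g');
  const m = re.exec(makefileText);
  return m ? m.groups.currentValue : null;
}

// true when at least one allowlist regex covers the command.
function commandAllowed(command, allowed = ALLOWED_COMMANDS) {
  return allowed.some((pattern) => new RegExp(pattern).test(command));
}

// Constructed Makefile fragments (sample data, not the real Makefile): the
// literal form the comment asks for, two variants a well-meaning edit might
// introduce, and a file where a commented example precedes the real pin.
const SAMPLES = {
  literal: 'ENVOY_GATEWAY_VERSION=v1.7.2\n',
  conditional: 'ENVOY_GATEWAY_VERSION ?= v1.7.2\n',
  spaced: 'ENVOY_GATEWAY_VERSION = v1.7.2\n',
  commentedFirst:
    '# For updating this version please see\n' +
    '# e.g. ENVOY_GATEWAY_VERSION=v1.0.0 must stay literal\n' +
    'ENVOY_GATEWAY_VERSION=v1.7.2\n',
};

// Collect every case in one object so a caller (or a test) can inspect it.
function report() {
  const versions = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    versions[name] = {
      unanchored: extractVersion(text),
      anchored: extractVersion(text, ANCHORED_MATCH_STRING),
    };
  }
  return {
    versions,
    commands: {
      exact: commandAllowed('make -C third_party/envoy-gateway gen-gateway-api-resources'),
      withFlag: commandAllowed('make -C third_party/envoy-gateway gen-gateway-api-resources --always-make'),
      genDeps: commandAllowed('make gen-deps-files'),
    },
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Running it shows the literal line yielding `v1.7.2`, the `?=` and spaced forms yielding nothing (the dependency simply disappears from Renovate's view), the commented example line taking precedence over the real pin with the unanchored pattern but not with the anchored one, and a command with an extra flag being rejected by the allowlist while the exact command passes.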

##############################################################################
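Review bot: the comment block documents the format contract but nothing enforces it, so a stray `?=` still breaks both Renovate and the operator's update-envoy-gateway-resources without any failure in this repo. A guard in this Makefile that greps itself for exactly one line matching `^ENVOY_GATEWAY_VERSION=v[0-9]+\.[0-9]+\.[0-9]+$` and calls `$(error ...)` otherwise fails the build the moment the line changes shape, which is cheaper than two consumers silently stalling. Also, the compatibility-matrix guidance now lives both here and in the renovate.json rule description; keep one canonical copy and have the other reference it so they do not drift.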
Expand Down Expand Up @@ -58,6 +65,32 @@ clean:
rm -fr bin/ envoy-gateway/
-docker image rm -f $$(docker images $(ENVOY_GATEWAY_IMAGE) -a -q)

##############################################################################
# Helm-rendered manifests
#
# gateway_api_resources.yaml is the bundle of resources tigera/operator consumes
# (via //go:embed). Operator's update-envoy-gateway-resources target copies this
# file from a calico clone, keeping the helm-template recipe, the image build,
# and the CVE patch set in lockstep at a single version pin.
##############################################################################
ENVOY_GATEWAY_HELM_CHART ?= oci://docker.io/envoyproxy/gateway-helm
ENVOY_GATEWAY_PREFIX ?= tigera-gateway-api
ENVOY_GATEWAY_NAMESPACE ?= tigera-gateway
ENVOY_GATEWAY_RESOURCES ?= gateway_api_resources.yaml

.PHONY: gen-gateway-api-resources
gen-gateway-api-resources: bin/helm
echo "---" > $(ENVOY_GATEWAY_RESOURCES)
echo "apiVersion: v1" >> $(ENVOY_GATEWAY_RESOURCES)
echo "kind: Namespace" >> $(ENVOY_GATEWAY_RESOURCES)
echo "metadata:" >> $(ENVOY_GATEWAY_RESOURCES)
echo " name: $(ENVOY_GATEWAY_NAMESPACE)" >> $(ENVOY_GATEWAY_RESOURCES)
bin/helm template $(ENVOY_GATEWAY_PREFIX) $(ENVOY_GATEWAY_HELM_CHART) \
--version $(ENVOY_GATEWAY_VERSION) \
-n $(ENVOY_GATEWAY_NAMESPACE) \
--include-crds \
>> $(ENVOY_GATEWAY_RESOURCES)

##############################################################################
# Image
##############################################################################
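Review bot: the chart is fetched by tag alone (`--version $(ENVOY_GATEWAY_VERSION)` from `oci://docker.io/envoyproxy/gateway-helm`) and the rendered output is what tigera/operator embeds and applies cluster-wide, CRDs included, so a re-pushed upstream tag would be rendered straight into the repo with no signal; record the chart digest that `helm pull` reports next to ENVOY_GATEWAY_VERSION and fail the target when it differs, and verify upstream's chart provenance or signature if one is published. Second, the recipe truncates `$(ENVOY_GATEWAY_RESOURCES)` with the first `echo` before helm runs, so a failed `helm template` (registry outage, unknown version) leaves a file containing only the Namespace stanza; render into a temporary file and `mv` it over the target on success so a partial manifest can never be committed.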