feat(gatewayapi): bump bundled Envoy Gateway helm chart to v1.8.0 #4832

Merged: electricjesus merged 1 commit into tigera:master from electricjesus:seth/eg-1.8.0-on-master on Jun 16, 2026
Conversation

electricjesus (Member) commented May 20, 2026
Description

Bumps the bundled Envoy Gateway helm chart from v1.7.2 to v1.8.0 on master, including ListenerSet support requested by community users.

Type: enhancement.

Re-derived onto current master. The original branch predated #4690 (Namespaced Mode), which deleted the static gateway_api_resources.yaml and moved rendering to a runtime helm render + typed parseManifest. The EG-1.8.0 delta has been re-applied onto that new renderer (see Scope), rather than merged, to avoid resurrecting the old string-switch loader.

Why

EG v1.8.0 (released 2026-05-13) adds first-class ListenerSet support, which is what cert-manager and external-dns integrate against on Gateway-API installs. Without this, teams using those tools cannot migrate off ingress-nginx onto our Gateway-API offering.

Community ask: #4534 (comment) (sebhoss, referencing envoyproxy/gateway#8409).

Scope

  • Makefile: ENVOY_GATEWAY_VERSION v1.7.2 → v1.8.0. The embedded gateway-helm.tgz is regenerated from this pin at build time (git-ignored, not committed).
  • go.mod: github.com/envoyproxy/gateway v1.7.2 → v1.8.0, cascading sigs.k8s.io/gateway-api v1.4.1 → v1.5.1. controller-runtime is left at master's current v0.24.1 (master bumped it since the original branch was cut); go mod tidy confirms the v0.24.1 + gateway-api v1.5.1 + gateway v1.8.0 set resolves cleanly.
  • pkg/render/gatewayapi/gateway_api.go: parseManifest now handles the two new admission-policy kinds the v1.8 chart ships — ValidatingAdmissionPolicy + ValidatingAdmissionPolicyBinding (both safe-upgrades.gateway.networking.k8s.io, the upstream gateway-api "safe-upgrades" policy). Without these cases the renderer's fail-loud default (added by Gatewayapi Namespaced Mode #4690) trips on the new objects. Both are emitted in Objects() alongside the existing webhook configs.
  • pkg/render/gatewayapi/gateway_api_test.go: controllerExpected gains the safe-upgrades VAP + binding.

Behavior changes inherited from upstream v1.8.0

Per v1.8.0 release notes:

  • DirectResponse HTTPFilter body now supports Envoy command operators — existing CRs with literal % characters will be interpreted as template directives.
  • SecurityPolicy 0s timeout now means infinite rather than immediate termination — semantic flip.
  • samplingFraction translation corrected — existing CRs sample 100× their previous rate; users must divide by 100 to preserve prior behavior.
  • Default controller logging encoder is now production JSON — log-shipping pipelines that parse the older text format will need updating.
  • OIDC SecurityPolicy now generates a single native envoy.filters.http.oauth2 HTTP filter in the HCM filter chain — breaks EnvoyPatchPolicy configs that matched per-route oauth2 instances.
  • IR/xDS resource naming for merged SecurityPolicy resources changed — affected EnvoyPatchPolicy refs need updating.
  • Gateway API CRDs bumped to v1.5.1; safe-upgrades admission policy now ships to prevent unsafe in-place CRD migrations.

These ride through to whichever release branch picks up this commit.

Companion repos

A v1.8 EG controller expects Envoy proxy distroless-v1.38.0.

  • tigera/envoybinary main is already at v1.38.0 (Add high-level rendering tests #19) ✓. (#21 bumps it to v1.38.1 for a future EG v1.8.1 — not required for this PR.)
  • tigera/calico-private master third_party/envoy-proxy/Dockerfile still pins envoybinary v1.37.2 → needs a bump to the v1.38.0 build, tracked as the calico-private master EG-1.8.0 PR. This operator PR is functional on its own (xDS is generally forward/backward compatible), but the proxy-side pin is needed before any release that ships this commit reaches customers.

Testing

  • go build ./pkg/render/gatewayapi/... — OK
  • go vet ./pkg/render/gatewayapi/... — OK
  • go test ./pkg/render/gatewayapi/... — pass (the safe-upgrades VAP + binding are now rendered from the v1.8.0 chart and asserted)
  • go mod tidy — clean; validates the controller-runtime v0.24.1 + gateway-api v1.5.1 + gateway v1.8.0 set
  • make ut full suite + FV against a real cluster with ListenerSet / safe-upgrades — pending CI / reviewer env

Components affected

  • pkg/render/gatewayapi only on the operator side. Companion bump tracked separately for tigera/calico-private master.

Release Note

Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class `ListenerSet` support (enables cert-manager and external-dns integration with Gateway-API), the `safe-upgrades` ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup. Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy `0s` timeout semantics, samplingFraction 100x correction, OIDC filter consolidation) — see https://gateway.envoyproxy.io/news/releases/notes/v1.8.0/.

For PR author

  • Tests for change — pkg/render/gatewayapi/gateway_api_test.go updated for the new admission-policy resources.
  • If changing pkg/apis/, run make gen-files — N/A (no pkg/apis changes).
  • If changing versions, run make gen-versions — N/A (EG chart version, not a CE component version).

For PR reviewers

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/enhancement
    • enterprise (Calico Enterprise gateway-api install affected)
    • release-note-required
    • docs-pr-required (ListenerSet integration with cert-manager / external-dns warrants a docs update)

cc @nelljerram @pasanw @sebhoss
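The Scope bullet on parseManifest describes a renderer whose default case rejects kinds it does not recognise rather than skipping them, which is why the two admission-policy kinds in the v1.8 chart had to be added explicitly before the bump could render. The following is an added Go example, not the operator's code: it uses a simplified JSON-based parser (the operator decodes the helm-rendered YAML with typed Kubernetes decoders), a hypothetical kind allowlist, and a constructed four-document stand-in for the rendered chart, and shows the v1.7-era allowlist tripping on the safe-upgrades policy pair while the extended allowlist accepts it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// typeMeta is the minimal Kubernetes object header a renderer needs to
// dispatch on kind. Hypothetical, simplified stand-in for the typed
// decoding the operator's own parseManifest performs.
type typeMeta struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name string `json:"name"`
	} `json:"metadata"`
}

// RenderedObject is what the parser hands back for each accepted document.
type RenderedObject struct {
	Kind string
	Name string
}

// parseManifest decodes one JSON-encoded object per entry in docs, accepts
// only kinds the renderer knows how to emit, and fails loudly on anything
// else. Silently skipping an unknown kind would drop, for example, a
// cluster-scoped admission policy from the rendered set with no signal, so
// "unknown" is an error rather than a warning.
func parseManifest(docs []string, knownKinds map[string]bool) ([]RenderedObject, error) {
	out := make([]RenderedObject, 0, len(docs))
	for i, doc := range docs {
		var tm typeMeta
		if err := json.Unmarshal([]byte(doc), &tm); err != nil {
			return nil, fmt.Errorf("document %d: %w", i, err)
		}
		if tm.Kind == "" || tm.APIVersion == "" {
			return nil, fmt.Errorf("document %d: missing apiVersion/kind", i)
		}
		if !knownKinds[tm.Kind] {
			return nil, fmt.Errorf("document %d: unhandled kind %s/%s (%q); extend the renderer before bumping the chart",
				i, tm.APIVersion, tm.Kind, tm.Metadata.Name)
		}
		out = append(out, RenderedObject{Kind: tm.Kind, Name: tm.Metadata.Name})
	}
	return out, nil
}

// v17Kinds is a hypothetical allowlist standing in for what a renderer built
// against the v1.7.x chart knew how to emit.
var v17Kinds = map[string]bool{
	"Deployment":                     true,
	"ValidatingWebhookConfiguration": true,
}

// v18Kinds is v17Kinds plus the two admission-policy kinds the v1.8 chart adds.
func v18Kinds() map[string]bool {
	k := make(map[string]bool, len(v17Kinds)+2)
	for kind := range v17Kinds {
		k[kind] = true
	}
	k["ValidatingAdmissionPolicy"] = true
	k["ValidatingAdmissionPolicyBinding"] = true
	return k
}

// sampleV18Chart is a constructed, heavily trimmed stand-in for the rendered
// v1.8 chart: two pre-existing object kinds plus the safe-upgrades policy
// pair. All names except the safe-upgrades policy name are made up.
var sampleV18Chart = []string{
	`{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"example-controller"}}`,
	`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingWebhookConfiguration","metadata":{"name":"example-webhook"}}`,
	`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingAdmissionPolicy","metadata":{"name":"safe-upgrades.gateway.networking.k8s.io"}}`,
	`{"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingAdmissionPolicyBinding","metadata":{"name":"safe-upgrades.gateway.networking.k8s.io"}}`,
}

// kindSummary returns the accepted kinds in sorted order for stable output.
func kindSummary(objs []RenderedObject) []string {
	kinds := make([]string, 0, len(objs))
	for _, o := range objs {
		kinds = append(kinds, o.Kind)
	}
	sort.Strings(kinds)
	return kinds
}

func main() {
	// Old allowlist against the new chart: the fail-loud default names the kind.
	if _, err := parseManifest(sampleV18Chart, v17Kinds); err != nil {
		fmt.Println("v1.7-era renderer on v1.8 chart:", err)
	}
	// Extended allowlist: all four objects are emitted.
	objs, err := parseManifest(sampleV18Chart, v18Kinds())
	if err != nil {
		panic(err)
	}
	fmt.Println("v1.8 renderer accepted:", kindSummary(objs))
}
```

The point the example makes is about the failure mode: a renderer that silently ignores unknown kinds would have "worked" on the v1.8 chart while quietly leaving the safe-upgrades admission policy out of the cluster, whereas the fail-loud default turns the chart bump into a build-time decision about each new resource.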

electricjesus added a commit that referenced this pull request May 22, 2026
…lease-v1.42]

Mirrors #4832 (master) onto release-v1.42 for the v3.23 GA.

- Makefile: ENVOY_GATEWAY_VERSION v1.7.2 -> v1.8.0
- go.mod: github.com/envoyproxy/gateway v1.7.2 -> v1.8.0
- pkg/render/gatewayapi/gateway_api_resources.yaml: regenerated
- pkg/render/gatewayapi/gateway_api.go: loader handles ValidatingAdmissionPolicy
  and ValidatingAdmissionPolicyBinding shipped by v1.8 chart
- gateway_api_test.go: expected resource lists updated
@radTuti radTuti modified the milestones: v1.43.0, v1.44.0 Jun 12, 2026
@electricjesus electricjesus reopened this Jun 16, 2026
Re-derived onto current master after tigera#4690 (Namespaced Mode) rewrote the
gatewayapi renderer to render the embedded helm chart at runtime (the
prior static gateway_api_resources.yaml is gone).

- Makefile: ENVOY_GATEWAY_VERSION v1.7.2 -> v1.8.0
- go.mod: github.com/envoyproxy/gateway v1.7.2 -> v1.8.0, cascading
  sigs.k8s.io/gateway-api v1.4.1 -> v1.5.1. controller-runtime stays at
  master's v0.24.1; go mod tidy confirms the v0.24.1 + gateway-api
  v1.5.1 + gateway v1.8.0 set resolves.
- pkg/render/gatewayapi/gateway-helm.tgz: regenerated from upstream
  gateway-helm v1.8.0.
- gateway_api.go: parseManifest now handles the two new admission-policy
  kinds the v1.8 chart ships (ValidatingAdmissionPolicy +
  ValidatingAdmissionPolicyBinding for the gateway-api "safe-upgrades"
  policy). Without this, the renderer's fail-loud default trips on them.
- gateway_api_test.go: controllerExpected gains the safe-upgrades VAP +
  binding.

v1.8.0 adds ListenerSet support, requested by community users for
cert-manager / external-dns integration on Gateway-API installs (tigera#4534).
@electricjesus electricjesus force-pushed the seth/eg-1.8.0-on-master branch from 4b12dbd to a7ecd98 June 16, 2026 10:13
@electricjesus electricjesus merged commit ae6d03a into tigera:master Jun 16, 2026
6 of 7 checks passed
@electricjesus electricjesus deleted the seth/eg-1.8.0-on-master branch June 16, 2026 11:32