feat(gatewayapi): bump bundled Envoy Gateway helm chart to v1.8.0

[electricjesus]

Description

Bumps Envoy Gateway from v1.7.2 to v1.8.0 on master, including ListenerSet support requested by community users.

Type: enhancement.

Why

EG v1.8.0 (released 2026-05-13) adds first-class ListenerSet support, which is what cert-manager and external-dns integrate against on Gateway-API installs. Without this, teams using those tools cannot migrate off ingress-nginx onto our Gateway-API offering.

Community ask: #4534 (comment) (sebhoss, referencing envoyproxy/gateway#8409).

Scope

• Makefile: ENVOY_GATEWAY_VERSION v1.7.2 → v1.8.0.
• go.mod: github.com/envoyproxy/gateway v1.7.2 → v1.8.0. Cascades sigs.k8s.io/gateway-api v1.4.1 → v1.5.1 (CRDs bumped upstream). No k8s.io/* or controller-runtime jumps (v1.8 is compatible with the same k8s line master already runs).
• pkg/render/gatewayapi/gateway_api_resources.yaml: regenerated from oci://docker.io/envoyproxy/gateway-helm at v1.8.0.
• pkg/render/gatewayapi/gateway_api.go: loader extended to handle two new resource kinds shipped in the v1.8 chart: ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. These back the upstream gateway-api "safe-upgrades" admission policy — they're passed through to Objects() unchanged, no special handling.
• pkg/render/gatewayapi/gateway_api_test.go: expected resource lists updated to include the two new admission policies; core-object count bumped from 20 to 22.

Behavior changes inherited from upstream v1.8.0

Per v1.8.0 release notes:

• DirectResponse HTTPFilter body now supports Envoy command operators — existing CRs with literal % characters will be interpreted as template directives.
• SecurityPolicy 0s timeout now means infinite rather than immediate termination — semantic flip.
• samplingFraction translation corrected — existing CRs sample 100× their previous rate; users must divide by 100 to preserve prior behavior.
• Default controller logging encoder is now production JSON — log-shipping pipelines that parse the older text format will need updating.
• OIDC SecurityPolicy now generates a single native envoy.filters.http.oauth2 HTTP filter in the HCM filter chain — breaks EnvoyPatchPolicy configs that matched per-route oauth2 instances.
• IR/xDS resource naming for merged SecurityPolicy resources changed — affected EnvoyPatchPolicy refs need updating.
• Gateway API CRDs bumped to v1.5.1; safe-upgrades admission policy now ships to prevent unsafe in-place CRD migrations.

These ride through to whichever release branch picks up this commit — they are not appropriate for backport to a stable release branch as-is. Recommend landing on master only for now; let a future CE minor (post-v3.23) include them through normal release cadence.

Companion repos

A v1.8 EG controller binary expects upstream Envoy proxy distroless-v1.38.0. Master currently builds tigera/envoy-proxy from tigera/envoybinary at v1.37.2. To fully align master, follow-up PRs needed:

• tigera/envoybinary main: ENVOY_VERSION v1.37.2 → v1.38.x.
• tigera/calico-private master third_party/envoy-proxy/Dockerfile: bump the envoybinary digest pin to the new v1.38.x image build.

This operator PR is functional on its own — xDS is generally forward/backward compatible — but the proxy-side bumps are needed before any release that ships this commit goes to customers, otherwise EG v1.8 features that emit v1.38-specific xDS config will silently degrade on v1.37 envoy pods.

Testing

• go vet ./pkg/render/gatewayapi/... ./pkg/controller/gatewayapi/...
• go build ./pkg/render/gatewayapi/... ./pkg/controller/gatewayapi/...
• go test ./pkg/render/gatewayapi/... — 20/20 pass
• go test ./pkg/controller/gatewayapi/... — pass
• grep ListenerSet pkg/render/gatewayapi/gateway_api_resources.yaml — present (65 hits)
• make ut full suite — pending reviewer environment
• FV against a real cluster with ListenerSet, lateResponseHeaders, and safe-upgrades admission policy — pending

Components affected

• pkg/render/gatewayapi only on operator-side. Companion bumps tracked separately for tigera/envoybinary + tigera/calico-private.

Related PRs

• Supersedes feat: bump Envoy Gateway to v1.7.0 #4534 (my draft for v1.7.0, predates Pasan's feat: bump Envoy Gateway to v1.7.0 #4566 which landed v1.7.0 on master).
• Hotfix backport on release-v1.40 for the v1.5.9 → v1.7.2 chart drift on CE v3.22.4: feat(gatewayapi): bump bundled Envoy Gateway helm chart to v1.7.2 [release-v1.40] #4831.

Release Note

```release-note
Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class ListenerSet support (enables cert-manager and external-dns integration with Gateway-API), the safe-upgrades ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup. Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy 0s timeout semantics, samplingFraction 100x correction, OIDC filter consolidation) — see https://gateway.envoyproxy.io/news/releases/notes/v1.8.0/.
```

For PR author

• Tests for change — pkg/render/gatewayapi/gateway_api_test.go updated for new admission policy resources.
• If changing pkg/apis/, run `make gen-files` — N/A
• If changing versions, run `make gen-versions` — N/A (EG chart version, not a CE component version)

For PR reviewers

• Milestone set according to targeted release.
• Appropriate labels:
  • `kind/enhancement`
  • `enterprise` (Calico Enterprise gateway-api install affected)
  • `release-note-required`
  • `docs-pr-required` (ListenerSet integration with cert-manager / external-dns warrants a docs update)

cc @nelljerram @pasanw @sebhoss