
feat(gatewayapi): bump bundled Envoy Gateway helm chart to v1.8.0 [release-v1.42]#4833

Open
electricjesus wants to merge 5 commits into tigera:release-v1.42 from electricjesus:seth/eg-1.8.0-on-v1.42

Conversation

@electricjesus
Member

@electricjesus electricjesus commented May 20, 2026

Companion to #4832 on master. Lands on release-v1.42 ahead of v3.23 GA so that v1.8 behavior changes (samplingFraction, OIDC consolidation, DirectResponse interpolation) are inside the e2e coverage envelope for v3.23.

Description

Bumps Envoy Gateway from v1.7.2 to v1.8.0 on release-v1.42, including ListenerSet support requested by community users.

Type: enhancement.

Why

EG v1.8.0 (released 2026-05-13) adds first-class ListenerSet support, which is what cert-manager and external-dns integrate against on Gateway-API installs. Without this, teams using those tools cannot migrate off ingress-nginx onto our Gateway-API offering.

Community ask: #4534 (comment) (sebhoss, referencing envoyproxy/gateway#8409).

Scope

  • Makefile: ENVOY_GATEWAY_VERSION v1.7.2 → v1.8.0.
  • go.mod: github.com/envoyproxy/gateway v1.7.2 → v1.8.0. Cascades sigs.k8s.io/gateway-api v1.4.1 → v1.5.1 (CRDs bumped upstream). No k8s.io/* or controller-runtime jumps (v1.8 is compatible with the same k8s line release-v1.42 already runs).
  • pkg/render/gatewayapi/gateway_api_resources.yaml: regenerated from oci://docker.io/envoyproxy/gateway-helm at v1.8.0.
  • pkg/render/gatewayapi/gateway_api.go: loader extended to handle two new resource kinds shipped in the v1.8 chart: ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. These back the upstream gateway-api "safe-upgrades" admission policy — they're passed through to Objects() unchanged, no special handling.
  • pkg/render/gatewayapi/gateway_api_test.go: expected resource lists updated to include the two new admission policies; core-object count bumped from 20 to 22.

Behavior changes inherited from upstream v1.8.0

Per v1.8.0 release notes:

  • DirectResponse HTTPFilter body now supports Envoy command operators — existing CRs with literal % characters will be interpreted as template directives.
  • SecurityPolicy 0s timeout now means infinite rather than immediate termination — semantic flip.
  • samplingFraction translation corrected — existing CRs sample 100× their previous rate; users must divide by 100 to preserve prior behavior.
  • Default controller logging encoder is now production JSON — log-shipping pipelines that parse the older text format will need updating.
  • OIDC SecurityPolicy now generates a single native envoy.filters.http.oauth2 HTTP filter in the HCM filter chain — breaks EnvoyPatchPolicy configs that matched per-route oauth2 instances.
  • IR/xDS resource naming for merged SecurityPolicy resources changed — affected EnvoyPatchPolicy refs need updating.
  • Gateway API CRDs bumped to v1.5.1; safe-upgrades admission policy now ships to prevent unsafe in-place CRD migrations.

These ride through to whichever release branch picks up this commit — they are not appropriate for backport to a stable release branch as-is. Recommend landing on release-v1.42 only for now; let a future CE minor (post-v3.23) include them through normal release cadence.

Companion repos

A v1.8 EG controller binary expects upstream Envoy proxy distroless-v1.38.0. release-v1.42 currently builds tigera/envoy-proxy from tigera/envoybinary at v1.37.2. To fully align release-v1.42, follow-up PRs needed:

  • tigera/envoybinary main: ENVOY_VERSION v1.37.2 → v1.38.x.
  • tigera/calico-private release-v1.42 third_party/envoy-proxy/Dockerfile: bump the envoybinary digest pin to the new v1.38.x image build.

This operator PR is functional on its own — xDS is generally forward/backward compatible — but the proxy-side bumps are needed before any release that ships this commit goes to customers, otherwise EG v1.8 features that emit v1.38-specific xDS config will silently degrade on v1.37 envoy pods.

Testing

  • go vet ./pkg/render/gatewayapi/... ./pkg/controller/gatewayapi/...
  • go build ./pkg/render/gatewayapi/... ./pkg/controller/gatewayapi/...
  • go test ./pkg/render/gatewayapi/... — 20/20 pass
  • go test ./pkg/controller/gatewayapi/... — pass
  • grep ListenerSet pkg/render/gatewayapi/gateway_api_resources.yaml — present (65 hits)
  • make ut full suite — pending reviewer environment
  • FV against a real cluster with ListenerSet, lateResponseHeaders, and safe-upgrades admission policy — pending

Components affected

  • pkg/render/gatewayapi only on operator-side. Companion bumps tracked separately for tigera/envoybinary + tigera/calico-private.

Related PRs

Release Note

Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class `ListenerSet` support (enables cert-manager and external-dns integration with Gateway-API), the `safe-upgrades` ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup. Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy `0s` timeout semantics, samplingFraction 100x correction, OIDC filter consolidation) — see https://gateway.envoyproxy.io/news/releases/notes/v1.8.0/.

For PR author

  • Tests for change — pkg/render/gatewayapi/gateway_api_test.go updated for new admission policy resources.
  • If changing pkg/apis/, run make gen-files — N/A
  • If changing versions, run make gen-versions — N/A (EG chart version, not a CE component version)

For PR reviewers

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/enhancement
    • enterprise (Calico Enterprise gateway-api install affected)
    • release-note-required
    • docs-pr-required (ListenerSet integration with cert-manager / external-dns warrants a docs update)

cc @nelljerram @pasanw @sebhoss
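The "Behavior changes inherited from upstream v1.8.0" list above is the kind of thing an operator team wants to check against existing CRs before the bump reaches a cluster. The following is an added example, not code from this PR or from the tigera/operator code base: a small pre-upgrade audit in Go that applies three of the listed checks (samplingFraction now 100x the previous rate, literal `%` in a DirectResponse body, a `0s` SecurityPolicy timeout) to a constructed inventory. The struct shapes, field labels and sample values are simplified stand-ins and assumptions, not the real Envoy Gateway CRD types; the point is the checks, which come straight from the list above.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// The types below are simplified stand-ins for the Envoy Gateway CRDs, not
// the real API structs; they carry only the fields the v1.8.0 notes touch.
type Fraction struct{ Numerator, Denominator int }

type TracingConfig struct { // assumed shape: from an EnvoyProxy resource
	Name             string
	SamplingFraction *Fraction
}

type DirectResponseFilter struct { // assumed shape: from an HTTPRouteFilter
	Name string
	Body string // inline response body
}

type SecurityPolicyTimeout struct { // assumed shape: one SecurityPolicy timeout
	Name    string
	Timeout string // duration exactly as written in the CR, e.g. "0s"
}

type Inventory struct {
	Tracing          []TracingConfig
	DirectResponses  []DirectResponseFilter
	SecurityPolicies []SecurityPolicyTimeout
}

// Finding is one pre-upgrade warning for an existing resource.
type Finding struct{ Resource, Field, Message string }

// PreservedSamplingFraction returns the value that keeps the old effective
// rate: v1.8 samples 100x the previous rate, so divide by 100. Scaling the
// denominator avoids truncating small numerators to zero.
func PreservedSamplingFraction(f Fraction) Fraction {
	return Fraction{f.Numerator, f.Denominator * 100}
}

// isZero reports whether a CR duration string means zero; unparsable values
// are a schema-validation problem, not something this audit flags.
func isZero(d string) bool {
	v, err := time.ParseDuration(d)
	return err == nil && v == 0
}

// Audit applies the three CR-level checks and returns one finding per hit.
func Audit(inv Inventory) []Finding {
	var out []Finding
	for _, t := range inv.Tracing {
		if t.SamplingFraction != nil {
			p := PreservedSamplingFraction(*t.SamplingFraction)
			out = append(out, Finding{t.Name, "samplingFraction", fmt.Sprintf(
				"v1.8 samples 100x the previous rate; set %d/%d to preserve it", p.Numerator, p.Denominator)})
		}
	}
	for _, d := range inv.DirectResponses {
		if strings.Contains(d.Body, "%") {
			out = append(out, Finding{d.Name, "directResponse.body",
				"literal '%' is now parsed as an Envoy command operator; review the body"})
		}
	}
	for _, s := range inv.SecurityPolicies {
		if isZero(s.Timeout) {
			out = append(out, Finding{s.Name, "timeout",
				"0s now means no timeout rather than immediate termination; set an explicit value"})
		}
	}
	return out
}

// SampleInventory is constructed input, not data from any real cluster.
func SampleInventory() Inventory {
	return Inventory{
		Tracing:          []TracingConfig{{"proxy-a", &Fraction{1, 100}}, {"proxy-b", nil}},
		DirectResponses:  []DirectResponseFilter{{"maintenance-page", "100% of traffic is paused"}, {"plain", "try later"}},
		SecurityPolicies: []SecurityPolicyTimeout{{"ext-auth-zero", "0s"}, {"ext-auth-ok", "5s"}},
	}
}

func main() {
	for _, f := range Audit(SampleInventory()) {
		fmt.Printf("%-18s %-22s %s\n", f.Resource, f.Field, f.Message)
	}
}
```

Run against a real cluster this would be fed by listing the relevant CRs; the checks are deliberately conservative (a `%` is only flagged for review, since whether it was meant as a template directive is a per-route judgement), and the samplingFraction correction scales the denominator so that a `1/100` fraction becomes `1/10000` rather than a truncated `0/100`.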

…lease-v1.42]

Mirrors tigera#4832 (master) onto release-v1.42 for the v3.23 GA.

- Makefile: ENVOY_GATEWAY_VERSION v1.7.2 -> v1.8.0
- go.mod: github.com/envoyproxy/gateway v1.7.2 -> v1.8.0
- pkg/render/gatewayapi/gateway_api_resources.yaml: regenerated
- pkg/render/gatewayapi/gateway_api.go: loader handles ValidatingAdmissionPolicy
  and ValidatingAdmissionPolicyBinding shipped by v1.8 chart
- gateway_api_test.go: expected resource lists updated
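The scope list and this commit message both describe extending the chart loader so that the two new admission-policy kinds are accepted. The block below is an added example, not the operator's own loader in pkg/render/gatewayapi/gateway_api.go: a standard-library Go loader that splits a rendered helm manifest into documents, reads each one's apiVersion, kind and metadata.name, and fails closed on any kind that is not on an explicit allow-list, which is the property a reviewer cares about when a regenerated manifest starts shipping new object types. The allow-list, the line-scanning header parser and the `SampleChart` excerpt (placeholder names, not the real gateway-helm output) are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Object is the minimal identity of one object rendered from the chart.
type Object struct{ APIVersion, Kind, Name string }

// knownKinds is a hypothetical allow-list standing in for the operator's own
// dispatch. Unknown kinds are rejected rather than passed through, so a
// regenerated chart cannot introduce an object type nobody reviewed.
var knownKinds = map[string]bool{
	"Namespace": true, "ServiceAccount": true, "ConfigMap": true, "Service": true,
	"Deployment": true, "CustomResourceDefinition": true, "ClusterRole": true,
	"ClusterRoleBinding": true, "Role": true, "RoleBinding": true,
	// Added for the v1.8 chart: the upstream "safe-upgrades" admission policy.
	"ValidatingAdmissionPolicy": true, "ValidatingAdmissionPolicyBinding": true,
}

// splitDocs separates a multi-document YAML stream on "---" lines, dropping
// documents that contain only whitespace or comments.
func splitDocs(manifest string) []string {
	var docs []string
	for _, raw := range strings.Split(manifest, "\n---") {
		for _, line := range strings.Split(raw, "\n") {
			t := strings.TrimSpace(line)
			if t != "" && t != "---" && !strings.HasPrefix(t, "#") {
				docs = append(docs, raw)
				break
			}
		}
	}
	return docs
}

// parseHeader reads apiVersion, kind and metadata.name from one document with
// a line scanner (not a YAML parser): enough for helm output, where these keys
// are always top-level and plainly formatted.
func parseHeader(doc string) Object {
	var o Object
	inMetadata := false
	for _, line := range strings.Split(doc, "\n") {
		switch {
		case strings.HasPrefix(line, "apiVersion:"):
			o.APIVersion = strings.TrimSpace(strings.TrimPrefix(line, "apiVersion:"))
		case strings.HasPrefix(line, "kind:"):
			o.Kind = strings.TrimSpace(strings.TrimPrefix(line, "kind:"))
		case strings.HasPrefix(line, "metadata:"):
			inMetadata = true
		case inMetadata && strings.HasPrefix(line, "  name:"):
			o.Name = strings.TrimSpace(strings.TrimPrefix(line, "  name:"))
		case len(line) > 0 && line[0] != ' ' && line[0] != '#':
			inMetadata = false // any other top-level key closes metadata
		}
	}
	return o
}

// LoadObjects returns every object in the manifest, failing closed on any
// document whose kind is not on the allow-list.
func LoadObjects(manifest string) ([]Object, error) {
	var objs []Object
	for i, doc := range splitDocs(manifest) {
		o := parseHeader(doc)
		if o.APIVersion == "" || o.Kind == "" {
			return nil, fmt.Errorf("document %d: missing apiVersion or kind", i)
		}
		if !knownKinds[o.Kind] {
			return nil, fmt.Errorf("document %d: unsupported kind %q (%s)", i, o.Kind, o.Name)
		}
		objs = append(objs, o)
	}
	return objs, nil
}

// SampleChart is a constructed excerpt in the shape of helm output; it is not
// the real gateway-helm manifest and its names are placeholders.
const SampleChart = `---
apiVersion: v1
kind: Namespace
metadata:
  name: example-gateway-system
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: example-safe-upgrades
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: example-safe-upgrades
`

func main() {
	objs, err := LoadObjects(SampleChart)
	if err != nil {
		panic(err)
	}
	for _, o := range objs {
		fmt.Printf("%-34s %s\n", o.Kind, o.Name)
	}
}
```

The fail-closed check is the part worth carrying into a real loader: when a chart bump adds a kind, the build should stop until someone adds it to the accepted set, which is exactly the review moment this PR's loader change and its updated expected-resource test represent.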
@sebhoss

sebhoss commented May 20, 2026

this is awesome - thanks a lot!

go.mod's go directive bumped to 1.26.3 after the envoyproxy/gateway v1.8.0
upgrade pulled deps that require a newer toolchain. The previous
GO_BUILD_VER (1.25.10-llvm18.1.8-k8s1.35.4) ships Go 1.25.10 and the
build amd64 job fails with:

  go: go.mod requires go >= 1.26.3 (running go 1.25.10; GOTOOLCHAIN=local)

Bumping to the matching Go 1.26.3 toolchain image. K8s minor preserved
at 1.35.4 (same as release-v1.42 base) so only the Go and LLVM bases
change.

Mirrors the static-checks portion of master commit 8d9201e (tigera#4613,
"Bump go to 1.26 and k8s to 1.35"). The newer GO_BUILD_VER ships an
updated staticcheck that flags WriteString(fmt.Sprintf(...)) as QF1012;
master cleared all 7 sites in the same go-toolchain bump but v1.42
missed the backport.

Affected:
- test/mainline_test.go:453-470 (6 sites in removeInstallation debug)
- pkg/tls/certificatemanagement/certificatebundle.go:195 (1 site)

Both strings.Builder and bytes.Buffer satisfy io.Writer, so the
substitution is a direct rewrite.
@electricjesus electricjesus marked this pull request as ready for review May 21, 2026 13:25
@electricjesus electricjesus requested a review from a team as a code owner May 21, 2026 13:25
