feat: bump envoy third-party components for EG v1.7.0 #12168
electricjesus merged 3 commits into projectcalico:master from
- envoy-gateway: v1.5.9 → v1.7.0
- envoy-proxy: v1.35.8 → v1.37.0 (envoybinary tag TBD, pending tigera/envoybinary build)
- envoy-ratelimit: c8765e89 → 3fb70258
- Drops all 3 CVE patches — v1.7.0 ships with equal or newer deps (containerd v1.7.30, docker/cli v29.2.0, otel/sdk v1.39.0 verified clean via govulncheck)
- Adds xmeshes.gateway.networking.x-k8s.io to operator RBAC (new experimental CRD in Gateway API v1.4.1)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Updates Calico’s bundled Envoy Gateway stack to align with Envoy Gateway v1.7.0 requirements (including newer Envoy Proxy), removes now-obsolete CVE patch carry, and expands operator RBAC for a newly introduced experimental Gateway API CRD.
Changes:
- Bump third_party versions: Envoy Gateway to v1.7.0 and Envoy Ratelimit commit to 3fb70258.
- Remove three Envoy Gateway dependency bump patches that are no longer needed with v1.7.0.
- Add xmeshes.gateway.networking.x-k8s.io to operator RBAC across manifests and Helm chart template.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| third_party/envoy-ratelimit/Makefile | Updates the pinned envoy-ratelimit commit SHA used for source builds. |
| third_party/envoy-proxy/Makefile | Updates the envoybinary image reference for Envoy Proxy builds (currently left as a placeholder). |
| third_party/envoy-gateway/Makefile | Bumps the Envoy Gateway version to v1.7.0 for source/image builds. |
| third_party/envoy-gateway/patches/0001-Bump-containerd-to-v1.7.29.patch | Removes an obsolete CVE-related dependency bump patch. |
| third_party/envoy-gateway/patches/0002-Bump-otel-sdk-to-v1.40.0.patch | Removes an obsolete CVE-related dependency bump patch. |
| third_party/envoy-gateway/patches/0003-Bump-docker-cli-to-v29.2.0.patch | Removes an obsolete CVE-related dependency bump patch. |
| manifests/tigera-operator.yaml | Extends operator RBAC to include xmeshes CRD updates. |
| manifests/tigera-operator-ocp-upgrade.yaml | Extends OCP upgrade RBAC to include xmeshes CRD updates. |
| manifests/ocp/02-role-tigera-operator.yaml | Extends OCP role RBAC to include xmeshes CRD updates. |
| charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml | Extends Helm-templated RBAC to include xmeshes CRD updates. |
| ENVOYBINARY_IMAGE ?= quay.io/tigera/envoybinary:v1.35.8-6ddb700081 | ||
| # TODO: Update with actual envoybinary v1.37.0 image tag once built. | ||
| # See https://gateway.envoyproxy.io/news/releases/matrix/ for version compatibility. | ||
| ENVOYBINARY_IMAGE ?= quay.io/tigera/envoybinary:v1.37.0-TODO |
| ENVOYBINARY_IMAGE ?= quay.io/tigera/envoybinary:v1.35.8-6ddb700081 | ||
| # TODO: Update with actual envoybinary v1.37.0 image tag once built. | ||
| # See https://gateway.envoyproxy.io/news/releases/matrix/ for version compatibility. | ||
| ENVOYBINARY_IMAGE ?= quay.io/tigera/envoybinary:v1.37.0-TODO |
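Review bot: The new default on the last line, `quay.io/tigera/envoybinary:v1.37.0-TODO`, is a placeholder tag for an image that the TODO comment above it says has not been built yet, so this should block the merge. The line it replaces pinned a complete tag with a suffix (`v1.35.8-6ddb700081`); the replacement should do the same once the envoybinary build exists, and the TODO comment should be dropped in the same change. Because the variable is assigned with `?=`, anyone who needs to build before then has to override `ENVOYBINARY_IMAGE` explicitly rather than rely on this default.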
Please replace this as soon as the image is available
electricjesus
left a comment
Sorry I selected the wrong review option - was supposed to block because of the TODO image!
v1.37.0 has a broken Bazel dependency checksum (colm repo rename). v1.37.1 includes the fix plus 5 security CVE patches. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
electricjesus
left a comment
I replaced the TODOs. Should be good to go.
* Bump go 1.25.9 k8s 1.35.3
* Merge pull request #12168 from pasanw/pasan/bump-envoy-gateway-1.7.0
* Merge pull request #12426 from MichalFupso/cve-update-3.31
* Bump envoy dependencies
* make generate
* Update rust version
---------
Co-authored-by: Seth Malaki <seth@projectcalico.org>
Co-authored-by: marvin-tigera <marvin-tigera@users.noreply.github.com>
Summary
- c8765e89 → 3fb70258
- xmeshes.gateway.networking.x-k8s.io to operator RBAC (new experimental CRD in Gateway API v1.4.1)
Context
Envoy Gateway v1.5 reached EOL on 2026/02/13. Per the compatibility matrix, v1.7.0 requires:
Blockers before merging
- quay.io/tigera/envoybinary:v1.37.1-0a0b20ed98
Test plan
- make -C third_party/envoy-gateway image)
- 3fb70258 (make -C third_party/envoy-ratelimit image)
Release note: