From 9f004997831531a334f3161b470afc661eb1a194 Mon Sep 17 00:00:00 2001 From: MergeCheck Date: Tue, 7 Jul 2026 10:52:57 -0300 Subject: [PATCH 1/2] chore(envoy-gateway): bump envoy gateway to 1.8.2 --- charts/envoy-gateway/Chart.yaml | 2 +- charts/envoy-gateway/README.md | 34 ++++++++----------- charts/envoy-gateway/docs/certificates.md | 2 +- charts/envoy-gateway/tests/certgen_test.yaml | 2 +- .../tests/envoyproxy_config_test.yaml | 4 +-- charts/envoy-gateway/values.schema.json | 4 +-- charts/envoy-gateway/values.yaml | 6 ++-- 7 files changed, 25 insertions(+), 29 deletions(-) diff --git a/charts/envoy-gateway/Chart.yaml b/charts/envoy-gateway/Chart.yaml index eb29794ae..6cfd72905 100644 --- a/charts/envoy-gateway/Chart.yaml +++ b/charts/envoy-gateway/Chart.yaml @@ -4,7 +4,7 @@ name: envoy-gateway description: Production-ready Envoy Gateway operator with Gateway API support, cert generation, and advanced traffic policies type: application version: 1.7.3 -appVersion: "v1.8.1" +appVersion: "v1.8.2" kubeVersion: ">=1.24.0-0" home: https://helmforge.dev/docs/charts/envoy-gateway sources: diff --git a/charts/envoy-gateway/README.md b/charts/envoy-gateway/README.md index 5667d0434..ffd0be84a 100644 --- a/charts/envoy-gateway/README.md +++ b/charts/envoy-gateway/README.md @@ -1,7 +1,7 @@ # Envoy Gateway A Helm chart for deploying [Envoy Gateway](https://gateway.envoyproxy.io/) -v1.8.1 on Kubernetes. Envoy Gateway is a **Kubernetes operator** — it manages +v1.8.2 on Kubernetes. Envoy Gateway is a **Kubernetes operator** — it manages Envoy proxy pods automatically in response to Gateway API resources. ## Installation @@ -27,7 +27,7 @@ The Envoy Gateway operator CRDs (`gateway.envoyproxy.io/*`: `EnvoyProxy`, chart's `crds/` directory, so Helm installs them automatically on first install when they are absent (and skips them if already present). Only the upstream **Gateway API** CRDs (`gateway.networking.k8s.io/*`) are a separate cluster -prerequisite, installed once below. Envoy Gateway v1.8.1 requires the Gateway API +prerequisite, installed once below. Envoy Gateway v1.8.2 requires the Gateway API **experimental** channel (v1.5.1) — it watches `ListenerSet`, which only ships in the experimental channel; the standard channel is not sufficient. These CRDs are cluster-scoped and shared, so they are NOT bundled in the chart (Helm's release @@ -173,7 +173,7 @@ highAvailability: |-----|---------|-------------| | `controller.replicaCount` | `1` | Number of controller replicas (overridden by profile) | | `controller.image.repository` | `docker.io/envoyproxy/gateway` | Controller image repository | -| `controller.image.tag` | `v1.8.1` | Controller image tag | +| `controller.image.tag` | `v1.8.2` | Controller image tag | | `controller.image.pullPolicy` | `IfNotPresent` | Image pull policy | | `controller.resources.requests.cpu` | `100m` | CPU request (overridden by profile) | | `controller.resources.requests.memory` | `128Mi` | Memory request (overridden by profile) | @@ -191,7 +191,7 @@ highAvailability: |-----|---------|-------------| | `certgen.enabled` | `true` | Run certgen pre-install/pre-upgrade job for controller TLS certs | | `certgen.image.repository` | `docker.io/envoyproxy/gateway` | Certgen image (same as controller) | -| `certgen.image.tag` | `v1.8.1` | Certgen image tag | +| `certgen.image.tag` | `v1.8.2` | Certgen image tag | | `certgen.resources.requests.cpu` | `10m` | CPU request | | `certgen.resources.requests.memory` | `64Mi` | Memory request | | `certgen.resources.limits.cpu` | `100m` | CPU limit | @@ -210,7 +210,7 @@ highAvailability: | `proxy.image.tag` | `distroless-v1.38.0` | Proxy image tag | | `proxy.image.pullPolicy` | `IfNotPresent` | Image pull policy | | `proxy.shutdownManager.image.repository` | `docker.io/envoyproxy/gateway` | Shutdown manager sidecar image repository | -| `proxy.shutdownManager.image.tag` | `v1.8.1` | Shutdown manager sidecar image tag | +| `proxy.shutdownManager.image.tag` | `v1.8.2` | Shutdown manager sidecar image tag | | `proxy.shutdownManager.image.pullPolicy` | `IfNotPresent` | Shutdown manager image pull policy | | `proxy.resources.requests.cpu` | `100m` | CPU request (overridden by profile) | | `proxy.resources.requests.memory` | `128Mi` | Memory request (overridden by profile) | @@ -445,25 +445,21 @@ Major architectural redesign to align with the EG operator model. ## Upgrade Notes -`docker.io/envoyproxy/gateway:v1.8.1` is the upstream patch update from -`v1.8.0`. The automatically generated issue referenced `1.8.1`, but Docker Hub +`docker.io/envoyproxy/gateway:v1.8.2` is the upstream patch update from +`v1.8.1`. The automatically generated issue referenced `1.8.2`, but Docker Hub publishes the canonical Envoy Gateway image tag with the `v` prefix. This chart also updates the managed Envoy proxy image to `docker.io/envoyproxy/envoy:distroless-v1.38.0`, matching the upstream v1.8 compatibility matrix. -Envoy Gateway v1.8.1 includes security fixes for GatewayNamespaceMode xDS -authentication, Lua validator sandbox path normalization, Wasm HTTP fetch gzip -decompression limits, ReferenceGrant bypass handling, and related controller -runtime issues. The chart now also pins the EG-managed `shutdown-manager` -sidecar to `docker.io/envoyproxy/gateway:v1.8.1` through the EnvoyProxy strategic -merge patch, avoiding the upstream-generated `gateway-dev:latest` runtime image. -It also moves Gateway API safe-upgrades ValidatingAdmissionPolicy resources from -the CRD bundle into the gateway Helm templates upstream. Before upgrading -production controllers, review ownership of existing -`safe-upgrades.gateway.networking.k8s.io` ValidatingAdmissionPolicy resources, -verify Gateway API and Envoy Gateway CRDs in staging, and test existing Gateway, -HTTPRoute, EnvoyProxy, and policy resources. +Envoy Gateway v1.8.2 includes upstream bug fixes for Gateway API conditions, +Backend TLS ALPN handling, ExternalName backends, Kubernetes 1.36 rate limit +validation, EnvoyGateway config hot reload, and route timeout handling. It also +tightens admission validation for `SecurityPolicy.spec.apiKeyAuth.extractFrom`: +each entry must specify exactly one of `headers`, `params`, or `cookies`, and +source names must be non-empty. Before upgrading production controllers, verify +Gateway API and Envoy Gateway CRDs in staging, and test existing Gateway, +HTTPRoute, EnvoyProxy, `BackendTrafficPolicy`, and `SecurityPolicy` resources. ### Version 1.0.0 diff --git a/charts/envoy-gateway/docs/certificates.md b/charts/envoy-gateway/docs/certificates.md index 5ef274481..9e2a0fe4f 100644 --- a/charts/envoy-gateway/docs/certificates.md +++ b/charts/envoy-gateway/docs/certificates.md @@ -34,7 +34,7 @@ certgen: enabled: true # Enable the certgen job (required for EG to function) image: repository: docker.io/envoyproxy/gateway - tag: v1.8.1 + tag: v1.8.2 resources: requests: cpu: 10m diff --git a/charts/envoy-gateway/tests/certgen_test.yaml b/charts/envoy-gateway/tests/certgen_test.yaml index b727e15c3..30bffd039 100644 --- a/charts/envoy-gateway/tests/certgen_test.yaml +++ b/charts/envoy-gateway/tests/certgen_test.yaml @@ -79,7 +79,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].image - pattern: "envoyproxy/gateway:v1.8.1" + pattern: "envoyproxy/gateway:v1.8.2" documentIndex: 3 - it: should grant ClusterRole secrets permission diff --git a/charts/envoy-gateway/tests/envoyproxy_config_test.yaml b/charts/envoy-gateway/tests/envoyproxy_config_test.yaml index c912e0eeb..3f7fa11aa 100644 --- a/charts/envoy-gateway/tests/envoyproxy_config_test.yaml +++ b/charts/envoy-gateway/tests/envoyproxy_config_test.yaml @@ -40,7 +40,7 @@ tests: value: shutdown-manager - equal: path: spec.provider.kubernetes.envoyDeployment.patch.value.spec.template.spec.containers[0].image - value: docker.io/envoyproxy/gateway:v1.8.1 + value: docker.io/envoyproxy/gateway:v1.8.2 - it: should configure DaemonSet mode when kind is DaemonSet set: @@ -53,7 +53,7 @@ tests: path: spec.provider.kubernetes.envoyDeployment - equal: path: spec.provider.kubernetes.envoyDaemonSet.patch.value.spec.template.spec.containers[0].image - value: docker.io/envoyproxy/gateway:v1.8.1 + value: docker.io/envoyproxy/gateway:v1.8.2 - it: should set proxy service type set: diff --git a/charts/envoy-gateway/values.schema.json b/charts/envoy-gateway/values.schema.json index 948e14d6e..b3eb93a45 100644 --- a/charts/envoy-gateway/values.schema.json +++ b/charts/envoy-gateway/values.schema.json @@ -88,7 +88,7 @@ "tag": { "type": "string", "description": "Controller image tag", - "default": "v1.8.1" + "default": "v1.8.2" }, "pullPolicy": { "type": "string", @@ -239,7 +239,7 @@ "tag": { "type": "string", "description": "Shutdown manager sidecar image tag", - "default": "v1.8.1" + "default": "v1.8.2" }, "pullPolicy": { "type": "string", diff --git a/charts/envoy-gateway/values.yaml b/charts/envoy-gateway/values.yaml index 88d6ca777..4ad131f3f 100644 --- a/charts/envoy-gateway/values.yaml +++ b/charts/envoy-gateway/values.yaml @@ -28,7 +28,7 @@ controller: # -- Controller image pull policy pullPolicy: IfNotPresent # -- Controller image tag (defaults to chart appVersion) - tag: "v1.8.1" + tag: "v1.8.2" # -- Resources for controller (overridden by profile) resources: @@ -70,7 +70,7 @@ certgen: # -- Certgen image pull policy pullPolicy: IfNotPresent # -- Certgen image tag (defaults to chart appVersion) - tag: "v1.8.1" + tag: "v1.8.2" ## Proxy configuration via EnvoyProxy CRD (EG manages the actual proxy pods) proxy: @@ -94,7 +94,7 @@ proxy: # -- Shutdown manager sidecar image repository repository: docker.io/envoyproxy/gateway # -- Shutdown manager sidecar image tag - tag: "v1.8.1" + tag: "v1.8.2" # -- Shutdown manager image pull policy pullPolicy: IfNotPresent From b757429e4848f32b61da62f937e24cc895ec8d76 Mon Sep 17 00:00:00 2001 From: MergeCheck Date: Tue, 7 Jul 2026 11:02:55 -0300 Subject: [PATCH 2/2] docs(envoy-gateway): clarify proxy image note --- charts/envoy-gateway/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/envoy-gateway/README.md b/charts/envoy-gateway/README.md index ffd0be84a..375316311 100644 --- a/charts/envoy-gateway/README.md +++ b/charts/envoy-gateway/README.md @@ -448,9 +448,9 @@ Major architectural redesign to align with the EG operator model. `docker.io/envoyproxy/gateway:v1.8.2` is the upstream patch update from `v1.8.1`. The automatically generated issue referenced `1.8.2`, but Docker Hub publishes the canonical Envoy Gateway image tag with the `v` prefix. This chart -also updates the managed Envoy proxy image to -`docker.io/envoyproxy/envoy:distroless-v1.38.0`, matching the upstream v1.8 -compatibility matrix. +keeps the managed Envoy proxy image pinned to +`docker.io/envoyproxy/envoy:distroless-v1.38.0`, which remains aligned with the +upstream v1.8 compatibility matrix. Envoy Gateway v1.8.2 includes upstream bug fixes for Gateway API conditions, Backend TLS ALPN handling, ExternalName backends, Kubernetes 1.36 rate limit