From 329a6b49af412b55699cf2c266bb2ab21f4adda3 Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Wed, 13 May 2026 13:46:06 -0700 Subject: [PATCH] Move envoy management to calico
---
 Makefile | 63 +++++++++++++++++---------------------
 docs/common_tasks.md | 60 +++++++++++++++++++++--------------------
 2 files changed, 55 insertions(+), 68 deletions(-)
diff --git a/Makefile b/Makefile
index a4c900358e..d1534bd132 100644
--- a/Makefile
+++ b/Makefile
@@ -19,14 +19,6 @@ KUSTOMIZE_DOWNLOAD_URL = https://github.com/kubernetes-sigs/kustomize/releases/d
 OPERATOR_SDK_VERSION = v1.42.2
 OPERATOR_SDK_URL = https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(NATIVE_OS)_$(NATIVE_ARCH)
-# Our version of helm3 - Note that we use BUILD_ARCH here instead of NATIVE_ARCH because
-# that's what we used before and we don't want to break things if that's necessary.
-HELM3_VERSION = v3.20.2
-HELM3_URL = https://get.helm.sh/helm-$(HELM3_VERSION)-$(NATIVE_OS)-$(BUILDARCH).tar.gz
-HELM_BUILDARCH_BINARY = $(HACK_BIN)/helm-$(BUILDARCH)
-HELM_BUILDARCH_VERSIONED_BINARY = $(HELM_BUILDARCH_BINARY)-$(HELM3_VERSION)
-
-
 # The directory into which we download binaries we need to run certain
 # processes, e.g. generating bundles
 HACK_BIN ?= hack/bin
@@ -244,37 +236,11 @@ $(ISTIO_RESOURCES_DIR)/%.tgz:
 @echo "Downloading Istio chart $* version $(ISTIO_VERSION)..."
 @curl -fsSL -o $@ $(ISTIO_HELM_REPO)/$*-$(ISTIO_VERSION).tgz
-# To update the Envoy Gateway version, see "Updating the bundled version of
-# Envoy Gateway" in docs/common_tasks.md.
-ENVOY_GATEWAY_HELM_CHART ?= oci://docker.io/envoyproxy/gateway-helm
-ENVOY_GATEWAY_VERSION ?= v1.7.2
-ENVOY_GATEWAY_PREFIX ?= tigera-gateway-api
-ENVOY_GATEWAY_NAMESPACE ?= tigera-gateway
+# Helm-rendered Envoy Gateway bundle. The file is committed in this repo
+# and refreshed by `make gen-versions` (target: update-envoy-gateway-resources),
+# which copies it from projectcalico/calico.
 ENVOY_GATEWAY_RESOURCES = pkg/render/gatewayapi/gateway_api_resources.yaml
-$(ENVOY_GATEWAY_RESOURCES): $(HACK_BIN)/helm-$(BUILDARCH)
- echo "---" > $@
- echo "apiVersion: v1" >> $@
- echo "kind: Namespace" >> $@
- echo "metadata:" >> $@
- echo " name: $(ENVOY_GATEWAY_NAMESPACE)" >> $@
- $(HELM_BUILDARCH_BINARY) template $(ENVOY_GATEWAY_PREFIX) $(ENVOY_GATEWAY_HELM_CHART) \
- --version $(ENVOY_GATEWAY_VERSION) \
- -n $(ENVOY_GATEWAY_NAMESPACE) \
- --include-crds \
- >> $@
-
-$(HELM_BUILDARCH_BINARY): $(HELM_BUILDARCH_VERSIONED_BINARY)
- $(info ░▒▓ symlink $(HELM_BUILDARCH_VERSIONED_BINARY) -> $(HELM_BUILDARCH_BINARY))
- @ln -sf helm-$(BUILDARCH)-$(HELM3_VERSION) $(HACK_BIN)/helm-$(BUILDARCH)
-
-$(HELM_BUILDARCH_VERSIONED_BINARY): | $(HACK_BIN)
- $(info ░▒▓ Downloading helm3 $(HELM3_VERSION) for $(BUILDARCH) to $(HELM_BUILDARCH_VERSIONED_BINARY))
- @rm -f $(HELM_BUILDARCH_VERSIONED_BINARY)
- @curl -fsSL --retry 5 $(HELM3_URL) | tar --extract --gzip -C $(HACK_BIN) --strip-components=1 $(NATIVE_OS)-$(BUILDARCH)/helm -O > $(HELM_BUILDARCH_VERSIONED_BINARY)
- @chmod a+x $(HELM_BUILDARCH_VERSIONED_BINARY)
-
-
 build: $(BINDIR)/operator-$(ARCH)
 $(BINDIR)/operator-$(ARCH): $(SRC_FILES) $(ENVOY_GATEWAY_RESOURCES) $(ISTIO_CHART_FILES)
 mkdir -p $(BINDIR)
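Review bot: With the render rule removed, nothing in this Makefile says how `$(ENVOY_GATEWAY_RESOURCES)` comes to exist, yet `$(BINDIR)/operator-$(ARCH)` still lists it as a prerequisite; for a committed file that is fine, but a checkout where it is absent now fails with "No rule to make target" instead of regenerating it, and the new comment block should say so, e.g. `# No rule builds this file; if it is missing, run 'make update-envoy-gateway-resources' first.` The deleted recipe also prepended a `Namespace` object for `$(ENVOY_GATEWAY_NAMESPACE)` ahead of the helm output, and whether the calico-rendered file carries an equivalent namespace, or the renderer in pkg/render/gatewayapi creates it, is not visible in this hunk and is worth confirming before merge. The `build:` and `$(BINDIR)/operator-$(ARCH)` rules that follow continue outside the hunk.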
@@ -621,7 +587,7 @@ EE_VERSIONS?=config/enterprise_versions.yml
 gen-versions: gen-versions-calico gen-versions-enterprise
-gen-versions-calico: $(BINDIR)/gen-versions update-calico-crds
+gen-versions-calico: $(BINDIR)/gen-versions update-calico-crds update-envoy-gateway-resources
 $(BINDIR)/gen-versions -os-versions=$(OS_VERSIONS) > pkg/components/calico.go
 gen-versions-enterprise: $(BINDIR)/gen-versions update-enterprise-crds
@@ -683,7 +649,7 @@ define copy_admission_policies
 endef
 .PHONY: read-libcalico-version read-libcalico-enterprise-version
-.PHONY: update-calico-crds update-enterprise-crds
+.PHONY: update-calico-crds update-enterprise-crds update-envoy-gateway-resources
 .PHONY: fetch-calico-crds fetch-enterprise-crds
 .PHONY: prepare-for-calico-crds prepare-for-enterprise-crds
@@ -702,6 +668,25 @@ update-calico-crds: fetch-calico-crds
 $(call copy_k8s_policy_crds,"calico")
 $(call copy_admission_policies, $(CALICO_CRDS_DIR),"calico")
+# pkg/render/gatewayapi/gateway_api_resources.yaml is the helm-rendered Envoy
+# Gateway bundle, produced and version-pinned by projectcalico/calico's
+# third_party/envoy-gateway/Makefile (gen-gateway-api-resources). It rides along
+# in the calico clone that fetch-calico-crds prepares. We also bump
+# go.mod's github.com/envoyproxy/gateway in lockstep with calico's pin so the
+# Go decoder version always matches the rendered YAML.
+update-envoy-gateway-resources: fetch-calico-crds
+ @cp $(CALICO_CRDS_DIR)/third_party/envoy-gateway/gateway_api_resources.yaml $(ENVOY_GATEWAY_RESOURCES)
+ @echo "Copied envoy-gateway resources"
+ @new=$$(grep -E '^ENVOY_GATEWAY_VERSION=' $(CALICO_CRDS_DIR)/third_party/envoy-gateway/Makefile | cut -d= -f2 | tr -d ' '); \
+ cur=$$(awk '/^[[:space:]]*github\.com\/envoyproxy\/gateway[[:space:]]+v/ {print $$2}' go.mod); \
+ if [ -z "$$new" ]; then echo "Failed to parse ENVOY_GATEWAY_VERSION from calico Makefile" >&2; exit 1; fi; \
+ if [ "$$new" != "$$cur" ]; then \
+ echo "Bumping envoyproxy/gateway in go.mod: $$cur -> $$new"; \
+ $(CONTAINERIZED) $(CALICO_BUILD) sh -c '$(GIT_CONFIG_SSH) go mod edit -require=github.com/envoyproxy/gateway@'"$$new"' && go mod tidy'; \
+ else \
+ echo "envoyproxy/gateway already pinned at $$new in go.mod"; \
+ fi
+
 prepare-for-calico-crds:
 $(call prep_local_crds,"calico")
diff --git a/docs/common_tasks.md b/docs/common_tasks.md
index 2d3080c36b..02bd60b19a 100644
--- a/docs/common_tasks.md
+++ b/docs/common_tasks.md
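Review bot: In `update-envoy-gateway-resources`, `$$new` is lifted verbatim from the calico clone's Makefile and spliced into the `sh -c '...'` string that `$(CONTAINERIZED) $(CALICO_BUILD)` executes, and the only check on it is `-z`; a malformed value — a trailing `# comment` survives `tr -d ' '`, and any shell metacharacters are interpreted by the inner `sh -c` — would either pin a garbage version or run as shell inside the build container. A shape check right after the `-z` test closes both cases: `echo "$$new" | grep -Eq '^v[0-9]+(\.[0-9]+){2}$$' || { echo "Unexpected ENVOY_GATEWAY_VERSION '$$new'" >&2; exit 1; }; \` (widen the pattern if calico ever pins a pre-release). Separately, the `@cp` runs before any of the parsing, so a parse failure exits 1 with the YAML already refreshed but go.mod untouched — moving the copy below the checks, or at least dropping the `@` so the copy is visible in the log, keeps the two artefacts in step. The leading context is the tail of `update-calico-crds`, whose header is outside the hunk.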
@@ -176,44 +176,46 @@ spec: ### Updating the bundled version of Envoy Gateway -1. In `go.mod`, update the version for `github.com/envoyproxy/gateway`. +The Envoy Gateway version pin, the rendered manifest bundle, and the source-built +image all live in `projectcalico/calico`. The operator pulls the rendered +`gateway_api_resources.yaml` out of a calico clone during `make gen-versions`. +A version bump therefore lands in two PRs — calico first, operator second. -1. Run `make mod-tidy`. If this indicates needing other changes, e.g. bumping the go-build version, do that. (For example, for a possible move to Envoy Gateway v1.3.2 - not yet committed - I needed to update `GO_BUILD_VER` from `v0.95` to `1.23.6-llvm18.1.8-k8s1.31.5`, because Envoy Gateway v1.3.2 requires golang v1.23.6.) +**In `projectcalico/calico`:** -1. In `Makefile`, update `ENVOY_GATEWAY_VERSION`. +1. Bump `ENVOY_GATEWAY_VERSION` in `third_party/envoy-gateway/Makefile`. (Renovate + normally does this automatically — see `renovate.json` — and runs the next + step for you.) -1. Delete `pkg/render/gatewayapi/gateway_api_resources.yaml`. +1. Run `make -C third_party/envoy-gateway gen-gateway-api-resources` to + regenerate `third_party/envoy-gateway/gateway_api_resources.yaml`. Review the + diff for any incompatible changes, new CRDs, or new resource kinds. -1. Run `make build`. This will generate a new version of `pkg/render/gateway_api_resources.yaml` and then build the operator image. +1. Update `third_party/envoy-proxy/Makefile` and + `third_party/envoy-ratelimit/Makefile` to the matching `proxy` and + `ratelimit` versions. Versions are listed in the Envoy Gateway release notes + ([for example](https://github.com/envoyproxy/gateway/releases/tag/v1.3.2)) + and the [compatibility matrix](https://gateway.envoyproxy.io/news/releases/matrix/). -1. Review diffs between the old and new versions of `pkg/render/gateway_api_resources.yaml` (e.g. using `git diff`) to identify: +1. 
For each of `third_party/envoy-{gateway,proxy,ratelimit}`: review whether + existing patches still apply cleanly and remain required; update or drop + them as needed. - - any incompatible changes that would need changes in our Gateway-related operator coding or image building +1. Commit and post as a `projectcalico/calico` PR. - - any entirely new CRDs or resources, that would need changes in `pkg/render/gateway_api.go`. +**In `tigera/operator` (after the calico PR merges):** -1. Address build issues if there are any. +1. In `go.mod`, update `github.com/envoyproxy/gateway` to match. Run + `make mod-tidy`. If this indicates other changes (e.g. a `GO_BUILD_VER` bump), + address them. -1. Run `make ut`, and address issues if there are any. +1. Run `make gen-versions`. This refreshes + `pkg/render/gatewayapi/gateway_api_resources.yaml` from the calico clone (via + `update-envoy-gateway-resources`). -1. Commit everything and post as a `tigera/operator` PR. +1. If the YAML diff introduced new CRDs or resource kinds, update + `pkg/render/gatewayapi/gateway_api.go` to parse them. -1. Identify the corresponding new versions of the `gateway`, `proxy` and `ratelimit` images. +1. Run `make ut`, address issues. - - The `gateway` version can be found by looking for "envoyproxy/gateway" in `pkg/render/gateway_api_resources.yaml`, and probably also in the Envoy Gateway release notes ([for example](https://github.com/envoyproxy/gateway/releases/tag/v1.3.2)). It should be the same as the nominal Envoy Gateway version that you're updating to. - - - The `proxy` version can be found in the Envoy Gateway release notes, or by referring to [this compatibility matrix](https://gateway.envoyproxy.io/news/releases/matrix/). - - - The `ratelimit` version can be found by looking for "envoyproxy/ratelimit" in `pkg/render/gateway_api_resources.yaml`, and probably also in the Envoy Gateway release notes. - -1. 
Switching to the `projectcalico/calico` repo, update the code under `third_party/envoy-{gateway,proxy,ratelimit}` to build those new image versions. In each case: - - - Update the relevant version (e.g. `ENVOY_GATEWAY_VERSION`) in `Makefile`. - - - Review if any existing patches are still required, and remove them if not. - - - Review if any existing patches still apply cleanly, and update them if not. - -1. Commit everything and post as a `projectcalico/calico` PR. - -1. Review, address issues, merge, monitor hashrelease builds, address any further issues, etc. +1. Commit and post as a `tigera/operator` PR.