Move envoy management to calico

Makefile

@@ -19,14 +19,6 @@ KUSTOMIZE_DOWNLOAD_URL = https://github.com/kubernetes-sigs/kustomize/releases/d
 OPERATOR_SDK_VERSION = v1.42.2
 OPERATOR_SDK_URL = https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(NATIVE_OS)_$(NATIVE_ARCH)
 
-# Our version of helm3 - Note that we use BUILD_ARCH here instead of NATIVE_ARCH because
-# that's what we used before and we don't want to break things if that's necessary.
-HELM3_VERSION = v3.20.2
-HELM3_URL = https://get.helm.sh/helm-$(HELM3_VERSION)-$(NATIVE_OS)-$(BUILDARCH).tar.gz
-HELM_BUILDARCH_BINARY = $(HACK_BIN)/helm-$(BUILDARCH)
-HELM_BUILDARCH_VERSIONED_BINARY = $(HELM_BUILDARCH_BINARY)-$(HELM3_VERSION)
-
-
 # The directory into which we download binaries we need to run certain
 # processes, e.g. generating bundles
 HACK_BIN ?= hack/bin
@@ -244,37 +236,11 @@ $(ISTIO_RESOURCES_DIR)/%.tgz:
 	@echo "Downloading Istio chart $* version $(ISTIO_VERSION)..."
 	@curl -fsSL -o $@ $(ISTIO_HELM_REPO)/$*-$(ISTIO_VERSION).tgz
 
-# To update the Envoy Gateway version, see "Updating the bundled version of
-# Envoy Gateway" in docs/common_tasks.md.
-ENVOY_GATEWAY_HELM_CHART ?= oci://docker.io/envoyproxy/gateway-helm
-ENVOY_GATEWAY_VERSION ?= v1.7.2
-ENVOY_GATEWAY_PREFIX ?= tigera-gateway-api
-ENVOY_GATEWAY_NAMESPACE ?= tigera-gateway
+# Helm-rendered Envoy Gateway bundle. The file is committed in this repo
+# and refreshed by `make gen-versions` (target: update-envoy-gateway-resources),
+# which copies it from projectcalico/calico.
 ENVOY_GATEWAY_RESOURCES = pkg/render/gatewayapi/gateway_api_resources.yaml
 
-$(ENVOY_GATEWAY_RESOURCES): $(HACK_BIN)/helm-$(BUILDARCH)
-	echo "---" > $@
-	echo "apiVersion: v1" >> $@
-	echo "kind: Namespace" >> $@
-	echo "metadata:" >> $@
-	echo "  name: $(ENVOY_GATEWAY_NAMESPACE)" >> $@
-	$(HELM_BUILDARCH_BINARY) template $(ENVOY_GATEWAY_PREFIX) $(ENVOY_GATEWAY_HELM_CHART) \
-		--version $(ENVOY_GATEWAY_VERSION) \
-		-n $(ENVOY_GATEWAY_NAMESPACE) \
-		--include-crds \
-	>> $@
-
-$(HELM_BUILDARCH_BINARY): $(HELM_BUILDARCH_VERSIONED_BINARY)
-	$(info ░▒▓ symlink $(HELM_BUILDARCH_VERSIONED_BINARY) -> $(HELM_BUILDARCH_BINARY))
-	@ln -sf helm-$(BUILDARCH)-$(HELM3_VERSION) $(HACK_BIN)/helm-$(BUILDARCH)
-
-$(HELM_BUILDARCH_VERSIONED_BINARY): | $(HACK_BIN)
-	$(info ░▒▓ Downloading helm3 $(HELM3_VERSION) for $(BUILDARCH) to $(HELM_BUILDARCH_VERSIONED_BINARY))
-	@rm -f $(HELM_BUILDARCH_VERSIONED_BINARY)
-	@curl -fsSL --retry 5 $(HELM3_URL) | tar --extract --gzip -C $(HACK_BIN) --strip-components=1 $(NATIVE_OS)-$(BUILDARCH)/helm -O > $(HELM_BUILDARCH_VERSIONED_BINARY)
-	@chmod a+x $(HELM_BUILDARCH_VERSIONED_BINARY)
-
-
 build: $(BINDIR)/operator-$(ARCH)
 $(BINDIR)/operator-$(ARCH): $(SRC_FILES) $(ENVOY_GATEWAY_RESOURCES) $(ISTIO_CHART_FILES)
 	mkdir -p $(BINDIR)
@@ -621,7 +587,7 @@ EE_VERSIONS?=config/enterprise_versions.yml
 
 gen-versions: gen-versions-calico gen-versions-enterprise
 
-gen-versions-calico: $(BINDIR)/gen-versions update-calico-crds
+gen-versions-calico: $(BINDIR)/gen-versions update-calico-crds update-envoy-gateway-resources
 	$(BINDIR)/gen-versions -os-versions=$(OS_VERSIONS) > pkg/components/calico.go
 
 gen-versions-enterprise: $(BINDIR)/gen-versions update-enterprise-crds
@@ -683,7 +649,7 @@ define copy_admission_policies
 endef
 
 .PHONY: read-libcalico-version read-libcalico-enterprise-version
-.PHONY: update-calico-crds update-enterprise-crds
+.PHONY: update-calico-crds update-enterprise-crds update-envoy-gateway-resources
 .PHONY: fetch-calico-crds fetch-enterprise-crds
 .PHONY: prepare-for-calico-crds prepare-for-enterprise-crds
 
@@ -702,6 +668,25 @@ update-calico-crds: fetch-calico-crds
 	$(call copy_k8s_policy_crds,"calico")
 	$(call copy_admission_policies, $(CALICO_CRDS_DIR),"calico")
 
+# pkg/render/gatewayapi/gateway_api_resources.yaml is the helm-rendered Envoy
+# Gateway bundle, produced and version-pinned by projectcalico/calico's
+# third_party/envoy-gateway/Makefile (gen-gateway-api-resources). It rides along
+# in the calico clone that fetch-calico-crds prepares. We also bump
+# go.mod's github.com/envoyproxy/gateway in lockstep with calico's pin so the
+# Go decoder version always matches the rendered YAML.
+update-envoy-gateway-resources: fetch-calico-crds
+	@cp $(CALICO_CRDS_DIR)/third_party/envoy-gateway/gateway_api_resources.yaml $(ENVOY_GATEWAY_RESOURCES)
+	@echo "Copied envoy-gateway resources"
+	@new=$$(grep -E '^ENVOY_GATEWAY_VERSION=' $(CALICO_CRDS_DIR)/third_party/envoy-gateway/Makefile | cut -d= -f2 | tr -d ' '); \
+	cur=$$(awk '/^[[:space:]]*github\.com\/envoyproxy\/gateway[[:space:]]+v/ {print $$2}' go.mod); \
+	if [ -z "$$new" ]; then echo "Failed to parse ENVOY_GATEWAY_VERSION from calico Makefile" >&2; exit 1; fi; \
+	if [ "$$new" != "$$cur" ]; then \
+		echo "Bumping envoyproxy/gateway in go.mod: $$cur -> $$new"; \
+		$(CONTAINERIZED) $(CALICO_BUILD) sh -c '$(GIT_CONFIG_SSH) go mod edit -require=github.com/envoyproxy/gateway@'"$$new"' && go mod tidy'; \
+	else \
+		echo "envoyproxy/gateway already pinned at $$new in go.mod"; \
+	fi
+
 prepare-for-calico-crds:
 	$(call prep_local_crds,"calico")
 

docs/common_tasks.md

@@ -176,44 +176,46 @@ spec:
 
 ### Updating the bundled version of Envoy Gateway
 
-1. In `go.mod`, update the version for `github.com/envoyproxy/gateway`.
+The Envoy Gateway version pin, the rendered manifest bundle, and the source-built
+image all live in `projectcalico/calico`. The operator pulls the rendered
+`gateway_api_resources.yaml` out of a calico clone during `make gen-versions`.
+A version bump therefore lands in two PRs — calico first, operator second.
 
-1. Run `make mod-tidy`.  If this indicates needing other changes, e.g. bumping the go-build version, do that.  (For example, for a possible move to Envoy Gateway v1.3.2 - not yet committed - I needed to update `GO_BUILD_VER` from `v0.95` to `1.23.6-llvm18.1.8-k8s1.31.5`, because Envoy Gateway v1.3.2 requires golang v1.23.6.)
+**In `projectcalico/calico`:**
 
-1. In `Makefile`, update `ENVOY_GATEWAY_VERSION`.
+1. Bump `ENVOY_GATEWAY_VERSION` in `third_party/envoy-gateway/Makefile`. (Renovate
+   normally does this automatically — see `renovate.json` — and runs the next
+   step for you.)
 
-1. Delete `pkg/render/gatewayapi/gateway_api_resources.yaml`.
+1. Run `make -C third_party/envoy-gateway gen-gateway-api-resources` to
+   regenerate `third_party/envoy-gateway/gateway_api_resources.yaml`. Review the
+   diff for any incompatible changes, new CRDs, or new resource kinds.
 
-1. Run `make build`.  This will generate a new version of `pkg/render/gateway_api_resources.yaml` and then build the operator image.
+1. Update `third_party/envoy-proxy/Makefile` and
+   `third_party/envoy-ratelimit/Makefile` to the matching `proxy` and
+   `ratelimit` versions. Versions are listed in the Envoy Gateway release notes
+   ([for example](https://github.com/envoyproxy/gateway/releases/tag/v1.3.2))
+   and the [compatibility matrix](https://gateway.envoyproxy.io/news/releases/matrix/).
 
-1. Review diffs between the old and new versions of `pkg/render/gateway_api_resources.yaml` (e.g. using `git diff`) to identify:
+1. For each of `third_party/envoy-{gateway,proxy,ratelimit}`: review whether
+   existing patches still apply cleanly and remain required; update or drop
+   them as needed.
 
-   - any incompatible changes that would need changes in our Gateway-related operator coding or image building
+1. Commit and post as a `projectcalico/calico` PR.
 
-   - any entirely new CRDs or resources, that would need changes in `pkg/render/gateway_api.go`.
+**In `tigera/operator` (after the calico PR merges):**
 
-1. Address build issues if there are any.
+1. In `go.mod`, update `github.com/envoyproxy/gateway` to match. Run
+   `make mod-tidy`. If this indicates other changes (e.g. a `GO_BUILD_VER` bump),
+   address them.
 
-1. Run `make ut`, and address issues if there are any.
+1. Run `make gen-versions`. This refreshes
+   `pkg/render/gatewayapi/gateway_api_resources.yaml` from the calico clone (via
+   `update-envoy-gateway-resources`).
 
-1. Commit everything and post as a `tigera/operator` PR.
+1. If the YAML diff introduced new CRDs or resource kinds, update
+   `pkg/render/gatewayapi/gateway_api.go` to parse them.
 
-1. Identify the corresponding new versions of the `gateway`, `proxy` and `ratelimit` images.
+1. Run `make ut`, address issues.
 
-   - The `gateway` version can be found by looking for "envoyproxy/gateway" in `pkg/render/gateway_api_resources.yaml`, and probably also in the Envoy Gateway release notes ([for example](https://github.com/envoyproxy/gateway/releases/tag/v1.3.2)).  It should be the same as the nominal Envoy Gateway version that you're updating to.
-
-   - The `proxy` version can be found in the Envoy Gateway release notes, or by referring to [this compatibility matrix](https://gateway.envoyproxy.io/news/releases/matrix/).
-
-   - The `ratelimit` version can be found by looking for "envoyproxy/ratelimit" in `pkg/render/gateway_api_resources.yaml`, and probably also in the Envoy Gateway release notes.
-
-1. Switching to the `projectcalico/calico` repo, update the code under `third_party/envoy-{gateway,proxy,ratelimit}` to build those new image versions.  In each case:
-
-   - Update the relevant version (e.g. `ENVOY_GATEWAY_VERSION`) in `Makefile`.
-
-   - Review if any existing patches are still required, and remove them if not.
-
-   - Review if any existing patches still apply cleanly, and update them if not.
-
-1. Commit everything and post as a `projectcalico/calico` PR.
-
-1. Review, address issues, merge, monitor hashrelease builds, address any further issues, etc.
+1. Commit and post as a `tigera/operator` PR.