chore: update Envoy Gateway to v1.5.0

[electricjesus]

Summary

Update Envoy Gateway from the previous version to v1.5.0 following the provided upgrade instructions.

Changes Made

• Dependencies: Updated go.mod to use Envoy Gateway v1.5.0
• Configuration: Updated Makefile to use envoy-gateway/gateway-helm chart reference
• Resources: Regenerated pkg/render/gateway_api_resources.yaml with updated resources
• Tests: Fixed CRD count expectation in pkg/render/gateway_api.go from 11 to 10 k8s CRDs, fixed resource render expectation from 17 to 21 (20 core resources + 1 resource per envoygatewayclass)

The following CRDs are packaged in this change

Gateway API-Specific CRDs

Resource Kind	Version	Notes
BackendTLSPolicy	v1alpha3	Gateway API specific (standard resource for TLS backend configuration).
GatewayClass	v1, v1beta1	Gateway API specific (standard resource for gateway classes).
Gateway	v1, v1beta1	Gateway API specific (standard resource for gateways).
GRPCRoute	v1	Gateway API specific (standard resource for gRPC routing).
HTTPRoute	v1, v1beta1	Gateway API specific (standard resource for HTTP routing).
ReferenceGrant	v1beta1	Gateway API specific (standard resource for cross-namespace references).
TCPRoute	v1alpha2	Gateway API specific (standard resource for TCP routing).
TLSRoute	v1alpha2	Gateway API specific (standard resource for TLS routing).
UDPRoute	v1alpha2	Gateway API specific (standard resource for UDP routing).
XBackendTrafficPolicy	v1alpha1	Gateway API experimental (extended resource for backend traffic policies, from gateway.networking.x-k8s.io).
XListenerSet	v1alpha1	Gateway API experimental (extended resource for listener sets, from gateway.networking.x-k8s.io).

Envoy-Specific CRDs

Resource Kind	Version	Notes
Backend	v1alpha1	Envoy Gateway specific (custom resource for backend endpoints, from gateway.envoyproxy.io).
BackendTrafficPolicy	v1alpha1	Envoy Gateway specific (custom resource for backend traffic policies, from gateway.envoyproxy.io).
ClientTrafficPolicy	v1alpha1	Envoy Gateway specific (custom resource for client-side traffic policies, from gateway.envoyproxy.io).
EnvoyExtensionPolicy	v1alpha1	Envoy Gateway specific (custom resource for Envoy extensions like Lua/WASM, from gateway.envoyproxy.io).
EnvoyPatchPolicy	v1alpha1	Envoy Gateway specific (custom resource for patching Envoy xDS resources, from gateway.envoyproxy.io).
EnvoyProxy	v1alpha1	Envoy Gateway specific (custom resource for Envoy proxy configuration, from gateway.envoyproxy.io).
HTTPRouteFilter	v1alpha1	Envoy Gateway specific (custom resource for HTTP route filters, from gateway.envoyproxy.io).
SecurityPolicy	v1alpha1	Envoy Gateway specific (custom resource for security policies like JWT/OIDC, from gateway.envoyproxy.io).

New Features

This update includes new Envoy Gateway v1.5.0 features such as the SecurityPolicy CRD and other enhancements.

Testing

• Ran focused Gateway API tests with go test ./pkg/render -v -ginkgo.focus ".*Gateway.*"
• Executed full unit test suite with make ut
• All tests pass successfully

Description

Release Note

Envoy Gateway updated to v1.5.0. This now includes envoy `SecurityPolicy` CRD

For PR author

• Tests for change.
• If changing pkg/apis/, run make gen-files
• If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

• Milestone set according to targeted release.
• Appropriate labels:
  • kind/bug if this is a bugfix.
  • kind/enhancement if this is a a new feature.
  • enterprise if this PR applies to Calico Enterprise only.

[nelljerram]

I'd like to understand the MutatingWebhook better.

• What does it do?
• It is correct to configure it before the gateway controller is deployed?

We'll need doc updates for the CRD changes. BackendLBPolicy removed, XBackendTraffic and XListenerSet added, and version changes for other CRDs.

A few other specific points.

[nelljerram]

Moving the gateway API rendering into its own package seems like a nice move to me, but I'd appreciate an operator-dev OK'ing this as well, in case there's some gotcha with not having all of our rendering in a single package.

[electricjesus]

we do already have existing component-specific subdirectories under pkg/render.. so I think that's okay? (cc @tigera/tigera-operator-maintainers maybe i'm not seeing something here)

[nelljerram]

Really? That's such an obviously terrible name. But I presume this isn't your choice at all. Out of interest do you have a pointer to the deprecation notice?

[nelljerram]

Oh I see, it was a typo.

[electricjesus]

sorry that was a search-and-replace fail!

here's the specific release we've upgrade to, take a look at Breaking Changes https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.21.0

[nelljerram]

Please note that this function is quite careful about the order of objsToCreate - so that when object A depends on other objects {B}, {B} are emitted first, then A. Considering the insertions here:

• I think the extra cluster role (binding) for certgen job is fine, because the job itself is created later.
• Not sure about the mutating web hook. Does this depend on the envoy-gateway controller already running, since that what it points to? Perhaps it's fine because of its policy to ignore failures. I'm curious what happens later when the envoy-gateway controller is actually deployed... then the webhook fires and tries to call the controller while it's still being created?

[electricjesus]

@nelljerram apparently the webhook's only job is to label gateway proxy pods with node topology labels. these seem to be mostly informational doesn't seem to affect operation. perhaps it's used for something else? taxonomy purposes?

[nelljerram]

PR description mentions a new SecurityPolicy CRD, but I didn't spot that in the YAML changes. Is the PR description correct?

[nelljerram]

UT failures look related to the Requeue -> RequeueAfter change

[nelljerram]

https://gateway.envoyproxy.io/news/releases/v1.5/ says:

xDS Listener Naming: Listeners are now named based on listening port and protocol instead of Gateway and section names.
This affects existing EnvoyPatchPolicies and ExtensionManagers.

Is that going to need changes to our WAF implementation?

[electricjesus]

gateway.envoyproxy.io/news/releases/v1.5 says:

xDS Listener Naming: Listeners are now named based on listening port and protocol instead of Gateway and section names.
This affects existing EnvoyPatchPolicies and ExtensionManagers.

Is that going to need changes to our WAF implementation?

yes you're right.. looks like it's deprecated in 1.5, removed in 1.6. it doesn't change the WAF implementation but it will affect the documentation: https://docs.tigera.io/calico-enterprise/3.22/threat/deploying-waf-ingress-gateway#customizing-your-waf-configuration-for-an-ingress-gateway

that's fine, seems like a quick change after this PR is merged.

[electricjesus]

PR description mentions a new SecurityPolicy CRD, but I didn't spot that in the YAML changes. Is the PR description correct?

updated the description

UT failures look related to the Requeue -> RequeueAfter change

now fixed, i think!

[nelljerram]

updated the description

It still says "SecurityPolicy" in the PR description, unless my eyes are fooling me!

[nelljerram]

Oh I see, it was a typo.

[nelljerram]

@electricjesus Is your last commit a necessary part of bumping to 1.5.0 ?

[electricjesus]

@nelljerram no that's not necessary, just trying to figure out why that FV is timing out. seems that it does tend to help so i separated the tweaks out to its own PR: #4150

also reverted the commit