Merge branch 'main' into feat-bandwidth

jukie · web-flow · commit d897c15facdb · 2026-04-27T21:41:02.000-07:00
Signed-off-by: Isaac Wilson &lt;isaac.wilson514@gmail.com&gt;
diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md
@@ -113,6 +113,9 @@ helm uninstall eg -n envoy-gateway-system
 | global.images.envoyGateway.image | string | `nil` |  |
 | global.images.envoyGateway.pullPolicy | string | `nil` |  |
 | global.images.envoyGateway.pullSecrets | list | `[]` |  |
+| global.images.envoyProxy.image | string | `""` |  |
+| global.images.envoyProxy.pullPolicy | string | `""` |  |
+| global.images.envoyProxy.pullSecrets | list | `[]` |  |
 | global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` |  |
 | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` |  |
 | global.images.ratelimit.pullSecrets | list | `[]` |  |
diff --git a/charts/gateway-helm/templates/_helpers.tpl b/charts/gateway-helm/templates/_helpers.tpl
@@ -158,11 +158,61 @@ imagePullSecrets: {{ toYaml list }}
 {{- end }}
 {{- end }}
 
+{{/*
+Resolve the Envoy Proxy image.
+*/}}
+{{- define "eg.envoyProxy.image" -}}
+{{-   $imageParts := splitn "/" 2 .Values.global.images.envoyProxy.image -}}
+{{/*    if global.imageRegistry is defined, it takes precedence always */}}
+{{-   $registryName := default $imageParts._0 .Values.global.imageRegistry -}}
+{{-   $repositoryTag := $imageParts._1 -}}
+{{-   $repositoryParts := splitn ":" 2 $repositoryTag -}}
+{{-   $repositoryName := $repositoryParts._0 -}}
+{{-   $imageTag := default "distroless-dev" $repositoryParts._1 -}}
+{{-   printf "%s/%s:%s" $registryName $repositoryName $imageTag -}}
+{{- end -}}
+
+{{/*
+Resolve the Envoy Proxy image pull secrets.
+*/}}
+{{- define "eg.envoyProxy.image.pullSecrets" -}}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{ toYaml .Values.global.imagePullSecrets }}
+{{- else if .Values.global.images.envoyProxy.pullSecrets -}}
+imagePullSecrets:
+{{ toYaml .Values.global.images.envoyProxy.pullSecrets }}
+{{- else }}
+imagePullSecrets: {{ toYaml list }}
+{{- end }}
+{{- end }}
 
 {{/*
 The default Envoy Gateway configuration.
 */}}
 {{- define "eg.default-envoy-gateway-config" -}}
+{{- if or .Values.global.images.envoyProxy.image .Values.config.envoyGateway.envoyProxy }}
+{{- $envoyProxyBase := .Values.config.envoyGateway.envoyProxy | default dict }}
+{{- $imageOverride := dict }}
+{{- if .Values.global.images.envoyProxy.image }}
+  {{- $container := dict "image" (include "eg.envoyProxy.image" .) }}
+  {{- if .Values.global.images.envoyProxy.pullPolicy }}
+    {{- $_ := set $container "imagePullPolicy" .Values.global.images.envoyProxy.pullPolicy }}
+  {{- end }}
+  {{- $deployment := dict "container" $container }}
+  {{- if or .Values.global.imagePullSecrets .Values.global.images.envoyProxy.pullSecrets }}
+    {{- $pullSecretsYaml := include "eg.envoyProxy.image.pullSecrets" . }}
+    {{- $pullSecrets := dict "imagePullSecrets" ($pullSecretsYaml | fromYaml).imagePullSecrets }}
+    {{- $_ := set $deployment "pod" $pullSecrets }}
+  {{- end }}
+  {{- $kubernetes := dict "envoyDeployment" $deployment }}
+  {{- $provider := dict "type" "Kubernetes" "kubernetes" $kubernetes }}
+  {{- $imageOverride = dict "provider" $provider }}
+{{- end }}
+{{- $merged := mustMergeOverwrite (dict) $envoyProxyBase $imageOverride }}
+envoyProxy:
+{{ toYaml $merged | indent 2 }}
+{{- end }}
 provider:
   type: Kubernetes
   kubernetes:
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
@@ -1,6 +1,6 @@
 # Global settings
 global:
-  # If set, these take highest precedence and change both envoyGateway and ratelimit's container registry and pull secrets.
+  # If set, these take highest precedence and change envoyGateway, envoyProxy, and ratelimit's container registry and pull secrets.
   # -- Global override for image registry
   imageRegistry: ""
   # -- Global override for image pull secrets
@@ -25,6 +25,15 @@ global:
       pullPolicy: IfNotPresent
       # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
       pullSecrets: []
+    envoyProxy:
+      # This is the full image name including the hub, repo, and tag for the Envoy Proxy data plane.
+      # If not specified, uses the default image built into envoy-gateway.
+      image: ""
+      # Specify image pull policy if default behavior isn't desired.
+      # Default behavior: IfNotPresent.
+      pullPolicy: ""
+      # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+      pullSecrets: []
 
 # -- Labels to apply to all resources
 commonLabels: {}
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -48,6 +48,7 @@ new features: |
   Added support for sending Envoy Gateway route metadata to external authorization backends via `SecurityPolicy.spec.extAuth.includeRouteMetadata`.
   Added support for path override in ExtAuth HTTP service.
   Added support for bandwidth limit.
+  Added support for defining Envoy Proxy image, pullPolicy, and pullSecrets via the helm chart.  Note that to merge these helm-configured values with EnvoyProxy resources, the EnvoyProxy must include `mergeType: StrategicMerge` or `mergeType: JSONMerge`.
 
 bug fixes: |
   Fixed local rate limit rules with identical sourceCIDR client selectors producing conflicting descriptors.
diff --git a/release-notes/v1.6.7.yaml b/release-notes/v1.6.7.yaml
@@ -0,0 +1,28 @@
+date: April 27, 2026
+
+# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
+breaking changes: |
+
+# Updates addressing vulnerabilities, security flaws, or compliance requirements.
+security updates: |
+  Bumped `google.golang.org/grpc` to v1.79.3 to address CVE-2026-33186 (Critical, gRPC-Go authorization bypass via non-canonical HTTP/2 `:path` header).
+  Bumped `go.opentelemetry.io/otel/sdk` to v1.40.0 to address CVE-2026-24051 (High, OpenTelemetry Go SDK path hijacking on macOS/Darwin).
+
+# New features or capabilities added in this release.
+new features: |
+
+bug fixes: |
+  Fixed a control plane panic caused by concurrent Status mutation racing with the watchable Map coalesce goroutine.
+  Fixed status conditions not being updated when a route is rejected due to multiple errors.
+  Fixed unresolved or unsupported HTTPRoute filters using `BackendNotFound` as the `ResolvedRefs` reason; they now correctly use `UnsupportedValue`.
+  Fixed benchmark JSON report emitting `0` for p99 and p999 percentiles by using the nearest Nighthawk histogram percentiles.
+
+# Enhancements that improve performance.
+performance improvements: |
+  Introduced a translator context with preprocessed resource maps in the Gateway API translator, reducing translation time by up to ~45% on large workloads.
+
+# Deprecated features or APIs.
+deprecations: |
+
+# Other notable changes not covered by the above sections.
+Other changes: |
diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md
@@ -77,6 +77,9 @@ The Helm chart for Envoy Gateway
 | global.images.envoyGateway.image | string | `nil` |  |
 | global.images.envoyGateway.pullPolicy | string | `nil` |  |
 | global.images.envoyGateway.pullSecrets | list | `[]` |  |
+| global.images.envoyProxy.image | string | `""` |  |
+| global.images.envoyProxy.pullPolicy | string | `""` |  |
+| global.images.envoyProxy.pullSecrets | list | `[]` |  |
 | global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` |  |
 | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` |  |
 | global.images.ratelimit.pullSecrets | list | `[]` |  |
diff --git a/site/content/en/news/releases/notes/v1.6.7.md b/site/content/en/news/releases/notes/v1.6.7.md
@@ -0,0 +1,31 @@
+---
+title: "v1.6.7"
+publishdate: 2026-04-27
+---
+
+Date: April 27, 2026
+
+## Breaking changes
+-
+
+## Security updates
+- Bumped `google.golang.org/grpc` to v1.79.3 to address [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) (Critical, gRPC-Go authorization bypass via non-canonical HTTP/2 `:path` header).
+- Bumped `go.opentelemetry.io/otel/sdk` to v1.40.0 to address [CVE-2026-24051](https://nvd.nist.gov/vuln/detail/CVE-2026-24051) (High, OpenTelemetry Go SDK path hijacking on macOS/Darwin).
+
+## New features
+-
+
+## Bug fixes
+- Fixed a control plane panic caused by concurrent Status mutation racing with the watchable Map coalesce goroutine.
+- Fixed status conditions not being updated when a route is rejected due to multiple errors.
+- Fixed unresolved or unsupported HTTPRoute filters using `BackendNotFound` as the `ResolvedRefs` reason; they now correctly use `UnsupportedValue`.
+- Fixed benchmark JSON report emitting `0` for p99 and p999 percentiles by using the nearest Nighthawk histogram percentiles.
+
+## Performance improvements
+- Introduced a translator context with preprocessed resource maps in the Gateway API translator, reducing translation time by up to ~45% on large workloads.
+
+## Deprecations
+-
+
+## Other changes
+-
diff --git a/site/static/js/benchmark-dashboard.js b/site/static/js/benchmark-dashboard.js
diff --git a/site/tools/benchmark-dashboard/src/data/index.ts b/site/tools/benchmark-dashboard/src/data/index.ts
@@ -46,8 +46,11 @@ import { benchmarkData as v166TestSuite } from './versions/v1.6.6';
 
 import { benchmarkData as v172TestSuite } from './versions/v1.7.2';
 
+import { benchmarkData as v167TestSuite } from './versions/v1.6.7';
+
 // Import all version data
 export const allTestSuites: TestSuite[] = [
+  v167TestSuite,
   v172TestSuite,
   v166TestSuite,
   v171TestSuite,
diff --git a/site/tools/benchmark-dashboard/src/data/versions/v1.6.7.ts b/site/tools/benchmark-dashboard/src/data/versions/v1.6.7.ts
diff --git a/test/helm/gateway-helm/global-images-config.in.yaml b/test/helm/gateway-helm/global-images-config.in.yaml
diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml
