deps: bumps EG (#1770)

**Description**

EG got a CVE recently. It doesn't affect AIGW users but upgrading it to
the latest patch version silences CVE scanners.

---------

Signed-off-by: Takeshi Yoneda <t.y.mathetake@gmail.com>

Author: mathetake

.github/workflows/build_and_test.yaml

@@ -212,8 +212,8 @@ jobs:
         include:
           - name: latest
             envoy_gateway_version: v0.0.0-latest
-          - name: v1.6.0
-            envoy_gateway_version: v1.6.0
+          - name: v1.6.2
+            envoy_gateway_version: v1.6.2
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v5

cmd/aigw/download_envoy.go

@@ -7,33 +7,27 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"io"
 	"os"
-	"regexp"
-	"strings"
 
-	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	func_e "github.com/tetratelabs/func-e"
 	func_e_api "github.com/tetratelabs/func-e/api"
 )
 
-var envoyVersionRe = regexp.MustCompile(`\d+\.\d+\.\d+`)
+// This matches the version in the .envoy-version file at the repo root. That is ensured in tests.
+// The reason why we don't use the constant defined in the EG as a library is that when we depend
+// on the main branch, it will be a non-released development version that func-e may not have.
+const envoyVersion = "1.37.0"
 
 // downloadEnvoy downloads the Envoy binary used by Envoy Gateway.
 func downloadEnvoy(ctx context.Context, funcERun func_e_api.RunFunc, tmpDir, dataHome string, stdout, stderr io.Writer) error {
-	version, err := getEnvoyVersion(egv1a1.DefaultEnvoyProxyImage)
-	if err != nil {
-		return err
-	}
-
 	return funcERun(ctx, []string{"--version"},
 		func_e_api.ConfigHome(tmpDir),
 		func_e_api.DataHome(dataHome),
 		func_e_api.StateHome(tmpDir),
 		func_e_api.RuntimeDir(tmpDir),
 		func_e_api.RunID("0"),
-		func_e_api.EnvoyVersion(version),
+		func_e_api.EnvoyVersion(envoyVersion),
 		func_e_api.Out(stdout),
 		func_e_api.EnvoyOut(stdout),
 		func_e_api.EnvoyErr(stderr),
@@ -43,18 +37,3 @@ func downloadEnvoy(ctx context.Context, funcERun func_e_api.RunFunc, tmpDir, dat
 func downloadEnvoyCmd(ctx context.Context, c *cmdDownloadEnvoy, stdout, stderr io.Writer) error {
 	return downloadEnvoy(ctx, func_e.Run, os.TempDir(), c.dataHome, stdout, stderr)
 }
-
-func getEnvoyVersion(image string) (string, error) {
-	if version := os.Getenv("ENVOY_VERSION"); version != "" {
-		return version, nil
-	}
-	parts := strings.Split(image, ":")
-	if len(parts) < 2 {
-		return "", fmt.Errorf("no tag in default Envoy image: %s", image)
-	}
-	semver := envoyVersionRe.FindString(parts[len(parts)-1])
-	if semver == "" {
-		return "", fmt.Errorf("no semver in tag: %s", parts[len(parts)-1])
-	}
-	return semver, nil
-}

cmd/aigw/download_envoy_test.go

@@ -8,52 +8,28 @@ package main
 import (
 	"context"
 	"io"
+	"os"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 	func_e_api "github.com/tetratelabs/func-e/api"
+
+	internaltesting "github.com/envoyproxy/ai-gateway/internal/testing"
 )
 
 func Test_downloadEnvoy(t *testing.T) {
+	t.Run("ensure the version constant matches the .envoy-version file", func(t *testing.T) {
+		root := internaltesting.FindProjectRoot()
+		envoyVersionInRoot, err := os.ReadFile(root + "/.envoy-version")
+		require.NoError(t, err)
+		require.Equal(t, envoyVersion, strings.TrimSpace(string(envoyVersionInRoot)))
+	})
+
 	err := downloadEnvoy(t.Context(), func(_ context.Context, args []string, opts ...func_e_api.RunOption) error {
 		require.Equal(t, []string{"--version"}, args)
 		require.Len(t, opts, 9) // opts are internal so we can just count them
 		return nil
 	}, t.TempDir(), t.TempDir(), io.Discard, io.Discard)
 	require.NoError(t, err)
 }
-
-func Test_getEnvoyVersion(t *testing.T) {
-	tests := []struct {
-		name            string
-		envVersion      string
-		egVersion       string
-		expectedVersion string
-	}{
-		{
-			name:            "env override wins",
-			envVersion:      "1.37.0",
-			egVersion:       "1.36.2",
-			expectedVersion: "1.37.0",
-		},
-		{
-			name:            "fallback to default",
-			envVersion:      "",
-			egVersion:       "1.36.2",
-			expectedVersion: "1.36.2",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Setenv("ENVOY_VERSION", tt.envVersion)
-			version, err := getEnvoyVersion("docker.io/envoyproxy/envoy:distroless-v" + tt.egVersion)
-			require.NoError(t, err)
-			require.Equal(t, tt.expectedVersion, version)
-		})
-	}
-	t.Run("invalid image tag", func(t *testing.T) {
-		_, err := getEnvoyVersion("docker.io/envoyproxy/envoy")
-		require.Error(t, err)
-	})
-}

cmd/aigw/run.go

@@ -93,7 +93,7 @@ func run(ctx context.Context, c *cmdRun, o *runOpts, stdout, stderr io.Writer) e
 	// First, we need to create the self-signed certificates used for communication between the EG and Envoy.
 	// Certificates will be placed at ~/.config/envoy-gateway/certs, which is the default location used by Envoy Gateway.
 	certGenOut := &bytes.Buffer{}
-	certGen := root.GetRootCommand()
+	certGen := root.GetRootCommand(nil)
 	certGen.SetOut(certGenOut)
 	certGen.SetErr(certGenOut)
 	certGen.SetArgs([]string{"certgen", "--local"})
@@ -211,7 +211,7 @@ func run(ctx context.Context, c *cmdRun, o *runOpts, stdout, stderr io.Writer) e
 	// Now running the `envoy-gateway` CLI alternative below by passing `--config-path` to `egConfigPath`.
 	// Then the agent will read the resources from the file pointed inside the config and start the Envoy process.
 
-	server := root.GetRootCommand()
+	server := root.GetRootCommand(nil)
 	// TODO: enable the log by default after the issue is resolved: https://github.com/envoyproxy/gateway/issues/6596
 	if c.Debug {
 		server.SetOut(stdout)

go.mod

@@ -19,9 +19,9 @@ require (
 	github.com/cohere-ai/cohere-go/v2 v2.16.1
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/docker/docker v28.5.2+incompatible
-	github.com/envoyproxy/gateway v1.6.0
+	github.com/envoyproxy/gateway v1.7.0-rc.0
 	github.com/envoyproxy/go-control-plane v0.14.0
-	github.com/envoyproxy/go-control-plane/envoy v1.36.0
+	github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260115164926-066cbd5b3989
 	github.com/go-logr/logr v1.4.3
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/cel-go v0.26.1
@@ -69,7 +69,7 @@ require (
 	k8s.io/client-go v0.35.0
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/controller-runtime v0.23.0
-	sigs.k8s.io/gateway-api v1.4.0
+	sigs.k8s.io/gateway-api v1.4.1
 	sigs.k8s.io/gateway-api-inference-extension v1.0.2
 	sigs.k8s.io/yaml v1.6.0
 )
@@ -87,8 +87,7 @@ require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/avast/retry-go v3.0.0+incompatible // indirect
+	github.com/avast/retry-go/v5 v5.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.7 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
@@ -107,30 +106,30 @@ require (
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
-	github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect
+	github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.17.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
 	github.com/containers/image/v5 v5.36.2 // indirect
 	github.com/containers/storage v1.59.1 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v28.5.1+incompatible // indirect
+	github.com/docker/cli v29.1.5+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/docker-credential-helpers v0.9.4 // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dominikbraun/graph v0.23.0 // indirect
-	github.com/ebitengine/purego v0.9.0 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
-	github.com/envoyproxy/go-control-plane/contrib v1.32.5-0.20251029084203-42a4a9261f66 // indirect
-	github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20251029084203-42a4a9261f66 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 // indirect
+	github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 // indirect
 	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
@@ -141,24 +140,24 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-openapi/analysis v0.24.0 // indirect
-	github.com/go-openapi/errors v0.22.3 // indirect
-	github.com/go-openapi/jsonpointer v0.22.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.2 // indirect
-	github.com/go-openapi/loads v0.23.1 // indirect
-	github.com/go-openapi/spec v0.22.0 // indirect
-	github.com/go-openapi/strfmt v0.24.0 // indirect
+	github.com/go-openapi/analysis v0.24.1 // indirect
+	github.com/go-openapi/errors v0.22.4 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
+	github.com/go-openapi/jsonreference v0.21.4 // indirect
+	github.com/go-openapi/loads v0.23.2 // indirect
+	github.com/go-openapi/spec v0.22.3 // indirect
+	github.com/go-openapi/strfmt v0.25.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
-	github.com/go-openapi/swag/conv v0.25.1 // indirect
+	github.com/go-openapi/swag/conv v0.25.4 // indirect
 	github.com/go-openapi/swag/fileutils v0.25.1 // indirect
-	github.com/go-openapi/swag/jsonname v0.25.1 // indirect
-	github.com/go-openapi/swag/jsonutils v0.25.1 // indirect
-	github.com/go-openapi/swag/loading v0.25.1 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
+	github.com/go-openapi/swag/loading v0.25.4 // indirect
 	github.com/go-openapi/swag/mangling v0.25.1 // indirect
-	github.com/go-openapi/swag/stringutils v0.25.1 // indirect
-	github.com/go-openapi/swag/typeutils v0.25.1 // indirect
-	github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
-	github.com/go-openapi/validate v0.25.0 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
+	github.com/go-openapi/validate v0.25.1 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -175,14 +174,14 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
-	github.com/klauspost/compress v1.18.1 // indirect
+	github.com/klauspost/compress v1.18.3 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
 	github.com/lyft/gostats v0.4.1 // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
-	github.com/miekg/dns v1.1.68 // indirect
+	github.com/miekg/dns v1.1.70 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/go-archive v0.1.0 // indirect
@@ -197,7 +196,7 @@ require (
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/ohler55/ojg v1.26.10 // indirect
+	github.com/ohler55/ojg v1.28.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
@@ -208,32 +207,32 @@ require (
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.9 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.12 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/spf13/cobra v1.10.1 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20251023124752-b61f268f75b6 // indirect
+	github.com/spf13/cobra v1.10.2 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.16 // indirect
+	github.com/tklauser/numcpus v0.11.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
-	github.com/vbatts/tar-split v0.12.1 // indirect
+	github.com/vbatts/tar-split v0.12.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
 	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
-	go.mongodb.org/mongo-driver v1.17.4 // indirect
+	go.mongodb.org/mongo-driver v1.17.6 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/bridges/prometheus v0.64.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
 	go.opentelemetry.io/contrib/propagators/aws v1.39.0 // indirect
 	go.opentelemetry.io/contrib/propagators/b3 v1.39.0 // indirect