This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

News

News about Envoy Gateway

This is the news section. It has three categories: Blogs, Presentations and Releases.

Files in these directories will be listed in reverse chronological order.

1 - Blogs

Blogs about Envoy Gateway

1.1 - Announcing Envoy Gateway’s 1.0 Release!

v1.0.0 is here !

Today we’re ecstatic to announce the 1.0 release of Envoy Gateway (EG) for Kubernetes. A mature version ready for widespread adoption in production that simplifies the use of Envoy for managing North-South traffic.

After nearly two years with contributions from over 90 engineers we are proud to say EG meets the goals that Matt outlined in the original post introducing the project, summarized here:

  • Built around the (then emerging) Kubernetes Gateway API
  • Addresses common needs with a solution that is simple to configure and understand
  • Provides great docs for common use cases to enable ease of adoption
  • Empowers the community and vendors to drive the project forward through an extensible API

Can’t wait to try it? Visit the EG tasks to get started with Envoy Gateway 1.0

Envoy Gateway 1.0

The 1.0 release brings a lot of functionality. In addition to implementing the full Kubernetes Gateway API – including the awesome Envoy L7 features you love like per-request policy, load balancing, and best-in-class observability – it also goes further, Envoy Gateway 1.0:

  • Provides support for common features such as Rate Limiting and OAuth2.0
  • Deploys and upgrades Envoy on your behalf, easing operations and lifecycle management
  • Introduces extensions to the Kubernetes Gateway API to address Client, Backend, and Security settings and features
  • Is easily extensible through the EnvoyPatchPolicy API to allow you to configure any Envoy behavior (including stuff you build yourself!)
  • Has a CLI, egctl, for interacting with and debugging the system
  • Comes with a large (and growing!) set of scenarios to make common use cases straightforward to implement

What Does 1.0 Mean for the Project?

We won’t be slowing down on feature velocity – if anything, we expect more features to ship as many users who have been following the project and waiting on the GA release get involved. For us, 1.0 means two big things:

  • A commitment to ensuring stability with releases for CVE fixes. From 1.0 onwards you can have confidence that the configuration you write today will continue to work in the same way for the foreseeable future.
  • That the community is confident in the system’s readiness for general use by everyone, not just Envoy experts.

How We Got Here

The project has moved so fast it feels like a whirlwind, but a high level recap is in order.

  • 2022

    • In May, Matt Klein published the original post introducing the project
    • In November, Envoy Gateway passed the entire Kubernetes Gateway API conformance suite for the first time.
  • 2023

    • We enabled early adopters to understand target use cases by providing configuration escape valves.
    • The number of project contributors and early adopters were growing and shaping the direction of Envoy Gateway
    • Extensions to Envoy Gateway and the Gateway API to tackle client, backend, and security challenges early adopters were facing, were introduced by the community
  • 2024

    • Envoy Gateway 1.0 is ready for widespread adoption thanks to over 90 contributors and the engagement from early production adopters

What’s Next?

Following the 1.0 release, we’ll be focusing on:

  • Ease of operation: Continuing to improve the Journey to Production and operability of the system
    • Better metrics dashboards for control plane and data plane observability
    • Exposing more knobs to fine tune more traffic shaping parameters
  • Features: More API Gateway features such as authorization (IP Addresses, JWT Claims, API Key, etc.) and compression
  • Scale: Building out a performance benchmarking tool into our CI
  • Extensibility: We plan on providing a first-class API for data plane extensions such as Lua, Wasm, and Ext Proc to enable users to implement their custom use cases
  • Outside of Kubernetes: Running Envoy Gateway in non-k8s environments - this has been an explicit goal and we’d like to focus on this in the coming months. Envoy Proxy already supports running on bare metal environments, with Envoy Gateway users getting the added advantage of a simpler API
  • Debug: And a lot of capabilities with the egctl CLI

Get Started

If you’ve been looking to use Envoy as a Gateway, check out our quickstart guide and give it a try! If you’re interested in contributing, check out our guide for getting involved!

1.2 - Welcome to new website!

We migrate our docs from Sphinx to Hugo now!

Introduction

In the realm of static site generators, two names often come up: Sphinx and Hugo. While both are powerful tools, we recently made the decision to migrate our documentation from Sphinx to Hugo. This article aims to shed light on the reasons behind this move and the advantages we’ve discovered in using Hugo for static blogging.

Why Migrate?

Sphinx, originally created for Python documentation, has served us well over the years. It offers a robust and flexible solution for technical documentation. However, as our needs evolved, we found ourselves seeking a tool that could offer faster build times, ease of use, and a more dynamic community. This led us to Hugo.

Advantages of Hugo

  • Speed: Hugo is renowned for its speed. It can build a site in a fraction of the time it takes other static site generators. This is a significant advantage when working with large sites or when quick updates are necessary.

  • Ease of Use: Hugo’s simplicity is another strong point. It doesn’t require a runtime environment, and its installation process is straightforward. Moreover, Hugo’s content management is intuitive, making it easy for non-technical users to create and update content.

  • Flexibility: Hugo supports a wide range of content types, from blog posts to documentation. It also allows for custom outputs, enabling us to tailor our site to our specific needs.

  • Active Community: Hugo boasts a vibrant and active community. This means regular updates, a wealth of shared themes and plugins, and a responsive support network.

  • Multilingual Support: Hugo’s built-in support for multiple languages is a boon for global teams. It allows us to create content in various languages without the need for additional plugins or tools.

  • Markdown Support: Hugo’s native support for Markdown makes it easy to write and format content. This is particularly beneficial for technical writing, where code snippets and technical formatting are common.

Challenges Encountered During the Migration

While the migration from Sphinx to Hugo has brought numerous benefits, it was not without its challenges and it really took me a lot of time on it. Here are some of the difficulties we encountered during the process:

  • Converting RST to Markdown: Our documentation contained a large number of reStructuredText (RST) files, which needed to be converted to Markdown, the format Hugo uses. This required a careful and meticulous conversion process to ensure no information was lost or incorrectly formatted.

  • Adding Headings to tons of Markdown Files: Hugo requires headings in its Markdown files, which our old documents did not have. We had to write scripts to add these headings in bulk, a task that required a deep understanding of both our content and Hugo’s requirements.

  • Handling Multiple Versions: Our documentation had already gone through five iterations, resulting in a large number of files to manage. We had to ensure that all versions were correctly migrated and that the versioning system in Hugo was correctly set up.

  • Designing a New Page Structure and Presentation: To provide a better reading experience, we needed to design a new way to organize and present our pages. This involved understanding our readers’ needs and how best to structure our content to meet those needs.

  • Updating Existing Toolchains: The migration also required us to update our existing toolchains, including Makefile, CI, release processes, and auto-generation tools. This was a complex task that required a deep understanding of both our old and new systems.

Despite these challenges, the benefits of migrating to Hugo have far outweighed the difficulties. The process, while complex, has provided us with a more efficient, user-friendly, and flexible system for managing our static blog. It’s a testament to the power of Hugo and the value of continuous improvement in the tech world.

Conclusion

While Sphinx has its strengths, our migration to Hugo has opened up new possibilities for our static blogging. The speed, ease of use, flexibility, and active community offered by Hugo have made it a powerful tool in our arsenal.

Some Words

From the inception of my involvement in the project, I have placed great emphasis on user experience, including both developer and end-user experiences. I have built a rich toolchain, automated pipelines, Helm Charts, command-line tools, and documentation to enhance the overall experience of interacting with the project.

My dedication to improving user experience was a driving force behind the decision to migrate from Sphinx to Hugo. I recognized the potential for Hugo to provide a more intuitive and efficient platform for managing the project’s static blog. Despite the challenges encountered during the migration, my commitment to enhancing user experience ensured a successful transition.

Through this migration, I have further demonstrated my commitment to continuous improvement and my ability to adapt to the evolving needs of the project. My work serves as a testament to the importance of user experience in software development and the value of embracing new tools and technologies to meet these needs.

Enjoy new Envoy Gateway Website! ❤️

2 - Presentations

Presentations, Talks and Events about Envoy Gateway

2.1 - KubeCon China 2023

Envoy Gateway: The API Gateway in the Cloud Native Era

Watch Videos

2.2 - KubeCon Europe 2023

Envoy Gateway Update

Watch Videos

2.3 - KubeCon North America 2022

Envoy Gateway Update

Watch Videos

3 - Release Announcements

Envoy Gateway Release Announcements

This document provides details for Envoy Gateway releases. Envoy Gateway follows the Semantic Versioning v2.0.0 spec for release versioning.

Stable Releases

Stable releases of Envoy Gateway include:

  • Minor Releases- A new release branch and corresponding tag are created from the main branch. A minor release is supported for 6 months following the release date. As the project matures, Envoy Gateway maintainers will reassess the support timeframe.

Minor releases happen quarterly and follow the schedule below.

Release Management

Minor releases are handled by a designated Envoy Gateway maintainer. This maintainer is considered the Release Manager for the release. The details for creating a release are outlined in the release guide. The Release Manager is responsible for coordinating the overall release. This includes identifying issues to be fixed in the release, communications with the Envoy Gateway community, and the mechanics of the release.

QuarterRelease Manager
2022 Q4Daneyon Hansen (danehans)
2023 Q1Xunzhuo Liu (Xunzhuo)
2023 Q2Alice Wasko (Alice-Lilith)
2023 Q3Arko Dasgupta (arkodg)
2023 Q4Arko Dasgupta (arkodg)
2024 Q1Xunzhuo Liu (Xunzhuo)
2024 Q3Guy Daich (guydc)
2024 Q4Huabing Zhao (zhaohuabing)

Release Schedule

In order to align with the Envoy Proxy release schedule, Envoy Gateway releases are produced on a fixed schedule (the 22nd day of each quarter), with an acceptable delay of up to 2 weeks, and a hard deadline of 3 weeks.

VersionExpectedActualDifferenceEnd of Life
0.2.02022/10/222022/10/20-2 days2023/4/20
0.3.02023/01/222023/02/09+17 days2023/08/09
0.4.02023/04/222023/04/24+2 days2023/10/24
0.5.02023/07/222023/08/02+10 days2024/01/02
0.6.02023/10/222023/11/02+10 days2024/05/02
1.0.x2024/03/062023/03/13+7 days2024/09/13
1.1.x2024/07/162024/07/22+6 days2024/01/22
1.2.x2024/10/222024/11/06+14 days2025/05/06

3.1 - Notes

This section includes Releases Notes of Envoy Gateway.

3.1.1 - v1.2.4

Date: December 13, 2024

Bug fixes

  • Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs.
  • Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected.
  • Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined.
  • Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration.
  • Fixed traffic splitting not working when some backends were invalid.

Other changes

  • Bumped Envoy to version 1.32.2.

3.1.2 - v1.1.4

Date: December 12, 2024

Bug fixes

  • Fixed validate proto messages before converting them to anypb.Any
  • Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work
  • Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes
  • Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn
  • Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected
  • Fixed BackendTrafficPolicy not applying to Gateway Route when Route has a Request Timeout defined

Other changes

  • Bumped Rate Limit to 49af5cca
  • Bumped golang.org/x/crypto to 0.31.0

3.1.3 - v1.2.3

Date: December 2, 2024

Bug fixes

  • Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s.
  • Used a waitGroup instead of an enabled channel in the status updater.

Other changes

  • EG Listens on IPv4 by default, but if IPFamily is set to IPv6 or DualStack, it listens on :: and enables ipv4_compat for DualStack.
  • Bumped Gateway API to v1.2.1.

3.1.4 - v1.2.2

Date: November 28, 2024

Bug fixes

  • Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes.
  • Fixed failed to update SecurityPolicy resources with the backendRef field specified.
  • Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname.
  • Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn.

Other changes

  • Bump the RateLimit image to 49af5cca.
  • Always use :: and IPv4Compact enabled on dynamic listeners.
  • Use V4_PREFERRED instead of V4_ONLY by default for the cluster’s DnsLookupFamily.

3.1.5 - v1.2.1

Date: November 7, 2024

Bug fixes

  • Fixed a panic in the provider goroutine when the body in the direct response configuration was nil.

3.1.6 - v1.2.0

Date: November 06, 2024

Breaking Changes

  • Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed
  • Please refer to the Gateway API v1.2.0 documentation for more information
  • Removed default CPU limit of the Envoy Gateway deployment, to eliminate CPU throttling
  • Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively
  • Set ignore_health_on_host_removal to true for clusters with static endpoints This was done to speed up removal of static endpoints by the control plane when active health check is configured
  • Xds and Infra IR logs are logged at Debug level instead of Info level. They will now not be seen by default in Envoy Gateway logs. You can change the logging level to default: debug to view them

New Features

  • Added support for Gateway-API v1.2.0
  • Added support for IPv4/IPv6 Dual Stack for EnvoyProxy fleet and BackendRef resources
  • Added experimental support for EG standalone(host deployment) mode
  • Added support for JWT claims based Authorization in SecurityPolicy CRD
  • Added support for Response Override in BackendTrafficPolicy CRD
  • Added support for RequestTimeout in BackendTrafficPolicy CRD
  • Added support for inverting header matches for Rate Limit in BackendTrafficPolicy CRD
  • Added support for client TLS session resumption in ClientTrafficPolicy CRD
  • Added support for HTTPRouteFilter and path regex rewrite
  • Added support for host header rewrite in HTTPRouteFilter CRD
  • Added support for Listener Access Log in EnvoyProxy CRD
  • Added support for Datadog tracing support in EnvoyProxy CRD
  • Added support for request response sizes stats in EnvoyProxy CRD
  • Added support for modifying container SecurityContext for Envoy Gateway deployment in Helm
  • Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD
  • Added support for match conditions for access log in EnvoyProxy CRD
  • Added support for using BackendCluster to represent OIDCProvider
  • Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD
  • Added support for sharing token cookies between multiple domains in SecurityPolicy CRD
  • Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD
  • Added support for Active Passive Failover Backends
  • Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD
  • Added support for early request header mutation in the ClientTrafficPolicy CRD
  • Added support for JsonPath in the EnvoyPatchPolicy CRD
  • Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD
  • Added support for cluster settings for non xRoute-generated backend refs
  • Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD
  • Added support for http2 upstream settings in BackendTrafficPolicy CRD
  • Added support for DNS resolution settings in BackendTrafficPolicy CRD
  • Added support for configuring service annotations in the Envoy Gateway helm chart
  • Added support for configuring priorityClassName to Envoy Gateway helm chart
  • Added support for ratelimit metrics monitoring in grafana in the addons helm chart
  • Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart
  • Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart
  • Added support for configuring NodeSelector in the Envoy Gateway helm chart
  • Added support for nonce in the OIDC auth flow
  • Added support for choosing an HTTPRoute’s non-wildcard hostname as the default Host
  • Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails
  • Added support for returning 500 when SecurityPolicy translation fails
  • Added support for multiple backendRefs for ExtAuth and ExtProc
  • Added support for session persistence in HTTPRoute rules
  • Added support for the Backend resource for ExtAuth
  • Added support for target selectors on Envoy Gateway Extension Server policies
  • Added support for non-Kubernetes Backends for TLSRoute
  • Added support for fallback to the Backend API
  • Added support for reloadable EnvoyGateway configuration
  • Added support for adding Labels to the Envoy Service
  • Added support for custom name for ratelimit deployment
  • Added default SecurityContext for EG components
  • Added startupProbe to all provisioned containers
  • Added support for local validations for egctl translate and file provider
  • Added support for egctl x collect to collect information from the cluster for debugging
  • Added support for a native prometheus metrics endpoint in the ratelimit server

Bug Fixes

  • Fixed xDS translation failing when the WASM HTTP code source was configured without an SHA
  • Fixed unsupported listener protocol types causing errors while updating Gateway status
  • Fixed unsupported listener protocol types causing errors while updating Gateway status
  • Fixed invalid sectionName in BackendTLSPolicy for Backend
  • Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors
  • Fixed JSONPath not being correctly translated to JSONPatch paths
  • Fixed allowing an empty slowStart value when using LeastRequest
  • Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid
  • Fixed timeout settings originating from the route being lost when translating the backend traffic policy
  • Fixed Backend resources not receiving status updates
  • Fixed active health checks requiring the expectedStatuses field to function correctly
  • Fixed HTTPHeaderFilter processing not correctly supporting multiple header values
  • Fixed reconciling multiple ReferenceGrants within the same namespace
  • Fixed unwanted / appearing in the Path when using Prefix Rewrites
  • Fixed incorrect gateway being selected as the HTTPRoute parent
  • Fixed override issues for EnvoyExtensionPolicy
  • Fixed nil pointer error when translating hash load balancing
  • Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not
  • Fixed empty connection limits causing xDS rejection
  • Fixed rate limiting not working with both headers and CIDR matches
  • Fixed EDS not updating when deployments were created after services
  • Fixed RBAC issue for deleting infrastructure resources
  • Fixed gateways never reaching ready/programmed status when running Envoy as a Daemonset
  • Fixed rate limit deployment ignoring pod labels and annotation merges
  • Fixed the API Server receives unnecessary requests
  • Fixed egctl experimental translate using an incorrect namespace
  • Fixed reconciliation not being triggered for Secret updates referenced by a BackendTLSPolicy
  • Fixed xDS translation failure when WASM HTTP code source was configured without an SHA
  • Fixed HTTPRoute status displaying only one parent when targeting multiple gateways from different GatewayClasses
  • Fixed Route with multiple parents having an incorrect namespace in the parentRef status
  • Fixed BackendTlsPolicy specifying multiple targetRefs for the same service, to work

Performance Improvements

  • Optimize memory usage by only storing distinct resources
  • SecurityPolicy translation failures will now cause routes referenced by the policy to return an immediate 500 response
  • Gateway-API BackendTLSPolicy v1alpha3 is incompatible with previous versions of the CRD
  • xPolicy targetRefs can no longer specify a namespace, since Gateway-API v1.1.0 uses LocalPolicyTargetReferenceWithSectionName in Policy resources

Other changes

  • Upgraded Envoy Proxy to v1.32.1
  • Reduced the amount of configuration logging, and make it line-delimited friendly
  • Made watching alpha CRDs optional, so that Envoy Gateway can run with older Gateway Api versions
  • Removed grafana test framework from the addons helm chart
  • Disabled ALPN for non-HTTP routes
  • Added statPrefix for HCM and TCPProxy
  • Enabled GatewayHTTPListenerIsolation conformance test
  • Enabled GRPC conformance profile
  • Enabled HTTPRouteBackendRequestHeaderModifier conformance test
  • Added e2e test for Daemonset mode
  • Fixed OVS scanner wrong license warnings
  • Added e2e test for Gateway with EnvoyProxy
  • Added e2e test for TLS session resumption
  • Added heap profile into benchmark report
  • Added e2e test for RecomputeRoute in ExtAuth
  • Added benchmark memory profiles into report
  • Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test
  • Fixed flaky Zipkin Tracing e2e test
  • Added e2e test for cookie based consistent hash load balancing
  • Added e2e test for load balancing
  • Fixed flaky authorization tests
  • Enabled upgrade test
  • Fixed flaky basic auth e2e test
  • Enabled use-client-protocol e2e test
  • Added performance benchmarking test for 1000 HTTPRoutes
  • Added e2e test for Datadog tracing
  • Added e2e tests for ratelimit invert matching headers
  • Reduced readinessProbe failureThreshold and periodSeconds
  • Bumped go-control-plane to v0.13.1
  • Enabled e2e tests for dual stack
  • Use grafana alloy instead of fluent-bit for e2e tests
  • Push tags without the v prefix for helm charts to support Flux HelmReleases
  • Use a stable label selector when creating Envoy Proxy fleet pods

3.1.7 - v1.1.3

Date: November 1, 2024

Breaking changes

New features

Bug fixes

  • Fixed unsupported listener protocol type causing an error while updating Gateway Status
  • Fixed some status updates were being discarded by the status updater
  • Fixed error level logging for admin and metrics modules
  • Fixed Dashboard typos
  • Fixed Ratelimit Deployment ignoring pod labels and annotation merge
  • Fixed the API Server receives unnecessary requests
  • Fixed set invalid Listener.SupportedKinds to empty list
  • Fixed losing timeout settings that originate from the route when translating the backend traffic policy
  • Fixed xds translation failure when wasm http code source configured without sha

Performance improvements

Other changes

  • Bumped Envoy proxy to 1.31.3
  • Bumped github.com/docker/docker to 27.3.1+incompatible

3.1.8 - v1.2.0-rc.1

Date: October 25, 2024

Breaking changes

  • Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed.
  • Please refer to the Gateway API v1.2.0 documentation for more information.
  • Removed default CPU limit of the Envoy Gateway deployment
  • Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively

New features

  • Added support for Gateway-API v1.2.0
  • Added support for IPv4/IPv6 Dual Stack for Envoy listeners and BackendRef resources
  • Added support for EG standalone(host deployment) mode (experimental)
  • Added support for JWT claims based Authorization in SecurityPolicy CRD
  • Added support for Direct Response in HTTPRouteFilter CRD
  • Added support for Response Override in BackendTrafficPolicy CRD
  • Added support for RequestTimeout in BackendTrafficPolicy CRD
  • Added support for inverting header matches for rate limit in BackendTrafficPolicy CRD
  • Added support for client TLS session resumption in ClientTrafficPolicy CRD
  • Added support for HTTPRouteFilter and path regex rewrite
  • Added support for host header rewrite in HTTPRouteFilter CRD
  • Added support for Listener Access Log in EnvoyProxy CRD
  • Added support for Datadog tracing support in EnvoyProxy CRD
  • Added support for request response sizes stats in EnvoyProxy CRD
  • Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD
  • Added support for match conditions for access log in EnvoyProxy CRD
  • Added support for using BackendCluster to represent OIDCProvider
  • Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD
  • Added support for sharing token cookies between multiple domains in SecurityPolicy CRD
  • Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD
  • Added support for LB priority for non xRoute endpoints
  • Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD
  • Added support for early request header mutation in the ClientTrafficPolicy CRD
  • Added support for JsonPath in the EnvoyPatchPolicy CRD
  • Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD
  • Added support for cluster settings for non xRoute-generated backend refs
  • Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD
  • Added support for http2 upstream settings in BackendTrafficPolicy CRD
  • Added support for DNS resolution settings in BackendTrafficPolicy CRD
  • Added support for configuring service annotations in the Envoy Gateway helm chart
  • Added support for configuring priorityClassName to Envoy Gateway helm chart
  • Added support for ratelimit metrics monitoring in grafana in the addons helm chart
  • Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart
  • Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart
  • Added support for configuring NodeSelector in the Envoy Gateway helm chart
  • Added support for nonce in the OIDC auth flow
  • Added support for choosing an HTTPRoute’s non-wildcard hostname as the default Host
  • Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails
  • Added support for returning 500 when SecurityPolicy translation fails
  • Added support for multiple backendRefs for ExtAuth and ExtProc
  • Added support for session persistence in HTTPRoute rules
  • Added support for the Backend resource for ExtAuth
  • Added support for target selectors on Envoy Gateway Extension Server policies
  • Added support for non-Kubernetes Backends for TLSRoute
  • Added support for fallback to the Backend API
  • Added support for reloadable EnvoyGateway configuration
  • Added support for adding Labels to the Envoy Service
  • Added support for custom name for ratelimit deployment
  • Added default SecurityContext for EG components
  • Added startupProbe to all provisioned containers
  • Added support for local validations for egctl translate and file provider
  • Added support for egctl x collect to collect information from the cluster for debugging
  • Added support for a native prometheus metrics endpoint in the ratelimit server

Bug fixes

  • Fixed unsupported listener protocol type causing an error while updating Gateway Status
  • Fixed some status updates were being discarded by the status updater
  • Fixed Gateway crash adding BackendTLSPolicy to External Backend of an HTTPRoute
  • Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors
  • Fixed JSONPath not correctly translated to JSONPatch paths
  • Fixed allow empty slowStart when using LeastRequest
  • Fixed Backends which should be rejected are still used as an HTTPRoute’s destination
  • Fixed losing timeout settings that originate from the route when translating the backend traffic policy
  • Fixed Backend resources don’t get status updates
  • Fixed Active Health check requires expectedStatuses field to work
  • Fixed HTTPHeaderFilter processing doesn’t correctly support multiple header values
  • Fixed multiple reference grants in same namespace
  • Fixed upstream get unwanted /.
  • Fixed creation of SecurityPolicy with targetSelectors fails
  • Fixed wrong gateway is chosen as HTTPRoute parent
  • Fixed override issue for EEP
  • Fixed nil pointer err translating hash load balancing
  • Fixed ratelimit does not work across multiple GatewayClasses
  • Fixed upstream mTLS only works for HTTPS listeners
  • Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not
  • Fixed empty connection limit causes XDS rejection
  • Fixed ratelimit not working with both headers and cidr matches
  • Fixed EDS didn’t update when deployments was created after services
  • Fixed RBAC issue for deleting infrastructure resources
  • Fixed customized infrastructure resources not being deleted
  • Fixed Gateways never become ready/programmed when running Envoy as a Daemonset
  • Fixed Ratelimit Deployment ignoring pod labels and annotation merge
  • Fixed the API Server receives unnecessary requests
  • Fixed terminating envoy pods don’t respond with “Connection: close” (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy
  • Fixed ratelimit statsd not working
  • Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy
  • Fixed egctl experimental translate using a wrong ns

Performance improvements

  • Fixed repeated resources and optimize memory usage

Other changes

  • Removed grafana test framework from the addons helm chart
  • Disabled ALPN for non-HTTP routes
  • Added statPrefix for HCM and TCPProxy
  • Enabled GatewayHTTPListenerIsolation conformance test
  • Enabled GRPC conformance profile
  • Enabled HTTPRouteBackendRequestHeaderModifier conformance test
  • Added e2e test for Daemonset mode
  • Updated upgrades tests to use VERSION env variable
  • Fixed OVS scanner wrong license warnings
  • Added e2e test for TLS session resumption
  • Added heap profile into benchmark report
  • Added e2e test for RecomputeRoute in ExtAuth
  • Added benchmark memory profiles into report
  • Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test
  • Fixed flaky Zipkin Tracing e2e test
  • Added e2e test for cookie based consistent hash load balancing
  • Added e2e test for load balancing
  • Fixed flaky authorization tests
  • Enabled upgrade test
  • Fixed flaky basic auth e2e test
  • Enabled use-client-protocol e2e test
  • Added performance benchmarking test for 1000 HTTPRoutes
  • Added e2e test for Datadog tracing
  • Added e2e tests for ratelimit invert matching headers
  • Reduced readinessProbe failureThreshold and periodSeconds
  • Bumped go-control-plane to v0.13.1

3.1.9 - v1.1.2

Date: September 24, 2024

Translator

  • Fixed handling of sectionName in BackendTLSPolicy for Backend resource

Infra-manager

  • Pin Envoy Proxy version to v1.32.2
  • Change Envoy listener drain strategy from gradual to immediate

Providers

  • Fixed reconciliation of HTTPRoutes when labels change

3.1.10 - v1.1.1

Date: September 11, 2024

Documentation

  • Bumped Golang version to 1.22.7

Conformance

  • Enabled GatewayHTTPListenerIsolation test

Testing

  • Fix download URL of envoy proxy WASM examples used in tests

Translator

  • Fixed url rewrite to remove trailing slash
  • Isolate HTTP route tables to listener according to Gateway-API specifications
  • Fixed identification of ReferenceGrant when multiple ReferenceGrants exist in a namespace
  • Fixed added header values as a command and space delimited list
  • Fixed assertion on expected status in active HTTP healthcheck
  • Fixed rejection of invalid Backends referenced by xRoutes
  • Fixed support for empty SlowStart configuration when using LeastRequest loadbalancing
  • Fixed update of status for Backends

Infra-manager

  • Pin ratelimit version to 26f28d78
  • Reduce readinessProbe failureThreshold and periodSeconds of proxy
  • Expose ratelimit statsd

Providers

  • Fixed error returned when referenced Configmap or Secret is not found
  • Use component name in Envoy Gateway logs

3.1.11 - v1.1.0

Date: July 22, 2024

Documentation

  • Added Concepts Doc
  • Added User Guide for Wasm Extension
  • Added User Guide for patching Envoy Service
  • Added User Guide for Backend MTLS
  • Added User Guide for Backend TLS Parameters
  • Added User Guide for IP Allowlist/Denylist
  • Added User Guide for Extension Server
  • Added User Guide for building Wasm image
  • Added Performance Benchmarking Document
  • Added User Guide for Zipkin Tracing
  • Added User Guide for Customizing Ordering of Filters
  • Added User Guide for External Processing Filter in EnvoyExtensionPolicy
  • Added User Guide for installation of egctl with brew
  • Added User Guide for Client Buffer Size Limit
  • Added User Guide for Client Idle Timeout
  • Added Chinese translation for release notes, roadmap, installation, development, contribution and several User Guides
  • Added User Guide for Backend resource
  • Added GA Blog Post
  • Added Threat Model
  • Added Adopters section to docs
  • Added User Guide and Dashboards for Control Plane and Resource Observability
  • Added User Guide for Connection Limits in ClientTrafficPolicy
  • Added User Guide on using Private Key Provider
  • Added Design Doc for Authorization
  • Added Design Doc for XDS Metadata
  • Added Design Doc for Backend resource
  • Added Design Doc for Control Plane Observability
  • Added Design Doc for EnvoyExtensionPolicy
  • Added Design Doc for External Processing in EnvoyExtensionPolicy
  • Updated Access Logging User Guide to include filtering with CEL Expression
  • Updated Access Logging User Guide to include Metadata
  • Updated Development Guide to require Golang 1.22
  • Updated Quickstart User Guide to fetch GATEWAY_HOST from Gateway resource
  • Updated Site to reflect GA status
  • Updated HTTP Redirect User Guide to not set a redirect port or require a BackendRef
  • Updated Observability User Guides to use gateway-addons-helm
  • Updated Gateway-API User Guide to reflect support for BackendRef filters
  • Updated HTTP Timeouts User Guide to highlight default Envoy timeouts
  • Updated Installation Guide to use server-side apply
  • Updated Installation Guide to refer to values.yaml docs
  • Updated BackendTLSPolicy User Guide to GW-API v1.1.0
  • Updated User Guides to use tabs when applying yaml from file or stdin
  • Updated OIDC User Guide to use HTTPS redirect URLs
  • Updated Order of versions in Site
  • Updated Extensbility User Gudie to use yaml-format patches
  • Updated Quickstart Guide to include next steps
  • Updated CRD docs to include enum values
  • Updated Extensibility User Guide with Envoy Patch Policy examples
  • Updated structure of docs: rename Guides to Tasks, move Contribution
  • Updated Support Matrix
  • Updated egctl x status docs for xRoute and xPolicy
  • Updated egctl User Guide with Install and Uninstall commands
  • Updated GRPCRoute docs to use v1 instead of v1alpha2
  • Fixed Rate Limiting User Guide to use correct CIDR matcher type names
  • Fixed User Guide for JWT-based routing
  • Fixed JSON Access Log Example
  • Use linkinator to detect dead links in docs
  • Use helm-docs to generate chart docs
  • Support Not-Implemented-Hide marker in API docs

Installation

  • Added startupProbe to all provisioned containers to reduce risk of restart
  • Added new gateway-addons-helm chart for Observability
  • Added support for global image settings for all images in Envoy Gateway helm chart
  • Added Support for PodDistruptionBudget for Envoy Gateway
  • Added Support for TopologySpreadConstraints for Envoy Gateway
  • Added Support for Tolerations for Envoy Gateway
  • Added Support for Ratelimit image pull secrets and pull policy
  • Updated ttlSecondsAfterFinished on certgen job to 30 by default
  • Updated Envoy Gateway ImagePullPolicy to IfNotPresent released charts
  • Remove envoy-gateway-metrics-service and merge its contents into envoy-gateway service

API

  • Added Support for Gateway-API v1.1.0
  • Added new Backend CRD
  • Added new EnvoyExtensionPolicy CRD
  • Added Support for Plural Target Refs and Target Selectors in xPolicy CRDs
  • Added Support for Backend CRD BackendRefs in HTTPRoute, GRPCRoute and EnvoyExtensionPolicy CRDs
  • Added Support for Custom Extension Server Policy CRDs in EnvoyGateway Config
  • Added Support for Custom ShutDownManager Image in EnvoyGateway Config
  • Added Support for Leader Election in EnvoyGateway Config
  • Added Support for Connecting to Extension Server over Unix Domain Socket in EnvoyGateway Config
  • Added Support for Proxy PodDisruptionBudget in EnvoyProxy CRD
  • Added Support for Running Envoy Proxy as a Daemonset in EnvoyProxy CRD
  • Added Support for Proxy Loadbalancer Source Ranges in EnvoyProxy CRD
  • Added Support for Proxy Prometheus Metrics Compression in EnvoyProxy CRD
  • Added Support for BackendRefs in Access Log, Metric and Trace Sinks in EnvoyProxy CRD
  • Added Support for Rate Limiting Tracing in EnvoyProxy CRD
  • Added Support for Routing to Service IP in EnvoyProxy CRD
  • Added Support for Access Log CEL filters in EnvoyProxy CRD
  • Added Support for Access Log Formatters for File and OpenTelemetry in EnvoyProxy CRD
  • Added Support for Zipkin Tracing in EnvoyProxy CRD
  • Added Support for using the Listener port as a the Container port in EnvoyProxy CRD
  • Added Support for OpenTelemtry Sink Export Settings in EnvoyProxy CRD
  • Added Support for Backend Client Certificate Authentication in EnvoyProxy CRD
  • Added Support for Backend TLS Settings in EnvoyProxy CRD
  • Added Support for HTTP Filter Ordering in EnvoyProxy CRD
  • Added Support for gRPC Access Log Service (ALS) Sink in EnvoyProxy CRD
  • Added Support for OpenTelelemetry Sinks as a BackendRef in EnvoyProxy CRD
  • Added Support for User-Provided name for generate Kubernetes resources in EnvoyProxy CRD
  • Added Support for Per-Endpoint stats in EnvoyProxy CRD
  • Added Support for Targeting SectionNames in ClientTrafficPolicy CRD
  • Added Support for Preserving X-Request-ID header in ClientTrafficPolicy CRD
  • Added Support for Using Downstream Protocol in Upstream connections in ClientTrafficPolicy CRD
  • Added Support for HTTP/2 settings in ClientTrafficPolicy CRD
  • Added Support for Connection Buffer Size Limit in ClientTrafficPolicy CRD
  • Added Support for HTTP Health Check in ClientTrafficPolicy CRD
  • Added Support for Optionally requiring a Client Certificate in ClientTrafficPolicy CRD
  • Added Support for Headers with Underscores CRD in ClientTrafficPolicy CRD
  • Added Support for XFCC header processing in ClientTrafficPolicy CRD
  • Added Support for TCP Listener Idle Timeout in ClientTrafficPolicy CRD
  • Added Support for IdleTimeout in ClientTrafficPolicy CRD
  • Added Support for Connection Limits in ClientTrafficPolicy CRD
  • Added Support for additional OIDC settings related to Resource, Token and Cookie in SecurityPolicy CRD
  • Added Support for Optionally requiring a JWT in SecurityPolicy CRD
  • Added Support for BackendRefs for Ext-Auth in SecurityPolicy CRD
  • Added Support for Authorization in SecurityPolicy CRD
  • Added Support for Ext-Auth failOpen in SecurityPolicy CRD
  • Added Support for Loadbalancer Cookie Consistent Hashing in BackendTrafficPolicy CRD
  • Added Support for Disabling X-RateLimit headers in BackendTrafficPolicy CRD
  • Added Support for Connection Buffer Size Limit in BackendTrafficPolicy CRD
  • Added Support for Loadbalancing Consistent Hash Table Size in BackendTrafficPolicy CRD
  • Added Support for Loadbalancing Header Hash Policy in BackendTrafficPolicy CRD
  • Added Support for Cluster Connection Buffer Size Limit in BackendTrafficPolicy
  • Added Support for more Rate Limit Rules in BackendTrafficPolicy CRD
  • Added Support for Wasm extension in EnvoyExtensionPolicy CRD
  • Added Support for External Processing extension in EnvoyExtensionPolicy CRD
  • Removed Status Print Column from xPolicy CRDs

Breaking Changes

  • SecurityPolicy translation failures will now cause routes referenced by the policy to return an immediate 500 response
  • Gateway-API BackendTLSPolicy v1alpha3 is incompatible with previous versions of the CRD
  • xPolicy targetRefs can no longer specify a namespace, since Gateway-API v1.1.0 uses LocalPolicyTargetReferenceWithSectionName in Policy resources

Deprecations

  • xPolicy targetRef is deprecated, use targetRefs instead
  • SecurityPolicy ExtAuth BackendRef is deprecated, use BackendRefs instead
  • OpenTelemetry Proxy Access Log Host and Port are deprecated, use backendRefs instead
  • OpenTelemetry Proxy Metrics Sink Host and Port are deprecated, use backendRefs instead
  • Proxy Tracing Provider Host and Port are deprecated, use backendRefs instead
  • Envoy Gateway Extension Server Host and Port are deprecated, use BackendEndpoint instead

Conformance

  • Added Supported Features to Gateway Class

Testing

  • Added e2e test for Client MTLS
  • Added e2e test for Load Balancing
  • Added performance benchmarking test
  • Added e2e test for Zipking Tracing
  • Added e2e test for HTTP Health Checks
  • Added e2e test for CEL Access Log Filter
  • Added e2e test for GRPC Access Log Service Sink
  • Added e2e test for XDS Metadata
  • Added e2e test for Wasm from OCI Images and HTTP Source
  • Added e2e test for Service IP Routing
  • Added e2e test for Multiple GatewayClasses
  • Added e2e test for HTTP Full Path rewrite
  • Added e2e test for Backend API
  • Added e2e test for Backend TLS Settings
  • Added e2e test for disabling X-RateLimit Headers
  • Added e2e test for Authorization
  • Added e2e test for BackendRefs in Ext-Auth
  • Added e2e test for Using Client Protocol in Upstream Connection
  • Added e2e test for Backend Client Cert Authentication
  • Added e2e test for External Processing Filter
  • Added e2e test for Merge Gateways Feature
  • Added e2e test for Option JWT authentication
  • Added e2e test for Infrastructure using Server-Side Apply
  • Added e2e test for Connection Limits
  • Added e2e test for Envoy Graceful Shutdown
  • Updated e2e test for Limit to cover multiple listeners
  • Updated e2e test for CORS to not require access-control-expose-headers
  • Run CEL tests on all supported K8s versions
  • Added OSV Scanner for Golang Vulnerabilities and Licenses
  • Added Trivy scanner for Docker images

Translator

  • Added Support for BackendRef HTTP Filters
  • Added Support for attaching EnvoyProxy to Gateways
  • Added Support for cross-namespace EnvoyProxy reference from GatewayClass
  • Added Support for Backend Traffic Policy for UDPRoute and TCPRoute
  • Added Support for ClientTrafficPolicy for UDPRoute and TCPRoute
  • Added Support for multiple BackendRefs in TCPRoute and UDPRoute
  • Added Metrics related to XDS Server, Infra Manager and Controller
  • Added Support for PolicyStatus in EnvoyPatchPolicy
  • Added Support for Websocket upgrades in HTTP/1 Routes
  • Added Support for custom controller name in egctl
  • Added Support for BackendTLSPolicy CA Certificate reference to Secret
  • Added names to Filter Chains
  • Added Support extension server hooks for TCP and UDP listeners
  • Added Support for attaching EnvoyProxy resource to Gateways
  • Added Support for Exposing Prometheus Port in Rate Limiter Service
  • Added Support for Optional Rate Limit Backend Redis
  • Updated OAuth2 filter to preserve Authorization header if OIDC token forwarding is enabled
  • Updated Default Filter Order to have Fault filter first in the HTTP Filter Chain
  • Updated Ext-Auth Per-Route config to use filter-specific Config Type
  • Updated Overload Manager configuration according to Envoy recommendations by default
  • Updated Infrastructure resource management to user Server-Side Apply
  • Updated Reflection of Errors in Gateway Status when too many addresses are assigned
  • Fixed enforcement of same-namespace for BackendTLSPolicy and target
  • Fixed processing all listeners before returning with an error
  • Fixed creation of infrastructure resources if there are no listeners
  • Fixed use GatewayClass Name for Observability if Merge Gateways is enabled
  • Fixed CORS to not forward Not-Matching Preflights to Backends
  • Fixed BackendTLSPolicy status to fully conform with PolicyStatus
  • Fixed duplication of Ext-Auth, OIDC and Basic Auth Filters
  • Fixed Proxy Protocol Filter to always be the first Listener Filter
  • Fixed Translation Consistency by sorting Gateways
  • Fixed QUIC Listener to only Advertise HTTP/3 over ALPN
  • Fixed SNI matching for TCP Routes with TLS termination
  • Fixed Reconciliation when EnvoyProxy backendRefs changes
  • Fixed Reconciliation when a referenced Secret or ConfigMap changes
  • Fixed ReplaceFullPath not working for root path
  • Fixed Default Application Protocol to TCP for Zipkin Tracing
  • Fixed not appending well-known ports (80, 443) in rediret Location header

Providers

  • Bumped K8s Client to v0.30.0

xDS

  • Bumped go-control-plane to v0.12.1

Cli

  • Added egctl x collect command
  • Added Support for Install and Uninstall commands to egctl
  • Added Support for xRoute and xPolicy in egctl x status
  • Added Golang version to Envoy Gateway version command
  • Fixed egctl x status gatewayclass example message

3.1.12 - v1.1.0-rc.1

Date: July 8, 2024

Documentation

  • Added Performance Benchmarking Document
  • Added User Guide for Zipkin Tracing
  • Added User Guide for Customizing Ordering of Filters
  • Added User Guide for External Processing Filter in EnvoyExtensionPolicy
  • Added User Guide for installation of egctl with brew
  • Added User Guide for Client Buffer Size Limit
  • Added User Guide for Client Idle Timeout
  • Added Chinese translation for release notes, roadmap, installation, development, contribution and several User Guides
  • Added User Guide for Backend resource
  • Added GA Blog Post
  • Added Threat Model
  • Added Adopters section to docs
  • Added User Guide and Dashboards for Control Plane and Resource Observability
  • Added User Guide for Connection Limits in ClientTrafficPolicy
  • Added User Guide on using Private Key Provider
  • Added Design Doc for Authorization
  • Added Design Doc for XDS Metadata
  • Added Design Doc for Backend resource
  • Added Design Doc for Control Plane Observability
  • Added Design Doc for EnvoyExtensionPolicy
  • Added Design Doc for External Processing in EnvoyExtensionPolicy
  • Updated Access Logging User Guide to include filtering with CEL Expression
  • Updated Access Logging User Guide to include Metadata
  • Updated Development Guide to require Golang 1.22
  • Updated Quickstart User Guide to fetch GATEWAY_HOST from Gateway resource
  • Updated Site to reflect GA status
  • Updated HTTP Redirect User Guide to not set a redirect port or require a BackendRef
  • Updated Observability User Guides to use gateway-addons-helm
  • Updated Gateway-API User Guide to reflect support for BackendRef filters
  • Updated HTTP Timeouts User Guide to highlight default Envoy timeouts
  • Updated Installation Guide to use server-side apply
  • Updated Installation Guide to refer to values.yaml docs
  • Updated BackendTLSPolicy User Guide to GW-API v1.1.0
  • Updated User Guides to use tabs when applying yaml from file or stdin
  • Updated OIDC User Guide to use HTTPS redirect URLs
  • Updated Order of versions in Site
  • Updated Extensbility User Gudie to use yaml-format patches
  • Updated Quickstart Guide to include next steps
  • Updated CRD docs to include enum values
  • Updated Extensibility User Guide with Envoy Patch Policy examples
  • Updated structure of docs: rename Guides to Tasks, move Contribution
  • Updated Support Matrix
  • Updated egctl x status docs for xRoute and xPolicy
  • Updated egctl User Guide with Install and Uninstall commands
  • Updated GRPCRoute docs to use v1 instead of v1alpha2
  • Fixed Rate Limiting User Guide to use correct CIDR matcher type names
  • Fixed User Guide for JWT-based routing
  • Fixed JSON Access Log Example
  • Use linkinator to detect dead links in docs
  • Use helm-docs to generate chart docs
  • Support Not-Implemented-Hide marker in API docs

Installation

  • Added new gateway-addons-helm chart for Observability
  • Added support for global image settings for all images in Envoy Gateway helm chart
  • Added Support for PodDistruptionBudget for Envoy Gateway
  • Added Support for TopologySpreadConstraints for Envoy Gateway
  • Added Support for Tolerations for Envoy Gateway
  • Added Support for Ratelimit image pull secrets and pull policy
  • Updated ttlSecondsAfterFinished on certgen job to 30 by default
  • Updated Envoy Gateway ImagePullPolicy to IfNotPresent released charts
  • Remove envoy-gateway-metrics-service and merge its contents into envoy-gateway service

API

  • Added Support for Gateway-API v1.1.0
  • Added new Backend CRD
  • Added new EnvoyExtensionPolicy CRD
  • Added Support for Plural Target Refs and Target Selectors in xPolicy CRDs
  • Added Support for Backend CRD BackendRefs in HTTPRoute, GRPCRoute and EnvoyExtensionPolicy CRDs
  • Added Support for Custom Extension Server Policy CRDs in EnvoyGateway Config
  • Added Support for Custom ShutDownManager Image in EnvoyGateway Config
  • Added Support for Leader Election in EnvoyGateway Config
  • Added Support for Connecting to Extension Server over Unix Domain Socket in EnvoyGateway Config
  • Added Support for Proxy PodDisruptionBudget in EnvoyProxy CRD
  • Added Support for Running Envoy Proxy as a Daemonset in EnvoyProxy CRD
  • Added Support for Proxy Loadbalancer Source Ranges in EnvoyProxy CRD
  • Added Support for Proxy Prometheus Metrics Compression in EnvoyProxy CRD
  • Added Support for BackendRefs in Access Log, Metric and Trace Sinks in EnvoyProxy CRD
  • Added Support for Rate Limiting Tracing in EnvoyProxy CRD
  • Added Support for Routing to Service IP in EnvoyProxy CRD
  • Added Support for Access Log CEL filters in EnvoyProxy CRD
  • Added Support for Access Log Formatters for File and OpenTelemetry in EnvoyProxy CRD
  • Added Support for Zipkin Tracing in EnvoyProxy CRD
  • Added Support for using the Listener port as a the Container port in EnvoyProxy CRD
  • Added Support for OpenTelemtry Sink Export Settings in EnvoyProxy CRD
  • Added Support for Backend Client Certificate Authentication in EnvoyProxy CRD
  • Added Support for Backend TLS Settings in EnvoyProxy CRD
  • Added Support for HTTP Filter Ordering in EnvoyProxy CRD
  • Added Support for gRPC Access Log Service (ALS) Sink in EnvoyProxy CRD
  • Added Support for OpenTelelemetry Sinks as a BackendRef in EnvoyProxy CRD
  • Added Support for User-Provided name for generate Kubernetes resources in EnvoyProxy CRD
  • Added Support for Per-Endpoint stats in EnvoyProxy CRD
  • Added Support for Targeting SectionNames in ClientTrafficPolicy CRD
  • Added Support for Preserving X-Request-ID header in ClientTrafficPolicy CRD
  • Added Support for Using Downstream Protocol in Upstream connections in ClientTrafficPolicy CRD
  • Added Support for HTTP/2 settings in ClientTrafficPolicy CRD
  • Added Support for Connection Buffer Size Limit in ClientTrafficPolicy CRD
  • Added Support for HTTP Health Check in ClientTrafficPolicy CRD
  • Added Support for Optionally requiring a Client Certificate in ClientTrafficPolicy CRD
  • Added Support for Headers with Underscores CRD in ClientTrafficPolicy CRD
  • Added Support for XFCC header processing in ClientTrafficPolicy CRD
  • Added Support for TCP Listener Idle Timeout in ClientTrafficPolicy CRD
  • Added Support for IdleTimeout in ClientTrafficPolicy CRD
  • Added Support for Connection Limits in ClientTrafficPolicy CRD
  • Added Support for additional OIDC settings related to Resource, Token and Cookie in SecurityPolicy CRD
  • Added Support for Optionally requiring a JWT in SecurityPolicy CRD
  • Added Support for BackendRefs for Ext-Auth in SecurityPolicy CRD
  • Added Support for Authorization in SecurityPolicy CRD
  • Added Support for Ext-Auth failOpen in SecurityPolicy CRD
  • Added Support for Loadbalancer Cookie Consistent Hashing in BackendTrafficPolicy CRD
  • Added Support for Disabling X-RateLimit headers in BackendTrafficPolicy CRD
  • Added Support for Connection Buffer Size Limit in BackendTrafficPolicy CRD
  • Added Support for Loadbalancing Consistent Hash Table Size in BackendTrafficPolicy CRD
  • Added Support for Loadbalancing Header Hash Policy in BackendTrafficPolicy CRD
  • Added Support for Cluster Connection Buffer Size Limit in BackendTrafficPolicy
  • Added Support for more Rate Limit Rules in BackendTrafficPolicy CRD
  • Added Support for Wasm extension in EnvoyExtensionPolicy CRD
  • Added Support for External Processing extension in EnvoyExtensionPolicy CRD
  • Removed Status Print Column from xPolicy CRDs

Breaking Changes

  • Gateway-API BackendTLSPolicy v1alpha3 is incompatible with previous versions of the CRD
  • xPolicy targetRefs can no longer specify a namespace, since Gateway-API v1.1.0 uses LocalPolicyTargetReferenceWithSectionName in Policy resources

Deprecations

  • xPolicy targetRef is deprecated, use targetRefs instead
  • SecurityPolicy ExtAuth BackendRef is deprecated, use BackendRefs instead
  • OpenTelemetry Proxy Access Log Host and Port are deprecated, use backendRefs instead
  • OpenTelemetry Proxy Metrics Sink Host and Port are deprecated, use backendRefs instead
  • Proxy Tracing Provider Host and Port are deprecated, use backendRefs instead
  • Envoy Gateway Extension Server Host and Port are deprecated, use BackendEndpoint instead

Conformance

  • Added Supported Features to Gateway Class

Testing

  • Added performance benchmarking test
  • Added e2e test for Zipking Tracing
  • Added e2e test for HTTP Health Checks
  • Added e2e test for CEL Access Log Filter
  • Added e2e test for GRPC Access Log Service Sink
  • Added e2e test for XDS Metadata
  • Added e2e test for Wasm from OCI Images and HTTP Source
  • Added e2e test for Service IP Routing
  • Added e2e test for Multiple GatewayClasses
  • Added e2e test for HTTP Full Path rewrite
  • Added e2e test for Backend API
  • Added e2e test for Backend TLS Settings
  • Added e2e test for disabling X-RateLimit Headers
  • Added e2e test for Authorization
  • Added e2e test for BackendRefs in Ext-Auth
  • Added e2e test for Using Client Protocol in Upstream Connection
  • Added e2e test for Backend Client Cert Authentication
  • Added e2e test for External Processing Filter
  • Added e2e test for Merge Gateways Feature
  • Added e2e test for Option JWT authentication
  • Added e2e test for Infrastructure using Server-Side Apply
  • Added e2e test for Connection Limits
  • Added e2e test for Envoy Graceful Shutdown
  • Updated e2e test for Limit to cover multiple listeners
  • Updated e2e test for CORS to not require access-control-expose-headers
  • Run CEL tests on all supported K8s versions
  • Added OSV Scanner for Golang Vulnerabilities and Licenses
  • Added Trivy scanner for Docker images

Translator

  • Added Support for BackendRef HTTP Filters
  • Added Support for attaching EnvoyProxy to Gateways
  • Added Support for cross-namespace EnvoyProxy reference from GatewayClass
  • Added Support for Backend Traffic Policy for UDPRoute and TCPRoute
  • Added Support for ClientTrafficPolicy for UDPRoute and TCPRoute
  • Added Support for multiple BackendRefs in TCPRoute and UDPRoute
  • Added Metrics related to XDS Server, Infra Manager and Controller
  • Added Support for PolicyStatus in EnvoyPatchPolicy
  • Added Support for Websocket upgrades in HTTP/1 Routes
  • Added Support for custom controller name in egctl
  • Added Support for BackendTLSPolicy CA Certificate reference to Secret
  • Added names to Filter Chains
  • Added Support extension server hooks for TCP and UDP listeners
  • Added Support for attaching EnvoyProxy resource to Gateways
  • Added Support for Exposing Prometheus Port in Rate Limiter Service
  • Added Support for Optional Rate Limit Backend Redis
  • Updated OAuth2 filter to preserve Authorization header if OIDC token forwarding is enabled
  • Updated Default Filter Order to have Fault filter first in the HTTP Filter Chain
  • Updated Ext-Auth Per-Route config to use filter-specific Config Type
  • Updated Overload Manager configuration according to Envoy recommendations by default
  • Updated Infrastructure resource management to user Server-Side Apply
  • Updated Reflection of Errors in Gateway Status when too many addresses are assigned
  • Fixed enforcement of same-namespace for BackendTLSPolicy and target
  • Fixed processing all listeners before returning with an error
  • Fixed creation of infrastructure resources if there are no listeners
  • Fixed use GatewayClass Name for Observability if Merge Gateways is enabled
  • Fixed CORS to not forward Not-Matching Preflights to Backends
  • Fixed BackendTLSPolicy status to fully conform with PolicyStatus
  • Fixed duplication of Ext-Auth, OIDC and Basic Auth Filters
  • Fixed Proxy Protocol Filter to always be the first Listener Filter
  • Fixed Translation Consistency by sorting Gateways
  • Fixed QUIC Listener to only Advertise HTTP/3 over ALPN
  • Fixed SNI matching for TCP Routes with TLS termination
  • Fixed Reconciliation when EnvoyProxy backendRefs changes
  • Fixed Reconciliation when a referenced Secret or ConfigMap changes
  • Fixed ReplaceFullPath not working for root path
  • Fixed Default Application Protocol to TCP for Zipkin Tracing
  • Fixed not appending well-known ports (80, 443) in rediret Location header

Providers

  • Bumped K8s Client to v0.30.0

xDS

  • Bumped go-control-plane to v0.12.1

Cli

  • Added Support for Install and Uninstall Commands to egctl
  • Added Support for xRoute and xPolicy in egctl x status
  • Added Golang version to Envoy Gateway version command
  • Fixed egctl x status gatewayclass example message

3.1.13 - v1.0.2

Date: June 12, 2024

Installation

  • Updated EnvoyProxy to 1.29.5
  • Use Patch API for infra-client
  • Use ServerSideApply instead of CreateOrUpdate for infra-client

Testing

  • Fixed failures due to an expired certificate in one of the translator tests

Translator

  • Use - for naming service and container ports
  • Added proxy protocol always as first listenerFilter
  • Set ignoreCase for header matchers in extAuth
  • Added backend TLS SAN validation
  • Fixed ReplaceFullPath not working for root path (/)

Providers

  • Fixed duplicated xroutes are added to gatewayapi Resources
  • Fixed security policy reference grant from field type
  • Fixed Route extension filters with different types but the same name and namespace aren’t correctly cached
  • Fixed secrets/configmap updates to trigger a controller reconcile by removing the generationChanged predicate
  • Removed namespace restriction for EnvoyProxy parametersRef

3.1.14 - v1.0.1

Date: April 9, 2024

Installation

  • Updated EnvoyProxy version to v1.29.3
  • Fixed certgen to support creating the hmac secret during an upgrade

Translator

  • Fixed nil secret in resourceversiontable
  • Add missing http filters to the http filter chain when ClientTrafficPolicy and MergeGateways is enabled
  • Allow websockets when url rewrite is enabled
  • Set the Host header for http health checker
  • Fixed double slashes in redirect URL
  • Allow ClientTrafficPolicy to attach to multiple http (non https) listeners within the same Gateway
  • Set path prefix for the http ext auth service
  • Set the route matching precedence order to Exact > RegularExpression > PathPrefix
  • Fixed infraIR duplicate port translation for merged gateways
  • Set SpawnUpstreamSpan to true
  • Allow rate limit to work with multiple listeners

Infra-manager

  • Skip creating infra resources when the InfraIR has empty listeners

3.1.15 - v1.0.0

Date: March 13, 2024

Documentation

  • Added User Guide for Local Ratelimit
  • Added User Guide for Circuit Breaker
  • Added User Guide for fault injection
  • Added User Guide for EnvoyProxy extraArgs
  • Added User Guide for Timeouts in ClientTrafficPolicy
  • Added User Guide for JWT claim base routing
  • Added User Guide for HTTP Timeout
  • Added User Guide for Retry in BackendTrafficPolicy
  • Added User Guide for Basic Auth
  • Added User Guide for OIDC
  • Added User Guide for ClientTrafficPolicy
  • Added User Guide for BackendTrafficPolicy
  • Added User Guide for Basic Auth using HTTPS
  • Added User Guide for External Authorization
  • Added User Guide for Routing Outside Kubernetes
  • Added User Guide for BackendTLSPolicy
  • Added User Guide for Mutual TLS from External Clients to the Gateway
  • Added User Guide for Control Plane Authentication using custom certs
  • Added User Guide for Multiple Gatewayclass and Merge Gateways Deployment Mode
  • Added Type and required for CRD API doc
  • Refactored Structure of User Guide docs
  • Refactored Move Design docs under “Get Involved”
  • Updated crd-ref-docs to 0.0.10
  • Updated Envoy proxy image to envoy:distroless-dev in main

Installation

  • Added Support for Pulling envoyGateway image from a private registry
  • Added Support for Configuring resources for certgen job
  • Added Support for Configuring affinity for EnvoyGateway pod

API

  • Added Support for Downstream QUIC/HTTP3 in ClientTrafficPolicy CRD
  • Added Support for Downstream MTLS in ClientTrafficPolicy CRD
  • Added Support for Enabling EnvoyHeaders in ClientTrafficPolicy CRD
  • Added Support for DisableMergeSlash and escapedSlashesAction in ClientTrafficPolicy CRD
  • Added Support for EnableTrailers in HTTP/1.1 in ClientTrafficPolicy CRD
  • Added Support for Preserving header letter-case on HTTP/1 in ClientTrafficPolicy CRD
  • Added Support for Enabling HTTP/1.0 and HTTP/0.9 in ClientTrafficPolicy CRD
  • Added Support for Client IP Detection using XFF in ClientTrafficPolicy CRD
  • Added Support for Client IP Detection using Custom Header in ClientTrafficPolicy CRD
  • Added Support for Connection Timeouts in ClientTrafficPolicy CRD
  • Added Support for Common TLS configuration properties in ClientTrafficPolicy CRD
  • Added Support for Proxy protocol in ClientTrafficPolicy CRD
  • Added Support for TCPKeepAlive in ClientTrafficPolicy CRD
  • Added Support for Local rate limit in BackendTrafficPolicy CRD
  • Added Support for CircuitBreaker in BackendTrafficPolicy CRD
  • Added Support for Fault injection in BackendTrafficPolicy CRD
  • Added Support for Passive Health Checks in BackendTrafficPolicy CRD
  • Added Support for Active Health Checks in BackendTrafficPolicy CRD
  • Added Support for Connection Timeouts in BackendTrafficPolicy CRD
  • Added Support for Compressor/Decompressor in BackendTrafficPolicy CRD
  • Added Support for Retry in BackendTrafficPolicy CRD
  • Added Support for Slow start mode in BackendTrafficPolicy CRD
  • Added Support for Proxy protocol in BackendTrafficPolicy CRD
  • Added Support for TCPKeepAlive in BackendTrafficPolicy CRD
  • Added Support for PolicyStatus in BackendTrafficPolicy CRD
  • Added Support for PolicyStatus in ClientTrafficPolicy CRD
  • Added Support for PolicyStatus in SecurityPolicy CRD
  • Added Support for OIDC in SecurityPolicy CRD
  • Added Support for Basic Auth in SecurityPolicy CRD
  • Added Support for RedirectURL and signoutPath to OIDC in SecurityPolicy CRD
  • Added Support for ExtractFrom headers and params to JWT in SecurityPolicy CRD
  • Added Support for External Authorization in SecurityPolicy CRD
  • Added Support for RecomputeRoute field to JWT in SecurityPolicy CRD
  • Added Support for AllowCredentials knob to CORS setting in SecurityPolicy CRD
  • Added Support for Extract from different identifier to JWT in SecurityPolicy CRD
  • Added Support for Secret resource in EnvoyPatchPolicy CRD
  • Added Support for Making the value optional for JSONPatchOperation in EnvoyPatchPolicy CRD
  • Added Support for From field to JSONPatchOperation in EnvoyPatchPolicy CRD
  • Added Support for MergeGateways in EnvoyPatchPolicy CRD
  • Added Support for Upstream TLS by implementing BackendTLSPolicy CRD
  • Added Support for LabelSelector type for NamespaceSelectors in EnvoyGateway Configuration
  • Added Support for Ratelimit prometheus in EnvoyGateway Configuration
  • Added Support for Gracefully drain listeners before envoy shutdown on pod termination in EnvoyProxy CRD
  • Added Support for Configuring externalTrafficPolicy to the envoy service in EnvoyProxy CRD
  • Added Support for Envoy extra args in EnvoyProxy CRD
  • Added Support for Mergepatch to envoyproxy/ratelimit deployment in EnvoyProxy CRD
  • Added Support for Mergepatch to envoyproxy service in EnvoyProxy CRD
  • Added Support for NodeSelector to PodSpec in EnvoyProxy CRD
  • Added Support for HorizontalPodAutoscaler in EnvoyProxy CRD
  • Added Support for TopologySpreadConstraints to PodSpec in EnvoyProxy CRD
  • Added Support for ImagePullSecrets to PodSpec in EnvoyProxy CRD

Breaking Changes

  • Use wildcard to match AllowOrigins to CORS in SecurityPolicy CRD
  • Remove Hostnetwork support in EnvoyProxy CRD

Conformance

  • Replaced backend image from gcr.io/k8s-staging-ingressconformance/echoserver to gcr.io/k8s-staging-gateway-api/echo-basic

Testing

  • Added e2e test for Header Case-Preserving
  • Added e2e test for Timeout in ClientTrafficPolicy
  • Added e2e test for JWT claim base routing
  • Added e2e test for OIDC
  • Added e2e test for BackendTrafficPolicy Retry
  • Added e2e test for Backend Upgrade
  • Added e2e test for External Authorization
  • Added e2e test for Backend TLS policy
  • Added e2e test for Envoy Gateway Release Upgrade
  • Added e2e test for Weighted backend
  • Added validation for LoadBalancerIP to prevent trailing period

Translator

  • Fixed Prefix match to prevent mismatching routes with the same prefix
  • Fixed Multiple reconciling by implementing comparable interface for ir.Infra
  • Fixed EndpointSlice with empty conditions {}
  • Fixed Error handling when parsing the http request timeout
  • Fixed No status when EnvoyPatchPolicy is disabled
  • Fixed Printable for xds and infra IRs
  • Fixed Skip backendRefs with weight set to 0
  • Fixed AND Header matches in ratelimiting not working
  • Fixed Deletion logics when no gatewayclasses exist
  • Fixed Match mergedGateways irKey for ClientTrafficPolicy
  • Fixed Policies should apply only to gateways they were attached to when mergeGateways is true
  • Fixed Listener status is not surfaced for gateways when MergeGateways enabled
  • Fixed GRPCroute websocket not working by moving web socket upgrade config from hcm to route
  • Fixed Configure idle timeout when timeout is set on HTTPRoute
  • Fixed Relaxing HTTPS restriction for OIDC token endpoint
  • Fixed Panic when translating routes with empty backends
  • Fixed Xds translation should be done in a best-effort manner
  • Fixed Delete unused status keys from watchable
  • Fixed Ignoring finalizers when comparing envoy proxy service
  • Fixed Don’t override the ALPN array if HTTP/3 is enabled
  • Fixed Add h3 ALPN by default if HTTP/3 is enabled
  • Fixed Change the Merge behavior to Replace for SecurityPolicy/BackendTrafficPolicy
  • Fixed Use service port in alt-svc header if HTTP/3 is enabled
  • Fixed Prevent policies targeting non-TLS listeners on the same port from conflicting
  • Fixed Skip the ReasonTargetNotFound for all policies
  • Fixed Skip publishing empty status for all policies
  • Added Support for validating regex before sending to Envoy
  • Added Support for setting spec.addresses.value into ClusterIP when Service Type is ClusterIP
  • Added Unsupported status condition for filters within BackendRef
  • Added List instead of map for Provider Resources for order stability
  • Added Suffix for oauth cookies to prevent multiple oauth filters from overwriting each other’s cookies
  • Added Support for overriding condition to BackendTrafficPolicy and SecurityPolicy
  • Added Support for default retry budget and retry host predicate
  • Added Support for implementing gateway.spec.infrastructure
  • Added Support for Upstream TLS to multiple Backends
  • Added Validation for CA Cert in ClientTrafficPolicy

Providers

  • Added Support for multiple GatewayClass per controller
  • Added SecurityPolicyIndexers in Kubernetes Provider
  • Added Support for generating HMAC secret in CertGen Job
  • Fixed Finalizer logic when deleting Gatewayclasses
  • Fixed MergeGateways panics when restarting control plane

xDS

  • Added Support for EDS cache
  • Added Support for ADS cache to ensure the rule order
  • Fixed Deprecated field error when using RequestHeaderModifier filter
  • Fixed Envoy rejects XDS at runtime losing all routes on restart
  • Fixed Requests not matching defined routes trigger per-route filters
  • Bumped go-control-plane to v0.12.0

Cli

  • Added Support for egctl x status
  • Added Support for egctl experimental dashboard envoy-proxy
  • Added Support for egctl config ratelimit
  • Added Support for egctl translate from gateway-api resources to IR

3.1.16 - v0.6.0

Date: Nov 1, 2023

Documentation

  • Introduced a new website based on Hugo
  • Added Grafana dashboards and integration docs for EnvoyProxy metrics
  • Added Grafana integration docs for Gateway API metrics

Installation

  • Updated EnvoyProxy image to be a distroless variant.
  • Removed resources around kube-rbac-proxy

API

  • Upgraded to Gateway API v1.0.0
  • Added the ClientTrafficPolicy CRD with Keep Alive Support
  • Added the BackendTrafficPolicy CRD with RateLimit and LoadBalancer Support
  • Added the SecurityPolicy CRD with CORS and JWT Support
  • Added EnvoyGateway Metrics with Prometheus and OpenTelemetry support
  • Added Support for InitContainers in EnvoyProxy CRD
  • Added Support for LoadBalancerIP in EnvoyProxy CRD
  • Added Support for AllocateLoadBalancerNodePorts in EnvoyProxy CRD
  • Added Support for LoadBalancerClass in EnvoyProxy CRD
  • Added Support for selecting EnvoyProxy stats to be generated
  • Added Support for enabling EnvoyProxy Virtual Host metrics
  • Added Support for Merging Gateway resources onto the same infrastructure

Breaking Changes

  • Removed the AuthenticationFilter CRD
  • Removed the RateLimitFilter CRD
  • Moved EnvoyProxy CRD from config.gateway.envoyproxy.io to gateway.envoyproxy.io
  • Enabled EnvoyProxy Prometheus Endpoint by default with an option to disable it
  • Updated the Bootstrap field within the EnvoyProxy CRD with an additional value
  • field to specify bootstrap config

Conformance

  • Added Support for HTTPRouteBackendProtocolH2C Test
  • Added Support for HTTPRouteBackendProtocolWebSocket Test
  • Added Support for HTTPRouteRequestMultipleMirrors Test
  • Added Support for HTTPRouteTimeoutRequest Test
  • Added Support for HTTPRouteTimeoutBackendRequest Test
  • Added Support for HTTPRouteRedirectPortAndScheme Test

Watchable

  • Improved caching of resource by implementing a compare function agnostic of resource order

Translator

  • Added support for routing to EndpointSlice endpoints
  • Added support for HTTPRoute Timeouts
  • Added support for multiple RequestMirror filters per HTTPRoute rule
  • Use / instead of - in IR Route Names
  • Added Support to ignore ports in Host header

Providers

  • Added the generationChangedPredicate to most resources to limit resource reconiliation
  • Improved reconiliation by using the same enqueue request for all resources
  • Added support for reconciling ServiceImport CRD
  • Added support for selectively watching resources based on Namespace Selector

xDS

  • Fixed Layered Runtime warnings
  • Upgraded to the latest version of go-control-plane that fixed xDS Resource ordering issues for ADS.
  • Added HTTP2 Keep Alives to the xds connection

Cli

  • Added Support for egctl stats command

3.1.17 - v1.0.0-rc.1

Date: Nov 1, 2023

Documentation

  • Added User Guide for local rate limit
  • Added User Guide for circuit breaker
  • Added User Guide for fault injection
  • Added User Guide for EnvoyProxy extraArgs
  • Added User Guide for Timeouts in ClientTrafficPolicy
  • Added User Guide for JWT claim base routing
  • Added User Guide for HTTP Timeout
  • Added User Guide for Retry in BackendTrafficPolicy
  • Added User Guide for basic auth
  • Added User Guide for OIDC
  • Added User Guide for ClientTrafficPolicy
  • Added User Guide for BackendTrafficPolicy
  • Added Type and required for CRD API doc
  • Updated crd-ref-docs to 0.0.10
  • Updated Envoy proxy image to envoy:distroless-dev in main

Installation

  • Added Support for Pulling envoyGateway image from a private registry
  • Added Support for Configuring resources for certgen job
  • Added Support for Configuring affinity for EnvoyGateway pod

API

  • Added Support for Downstream QUIC/HTTP3 in ClientTrafficPolicy CRD
  • Added Support for Downstream MTLS in ClientTrafficPolicy CRD
  • Added Support for enabling EnvoyHeaders in ClientTrafficPolicy CRD
  • Added Support for DisableMergeSlash and escapedSlashesAction in ClientTrafficPolicy CRD
  • Added Support for EnableTrailers in HTTP/1.1 in ClientTrafficPolicy CRD
  • Added Support for Preserving header letter-case on HTTP/1 in ClientTrafficPolicy CRD
  • Added Support for enabling HTTP/1.0 and HTTP/0.9 in ClientTrafficPolicy CRD
  • Added Support for Client IP Detection using XFF in ClientTrafficPolicy CRD
  • Added Support for Client IP Detection using Custom Header in ClientTrafficPolicy CRD
  • Added Support for Connection Timeouts in ClientTrafficPolicy CRD
  • Added Support for Common TLS configuration properties in ClientTrafficPolicy CRD
  • Added Support for Proxy protocol in ClientTrafficPolicy CRD
  • Added Support for TCPKeepAlive in ClientTrafficPolicy CRD
  • Added Support for Local rate limit in BackendTrafficPolicy CRD
  • Added Support for CircuitBreaker in BackendTrafficPolicy CRD
  • Added Support for Fault injection in BackendTrafficPolicy CRD
  • Added Support for Passive Health Checks in BackendTrafficPolicy CRD
  • Added Support for Active Health Checks in BackendTrafficPolicy CRD
  • Added Support for Connection Timeouts in BackendTrafficPolicy CRD
  • Added Support for Compressor/Decompressor in BackendTrafficPolicy CRD
  • Added Support for Retry in BackendTrafficPolicy CRD
  • Added Support for Slow start mode in BackendTrafficPolicy CRD
  • Added Support for Proxy protocol in BackendTrafficPolicy CRD
  • Added Support for TCPKeepAlive in BackendTrafficPolicy CRD
  • Added Support for OIDC in SecurityPolicy CRD
  • Added Support for Basic Auth in SecurityPolicy CRD
  • Added Support for RedirectURL and signoutPath to OIDC in SecurityPolicy CRD
  • Added Support for ExtractFrom headers and params to JWT in SecurityPolicy CRD
  • Added Support for External authorization in SecurityPolicy CRD
  • Added Support for RecomputeRoute field to JWT in SecurityPolicy CRD
  • Added Support for AllowCredentials knob to CORS setting in SecurityPolicy CRD
  • Added Support for Extract from different identifier to JWT in SecurityPolicy CRD
  • Added Support for Secret resource in EnvoyPatchPolicy CRD
  • Added Support for Making the value optional for JSONPatchOperation in EnvoyPatchPolicy CRD
  • Added Support for From field to JSONPatchOperation in EnvoyPatchPolicy CRD
  • Added Support for MergeGateways in EnvoyPatchPolicy CRD
  • Added Support for Upstream TLS by implementing BackendTLSPolicy CRD
  • Added Support for LabelSelector type for NamespaceSelectors in EnvoyGateway Configuration
  • Added Support for ratelimit prometheus in EnvoyGateway Configuration
  • Added Support for Gracefully drain listeners before envoy shutdown on pod termination in EnvoyProxy CRD
  • Added Support for Configuring externalTrafficPolicy to the envoy service in EnvoyProxy CRD
  • Added Support for Envoy extra args in EnvoyProxy CRD
  • Added Support for Mergepatch to envoyproxy/ratelimit deployment in EnvoyProxy CRD
  • Added Support for Mergepatch to envoyproxy service in EnvoyProxy CRD
  • Added Support for NodeSelector to PodSpec in EnvoyProxy CRD
  • Added Support for HorizontalPodAutoscaler in EnvoyProxy CRD
  • Added Support for TopologySpreadConstraints to PodSpec in EnvoyProxy CRD
  • Added Support for ImagePullSecrets to PodSpec in EnvoyProxy CRD

Breaking Changes

  • Use wildcard to match AllowOrigins to CORS in SecurityPolicy CRD

Conformance

  • Replaced backend image from gcr.io/k8s-staging-ingressconformance/echoserver to gcr.io/k8s-staging-gateway-api/echo-basic

Testing

  • Added e2e test for header case-preserving
  • Added LoadBalancerIP validation to prevent trailing period
  • Added e2e test for Timeout in ClientTrafficPolicy
  • Added e2e test for jwt claim base routing
  • Added e2e test for OIDC
  • Added e2e test for BackendTrafficPolicy Retry

Translator

  • Fixed Prefix match to prevent mismatching routes with the same prefix
  • Fixed Multiple reconciling by implementing comparable interface for ir.Infra
  • Fixed EndpointSlice with empty conditions {}
  • Fixed Error handling when parsing the http request timeout
  • Fixed No status when EnvoyPatchPolicy is disabled
  • Fixed Printable for xds and infra IRs
  • Fixed Skip backendRefs with weight set to 0
  • Fixed AND Header matches in ratelimiting not working
  • Fixed Deletion logics when no gatewayclasses exist
  • Fixed Match mergedGateways irKey for ClientTrafficPolicy
  • Fixed Policies should apply only to gateways they were attached to when mergeGateways is true
  • Fixed Listener status is not surfaced for gateways when MergeGateways enabled
  • Fixed GRPCroute websocket not working by moving web socket upgrade config from hcm to route
  • Fixed Configure idle timeout when timeout is set on HTTPRoute
  • Fixed Relaxing HTTPS restriction for OIDC token endpoint
  • Fixed Panic when translating routes with empty backends
  • Fixed Xds translation should be done in a best-effort manner
  • Added Support for validating regex before sending to Envoy
  • Added Support for setting spec.addresses.value into ClusterIP when Service Type is ClusterIP
  • Added Unsupported status condition for filters within BackendRef
  • Added List instead of map for Provider Resources for order stability
  • Added Suffix for oauth cookies to prevent multiple oauth filters from overwriting each other’s cookies
  • Added Support for overriding condition to BackendTrafficPolicy and SecurityPolicy
  • Added Support for default retry budget and retry host predicate
  • Added Support for implementing gateway.spec.infrastructure
  • Added Validation for CA Cert in ClientTrafficPolicy

Providers

  • Added Support for multiple GatewayClass per controller
  • Added SecurityPolicyIndexers in Kubernetes Provider
  • Added Support for generating HMAC secret in CertGen Job
  • Fixed Finalizer logic when deleting Gatewayclasses
  • Fixed MergeGateways panics when restarting control plane

xDS

  • Added Support for EDS cache
  • Added Support for ADS cache to ensure the rule order
  • Fixed Deprecated field error when using RequestHeaderModifier filter
  • Fixed Envoy rejects XDS at runtime losing all routes on restart
  • Fixed Requests not matching defined routes trigger per-route filters
  • Bumped go-control-plane to v0.12.0

Cli

  • Added Support for egctl x status
  • Added Support for egctl experimental dashboard envoy-proxy
  • Added Support for egctl config ratelimit

3.1.18 - v0.6.0-rc.1

Date: Oct 27, 2023

Documentation

  • Introduced a new website based on Hugo
  • Added Grafana dashboards and integration docs for EnvoyProxy metrics
  • Added Grafana integration docs for Gateway API metrics

Installation

  • Added Support for configuring Envoy Gateway Label and Annotations using Helm
  • Increased default Resource defaults for Envoy Gateway to 100m CPU and 256Mi Memory
  • Fixes Helm values for EnvoyGateway startup configuration
  • Added opt-in field to skip creating control plane TLS Certificates allowing users to bring their own certificates.

API

  • Upgraded to Gateway API v1.0.0
  • Added the ClientTrafficPolicy CRD with Keep Alive Support
  • Added the BackendTrafficPolicy CRD with RateLimit and LoadBalancer Support
  • Added the SecurityPolicy CRD with CORS and JWT Support
  • Added EnvoyGateway Metrics with Prometheus and OpenTelemetry support
  • Added Support for InitContainers in EnvoyProxy CRD
  • Added Support for LoadBalancerIP in EnvoyProxy CRD
  • Added Support for AllocateLoadBalancerNodePorts in EnvoyProxy CRD
  • Added Support for LoadBalancerClass in EnvoyProxy CRD
  • Added Support for selecting EnvoyProxy stats to be generated
  • Added Support for enabling EnvoyProxy Virtual Host metrics
  • Added Support for Merging Gateway resources onto the same infrastructure

Breaking Changes

  • Removed the AuthenticationFilter CRD
  • Removed the RateLimitFilter CRD
  • Enabled EnvoyProxy Prometheus Endpoint by default with an option to disable it
  • Updated the Bootstrap field within the EnvoyProxy CRD with an additional value
  • field to specify bootstrap config

Ci tooling testing

Conformance

Watchable

  • Improved caching of resource by implementing a compare function agnostic of resource order

Translator

Breaking Changes

  • Added support for routing to EndpointSlice endpoints
  • Added support for HTTPRoute Timeouts
  • Added support for multiple RequestMirror filters per HTTPRoute rule
  • Use / instead of - in IR Route Names
  • Added Support to ignore ports in Host header

Providers

  • Added the generationChangedPredicate to most resources to limit resource reconiliation
  • Improved reconiliation by using the same enqueue request for all resources
  • Added support for reconciling ServiceImport CRD
  • Added support for selectively watching resources based on Namespace Selector

xDS

  • Fixed Layered Runtime warnings
  • Upgraded to the latest version of go-control-plane that fixed xDS Resource ordering issues for ADS.
  • Added HTTP2 Keep Alives to the xds connection

Cli

  • Added Support for egctl stats command

3.1.19 - v0.5.0

Date: July 26, 2023

Documentation

  • Added Docs for Installation page using Helm
  • Added Docs for Cert Manager Integration
  • Added Docs for Presentation Links
  • Added Docs for configuring multiple TLS Certificates per Listener

Installation

  • Added Support for configuring Envoy Gateway Label and Annotations using Helm
  • Increased default Resource defaults for Envoy Gateway to 100m CPU and 256Mi Memory
  • Fixes Helm values for EnvoyGateway startup configuration
  • Added opt-in field to skip creating control plane TLS Certificates allowing users to bring their own certificates.

API

  • Upgraded to Gateway API v0.7.1
  • Added Support for EnvoyPatchPolicy
  • Added Support for EnvoyProxy Telemetry - Access Logging, Traces and Metrics
  • Added Support for configuring EnvoyProxy Pod Labels
  • Added Support for configuring EnvoyProxy Deployment Strategy Settings, Volumes and Volume Mounts
  • Added Support for configuring EnvoyProxy as a NodePort Type Service
  • Added Support for Distinct RateLimiting for IP Addresses
  • Added Support for converting JWT Claims to Headers, to be used for RateLimiting
  • Added Admin Server for Envoy Gateway
  • Added Pprof Debug Support for Envoy Gateway
  • Added Support to Watch for Resources in Select Namespaces

Breaking Changes

  • Renamed field in EnvoyGateway API from Extension to ExtensionManager

Ci tooling testing

  • Added Retest Github Action
  • Added CherryPick Github Action
  • Added E2E Step in Github CI Workflow
  • Added RateLimit E2E Tests
  • Added JWT Claim based RateLimit E2E Tests
  • Added Access Logging E2E tests
  • Added Metrics E2E tests
  • Added Tracing E2E tests

Conformance

  • Enabled GatewayWithAttachedRoutes Test
  • Enabled HttpRouteRequestMirror Test
  • Skipped HTTPRouteRedirectPortAndScheme Test

Translator

Breaking Changes

  • Renamed IR resources from - to /
  • which also affects generated Xds Resources

Providers

  • Reconcile Node resources to be able to compute Status Addresses for Gateway
  • Discard Status before publishing Provider resources to reduce memory consumption

xDS

  • Fix Init Race in Xds Runner when starting Xds Server and receiving Xds Input
  • Switched to Xds SOTW Server for RateLimit Service Configuration
  • Added Control Plane TLS between EnvoyProxy and RateLimit Service
  • Enabled adding RateLimit Headers when RateLimit is set
  • Allowed GRPCRoute and HTTPRoute to be linked to the same HTTPS Listener
  • Set ALPN in the Xds Listener with TLS enabled.
  • Added Best Practices Default Edge Settings to Xds Resources
  • Compute and Publish EnvoyPatchPolicy status from xds-translator runner

Cli

  • Added egctl x translate Support to generate default missing Resources
  • Added egctl x translate Support for AuthenticationFilter and EnvoyPatchPolicy

3.1.20 - v0.5.0-rc.1

Date: July 26, 2023

Documentation

  • Added Docs for Installation page using Helm
  • Added Docs for Cert Manager Integration
  • Added Docs for Presentation Links
  • Added Docs for configuring multiple TLS Certificates per Listener

Installation

  • Added Support for configuring Envoy Gateway Label and Annotations using Helm
  • Increased default Resource defaults for Envoy Gateway to 100m CPU and 256Mi Memory
  • Fixes Helm values for EnvoyGateway startup configuration
  • Added opt-in field to skip creating control plane TLS Certificates allowing users to bring their own certificates.

API

  • Upgraded to Gateway API v0.7.1
  • Added Support for EnvoyPatchPolicy
  • Added Support for EnvoyProxy Telemetry - Access Logging, Traces and Metrics
  • Added Support for configuring EnvoyProxy Pod Labels
  • Added Support for configuring EnvoyProxy Deployment Strategy Settings, Volumes and Volume Mounts
  • Added Support for configuring EnvoyProxy as a NodePort Type Service
  • Added Support for Distinct RateLimiting for IP Addresses
  • Added Support for converting JWT Claims to Headers, to be used for RateLimiting
  • Added Admin Server for Envoy Gateway
  • Added Pprof Debug Support for Envoy Gateway
  • Added Support to Watch for Resources in Select Namespaces

Breaking Changes

  • Renamed field in EnvoyGateway API from Extension to ExtensionManager

Ci tooling testing

  • Added Retest Github Action
  • Added CherryPick Github Action
  • Added E2E Step in Github CI Workflow
  • Added RateLimit E2E Tests
  • Added JWT Claim based RateLimit E2E Tests
  • Added Access Logging E2E tests
  • Added Metrics E2E tests
  • Added Tracing E2E tests

Conformance

  • Enabled GatewayWithAttachedRoutes Test
  • Enabled HttpRouteRequestMirror Test
  • Skipped HTTPRouteRedirectPortAndScheme Test

Translator

Breaking Changes

  • Renamed IR resources from - to /
  • which also affects generated Xds Resources

Providers

  • Reconcile Node resources to be able to compute Status Addresses for Gateway
  • Discard Status before publishing Provider resources to reduce memory consumption

xDS

  • Fix Init Race in Xds Runner when starting Xds Server and receiving Xds Input
  • Switched to Xds SOTW Server for RateLimit Service Configuration
  • Added Control Plane TLS between EnvoyProxy and RateLimit Service
  • Enabled adding RateLimit Headers when RateLimit is set
  • Allowed GRPCRoute and HTTPRoute to be linked to the same HTTPS Listener
  • Set ALPN in the Xds Listener with TLS enabled.
  • Added Best Practices Default Edge Settings to Xds Resources
  • Compute and Publish EnvoyPatchPolicy status from xds-translator runner

Cli

  • Added egctl x translate Support to generate default missing Resources
  • Added egctl x translate Support for AuthenticationFilter and EnvoyPatchPolicy

3.1.21 - v0.4.0

Date: April 24, 2023

Documentation

  • Added Docs for Installing and Using egctl

Installation

  • Added Helm Installation Support
  • Added Support for Ratelimiting Based On IP Subnet
  • Added Gateway API Support Doc
  • Added Namespace Resource to Helm Templates
  • Updated Installation Yaml to Use the envoy-gateway-system Namespace

API

  • Upgraded to Gateway API v0.6.2
  • Added Support for Custom Envoy Proxy Bootstrap Config
  • Added Support for Configuring the Envoy Proxy Image and Service
  • Added Support for Configuring Annotations, Resources, and Securitycontext Settings on Ratelimit Infra and Envoy Proxy
  • Added Support for Using Multiple Certificates on a Single Fully Qualified Domain Name
  • Gateway Status Address is now Populated for ClusterIP type Envoy Services
  • Envoy Proxy Pod and Container SecurityContext is now Configurable
  • Added Custom Envoy Gateway Extensions Framework
  • Added Support for Service Method Match in GRPCRoute
  • Fixed a Bug in the Extension Hooks for xDS Virtual Hosts and Routes

Ci tooling testing

  • Fixed CI Flakes During Helm Install
  • Added Test To Ensure Static xDS Cluster Has Same Field Values as Dynamic Cluster
  • Added egctl to Build and Test CI Workflow
  • Code Coverage Thresholds are now Enforced by CI
  • Fixed latest-release-check CI Job Failures
  • Added Auto Release Tooling for Charts

Conformance

  • Enabled GatewayWithAttachedRoutes Test
  • Enabled Enable HTTPRouteInvalidParentRefNotMatchingSectionName Test
  • Enabled Enable HTTPRouteDisallowedKind Test
  • Re-Enabled Gateway/HTTPRouteObservedGenerationBump Test

Translator

  • Added Support for Dynamic GatewayControllerName in Route Status

Providers

  • Update GatewayClass Status Based on EnvoyProxy Config Validation

xDS

  • Added EDS Support
  • Fixed PathSeparatedPrefix and Optimized Logic for Prefixes Ending With Trailing Slash
  • Updated Deprecated RegexMatcher
  • Refactored Authn and Ratelimit Features to Reuse buildXdsCluster

Cli

  • Added egctl CLI Tool
  • Added egctl Support for Dry Runs of Gateway API Config
  • Added egctl Support for Dumping Envoy Proxy xDS Resources

3.1.22 - v0.4.0-rc.1

Date: April 13, 2023

Documentation

  • Added Docs for Installing and Using egctl

Installation

  • Added Helm Installation Support
  • Added Support for Ratelimiting Based On IP Subnet
  • Added Gateway API Support Doc

API

  • Upgraded to Gateway API v0.6.2
  • Added Support for Custom Envoy Proxy Bootstrap Config
  • Added Support for Configuring the Envoy Proxy Image and Service
  • Added Support for Configuring Annotations, Resources, and Securitycontext Settings on Ratelimit Infra and Envoy Proxy
  • Added Support for Using Multiple Certificates on a Single Fully Qualified Domain Name
  • Gateway Status Address is now Populated for ClusterIP type Envoy Services
  • Envoy Proxy Pod and Container SecurityContext is now Configurable
  • Added Custom Envoy Gateway Extensions Framework
  • Added Support for Service Method Match in GRPCRoute

Ci tooling testing

  • Fixed CI Flakes During Helm Install
  • Added Test To Ensure Static xDS Cluster Has Same Field Values as Dynamic Cluster
  • Added egctl to Build and Test CI Workflow
  • Code Coverage Thresholds are now Enforced by CI
  • Fixed latest-release-check CI Job Failures
  • Added Auto Release Tooling for Charts

Conformance

  • Enabled GatewayWithAttachedRoutes Test
  • Enabled Enable HTTPRouteInvalidParentRefNotMatchingSectionName Test
  • Enabled Enable HTTPRouteDisallowedKind Test
  • Re-Enabled Gateway/HTTPRouteObservedGenerationBump Test

Translator

  • Added Support for Dynamic GatewayControllerName in Route Status

Providers

  • Update GatewayClass Status Based on EnvoyProxy Config Validation

xDS

  • Added EDS Support
  • Fixed PathSeparatedPrefix and Optimized Logic for Prefixes Ending With Trailing Slash
  • Updated Deprecated RegexMatcher
  • Refactored Authn and Ratelimit Features to Reuse buildXdsCluster

Cli

  • Added egctl CLI Tool
  • Added egctl Support for Dry Runs of Gateway API Config
  • Added egctl Support for Dumping Envoy Proxy xDS Resources

3.1.23 - v0.3.0

Date: February 09, 2023

Documentation

  • Added Global Rate Limit User Docs
  • Added Request Authentication User Docs
  • Added TCP Routing User Docs
  • Added UDP Routing User Docs
  • Added GRPC Routing User Docs
  • Added HTTP Response Headers User Docs
  • Added TCP and UDP Proxy Design Docs
  • Added egctl Design Docs
  • Added Rate Limit Design Docs
  • Added Request Authentication Design Docs
  • Added Support for Versioned Docs
  • Added Support for Multiple Release Versions
  • Added Release Details Docs
  • Added API Docs Generating Tooling
  • Refactored Layout for User Docs

API

  • Upgraded to v0.6.1 Gateway API
  • Added Support for the TCPRoute API
  • Added Support for the UDPRoute API
  • Added Support for the GRPCRoute API
  • Added Support for HTTPRoute URLRewrite Filter
  • Added Support for HTTPRoute RequestMirror Filter
  • Added Support for HTTPRoute ResponseHeaderModifier Filter
  • Added Support for Request Authentication
  • Added Support for Global Rate Limiting
  • Added Support for Routes ReferenceGrant
  • Added Support for Namespace Server Config Type
  • Added initial management of Envoy Proxy deployment via EnvoyProxy API

Ci tooling testing

  • Fixed Make Image Failed in Darwin
  • Fixed Wait for Job Succeeded before conformance test
  • Upgraded Echoserver Image Tag
  • Added Support for User-Facing Version
  • Added Support for Testing EG against Multiple Kubernetes Versions

Conformance

  • Enabled GatewayClassObservedGenerationBump conformance test
  • Enabled GatewayInvalidTLSConfiguration conformance test
  • Enabled GatewayInvalidRouteKind conformance test
  • Enabled HTTPRouteReferenceGrant conformance test
  • Enabled HTTPRouteMethodMatching conformance test
  • Enabled HTTPRoutePartiallyInvalidViaInvalidReferenceGrant conformance test
  • Enabled HTTPRouteInvalidParentRefNotMatchingListenerPort conformance test
  • (Currently EG passes all conformance tests except redirect and gateway/httproute ObservedGenerationBump tests. Redirect tests are failing due to a possible issue with the way upstream conformance tests have made assumptions. Skip them for now until below issues #992 #993 #994 are resolved)

IR

  • Added TCP Listener per TLSRoute

Translator

  • Fixes Remove Stale Listener Condition
  • Added Support for Suffix Matches for Headers
  • Added Support for HTTP Method Matching to HTTPRoute
  • Added Support for Regex Match Type
  • Added Support for HTTPQueryParamMatch

Providers

  • Refactored Kubernetes Provider to Single Reconciler
  • Upgraded Kube Provider Test Data Manifests to v0.6.1
  • Removed Duplicate Settings from Bootstrap Config
  • Updated Certgen to Use EG Namespace Env
  • Added EnvoyProxy to Translator and Kube Infra Manager
  • Upgraded Envoyproxy Image to envoy-dev latest in Main
  • Removed EG Logs Private Key

xDS

  • Fixed Start xDS Server Watchable Map Panics
  • Enabled Access Logging for xDS Components

3.1.24 - v0.3.0-rc.1

Date: February 02, 2023

Documentation

  • Added Support for Multiple Release Versions
  • Added Support for Versioned Docs
  • Added Release Details Docs
  • Refactored Layout for User Docs

API

  • Upgraded to v0.6.0 Gateway API
  • Added Support for the TCPRoute API
  • Added Support for the UDPRoute API
  • Added Support for the GRPCRoute API (Add to the ListenerStatus.SupportedKinds Field until https://github.com/envoyproxy/gateway/issues/950 is fixed.)
  • Added Support for HTTPRoute URLRewrite Filter
  • Added Support for HTTPRoute RequestMirror Filter
  • Added Support for HTTPRoute ResponseHeaderModifier Filter
  • Added APIs to Manage Envoy Deployment
  • Added Support for Request Authentication
  • Added Support for Global Rate Limiting
  • Added Support for Routes ReferenceGrant
  • Added Support for Namespace Server Config Type

Ci tooling testing

  • Fixes Make Image Failed in Darwin
  • Fixes Wait for Job Succeeded before conformance test
  • Upgraded Echoserver Image Tag
  • Added Support for User-Facing Version
  • Added Support for Testing EG against Multiple Kubernetes Versions

Conformance

  • Enabled HTTPRouteInvalidParentRefNotMatchingListenerPort conformance test
  • Enabled GatewayInvalidTLSConfiguration conformance test
  • Enabled GatewayInvalidRouteKind conformance test
  • Enabled HTTPRoutePartiallyInvalidViaInvalidReferenceGrant conformance test
  • Enabled HTTPRouteReferenceGrant conformance test
  • Enabled HTTPRouteMethodMatching conformance test

IR

  • Added TCP Listener per TLSRoute

Translator

  • Fixes Remove Stale Listener Condition
  • Added Support for Suffix Matches for Headers
  • Added Support for HTTP Method Matching to HTTPRoute
  • Added Support for Regex Match Type
  • Added Support for HTTPQueryParamMatch

Providers

  • Refactored Kubernetes Provider to Single Reconciler
  • Upgraded Kube Provider Test Data Manifests to v0.6.0
  • Removed Duplicate Settings from Bootstrap Config
  • Updated Certgen to Use EG Namespace Env
  • Added EnvoyProxy to Translator and Kube Infra Manager
  • Upgraded Envoyproxy Image to envoy-dev latest in Main
  • Removed EG Logs Private Key

xDS

  • Fixed Start xDS Server Watchable Map Panics
  • Enabled Access Logging for xDS Components

3.1.25 - v0.2.0

Date: October 19, 2022

Documentation

  • Added Config API, translator, roadmap, and message bus design documentation.
  • Added documentation for releasing Envoy Gateway.
  • Added user guides for configuring common tasks, e.g. HTTP request routing.
  • Added support for the Sphinx documentation generator.

API

  • Added the EnvoyGateway API type for configuring Envoy Gateway.
  • Added the EnvoyProxy API type for configuring managed Envoys.

Ci tooling testing

  • Added tooling to build, run, etc. Envoy Gateway.
  • Added Gateway API conformance tests.
  • Added Make-based tooling to fetch all tools so checks (code lint, spellchecks) and tests can be run locally.
  • Added support for releasing latest artifacts to GitHub.
  • Added code coverage with a minimum 60% threshold.

IR

  • Added xds and infra IRs to decouple user-facing APIs from Envoy Gateway.
  • Added IR validation.

Translator

  • Added the gatewayapi translator to translate Gateway API and associated resources to the IR and manage the
  • status of Gateway API resources.
  • Added the xDS translator to translate the xds IR to xDS resources.

Message-service

  • Added infra and xds IR watchable map messages for inter-component communication.
  • Added a Runner to each Envoy Gateway component to support pub/sub between components.
  • Added support for managing multiple separate Envoy proxy fleets.

Infra-manager

  • Added Kubernetes Infra Manager to manage Envoy infrastructure running in a Kubernetes cluster.
  • Added support for managing a separate Envoy infrastructure per Gateway.

Providers

  • Added the Kubernetes provider with support for managing GatewayClass, Gateway, HTTPRoute, ReferenceGrant, and
  • TLSRoute resources.
  • Due to Issue #539, a ReferenceGrant is not removed from the system when unreferenced.
  • Due to Issue #577, TLSRoute is not being tested for Gateway API conformance.
  • Added watchers for dependent resources of managed Envoy infrastructure to trigger reconciliation.
  • Added support for labeling managed infrastructure using Gateway namespace/name labels.
  • Added support for finalizing the managed GatewayClass.

xDS

  • Added xDS server support to configure managed Envoys using Delta xDS.
  • Added initial support for mTLS between the xDS server and managed Envoys.
  • Due to envoyproxy/go-control-plane Issue #599, Envoy Gateway logs the private key of HTTPS listeners.

3.1.26 - v0.2.0-rc2

Date: September 29, 2022

Documentation

  • Updated and expanded developer documentation.
  • Added kube-demo target to demonstrate Envoy Gateway functionality.
  • Added developer debugging documentation.

Ci

  • Added Gateway API conformance tests.

Providers

  • Added watchers for dependent resources of managed Envoy infrastructure.
  • Added Gateway namespace/name labels to managed resources.
  • Added support for finalizing the managed GatewayClass.

xDS

  • Updated xds server and Envoy bootstrap config to use Delta xDS.
  • Added initial support for mTLS between the xDS server and Envoy.

Translator

  • Expanded support for Gateway API status.
  • Added support for request modifier and redirect filters.
  • Added support to return 500 responses for invalid backends.

Message service

  • Updated IRs to support managing multiple Envoy fleets.

Infra manager

  • Separate Envoy infrastructure is created per Gateway.

3.1.27 - v0.2.0-rc1

Date: August 31, 2022

Documentation

  • Added a quickstart guide for users to run and use Envoy Gateway.

API

  • Added the EnvoyGateway API type for configuring Envoy Gateway.
  • Added the EnvoyProxy API type for configuring managed Envoys.

Ci

  • Added tooling to build, run, etc. Envoy Gateway.

Providers

  • Added the Kubernetes provider.

xDS

  • Added xDS server to configure managed Envoys.

IR

  • Added xds and infra IRs to decouple user-facing APIs from Envoy Gateway.
  • Added IR validation.

Translator

  • Added the gatewayapi translator to translate Gateway API and associated resources to the IR and manage
  • Gateway API status.

Message service

  • Added infra and xds IR watchable map messages for inter-component communication.
  • Added a Runner to each component to support pub/sub between components.

Infra manager

  • Added Kubernetes Infra Manager to manage Envoy infrastructure running in a Kubernetes cluster.

3.1.28 - v0.1.0

Date: May 16, 2022

Documentation

  • The initial open source release describing project goals and high-level design.

3.2 - Announcing Envoy Gateway v1.2

Envoy Gateway v1.2 release announcement.

We are thrilled to announce the arrival of Envoy Gateway v1.2.0.

This release represents a significant achievement, and we extend our heartfelt gratitude to the entire Envoy Gateway community for their contributions, dedication, and support. Your collaborative efforts have been instrumental in reaching this pivotal release.

Thank you for being an integral part of this journey. We are excited to see how Envoy Gateway v1.2.0 will empower your operations and look forward to continuing our work together to drive the future of Cloud Native API Gateway.

Release NotesDocsCompatibility MatrixInstall

What’s New

The release adds a ton of features and functionality. Here are some highlights:


🚨 Breaking Changes

  • Gateway API Updates: Removed support for the v1alpha2 versions for GRPCRoute and ReferenceGrant. See the Gateway API v1.2.0 documentation for details.
  • CPU Limits: Removed default CPU limit for Envoy Gateway deployment to avoid throttling.
  • Envoy Shutdown Settings: Drain strategy set to immediate, with default values as follows:
    • minDrainDuration: 10s
    • drainTimeout: 60s
    • terminationGracePeriodSeconds: 360s
  • Endpoint Health On Host Removal: Enabled ignore_health_on_host_removal for clusters with static endpoints to allow faster removal of endpoints that have been deleted by the control plane, without waiting for the results of an active health check.
  • Logging Level Adjustment: Set xDS and Infra IR logs to Debug level instead of Info, so they will no longer appear in Envoy Gateway logs by default. You can change the logging level to debug to view them.

✨ New Features

API & Traffic Management Enhancements

  • Gateway-API v1.2.0 Support: Fully compatible with the latest Gateway-API standards.
  • IPv4/IPv6 Dual Stack: Now available for EnvoyProxy fleet and BackendRef resources.
  • Standalone Mode: Experimental support for Envoy Gateway standalone (host deployment) mode.
  • Response Override: Added support for Response Override and RequestTimeout in BackendTrafficPolicy.
  • Active Passive Failover: Supported with the new fallback field in the Backend API.
  • Session Persistence in HTTPRoute: Session persistence is supported in HTTPRoute rules for stateful traffic management.
  • HTTPRouteFilter: Adds support for Direct Response and Path Regex Rewrites in HTTPRouteFilter

Security Enhancements

  • JWT Claims-Based Authorization: Advanced security control with claims-based policies in SecurityPolicy.
  • CORS Wildcard Matching: Wildcard matching for AllowMethods and AllowHeaders settings.
  • OIDC Flow Support: Added nonce support for OIDC authorization.

Observability & Tracing

  • Datadog Tracing Integration: Improved support for Datadog tracing in EnvoyProxy CRD.
  • Listener Access Logs: Adds support for configuring Listener level Access Logs for EnvoyProxy.
  • Native Prometheus Metrics: Introduced a Prometheus metrics endpoint for rate limit monitoring.

Helm Customization

  • SecurityContext Options: Customizable security context for improved deployment.
  • NodeSelector and PriorityClassName: Added for more granular deployment configuration.

🐞 Bug Fixes

  • Fixed xDS translation failure when the WASM HTTP code source was configured without an SHA.
  • Resolved unsupported listener protocol types causing errors in Gateway status updates.
  • Fixed BackendTLSPolicy causing crashes due to invalid sectionName in Backend configurations.
  • Fixed propagation delays in SecurityPolicy updates for HTTPRoute when using targetSelectors.
  • Improved JSONPath to JSONPatch translation accuracy.
  • Fixed unwanted / appearing in paths when using prefix rewrites.
  • Corrected nil pointer errors when configuring hash load balancing.
  • Fixed active health check issues where expectedStatuses was not functioning properly.
  • Ensured correct status updates for Backend resources and HTTPRoute.

🚀 Performance Improvements

  • Memory Optimization: Enhanced memory usage by eliminating redundant resource storage.

⚙️ Other Notable Changes

  • Envoy Upgrade: Now using Envoy v1.32.1 for added stability and performance.
  • Optional Alpha CRD Watching: Allows Envoy Gateway to run with older Gateway API versions.

3.3 - Announcing Envoy Gateway v1.1

Envoy Gateway v1.1 release announcement.

We are thrilled to announce the arrival of Envoy Gateway v1.1.0.

This release represents a significant achievement, and we extend our heartfelt gratitude to the entire Envoy Gateway community for their contributions, dedication, and support. Your collaborative efforts have been instrumental in reaching this pivotal release.

Thank you for being an integral part of this journey. We are excited to see how Envoy Gateway v1.1.0 will empower your operations and look forward to continuing our work together to drive the future of Cloud Native API Gateway.

Release NotesDocsCompatibility MatrixDownload

What’s New

The release adds a ton of features and functionality. Here are some highlights:

Documentation

  • Added Concepts Doc
  • Added User Guide for Wasm Extension
  • Added User Guide for patching Envoy Service
  • Added User Guide for Backend MTLS
  • Added User Guide for Backend TLS Parameters
  • Added User Guide for IP Allowlist/Denylist
  • Added User Guide for Extension Server
  • Added User Guide for building Wasm image
  • Added Performance Benchmarking Document
  • Added User Guide for Zipkin Tracing
  • Added User Guide for Customizing Ordering of Filters
  • Added User Guide for External Processing Filter in EnvoyExtensionPolicy
  • Added User Guide for installation of egctl with brew
  • Added User Guide for Client Buffer Size Limit
  • Added User Guide for Client Idle Timeout
  • Added Chinese translation for release notes, roadmap, installation, development, contribution and several User Guides
  • Added User Guide for Backend resource
  • Added GA Blog Post
  • Added Threat Model
  • Added Adopters section to docs
  • Added User Guide and Dashboards for Control Plane and Resource Observability
  • Added User Guide for Connection Limits in ClientTrafficPolicy
  • Added User Guide on using Private Key Provider
  • Added Design Doc for Authorization
  • Added Design Doc for XDS Metadata
  • Added Design Doc for Backend resource
  • Added Design Doc for Control Plane Observability
  • Added Design Doc for EnvoyExtensionPolicy
  • Added Design Doc for External Processing in EnvoyExtensionPolicy
  • Updated Access Logging User Guide to include filtering with CEL Expression
  • Updated Access Logging User Guide to include Metadata
  • Updated Development Guide to require Golang 1.22
  • Updated Quickstart User Guide to fetch GATEWAY_HOST from Gateway resource
  • Updated Site to reflect GA status
  • Updated HTTP Redirect User Guide to not set a redirect port or require a BackendRef
  • Updated Observability User Guides to use gateway-addons-helm
  • Updated Gateway-API User Guide to reflect support for BackendRef filters
  • Updated HTTP Timeouts User Guide to highlight default Envoy timeouts
  • Updated Installation Guide to use server-side apply
  • Updated Installation Guide to refer to values.yaml docs
  • Updated BackendTLSPolicy User Guide to GW-API v1.1.0
  • Updated User Guides to use tabs when applying yaml from file or stdin
  • Updated OIDC User Guide to use HTTPS redirect URLs
  • Updated Order of versions in Site
  • Updated Extensbility User Gudie to use yaml-format patches
  • Updated Quickstart Guide to include next steps
  • Updated CRD docs to include enum values
  • Updated Extensibility User Guide with Envoy Patch Policy examples
  • Updated structure of docs: rename Guides to Tasks, move Contribution
  • Updated Support Matrix
  • Updated egctl x status docs for xRoute and xPolicy
  • Updated egctl User Guide with Install and Uninstall commands
  • Updated GRPCRoute docs to use v1 instead of v1alpha2
  • Fixed Rate Limiting User Guide to use correct CIDR matcher type names
  • Fixed User Guide for JWT-based routing
  • Fixed JSON Access Log Example
  • Use linkinator to detect dead links in docs
  • Use helm-docs to generate chart docs
  • Support Not-Implemented-Hide marker in API docs

Installation

  • Added startupProbe to all provisioned containers to reduce risk of restart
  • Added new gateway-addons-helm chart for Observability
  • Added support for global image settings for all images in Envoy Gateway helm chart
  • Added Support for PodDistruptionBudget for Envoy Gateway
  • Added Support for TopologySpreadConstraints for Envoy Gateway
  • Added Support for Tolerations for Envoy Gateway
  • Added Support for Ratelimit image pull secrets and pull policy
  • Updated ttlSecondsAfterFinished on certgen job to 30 by default
  • Updated Envoy Gateway ImagePullPolicy to IfNotPresent released charts
  • Remove envoy-gateway-metrics-service and merge its contents into envoy-gateway service

API

  • Added Support for Gateway-API v1.1.0
  • Added new Backend CRD
  • Added new EnvoyExtensionPolicy CRD
  • Added Support for Plural Target Refs and Target Selectors in xPolicy CRDs
  • Added Support for Backend CRD BackendRefs in HTTPRoute, GRPCRoute and EnvoyExtensionPolicy CRDs
  • Added Support for Custom Extension Server Policy CRDs in EnvoyGateway Config
  • Added Support for Custom ShutDownManager Image in EnvoyGateway Config
  • Added Support for Leader Election in EnvoyGateway Config
  • Added Support for Connecting to Extension Server over Unix Domain Socket in EnvoyGateway Config
  • Added Support for Proxy PodDisruptionBudget in EnvoyProxy CRD
  • Added Support for Running Envoy Proxy as a Daemonset in EnvoyProxy CRD
  • Added Support for Proxy Loadbalancer Source Ranges in EnvoyProxy CRD
  • Added Support for Proxy Prometheus Metrics Compression in EnvoyProxy CRD
  • Added Support for BackendRefs in Access Log, Metric and Trace Sinks in EnvoyProxy CRD
  • Added Support for Rate Limiting Tracing in EnvoyProxy CRD
  • Added Support for Routing to Service IP in EnvoyProxy CRD
  • Added Support for Access Log CEL filters in EnvoyProxy CRD
  • Added Support for Access Log Formatters for File and OpenTelemetry in EnvoyProxy CRD
  • Added Support for Zipkin Tracing in EnvoyProxy CRD
  • Added Support for using the Listener port as a the Container port in EnvoyProxy CRD
  • Added Support for OpenTelemtry Sink Export Settings in EnvoyProxy CRD
  • Added Support for Backend Client Certificate Authentication in EnvoyProxy CRD
  • Added Support for Backend TLS Settings in EnvoyProxy CRD
  • Added Support for HTTP Filter Ordering in EnvoyProxy CRD
  • Added Support for gRPC Access Log Service (ALS) Sink in EnvoyProxy CRD
  • Added Support for OpenTelelemetry Sinks as a BackendRef in EnvoyProxy CRD
  • Added Support for User-Provided name for generate Kubernetes resources in EnvoyProxy CRD
  • Added Support for Per-Endpoint stats in EnvoyProxy CRD
  • Added Support for Targeting SectionNames in ClientTrafficPolicy CRD
  • Added Support for Preserving X-Request-ID header in ClientTrafficPolicy CRD
  • Added Support for Using Downstream Protocol in Upstream connections in ClientTrafficPolicy CRD
  • Added Support for HTTP/2 settings in ClientTrafficPolicy CRD
  • Added Support for Connection Buffer Size Limit in ClientTrafficPolicy CRD
  • Added Support for HTTP Health Check in ClientTrafficPolicy CRD
  • Added Support for Optionally requiring a Client Certificate in ClientTrafficPolicy CRD
  • Added Support for Headers with Underscores CRD in ClientTrafficPolicy CRD
  • Added Support for XFCC header processing in ClientTrafficPolicy CRD
  • Added Support for TCP Listener Idle Timeout in ClientTrafficPolicy CRD
  • Added Support for IdleTimeout in ClientTrafficPolicy CRD
  • Added Support for Connection Limits in ClientTrafficPolicy CRD
  • Added Support for additional OIDC settings related to Resource, Token and Cookie in SecurityPolicy CRD
  • Added Support for Optionally requiring a JWT in SecurityPolicy CRD
  • Added Support for BackendRefs for Ext-Auth in SecurityPolicy CRD
  • Added Support for Authorization in SecurityPolicy CRD
  • Added Support for Ext-Auth failOpen in SecurityPolicy CRD
  • Added Support for Loadbalancer Cookie Consistent Hashing in BackendTrafficPolicy CRD
  • Added Support for Disabling X-RateLimit headers in BackendTrafficPolicy CRD
  • Added Support for Connection Buffer Size Limit in BackendTrafficPolicy CRD
  • Added Support for Loadbalancing Consistent Hash Table Size in BackendTrafficPolicy CRD
  • Added Support for Loadbalancing Header Hash Policy in BackendTrafficPolicy CRD
  • Added Support for Cluster Connection Buffer Size Limit in BackendTrafficPolicy
  • Added Support for more Rate Limit Rules in BackendTrafficPolicy CRD
  • Added Support for Wasm extension in EnvoyExtensionPolicy CRD
  • Added Support for External Processing extension in EnvoyExtensionPolicy CRD
  • Removed Status Print Column from xPolicy CRDs

Breaking Changes

  • SecurityPolicy translation failures will now cause routes referenced by the policy to return an immediate 500 response
  • Gateway-API BackendTLSPolicy v1alpha3 is incompatible with previous versions of the CRD
  • xPolicy targetRefs can no longer specify a namespace, since Gateway-API v1.1.0 uses LocalPolicyTargetReferenceWithSectionName in Policy resources

Deprecations

  • xPolicy targetRef is deprecated, use targetRefs instead
  • SecurityPolicy ExtAuth BackendRef is deprecated, use BackendRefs instead
  • OpenTelemetry Proxy Access Log Host and Port are deprecated, use backendRefs instead
  • OpenTelemetry Proxy Metrics Sink Host and Port are deprecated, use backendRefs instead
  • Proxy Tracing Provider Host and Port are deprecated, use backendRefs instead
  • Envoy Gateway Extension Server Host and Port are deprecated, use BackendEndpoint instead

Conformance

  • Added Supported Features to Gateway Class

Testing

  • Added e2e test for Client MTLS
  • Added e2e test for Load Balancing
  • Added performance benchmarking test
  • Added e2e test for Zipking Tracing
  • Added e2e test for HTTP Health Checks
  • Added e2e test for CEL Access Log Filter
  • Added e2e test for GRPC Access Log Service Sink
  • Added e2e test for XDS Metadata
  • Added e2e test for Wasm from OCI Images and HTTP Source
  • Added e2e test for Service IP Routing
  • Added e2e test for Multiple GatewayClasses
  • Added e2e test for HTTP Full Path rewrite
  • Added e2e test for Backend API
  • Added e2e test for Backend TLS Settings
  • Added e2e test for disabling X-RateLimit Headers
  • Added e2e test for Authorization
  • Added e2e test for BackendRefs in Ext-Auth
  • Added e2e test for Using Client Protocol in Upstream Connection
  • Added e2e test for Backend Client Cert Authentication
  • Added e2e test for External Processing Filter
  • Added e2e test for Merge Gateways Feature
  • Added e2e test for Option JWT authentication
  • Added e2e test for Infrastructure using Server-Side Apply
  • Added e2e test for Connection Limits
  • Added e2e test for Envoy Graceful Shutdown
  • Updated e2e test for Limit to cover multiple listeners
  • Updated e2e test for CORS to not require access-control-expose-headers
  • Run CEL tests on all supported K8s versions
  • Added OSV Scanner for Golang Vulnerabilities and Licenses
  • Added Trivy scanner for Docker images

Translator

  • Added Support for BackendRef HTTP Filters
  • Added Support for attaching EnvoyProxy to Gateways
  • Added Support for cross-namespace EnvoyProxy reference from GatewayClass
  • Added Support for Backend Traffic Policy for UDPRoute and TCPRoute
  • Added Support for ClientTrafficPolicy for UDPRoute and TCPRoute
  • Added Support for multiple BackendRefs in TCPRoute and UDPRoute
  • Added Metrics related to XDS Server, Infra Manager and Controller
  • Added Support for PolicyStatus in EnvoyPatchPolicy
  • Added Support for Websocket upgrades in HTTP/1 Routes
  • Added Support for custom controller name in egctl
  • Added Support for BackendTLSPolicy CA Certificate reference to Secret
  • Added names to Filter Chains
  • Added Support extension server hooks for TCP and UDP listeners
  • Added Support for attaching EnvoyProxy resource to Gateways
  • Added Support for Exposing Prometheus Port in Rate Limiter Service
  • Added Support for Optional Rate Limit Backend Redis
  • Updated OAuth2 filter to preserve Authorization header if OIDC token forwarding is enabled
  • Updated Default Filter Order to have Fault filter first in the HTTP Filter Chain
  • Updated Ext-Auth Per-Route config to use filter-specific Config Type
  • Updated Overload Manager configuration according to Envoy recommendations by default
  • Updated Infrastructure resource management to user Server-Side Apply
  • Updated Reflection of Errors in Gateway Status when too many addresses are assigned
  • Fixed enforcement of same-namespace for BackendTLSPolicy and target
  • Fixed processing all listeners before returning with an error
  • Fixed creation of infrastructure resources if there are no listeners
  • Fixed use GatewayClass Name for Observability if Merge Gateways is enabled
  • Fixed CORS to not forward Not-Matching Preflights to Backends
  • Fixed BackendTLSPolicy status to fully conform with PolicyStatus
  • Fixed duplication of Ext-Auth, OIDC and Basic Auth Filters
  • Fixed Proxy Protocol Filter to always be the first Listener Filter
  • Fixed Translation Consistency by sorting Gateways
  • Fixed QUIC Listener to only Advertise HTTP/3 over ALPN
  • Fixed SNI matching for TCP Routes with TLS termination
  • Fixed Reconciliation when EnvoyProxy backendRefs changes
  • Fixed Reconciliation when a referenced Secret or ConfigMap changes
  • Fixed ReplaceFullPath not working for root path
  • Fixed Default Application Protocol to TCP for Zipkin Tracing
  • Fixed not appending well-known ports (80, 443) in rediret Location header

Providers

  • Bumped K8s Client to v0.30.0

XDS

  • Bumped go-control-plane to v0.12.1

CLI

  • Added egctl x collect command
  • Added Support for Install and Uninstall commands to egctl
  • Added Support for xRoute and xPolicy in egctl x status
  • Added Golang version to Envoy Gateway version command
  • Fixed egctl x status gatewayclass example message

3.4 - Announcing Envoy Gateway v1.0

Envoy Gateway v1.0 release announcement.

We are thrilled to announce the arrival of Envoy Gateway v1.0.0, marking the official General Availability (GA) milestone for the project!

This release represents a significant achievement, and we extend our heartfelt gratitude to the entire Envoy Gateway community for their contributions, dedication, and support. Your collaborative efforts have been instrumental in reaching this pivotal release.

Thank you for being an integral part of this journey. We are excited to see how Envoy Gateway v1.0.0 will empower your operations and look forward to continuing our work together to drive the future of Cloud Native API Gateway.

Release NotesDocsCompatibility MatrixDownload

What’s New

The release adds a ton of features and functionality. Here are some highlights:

Documentation

  • Added User Guide for Local Ratelimit
  • Added User Guide for Circuit Breaker
  • Added User Guide for fault injection
  • Added User Guide for EnvoyProxy extraArgs
  • Added User Guide for Timeouts in ClientTrafficPolicy
  • Added User Guide for JWT claim base routing
  • Added User Guide for HTTP Timeout
  • Added User Guide for Retry in BackendTrafficPolicy
  • Added User Guide for Basic Auth
  • Added User Guide for OIDC
  • Added User Guide for ClientTrafficPolicy
  • Added User Guide for BackendTrafficPolicy
  • Added User Guide for Basic Auth using HTTPS
  • Added User Guide for External Authorization
  • Added User Guide for Routing Outside Kubernetes
  • Added User Guide for BackendTLSPolicy
  • Added User Guide for Mutual TLS from External Clients to the Gateway
  • Added User Guide for Control Plane Authentication using custom certs
  • Added User Guide for Multiple Gatewayclass and Merge Gateways Deployment Mode
  • Added Type and required for CRD API doc
  • Refactored Structure of User Guide docs
  • Refactored Move Design docs under “Get Involved”
  • Updated crd-ref-docs to 0.0.10
  • Updated Envoy proxy image to envoy:distroless-dev in main

Installation

  • Added Support for Pulling envoyGateway image from a private registry
  • Added Support for Configuring resources for certgen job
  • Added Support for Configuring affinity for EnvoyGateway pod

API

  • Added Support for Downstream QUIC/HTTP3 in ClientTrafficPolicy CRD
  • Added Support for Downstream MTLS in ClientTrafficPolicy CRD
  • Added Support for Enabling EnvoyHeaders in ClientTrafficPolicy CRD
  • Added Support for DisableMergeSlash and escapedSlashesAction in ClientTrafficPolicy CRD
  • Added Support for EnableTrailers in HTTP/1.1 in ClientTrafficPolicy CRD
  • Added Support for Preserving header letter-case on HTTP/1 in ClientTrafficPolicy CRD
  • Added Support for Enabling HTTP/1.0 and HTTP/0.9 in ClientTrafficPolicy CRD
  • Added Support for Client IP Detection using XFF in ClientTrafficPolicy CRD
  • Added Support for Client IP Detection using Custom Header in ClientTrafficPolicy CRD
  • Added Support for Connection Timeouts in ClientTrafficPolicy CRD
  • Added Support for Common TLS configuration properties in ClientTrafficPolicy CRD
  • Added Support for Proxy protocol in ClientTrafficPolicy CRD
  • Added Support for TCPKeepAlive in ClientTrafficPolicy CRD
  • Added Support for Local rate limit in BackendTrafficPolicy CRD
  • Added Support for CircuitBreaker in BackendTrafficPolicy CRD
  • Added Support for Fault injection in BackendTrafficPolicy CRD
  • Added Support for Passive Health Checks in BackendTrafficPolicy CRD
  • Added Support for Active Health Checks in BackendTrafficPolicy CRD
  • Added Support for Connection Timeouts in BackendTrafficPolicy CRD
  • Added Support for Compressor/Decompressor in BackendTrafficPolicy CRD
  • Added Support for Retry in BackendTrafficPolicy CRD
  • Added Support for Slow start mode in BackendTrafficPolicy CRD
  • Added Support for Proxy protocol in BackendTrafficPolicy CRD
  • Added Support for TCPKeepAlive in BackendTrafficPolicy CRD
  • Added Support for PolicyStatus in BackendTrafficPolicy CRD
  • Added Support for PolicyStatus in ClientTrafficPolicy CRD
  • Added Support for PolicyStatus in SecurityPolicy CRD
  • Added Support for OIDC in SecurityPolicy CRD
  • Added Support for Basic Auth in SecurityPolicy CRD
  • Added Support for RedirectURL and signoutPath to OIDC in SecurityPolicy CRD
  • Added Support for ExtractFrom headers and params to JWT in SecurityPolicy CRD
  • Added Support for External Authorization in SecurityPolicy CRD
  • Added Support for RecomputeRoute field to JWT in SecurityPolicy CRD
  • Added Support for AllowCredentials knob to CORS setting in SecurityPolicy CRD
  • Added Support for Extract from different identifier to JWT in SecurityPolicy CRD
  • Added Support for Secret resource in EnvoyPatchPolicy CRD
  • Added Support for Making the value optional for JSONPatchOperation in EnvoyPatchPolicy CRD
  • Added Support for From field to JSONPatchOperation in EnvoyPatchPolicy CRD
  • Added Support for MergeGateways in EnvoyPatchPolicy CRD
  • Added Support for Upstream TLS by implementing BackendTLSPolicy CRD
  • Added Support for LabelSelector type for NamespaceSelectors in EnvoyGateway Configuration
  • Added Support for Ratelimit prometheus in EnvoyGateway Configuration
  • Added Support for Gracefully drain listeners before envoy shutdown on pod termination in EnvoyProxy CRD
  • Added Support for Configuring externalTrafficPolicy to the envoy service in EnvoyProxy CRD
  • Added Support for Envoy extra args in EnvoyProxy CRD
  • Added Support for Mergepatch to envoyproxy/ratelimit deployment in EnvoyProxy CRD
  • Added Support for Mergepatch to envoyproxy service in EnvoyProxy CRD
  • Added Support for NodeSelector to PodSpec in EnvoyProxy CRD
  • Added Support for HorizontalPodAutoscaler in EnvoyProxy CRD
  • Added Support for TopologySpreadConstraints to PodSpec in EnvoyProxy CRD
  • Added Support for ImagePullSecrets to PodSpec in EnvoyProxy CRD

Breaking Changes

  • Use wildcard to match AllowOrigins to CORS in SecurityPolicy CRD
  • Remove Hostnetwork support in EnvoyProxy CRD

Conformance

  • Replaced backend image from gcr.io/k8s-staging-ingressconformance/echoserver to gcr.io/k8s-staging-gateway-api/echo-basic

Testing

  • Added e2e test for Header Case-Preserving
  • Added e2e test for Timeout in ClientTrafficPolicy
  • Added e2e test for JWT claim base routing
  • Added e2e test for OIDC
  • Added e2e test for BackendTrafficPolicy Retry
  • Added e2e test for Backend Upgrade
  • Added e2e test for External Authorization
  • Added e2e test for Backend TLS policy
  • Added e2e test for Envoy Gateway Release Upgrade
  • Added e2e test for Weighted backend
  • Added validation for LoadBalancerIP to prevent trailing period

Translator

  • Fixed Prefix match to prevent mismatching routes with the same prefix
  • Fixed Multiple reconciling by implementing comparable interface for ir.Infra
  • Fixed EndpointSlice with empty conditions {}
  • Fixed Error handling when parsing the http request timeout
  • Fixed No status when EnvoyPatchPolicy is disabled
  • Fixed Printable for xds and infra IRs
  • Fixed Skip backendRefs with weight set to 0
  • Fixed AND Header matches in ratelimiting not working
  • Fixed Deletion logics when no gatewayclasses exist
  • Fixed Match mergedGateways irKey for ClientTrafficPolicy
  • Fixed Policies should apply only to gateways they were attached to when mergeGateways is true
  • Fixed Listener status is not surfaced for gateways when MergeGateways enabled
  • Fixed GRPCroute websocket not working by moving web socket upgrade config from hcm to route
  • Fixed Configure idle timeout when timeout is set on HTTPRoute
  • Fixed Relaxing HTTPS restriction for OIDC token endpoint
  • Fixed Panic when translating routes with empty backends
  • Fixed Xds translation should be done in a best-effort manner
  • Fixed Delete unused status keys from watchable
  • Fixed Ignoring finalizers when comparing envoy proxy service
  • Fixed Don’t override the ALPN array if HTTP/3 is enabled
  • Fixed Add h3 ALPN by default if HTTP/3 is enabled
  • Fixed Change the Merge behavior to Replace for SecurityPolicy/BackendTrafficPolicy
  • Fixed Use service port in alt-svc header if HTTP/3 is enabled
  • Fixed Prevent policies targeting non-TLS listeners on the same port from conflicting
  • Fixed Skip the ReasonTargetNotFound for all policies
  • Fixed Skip publishing empty status for all policies
  • Added Support for validating regex before sending to Envoy
  • Added Support for setting spec.addresses.value into ClusterIP when Service Type is ClusterIP
  • Added Unsupported status condition for filters within BackendRef
  • Added List instead of map for Provider Resources for order stability
  • Added Suffix for oauth cookies to prevent multiple oauth filters from overwriting each other’s cookies
  • Added Support for overriding condition to BackendTrafficPolicy and SecurityPolicy
  • Added Support for default retry budget and retry host predicate
  • Added Support for implementing gateway.spec.infrastructure
  • Added Support for Upstream TLS to multiple Backends
  • Added Validation for CA Cert in ClientTrafficPolicy

Providers

  • Added Support for multiple GatewayClass per controller
  • Added SecurityPolicyIndexers in Kubernetes Provider
  • Added Support for generating HMAC secret in CertGen Job
  • Fixed Finalizer logic when deleting Gatewayclasses
  • Fixed MergeGateways panics when restarting control plane

XDS

  • Added Support for EDS cache
  • Added Support for ADS cache to ensure the rule order
  • Fixed Deprecated field error when using RequestHeaderModifier filter
  • Fixed Envoy rejects XDS at runtime losing all routes on restart
  • Fixed Requests not matching defined routes trigger per-route filters
  • Bumped go-control-plane to v0.12.0

CLI

  • Added Support for egctl x status
  • Added Support for egctl experimental dashboard envoy-proxy
  • Added Support for egctl config ratelimit
  • Added Support for egctl translate from gateway-api resources to IR

3.5 - Announcing Envoy Gateway v0.6

Envoy Gateway v0.6 release announcement.

We are pleased to announce the release of Envoy Gateway v0.6!

This is the fifth functional release of Envoy Gateway. We would like to thank the entire Envoy Gateway community for helping publish the release.

Release NotesDocsCompatibility MatrixDownload

What’s New

The release adds a ton of features and functionality. Here are some highlights:

Gateway API

  • Upgraded to Gateway API v1.0
  • Added support for HTTPRoute Timeouts

Add Control Plane Proxy Telemetry

  • Added Support for Metrics Telemetry

Add Support for directly configuring xDS

  • Added Support for the EnvoyPatchPolicy API

ClientTrafficPolicy

  • Added Support for configuring Downstream Keep Alives

BackendTrafficPolicy

  • Added Support for configuring Rate limiting
  • Added Support for configuring load balancing

SecurityPolicy

  • Added Support for configuring JWT
  • Added Support for configuring CORS

API Updates

  • Added support for selectively watching resources based on Namespace Selector
  • Added EnvoyGateway Metrics with Prometheus and OpenTelemetry support
  • Added Support for InitContainers in EnvoyProxy CRD
  • Added Support for LoadBalancerIP in EnvoyProxy CRD
  • Added Support for AllocateLoadBalancerNodePorts in EnvoyProxy CRD
  • Added Support for LoadBalancerClass in EnvoyProxy CRD
  • Added Support for selecting EnvoyProxy stats to be generated
  • Added Support for enabling EnvoyProxy Virtual Host metrics
  • Added Support for Merging Gateway resources onto the same infrastructure

CLI

  • Added egctl stats command

Kubernetes Provider

  • Improved reconiliation by using the same enqueue request for all resources
  • Added support for reconciling ServiceImport CRD

Breaking changes

  • Removed RateLimitFilter, and replaced it with BackendTrafficPolicy
  • Removed AuthenticationFilter, and replaced it with SecurityPolicy
  • Moved the EnvoyProxy CRD from config.gateway.envoyproxy.io to gateway.envoyproxy.io
  • Converted the bootstrap field within EnvoyProxy into a struct to support merge operations.

3.6 - Announcing Envoy Gateway v0.5

Envoy Gateway v0.5 release announcement.

We are pleased to announce the release of Envoy Gateway v0.5!

This is the fourth functional release of Envoy Gateway. We would like to thank the entire Envoy Gateway community for helping publish the release.

Release NotesDocsCompatibility MatrixDownload

What’s New

The release adds a ton of features and functionality. Here are some highlights:

Upgrade Gateway API Dependency

  • Upgraded to Gateway API v0.7.1

Add Data Plane Proxy Telemetry

  • Added Support for Access Logging, Tracing and Metrics Telemetry

Add Support for directly configuring xDS

  • Added Support for the EnvoyPatchPolicy API

Ratelimiting

  • Added Support for Distinct Ratelimiting Based On IP Addresses
  • Added Support for JWT Claim based Ratelimiting
  • Switched to Xds SOTW Server for RateLimit Service Configuration

API Updates

  • Added Support for configuring EnvoyProxy Pod Labels
  • Added Support for configuring EnvoyProxy Deployment Strategy Settings, Volumes and Volume Mounts
  • Added Support for configuring EnvoyProxy as a NodePort Type Service
  • Added Admin Server for Envoy Gateway
  • Added Pprof Debug Support for Envoy Gateway
  • Added Support to Watch for Resources in Select Namespaces

Envoy Proxy

  • Added Best Practices Default Edge Settings to Xds Resources

3.7 - Announcing Envoy Gateway v0.4

Envoy Gateway v0.4 release announcement.

We are pleased to announce the release of Envoy Gateway v0.4!

This is the third functional release of Envoy Gateway. We would like to thank the entire Envoy Gateway community for helping publish the release.

Release NotesDocsCompatibility MatrixDownload

What’s New

The release adds a ton of features and functionality. Here are some highlights:

Upgrade Gateway API Dependency

  • Upgraded to Gateway API v0.6.2

Add Helm Support

  • Installation of Envoy Gateway can now be done through helm

Add egctl CLI Tool

  • Added egctl Support for Dry Runs of Gateway API Config
  • Added egctl Support for Dumping Envoy Proxy xDS Resources

Add Support for extending Envoy Gateway

  • Added Initial Framework for Building an Extension on top of Envoy Gateway

Ratelimiting

  • Added Support for Ratelimiting Based On IP Subnet

API Updates

  • Added Support for Custom Envoy Proxy Bootstrap Config
  • Added Support for Configuring the Envoy Proxy Image and Service
  • Added Support for Configuring Annotations, Resources, and Securitycontext Settings on Ratelimit Infra and Envoy Proxy
  • Added Support for Using Multiple Certificates on a Single Fully Qualified Domain Name
  • Envoy Proxy Pod and Container SecurityContext is now Configurable
  • Added Support for Service Method Match in GRPCRoute
  • Added EDS Support

3.8 - Announcing Envoy Gateway v0.3

Envoy Gateway v0.3 release announcement.

We are pleased to announce the release of Envoy Gateway v0.3!

This is the second functional release of Envoy Gateway. We would like to thank the entire Envoy Gateway community for helping publish the release.

Release NotesDocsCompatibility MatrixDownload

What’s New

The release adds a ton of features and functionality. Here are some highlights:

Add Support for extended Gateway API fields

  • Added Support for HTTPRoute URLRewrite Filter
  • Added Support for HTTPRoute RequestMirror Filter
  • Added Support for HTTPRoute ResponseHeaderModifier Filter

Add Support for experimental Gateway APIs

  • Added Support for the TCPRoute API
  • Added Support for the UDPRoute API
  • Added Support for the GRPCRoute API

Add Support for Rate Limiting

  • Added Support for Global Rate Limiting

Add Support for Authentication

  • Added Support for Request Authentication

3.9 - Announcing Envoy Gateway v0.2

Envoy Gateway v0.2 release announcement.

We are pleased to announce the release of Envoy Gateway v0.2!

This is the first functional release of Envoy Gateway. We would like to thank the entire Envoy Gateway community for helping publish the release.

Release NotesDocsCompatibility MatrixDownload

What’s New

The release adds a ton of features and functionality. Here are some highlights:

Kubernetes Support

Run Envoy Gateway in a Kubernetes cluster. Checkout the quickstart guide to get started with Envoy Gateway in a few simple steps.

Gateway API Support

Envoy Gateway supports Gateway API resources for running and configuring a managed fleet of Envoy proxies. Envoy Gateway passes Gateway API core conformance tests and supports GatewayClass, Gateway, HTTPRoute, and TLSRoute resources. See the documentation for additional details on how to use Envoy Gateway for your edge proxy and API gateway needs.

Envoy Gateway at EnvoyCon NA

Envoy Gateway will be at EnvoyCon NA this October in Detroit. Don’t miss our talk to learn more about the release and future direction of the project.

3.10 - Compatibility Matrix

This section includes Compatibility Matrix of Envoy Gateway.

Envoy Gateway relies on the Envoy Proxy and the Gateway API, and runs within a Kubernetes cluster. Not all versions of each of these products can function together for Envoy Gateway. Supported version combinations are listed below; bold type indicates the versions of the Envoy Proxy and the Gateway API actually compiled into each Envoy Gateway release.

Envoy Gateway versionEnvoy Proxy versionRate Limit versionGateway API versionKubernetes version
latestdev-latestmasterv1.2.0v1.29, v1.30, v1.31, v1.32
v1.2distroless-v1.32.128b1629av1.2.0v1.28, v1.29, v1.30, v1.31
v1.1distroless-v1.31.091484c59v1.1.0v1.27, v1.28, v1.29, v1.30
v1.0distroless-v1.29.219f2079fv1.0.0v1.26, v1.27, v1.28, v1.29
v0.6distroless-v1.28-latestb9796237v1.0.0v1.26, v1.27, v1.28
v0.5v1.27-lateste059638dv0.7.1v1.25, v1.26, v1.27
v0.4v1.26-latest542a6047v0.6.2v1.25, v1.26, v1.27
v0.3v1.25-latestf28024e3v0.6.1v1.24, v1.25, v1.26
v0.2v1.23-latestv0.5.1v1.24