v1.5.0-rc1

  4 minute read  

Date: July 30, 2025

Breaking changes

  • Use gateway name as proxy fleet name for gateway namespace mode.
  • Endpoints that are absent from service discovery are removed even if their active health checks succeed.
  • The xDS listener name are now renamed based on its listening port and protocol, instead of the Gateway name and section name. This breaks existing EnvoyPatchPolicies and ExtensionManagers as they depend on the old naming scheme. This change is guarded by the XDSNameSchemeV2 runtime flag. This flag is disabled by default in v1.5, and it will be enabled in v1.6. We recommend users to migrate their EnvoyPatchPolicies and ExtensionManagers to use the new listener names before v1.6.

Security updates

  • Disable automountServiceAccountToken for proxy and ratelimit deployments and serviceAccounts

New features

  • Added support for percentage-based request mirroring
  • Added support for setting initialJitter in the BackendTrafficPolicy active health check.
  • Add an option to OIDC authentication to bypass it and defer to JWT when the request contains an “Authorization: Bearer …” header.
  • Added support for configuring Subject Alternative Names (SANs) for upstream TLS validation via BackendTLSPolicy.validation.subjectAltNames.
  • Added support for local rate limit header.
  • Added XDS metadata for clusters and endpoints from xRoutes and referenced backend resources (Backend, Service, ServiceImport).
  • Added support for setting ownerreference to infra resources when enable gateway namespace mode.
  • Added support for configuring hostname in active HTTP healthchecks.
  • Added support for GatewayInfrastructure in gateway namespace mode.
  • Added support for configuring maxConnectionsToAcceptPerSocketEvent in listener via ClientTrafficPolicy.
  • Added support for setting GatewayClass ownerreference to infra resources when all cases except gateway namespace mode.
  • Added support for setting previous priorities retry predicate.
  • Added support for using extension server policies to in PostTranslateModify hook.
  • Added support for configuring cluster stat name for HTTPRoute and GRPCRoute in EnvoyProxy CRD.
  • Added support for configuring SameSite attribute for Oauth cookies for OIDC authentication.
  • Added support for configuring the cache sync period for K8s provider.
  • Added support for fallback to first key when load ca certificate from Secret or ConfigMap.
  • Added support for configuring user provided name to generated HorizontalPodAutoscaler and PodDisruptionBudget resources.
  • Added support for client certificate validation (SPKI, hash, SAN) in ClientTrafficPolicy.
  • Added support for OIDC RP initialized logout. If the end session endpoint is explicitly specified or discovered from the issuer’s well-known url, the end session endpoint will be invoked when the user logs out.
  • Added support for specifying deployment annotations through the helm chart.
  • Added support for customizing the name of the ServiceAccount used by the Proxy.
  • Added support for custom backendRefs via extension server using PostClusterModify hook.
  • Added support for SecurityPolicy and EnvoyExtensionPolicy to target ServiceImport via BackendRefs.
  • Introduce validation strictness levels for Lua scripts in EnvoyExtensionPolicies.
  • Added metric watchable_publish_total counting store events in watchable message queues.
  • Added support for forwarding client ID header and sanitizing API keys for API Key authentication in SecurityPolicy.
  • Accessloggers of type ALS now have http2 enabled on the cluster by default.
  • Extends BackendTLSSettings support to all Backend types.
  • Added support for using ClusterTrustBundle as CA.
  • Added support for using Secret as a source of the OIDC client ID.
  • Added support for listeners and routes in PostTranslateModifyHook extension hook.
  • Added admin console support with web UI for the Envoy Gateway admin server.
  • Added support for configuring Zone Aware Routing via BackendTrafficPolicy.
  • Added support for endpoint override policy based on Header.

Bug fixes

  • Handle integer zone annotation values
  • Fixed issue where WASM cache init failure caused routes with WASM-less EnvoyExtensionPolicies to have 500 direct responses.
  • Fixed issue which UDP listeners were not created in the Envoy proxy config when Gateway was created.
  • Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set in ClientTrafficPolicy.
  • Fixed issue that switch on wrong SubjectAltNameType enum value in BackendTLSPolicy.
  • Fixed issue that BackendTLSPolicy should not reference ConfigMap or Secret across namespace.
  • Fixed bug in certificate SANs overlap detection in listeners.
  • Fixed issue where EnvoyExtensionPolicy ExtProc body processing mode is set to FullDuplexStreamed, but trailers were not sent.
  • Fixed validation issue where EnvoyExtensionPolicy ExtProc failOpen is true, and body processing mode FullDuplexStreamed is not rejected.
  • Add ConfigMap indexers for EnvoyExtensionPolicies to reconcile Lua changes
  • Fixed issue that default accesslog format not working.
  • Fixed validation errors when the rateLimit url for Redis in the EnvoyGateway API includes multiple comma separated hosts.
  • Fixes addresses in status of DualStack NodePort Gateways.
  • Fixed issue that not able to override the prometheus annotation in EnvoyProxy CRD.
  • Skipped ExtProc, Wasm, and ExtAuth when they are configured FailOpen and the configuration is invalid, e.g. missing backendRefs or invalid port.
  • Fixed issue that failed to update policy status when there are more than 16 ancestors.
  • Fixed race condition in watchable.Map Snapshot subscription.
  • Fixed issue where HTTPRoutes with sessionPersistence caused the Envoy listeners to drain.

Performance improvements

Deprecations

Other changes


Last modified August 2, 2025: docs: skipping TLS verification (#6653) (ec3340c)