v1.7.5

Date: July 8, 2026

Breaking changes

Security updates

  • Bumped Envoy to 1.37.5 (through 1.37.4), which includes multiple security fixes. Refer to the Envoy 1.37.5 release notes.
  • Bumped Envoy ratelimit image to f2fb1577.
  • Bumped Go to 1.26.5 and 1.25.12, which includes security fixes to the crypto/tls and os packages.

New features

Bug fixes

  • Fixed the EnvoyProxy resource not allowing IPv6 ranges in loadBalancerSourceRanges when configuring the envoy service.
  • Fixed Backend TLS alpnProtocols: [] to disable upstream ALPN instead of inheriting EnvoyProxy BackendTLS defaults.
  • Fixed API key auth credential ordering to avoid unnecessary xDS updates.
  • Fixed an ExternalName Service referenced as a route backend producing an invalid xDS cluster (with an empty address) that failed IR validation and stalled config delivery for the whole snapshot. ExternalName Services are now explicitly rejected as backends with a ResolvedRefs: False route condition; use an Envoy Gateway Backend resource with an FQDN endpoint instead.
  • Fixed Gateway status reporting Programmed: False with reason AddressNotAssigned when the Envoy LoadBalancer service has no load balancer ingress (e.g. bare-metal clusters without a load balancer controller) but has addresses configured in spec.externalIPs, such as via an EnvoyProxy service patch. The external IPs are now used as a fallback for the Gateway status addresses.
  • Fixed EnvoyGateway config hot-reload to apply defaults before validation, so validators always run against a fully-defaulted struct on both the startup and reload paths.
  • Fixed a nil-pointer panic when provider.kubernetes.deploy is configured without a type.
  • Fixed DaemonSet pod not using the configured custom ServiceAccount name.
  • Fixed the rate limit requests CRD field to use format: int64 so Kubernetes 1.36 accepts the maximum constraint.

Performance improvements

Deprecations

Other changes