Announcing Envoy Gateway v1.1

Envoy Gateway v1.1 release announcement.

We are thrilled to announce the arrival of Envoy Gateway v1.1.0.

This release represents a significant achievement, and we extend our heartfelt gratitude to the entire Envoy Gateway community for their contributions, dedication, and support. Your collaborative efforts have been instrumental in reaching this pivotal release.

Thank you for being an integral part of this journey. We are excited to see how Envoy Gateway v1.1.0 will empower your operations and look forward to continuing our work together to drive the future of Cloud Native API Gateway.


What’s New

The release adds a ton of features and functionality. Here are some highlights:


  • Added Concepts Doc
  • Added User Guide for Wasm Extension
  • Added User Guide for patching Envoy Service
  • Added User Guide for Backend MTLS
  • Added User Guide for Backend TLS Parameters
  • Added User Guide for IP Allowlist/Denylist
  • Added User Guide for Extension Server
  • Added User Guide for building Wasm image
  • Added Performance Benchmarking Document
  • Added User Guide for Zipkin Tracing
  • Added User Guide for Customizing Ordering of Filters
  • Added User Guide for External Processing Filter in EnvoyExtensionPolicy
  • Added User Guide for installation of egctl with brew
  • Added User Guide for Client Buffer Size Limit
  • Added User Guide for Client Idle Timeout
  • Added Chinese translation for release notes, roadmap, installation, development, contribution and several User Guides
  • Added User Guide for Backend resource
  • Added GA Blog Post
  • Added Threat Model
  • Added Adopters section to docs
  • Added User Guide and Dashboards for Control Plane and Resource Observability
  • Added User Guide for Connection Limits in ClientTrafficPolicy
  • Added User Guide on using Private Key Provider
  • Added Design Doc for Authorization
  • Added Design Doc for XDS Metadata
  • Added Design Doc for Backend resource
  • Added Design Doc for Control Plane Observability
  • Added Design Doc for EnvoyExtensionPolicy
  • Added Design Doc for External Processing in EnvoyExtensionPolicy
  • Updated Access Logging User Guide to include filtering with CEL Expression
  • Updated Access Logging User Guide to include Metadata
  • Updated Development Guide to require Golang 1.22
  • Updated Quickstart User Guide to fetch GATEWAY_HOST from Gateway resource
  • Updated Site to reflect GA status
  • Updated HTTP Redirect User Guide to not set a redirect port or require a BackendRef
  • Updated Observability User Guides to use gateway-addons-helm
  • Updated Gateway-API User Guide to reflect support for BackendRef filters
  • Updated HTTP Timeouts User Guide to highlight default Envoy timeouts
  • Updated Installation Guide to use server-side apply
  • Updated Installation Guide to refer to values.yaml docs
  • Updated BackendTLSPolicy User Guide to GW-API v1.1.0
  • Updated User Guides to use tabs when applying yaml from file or stdin
  • Updated OIDC User Guide to use HTTPS redirect URLs
  • Updated Order of versions in Site
  • Updated Extensibility User Guide to use yaml-format patches
  • Updated Quickstart Guide to include next steps
  • Updated CRD docs to include enum values
  • Updated Extensibility User Guide with Envoy Patch Policy examples
  • Updated structure of docs: rename Guides to Tasks, move Contribution
  • Updated Support Matrix
  • Updated egctl x status docs for xRoute and xPolicy
  • Updated egctl User Guide with Install and Uninstall commands
  • Updated GRPCRoute docs to use v1 instead of v1alpha2
  • Fixed Rate Limiting User Guide to use correct CIDR matcher type names
  • Fixed User Guide for JWT-based routing
  • Fixed JSON Access Log Example
  • Use linkinator to detect dead links in docs
  • Use helm-docs to generate chart docs
  • Support Not-Implemented-Hide marker in API docs


  • Added startupProbe to all provisioned containers to reduce risk of restart
  • Added new gateway-addons-helm chart for Observability
  • Added support for global image settings for all images in Envoy Gateway helm chart
  • Added Support for PodDisruptionBudget for Envoy Gateway
  • Added Support for TopologySpreadConstraints for Envoy Gateway
  • Added Support for Tolerations for Envoy Gateway
  • Added Support for Ratelimit image pull secrets and pull policy
  • Updated ttlSecondsAfterFinished on certgen job to 30 by default
  • Updated Envoy Gateway ImagePullPolicy to IfNotPresent in released charts
  • Remove envoy-gateway-metrics-service and merge its contents into envoy-gateway service


  • Added Support for Gateway-API v1.1.0
  • Added new Backend CRD
  • Added new EnvoyExtensionPolicy CRD
  • Added Support for Plural Target Refs and Target Selectors in xPolicy CRDs
  • Added Support for Backend CRD BackendRefs in HTTPRoute, GRPCRoute and EnvoyExtensionPolicy CRDs
  • Added Support for Custom Extension Server Policy CRDs in EnvoyGateway Config
  • Added Support for Custom ShutDownManager Image in EnvoyGateway Config
  • Added Support for Leader Election in EnvoyGateway Config
  • Added Support for Connecting to Extension Server over Unix Domain Socket in EnvoyGateway Config
  • Added Support for Proxy PodDisruptionBudget in EnvoyProxy CRD
  • Added Support for Running Envoy Proxy as a Daemonset in EnvoyProxy CRD
  • Added Support for Proxy Loadbalancer Source Ranges in EnvoyProxy CRD
  • Added Support for Proxy Prometheus Metrics Compression in EnvoyProxy CRD
  • Added Support for BackendRefs in Access Log, Metric and Trace Sinks in EnvoyProxy CRD
  • Added Support for Rate Limiting Tracing in EnvoyProxy CRD
  • Added Support for Routing to Service IP in EnvoyProxy CRD
  • Added Support for Access Log CEL filters in EnvoyProxy CRD
  • Added Support for Access Log Formatters for File and OpenTelemetry in EnvoyProxy CRD
  • Added Support for Zipkin Tracing in EnvoyProxy CRD
  • Added Support for using the Listener port as the Container port in EnvoyProxy CRD
  • Added Support for OpenTelemetry Sink Export Settings in EnvoyProxy CRD
  • Added Support for Backend Client Certificate Authentication in EnvoyProxy CRD
  • Added Support for Backend TLS Settings in EnvoyProxy CRD
  • Added Support for HTTP Filter Ordering in EnvoyProxy CRD
  • Added Support for gRPC Access Log Service (ALS) Sink in EnvoyProxy CRD
  • Added Support for OpenTelemetry Sinks as a BackendRef in EnvoyProxy CRD
  • Added Support for User-Provided name for generated Kubernetes resources in EnvoyProxy CRD
  • Added Support for Per-Endpoint stats in EnvoyProxy CRD
  • Added Support for Targeting SectionNames in ClientTrafficPolicy CRD
  • Added Support for Preserving X-Request-ID header in ClientTrafficPolicy CRD
  • Added Support for Using Downstream Protocol in Upstream connections in ClientTrafficPolicy CRD
  • Added Support for HTTP/2 settings in ClientTrafficPolicy CRD
  • Added Support for Connection Buffer Size Limit in ClientTrafficPolicy CRD
  • Added Support for HTTP Health Check in ClientTrafficPolicy CRD
  • Added Support for Optionally requiring a Client Certificate in ClientTrafficPolicy CRD
  • Added Support for Headers with Underscores in ClientTrafficPolicy CRD
  • Added Support for XFCC header processing in ClientTrafficPolicy CRD
  • Added Support for TCP Listener Idle Timeout in ClientTrafficPolicy CRD
  • Added Support for IdleTimeout in ClientTrafficPolicy CRD
  • Added Support for Connection Limits in ClientTrafficPolicy CRD
  • Added Support for additional OIDC settings related to Resource, Token and Cookie in SecurityPolicy CRD
  • Added Support for Optionally requiring a JWT in SecurityPolicy CRD
  • Added Support for BackendRefs for Ext-Auth in SecurityPolicy CRD
  • Added Support for Authorization in SecurityPolicy CRD
  • Added Support for Ext-Auth failOpen in SecurityPolicy CRD
  • Added Support for Loadbalancer Cookie Consistent Hashing in BackendTrafficPolicy CRD
  • Added Support for Disabling X-RateLimit headers in BackendTrafficPolicy CRD
  • Added Support for Connection Buffer Size Limit in BackendTrafficPolicy CRD
  • Added Support for Loadbalancing Consistent Hash Table Size in BackendTrafficPolicy CRD
  • Added Support for Loadbalancing Header Hash Policy in BackendTrafficPolicy CRD
  • Added Support for Cluster Connection Buffer Size Limit in BackendTrafficPolicy
  • Added Support for more Rate Limit Rules in BackendTrafficPolicy CRD
  • Added Support for Wasm extension in EnvoyExtensionPolicy CRD
  • Added Support for External Processing extension in EnvoyExtensionPolicy CRD
  • Removed Status Print Column from xPolicy CRDs

Breaking Changes

  • SecurityPolicy translation failures will now cause routes referenced by the policy to return an immediate 500 response
  • Gateway-API BackendTLSPolicy v1alpha3 is incompatible with previous versions of the CRD
  • xPolicy targetRefs can no longer specify a namespace, since Gateway-API v1.1.0 uses LocalPolicyTargetReferenceWithSectionName in Policy resources


  • xPolicy targetRef is deprecated, use targetRefs instead
  • SecurityPolicy ExtAuth BackendRef is deprecated, use BackendRefs instead
  • OpenTelemetry Proxy Access Log Host and Port are deprecated, use backendRefs instead
  • OpenTelemetry Proxy Metrics Sink Host and Port are deprecated, use backendRefs instead
  • Proxy Tracing Provider Host and Port are deprecated, use backendRefs instead
  • Envoy Gateway Extension Server Host and Port are deprecated, use BackendEndpoint instead


  • Added Supported Features to Gateway Class


  • Added e2e test for Client MTLS
  • Added e2e test for Load Balancing
  • Added performance benchmarking test
  • Added e2e test for Zipkin Tracing
  • Added e2e test for HTTP Health Checks
  • Added e2e test for CEL Access Log Filter
  • Added e2e test for GRPC Access Log Service Sink
  • Added e2e test for XDS Metadata
  • Added e2e test for Wasm from OCI Images and HTTP Source
  • Added e2e test for Service IP Routing
  • Added e2e test for Multiple GatewayClasses
  • Added e2e test for HTTP Full Path rewrite
  • Added e2e test for Backend API
  • Added e2e test for Backend TLS Settings
  • Added e2e test for disabling X-RateLimit Headers
  • Added e2e test for Authorization
  • Added e2e test for BackendRefs in Ext-Auth
  • Added e2e test for Using Client Protocol in Upstream Connection
  • Added e2e test for Backend Client Cert Authentication
  • Added e2e test for External Processing Filter
  • Added e2e test for Merge Gateways Feature
  • Added e2e test for Optional JWT authentication
  • Added e2e test for Infrastructure using Server-Side Apply
  • Added e2e test for Connection Limits
  • Added e2e test for Envoy Graceful Shutdown
  • Updated e2e test for Limit to cover multiple listeners
  • Updated e2e test for CORS to not require access-control-expose-headers
  • Run CEL tests on all supported K8s versions
  • Added OSV Scanner for Golang Vulnerabilities and Licenses
  • Added Trivy scanner for Docker images


  • Added Support for BackendRef HTTP Filters
  • Added Support for attaching EnvoyProxy to Gateways
  • Added Support for cross-namespace EnvoyProxy reference from GatewayClass
  • Added Support for Backend Traffic Policy for UDPRoute and TCPRoute
  • Added Support for ClientTrafficPolicy for UDPRoute and TCPRoute
  • Added Support for multiple BackendRefs in TCPRoute and UDPRoute
  • Added Metrics related to XDS Server, Infra Manager and Controller
  • Added Support for PolicyStatus in EnvoyPatchPolicy
  • Added Support for Websocket upgrades in HTTP/1 Routes
  • Added Support for custom controller name in egctl
  • Added Support for BackendTLSPolicy CA Certificate reference to Secret
  • Added names to Filter Chains
  • Added Support extension server hooks for TCP and UDP listeners
  • Added Support for attaching EnvoyProxy resource to Gateways
  • Added Support for Exposing Prometheus Port in Rate Limiter Service
  • Added Support for Optional Rate Limit Backend Redis
  • Updated OAuth2 filter to preserve Authorization header if OIDC token forwarding is enabled
  • Updated Default Filter Order to have Fault filter first in the HTTP Filter Chain
  • Updated Ext-Auth Per-Route config to use filter-specific Config Type
  • Updated Overload Manager configuration according to Envoy recommendations by default
  • Updated Infrastructure resource management to use Server-Side Apply
  • Updated Reflection of Errors in Gateway Status when too many addresses are assigned
  • Fixed enforcement of same-namespace for BackendTLSPolicy and target
  • Fixed processing all listeners before returning with an error
  • Fixed creation of infrastructure resources if there are no listeners
  • Fixed use GatewayClass Name for Observability if Merge Gateways is enabled
  • Fixed CORS to not forward Not-Matching Preflights to Backends
  • Fixed BackendTLSPolicy status to fully conform with PolicyStatus
  • Fixed duplication of Ext-Auth, OIDC and Basic Auth Filters
  • Fixed Proxy Protocol Filter to always be the first Listener Filter
  • Fixed Translation Consistency by sorting Gateways
  • Fixed QUIC Listener to only Advertise HTTP/3 over ALPN
  • Fixed SNI matching for TCP Routes with TLS termination
  • Fixed Reconciliation when EnvoyProxy backendRefs changes
  • Fixed Reconciliation when a referenced Secret or ConfigMap changes
  • Fixed ReplaceFullPath not working for root path
  • Fixed Default Application Protocol to TCP for Zipkin Tracing
  • Fixed not appending well-known ports (80, 443) in redirect Location header


  • Bumped K8s Client to v0.30.0


  • Bumped go-control-plane to v0.12.1


  • Added egctl x collect command
  • Added Support for Install and Uninstall commands to egctl
  • Added Support for xRoute and xPolicy in egctl x status
  • Added Golang version to Envoy Gateway version command
  • Fixed egctl x status gatewayclass example message

Last modified September 7, 2024: bump to go1.22.7 (#4175) (69bf882)