Announcing Envoy Gateway v1.3

We are thrilled to announce the arrival of Envoy Gateway v1.3.0.

This release represents a significant achievement, and we extend our heartfelt gratitude to the entire Envoy Gateway community for their contributions, dedication, and support. Your collaborative efforts have been instrumental in reaching this pivotal release.

Thank you for being an integral part of this journey. We are excited to see how Envoy Gateway v1.3.0 will empower your operations and look forward to continuing our work together to drive the future of Cloud Native API Gateway.

What’s New

The release adds a ton of features and functionality. Here are some highlights:

🚨 Breaking Changes

• Proxy Pod Template: The Container ports field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version.
• TLS Defaults: ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension.
• Default Passive Health Checks: Outlier detection (passive health check) is now disabled by default. Refer to BackendTrafficPolicy for working with passive health checks.
• Extension Manager Fails Closed: Envoy Gateway treats errors in calls to an extension service as fail-closed by default. Any error returned from the extension server will replace the affected resource with an “Internal Server Error” immediate response. The previous behavior can be enabled by setting the failOpen field to true in the extension service configuration.
• ClientTrafficPolicy Translation Failures: Envoy Gateway now return a 500 response when a ClientTrafficPolicy translation fails for HTTP/GRPC routes, and forwards client traffic to an empty cluster when a ClientTrafficPolicy translation fails for TCP routes.
• Envoy Proxy Reference Failures: Any issues with EnvoyProxy reference in a Gateway will prevent the Envoy fleet from being created or result in the deletion of an existing Envoy fleet.
• BackendTLSPolicy Translation Failures: Envoy Gateway now returns a 500 response when a BackendTLSPolicy translation fails for HTTP/GRPC/TLS routes.

✨ New Features

API & Traffic Management Enhancements

• Compression: Added support for Response Compression in BackendTrafficPolicy CRD.
• Route Order: Added support for preserving the user defined HTTPRoute match order in EnvoyProxy CRD.
• Rate Limiting with Cost: Added support for cost specifier in the rate limit BackendTrafficPolicy CRD.
• Gateway API 1.2 Retries: Added support for Retries (GEP-1731) in HTTPRoute CRD.
• Backend Routing: Added support for referencing Backend resources in RPCRoute, TCPRoute and UDPRoute CRDs.
• Response Override: Added support for status code override in BackendTrafficPolicy.

Security Enhancements

• Client IP Detection: Added support for trusted CIDRs in the ClientIPDetectionSettings of ClientTrafficPolicy CRD.
• API Key Authentication: Added support for API Key Authentication in the SecurityPolicy CRD.
• External Auth: Added support for sending body to Ext-Auth server in SecurityPolicy CRD.
• JWT Auth: Added support for configuring remote JWKS settings with BackendCluster in SecurityPolicy CRD.
• Backend TLS System Trust Store: Added support for dynamic reload of System WellKnownCACertificates in BackendTLSPolicy.
• Draining Endpoints: Continue using and drain endpoints during their graceful termination, as indicated by their respective EndpointConditions.

Observability & Tracing

• Trace Sampling: Added support for configuring tracing sampling rate with Fraction EnvoyProxy CRD.
• Static Metadata: Gateway API Route rule name is propagated to XDS metadata as sectionName.
• Envoy Gateway Panics: Added metrics and dashboards for Envoy Gateway panics in watchables.

Infra

• Proxy: Added support for patching HPA and PDB settings in EnvoyProxy CRD.
• Rate Limit: added support for HPA in EnvoyGateway configuration.

Extensibility

• External Processing Filter: Added support for Attributes, Dynamic Metadata and Processing Mode Override in EnvoyExtensionPolicy CRD.
• Wasm: Added support for injecting Host Env in EnvoyExtensionPolicy CRD.
• Extension Manager: Added support for configuring Max GRPC message size for the Extension Manager in EnvoyGateway configuration.

🐞 Bug Fixes

• Fixed a panic in the provider goroutine when the body in the direct response configuration was nil.
• Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes.
• Fixed failed to update SecurityPolicy resources with the backendRef field specified.
• Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname.
• Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn.
• Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s.
• Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs.
• Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected.
• Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined.
• Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration.
• Fixed traffic splitting not working when some backends were invalid.
• Fixed a nil pointer error that occurred when a SecurityPolicy referred to a UDS backend.
• Fixed an issue where the Gateway API translator did not use the TLS configuration from the BackendTLSPolicy when connecting to the OIDC provider’s well-known endpoint.
• Fixed a validation failure that occurred when multiple HTTPRoutes referred to the same extension filter.
• Fixed a nil pointer error caused by accessing the cookie TTL without verifying if it was valid.
• Fixed unexpected port number shifting in standalone mode.
• Fixed an issue where the shutdown-manager did not respect the security context of the container spec.
• Fixed readiness checks failing for single-stack IPv6 Envoy Gateway deployments on dual-stack clusters.
• Fixed IPv6 dual-stack support not working as intended.
• Fixed the ability to overwrite control plane certs with the certgen command by using a new command arg (-o).
• Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap.
• Fixed prometheus format conversion of ratelimit metrics for remote address.
• Fixed limitations that prevented creation of FQDN Endpoints with a single-character subdomain in [Backend].
• Fixed issue where SecurityContext of shutdown-manager container was not updated by overriding helm values.
• Fixed issue with incorrect IPFamily detection for backends.
• Fixed validation of interval values in Retry settings.

⚠️ Vulnerabilities

• Fixed CVE-2025-24030 which exposed the Envoy admin interface through the prometheus stats endpoint. Refer to Advisory.

⚙️ Other Notable Changes

• Envoy Upgrade: Now using Envoy v1.33.0.
• Ratelimit Upgrade: Now using Ratelimit 60d8e81b.
• Gateway API: Now using Gateway API v1.2.1
• Envoy Gateway Base Image: Modified the base container image to gcr.io/distroless/base-nossl:nonroot.
• K8s Version Matrix: Add support for Kubernetes 1.32.x in the test matrix, and remove support for Kubernetes 1.28.x.
• Go Control Plane: Now using v0.13.4.
• XDS Validations: Envoy Gateway validates additional resources before adding them to snapshot.
• Backend Routing: Increased the maximum amount of endpoints to 64 in Backend.