Announcing Envoy Gateway v1.5

Envoy Gateway v1.5 release announcement.

We are excited to announce the release of Envoy Gateway v1.5.0.

This release delivers new capabilities across traffic management, security, extensibility, observability, and infrastructure — along with key bug fixes and performance improvements. We extend our thanks to the entire Envoy Gateway community for your ongoing contributions, feedback, and collaboration. Your efforts make each release possible.


What’s New

Envoy Gateway v1.5.0 introduces powerful enhancements, resolves critical issues, and lays the groundwork for upcoming changes in v1.6.


🚨 Breaking Changes

  • Gateway Namespace Mode Naming: Gateway name is now used as the proxy fleet name when running in gateway namespace mode.
  • Endpoint Removal Behavior: Endpoints absent from service discovery are removed even if their active health checks succeed.
  • xDS Listener Naming: Listeners are now named based on listening port and protocol instead of Gateway and section names.
    • This affects existing EnvoyPatchPolicies and ExtensionManagers.
    • Controlled by the XDSNameSchemeV2 runtime flag (disabled in v1.5, enabled in v1.6).
    • See the migration guide to prepare.
  • Metrics Label Change: Removed xds-translator and xds-server values from the runner label in watchable_subscribe_total; use xds instead.
  • ALS Access Loggers: ALS now has HTTP/2 enabled on the cluster by default.

🔒 Security Updates

  • Disabled automountServiceAccountToken for Proxy and RateLimit deployments and their ServiceAccounts.

✨ New Features

API & Traffic Management Enhancements

  • Added initialJitter option to BackendTrafficPolicy active health checks.
  • Option to bypass OIDC authentication and defer to JWT when the request includes Authorization: Bearer ....
  • Configure Subject Alternative Names (SANs) for upstream TLS validation via BackendTLSPolicy.validation.subjectAltNames.
  • Added local rate limit header support.
  • Added zone-aware routing configuration via BackendTrafficPolicy.
  • Added endpoint override policy based on request header.
  • Added rate limiting support for month and year periods.
  • Configure maxConnectionsToAcceptPerSocketEvent via ClientTrafficPolicy.
  • Configure cluster stat name for HTTPRoute and GRPCRoute in EnvoyProxy CRD.
  • Enhanced route rule support in SecurityPolicy targets.
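The SAN validation item above, shown as a complete BackendTLSPolicy. This is an added example, not a manifest from the release announcement or the Envoy Gateway project: the apiVersion and field names follow the upstream Gateway API BackendTLSPolicy schema (check them against the v1.5 documentation), and the resource names (backend-tls-example, payments-svc, payments-ca) and SAN values are constructed.

```yaml
# Added example (not from the release announcement): a Gateway API
# BackendTLSPolicy that verifies the upstream against a CA and additionally
# requires a specific SAN in the presented certificate. apiVersion and field
# names follow upstream Gateway API v1alpha3 (assumption: verify against the
# Envoy Gateway v1.5 docs); resource names and SAN values are constructed.
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: backend-tls-example
  namespace: default
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: payments-svc
  validation:
    # CA bundle used to verify the upstream certificate chain.
    caCertificateRefs:
      - group: ""
        kind: ConfigMap
        name: payments-ca
    # Hostname sent as SNI to the upstream.
    hostname: payments.internal.example
    # Require one of these SANs in the upstream certificate, so another
    # workload holding a certificate from the same CA is rejected.
    subjectAltNames:
      - type: Hostname
        hostname: payments.internal.example
      - type: URI
        uri: spiffe://example.org/ns/default/sa/payments
```

Pinning a SAN narrows trust from "any certificate this CA issued" to "a certificate issued for this identity", which matters when a shared internal CA signs certificates for many services; the URI form is the one to use for SPIFFE-style workload identities.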

Security Enhancements

  • Client certificate validation (SPKI, hash, SAN) in ClientTrafficPolicy.
  • Forward client ID header and sanitize API keys for API Key authentication in SecurityPolicy.
  • OIDC RP-initiated logout when end session endpoint is specified or discovered.
  • Configure SameSite attribute for OAuth cookies in OIDC authentication.
  • Support for ClusterTrustBundle as a CA.
  • Use Kubernetes Secret as the OIDC client ID source.
  • Allow SecurityPolicy and EnvoyExtensionPolicy to target ServiceImport via BackendRefs.

Extensibility

  • Added XDS metadata for clusters and endpoints from xRoutes and backend resources.
  • Support for extension server policies in PostTranslateModify hook.
  • Support for custom backendRefs via extension server using PostClusterModify hook.
  • Support for listeners and routes in PostTranslateModifyHook.
  • Validation strictness levels for Lua scripts in EnvoyExtensionPolicies.
  • Extended BackendTLSSettings support to all Backend types.

Infrastructure

  • Support for setting OwnerReferences to infra resources in gateway namespace mode.
  • Support for GatewayClass OwnerReferences in all other cases.
  • Configure deployment annotations via Helm chart.
  • Customize the name of the ServiceAccount used by the Proxy.
  • Configure hostname in active HTTP health checks.
  • Configure cache sync period for Kubernetes provider.
  • Fallback to first key when loading CA certificate from Secret or ConfigMap.
  • Configure user-provided names for generated HPA and PDB resources.
  • Added admin console with web UI for the Envoy Gateway admin server.

Observability

  • Added metric watchable_publish_total counting store events in watchable message queues.

🐞 Bug Fixes

  • Fixed WASM cache initialization failures affecting EnvoyExtensionPolicies without WASM filters.
  • Restored UDP listener creation when Gateway is created.
  • Retained ALPN configuration for listeners with overlapping certificates when explicitly set in ClientTrafficPolicy.
  • Fixed BackendTLSPolicy SAN type enum handling and namespace reference validation.
  • Fixed SAN overlap detection in listeners.
  • Fixed trailers not sent in ExtProc FullDuplexStreamed mode.
  • Fixed validation for ExtProc with failOpen=true and FullDuplexStreamed mode.
  • Added ConfigMap indexers for Lua change reconciliation in EnvoyExtensionPolicies.
  • Fixed default access log format not applying.
  • Fixed Redis rateLimit URL parsing with multiple comma-separated hosts.
  • Fixed DualStack NodePort Gateway addresses in status.
  • Allowed overriding Prometheus annotation in EnvoyProxy CRD.
  • Skipped invalid FailOpen configurations for ExtProc, Wasm, and ExtAuth.
  • Fixed policy status update failures with more than 16 ancestors.
  • Fixed race condition in watchable.Map Snapshot subscription.
  • Fixed listener drain caused by HTTPRoute with sessionPersistence.
  • Fixed deployment creation block when EnvoyProxy secret is missing.
  • Increased earlyRequestHeaders limit from 16 to 64.

🚀 Performance Improvements

  • Reduced xDS cluster DNS lookups.
  • Combined xds-translator and xds-server runners into a single xds runner, reducing memory usage by up to 25%.
  • Removed custom Equal functions for watchable types by pre-sorting Gateway API resources in the provider layer.

🛑 Deprecations

  • EnableProxyProtocol in ClientTrafficPolicy is deprecated; use ProxyProtocol instead.

We encourage all users to upgrade to v1.5.0 to take advantage of the new features, security improvements, and performance gains, and to prepare for the XDSNameSchemeV2 migration in v1.6. For full details, see the Release Notes and updated Documentation.