Announcing Envoy Gateway v1.7
Envoy Gateway v1.7 release announcement.
We are excited to announce the release of Envoy Gateway v1.7.0.
This release delivers new capabilities across traffic management, security, extensibility, observability, and infrastructure — along with key bug fixes and performance improvements. We extend our thanks to the entire Envoy Gateway community for your ongoing contributions, feedback, and collaboration. Your efforts make each release possible.
| Release Notes | Docs | Compatibility Matrix | Install |
|---|---|---|---|
What’s New
Envoy Gateway v1.7.0 introduces powerful enhancements, resolves critical issues, and continues to improve the platform’s reliability and performance.
🚨 Breaking Changes
- **SecurityPolicy OAuth2 filter metrics**: the SecurityPolicy name is now part of the stat prefix for oauth2 filter metrics, giving per-policy granularity. Example: `http.https-10443.securitypolicy/default/oidc-example.oauth_success: 0`. Dashboards and alerts that match on the old prefix need to be updated.
- **Invalid filters**: HTTPRoute and GRPCRoute rules that carry invalid filters now return a 500 direct response.
- **HTTPRoute host rewrite with a Dynamic Resolver backend**: when a rule has a host-rewrite filter and routes to a Dynamic Resolver backend, the rewritten Host header is used both for DNS resolution and as the Host header of the upstream request.
- **HTTPRoute RequestMirror filter status**: an HTTPRoute's Accepted condition is set to False when a RequestMirror filter is combined with a DirectResponse or RequestRedirect filter.
- **Accept-Encoding header removed**: the Accept-Encoding header is stripped from requests to backends when compression is enabled, to avoid double compression.
- **stats_tags default changed**: the default value of `stats_tags` has been changed to improve the Prometheus metrics output. The following metrics are affected: `envoy_cluster_*_rq_time_count`, `envoy_cluster_*_total_match_count`, `envoy_cluster_circuit_breakers_*_cx_open`.
- **HTTP filter ordering**: the default HTTP filter ordering now places `envoy.filters.http.custom_response` first in the chain, which can change the behavior of local replies and header processing.
🔒 Security Updates
- Restricted access to critical system resources from Lua scripts run through EnvoyExtensionPolicy in the gateway controller, with safe defaults and resource limits for the Lua runtime. Lua can also be disabled entirely in extension policies.
✨ New Features
API & Traffic Management Enhancements
- Added support for weight in BackendRef API to enable traffic splitting for non-x-route resources.
- Added support for removing headers based on matching criteria (Exact, Prefix, Suffix, RegularExpression) in ClientTrafficPolicy EarlyRequestHeaders and LateResponseHeaders.
- Added support for Global rate limit shadow mode.
- Added support for URLRewrite filter on individual backendRefs.
- Added support for configuring minimum response size for compression via minContentLength field in BackendTrafficPolicy.
- Added cookie matching support to HTTPRouteFilter matches, combined with HTTPRoute rule matches.
- Added support for addIfAbsent header action in ClientTrafficPolicy EarlyRequestHeaders and LateResponseHeaders to add headers only when they don’t already exist.
Infrastructure
- Added support for priorityClassName in KubernetesPodSpec for Envoy Proxy pods.
- Set warning status condition for deprecated fields in xPolicy CRDs.
- Added support for updating initial_fetch_timeout in the bootstrap configuration.
- Set default initial_fetch_timeout to 0s.
- Added support for the experimental XListenerSet API, allowing listeners to be defined in a separate resource and attached to a Gateway. This feature is disabled by default and can be enabled by setting the ‘XListenerSet’ flag in the EnvoyGateway configuration. Supported route types: HTTPRoute (HTTP/HTTPS), GRPCRoute, TLSRoute, TCPRoute, and UDPRoute. Note: XListenerSet as a TargetRef for xPolicies is not yet supported.
Observability
- Added support for custom headers on OTLP exports (metrics, tracing, access logs).
- Added support for custom span name.
- Added support for TLS telemetry gRPC backends.
- Added support for tracing tags that use Envoy string command operators such as `%ENVIRONMENT(...)%`.
- Added support for resource attributes on OTLP metrics and tracing sinks via the resources field.
- Added support for specifying both text (body) and attributes in access log format by making the type field optional.
🐞 Bug Fixes
- Fixed configured OIDC authorization endpoint being overridden by discovered endpoints from issuer’s well-known URL.
- Fixed 500 errors caused by partially invalid BackendRefs; traffic is now correctly routed between valid backends and 500 responses according to their configured weights.
- Fixed an issue where BackendTrafficPolicy does not validate maximum value of requestBuffer limit.
- Fixed an issue where observedGeneration is missing from the EnvoyPatchPolicy status.
- Fixed a nil pointer error when applying BackendTrafficPolicy to HTTPRoutes with no backendRefs.
- Fixed ExternalTrafficPolicy not being applied to Envoy Service when ServiceType is NodePort.
- Fixed CRL ref not processed by gateway controller.
- Fixed an issue where HTTP/3 listeners could not handle multiple hostnames.
- Fixed the gateway continuing with incomplete resources after an unrecoverable Kubernetes discovery error while checking for optional CRDs; the controller now fails fast and propagates the error so the pod restarts instead of silently skipping the optional CRDs.
- Fixed an issue where listener translation fails when it contains invalid certificate in multiple TLS certificateRefs.
- Fixed an issue where auto-detect upstream protocol breaks with multiple backends (HTTP + HTTPS).
- Fixed validation of certificates in a CA bundle when some certificates are invalid.
- Fixed an issue where route match rule order is wrong when merging with empty path match.
- Fixed wrong cluster type selection when an HTTPRoute mixes Service backends with Backend (FQDN) references, ensuring STRICT_DNS clusters are generated for the FQDN targets.
- Fixed JWT scope authorization to accept the `scp` claim in addition to `scope`.
- Fixed SecurityPolicy BasicAuth validation to reject invalid `{SHA}` htpasswd entries.
- Allowed single-label backend hostnames when running with the Host infrastructure, enabling Docker Compose service names for telemetry backends.
- Fixed an issue where message package didn’t adopt logging level.
- Fixed issue with controller pods reporting as ready before successful cache sync.
- Fixed issue where TCPRoute was not correctly handling mTLS settings.
- Fixed validation of XListenerSet certificateRefs.
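The scope fix in the list above is about where a token's granted scopes are read from. As an added example (not Envoy Gateway's own code), the Python below contrasts a reader that only honours the RFC 8693 `scope` string with one that also accepts `scp`, which some issuers emit as a JSON array and others as a space-delimited string. The claim dictionaries are constructed for the example and represent already-verified JWT payloads; the all-of rule for required scopes is this example's assumption, not a statement about how Envoy Gateway evaluates `scopes`.

```python
"""Scope authorization that honours both the 'scope' and 'scp' claims."""
from typing import Callable, Iterable, Mapping


def legacy_token_scopes(claims: Mapping) -> frozenset[str]:
    """Pre-fix behaviour for comparison: only the RFC 8693 'scope' string is read."""
    value = claims.get("scope")
    return frozenset(value.split()) if isinstance(value, str) else frozenset()


def token_scopes(claims: Mapping) -> frozenset[str]:
    """Collect granted scopes from 'scope' and 'scp'.

    'scope' is a space-delimited string (RFC 8693 section 4.2). Some issuers put
    the same information in 'scp', either as a JSON array of strings or as a
    space-delimited string; both shapes are accepted. Anything else (numbers,
    nested objects) is ignored rather than guessed at, so a malformed claim can
    only remove privileges, never grant them.
    """
    granted: set[str] = set()
    for name in ("scope", "scp"):
        value = claims.get(name)
        if isinstance(value, str):
            granted.update(value.split())
        elif isinstance(value, list):
            granted.update(s for s in value if isinstance(s, str))
    return frozenset(granted)


def authorize(claims: Mapping, required: Iterable[str],
              scopes_of: Callable[[Mapping], frozenset[str]] = token_scopes) -> bool:
    """Allow only when every required scope is granted (all-of; this example's rule)."""
    needed = set(required)
    return needed <= scopes_of(claims)


# Constructed sample claim sets (decoded JWT payloads; signature checks happen upstream).
RFC_STYLE = {"sub": "alice", "scope": "orders:read orders:write"}
ARRAY_SCP = {"sub": "bob", "scp": ["orders:read", "orders:write"]}
STRING_SCP = {"sub": "carol", "scp": "orders:read"}
NO_SCOPES = {"sub": "dave"}
MALFORMED = {"sub": "eve", "scp": {"orders:read": True}}   # wrong type: grants nothing

if __name__ == "__main__":
    for claims in (RFC_STYLE, ARRAY_SCP, STRING_SCP, NO_SCOPES, MALFORMED):
        print(claims["sub"],
              "legacy:", authorize(claims, ["orders:read"], legacy_token_scopes),
              "fixed:", authorize(claims, ["orders:read"]))
```

With the legacy reader, bob's token (scopes only in `scp`) is denied even though it carries the right permission; the fixed reader accepts it. The failure mode is fail-closed, so the bug surfaced as spurious 403s rather than as an authorization bypass, which is also why a reader should never widen the accepted shapes beyond strings and arrays of strings.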
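The BasicAuth fix in the list above rejects malformed `{SHA}` htpasswd entries. As an added illustration, not code from the project, here is a strict htpasswd loader in Python that accepts a `{SHA}` entry only when its payload is valid base64 of a 20-byte SHA-1 digest, reports every bad line instead of stopping at the first, refuses the whole file if any line is bad, and verifies passwords in constant time. The sample file contents are constructed for the example; bcrypt and apr1 entries are reported as unsupported by this loader rather than silently accepted.

```python
"""Strict htpasswd loader for {SHA} entries (base64 of a raw SHA-1 digest)."""
import base64
import binascii
import hashlib
import hmac
import re

SHA_PREFIX = "{SHA}"
SHA1_DIGEST_LEN = 20          # raw SHA-1 digest size; base64 of it is 28 chars
_USER_RE = re.compile(r"^[^:\s]+$")


class HtpasswdError(ValueError):
    """A malformed htpasswd line."""


def parse_sha_entry(line: str) -> tuple[str, bytes]:
    """Parse one 'user:{SHA}<base64>' line into (user, raw_digest).

    Rejects a missing separator, a bad user name, non-{SHA} schemes,
    payloads that are not base64, and payloads that are not exactly 20 bytes.
    """
    if ":" not in line:
        raise HtpasswdError("missing ':' separator")
    user, cred = line.split(":", 1)
    if not _USER_RE.match(user):
        raise HtpasswdError(f"invalid user name {user!r}")
    if not cred.startswith(SHA_PREFIX):
        raise HtpasswdError(f"{user}: unsupported hash scheme (only {SHA_PREFIX} handled here)")
    payload = cred[len(SHA_PREFIX):]
    try:
        # validate=True turns non-alphabet characters into an error instead of skipping them
        digest = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise HtpasswdError(f"{user}: {SHA_PREFIX} value is not valid base64") from exc
    if len(digest) != SHA1_DIGEST_LEN:
        raise HtpasswdError(
            f"{user}: {SHA_PREFIX} digest is {len(digest)} bytes, expected {SHA1_DIGEST_LEN}")
    return user, digest


def _entries(text: str):
    """Yield (lineno, line) for non-empty, non-comment lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def lint_htpasswd(text: str) -> list[str]:
    """Return one message per bad line (an empty list means the file is clean)."""
    problems: list[str] = []
    seen: set[str] = set()
    for lineno, line in _entries(text):
        try:
            user, _ = parse_sha_entry(line)
        except HtpasswdError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if user in seen:
            problems.append(f"line {lineno}: duplicate user {user!r}")
        seen.add(user)
    return problems


def load_htpasswd(text: str) -> dict[str, bytes]:
    """Strict loader: refuse the whole file if any entry is malformed."""
    problems = lint_htpasswd(text)
    if problems:
        raise HtpasswdError("; ".join(problems))
    return dict(parse_sha_entry(line) for _, line in _entries(text))


def check_password(users: dict[str, bytes], user: str, password: str) -> bool:
    """Constant-time comparison against the stored digest; unknown users fail."""
    expected = users.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), expected)


def make_sha_entry(user: str, password: str) -> str:
    """Build a well-formed {SHA} line, the same shape `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{SHA_PREFIX}{base64.b64encode(digest).decode()}"


# Constructed sample files for this example (not taken from the page).
GOOD_FILE = "\n".join([
    "# users for the demo gateway",
    make_sha_entry("alice", "s3cret"),
])
BAD_FILE = "\n".join([
    make_sha_entry("alice", "s3cret"),
    "bob:{SHA}c2hvcnQ=",        # decodes to 5 bytes, not a SHA-1 digest
    "carol:{SHA}not*base64!",   # not base64 at all
    "dave:$2y$10$abc",          # bcrypt: not handled by this loader
])

if __name__ == "__main__":
    users = load_htpasswd(GOOD_FILE)
    print("alice/s3cret ->", check_password(users, "alice", "s3cret"))
    for msg in lint_htpasswd(BAD_FILE):
        print("rejected:", msg)
```

Refusing the whole file rather than dropping the bad lines is deliberate: a silently skipped entry turns into an unexplained 401 for that user in production, while a rejected Secret shows up at configuration time. Keep in mind that `{SHA}` is an unsalted SHA-1 digest, so a leaked htpasswd Secret is trivial to crack offline; treat the Secret itself as a credential.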
🚀 Performance Improvements
- Included only needed keys in Secret and ConfigMap data to reduce memory usage.
- Converted IR map fields to slices to ensure deterministic DeepEqual comparisons.
🛑 Deprecations
- The OpenTelemetry access log `resources` field is deprecated; use `resourceAttributes` instead.
📝 Other Changes
- Added a scheme field to ClientTrafficPolicy that rewrites the scheme header to match the backend transport protocol, allowing gateways with HTTP listeners to proxy to HTTPS services without protocol errors.
📝 Upgrade Notes
- We encourage all users to upgrade to v1.7.0 to take advantage of the new features, security improvements, and performance gains. For full details, see the Release Notes and updated Documentation.
- See the upgrade guides for Helm and YAML installs for the full procedure. Note that CRDs must be upgraded before the gateway controller.