v1.2.6

Release Announcement

Check out the v1.2.6 release announcement to learn more about the release.

Security updates

• Fixed vulnerability CVE-2025-24030, which exposed the Envoy admin interface via the Prometheus stats endpoint. For more details, refer to GHSA-j777-63hf-hx76.

Bug fixes

• Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap.

What's Changed

• fix panic when updating the envoy-gateway-config configMap (#5066) by @zhaohuabing in #5115
• Merge commit from fork by @guydc
• [release/v1.2] v1.2.6 release note (#5128) by @zhaohuabing in #5129

Full Changelog: v1.2.5...v1.2.6

latest

This is the "latest" release of Envoy Gateway, which contains the most recent commits from the main branch.

This release might not be stable.

It is only intended for developers wishing to try out the latest features in Envoy Gateway, some of which may not be fully implemented.

We use v0.0.0-latest as the latest chart version to install latest envoy-gateway:

helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace

Try latest version of egctl with:

curl -Ls https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash

v1.2.5

Release Announcement

Check out the v1.2.5 release announcement to learn more about the release.

Bug fixes

• Fixed a nil pointer error that occurred when a SecurityPolicy referred to a UDS backend.
• Fixed an issue where the Gateway API translator did not use the TLS configuration from the BackendTLSPolicy when connecting to the OIDC provider’s well-known endpoint.
• Fixed a validation failure that occurred when multiple HTTPRoutes referred to the same extension filter.
• Fixed a nil pointer error caused by accessing the cookie TTL without verifying if it was valid.
• Fixed unexpected port number shifting in standalone mode.
• Fixed an issue where the shutdown-manager did not respect the security context of the container spec.
• Fixed readiness checks failing for single-stack IPv6 Envoy Gateway deployments on dual-stack clusters.
• Fixed IPv6 dual-stack support not working as intended.

Other changes

• Bumped Envoy to version 1.32.3.

What's Changed

• [release/v1.2] Bump envoy v1.32.3 by @zhaohuabing in #4948
• [release/v1.2] cherry pick for v1.2.5 by @zhaohuabing in #5029
• [release/v1.2] v1.2.5 release note (#5049) by @zhaohuabing in #5053

Full Changelog: v1.2.4...v1.2.5

v1.2.4

Release Announcement

Check out the v1.2.4 release announcement to learn more about the release.

Bug fixes

• Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs.
• Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected.
• Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined.
• Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration.
• Fixed traffic splitting not working when some backends were invalid.

Other changes

• Bumped Envoy to version 1.32.2.

What's Changed

• [release/v1.2] Bump envoy to v1.32.2 by @zhaohuabing in #4871
• [release/v1.2] Add registry for envoy proxy image by @arkodg in #4886
• [release/v1.2] cherry pick v1.2.4 by @zhaohuabing in #4913
• [release/v1.2] cherry pick v1.2.4 release note by @zhaohuabing in #4916

Full Changelog: v1.2.3...v1.2.4

v1.1.4

Release Announcement

Check out the v1.1.4 release announcement to learn more about the release.

Bug fixes

• Fixed validate proto messages before converting them to anypb.Any
• Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work
• Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes
• Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn
• Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected
• Fixed BackendTrafficPolicy not applying to Gateway Route when Route has a Request Timeout defined

Other changes

• Bumped Rate Limit to 49af5cca
• Bumped golang.org/x/crypto to 0.31.0

What's Changed

• [release/v1.1] fix: validate proto messages before converting them to anypb.Any (#4499) by @zhaohuabing in #4558
• [release/v1.1] Bump ratelimit to 49af5cca by @arkodg in #4752
• [release/v1.1] dont run docs workflows on release branches (#4755) by @arkodg in #4759
• [release/v1.1] v1.1.4 cherry pick by @guydc in #4789
• [release/v1.1] Release v1.1.4 by @guydc in #4800
• [release/v1.1] cherry-pick for v1.1.4 by @guydc in #4897
• [release/v1.1] release: v1.1.4 (#4899) by @guydc in #4907

Full Changelog: v1.1.3...v1.1.4

v1.2.3

Release Announcement

Check out the v1.2.3 release announcement to learn more about the release.

Bug fixes

• Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s.
• Used a waitGroup instead of an enabled channel in the status updater.

Other changes

• EG Listens on IPv4 by default, but if IPFamily is set to IPv6 or DualStack, it listens on :: and enables ipv4_compat for DualStack.
• Bumped Gateway API to v1.2.1.

What's Changed

• [release/v1.2] Cherry pick v1.2.3 by @zhaohuabing in #4810
• [release/v1.2] Bump to Gateway API v1.2.1 by @arkodg in #4815
• [release/v1.2] Cherry pick IPv6 support to v1.2.3 by @zhaohuabing in #4819
• [release/v1.2] cherry pick release note for v1.2.3 (#4820) by @zhaohuabing in #4824

Full Changelog: v1.2.2...v1.2.3

v1.2.2

Release Announcement

Check out the v1.2.2 release announcement to learn more about the release.

Bug fixes

• Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes.
• Fixed failed to update SecurityPolicy resources with the backendRef field specified.
• Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname.
• Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn.

Other changes

• Bump the RateLimit image to 49af5cca.
• Always use :: and IPv4Compact enabled on dynamic listeners.
• Use V4_PREFERRED instead of V4_ONLY by default for the cluster's DnsLookupFamily.

What's Changed

• [release/v1.2] Bump ratelimit image 49af5cca by @arkodg in #4749
• [release/v1.2] dont run docs workflows on release branches (#4755) by @arkodg in #4760
• [release/v1.2] cherry pick bug fixes and IPv6 to v1.2.2 by @zhaohuabing in #4765
• v1.2.2 release note (#4788) by @zhaohuabing in #4797
• [release/v1.2] fix gen-check by @zhaohuabing in #4799

Full Changelog: v1.2.1...v1.2.2

v1.2.1

Release Announcement

Check out the v1.2.1 release announcement to learn more about the release.

Bug fixes

• Fixed a panic in the provider goroutine when the body in the direct response configuration was nil.

What's Changed

• [release/v1.2] fix panic in provider when the direct response body is nil (#4647) by @arkodg in #4654
• [release/v1.2] Cherry-pick release note and version bump by @arkodg in #4657
• [release/v1.2] fix lint by @arkodg in #4659

Full Changelog: v1.2.0...v1.2.1

v1.2.0

Envoy Gateway v1.2.0 Release Notes

Release Date: November 6, 2024

The Envoy Gateway v1.2.0 release brings a host of new features, performance improvements, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below.

---

🚨 Breaking Changes

• Gateway API Updates: Removed support for the v1alpha2 versions for GRPCRoute and ReferenceGrant. See the Gateway API v1.2.0 documentation for details.
• CPU Limits: Removed default CPU limit for Envoy Gateway deployment to avoid throttling.
• Envoy Shutdown Settings: Drain strategy set to immediate, with default values as follows:
  • minDrainDuration: 10s
  • drainTimeout: 60s
  • terminationGracePeriodSeconds: 360s
• Endpoint Health On Host Removal: Enabled ignore_health_on_host_removal for clusters with static endpoints to allow faster removal of endpoints that have been deleted by the control plane, without waiting for the results of an active health check.
• Logging Level Adjustment: Set xDS and Infra IR logs to Debug level instead of Info, so they will no longer appear in Envoy Gateway logs by default. You can change the logging level to debug to view them.

---

✨ New Features

API & Traffic Management Enhancements

• Gateway-API v1.2.0 Support: Fully compatible with the latest Gateway-API standards.
• IPv4/IPv6 Dual Stack: Now available for EnvoyProxy fleet and BackendRef resources.
• Standalone Mode: Experimental support for Envoy Gateway standalone (host deployment) mode.
• Response Override: Added support for Response Override and RequestTimeout in BackendTrafficPolicy.
• Active Passive Failover: Supported with the new fallback field in the Backend API.
• Session Persistence in HTTPRoute: Session persistence is supported in HTTPRoute rules for stateful traffic management.
• HTTPRouteFilter: Adds support for Direct Response and Path Regex Rewrites in HTTPRouteFilter

Security Enhancements

• JWT Claims-Based Authorization: Advanced security control with claims-based policies in SecurityPolicy.
• CORS Wildcard Matching: Wildcard matching for AllowMethods and AllowHeaders settings.
• OIDC Flow Support: Added nonce support for OIDC authorization.

Observability & Tracing

• Datadog Tracing Integration: Improved support for Datadog tracing in EnvoyProxy CRD.
• Listener Access Logs: Adds support for configuring Listener level Access Logs for EnvoyProxy.
• Native Prometheus Metrics: Introduced a Prometheus metrics endpoint for rate limit monitoring.

Helm Customization

• SecurityContext Options: Customizable security context for improved deployment.
• NodeSelector and PriorityClassName: Added for more granular deployment configuration.

---

🐞 Bug Fixes

• Fixed xDS translation failure when the WASM HTTP code source was configured without an SHA.
• Resolved unsupported listener protocol types causing errors in Gateway status updates.
• Fixed BackendTLSPolicy causing crashes due to invalid sectionName in Backend configurations.
• Fixed propagation delays in SecurityPolicy updates for HTTPRoute when using targetSelectors.
• Improved JSONPath to JSONPatch translation accuracy.
• Fixed unwanted / appearing in paths when using prefix rewrites.
• Corrected nil pointer errors when configuring hash load balancing.
• Fixed active health check issues where expectedStatuses was not functioning properly.
• Ensured correct status updates for Backend resources and HTTPRoute.

---

🚀 Performance Improvements

• Memory Optimization: Enhanced memory usage by eliminating redundant resource storage.

---

⚙️ Other Notable Changes

• Envoy Upgrade: Now using Envoy v1.32.1 for added stability and performance.
• Optional Alpha CRD Watching: Allows Envoy Gateway to run with older Gateway API versions.

For more information and full API documentation, please visit the Envoy Gateway Documentation.

---

This release strengthens Envoy Gateway with enhanced API support, security policies, and observability features to better serve high-demand environments.

What's Changed

• fix quickstart link in helm chart by @zhaohuabing in #3793
• fix release note file name by @guydc in #3792
• build(deps): bump golang.org/x/sys from 0.21.0 to 0.22.0 by @dependabot in #3780
• build(deps): bump distroless/static from e9ac71e to 8dd8d3c in /tools/docker/envoy-gateway by @dependabot in #3778
• build(deps): bump fortio.org/log from 1.12.2 to 1.14.0 by @dependabot in #3782
• build(deps): bump google.golang.org/grpc from 1.64.0 to 1.65.0 by @dependabot in #3783
• docs: move release-notes out of version by @zirain in #3765
• ci: update cherry-pick v1.1.0 by @guydc in #3803
• doc: how to build a wasm image by @zhaohuabing in #3806
• Use Wasm instead of WASM by @mathetake in #3812
• docs: generate v1.1.0-rc.1 release note by @Xunzhuo in #3794
• chore: release-notes-docs be part of generate by @zirain in #3815
• fix: enable client timeout test by @guydc in #3811
• chore: add benchmark report into release artifacts by @shawnh2 in #3756
• docs: fix grafana link by @zirain in #3818
• e2e: make sure ALS server is ready by @zirain in #3816
• Revert "docs: fix grafana link" by @zirain in #3822
• feat: support target selectors on Envoy Gateway Extension Server policies by @liorokman in #3800
• docs: updating the documentation for Extension Servers and adding an example extension server by @liorokman in #3788
• docs for ip allowlist/denylist by @zhaohuabing in #3784
• docs: gRPC Access Log Service (ALS) sink by @zirain in #3768
• docs: update v1.1.0-rc.1 release notes by @guydc in #3821
• docs: add task for wasm extensions by @zhaohuabing in #3796
• community: promote shawnh2 to maintainer and move qicz to emeritus by @Xunzhuo in #3760
• chore: report a translate error to errChan to make it observed correctly by @sanposhiho in #3827
• chore: upgrade to golang v1.22.5 by @sanposhiho in #3829
• chore: add make lint.fix-golint to address auto fixable lint issues by @sanposhiho in #3828
• docs: patch field within EnvoyService by @shawnh2 in #3820
• accesslog: remove ALS gRPC initialMetadata by @zirain in #3751
• docs: add fixed links to the current version of eg docs by @zhaohuabing in #3819
• fix: backendtls minversion by @guydc in #3835
• fix: enable use-client-protocol test by @guydc in #3825
• fix: backendtls client cert by @guydc in #3839
• fix: prevent xdsIR updates from overwriting RateLimit configs from other xdsIR by @sanposhiho in #3771
• docs: use v[x.y] instead of v[x.y.z] by @zirain in #3836
• e2e: fix basic auth flaky by @zirain in #3833
• design: add wasm extension supports OCI image code source by @zhaohuabing in #3313
• fix: enable upgrade test by @guydc in #3764
• chore: go mod tidy by @zirain in #3842
• fix flaky authorization tests by @zhaohuabing in #3844
• build(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in #3849
• build(deps): bump fortio.org/fortio from 1.65.0 to 1.66.0 by @dependabot in #3848
• build(deps): bump helm.sh/helm/v3 from 3.15.2 to 3.15.3 by @dependabot in #3850
• chore: move UDP test resources out of the base by @zhaohuabing in #3857
• chore: replace targetRef with targetRefs in e2e by @shawnh2 in #3858
• docs: Remove...

v1.1.3

Release Announcement

Check out the v1.1.3 release announcement to learn more about the release.

Breaking changes

New features

Bug fixes

• Fixed unsupported listener protocol type causing an error while updating Gateway Status
• Fixed some status updates were being discarded by the status updater
• Fixed error level logging for admin and metrics modules
• Fixed Dashboard typos
• Fixed Ratelimit Deployment ignoring pod labels and annotation merge
• Fixed the API Server receives unnecessary requests
• Fixed set invalid Listener.SupportedKinds to empty list
• Fixed losing timeout settings that originate from the route when translating the backend traffic policy
• Fixed xds translation failure when wasm http code source configured without sha

Performance improvements

Other changes

• Bumped Envoy proxy to 1.31.3
• Bumped github.com/docker/docker to 27.3.1+incompatible

What's Changed

• [release/v1.1] fix: don't lose timeout settings that originate from the route when t… by @zhaohuabing in #4450
• [release/v1.1] Fix: xds translation failed when wasm http code source configured wit… by @zhaohuabing in #4557
• Release v1.1.3 cherry-pick by @guydc in #4578
• [release/v1.1] bump envoy by @guydc in #4596
• [release/v1.1] Release/v1.1.3 by @guydc in #4613

Full Changelog: v1.1.2...v1.1.3