Tetrate Enterprise Gateway for EnvoyVersion: v1.4.xRelease Announcement TEG 1.4
Date: 10 June 2025
info
Please ensure you upgrade to version 1.4 by December 1st 2025.
New Feature Highlights
Envoy Gateway 1.4 introduces 34 new features spanning security, traffic management, and operations, along with 19 bug fixes improving stability and reliability.
Below is a list of highlights of new features in Envoy Gateway 1.4, which TEG is a FIPS verified distribution of.
Traffic Handling
- Enhanced Rate Limiting:
- Shared Global RateLimit buckets: Allows platform teams to add a common limit for a Gateway applicable for all traffic for all routes attached to it, preventing resource exhaustion
- Distinct Match support for Local Ratelimiting: Enables creating per user/client buckets with minimal config for fine-grained rate limiting policies
- Zone Aware Routing: Route requests to the closest upstream backend endpoint, reducing latency and cost - especially useful for large scale Kubernetes deployments
- Circuit Breaker Enhancements: New circuit breaker support for per-endpoint thresholds, allowing you to safeguard upstream endpoints more effectively
- Percentage-based Request Mirroring: Mirror a fraction of total application traffic to a separate backend for testing and analysis
- Lua-based EnvoyExtensionPolicy: Easily add custom Lua scripts to Envoy for implementing custom logic
- Dynamic Upstream Target Selection: Support for HTTP dynamic forward proxy when the upstream target isn't known ahead of time
Security Controls
- Finer-grained Authorization Rules: Support for HTTP method and header-based authorization via the
SecurityPolicyresource, enabling more precise access control - Upstream Credentials Injection: Support for injecting credentials from Kubernetes Secrets into request headers via
HTTPRouteFilter - Local JWKS Source: Support for local JWKS sources (inline or via ConfigMap) to validate JWT tokens, reducing external dependencies
- Enhanced Basic Authentication: Improved basic authentication capabilities with better credential management
Observability
- Tracing Improvements: Per-route tracing configuration in
BackendTrafficPolicyfor more granular observability - RequestID Header: Added RequestID header configuration via
ClientTrafficPolicyfor better request tracking - Backend API Support for Telemetry Backends: Connect to telemetry providers over Unix Domain Sockets, enabling more direct and efficient communication with observability tools
- Enhanced Extension Processing: Support for
FullDuplexedStreamedmode in External Processor filter - Extension Server Improvements: Support for Extension Server in standalone mode with retry support for Extension Service hooks
Management
- High Availability: Enhanced control over pod termination with
maxUnavailableinPodDisruptionBudget, ensuring zero-downtime during maintenance and updates - Selective CRD Installation: Added support for CRD installation via
gateway-crds-helmchart, allowing selective installation of Envoy Gateway CRDs and/or Gateway API CRDs fromstandardorexperimentalchannels - Helm Chart Improvements: HPA support, global registry configuration, and enhanced traffic distribution control
- Infrastructure Flexibility: Option to run infrastructure Envoy proxies in the Gateway namespace (experimental)
Upgrade Guidance
Be aware of breaking changes as you move to upgrade to 1.4 from 1.3.
Breaking Changes
Breaking Changes
- Envoy Readiness Port: A dedicated listener port (19003) is now used for Envoy proxy readiness.
- Access Log Format: The default access log now uses the Envoy JSON formatter instead of the plain text formatter.
- xDS Snapshot Behavior: Envoy Gateway now skips xDS snapshot updates if errors occur during xDS translation.
- Extension Manager Behavior:
- With
failOpen: true, translation errors are logged and suppressed. - With
failOpen: false, xDS updates are skipped for affected resources (no longer replaced).
- With
Manual Migration Steps from 1.3 to 1.4
1. Update Gateway-API and Envoy Gateway CRDs
helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.4.0 --untar
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated
2. Install Tetrate Enterprise Gateway v1.4.0
helm upgrade teg oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.4.0 -n envoy-gateway-system
Bug Fixes
- Traffic Splitting: Traffic splitting now works correctly when filters are attached to
backendRef - Header and Field Validation: Fixed handling and validation of headers, OpenTelemetry fields, and duplicated API keys
- Component Behavior: Stats compressor and overload manager behavior corrected
- Route Matching: Correct precedence in
HTTPRouteheader and query matching - TLS Handling: Fixed behavior of TLS inspector filters for UDP/QUIC
- Retry Behavior: Corrected
retryOnbehavior forBackendTrafficPolicy - HTTP/2 Optimization: Avoid HTTP/2 Connection Coalescing scenarios
Performance Improvements
- Wasm Optimization: Added cache for Wasm OCI image permission checks and pulled secrets asynchronously for better performance
Deprecations
- The
PreserveXRequestIDfield inClientTrafficPolicy.Spec.Headersis deprecated. Use the newRequestIDfield instead.
Other Notable Changes
- Updated to use
gateway-apiv1.3.0 for the latest Gateway API features and improvements
Deprecated Fields
- ClientTrafficPolicy: The
PreserveXRequestIDfield is deprecated in favor of the newRequestIDfield configuration
Summary
Envoy Gateway 1.4 delivers enhanced security, advanced traffic management, and streamlined operations for production environments.
Key Benefits:
- Enhanced security with granular authorization controls
- Improved performance through zone-aware routing and advanced rate limiting
- Better operations with high availability features and simplified management
- Enhanced observability with improved tracing and monitoring
Upgrade to v1.4.0 to leverage these improvements. See official release notes for complete details.