Release Announcement TEG 1.5

Date: August 22, 2025

Info: Please ensure you upgrade to version 1.5.0 by March 1, 2026.

New Feature Highlights

Envoy Gateway 1.5 introduces significant enhancements spanning security, traffic management, and operations, along with comprehensive bug fixes improving stability and reliability.

Below are the highlights of the new features in Envoy Gateway 1.5.0, of which TEG is a FIPS-verified distribution.

Traffic Handling

  • Enhanced Health Check Configuration: Added initialJitter option to BackendTrafficPolicy active health checks, providing better distribution of health check requests to prevent thundering herd scenarios
  • Advanced Zone-Aware Routing: Enhanced zone-aware routing configuration via BackendTrafficPolicy, enabling intelligent traffic distribution based on geographic proximity for reduced latency
  • Dynamic Endpoint Override: Added endpoint override policy based on request header, allowing dynamic routing decisions based on request context
  • Extended Rate Limiting Periods: Added rate limiting support for month and year periods, enabling long-term traffic control policies for subscription-based services
  • Connection Management: Configure maxConnectionsToAcceptPerSocketEvent via ClientTrafficPolicy for fine-tuned connection handling and performance optimization
  • Enhanced Route Statistics: Configure cluster stat name for HTTPRoute and GRPCRoute in EnvoyProxy CRD for better observability and monitoring
  • Flexible Security Targeting: Enhanced route rule support in SecurityPolicy targets, providing more granular security policy application
  • Local Rate Limit Headers: Added local rate limit header support for better client-side rate limit awareness

Security Controls

  • Coraza WAF Integration: Configure Coraza WAF via new ExtendedSecurityPolicy CRD for Kubernetes-native configuration experience, providing enterprise-grade web application firewall capabilities
  • Enhanced WAF Performance: Improved Coraza WAF integration with lower latency and dynamic loading of WAF configurations, ensuring minimal impact on request processing
  • Advanced Client Certificate Validation: Client certificate validation (SPKI, hash, SAN) in ClientTrafficPolicy for enhanced mutual TLS authentication
  • API Key Management: Forward client ID header and sanitize API keys for API Key authentication in SecurityPolicy, improving API security and audit capabilities
  • OIDC Logout Support: OIDC RP-initiated logout when end session endpoint is specified or discovered, enabling proper session termination
  • Cookie Security: Configure SameSite attribute for OAuth cookies in OIDC authentication for enhanced security against CSRF attacks
  • Certificate Authority Support: Support for ClusterTrustBundle as a CA, enabling centralized certificate management
  • Secret-based OIDC Configuration: Use Kubernetes Secret as the OIDC client ID source for secure credential management
  • Flexible Authentication: Option to bypass OIDC authentication and defer to JWT when the request includes Authorization: Bearer ... for hybrid authentication scenarios
  • TLS Validation Enhancement: Configure Subject Alternative Names (SANs) for upstream TLS validation via BackendTLSPolicy.validation.subjectAltNames

Observability

  • Enhanced Metrics: Added metric watchable_publish_total counting store events in watchable message queues for better system monitoring
  • Admin Console: Added admin console with web UI for the Envoy Gateway admin server, providing intuitive management and debugging capabilities
  • Health Check Monitoring: Configure hostname in active HTTP health checks for more accurate upstream health validation

Management

  • Resource Ownership: Support for setting OwnerReferences to infra resources in gateway namespace mode and GatewayClass OwnerReferences in all other cases for better resource lifecycle management
  • Deployment Customization: Configure deployment annotations via Helm chart and customize the name of the ServiceAccount used by the Proxy for enhanced deployment flexibility
  • Performance Tuning: Configure cache sync period for Kubernetes provider for optimized resource synchronization
  • Certificate Management: Fallback to first key when loading CA certificate from Secret or ConfigMap for improved reliability
  • Resource Naming: Configure user-provided names for generated HPA and PDB resources for better resource organization
  • TLS Settings Extension: Extended BackendTLSSettings support to all Backend types for comprehensive TLS configuration
  • Manage Resources with Helm: You can now configure and manage TEG resources with Helm using the teg-resources-helm chart.
  • teg-manager Pod Security Control: Configure the Pod SecurityContext for teg-manager via Helm chart.

Performance Improvements

  • DNS Optimization: Reduced xDS cluster DNS lookups for improved network efficiency
  • Memory Optimization: Combined xds-translator and xds-server runners into a single xds runner, reducing memory usage by up to 25%
  • Resource Processing: Removed custom Equal functions for watchable types by pre-sorting Gateway API resources in the provider layer for faster comparisons

Deprecations

  • ClientTrafficPolicy: The EnableProxyProtocol field is deprecated in favor of the new ProxyProtocol field. Use ProxyProtocol instead.

Other Notable Changes

  • Disabled automountServiceAccountToken for Proxy and RateLimit deployments and their ServiceAccounts for enhanced security
  • Added XDS metadata for clusters and endpoints from xRoutes and backend resources
  • Support for extension server policies in PostTranslateModify hook
  • Support for custom backendRefs via extension server using PostClusterModify hook
  • Support for listeners and routes in PostTranslateModifyHook
  • Validation strictness levels for Lua scripts in EnvoyExtensionPolicies
  • Allow SecurityPolicy and EnvoyExtensionPolicy to target ServiceImport via BackendRefs

Bug Fixes

  • Extension Policy Stability: Fixed WASM cache initialization failures affecting EnvoyExtensionPolicies without WASM filters
  • Protocol Support: Restored UDP listener creation when Gateway is created
  • TLS Configuration: Retained ALPN configuration for listeners with overlapping certificates when explicitly set in ClientTrafficPolicy
  • Backend TLS Validation: Fixed BackendTLSPolicy SAN type enum handling and namespace reference validation
  • Listener Management: Fixed SAN overlap detection in listeners
  • External Processing: Fixed trailers not sent in ExtProc FullDuplexStreamed mode and validation for ExtProc with failOpen=true
  • Configuration Reconciliation: Added ConfigMap indexers for Lua change reconciliation in EnvoyExtensionPolicies
  • Access Logging: Fixed default access log format not applying correctly
  • Rate Limiting: Fixed Redis rateLimit URL parsing with multiple comma-separated hosts
  • Network Configuration: Fixed DualStack NodePort Gateway addresses in status reporting
  • Monitoring Integration: Allowed overriding Prometheus annotation in EnvoyProxy CRD
  • Policy Management: Skipped invalid FailOpen configurations for ExtProc, Wasm, and ExtAuth
  • Status Reporting: Fixed policy status update failures with more than 16 ancestors
  • Concurrency: Fixed race condition in watchable.Map Snapshot subscription
  • Session Management: Fixed listener drain caused by HTTPRoute with sessionPersistence
  • Deployment Reliability: Fixed deployment creation block when EnvoyProxy secret is missing
  • Header Processing: Increased earlyRequestHeaders limit from 16 to 64 for enhanced request processing

Summary

Envoy Gateway 1.5 delivers enhanced security, advanced traffic management, and streamlined operations for production environments.

Key Benefits:

  • Enhanced security with Kubernetes-native Coraza WAF integration and advanced client certificate validation
  • Improved performance through optimized resource processing and up to 25% memory usage reduction
  • Better operations with enhanced management capabilities and comprehensive observability
  • Advanced traffic handling with zone-aware routing and extended rate limiting options

Upgrade to v1.5.0 to take advantage of these improvements. See the official release notes for complete details.


Upgrade Guidance

Be aware of the following breaking changes when upgrading from 1.4 to 1.5.

Breaking Changes

  • Coraza WAF Configuration: Helm-based Coraza WAF enablement is no longer available in 1.5. Users must migrate to the new ExtendedSecurityPolicy CRD for WAF configuration.
  • Gateway Namespace Mode Naming: Gateway name is now used as the proxy fleet name when running in gateway namespace mode.
  • Endpoint Removal Behavior: Endpoints absent from service discovery are removed even if their active health checks succeed.
  • xDS Listener Naming: Listeners are now named based on listening port and protocol instead of Gateway and section names.
    • This affects existing EnvoyPatchPolicies and ExtensionManagers.
    • Controlled by the XDSNameSchemeV2 runtime flag (disabled in v1.5, enabled in v1.6).
  • Metrics Label Change: Removed xds-translator and xds-server values from the runner label in watchable_subscribe_total; use xds instead.
  • ALS Access Loggers: ALS now has HTTP/2 enabled on the cluster by default.

Manual Migration Steps from 1.4 to 1.5

1. Update Gateway-API and Envoy Gateway CRDs

helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.5.0 --untar
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated

2. Migrate Coraza WAF Configuration

If using Helm-based Coraza WAF configuration, migrate to the new ExtendedSecurityPolicy CRD:

# Review existing WAF configuration and create ExtendedSecurityPolicy resources
# Remove Helm-based WAF configuration from values.yaml

3. Install Tetrate Enterprise Gateway v1.5.0

helm upgrade teg oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.5.0 -n envoy-gateway-system

4. Post-Upgrade Validation

  • Review existing EnvoyPatchPolicies and ExtensionManagers for xDS listener naming changes
  • Update monitoring dashboards to use the new xds runner label instead of xds-translator and xds-server
  • Test endpoint removal behavior if using custom health check configurations
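The four migration steps above, together with the breaking changes they respond to, as one script with the checks a practitioner would want around them. This is an added example, not a script shipped with TEG or Envoy Gateway. It assumes, as the page's own commands do, a Helm release named teg in the envoy-gateway-system namespace; the grep for "coraza" in the release values is a heuristic, the EnvoyPatchPolicy listing relies on that CRD's spec.jsonPatches[].type field, and the dashboard rewrite assumes a Grafana JSON export with JSON-escaped quotes inside "expr" strings.

```shell
#!/bin/sh
# Added example, not part of the TEG documentation: wraps the manual 1.4 -> 1.5
# migration steps with prerequisite checks and the post-upgrade review.
# Assumed (not stated on the page): Helm release "teg" in envoy-gateway-system,
# a heuristic "coraza" grep on release values, and the spec.jsonPatches[].type
# field of the EnvoyPatchPolicy CRD.
set -e

CHART="oci://docker.io/tetrate/teg-envoy-gateway-helm"
VERSION="v1.5.0"
RELEASE="teg"
NAMESPACE="envoy-gateway-system"
CHART_DIR="./teg-envoy-gateway-helm"

# Refuse to start without the tools every step below shells out to.
check_prereqs() {
    for tool in helm kubectl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
}

# Step 1: pull the chart and server-side apply the Gateway API and Envoy
# Gateway CRDs (the page's commands, with the paths parameterised).
upgrade_crds() {
    helm pull "$CHART" --version "$VERSION" --untar
    kubectl apply --force-conflicts --server-side \
        -f "$CHART_DIR/charts/gateway-helm/crds/gatewayapi-crds.yaml"
    kubectl apply --force-conflicts --server-side \
        -f "$CHART_DIR/charts/gateway-helm/crds/generated"
}

# Step 2 guard: Helm-based Coraza WAF enablement is gone in 1.5, so stop if the
# release's user-supplied values still mention it (heuristic: any "coraza" text).
check_waf_values() {
    if helm get values "$RELEASE" -n "$NAMESPACE" | grep -qi coraza; then
        echo "Coraza WAF still configured via Helm values; move it to an ExtendedSecurityPolicy first" >&2
        return 1
    fi
}

# Step 3: upgrade the release to v1.5.0.
upgrade_release() {
    helm upgrade "$RELEASE" "$CHART" --version "$VERSION" -n "$NAMESPACE"
}

# Step 4a: list EnvoyPatchPolicies whose JSON patches address an xDS listener.
# Listener names change under the 1.5 naming scheme, so each such patch needs a
# manual review of its target name.
list_listener_patches() {
    kubectl get envoypatchpolicies -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.jsonPatches[*].type}{"\n"}{end}' \
        | grep 'listener.v3.Listener' | cut -f1
}

# Step 4b: rewrite one PromQL selector so the removed runner values
# (xds-translator, xds-server) become the merged "xds" runner. Handles an exact
# match and a regex alternation of the two old values; other runners are untouched.
rewrite_runner_label() {
    printf '%s' "$1" | sed -E \
        's/runner=~?"(xds-translator|xds-server)([|](xds-translator|xds-server))?"/runner="xds"/g'
}

# Same rewrite over a Grafana dashboard export, where quotes inside "expr" are
# JSON-escaped (\"). Keeps a .bak copy. A panel that had one query per old
# runner ends up with two identical queries, so review the result by hand.
rewrite_dashboard() {
    sed -E -i.bak \
        's/runner=~?\\"(xds-translator|xds-server)([|](xds-translator|xds-server))?\\"/runner=\\"xds\\"/g' "$1"
}

# Run the whole procedure only when asked (sh teg-upgrade.sh migrate), so
# sourcing the file for its helpers has no side effects.
case "${1:-}" in
    migrate)
        check_prereqs
        upgrade_crds
        check_waf_values
        upgrade_release
        echo "EnvoyPatchPolicies targeting listeners (review their target names):"
        list_listener_patches || true
        ;;
esac
```

The WAF check runs before the release upgrade on purpose: once 1.5 is installed the Helm-based switch is simply ignored, so a forgotten value would silently leave the gateway without the WAF rather than fail loudly. The endpoint-removal behaviour change cannot be checked statically; exercise it in a staging cluster by removing a backend from service discovery while its active health check still passes and confirming the endpoint is dropped.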