Release Announcement TEG 1.3
Date: 5 February 2025
Please ensure you upgrade to version 1.3 by June 1st 2025.
New Feature Highlights
Below is a list of highlights of new features in Envoy Gateway 1.3, which TEG is a FIPS verified distribution of.
Traffic Handling
- Extended Protocol Support: Added support for routing to Backend resources in GRPCRoute, TCPRoute, and UDPRoute APIs
- Response Compression: New support for response compression in the BackendTrafficPolicy API
- Implemented GEP-1731: HTTPRoute Retries for the Kubernetes Gateway API is now implemented in Envoy Gateway, which enables you to configure retries via the Gateway API rather than the Envoy Gateway API.
- Dynamic Cost Based Rate Limiting: Added support for a cost specifier in the rate limit API that can take values from dynamic metadata, allowing you to control client usage when the requests being served have different costs
- User-Defined Route Order: Added support for preserving the user-defined HTTPRoute match order in the EnvoyProxy CRD.
Security Controls
- API Key Authentication: New support in SecurityPolicy API enables API key-based access control, simplifying migration from other Gateway solutions
- Security Policy Improvements: Enhanced capabilities for ext-auth server integration and JWKS configuration with custom TLS configurations
- Client IP from XFF Header: Simplified true client IP retrieval from X-Forwarded-For header
- Extension Service calls now fail-closed by default: Ensuring that any error returned from the extension server will replace the affected resource with an “Internal Server Error” immediate response.
Observability
- Tracing Improvements: Better control of tracing sampling by defining the sampling rate as a fraction
- Enhanced Metrics: New metrics and dashboards for monitoring Envoy Gateway panics
- Extension Processing: Improved attribute handling and configuration options for external processors
Management
- Enhanced HPA Support: New capabilities available for configuring EnvoyProxy HPA and PDB configurations
- Improved IPv6 Support: Improved dual-stack support and fixed IPv6-related issues
- Graceful Termination: Enhanced endpoint management during graceful termination periods
Security Updates
- Fixed CVE-2025-25294: Log injection vulnerability in Envoy Gateway when using default access log.
Upgrade Guidance
Be aware of breaking changes as you move to upgrade to 1.3 from 1.2.
🚨 Breaking Changes
- The Container ports field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version.
- ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension.
- Outlier detection (passive health check) is now disabled by default. Refer to BackendTrafficPolicy for working with passive health checks.
- Envoy Gateway treats errors in calls to an extension service as fail-closed by default. Any error returned from the extension server will replace the affected resource with an “Internal Server Error” immediate response. The previous behavior can be enabled by setting the failOpen field to true in the extension service configuration.
- Envoy Gateway now returns a 500 response when a ClientTrafficPolicy translation fails for HTTP/GRPC routes, and forwards client traffic to an empty cluster when a ClientTrafficPolicy translation fails for TCP routes.
- Any issues with the EnvoyProxy reference in a Gateway will prevent the Envoy fleet from being created or result in the deletion of an existing Envoy fleet.
- Envoy Gateway now returns a 500 response when a BackendTLSPolicy translation fails for HTTP/GRPC/TLS routes.
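A pre-upgrade check for the empty ALPN list change described above, as an added example that is not part of the original announcement or of TEG's tooling. It reads the output of kubectl get clienttrafficpolicy -A -o json and assumes the list is stored at spec.tls.alpnProtocols; the sample policies are constructed.

```python
import json

# Constructed sample in the shape of `kubectl get clienttrafficpolicy -A -o json`.
# Policy names and namespaces are made up for this example.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClientTrafficPolicy",
     "metadata": {"namespace": "edge", "name": "empty-alpn"},
     "spec": {"tls": {"minVersion": "1.2", "alpnProtocols": []}}},
    {"kind": "ClientTrafficPolicy",
     "metadata": {"namespace": "edge", "name": "explicit-alpn"},
     "spec": {"tls": {"alpnProtocols": ["h2", "http/1.1"]}}},
    {"kind": "ClientTrafficPolicy",
     "metadata": {"namespace": "apps", "name": "unset-alpn"},
     "spec": {"tls": {"minVersion": "1.3"}}},
    {"kind": "ClientTrafficPolicy",
     "metadata": {"namespace": "apps", "name": "no-tls"},
     "spec": {}},
]})

def classify_alpn(policy):
    """Classify one policy by how 1.3 will interpret its ALPN setting."""
    # Assumption: the ALPN list lives at spec.tls.alpnProtocols.
    tls = (policy.get("spec") or {}).get("tls")
    if not isinstance(tls, dict) or tls.get("alpnProtocols") is None:
        return "defaults"            # field absent: defaults apply in 1.2 and 1.3
    # Empty list: defaults in 1.2, ALPN extension disabled in 1.3.
    return "explicit" if tls["alpnProtocols"] else "disabled-in-1.3"

def audit(kubectl_json):
    """Map 'namespace/name' to a classification for every ClientTrafficPolicy."""
    doc = json.loads(kubectl_json)
    items = doc["items"] if "items" in doc else [doc]  # list or single object
    report = {}
    for item in items:
        if item.get("kind") != "ClientTrafficPolicy":
            continue
        meta = item.get("metadata", {})
        key = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        report[key] = classify_alpn(item)
    return report

def needs_review(kubectl_json):
    """Policies whose TLS behaviour changes silently on upgrade."""
    return sorted(k for k, v in audit(kubectl_json).items() if v == "disabled-in-1.3")

if __name__ == "__main__":
    for name in needs_review(SAMPLE):
        print(f"{name}: empty alpnProtocols, ALPN is disabled after upgrading to 1.3")
```

Policies it reports should either drop the empty list to keep the defaults or list the protocols they need before the upgrade.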
Manual Migration Steps from 1.2 to 1.3
1. Update Gateway-API and Envoy Gateway CRDs
helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.3.0 --untar
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated
2. Install Tetrate Enterprise Gateway v1.3.0
helm upgrade teg oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.3.0 -n envoy-gateway-system