Tetrate Enterprise Gateway for Envoy (TEG) Version: v1.2.x

Release Announcement TEG 1.2

Date: 27 November 2024

Please ensure you upgrade to version 1.2 by March 1st 2025.

This distribution brings you a FIPS verified build of Envoy Gateway 1.2 that implements version 1.2 of the Kubernetes Gateway API. To view FIPS build installation steps, please refer to the FIPS installation documentation.

Please contact client support for help with use-case specific upgrade guidance.

New Feature Highlights

The following are highlights of the new features in Envoy Gateway 1.2, of which TEG is a FIPS verified distribution. TEG now uses Envoy v1.32.1 for added stability and performance.

Traffic Handling

  • Gateway-API v1.2.0 Support: Fully compatible with the latest Gateway-API standards.
  • IPv4/IPv6 Dual Stack: Now available for EnvoyProxy fleet and BackendRef resources.
  • Response Override: Added support for Response Override and RequestTimeout in BackendTrafficPolicy.
  • Active Passive Failover: Supported with the new fallback field in the Backend API.
  • Session Persistence in HTTPRoute: Session persistence is supported in HTTPRoute rules for stateful traffic management.
  • HTTPRouteFilter: Adds support for Direct Response and Path Regex Rewrites in HTTPRouteFilter.

Security Controls

  • JWT Claims-Based Authorization: Advanced security control with claims-based policies in SecurityPolicy.
  • CORS Wildcard Matching: Wildcard matching for AllowMethods and AllowHeaders settings.
  • OIDC Flow Support: Added nonce support for OIDC authorization.

Observability

  • Datadog Tracing Integration: Improved support for Datadog tracing in EnvoyProxy CRD.
  • Listener Access Logs: Adds support for configuring Listener level Access Logs for EnvoyProxy.
  • Native Prometheus Metrics: Introduced a Prometheus metrics endpoint for rate limit monitoring.

Management

  • SecurityContext Options: Customizable security context for improved deployment.
  • NodeSelector and PriorityClassName: Added for more granular deployment configuration.
  • Standalone Mode: Experimental support for Envoy Gateway standalone (host deployment) mode.
  • Optional Alpha CRD Watching: Allows Envoy Gateway to run with older Gateway API versions.

Performance Improvements

  • Memory Optimization: Enhanced memory usage by eliminating redundant resource storage.

Upgrade Guidance

Be aware of the following breaking changes when upgrading from 1.1 to 1.2.

🚨 Breaking Changes

  • Gateway API Updates: Removed support for the v1alpha2 versions for GRPCRoute and ReferenceGrant. See the Gateway API v1.2.0 documentation for details.
  • CPU Limits: Removed default CPU limit for Envoy Gateway deployment to avoid throttling.
  • Envoy Shutdown Settings: Drain strategy set to immediate, with default values as follows:
    • minDrainDuration: 10s
    • drainTimeout: 60s
    • terminationGracePeriodSeconds: 360s
  • Endpoint Health On Host Removal: Enabled ignore_health_on_host_removal for clusters with static endpoints to allow faster removal of endpoints that have been deleted by the control plane, without waiting for the results of an active health check.
  • Logging Level Adjustment: Set xDS and Infra IR logs to Debug level instead of Info, so they will no longer appear in Envoy Gateway logs by default. You can change the logging level to debug to view them.

TEG 1.2

SecurityPolicy translation failures will now cause routes referenced by the policy to return an immediate 500 response.

Manual Migration Steps from 1.1 to 1.2

1. Update Gateway-API and Envoy Gateway CRDs

helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.2.0 --untar
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml
kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated

2. Update your ReferenceGrant and GRPCRoute v1alpha2 Resources

Follow the instructions in the Gateway API v1.2 Upgrade Notes.

3. Install Tetrate Enterprise Gateway v1.2.0

helm upgrade teg oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.2.0 -n envoy-gateway-system

Deprecated Fields

The following fields are deprecated and will be removed in a future release.

Please prepare by updating your configuration to use the new fields:

  • xPolicy targetRef is deprecated, use targetRefs instead
  • SecurityPolicy ExtAuth BackendRef is deprecated, use BackendRefs instead
  • OpenTelemetry Proxy Access Log Host and Port are deprecated, use backendRefs instead
  • OpenTelemetry Proxy Metrics Sink Host and Port are deprecated, use backendRefs instead
  • Proxy Tracing Provider Host and Port are deprecated, use backendRefs instead
  • Envoy Gateway Extension Server Host and Port are deprecated, use BackendEndpoint instead
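
An added example, not part of the Tetrate documentation: a pre-upgrade scan of manifest text for two items from the Breaking Changes and Deprecated Fields lists above (v1alpha2 GRPCRoute/ReferenceGrant resources, and the singular targetRef on Envoy Gateway policies). The manifests are constructed, the resource and function names are hypothetical, and the scan assumes policy kinds live in the gateway.envoyproxy.io API group and works line by line rather than as a full YAML parser.

```python
import re

# Constructed sample manifests (not from the page); resource names are hypothetical.
SAMPLE = """\
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GRPCRoute
metadata:
  name: orders-grpc
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-authz
spec:
  targetRef:
    kind: HTTPRoute
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: timeouts
spec:
  targetRefs:
  - kind: HTTPRoute
"""

REMOVED_V1ALPHA2 = {"GRPCRoute", "ReferenceGrant"}  # from the Breaking Changes list
NAME_RE = re.compile(r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", re.M)
TARGETREF_RE = re.compile(r"^[ \t]+targetRef:", re.M)  # singular key only

def top_level(doc, key):
    """Value of an unindented scalar key, or None (line scan, not a YAML parser)."""
    m = re.search(rf"^{key}:[ \t]*(\S+)", doc, re.M)
    return m.group(1).strip("\"'") if m else None

def find_upgrade_issues(manifests):
    """Return (kind, name, issue) for each resource to fix before moving to 1.2."""
    issues = []
    for doc in re.split(r"^---[ \t]*$", manifests, flags=re.M):
        api, kind = top_level(doc, "apiVersion"), top_level(doc, "kind")
        if not api or not kind:
            continue  # empty document or not a Kubernetes object
        name = m.group(1) if (m := NAME_RE.search(doc)) else "<unnamed>"
        if api == "gateway.networking.k8s.io/v1alpha2" and kind in REMOVED_V1ALPHA2:
            issues.append((kind, name, "v1alpha2 no longer supported"))
        is_policy = api.startswith("gateway.envoyproxy.io/") and kind.endswith("Policy")
        if is_policy and TARGETREF_RE.search(doc):
            issues.append((kind, name, "targetRef deprecated, use targetRefs"))
    return issues
```

Calling find_upgrade_issues(SAMPLE) reports the GRPCRoute and the SecurityPolicy and leaves the BackendTrafficPolicy, which already uses targetRefs, alone.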