Tetrate Enterprise Gateway for Envoy, Version: v1.4.x

Release Announcement TEG 1.4

Date: 10 June 2025

Please ensure you upgrade to version 1.4 by December 1st 2025.

New Feature Highlights

Envoy Gateway 1.4 introduces 34 new features spanning security, traffic management, and operations, along with 19 bug fixes improving stability and reliability.

The highlights below are new features in Envoy Gateway 1.4, of which TEG is a FIPS-verified distribution.

Traffic Handling

  • Enhanced Rate Limiting:
    • Shared Global RateLimit buckets: Allows platform teams to add a common limit for a Gateway applicable for all traffic for all routes attached to it, preventing resource exhaustion
    • Distinct Match support for Local Ratelimiting: Enables creating per user/client buckets with minimal config for fine-grained rate limiting policies
  • Zone Aware Routing: Route requests to the closest upstream backend endpoint, reducing latency and cost - especially useful for large scale Kubernetes deployments
  • Circuit Breaker Enhancements: New circuit breaker support for per-endpoint thresholds, allowing you to safeguard upstream endpoints more effectively
  • Percentage-based Request Mirroring: Mirror a fraction of total application traffic to a separate backend for testing and analysis
  • Lua-based EnvoyExtensionPolicy: Easily add custom Lua scripts to Envoy for implementing custom logic
  • Dynamic Upstream Target Selection: Support for HTTP dynamic forward proxy when the upstream target isn't known ahead of time

Security Controls

  • Finer-grained Authorization Rules: Support for HTTP method and header-based authorization via the SecurityPolicy resource, enabling more precise access control
  • Upstream Credentials Injection: Support for injecting credentials from Kubernetes Secrets into request headers via HTTPRouteFilter
  • Local JWKS Source: Support for local JWKS sources (inline or via ConfigMap) to validate JWT tokens, reducing external dependencies
  • Enhanced Basic Authentication: Improved basic authentication capabilities with better credential management

Observability

  • Tracing Improvements: Per-route tracing configuration in BackendTrafficPolicy for more granular observability
  • RequestID Header: Added RequestID header configuration via ClientTrafficPolicy for better request tracking
  • Backend API Support for Telemetry Backends: Connect to telemetry providers over Unix Domain Sockets, enabling more direct and efficient communication with observability tools
  • Enhanced Extension Processing: Support for FullDuplexedStreamed mode in External Processor filter
  • Extension Server Improvements: Support for Extension Server in standalone mode with retry support for Extension Service hooks

Management

  • High Availability: Enhanced control over pod termination with maxUnavailable in PodDisruptionBudget, ensuring zero-downtime during maintenance and updates
  • Selective CRD Installation: Added support for CRD installation via gateway-crds-helm chart, allowing selective installation of Envoy Gateway CRDs and/or Gateway API CRDs from standard or experimental channels
  • Helm Chart Improvements: HPA support, global registry configuration, and enhanced traffic distribution control
  • Infrastructure Flexibility: Option to run infrastructure Envoy proxies in the Gateway namespace (experimental)

Upgrade Guidance

Be aware of the breaking changes below when upgrading from 1.3 to 1.4.

Breaking Changes

  • Envoy Readiness Port: A dedicated listener port (19003) is now used for Envoy proxy readiness.
  • Access Log Format: The default access log now uses the Envoy JSON formatter instead of the plain text formatter.
  • xDS Snapshot Behavior: Envoy Gateway now skips xDS snapshot updates if errors occur during xDS translation.
  • Extension Manager Behavior:
    • With failOpen: true, translation errors are logged and suppressed.
    • With failOpen: false, xDS updates are skipped for affected resources (no longer replaced).

Manual Migration Steps from 1.3 to 1.4

1. Update Gateway-API and Envoy Gateway CRDs

    helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.4.0 --untar
    kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml
    kubectl apply --force-conflicts --server-side -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated

2. Install Tetrate Enterprise Gateway v1.4.0

    helm upgrade teg oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.4.0 -n envoy-gateway-system

Bug Fixes

  • Traffic Splitting: Traffic splitting now works correctly when filters are attached to backendRef
  • Header and Field Validation: Fixed handling and validation of headers, OpenTelemetry fields, and duplicated API keys
  • Component Behavior: Stats compressor and overload manager behavior corrected
  • Route Matching: Correct precedence in HTTPRoute header and query matching
  • TLS Handling: Fixed behavior of TLS inspector filters for UDP/QUIC
  • Retry Behavior: Corrected retryOn behavior for BackendTrafficPolicy
  • HTTP/2 Optimization: Avoid HTTP/2 Connection Coalescing scenarios

Performance Improvements

  • Wasm Optimization: Added cache for Wasm OCI image permission checks and pulled secrets asynchronously for better performance

Deprecations

  • The PreserveXRequestID field in ClientTrafficPolicy.Spec.Headers is deprecated. Use the new RequestID field instead.

Other Notable Changes

  • Updated to use gateway-api v1.3.0 for the latest Gateway API features and improvements

Deprecated Fields

  • ClientTrafficPolicy: The PreserveXRequestID field is deprecated in favor of the new RequestID field configuration
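
A pre-upgrade check for the deprecation above, as an added example that is not part of the TEG documentation or tooling: it scans multi-document YAML manifests and lists each ClientTrafficPolicy that still sets the deprecated field. The function names, the sample manifests, and the manifest key spelling preserveXRequestID (the lowerCamelCase form of the field named here) are assumptions.

```shell
#!/bin/sh
# Added example (not TEG code). Lists ClientTrafficPolicy manifests that still
# set the deprecated field. Assumption: the YAML key is the lowerCamelCase
# form (preserveXRequestID) of the field name given in the release notes.

find_deprecated_request_id() {   # reads multi-document YAML on stdin
  awk '
    function emit() {
      if (kind == "ClientTrafficPolicy" && hit) print ns "/" name
      kind = ""; name = ""; ns = "default"; hit = 0; meta = 0
    }
    BEGIN { ns = "default" }
    /^---/                   { emit(); next }     # document boundary
    /^kind:/                 { kind = $2 }
    /^metadata:/             { meta = 1; next }
    /^[^ #]/                 { meta = 0 }         # any other top-level key
    meta && /^  name:/       { name = $2 }
    meta && /^  namespace:/  { ns = $2 }
    /^ +preserveXRequestID:/ { hit = 1 }          # commented-out keys do not match
    END { emit() }
  '
}

sample_manifests() {   # constructed sample input, not taken from the page
  cat <<'EOF'
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: legacy-ctp
  namespace: edge
spec:
  headers:
    preserveXRequestID: true
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: migrated-ctp
  namespace: edge
spec:
  headers:
    # preserveXRequestID: true
    requestID: Preserve
EOF
}

sample_manifests | find_deprecated_request_id
```

To check real manifests, pipe the files from the configuration repository into find_deprecated_request_id instead of the sample; each output line is a namespace/name pair to migrate to the RequestID field.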

Summary

Envoy Gateway 1.4 delivers enhanced security, advanced traffic management, and streamlined operations for production environments.

Key Benefits:

  • Enhanced security with granular authorization controls
  • Improved performance through zone-aware routing and advanced rate limiting
  • Better operations with high availability features and simplified management
  • Enhanced observability with improved tracing and monitoring

Upgrade to v1.4.0 to leverage these improvements. See the official release notes for complete details.