Tetrate Enterprise Gateway for EnvoyVersion: v1.6.x

Release Announcement TEG 1.6.1

Date: December 08, 2025

info

Please ensure you upgrade to version 1.6.1 by June 1, 2026.

New Feature Highlights

Tetrate Enterprise Gateway (TEG) 1.6.1 is a FIPS-verified distribution of Envoy Gateway 1.6.1 and includes significant security enhancements, traffic management improvements, and operational reliability upgrades, along with critical performance optimizations and bug fixes.

This release combines the feature set from:

Envoy Gateway 1.6.0
Envoy Gateway 1.6.1 (security + stability patch)

tip

We recommend that you update directly from TEG 1.5.x to 1.6.1 if you are not already on 1.6.0.

Traffic Handling

Zone-Aware Routing Gradual Rollout: Added PercentageEnabled configuration for zone-aware load balancing, enabling safe, incremental rollouts.
Connection Lifecycle Controls: Configure:
- Maximum connection duration
- Stream duration
- Maximum requests per connection via ClientTrafficPolicy.
HTTP/2 Stream Timeout Support: Control stream-level timeouts for improved reliability under load.
Proactive Backend Connections: Added PreconnectPolicy in BackendTrafficPolicy to establish backend connections ahead of demand.
Smarter Outage Behavior: Return HTTP 503 when no valid backend endpoints exist for clearer service-outage signaling.
Path + Method Rate Limiting: Added support for rate limiting based on HTTP path and method.
Global + Local Rate Limiting Together: Use both global and local rate limiting simultaneously in BackendTrafficPolicy.
Binary Direct Responses: Serve binary data directly from ConfigMaps using HTTPRouteFilter.
Implicit CORS OPTIONS Support: Automatic support for the OPTIONS method when CORS is enabled.

Security Controls

Extension Server mTLS: Mutual TLS configuration for secure communication between Envoy Gateway and extension servers.
JWT & OIDC Enhancements:
- remoteJWKS.cacheDuration for improved JWKS caching performance.
- Configurable CSRFTokenTTL for better OAuth2 session control.
- Automatic OIDC token refresh using refresh tokens (can be disabled if needed).
Optional Token Encryption: Support for DisableTokenEncryption in OIDC authentication.
Per-Backend TLS Configuration:
- Client certificates
- TLS versions
- Cipher suites
- ALPN protocols
OCSP Stapling Support: Enables real-time certificate revocation checks during TLS handshakes.
Certificate Revocation Lists (CRLs): Supported for upstream certificate verification.
Automatic TLS Certificate Generation (Host Mode): Simplifies secure deployments.
TCP Authorization Policies: SecurityPolicy authorization now applies to TCPRoute.

Security Updates in 1.6.1

Envoy upgraded to 1.36.3 addressing:

Observability

Improved Cluster Stats Naming: Proper lowercasing of %ROUTE_KIND% in clusterStatName.
Better Gateway Status Handling:
- Truncated condition messages to stay within Kubernetes limits
- Improved multi-GatewayClass status reporting
503 Status Signaling for Invalid Backends: Makes outage diagnosis easier.

Management & Operations

Rate Limit Service PDB: PodDisruptionBudget can now be configured for rate limit service.
Late Response Headers: Add headers after response body begins using ClientTrafficPolicy.
Reliable Token Refresh via SDS: GatewayNamespaceMode now refreshes expired ServiceAccount tokens properly.
Improved Multi-Controller Ownership Tracking
Gateway API Upgraded to v1.4.1
CI Disk Reclamation Script Added
golang.org/x/crypto Dependency Updated

Performance Improvements

xDS Snapshot Cache Fix: Clears stale snapshots on stream reconnect.
Watcher Optimization:
- Set LastTransitionTime at subscriber instead of publisher
- Coalesced updates to skip intermediate state churn

Deprecations

No new deprecations introduced in 1.6.x.

Other Notable Changes

Disabled default x-envoy-ratelimited headers (can be re-enabled explicitly)
Improved regex handling in prefix-based URL rewrites
Multiple stability improvements in:
- JWT authentication
- Lua validation
- EnvoyPatchPolicy targeting
- Proxy topology injection
- Header modifier behavior with comma-separated values

Bug Fixes (Major Highlights)

Fixed stale xDS configuration after reconnections
Fixed OIDC authorization endpoint override bug
Fixed partial invalid BackendRefs causing 500 errors
Fixed missing JWT providers on shared listener ports
Fixed incorrect Gateway ownership resolution
Fixed race conditions in:
- Proxy context in host mode
- Topology injection cache
Fixed certificate SAN overlap detection
Fixed multiple indexing and controller crash scenarios
Fixed incorrect listener port limit typo (65353 → 65535)

Summary

TEG 1.6.1 delivers strong security upgrades, advanced traffic lifecycle controls, improved TLS handling, smarter outage signaling, and major reliability fixes—making it a powerful production-ready upgrade for enterprises running mission-critical API and AI workloads.

Key Benefits:

Stronger security posture with CVE-patched Envoy 1.36.3
Enterprise-grade TLS and OIDC enhancements
Better performance under reconnection and control-plane churn
Improved traffic control with preconnect, stream, and rate limit enhancements
More predictable failure behavior with explicit 503 signaling

Upgrade to TEG 1.6.1 to take full advantage of these improvements.

Upgrade Guidance

Be aware of the following breaking changes when upgrading from 1.5 → 1.6.

Breaking Changes

Backend TLS Defaults Changed:
- ALPNProtocols now default to [h2, http/1.1]
Automatic SNI Derivation:
- If SNI is not specified, it is now derived from the HTTP Host header
- DNS SANs must now match the derived SNI value
MirrorPolicy Behavior Change:
- Shadow host suffix is no longer automatically appended
OIDC Refresh Tokens Enabled by Default:
- Previously unused refresh tokens are now automatically applied unless disabled
egctl Data Collection Change:
- SDS data is no longer collected by default (--sds true required)
Consecutive Gateway Failure Enforcement:
- enforcingConsecutiveGatewayFailure is automatically set to 100

Manual Migration Steps from 1.5 → 1.6.1

1. Update Gateway-API and Envoy Gateway CRDs

helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.6.1 --untar

kubectl apply --force-conflicts --server-side \
  -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml

kubectl apply --force-conflicts --server-side \
  -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated

2. Upgrade Tetrate Enterprise Gateway

helm upgrade teg \
  oci://docker.io/tetrate/teg-envoy-gateway-helm \
  --version v1.6.1 \
  -n envoy-gateway-system

3. Post-Upgrade Validation

Review Backend TLS configurations for SNI + SAN behavior
Validate OIDC refresh token behavior in production
Verify rate limit headers and PreconnectPolicy behavior
Check Gateway status reporting across multi-Class environments

New Feature Highlights​

Traffic Handling​

Security Controls​

Security Updates in 1.6.1​

Observability​

Management & Operations​

Performance Improvements​

Deprecations​

Other Notable Changes​

Bug Fixes (Major Highlights)​

Summary​

Upgrade Guidance​

Breaking Changes​

Manual Migration Steps from 1.5 → 1.6.1​

1. Update Gateway-API and Envoy Gateway CRDs​

2. Upgrade Tetrate Enterprise Gateway​

3. Post-Upgrade Validation​