Release Announcement TEG 1.8

Date: May 19, 2026

info

Please ensure you upgrade to version 1.8.0 by November 1, 2026.

New Feature Highlights

Tetrate Enterprise Gateway (TEG) 1.8.0 is a FIPS-verified distribution of Envoy Gateway 1.8.0, adding expanded traffic management controls (GeoIP-based routing, bandwidth limiting, retry budgets, local rate-limit shadow mode, new load-balancing policies), strengthened security posture (mTLS client validation modes, cross-namespace policy attachment, TLS configuration for WASM sources), richer observability (upstream access logs, control-plane tracing, OpenTelemetry sampler configuration), and infrastructure improvements (Dynamic Modules, multiple ExtensionManager chaining, merged EnvoyProxy settings), along with Go runtime and dependency security patches.

tip

We recommend upgrading directly from TEG 1.7.x to 1.8.0. Platform teams running TEG 1.6.x should first upgrade to 1.7.x before proceeding to 1.8.0.

Traffic Handling

• GeoIP-Based Routing: Route and filter traffic based on the geographic origin of client IP addresses using the new GeoIP filter in SecurityPolicy. Platform teams can enforce region-based access controls or route requests to geographically appropriate backends without external middleware.
• Bandwidth Limiting: Enforce ingress and egress bandwidth caps per route or backend via the new bandwidth limit field in BackendTrafficPolicy. This bounds the data rate for individual connections, protecting backend capacity from high-volume clients.
• Retry Budget in BackendTrafficPolicy: Configure a retry budget — a cap on the ratio of retries to active requests — via BackendTrafficPolicy. Previously, per-request retry counts could amplify load during partial outages; a retry budget bounds total retry traffic across the cluster.
• Local Rate-Limit Shadow Mode: Evaluate local rate-limit rules without enforcing them. Platform teams can stage and validate new local rate-limit policies against production traffic before flipping enforcement on, reducing the risk of customer impact during rollout.
• Per-Rule XRateLimitOption in BackendTrafficPolicy: Configure rate-limit options at the individual rule level within BackendTrafficPolicy, enabling fine-grained control over rate-limit behavior per route rule rather than applying a single policy to all rules.
• WeightedZones and BackendUtilization Load Balancing: Added the BackendUtilization LoadBalancerType to BackendTrafficPolicy, which adjusts backend weights dynamically based on observed error rates and utilization metrics reported via ORCA. Combined with WeightedZones and PreferLocalZones, this gives platform teams zone-aware traffic distribution with utilization-based weighting.
• alwaysEjectOneEndpoint in Outlier Detection: Added alwaysEjectOneEndpoint to BackendTrafficPolicy.healthCheck.passive, ensuring at least one unhealthy endpoint is ejected even when the maxEjectionPercent threshold would otherwise prevent it.
• Admission Control in BackendTrafficPolicy: Configure request admission control thresholds in BackendTrafficPolicy to shed load before backends become saturated, reducing cascading failure risk.
• Stream Idle Timeout in BackendTrafficPolicy: Configure per-backend stream idle timeouts via BackendTrafficPolicy to bound how long idle HTTP/2 or gRPC streams are held open against upstream services.
• HTTP/2 Connection Keepalive: Configure HTTP/2 keepalive parameters for both client-facing (ClientTrafficPolicy) and backend (BackendTrafficPolicy) connections, enabling operators to tune connection health probing independently on each side.
• gRPC-Web Support: Added gRPC-Web protocol support and gRPC stats settings, allowing gRPC-Web clients to communicate through TEG without a separate transcoding proxy.
• HTTPRoute 303/307/308 Redirect Support: HTTPRoute now supports 303, 307, and 308 HTTP redirect status codes in addition to the previously supported 301 and 302.
• Command Operators in HTTPRoute DirectResponse: Use Envoy string command operators (e.g. %REQ(header)%, %ENVIRONMENT(var)%) in HTTPRoute DirectResponse filter bodies, enabling dynamic response content without an external backend.
• Configurable append_x_forwarded_host in HTTPRouteFilter: The append_x_forwarded_host behavior in HTTPRouteFilter is now configurable, giving operators explicit control over whether the original Host header is appended to X-Forwarded-Host on upstream requests.
• IgnoredUpgradeTypes in ClientTrafficPolicy HTTP1Settings: Configure HTTP upgrade types that TEG should not attempt to upgrade, preventing unintended protocol upgrades for specific connection classes.
• Rate Limit SourceCIDR Invert: Added invert to SourceCIDR in BackendTrafficPolicy rate-limit clientSelectors. Operators can now rate-limit all clients except those in a specified CIDR (allow-list), reducing per-request descriptor work for excluded clients.
• Source Filtering in ResponseOverride: Added source-based conditions to responseOverride in BackendTrafficPolicy, enabling response overrides that apply only to traffic from specific origins.
• Optional Health Check Configuration: Health check parameters in BackendTrafficPolicy are now optional, with retriable status codes configurable independently. Operators can define which HTTP status codes trigger a retry during active health checks.
• RoutingType in BackendTrafficPolicy: Added RoutingType field to BackendTrafficPolicy to configure custom redirect behavior for backend traffic, enabling operators to control how TEG handles routing decisions at the backend level.
• Gateway TLS Frontend/Backend Configuration: Added tls.frontend and tls.backend fields to Gateway configuration, giving operators explicit control over TLS termination and origination settings at the Gateway level.

Security Controls

• mTLS ClientValidationMode: Added ClientValidationMode to mTLS configuration in ClientTrafficPolicy, allowing operators to configure whether client certificate validation is required, optional, or disabled — without changing the TLS listener configuration. The clientValidation.optional field is now deprecated in favor of this explicit mode.
• Cross-Namespace Policy Attachment: SecurityPolicy and related policies can now attach to resources across namespaces, enabling platform teams to manage shared security policies from a central namespace without duplicating policy objects per tenant namespace.
• TLS Configuration for WASM Code Sources: Added TLS configuration support for WASM code sources in EnvoyExtensionPolicy, allowing operators to fetch WASM modules from TLS-secured registries without disabling certificate verification.
• JA3/JA4 TLS Fingerprinting: Added JA3 and JA4 TLS fingerprint support in ClientTrafficPolicy. Platform teams can extract client TLS fingerprints for use in access logging, routing decisions, or downstream fraud detection pipelines.
• SecurityPolicy MergeType: Added MergeType to SecurityPolicy to control how multiple policies targeting the same resource are merged, giving operators explicit governance over policy composition behavior.
• OIDC Per-Route Configuration: OIDC/OAuth2 settings in SecurityPolicy can now be configured per-route, enabling different authentication parameters for different paths on the same Gateway listener.
• OIDC ID Token Forwarding: Added configuration to forward the OIDC ID token to upstream services after successful authentication, removing the need for a separate token-forwarding sidecar.
• External Authorization Path Override: Configure a custom path for ext_auth requests in SecurityPolicy, allowing operators to route authorization checks to a specific endpoint on the ext-auth service rather than mirroring the original request path.
• External Authorization Status on Error: Configure the HTTP status code returned to clients when the ext-auth service is unavailable via the new status_on_error field in SecurityPolicy, replacing the hardcoded 403 response.
• Route Metadata Forwarding to Ext Auth: Pass HTTPRoute metadata to the external authorization service, enabling authorization decisions that incorporate route-level context without requiring custom headers.
• Invalid TLS Cipher Rejection: ClientTrafficPolicy now rejects configurations specifying invalid TLS cipher suites at admission time, surfacing misconfiguration before it reaches the data plane.
• Certificate Fetching via SDS Reference Secret: Added support for fetching certificates via SDS reference secrets, enabling integration with external secret stores for certificate delivery without restarting the gateway.
• Stabilized Lua XDS Filters: Listener-level Lua XDS filters are now stabilized to avoid unnecessary listener drain on configuration updates, reducing connection disruption during policy changes.
• TEG WAF Defaults: The TEG Envoy image now packages the default WAF tuning directives at /etc/teg/waf/teg-default.conf so custom WAF configurations can include them directly.
• Envoy Proxy upgraded to v1.38.0 addressing several security and stability fixes. For the full list of CVEs and behavior changes, see the Envoy Proxy v1.38.0 release notes.
• Go runtime bumped to 1.26.3 to address CVE-related security fixes included in the Go 1.26.x release series.

Observability

• Upstream Access Logs: Configure access logging for upstream (backend) connections separately from downstream access logs in EnvoyProxy telemetry settings. Platform teams can now capture upstream request/response details — including backend latency and upstream headers — without post-processing downstream logs.
• Control Plane Tracing: Added support for distributed tracing of the TEG control plane itself, enabling operators to trace configuration reconciliation and xDS push latency through their existing tracing infrastructure.
• OpenTelemetry Tracing Sampler Configuration: Configure the OTLP tracing sampler type and parameters (e.g. parentbased_traceidratio) in EnvoyProxy telemetry settings, replacing the previous all-or-nothing sampling behavior.
• BackendTLSPolicy for Telemetry Backends: Telemetry backends (OTLP metrics, tracing, access log sinks) now support BackendTLSPolicy for TLS configuration, consistent with how other backend TLS is managed.
• Ratelimit Metrics Port Exposed: The rate-limit container's metrics port is now included in the container spec, making Prometheus scraping of rate-limit metrics available without manual port configuration.
• JSON Log Encoder with Abbreviated Field Keys: The JSON log encoder now uses abbreviated field keys, reducing log volume for high-throughput deployments.

Management & Operations

• Dynamic Modules (Experimental): Load custom Envoy Dynamic Modules — compiled shared libraries — into the data plane via EnvoyExtensionPolicy, with support for both local and remote (HTTP/OCI) sources. This enables operators to extend data-plane behavior without rebuilding Envoy.
• Bundled Built On Envoy (BOE) Extensions: TEG ships with all Built On Envoy extensions pre-bundled in the TEG Envoy image and auto-registered with the data plane. Platform teams can reference modules like composer directly from EnvoyExtensionPolicy without separately mounting or registering them. See the Built On Envoy extensions guide for the full set of bundled extensions and end-to-end usage examples.
• Auto-Mount ConfigMaps and Secrets: Label a ConfigMap or Secret with teg.tetrate.io/auto-mount: "true" and target one or more Gateway resources; the controller automatically creates the necessary volumes and mounts the resource into the Envoy deployment at /etc/teg/auto-mounts/{name} (where {name} is the ConfigMap or Secret name). Auto-mounted files are addressable from EnvoyExtensionPolicy dynamic-module configuration — see the Built On Envoy extensions guide for worked examples.
• Multiple ExtensionManager Chaining: EnvoyGateway configuration now supports multiple ExtensionManager entries with sequential chaining, allowing platform teams to compose independent extension servers without merging them into a single service.
• Merged EnvoyProxy Settings: Added support for merging EnvoyProxy settings across multiple resources, enabling platform teams to compose base and overlay configurations rather than duplicating full EnvoyProxy objects per environment.
• EDS Modification Hook: Added an EDS (Endpoint Discovery Service) modification hook in the extension server API, allowing operators to intercept and transform endpoint sets before they are pushed to the data plane.
• egctl config envoy-gateway Command: Added egctl config envoy-gateway subcommand to retrieve the active EnvoyGateway configuration from a running TEG control plane, aiding in configuration auditing and troubleshooting.
• Optional Active Health Checks: Health check parameters in BackendTrafficPolicy are now optional, with retriable status codes configurable independently. Operators can opt out of active health checks per backend rather than per policy.
• Helm Chart: commonLabels Support: Added commonLabels to the gateway-helm chart, allowing operators to inject consistent labels across all chart-managed resources for cost allocation, policy targeting, or inventory tooling.
• Helm Chart: namespaceOverride Support: Added namespaceOverride to the gateway-helm chart, enabling deployment into a namespace that differs from the Helm release namespace without patching templates.
• Helm Chart: extraEnv for Controller Deployment: Added extraEnv support to the envoy-gateway controller deployment in the helm chart, allowing operators to inject environment variables (e.g. proxy settings, feature flags) without forking the chart.
• Helm Chart: extraVolumes and extraVolumeMounts: Added extraVolumes and extraVolumeMounts to the envoy-gateway controller deployment, enabling operators to mount custom secrets, configmaps, or host paths without chart modifications.
• Helm Chart: Configurable Envoy Proxy Image: The Envoy Proxy image used by the data plane is now configurable via the helm chart, enabling operators to pin to a specific image digest or use a mirrored registry.
• CRDs as Sub-Chart: Gateway API and Envoy Gateway CRDs are now packaged as a sub-chart, reducing the base chart size and allowing CRD lifecycle to be managed independently from the controller deployment.
• Gateway API v1.5.1: TEG 1.8.0 tracks Gateway API v1.5.1, which promotes XListenerSet and other previously experimental resources. See Breaking Changes below for CRD update requirements and the Gateway API v1.5.1 release notes for the full delta.
• Invalid Listener Does Not Block IR: An invalid listener configuration no longer blocks the entire IR from being processed. Valid listeners on the same Gateway continue to serve traffic while the invalid listener is reported in status.
• Namespace Selector Filtering for List Operations: The controller now applies namespace selector filtering to Kubernetes List operations, reducing the volume of objects watched and processed in large multi-tenant clusters.
• Deprecated Field Warnings for clientValidation.optional: The clientValidation.optional field in ClientTrafficPolicy now emits a deprecation warning status condition. Use ClientValidationMode instead.

Performance Improvements

• LuaPerRoute Filter Optimization: Refactored Lua filter configuration to use LuaPerRoute instead of per-filter config, reducing the size of xDS updates when Lua policies are applied to many routes.
• Cached Kubernetes Client for Infra Runner: The infrastructure runner now uses a cached Kubernetes client, reducing API server load during high-frequency reconciliation cycles.
• Snapshot Cache Mutex Fix: Added mutex locking to OnStreamResponse and OnStreamDeltaResponse in the xDS snapshot cache, eliminating a race condition that could cause inconsistent xDS state under concurrent stream updates.

Deprecations

• The clientValidation.optional field in ClientTrafficPolicy is deprecated. Use the new ClientValidationMode field to configure mTLS client certificate validation behavior explicitly.

Bug Fixes (Major Highlights)

• Client certificate secrets referenced exclusively by a SecurityPolicy ext-auth or JWT/OIDC backend were never delivered to the data plane, causing TLS handshake failures for those backends. Certificates are now correctly propagated.
• Rate-limit ConfigMap and HPA resources were not cleaned up when the parent envoy-gateway Deployment was deleted. Owner references are now set correctly so these resources are garbage-collected.
• Duplicate CIDR entries in local rate-limit rules caused incorrect rule evaluation. Duplicate CIDRs are now deduplicated before rule generation.
• Active health checks did not respect the configured endpoint hostname, causing health probes to be sent to the wrong host. The endpoint hostname is now used correctly.
• Per-endpoint hostname overrides were blocked by an auto-generated wildcard host entry. The wildcard no longer suppresses explicit per-endpoint hostname configuration.
• TCPRoute mTLS settings were not applied correctly, leaving TCP routes without the configured mutual TLS enforcement.
• HTTP/3 was not automatically disabled when client TLS was configured on a listener, which could result in protocol negotiation failures. HTTP/3 is now correctly disabled in this configuration.
• WebSocket (WS/WSS) backends were incorrectly negotiated over HTTP/2, causing connection failures. TEG now forces HTTP/1.1 for upstream connections to WS and WSS backends.
• Basic auth validation failed for htpasswd secrets containing Windows-style CRLF line endings. Line endings are now normalized before validation.
• API key authentication dropped all but the first client ID when a credential Secret contained multiple keys. All keys are now correctly registered.
• Cross-namespace SecretObjectReference resolution failed in certain policy configurations. Cross-namespace secret references are now resolved correctly.
• Invalid EnvoyPatchPolicy entries blocked all subsequent xDS processing. TEG now skips invalid patch policies and continues processing the remaining xDS configuration.
• Route and policy statuses were not correctly aggregated across multiple GatewayClass resources, causing some parents to lose status entries. Status aggregation now preserves entries from all relevant parents and ancestors.
• The requestBuffer and httpUpgrade fields in ClientTrafficPolicy are mutually incompatible but were previously accepted without error. TEG now rejects configurations that specify both fields simultaneously.
• The ContextExtensions merge behavior in ext-auth configurations was incorrect, causing extensions from one policy to overwrite those from another rather than merging them.
• The GRPCRoute mirror filter did not function correctly, causing mirrored requests to be dropped. Mirror behavior for GRPCRoute is now consistent with HTTPRoute.
• The attachedRoutes count on Gateway status was incorrect in certain multi-listener configurations. The count now accurately reflects the number of routes attached to each listener.
• Helm chart secrets RBAC was missing entries for gateways deployed in watched namespaces, causing the controller to fail secret lookups in those namespaces.
• TLS passthrough routes with empty route tables now use SNI-based filter chain matching, preventing connection failures when no explicit routes are configured.

---

Summary

TEG 1.8.0 tracks Envoy Gateway 1.8.0 and Gateway API v1.5.1, adding GeoIP-based routing, bandwidth limiting, retry budgets, local rate-limit shadow mode, JA3/JA4 fingerprinting, cross-namespace policy attachment, Dynamic Modules, and multiple ExtensionManager chaining — alongside Go 1.26.3 security patches and over a dozen customer-visible bug fixes across mTLS, health checks, API key auth, and xDS processing.

• Safe: mTLS ClientValidationMode, JA3/JA4 fingerprinting, cross-namespace SecurityPolicy attachment, TLS for WASM sources, invalid TLS cipher rejection at admission, and Go 1.26.3 security patches harden the security posture without requiring data-plane restarts.
• Safe: Local rate-limit shadow mode lets platform teams validate new rate-limit policies against live traffic before enforcement, reducing the risk of inadvertent customer impact during rollout.
• Fast: LuaPerRoute filter optimization, cached Kubernetes client for the infra runner, and snapshot cache mutex fixes reduce xDS update size and control-plane CPU under concurrent stream load.
• Profitable: Dynamic Modules with remote source support, multiple ExtensionManager chaining, merged EnvoyProxy settings, and bundled Built On Envoy extensions with auto-mounted ConfigMap/Secret materialization reduce the need to fork or duplicate configuration objects across environments, lowering operational toil.
• Profitable: Helm chart additions (commonLabels, namespaceOverride, extraEnv, extraVolumes, configurable proxy image, CRDs as sub-chart) reduce the number of chart customizations that require upstream patches or chart forks.
• Safe: Sixteen bug fixes covering client certificate delivery, TCPRoute mTLS, WebSocket upstream protocol negotiation, CRLF basic auth, and xDS patch policy isolation reduce the blast radius of misconfiguration in production.

---

Upgrade Guidance

Be aware of the following breaking changes and behavioral differences when upgrading from TEG 1.7 to 1.8.0. Review each item against your current configuration before promoting to production.

Breaking Changes

• Gateway API CRDs updated to v1.5.1:
  • Gateway API v1.5.1 promotes several previously experimental resources and fields. CRDs must be updated before upgrading the controller. Review the Gateway API v1.5.x changelog for promoted and removed fields, particularly around XListenerSet and inference extension resources.
• CRDs now packaged as a sub-chart:
  • CRDs are now managed as a separate sub-chart (gateway-helm/charts/crds). If you previously managed CRDs via the parent chart, update your Helm install/upgrade commands to account for the new sub-chart structure. The migration steps below reflect the updated CRD paths.
• clientValidation.optional deprecated in ClientTrafficPolicy:
  • The clientValidation.optional field is deprecated and will emit a warning status condition. Migrate to the new ClientValidationMode field before this field is removed in a future release.
• requestBuffer and httpUpgrade are now mutually exclusive in ClientTrafficPolicy:
  • Configurations that set both requestBuffer and httpUpgrade in ClientTrafficPolicy are now rejected at admission. Review existing ClientTrafficPolicy objects and remove one of the conflicting fields before upgrading.
• HTTP/3 automatically disabled when client TLS is configured:
  • Listeners with client TLS configured will no longer advertise HTTP/3 (QUIC). If you rely on HTTP/3 with client TLS, this combination is not supported and the listener will fall back to HTTP/1.1 and HTTP/2.
• WebSocket backends forced to HTTP/1.1:
  • Upstream connections to WS and WSS backends are now forced to HTTP/1.1. If you previously relied on HTTP/2 multiplexing for WebSocket backends, those connections will now use HTTP/1.1 per-connection semantics.
• Lua XDS filter stabilization may change filter ordering:
  • Listener-level Lua XDS filters are now stabilized to prevent listener drain. This may change the order in which Lua filters appear in the filter chain relative to other HTTP filters. Validate Lua-based EnvoyExtensionPolicy behavior after upgrade.
• EnvoyProxy.telemetry.tracing.samplingFraction correction (~100× more traces):
  • Pre-1.8.0, samplingFraction under-sampled by a factor of 100 — numerator: 1, denominator: 1000 produced 0.001% sampling instead of the intended 0.1%. EG 1.8.0 fixes the calculation. Existing configurations using samplingFraction will now produce roughly 100× more traces than before. Audit your tracing backend capacity and adjust samplingFraction (or switch to samplingRate) before upgrading. See envoyproxy/gateway#8282.
• SecurityPolicy 0s timeout now means infinite:
  • A 0s timeout on the ext-auth or rate-limit clients in SecurityPolicy was previously treated as an immediate timeout (request fails). It is now treated as no timeout (infinite). Any policy with an explicit 0s will flip behavior on upgrade. Set an explicit non-zero timeout if you previously relied on the immediate-fail behavior.
• OIDC filter generation rewritten:
  • SecurityPolicy OIDC now generates a single native envoy.filters.http.oauth2 HTTP filter in the HCM filter chain and moves route-specific OAuth2 configuration to route typed_per_filter_config. This breaks EnvoyPatchPolicy resources and extension managers that referenced the previous per-route filter generation.
• Merged SecurityPolicy IR/xDS resource names changed:
  • Names for merged OIDC, BasicAuth, ExtAuth, and JWT resources now derive from the policy that contributes the field — parent or route — rather than always using the route-level policy. Anything that referenced the old resource names by string match must be updated.
• DirectResponse body % interpolation:
  • DirectResponse bodies now support Envoy command operators (e.g. %REQ(header)%). Existing bodies that contain literal % characters will now be interpreted as command operators and may fail to render. Escape literal % as %% before upgrading.
• Controller logging defaults changed:
  • The controller now uses the production logging encoder by default, changing the JSON output keys. Update any log-parsing tooling that depends on the previous development-mode key names.
• TLSRoute and BackendTLSPolicy promoted to GA:
  • The TEG resources chart now emits Gateway API GA versions: TLSRoute v1alpha2 → v1 and BackendTLSPolicy v1alpha3 → v1. Automation, kustomize patches, and Helm templates that pin the old API versions must be updated before upgrading the controller.

---

Manual Migration Steps from 1.7 → 1.8.0

1. Update Gateway-API and Envoy Gateway CRDs

Pull the TEG 1.8.0 chart and apply the updated CRDs. Note that CRDs are now packaged as a sub-chart under charts/gateway-helm/charts/crds.

helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.8.0 --untar

kubectl apply --force-conflicts --server-side \
  -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml

kubectl apply --force-conflicts --server-side \
  -f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated

2. Upgrade Tetrate Enterprise Gateway

helm upgrade teg \
  oci://docker.io/tetrate/teg-envoy-gateway-helm \
  --version v1.8.0 \
  -n envoy-gateway-system

3. Post-Upgrade Validation

• Verify that all ClientTrafficPolicy objects using clientValidation.optional have been migrated to ClientValidationMode and that no deprecation warning conditions are present.
• Check that any ClientTrafficPolicy objects previously combining requestBuffer and httpUpgrade have been corrected; the controller will reject these at admission.
• Validate TCPRoute mTLS behavior — previously broken mTLS enforcement on TCPRoutes is now active and may change traffic behavior for routes that were silently passing without mutual TLS.
• Test WebSocket backends to confirm HTTP/1.1 upstream behavior is acceptable; HTTP/2 multiplexing is no longer used for WS/WSS backends.
• Review Lua-based EnvoyExtensionPolicy filter chain ordering after the XDS filter stabilization change.
• Confirm that Prometheus dashboards and alerting rules account for the rate-limit metrics port now being exposed by default.
• Validate OIDC/OAuth2 flows if using per-route OIDC configuration or ID token forwarding — these are new code paths that should be tested against your identity provider.
• Inspect attachedRoutes counts on Gateway status objects to confirm they reflect the expected number of attached routes after the fix.
• If using Dynamic Modules (experimental), verify that module sources are reachable and that the EnvoyExtensionPolicy objects are accepted without validation errors.
• Audit EnvoyProxy.telemetry.tracing.samplingFraction configurations and adjust for the ~100× sampling-rate correction before upgrading; confirm your tracing backend has capacity headroom.
• Review SecurityPolicy ext-auth and rate-limit timeout values, particularly any explicit 0s — that now means infinite rather than immediate.
• Update any EnvoyPatchPolicy resources or extension managers that target the previous per-route OIDC OAuth2 filter generation or the merged-SecurityPolicy IR/xDS resource names.
• Escape literal % characters in DirectResponse bodies as %% to avoid them being interpreted as Envoy command operators.
• Update log-parsing tooling for the new production JSON encoder field keys.
• Update any manifests, kustomizations, or Helm values that pin TLSRoute to v1alpha2 or BackendTLSPolicy to v1alpha3 — those resources are now emitted at v1.