Tetrate Enterprise Gateway for Envoy
Version: v1.7.x

v1.7.1

Updated Envoy Gateway to v1.7.2.

Breaking Changes

  • Changed the default WAF body processing directives to reduce buffering-related traffic degradation. The default request body limits are now SecRequestBodyLimit 4096 and SecRequestBodyInMemoryLimit 4096 with SecRequestBodyLimitAction ProcessPartial. The default response body limit is now SecResponseBodyLimit 4096 with SecResponseBodyLimitAction ProcessPartial, but response body inspection is disabled by default with SecResponseBodyAccess Off; users who need response body inspection only need to override SecResponseBodyAccess.

Security Updates

  • Bump golang to 1.26.2 for security fixes to the crypto/tls and crypto/x509 packages.
  • Bump Envoy Proxy image to v1.37.2 to fix several bugs. For more details, please refer to the Envoy Proxy v1.37.2 release notes.
  • Bump Envoy ratelimit image to 05c08d03.

Bug Fixes

  • Rejected ClientTrafficPolicy if invalid TLS cipher suites are configured.
  • Fixed validation of XListenerSet certificateRefs.
  • Fixed standalone mode emitting non-actionable error logs for missing secrets and unsupported ratelimit deletion on every startup.
  • Fixed xPolicy resources being processed from all namespaces when NamespaceSelector watch mode is configured in the Kubernetes provider.
  • Fixed route status parent aggregation when the number of parents exceeds the Gateway API cap of 32.
  • Fixed ratelimit deployment missing metrics container port (19001), which prevented PodMonitor/ServiceMonitor from targeting the metrics endpoint.
  • Fixed GRPCRoute RequestMirror filter backend not being indexed, causing “service not found” errors for mirror targets that exist in the cluster.
  • Fixed GRPCRoute not detecting conflicting RequestMirror and DirectResponse filters, which caused the mirror to be silently dropped.
  • Fixed per-endpoint hostname override not working because the auto-generated wildcard hostname.
  • Fixed Basic Authentication failing when htpasswd secrets use CRLF line endings by normalizing to LF before passing to Envoy.
  • Fixed BackendTLSPolicy being ignored when configuring TLS for telemetry backends (access logs, tracing, metrics).
  • Fixed client certificate secret never being delivered when it is exclusively referenced by a SecurityPolicy extAuth/jwt/oidc Backend.
  • Fixed xRoute status condition when route has mirror filter and the mirror backend has no endpoints.
  • Fixed gateway-helm RBAC in GatewayNamespace mode with explicit watch.namespaces list by adding controller-namespace secret read permissions to infra-manager.

Performance Improvements

  • Reduced chances of listener drain due to Lua policy updates by migrating to LuaPerRoute.