Tetrate Enterprise Gateway for Envoy, version v1.8.x

v1.8.0

Updated Envoy Gateway to v1.8.0.

Breaking Changes

  • The DirectResponse body in HTTPFilter now supports Envoy command operators for dynamic content. Existing bodies that contain % are now interpolated as command operators instead of being returned verbatim, so audit any literal percent signs in existing bodies before upgrading.
  • The 0s timeout in SecurityPolicy is now treated as an infinite timeout instead of an immediate timeout.
  • Fixed EnvoyProxy samplingFraction translation to correctly convert the Gateway API fraction into Envoy's percentage-based random_sampling field. Existing samplingFraction configurations will now sample 100x more frequently than in previous releases; lower the configured fraction if the previous effective rate was the intended one.
  • The controller now uses production logging encoder config by default.
  • SecurityPolicy OIDC now generates a single native envoy.filters.http.oauth2 HTTP filter in the HCM filter chain and moves route-specific OAuth2 configuration to route typed_per_filter_config.
  • Merged SecurityPolicy IR/xDS resource names for OIDC, BasicAuth, ExtAuth, and JWT now derive from the policy that contributes the field rather than always using the route-level policy.
  • The TEG resources chart now emits the GA Gateway API version for TLSRoute and BackendTLSPolicy, upgrading TLSRoute from v1alpha2 to v1 and BackendTLSPolicy from v1alpha3 to v1.
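A pre-upgrade check for the DirectResponse change listed above, added here as an example; it is not TEG's or Envoy Gateway's own code. It assumes HTTPRouteFilter objects already parsed into Python dicts with the body at spec.directResponse.body (type Inline with an inline string, or ValueRef pointing at a ConfigMap); that path and the sample objects are constructed for the example. It flags every body containing %, separates well-formed operator spans from stray percent signs that the new interpolation will no longer return verbatim, and marks ValueRef bodies as needing a separate scan.

```python
"""Find DirectResponse bodies that command-operator interpolation will change.

Added example, not TEG or Envoy Gateway code. Assumes the parsed
HTTPRouteFilter shape spec.directResponse.body.{type,inline,valueRef};
adjust the path if your objects differ.
"""
import re

# Matches what Envoy parses as a command operator: an upper-case name, optional
# parenthesised argument, optional :max_length, delimited by percent signs,
# e.g. %REQ(X-REQUEST-ID)%, %RESPONSE_CODE%, %REQ(USER-AGENT):20%.
OPERATOR_RE = re.compile(r"%([A-Z_]+(?:\([^)]*\))?(?::\d+)?)%")

# Constructed HTTPRouteFilter-like objects; not real cluster state.
SAMPLE_FILTERS = [
    {"metadata": {"name": "maintenance-page"},
     "spec": {"directResponse": {"statusCode": 503, "body": {
         "type": "Inline",
         "inline": "Down for maintenance. Request id %REQ(X-REQUEST-ID)%"}}}},
    {"metadata": {"name": "promo-banner"},
     "spec": {"directResponse": {"statusCode": 200, "body": {
         "type": "Inline",
         "inline": "Save 50% today with code %REQ(X-PROMO)%"}}}},
    {"metadata": {"name": "plain-ok"},
     "spec": {"directResponse": {"statusCode": 200, "body": {
         "type": "Inline", "inline": "OK"}}}},
    {"metadata": {"name": "from-configmap"},
     "spec": {"directResponse": {"statusCode": 404, "body": {
         "type": "ValueRef", "valueRef": {"name": "not-found-page"}}}}},
]


def find_operators(body):
    """Return the operator spans Envoy will substitute, in order."""
    return OPERATOR_RE.findall(body)


def stray_percents(body):
    """Count percent signs left once recognised operators are removed.

    A non-zero count means the body relied on '%' being literal text, which
    the v1.8.0 interpolation no longer guarantees.
    """
    return OPERATOR_RE.sub("", body).count("%")


def audit_filters(filters):
    """Return one finding per filter whose body the upgrade could change."""
    findings = []
    for obj in filters:
        name = obj["metadata"]["name"]
        body = obj.get("spec", {}).get("directResponse", {}).get("body") or {}
        if body.get("type") == "ValueRef":
            # The text lives in a ConfigMap this scan cannot see.
            findings.append({"name": name, "status": "unchecked",
                             "detail": "body in ConfigMap %s; scan it too"
                             % body["valueRef"]["name"]})
            continue
        text = body.get("inline", "")
        if "%" not in text:
            continue  # untouched by the change
        ops = find_operators(text)
        stray = stray_percents(text)
        status = "literal-percent" if stray else "operators-only"
        findings.append({"name": name, "status": status,
                         "operators": ops, "stray_percents": stray})
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS):
        print(finding)
```

Run it against the output of `kubectl get httproutefilters -A -o json` (after loading the items into dicts) before the upgrade; a `literal-percent` finding means the response text will change, and `operators-only` confirms the body already uses the operator syntax deliberately.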

New Features

  • The TEG Envoy image now packages the default WAF tuning directives at /etc/teg/waf/teg-default.conf so custom WAF configurations can include them directly.
  • Added support for auto-mounting ConfigMaps and Secrets into EnvoyProxy resources. When a ConfigMap or Secret is labeled with teg.tetrate.io/auto-mount: "true" and targets one or more Gateway resources, the controller automatically creates the necessary volumes and mounts in the corresponding Envoy deployment. The mount path is fixed to /etc/teg/auto-mounts/<configmap-or-secret-name>. Because the label alone triggers the mount, whoever can label Secrets in a Gateway's namespace can make their contents readable by the proxy pods, so scope that permission accordingly.
  • Bumped the bundled Gateway API CRDs to v1.5.1.
  • Added support for optional active health check configuration.
  • Added support for shadow mode in local rate limiting.
  • Added support for MergeType in SecurityPolicy to enable route-level policies to merge with parent Gateway or Listener policies.
  • Added egctl config envoy-gateway commands to retrieve Envoy Gateway admin config dumps.
  • Added HTTP/2 connection keepalive support to ClientTrafficPolicy and BackendTrafficPolicy.
  • Added RoutingType field for BackendTrafficPolicy.
  • Added support for configuring weights for locality zones.
  • Added support for gRPC-Web settings in ClientTrafficPolicy.
  • Added support for Envoy Dynamic Modules.
  • Added support for weight in BackendRef API to enable traffic splitting for non-xRoute resources.
  • Added support for removing headers based on Exact, Prefix, Suffix, and RegularExpression matching in ClientTrafficPolicy.
  • Added support for priorityClassName in KubernetesPodSpec for Envoy Proxy pods.
  • Added support for global rate limit shadow mode.
  • Added support for specifying both text body and attributes in access log format by making the type field optional.
  • Added warning status conditions for deprecated fields in xPolicy CRDs.
  • Added support for URLRewrite filter on individual backendRefs.
  • Added support for custom headers on OTLP exports for metrics, tracing, and access logs.
  • Added support for custom TLS configuration when pulling WASM code via HTTP or OCI in EnvoyExtensionPolicy.
  • Added support for gRPC stats settings in EnvoyProxy.
  • Added the PostEndpointsModify extension hook to allow extensions to modify EDS ClusterLoadAssignments.
  • Added support for stream idle timeout in BackendTrafficPolicy.
  • Added namespaceOverride support to the gateway-helm chart.
  • Added support for configuring statusOnError in ExtAuth settings.
  • Added support for GeoIP-based authorization on HTTPRoute and GRPCRoute.
  • Added support for retry budget in BackendTrafficPolicy.
  • Added support for BackendUtilization load balancing policy in BackendTrafficPolicy.
  • Added support for upstream access logs via the Upstream access log type in EnvoyProxy.
  • Added support for invert match in CIDR match RateLimit API.
  • Added support for ignoring HTTP/1.1 Upgrade requests in ClientTrafficPolicy via http1.ignoredUpgradeTypes.
  • Added support for OpenTelemetry sampler configuration for tracing.
  • Added support for multiple ExtensionManagers with sequential chaining.
  • Added support for default EnvoyProxy settings on EnvoyGatewaySpec that can be overridden by GatewayClass or Gateway-level EnvoyProxy configurations.
  • Added support for sending Envoy Gateway route metadata to external authorization backends.
  • Added support for cross-namespace policy attachment for ClientTrafficPolicy, BackendTrafficPolicy, EnvoyExtensionPolicy, and SecurityPolicy.
  • Added source field to responseOverride rules in BackendTrafficPolicy.
  • Added support for path override in ExtAuth HTTP service.
  • Added support for bandwidth limiting in BackendTrafficPolicy.
  • Added support for defining Envoy Proxy image, pullPolicy, and pullSecrets via the helm chart.
  • Added support for Envoy Admission Control to BackendTrafficPolicy.

Bug Fixes

  • Fixed local rate limit rules with identical sourceCIDR client selectors producing conflicting descriptors.
  • ClientTrafficPolicy is now rejected if invalid TLS cipher suites are configured.
  • Fixed ClientTrafficPolicy to disable HTTP/3 and surface a warning on the policy when downstream client TLS validation is configured.
  • Fixed validation of XListenerSet certificateRefs.
  • Fixed XListenerSet not allowing xRoutes from the same namespace when configured to allow them.
  • Fixed API key authentication dropping non-first client IDs when credential Secrets contain multiple keys.
  • Fixed X-ENVOY-ORIGINAL-HOST not being set when Envoy headers and hostname rewrite are enabled for DynamicResolver backends.
  • Fixed standalone mode emitting non-actionable error logs for missing secrets and unsupported ratelimit deletion on every startup.
  • Fixed local object reference resolution from parent policy in merged BackendTrafficPolicies.
  • Fixed xPolicy resources being processed from all namespaces when NamespaceSelector watch mode is configured.
  • Fixed route and policy status aggregation across multiple GatewayClasses managed by the same controller.
  • Fixed route status parent aggregation when the number of parents exceeds the Gateway API cap of 32.
  • Made ConnectionLimit.Value optional so users can configure other connection limit fields without setting max connections.
  • Fixed endpoint hostname not being respected during active health checks.
  • Fixed ratelimit deployment missing metrics container port 19001.
  • Fixed ratelimit ServiceAccount missing standard Kubernetes app labels.
  • Fixed GRPCRoute RequestMirror filter backend indexing.
  • Fixed GRPCRoute conflicting RequestMirror and DirectResponse filter detection.
  • Fixed BackendTrafficPolicy requestBuffer coexisting with route upgrades by disabling the default WebSocket upgrade on buffered routes and rejecting explicit requestBuffer plus httpUpgrade combinations.
  • Fixed per-endpoint hostname override not working due to the auto-generated wildcard hostname.
  • Fixed Basic Authentication failing when htpasswd secrets use CRLF line endings.
  • Fixed BackendTLSPolicy being ignored when configuring TLS for telemetry backends.
  • Fixed client certificate secrets not being delivered when exclusively referenced by a SecurityPolicy extAuth, jwt, or oidc Backend.
  • Fixed xRoutes being incorrectly marked unaccepted when a RequestMirror filter referenced a backend with no endpoints.
  • Fixed ws and wss Backend appProtocols to force HTTP/1.1 upstream connections instead of negotiating HTTP/2.
  • Fixed gateway-helm RBAC in GatewayNamespace mode with explicit watch.namespaces.
  • Fixed a control plane panic caused by concurrent Status mutation racing with the watchable Map coalesce goroutine.
  • Fixed BackendTrafficPolicy rate limit requests values above uint32 max being silently truncated.
  • Fixed status conditions not being updated when a route is rejected due to multiple errors.
  • Fixed spurious development-mode panic log from the gatewayapi translator.
  • Fixed SecurityPolicy merge using the wrong policy as the owner for resource references and IR generation.
  • Fixed ListenerSet and its listeners incorrectly setting Accepted: False for invalid certificate references.
  • Fixed active HTTP health checks to use Backend endpoint hostnames before falling back to the effective Route hostname.
  • Fixed HTTPS listeners with overlapping hostnames but disjoint certificate SANs to preserve HTTP/2 ALPN by default.
  • Removed the spurious cross-namespace policy-attachment warning condition when a ReferenceGrant is missing.
  • Fixed an invalid first listener winning hostname or protocol precedence and causing a later valid listener to be marked HostnameConflict.
  • Increased RateLimitSelectCondition.headers MaxItems from 16 to 64.
  • Fixed Gateway getting stuck at Programmed=False after its LoadBalancer Service IP was restored.
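The CRLF failure mode behind the Basic Authentication fix listed above, shown as an added example rather than TEG's own implementation: an htpasswd parser that tolerates Windows line endings beside the naive newline split that leaves a trailing carriage return on every stored hash. The htpasswd contents are constructed and the hashes are placeholders, not real credentials.

```python
"""htpasswd parsing with and without CRLF tolerance.

Added example, not TEG code. Demonstrates why a Secret saved with \\r\\n
line endings made every Basic Auth check fail before the v1.8.0 fix.
"""

# Constructed htpasswd Secret contents, saved on Windows: every line ends in \r\n.
# The hashes are placeholders only.
HTPASSWD_CRLF = (
    "# users for the admin gateway\r\n"
    "alice:$2y$05$abcdefghijklmnopqrstuu\r\n"
    "bob:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=\r\n"
    "\r\n"
)


def parse_htpasswd_naive(text):
    """Split on '\\n' only.

    The trailing '\\r' stays attached to each digest, so a later comparison of
    the stored hash against the freshly computed one never matches and every
    login is rejected. The blank CRLF line also yields a bogus "\\r" user.
    """
    users = {}
    for line in text.split("\n"):
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        users[user] = digest
    return users


def parse_htpasswd(text):
    """CRLF-tolerant parser.

    splitlines() consumes \\r\\n, \\n and \\r alike, and each field is stripped
    so stray whitespace cannot alter the stored hash either. Malformed entries
    (no colon, empty user or empty digest) are skipped instead of stored as an
    empty hash that a permissive verifier might accept.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        user, digest = user.strip(), digest.strip()
        if not sep or not user or not digest:
            continue
        users[user] = digest
    return users


if __name__ == "__main__":
    print("naive :", parse_htpasswd_naive(HTPASSWD_CRLF))
    print("fixed :", parse_htpasswd(HTPASSWD_CRLF))
```

The same carriage-return contamination applies to any newline-delimited credential file mounted from a Secret; normalising line endings at parse time is cheaper than diagnosing a gateway that rejects every valid password.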

Performance Improvements

  • Reduced chances of listener drain due to Lua policy updates by migrating to LuaPerRoute.
  • Reduced Kubernetes API server calls by reusing the cached controller-runtime client from the controller manager for infrastructure reconciliation.
  • Enabled deferred stat creation to reduce CPU and memory overhead.

Other Changes

  • Bumped Envoy Gateway to v1.8.0.
  • Bumped the BOE composer dynamic module to 0.6.0.
  • Bumped Redis to 8.6.3.
  • Moved Envoy Gateway CRDs into a sub-chart to avoid the Helm release secret exceeding the 1MB size limit when adding new API fields.
  • Increased the maximum number of rules in a RateLimit policy from 128 to 256.
  • Increased the maximum number of JWT providers allowed in SecurityPolicy.spec.jwt.providers from 4 to 16.
  • Added runner_event_total metric to track update and delete events in infrastructure and gateway API runners.
  • Added common Helm labels to Envoy Gateway RBAC resources.