Tetrate Enterprise Gateway for Envoy
Version: v1.8.x

v1.8.1

Updated Envoy Gateway to v1.8.1.

Breaking Changes

  • Moved the Gateway API safe-upgrades ValidatingAdmissionPolicy resources out of the CRD bundle and into the gateway-helm chart templates. If Gateway API CRDs are installed separately, add Helm ownership metadata to the existing safe-upgrades policy resources before upgrading. If those resources are provider-managed, disable rendering with crds.gatewayAPI.safeUpgradePolicy.enabled=false.
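The ownership metadata Helm checks before it will adopt an existing object is the `app.kubernetes.io/managed-by=Helm` label plus the `meta.helm.sh/release-name` and `meta.helm.sh/release-namespace` annotations. The script below is an added example, not part of the release notes or the project's tooling; it prints the commands that stamp that metadata on the existing policy objects. The release name `teg`, the namespace `envoy-gateway-system`, the `safe-upgrades` name match and the inclusion of ValidatingAdmissionPolicyBinding objects are assumptions to adjust for your cluster.

```shell
#!/usr/bin/env bash
# Added example: plan the Helm adoption of pre-existing safe-upgrades policy objects.
# Assumptions (not from the release notes): release name, release namespace,
# and that the objects to adopt have "safe-upgrades" in their names.
RELEASE="${RELEASE:-teg}"
RELEASE_NS="${RELEASE_NS:-envoy-gateway-system}"

# Print the two kubectl commands that mark one cluster-scoped object as
# owned by the Helm release. $1 = resource type, $2 = object name.
adopt_cmds() {
  printf 'kubectl label %s %s app.kubernetes.io/managed-by=Helm --overwrite\n' \
    "$1" "$2"
  printf 'kubectl annotate %s %s meta.helm.sh/release-name=%s meta.helm.sh/release-namespace=%s --overwrite\n' \
    "$1" "$2" "$RELEASE" "$RELEASE_NS"
}

# Read "type/name" lines (the format of `kubectl get -o name`) on stdin and
# emit adoption commands only for safe-upgrades objects; others are skipped
# so unrelated admission policies never get claimed by the release.
plan() {
  while IFS=/ read -r kind name; do
    case "$name" in
      *safe-upgrades*) adopt_cmds "$kind" "$name" ;;
    esac
  done
}

# List candidate objects from the live cluster (requires kubectl access).
list_live() {
  kubectl get validatingadmissionpolicy,validatingadmissionpolicybinding -o name
}

# Usage: ./adopt.sh --live   prints the plan for the current cluster context.
if [ "${1:-}" = "--live" ]; then
  list_live | plan
fi
```

Review the printed commands against the objects you expect, then pipe the output to `sh` and run the chart upgrade.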

Security Updates

  • Bumped golang to 1.26.4 for security and bug fixes.
  • Bumped Envoy Gateway to v1.8.1 to address GHSA-22xc-xg2r-9j7v, GHSA-wcrf-9vrr-854f, GHSA-8fv2-88gg-hm7q, GHSA-m2v6-2jmh-4c68, GHSA-h7pq-86h8-rp5x, GHSA-fcrp-7gc2-93g7, and GHSA-cxpq-8v7q-cg56.
  • Bumped Envoy Proxy to v1.38.1 to address CVE-2026-47774.
  • Note: If legitimate HTTP/2 traffic with many cookie crumbs or large cookies is reset after the CVE-2026-47774 fix, use EnvoyPatchPolicy to apply HCM header limit mitigations; see envoyproxy/gateway#9185.

Bug Fixes

  • Fixed the xDS server in GatewayNamespaceMode serving a stale certificate after cert-manager rotation.
  • Fixed controller panic when processing backend TLS settings.
  • Fixed BackendTLSPolicy selection to prefer section name over wildcard match on the same backend.
  • Fixed ClientTrafficPolicy TLS cipher validation rejecting supported IANA/RFC cipher suite names.
  • Fixed namespace-scoped Kubernetes watches to include the controller namespace so Envoy Gateway can read its own infrastructure resources.
  • Fixed TLS secrets with non-canonical PEM formatting being passed verbatim to Envoy.
  • Fixed MaxStreamDuration not being set on CommonHttpProtocolOptions for non-route clusters.
  • Fixed egctl x status commands failing when optional Gateway API CRDs are not installed.
  • Fixed ws and wss Backend appProtocols to force HTTP/1.1 upstream connections instead of negotiating HTTP/2.
  • Fixed Gateway getting stuck at Programmed=False after its LoadBalancer Service IP was restored.
  • Fixed HPA maxReplicas required message typo in the gateway-helm chart.
  • Fixed invalid listeners blocking valid ones during conflict detection.

Other Changes

  • Bumped the BOE composer dynamic module to 0.7.0.
  • Bumped Keycloak to 26.6.3.
  • Bumped the ratelimit service to 1e50889b, including golang 1.26.4 and golang.org/x/net 0.55.0 updates, init-phase retry instead of direct panic, bounded Redis cluster pipeline parallelism, and quota-mode descriptor proto support.
  • Bumped Redis to 8.6.4.