Skip to main content
logoTetrate Enterprise Gateway for EnvoyVersion: v1.8.x

v1.8.2

Updated Envoy Gateway to v1.8.2.

Breaking Changes

  • The XRateLimitHeadersOptionDisabled constant in BackendTrafficPolicy now uses "Off" instead of "Disabled" to match the CRD enum. Because "Disabled" was never a valid CRD value (it would have been rejected by the API server), no existing manifests are affected.
  • SecurityPolicy validation for spec.apiKeyAuth.extractFrom is now stricter, requiring non-empty lists with unambiguous source specifications. Policies with empty or ambiguous configurations will now be rejected and must be corrected before upgrading.

New Features

  • The default data-plane Envoy image now bundles the WAF dynamic module, so the Web Application Firewall (configured via ExtendedSecurityPolicy) works out of the box — you no longer need to override the Envoy proxy image in your Helm values to enable WAF. This default image is published to the public docker.io/tetrate/teg-envoy repository and can be pulled without Tetrate-internal credentials. FIPS deployments must still override the Envoy proxy image with the FIPS variant, which bundles the FIPS-compliant WAF module. Because the dynamic module is now baked in, the Envoy images are slightly larger and are tagged with the TEG release version (e.g. distroless-v1.8.2) rather than the upstream Envoy version.
  • Added the ability to disable the crds dependency on the gateway-helm chart via the crds.enabled configuration variable.

Security Updates

Bug Fixes

  • Optimized API key credential ordering.
  • Fixed IPv6 support in loadBalancerSourceRanges.
  • Fixed route condition handling when a TLS certificate is missing.
  • Fixed backend TLS ALPN protocol handling.
  • Fixed BackendTrafficPolicy rate limit validation failing on Kubernetes 1.36.
  • Fixed duplicate ValidatingAdmissionPolicy resource resolution.
  • Fixed ExternalName Service backend rejection to report a proper error.
  • Improved ListenerSet hostname conflict resolution.
  • Fixed Gateway status address fallback for bare-metal environments.
  • Fixed EnvoyGateway config hot-reload validation ordering.
  • Fixed HTTPRoute per-retry timeout application.
  • Fixed the global rate-limit rule cost field functionality.
  • Prevented a panic when the EnvoyGateway Kubernetes provider sets a deploy block without a type.

Other Changes

  • Bumped the BOE composer dynamic module to v0.9.0.
  • Bumped the ratelimit service to aba2384d.