v1.8.2
Updated Envoy Gateway to v1.8.2.
Breaking Changes
- The
XRateLimitHeadersOptionDisabledconstant inBackendTrafficPolicynow uses"Off"instead of"Disabled"to match the CRD enum. Because"Disabled"was never a valid CRD value (it would have been rejected by the API server), no existing manifests are affected. SecurityPolicyvalidation forspec.apiKeyAuth.extractFromis now stricter, requiring non-empty lists with unambiguous source specifications. Policies with empty or ambiguous configurations will now be rejected and must be corrected before upgrading.
New Features
- The default data-plane Envoy image now bundles the WAF dynamic module, so the Web Application Firewall (configured via
ExtendedSecurityPolicy) works out of the box — you no longer need to override the Envoy proxy image in your Helm values to enable WAF. This default image is published to the publicdocker.io/tetrate/teg-envoyrepository and can be pulled without Tetrate-internal credentials. FIPS deployments must still override the Envoy proxy image with the FIPS variant, which bundles the FIPS-compliant WAF module. Because the dynamic module is now baked in, the Envoy images are slightly larger and are tagged with the TEG release version (e.g.distroless-v1.8.2) rather than the upstream Envoy version. - Added the ability to disable the
crdsdependency on thegateway-helmchart via thecrds.enabledconfiguration variable.
Security Updates
- Bumped Envoy Proxy to v1.38.3 to address multiple CVEs. See the Envoy Proxy v1.38.3 release notes.
- Bumped Envoy Gateway to v1.8.2 for security and bug fixes.
Bug Fixes
- Optimized API key credential ordering.
- Fixed IPv6 support in
loadBalancerSourceRanges. - Fixed route condition handling when a TLS certificate is missing.
- Fixed backend TLS ALPN protocol handling.
- Fixed
BackendTrafficPolicyrate limit validation failing on Kubernetes 1.36. - Fixed duplicate
ValidatingAdmissionPolicyresource resolution. - Fixed ExternalName Service backend rejection to report a proper error.
- Improved ListenerSet hostname conflict resolution.
- Fixed Gateway status address fallback for bare-metal environments.
- Fixed
EnvoyGatewayconfig hot-reload validation ordering. - Fixed HTTPRoute per-retry timeout application.
- Fixed the global rate-limit rule cost field functionality.
- Prevented a panic when the
EnvoyGatewayKubernetes provider sets adeployblock without atype.
Other Changes
- Bumped the BOE composer dynamic module to v0.9.0.
- Bumped the ratelimit service to aba2384d.