Tetrate Enterprise Gateway for EnvoyVersion: v1.7.x

v1.7.3

Updated Envoy Gateway to v1.7.4.

Bumped golang to 1.26.4 for security and bug fixes.
Bumped Envoy Gateway to v1.7.4 to address GHSA-22xc-xg2r-9j7v, GHSA-wcrf-9vrr-854f, GHSA-8fv2-88gg-hm7q, GHSA-m2v6-2jmh-4c68, GHSA-h7pq-86h8-rp5x, GHSA-fcrp-7gc2-93g7, and GHSA-cxpq-8v7q-cg56.
Bumped Envoy Proxy to v1.37.3 to address CVE-2026-47774.
Note: If legitimate HTTP/2 traffic with many cookie crumbs or large cookies is reset after the CVE-2026-47774 fix, use EnvoyPatchPolicy to apply HCM header limit mitigations; see envoyproxy/gateway#9185.

Fixed TLS secrets with non-canonical PEM formatting being passed verbatim to Envoy.
Fixed the xDS server in GatewayNamespaceMode serving a stale certificate after cert-manager rotation.
Fixed Gateway getting stuck at Programmed=False after its LoadBalancer Service IP was restored.
Fixed HPA maxReplicas required message typo in the gateway-helm chart.
Fixed BackendTLSPolicy selection to prefer section name over wildcard match on the same backend.
Fixed invalid listeners blocking valid ones during conflict detection.

Bumped Keycloak to 26.6.3.
Bumped the ratelimit service to 1e50889b, including golang 1.26.4 and golang.org/x/net 0.55.0 updates, init-phase retry instead of direct panic, bounded Redis cluster pipeline parallelism, and quota-mode descriptor proto support.
Bumped Redis to 8.6.4.