v1.4.2

Release Announcement

Check out the v1.4.2 release announcement to learn more about the release.

Security Updates

• Disabled automountServiceAccountToken for proxy and ratelimit deployments and serviceAccounts.

Bug Fixes

• Fixed issue where EnvoyExtensionPolicy ExtProc body processing mode was set to FullDuplexStreamed, but trailers were not sent.
• Fixed validation issue where EnvoyExtensionPolicy ExtProc with failOpen set to true did not reject the FullDuplexStreamed body processing mode.
• Fixed issue where EnvoyPatchPolicy could not replace the telemetry cluster.
• Added validation for section names in Gateway listeners.
• Added ConfigMap indexers for EnvoyExtensionPolicies to reconcile Lua changes.
• Fixed issue where the default access log format was not working.
• Fixed bug where backendRequestTimeout was incorrectly set when retries were enabled.
• Fixed certificate SANs overlap detection in listeners.
• Fixed issue where telemetry did not work when using host port.
• Fixed bug where BackendTLSPolicy incorrectly referenced ConfigMaps or Secrets across namespaces.

What's Changed

• [release/v1.4] cherry pick v1.4.2 by @shawnh2 in #6452
• [release/1.4] release note for 1.4.2 by @zhaohuabing in #6465

Full Changelog: v1.4.1...v1.4.2

latest

This is the "latest" release of Envoy Gateway, which contains the most recent commits from the main branch.

This release might not be stable.

It is only intended for developers wishing to try out the latest features in Envoy Gateway, some of which may not be fully implemented.

We use v0.0.0-latest as the latest chart version to install latest envoy-gateway:

helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace

Try latest version of egctl with:

curl -Ls https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash

v1.4.1

Release Announcement

Check out the v1.4.1 release announcement to learn more about the release.

New Features

• Added support for configuring Subject Alternative Names (SANs) for upstream TLS validation via BackendTLSPolicy.validation.subjectAltNames.
• Added support for setting ownerreference to infra resources when Gateway Namespace mode is enabled.

Bug Fixes

• Fixed OverlappingTLSConfig condition for merged Gateways.
• Fixed an issue with shared rules in the rate limit translator when clientSelector is not specified.
• Fixed an issue with handling integer values in zone annotations.
• Fixed an issue where routes without WASM in their EnvoyExtensionPolicies returned HTTP 500 responses when WASM cache initialization failed.
• Fixed an issue where UDP listeners were not created in the Envoy proxy’s xDS configuration.
• Fixed broken rate limit merging for BackendTrafficPolicy when the Gateway target defines rate limiting but the Route target does not.
• Fixed an issue that preserves ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set in ClientTrafficPolicy.
• Replaced static UID with a dynamic UID for the global rate limit Grafana dashboard.

Other changes

• Fixed backend TLS e2e test.
• Bumped go version to 1.24.3.

What's Changed

• [release/v1.4] fix: custom controller namespace refs in gateway namespace mode by @cnvergence in #6067
• [release/v1.4] fix: missing v1.4 deployment yaml to Gateway Namespace Mode docs by @cnvergence in #6141
• [release/v1.4] Cherry Pick fixes into v1.4.1 by @arkodg in #6258
• [release/v1.4] pin ratelimit tag by @shawnh2 in #6255
• [release/v1.4] add release notes by @shawnh2 in #6260
• [release/v1.4] update version by @shawnh2 in #6261
• [release/v1.4] skip RateLimitGlobalMergeTest for gateway namespace mode by @arkodg in #6262

Full Changelog: v1.4.0...v1.4.1

v1.4.0

Release Announcement

Check out the v1.4.0 release announcement to learn more about the release.

What's Changed

• docs: tracing sampling fraction by @zirain in #5131
• doc: response compression by @zhaohuabing in #5071
• docs: how to specify a self-signed ca for the remote jwks host in the SP JWT settings. by @zhaohuabing in #5085
• chore: fix gen by @zhaohuabing in #5166
• docs: add api key auth instructions by @nothinux in #5097
• add SECURITY.md by @arkodg in #5167
• chore: link SECURITY.md by @arkodg in #5168
• build(deps): bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in #5162
• docs: rm sectionName from some of the examples by @arkodg in #5173
• ci(fix): osv-scanner PR mode by @shahar-h in #5174
• wip: docs: add standalone in container instruction by @dshatokhin in #5172
• docs: update prerequisites files with installation and connectivity t… by @DeeBi9 in #5094
• [release/v1.3] fix 1.3.0-rc.1 release note by @guydc in #5175
• fail validation if baseInterval is 0s by @arkodg in #5176
• [release/1.3] release notes by @guydc in #5177
• add link for adopters by @arkodg in #5183
• copy some docs into current docs by @arkodg in #5185
• fix shortcodes and version location by @guydc in #5184
• Make panic threshold configurable for cluster by @nezdolik in #5118
• docs: add a adopter readme by @arkodg in #5187
• build(deps): bump actions/setup-node from 4.1.0 to 4.2.0 by @dependabot in #5163
• build(deps): bump the k8s-io group across 2 directories with 1 update by @dependabot in #5157
• build(deps): bump the golang-org group across 2 directories with 2 updates by @dependabot in #5158
• build(deps): bump helm.sh/helm/v3 from 3.16.4 to 3.17.0 by @dependabot in #5160
• build(deps): bump codecov/codecov-action from 5.1.2 to 5.3.1 by @dependabot in #5164
• build(deps): bump github.com/ohler55/ojg from 1.26.0 to 1.26.1 by @dependabot in #5044
• build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 in /tools/github-actions/setup-deps by @dependabot in #5165
• add title for adopters by @arkodg in #5196
• build(deps): bump github/codeql-action from 3.27.9 to 3.28.8 by @dependabot in #5189
• build(deps): bump github.com/docker/cli from 27.5.0+incompatible to 27.5.1+incompatible by @dependabot in #5159
• chore: bump go 1.23.5 by @zirain in #5190
• fix build extension-server by @zirain in #5199
• chore: bump go 1.23.6 by @zirain in #5204
• Update Code Reviewers by @arkodg in #5218
• Gateway API - support percentage-based-request-mirroring by @LiorLieberman in #5212
• chore: fix wrong example by @zirain in #5224
• chore: add test for patch ratelimit env by @zirain in #5221
• chore: run gofumpt by @zirain in #5222
• Add conformance e2e test for panic mode by @nezdolik in #5213
• docs: add docs link for envoyGateway configuration in helm chart by @arkodg in #5231
• chore: add coactiveai adopter logo svg and data by @ross-at-coactive in #5233
• build(deps): bump github.com/miekg/dns from 1.1.62 to 1.1.63 by @dependabot in #5243
• build(deps): bump the golang-org group across 2 directories with 2 updates by @dependabot in #5239
• fix: implement num-route-per-host for benchmark scale_httproutes case by @shawnh2 in #5235
• docs: fix config for api key by @arkodg in #5250
• feat: Add support for MaxUnavailable in KubernetesPodDisruptionBudgetSpec by @jukie in #5209
• docs: fixed the documentation for multiple request mirrorfilter docs by @Anu-Ra-g in #5234
• xds: use a dedicated listener port for envoy proxy readiness by @zirain in #5197
• build(deps): bump github.com/docker/docker from 27.5.0+incompatible to 27.5.1+incompatible by @dependabot in #5242
• chore: read go version from gomod by @zirain in #5262
• build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @dependabot in #5244
• feat: add defaulter for gateway-api resources loading from file by @shawnh2 in #5232
• chore: bump deps by @zirain in #5263
• Add support for MatchExpressions by @dprotaso in #5201
• feat: implement Lua EnvoyExtensionPolicy by @rudrakhp in #5171
• docs: Lua EnvoyExtensionPolicy by @rudrakhp in #5270
• docs: added BootstrapConfig for Merge Option by @Anu-Ra-g in #5259
• chore: refactor ext auth e2e by @zirain in #5271
• chore: add canva to ignore lint list by @Xunzhuo in #5279
• docs: add Canva logo to the adopters list by @harrisonturton in #5274
• docs: add secret enum in envoyPatchPolicy by @arkodg in #5268
• fix: Fixed egctl build for windows by @Anu-Ra-g in #5284
• fix: sort the missing resources to fix the gen-check by @shawnh2 in #5286
• docs: fix broken steps in prerequisites by @Nishikoh in #5296
• docs: site design update by @missBerg in #5285
• chore: bump go to 1.24 by @zirain in #5287
• build(deps): bump sigs.k8s.io/kind from 0.26.0 to 0.27.0 in /tools/src/kind by @dependabot in #5295
• build(deps): bump helm.sh/helm/v3 from 3.17.0 to 3.17.1 by @dependabot in #5291
• build(deps): bump the golang-org group across 2 directories with 1 update by @dependabot in #5290
• build(deps): bump github.com/golangci/golangci-lint from 1.63.4 to 1.64.5 in /tools/src/golangci-lint by @dependabot in #5294
• build(deps): bump github.com/evanphx/json-patch/v5 from 5.9.0 to 5.9.11 by @dependabot in #5293
• api: BackendTrafficPolicy DNSLookupFamily by @guydc in #5249
• chore: ignore sched.co by @zirain in #5305
• build(deps): bump the k8s-io group by @zirain in #5309
• fix: latest release failed for cache overlimit by @Xunzhuo in #5316
• validate all xds resources before returning the translation result by @zhaohuabing in #5148
• chore: move ratelimit per-route config to typedPerFilterConfig by @zhaohuabing in #5072
• chore: use go tool by @zirain in #5304
• feat: support HPA in helm chart by @Dean-Coakley in #5127
• fix: Allow weights to be zero on endpoints by @tobrien-nydig in #5278
• feat: Add RequestID to ClientTrafficPolicy for controlling X-Request-ID header behavior by @jukie in #5283
• api: HTTP header and method based authz by @zhaohuabing in #5310
• site: fix styling issues wrt fonts and headings by @missBerg in #5333
• docs: adding SAP as an adopter by @guydc in #5343
• feat: support adding additional labels to dashboard configmap by @fengxsong in #5317
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in https://github.com/envoyproxy/gatew...

v1.3.3

Release Announcement

Check out the v1.3.3 release announcement to learn more about the release.

Bug fixes

• Fix issue where ReferenceGrant from SecurityPolicy to the referenced RemoteJWKS backend was not respected.
• Fix HTTPRoute precedence by correctly considering header and query match types.
• Fix to return an error if direct response size exceeds the limit.
• Fix to avoid adding the TLS inspector filter to QUIC listeners.
• Fix to continue processing remaining GatewayClasses after encountering an error.
• Add validation for header values.

Other changes

• Bumped envoy to v1.33.3.
• Bumped ratelimit to 3e085e5b.

What's Changed

• [release/v1.3] release v1.3.3 cherry-pick by @guydc in #5951
• [release/v1.3] pin envoy and ratelimit by @guydc in #5968
• [release/v1.3] Release version v1.3.3 by @guydc in #5970
• [release/v1.3] bump cc action by @guydc in #5975

Full Changelog: v1.3.2...v1.3.3

v1.4.0-rc.2

Envoy Gateway v1.4.0-rc.2 Release Candidate

v1.4.0-rc.1

What's Changed

• docs: tracing sampling fraction by @zirain in #5131
• doc: response compression by @zhaohuabing in #5071
• docs: how to specify a self-signed ca for the remote jwks host in the SP JWT settings. by @zhaohuabing in #5085
• chore: fix gen by @zhaohuabing in #5166
• docs: add api key auth instructions by @nothinux in #5097
• add SECURITY.md by @arkodg in #5167
• chore: link SECURITY.md by @arkodg in #5168
• build(deps): bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in #5162
• docs: rm sectionName from some of the examples by @arkodg in #5173
• ci(fix): osv-scanner PR mode by @shahar-h in #5174
• wip: docs: add standalone in container instruction by @dshatokhin in #5172
• docs: update prerequisites files with installation and connectivity t… by @DeeBi9 in #5094
• [release/v1.3] fix 1.3.0-rc.1 release note by @guydc in #5175
• fail validation if baseInterval is 0s by @arkodg in #5176
• [release/1.3] release notes by @guydc in #5177
• add link for adopters by @arkodg in #5183
• copy some docs into current docs by @arkodg in #5185
• fix shortcodes and version location by @guydc in #5184
• Make panic threshold configurable for cluster by @nezdolik in #5118
• docs: add a adopter readme by @arkodg in #5187
• build(deps): bump actions/setup-node from 4.1.0 to 4.2.0 by @dependabot in #5163
• build(deps): bump the k8s-io group across 2 directories with 1 update by @dependabot in #5157
• build(deps): bump the golang-org group across 2 directories with 2 updates by @dependabot in #5158
• build(deps): bump helm.sh/helm/v3 from 3.16.4 to 3.17.0 by @dependabot in #5160
• build(deps): bump codecov/codecov-action from 5.1.2 to 5.3.1 by @dependabot in #5164
• build(deps): bump github.com/ohler55/ojg from 1.26.0 to 1.26.1 by @dependabot in #5044
• build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 in /tools/github-actions/setup-deps by @dependabot in #5165
• add title for adopters by @arkodg in #5196
• build(deps): bump github/codeql-action from 3.27.9 to 3.28.8 by @dependabot in #5189
• build(deps): bump github.com/docker/cli from 27.5.0+incompatible to 27.5.1+incompatible by @dependabot in #5159
• chore: bump go 1.23.5 by @zirain in #5190
• fix build extension-server by @zirain in #5199
• chore: bump go 1.23.6 by @zirain in #5204
• Update Code Reviewers by @arkodg in #5218
• Gateway API - support percentage-based-request-mirroring by @LiorLieberman in #5212
• chore: fix wrong example by @zirain in #5224
• chore: add test for patch ratelimit env by @zirain in #5221
• chore: run gofumpt by @zirain in #5222
• Add conformance e2e test for panic mode by @nezdolik in #5213
• docs: add docs link for envoyGateway configuration in helm chart by @arkodg in #5231
• chore: add coactiveai adopter logo svg and data by @ross-at-coactive in #5233
• build(deps): bump github.com/miekg/dns from 1.1.62 to 1.1.63 by @dependabot in #5243
• build(deps): bump the golang-org group across 2 directories with 2 updates by @dependabot in #5239
• fix: implement num-route-per-host for benchmark scale_httproutes case by @shawnh2 in #5235
• docs: fix config for api key by @arkodg in #5250
• feat: Add support for MaxUnavailable in KubernetesPodDisruptionBudgetSpec by @jukie in #5209
• docs: fixed the documentation for multiple request mirrorfilter docs by @Anu-Ra-g in #5234
• xds: use a dedicated listener port for envoy proxy readiness by @zirain in #5197
• build(deps): bump github.com/docker/docker from 27.5.0+incompatible to 27.5.1+incompatible by @dependabot in #5242
• chore: read go version from gomod by @zirain in #5262
• build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @dependabot in #5244
• feat: add defaulter for gateway-api resources loading from file by @shawnh2 in #5232
• chore: bump deps by @zirain in #5263
• Add support for MatchExpressions by @dprotaso in #5201
• feat: implement Lua EnvoyExtensionPolicy by @rudrakhp in #5171
• docs: Lua EnvoyExtensionPolicy by @rudrakhp in #5270
• docs: added BootstrapConfig for Merge Option by @Anu-Ra-g in #5259
• chore: refactor ext auth e2e by @zirain in #5271
• chore: add canva to ignore lint list by @Xunzhuo in #5279
• docs: add Canva logo to the adopters list by @harrisonturton in #5274
• docs: add secret enum in envoyPatchPolicy by @arkodg in #5268
• fix: Fixed egctl build for windows by @Anu-Ra-g in #5284
• fix: sort the missing resources to fix the gen-check by @shawnh2 in #5286
• docs: fix broken steps in prerequisites by @Nishikoh in #5296
• docs: site design update by @missBerg in #5285
• chore: bump go to 1.24 by @zirain in #5287
• build(deps): bump sigs.k8s.io/kind from 0.26.0 to 0.27.0 in /tools/src/kind by @dependabot in #5295
• build(deps): bump helm.sh/helm/v3 from 3.17.0 to 3.17.1 by @dependabot in #5291
• build(deps): bump the golang-org group across 2 directories with 1 update by @dependabot in #5290
• build(deps): bump github.com/golangci/golangci-lint from 1.63.4 to 1.64.5 in /tools/src/golangci-lint by @dependabot in #5294
• build(deps): bump github.com/evanphx/json-patch/v5 from 5.9.0 to 5.9.11 by @dependabot in #5293
• api: BackendTrafficPolicy DNSLookupFamily by @guydc in #5249
• chore: ignore sched.co by @zirain in #5305
• build(deps): bump the k8s-io group by @zirain in #5309
• fix: latest release failed for cache overlimit by @Xunzhuo in #5316
• validate all xds resources before returning the translation result by @zhaohuabing in #5148
• chore: move ratelimit per-route config to typedPerFilterConfig by @zhaohuabing in #5072
• chore: use go tool by @zirain in #5304
• feat: support HPA in helm chart by @Dean-Coakley in #5127
• fix: Allow weights to be zero on endpoints by @tobrien-nydig in #5278
• feat: Add RequestID to ClientTrafficPolicy for controlling X-Request-ID header behavior by @jukie in #5283
• api: HTTP header and method based authz by @zhaohuabing in #5310
• site: fix styling issues wrt fonts and headings by @missBerg in #5333
• docs: adding SAP as an adopter by @guydc in #5343
• feat: support adding additional labels to dashboard configmap by @fengxsong in #5317
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in #5341
• build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 by @dependabot in #5340
• build(deps): bump a...

v1.2.8

Release Announcement

Check out the v1.2.8 release announcement to learn more about the release.

Security updates

• Fixed vulnerability CVE-2025-30157, where local replies were incorrectly sent to the ext_proc server.
• Included ratelimit security fixes related to the golang net/http package.

Bug fixes

• Added support for BackendTLSPolicy and EnvoyExtensionPolicy parsing in Standalone mode.
• Fixed endpoint updates when mirrored backend Pod IPs change.
• Fix not logging an error and returning it in the K8s Reconcile method when a GatewayClass is not accepted.
• Fixed validation of host header in RequestHeaderModifier filter.
• Fixed an OpenTelemetry access log sink failure caused by an 'otel.Text is nil' error.

Performance improvements

• Added a cache for the Wasm OCI image permission checks and check the pullSecrets against the OCI image registry in a background goroutine.

Other changes

• Bumped envoy to v1.32.4.
• Bumped ratelimit to 0141a24f.

What's Changed

• [release/v1.2.8] cherry pick by @zhaohuabing in #5566

Full Changelog: v1.2.7...v1.2.8

v1.3.2

Release Announcement

Check out the v1.3.2 release announcement to learn more about the release.

Bug fixes

• Added support for BackendTLSPolicy and EnvoyExtensionPolicy parsing in Standalone mode.
• Fixed updates of endpoints when mirrored backend Pod IPs are changed.
• Fix not logging an error and returning it in the K8s Reconcile method when a GatewayClass is not accepted.
• Fix allowing empty text field for opentelemetry sink when using JSON format.
• Fixed validation of host header in RequestHeaderModifier filter.
• Retrigger reconciliation when backendRef of type ServiceImport is updated or when EndpointSlice(s) for a ServiceImport are updated.

Performance improvements

• Added a cache for the Wasm OCI image permission checks and check the pullSecrets against the OCI image registry in a background goroutine.

Other changes

• Bumped envoy to v1.33.1.
• Bumped ratelimit to 0141a24f.

What's Changed

• [release/v1.3] Release v1.3.2 cherry-pick by @guydc in #5576

Full Changelog: v1.3.1...v1.3.2

v1.2.7

Release Announcement

Check out the v1.2.7 release announcement to learn more about the release.

Security updates

• Fixed CVE-2025-25294: log injection vulnerability in Envoy Gateway when using default access log.

Bug fixes

• Fixed translating of backendSettings for extAuth.
• Fixed allowing weights to be zero on endpoints for backendRefs in TCPRoute and UDPRoute.
• Fixed validation of all xDS resources before sending them to the Envoy fleet.
• Added support for Secret and ConfigMap parsing in Standalone mode.

Other changes

• Bumped the version of the ratelimit image to ae4cee11.

What's Changed

• [release/v1.2] chore: fix gen (#5166) by @arkodg in #5273
• release: v1.2.7 by @zhaohuabing in #5410

Full Changelog: v1.2.6...v1.2.7