v1.4.0-rc.1

  3 minute read  

Date: May 1, 2025

Breaking Changes

  • Use a dedicated listener port (19003) for EnvoyProxy readiness.
  • Use the Envoy JSON formatter for the default access log instead of the text formatter.
  • EnvoyGateway now skips xDS snapshot updates in case of errors during xDS translation.
  • When the Extension Manager is configured to Fail Open, translation errors are logged and suppressed.
  • When the Extension Manager is configured not to Fail Open, Envoy Gateway will no longer replace affected resources. Instead, the xDS snapshot update is skipped.

Security Updates

  • Fixed CVE-2025-25294.

New Features

  • Added support for configuring maxUnavailable in KubernetesPodDisruptionBudgetSpec.
  • Added support for percentage-based request mirroring.
  • Added support for matchExpressions in TargetSelector.
  • Added a defaulter for Gateway API resources loaded from files to set default values.
  • Added support for defining Lua EnvoyExtensionPolicies.
  • Added a RequestID field in ClientTrafficPolicy.HeaderSettings to configure Envoy’s X-Request-ID behavior.
  • Added support for HorizontalPodAutoscaler in the Helm chart.
  • Added support for distinct header and distinct source CIDR-based local rate limiting.
  • Added support for forwarding the authenticated username to the backend via a configurable header in BasicAuth.
  • Added support for HTTP Methods and Headers-based authorization in SecurityPolicy.
  • Added support for zone-aware routing.
  • Added support for BackendTLSPolicy to target ServiceImport.
  • Added support for the kubernetes.io/h2c application protocol in ServiceImport.
  • Added support for per-host circuit breaker thresholds.
  • Added support for injecting credentials from a Kubernetes Secret into a request header. Credentials can be injected using either an HTTPRouteFilter or a BackendRef filter.
  • Added support for egctl WebSocket in addition to SPDY.
  • Added a Helm chart configuration option to set the TrafficDistribution field in the Envoy Gateway Service.
  • Added support for setting the Envoy Proxy log level to trace.
  • Added support for global imageRegistry and imagePullSecrets in the Helm chart.
  • Added support for using a local JWKS (inline string or in a ConfigMap) to validate JWT tokens in SecurityPolicy.
  • Added support for logging resource statuses in standalone mode.
  • Added support for per-route tracing in BackendTrafficPolicy.
  • Added support for configuring retry settings for Extension Service hooks in EnvoyGateway config.
  • Added support for request buffering using the Envoy Buffer filter.
  • Added support for the merge type in BackendTrafficPolicy.
  • Added support for the OverlappingTLSConfig condition in Gateway status. This condition is set if there are overlapping hostnames or certificates between listeners. The ALPN protocol is set to HTTP/1.1 for overlapping listeners to avoid HTTP/2 Connection Coalescing.

Bug Fixes

  • Fixed traffic splitting when filters are attached to the backendRef.
  • Added support for Secret and ConfigMap parsing in standalone mode.
  • Bypassed overload manager for stats and ready listeners.
  • Fixed translation of backendSettings for extAuth.
  • Fixed an issue where the stats compressor was not working.
  • Added support for BackendTLSPolicy and EnvoyExtensionPolicy parsing in standalone mode.
  • Retriggered reconciliation when a backendRef of type ServiceImport is updated or when EndpointSlice(s) for a ServiceImport are updated.
  • Fixed an issue where errors were not logged and returned in the Kubernetes Reconcile method when a GatewayClass is not accepted.
  • Fixed allowing an empty text field for OpenTelemetry sink when using JSON format.
  • Fixed an issue where SamplingFraction was not working.
  • Fixed Kubernetes resources not being deleted when a customized name was used.
  • No longer treating essential resources (e.g., namespace) as missing while loading from a file.
  • No longer setting retriable status codes to 503 when RetryOn is configured in BackendTrafficPolicy.

Performance Improvements

  • Added a cache for Wasm OCI image permission checks and now checking pullSecrets against the OCI image registry in a background goroutine.

Deprecations

  • Deprecated the PreserveXRequestID field.

Other Changes

  • Updated gateway-api to v1.3.0.

Last modified July 22, 2025: compress (42fecf5)