
Releases: envoyproxy/gateway

latest

04 Feb 14:11
d50be42
Pre-release

This is the "latest" release of Envoy Gateway, which contains the most recent commits from the main branch.

This release might not be stable.

It is only intended for developers wishing to try out the latest features in Envoy Gateway, some of which may not be fully implemented.

The chart version v0.0.0-latest installs the latest envoy-gateway:

helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace

Try the latest version of egctl with:

curl -Ls https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash

v1.3.0

31 Jan 03:57
76e714e

Release Announcement

Release Date: January 30, 2025

Check out the v1.3 release announcement to learn more about the release.

The Envoy Gateway v1.3.0 release brings a host of new features, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below.

🚨 Breaking Changes

  • Proxy Pod Template: The Container ports field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version.
  • TLS Defaults: ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension.
  • Default Passive Health Checks: Outlier detection (passive health check) is now disabled by default. Refer to BackendTrafficPolicy for working with passive health checks.
  • Extension Manager Fails Closed: Envoy Gateway treats errors in calls to an extension service as fail-closed by default. Any error returned from the extension server will replace the affected resource with an "Internal Server Error" immediate response. The previous behavior can be enabled by setting the failOpen field to true in the extension service configuration.
  • ClientTrafficPolicy Translation Failures: Envoy Gateway now returns a 500 response when a ClientTrafficPolicy translation fails for HTTP/GRPC routes, and forwards client traffic to an empty cluster when a ClientTrafficPolicy translation fails for TCP routes.
  • Envoy Proxy Reference Failures: Any issues with EnvoyProxy reference in a Gateway will prevent the Envoy fleet from being created or result in the deletion of an existing Envoy fleet.
  • BackendTLSPolicy Translation Failures: Envoy Gateway now returns a 500 response when a BackendTLSPolicy translation fails for HTTP/GRPC/TLS routes.

✨ New Features

API & Traffic Management Enhancements

  • Compression: Added support for Response Compression in BackendTrafficPolicy CRD.
  • Route Order: Added support for preserving the user defined HTTPRoute match order in EnvoyProxy CRD.
  • Rate Limiting with Cost: Added support for cost specifier in the rate limit BackendTrafficPolicy CRD.
  • Gateway API 1.2 Retries: Added support for Retries (GEP-1731) in HTTPRoute CRD.
  • Backend Routing: Added support for referencing Backend resources in RPCRoute, TCPRoute and UDPRoute CRDs.
  • Response Override: Added support for status code override in BackendTrafficPolicy.

Security Enhancements

  • Client IP Detection: Added support for trusted CIDRs in the ClientIPDetectionSettings of ClientTrafficPolicy CRD.
  • API Key Authentication: Added support for API Key Authentication in the SecurityPolicy CRD.
  • External Auth: Added support for sending body to Ext-Auth server in SecurityPolicy CRD.
  • JWT Auth: Added support for configuring remote JWKS settings with BackendCluster in SecurityPolicy CRD.
  • Backend TLS System Trust Store: Added support for dynamic reload of System WellKnownCACertificates in BackendTLSPolicy.
  • Draining Endpoints: Continue using and drain endpoints during their graceful termination, as indicated by their respective EndpointConditions.

Observability & Tracing

  • Trace Sampling: Added support for configuring tracing sampling rate with Fraction EnvoyProxy CRD.
  • Static Metadata: Gateway API Route rule name is propagated to XDS metadata as sectionName.
  • Envoy Gateway Panics: Added metrics and dashboards for Envoy Gateway panics in watchables.

Infra

  • Proxy: Added support for patching HPA and PDB settings in EnvoyProxy CRD.
  • Rate Limit: Added support for HPA in EnvoyGateway configuration.

Extensibility

  • External Processing Filter: Added support for Attributes, Dynamic Metadata and Processing Mode Override in EnvoyExtensionPolicy CRD.
  • Wasm: Added support for injecting Host Env in EnvoyExtensionPolicy CRD.
  • Extension Manager: Added support for configuring Max GRPC message size for the Extension Manager in EnvoyGateway configuration.

🐞 Bug Fixes

  • Fixed a panic in the provider goroutine when the body in the direct response configuration was nil.
  • Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes.
  • Fixed a failure to update SecurityPolicy resources when the backendRef field was specified.
  • Fixed an xDS translation failure when oidc tokenEndpoint and jwt remoteJWKS were specified in the same SecurityPolicy and used the same hostname.
  • Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn.
  • Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s.
  • Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs.
  • Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected.
  • Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined.
  • Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration.
  • Fixed traffic splitting not working when some backends were invalid.
  • Fixed a nil pointer error that occurred when a SecurityPolicy referred to a UDS backend.
  • Fixed an issue where the Gateway API translator did not use the TLS configuration from the BackendTLSPolicy when connecting to the OIDC provider’s well-known endpoint.
  • Fixed a validation failure that occurred when multiple HTTPRoutes referred to the same extension filter.
  • Fixed a nil pointer error caused by accessing the cookie TTL without verifying if it was valid.
  • Fixed unexpected port number shifting in standalone mode.
  • Fixed an issue where the shutdown-manager did not respect the security context of the container spec.
  • Fixed readiness checks failing for single-stack IPv6 Envoy Gateway deployments on dual-stack clusters.
  • Fixed IPv6 dual-stack support not working as intended.
  • Fixed the certgen command so that control plane certs can be overwritten by using a new command arg (-o).
  • Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap.
  • Fixed prometheus format conversion of ratelimit metrics for remote address.
  • Fixed limitations that prevented creation of FQDN Endpoints with a single-character subdomain in Backend.
  • Fixed issue where SecurityContext of shutdown-manager container was not updated by overriding helm values.
  • Fixed issue with incorrect IPFamily detection for backends.
  • Fixed validation of interval values in Retry settings.

⚠️ Vulnerabilities

  • Fixed CVE-2025-24030, which exposed the Envoy admin interface through the prometheus stats endpoint. Refer to the Advisory.

⚙️ Other Notable Changes

  • Envoy Upgrade: Now using Envoy v1.33.0.
  • Ratelimit Upgrade: Now using Ratelimit 60d8e81b.
  • Gateway API: Now using Gateway API v1.2.1.
  • Envoy Gateway Base Image: Modified the base container image to gcr.io/distroless/base-nossl:nonroot.
  • K8s Version Matrix: Added support for Kubernetes 1.32.x in the test matrix, and removed support for Kubernetes 1.28.x.
  • Go Control Plane: Now using v0.13.4.
  • XDS Validations: Envoy Gateway validates additional resources before adding them to the snapshot.
  • Backend Routing: Increased the maximum amount of endpoints to 64 in Backend.

What's Changed

  • feat: set full URI for the envoy-gateway service using name and namespace by @rajatvig in #4533
  • Reduce the amount of configuration logging, and make it line-delimited friendly by @evankanderson in #4505
  • feat: enable load backend resources by @shawnh2 in #4535
  • build(deps): bump actions/setup-node from 4.0.4 to 4.1.0 by @dependabot in #4537
  • chore: optimized code by @zirain in #4514
  • build(deps): bump github/codeql-action from 3.26.13 to 3.27.0 by @dependabot in #4538
  • build(deps): bump distroless/static from 26f9b99 to 3a03fc0 in /tools/docker/envoy-gateway by @dependabot in #4541
  • build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 in /tools/github-actions/setup-deps by @dependabot in #4540
  • build(deps): bump github.com/replicatedhq/troubleshoot from 0.107.1 to 0.107.4 by @dependabot in #4543
  • build(deps): bump github.com/tsaarni/certyaml from 0.9.3 to 0.10.0 by @dependabot in #4546
    ...

v1.3.0-rc.1

24 Jan 13:59
bfe2bc1
Pre-release

v1.2.6

23 Jan 04:35
732a09b

Release Announcement

Check out the v1.2.6 release announcement to learn more about the release.

Security updates

Bug fixes

  • Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap.

What's Changed

Full Changelog: v1.2.5...v1.2.6

v1.2.5

14 Jan 03:55
51a420a

Release Announcement

Check out the v1.2.5 release announcement to learn more about the release.

Bug fixes

  • Fixed a nil pointer error that occurred when a SecurityPolicy referred to a UDS backend.
  • Fixed an issue where the Gateway API translator did not use the TLS configuration from the BackendTLSPolicy when connecting to the OIDC provider’s well-known endpoint.
  • Fixed a validation failure that occurred when multiple HTTPRoutes referred to the same extension filter.
  • Fixed a nil pointer error caused by accessing the cookie TTL without verifying if it was valid.
  • Fixed unexpected port number shifting in standalone mode.
  • Fixed an issue where the shutdown-manager did not respect the security context of the container spec.
  • Fixed readiness checks failing for single-stack IPv6 Envoy Gateway deployments on dual-stack clusters.
  • Fixed IPv6 dual-stack support not working as intended.

Other changes

  • Bumped Envoy to version 1.32.3.

What's Changed

Full Changelog: v1.2.4...v1.2.5

v1.2.4

13 Dec 05:04
6ca4fe3

Release Announcement

Check out the v1.2.4 release announcement to learn more about the release.

Bug fixes

  • Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs.
  • Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected.
  • Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined.
  • Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration.
  • Fixed traffic splitting not working when some backends were invalid.

Other changes

  • Bumped Envoy to version 1.32.2.

What's Changed

Full Changelog: v1.2.3...v1.2.4

v1.1.4

13 Dec 13:15
127d356

Release Announcement

Check out the v1.1.4 release announcement to learn more about the release.

Bug fixes

  • Fixed proto messages not being validated before being converted to anypb.Any.
  • Fixed BackendTLSPolicy only applying one of multiple targetRefs that referenced the same service.
  • Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes.
  • Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn.
  • Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected.
  • Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined.

Other changes

  • Bumped Rate Limit to 49af5cca.
  • Bumped golang.org/x/crypto to 0.31.0.

What's Changed

Full Changelog: v1.1.3...v1.1.4

v1.2.3

02 Dec 04:08
9fe25ce

Release Announcement

Check out the v1.2.3 release announcement to learn more about the release.

Bug fixes

  • Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s.
  • Used a waitGroup instead of an enabled channel in the status updater.

Other changes

  • EG listens on IPv4 by default, but if IPFamily is set to IPv6 or DualStack, it listens on :: and enables ipv4_compat for DualStack.
  • Bumped Gateway API to v1.2.1.

What's Changed

Full Changelog: v1.2.2...v1.2.3

v1.2.2

28 Nov 03:59
4901ba0

Release Announcement

Check out the v1.2.2 release announcement to learn more about the release.

Bug fixes

  • Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes.
  • Fixed a failure to update SecurityPolicy resources when the backendRef field was specified.
  • Fixed an xDS translation failure when oidc tokenEndpoint and jwt remoteJWKS were specified in the same SecurityPolicy and used the same hostname.
  • Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn.

Other changes

  • Bumped the RateLimit image to 49af5cca.
  • Dynamic listeners now always bind to :: with ipv4_compat enabled.
  • Use V4_PREFERRED instead of V4_ONLY by default for the cluster's DnsLookupFamily.

What's Changed

Full Changelog: v1.2.1...v1.2.2

v1.2.1

07 Nov 07:31
1e7263b

Release Announcement

Check out the v1.2.1 release announcement to learn more about the release.

Bug fixes

  • Fixed a panic in the provider goroutine when the body in the direct response configuration was nil.

What's Changed

  • [release/v1.2] fix panic in provider when the direct response body is nil (#4647) by @arkodg in #4654
  • [release/v1.2] Cherry-pick release note and version bump by @arkodg in #4657
  • [release/v1.2] fix lint by @arkodg in #4659

Full Changelog: v1.2.0...v1.2.1