π Welcome to the 1.1.0 release of the agentgateway project!
Artifacts
Docker images are available:
cr.agentgateway.dev/agentgateway:v1.1.0cr.agentgateway.dev/controller:v1.1.0
Helm charts are available:
cr.agentgateway.dev/charts/agentgateway:v1.1.0cr.agentgateway.dev/charts/agentgateway-crds:v1.1.0
Binaries are available below.
Quick Start
Follow the Kubernetes or Standalone quick start guide to get started!
π₯ Breaking changes
MCP authentication moved to route level
MCP authentication is now configured at the route level. This aligns MCP auth with other route-level policies and allows JWT claims to be reused in authorization, rate limiting, and transformations.
- Kubernetes: MCP authentication is configured under
traffic.jwtAuthentication.mcpofAgentgatewayPolicyinstead ofbackend.mcp.authentication. The previousbackend.mcp.authenticationfield is deprecated but still works for backward compatibility. If both are set on the same route, the backend-level configuration is ignored. For more information, see Set up MCP auth. - Standalone: MCP authentication is configured under
routes[].policies.mcpAuthentication. No YAML structure changes are required for existing standalone configs, but any automation that treats MCP authentication as a backend-level concept should be updated. For more information, see MCP authentication.
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayPolicy
metadata:
name: mcp-authn
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: HTTPRoute
name: mcp
traffic:
jwtAuthentication:
mode: Strict
providers:
- issuer: http://keycloak.example.com/realms/myrealm
audiences:
- http://localhost:8080/mcp
jwks:
remote:
backendRef:
name: keycloak
kind: Service
namespace: keycloak
port: 8080
jwksPath: /realms/master/protocol/openid-connect/certs
mcp:
provider: Keycloak
resourceMetadata:
resource: http://localhost:8080/mcp
scopesSupported:
- email
bearerMethodsSupported:
- headerAdditionally, on AgentgatewayBackend, previously an MCP authentication and MCP authorization policy could be attached to spec.mcp.targets.static.policies.mcp.{authentication,authorization}.
These fields were not intended to be able to be set, and had no impact on the behavior of the proxy.
These fields are now removed.
If you previously set these fields (which, again, had no behavioral impact and was ignored) these will now fail to be applied.
π New features
OIDC browser authentication (Standalone)
A new oidc route policy provides built-in OpenID Connect browser authentication with PKCE support, encrypted session cookies, and automatic redirect handling. The OIDC policy is a native alternative to deploying an external proxy like oauth2-proxy.
policies:
oidc:
issuer: http://keycloak.example.com/realms/myrealm
clientId: agentgateway-browser
clientSecret: my-secret
redirectURI: http://localhost:3000/oauth/callback
scopes:
- profile
- emailFor more information, see OIDC browser authentication.
Network authorization
A new networkAuthorization policy enables Layer 4 network authorization for non-HTTP traffic based on source IP, port, and mTLS client identity. You can combine it with HTTP authorization for layered L4+L7 controls.
- Kubernetes: Available under
frontend.networkAuthorization. For more information, see Policies. - Standalone: Available under
frontendPolicies.networkAuthorization. For more information, see Network authorization.
Authorization require rules
Authorization policies now support require rules in addition to allow and deny. All require rules must match for the request to proceed, which provides clearer semantics for expressing mandatory conditions.
MCP improvements
- Stateless sessions: OpenAPI and SSE upstreams can now use stateless sessions. For Kubernetes docs, see Stateful MCP. For Standalone docs, see OpenAPI connectivity and Backends.
- Explicit service reference lists: MCP backends can specify targets with explicit service references. For Kubernetes docs, see Static MCP.
- Tool payloads in CEL context: Tool names and payloads are available in CEL expressions for logging.
LLM gateway enhancements
- Path prefixes: LLM providers now support custom API base path prefixes. For Standalone docs, see Providers.
- Azure default authentication: Azure OpenAI providers can use platform-default authentication. For Kubernetes docs, see Azure OpenAI. For Standalone docs, see Azure.
- Vertex region optional: Vertex AI region configuration is now optional with a global default. For Kubernetes docs, see Vertex AI. For Standalone docs, see Vertex AI.
What's Changed
- fix keycloak mcp auth by @npolshakova in #1306
- deps: try dependabot by @howardjohn in #1303
- build(deps): bump rustls-webpki from 0.103.9 to 0.103.10 by @dependabot[bot] in #1309
- feat(llm): azure default authentication by @jgreeer in #1033
- perf: optimize timecaching and client string allocation by @BV-Venky in #1315
- cel: catch struct usage by @howardjohn in #1319
- policy: better failure modes for translation failures by @howardjohn in #1245
- controller: do not allow policy backends to target InferencePool by @howardjohn in #1321
- refactor: remove some setup indirection. by @howardjohn in #1320
- controller: consistently use Gateway as policy parent by @howardjohn in #1323
- proxy: respect Service SANs field by @stevenctl in #1322
- cel: fix lookup string in list by @howardjohn in #1324
- cel: fix LLM RL by avoiding using removed req extensions by @howardjohn in #1317
- helm: add valueFrom support to extraEnv by @lgadban in #1329
- release: fix chart registry by @howardjohn in #1336
- feat(vertex): make region optional with global default by @rajatvig in #1330
- controller: add backend plugins and extensible reference types by @howardjohn in #1326
- Use TLSRoute v1 for status writing by @howardjohn in #1325
- Bump cargo deps by @howardjohn in #1327
- controller: more extension points by @howardjohn in #1342
- fix: route non-success streaming responses through buffered error path by @akos-zsolt-toth in #1348
- ci: pin GHA by @howardjohn in #1350
- Better rendering of json schema to markdown by @howardjohn in #1343
- expose ancestor backends from plugins by @stevenctl in #1351
- allow plugging in parentRef resolution by @stevenctl in #1352
- feat(mcp): merge upstream instructions when multiplexing by @tot19 in #1347
- Add auto-TLS protocol detection with BindProtocol::auto by @EItanya in #1333
- controller: better CRD documentation formatting by @howardjohn in #1354
- controller: refactor out MCP translation by @howardjohn in #1356
- read oas doc servers and pick out the path prefixes, not the full ser⦠by @christian-posta in #1289
- allow attaching routes to services by @stevenctl in #1353
- feat(mcp): Expose tool payloads on the MCP CEL context by @apexlnc in #1331
- build(deps): bump the npm_and_yarn group across 1 directory with 1 update by @dependabot[bot] in #1360
- fix: coalesce consecutive same-role messages in Bedrock Converse translation by @akos-zsolt-toth in #1358
- authorization: add new Require mode by @howardjohn in #1223
- build(deps): bump requests from 2.32.5 to 2.33.0 in /examples/a2a/strands-agents in the uv group across 1 directory by @dependabot[bot] in #1362
- feat(llm): add support for path prefix by @markuskobler in #1364
- Update cargo deps by @howardjohn in #1112
- Add k8 support for setting a llm provider path prefix by @markuskobler in #1365
- cel: add sha256, sha1, and md5 encoding by @howardjohn in #1338
- More CEL validation in controller by @howardjohn in #1287
- Add network authorization policy by @howardjohn in #1363
- control: add failure mode to ext authz and remote Rl by @howardjohn in #1270
- add test for network authz by @howardjohn in #1368
- Better handle invalid route backends by @howardjohn in #1339
- mcp: when stdio server fails, send error to client by @howardjohn in #1377
- Update architecture diagram by @rvennam in #1379
- Update README key features, description, and getting started section by @rvennam in #1380
- bedrock: respect buffer limit by @howardjohn in #1378
- Controller: refactor dead code and weird packages by @howardjohn in #1375
- build(deps): bump cryptography from 46.0.5 to 46.0.6 in /examples/a2a/strands-agents in the uv group across 1 directory by @dependabot[bot] in #1388
- build(deps): bump path-to-regexp from 8.3.0 to 8.4.0 in /ui in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1387
- feat(metrics): add retry metrics by @rajatvig in #1393
- build(deps): bump the cargo-weekly group with 8 updates by @dependabot[bot] in #1394
- fix: use protocol-filtered matching in detect_misdirected by @EItanya in #1395
- mcp: allow explicit list of service refs by @howardjohn in #1381
- Filter unused secrets by @howardjohn in #1383
- mcp: allow OpenAPI and SSE stateless sessions by @howardjohn in #1399
- mcp authentication: move to route level by @howardjohn in #1357
- feat: support OTEL_SERVICE_NAME and OTEL_RESOURCE_ATTRIBUTES env vars by @ExpertVagabond in #1396
- fix finding listener for HBONE path by @stevenctl in #1403
- Prune unused deps in cargo by @howardjohn in #1404
- fix: Vertex AI compatibility for Claude Code proxy requests by @ksc98 in #1359
- Wait for bind before becoming ready by @howardjohn in #1407
- fix(mcp): propagate maxBufferSize to MCP upstream HTTP requests by @adschwartz in #1413
- llm: support serviceTier, image and audio tokens by @howardjohn in #1414
- client: better error messages by @howardjohn in #1416
- feat(auth): Add built-in OIDC browser auth flow by @apexlnc in #1233
- nightly: add a usable helm tag by @howardjohn in #1376
- api: do not allow invalid MCP policies by @howardjohn in #1374
- Fix make run: no v prefix by @npolshakova in #1422
- controller: stricter controller securityContext by default by @howardjohn in #1406
- Misc refactoring after oidc by @howardjohn in #1424
- cleanup logging: executor is now cheap by @howardjohn in #1425
- cleanup misc hyper-util cruft that is unused by @howardjohn in #1431
- ext_proc: better handling of immediate response and fail_open by @howardjohn in #1430
- Add tests for reference grant by @howardjohn in #1428
- Enhance waypoint support in proxy by @howardjohn in #1185
- Use agentgateway.dev annotations by @npolshakova in #1439
- proxy: apply service targeted policy by @stevenctl in #1441
- xds: cleanup error paths that cannot fail by @howardjohn in #1432
- Move proxy-test CI config validation to Rust integration tests by @Copilot in #1468
- .github/workflows: Migrate workflows to Blacksmith runners by @blacksmith-sh[bot] in #1473
- Add sponsors to readme by @howardjohn in #1479
- make sponsor icon bigger by @howardjohn in #1480
- Bump Istio dependency by @ymesika in #1477
- controller: faster deployer tests by @howardjohn in #1469
- fix(controller): Service-targeted policies dropped due to init ordering and missing PolicyAttachment traversal by @ruigulala in #1474
- build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in the go_modules group across 1 directory by @dependabot[bot] in #1481
- Fix #900: system-assigned managed identity crashes with NoopClient panic by @stbattula-research in #1433
- fix: make index lookup nil-safe after Istio bump by @howardjohn in #1483
- update async-openai with new types by @filintod in #1453
- fix(llm/bedrock): correct output_index in Responses API stream events by @filintod in #1455
- build(deps): bump aiohttp from 3.13.3 to 3.13.4 in /examples/a2a/strands-agents in the uv group across 1 directory by @dependabot[bot] in #1427
- feat: add cacheMessageOffset to PromptCachingConfig by @akos-zsolt-toth in #1412
- api: documented that backend MCP auth is deprecated by @howardjohn in #1437
- fix(ui): parse namespace from service name when matching A2A policies by @syn-zhu in #1487
- build(deps): bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #1489
- mcp: omit expected 405 error logs by @howardjohn in #1484
- restrict nightly workflow to upstream repo only by @Copilot in #1466
- fixup release post-blacksmith by @howardjohn in #1493
- test: add MCP level tests for extauth and ratelimit policies by @rajatvig in #1421
- allow expanding references in traffic plugin by @stevenctl in #1482
- feat: support OTEL_SERVICE_NAME and OTEL_RESOURCE_ATTRIBUTES env vars by @markdingram-anaplan in #1452
- build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from 0.14.0 to 0.19.0 in the go_modules group across 1 directory by @dependabot[bot] in #1495
- fix(openai): passthrough responses input by @filintod in #1454
- fix: handle missing fields in Vertex AI Gemini completions responses by @rajatvig in #1465
- Headers by @therealmitchconnors in #1497
- allow plugins to effect route status by @stevenctl in #1499
- adding support to handle limit field to override with dynamic metadata by @day0ops in #1373
New Contributors
- @dependabot[bot] made their first contribution in #1309
- @jgreeer made their first contribution in #1033
- @BV-Venky made their first contribution in #1315
- @rajatvig made their first contribution in #1330
- @akos-zsolt-toth made their first contribution in #1348
- @tot19 made their first contribution in #1347
- @ExpertVagabond made their first contribution in #1396
- @ksc98 made their first contribution in #1359
- @adschwartz made their first contribution in #1413
- @blacksmith-sh[bot] made their first contribution in #1473
- @ruigulala made their first contribution in #1474
- @stbattula-research made their first contribution in #1433
- @markdingram-anaplan made their first contribution in #1452
- @therealmitchconnors made their first contribution in #1497
- @day0ops made their first contribution in #1373
Full Changelog: v1.0.1...v1.1.0