Release Announcement

Release Date: January 30, 2025

Check out the v1.3 release announcement to learn more about the release.

The Envoy Gateway v1.3.0 release brings a host of new features, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below.

🚨 Breaking Changes

Proxy Pod Template: The Container ports field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version.
TLS Defaults: ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension.
Default Passive Health Checks: Outlier detection (passive health check) is now disabled by default. Refer to BackendTrafficPolicy for working with passive health checks.
Extension Manager Fails Closed: Envoy Gateway treats errors in calls to an extension service as fail-closed by default. Any error returned from the extension server will replace the affected resource with an "Internal Server Error" immediate response. The previous behavior can be enabled by setting the failOpen field to true in the extension service configuration.
ClientTrafficPolicy Translation Failures: Envoy Gateway now return a 500 response when a ClientTrafficPolicy translation fails for HTTP/GRPC routes, and forwards client traffic to an empty cluster when a ClientTrafficPolicy translation fails for TCP routes.
Envoy Proxy Reference Failures: Any issues with EnvoyProxy reference in a Gateway will prevent the Envoy fleet from being created or result in the deletion of an existing Envoy fleet.
BackendTLSPolicy Translation Failures: Envoy Gateway now returns a 500 response when a BackendTLSPolicy translation fails for HTTP/GRPC/TLS routes.

✨ New Features

API & Traffic Management Enhancements

Compression: Added support for Response Compression in BackendTrafficPolicy CRD.
Route Order: Added support for preserving the user defined HTTPRoute match order in EnvoyProxy CRD.
Rate Limiting with Cost: Added support for cost specifier in the rate limit BackendTrafficPolicy CRD.
Gateway API 1.2 Retries: Added support for Retries (GEP-1731) in HTTPRoute CRD.
Backend Routing: Added support for referencing Backend resources in RPCRoute, TCPRoute and UDPRoute CRDs.
Response Override: Added support for status code override in BackendTrafficPolicy.

Security Enhancements

Client IP Detection: Added support for trusted CIDRs in the ClientIPDetectionSettings of ClientTrafficPolicy CRD.
API Key Authentication: Added support for API Key Authentication in the SecurityPolicy CRD.
External Auth: Added support for sending body to Ext-Auth server in SecurityPolicy CRD.
JWT Auth: Added support for configuring remote JWKS settings with BackendCluster in SecurityPolicy CRD.
Backend TLS System Trust Store: Added support for dynamic reload of System WellKnownCACertificates in BackendTLSPolicy.
Draining Endpoints: Continue using and drain endpoints during their graceful termination, as indicated by their respective EndpointConditions.

Observability & Tracing

Trace Sampling: Added support for configuring tracing sampling rate with Fraction EnvoyProxy CRD.
Static Metadata: Gateway API Route rule name is propagated to XDS metadata as sectionName.
Envoy Gateway Panics: Added metrics and dashboards for Envoy Gateway panics in watchables.

Infra

Proxy: Added support for patching HPA and PDB settings in EnvoyProxy CRD.
Rate Limit: added support for HPA in EnvoyGateway configuration.

Extensibility

External Processing Filter: Added support for Attributes, Dynamic Metadata and Processing Mode Override in EnvoyExtensionPolicy CRD.
Wasm: Added support for injecting Host Env in EnvoyExtensionPolicy CRD.
Extension Manager: Added support for configuring Max GRPC message size for the Extension Manager in EnvoyGateway configuration.

🐞 Bug Fixes

Fixed a panic in the provider goroutine when the body in the direct response configuration was nil.
Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes.
Fixed failed to update SecurityPolicy resources with the backendRef field specified.
Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname.
Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn.
Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s.
Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs.
Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected.
Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined.
Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration.
Fixed traffic splitting not working when some backends were invalid.
Fixed a nil pointer error that occurred when a SecurityPolicy referred to a UDS backend.
Fixed an issue where the Gateway API translator did not use the TLS configuration from the BackendTLSPolicy when connecting to the OIDC provider’s well-known endpoint.
Fixed a validation failure that occurred when multiple HTTPRoutes referred to the same extension filter.
Fixed a nil pointer error caused by accessing the cookie TTL without verifying if it was valid.
Fixed unexpected port number shifting in standalone mode.
Fixed an issue where the shutdown-manager did not respect the security context of the container spec.
Fixed readiness checks failing for single-stack IPv6 Envoy Gateway deployments on dual-stack clusters.
Fixed IPv6 dual-stack support not working as intended.
Fixed the ability to overwrite control plane certs with the certgen command by using a new command arg (-o).
Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap.
Fixed prometheus format conversion of ratelimit metrics for remote address.
Fixed limitations that prevented creation of FQDN Endpoints with a single-character subdomain in [Backend].
Fixed issue where SecurityContext of shutdown-manager container was not updated by overriding helm values.
Fixed issue with incorrect IPFamily detection for backends.
Fixed validation of interval values in Retry settings.

⚠️ Vulnerabilities

Fixed CVE-2025-24030 which exposed the Envoy admin interface through the prometheus stats endpoint. Refer to Advisory.

⚙️ Other Notable Changes

Envoy Upgrade: Now using Envoy v1.33.0.
Ratelimit Upgrade: Now using Ratelimit 60d8e81b.
Gateway API: Now using Gateway API v1.2.1
Envoy Gateway Base Image: Modified the base container image to gcr.io/distroless/base-nossl:nonroot.
K8s Version Matrix: Add support for Kubernetes 1.32.x in the test matrix, and remove support for Kubernetes 1.28.x.
Go Control Plane: Now using v0.13.4.
XDS Validations: Envoy Gateway validates additional resources before adding them to snapshot.
Backend Routing: Increased the maximum amount of endpoints to 64 in Backend.

What's Changed

feat: set full URI for the envoy-gateway service using name and namespace by @rajatvig in #4533
Reduce the amount of configuration logging, and make it line-delimeted friendly by @evankanderson in #4505
feat: enable load backend resources by @shawnh2 in #4535
build(deps): bump actions/setup-node from 4.0.4 to 4.1.0 by @dependabot in #4537
chore: optimized code by @zirain in #4514
build(deps): bump github/codeql-action from 3.26.13 to 3.27.0 by @dependabot in #4538
build(deps): bump distroless/static from 26f9b99 to 3a03fc0 in /tools/docker/envoy-gateway by @dependabot in #4541
build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 in /tools/github-actions/setup-deps by @dependabot in #4540
build(deps): bump github.com/replicatedhq/troubleshoot from 0.107.1 to 0.107.4 by @dependabot in #4543
build(deps): bump github.com/tsaarni/certyaml from 0.9.3 to 0.10.0 by @dependabot in #4546
build(deps): bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #4539
build(deps): bump github.com/fatih/color from 1.17.0 to 1.18.0 by @dependabot in #4545
e2e test for Gateway with EnvoyProxy by @zhaohuabing in #4548
make watching alpha CRDs optional by @arkodg in #4519
fix: validate proto messages before converting them to anypb.Any by @zhaohuabing in #4499
Fix: xds translation failed when wasm http code source configured without sha by @zhaohuabing in #4547
build(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 by @dependabot in #4544
feat(chart): Make security context configurable by @tamalsaha in #4536
helm: make eg-addons support IPv6 cluster by @zirain in #4559
ci: cleanup osv-scanner config by @shahar-h in #4579
fix egctl release artifacts by @arkodg in #4580
fix debug level logging for IR by @arkodg in #4584
docs: remove List type by @zirain in #4585
ci: enable test for dual stack cluster by @zirain in #4574
build(deps): bump the k8s-io group across 2 directories with 6 updates by @dependabot in #4542
chore: remove dump by @zirain in #4593
fix: trigger reconcile for Secret updates referenced by a BackendTLSP… by @arkodg in #4581
chore: use net.JoinHostPort by @zirain in #4599
fix keycloak ipv6 issue by @zhaohuabing in #4601
fix: Route with multiple parents has incorrect namespace in parentRef status by @zhaohuabing in #4592
add envoy-gateway binary to release artifacts by @arkodg in #4588
[release/v1.1] release v1.1.3 by @guydc in #4600
chore: donot use space in short name by @zirain in #4608
Move v1.1 docs tag to v1.1.2 by @arkodg in #4615
fix: HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses by @zhaohuabing in #4587
direct response docs and tests by @arkodg in #4583
build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 by @dependabot in #4619
build(deps): bump github.com/bufbuild/buf from 1.45.0 to 1.46.0 in /tools/src/buf by @dependabot in #4616
remove myself from maintainers by @Alice-Lilith in #4624
e2e: move apps to examples and pre-built by @zirain in #4576
fix: wasm oci image source e2e test failed when IP_FAMILY=ipv6 by @zhaohuabing in #4623
workaroud for the flaky oidc e2e test by @zhaohuabing in #4603
build(deps): bump softprops/action-gh-release from 2.0.8 to 2.0.9 by @dependabot in #4622
Set ignore_health_on_host_removal to true for static clusters by @arkodg in #4612
build(deps): bump github.com/prometheus/common from 0.60.0 to 0.60.1 by @dependabot in #4620
build(deps): bump github.com/replicatedhq/troubleshoot from 0.107.4 to 0.107.5 by @dependabot in #4621
add docker.io registry name in image name by @arkodg in #4628
docs: Jwt claim based authorization by @zhaohuabing in #4617
build(deps): bump github.com/ohler55/ojg from 1.24.1 to 1.25.0 by @dependabot in #4618
e2e: use grafana alloy instead of fluent-bit by @zirain in #4525
chore: update site docs link for latest release by @guydc in #4634
fix: push a helm chart without v in ther version by @zhaohuabing in #4636
add envoy-gateway binary to latest release artifacts by @arkodg in #4638
fix: BackendTlsPolicy specify multiple targetRefs of the same service, only one will work by @zhaohuabing in #4630
fix build by @zhaohuabing in #4641
Add release docs for v1.2.0 by @zhaohuabing in #4570
Update compatiblility matrix for v1.2. by @zhaohuabing in #4571
docs for release v1.2.0 by @zhaohuabing in #4642
docs: Active Passive Failover by @arkodg in #4637
docs: add failover docs to v1.2.0 by @zhaohuabing in #4646
Release News for v1.2.0 by @arkodg in #4650
fix panic in provider when the direct response body is nil by @arkodg in #4647
update concepts to include reference to HTTPRouteFilter by @arkodg in #4648
rm timeout section from direct response docs by @arkodg in #4649
docs: update upgrade notes by @arkodg in #4651
v1.2.1 release notes by @arkodg in #4655
docs: unhide cookiedomain for OIDC by @zhaohuabing in #4653
fix release build (#4645) by @zhaohuabing in #4652
bump version to v1.2.1 by @arkodg in #4656
v1.2.1: update helm version short code by @zhaohuabing in #4664
Docs: fix incorrect namespace mention by @klmz in #4563
Feat: add HTTPRoute-rule name to envoy route metadata by @Ido-Itz in #4561
update the lastVersionTag of the upgrade test by @zhaohuabing in #4666
api: support setting trusted CIDRs by @rudrakhp in #4500
add link to install EG in release news by @arkodg in #4674
docs: unhide jwt claim authz by @zhaohuabing in #4676
docs: add a note of helm not updating CRDs in the upgrade section by @arkodg in #4675
docs: response override by @zhaohuabing in #4668
Use custom marshaller to clarify redactions by @evankanderson in #4506
chore: net.JoinHostPort by @zirain in #4692
chore: dnsSearch on kind cluster by @zirain in #4691
build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.0 by @dependabot in #4696
build(deps): bump github/codeql-action from 3.27.0 to 3.27.1 by @dependabot in #4701
build(deps): bump sigs.k8s.io/kind from 0.24.0 to 0.25.0 in /tools/src/kind by @dependabot in #4700
build(deps): bump github.com/golangci/golangci-lint from 1.61.0 to 1.62.0 in /tools/src/golangci-lint by @dependabot in #4699
build(deps): bump the golang-org group across 2 directories with 2 updates by @dependabot in #4694
build(deps): bump github.com/google/cel-go from 0.21.0 to 0.22.0 by @dependabot in #4695
docs: fix api doc by @zirain in #4711
chore: bump golang to 1.23.3 by @zirain in #4716
fix: recover from panics that occur during envoy gateway's reconciliation by @liorokman in #4643
feat(translator): allow configuration of hostEnvKeys on WASM extensions by @sgargan in #4470
fix: remove backendrefs validation by @zhaohuabing in #4705
ci: use static file server instead of github.com by @zirain in #4715
build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates by @dependabot in #4693
fix: loosen JWT issuer validation by @ardikabs in #4662
e2e: skip some test on IPv6/non-dual by @zirain in #4726
e2e: fix EnvoyGatewayBackend/TLSRouteBackendIP test not working on IPv6 first cluster by @zirain in #4727
update OIDC docs by @zhaohuabing in #4723
doc: add standalone deployment doc by @shawnh2 in #4518
build(deps): bump github/codeql-action from 3.27.1 to 3.27.4 by @dependabot in #4733
build(deps): bump distroless/static from 3a03fc0 to d71f4b2 in /tools/docker/envoy-gateway by @dependabot in #4730
build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /examples/extension-server by @dependabot in #4737
build(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 by @dependabot in #4736
build(deps): bump github.com/bufbuild/buf from 1.46.0 to 1.47.2 in /tools/src/buf by @dependabot in #4738
build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 by @dependabot in #4735
build(deps): bump fortio.org/fortio from 1.67.1 to 1.68.0 by @dependabot in #4734
build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 by @dependabot in #4731
e2e: fix some tests by @zirain in #4729
fix: tcp listener is rejected when no route attached by @zhaohuabing in #4681
fix: translator reports errors for existing clusters and secretes by @zhaohuabing in #4707
xds: use Cluster_AUTO DnsLookupFamily by @zirain in #4740
fix: remove container's ports field by @kebe7jun in #4714
api: support disable ALPN in CTP by @guydc in #4515
docs: fix wrong description on ALSEnvoyProxyAccessLog by @zirain in #4751
xds: always use :: and IPv4Compact for dynamic listener by @zirain in #4743
dont run docs workflows on release branches by @arkodg in #4755
chore: fix unchanged files with check annotations by @zirain in #4763
docs: added JSONPatch example for modifying Bootstrap config using the EnvoyProxy resource by @alrai in #4772
build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2 by @dependabot in #4732
build(deps): bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1 by @dependabot in #4778
build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #4775
build(deps): bump github.com/google/cel-go from 0.22.0 to 0.22.1 by @dependabot in #4777
Revert "build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2" by @zhaohuabing in #4783
xds: use V4_PREFERRED dnsLookupFamily by default by @zirain in #4745
[docs] Add Teleport as an Adopter by @arkodg in #4785
community: add tencent cloud as an adopter by @Xunzhuo in #4786
Fix: frequent 503 errors when connecting to a Service experiencing high Pod churn by @zhaohuabing in #4754
chore: remove adopters.md by @Xunzhuo in #4787
api: ext-proc attributes by @guydc in #4794
[release/v1.1] release: v1.1.4 by @guydc in #4795
v1.2.2 release note by @zhaohuabing in #4788
update release process by @zhaohuabing in #4665
xds: use IPv4Compat on ready server by @zirain in #4798
xds: use ::1 if IPFamily is IPv6 on admin server by @zirain in #4801
build(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in #4774
build(deps): bump busybox from 768e5c6 to db142d4 in /tools/docker/envoy-gateway by @dependabot in #4773
use a waitGroup instead of an enabled channel in the status updater by @arkodg in #4809
fix: remove the default retry policy for jwks fetch by @zhaohuabing in #4802
[release/v1.2] release note for v1.2.3 by @zhaohuabing in #4813
Revert "[release/v1.2] release note for v1.2.3 (#4813)" by @arkodg in #4816
listen on ipv4 addresses by default by @arkodg in #4817
fix license check by @zhaohuabing in #4821
[release/v1.2] release note for v1.2.3 by @zhaohuabing in #4820
build(deps): bump the k8s-io group across 2 directories with 6 updates by @dependabot in #4776
chore: increase backend endpoints max items to 64 by @nothinux in #4822
update EG website docs links to 1.2.3 by @zhaohuabing in #4825
chore: Bump gateway api to 1.2.1 by @zhaohuabing in #4832
Update v1.2.3 release note by @zhaohuabing in #4833
Update upgrade test by @zhaohuabing in #4830
[docs] Add QuantCo as an Adopter by @arkodg in #4834
Revert "[release/v1.1] release: v1.1.4 (#4795)" by @guydc in #4836
feat(translator): ext-proc attributes by @guydc in #4796
build(deps): bump sigs.k8s.io/gateway-api from 1.2.0 to 1.2.1 in /examples/extension-server by @dependabot in #4827
build(deps): bump distroless/static from d71f4b2 to 6cd937e in /tools/docker/envoy-gateway by @dependabot in #4828
build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.7 by @dependabot in #4829
xds: fix ipFamily always nil by @juwon8891 in #4782
build(deps): bump github.com/golangci/golangci-lint from 1.62.0 to 1.62.2 in /tools/src/golangci-lint by @dependabot in #4831
refactor: reuse the filewatcher for file-provider by @shawnh2 in #4807
fix: EnvoyExtensionPolicy reference grant by @guydc in #4851
feat: add body to ext auth by @AurelienPillevesse in #4671
ci: enable ipv6 test by @zirain in #4853
chore: bump buf by @zirain in #4855
fix: btlsp section name doesn't support port name by @zhaohuabing in #4784
refactor: return 500 when BackendTLSPolicy translation fails by @alexwo in #4363
build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 by @dependabot in #4872
fix: Fix example documentation to include all the expected privileges for extension server policies by @liorokman in #4879
docs: update BackendTLSPolicy docs by @zhaohuabing in #4868
fix: outlier detection disabled by default by @lsjostro in #4856
fix: Gateway-target BTP ignored when route timeout defined by @guydc in #4860
ci: fix license scan by @shahar-h in #4887
chore: fix gen check by @zhaohuabing in #4888
chore: remove whitespace in osv-scanner config by @shahar-h in #4890
build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in #4877
build(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1 by @dependabot in #4876
build(deps): bump the golang-org group across 2 directories with 2 updates by @dependabot in #4870
ci: ignore vulnerabilities on license scan by @shahar-h in #4895
docs: customize envoyproxy dualstack by @juwon8891 in #4639
build(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in #4901
[docs] Add Titan Email as an Adopter by @arkodg in #4896
chore: fix osv license scan config and add license override by @shahar-h in #4906
[docs] added desc for titan by @luvk1412 in #4905
chore: organize go.mod require sections by @shahar-h in #4893
[release/v1.1] release: v1.1.4 by @guydc in #4899
fix: decouple gateway status updates from the reconciler by @zhaohuabing in #4767
build(deps): bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /tools/src/helm-docs by @dependabot in #4902
Fix Weighted Invalid Backend Logic by @arkodg in #4911
chore: support k8s v1.32.x by @zhaohuabing in #4898
update docsy version by @arkodg in #4914
v1.2.4 release note by @zhaohuabing in #4915
build(deps): bump golang.org/x/crypto from 0.22.0 to 0.31.0 in /tools/src/crd-ref-docs by @dependabot in #4903
docs: update site link to 1.2.4 by @zhaohuabing in #4918
chore: bump and fix gen by @zirain in #4917
build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #4921
feat: support patching on EnvoyProxy.spec.provider.kubernetes.envoyHpa and EnvoyProxy.spec.provider.kubernetes.envoyPDB by @keithfz in #4910
feat: data plane & envoyproxy resilience test suite by @alexwo in #4862
docs: Set GA4 ID by @arkodg in #4919
chore: set go version for the osv scanner by @zhaohuabing in #4941
build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 by @dependabot in #4922
fix: fixing some misleading unit test case names by @keithfz in #4934
docs: how to connect to an OIDC provider with a self-signed cert by @zhaohuabing in #4889
docs(favicon): upload icons by @Xunzhuo in #4949
build(deps): bump github.com/prometheus/common from 0.60.1 to 0.61.0 by @dependabot in #4873
build(deps): bump busybox from db142d4 to 2919d01 in /tools/docker/envoy-gateway by @dependabot in #4920
build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 in /tools/github-actions/setup-deps by @dependabot in #4924
build(deps): bump github.com/docker/cli from 27.3.1+incompatible to 27.4.0+incompatible by @dependabot in #4928
chore: fix typo by @zhaohuabing in #4958
test: add test for file-provider by @shawnh2 in #4864
build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates by @dependabot in #4926
build(deps): bump helm.sh/helm/v3 from 3.16.3 to 3.16.4 by @dependabot in #4966
build(deps): bump github.com/docker/docker from 27.3.1+incompatible to 27.4.1+incompatible by @dependabot in #4965
build(deps): bump github.com/bufbuild/buf from 1.47.3-0.20241205173812-f93c18a3b7ff to 1.48.0 in /tools/src/buf by @dependabot in #4963
build(deps): bump sigs.k8s.io/kind from 0.25.0 to 0.26.0 in /tools/src/kind by @dependabot in #4964
build(deps): bump the golang-org group across 2 directories with 3 updates by @dependabot in #4970
chore: rollback softprops/action-gh-release by @zirain in #4967
fix the incorrect binary names in the latest release by @zhaohuabing in #4962
build(deps): bump github.com/envoyproxy/go-control-plane from 0.13.1 to 0.13.2 in /examples/extension-server by @dependabot in #4973
build(deps): bump github.com/docker/cli from 27.4.0+incompatible to 27.4.1+incompatible by @dependabot in #4972
chore: bump k8s.io by @zirain in #4974
feat(default-memory-limits): set default memory limits by @ryanhristovski in #4960
Revert "feat(default-memory-limits): set default memory limits " by @zirain in #4979
chore: bump osv scanner to 1.9.2 by @zhaohuabing in #4956
build(deps): bump github.com/ohler55/ojg from 1.25.0 to 1.25.1 by @dependabot in #4980
fix: nil pointer error by @zhaohuabing in #5000
fix: shutdown-manager not respecting security context of container spec by @Dean-Coakley in #4938
build(deps): bump github.com/envoyproxy/go-control-plane from 0.13.2 to 0.13.3 in /examples/extension-server by @dependabot in #5009
build(deps): bump github.com/ohler55/ojg from 1.25.1 to 1.26.0 by @dependabot in #5008
e2e: add test case for basic auth by @zhaohuabing in #5003
build(deps): bump the golang-org group across 2 directories with 1 update by @dependabot in #5006
build(deps): bump github.com/golangci/golangci-lint from 1.62.2 to 1.63.4 in /tools/src/golangci-lint by @dependabot in #5010
feat(infra): Add rateLimitHpa support in EnvoyGateway API by @keithfz in #4983
api: support infra deployment in the gateway namespace by @cnvergence in #4982
fix: allow hostname to use subdomain with single label/character by @nothinux in #4803
fix: store one copy of HTTPRoute Extension Filters by @guydc in #5002
chore: always validate the proto messages by @zhaohuabing in #4984
fix: use tls config from BTP when connecting to the OIDC provider's well-known endpoint. by @zhaohuabing in #4857
feat(translator): preserve route order in EnvoyProxy by @guydc in #4955
ci: fix osv-scanner by @zirain in #5016
fix: explicitly set ip family and family policy in gateway spec by @tekulvw in #5019
api: lua support in EnvoyExtensionPolicy by @rudrakhp in #4932
docs: explain panic mode by @zhaohuabing in #4990
fix: enable ipv4 compat mode for dual stack cluster support by @tekulvw in #5018
bump envoyproxy/go-control-plane by @zirain in #5020
dont reset replicas when hpa is set by @arkodg in #5021
feat(translator): extension server should fail close by @liorokman in #4936
api: adds cost specifier to RateLimitRule by @mathetake in #4957
docs: fix extension-server instructions by @Dean-Coakley in #5013
fix: check before setting cookie TTL in sessionPersistence by @arkodg in #5026
fix: dont shift listener ports for Standalone mode by @arkodg in #5027
fix: validate SecurityPolicy on controller and egctl translate by @sanposhiho in #4987
feat(translator): support ext-proc dynamic metadata options by @guydc in #5023
docs: show API default value by @zirain in #5031
build(deps): bump the golang-org group across 2 directories with 2 updates by @dependabot in #5043
feat: implement API Key Auth security policy by @sanposhiho in #4986
feat: support GEP-1731 by @zirain in #5024
use distroless-base-nossl image by @arkodg in #5034
feat: implement response compression by @zhaohuabing in #5001
v1.2.5 release note by @zhaohuabing in #5049
docs: version URL and image support baseURL by @zirain in #5037
docs: add warning for GEP-1731 by @zirain in #5052
update links to v1.2.5 by @zhaohuabing in #5055
feat:support configuring xff trusted cidrs by @rudrakhp in #4702
Translation: return 500 when CTP translation fails by @zhaohuabing in #5030
build(deps): bump github.com/bufbuild/buf from 1.48.0 to 1.49.0 in /tools/src/buf by @dependabot in #5039
Skip AuthorizationClientIPTrustedCidrsTest by @arkodg in #5062
feat(translator): implement ratelimit costs by @mathetake in #5035
e2e: fix trusted cidr e2e tests for ipv6 by @rudrakhp in #5067
feat: add backend support for GRPCRoute/TCPRoute/UDPRoute by @zhaohuabing in #5038
ratelimit: make sure remote address ratelimit metrics worked as expected by @zirain in #5070
feat(certgen): add flag for certificate overwrite by @guydc in #5045
Adds *.yaml-e into .gitignore by @mathetake in #5051
chore: align yaml lint with github by @zirain in #5069
feat: support BackendCluster for Remote JWKS by @zhaohuabing in #5011
feat: continue using and drain serving endpointslices during termination by @fogninid in #4946
docs(README): intended links extension by @guspan-tanadi in #5090
update grafana dashboard and exported metrics doc for watchable_panics_recovered_total by @DeeBi9 in #5036
fix panic when updating the envoy-gateway-config configMap by @zhaohuabing in #5066
chore: detect gnu-sed by @zirain in #5092
e2e: make conformance test not rely on eg-addon by @zirain in #5091
build(deps): bump distroless/base-nossl from 2a803cc to e9554da in /tools/docker/envoy-gateway by @dependabot in #5102
build(deps): bump the golang-org group across 2 directories with 2 updates by @dependabot in #5109
build(deps): bump github.com/andybalholm/brotli from 1.0.1 to 1.1.1 by @dependabot in #5111
build(deps): bump github.com/bufbuild/buf from 1.49.0 to 1.50.0 in /tools/src/buf by @dependabot in #5101
build(deps): bump busybox from 2919d01 to a5d0ce4 in /tools/docker/envoy-gateway by @dependabot in #5103
rm overwriteControlPlaneCerts from the EnvoyGateway API by @arkodg in #5088
chore: set default filter orders by @zhaohuabing in #5095
api: adds AllowModeOverride for extproc by @mathetake in #5099
api: allow tracing sampleRate smaller than 1% by @zirain in #5096
build(deps): bump google/osv-scanner-action from f8115f2f28022984d4e8070d2f0f85abcf6f3458 to 764c91816374ff2d8fc2095dab36eecd42d61638 by @dependabot in #5106
build(deps): bump nosborn/github-action-markdown-cli from 3.3.0 to 3.4.0 by @dependabot in #5104
build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 by @dependabot in #5107
update notImplementedHide markers by @arkodg in #5122
build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.1 by @dependabot in #5105
feat(extension-manager): make grpc message size configurable by @guydc in #5077
build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2 by @dependabot in #5108
chore: bump deps by @zirain in #5124
fix the gateway accepted condition by @zhaohuabing in #5117
build(deps): bump github.com/prometheus/common from 0.61.0 to 0.62.0 by @dependabot in #5110
feat: Add support for overriding status code in response overrides by @arkodg in #4900
fix(translator): check for default FC existence before clearing it on… by @guydc in #5121
[release/v1.2] v1.2.6 release note by @zhaohuabing in #5128
tracing: support SamplingFraction by @zirain in #5125
update links to 1.2.6 by @zhaohuabing in #5132
trivy: ignore unfixed CVEs by @arkodg in #5060
add changes between v1.2.0 to v1.2.6 back to the current.yaml by @zhaohuabing in #5134
feat(translator): use SDS to deliver system trust store to support dynamic reload by @guydc in #5084
[release/v1.3] v1.3.0-rc.1 release note by @guydc in #5138
[release/v1.3] pin envoy and ratelimit image version by @guydc in #5141
[release/v1.3] release v1.3.0 cherry-pick from main by @guydc in #5179

New Contributors

@rajatvig made their first contribution in #4533
@evankanderson made their first contribution in #4505
@tamalsaha made their first contribution in #4536
@klmz made their first contribution in #4563
@Ido-Itz made their first contribution in #4561
@sgargan made their first contribution in #4470
@kebe7jun made their first contribution in #4714
@alrai made their first contribution in #4772
@AurelienPillevesse made their first contribution in #4671
@lsjostro made their first contribution in #4856
@keithfz made their first contribution in #4910
@ryanhristovski made their first contribution in #4960
@tekulvw made their first contribution in #5019
@fogninid made their first contribution in #4946
@guspan-tanadi made their first contribution in #5090

Full Changelog: v1.2.0...v1.3.0

envoyproxy/gateway v1.3.0 on GitHub