🎉 Welcome to the v2.2.0 release of the kgateway project!
Release Notes
Changes since v2.1.0
Breaking Changes
- Introduces a new setting `KGW_ENABLE_EXPERIMENTAL_GATEWAY_API_FEATURES` to gate experimental Gateway API features and APIs. Defaults to false. (#12695)
- Added new AgentgatewayPolicy to replace TrafficPolicy for agentgateway. Added support for backend and frontend configuration. (#12723)
- The deprecated `spec.kube.floatingUserId` field has been removed from the GatewayParameters CRD. This field was previously used to unset runAsUser values in security contexts. When migrating, users should use the supported `spec.kube.omitDefaultSecurityContext` field instead. When set to true, this field prevents the controller from injecting opinionated default security contexts, allowing your platform (e.g. OCP) to dynamically provide the appropriate security contexts. (#12747)
- Remove AI policy from TrafficPolicy. (#12901)
- Add option to allow missing JWT. [Internal break only] Changed the gateway extension API. Providers are now nested within JWT. (#12998)
- Updated agentgateway resources to use the new `agentgateway.dev` group. DirectResponse for agentgateway is now only configurable through the AgentgatewayPolicy instead of the separate DirectResponse CRD. (#13013)
- agentgateway can no longer be configured with GatewayParameters, only with AgentgatewayParameters. (#13054)
- Split helm UX into dedicated charts for Envoy based kgateway and agentgateway (#13062)
- Renames controller kgateway.dev/agentgateway to agentgateway.dev/agentgateway, breaking legacy agentgateway installations. (#13088)
- AgentgatewayParameters rawConfig breaking change to allow configuring things such as binds in config.yaml outside of its `config` section (#13127)
- [Internal break only] TrafficPolicy `jwt` renamed to `jwtAuth`, `apiKeyAuthentication` renamed to `apiKeyAuth` (#13254)
- Agentgateway ExtAuth policies will now fail closed when the backendRef to the auth server is invalid (#13273)
New Features
- Add modelAliases support to AgentgatewayPolicy to allow friendly model name aliases. (#12479)
- Added CSRF support in agentgateway (#12516)
- Add RouteType configuration to AI backends for path-based API format routing (completions, messages, models, passthrough) (#12590)
- Allow using the kgateway.dev/http-redirect-status-code annotation to configure the allowed HTTP redirect status codes as an override API with the RequestRedirect filter. (#12610)
- Adds retry policy to configure retries for the gRPC streams associated with GatewayExtension services. (#12669)
- Allows users to define GatewayClasses using any controller. E.g., a user can create a custom GatewayClass with an arbitrary name that uses controllerName `kgateway.dev/agentgateway` to duplicate the behavior of the built-in GatewayClass `agentgateway`. A user may still choose to patch the built-in GatewayClass to change its behavior via GatewayParameters, but now it is also possible to just create a new GatewayClass that refers to equivalent GatewayParameters. One motivation: two different teams that want different GatewayParameters for class `agentgateway`. Another motivation: clean GitOps with entirely new resources, no patching required. (#12733)
- The kgateway GatewayClass now supports labels and annotations in the Gateway API infrastructure field, in addition to the previously supported parametersRef field. When a Gateway using the kgateway class specifies infrastructure labels or annotations, these values will be propagated to all managed Kubernetes resources including the Deployment, Service, ConfigMap, and ServiceAccount. When both infrastructure metadata and GatewayParameters are configured (via parametersRef or the Gateway's parametersRef field), the values are merged together. In cases where the same key is defined in both locations, the infrastructure value takes precedence over the GatewayParameters "extraLabels" or "extraAnnotations" value. This allows infrastructure-level configuration to override parameter-level settings when necessary. (#12735)
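As an added illustration of the infrastructure metadata behaviour described in the note above (this is example configuration written for this page, not a manifest from the kgateway project), the Gateway below uses the standard Gateway API `spec.infrastructure` fields. The label and annotation values, the namespace, and the GatewayParameters name are constructed; the GatewayParameters group `gateway.kgateway.dev` is assumed. If the referenced GatewayParameters sets the same `team` key under its "extraLabels", the release note states that the infrastructure value shown here wins, and that it lands on the managed Deployment, Service, ConfigMap, and ServiceAccount.

```yaml
# Added example for this page (not project code): Gateway with infrastructure
# labels/annotations that override same-key GatewayParameters extraLabels /
# extraAnnotations. Values marked "constructed" or "assumed" are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gw            # constructed
  namespace: example-ns       # constructed
spec:
  gatewayClassName: kgateway
  infrastructure:
    labels:
      team: payments          # constructed; takes precedence over an extraLabels "team" entry
    annotations:
      example.com/owner: platform-team   # constructed
    parametersRef:
      group: gateway.kgateway.dev       # assumed API group for GatewayParameters
      kind: GatewayParameters
      name: example-params              # constructed name of a GatewayParameters in the same namespace
  listeners:
  - name: http
    protocol: HTTP
    port: 80
```

A quick check after applying it is to compare the labels on the generated Deployment, Service, ConfigMap, and ServiceAccount against both this Gateway and the referenced GatewayParameters: any key present in both should carry the Gateway's infrastructure value.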
- Added event reporting for agentgateway gateways that indicates when a gateway has nacked an update (#12770)
- Added JWT Authentication configuration to the TrafficPolicy and support for JWT Providers to the GatewayExtension. (#12811)
- Add support for Azure OpenAI backends with agentgateway. (#12836)
- rustformation: implemented remove headers and some jinja custom functions (#12848)
- Introduced support for remote jwks in JWTAuthentication policies. (#12850)
- Added support for OpenAI Responses API and Anthropic token counting route types. Added prompt caching configuration for Bedrock enabling up to 90% cost reduction and significantly faster response times. (#12855)
- Add multi-network support to agentgateway syncer for cross-network workload discovery and routing in ambient mode. (#12858)
- Introduce support for basic auth, api-key auth, and inline jwt auth policies to agentgateway (#12886)
- Add support for multiple `certificateRefs` in listener `tls` section (#12895)
- support TLS termination for TCPRoutes (#12906)
- Allow configuring cipher suites, ecdh curves, minimum TLS version, maximum TLS version using tls options map. (#12917)
- add support for remote JWKS (#12939)
- Add global disable option for JWT policy (#12945)
- Adds `priorityClassName` to the Pod struct used in GatewayParameters in order to set the corresponding priorityClassName field in the gateway-proxy pod. (#12949)
- [rustformation] support parsing body as json and implemented all documented jinja custom functions (#12950)
- Add HTTP support for ExtAuth (#12952)
- Add support for circuit breakers in BackendConfigPolicy. (#12957)
- Add helm values for setting custom GatewayParameters for bundled gatewayclasses (#12960)
- Add support for configuring an API key authentication in TrafficPolicy with keys defined in secret(s) (#12962)
- Added support for MCP authentication for agentgateway. (#12966)
- Add a ListenerPolicy CRD and ProxyProtocol config in it. (#12979)
- Add basic auth configuration to TrafficPolicy. (#12983)
- Add stats matcher config to GatewayParameters (#12985)
- Add support for gzip response compression and request decompression in TrafficPolicy. (#12986)
- Add earlyRequestHeaderModifier to HTTPListenerPolicy. This allows performing header modifications before a route is selected. (#12992)
- add regex path rewrite (#13001)
- Added metrics and logs for envoy xDS errors. (#13003)
- Support setting of tls options in connections to remote jwks sources. (#13014)
- Add PerConnectionBufferLimit to ListenerPolicy. Deprecate the PerConnectionBufferLimit annotation on Gateway resources. (#13016)
- Added a new AgentgatewayParameters API in `agentgateway.dev/v1alpha1` (#13018)
- Adds OAuth2 policy to enable OAuth2 and OIDC flows with Envoy as the Gateway. (#13051)
- Implement FrontendTLSConfig in the Gateway API. Implementation specific details: allow multiple `caCertificateRefs`; allow `caCertificateRefs` to reference secrets as well as configmaps; added the `kgateway.dev/verify-certificate-hash` listener TLS option to allow configuration of client certificate validation. (#13064)
- Support Gateway.spec.addresses. We currently support one IP address type value that will be used in the gateway's Service loadbalancerIP. (#13070)
- Added `kgateway.dev/verify-subject-alt-names` TLS option (#13097)
- OAuth2: allow customizing cookie settings and denying redirects for matching requests. (#13099)
- Added `mode` for MCP authentication and support for `Unspecified` IDPs. (#13111)
- backendTLSPolicy: support secret ref kind for caCertificateRefs (#13117)
- Add new multi-arch controller image for agentgateway (#13194)
- Support Gateway.spec.addresses for agentgateway (#13197)
- Bump Agentgateway to 0.11.0. Add support for Canadian Social Insurance Number prompt guards for Agentgateway (#13199)
- Added configuration for stateful/stateless session routing for mcp backends. (#13201)
- Added timeout to agentgateway's ExtAuth policy (#13202)
- Add `disable` field to API key authentication in TrafficPolicy, allowing routes to selectively opt out of gateway-level authentication requirements. (#13217)
- Added support for CipherSuite configuration on frontend tls policy. (#13219)
- support maxRequestHeadersKb field in ListenerPolicy (#13224)
- Added tracing support for AgentgatewayPolicy. (#13226)
- PodDisruptionBudget and HorizontalPodAutoscaler are now options for the agentgateway proxy via AgentgatewayParameters. (#13237)
- PodDisruptionBudget is now an option for the agentgateway and envoy control planes. (#13238)
- add `preserveExternalRequestId` and `generateRequestId` to `HttpListenerPolicy` and `ListenerPolicy`; users can now disable the generation of Request ID and preserve external request ID (#13250)
- switch to rustformation by default (#13319)
- Add multi-arch support for kgateway with envoy using upstream envoy for ARM. Strict validation is currently not supported for transformation policies with multi-arch builds. (#13356)
Bug Fixes
- The `agentgateway.enabled` Helm parameter is now enabled by default. Note: this just enables the controllers for agentgateway; agentgateway is not deployed until a Gateway is created. The agentgateway control plane has been refactored, improving performance by up to 25x. (#12415)
- Fixed TCP Routes translation in agentgateway. (#12578)
- Propagate backend error to backend crd status (#12608)
- agentgateway: Bumps version from 0.10.2 to 0.10.3. (#12665)
- Fix policy status Attached condition true when Accepted=false (#12691)
- Fixed HTTPRoute mirror filters to support multiple mirrors per rule and correct percentage-based mirroring. Previously, percentage values were off by 100x (e.g., 50% mirrored only 0.5% of traffic). (#12734)
- Fix a bug where agw did not work with listenersets allowed by the namespace selector (#12838)
- Clear stale HTTPRoute status after the route has all invalid ParentRefs (#12852)
- Clear stale TrafficPolicy and HTTPListenerPolicy status after the policy has all invalid TargetRefs (#12883)
- Fixed mcp authorization parsing for backend policy on AgentgatewayPolicy. (#12897)
- fix: set default alpn on transport socket. Allow configuring ALPN protocols using the kgateway.dev/alpn-protocols TLS option (#12903)
- Fix a bug where a listener on a listenerset can not read a secret in its own namespace (#12936)
- Enforce ReferenceGrants for cross namespace Secrets references used by XListenerSets (#12954)
- Fixed agentgateway global ratelimit translation for token unit. (#12959)
- Fixed issue with stale configuration when changing a service traffic distribution. (#13005)
- Fixes a bug with GatewayParameters on a Gateway that use OmitDefaultSecurityContext when parameters are also present on the GatewayClass. (#13046)
- Use TARGETPLATFORM when building envoyinit container (#13048)
- Enhanced agentgateway backend error handling and status condition propagation. (#13073)
- Support DNS lookup family settings in the ingress-use-waypoint cluster config (#13085)
- Server-side apply field manager name cleanup. (#13108)
- Fixed agentgateway passthrough auth policy. (#13125)
- Fixed the AI prompt guard api to align with other enums: `MASK` is now `Mask` and `REJECT` is now `Reject`. These are enforced by CEL in the API. (#13177)
- Detect the port for listeners without a defined port. It selects 80 for HTTP and 443 for HTTPS. Other protocols do not support automatic port detection and listeners without a defined port are not accepted (#13253)
- Header lookups in rustformation are now correctly case-insensitive (#13386)
- Fixed the ancestor ref on AgentgatewayPolicy to resolve to Gateway. (#13387)
Deprecations
- HTTPListenerPolicy is now deprecated. Use the httpSettings under ListenerPolicy instead. (#13066)
- Deprecate `agentgateway` fields for `GatewayParameters` (#13101)
Documentation
- Add rate limiting tests (#12538)
- CRDs now include descriptions for fields (#12626)
- Updates API docs regarding server-side apply (SSA) and AgentgatewayParameters (#13300)
- Updates API docs regarding server-side apply (SSA) and AgentgatewayParameters (#13306)
Cleanup
- Added support for PartiallyValid on agentgateway TrafficPolicies. (#12454)
- Use native envoy per-route config in rustformation dynamic module (#12499)
- Add the HTTPRouteCORS conformance test to the supported features (#12593)
- cleanup: remove NET_BIND_SERVICE from data plane pods. (#12624)
- Added codeowners for kgateway for API maintainers and CI maintainers. (#12635)
- updated envoy to v1.36.2 (#12685)
- Support for InferencePool with the `kgateway` class, which was deprecated in v2.1, has been removed. Support is available with the `agentgateway` class. (#12689)
- Support for AI backends with the `kgateway` class, which was deprecated in v2.1, has been removed. Support is available with the `agentgateway` class. (#12690)
- Helm chart cleanup re: appVersion/version which should better support Flux. (#12730)
- rustformations module reorganization, doc and build improvement (#12764)
- Use the TransformationPolicy API directly as rustformation config (#12803)
- Removes the deprecated spec.kube.aiExtension from the GatewayParameters API. Users should migrate to using the agentgateway dataplane for AI capabilities. (#12840)
- Adds TCPRoute and TLSRoute to the list of gated experimental gateway API features. Enable experimental gateway API features by default. (#12881)
- Inference: Moves InferencePool status code to agentgateway package. (#12902)
- Removed enabled from agentgateway in GatewayParameters, as it should only use controllerName to know whether it is agentgateway or envoy (#13017)
- Isolated GoReleaser build tool dependencies to separate tools submodule, reducing main module size by ~31% (#13205)
- Switched to credential_injector filter for xds Authorization header (#13212)
- Migrated from deprecated `dockers` + `docker_manifests` to `dockers_v2` in GoReleaser configuration (#13218)
- Envoy controller: Changes the k8s Container name from 'kgateway' to 'controller' (#13232)
- updated to use envoy 1.36.4; prep for multi-arch build (#13242)
- updated to use envoy 1.36.4; prep for multi-arch build (#13288)
- [rustformation] create per config minijinja env (#13289)
- [rustformation] create per config minijinja env (#13304)
Dependency Updates
- bump envoy-gloo to v1.36.3-patch1 (#13058)