github kgateway-dev/kgateway v2.4.0-alpha.1

Pre-release (published 4 hours ago)

🎉 Welcome to the v2.4.0-alpha.1 release of the kgateway project!

Release Notes

Changes since v2.3.0-rc.1

Breaking Changes

  • Breaking: Using APIs to override image tags clears any digest. Non-breaking: Using APIs to change image digests now clears the image tag by default. Kubernetes did not use the tag when a digest was provided, and you can still provide both if you choose.

    This break applies only to users who have GatewayParameters that use a non-empty sha256 image digest. (Default parameters only use image tags, never image digests.) (#13953)

  • Removed deprecated perConnectionBufferLimitBytes gateway annotation support. Use ListenerPolicy instead. (#14156)

New Features

  • Add support for gateway-level TrafficPolicy application to routes. TrafficPolicies attached to Gateways now apply to child HTTPRoutes, with route-level policies taking precedence over gateway-level ones. (#13596)
  • Add filterStage configuration to ExtProc GatewayExtension, allowing control over filter chain positioning via stage, predicate, and weight fields. (#13845)
  • Add GatewayParameters.spec.kube.envoyContainer.bootstrap.staticListenerProxyProtocol to enable the Envoy PROXY protocol listener filter on the readiness listener port. (#13879)
  • TrafficPolicy headerModifiers now supports secret-backed header values via secretRef on set/add entries. name and key are both optional: each defaults to the other when only one is specified, and omitting both injects all entries from the secret as headers. The secret namespace defaults to the policy namespace. Cross-namespace references require a ReferenceGrant. (#13880)
  • Add maxRequestsPerConnection to ListenerPolicy.httpSettings to cap downstream keepalive connections per client. Useful for rebalancing long-lived HTTP/2 and gRPC connections across gateway pods when using L4 load balancers such as AWS NLB. (#13922)
  • Added forwardClientCertDetails to httpSettings on ListenerPolicy for forwarding selected fields of the downstream client certificate to upstream backends via the x-forwarded-client-cert (XFCC) header. (#13925)
  • Added AWS EC2 backend support behind the controller.enableAwsEc2Discovery setting, allowing Backend resources to dynamically discover tagged EC2 instances and route to them through Envoy EDS. Lambda backends now prefer spec.aws.lambda.accountId, while the existing top-level spec.aws.accountId remains supported for backward compatibility. (#13961)
  • Added http2ProtocolOptions support to ListenerPolicy and HTTPListenerPolicy for configuring downstream HTTP/2 settings on Envoy listeners. (#13991)
  • Add downstream TCP keepalive configuration to ListenerPolicy. (#13994)
  • Add kgateway_routing_replacements_total counter metric. (#14019)
  • Users can now customize the readiness and startup probes. (#14020)
  • Added stripHostPortMode to ListenerPolicy HTTPSettings, providing the option to strip ports from Host/authority headers before forwarding to upstream backends. (#14031)
  • Add merge semantics for BackendConfigPolicy and define precedence between BackendConfigPolicy and BackendTLSPolicy when both target the same backend. (#14043)
  • Add an opt-in admin bind address setting for the kgateway control-plane admin server. (#14135)
  • Add optional jwksBackendRef field to OAuth2JWTConfig in GatewayExtension, allowing JWKS endpoint to be fetched through a different backend than the OAuth2 token endpoint. (#14147)
  • Added max_headers_count setting to ListenerPolicy. (#14188)

Bug Fixes

  • The controller Helm chart omits Prometheus annotations only if explicitly configured to do so, whereas before any ServiceMonitor usage would cause their omission. (#13981)
  • Implemented http-acl policy merge logic. (#13996)
  • Fixed strict validation on delegating routes. (#14000)
  • Fixed Gateway deployment apply operations to respect controller cancellation, preventing in-flight resource patches from continuing after the controller is shutting down. (#14013)
  • Fixed a bug that could lead to multiple leaders during upgrades. (#14017)
  • Fix STRICT validation for BackendConfigPolicy when tls.wellKnownCACertificates is set to System. (#14037)
  • Fix xDS TLS env var name in Helm chart: KGW_XDS_TLS_ENABLED is renamed to KGW_XDS_TLS to match the runtime settings key. Users who set controller.xds.tls.enabled: true will now have xDS TLS correctly enabled without requiring a manual extraEnv workaround. (#14050)
  • Fixed BackendTLSPolicy status reporting for TCPRoute and terminated TLSRoute backends. (#14071)
  • Fixed HTTPRoute RequestRedirect handling so redirect Location headers no longer include default ports (:80 for HTTP, :443 for HTTPS). (#14086)
  • Backend translation errors are now surfaced on the Backend's Accepted status condition. (#14113)
  • Bundled the dynamic module in the controller image to fix strict validation. (#14119)
  • Always set the Path attribute to / for cookie-based session persistence. (#14124)
    Note: This intentionally differs from the behavior that GEP-1619 describes. If you wish to mimic the per-matched-path session persistence specified there, use multiple rules with different cookie names.
  • Fix: allow all X.509 certificates that Envoy itself allows, regardless of the sign of the serial number. (#14154)
  • Fix global rate limit descriptor translation: multiple descriptors now correctly produce separate Envoy RateLimit actions instead of being merged into a single combined action. (#14157)
  • Register the xDS TLS certificate watcher with the controller manager so that failures to start it are surfaced as fatal errors rather than silently disabling certificate rotation. (#14187)

Cleanup

  • Bumped the Alpine base image used to build images. (#14051)

Dependency Updates

  • Upgraded Envoy to 1.38.1. (#14004)
  • Default Istio proxy version bumped. (#14056)
  • Because v2.3.0 has been released, v2.4.0-main is now the rolling tag for the very latest main prerelease artifacts. (#14099)
  • Updated dependencies. (#14103)

Contributors

Thanks to all the contributors who made this release possible:

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm charts are available at:

  • cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

  • cr.kgateway.dev/kgateway-dev/kgateway:v2.4.0-alpha.1
  • cr.kgateway.dev/kgateway-dev/sds:v2.4.0-alpha.1
  • cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.4.0-alpha.1

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.4.0-alpha.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.4.0-alpha.1 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.
