kgateway-dev/kgateway v2.4.0-alpha.2

Pre-release, published 3 hours ago

🎉 Welcome to the v2.4.0-alpha.2 release of the kgateway project!

Release Notes

Changes since v2.4.0-alpha.1

New Features

  • Added BackendConfigPolicy zone-aware routing with native Envoy prefer-local and force-local support, including bootstrap locality wiring for Envoy proxies. (#13978)
  • Added a requestAttributes field to the GatewayExtension ext_proc config, allowing Envoy attributes (e.g. source.address) to be forwarded to ext_proc servers. (#14109)
  • Added Envoy local reply configuration to ListenerPolicy (#14146)
  • Added an AssumeRole AWS auth type to the Backend API (spec.aws.auth.assumeRole) for per-Backend STS role chaining, used for both Lambda request signing and EC2 instance discovery. The previous spec.aws.ec2.roleArn field is replaced by spec.aws.auth.assumeRole.roleArn. (#14148)
  • EC2 backends now report an EndpointsDiscovered status condition reflecting whether runtime endpoint discovery succeeded, including credential, authorization, and zero-match failures. (#14173)
  • Added reference grant mode. (#14209)
  • Added support for GatewayHTTPListenerIsolation conformance behavior for HTTP listeners. (#14234)

Bug Fixes

  • kgateway no longer overwrites an existing Kubernetes Service for a Gateway unless the Service has a matching Gateway ownerReference or kgateway ownership metadata. (#14145)
  • Fixed a bug where a BackendConfigPolicy health check host (HTTP host or gRPC authority) was ignored for Static backends because the endpoint-level hostname overrode it, causing health checks to use the wrong Host header. (#14201)
  • Fixed route backendRefs to Hostname/ServiceEntry backends so that they resolve to the requested port on multi-port hosts. (#14212)
  • Advertise support for the Gateway API BackendTLSPolicySANValidation conformance feature. (#14214)
  • ServiceEntry clusters with workloadSelector-backed pod endpoints now respect pod readiness: NotReady pods are excluded from routing, matching the EndpointSlice-based Service behavior and enabling locality failover when all locally selected pods are NotReady. WorkloadEntry and inline ServiceEntry endpoints are unaffected. (#14222)
  • Fixed EC2 backend discovery serving endpoints resolved under an outdated config (e.g. the old port) for up to a refresh interval after a Backend spec change. Spec changes and newly created EC2 backends now trigger an immediate discovery refresh, and a credential rotation combined with a transient AWS API failure no longer drops healthy endpoints. (#14228)
  • Fixed FrontendTLS CA certificate references to be resolved in the Gateway's namespace when listeners are contributed by a ListenerSet, rather than incorrectly looking in the ListenerSet's namespace. (#14232)
  • Strict validation (KGW_VALIDATION_MODE=STRICT) now caches validation verdicts by config content hash, eliminating redundant Envoy invocations across per-client translation and recomputes. New settings: KGW_VALIDATOR_MODE (CACHE [default] | BINARY) and KGW_VALIDATOR_CACHE_SIZE (default 4096). (#14253)
  • Fixed a ListenerPolicy with clientCertificateValidation not being marked as Attached when other policies are applied to the same target. (#14278)
  • Fixed excessive DNS queries from gateway pods by rendering the xDS cluster address as a rooted FQDN (trailing dot), preventing DNS search-domain expansion under the default ndots:5 resolver config. (#14291)
  • Fixed a bug where a Gateway, Route, Backend, or ListenerSet status observedGeneration could intermittently freeze at a stale value after a spec change, due to a skew between the translation cache and the status syncer's cache. (#14302)

Cleanup

  • Added kgateway validation metrics for Envoy validation calls, cache behavior, results, and duration by validation caller. (#14026)
  • Reduced controller memory usage by interning policy ref ID strings retained in policy merge tracking. (#14217)
  • Fixed GatewayExtension equality to include the object source, and Listener equality to ignore parent object metadata churn (e.g. resourceVersion bumps from status writes), preventing missed updates and spurious recomputation. (#14248)
  • Improved strict HTTPRoute validation performance by batching full-route Envoy validation per virtual host. (#14269)

Dependency Updates

  • Upgraded Envoy to v1.38.3. (#14314)

Contributors

Thanks to all the contributors who made this release possible:

Installation

The kgateway project is available as a Helm chart and as Docker images.

Helm Charts

The Helm charts are available at:

  • cr.kgateway.dev/kgateway-dev/charts/kgateway

Docker Images

The Docker images are available at:

  • cr.kgateway.dev/kgateway-dev/kgateway:v2.4.0-alpha.2
  • cr.kgateway.dev/kgateway-dev/sds:v2.4.0-alpha.2
  • cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.4.0-alpha.2

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.4.0-alpha.2 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.4.0-alpha.2 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.
