kubernetes-sigs/gateway-api v1.5.0-rc.1

on GitHub

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Major Changes Since v1.4.1

Breaking Changes

TLSRoute v1alpha2 and XListenerSet

Since TLSRoute and ListenerSet have graduated to the Standard channel, TLSRoute v1alpha2 and XListenerSet are no longer included in the Experimental channel.

Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.

Upgrades and ValidatingAdmissionPolicy

Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:

• It prevents installing Experimental CRDs once you've installed Standard CRDs.
• It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.

These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.

New Features

In this release, the following major features are moving to the Standard channel and are now considered generally available:

• Gateway Client Certificate validation (GEP-91, GEP-3567)
• Certificate selection for Gateway TLS origination (GEP-3155)
• ListenerSet support (GEP-1713)
• HTTPRoute CORS filter (GEP-1767)
• TLSRoute v1 (GEP-2643)

Additionally, the ReferenceGrant resource is moving to v1.

Experimental

• Gateway/HTTPRoute level authentication (GEP-1494)

Changes by Kind

Test

• Add conformance test to check that only Accepted Routes are considered as attachedRoute on Gateway status (#4362, @davidesalerno)
• Added conformance tests for invalid backend TLS configurations and the Gateway ResolvedRefs condition (#4389, @snorwin)
• Adds a conformance test for BackendTLSPolicy so that when a ConfigMap contents are changed, it should be reconciled by the controller. (#4360, @Thealisyed)

GEPs

• Adding initial conformance tests for XListenerSets (#3890, @davidjumani)
• Adds the AttachedListeners conditions to the Gateway status which is the count of successful ListenerSet attachments to the gateway (#4211, @davidjumani)
• Allow only static port ports for listenerSets (#4426, @davidjumani)
• Fix the description of what conditions count as a valid attachedRoute on Gateway status (#4341, @davidesalerno)
• TLSRoute gep creation (#4064, @rikatz)

Feature

• Adds TLS mode validation for TLS protocol on ListenerSet Listener. (#4451, @rostislavbobo)
• Allow implementation-specific values for wellKnownCACertificates in BackendTLSPolicy (#4401, @snorwin)
• Promote ReferenceGrant to v1 (#4458, @rikatz)
• Support for client certificate validation for TLS terminating at the Gateway is now in Standard (#4496, @kl52752)
• Support for defining Gateway client certificate when Gateways originate TLS connection to Backends is now in Standard. (#4489, @kl52752)
• TLSRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" and "v1alpha3" version of this API are deprecated and will be removed in the future. (#4439, @rostislavbobo)

Documentation

• Added a "When to Use GRPCRoute" section to the GRPCRoute API types documentation, with guidance on when to use HTTPRoute vs GRPCRoute and for controller implementers. (#4502, @kahirokunn)
• Adds the AttachedListeners conditions to the Gateway status for the GEP and details for ListenerSets conformance tests (#4205, @davidjumani)
• Define a new Reason type for Listener's Condition status to reflect invalid Client Certificate Validation Configuration for Gateway. (#4443, @kl52752)
• Updating versioning docs located at https://gateway-api.sigs.k8s.io/concepts/versioning/ (#4308, @bexxmodd)

Bug or Regression

• Added minItems=1 validation to HTTPRoute.spec.rules to prevent creation of HTTPRoute resources without any rules. (#4301, @snorwin)
• Only allow cookieConfig with type: Cookie (#4411, @LiorLieberman)

Other (Cleanup or Flake)

• Remove TCPRoute support from TLS listeners (#4427, @rikatz)
• Update the Gateway status to include AttachedListenerSets - the count of ListenerSets that have successfully attached to the gateway (#4358, @davidjumani)

Uncategorized

• Added conformance tests validating Gateway behavior for connection coalescing when SNI and Host headers do not match, including correct use of HTTP 421 for potentially misdirected requests. (#4364, @snorwin)
• Adds TLS mode validation for TLS protocol on Gateway Listener. (#4441, @rostislavbobo)
• Adds conformance tests for ListenerSets (#4445, @davidjumani)
• Https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v3.0.0 (#4453, @shuqz)
• Implement conformance test for CORS (#4494, @rikatz)
• Promote ListenerSet to standard (#4499, @davidjumani)

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.4.0
• github.com/chzyer/readline: v1.5.1
• github.com/gkampitakis/ciinfo: v0.3.2
• github.com/gkampitakis/go-diff: v1.3.2
• github.com/gkampitakis/go-snaps: v0.5.15
• github.com/ianlancetaylor/demangle: f615e6b
• github.com/joshdk/go-junit: v1.0.0
• github.com/maruel/natural: v1.1.1
• github.com/mfridman/tparse: v0.18.0
• github.com/tidwall/gjson: v1.18.0
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/pretty: v1.2.1
• github.com/tidwall/sjson: v1.2.5

Changed

• cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
• github.com/cncf/xds/go: 2ac532f → 0feb691
• github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
• github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
• github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
• github.com/google/pprof: d1b30fe → 294ebfa
• github.com/mailru/easyjson: v0.9.0 → v0.9.1
• github.com/miekg/dns: v1.1.68 → v1.1.72
• github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
• github.com/onsi/gomega: v1.38.1 → v1.39.1
• github.com/prometheus/client_golang: v1.23.0 → v1.23.2
• github.com/prometheus/common: v0.65.0 → v0.66.1
• github.com/prometheus/procfs: v0.17.0 → v0.19.2
• github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
• github.com/spf13/cobra: v1.9.1 → v1.10.2
• github.com/spf13/pflag: v1.0.7 → v1.0.10
• github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
• github.com/stretchr/testify: v1.11.0 → v1.11.1
• go.etcd.io/bbolt: v1.4.2 → v1.4.3
• go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
• go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
• go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
• go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel: v1.37.0 → v1.38.0
• go.opentelemetry.io/proto/otlp: v1.5.0 → v1.7.0
• go.uber.org/zap: v1.27.0 → v1.27.1
• go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
• golang.org/x/crypto: v0.41.0 → v0.47.0
• golang.org/x/mod: v0.27.0 → v0.32.0
• golang.org/x/net: v0.43.0 → v0.49.0
• golang.org/x/oauth2: v0.30.0 → v0.34.0
• golang.org/x/sync: v0.16.0 → v0.19.0
• golang.org/x/sys: v0.35.0 → v0.40.0
• golang.org/x/telemetry: 1a19826 → bd525da
• golang.org/x/term: v0.34.0 → v0.39.0
• golang.org/x/text: v0.28.0 → v0.33.0
• golang.org/x/time: v0.12.0 → v0.14.0
• golang.org/x/tools: v0.36.0 → v0.41.0
• google.golang.org/genproto/googleapis/api: 8d1bb00 → ab9386a
• google.golang.org/genproto/googleapis/rpc: ef028d9 → ab9386a
• google.golang.org/grpc: v1.75.1 → v1.78.0
• google.golang.org/protobuf: v1.36.8 → v1.36.11
• k8s.io/api: v0.34.1 → v0.35.0
• k8s.io/apiextensions-apiserver: v0.34.1 → v0.35.0
• k8s.io/apimachinery: v0.34.1 → v0.35.0
• k8s.io/apiserver: v0.34.1 → v0.35.0
• k8s.io/client-go: v0.34.1 → v0.35.0
• k8s.io/code-generator: v0.34.1 → v0.35.0
• k8s.io/component-base: v0.34.1 → v0.35.0
• k8s.io/gengo/v2: c297c0c → ec3ebc5
• k8s.io/kms: v0.34.1 → v0.35.0
• k8s.io/kube-openapi: d7b6acb → 589584f
• k8s.io/utils: 0af2bda → 914a6e7
• sigs.k8s.io/controller-runtime: v0.22.1 → v0.23.1
• sigs.k8s.io/controller-tools: v0.19.0 → v0.20.0
• sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → d9cc664

Removed

• github.com/kisielk/errcheck: v1.5.0
• github.com/kisielk/gotool: v1.0.0
• github.com/pkg/errors: v0.9.1
• github.com/zeebo/errs: v1.4.0
• golang.org/x/xerrors: 5ec99f8

Full Changelog: v1.4.1...v1.5.0-rc.1