| 1 | +--- |
| 2 | +title: Announcing Envoy Gateway v1.6 |
| 3 | +subtitle: Minor Update |
| 4 | +linktitle: Release v1.6 |
| 5 | +description: Envoy Gateway v1.6 release announcement. |
| 6 | +publishdate: 2025-11-10 |
| 7 | +release: v1.6.0 |
| 8 | +skip_list: true |
| 9 | +--- |
| 10 | + |
| 11 | +We are excited to announce the release of Envoy Gateway v1.6.0. |
| 12 | + |
| 13 | +This release delivers new capabilities across traffic management, security, extensibility, observability, and infrastructure — along with key bug fixes and performance improvements. We extend our thanks to the entire Envoy Gateway community for your ongoing contributions, feedback, and collaboration. Your efforts make each release possible. |
| 14 | + |
| 15 | +| [Release Notes][] | [Docs][docs] | [Compatibility Matrix][matrix] | [Install][] | |
| 16 | +|-------------------|--------------|--------------------------------|--------------| |
| 17 | + |
| 18 | +## What's New |
| 19 | + |
| 20 | +Envoy Gateway v1.6.0 introduces powerful enhancements, resolves critical issues, and continues to improve the platform's reliability and performance. |
| 21 | + |
| 22 | +--- |
| 23 | + |
| 24 | +## 🚨 Breaking Changes |
| 25 | + |
| 26 | +- **ALPNProtocols Default**: `ALPNProtocols` in `EnvoyProxy` Backend TLS settings now default to `[h2, http/1.1]` when not explicitly configured. |
| 27 | +- **Upstream TLS SNI**: When a `Backend` resource specifies TLS settings and SNI is not specified or a `BackendTLSPolicy` is not attached to it, the upstream TLS SNI value is now automatically determined from the HTTP Host header. |
| 28 | +- **Upstream Certificate Validation**: When a `Backend` resource specifies TLS settings and SNI is not specified or a `BackendTLSPolicy` is not attached to it, upstream certificate validation now requires DNS SAN to match the SNI value that is sent. |
| 29 | +- **MirrorPolicy Cluster Naming**: When a `MirrorPolicy` is used, the shadow host suffix is no longer automatically appended to the mirrored cluster name. |
| 30 | +- **egctl collect SDS Data**: When running `egctl experimental collect`, SDS (Secret Discovery Service) data is no longer included by default. To include SDS data, enable it by adding the `--sds true` flag. |
| 31 | +- **Consecutive Gateway Failure**: When setting `consecutiveGatewayFailure`, `enforcingConsecutiveGatewayFailure` is automatically set to 100. |
| 32 | +- **OIDC Refresh Token Behavior**: When the OIDC provider issues a refresh token, Envoy Gateway will now automatically use it to refresh access and ID tokens when they expire. To maintain the previous behavior (not using refresh tokens), set `refreshToken` to false in the OIDC authentication configuration. See https://gateway.envoyproxy.io/docs/api/extension_types/#securitypolicyspec for details. |
| 33 | + |
| 34 | +--- |
| 35 | + |
| 36 | +## 🔒 Security Updates |
| 37 | + |
| 38 | +--- |
| 39 | + |
| 40 | +## ✨ New Features |
| 41 | + |
| 42 | +### API & Traffic Management Enhancements |
| 43 | + |
| 44 | +- Added support for configuring RetryPolicy in gRPC External Authentication callouts via `SecurityPolicy` backend settings fields, allowing fine-grained control over retry behavior for authentication requests. |
| 45 | +- Added support for configuring late response headers in `ClientTrafficPolicy`, enabling headers to be added to responses after the response body has started. |
| 46 | +- Added support for configuring maximum connection duration, stream duration, and maximum requests per connection in `ClientTrafficPolicy` to provide better control over connection lifecycle and resource usage. |
| 47 | +- Added `PercentageEnabled` configuration option to ZoneAware load balancing configuration, enabling gradual rollout of zone-aware routing. |
| 48 | +- Added support for HTTP/2 stream timeout configuration, providing control over stream-level timeouts in HTTP/2 connections. |
| 49 | +- Added support for Envoy `PreconnectPolicy` in `BackendTrafficPolicy`, enabling proactive connection establishment to backend services for reduced latency. |
| 50 | +- Added support for binaryData in ConfigMap referenced by `HTTPRouteFilter` for direct response, allowing binary content to be served directly from ConfigMaps. |
| 51 | +- Added support for rate limiting based on HTTP path and method in `BackendTrafficPolicy`, enabling more granular rate limiting policies. |
| 52 | +- Added support for both Global and Local rate limiting in `BackendTrafficPolicy` simultaneously. |
| 53 | +- Added support for returning HTTP 503 Service Unavailable responses when no valid backend endpoints exist, improving observability and user experience during service outages. |
| 54 | + |
| 55 | +### Security Enhancements |
| 56 | + |
| 57 | +- Added support for mutual TLS (mTLS) configuration for ExtensionServer to enable secure communication between Envoy Gateway and extension servers. |
| 58 | +- Added `cacheDuration` configuration for remoteJWKS (Remote JSON Web Key Set) in `SecurityPolicy`, allowing customization of JWKS caching behavior for improved performance. |
| 59 | +- Added support for `DisableTokenEncryption` in OIDC authentication to disable encryption of ID and access tokens stored in cookies, providing flexibility for environments with alternative security mechanisms. |
| 60 | +- Added support for OCSP (Online Certificate Status Protocol) stapling in listener TLS certificates, improving TLS handshake performance and enabling real-time certificate revocation checking. |
| 61 | +- Added support for per-backend client TLS settings in `Backend` resources, enabling configuration of client certificates, ciphers, TLS versions, and ALPN protocols on a per-backend basis for granular TLS control. |
| 62 | +- Added support for `CSRFTokenTTL` configuration in OIDC authentication to customize the lifetime of CSRF tokens used during the OAuth2 authorization code flow, enhancing security and session management. |
| 63 | +- Added support for Certificate Revocation Lists (CRLs) in `ClientTrafficPolicy`, enabling certificate revocation checking for enhanced security. |
| 64 | +- Added support for applying `SecurityPolicy` Authorization to `TCPRoute` (client IP / allow-deny list for TCP traffic). |
| 65 | + |
| 66 | +### Infrastructure |
| 67 | + |
| 68 | +- Added support for PodDisruptionBudget (PDB) configuration for the rate limit service, improving availability during cluster maintenance operations. |
| 69 | +- Added automatic generation of TLS certificates in host mode when they do not exist, simplifying deployment and reducing manual certificate management overhead. |
| 70 | +- Added automatic implicit support for OPTIONS HTTP method when `HTTPRoute` CORS filter is used, simplifying CORS configuration for preflight requests. |
| 71 | + |
| 72 | +--- |
| 73 | + |
| 74 | +## 🐞 Bug Fixes |
| 75 | + |
| 76 | +- Fixed `%ROUTE_KIND%` operator to be properly lower-cased when used by `clusterStatName` in `EnvoyProxy` API, ensuring consistent metric naming conventions. |
| 77 | +- Fixed `maxAcceptPerSocketEvent` configuration being ignored in `ClientTrafficPolicy`, now correctly applying the configured value to limit connections accepted per socket event. |
| 78 | +- Fixed an issue where `topologyInjectorDisabled` was enabled but the local cluster was not defined, causing configuration inconsistencies. |
| 79 | +- Fixed log formatting of improper key-value pairs to prevent DPANIC errors in controller-runtime logger, improving stability and log readability. |
| 80 | +- Fixed handling of context-related transient errors to prevent incorrect state reconciliation and unintended behavior during API server communication interruptions. |
| 81 | +- Fixed an issue where the controller could not read `EnvoyProxy` resources that are attached only to `GatewayClass`, improving resource discovery and reconciliation. |
| 82 | +- Fixed adding metadata for proxyService and OIDC xDS clusters, ensuring proper metadata propagation for service discovery and authentication. |
| 83 | +- Fixed handling of millisecond-level retry durations and token TTLs in OIDC authentication, ensuring precise time-based configuration values are correctly processed. |
| 84 | +- Fixed indexer and controller crashing when `BackendTrafficPolicy` has a redirect response override, improving stability during policy configuration updates. |
| 85 | +- Fixed Lua validator log level to be suppressed by default, reducing log noise and improving performance during Lua script validation. |
| 86 | +- Fixed `ProxyTopologyInjector` cache sync race condition that caused injection failures, ensuring reliable topology injection during concurrent operations. |
| 87 | +- Fixed validation for gRPC routes with extension reference filters, ensuring proper validation and processing of gRPC routes with extension integrations. |
| 88 | +- Fixed service account token handling in `GatewayNamespaceMode` to use SDS (Secret Discovery Service) for properly refreshing expired tokens, ensuring continuous service availability. |
| 89 | +- Fixed handling of regex meta characters in prefix match replace for URL rewrite, ensuring special characters are correctly processed during URL transformations. |
| 90 | +- Disabled the default emission of `x-envoy-ratelimited` headers from the rate limit filter to reduce header bloat. Re-enable with the `enableEnvoyHeaders` setting in `ClientTrafficPolicy` if needed. |
| 91 | +- Fixed a nil pointer panic in the XDS translator when building API key authentication filter configurations with `sanitize` enabled and no `forwardClientIDHeader` set, improving stability and error handling. |
| 92 | +- Truncated Gateway API status condition messages to stay within Kubernetes limits and prevent update failures, ensuring reliable status updates for large message payloads. |
| 93 | +- Fixed an issue in `EnvoyPatchPolicy` where it didn't match the target Gateway or GatewayClass due to an incorrect name reference, ensuring proper policy application. |
| 94 | +- Fixed certificate SAN (Subject Alternative Name) overlap detection in gateway listeners, improving TLS certificate validation and error reporting. |
| 95 | +- Fixed description and translation behavior for `PreserveXRequestID` configuration, ensuring consistent request ID preservation across HTTP requests. |
| 96 | +- Fixed race condition in proxy context map used in host mode, preventing concurrent access issues and ensuring reliable proxy context management. |
| 97 | +- Fixed Listener port limit typo 65353 -> 65535. |
| 98 | +- Fixed issue where reloading invalid envoy gateway configuration. |
| 99 | +- Fixed missing JWT provider configuration when JWT authentication is configured on multiple HTTP listeners sharing the same port. |
| 100 | +- Fixed issue where header modifier doesn't permit multiple values with commas. |
| 101 | + |
| 102 | +--- |
| 103 | + |
| 104 | +## 🚀 Performance Improvements |
| 105 | + |
| 106 | +- Set `LastTransitionTime` in status conditions at subscriber instead of publisher of watcher to prevent applying unnecessary status updates. |
| 107 | +- Coalesce updates from watcher layer to skip applying intermediate states. |
| 108 | + |
| 109 | +--- |
| 110 | + |
| 111 | +## 🛑 Deprecations |
| 112 | + |
| 113 | +--- |
| 114 | + |
| 115 | +We encourage all users to upgrade to v1.6.0 to take advantage of the new features, security improvements, and performance gains. For full details, see the [Release Notes][] and updated [Documentation][docs]. |
| 116 | + |
| 117 | +[Release Notes]: ./notes/v1.6.0.md |
| 118 | +[docs]: https://gateway.envoyproxy.io |
| 119 | +[matrix]: https://gateway.envoyproxy.io/news/releases/matrix/ |
| 120 | +[Install]: https://gateway.envoyproxy.io/docs/tasks/quickstart/ |
| 121 | + |
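Review bot: the bullet "Disabled the default emission of `x-envoy-ratelimited` headers from the rate limit filter to reduce header bloat" sits under 🐞 Bug Fixes, but it is a change of default behavior that anyone relying on that header for client-side backoff, dashboards or tests will notice on upgrade, so it belongs under 🚨 Breaking Changes next to the other default changes (ALPN, upstream SNI, SDS in `egctl collect`), with the `enableEnvoyHeaders` opt-in stated there. A few more points on the same file. The 🔒 Security Updates and 🛑 Deprecations headings are empty while the closing paragraph promises "security improvements"; either state explicitly that no security fixes or deprecations ship in v1.6.0 or drop the headings, otherwise readers will assume content was lost. The `DisableTokenEncryption` entry describes switching off encryption of the ID and access tokens stored in cookies only as "flexibility for environments with alternative security mechanisms"; name the consequence (the tokens are then stored in the browser cookies unencrypted) so the option is not read as a performance knob. The "Upstream TLS SNI" and "Upstream Certificate Validation" bullets repeat the same condition with an ambiguous "SNI is not specified or a `BackendTLSPolicy` is not attached" (SNI unset, no policy, or both?) and describe one coordinated change; merge them, spell out the condition, and say why the DNS SAN check accompanies the SNI change, given that the SNI value is now derived from a client-supplied Host header. Smaller items: "`enforcingConsecutiveGatewayFailure` is automatically set to 100" should give the unit (it is a percentage in Envoy's outlier detection); "Fixed issue where reloading invalid envoy gateway configuration." is cut off and says neither what went wrong nor what happens now; the bare `https://gateway.envoyproxy.io/docs/api/extension_types/#securitypolicyspec` should use the reference-style links the rest of the file uses; and the implicit OPTIONS support for the `HTTPRoute` CORS filter is a routing feature, not Infrastructure.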