Releases: kgateway-dev/kgateway
Releases · kgateway-dev/kgateway
v2.3.0-beta.7
🎉 Welcome to the v2.3.0-beta.7 release of the kgateway project!
Release Notes
Changes since v2.3.0-beta.6
New Features
- Implement Gateway API BackendTLSPolicy core conformance semantics, including Gateway ancestor status reporting, ResolvedRefs conditions, and deterministic conflict handling. (#13801)
Bug Fixes
- Add support for Gateway backend client certificates via Gateway.spec.tls.backend.clientCertificateRef. (#13705)
- Fix a reconnect-time xDS race where Envoy could briefly receive routes and listeners before all referenced backend clusters were present, causing transient NC/500 responses during controller restart. (#13868)
- fix: PathPrefix now ignores trailing slash (#13893)
- SDS updates now retries reading a secret until tls.X509KeyPair() confirms the cert and private key match, and the fsnotify loop now debounces bursts of file events for 500ms before attempting a reload. (#13932)
- fix: PathPrefix path match now ignores trailing slash (#13938)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.0-beta.7
- cr.kgateway.dev/kgateway-dev/sds:v2.3.0-beta.7
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.0-beta.7
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.0-beta.7 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.0-beta.7 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.3.0-beta.6
🎉 Welcome to the v2.3.0-beta.6 release of the kgateway project!
Release Notes
Changes since v2.3.0-beta.5
New Features
- Add runtime_filter to available accessLog filters (#13825)
- Add
auth_succeededmetadata after successful authentication (#13846) - Added
allowRequestsWithoutProxyProtocoltoListenerPolicy.proxyProtocolto support a single listener to accept both PROXY and direct connections. (#13870) - Add
trackRemainingfield toBackendConfigPolicycircuit breakers. When set totrue, Envoy populates theremaining_cx,remaining_pending,remaining_rq, andremaining_retriesgauge statistics for the circuit breaker threshold group, enabling observability of remaining capacity. Defaults tofalse. (#13884) - Support exclusion of WorkloadEntries by label keys (#13888)
- Added
spec.kube.envoyContainer.extraArgsto GatewayParameters so users can pass additional Envoy CLI arguments to the managed proxy container. (#13897) - Added HTTP ACL filter to envoy dynamic module (#13903)
- Added HTTP ACL Feature (#13906)
Bug Fixes
- Fixes compatibility with more versions of the Gateway API regardless of which channel (standard or experimental) is installed. The TLSRoute CRD was not working with the standard channel at any version that included TLSRoute v1, leading to a crash on startup or to incorrect TLSRoute status and passthrough behavior. (#13806)
omitDefaultSecurityContextno longer erases envoy security context overrides when GatewayParameters are present on both the Gateway (omitting) and the GatewayClass (not omitting). (#13811)- Ensure data plane pods do not become ready prior to retrieving configuration from the control plane. (#13832)
- Fix nodePort being ignored for LoadBalancer services in GatewayParameters. (#13864)
- Multiple TCPRoutes attached to the same listener now report Accepted=False/Reason=Conflicted on losing routes instead of silently dropping them. (#13883)
- fixes an issue where when a requestRedirect filter attaches to multiple Gateway listeners on different ports, every listener's redirect emits the same (wrong) port (#13894)
- Fix ID or access token only decoding in OAuth2 traffic policy (#13901)
- Fix TrafficPolicy RBAC
action: Denyincorrectly denying all traffic when using CEL match expressions. (#13911)
Cleanup
- Re-structured dynamic modules to make adding new filters easier (#13869)
- Optimizes watching Kubernetes Secrets (#13875)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.0-beta.6
- cr.kgateway.dev/kgateway-dev/sds:v2.3.0-beta.6
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.0-beta.6
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.0-beta.6 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.0-beta.6 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.3.0-beta.5
Release Notes
Changes since v2.3.0-beta.4
New Features
- Add Envoy network RBAC support to ListenerPolicy for IP-based access control at the network layer (#13528)
- Enable parsing and verification of OAuth2/OIDC access and ID tokens as JWT with dynamic metadata support (#13558)
- Expose Envoy's
body_formatforDirectResponse(#13678) - Added
upstreamProxyProtocolfield toBackendConfigPolicyto support sending PROXY protocol headers to upstream backends (#13689) - Deployments can be scaled to zero. (#13712)
- Add DNS refresh rate and jitter configuration to BackendConfigPolicy (#13722)
- Add fault injection support to TrafficPolicy for chaos engineering and resiliency testing. Supports delay injection, abort injection (HTTP/gRPC), response rate limiting, and per-route disable override. (#13730)
- rustformation: allow default buffering behavior to be bypassed; auto-detect websocket and other tunnel upgrade request to bypass buffering; (#13796)
kubectl get DirectResponseshows ACCEPTED and ATTACHED columns. (#13834)- Adds the ability to set request and response dynamic metadata via rustformations (#13835)
Bug Fixes
- Fixed BackendTLSPolicy not being attached when
sectionNameis specified intargetRefs. (#13780) - Fix context leak in cliPortForwarder when StdoutPipe or StderrPipe fails (#13781)
- Fixed a TOCTOU race in OIDC provider config discovery that could cause redundant HTTP requests when the cache is refreshed under concurrent access. (#13797)
- Bump github.com/go-jose/go-jose/v4 to v4.1.4 to address GHSA-78h2-9frx-2jm8. (#13821)
Cleanup
- Replace usage of Envoy STRICT_DNS cluster type with DNSCluster (#13710)
- Helm: add controller-scoped overrides for controller deployment pod/scheduling/resource values, and deprecate the equivalent top-level chart values in favor of
controller.*. (#13787)
Dependency Updates
- Bumps go to 1.26.2 (#13812)
Contributors
Thanks to all the contributors who made this release possible:
v2.2.3
🎉 Welcome to the v2.2.3 release of the kgateway project!
Release Notes
Changes since v2.2.2
Dependency Updates
Contributors
Thanks to all the contributors who made this release possible:
d
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.2.3
- cr.kgateway.dev/kgateway-dev/sds:v2.2.3
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.3
- cr.agentgateway.dev/agentgateway-controller:v2.2.3
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.3 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.3 --namespace kgateway-system --create-namespace
helm install agentgateway-crds oci://cr.agentgateway.dev/charts/agentgateway-crds --version v2.2.3 --namespace agentgateway-system --create-namespace
helm install agentgateway oci://cr.agentgateway.dev/charts/agentgateway --version v2.2.3 --namespace agentgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.1.3
v2.3.0-beta.4
🎉 Welcome to the v2.3.0-beta.4 release of the kgateway project!
Release Notes
Changes since v2.3.0-beta.3
Bug Fixes
- expose http-monitoring port on gateway service (#13614)
- Publish Gateway InsecureFrontendValidationMode status when frontend TLS validation is configured with AllowInsecureFallback. (#13698)
- Revert: exposing http-monitoring port on gateway service (#13704)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.0-beta.4
- cr.kgateway.dev/kgateway-dev/sds:v2.3.0-beta.4
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.0-beta.4
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.0-beta.4 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.0-beta.4 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.3.0-beta.3
🎉 Welcome to the v2.3.0-beta.3 release of the kgateway project!
Changes since v2.3.0-beta.2
New Features
- Add
allow_mode_overrideandallowed_override_modessupport in ExtProc GatewayExtensions (#13394) - support GRPCRoutes attaching to HTTPS listeners (#13493)
- Support per listener mTLS client cert validation (#13518)
- Support attaching TrafficPolicy to GRPCRoutes (#13519)
- Add
loadBalancerSourceRangessupport toGatewayParameters.spec.kube.servicefor the dynamically provisioned gateway service (#13545) - Support TLS Termination for TLSRoute on TLS listener (#13548)
- Allow setting Envoy's
xff_trusted_cidrsandskip_xff_appendviaListenerPolicy(#13551) - Allow configuring Envoy application log format, either as JSON or custom text (#13561)
- Controller helm chart exposes topologySpreadConstraints (#13573)
- Add default OTel resource attributes for listeners (#13585)
- Add default k8s resource identifiers in OTel resource attributes (#13606)
- Add app.kubernetes.io/component labels (controller and proxy) to kgateway deployments (#13619)
- Add per-route tracing configuration to TrafficPolicy, allowing sampling rate overrides, custom attributes, and the ability to disable tracing for specific routes. (#13648)
- ListenerSets pass GWAPI 1.5.1 conformance tests (#13691)
Bug Fixes
- Stop forwarding non-matching preflight cors requests (#13474)
- Fix Rustformations returning HTTP 400 on small JSON request bodies arriving in a single chunk. (#13480)
- Introduce kgateway-base manifests and migrate tests to base gateway for faster tests
(chore): use native go instead of curl pod to create http reqs for ExtAuth, BackendTLS, Backends, Accesslogs, BasicRouting, DFP, HTTPRoute
(#13515) - Fixed no endpoints for services/namespaces without an
ingress-use-waypointlabel when at least one other has it (#13531) - Fix cross-namespace
extensionRefinTrafficPolicy.spec.jwtAuthresulting in brokenrequirement_namein Envoy filter config (#13540) - fix: Deployer deploys RBAC changes etc. first since later changes depend on them (#13552)
- Fix crash when a Waypoint has an AuthorizationPolicy with action CUSTOM (#13607)
- Skip Istio resource watching when KGW_ENABLE_ISTIO_INTEGRATION is disabled (#13611)
- expose http-monitoring port on gateway service (#13614)
- fix nil panic in TrafficPolicy when attaching to redirect rules in HTTPRoute (#13625)
- Fixed DirectResponse policy status reporting to ensure attached policies surface Accepted and Attached conditions without misleading handler registration errors. (#13647)
- Fix stale routing when no endpoints are available by emitting an explicit empty ClusterLoadAssignment so Envoy returns 503 instead of routing to a stale pod IP. (#13670)
- Fixed promoted TLSRoute handling for Gateway API v1.5.1, including status reporting, hostname intersection, and several conformance cases. (#13694)
- Improve Gateway API TLSRoute conformance for TLS passthrough listeners by rejecting unsupported TCPRoute kinds and reporting TLSRoute in listener supportedKinds. (#13696)
Documentation
- GracefulShutdownSpec API doc correction (#13577)
Cleanup
- Removes deprecated Gateway API Inference Extension support, which had already moved to agentgateway (#13514)
- remove classic transformation support (#13651)
- upgrade to envoy v1.37.1 and removed envoy-gloo (#13660)
Dependency Updates
- Upgrade to latest Go 1.26 (#13517)
- Bumps to go version 1.26.1 (#13639)
- Bumped Gateway API to v1.5.1. As part of the upstream schema update, non-spec CORS
allowOriginspatterns such ashttps://a.b*are no longer accepted. Use spec-compliant wildcard origins such ashttps://*.a.binstead. (#13671)
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.0-beta.3
- cr.kgateway.dev/kgateway-dev/sds:v2.3.0-beta.3
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.0-beta.3
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.0-beta.3 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.0-beta.3 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
Contributors
Thanks to all the contributors who made this release possible:
v2.2.2
🎉 Welcome to the v2.2.2 release of the kgateway project!
Release Notes
Changes since v2.2.1
Bug Fixes
- add PreRouting phase support for authentication policies (#13544)
- Fixed no endpoints for services/namespaces without an
ingress-use-waypointlabel when at least one other has it. (#13550) - fix nil panic in TrafficPolicy when attaching to redirect rules in HTTPRoute (#13625)
- fix nil panic in TrafficPolicy when attaching to redirect rules in HTTPRoute (#13627)
Dependency Updates
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
- cr.kgateway.dev/kgateway-dev/charts/kgateway-crds
- cr.kgateway.dev/kgateway-dev/charts/kgateway
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.2.2
- cr.kgateway.dev/kgateway-dev/sds:v2.2.2
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.2
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.2 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.2 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
Contributors
Thanks to all the contributors who made this release possible:
v2.2.1
🎉 Welcome to the v2.2.1 release of the kgateway project!
What's Changed
- backports: from initial v2.2.x cut to commit 1459d34 by @danehans in #13505
- [v2.2.x] fix: AgentgatewayParameters merging bug by @chandler-solo in #13512
- Adds InferencePool Status Management by @danehans in #13501
- [v2.2.x] Update codeowners by @jenshu in #13532
- Fix body to header transformation (#13480) by @andy-fong in #13537
- tooling: fixes release validation job by @danehans in #13536
- [v2.2.x backport] fix: HPA/VPA/PDB support forgot about RBAC by @chandler-solo in #13533
Full Changelog: v2.2.0...v2.2.1
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.2.1
- cr.kgateway.dev/kgateway-dev/sds:v2.2.1
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.1
- cr.agentgateway.dev/agentgateway-controller:v2.2.1
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.1 --namespace kgateway-system --create-namespace
helm install agentgateway-crds oci://cr.agentgateway.dev/charts/agentgateway-crds --version v2.2.1 --namespace agentgateway-system --create-namespace
helm install agentgateway oci://cr.agentgateway.dev/charts/agentgateway --version v2.2.1 --namespace agentgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
Contributors
danehans, jenshu, and 2 other contributors
Assets 5
v2.3.0-beta.2
🎉 Welcome to the v2.3.0-beta.2 release of the kgateway project!
Release Notes
Changes since v2.3.0-beta.1
Bug Fixes
- Relaxed CEL rules for BackendConfigPolicy to support Istio Hostname as a target (#13374)
- fix: RBAC is expanded to include VPA, HPA, and PDB because data planes can be configured to come along with these resources since #13266 (#13497)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.0-beta.2
- cr.kgateway.dev/kgateway-dev/sds:v2.3.0-beta.2
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.0-beta.2
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.0-beta.2 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.0-beta.2 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.