
chore(deps): update gateway-helm docker tag to v1.3.0 #6260

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]

@renovate renovate bot commented Feb 3, 2025

This PR contains the following updates:

Package Update Change
gateway-helm (source) minor 1.2.6 -> 1.3.0

Release Notes

envoyproxy/gateway (gateway-helm)

v1.3.0

Compare Source

Release Announcement

Release Date: January 30, 2025

Check out the v1.3 release announcement to learn more about the release.

The Envoy Gateway v1.3.0 release brings a host of new features, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below.

🚨 Breaking Changes

  • Proxy Pod Template: The Container ports field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version.
  • TLS Defaults: ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension.
  • Default Passive Health Checks: Outlier detection (passive health check) is now disabled by default. Refer to BackendTrafficPolicy for working with passive health checks.
  • Extension Manager Fails Closed: Envoy Gateway treats errors in calls to an extension service as fail-closed by default. Any error returned from the extension server will replace the affected resource with an "Internal Server Error" immediate response. The previous behavior can be enabled by setting the failOpen field to true in the extension service configuration.
  • ClientTrafficPolicy Translation Failures: Envoy Gateway now returns a 500 response when a ClientTrafficPolicy translation fails for HTTP/GRPC routes, and forwards client traffic to an empty cluster when a ClientTrafficPolicy translation fails for TCP routes.
  • Envoy Proxy Reference Failures: Any issues with EnvoyProxy reference in a Gateway will prevent the Envoy fleet from being created or result in the deletion of an existing Envoy fleet.
  • BackendTLSPolicy Translation Failures: Envoy Gateway now returns a 500 response when a BackendTLSPolicy translation fails for HTTP/GRPC/TLS routes.

✨ New Features

API & Traffic Management Enhancements
  • Compression: Added support for Response Compression in BackendTrafficPolicy CRD.
  • Route Order: Added support for preserving the user defined HTTPRoute match order in EnvoyProxy CRD.
  • Rate Limiting with Cost: Added support for cost specifier in the rate limit BackendTrafficPolicy CRD.
  • Gateway API 1.2 Retries: Added support for Retries (GEP-1731) in HTTPRoute CRD.
  • Backend Routing: Added support for referencing Backend resources in GRPCRoute, TCPRoute and UDPRoute CRDs.
  • Response Override: Added support for status code override in BackendTrafficPolicy.
Security Enhancements
  • Client IP Detection: Added support for trusted CIDRs in the ClientIPDetectionSettings of ClientTrafficPolicy CRD.
  • API Key Authentication: Added support for API Key Authentication in the SecurityPolicy CRD.
  • External Auth: Added support for sending body to Ext-Auth server in SecurityPolicy CRD.
  • JWT Auth: Added support for configuring remote JWKS settings with BackendCluster in SecurityPolicy CRD.
  • Backend TLS System Trust Store: Added support for dynamic reload of System WellKnownCACertificates in BackendTLSPolicy.
  • Draining Endpoints: Continue using and drain endpoints during their graceful termination, as indicated by their respective EndpointConditions.
Observability & Tracing
  • Trace Sampling: Added support for configuring the tracing sampling rate with Fraction in the EnvoyProxy CRD.
  • Static Metadata: Gateway API Route rule name is propagated to XDS metadata as sectionName.
  • Envoy Gateway Panics: Added metrics and dashboards for Envoy Gateway panics in watchables.
Infra
  • Proxy: Added support for patching HPA and PDB settings in EnvoyProxy CRD.
  • Rate Limit: Added support for HPA in EnvoyGateway configuration.
Extensibility
  • External Processing Filter: Added support for Attributes, Dynamic Metadata and Processing Mode Override in EnvoyExtensionPolicy CRD.
  • Wasm: Added support for injecting Host Env in EnvoyExtensionPolicy CRD.
  • Extension Manager: Added support for configuring Max GRPC message size for the Extension Manager in EnvoyGateway configuration.

🐞 Bug Fixes

  • Fixed a panic in the provider goroutine when the body in the direct response configuration was nil.
  • Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes.
  • Fixed a failure to update SecurityPolicy resources that have the backendRef field specified.
  • Fixed xDS translation failing when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and use the same hostname.
  • Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn.
  • Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s.
  • Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs.
  • Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected.
  • Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined.
  • Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration.
  • Fixed traffic splitting not working when some backends were invalid.
  • Fixed a nil pointer error that occurred when a SecurityPolicy referred to a UDS backend.
  • Fixed an issue where the Gateway API translator did not use the TLS configuration from the BackendTLSPolicy when connecting to the OIDC provider’s well-known endpoint.
  • Fixed a validation failure that occurred when multiple HTTPRoutes referred to the same extension filter.
  • Fixed a nil pointer error caused by accessing the cookie TTL without verifying if it was valid.
  • Fixed unexpected port number shifting in standalone mode.
  • Fixed an issue where the shutdown-manager did not respect the security context of the container spec.
  • Fixed readiness checks failing for single-stack IPv6 Envoy Gateway deployments on dual-stack clusters.
  • Fixed IPv6 dual-stack support not working as intended.
  • Fixed the ability to overwrite control plane certs with the certgen command by using a new command arg (-o).
  • Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap.
  • Fixed prometheus format conversion of ratelimit metrics for remote address.
  • Fixed limitations that prevented creation of FQDN Endpoints with a single-character subdomain in Backend.
  • Fixed issue where SecurityContext of shutdown-manager container was not updated by overriding helm values.
  • Fixed issue with incorrect IPFamily detection for backends.
  • Fixed validation of interval values in Retry settings.

⚠️ Vulnerabilities

  • Fixed CVE-2025-24030 which exposed the Envoy admin interface through the prometheus stats endpoint. Refer to Advisory.

⚙️ Other Notable Changes

  • Envoy Upgrade: Now using Envoy v1.33.0.
  • Ratelimit Upgrade: Now using Ratelimit 60d8e81b.
  • Gateway API: Now using Gateway API v1.2.1
  • Envoy Gateway Base Image: Modified the base container image to gcr.io/distroless/base-nossl:nonroot.
  • K8s Version Matrix: Add support for Kubernetes 1.32.x in the test matrix, and remove support for Kubernetes 1.28.x.
  • Go Control Plane: Now using v0.13.4.
  • XDS Validations: Envoy Gateway validates additional resources before adding them to snapshot.
  • Backend Routing: Increased the maximum amount of endpoints to 64 in Backend.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot added dependency/docker Dependency Docker kind/renovate Categorizes issue or PR as related to Renovate lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/medium This issue or PR may be useful, and needs some attention size/xs Size XS status/review_needed The issue or PR needs to be reviewed labels Feb 3, 2025
@dosubot dosubot bot added dependencies Pull requests that update a dependency file dependency/helm Dependency Helm labels Feb 3, 2025
@nlamirault nlamirault closed this Feb 4, 2025
@renovate renovate bot deleted the renovate/gateway-helm-1.x branch February 4, 2025 17:08
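The three v1.3.0 breaking changes that bite operators silently are the ALPN empty-list semantics, passive health checks being off by default, and the extension manager failing closed. The manifests below are an added example, not code from the Envoy Gateway project or from this PR; resource names, namespaces, the target Gateway/HTTPRoute names, the extension server hostname and port, and the exact placement of the failOpen field are assumptions, written against the v1.3 API as the release notes above describe it.

```yaml
# Added example (not from the Envoy Gateway project or this PR). Names, namespaces,
# hostnames and the failOpen field placement are assumptions; verify against the
# v1.3 API reference before applying.
---
# 1. ClientTrafficPolicy / ALPN.
# Pre-1.3: an empty alpnProtocols list was treated as "unset" and the defaults applied.
# v1.3.0: an empty list DISABLES the TLS ALPN extension (clients then cannot negotiate h2).
# Either omit the field to keep defaults, or list the protocols explicitly as below.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: edge-tls            # assumed name
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg              # assumed Gateway name
  tls:
    # alpnProtocols: []     # v1.3.0: disables ALPN; do not use this to mean "defaults"
    alpnProtocols:          # explicit list behaves the same before and after the upgrade
      - h2
      - http/1.1
---
# 2. BackendTrafficPolicy / passive health checks.
# Outlier detection is disabled by default in v1.3.0; a policy that previously relied
# on the default ejection behaviour must now enable it explicitly.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: backend-outlier     # assumed name
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend         # assumed HTTPRoute name
  healthCheck:
    passive:
      consecutive5XxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 10
---
# 3. EnvoyGateway config / extension manager.
# v1.3.0 fails closed: any error from the extension server replaces the affected
# resource with an "Internal Server Error" immediate response. Setting failOpen: true
# restores the pre-1.3 behaviour (the field location here is an assumption).
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
gateway:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
provider:
  type: Kubernetes
extensionManager:
  hooks:
    xdsTranslator:
      post:
        - HTTPListener
  service:
    fqdn:
      hostname: extension-server.default.svc.cluster.local   # assumed
      port: 5005                                            # assumed
  failOpen: true   # opt back in to fail-open; leave unset to keep the safer default
```

Prefer the fail-closed default unless the extension server is strictly non-security-relevant: with failOpen true, an outage of an ext-proc or policy extension quietly serves traffic without whatever the extension was supposed to enforce. Likewise, keep alpnProtocols unset rather than empty unless disabling ALPN is the intent.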