Introduction

The release notes include important installation changes and known issues. They also highlight ways that you can take advantage of new features or enhancements to improve your product usage.

For more information, see the following related resources:

🔥 Breaking changes

Review details about the following breaking changes. To review when breaking changes were released, you can use the comparison feature of the open source changelog or enterprise changelog. The severity is intended as a guide to help you assess how much attention to pay to this area during the upgrade, but can vary depending on your environment.

🚨 High

Review severe changes that can impact production and require manual intervention.

AuthPlugin removed

The AuthPlugin auth config type is removed in 1.20. If you use this config type, you must remove it from your Helm values file before upgrading Gloo Gateway. If you need to configure your own auth server, check out the Passthrough auth guides instead.

Discovery disabled by default

To improve performance, service discovery is now disabled by default in the Gloo Gateway Helm chart. In the example Helm values in all installation guides for Gloo Gateway with the Kubernetes Gateway API, discovery is set to false. However, if you use discovery, ensure that the discovery.enabled field for Gloo Gateway OSS or the gloo.discovery.enabled field for Gloo Gateway Enterprise is explicitly set to true before you upgrade. For more information, see the discovery overview.

Envoy version upgrade

The Envoy dependency in Gloo Gateway 1.20 was upgraded from 1.33.x to 1.35.x. This change includes the following upstream breaking changes.

Envoy 1.34:

For more information about these changes, see the Envoy changelog documentation.

  • Extproc - Tracing changes: When the modeOverride fields of the header and trailer modes have the value DEFAULT or are unset, no change is made to the processing mode that is set in the filter configuration. Additionally, a bug was fixed in which local replies were incorrectly sent to the extProc server for external processing. You can temporarily revert this change by setting the runtime guard field envoy.reloadable_features.skip_ext_proc_on_local_reply to false.
  • TLS - Envoy FIPS: The Envoy FIPS build is updated to use the same version of BoringSSL as the Envoy standard build to meet the requirements of the revised FedRAMP policy. Default values might have changed in the encryption settings due to the large version bump.
  • HTTP connection manager - Generate request ID: When the x-request-id header is empty, generateRequestId now generates a request ID on the request. Previously, it only generated an ID when the header was missing.
  • Formatters: The %CEL% and %METADATA% formatters are now considered built-in, and can be used directly in substitution format strings if the related extensions are linked.

Envoy 1.35:

For more information about these changes, see the Envoy changelog documentation.

  • Tracing changes: Added max_cache_size to the OpenTelemetry tracer config. This limits the number of spans that can be cached before the cache is flushed. The default is 1024 spans. Previously, flushing only happened at the interval that you set. You can change this setting based on the expected telemetry volume in your environment.

Caching filter deprecated

The caching filter is deprecated and planned to be removed in Gloo Gateway version 1.21.

🔔 Medium

Review changes that might impact production and require manual intervention, but possibly not until the next version is released.

  • No medium-severity changes are currently reported.

â„šī¸ Low

Review informational updates that you might want to implement but that are unlikely to materially impact production.

  • No low-severity changes are currently reported.

âš’ī¸ Installation changes

In addition to comparing differences across versions in the changelog, review the following installation changes from the previous minor version to version 1.20.

  • No installation changes are currently reported.

🌟 New features

Review the following new features that are introduced in version 1.20 and that you can enable in your environment.

Amazon Bedrock in Gloo AI Gateway

Amazon Bedrock is now supported as an LLM provider with Gloo AI Gateway. For more information, see the Amazon Bedrock docs.

Kubernetes 1.33 and 1.34 support

Starting in version 1.20.0, Gloo Gateway can now run on Kubernetes 1.33 and 1.34. For more information about supported Kubernetes, Envoy, and Istio versions, see the version support matrix.

Istio 1.26 and 1.27 support

Starting in version 1.20.0, Gloo Gateway can now run with Istio 1.26 and 1.27. For more information about supported Kubernetes, Envoy, and Istio versions, see the version support matrix.

Add usedonly filter to Prometheus stats endpoint

By default, Gloo Gateway exposes the /metrics scraping endpoint on Gloo Gateway proxies. This endpoint is used by instances, such as Prometheus, to scrape metrics from your proxies. Gloo Gateway rewrites the /metrics endpoint to Envoy’s /stats/prometheus endpoint. Envoy proxies emit large numbers of metrics on the /stats/prometheus endpoint. These metrics include downstream statistics to analyze incoming requests and connections, upstream statistics to understand outgoing requests and connections, and statistics about the Envoy server instance itself. Depending on your environment, the number of metrics that Prometheus scrapes from the Envoy proxies might be too large and can lead to performance issues and failures in Prometheus.

You can change the scraping path and apply a query parameter to the /stats/prometheus endpoint, such as the usedonly parameter. This parameter configures your proxy to emit only the metrics that Envoy changed, such as when counters were incremented, gauges were changed, and histograms were added to at least once. Endpoints that did not receive or send traffic are not included in these metrics. This way, you can significantly reduce the number of metrics that Prometheus scrapes from the proxies. For more information about the usedonly parameter and other query parameters that you can apply, see the Envoy documentation.

To change the Prometheus scraping endpoint for your proxies, you can update the default GatewayParameters resource through your Gloo Gateway Helm values file. For custom proxy configurations, add the scraping endpoint to your custom GatewayParameters resource.
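One way to measure the effect of the usedonly parameter before you change the scraping path, as an added example that is not part of the Gloo Gateway documentation: the script compares a full /stats/prometheus scrape with a usedonly scrape and lists the metric families that disappear entirely, so that you can check alerts and dashboards that depend on them. The sample scrapes and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample scrapes (not captured from a real proxy).
FULL_SCRAPE = """\
# TYPE envoy_cluster_upstream_rq_total counter
envoy_cluster_upstream_rq_total{envoy_cluster_name="httpbin"} 42
envoy_cluster_upstream_rq_total{envoy_cluster_name="idle-svc"} 0
# TYPE envoy_cluster_upstream_cx_active gauge
envoy_cluster_upstream_cx_active{envoy_cluster_name="httpbin"} 3
envoy_cluster_upstream_cx_active{envoy_cluster_name="idle-svc"} 0
# TYPE envoy_http_downstream_rq_xx counter
envoy_http_downstream_rq_xx{envoy_response_code_class="5"} 0
# TYPE envoy_server_uptime gauge
envoy_server_uptime 86400
"""
USEDONLY_SCRAPE = """\
# TYPE envoy_cluster_upstream_rq_total counter
envoy_cluster_upstream_rq_total{envoy_cluster_name="httpbin"} 42
# TYPE envoy_cluster_upstream_cx_active gauge
envoy_cluster_upstream_cx_active{envoy_cluster_name="httpbin"} 3
# TYPE envoy_server_uptime gauge
envoy_server_uptime 86400
"""

# A sample line is: name, optional {labels}, whitespace, value.
SAMPLE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(\{.*\})?\s+\S+')

def series(text):
    """Return the set of (metric name, label string) pairs in a scrape."""
    found = set()
    for line in text.splitlines():
        m = SAMPLE.match(line.strip())  # comment lines start with '#', no match
        if m:
            found.add((m.group(1), m.group(2) or ""))
    return found

def compare(full_text, usedonly_text):
    """Summarize what a usedonly scrape drops relative to a full scrape."""
    full, used = series(full_text), series(usedonly_text)
    dropped = full - used
    return {
        "full": len(full),
        "usedonly": len(used),
        "reduction_pct": round(100 * len(dropped) / len(full), 1) if full else 0.0,
        "dropped_per_family": Counter(name for name, _ in dropped),
        # Families with no series left: alerts on these would see no data.
        "families_gone": sorted({n for n, _ in dropped} - {n for n, _ in used}),
    }
```

To use it on a live proxy, pass the text of the two scrapes of the same proxy to compare() in place of the constructed samples.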

ecdh-curves in TLS settings

You can now specify ECDHE elliptic-curve key exchange algorithms, such as the hybrid post-quantum algorithm X25519MLKEM768, to secure the TLS handshake between your gateway proxy and your clients.

For more information, see Additional TLS settings.

Additional dynamic metadata for AI Gateway

The following metrics are now exposed as dynamic metadata when using AI Gateway.

  • ai.gloo.solo.io:prompt_audio_tokens: The number of audio tokens used in the prompt.
  • ai.gloo.solo.io:prompt_cached_tokens: The number of cached tokens used in the prompt.
  • ai.gloo.solo.io:reasoning_tokens: The number of reasoning tokens that were generated during the reasoning process.
  • ai.gloo.solo.io:completion_audio_tokens: The number of audio tokens used in the completion.
  • ai.gloo.solo.io:accepted_prediction_tokens: The number of prediction tokens that the model accepted.
  • ai.gloo.solo.io:rejected_prediction_tokens: The number of prediction tokens that the model rejected.
  • ai.gloo.solo.io:service_tier: The LLM service tier that was used for a request.

You can add this dynamic metadata to your access logs. For more information, see the Dynamic metadata guide.

Custom host URL and path for LLMs

By default, Gloo Gateway uses the default host URL for a particular LLM, such as https://api.openai.com for OpenAI, when sending a request to the LLM. You can customize the host URL and specify the base or full path that you want to use for your requests. This setup is useful in cases where your LLM is hosted through a different provider, such as IBM API Connect.

For more information, see Custom host URL and path.

Mutual TLS in passthrough auth

You can configure the Gloo Gateway external auth client to use mutual TLS when connecting to the passthrough server. For information about how to set up passthrough auth, see Passthrough auth.

🔄 Feature changes

Review the following changes that might impact how you use certain features in your Gloo Gateway environment.

  • No feature changes are currently reported.