Gloo Gateway changelog

🛜 RSS feed

Changelog entry types link

Changelog entries are categorized into the following types:

• Breaking Changes: An API is changed in a way that is not backwards compatible, such as a changed format for an API field.
• Bug Fixes: A bug is resolved in this release.
• Dependency Bumps: The version for a dependency in Gloo Gateway is bumped in this release.
• New Features: A new feature is implemented in the release.

v2.1 link

2.1.0-alpha.1 link

Published on: 2025-11-05

What’s Changed

• Fix docs workflow by @Rachael-Graham in https://github.com/solo-io/gloo-gateway/pull/865
• block merge if PR has work in progress label by @jenshu in https://github.com/solo-io/gloo-gateway/pull/869
• kind is great, but CRC is great too. Support both local k8s envs. by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/837
• tests: internal_helm_test.go double-checking by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/873
• show Accepted and Attached status for GlooTrafficPolicy by @puertomontt in https://github.com/solo-io/gloo-gateway/pull/862
• add unparam linter by @puertomontt in https://github.com/solo-io/gloo-gateway/pull/876
• labeler workflow cleanup by @jenshu in https://github.com/solo-io/gloo-gateway/pull/880
• Rm duplicates from changelog and add publish date by @Nadine2016 in https://github.com/solo-io/gloo-gateway/pull/893
• helm charts fixes to allow for custom Secret(s) for license keys by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/890
• Bumps kgw to latest 2.1.x by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/894
• CEL ratelimiting by @npolshakova in https://github.com/solo-io/gloo-gateway/pull/850
• kgw bump to main by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/897
• update release workflow to use 2.1.0 by @jenshu in https://github.com/solo-io/gloo-gateway/pull/900
• Bump kgw to the latest main by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/914
• Removes some merging code from downstream that was copypasta. by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/875
• bump rate limiter and ext auth by @puertomontt in https://github.com/solo-io/gloo-gateway/pull/925
• add agentgateway configuration to gloo gateway params by @puertomontt in https://github.com/solo-io/gloo-gateway/pull/867
• Deletes debug-deployer-helm by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/929
• Hack release note scripts by @josh-pritchard in https://github.com/solo-io/gloo-gateway/pull/932
• add nightly tests wf with istio k8s versions matrix by @rpunia1 in https://github.com/solo-io/gloo-gateway/pull/741
• Bump kgateway dep by @howardjohn in https://github.com/solo-io/gloo-gateway/pull/920
• fix run-ci typo by @rpunia1 in https://github.com/solo-io/gloo-gateway/pull/939
• tests: Build tag paranoia by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/938
• go: bump kgateway to a63fa9f by @shashankram in https://github.com/solo-io/gloo-gateway/pull/940
• bump envoy-gloo-ee to v1.36.2-patch1 by @andy-fong in https://github.com/solo-io/gloo-gateway/pull/928
• helm: Remove kgateway branding in generated NOTES.txt by @timflannagan in https://github.com/solo-io/gloo-gateway/pull/952
• Expand & restructure docs workflow for versioning by @Rachael-Graham in https://github.com/solo-io/gloo-gateway/pull/949
• tests: Adds run-e2e-test.sh & run-test.sh; adds SKIP_ALL_TEARDOWN by @chandler-solo in https://github.com/solo-io/gloo-gateway/pull/906
• agentgateway: add ratelimit token e2e test by @puertomontt in https://github.com/solo-io/gloo-gateway/pull/950
• .github/workflows: Enable CI by default, keep existing run-ci infra by @timflannagan in https://github.com/solo-io/gloo-gateway/pull/960
• Bump the kgw dependency to 80600bfdc15c by @timflannagan in https://github.com/solo-io/gloo-gateway/pull/954
• mount istio-token volume for agentgateway waypoint by default, re-enable agw waypoint test by @jmcguire98 in https://github.com/solo-io/gloo-gateway/pull/943 Full Changelog: https://github.com/solo-io/gloo-gateway/compare/2.0.0...2.1.0-alpha.1
• mount istio-token volume for agentgateway waypoint by default, re-enable agw waypoint test by @jmcguire98 in https://github.com/solo-io/gloo-gateway/pull/943

v2.0 link

2.0.1 link

Published on: 2025-10-23

Changes since 2.0.0

New Features

• [Upstream] Allow using kgateway.dev/http-redirect-status-code annotation to configure the allowed HTTP redirect status codes as an override API with the RequestRedirect filter. (#12612)

Bug Fixes

• [Upstream] Allow using kgateway.dev/http-redirect-status-code annotation to configure the allowed HTTP redirect status codes as an override API with the RequestRedirect filter. (#12612)
• Helm chart installation bug fix when providing your own Kubernetes Secret(s)

Cleanup

• Helm chart installation bug fix when providing your own Kubernetes Secret(s)
• upgrade envoy-gloo-ee to v1.35.6-patch1
• Bump ext-auth to 0.73.4 and rate limit to 0.16.4

2.0.0 link

Published on: 2025-10-13

New Features

• Update gateway class name to gloo-gateway-v2
• Change gloo-agentgateway class name to agentgateway-enterprise.
• Disable gloo-gateway-v2-waypoint to only allow agentgateway-enterprise-waypoint as the waypoint gatewayclass.
• GlooTrafficPolicy can now do everything a TrafficPolicy can.
• Support enterprise rate-limit and ext-authz APIs
• Add Retry and Timeouts to GlooTrafficPolicy.
• Added ee transformation api
• Adds support for automatic discovery of openAPI specifications belonging to services or external endpoints which is a foundational component for the portal feature.
• Implements Enterprise AWS Lambda transformations with GlooTrafficPolicy.
• Add Enterprise JWT functionality
• Added support for deploying of shared ext-auth and rate-limiter services
• Implements gloo-gateway control plane metrics using the upstream pkg/metrics library from kgateway.
• Adds support for Gloo RBAC policies
• The GlooTrafficPolicy plugin now respects the route replacement mode setting (KGW_ROUTE_REPLACEMENT_MODE). When in strict mode, the plugin performs additional validation to catch invalid configurations before they reach Envoy. Invalid policies that would cause Envoy to NACK at runtime (e.g. malformed templates) will now be replaced with a direct response (HTTP 500) and report clear status conditions. This prevents fail-open scenarios where invalid policies could allow unintended traffic.
• Make the ratelimitConfigRef namespace configurable for rate limit policies.
• Distroless images for Envoyinit/SDS components
• Add FIPS builds for all components
• Add helm fields to the CRD chart to allow conditional install of extension CRDs. New fields installExtAuthCRDs & installRateLimitCRDs are available.
• This change allows users to define actions in the RateLimitConfig spec’s raw.rateLimits field, with a GlooTrafficPolicy that references this resource in the spec’s glooRateLimit.global.rateLimitConfigRef field. Users can now specify rate limit descriptors and actions in the same RateLimitConfig resource.
• Adds a helm chart: gloo-gateway-dashboards, to deploy monitoring dashboards which can be automatically detected by kube-prometheus-stack.
• Add support for configuring nodeSelector, affinity (including the antiAffinity sub field), tolerations, and topologySpreadConstraints for shared resources via GatewayParameters
• Adds support for a GlooTrafficPolicy referencing a GatewayExtension in a different namespace than the policy using a new namespace field.
• Added agentgateway extauth support.
• Add initial support for configuring agentgateway with GlooJWT traffic policies.
• Added support for agentgateway as a waypoint.
• Adds license logging for agentgateway.
• Added AGENTGATEWAY_LICENSE_KEY for agentgateway license.
• Allows for configuring extensions’ images.
• Support specifying omitReplicas in the GlooGatewayParameters to allow custom HPA control it
• API changes to GlooGatewayParameters to better support real-world configuration of extensions.
• Add support in the agentgateway syncer for basic status reporting on gloo traffic policies
• Convert GlooTrafficPolicy.spec.glooRateLimit.global.RateLimitConfigRef into a list of refs and rename it to RateLimitConfigRefs
• [Upstream] Updates the status API for TrafficPolicy and HTTPListenerPolicy to use Gateway API v1alpha2.PolicyStatus API. (#11141)
• [Upstream] Enables kgateway to act as the control plane for agentgateway. (#11151)
• [Upstream] Enables policy attachment using labels using the targetSelectors API for kgateway policy APIs. (#11163)
• [Upstream] Introduce BYO global rate limiting so operators can expose an external rate-limit service through a GatewayExtension resource and reference that extension from a TrafficPolicy. This enables users to configure both local and cluster-wide quotas within the same API surface. (#11169)
• [Upstream] Add a setting to toggle the listener bind address to either ipv4 or ipv6 (#11196)
• [Upstream] Add support for dynamic forward proxy. (#11197)
• [Upstream] Introduce BackendConfigPolicy api to allow configuring envoy clusters. (#11214)
• [Upstream] Enables setting annotations on Deployment generated by kgateway Helm chart. (#11224)
• [Upstream] Adds InferencePool status management to Inference Extension endpointpicker (EPP) Plugin. (#11230)
• [Upstream] Enables multiple kgateway installs in separate namespaces, and implements discoveryNamespaceSelectors to control the namespaces that are considered for config discovery by a kgateway instance based on label selectors. (#11238)
• [Upstream] Respect DestinationRule TCP keepalive settings (#11246)
• [Upstream] CORS support has been added and can be configured in the TrafficPolicy or in HTTPRoute, depending on the desired policy. (#11252)
• [Upstream] Allows a Kubernetes gateway to have more than 64 listeners by implementing ListenerSets defined in https://gateway-api.sigs.k8s.io/geps/gep-1713. Listener Sets can define their own listeners and be mapped to a parent gateway via their parentRef. The Kubernetes gateway will have the merged list of all listeners from itself and attached ListenerSets. This experimental feature requires the xlistenersets.gateway.networking.x-k8s.io CRD to be present. (#11255)
• [Upstream] Invalid durations in our CRDs will now be rejected using CEL, before the CR is admitted. (#11266)
• [Upstream] Allow TrafficPolicy to targetRef using section name. (#11272)
• [Upstream] Add PathOverride and AuthHeaderOverride fields for custom LLM provider endpoints (#11282)
• [Upstream] add TargetSelectors field in BackendConfigPolicySpec to enable selection of resources with matchLabels. (#11289)
• [Upstream] Support for CSRF policy has been added to the TrafficPolicy. (#11302)
• [Upstream] backendconfigpolicy: add ssl config (#11308)
• [Upstream] Support sessionPersistence on HTTPRoute (#11320)
• [Upstream] Add control plane metrics support for observability of controller, collections, and translation operations. (#11342)
• [Upstream] Adds initial InferencePool e2e tests (#11344)
• [Upstream] added support for extended gateway parameters (#11346)
• [Upstream] Support Service appProtocols http2, grpc, and grpc-web. (#11352)
• [Upstream] backendconfigpolicy: add load balancer configuration (#11365)
• [Upstream] Enables configuring the payload transformation mode for AWS Lambda backends. (#11381)
• [Upstream] Allow configuring app protocol on Static Backends. (#11384)
• [Upstream] add health check config to backendconfigpolicy (#11393)
• [Upstream] For kubernetes services, set IgnoreHealthOnHostRemoval to true on the cluster. (#11395)
• [Upstream] Adds support for OpenTelemetry Tracing & Access Log Support. This can be configured via the HTTPListenerPolicy (#11396)
• [Upstream] add http2 protocol options to backendconfigpolicy (#11455)
• [Upstream] Add useRemoteAddress, xffNumTrustedHops, serverHeaderTransformation, and streamIdleTimeout to HTTPListenerPolicy https://github.com/kgateway-dev/kgateway/issues/11231 (#11462)
• [Upstream] Users can now define custom environment variables for the envoy proxy container via the gateway parameters. It can be specified as a list via GatewayParameters.spec.kube.envoyContainer.env (#11463)
• [Upstream] Added image, security context and resource configuration on GatewayParameters for agentgateway. (#11464)
• [Upstream] Enables sorting of HTTPRoutes using weights assigned with the kgateway.dev/route-weight annotation when KGW_WEIGHTED_ROUTE_PRECEDENCE=true. (#11470)
• [Upstream] Added CEL validation to enforce proper attachment semantics for policy APIs. This ensures that policies can only be attached to valid Gateway API resources. (#11499)
• [Upstream] Allow setting listener-level perConnectionBufferLimitBytes by setting the kgateway.dev/per-connection-buffer-limit annotation on the gateway. (#11505)
• [Upstream] Privileged ports used (< 1024) on a listener are no longer mapped to a higher port. If listeners are using privileged ports before upgrading, there may be down time when the port mapping is updated. (#11508)
• [Upstream] Add support for setting request buffer limit using TrafficPolicy (#11523)
• [Upstream] The TrafficPolicy plugin now respects the route replacement mode setting (KGW_ROUTE_REPLACEMENT_MODE). When in strict mode, the plugin performs additional validation to catch invalid configurations before they reach Envoy. Invalid policies that would cause Envoy to NACK at runtime (e.g. malformed templates) will now be replaced with a direct response (HTTP 500) and report clear status conditions. This prevents fail-open scenarios where invalid policies could allow unintended traffic. (#11553)
• [Upstream] CORS’s allowOrigins now fully supports the format defined by the gateway api v1.3.0 spec, including wildcards. (#11581)
• [Upstream] add hash policy to TrafficPolicy for configuring hashing loadbalancers (#11583)
• [Upstream] Adds the ability for resources to attach to policies defined in the global policy namespace when using targetSelectors. (#11585)
• [Upstream] Added comprehensive KGateway load testing framework implementing gateway-api-bench methodology with VCluster simulation for fake cluster resources, baseline (1000 routes) and production (5000 routes) performance tests measuring Gateway API control plane performance through incremental route testing with real traffic validation, event-driven monitoring for precise timing measurements, GitHub Actions integration for CI/CD workflows with optional release validation and nightly testing across multiple Kubernetes versions, Makefile targets for easy execution, VS Code debug configurations for development, and complete documentation. (#11598)
• [Upstream] Adds support for Envoy HealthCheck filter policy to HTTPListenerPolicy (#11629)
• [Upstream] Add OTel instrumentation for AI non-streaming requests following Gen AI semantic conventions (#11670)
• [Upstream] Use kgateway.dev/inherited-policy-priority: ShallowMergePreferParent instead of delegation.kgateway.dev/inherited-policy-priority: PreferParent and kgateway.dev/inherited-policy-priority: ShallowMergePreferChild instead of delegation.kgateway.dev/inherited-policy-priority: PreferChild, as annotations to define inherited policy priority for delegated routes. By default, child HTTPRoute policies take precedence over parent HTTPRoute policies for delegated routes. (#11675)
• [Upstream] CI: Adds support for running Gateway API Inference Extension conformance tests. (#11679)
• [Upstream] Add InsecureSkipVerify option to backendconfigpolicy. This allows for TLS without verifying server certificates. (#11743)
• [Upstream] Support traffic distribution modes to prefer endpoints close to the kgateway / waypoint with failover to other priorities. (#11793)
• [Upstream] Updated kgateway agentgateway integration to support the latest agentgateway. (#11816)
• [Upstream] Add option for preserving http1 header case to httplistenerpolicy (#11829)
• [Upstream] Add option to preserve http1 header casing in BackendConfigPolicy (#11836)
• [Upstream] Enable the IngressUseWaypoint feature by default. Users can still opt-out by setting an environment variable KGW_INGRESS_USE_WAYPOINTS to false. (#11857)
• [Upstream] Added DirectResponse Support in agentgateway (#11859)
• [Upstream] Add support for leader election. This is enabled by default and can be disabled by setting the disableLeaderElection setting (#11890)
• [Upstream] Adds disable field to extAuth, extProc, cors, buffer policies to allow disabling the policies per-route. (#11893)
• [Upstream] Adds topologySpreadConstraints to the Pod struct used in GatewayParameters in order to set the corresponding topologySpreadConstrains field in the gateway-proxy pod. (#11913)
• [Upstream] Added AWS Bedrock support for agentgateway. Bumped agentgateway to v0.7.3. (#11933)
• [Upstream] Extend the route replacement functionality so that when kgateway runs in STRICT mode it prevents invalid Envoy route configuration from ever reaching the proxies. It primarily covers HTTPRoute rules that either 1.) define invalid matchers (e.g. bad regular expressions) or 2.) use built-in Gateway API filters that translate into invalid Envoy xDS. (#11939)
• [Upstream] Inference: Replaces InferencePool v1alpha2 with v1 (#11965)
• [Upstream] TrafficPolicy supports configuring timeouts at the route level, and retries at the route and gateway listener level. (#11970)
• [Upstream] Add header modifiers, using the API from HTTPHeaderFilter, to TrafficPolicy resources. (#11985)
• [Upstream] Added support for extauth in agentgateway TrafficPolicies. (#11993)
• [Upstream] Expose acceptHttp10 and defaultHostForHttp10 options via httplistenerpolicy to accept incoming HTTP 1.0 and HTTP 0.9 requests. (#12009)
• [Upstream] Added custom configmap support for agentgatway. (#12013)
• [Upstream] Add support for resource attributes in OTel access logs (#12019)
• [Upstream] Expose envoy’s idle_timeout via HTTPListenerPolicy. (#12020)
• [Upstream] Supports passive health checking (outlier detection). (#12025)
• [Upstream] Support applying HPA for a gateway by setting a flag in the GatewayParameters (#12045)
• [Upstream] Added CEL-based rbac support. (#12054)
• [Upstream] Added agentgateway rbac support. (#12066)
• [Upstream] Adds support for a TrafficPolicy referencing a GatewayExtension in a different namespace than the policy using a new namespace field. (#12067)
• [Upstream] Added externaltrafficpolicy support. (#12089)
• [Upstream] Enables optional deep merging of extAuth, extProc, transformation policies in TrafficPolicy for policies attached to the same resource. Enables the ability to prioritize policies and GatewayExtensions using the kgateway.dev/policy-weight annotation. (#12111)
• [Upstream] Added the ability to configure additional resources to agentgateway syncer. Added the ability to configure ExtraVolumes and ExtraVolumeMount via GatewayParameters. (#12117)
• [Upstream] backendconfigpolicy: option to use system CA certs for TLS (#12149)
• [Upstream] Added support for specifying a backend annotation that will disable Istio auto-mtls for that backend when Istio is enabled (#12176)
• [Upstream] Added Transformation support in agentgateway (#12202)
• [Upstream] Add generic gRPC request timeout to GatewayExtension gRPC services Add failOpen support to all GatewayExtension external providers Change ExtProc GatewayExtension provider to failOpen by default (#12239)
• [Upstream] Add default support for graceful shutdown and zero-downtime rollout of gateway proxies. (#12242)
• [Upstream] Helm charts allow for specifying a rollout strategy for the controller; GatewayParameters allows for specifying a rollout strategy for Envoy. (#12247)
• [Upstream] Add various configuration options to the various external service providers in GatewayExtensions (#12252)
• [Upstream] Added statuses to TrafficPolicies in agentgateway. (#12256)
• [Upstream] Add “Accepted” column to TrafficPolicy and BackendConfigPolicy kubectl output for easier status monitoring (#12303)
• [Upstream] Rename agentgateway controller to kgateway.dev/agentgateway. Added separate xds port (agw-grpc-xds) for agentgateway. (#12323)
• [Upstream] Enable per-provider BackendTLSPolicy attachment for AI backends. (#12369)
• [Upstream] Allow downstreams to provide extra AgentgatewayPolicyStatusSyncHandler for policy status reporting with agentgateway (#12377)
• [Upstream] Added CEL validation to TrafficPolicy transformation policy when using agentgateway. (#12404)
• [Upstream] Deprecates GatewayParameters.FloatingUserId in favor of OmitDefaultSecurityContext (#12418)
• [Upstream] Bumps Gateway API dependency to v1.4.0. Gateway API CRDs should be updated to v1.4.0. BackendTLSPolicy is promoted from v1alpha3 to v1. (#12439)
• [Upstream] Updates gateway-api-inference-extension version to v1.0.1 (#12466)
• [Upstream] Uses JWT based authentication for xDS by default. (#12471)
• [Upstream] The new gateway.networking.k8s.io/gateway-class-name label is added to all resources created by Kgateway to represent which GatewayClass was responsible for creating the resource. (#12472)
• [Upstream] pkg/deployer now exports DeepMergeImage and DeepMergeSecurityContext (#12473)
• [Upstream] Introduce server-side TLS support for the xDS gRPC server. Users can enable this feature in the controller.xds.tls.enabled field in the helm values. When enabled, they must create a Secret with the kgateway-xds-cert name of type kubernetes.io/tls containing tls.crt, tls.key, and ca.crt. This feature is opt-in and is disabled by default. (#12498)
• [Upstream] Add version info and endpoint to the admin server (#12547)

Bug Fixes

• Fix a bug where RateLimitConfigs were assumed to always exist in the Gloo Gateway install namespace.
• Fix an issue where the namespaces for controller managed external services (e.g. ext-auth-server) was hardcoded to the gloo-gateway-system namespace. This limitation breaks installations that installed to custom namespaces and prevents native support for multiple GG control plane installations on the same cluster. The controller has been updated to remove the hardcoded assumption and properly support custom installation namespaces.
• Ensure the graceful shutdown on termination signals for the gloo-gateway controller component
• Fixed a bug which caused the EDS for a backend to have 0 endpoints on the gateway.
• Fixed gloo-agentgateway helm value merging for gloo-gateway deployer.
• Fix JWT validation option (validationPolicy field) being ignored with single provider
• Fixed an invalid Envoy config when not specifying path specifiers in the matcher. Renamed transformation request matcher for regex from safeRegex to regex.
• Fixed a panic in solo matcher filter with specific cases of prefixes in the transformation matcher
• Updated the remote jwks url validation rule
• Fixed support for kgateway v1alpha1.GatewayParameters.
• ExtAuth and RateLimiter resources will be cleaned up when those extensions are disabled via GlooGatewayParameters.
• Fix ability to use the jwt field as part of a booleanExpr in an AuthConfig
• Deploy gloo-ext-cache (redis) as a standalone extension instead of being tied to the rate-limit extension
• Fixed licensing requirements.
• Updated the stages of the JWT filters and the gloo ExtAuth to be earlier in the filter chain
• Fixed the agentgateway waypoint controller name.
• Fixes helm installation in the case of having just one license key
• Support of token-base LLM rate-limiting
• Bump kgateway to v2.1.0-main.0.20250926231554-6d73107c4ddf
• Improved gateway parameter handling to support configuration overrides for all gateway types including Agentgateway Waypoint, with code cleanup and enhanced testing.
• Install the agentgateway-enterprise-waypoint gateway class only when the agentgateway feature is enabled.
• Fixes bug in OmitDefaultSecurityContext when Gateway directly references parameters.
• [Upstream] Backend targeted policy such as BackendTLSPolicy can now target ServiceEntry either via the networking.istio.io/ServiceEntry group/kind, or the synthetic networking.istio.io/Hostname group/kind. (#11212)
• [Upstream] Turn off ambient DNS capture by default for kgateway-waypoint, fixing traffic loops in ServiceEntry with DNS resolution. (#11216)
• [Upstream] Gateways’ Status.Addresses will now include Spec.Addresses. This allows other controllers that rely on Status.Addresses to read what is specified for self-managed gateways. An example of this is Istio reading the address for a self-managed Waypoint. (#11311)
• [Upstream] Fix a bug where the AttachedListenerSets condition is sometimes incorrectly set. (#11321)
• [Upstream] Header modification now works on backendRefs inside http route rules. (#11336)
• [Upstream] bugfix: only Apply deployed objects if they are different. (#11338)
• [Upstream] Fix BackendTLSPolicy to use multiple targetRefs if provided (#11364)
• [Upstream] fix an issue with BackendConfigPolicy where Envoy would reject configuration if only CommonHttpProtocolOptions were specified (#11420)
• [Upstream] Fixed an issue where HTTPRoute status updates could fail when reporting translation errors. Previously, status updates would fail schema validation when routes had invalid configurations (like invalid path prefix matchers). Status conditions are now properly set with valid reason fields and detailed error messages. (#11427)
• [Upstream] Makes HTTPBackendRef.Port optional when referencing an InferencePool, ignoring the port if specified. (#11448)
• [Upstream] prevent BackendConfigPolicy with http1protocoloptions set from overwriting an http2 backend (#11449)
• [Upstream] Fixes deprecation warning by replacing deprecated MatchSubjectAltNames field with MatchTypedSubjectAltNames in TLS validation context for BackendConfigPolicy. (#11520)
• [Upstream] enforce max limit on HTTP/2 initial stream and connection window sizes, reporting an error on the policy if max is exceeded. (#11525)
• [Upstream] add validation to ensure maxRequestSize is greater than 0 (#11564)
• [Upstream] validate that HTTPRoute backendRef weights add to greater than zero (#11567)
• [Upstream] Parent HTTPRoutes with unresolved child routes will return a 500 direct response. (#11604)
• [Upstream] Fix HTTPRoute session persistence: marshal StatefulSessionPerRoute per‐route config instead of StatefulSession (#11618)
• [Upstream] fix: handle changing the value of the PerConnectionBufferLimitBytes annotation on the gateway (#11626)
• [Upstream] fix: correctly set Gateway listener status when protocol is unsupported (#11631)
• [Upstream] Support having ingress-use-waypoint on backend service alias namespace. (#11680)
• [Upstream] use lower case for log level and use JSON format for krt logs to be consistent (#11688)
• [Upstream] Adds retries to gateway controller and proxy syncer when updating Gateway status. (#11697)
• [Upstream] Correctly report status for attached policies and gatewayExtensions when only errors change (#11721)
• [Upstream] Validation improvements for TrafficPolicy rate limit descriptors (#11803)
• [Upstream] Fixed the agentgateway TCPRoutes. Fixed the label selector MCP route translation. (#11854)
• [Upstream] Fix consistent CI failures in GIE conformance tests (#11858)
• [Upstream] HTTPRoute status now correctly reflects error when referencing a missing extensionRef (#11883)
• [Upstream] Fixed an issue when dynamically modifying the traffic distribution won’t change the distribution. (#11953)
• [Upstream] Add error messages to ListenerSet status conditions (#12044)
• [Upstream] The data-plane backend builder now resolves endpoints from all pods that match the InferencePool’s selector. (#12050)
• [Upstream] - Implement listener precedence with listenersets

• Fix listenersets not to inherit gateway routes
• Updated status reporting on listenersets (#12091)

• [Upstream] Added support for listener and route rule policy attachment, bumped agentgateway to 0.7.8. (#12136)
• [Upstream] gateway translator: don’t add listener with no filter chains (#12165)
• [Upstream] Use DelayedInformer for BackendTLSPolicy to handle missing CRDs (#12178)
• [Upstream] Descriptive ResolvedRefs condition error message about specifying port in the backendRef (#12190)
• [Upstream] FIX CEL rule evaluation in Backend API for k8s <= 1.31. (#12194)
• [Upstream] Change ExtAuth ext_authz filter to the earlier AuthN stage in the chain (#12300)
• [Upstream] Validate the CA certificate referenced in BackendTLSPolicy (#12402)
• [Upstream] Fixed BackendConfigPolicy outlier detection interval validation to prevent “0s” values that cause Envoy NACKs. (#12403)
• [Upstream] Fixed BackendConfigPolicy TLS parsing to prevent nil pointer panic when minVersion or maxVersion is omitted. (#12409)
• [Upstream] Fix a bug caused by sharing a securityContext between Agentgateway and EnvoyContainer that leads to the gateway inheriting the Agentgateway’s securityContext instead of the EnvoyContainer’s securityContext (#12436)
• [Upstream] Fixed no access log when specific filter conditions were added to it (#12457)
• [Upstream] Fixes bugs with OmitDefaultSecurityContext and agentgateway and GatewayParameters attached to Gateways directly. (#12494)
• [Upstream] Make Bedrock model field optional to allow user-specified models, matching OpenAI/Anthropic behavior (#12514)
• [Upstream] Fix a bug where the volumeMounts were rendered in the proxy deployment when no volume mounts are defined (#12525)
• [Upstream] Fixes a bug where a user-defined GatewayParameters has a different probe from the default one, resulting in an invalid podTemplate with multiple probe actions for the given probe (#12526)

Deprecations

• [Upstream] Deprecated Envoy-based AI Gateway, Envoy-based Inference Extension, and Inference Extension auto-provisioning. (#12437)

Documentation

• [Upstream] Docs update for Helm values file descriptions. (#11350)
• [Upstream] Adds release workflow document. (#11542)

Cleanup

• Replace the usage of deprecated HeaderMatcher fields.
• [Upstream] Switching to Envoy’s /stats/prometheus?usedonly endpoint to only get statistics that Envoy has updated (counters incremented at least once, gauges changed at least once, and histograms added to at least once). (#11358)
• glooExtAuth.disable allows disabling all extAuth providers. Breaking change: glooJWT and glooRBAC use an empty struct value instead of bool value to disable the filters.
• Removes WAF-related API types and fields from the GlooTrafficPolicy CRD
• Bump envoy version to gloo-envoy-ee v1.35.0-patch1
• Set the default ratelimit service timeout to 100ms (increased from 20ms).
• Supports licensing via a manual Kubernetes Secret or via the gloo-gateway helm chart.
• Updated envoy to v1.35.2
• Bring in envoy-gloo changes to disable loading template file from transformation template by default.
• [Upstream] Add kgateway label to data plane pods (#11241)
• [Upstream] moved reusable parts of Deployer into pkg/deployer; default GatewayParameter values can be reused in downstream projects (#11377)
• [Upstream] rename ssl config to tls (#11401)
• [Upstream] remove HeadersWithUnderscoresAction from BackendConfigPolicy (#11440)
• [Upstream] Refactored settings test suites to use consistent standard library testing patterns (#11518)
• [Upstream] Bumps the inference extension CRDs to sync with upstream commit 842603b. (#11539)
• [Upstream] Update policy APIs to use pointer types for optional fields, and value types within slices. (#11606)
• [Upstream] Endpoint-picker:
• Rebuild InferencePool.status.parents deterministically, eliminating flapping.
• Reconcile InferencePool status based on HTTPRoute, Service, and InferencePool events.
• Honor HTTPBackendRef.namespace when matching pools.
• Avoid data races in Service reconciliation by using a mutex to lock inferencePool IR errors. (#11621)
• [Upstream] Inference: Bumps Kgateway to support release v0.5.0-rc.2 (#11715)
• [Upstream] Inference: Replaces deprecated AddToScheme() with Install() to install the Inference Extension v1alpha2 scheme. (#11729)
• [Upstream] API validation tests now log the output from kubectl apply when an unexpected error occurs, making it easier to debug failing test cases. (#11772)
• [Upstream] Inference: Added EPP fail-open support by refactoring the inference plugin to use static and subset load-balancing clusters. (#11810)
• [Upstream] remove insecureSkipVerify field from Backend and AI ssl validation (#11819)
• [Upstream] Tooling: Adds make targets for managing Gateway API and Gateway API Inference Extension dependencies. (#11830)
• [Upstream] Removed knative dependency for calculating the service FQDN. (#11861)
• [Upstream] Tooling: Splits up the setup Makefile target to support dev and released versions of kgateway. (#11921)
• [Upstream] The global ratelimit filter’s defaults have changed to failOpen=true and timeout=100ms. In addition, removed the statPrefix and turned off enableXRatelimitHeaders. (#12035)
• [Upstream] Bumped agentgateway to v0.7.5. (#12062)
• [Upstream] Bumps InferencePool to v1.0.0-rc.2. inferencePool.spec.endpointPickerRef.portNumber field has been replaced with inferencePool.spec.endpointPickerRef.port.number. (#12166)
• [Upstream] Updated envoy to v1.35.2 (#12209)
• [Upstream] Inference: Bumps the Gateway API Inference Extension (GIE) dependency from v1.0.0-rc.2 to v1.0.0. (#12241)
• [Upstream] Inference: Updates the agentgateway e2e test Helm values to include inference extension. (#12268)
• [Upstream] Report accurate Gateway Status conditions for types Accepted and Programmed based on Listener status. If a Gateway has a any Listener with a ListenerConditionProgrammed condition with a Status of false, the GatewayConditionAccepted on the Gateway will be reported with a “Status: true” and “Reason: ListenersNotValid” (#12290)
• [Upstream] Rename agentGateway to agentgateway for consistency in helm values. Rename GatewayParameters agentGateway field to agentgateway. (#12293)
• [Upstream] AI Backend API has been updated to simplify the API. Use ai.llm. instead of `ai.llm.provider.. Use ai.priorityGroups[].providers[] instead of ai.multipool.priorities[].pool[].provider. (#12327)
• [Upstream] If an XListenerSet has any Listener with a ListenerConditionProgrammed condition with a Status of false, the GatewayConditionAccepted on the XListenerSet will be reported with a “Status: true” and “Reason: ListenersNotValid” (#12342)
• [Upstream] Added gosec to the linter workflow. Fixed int types to follow Kubernetes Gateway API standards for primitive types. (#12358)
• [Upstream] Removed the SupportedVersion status condition from GatewayClass. (#12434)
• [Upstream] API client now uses the correct plural form of GatewayParameters (#12492)
• [Upstream] Disables creating the kgateway-waypoint gatewayclass if it is not enabled (#12519)
• [Upstream] Clean up references to GGv1 APIs in the examples folder (#12521)
• [Upstream] Fix reconcile bug where deployers would not reconcile on changes to parameters on the GatewayClass (#12534)
• [Upstream] Remove omitReplicas from GatewayParameters (#12548)
• [Upstream] As waypoint functionality is alpha, disable it by default. It can be enabled by setting the waypoint.enabled helm value to true (#12385)

Dependency Updates

• [Upstream] sigs.k8s.io/gateway-api bumped from v1.2.1 to 1.3.0 (#11263)

2.0.0-rc.3 link

Published on: 2025-10-10

Changes since 2.0.0-rc.2

Breaking Changes

• [Upstream] Bumps Gateway API dependency to v1.4.0. Previous Gateway API CRDs must be replaced with v1.4.0. API type changes must be manually converted. BackendTLSPolicy is promoted from v1alpha3 to v1. The v1alpha3 scheme is removed due to the BackendTLSPolicy promotion. Users must replace v1alpha3 instances of BackendTLSPolicy with v1 after installing the Gateway API v1.4.0 CRDs. (#12439)
• [Upstream] Updates gateway-api-inference-extension version to v1.0.1 and removes inferencepools.inference.networking.x-k8s.io CRD. (#12466)
• [Upstream] Remove omitReplicas from GatewayParameters. This is only an internal break for previous betas/RC versions (#12548)

New Features

• Convert GlooTrafficPolicy.spec.glooRateLimit.global.RateLimitConfigRef into a list of refs and rename it to RateLimitConfigRefs
• [Upstream] Uses JWT based authentcation for xDS by default. (#12471)
• [Upstream] The new gateway.networking.k8s.io/gateway-class-name label is added to all resources created by Kgateway to represent which GatewayClass was responsible for creating the resource. (#12472)
• [Upstream] pkg/deployer now exports DeepMergeImage and DeepMergeSecurityContext (#12473)
• [Upstream] Introduce server-side TLS support for the xDS gRPC server. Users can enable this feature in the controller.xds.tls.enabled field in the helm values. When enabled, they must create a Secret with the kgateway-xds-cert name of type kubernetes.io/tls containing tls.crt, tls.key, and ca.crt. This feature is opt-in and is disabled by default. (#12498)
• [Upstream] Add version info and endpoint to the admin server (#12547)

Bug Fixes

• Improved gateway parameter handling to support configuration overrides for all gateway types including Agentgateway Waypoint, with code cleanup and enhanced testing.
• Install the agentgateway-enterprise-waypoint gateway class only when the agentgateway feature is enabled.
• Fixes bug in OmitDefaultSecurityContext when Gateway directly references parameters.
• [Upstream] Fixed no access log when specific filter conditions were added to it (#12457)
• [Upstream] Fixes bugs with OmitDefaultSecurityContext and agentgateway and GatewayParameters attached to Gateways directly. (#12494)
• [Upstream] Make Bedrock model field optional to allow user-specified models, matching OpenAI/Anthropic behavior (#12514)
• [Upstream] Fix a bug where the volumeMounts were rendered in the proxy deployment when no volume mounts are defined (#12525)
• [Upstream] Fixes a bug where a user-defined GatewayParameters has a different probe from the default one, resulting in an invalid podTemplate with multiple probe actions for the given probe (#12526)

Cleanup

• Bring in envoy-gloo changes to disable loading template file from transformation template by default.
• [Upstream] Tooling: Splits up the setup Makefile target to support dev and released versions of kgateway. (#11921)
• [Upstream] API client now uses the correct plural form of GatewayParameters (#12492)
• [Upstream] Disables creating the kgateway-waypoint gatewayclass if it is not enabled (#12519)
• [Upstream] Clean up references to GGv1 APIs in the examples folder (#12521)
• [Upstream] Fix reconcile bug where deployers would not reconcile on changes to parameters on the GatewayClass (#12534)

2.0.0-rc.2 link

Published on: 2025-10-01

Changes since 2.0.0-rc.1

Breaking Changes

• Disable gloo-gateway-v2-waypoint to only allow agentgateway-enterprise-waypoint as the waypoint gatewayclass.
• [Upstream] As waypoint functionality is alpha, disable it by default. It can be enabled by setting the waypoint.enabled helm value to true (#12385)

New Features

• Allows for configuring extensions’ images.
• Support specifying omitReplicas in the GlooGatewayParameters to allow custom HPA control it
• API changes to GlooGatewayParameters to better support real-world configuration of extensions.
• Add support in the agentgateway syncer for basic status reporting on gloo traffic policies
• [Upstream] Add default support for graceful shutdown and zero-downtime rollout of gateway proxies. (#12242)
• [Upstream] Enable per-provider BackendTLSPolicy attachment for AI backends. (#12369)
• [Upstream] Allow downstreams to provide extra AgentgatewayPolicyStatusSyncHandler for policy status reporting with agentgateway (#12377)
• [Upstream] Added CEL validation to TrafficPolicy transformation policy when using agentgateway. (#12404)
• [Upstream] Deprecates GatewayParameters.FloatingUserId in favor of OmitDefaultSecurityContext (#12418)

Bug Fixes

• Updated the stages of the JWT filters and the gloo ExtAuth to be earlier in the filter chain
• Fixed the agentgateway waypoint controller name.
• Fixes helm installation in the case of having just one license key
• Support of token-base LLM rate-limiting
• Bump kgateway to v2.1.0-main.0.20250926231554-6d73107c4ddf
• [Upstream] Change ExtAuth ext_authz filter to the earlier AuthN stage in the chain (#12300)
• [Upstream] Validate the CA certificate referenced in BackendTLSPolicy (#12402)
• [Upstream] Fixed BackendConfigPolicy outlier detection interval validation to prevent “0s” values that cause Envoy NACKs. (#12403)
• [Upstream] Fixed BackendConfigPolicy TLS parsing to prevent nil pointer panic when minVersion or maxVersion is omitted. (#12409)
• [Upstream] Fix a bug caused by sharing a securityContext between Agentgateway and EnvoyContainer that leads to the gateway inheriting the Agentgateway’s securityContext instead of the EnvoyContainer’s securityContext (#12436)

Deprecations

• [Upstream] Deprecated Envoy-based AI Gateway, Envoy-based Inference Extension, and Inference Extension auto-provisioning. (#12437)

Cleanup

• [Upstream] Added gosec to the linter workflow. Fixed int types to follow Kubernetes Gateway API standards for primitive types. (#12358)
• [Upstream] Removed the SupportedVersion status condition from GatewayClass. (#12434)

2.0.0-rc.1 link

Published on: 2025-09-22

Changes since 2.0.0-beta.3

Breaking Changes

• Change gloo-agentgateway class name to agentgateway-enterprise.
• [Upstream] Add generic gRPC request timeout to GatewayExtension gRPC services Add failOpen support to all GatewayExtension external providers Change ExtProc GatewayExtension provider to failOpen by default (#12239)
• [Upstream] Rename agentGateway to agentgateway for consistency in helm values. Rename GatewayParameters agentGateway field to agentgateway. (#12293)

New Features

• Added support for agentgateway as a waypoint.
• Added AGENTGATEWAY_LICENSE_KEY for agentgateway license.
• [Upstream] Added the ability to configure additional resources to agentgateway syncer. Added the ability to configure ExtraVolumes and ExtraVolumeMount via GatewayParameters. (#12117)
• [Upstream] Added support for specifying a backend annotation that will disable Istio auto-mtls for that backend when Istio is enabled (#12176)
• [Upstream] Added Transformation support in agentgateway (#12202)
• [Upstream] Helm charts allow for specifying a rollout strategy for the controller; GatewayParameters allows for specifying a rollout strategy for Envoy. (#12247)
• [Upstream] Add various configuration options to the various external service providers in GatewayExtensions (#12252)
• [Upstream] Added statuses to TrafficPolicies in agentgateway. (#12256)
• [Upstream] Add “Accepted” column to TrafficPolicy and BackendConfigPolicy kubectl output for easier status monitoring (#12303)
• [Upstream] Rename agentgateway controller to kgateway.dev/agentgateway. Added separate xds port (agw-grpc-xds) for agentgateway. (#12323)

Bug Fixes

• Deploy gloo-ext-cache (redis) as a standalone extension instead of being tied to the rate-limit extension
• Fixed licensing requirements.

Cleanup

• Updated envoy to v1.35.2
• [Upstream] Tooling: Adds make targets for managing Gateway API and Gateway API Inference Extension dependencies. (#11830)
• [Upstream] Updated envoy to v1.35.2 (#12209)
• [Upstream] Inference: Bumps the Gateway API Inference Extension (GIE) dependency from v1.0.0-rc.2 to v1.0.0. (#12241)
• [Upstream] Inference: Updates the agentgateway e2e test Helm values to include inference extension. (#12268)
• [Upstream] Report accurate Gateway Status conditions for types Accepted and Programmed based on Listener status. If a Gateway has a any Listener with a ListenerConditionProgrammed condition with a Status of false, the GatewayConditionAccepted on the Gateway will be reported with a “Status: true” and “Reason: ListenersNotValid” (#12290)
• [Upstream] AI Backend API has been updated to simplify the API. Use ai.llm. instead of `ai.llm.provider.. Use ai.priorityGroups[].providers[] instead of ai.multipool.priorities[].pool[].provider. (#12327)
• [Upstream] If an XListenerSet has any Listener with a ListenerConditionProgrammed condition with a Status of false, the GatewayConditionAccepted on the XListenerSet will be reported with a “Status: true” and “Reason: ListenersNotValid” (#12342)

2.0.0-beta.3 link

Published on: 2025-09-08

Changes since 2.0.0-beta.2

New Features

• Add initial support for configuring agentgateway with GlooJWT traffic policies.
• Adds license logging for agentgateway.
• [Upstream] backendconfigpolicy: option to use system CA certs for TLS (#12149)

Bug Fixes

• Fixed support for kgateway v1alpha1.GatewayParameters.
• ExtAuth and RateLimiter resources will be cleaned up when those extensions are disabled via GlooGatewayParameters.
• Fix ability to use the jwt field as part of a booleanExpr in an AuthConfig
• [Upstream] gateway translator: don’t add listener with no filter chains (#12165)
• [Upstream] Use DelayedInformer for BackendTLSPolicy to handle missing CRDs (#12178)
• [Upstream] Descriptive ResolvedRefs condition error message about specifying port in the backendRef (#12190)
• [Upstream] FIX CEL rule evaluation in Backend API for k8s <= 1.31. (#12194)

Cleanup

• [Upstream] Bumps InferencePool to v1.0.0-rc.2. inferencePool.spec.endpointPickerRef.portNumber field has been replaced with inferencePool.spec.endpointPickerRef.port.number. (#12166)

2.0.0-beta.2 link

Published on: 2025-08-29

Changes since 2.0.0-beta.1

Breaking Changes

• [Upstream] Inference: Replaces InferencePool v1alpha2 with v1 (#11965)

New Features

• Adds a helm chart: gloo-gateway-dashboards, to deploy monitoring dashboards which can be automatically detected by kube-prometheus-stack.
• Added agentgateway extauth support.
• [Upstream] Added comprehensive KGateway load testing framework implementing gateway-api-bench methodology with VCluster simulation for fake cluster resources, baseline (1000 routes) and production (5000 routes) performance tests measuring Gateway API control plane performance through incremental route testing with real traffic validation, event-driven monitoring for precise timing measurements, GitHub Actions integration for CI/CD workflows with optional release validation and nightly testing across multiple Kubernetes versions, Makefile targets for easy execution, VS Code debug configurations for development, and complete documentation. (#11598)
• [Upstream] Expose envoy’s idle_timeout via HTTPListenerPolicy. (#12020)
• [Upstream] Added CEL-based rbac support. (#12054)
• [Upstream] Added agentgateway rbac support. (#12066)
• [Upstream] Enables optional deep merging of extAuth, extProc, transformation policies in TrafficPolicy for policies attached to the same resource. Enables the ability to prioritize policies and GatewayExtensions using the kgateway.dev/policy-weight annotation. (#12111)
• Supports licensing via a manual Kubernetes Secret or via the gloo-gateway helm chart.

Bug Fixes

• Fixed an invalid Envoy config when not specifying path specifiers in the matcher. Renamed transformation request matcher for regex from safeRegex to regex.
• Updated the remote jwks url validation rule
• [Upstream] - Implement listener precedence with listenersets

• Fix listenersets not to inherit gateway routes
• Updated status reporting on listenersets (#12091)

• [Upstream] Added support for listener and route rule policy attachment, bumped agentgateway to 0.7.8. (#12136)

2.0.0-beta.1 link

Published on: 2025-08-25

Changes since 2.0.0-alpha.4

New Features

• Add support for configuring nodeSelector, affinity (including the antiAffinity sub field), tolerations, and topologySpreadConstraints for shared resources via GatewayParameters
• Adds support for a GlooTrafficPolicy referencing a GatewayExtension in a different namespace than the policy using a new namespace field.
• [Upstream] Add OTel instrumentation for AI non-streaming requests following Gen AI semantic conventions (#11670)
• [Upstream] Added DirectResponse Support in agentgateway (#11859)
• [Upstream] Add support for leader election. This is enabled by default and can be disabled by setting the disableLeaderElection setting (#11890)
• [Upstream] Added AWS Bedrock support for agentgateway. Bumped agentgateway to v0.7.3. (#11933)
• [Upstream] Extend the route replacement functionality so that when kgateway runs in STRICT mode it prevents invalid Envoy route configuration from ever reaching the proxies. It primarily covers HTTPRoute rules that either 1.) define invalid matchers (e.g. bad regular expressions) or 2.) use built-in Gateway API filters that translate into invalid Envoy xDS. (#11939)
• [Upstream] TrafficPolicy supports configuring timeouts at the route level, and retries at the route and gateway listener level. (#11970)
• [Upstream] Add header modifiers, using the API from HTTPHeaderFilter, to TrafficPolicy resources. (#11985)
• [Upstream] Added support for extauth in agentgateway TrafficPolicies. (#11993)
• [Upstream] Expose acceptHttp10 and defaultHostForHttp10 options via httplistenerpolicy to accept incoming HTTP 1.0 and HTTP 0.9 requests. (#12009)
• [Upstream] Added custom configmap support for agentgatway. (#12013)
• [Upstream] Add support for resource attributes in OTel access logs (#12019)
• [Upstream] Supports passive health checking (outlier detection). (#12025)
• [Upstream] Support applying HPA for a gateway by setting a flag in the GatewayParameters (#12045)
• [Upstream] Adds support for a TrafficPolicy referencing a GatewayExtension in a different namespace than the policy using a new namespace field. (#12067)
• [Upstream] Added externaltrafficpolicy support. (#12089)

Bug Fixes

• Fix JWT validation option (validationPolicy field) being ignored with single provider
• Fixed a panic in solo matcher filter with specific cases of prefixes in the transformation matcher
• [Upstream] Fixed an issue when dynamically modifying the traffic distribution won’t change the distribution. (#11953)
• [Upstream] Add error messages to ListenerSet status conditions (#12044)
• [Upstream] The data-plane backend builder now resolves endpoints from all pods that match the InferencePool’s selector. (#12050)

Cleanup

• Bump envoy version to gloo-envoy-ee v1.35.0-patch1
• Set the default ratelimit service timeout to 100ms (increased from 20ms).
• [Upstream] The global ratelimit filter’s defaults have changed to failOpen=true and timeout=100ms. In addition, removed the statPrefix and turned off enableXRatelimitHeaders. (#12035)
• [Upstream] Bumped agentgateway to v0.7.5. (#12062)

2.0.0-alpha.4 link

Published on: 2025-08-12

Changes since 2.0.0-alpha.3

Breaking Changes

• [Upstream] remove insecureSkipVerify field from Backend and AI ssl validation (#11819)
• [Upstream] Adds disable field to extAuth, extProc, cors, buffer policies to allow disabling the policies per-route. Breaking change: extAuth.enablement has been removed in favor of extAuth.disable. (#11893)

New Features

• Implements gloo-gateway control plane metrics using the upstream pkg/metrics library from kgateway.
• The GlooTrafficPolicy plugin now respects the route replacement mode setting (KGW_ROUTE_REPLACEMENT_MODE). When in strict mode, the plugin performs additional validation to catch invalid configurations before they reach Envoy. Invalid policies that would cause Envoy to NACK at runtime (e.g. malformed templates) will now be replaced with a direct response (HTTP 500) and report clear status conditions. This prevents fail-open scenarios where invalid policies could allow unintended traffic.
• Add FIPS builds for all components
• Add helm fields to the CRD chart to allow conditional install of extension CRDs. New fields installExtAuthCRDs & installRateLimitCRDs are available.
• This change allows users to define actions in the RateLimitConfig spec’s raw.rateLimits field, with a GlooTrafficPolicy that references this resource in the spec’s glooRateLimit.global.rateLimitConfigRef field. Users can now specify rate limit descriptors and actions in the same RateLimitConfig resource.
• [Upstream] CI: Adds support for running Gateway API Inference Extension conformance tests. (#11679)
• [Upstream] Add InsecureSkipVerify option to backendconfigpolicy. This allows for TLS without verifying server certificates. (#11743)
• [Upstream] Support traffic distribution modes to prefer endpoints close to the kgateway / waypoint with failover to other priorities. (#11793)
• [Upstream] Updated kgateway agentgateway integration to support the latest agentgateway. (#11816)
• [Upstream] Add option for preserving http1 header case to httplistenerpolicy (#11829)
• [Upstream] Add option to preserve http1 header casing in BackendConfigPolicy (#11836)
• [Upstream] Enable the IngressUseWaypoint feature by default. Users can still opt-out by setting an environment variable KGW_INGRESS_USE_WAYPOINTS to false. (#11857)
• [Upstream] Adds topologySpreadConstraints to the Pod struct used in GatewayParameters in order to set the corresponding topologySpreadConstrains field in the gateway-proxy pod. (#11913)

Bug Fixes

• Fixed a bug which caused the EDS for a backend to have 0 endpoints on the gateway.
• Fixed gloo-agentgateway helm value merging for gloo-gateway deployer.
• [Upstream] Adds retries to gateway controller and proxy syncer when updating Gateway status. (#11697)
• [Upstream] Validation improvements for TrafficPolicy rate limit descriptors (#11803)
• [Upstream] Fixed the agentgateway TCPRoutes. Fixed the label selector MCP route translation. (#11854)
• [Upstream] Fix consistent CI failures in GIE conformance tests (#11858)
• [Upstream] HTTPRoute status now correctly reflects error when referencing a missing extensionRef (#11883)

Cleanup

• glooExtAuth.disable allows disabling all extAuth providers. Breaking change: glooJWT and glooRBAC use an empty struct value instead of bool value to disable the filters.
• [Upstream] Endpoint-picker:
• Rebuild InferencePool.status.parents deterministically, eliminating flapping.
• Reconcile InferencePool status based on HTTPRoute, Service, and InferencePool events.
• Honor HTTPBackendRef.namespace when matching pools.
• Avoid data races in Service reconciliation by using a mutex to lock inferencePool IR errors. (#11621)
• [Upstream] API validation tests now log the output from kubectl apply when an unexpected error occurs, making it easier to debug failing test cases. (#11772)
• [Upstream] Inference: Added EPP fail-open support by refactoring the inference plugin to use static and subset load-balancing clusters. (#11810)
• [Upstream] Removed knative dependency for calculating the service FQDN. (#11861)