Release notes
Review summaries of the main changes in the Solo Enterprise for kgateway 2.1 release.
General information
The release notes on this page cover the new features that were introduced in 2.1.x.
The release notes include important installation changes and known issues. They also highlight ways that you can take advantage of new features or enhancements to improve your product usage.
For more information, see the following related resources:
- Kgateway OSS release notes: Release notes for the kgateway open source project that Solo Enterprise for kgateway depends on.
- Upgrade guide: Steps to upgrade from the previous minor version to the current version.
- Version reference: Information about Solo’s version support.
🔥 Breaking changes
Review details about the following breaking changes. The severity is intended as a guide to help you assess how much attention to pay to this area during the upgrade, but can vary depending on your environment.
🚨 High
Review severe changes that can impact production and require manual intervention.
New: Solo Enterprise for kgateway
Starting in 2.1, Gloo Gateway is renamed to Solo Enterprise for kgateway, an enterprise version of the kgateway open source project version 2.2. The update standardizes Solo.io’s branding by removing Gloo from all resources, such as Kubernetes custom resource definitions (CRDs) and Helm charts.
You can still access the documentation of previous versions of Gloo Gateway here. However, keep in mind that Solo Enterprise for kgateway version 2.1 is the recommended version for Kubernetes Gateway API support.
Migrate your Gloo 2.0 resources to Solo Enterprise for kgateway 2.1
Review the rest of these release notes for any other changes that you want to prepare before you upgrade.
Upgrade from Gloo Gateway to Solo Enterprise for kgateway.
Separate product: Solo Enterprise for agentgateway
Previously, the Solo Enterprise for agentgateway product was included in Gloo Gateway and could be enabled during the Gloo Gateway installation. Now, Solo Enterprise for agentgateway is separated into its own product with product-specific Helm charts, controllers, APIs, GatewayClasses, and more. You cannot use Solo Enterprise for kgateway to manage both Envoy-based kgateway and agentgateway data plane proxies. However, you can install both products separately, depending on your use case.
You can no longer use Gloo Gateway-specific resources, such as GlooGatewayParameters, GlooTrafficPolicy, or Gloo Gateway Helm charts to configure agentgateway resources. You must use Solo Enterprise for agentgateway-specific resources instead.
To upgrade any existing agentgateway proxies, refer to the upgrade guide in the Solo Enterprise for agentgateway docs.
External auth fail-closed
External auth policies now fail closed when the backendRef to the auth server is invalid. This way, requests are rejected if the auth server cannot be reached or is misconfigured. Before upgrading, ensure that all external auth backend references are valid and reachable.
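A pre-upgrade check for this change, added here as an example and not taken from the Solo documentation: it reads the JSON that `kubectl get gatewayextensions,services -A -o json` is assumed to return and reports every ExtAuth backendRef that does not resolve to an existing Service and port. The `httpService` path is the one shown later on this page; `grpcService`, the namespace defaulting, and the sample data are assumptions. The check covers existence only, not network reachability.

```python
import json

# Constructed sample in the shape of `kubectl get gatewayextensions,services -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Service", "metadata": {"namespace": "kgateway-system", "name": "ext-authz"},
  "spec": {"ports": [{"port": 8080}]}},
 {"kind": "GatewayExtension", "metadata": {"namespace": "kgateway-system", "name": "basic-ext-auth"},
  "spec": {"type": "ExtAuth", "extAuth": {"httpService": {"backendRef": {"name": "ext-authz", "port": 8080}}}}},
 {"kind": "GatewayExtension", "metadata": {"namespace": "kgateway-system", "name": "wrong-port"},
  "spec": {"type": "ExtAuth", "extAuth": {"grpcService": {"backendRef": {"name": "ext-authz", "port": 4444}}}}},
 {"kind": "GatewayExtension", "metadata": {"namespace": "apps", "name": "stale-ref"},
  "spec": {"type": "ExtAuth", "extAuth": {"httpService": {"backendRef": {"name": "ext-authz", "port": 8080}}}}}
]}
""")


def dangling_extauth_refs(kube_list):
    """Return (extension, reason) pairs for ExtAuth backendRefs that do not resolve."""
    items = kube_list.get("items", [])
    # Index every Service as (namespace, name) -> set of exposed ports.
    services = {
        (i["metadata"].get("namespace", "default"), i["metadata"]["name"]):
            {p.get("port") for p in i.get("spec", {}).get("ports", [])}
        for i in items if i.get("kind") == "Service"
    }
    findings = []
    for item in items:
        ext = item.get("spec", {}).get("extAuth")
        if item.get("kind") != "GatewayExtension" or ext is None:
            continue
        ns = item["metadata"].get("namespace", "default")
        ident = f'{ns}/{item["metadata"]["name"]}'
        # httpService is the form on this page; grpcService is an assumed field name.
        ref = (ext.get("httpService") or ext.get("grpcService") or {}).get("backendRef") or {}
        if not ref.get("name"):
            findings.append((ident, "no backendRef name"))
            continue
        # Assumption: a backendRef without a namespace points into the extension's namespace.
        key = (ref.get("namespace", ns), ref["name"])
        if key not in services:
            findings.append((ident, f"Service {key[0]}/{key[1]} not found"))
        elif ref.get("port") not in services[key]:
            findings.append((ident, f"Service {key[0]}/{key[1]} has no port {ref.get('port')}"))
    return findings


if __name__ == "__main__":
    for ident, reason in dangling_extauth_refs(SAMPLE):
        print(f"FAIL-CLOSED RISK  {ident}: {reason}")
```

Any extension the function reports would cause requests on the routes that use it to be rejected after the upgrade.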
🔔 Medium
Review changes that might impact production and require manual intervention, but possibly not until the next version is released.
HTTPListenerPolicy deprecated
The HTTPListenerPolicy is deprecated. Use the httpSettings field under the ListenerPolicy instead. The HTTPListenerPolicy CRD will be removed in a future release. Migrate your HTTP listener configurations to the unified ListenerPolicy API.
For more information, see ListenerPolicy.
PerConnectionBufferLimit annotation deprecated
The PerConnectionBufferLimit annotation on Gateway resources is deprecated. Use the perConnectionBufferLimit field in the ListenerPolicy instead for configuring per-connection buffer limits.
For more information, see Buffering.
ℹ️ Low
Review informational updates that you might want to implement but that are unlikely to materially impact production.
No low impact changes are included in the release.
⚒️ Installation changes
In addition to comparing differences across versions in the changelog, review the following installation changes from the previous minor version to version .
New Helm charts
With the separation from Gloo Gateway, Solo Enterprise for kgateway now provides its own Helm charts to install the control and data plane. To find the new Helm charts, see the breaking changes.
For instructions on installing Solo Enterprise for kgateway with the new Helm charts, see the Get started, Install, or Upgrade guides.
Experimental Gateway API features gated by default
A new setting, KGW_ENABLE_GATEWAY_API_EXPERIMENTAL_FEATURES, is introduced to gate experimental Gateway API features and APIs, including TCPRoute and TLSRoute. This setting defaults to true in this release. If you are using experimental Gateway API features, make sure that this environment variable is set to true on the controller deployment.
To install Solo Enterprise for kgateway with experimental Gateway API support, use this command:
helm upgrade -i enterprise-kgateway oci://us-docker.pkg.dev/solo-public/enterprise-kgateway/charts/enterprise-kgateway \
-n kgateway-system \
--version 2.1.0 \
--set-string licensing.licenseKey=$LICENSE_KEY \
--set controller.extraEnv.KGW_ENABLE_GATEWAY_API_EXPERIMENTAL_FEATURES=true
🌟 New features
Review the following new features that are introduced in version and that you can enable in your environment.
Downstream mTLS
Configure mutual TLS (mTLS) for downstream connections between clients and the gateway. This feature allows you to require client certificates during the TLS handshake for enhanced security.
Additionally, use the kgateway.dev/verify-subject-alt-names and kgateway.dev/verify-certificate-hash annotations to limit connections to clients that can present a TLS certificate with a specific Subject Alternative Name and certificate hash.
For more information, see the mTLS listener guide.
Additional TLS settings
You can now configure cipher suites, ECDH curves, minimum TLS version, and maximum TLS version by using annotations on the Gateway.
For more information, see Additional TLS settings.
Circuit breakers
Circuit breaker configuration is added to the BackendConfigPolicy, enabling automatic failure detection and traffic protection for unhealthy backends.
For more information, see Circuit breakers.
ProxyProtocol
Preserve a client’s IP address to ensure that upstream services receive the full network information, even when traffic is proxied through other components, such as an AWS Network Load Balancer or the gateway proxy itself.
For more information, see Proxy protocol.
API key authentication with secrets
Store API keys in a Kubernetes secret and configure EnterpriseKgatewayTrafficPolicy to use the credentials from the secret. For more information, see API keys.
Max request headers size
The maxRequestHeadersKb field is added to ListenerPolicy for controlling the maximum size of request headers as shown in the following example.
kubectl apply -f- <<EOF
apiVersion: gateway.kgateway.dev/v1alpha1
kind: ListenerPolicy
metadata:
  name: remove-header
  namespace: kgateway-system
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: http
  default:
    httpSettings:
      maxRequestHeadersKb: 30
EOF
For more information, see the API docs.
Request ID configuration
You can use the preserveExternalRequestId and generateRequestId fields in the ListenerPolicy to control request ID generation and preservation behavior as shown in the following example.
kubectl apply -f- <<EOF
apiVersion: gateway.kgateway.dev/v1alpha1
kind: ListenerPolicy
metadata:
  name: remove-header
  namespace: kgateway-system
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: http
  default:
    httpSettings:
      preserveExternalRequestId: true
      generateRequestId: true
EOF
For more information, see the API docs.
Response compression and request decompression
Reduce bandwidth usage and improve performance by using gzip response compression and request decompression as shown in the following example.
apiVersion: enterprisekgateway.solo.io/v1alpha1
kind: EnterpriseKgatewayTrafficPolicy
metadata:
  name: route-compression
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
  compression:
    responseCompression: {}
For more information, see the API docs.
Regex path rewrite
Regex-based path rewriting is supported, enabling advanced URL transformation capabilities.
Airgap install
You can install Solo Enterprise for kgateway in an airgapped environment. For more information, see the Install in airgapped environments guide.
HTTP ExtAuth support
You can now integrate with external auth services that support the HTTP protocol. Previously, only gRPC services were supported.
kubectl apply -f - <<EOF
apiVersion: gateway.kgateway.dev/v1alpha1
kind: GatewayExtension
metadata:
  namespace: kgateway-system
  name: basic-ext-auth
  labels:
    app: ext-authz
spec:
  type: ExtAuth
  extAuth:
    httpService:
      backendRef:
        name: ext-authz
        port: 8080
EOF
Global JWT policy disable
A global disable option is added for JWT policies, allowing routes to selectively opt out of gateway-level JWT authentication requirements.
apiVersion: enterprisekgateway.solo.io/v1alpha1
kind: EnterpriseKgatewayTrafficPolicy
metadata:
  name: jwt-policy-disabled
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
  jwtAuth:
    disable: {}
TLS termination for TCPRoutes
TLS termination is now supported for TCPRoute resources, allowing encrypted TCP connections to be decrypted on the gateway as shown in the following example.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tls-listener-tcp-gateway
spec:
  gatewayClassName: enterprise-kgateway
  listeners:
  - name: listener-8443
    protocol: TLS
    port: 8443
    hostname: example.com
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: tls-secret
    allowedRoutes:
      kinds:
      - kind: TCPRoute
Early request header modification
With early request header modification, you can add, set, or remove HTTP request headers at the listener level, before route selection and other request processing occurs.
For more information, see Early request header modification.
EnterpriseListenerSets CRD installation option
A new installEnterpriseListenerSetCRD Helm flag is added to install the EnterpriseListenerSets API as a stable alternative to XListenerSet. This CRD installation is disabled by default. Set this flag to true to enable the EnterpriseListenerSets API as shown in the following command.
helm upgrade -i enterprise-kgateway oci://us-docker.pkg.dev/solo-public/enterprise-kgateway/charts/enterprise-kgateway \
-n kgateway-system \
--version 2.1.0 \
--set-string licensing.licenseKey=$LICENSE_KEY \
--set installEnterpriseListenerSetCRD=true
Custom HTTP redirect status codes
Use the kgateway.dev/http-redirect-status-code annotation to configure allowed HTTP redirect status codes. This setting overrides the status code that is set in the RequestRedirect filter of the HTTPRoute as shown in the following example.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: route-level-override
  annotations:
    kgateway.dev/http-redirect-status-code: "307"
spec:
  parentRefs:
  - name: http
  hostnames:
  - "route-level-override.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /rule0
    filters:
    - type: RequestRedirect
      requestRedirect:
        statusCode: 301
  - matches:
    - path:
        type: PathPrefix
        value: /rule1
    filters:
    - type: RequestRedirect
      requestRedirect:
        statusCode: 302