
Release Announcement TEG 1.7

Date: March 19, 2026

Info: Please ensure you upgrade to version 1.7.0 by September 1, 2026.

New Feature Highlights

Tetrate Enterprise Gateway (TEG) 1.7.0 is a FIPS-verified distribution of Envoy Gateway 1.7.1 and includes new traffic management capabilities, enhanced security controls, richer observability, and infrastructure improvements, along with critical security patches and bug fixes.

This release combines the feature set from:

  • Envoy Gateway 1.7.0
  • Envoy Gateway 1.7.1 (security + stability patch)

Tip: If you are on TEG 1.6.x and not already on 1.7.0, we recommend upgrading directly to 1.7.0.

Traffic Handling

  • WAF in MergedGateway Mode: Added support for ExtendedSecurityPolicy with merged gateways. ExtendedSecurityPolicy can now target a GatewayClass to apply to all Gateways of that class in mergedGateway deployment mode.
  • Conditional Header Addition: Added addIfAbsent header action in ClientTrafficPolicy EarlyRequestHeaders and LateResponseHeaders to add headers only when they don't already exist.
  • Cookie-Based Route Matching: Added cookie matching support to HTTPRouteFilter matches, combined with HTTPRoute rule matches.
  • Compression Threshold: Configure minimum response size for compression via minContentLength field in BackendTrafficPolicy.
  • Per-Backend URL Rewrite: Added support for URLRewrite filter on individual backendRefs.
  • Global Rate Limit Shadow Mode: Evaluate global rate limiting rules without enforcing them, enabling safe rollout of rate limit policies.
  • Pattern-Based Header Removal: Remove headers based on matching criteria (Exact, Prefix, Suffix, RegularExpression) in ClientTrafficPolicy EarlyRequestHeaders and LateResponseHeaders.
  • Backend Traffic Splitting: Added support for weight in BackendRef API to enable traffic splitting for non-xRoute resources.

Security Controls

  • Lua Runtime Restrictions: Lua scripts configured through EnvoyExtensionPolicy are now restricted from accessing critical system resources. The gateway controller applies safe defaults and resource limits to the Lua runtime, and Lua can be disabled entirely.

Security Updates in 1.7.1

  • Envoy Proxy upgraded to v1.37.1 addressing several security issues and bug fixes. For more details, see the Envoy Proxy v1.37.1 release notes.
  • Go runtime updated to 1.25.8 with security fixes for the go command and the crypto/tls package.
  • Envoy ratelimit image bumped to c8765e89 with security fixes for Go.

Observability

  • Flexible Access Log Format: Specify both text (body) and attributes in access log format by making the type field optional.
  • OTLP Resource Attributes: Added support for resource attributes on OTLP metrics and tracing sinks via the resources field.
  • Enhanced Tracing Tags: Use Envoy string command operators such as %ENVIRONMENT(...)% in tracing tags.
  • TLS Telemetry Backends: Added support for TLS-secured gRPC backends for telemetry data.
  • Custom Span Names: Configure custom span names for distributed tracing.
  • Custom OTLP Export Headers: Added support for custom headers on OTLP exports (metrics, tracing, access logs).

Management & Operations

  • XListenerSet API (Experimental): Define listeners in a separate resource and attach them to a Gateway. Supports HTTPRoute (HTTP/HTTPS), GRPCRoute, TLSRoute, TCPRoute, and UDPRoute. Enabled via the XListenerSet flag in EnvoyGateway configuration.
  • Configurable Initial Fetch Timeout: Set default initial_fetch_timeout to 0s, with support for updating it in the bootstrap configuration.
  • Pod Priority Classes: Added priorityClassName support in KubernetesPodSpec for Envoy Proxy pods.
  • Deprecated Field Warnings: Set warning status condition for deprecated fields in xPolicy CRDs.
  • Scheme Header Transformation: Configure the scheme field in ClientTrafficPolicy to match backend transport protocol, allowing gateways with HTTP listeners to proxy to HTTPS services without protocol errors.

Performance Improvements

  • Deterministic IR Comparison: Converted IR map fields to slices to ensure deterministic DeepEqual.
  • Reduced Memory Usage: Included only needed keys in Secret and ConfigMap data to reduce memory footprint.

Deprecations

  • OpenTelemetry access log resources field is deprecated; use resourceAttributes instead.

Bug Fixes (Major Highlights)

  • Fixed ratelimit ConfigMap and HPA not being cleaned up when the parent envoy-gateway Deployment was deleted
  • Fixed SecurityPolicy route-target status including unmanaged Gateway parents when HTTPRoute had mixed parentRefs
  • Fixed API key authentication dropping non-first client IDs when credential Secrets contain multiple keys
  • Fixed XListenerSet not allowing xRoutes from the same namespace when configured to allow them
  • Fixed local object reference resolution from parent policy in merged BackendTrafficPolicies
  • Fixed computeHosts not working when both listener and route had wildcard hostnames
  • Fixed endpoint hostname not being respected during active health checks
  • Fixed route and policy status aggregation across multiple GatewayClasses, so resources preserve status from all relevant parents and ancestors
  • Fixed ConnectionLimit not using the Envoy default value when Value was absent
  • Fixed TCPRoute not correctly handling mTLS settings
  • Fixed controller pods reporting as ready before successful cache sync
  • Fixed wrong cluster type selection when an HTTPRoute mixes Service backends with Backend (FQDN) references
  • Fixed route match rule order when merging with empty path match
  • Fixed HTTP/3 listeners not handling multiple hostnames
  • Fixed 500 errors caused by partially invalid BackendRefs; traffic is now correctly routed between valid backends
  • Fixed configured OIDC authorization endpoint being overridden by discovered endpoints from issuer's well-known URL

Summary

TEG 1.7.0 delivers flexible traffic management, stronger security defaults, richer observability, and improved operational tooling—making it a compelling upgrade for enterprises running mission-critical API and AI workloads.

Key Benefits:

  • Enhanced traffic control with conditional headers, cookie matching, per-backend rewrites, and rate limit shadow mode
  • Stronger security posture with Lua runtime restrictions, CVE-patched Envoy v1.37.1, and Go 1.25.8
  • Richer observability with flexible access log formats, OTLP resource attributes, and custom tracing spans
  • Better infrastructure management with XListenerSet, pod priority classes, and scheme header transformation
  • Improved reliability with 15+ bug fixes across routing, mTLS, health checks, and status aggregation

Upgrade to TEG 1.7.0 to take full advantage of these improvements.


Upgrade Guidance

Be aware of the following breaking changes when upgrading from 1.6 → 1.7.

Breaking Changes

  • HTTP Filter Ordering Changed:
    • Default HTTP filter ordering now places envoy.filters.http.custom_response first, which can change the behavior of local replies and header processing.
  • Prometheus Metrics stats_tags Changed:
    • Default stats_tags values have been updated. Affected metrics: envoy_cluster_*_rq_time_count, envoy_cluster_*_total_match_count, envoy_cluster_circuit_breakers_*_cx_open.
  • Accept-Encoding Header Removed:
    • Removed from requests to backends when compression is enabled to avoid double compression.
  • RequestMirror + DirectResponse/RequestRedirect:
    • HTTPRoute Accepted status is set to False when RequestMirror filter is used together with DirectResponse or RequestRedirect filters.
  • Host-Rewrite With Dynamic Resolver Backend:
    • When an HTTPRoute rule is configured with host-rewrite filters and routes to a Dynamic Resolver backend, the rewritten Host header is used for both DNS resolution and as the Host header in upstream requests.
  • Invalid Filters Return 500:
    • Direct responses for HTTPRoute and GRPCRoute with invalid filters now return 500.
  • OAuth2 Filter Metrics Stat Prefix:
    • The SecurityPolicy name has been added to the stat prefix for OAuth2 filter metrics.

Manual Migration Steps from 1.6 → 1.7.0

1. Update Gateway-API and Envoy Gateway CRDs

helm pull oci://docker.io/tetrate/teg-envoy-gateway-helm --version v1.7.0 --untar

kubectl apply --force-conflicts --server-side \
-f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/gatewayapi-crds.yaml

kubectl apply --force-conflicts --server-side \
-f ./teg-envoy-gateway-helm/charts/gateway-helm/crds/generated

2. Upgrade Tetrate Enterprise Gateway

helm upgrade teg \
oci://docker.io/tetrate/teg-envoy-gateway-helm \
--version v1.7.0 \
-n envoy-gateway-system

3. Post-Upgrade Validation

  • Review HTTP filter ordering changes and test local reply / header processing behavior
  • Verify Prometheus metrics dashboards for updated stats_tags values
  • Test compression behavior if relying on Accept-Encoding header passthrough
  • Validate HTTPRoutes using RequestMirror combined with DirectResponse or RequestRedirect
  • Check OIDC/OAuth2 monitoring for updated stat prefix in metrics
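The two breaking changes that are easiest to miss before an upgrade are the RequestMirror + DirectResponse/RequestRedirect rejection and the host-rewrite-to-Dynamic-Resolver behaviour change, both of which depend on how existing HTTPRoutes are wired. The script below is an added example (not code from the TEG or Envoy Gateway projects) that audits the JSON printed by `kubectl get httproute,httproutefilter,backend -A -o json` for rules affected by either change, so it can be run before step 1 and again as part of the post-upgrade validation. It assumes the Envoy Gateway v1alpha1 field names `HTTPRouteFilter.spec.directResponse` and `Backend.spec.type: DynamicResolver`, which this page does not state; the embedded sample cluster data is constructed.

```python
"""Audit HTTPRoutes for the TEG 1.6 -> 1.7 breaking changes (added example).

Input is the List printed by
  kubectl get httproute,httproutefilter,backend -A -o json
Assumed (not from the release notes): HTTPRouteFilter.spec.directResponse and
Backend.spec.type == "DynamicResolver" are the Envoy Gateway v1alpha1 fields.
"""
import json
import sys

MIRROR_WITH_TERMINAL = "RequestMirror combined with RequestRedirect/DirectResponse: Accepted=False in 1.7"
HOST_REWRITE_DYNAMIC = "URLRewrite hostname to DynamicResolver Backend: rewritten Host now drives DNS"


def _key(obj, default_ns="default"):
    meta = obj.get("metadata", {})
    return meta.get("namespace", default_ns), meta["name"]


def split_by_kind(doc):
    """Group the items of a kubectl List (or a single object) by kind."""
    by_kind = {}
    for obj in doc.get("items", [doc]):
        by_kind.setdefault(obj.get("kind"), []).append(obj)
    return by_kind


def audit_routes(routes, route_filters=(), backends=()):
    """Return (namespace/name, rule index, finding) for every affected rule."""
    filters_by_key = {_key(f): f for f in route_filters}
    backends_by_key = {_key(b): b for b in backends}
    findings = []
    for route in routes:
        ns, name = _key(route)
        for idx, rule in enumerate(route.get("spec", {}).get("rules", [])):
            fl = rule.get("filters", [])
            types = {f.get("type") for f in fl}
            # ExtensionRef is a same-namespace reference; resolve it to an
            # HTTPRouteFilter and check whether that filter is a DirectResponse.
            has_direct_response = any(
                f.get("type") == "ExtensionRef"
                and f.get("extensionRef", {}).get("kind") == "HTTPRouteFilter"
                and "directResponse" in filters_by_key.get(
                    (ns, f["extensionRef"]["name"]), {}).get("spec", {})
                for f in fl)
            if "RequestMirror" in types and ("RequestRedirect" in types or has_direct_response):
                findings.append((f"{ns}/{name}", idx, MIRROR_WITH_TERMINAL))
            rewrites_host = any(
                f.get("type") == "URLRewrite" and f.get("urlRewrite", {}).get("hostname")
                for f in fl)
            if rewrites_host:
                for ref in rule.get("backendRefs", []):
                    if ref.get("kind") != "Backend":
                        continue  # Service backends are not affected by this change
                    backend = backends_by_key.get((ref.get("namespace", ns), ref["name"]), {})
                    if backend.get("spec", {}).get("type") == "DynamicResolver":
                        findings.append((f"{ns}/{name}", idx, HOST_REWRITE_DYNAMIC))
    return findings


def audit_document(doc):
    by_kind = split_by_kind(doc)
    return audit_routes(by_kind.get("HTTPRoute", []),
                        by_kind.get("HTTPRouteFilter", []),
                        by_kind.get("Backend", []))


# Constructed sample in the shape kubectl prints; not taken from a real cluster.
MIRROR = {"type": "RequestMirror", "requestMirror": {"backendRef": {"name": "shadow", "port": 80}}}
SAMPLE = {"kind": "List", "items": [
    {"kind": "HTTPRoute", "metadata": {"namespace": "shop", "name": "checkout"},
     "spec": {"rules": [
         {"filters": [MIRROR], "backendRefs": [{"name": "checkout", "port": 80}]},
         {"filters": [MIRROR, {"type": "RequestRedirect",
                               "requestRedirect": {"scheme": "https", "statusCode": 301}}]},
         {"filters": [MIRROR, {"type": "ExtensionRef", "extensionRef": {
             "group": "gateway.envoyproxy.io", "kind": "HTTPRouteFilter", "name": "maintenance"}}]},
     ]}},
    {"kind": "HTTPRoute", "metadata": {"namespace": "shop", "name": "partner"},
     "spec": {"rules": [
         {"filters": [{"type": "URLRewrite", "urlRewrite": {"hostname": "api.partner.example"}}],
          "backendRefs": [{"group": "gateway.envoyproxy.io", "kind": "Backend", "name": "partner-dns"}]},
     ]}},
    {"kind": "HTTPRouteFilter", "metadata": {"namespace": "shop", "name": "maintenance"},
     "spec": {"directResponse": {"statusCode": 503}}},
    {"kind": "Backend", "metadata": {"namespace": "shop", "name": "partner-dns"},
     "spec": {"type": "DynamicResolver"}},
]}

if __name__ == "__main__":
    # Usage: kubectl get httproute,httproutefilter,backend -A -o json > routes.json
    #        python3 teg17_audit.py routes.json   (no argument: audits SAMPLE)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    results = audit_document(doc)
    for route, idx, finding in results:
        print(f"{route} rule[{idx}]: {finding}")
    sys.exit(1 if results else 0)
```

A non-zero exit code makes the script usable as a gate in the upgrade pipeline; rules that only mirror, or that rewrite the Host header toward a Service backend, are left alone because the release notes describe no change for them.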