
feat: bump Envoy Gateway to v1.6.4 #4535

Draft
electricjesus wants to merge 1 commit into master from seth/bump-envoy-gateway-1.6
electricjesus commented Mar 12, 2026

Summary

  • Bumps Envoy Gateway from v1.5.x to v1.6.4
  • Regenerates gateway_api_resources.yaml from updated helm chart
  • Adapts to upstream API rename: ProviderTypeKubernetes -> EnvoyProxyProviderTypeKubernetes
  • Updates go.mod dependencies

Context

Envoy Gateway v1.5 reached EOL on 2026/02/13. v1.6 maintains the same Kubernetes floor (v1.30) as v1.5, making it a safer upgrade path than v1.7 (which raises the floor to v1.32).

Per the compatibility matrix, v1.6.4 requires:

  • Envoy Proxy: v1.36.4
  • Gateway API: v1.4.0
  • Kubernetes: v1.30–v1.33

v1.6 EOL: 2026/05/13. See also the v1.7 upgrade PR (#4534) for discussion on the next jump.

Companion PRs

Envoy Gateway v1.6 behavioral changes

These are upstream Envoy Gateway changes that may affect user-facing behavior:

  • ALPN protocol defaults: Backend TLS now defaults to [h2, http/1.1] when not explicitly configured. Users relying on implicit HTTP/1.1-only backend connections may see different behavior.
  • Upstream TLS SNI: Automatically determined from the HTTP Host header when not specified. Certificate validation now requires the DNS SAN to match the SNI — users with mismatched certs may see TLS failures.
  • OIDC refresh tokens: Envoy Gateway now automatically uses refresh tokens to renew expired access/ID tokens. Previously, expired tokens required re-authentication.
  • Consecutive gateway failure: enforcingConsecutiveGatewayFailure is now automatically set to 100, which may change outlier detection behavior for users who relied on the previous default.

Full release notes: v1.6

Test plan

  • CI passes (build + unit tests)
  • Gateway API controller tests pass (verified locally: 13/13 on v1.7; same API change)
  • Review gateway_api_resources.yaml diffs for new RBAC requirements
  • Companion calico-private PR builds images successfully
  • E2E gateway tests pass on a test cluster — especially TLS and OIDC flows given the behavioral changes above

Update Envoy Gateway dependency to v1.6.4 and regenerate gateway API
resources. Adapts to upstream API rename:
- ProviderTypeKubernetes -> EnvoyProxyProviderTypeKubernetes
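
A pre-upgrade check for the "Upstream TLS SNI" item above, as an added example that is not part of this pull request or of Envoy Gateway: it derives the SNI from each Host header value and reports the ones no SAN on the backend certificate covers. The hostnames and SAN list are constructed, the function names are hypothetical, and Go's crypto/x509 hostname matching is assumed here as a stand-in for the proxy's own SAN validation.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"strings"
)

// sniFromHost derives the server name from an HTTP Host header value:
// drop any port, trim a trailing dot, lowercase.
func sniFromHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.ToLower(strings.TrimSuffix(host, "."))
}

// uncoveredHosts returns the Host values whose derived SNI matches none of the
// certificate's SANs. Matching uses Go's crypto/x509 rules (assumption: a
// stand-in for the proxy's own SAN check): case-insensitive, and "*" covers
// exactly one leftmost label.
func uncoveredHosts(cert *x509.Certificate, hosts []string) []string {
	var bad []string
	for _, h := range hosts {
		if err := cert.VerifyHostname(sniFromHost(h)); err != nil {
			bad = append(bad, h)
		}
	}
	return bad
}

func main() {
	// Constructed sample: only the SAN list of a backend certificate is filled in.
	cert := &x509.Certificate{DNSNames: []string{"api.backend.example", "*.svc.example"}}
	// Constructed Host header values that clients send through the gateway.
	hosts := []string{"API.backend.example:8443", "a.svc.example", "a.b.svc.example", "10.0.0.5:8443"}
	for _, h := range uncoveredHosts(cert, hosts) {
		fmt.Printf("Host %q -> SNI %q: no matching SAN\n", h, sniFromHost(h))
	}
}
```

For a real backend, pass the certificate returned by `x509.ParseCertificate` instead of the constructed struct.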