feat(deps): update gateway-api-crd ( v1.2.1 → v1.5.0 )

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
gateway-api-crd	minor	v1.2.1 → v1.5.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

kubernetes-sigs/gateway-api (gateway-api-crd)

v1.5.0

Compare Source

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Gateway API v1.5.0

Major Changes Since v1.4.1

Breaking Changes

TLSRoute v1alpha2 and XListenerSet

Since TLSRoute and ListenerSet have graduated to the Standard channel, TLSRoute v1alpha2 and XListenerSet are no longer included in the Experimental channel.

Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.

Upgrades and ValidatingAdmissionPolicy

Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:

• It prevents installing Experimental CRDs once you've installed Standard CRDs.
• It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.

These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.

New Features

In this release, the following major features are moving to the Standard channel and are now considered generally available:

• Gateway Client Certificate validation (GEP-91, GEP-3567)
• Certificate selection for Gateway TLS origination (GEP-3155)
• ListenerSet support (GEP-1713)
• HTTPRoute CORS filter (GEP-1767)
• TLSRoute v1 (GEP-2643)

Additionally, the ReferenceGrant resource is moving to v1.

Experimental

• Gateway/HTTPRoute level authentication (GEP-1494)

Full Changelog

Full Changelog: kubernetes-sigs/gateway-api@v1.4.1...v1.5.0

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.4.0
• github.com/chzyer/readline: v1.5.1
• github.com/gkampitakis/ciinfo: v0.3.2
• github.com/gkampitakis/go-diff: v1.3.2
• github.com/gkampitakis/go-snaps: v0.5.15
• github.com/ianlancetaylor/demangle: f615e6b
• github.com/joshdk/go-junit: v1.0.0
• github.com/maruel/natural: v1.1.1
• github.com/mfridman/tparse: v0.18.0
• github.com/tidwall/gjson: v1.18.0
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/pretty: v1.2.1
• github.com/tidwall/sjson: v1.2.5

Changed

• cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
• github.com/cncf/xds/go: 2ac532f → 0feb691
• github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
• github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
• github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
• github.com/google/pprof: d1b30fe → 294ebfa
• github.com/mailru/easyjson: v0.9.0 → v0.9.1
• github.com/miekg/dns: v1.1.68 → v1.1.72
• github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
• github.com/onsi/gomega: v1.38.1 → v1.39.1
• github.com/prometheus/client_golang: v1.23.0 → v1.23.2
• github.com/prometheus/common: v0.65.0 → v0.66.1
• github.com/prometheus/procfs: v0.17.0 → v0.19.2
• github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
• github.com/spf13/cobra: v1.9.1 → v1.10.2
• github.com/spf13/pflag: v1.0.7 → v1.0.10
• github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
• github.com/stretchr/testify: v1.11.0 → v1.11.1
• go.etcd.io/bbolt: v1.4.2 → v1.4.3
• go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
• go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
• go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
• go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel: v1.37.0 → v1.38.0
• go.opentelemetry.io/proto/otlp: v1.5.0 → v1.7.0
• go.uber.org/zap: v1.27.0 → v1.27.1
• go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
• golang.org/x/crypto: v0.41.0 → v0.47.0
• golang.org/x/mod: v0.27.0 → v0.32.0
• golang.org/x/net: v0.43.0 → v0.49.0
• golang.org/x/oauth2: v0.30.0 → v0.34.0
• golang.org/x/sync: v0.16.0 → v0.19.0
• golang.org/x/sys: v0.35.0 → v0.40.0
• golang.org/x/telemetry: 1a19826 → bd525da
• golang.org/x/term: v0.34.0 → v0.39.0
• golang.org/x/text: v0.28.0 → v0.33.0
• golang.org/x/time: v0.12.0 → v0.14.0
• golang.org/x/tools: v0.36.0 → v0.41.0
• google.golang.org/genproto/googleapis/api: 8d1bb00 → ab9386a
• google.golang.org/genproto/googleapis/rpc: ef028d9 → ab9386a
• google.golang.org/grpc: v1.75.1 → v1.78.0
• google.golang.org/protobuf: v1.36.8 → v1.36.11
• k8s.io/api: v0.34.1 → v0.35.1
• k8s.io/apiextensions-apiserver: v0.34.1 → v0.35.1
• k8s.io/apimachinery: v0.34.1 → v0.35.1
• k8s.io/apiserver: v0.34.1 → v0.35.1
• k8s.io/client-go: v0.34.1 → v0.35.1
• k8s.io/code-generator: v0.34.1 → v0.35.1
• k8s.io/component-base: v0.34.1 → v0.35.1
• k8s.io/gengo/v2: c297c0c → ec3ebc5
• k8s.io/kms: v0.34.1 → v0.35.1
• k8s.io/kube-openapi: d7b6acb → 589584f
• k8s.io/utils: 0af2bda → 914a6e7
• sigs.k8s.io/controller-runtime: v0.22.1 → v0.23.1
• sigs.k8s.io/controller-tools: v0.19.0 → v0.20.1
• sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2

Removed

• github.com/kisielk/errcheck: v1.5.0
• github.com/kisielk/gotool: v1.0.0
• github.com/pkg/errors: v0.9.1
• github.com/zeebo/errs: v1.4.0
• golang.org/x/xerrors: 5ec99f8

v1.4.1

Compare Source

Warning: Regarding the Experimental CRDs - please note that the experimental CRDs for this release are too large for a standard kubectl apply. You may receive an error like metadata.annotations: Too long: may not be more than 262144 bytes. To work around this please use kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml. We're looking into ways to reduce the size for future releases to avoid this.

Note: The installation YAML originally published with this release on 2025-12-04 mistakenly included changes from PR 3823 in the Standard channel, and from PRs 3774, 3823, and 4158 in the Experimental channel. After discussion among the Gateway API maintainers, we decided that the changes were minor enough that it was safe to modify the YAML in-place, which we did on 2026-02-10. Apologies for the confusion!

Changes Since v1.4.0

BackendTLSPolicy

• BackendTLSPolicy supports only a single targetRef per policy while Gateway API works through edge cases around representing the status of multiple targetRefs in a single policy. This restriction is expected to be lifted in a future release. (#​4316, #​4298)
• SAN validation in BackendTLSPolicy is correctly marked as standard. (#​4194)
• BackendTLSPolicy status is correctly marked as a subresource. (#​4245)

Conformance

• Conformance tests for mesh routing with weights have been made faster. (#​4315)
• BackendTLSPolicy conformance tests are included in the GATEWAY-HTTP profile. (#​4223)

Thanks to

Ciara Stacke, Lior Lieberman, Nick Young, Norwin Schnyder, Ricardo Pchevuzinske Katz, and zirain

Full Changelog

Full Changelog: kubernetes-sigs/gateway-api@v1.4.0...v1.4.1

v1.4.0

Compare Source

Warning: Regarding the Experimental CRDs - please note that the experimental CRDs for this release are too large for a standard kubectl apply. You may receive an error like metadata.annotations: Too long: may not be more than 262144 bytes. To work around this please use kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml. We're looking into ways to reduce the size for future releases to avoid this.

Major Changes since v1.3.0

Breaking Changes

Experimental CORS Support in HTTPRoute - Breaking Change for AllowCredentials Field

Users of the Experimental CORS AllowCredentials field can now specify false.
The underlying API specification type has changed from a enum of type boolean to
just a boolean, so users deploying HTTPRoutes via libraries and evaluating the
experimental CORS support will need to adjust for the change in types. Please
see #​3895 for more details.

Standard GRPCRoute - Spec Field Required (Technicality)

This PR makes grpcroute.spec a required field. This is technically a
backward-incompatible change, as previously the field was unintentionally
treated as optional because we erroneously used omitempty on .spec (unlike
other APIs). Since the codebase didn't yet enforce explicit required markers,
that omitempty allowed a missing .spec.

Because .spec contains essential route configuration, omitting it renders a
GRPCRoute unusable and causes route implementation to fail, so we expect this
change will not have adverse effects, but wanted to call it out all the same.
Please see #​3937 for more details.

GEPs

New Features

In this release, the following major features are moving to the Standard
channel and are now considered generally available:

• GEP-1897 BackendTLSPolicy - Configuration of TLS from the Gateway to Backends
• GEP-3164 SupportedFeatures - Status information about the features that an implementation supports.

In this release, we introduced the following new features are moving to the
Experimental channel, for implementations to evaluate:

• GEP-3949 Mesh Resource - Mesh-wide configuration and supported features.
• GEP-3793 Default Gateways - Allowing Gateways to program some routes by default.
• GEP-1494 HTTP External Auth - Enabling External Auth for HTTPRoute.

Other Iterations

• GEP-1897: standardizing behavior for invalid BackendTLSPolicy by @​snorwin in #​3909
• GEP-1897: describe TargetRefs conflict-resolution rules in BackendTLSPolicy by @​snorwin in #​4048
• GEP-2627: DNS Configuration - Initial Provisional PR by @​maleck13 in #​2712
• GEP-1713: Revisions by @​dprotaso in #​3744
• GEP 91: Update Goals and Prior Art by @​arkodg in #​3838
• GEP-91: Address connection coalescing security issue - API updates by @​kl52752 in #​3960 and #​3942
• GEP-1494: Update gRPC Auth config by @​youngnick in #​4061
• GEP 3779: East/West Identity-Based Authorization by @​LiorLieberman in #​3822
• GEP-3792: Off-Cluster Gateways by @​kflynn in #​3851
• GEP-3798: Adding initial Provisional GEP for client ip based session persistence by @​arihantg in #​3844
• GEP-696: Update the possible states by @​mlavacca in #​3901
• TLSRoute: Require hostnames and bump version to v1alpha3 by @​rostislavbobo in #​3872
• TLSRoute: Require hostnames via +required by @​rostislavbobo in #​3918
• TLSRoute: Set MaxItems=1 for rules[] in v1alpha3 by @​rostislavbobo in #​3971
• Update Auth GEP with Implementable details by @​youngnick in #​3884
• add GRPCRouteExtendedFeatures to AllFeatures list by @​skriss in #​4046
• Allow preprepared CoreDNS image to be used by @​aaronjwood in #​3906
• Specify SAN validation precedence over Hostname validation by @​kl52752 in #​4039
• docs: move GEP-3798 to Deferred for now by @​shaneutt in #​3947

Bug or Regression

• The boolean "TrueField" introduced for CORS can cause generator issues by @​shaneutt in #​3895
• Mark grpcroutes spec as required by @​rikatz in #​3937

Administrative

• chore: remove inactive reviewers by @​shaneutt in #​3829
• Adding Lior to Mesh Leads by @​robscott in #​3877

Changes by Kind

API

HTTPRoute

In the Standard channel, we've now added a Name field to HTTPRouteRule
and HTTPRouteMatch.

Documentation

• Enable dark mode switch on docs by @​rikatz in #​3977
• docs: Add v1.3 conformance report table by @​snorwin in #​3810
• docs: Update HTTPRoute status example by @​jonstacks in #​3784
• Add time extensions to release management doc by @​shaneutt in #​3943
• Update implementations.md with removal policy by @​youngnick in #​3863
• TLSRoute: Hostnames godoc by @​rostislavbobo in #​3925
• Make feature name required for Experimental by @​youngnick in #​3859
• Support comparison of response protocol by @​zirain in #​3986
• docs: note about expectations when a gep misses a release timeline by @​shaneutt in #​3866

CI & Testing

• Enable Kubernetes API Linter by @​rikatz in #​3917
• Use envtest for CRD validation tests by @​rikatz in #​3948

Conformance Tests

• Add mesh conformance tests structure and a first test by @​LiorLieberman in #​3729
• Add mesh conformance tests for httproute redirect(s) by @​LiorLieberman in #​3777
• Improve feature name readability in conformance reports by @​08volt in #​3564
• conformance: add Hook in ConformanceTestSuite by @​zirain in #​3786
• add mesh conformance for request header modifier by @​LiorLieberman in #​3812
• add httproute weight based routing mesh conformance tests by @​LiorLieberman in #​3827
• Add mesh core conformance tests for httproute same-namespace attachment by @​LiorLieberman in #​3833
• add httproute matching conformance mesh by @​LiorLieberman in #​3831
• add mesh conformance for httproute-queryparmas-match by @​LiorLieberman in #​3834
• fix meshredirectport and schemeredirect mesh conformance features by @​LiorLieberman in #​3847
• Add body to http.Request and roundTripper.request to extend conformance testutil ability to send request with body. by @​zetxqx in #​3853
• Infer SupportedFeatures in Conformance Tests (GEP-2162) [#​3759] by @​bexxmodd in #​3848
• Improve distribution tests in conformance for MeshHTTPRouteWeight by @​carsontham in #​3855
• feat(conformance): validate implementation flags by @​mlavacca in #​3715
• Issue 3138 - Conformance Tests for BackendTLSPolicy - normative by @​candita in #​3212
• Fix(conformance report) Add Skip test count in Conformance Report if RunTest is configured. by @​zetxqx in #​3966
• Add Conformance test for Invalid BackendTLSPolicy TLS settings by @​kl52752 in #​3930
• Improve distribution tests in conformance for HTTPRouteWeight by @​carsontham in #​3880
• BackendTLSPolicy conformance tests for observedGeneration bump by @​snorwin in #​3997
• conformance: add test for optional address value by @​EyalPazz in #​3689
• BackendTLSPolicy conformance tests for ResolvedRefs status condition by @​snorwin in #​4010
• conformance: add test to check for proper cors allow-credentials behvior by @​EyalPazz in #​3990
• Add Conformance tests for BackendTLSPolicy validating SANs with Type dsnName by @​kl52752 in #​3983
• fix conformance test HTTPRouteWeight by @​fabian4 in #​4038
• BackendTLSPolicy conformance tests for conflict resolution by @​snorwin in #​4043
• Updated a new field on supported features inference from boolean to enum and remove from report. by @​bexxmodd in #​3885
• Add GRPCRoute weighted backendRefs test by @​sarthyparty in #​3962

Cleanup

• Remove unused dependabot config for Github actions by @​FelipeYepez in #​3816
• rm duplicate explanation by @​naruse666 in #​3780
• fix: remove misleading description by @​snorwin in #​3778
• Fix typo for the file name case type in GEP-2162 doc. by @​bexxmodd in #​3807
• fix(gep-1911): remove duplicated header in table by @​davinkevin in #​3818
• Fix godoc comment for GatewaySpecAddress by @​syw14 in #​3845
• Updated index.md to reflect changes in GEP-2162 by @​bexxmodd in #​3898
• GEP-3792 and GEP-3793 title fixes 🤦‍♂️ by @​kflynn in #​3870
• docs: fix typo and add contents about "ngrok Kubernetes Operator" by @​Seo-yul in #​3874
• docs: Fix links to nonexistent anchors by @​blake in #​3862
• kubecon talk link updated. by @​kundan2707 in #​3660
• Fix Godoc for BackendTLSPolicyValidation struct for Hostname field by @​mayuka-c in #​3923
• Fix malformed URL typo in index.md by @​HaeyoonJo in #​3926
• Lint required optional by @​rikatz in #​3929
• Fix Gateway API community meeting schedule documentation by @​jgreeer in #​3975
• ListenerSet adjust PortNumber kubebuilder validations by @​dprotaso in #​3750
• Fix OpenAPI validations by adding API list markers by @​erikgb in #​3964
• fix typo by @​maheshrijal in #​3976
• Add gateway class label to generated objects by @​howardjohn in #​3955
• Change to ignore Mesh features in GWC instead of erroring out. by @​bexxmodd in #​3938
• fix(docs): remove unnecessary array in incorrect example @​ gep-1767 by @​EyalPazz in #​3991
• Update devguide.md to include docker as a pre-req for verify by @​PronomitaDey in #​4000
• Add ResolvedRefs condition for BackendTLSPolicy by @​snorwin in #​3994
• Update status fields with clearer definitions by @​youngnick in #​4008
• Add API changes for HTTP External Auth by @​youngnick in #​4001
• remove http non mesh features from mesh profile by @​LiorLieberman in #​4029
• Move BackendTLS configuration to GatewayTLSConfig by @​kl52752 in #​4009
• Fix cors cel by @​rikatz in #​4032
• simplify BackendTLSPolicy test infrastructure and remove unnecessary code by @​snorwin in #​4016
• Upgrade dependencies to K8s 1.34 by @​erikgb in #​4044
• chore(build): Clean up excessive warnings from "make generate" by @​kflynn in #​4045
• Update release manager role description by @​youngnick in #​4040
• Clarify terminology for gateway TLS by @​kl52752 in #​4036
• add BackendTLSPolicyExtendedFeatures to AllFeatures list by @​snorwin in #​4047
• Fix PortNumber type to support controller-gen by @​erikgb in #​4049
• prevent controller-runtime stack traces logger by @​aojea in #​4054
• Add new BackendTLSPolicy configuration options to documentation by @​08volt in #​3563
• Add default timeout to UDPRoute test and improve logs by @​cnvergence in #​4027
• API for default Gateways by @​kflynn in #​4031
• Improve some ListenetSet gep descriptions by @​rikatz in #​3978
• Update index.md field after moving BackendTLS struct by @​kl52752 in #​4041
• concepts/tooling.md: Add Headlamp tool by @​illume in #​4083

Release Candidate Fixes

These are patches during the v1.4.0 release candidate cycles from issues found or other small improvements needed for the final release:

• Allow preprepared CoreDNS image to be used by @​aaronjwood in #​3906
• Update index.md field after moving BackendTLS struct by @​kl52752 in #​4041
• Issue 3940: Move BackendTLSPolicy to standard by @​candita in #​4074
• Add allowOrigins configuration to CORSAllowCredentialsBehavior and perform cleanup by @​snorwin in #​4094
• fix: fix validation and wording when making gateway spec addresses value optional by @​bjee19 in #​4084
• Fix broken link in TLS Configuration page by @​4n86rakam1 in #​4091
• Automate GEP TOC generation and validate by @​rikatz in #​4075
• conformance: fix per-test cleanup by @​howardjohn in #​4104
• Added flag for running mesh conformance suite and automatically inferring supported features from Mesh.Status by @​bexxmodd in #​4097
• Fixed couple of typos in conformance tests. by @​bexxmodd in #​4106
• Issue 3940: Update BackendTLSPolicy GEP to move to standard by @​candita in #​4099
• Removing experimental annotation from SupportedFeatures in GWC Status. by @​bexxmodd in #​4115
• conformance: fix invalid BackendTLSPolicy conformance test by @​howardjohn in #​4105
• fix: use inferred supported features to set extendedSupportedFeatures by @​snorwin in #​4113
• conformance: make backend TLS tests IPv6-safe by @​howardjohn in #​4120
• concepts/tooling.md: Add Headlamp tool by @​illume in #​4083
• docs: update implements page by @​zirain in #​3996
• Fix broken link in TLS Configuration page by @​4n86rakam1 in #​4091

New Contributors

• @​szviagintsev made their first contribution in #​3782
• @​jonstacks made their first contribution in #​3784
• @​naruse666 made their first contribution in #​3780
• @​08volt made their first contribution in #​3564
• @​bexxmodd made their first contribution in #​3807
• @​davinkevin made their first contribution in #​3818
• @​FelipeYepez made their first contribution in #​3816
• @​samcrichard made their first contribution in #​3775
• @​dawid-nowak made their first contribution in #​3813
• @​syw14 made their first contribution in #​3845
• @​zetxqx made their first contribution in #​3853
• @​arihantg made their first contribution in #​3844
• @​Seo-yul made their first contribution in #​3874
• @​carsontham made their first contribution in #​3855
• @​rostislavbobo made their first contribution in #​3872
• @​mayuka-c made their first contribution in #​3923
• @​rikatz made their first contribution in #​3917
• @​HaeyoonJo made their first contribution in #​3926
• @​furykerry made their first contribution in #​3968
• @​jgreeer made their first contribution in #​3975
• @​erikgb made their first contribution in #​3964
• @​maheshrijal made their first contribution in #​3976
• @​PronomitaDey made their first contribution in #​4000
• @​idebeijer made their first contribution in #​4018
• @​fabian4 made their first contribution in #​4038
• @​sarthyparty made their first contribution in #​3962
• @​aaronjwood made their first contribution in #​3906
• @​illume made their first contribution in #​4083
• @​aaronjwood made their first contribution in #​3906
• @​illume made their first contribution in #​4083
• @​4n86rakam1 made their first contribution in #​4091

Full Changelog: kubernetes-sigs/gateway-api@v1.3.0...v1.4.0

v1.3.0

Compare Source

Changes since v1.3.0-rc.2

• Fixed typo in Retry Budget configuration (#​3762,@​zirain)

Changes since v1.2.1

Noteworthy Changes for Implementors

This section is intended to be a guide for API changes that might inspire or require implementation changes.
None of these API changes represent breaking changes.

OverlappingTLSConfig for Connection Coalescing

A new OverlappingTLSConfig condition has been added to Gateway Listeners to indicate situations where
Connection Coalescing could be problematic. The Gateway specification for handling Hostname and SNI matching for HTTPS
requests has been clarified and now recommends that implementations return 421 HTTP code responses in certain cases.

• Implementation of GEP-3567 - TLS Updates for Connection Coalescing. (#​3630,@​robscott)
• Add GEP-3567: Gateway TLS Updates for HTTP/2 Connection Coalescing. (#​3572,@​robscott)

Move BackendTLSPolicy SubjectAltNames from Core to Extended

• The SubjectAltNames field of BackendTLSPolicy changed from Core to Extended feature. (#​3591,@​mlavacca)

The backendRef filter must send traffic to the correct backends when weighted routing is configured

• A new conformance test was added to ensure backendRef filters don't affect weighted routing. (#​3604,@​dprotaso)

Clarify reasons for certain object status conditions

• Set proper reason for Gateway parametersRef Accepted condition when parametersRef is invalid. (#​3579,@​mlavacca)
• Improve GatewayClass GatewayClassReasonInvalidParameters reason description. (#​3553,@​mlavacca)

BackendTLSPolicy

• CEL validation for target references in BackendTLSPolicy. (#​3496,@​snorwin)

GRPCRoute

• Increase the GRPCRoute match limit from 8 -> 64 (#​3601,@​EyalPazz)

Gateway.Spec.Addresses changes

A new type GatewaySpecAddress replaces GatewayAddress. In GatewayAddress the Value field was required. In
GatewaySpecAddress the Value field is optional. When the Value is unspecified, if an implementation supports that,
it SHOULD automatically assign an address. If an implementation does not support an empty Value, it MUST set the
Programmed condition in status to false with a reason of "AddressNotAssigned". The Addresses field in
Gateway.Spec has changed from type []GatewayAddress to []GatewaySpecAddress.

• Make the value field in Gateway.Spec.Addresses array optional (#​3616,@​EyalPazz)

Standard Channel Additions and Changes

The Standard channel is Gateway API's set of maximally-stable install files.
Only features with the best testing and support are added to the standard
channel. This channel should be considered GA or stable, and future changes will
be fully backwards compatible.

Percentage-Based Request Mirroring 🎉

This feature enhances the existing request mirroring feature
by allowing users to specify a percentage of requests to be mirrored in both HTTPRoute
and GRPCRoute objects.

This feature has graduated to Standard and is now considered GA or Stable.

This feature's name for conformance tests (and GatewayClass status reporting) is
HTTPRouteRequestPercentageMirror.

This feature's status is Extended, meaning that it is optional for
implementations to support. If you're using Experimental Channel, you can refer
to the supportedFeatures field in the status of any GatewayClass.

Relevant PRs:

• Promote percentage-based-request-mirroring GEP-3171 to standard (#​3638,@​LiorLieberman)
• Add conformance tests for percentage-based request mirroring (#​3508,@​LiorLieberman)

Experimental Channel Additions and Changes

The Experimental Channel is Gateway API's channel for testing out changes and
gaining confidence with them before allowing them to go to Standard.

This channel may include features that are changed or removed later!

New experimental resources now start with "X"

This release introduces 2 new experimental resources:

• XBackendTrafficPolicy
• XListenerSet

Both of these resources are described in more detail below. As you may notice,
these resource names start with X and are part of an effort to distinguish
experimental channel resources from standard channel resources.

In addition to the separate names, these resources are also part of the
x-k8s.io API group instead of k8s.io, as a further effort to signal the
experimental nature of these resources.

In practice this means two things:

1. These resources can coexist with standard channel resources
2. Migrating to standard channel will require recreating these resources with
   the standard channel names and API Group (both lacking the "x" prefix)

For more context on this change, refer to the related discussion.

CORS (Cross Origin Resource Sharing) Filter

GEP-1767 describes how to add
configuration of CORS filters on HTTPRoute objects, and in this release, this change
has moved to Experimental.

Please see the GEP reference document or the API reference for the details.

This feature has graduated to Experimental and should now be used for testing
and verification purposes only. Experimental features may be changed or removed
in a future version.

This feature does not currently have a feature name defined.

This feature's status is Extended, meaning that it is optional for
implementations to support.

As there is no feature name or conformance testing available for this feature
yet, please check your implementation's documentation to see if it is supported.

Relevant PRs:

• Implementing CORS Filter for HTTPRoute (#​3637,@​robscott)
• Change HTTPRouteFilter.CORS.AllowCredentials to expect a boolean and not a string (#​3656,@​EyalPazz)
• Add CORS to HTTPRouteFilterType (#​3668,@​EyalPazz)

XListenerSets (Standard Mechanism to Merge Gateways)

GEP-1713 defines a new mechanism to merge listeners into a single
Gateway, and in this release, this change has moved to Experimental. Following a new naming convention, an
experimental object name is prefaced with an X, thus ListenerSet has changed to XListenerSet.
The object group name has changed from gateway.networking.k8s.io to gateway.networking.x-k8s.io.

Please see the GEP reference document or the API reference for the details.

This feature has graduated to Experimental and should now be used for testing
and verification purposes only. Experimental features may be changed or removed
in a future version.

This feature does not currently have a feature name defined.

This feature's status is Extended, meaning that it is optional for
implementations to support.

As there is no feature name or conformance testing available for this feature
yet, please check your implementation's documentation to see if it is supported.

Relevant PRs:

• Clarified what it means for Gateway Listeners to be distinct (#​3477,@​youngnick)
• GEP-1713: Standard Mechanism to Merge Multiple Gateways (#​3213),@​dprotaso)
• Update GEP-1713 - Support attaching ListenerSets across namespaces (#​3632,@​dprotaso)
• GEP-1713: Standard Mechanism to Merge Multiple Gateways - move GEP Link to Experimental (#​3664),@​gcs278)
• Refactor codegen scripts to make it easier to generate two clients (#​3589,@​dprotaso)
• Add ListenerSet GEP-1713 to the website (#​3587,[@​dprotaso](http

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[carpenike-bot]

🦙 MegaLinter status: ❌ ERROR

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
❌ COPYPASTE	jscpd	yes		2	no	1.45s
✅ REPOSITORY	git_diff	yes		no	no	0.06s
✅ REPOSITORY	secretlint	yes		no	no	3.88s
✅ YAML	prettier	1		0	0	0.44s
✅ YAML	yamllint	1		0	0	0.69s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff