v0.20.0

This release adds certificate management capabilities to the k8s subcommands and improves local development workflows.

Features

• Add certificate management subcommands for listing, rotating, and revoking certificates (8c90478)
• Support --local flag for k8s installations against dev cosmos environment (b721dfb)

Improvements

• Reduce reconciliation log volume by tightening watch predicates in gateway (4f73290)

v0.19.3

This release focuses on infrastructure improvements to the API server, enhanced tunnel diagnostics and metrics, and gateway configuration updates.

Features

• Agent-side debug RPC over QUIC control channel (3592719)
• MTU/PTB kernel-metric collector and connect-ip ICMP counter for tunnels (ae63923)
• Automatic CLI version check with upgrade prompts (3b84338)
• Tunnel per-connection uptime metric and agent-process identifier (042dc2d)
• Opt-in metadata.generation tracking on default builder strategy (8fe2939)
• Expose resource.Apply/ReadInputs/SplitYAMLDocuments in CLI (435f287)

Bug Fixes

• Fix auth --check by hitting /version instead of listing proxies (d199937)
• Lowercase Backend.spec.protocol on write (25bb559)
• Revert server-side reconnect circuit breaker (c823174)

Improvements

• Bump default HTTPRoute timeout from 15s to 100s (162899b)
• Advertise CLI build version as agent label (38e535f)
• Disable health and metrics endpoints in TUI mode (fca57c2)
• Extract IsInteractive helper and migrate call sites (936292a)

Infrastructure

• Bump envoyproxy/gateway to v1.4.0 (8355495)
• Remove apiserver-runtime dependency (3c49790)
• Replace sample-apiserver and add integration coverage (1c4ae63)
• Remove unused Docker driver package from ratelimit (1c5a612)

v0.19.2

This release improves the CLI upgrade experience and Kubernetes installation workflow, plus fixes CI publishing issues.

Features

• Wait for workloads to become healthy after k8s install (617b503)

Bug Fixes

• Fix apoxy upgrade version parsing and add --force flag (287679e)

Infrastructure

• Publish checksums.txt and goarch-named tarballs for apoxy upgrade (d5c5cb2)
• Skip arm64 goarch tarball copies to avoid GitHub asset name collision (fe10797)

v0.19.1

This release pins the OpenTelemetry gRPC dependency to maintain compatibility with Temporal v1.23.

Infrastructure

• Pin otelgrpc to v0.59.0 to maintain Temporal v1.23 compatibility (60c9364)

v0.19.0

This release focuses on significant performance improvements to the tunnel subsystem and enhanced reliability through better connection management and monitoring.

Features

• Add async send queues per connection in muxer (35ccced)
• Add push-based TCP stats metrics (d04674d)
• Replace overlay metrics scraping with push over HTTP/3 (744e089)
• Add BFD server onDown callback for proactive endpoint drain (e08e06a)
• Distribute tunnel workers across multiple relay addresses (385787d)

Bug Fixes

• Fix BFD goroutine leak and missing connections gauge decrement (9faf84b)
• Fix Geneve MTU update on reload (17435fb)
• Fix homebrew tap updater by embedding formula template (a618679)

Improvements

• Tune TCP stack for high throughput (74add4f, 050d125)
• Bump TUN MTU to 1420 (17435fb)
• Bump upstream per-connection buffer limit to 1 MiB (cf38c3d)

Infrastructure

• Bump builder image to golang:1.25-bookworm (8657bfd)
• Switch quic-go and gvisor to remote fork refs (4cd8125)
• Add workflow_dispatch to release for manual homebrew formula updates (d03ad8c)

v0.18.1

This release introduces a new generic delete command, domain record replacement capabilities, and HTTP response compression support, along with several reliability improvements.

Features

• Generic delete command: Add support for deleting resources using file-based and type/name modes (1ef4659)
• Domain record replacement: Add DomainReplaceAnnotation for atomic record-type changes (abc339f)
• HTTP response compression: Add HTTPRouteFilter CRD with default-on response compression (aae75f2)

Bug Fixes

• Tunnel metrics registration: Guard RegisterAgentMetrics with sync.Once to prevent double-registration (8f437c4)

Improvements

• Tunnel metrics: Move agent-only metrics out of init() into explicit RegisterAgentMetrics() (9c9417e)

Infrastructure

• CLI documentation: Update CLI reference with delete command and k8s install --version flag (14fceee)

v0.18.0

This release adds enhanced tunnel monitoring capabilities and improves Kubernetes operations with automatic namespace handling and version information.

Features

• Tunnel agent metrics and overlay scraper: Add comprehensive agent metrics collection and overlay scraper with re-export collector support (1894a0b)
• Traffic pause with auto-detection: Implement automatic traffic pause detection for high throughput scenarios (938c50f)
• Version flag for install command: Add --version flag to Kubernetes install command (8e9d8a1)

Bug Fixes

• Namespace creation in Kubernetes: Ensure namespace exists before performing server-side dry-run operations (23ed5ab)

v0.17.0

This release introduces BFD-lite liveness detection for tunnel connections and comprehensive audit logging for the API server, alongside significant performance optimizations and Apple code signing for macOS binaries.

Features

• BFD-lite liveness detection: Add BFD-lite protocol for connection liveness monitoring between agent and tunnelproxy (1ad0b30)
• Graceful connection draining: Add support for graceful drain with BFD AdminDown and TCP connection tracking (e8283f8)
• Audit logging: Add audit logging options with policy file and log rotation support (c63e7d5)
• UID-scoped connection management: Add CloseConnectionsByUID method for tunnel connections (5b524ad)

Bug Fixes

• Echo amplification loop: Fix echo amplification loop between BFDL client and server (0da1bed)
• Audit log identity: Fix audit log identity headers and add version to user-agent (03c5ee8)
• Tunnel address reconciliation: Remove tunnel address writing from server reconciler (384f712)

Improvements

• Tunnel performance optimizations: Reduce hot-path allocations in packet processing pipeline and BFDL implementation (0f86e0f, e98a2b9, 0187328, 2bab37c)
• Endpoint probing efficiency: Cache endpoint selection to avoid re-probing on every reconcile and cancel remaining probes after first success (443068e, e456ea2)
• TUI traffic filtering: Filter out ping packets from TUI traffic view by default (6dd4b43)
• Documentation: Update CLI descriptions and regenerate command reference (eb7733d)

Infrastructure

• Apple code signing: Add Apple code signing and notarization to release pipeline for macOS binaries (a5e7d79, e93bb05, 964105a, 2a8f0f4, d128d38, 33a5dc1)
• CI improvements: Decouple GitHub release from image publish and pin edge-runtime to stable version (cbeac26, 2344672, d4f3dc7)

v0.16.1

Bug Fixes

• Fix Homebrew formula publish using POSIX-compatible shell syntax (2c64e97)

Features

• Add Addresses field to ProxyStatus (3a57d27)

v0.16.0

I'll help you generate release notes for version v0.16.0. Let me read through the commits and organize them by category.

Features

• Homebrew tap support - Add official Homebrew tap for easier CLI installation (5007d92)
• Tunnel connection management - Add CloseConnection method for disconnecting individual connections (0310192)
• Cluster liveness tracking - Add agent connection labels for monitoring cluster liveness (9fcda94)
• Coordination lease heartbeat - Add coordination lease heartbeat and mirror protection types for improved reliability (d7fb8d5)
• Interactive cluster selection - CLI k8s install now defaults cluster-name to kube context with interactive picker (8d225f0)
• Cross-platform compilation - Add build tags and non-Linux stub for lwtunnel to support cross-platform builds (a34284f)
• Kubernetes context override - Add k8s install context override option (d3f2153)

Bug Fixes

• DNS resolution - Fix ndots search domain resolution and start DNS proxy in tunnel runtime (ca4745a)
• Gateway route CRDs - Skip unavailable gateway route CRDs to prevent errors (8d04f8b)
• Tunnel race condition - Fix race between agent registration and endpoint address allocation (849f400)

Improvements

• Tunnel resource cleanup - Close active connections when TunnelNode is deleted (560e629)
• Enhanced TUI - Improve tunnel TUI with full UUIDs, wider IP columns, dashboard link, and general cleanup (d7e13ac)
• Runtime high availability - Remove leader election from tunnel for per-pod connections and add runtime HA support (0e1f8d8, f98bcca)
• Better logging - Improve runtime and reverse proxy logging (40ab984)
• Faster endpoint propagation - Implement aggressive DNS refresh for faster tunnel endpoint propagation (5124f0f)
• Overlay network advertising - Advertise overlay network prefix to tunnel clients (be67ec6)
• Default TLS on DomainRecords - Enable TLS by default on ref-target DomainRecords (d4acfe0)

Infrastructure

• Proxy source pinning - Pin tunnel proxy source to apoxynet (c26d6f2)
• Proxy monitoring restrictions - Lock down proxy object monitoring changes for cloud infrastructure (d82a5cd)
• Coordination API updates - Add coordination/v1 to openapi-gen inputs (0e6bbc0)
• Mirror coordination - Use coordination.apoxy.dev for mirror lease heartbeat (0b319d9)
• Tunnel reconciliation - Bootstrap reconcile on tunnel startup (0848501)
• Runtime reorganization - Reorganize runtime components and fix tunnel startup (5561519)
• Certificate separation - Separate serving certs from upstream mTLS (810c04a)
• API cleanup - Remove deprecated Domain v1alpha2 API entirely (ac33949)