1.25.0 (January 18, 2023)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

- build: moved the `strict_dns`, `original_dst`, `logical_dns`, `static`, and `eds` clusters to extensions. If you use these clusters and override `extensions_build_config.bzl` you will now need to include them explicitly.
- build: removed the c-ares and apple resolvers as required extensions. Envoy now only creates DNS resolvers when necessary (e.g. for the logical DNS cluster); as such, it does not require these resolvers to always be included. If your Envoys do DNS resolution and override `extensions_build_config.bzl` you will need to include the c-ares / apple resolver explicitly.
- listener: Previously a listener update with different `transparent`, `freebind`, `tcp_fast_open_queue_length` or `socket_options` was ignored. Now, when those fields are updated, a new socket will be created for the listener and the updated values of those fields will be applied to it. This only happens when `enable_reuse_port` is true; otherwise, if those fields change, the update is rejected. The runtime flag `envoy.reloadable_features.enable_update_listener_socket_options` can be used to revert this behavior.
- loadbalancing: When active health checking is enabled per cluster, slow start calculations will now start after the first passing health check. The cluster membership duration condition is dropped from the slow start calculation. Endpoints can now re-enter slow start if active health checking is configured per cluster, on each `unhealthy` -> `healthy` state transition.
- stats http ext_authz: Fixed `ext_authz` metric tag extraction so that `stat_prefix` is properly extracted. This changes the Prometheus name from `envoy_http_ext_authz_prefixval_denied{}` to `envoy_http_ext_authz_denied{envoy_ext_authz_prefix="prefixval"}`. `envoy_cluster_X_ext_authz_Y_denied` follows the same pattern.
Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

- cache_filter: add a completion callback to the `updateHeaders` interface. Any external cache implementations should be updated to match this new interface. See the changes to simple_http_cache in PR #23666 for an example.
- cache_filter: api path of the work-in-progress extension changed from `api/extensions/cache/simple_http_cache` to `api/extensions/http/cache/simple_http_cache`, and source code moved to match the extension category.
- config: add support for thrift connection draining. This can be disabled by setting the runtime guard `envoy.reloadable_features.thrift_connection_draining` to false.
- http: reverted the behavioral change to have `CONNECT` and upgrade requests over HTTP/1.1 not delay close. One can reinstate delay close for upgrades by setting `envoy.reloadable_features.no_delay_close_for_upgrades` to `true`.
- http filter: Avoid re-entrant filter invocations if we do a local reply via the filter chain when executing decoder filters. This behavioral change can be temporarily reverted by setting runtime flag `envoy_reloadable_features_http_filter_avoid_reentrant_local_reply` to false.
- http filters: change `StreamEncoderFilter::encode1xxHeaders` to use its own enum class `Http::Filter1xxHeadersStatus`. Previously we shared the same enum class for general headers, but the implementation did not support most of them. We also fixed `StreamEncoderFilter::encode1xxHeaders` to send local replies without trailing 1xx headers afterward.
- jwt_authn: adjust the refetch time for the `remote_jwks` `async_fetch` feature. For a good fetch, refetch 5 seconds before the jwks cache duration expires. For a failed fetch, the refetch time can be specified by `failed_refetch_duration`, with a default of 1 second.
- oauth2: Requests which match the passthrough header now have their own metric `oauth_passthrough` and aren't included in `oauth_success` anymore.
- oauth2: query parameters in the `authorization_endpoint` are now preserved.
- rate_limit: add `MONTH` and `YEAR` to the unit of time for rate limit.
- router: Virtual cluster statistics are no longer created for routes without any `virtual_clusters`. Previously statistics for a `catch all` virtual cluster were created, but never updated.
- tcp: added `idle_timeout` to support a per-client idle timeout for the tcp connection pool. The timeout is guarded by `envoy.reloadable_features.tcp_pool_idle_timeout` and defaults to 10 minutes if the runtime flag is enabled.
- tls: added support for an intermediate CA as trusted CA. A peer certificate issued by an intermediate CA will be trusted by building a valid partial chain. Before, it could not be verified without trusting its ancestor root CA and building a full chain. See `trust_ca`. This change can be reverted via the runtime flag `envoy.reloadable_features.enable_intermediate_ca`.
- upstream: detailed health status is used for override host selection. This behavior can be reverted by setting runtime flag `envoy.reloadable_features.validate_detailed_override_host_statuses` to false.
Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

- aws_lambda: fixed a bug where, when `PerRouteConfig` was defined and routed to a target cluster's AWS Lambda endpoint in a region different from the region obtained from the ARN in the `aws_lambda` `http_filter` configuration, the authorization header included in the request towards AWS Lambda was not signed with the region specified in `PerRouteConfig`.
- generic_proxy: fixed a bug where the encoder filters and decoder filters of the generic proxy were executed in the same order. The encoder filters' execution order should be the reverse of the decoder filters' in the generic proxy.
- grpc_http_bridge: fixed a bug where response data could be lost for requests that were upgraded from Protobuf.
- grpc_json_transcoder: fixed a bug where, when using HTTP/2, a request body of type `google.api.HttpBody` smaller than 16KB caused an EOF from the backend gRPC server.
- health_checker: prevent writing pending data for health checkers by introducing `ConnectionCloseType::Abort`, to avoid cascading handshake overhead from the health checker's requests on timeout. This fix is related to issue #23718.
- http: fixed a bug where `Utility::PercentEncoding::encode()` encoded some characters incorrectly because it was treating the value as negative.
- jwt_authn: fixed a bug where `jwt_cache` broke the `provider_and_audiences` JWT requirement.
- oauth2: fixed a bug where, when the passthrough header was matched, envoy would always remove the authorization header. This behavioral change can be temporarily reverted by setting runtime guard `envoy.reloadable_features.oauth_header_passthrough_fix` to false.
- quic: reject configs that specify `require_client_certificate` with QUIC, since client certificates are currently unsupported in QUIC. This behavioral change can be temporarily reverted by setting runtime guard `envoy.reloadable_features.reject_require_client_certificate_with_quic` to false.
- router: fixed a bug that incorrectly rewrote the path when using `regex_rewrite` for redirects matched on prefix.
- router: fixed a bug that truncated query parameters from paths rewritten with a `path_rewrite_policy`; query parameters are now appended. `envoy_reloadable_features_append_query_parameters_path_rewriter` can be used to revert to truncation.
- skywalking: fixed a crash that could happen when the skywalking tracer is enabled and an illegal `sw8` header is received.
- tcp_proxy: When tunneling TCP over HTTP, mark the upstream connection as done reading when upstream trailers are read. This behavioral change can be temporarily reverted by setting runtime guard `envoy.reloadable_features.finish_reading_on_decode_trailers` to false.
- upstream: fixed a bug for tcp upstream where we did not count the header and data to/from the upstream.
- upstream: fixed a bug where only the coarse health status was used for override host selection.
- upstream: fixed a bug when specifying both a single address in the bootstrap and cluster upstream binding config but with a different IP version. It should be allowed but was rejected.
- validation: fixed a crash that could happen when the optional `engine_type` is not provided in a regex.
Removed config or runtime

Normally occurs at the end of the deprecation period

- ecds: removed `envoy.reloadable_features.top_level_ecds_stats` and legacy code paths.
- eds: removed `envoy.reloadable_features.support_locality_update_on_eds_cluster_endpoints` and legacy code paths.
- http: removed `envoy.reloadable_features.allow_adding_content_type_in_local_replies` and legacy code paths.
- http: removed `envoy.reloadable_features.allow_upstream_inline_write` and legacy code paths.
- http: removed `envoy.reloadable_features.append_or_truncate` and legacy code paths.
- http: removed `envoy.reloadable_features.deprecate_global_ints` and legacy code paths.
- http: removed `envoy.reloadable_features.http_100_continue_case_insensitive` and legacy code paths.
- removed `envoy.reloadable_features.override_request_timeout_by_gateway_timeout` and legacy code paths.
- http: removed `envoy.reloadable_features.skip_delay_close` and legacy code paths.
- http: removed `envoy.reloadable_features.use_new_codec_wrapper` and legacy code paths.
- removed `envoy.reloadable_features.append_to_accept_content_encoding_only_once` and legacy code paths.
- removed `envoy.reloadable_features.http1_lazy_read_disable` and legacy code paths.
- listener: removed `envoy.reloadable_features.strict_check_on_ipv4_compat` and legacy code paths.
- router: removed `envoy.reloadable_features.do_not_await_headers_on_upstream_timeout_to_emit_stats` and legacy code paths.
New features

- access_log: added a new field `intermediate_log_entry` to detect whether a gRPC log entry is an intermediate log entry or not, and added support to flush TCP log entries periodically according to the configured interval.
- access_log: added support for `%STREAM_ID%` for the stream's unique identifier.
- attributes: added attributes for looking up xDS configuration information.
- aws: added support to prefer fetching AWS instance role credentials securely (IMDSv2) from EC2 instance metadata by getting the token first, falling back to the insecure way (IMDSv1) if the token fetch fails.
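The token-first flow in the aws entry above is worth seeing end to end, because the fallback is exactly the part a defender needs to reason about: IMDSv2 requires a session token obtained with a PUT, which an SSRF-style request forged through a proxy normally cannot perform, while IMDSv1 answers plain GETs. The Python below is an added illustration of that flow, not Envoy's implementation. The metadata address, paths and the `X-aws-ec2-metadata-token-ttl-seconds` / `X-aws-ec2-metadata-token` headers are the real EC2 ones; the transport is pluggable so the example runs offline against a fake, and the credential document and role name are constructed samples.

```python
import json
from typing import Callable, Dict, Tuple

IMDS_BASE = "http://169.254.169.254"        # well-known EC2 metadata address
TOKEN_PATH = "/latest/api/token"             # IMDSv2 session-token endpoint
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# A transport is any callable (method, url, headers) -> (status, body).
# Production code would wrap an HTTP client; the fake below runs offline.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def fetch_instance_role_credentials(transport: Transport, token_ttl: int = 21600):
    """Token-first credential fetch: try IMDSv2, fall back to IMDSv1 only if
    the token PUT fails. Returns (mode_used, credentials_dict)."""
    headers: Dict[str, str] = {}
    status, token = transport("PUT", IMDS_BASE + TOKEN_PATH,
                              {TOKEN_TTL_HEADER: str(token_ttl)})
    if status == 200 and token:
        headers[TOKEN_HEADER] = token
        mode = "IMDSv2"
    else:
        mode = "IMDSv1"  # insecure fallback: token-less metadata requests

    status, role_name = transport("GET", IMDS_BASE + CREDS_PATH, headers)
    if status != 200:
        raise RuntimeError(f"{mode}: role lookup failed with HTTP {status}")
    status, body = transport("GET", IMDS_BASE + CREDS_PATH + role_name.strip(), headers)
    if status != 200:
        raise RuntimeError(f"{mode}: credential fetch failed with HTTP {status}")
    return mode, json.loads(body)


def fetch_mode_or_failure(transport: Transport) -> str:
    """Report which path a fetch took: 'IMDSv2', 'IMDSv1' or 'FAILED'."""
    try:
        return fetch_instance_role_credentials(transport)[0]
    except RuntimeError:
        return "FAILED"


class FakeImds:
    """Offline stand-in for the metadata service. `token_endpoint_ok` simulates
    whether the PUT succeeds; `v1_allowed` mirrors the instance setting that
    decides whether token-less GETs are answered (IMDSv2-only instances reject them)."""

    def __init__(self, token_endpoint_ok: bool, v1_allowed: bool):
        self.token_endpoint_ok = token_endpoint_ok
        self.v1_allowed = v1_allowed
        self.issued_token = "CONSTRUCTED-SESSION-TOKEN"
        # Constructed credential document in the field layout IMDS returns.
        self.creds = {"Code": "Success", "AccessKeyId": "ASIAEXAMPLE",
                      "SecretAccessKey": "constructed-secret",
                      "Token": "constructed-session-token",
                      "Expiration": "2023-01-18T00:00:00Z"}

    def __call__(self, method: str, url: str, headers: Dict[str, str]):
        if method == "PUT" and url.endswith(TOKEN_PATH):
            return (200, self.issued_token) if self.token_endpoint_ok else (403, "")
        if headers.get(TOKEN_HEADER) != self.issued_token and not self.v1_allowed:
            return 401, ""
        if url.endswith(CREDS_PATH):
            return 200, "envoy-role\n"
        if url.endswith(CREDS_PATH + "envoy-role"):
            return 200, json.dumps(self.creds)
        return 404, ""


if __name__ == "__main__":
    print("v2 enforced, token ok :", fetch_mode_or_failure(FakeImds(True, False)))
    print("token PUT fails, v1 on:", fetch_mode_or_failure(FakeImds(False, True)))
    print("token PUT fails, v1 off:", fetch_mode_or_failure(FakeImds(False, False)))
```

The third case is the one to aim for operationally: with the instance's metadata options set to require tokens (`HttpTokens=required`), the IMDSv1 fallback can never succeed, so a proxy that is tricked into issuing a metadata GET on an attacker's behalf gets a 401 rather than the role's credentials.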
- bandwidth_limit: added two new response trailers `bandwidth-request-filter-delay-ms` and `bandwidth-response-filter-delay-ms` to measure the delays added by this filter.
- build: added an option `--define=library_autolink=disabled` to disable autolinking libraries.
- build: added compile-time option `--define=static_extension_registration=disabled` to disable the automatic static registration of extension factories.
- compression: added `CompressorPerRoute` proto for per-route configuration.
- custom response http filter: added a custom response http filter which adds the ability to customize responses sent to downstreams using local or remote sources.
- ext_authz: added support to allowlist headers included in the check request to a gRPC authorization server (previously only available for the HTTP authorization server). The pre-existing field `allowed_headers` is deprecated in favour of the new field `allowed_headers`.
- gcp_authn: added support for configuring the header that holds the token fetched from the GCE metadata server in the new field `token_header`.
- generic_proxy: added dubbo codec support to the generic_proxy filter.
- generic_proxy: added generic rds support.
- generic_proxy: added drain support to the generic proxy to do graceful closes on connections when possible.
- golang: added a new HTTP golang extension filter.
- grpc_json_transcoder: added `max_request_body_size` and `max_response_body_size` fields, which can either increase or decrease the size of messages that can be processed. It can increase (but does not decrease) the stream buffer size, and can reject messages even if they're smaller than the stream buffer size if configured smaller.
- health_check: added an optional bool flag `disable_active_health_check` to disable the active health check for the endpoint.
- http: added `append_x_forwarded_port` to append the `x-forwarded-port` header to HTTP upstream requests.
- http: added support for header mutation to the HTTP connection manager via the early header mutation field.
- http: enhanced the dynamic forward proxy cluster to `allow_coalesced_connections` for HTTP/2 and HTTP/3 connections.
- jwt_authn: added support for copying jwt claims to http headers.
- listener: added `continueFilterChain()` and `dispatcher()` methods to the `ListenerFilterCallback`. This allows listener filters to continue listener filter iteration after stopping iteration, e.g. if the listener filter depends on an async process.
- listener: added a new field `socket_options` to the `AdditionalAddress`, allowing discrete socket options to be specified for each listener address.
- matching: support filter chain selection based on the dynamic metadata and the filter state using formatter actions.
- mobile: merged the Envoy mobile library into the main Envoy repo.
- postgres: added support for upstream SSL.
- redis: extended cluster support by adding a `dns_cache_config` option that can be used to resolve hostnames returned by `MOVED`/`ASK` responses.
- router: added `RouteList` to support a route list in `VirtualHost.matcher`.
- router: added an `x-envoy-is-timeout-retry` request header on retries initiated by request timeouts; enabled by setting `include_is_timeout_retry_header` to `true`.
- stats: added an `includeHistogram()` method to `Stats::SinkPredicates` to filter histograms to be flushed to stat sinks. Use `envoy.reloadable_features.enable_include_histograms` to enable this feature, which is disabled by default.
- tcp: added `idle_timeout` to support a per-client idle timeout for the tcp connection pool. See also minor behaviour changes.
- tcp_proxy: added new config field `post_path` to specify a custom path for HTTP tunneling with the POST method.
- thrift: added a payload to metadata filter, with which a given payload field's value is extracted and attached to the request as dynamic metadata.
- thrift_proxy: added `envoy.reloadable_features.thrift_allow_negative_field_ids` to support negative field ids for legacy thrift services.
- tls: added support for SNI-based cert selection in the tls downstream transport socket. Detailed documentation is available under cert selection. The new config option `full_scan_certs_on_sni_mismatch` is introduced to disable or enable a full scan when no cert matches the SNI; it defaults to false. The new runtime flag `envoy.reloadable_features.no_full_scan_certs_on_sni_mismatch` can be used to override the default value.
- tracing: added support for setting the hostname used when sending spans to a Datadog collector using the `collector_hostname` field.
- udp_proxy: added support for `proxy_access_log`.
- upstream: added a least request extension to support the load balancer policy.
- upstream: added a random extension to support the load balancer policy.
- upstream: added a round robin extension to support the load balancer policy.
- upstream: added a new field `socket_options` to the `ExtraSourceAddress`, allowing discrete socket options to be specified for each source address.
- upstream: allow configuring the cluster bind config and cluster manager bind config without specifying a `source_address`. This allows setting socket options when using the default unspecified bind address is desired.
- xds: added an api configuration `xds_config_tracker_extension` in the bootstrap to allow tracking xDS responses in external components, and provided the extension interface.