.. _version_history_1.34.0: 1.34.0 (Pending) ================= Minor behavior changes ---------------------- *Changes that may cause incompatibilities for some users, but should not for most* * **aws**: AWS request signing and AWS Lambda extensions will now no longer return empty credentials (and fail to sign) when credentials are still pending from the async credential providers. If all providers are unable to retrieve credentials then the original behaviour with a signing failure will occur. * **cel**: Support extension regex fuctions(e.g. ``re.extract``, ``re.capture`, ``re.captureN``) in CEL. * **dfp**: Setting :ref:`dns_query_timeout ` to 0 will disable the the Envoy DNS query timeout and use the underlying DNS implementation timeout. * **ext_proc**: Ignore request_header_mode field of :ref:`mode_override ` when comparing the mode_override against allowed_override_modes as request_header mode override is not applicable. * **ext_proc**: When :ref:`mode_override ` headers/trailers modes have the value ``DEFAULT`` (unset), no change will be made to the processing mode set in the filter configuration. * **http**: :ref:`generate_request_id ` will generate a request id on non-present and now on empty ``x-request-id`` header. * **http2**: Sets runtime guard ``envoy.reloadable_features.http2_use_oghttp2`` to true by default. Bug fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* * **dfp**: Fixes a bug when loading a DNS cache entry with an empty authority/host header. This fix can be reverted by setting runtime guard ``envoy.reloadable_features.dfp_fail_on_empty_host_header`` to ``false``. * **ext_authz**: Removed validation constraint on :ref:`disabled ` so that it can be set to false to enable the filter when it is by :ref:`default-disabled for the filter chain `. * **http**: Fixed the jwks fetcher to set the :scheme pseudo header according to the uri ('http' or 'https'). Before the :scheme header was always 'http'. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.jwt_fetcher_use_scheme_from_uri`` to false. * **listener**: Fixed a bug where socket options specified only on an additional address were not applied unless :ref:`socket_options ` on the listener is set. Now additional address :ref:`socket_options ` are correctly applied even if the listener has no socket options configured. * **listener**: Fixed a bug where the addresses cannot be updated partially even if the reuse port is enabled. * **oauth2**: Fixed OAuth2 credential injector to send scope (if specified) to authorization server when requesting new access token using ``client_credentials`` flow. * **original_src filter**: Set IP_BIND_ADDRESS_NO_PORT socket option in the original_src filter to prevent port exhaustion caused by the kernel prematurely reserving ephemeral ports. This behavior change can be reverted by setting runtime guard ``envoy.reloadable_features.original_src_fix_port_exhaustion`` to ``false``. * **router**: Fixed query parameter matcher to properly implement :ref:`present_match `. Previously, the matcher would incorrectly handle ``present_match`` configurations by treating them as default present checks. This behavior can be temporarily reverted by setting runtime feature ``envoy_reloadable_features_enable_new_query_param_present_match_behavior`` to ``false``. * **tcp_proxy**: Fixes a bug when TCP is tunneled over HTTP and upstream connection closed before response headers received to the stream. The fix is to run the retry logic in a different event loop iteration to allow cleanup of the closed connection before retrying. This fix can be reverted by setting runtime guard ``envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop`` to ``false``. Removed config or runtime ------------------------- *Normally occurs at the end of the* :ref:`deprecation period ` * **access_log**: Removed runtime guard ``envoy.reloadable_features.upstream_remote_address_use_connection`` and legacy code paths. * **config**: Removed runtime guard ``envoy.reloadable_features.strict_duration_validation`` and legacy code paths. * **dns**: Removed runtime flag ``envoy.reloadable_features.dns_details`` and legacy code paths. * **dns**: Removed runtime guard ``envoy.reloadable_features.dns_nodata_noname_is_success`` and legacy code paths. * **http**: Removed runtime guard ``envoy.reloadable_features.consistent_header_validation`` and legacy code paths. * **http**: Removed runtime guard ``envoy.reloadable_features.sanitize_http2_headers_without_nghttp2`` and legacy code paths. * **local_ratelimit**: Removed runtime guard ``envoy.reloadable_features.no_timer_based_rate_limit_token_bucket`` and legacy code paths. * **runtime**: Removed runtime flag ``envoy.reloadable_features.reject_invalid_yaml`` and legacy code paths. * **thread_local**: Removed runtime guard ``envoy.reloadable_features.allow_slot_destroy_on_worker_threads`` and legacy code paths. * **xds**: Removed runtime guard ``envoy.reloadable_features.xdstp_path_avoid_colon_encoding`` and legacy code paths. New features ------------ * **admin**: Add support for the inbound_only and graceful query params of /drain_listeners to be used together by implementing directional draining in DrainManager. * **attributes**: Added :ref:`attribute ` ``upstream.locality`` to obtain upstream locality information. * **dfp**: Added a feature to disable DNS refresh on failure by setting :ref:`disable_dns_refresh_on_failure ` to ``true``. By enabling this feature, the failed hosts will now be treated as a cache miss. * **dfp**: The DFP cluster will now use the async lookup path to do DNS resolutions for null hosts. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.dfp_cluster_resolves_hosts`` to false. * **dynamic_modules**: Added the initial support for shared libraries to be loaded by Envoy at runtime. Please refer to the overview documentation for the feature :ref:`here `. * **ext_proc**: Added an :ref:`extension ` to save the :ref:`response ` from the external processor to filter state. * **ext_proc**: Adding support for a new body mode: ``FULL_DUPLEX_STREAMED`` in the ``ext_proc`` filter :ref:`processing_mode `. * **formatter**: Added ``CUSTOM_FLAGS`` support for substitution formatter. See :ref:`access log formatter ` for more details. * **formatter**: Added ``QUERY_PARAM`` support for substitution formatter. See :ref:`access log formatter ` for more details. * **http**: Added :ref:`max_metadata_size ` to make HTTP/2 metadata limits configurable. * **http**: Added alpha support for asynchronous load balancing. See :ref:`load balancing policies overview ` for more details. Support can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.async_host_selection`` to ``false``. * **http**: Made the :ref:`credential injector filter ` work as an upstream filter. * **http**: Made the :ref:`lua ` work as an upstream filter. * **jwt_authn**: Added :ref:`jwt_max_token_size ` to make max token size configurable. * **local_rate_limit**: Added support for dynamic token buckets in local rate limit filter for http requests. * **lua**: Added :ref:`clear_route_cache ` support to control the route cache clearing behavior in the Lua filter. * **lua**: Added :ref:`virtualClusterName() ` API to the Stream Info Object to get the name of the virtual cluster matched. * **lua**: Added support for clearing the route cache explicitly in the Lua filter. See :ref:`clearRouteCache() ` for more details. * **oauth2**: Add the option to specify SameSite cookie attribute values for oauth2 supported cookies. To specify ``SameSite`` attribute, choose one of the values from ``strict``, ``lax`` or ``none``. If not specified, a default value of ``disabled`` will be assigned and there will be no ``SameSite`` value in the cookie attribute. See :ref:`apply_on_stream_done ` for more details. * **proxy_protocol**: Added support for injecting custom Type-Length-Value (TLV) entries into the Proxy Protocol v2 header for upstream transport sockets. Custom TLVs can be defined both in the endpoint host's typed metadata under the ``envoy.transport_sockets.proxy_protocol`` namespace and at the configuration level via the ``ProxyProtocolConfig``'s ``added_tlvs`` field. Host-level TLV definitions override config-level entries when the same type is specified, allowing default TLVs to be set globally, while enabling further per-endpoint customizations. * **quic**: Added an :ref:`extension ` to support QUIC-LB draft standard for connection ID generation. * **redis**: Added support for multi-key commands on transactions. * **resource_monitors**: Added support to monitor container CPU utilization in Linux K8s environment using :ref:`existing extension `. * **sockets**: Added an :ref:`io_uring ` option in default socket interface to support io_uring. * **spiffe**: Added :ref:`trust_bundles ` to the SPIFFE certificate validator configuration. This field allows specifying a SPIFFE trust bundle mapping as a ``DataSource``. If both ``trust_bundles`` and ``trust_domains`` are specified, ``trust_bundles`` takes precedence. * **tap**: Added an UDP extension for tap custom sink. * **tcp_proxy**: Added :ref:`proxy_protocol_tlvs ` to the TCP proxy filter. This field allows specifying PROXY protocol TLVs to be added in the PROXY protocol state created by the TCP proxy filter. TLVs added in the PROXY protocol state will be added to the PROXY protocol v2 header sent upstream. * **tcp_proxy**: Added support for :ref:`backoff_options ` to configure the backoff strategy for TCP proxy retries. * **tcp_proxy**: added :ref:`an option ` to allow filters to read from the downstream connection before TCP proxy has opened the upstream connection, by setting a filter state object for the key ``envoy.tcp_proxy.receive_before_connect``. * **udp_proxy**: Added support for outlier detection in UDP proxy. This change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` to ``false``. * **xds**: Reporting a locality_stats to LRS server when ``rq_issued > 0``, disable by setting runtime guard ``envoy.reloadable_features.report_load_with_rq_issued`` to ``false``.