1.33.0 (Pending)
Incompatible behavior changes
Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required
http: RFC1918 addresses are no longer considered to be internal addresses by default. This addresses a security issue for Envoy’s in multi-tenant mesh environments. Please explicit set internal_address_config to retain the prior behavior. This change can be temporarily reverted by setting runtime guard
envoy.reloadable_features.explicit_internal_address_config
tofalse
.wasm: Remove previously deprecated xDS attributes from
get_property
, usexds
attributes instead.wasm: The route cache will not be cleared by default if the wasm extension modified the request headers and the ABI version of wasm extension is larger then 0.2.1.
Minor behavior changes
Changes that may cause incompatibilities for some users, but should not for most
access_log: New implementation of the JSON formatter will be enabled by default. The sort_properties field will be ignored in the new implementation because the new implementation always sorts properties. And the new implementation will always keep the value type in the JSON output. For example, the duration field will always be rendered as a number instead of a string. This behavior change could be disabled temporarily by setting the runtime
envoy.reloadable_features.logging_with_fast_json_formatter
to false.formatter: The NaN and Infinity values of float will be serialized to
null
and"inf"
respectively in the metadata (DYNAMIC_METADATA
,CLUSTER_METADATA
, etc.) formatter.http: If the pack_trace_reason is set to false, Envoy will not parse the trace reason from the
x-request-id
header to ensure reads and writes of trace reason be consistant. If the pack_trace_reason is set to true and externalx-request-id
value is used, the trace reason in the external request id will not be trusted and will be cleared.oauth2: use_refresh_token is now enabled by default. This behavioral change can be temporarily reverted by setting runtime guard
envoy.reloadable_features.oauth2_use_refresh_token
to false.quic: Enable UDP GRO in QUIC client connections by default. This behavior can be reverted by setting the runtime guard
envoy.reloadable_features.prefer_quic_client_udp_gro
to false.scoped_rds: The route_configuration field is supported when the
ScopedRouteConfiguration
resource is delivered via SRDS.sds: Relaxed the backing cluster validation for Secret Discovery Service(SDS). Currently, the cluster that supports SDS, needs to be a primary cluster i.e. a non-EDS cluster defined in bootstrap configuration. This change relaxes that restriction i.e. SDS cluster can be a dynamic cluster. This change is enabled by default, and can be reverted by setting the runtime flag
envoy.restart_features.skip_backing_cluster_check_for_sds
tofalse
.xds: A minor delta-xDS optimization that avoids copying resources when ingesting them was introduced. No impact to the behavior is expected, but a runtime flag was added as this may impact config-ingestion related extensions (e.g., custom-config-validators, config-tracker), as the order of the elements passed to the callback functions may be different. This change can be temporarily reverted by setting
envoy.reloadable_features.xds_prevent_resource_copy
tofalse
.
Bug fixes
Changes expected to improve the state of the world and are unlikely to have negative effects
DNS: Fixed bug where setting
dns_jitter <envoy_v3_api_field_config.cluster.v3.Cluster.dns_jitter>
to large values caused Envoy Bug to fire.access_log: Relaxed the restriction on SNI logging to allow the
_
character, even ifenvoy.reloadable_features.sanitize_sni_in_access_log
is enabled.scoped_rds: Fixes scope key leak and spurious scope key conflicts when an update to an SRDS resource changes the key.
stats ads grpc: Fixed metric for ADS disconnection counters using Google GRPC client. This extracts the GRPC client prefix specified in the google_grpc resource used for ADS, and adds that as a tag
envoy_google_grpc_client_prefix
to the Prometheus stats.tls: Support operations on IP SANs when the IP version is not supported by the host operating system, for example an IPv6 SAN can now be used on a host not supporting IPv6 addresses.
Removed config or runtime
Normally occurs at the end of the deprecation period
dns: Removed runtime flag
envoy.reloadable_features.dns_reresolve_on_eai_again
and legacy code paths.grpc: Removed runtime guard
envoy.reloadable_features.validate_grpc_header_before_log_grpc_status
.http: Removed runtime flag
envoy.reloadable_features.http_route_connect_proxy_by_default
and legacy code paths.http2: Removed runtime flag
envoy.reloadable_features.defer_processing_backedup_streams
and legacy code paths.load balancing: Removed runtime guard
envoy.reloadable_features.edf_lb_host_scheduler_init_fix
and legacy code paths.load balancing: Removed runtime guard
envoy.reloadable_features.edf_lb_locality_scheduler_init_fix
and legacy code paths.quic: Removed runtime flag
envoy.restart_features.quic_handle_certs_with_shared_tls_code
and legacy code paths.router: Removed runtime guard
envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request
.upstream: Removed runtime flag
envoy.restart_features.allow_client_socket_creation_failure
and legacy code paths.
New features
CEL-attributes: Added attribute
upstream.request_attempt_count
to get the number of times a request is attempted upstream.access_log: Added %DOWNSTREAM_LOCAL_EMAIL_SAN%, %DOWNSTREAM_PEER_EMAIL_SAN%, %DOWNSTREAM_LOCAL_OTHERNAME_SAN% and %DOWNSTREAM_PEER_OTHERNAME_SAN% substitution formatters.
access_log: Added support for %UPSTREAM_HOST_NAME_WITHOUT_PORT% for the upstream host identifier without the port value.
access_log: Added support for logging upstream connection establishment duration in the %COMMON_DURATION% access log formatter operator. The following time points were added:
%US_CX_BEG%
,%US_CX_END%
,%US_HS_END%
.aws_request_signing: Added an optional field credential_provider to the AWS request signing filter to explicitly specify a source for AWS credentials.
c-ares: added nameserver rotation option to c-ares resolver. When enabled via :ref:rotate_nameservers <envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.rotate_nameservers>, this performs round-robin selection of the configured nameservers for each resolution to help distribute query load.
c-ares: added two new options to c-ares resolver for configuring custom timeouts and tries while resolving DNS queries. Custom timeouts could be configured by specifying query_timeout_seconds and custom tries could be configured by specifying query_tries.
http_inspector: Added default-false
envoy.reloadable_features.http_inspector_use_balsa_parser
for HttpInspector to use BalsaParser.ip-tagging: Adds support for specifying an alternate header ip_tag_header for appending IP tags via ip-tagging filter instead of using the default header
x-envoy-ip-tags
.lua: Added ssl parsedSubjectPeerCertificate() API.
lua cluster specifier: Added ability for a Lua script to query clusters for current requests and connections.
overload: Added support for scaling max connection duration. This can be used to reduce the max connection duration in response to overload.
quic: Added QUIC stats debug visitor to get more stats from the QUIC transport.
rbac: added sourced_metadata which allows specifying an optional source for the metadata to be matched in addition to the metadata matcher.
tls: Added an option to change the upstream SNI to the configured hostname for the upstream.
tls: Added an option to validate the upstream server certificate SANs against the actual SNI value sent, regardless of the method of configuring SNI.
tls: Added support for P-384 and P-521 curves for TLS server certificates.
tracers: Set resource
telemetry.sdk.*
and scopeotel.scope.name|version
attributes for the OpenTelemetry tracer.udp_proxy: Added support for coexistence of dynamic and static clusters in the same udp proxy, so we can use dynamic clusters for some sessions by setting a per-session state object under the key
envoy.upstream.dynamic_host
and routing to dynamic cluster, and we can use static clusters for other sessions by setting a per-session state object under the keyenvoy.udp_proxy.cluster
without settingenvoy.upstream.dynamic_host
.udp_proxy: Added support for dynamic cluster selection in UDP proxy. The cluster can be set by one of the session filters by setting a per-session state object under the key
envoy.udp_proxy.cluster
.wasm: Added the wasm vm reload support to reload wasm vm when the wasm vm is failed with runtime errors. See failure_policy for more details. The
FAIL_RELOAD
reload policy will be used by default.wasm: added
clear_route_cache
foreign function to clear the route cache.xds: Added support for ADS replacement by invoking
xdsManager().setAdsConfigSource()
with a new config source.
Deprecated
rbac: metadata metadata is now deprecated in the favor of sourced_metadata.