1.34.0 (Pending)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • dfp: Setting dns_query_timeout to 0 will disable the Envoy DNS query timeout and use the underlying DNS implementation timeout.

  • http2: Sets runtime guard envoy.reloadable_features.http2_use_oghttp2 to true by default.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • dfp: Fixes a bug when loading a DNS cache entry with an empty authority/host header. This fix can be reverted by setting runtime guard envoy.reloadable_features.dfp_fail_on_empty_host_header to false.

  • oauth2: Fixed OAuth2 credential injector to send scope (if specified) to authorization server when requesting new access token using client_credentials flow.

  • router: Fixed query parameter matcher to properly implement present_match. Previously, the matcher would incorrectly handle present_match configurations by treating them as default present checks. This behavior can be temporarily reverted by setting runtime feature envoy_reloadable_features_enable_new_query_param_present_match_behavior to false.

  • tcp_proxy: Fixes a bug when TCP is tunneled over HTTP and the upstream connection is closed before response headers are received on the stream. The fix is to run the retry logic in a different event loop iteration to allow cleanup of the closed connection before retrying. This fix can be reverted by setting runtime guard envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop to false.
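
The router fix above changes which requests match routes that use present_match: false, so such routes are worth locating before an upgrade. The following is an added example (not Envoy code and not part of the release notes) that scans a route configuration in JSON form for those matchers and compares the two behaviors; the sample configuration is constructed, and legacy_match is an assumption based on the note's description of the old behavior as a plain presence check.

```python
import json

# Constructed sample: a fragment of an Envoy route configuration in JSON form.
SAMPLE_CONFIG = json.loads("""
{
  "virtual_hosts": [{
    "name": "app",
    "routes": [
      {"name": "no-debug",
       "match": {"prefix": "/",
                 "query_parameters": [{"name": "debug", "present_match": false}]},
       "route": {"cluster": "prod"}},
      {"name": "has-token",
       "match": {"prefix": "/",
                 "query_parameters": [{"name": "token", "present_match": true}]},
       "route": {"cluster": "auth"}}
    ]
  }]
}
""")

def legacy_match(matcher, params):
    # Assumed pre-fix behavior: any present_match value acted as a presence check.
    return matcher["name"] in params

def fixed_match(matcher, params):
    # Fixed behavior: present_match=false matches only when the parameter is absent.
    return (matcher["name"] in params) == matcher["present_match"]

def find_affected(node, path="$"):
    """Yield (path, parameter name) for every matcher with present_match: false."""
    if isinstance(node, dict):
        for m in node.get("query_parameters", []):
            if isinstance(m, dict) and m.get("present_match") is False:
                yield path, m["name"]
        for key, value in node.items():
            yield from find_affected(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_affected(item, f"{path}[{i}]")

if __name__ == "__main__":
    for path, name in find_affected(SAMPLE_CONFIG):
        m = {"name": name, "present_match": False}
        for params in ({}, {name: "1"}):
            print(path, name, params, "legacy:", legacy_match(m, params),
                  "fixed:", fixed_match(m, params))
```

Each reported path is a route match whose result flips for requests with and without the named parameter once the fix is active.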

Removed config or runtime

Normally occurs at the end of the deprecation period

  • access_log: Removed runtime guard envoy.reloadable_features.upstream_remote_address_use_connection and legacy code paths.

  • dns: Removed runtime flag envoy.reloadable_features.dns_details and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.consistent_header_validation and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.sanitize_http2_headers_without_nghttp2 and legacy code paths.

  • local_ratelimit: Removed runtime guard envoy.reloadable_features.no_timer_based_rate_limit_token_bucket and legacy code paths.

  • runtime: Removed runtime flag envoy.reloadable_features.reject_invalid_yaml and legacy code paths.

  • thread_local: Removed runtime guard envoy.reloadable_features.allow_slot_destroy_on_worker_threads and legacy code paths.

  • xds: Removed runtime guard envoy.reloadable_features.xdstp_path_avoid_colon_encoding and legacy code paths.

New features

  • dfp: Added a feature to disable DNS refresh on failure by setting disable_dns_refresh_on_failure to true. By enabling this feature, the failed hosts will now be treated as a cache miss.

  • dfp: The DFP cluster will now use the async lookup path to do DNS resolutions for null hosts. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.dfp_cluster_resolves_hosts to false.

  • ext_proc: Added support for a new body mode: FULL_DUPLEX_STREAMED in the ext_proc filter processing_mode.

  • formatter: Added QUERY_PARAM support for substitution formatter. See access log formatter for more details.

  • http: Added max_metadata_size to make HTTP/2 metadata limits configurable.

  • http: Added alpha support for asynchronous load balancing. See load balancing policies overview for more details. Support can be temporarily reverted by setting runtime guard envoy.reloadable_features.async_host_selection to false.

  • lua: Added virtualClusterName() API to the Stream Info Object to get the name of the virtual cluster matched.

  • oauth2: Added the option to specify SameSite cookie attribute values for oauth2 supported cookies. To specify the SameSite attribute, choose one of the values from strict, lax or none. If not specified, a default value of disabled will be assigned and there will be no SameSite value in the cookie attribute. See apply_on_stream_done for more details.

  • redis: Added support for multi-key commands on transactions.

  • resource_monitors: Added support to monitor container CPU utilization in a Linux K8s environment using the existing extension.

  • spiffe: Added trust_bundles to the SPIFFE certificate validator configuration. This field allows specifying a SPIFFE trust bundle mapping as a DataSource. If both trust_bundles and trust_domains are specified, trust_bundles takes precedence.

  • tap: Added a UDP extension for tap custom sink.

  • tcp_proxy: Added support for backoff_options to configure the backoff strategy for TCP proxy retries.

  • udp_proxy: Added support for outlier detection in UDP proxy. This change can be temporarily reverted by setting runtime guard envoy.reloadable_features.enable_udp_proxy_outlier_detection to false.

  • xds: Report locality_stats to the LRS server when rq_issued > 0. This can be disabled by setting runtime guard envoy.reloadable_features.report_load_with_rq_issued to false.