1.34.0 (Pending)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • aws: AWS request signing and AWS Lambda extensions will now no longer return empty credentials (and fail to sign) when credentials are still pending from the async credential providers. If all providers are unable to retrieve credentials then the original behaviour with a signing failure will occur.

  • cel: Support extension regex functions (e.g. re.extract, re.capture, re.captureN) in CEL.

  • dfp: Setting dns_query_timeout to 0 will disable the Envoy DNS query timeout and use the underlying DNS implementation timeout.

  • ext_proc: Ignore request_header_mode field of mode_override when comparing the mode_override against allowed_override_modes as request_header mode override is not applicable.

  • ext_proc: When mode_override headers/trailers modes have the value DEFAULT (unset), no change will be made to the processing mode set in the filter configuration.

  • http: generate_request_id will now generate a request id not only when the x-request-id header is absent but also when it is present and empty.

  • http2: Sets runtime guard envoy.reloadable_features.http2_use_oghttp2 to true by default.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • dfp: Fixes a bug when loading a DNS cache entry with an empty authority/host header. This fix can be reverted by setting runtime guard envoy.reloadable_features.dfp_fail_on_empty_host_header to false.

  • ext_authz: Removed validation constraint on disabled so that it can be set to false to enable the filter when it is by default-disabled for the filter chain.

  • http: Fixed the jwks fetcher to set the :scheme pseudo header according to the uri (‘http’ or ‘https’). Before the :scheme header was always ‘http’. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.jwt_fetcher_use_scheme_from_uri to false.

  • listener: Fixed a bug where socket options specified only on an additional address were not applied unless socket_options on the listener is set. Now additional address socket_options are correctly applied even if the listener has no socket options configured.

  • listener: Fixed a bug where listener addresses could not be partially updated even when reuse port is enabled.

  • oauth2: Fixed OAuth2 credential injector to send scope (if specified) to authorization server when requesting new access token using client_credentials flow.

  • original_src filter: Set IP_BIND_ADDRESS_NO_PORT socket option in the original_src filter to prevent port exhaustion caused by the kernel prematurely reserving ephemeral ports. This behavior change can be reverted by setting runtime guard envoy.reloadable_features.original_src_fix_port_exhaustion to false.

  • router: Fixed query parameter matcher to properly implement present_match. Previously, the matcher would incorrectly handle present_match configurations by treating them as default present checks. This behavior can be temporarily reverted by setting runtime feature envoy_reloadable_features_enable_new_query_param_present_match_behavior to false.

  • tcp_proxy: Fixes a bug when TCP is tunneled over HTTP and the upstream connection is closed before response headers are received on the stream. The fix is to run the retry logic in a different event loop iteration to allow cleanup of the closed connection before retrying. This fix can be reverted by setting runtime guard envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop to false.

Removed config or runtime

Normally occurs at the end of the deprecation period

  • access_log: Removed runtime guard envoy.reloadable_features.upstream_remote_address_use_connection and legacy code paths.

  • config: Removed runtime guard envoy.reloadable_features.strict_duration_validation and legacy code paths.

  • dns: Removed runtime flag envoy.reloadable_features.dns_details and legacy code paths.

  • dns: Removed runtime guard envoy.reloadable_features.dns_nodata_noname_is_success and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.consistent_header_validation and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.sanitize_http2_headers_without_nghttp2 and legacy code paths.

  • local_ratelimit: Removed runtime guard envoy.reloadable_features.no_timer_based_rate_limit_token_bucket and legacy code paths.

  • runtime: Removed runtime flag envoy.reloadable_features.reject_invalid_yaml and legacy code paths.

  • thread_local: Removed runtime guard envoy.reloadable_features.allow_slot_destroy_on_worker_threads and legacy code paths.

  • xds: Removed runtime guard envoy.reloadable_features.xdstp_path_avoid_colon_encoding and legacy code paths.

New features

  • admin: Add support for the inbound_only and graceful query params of /drain_listeners to be used together by implementing directional draining in DrainManager.

  • attributes: Added attribute upstream.locality to obtain upstream locality information.

  • dfp: Added a feature to disable DNS refresh on failure by setting disable_dns_refresh_on_failure to true. When this feature is enabled, failed hosts are treated as a cache miss.

  • dfp: The DFP cluster will now use the async lookup path to do DNS resolutions for null hosts. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.dfp_cluster_resolves_hosts to false.

  • dynamic_modules: Added the initial support for shared libraries to be loaded by Envoy at runtime. Please refer to the overview documentation for the feature.

  • ext_proc: Added an extension to save the response from the external processor to filter state.

  • ext_proc: Added support for a new body mode, FULL_DUPLEX_STREAMED, in the ext_proc filter processing_mode.

  • formatter: Added CUSTOM_FLAGS support for substitution formatter. See access log formatter for more details.

  • formatter: Added QUERY_PARAM support for substitution formatter. See access log formatter for more details.

  • http: Added max_metadata_size to make HTTP/2 metadata limits configurable.

  • http: Added alpha support for asynchronous load balancing. See load balancing policies overview for more details. Support can be temporarily reverted by setting runtime guard envoy.reloadable_features.async_host_selection to false.

  • http: Made the credential injector filter work as an upstream filter.

  • http: Made the lua work as an upstream filter.

  • jwt_authn: Added jwt_max_token_size to make max token size configurable.

  • local_rate_limit: Added support for dynamic token buckets in local rate limit filter for http requests.

  • lua: Added clear_route_cache support to control the route cache clearing behavior in the Lua filter.

  • lua: Added virtualClusterName() API to the Stream Info Object to get the name of the virtual cluster matched.

  • lua: Added support for clearing the route cache explicitly in the Lua filter. See clearRouteCache() for more details.

  • oauth2: Added the option to specify SameSite cookie attribute values for the cookies the oauth2 filter supports. To specify the SameSite attribute, choose one of the values strict, lax or none. If not specified, the default value disabled is assigned and no SameSite value is written into the cookie attributes. See apply_on_stream_done for more details.

  • proxy_protocol: Added support for injecting custom Type-Length-Value (TLV) entries into the Proxy Protocol v2 header for upstream transport sockets. Custom TLVs can be defined both in the endpoint host’s typed metadata under the envoy.transport_sockets.proxy_protocol namespace and at the configuration level via the ProxyProtocolConfig’s added_tlvs field. Host-level TLV definitions override config-level entries when the same type is specified, allowing default TLVs to be set globally, while enabling further per-endpoint customizations.

  • quic: Added an extension to support QUIC-LB draft standard for connection ID generation.

  • redis: Added support for multi-key commands on transactions.

  • resource_monitors: Added support to monitor container CPU utilization in a Linux Kubernetes (K8s) environment using the existing extension.

  • sockets: Added an io_uring option to the default socket interface to support io_uring.

  • spiffe: Added trust_bundles to the SPIFFE certificate validator configuration. This field allows specifying a SPIFFE trust bundle mapping as a DataSource. If both trust_bundles and trust_domains are specified, trust_bundles takes precedence.

  • tap: Added a UDP extension for the tap custom sink.

  • tcp_proxy: Added proxy_protocol_tlvs to the TCP proxy filter. This field allows specifying PROXY protocol TLVs to be added in the PROXY protocol state created by the TCP proxy filter. TLVs added in the PROXY protocol state will be added to the PROXY protocol v2 header sent upstream.
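The two TLV items above (the upstream transport socket's config-level added_tlvs with host-level overrides, and the TCP proxy's proxy_protocol_tlvs that end up in the PROXY v2 header sent upstream) both come down to the same wire format. The following is an added example, not Envoy code: it implements the described merge rule (host-level entry replaces a config-level entry of the same type), encodes the merged TLVs into an IPv4/TCP PROXY protocol v2 header, and parses the header back with bounds checks. The TLV types (0xE0 and 0xE1, from the custom range) and the tenant/region values are constructed sample data.

```python
import socket
import struct
from typing import Dict, List, Tuple

# PROXY protocol v2 framing constants (from the PROXY protocol spec, not Envoy code).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VER_CMD_PROXY = 0x21    # version 2, command PROXY
PP2_FAM_TCP4 = 0x11         # AF_INET address family, SOCK_STREAM
PP2_HEADER_LEN = 16         # signature(12) + ver/cmd(1) + fam/proto(1) + length(2)
PP2_TYPE_MIN_CUSTOM = 0xE0  # start of the custom TLV type range

Tlv = Tuple[int, bytes]


def merge_tlvs(config_tlvs: List[Tlv], host_tlvs: List[Tlv]) -> List[Tlv]:
    """Combine config-level and host-level TLVs; a host entry replaces a
    config entry of the same type (the override rule described above)."""
    merged: Dict[int, bytes] = dict(config_tlvs)
    merged.update(host_tlvs)
    return sorted(merged.items())  # deterministic order by TLV type


def build_pp2_header(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                     tlvs: List[Tlv]) -> bytes:
    """Encode an IPv4/TCP PROXY v2 header with the given TLVs appended."""
    for t, v in tlvs:
        if not 0 <= t <= 0xFF or len(v) > 0xFFFF:
            raise ValueError("TLV type or length out of range")
    addresses = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                 + struct.pack("!HH", src_port, dst_port))
    tlv_bytes = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in tlvs)
    body = addresses + tlv_bytes
    return (PP2_SIGNATURE + bytes([PP2_VER_CMD_PROXY, PP2_FAM_TCP4])
            + struct.pack("!H", len(body)) + body)


def parse_pp2_header(data: bytes) -> dict:
    """Decode an IPv4/TCP PROXY v2 header, rejecting truncated frames and
    TLVs whose declared length runs past the header (a classic parser bug)."""
    if len(data) < PP2_HEADER_LEN or not data.startswith(PP2_SIGNATURE):
        raise ValueError("not a PROXY v2 header")
    if data[12] != PP2_VER_CMD_PROXY or data[13] != PP2_FAM_TCP4:
        raise ValueError("unsupported version/command or address family")
    (length,) = struct.unpack("!H", data[14:16])
    body = data[PP2_HEADER_LEN:PP2_HEADER_LEN + length]
    if len(body) != length or length < 12:
        raise ValueError("truncated header")
    src_ip, dst_ip = socket.inet_ntoa(body[0:4]), socket.inet_ntoa(body[4:8])
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    tlvs: List[Tlv] = []
    pos = 12
    while pos < length:
        if pos + 3 > length:
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + ln]
        if len(value) != ln:
            raise ValueError("TLV length exceeds header")
        tlvs.append((t, value))
        pos += 3 + ln
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port), "tlvs": tlvs}


# Constructed sample data: config-level defaults plus one host-level override.
CONFIG_TLVS: List[Tlv] = [(PP2_TYPE_MIN_CUSTOM, b"tenant-default"),
                          (PP2_TYPE_MIN_CUSTOM + 1, b"region-eu")]
HOST_TLVS: List[Tlv] = [(PP2_TYPE_MIN_CUSTOM, b"tenant-acme")]


def demo() -> dict:
    """Merge, encode and decode; returns the parsed header for inspection."""
    tlvs = merge_tlvs(CONFIG_TLVS, HOST_TLVS)
    header = build_pp2_header("10.0.0.5", "10.0.0.9", 51234, 443, tlvs)
    parsed = parse_pp2_header(header)
    parsed["header_len"] = len(header)
    return parsed


if __name__ == "__main__":
    print(demo())
```

The parser deliberately checks the declared header length against the bytes actually present and each TLV length against the remaining header before slicing; anything that reads PROXY headers from an untrusted network edge should do the same, since a TLV length field is attacker-controlled input.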

  • tcp_proxy: Added support for backoff_options to configure the backoff strategy for TCP proxy retries.

  • tcp_proxy: Added an option to allow filters to read from the downstream connection before the TCP proxy has opened the upstream connection, by setting a filter state object for the key envoy.tcp_proxy.receive_before_connect.

  • udp_proxy: Added support for outlier detection in UDP proxy. This change can be temporarily reverted by setting runtime guard envoy.reloadable_features.enable_udp_proxy_outlier_detection to false.

  • xds: Now reports locality_stats to the LRS server when rq_issued > 0. This can be disabled by setting runtime guard envoy.reloadable_features.report_load_with_rq_issued to false.