1.10.0 (Apr 5, 2019)

Changes

  • access log: added a new flag for upstream retry count exceeded.

  • access log: added a gRPC filter to allow filtering on gRPC status.

  • access log: added a new flag for stream idle timeout.

  • access log: added a new field for upstream transport failure reason in file access logger and gRPC access logger for HTTP access logs.

  • access log: added new fields for downstream x509 information (URI sans and subject) to file and gRPC access logger.

  • admin: the admin server can now be accessed via HTTP/2 (prior knowledge).

  • admin: changed HTTP response status code from 400 to 405 when attempting to GET a POST-only route (such as /quitquitquit).

  • buffer: fix vulnerabilities when allocation fails.

  • build: releases are built with GCC-7 and linked with LLD.

  • build: dev docker images have been split from tagged images for easier discoverability in Docker Hub. Additionally, we now build images for point releases.

  • config: added support of using google.protobuf.Any in opaque configs for extensions.

  • config: logging warnings when deprecated fields are in use.

  • config: removed deprecated --v2-config-only from command line config.

  • config: removed deprecated_v1 sds_config from Bootstrap config.

  • config: removed the deprecated_v1 config option from ring hash.

  • config: removed REST_LEGACY as a valid ApiType.

  • config: finish cluster warming only when a named response, i.e. a ClusterLoadAssignment associated with the cluster being warmed, comes in the EDS response. This is a behavioural change from the current implementation, where warming of a cluster also completes on missing load assignments.

  • config: use Envoy cpuset size to set the default number of worker threads if --cpuset-threads is enabled.

  • config: added support for initial_fetch_timeout. The timeout is disabled by default.

  • cors: added filter_enabled & shadow_enabled RuntimeFractionalPercent flags to filter.

  • csrf: added

  • ext_authz: added support for buffering request body.

  • ext_authz: migrated from v2alpha to v2 and improved docs.

  • ext_authz: added a configurable option to make the gRPC service cross-compatible with V2Alpha. Note that this feature is already deprecated. It should be used for a short time, and only when transitioning from alpha to V2 release version.

  • ext_authz: migrated from v2alpha to v2 and improved the documentation.

  • ext_authz: authorization request and response configuration has been separated into two distinct objects: authorization request and authorization response. In addition, client headers and upstream headers replace the previous allowed_authorization_headers object. All the control header lists now support string matcher instead of standard string.

  • fault: added the max_active_faults setting, as well as statistics for the number of active faults and the number of faults that overflowed.

  • fault: added response rate limit fault injection.

  • fault: added HTTP header fault configuration to the HTTP fault filter.

  • governance: extending Envoy deprecation policy from 1 release (0-3 months) to 2 releases (3-6 months).

  • health check: expected response codes in http health checks are now configurable.

  • http: added new grpc_http1_reverse_bridge filter for converting gRPC requests into HTTP/1.1 requests.

  • http: fixed a bug where Content-Length:0 was added to HTTP/1 204 responses.

  • http: added max request headers size. The default behaviour is unchanged.

  • http: added modifyDecodingBuffer/modifyEncodingBuffer to allow modifying the buffered request/response data.

  • http: added encodeComplete/decodeComplete. These are invoked at the end of the stream, after all data has been encoded/decoded respectively. Default implementation is a no-op.

  • outlier_detection: added support for outlier detection event protobuf-based logging.

  • mysql: added a MySQL proxy filter that is capable of parsing SQL queries over MySQL wire protocol. Refer to MySQL proxy for more details.

  • performance: new buffer implementation (disabled by default; to test it, add “--use-libevent-buffers 0” to the command-line arguments when starting Envoy).

  • jwt_authn: added filter_state_rules to allow specifying requirements from filterState by other filters.

  • ratelimit: removed deprecated rate limit configuration from bootstrap.

  • redis: added hashtagging to guarantee a given key’s upstream.

  • redis: added latency stats for commands.

  • redis: added success and error stats for commands.

  • redis: migrate hash function for host selection to MurmurHash2 from std::hash. MurmurHash2 is compatible with std::hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled on Linux and not macOS.

  • redis: added latency_in_micros to specify the redis commands stats time unit in microseconds.

  • router: added ability to configure a retry policy at the virtual host level.

  • router: added reset reason to response body when upstream reset happens. After this change, the response body will be of the form “upstream connect error or disconnect/reset before headers. reset reason:”

  • router: added rq_reset_after_downstream_response_started counter stat to router stats.

  • router: added per-route configuration of internal redirects.

  • router: removed deprecated route-action level headers_to_add/remove.

  • router: made max retries header take precedence over the number of retries in route and virtual host retry policies.

  • router: added support for prefix wildcards in virtual host domains.

  • stats: added support for histograms in Prometheus.

  • stats: added usedonly flag to prometheus stats to only output metrics which have been updated at least once.

  • stats: added gauges tracking remaining resources before circuit breakers open.

  • tap: added new alpha HTTP tap filter.

  • tls: enabled TLS 1.3 on the server-side (non-FIPS builds).

  • upstream: add hash_function to specify the hash function for ring hash as either xxHash or murmurHash2. MurmurHash2 is compatible with std::hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled on Linux and not macOS.

  • upstream: added degraded health value which allows routing to certain hosts only when there are insufficient healthy hosts available.

  • upstream: add cluster factory to allow creating and registering custom cluster type.

  • upstream: added a circuit breaker to limit the number of concurrent connection pools in use.

  • tracing: added verbose to support logging annotations on spans.

  • upstream: added support for host weighting and locality weighting in the ring hash load balancer, and added a maximum_ring_size config parameter to strictly bound the ring size.

  • zookeeper: added a ZooKeeper proxy filter that parses ZooKeeper messages (requests/responses/events). Refer to ZooKeeper proxy for more details.

  • upstream: added configuration option to select any host when the fallback policy fails.

  • upstream: stopped incrementing upstream_rq_total for HTTP/1 conn pool when request is circuit broken.

Deprecated

  • Use of use_alpha in Ext-Authz Authorization Service is deprecated. It should be used for a short time, and only when transitioning from alpha to V2 release version.

  • Use of enabled in CorsPolicy, found in route.proto, is deprecated. Set the filter_enabled field instead.

  • Use of the type field in the FaultDelay message (found in fault.proto) has been deprecated. It was never used and setting it has no effect. It will be removed in the following release.