forked from envoyproxy/envoy
current.yaml
date: Pending
behavior_changes:
# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
- area: oauth2
change: |
The OAuth filter now URL-encodes the URL it carries in query parameters. Those query parameters are decoded on the way back, so character sequences that must remain encoded inside the embedded URL are left intact. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.oauth_use_url_encoding`` to false.
- area: admin
change: |
Adds a new admin stats format option 'html-active' to display a periodically updated list of the top most frequently changed stats.
minor_behavior_changes:
# *Changes that may cause incompatibilities for some users, but should not for most*
- area: quic
change: |
Access logging is now deferred to the QUIC ack listener, and round-trip response time is added as a downstream timing metric. The new runtime flag ``envoy.reloadable_features.quic_defer_logging_to_ack_listener`` can be used to revert this behavior.
- area: healthcheck
change: |
If active HC is enabled and a host is ejected by outlier detection, a successful active health check unejects the host and considers it healthy. This also clears all the outlier detection counters. This behavior change can be reverted by setting ``envoy.reloadable_features.successful_active_health_check_uneject_host`` to ``false``.
- area: local_ratelimit
change: |
Tokens from local descriptor's token buckets are burned before tokens from the default token bucket.
- area: http2
change: |
Request authorities are now validated with a library function from QUICHE rather than nghttp2. This behavior change can be reverted by setting ``envoy.reloadable_features.http2_validate_authority_with_quiche`` to ``false``.
- area: lua
change: |
dropped moonjit support.
- area: ext_proc
change: |
Make the :ref:`grpc service <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.grpc_service>` required.
- area: http2
change: |
Metadata is parsed with the QUICHE HPACK library, rather than nghttp2. This behavior change can be reverted by setting ``envoy.reloadable_features.http2_decode_metadata_with_quiche`` to ``false``.
- area: upstream
change: |
Changed HTTP/1 and HTTP/3 upstream streams not to disable reading (in the case where the downstream buffer reaches the high watermark) until the full response headers have been received. This fixes a bug where Envoy upstream timeouts were not correctly adjusting to the fact that the response headers had already been sent from upstream. This behavior change can be reverted by setting ``envoy.reloadable_features.upstream_wait_for_response_headers_before_disabling_read`` to ``false``.
- area: custom response
change: |
Changed how the uri for redirect policy is specified. It can now be specified either as a single fully qualified string, or by specifying individual components of the uri.
- area: matchers
change: |
Moved all of the network input matchers to extensions. If you use network matchers and override extensions_build_config.bzl you will now need to include them explicitly.
bug_fixes:
# *Changes expected to improve the state of the world and are unlikely to have negative effects*
- area: stats
change: |
now updating upstream total connection stats as happy eyeballs connections are created.
- area: eds
change: |
added ``envoy.reloadable_features.multiplex_eds`` to disable eds multiplexing. Eds multiplexing is enabled by default, so that all subscriptions for the same resource type and management server reuse a single channel/mux.
When eds multiplexing is disabled each subscription uses a dedicated channel/mux.
- area: router
change: |
fixed the bug that custom tags of the route metadata type are not set for upstream spans.
- area: ext_proc
change: |
ensure the route-level configuration overrides the global configuration when processing the local reply.
- area: router
change: |
fixed outlier detection ejections caused by opened circuit breakers.
- area: dependency
change: |
Add boringssl patch to resolve CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName comparison). Note that the FIPS build is not patched and remains affected.
- area: access log
change: |
in JSON logs, port numbers were logged as strings and are now logged as numbers (``%DOWNSTREAM_LOCAL_PORT%``, ``%DOWNSTREAM_REMOTE_PORT%``, ``%DOWNSTREAM_DIRECT_REMOTE_PORT%``, ``%UPSTREAM_LOCAL_PORT%``, ``%UPSTREAM_REMOTE_PORT%``).
This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.format_ports_as_numbers`` to false.
- area: ext_proc
change: |
Let onData always raise StopIterationAndWatermark when waiting for headers response, to avoid http errors (413 on request path, and 500 on response path) when data size goes above high watermark.
- area: http filter
change: |
Fix possible illegal memory access in the header_mutation filter when the request is aborted before the request headers have been received completely.
- area: upstream
change: |
Initialize upstream network read filters via their ``onNewConnection()`` callback once the upstream connection has been established even if there is no data available for reading on the new upstream connection. This behavior change can be reverted by setting ``envoy.reloadable_features.initialize_upstream_filters`` to ``false``.
removed_config_or_runtime:
# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
- area: config
change: |
removed ``envoy.reloadable_features.admin_stats_filter_use_re2`` and legacy code paths.
removed ``envoy.reloadable_features.combine_sds_requests`` and legacy code paths.
- area: dns
change: |
removed ``envoy.reloadable_features.dns_multiple_addresses`` runtime flag and legacy code paths.
- area: router
change: |
removed ``envoy.reloadable_features.get_route_config_factory_by_type`` runtime flag. The flag is no longer needed as the behavior is now the default.
- area: http
change: |
removed ``envoy.reloadable_features.http2_delay_keepalive_timeout`` and legacy code paths.
- area: http
change: |
removed ``envoy.reloadable_features.local_ratelimit_match_all_descriptors`` and legacy code paths.
- area: http
change: |
removed ``envoy.reloadable_features.use_rfc_connect`` and legacy code path.
- area: http
change: |
removed ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` and legacy code path.
- area: http
change: |
removed ``envoy.reloadable_features.lua_respond_with_send_local_reply`` and legacy code path.
- area: http3
change: |
removed ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and legacy code paths.
- area: http
change: |
removed ``envoy.reloadable_features.http_skip_adding_content_length_to_upgrade`` and legacy code paths.
- area: http3
change: |
removed ``envoy.reloadable_features.http3_sends_early_data`` and legacy code paths.
- area: dns
change: |
removed ``envoy.reloadable_features.cares_accept_nodata`` and legacy code paths.
- area: http3
change: |
removed ``envoy.reloadable_features.postpone_h3_client_connect_to_next_loop`` and legacy code paths.
new_features:
- area: access_log
change: |
enhanced observability into local close for :ref:`%RESPONSE_CODE_DETAILS% <config_http_conn_man_details>`.
- area: oauth filter
change: |
extended :ref:`cookie_names <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Credentials.cookie_names>` to allow overriding (default) cookie names (``IdToken``, ``RefreshToken``) set by the filter.
- area: tracing
change: |
allow :ref:`grpc_service <envoy_v3_api_field_config.trace.v3.OpenTelemetryConfig.grpc_service>` to be optional. This enables a means to disable collection of traces.
- area: upstream
change: |
Optimized implementation of RingHash load balancer using a shard algorithm. This can be disabled by setting the runtime guard ``envoy_reloadable_features_shard_ringhash`` to false.
- area: upstream
change: |
added :ref:`ring hash extension <envoy_v3_api_msg_extensions.load_balancing_policies.ring_hash.v3.RingHash>` to support the :ref:`load balancer policy <envoy_v3_api_field_config.cluster.v3.Cluster.load_balancing_policy>`.
- area: upstream
change: |
added :ref:`maglev extension <envoy_v3_api_msg_extensions.load_balancing_policies.maglev.v3.Maglev>` to support the :ref:`load balancer policy <envoy_v3_api_field_config.cluster.v3.Cluster.load_balancing_policy>`.
- area: maglev
change: |
added ``envoy.reloadable_features.allow_compact_maglev`` to allow the use of a more compact maglev load balancer representation. This can be reverted by setting ``envoy.reloadable_features.allow_compact_maglev`` to false.
- area: router
change: |
support route info in upstream access log.
- area: lua
change: |
added a new option to the ``options`` table of the Lua ``httpCall`` API. Setting ``{["send_xff"] = false}`` as the ``options`` skips adding the ``x-forwarded-for`` header to the outbound call.
- area: ratelimit
change: |
added a local rate limit listener filter, which enforces connection rate limiting before the TLS handshake and filter chain matching.
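A listener that uses the new filter, as an added example that is not part of the changelog or of Envoy's own configs: the local rate limit listener filter sits first in ``listener_filters`` so that connections over budget are closed before TLS inspection or the handshake spends any CPU on them. The listener name, addresses, certificate paths, bucket sizes and the ``backend`` cluster are assumptions chosen for illustration.

```yaml
# Added example (not from the Envoy changelog or source tree).
# Names, ports, cert paths and bucket sizes are assumptions.
static_resources:
  listeners:
  - name: ingress_tls
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    listener_filters:
    # Runs before tls_inspector and before any filter chain is selected:
    # a connection that finds the bucket empty is closed immediately.
    - name: envoy.filters.listener.local_ratelimit
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.local_ratelimit.v3.LocalRateLimit
        stat_prefix: ingress_conn_limit
        token_bucket:
          max_tokens: 200        # burst of new connections
          tokens_per_fill: 100   # sustained: 100 new connections per second
          fill_interval: 1s
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filter_chain_match:
        server_names: ["api.example.com"]
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/api.crt }
              private_key: { filename: /etc/envoy/certs/api.key }
      filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: ingress_tcp
          cluster: backend
```

The bucket is one budget for the whole listener, not a per-client limit, so it protects the handshake path from aggregate connection floods but does not stop a single source from consuming the budget; pair it with per-source limits at the network edge where you need those.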
- area: proxy_protocol
change: |
added support for :ref:`pass_through_tlvs for listener <envoy_v3_api_field_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.pass_through_tlvs>`
and :ref:`pass_through_tlvs for upstream <envoy_v3_api_field_config.core.v3.ProxyProtocolConfig.pass_through_tlvs>`.
They control which Proxy Protocol V2 TLVs are passed through by the listener and by the upstream transport, configured separately.
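Both sides of the new setting in one fragment, as an added example that is not part of the changelog or of Envoy's own configs: the edge listener accepts PROXY v2 and retains only TLV type 234 (0xEA), and the upstream transport socket re-emits that same TLV on the next hop, so every other TLV the front load balancer attached is dropped here. The listener and cluster names, addresses and the TLV number are assumptions chosen for illustration.

```yaml
# Added example (not from the Envoy changelog or source tree).
# Names, addresses and TLV type 234 are assumptions.
static_resources:
  listeners:
  - name: edge
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    listener_filters:
    - name: envoy.filters.listener.proxy_protocol
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
        # INCLUDE is an allow-list: only the listed TLV types survive this hop.
        pass_through_tlvs:
          match_type: INCLUDE
          tlv_type: [234]
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: edge_tcp
          cluster: internal_hop
  clusters:
  - name: internal_hop
    type: STATIC
    load_assignment:
      cluster_name: internal_hop
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 10.0.0.10, port_value: 8080 }
    transport_socket:
      name: envoy.transport_sockets.upstream_proxy_protocol
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
        config:
          version: V2
          # Same allow-list on the way out, so the hop is symmetric.
          pass_through_tlvs:
            match_type: INCLUDE
            tlv_type: [234]
        transport_socket:
          name: envoy.transport_sockets.raw_buffer
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
```

The listener filter trusts whatever PROXY header arrives, so the listener must only be reachable from the load balancer that is supposed to send it; otherwise a direct client can forge the source address and any TLV on the allow-list.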
- area: tcp_proxy
change: |
added support for propagating the response trailers in :ref:`TunnelingConfig <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig.propagate_response_trailers>` to the downstream info filter state.
- area: sni_dynamic_forward_proxy
change: |
added an option to dynamically set the host used by the SNI dynamic forward proxy filter, by setting a filter state object under the key ``envoy.upstream.dynamic_host``.
- area: access_log
change: |
added support for :ref:`%DOWNSTREAM_TRANSPORT_FAILURE_REASON% <config_access_log_format_downstream_transport_failure_reason>` as a log command operator that records why a downstream connection on a listener failed due to a transport socket error,
including TLS handshake failures.
Also added the field :ref:`downstream_transport_failure_reason <envoy_v3_api_field_data.accesslog.v3.AccessLogCommon.downstream_transport_failure_reason>` to the common access log proto.
- area: generic_proxy
change: |
added :ref:`tracing support <envoy_v3_api_field_extensions.filters.network.generic_proxy.v3.GenericProxy.tracing>` for the generic proxy.
- area: jwt_authn
change: |
added :ref:`failed_status_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.failed_status_in_metadata>` to support setting the JWT
authentication failure status code and message in dynamic metadata.
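An HCM fragment wiring the new field through to the access log, as an added example that is not part of the changelog or of Envoy's own configs: the provider records the verification status under the key ``jwt_failure``, and the log picks it up from dynamic metadata so rejected tokens can be triaged (expired, wrong audience, unknown key) without enabling debug logging. The issuer, audience, JWKS cluster, the key name and the metadata namespace ``envoy.filters.http.jwt_authn`` (the filter's name, per its documentation) are assumptions.

```yaml
# Added example (not from the Envoy changelog or source tree). Fragment of an
# HttpConnectionManager config; issuer, audience, cluster and key are assumptions.
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      corp_idp:
        issuer: https://idp.example.com
        audiences: [api.example.com]
        from_headers:
        - name: authorization
          value_prefix: "Bearer "
        remote_jwks:
          http_uri:
            uri: https://idp.example.com/.well-known/jwks.json
            cluster: idp_jwks
            timeout: 5s
          cache_duration: 600s
        # New in this release: on a failed verification the status code and
        # message are written to dynamic metadata under this key.
        failed_status_in_metadata: jwt_failure
    rules:
    - match: { prefix: / }
      requires: { provider_name: corp_idp }
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
# Access log on the same HCM; the namespace is the filter name (assumption).
access_log:
- name: envoy.access_loggers.stdout
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
    log_format:
      json_format:
        authority: "%REQ(:AUTHORITY)%"
        path: "%REQ(:PATH)%"
        status: "%RESPONSE_CODE%"
        jwt_failure: "%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:jwt_failure)%"
```

The ``jwt_failure`` field is empty on successful requests, so the same log line serves both the audit trail and a cheap alert source (count of non-empty values per issuer per minute).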
- area: http filter
change: |
added :ref:`header mutation http filter <config_http_filters_header_mutation>` which adds the ability to modify request and response headers in any position of HTTP filter chain.
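One placement that the new filter makes possible, as an added example that is not part of the changelog or of Envoy's own configs: request headers are mutated before ``ext_authz`` runs rather than at the router, so a client-supplied ``x-internal-role`` can never reach the authorization service or the backend, and response headers are scrubbed and hardened in the same filter. The header names, the ``authz`` cluster and the ordering ahead of ``ext_authz`` are assumptions chosen for illustration.

```yaml
# Added example (not from the Envoy changelog or source tree). Fragment of an
# HttpConnectionManager config; header names and cluster are assumptions.
http_filters:
- name: envoy.filters.http.header_mutation
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.header_mutation.v3.HeaderMutation
    mutations:
      request_mutations:
      # Dropped here, before ext_authz, so nothing downstream of this filter
      # can mistake a client-set value for a trusted assertion.
      - remove: x-internal-role
      response_mutations:
      - remove: x-powered-by
      - append:
          header:
            key: strict-transport-security
            value: "max-age=31536000; includeSubDomains"
          append_action: ADD_IF_ABSENT
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    grpc_service:
      envoy_grpc: { cluster_name: authz }
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

``ADD_IF_ABSENT`` leaves a backend-set HSTS header untouched and only fills the gap; use ``OVERWRITE_IF_EXISTS_OR_ADD`` instead when the proxy, not the backend, is meant to own the value.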
- area: matching
change: |
added :ref:`Filter State Input <envoy_v3_api_msg_extensions.matching.common_inputs.network.v3.FilterStateInput>` for matching based on filter state objects.
- area: http
change: |
make adding ProxyProtocolFilterState in the HCM optional.
- area: sni_dynamic_forward_proxy
change: |
added an option to dynamically set the port used by the SNI dynamic forward proxy filter, by setting a filter state object under the key ``envoy.upstream.dynamic_port``.
- area: route
change: |
support dynamic clusters for :ref:`VirtualHost.matcher <envoy_v3_api_field_config.route.v3.VirtualHost.matcher>`.
- area: route
change: |
support route callback after route matches for :ref:`VirtualHost.matcher <envoy_v3_api_field_config.route.v3.VirtualHost.matcher>`.
- area: tcp_proxy
change: |
added an option to dynamically disable TCP tunneling even if set in the filter config, by setting a filter state object for the key ``envoy.tcp_proxy.disable_tunneling``.
- area: tcp_proxy
change: |
add :ref:`flush access log on connected <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.flush_access_log_on_connected>` to allow recording an access log entry
on the connection open event. This option does not require periodic access logging to be enabled, and periodic access logging does not require this option.
- area: http
change: |
add :ref:`periodic access logging <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.access_log_flush_interval>`
to http access logs for long-lived requests (Websockets, CONNECT, etc). :ref:`%DURATION% <config_access_log_format_duration>` will
be empty for mid-request logs. Enabling this may affect access loggers and filters that register as access loggers that expect to be called only once.
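The two long-lived-connection logging options above (``flush_access_log_on_connected`` on ``tcp_proxy`` and ``access_log_flush_interval`` on the HCM) in one bootstrap fragment, as an added example that is not part of the changelog or of Envoy's own configs: the HTTP listener emits an entry every 60 seconds for in-flight WebSocket upgrades, and the TCP listener emits one entry at connect and one at close. The listener names, ports, the ``backend`` cluster and the log format are assumptions chosen for illustration.

```yaml
# Added example (not from the Envoy changelog or source tree).
# Names, ports, cluster and log format are assumptions.
static_resources:
  listeners:
  - name: http_ws
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: http_ws
          # Mid-request entries every 60s. %DURATION% is empty on those lines,
          # so key dashboards on %START_TIME% and the byte counters instead.
          access_log_flush_interval: 60s
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              log_format:
                text_format_source:
                  inline_string: "[%START_TIME%] %REQ(:METHOD)% %REQ(:PATH)% dur=%DURATION% rx=%BYTES_RECEIVED% tx=%BYTES_SENT% %RESPONSE_CODE_DETAILS%\n"
          upgrade_configs:
          - upgrade_type: websocket
          route_config:
            virtual_hosts:
            - name: ws
              domains: ["*"]
              routes:
              - match: { prefix: / }
                route: { cluster: backend }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  - name: tcp_db
    address:
      socket_address: { address: 0.0.0.0, port_value: 5432 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_db
          cluster: backend
          # One entry when the upstream connection is established and one at
          # close; independent of access_log_flush_interval.
          flush_access_log_on_connected: true
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
```

Because a single request now produces several log lines, any access logger or access-log filter that assumes one call per stream (for example, one that counts entries as requests) needs to key on ``%START_TIME%`` plus the connection to deduplicate.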
- area: redis_health_check
change: |
added :ref:`exists_failure <config_health_checkers_redis>` stat to indicate health check failures caused by EXISTS check failure.
- area: redis
change: |
added :ref:`wait_for_warm_on_init <envoy_v3_api_field_config.cluster.v3.Cluster.wait_for_warm_on_init>` support for :ref:`Redis Cluster<arch_overview_redis>`.
deprecated:
- area: ext_authz
change: |
deprecated (1.25.0) :ref:`ext_authz.v3.AuthorizationRequest.allowed_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationRequest.allowed_headers>` in favour
of :ref:`ext_authz.v3.ExtAuthz.allowed_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.allowed_headers>`.