1.23.0 (Pending)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

  • tls-inspector: the tls_inspector listener filter's connection_closed and read_error stats are removed. They are replaced by two new listener-level stats, downstream_peek_remote_close and read_error.

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • thrift: added validate_clusters to RouteConfiguration to override the default cluster validation behavior.

  • admin: changed default regex engine for /stats?filter= from std::regex to RE2, improving filtering speed 20x.

  • dns: allow propagating DNS responses with no records back to callers like strict_dns cluster, guarded by envoy.reloadable_features.cares_accept_nodata.

  • tls: if both match_subject_alt_names and match_typed_subject_alt_names are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error.

  • tls: removed SHA-1 and RSA key transport cipher suites from the server-side defaults.

  • http: the behavior of the HTTP/2 keepalive timeout field has been modified to extend the timeout when any frame is received on the owning HTTP/2 connection. This negates the effect of head-of-line (HOL) blocking for slow connections: if any frame is received, the connection is assumed to be working. This behavior change can be reverted by setting the envoy.reloadable_features.http2_delay_keepalive_timeout runtime flag to false.

  • http-cache: http cache filter getCache interface changed from returning a reference to returning a shared_ptr - any third-party implementations of this interface will need to be updated accordingly. See changes to simple_http_cache.cc and simple_http_cache.h in PR21114 for example.

  • lua: export the symbols of LuaJIT by default on Linux. This is useful when a Lua script loads shared object libraries, such as those installed via luarocks.

  • local_ratelimit: local_ratelimit will consume tokens of all matched descriptors sorted by tokens per second. This behavioral change can be reverted by setting runtime guard envoy.reloadable_features.http_local_ratelimit_match_all_descriptors to false.

  • router: get route config factories by the configuration proto full names by default. This behavior change can be reverted by setting the envoy.reloadable_features.get_route_config_factory_by_type runtime flag to false.

  • skywalking: use request path as operation name of ENTRY/EXIT spans.

  • skywalking: use upstream host address as addressUsedAtClient in propagation header.
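The cluster definition below is an added example for the tls SAN-matching item and the http keepalive item above; it is not taken from the Envoy release notes or the Envoy repository. The hostname, CA path and SPIFFE prefix are placeholders.

```yaml
# Added example (not from the Envoy project): an upstream cluster that has
# migrated SAN validation to match_typed_subject_alt_names and sets the HTTP/2
# keepalive timeout whose semantics changed in 1.23. Names and paths are
# placeholders.
clusters:
  - name: api_upstream
    type: STRICT_DNS
    load_assignment:
      cluster_name: api_upstream
      endpoints:
        - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: api.example.internal
                    port_value: 443
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options:
            connection_keepalive:
              interval: 30s
              # From 1.23 this timer is reset by any received frame, not only
              # the PING ack, so a busy but healthy connection is no longer torn
              # down because its PING ack was queued behind other frames.
              timeout: 10s
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: api.example.internal
        common_tls_context:
          validation_context:
            trusted_ca:
              filename: /etc/envoy/certs/upstream-ca.pem
            # Do not keep the deprecated match_subject_alt_names next to this
            # list: from 1.23 it is silently ignored whenever the typed list is
            # present, so every name that must be accepted has to appear here.
            match_typed_subject_alt_names:
              - san_type: DNS
                matcher:
                  exact: api.example.internal
              - san_type: URI
                matcher:
                  prefix: "spiffe://example.internal/ns/prod/sa/"
```

Because the typed list wins whenever both fields are set, a configuration that carries both validates only against the typed entries; remove the deprecated field rather than leaving it in place as a fallback, and check the san_type of each entry, since a DNS matcher does not match a URI SAN with the same string.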

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • runtime: fixed a bug where envoy.restart_features.no_runtime_singleton was inverted. Runtime singleton status is now guarded by the non-inverted envoy.restart_features.remove_runtime_singleton.

  • tcp_proxy: Fixed an issue using the cluster wide CONNECT termination so it will successfully proxy payloads.

Removed config or runtime

Normally occurs at the end of the deprecation period

  • compressor: removed envoy.reloadable_features.fix_added_trailers and legacy code paths.

  • dns: removed envoy.reloadable_features.use_dns_ttl and legacy code paths.

  • ext_authz: removed envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect runtime guard and legacy code paths.

  • http: removed envoy.reloadable_features.correct_scheme_and_xfp and legacy code paths.

  • http: removed envoy.reloadable_features.validate_connect and legacy code paths.

  • tcp_proxy: removed envoy.reloadable_features.new_tcp_connection_pool and legacy code paths.

  • tls: fixed a bug where days_until_expiration reported a very large number for an invalid certificate. After this fix, once a certificate has expired it reports 0.

  • conn pool: removed envoy.reloadable_features.conn_pool_delete_when_idle and legacy code paths.

  • runtime: removed envoy.restart_features.no_runtime_singleton and replaced with envoy.restart_features.remove_runtime_singleton.

New features

  • access_log: added new access_log command operators to retrieve upstream connection information: %UPSTREAM_PROTOCOL%, %UPSTREAM_PEER_SUBJECT%, %UPSTREAM_PEER_ISSUER%, %UPSTREAM_TLS_SESSION_ID%, %UPSTREAM_TLS_CIPHER%, %UPSTREAM_TLS_VERSION%, %UPSTREAM_PEER_CERT_V_START%, %UPSTREAM_PEER_CERT_V_END% and %UPSTREAM_PEER_CERT%.

  • dns_resolver: added support for multiple addresses. This is most valuable when used in conjunction with ALL, enabling full Happy Eyeballs support for Envoy (see the detailed Happy Eyeballs documentation), but it will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard envoy.restart_features.remove_runtime_singleton to false.

  • dubbo_proxy: added dynamic routes discovery support to the dubbo proxy.

  • ext_proc: added support for per-route grpc_service.

  • http: added new file_system_buffer http filter.

  • build: enabled building arm64 envoy-distroless and envoy-tools docker images.

  • http: the preserve_case header formatter now supports an inner formatter for Envoy-generated headers via formatter_type_on_envoy_headers.

  • on_demand: the OnDemand filter configuration was extended to hold configuration for on-demand cluster discovery. A similar message for per-route configuration was also added.

  • conn pool: changed HTTP/2 connection pooling and the ALPN pool to remember the number of concurrent streams allowed by the endpoint and to cap multiplexed streams on subsequent connections accordingly. With that in place, the ALPN pool now defaults to assuming HTTP/2 will work: it incurs a latency hit only once, until the TLS handshake completes, and then caches that the effective stream limit is 1 if the endpoint negotiated HTTP/1.1. This behavioral change can be reverted by setting envoy.reloadable_features.allow_concurrency_for_alpn_pool to false.

  • proxy_protocol: added allow_requests_without_proxy_protocol, an opt-in flag that allows connections without a PROXY protocol header on the listener from trusted downstreams.

  • http: added cluster_header in request_mirror_policies to allow routing shadow requests to the cluster named in the specified request header.

  • thrift: added the close_downstream_on_upstream_error router flag to control whether the downstream connection is closed locally on upstream error.

  • ratelimit: added support for HTTP matching input functions as descriptor producers.

  • ratelimit: added support for masked_remote_address.

  • thrift: added support for access logging.

  • thrift: introduced a configurable Thrift encoder and bidirectional filters, which allow peeking at and modifying the Thrift response message.

  • build: official released binary is now built with Clang 14.0.0.
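The listener below is an added example that ties together the proxy_protocol opt-in and the new upstream TLS access log operators listed above, together with the server-side cipher-suite default change under Minor behavior changes. It is not taken from the release notes or the Envoy project; the addresses, certificate paths and the api_upstream route target (assumed to be defined elsewhere) are placeholders.

```yaml
# Added example (not from the Envoy project). Placeholders: addresses, cert
# paths and the api_upstream cluster, which is assumed to exist.
static_resources:
  listeners:
    - name: ingress_https
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8443
      listener_filters:
        - name: envoy.filters.listener.proxy_protocol
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
            # Opt-in added in 1.23: a connection that arrives without a PROXY
            # header is accepted instead of closed. Only safe when every peer
            # that can reach this port is a trusted load balancer; any other
            # client could omit the header and be logged (and policed) by its
            # socket peer address rather than the original client address.
            allow_requests_without_proxy_protocol: true
      filter_chains:
        - transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_params:
                  tls_minimum_protocol_version: TLSv1_2
                  # Pin the TLS 1.2 suites explicitly instead of relying on the
                  # server-side defaults (which lost SHA-1 and RSA key transport
                  # in 1.23), so the offered set stays identical across upgrades.
                  cipher_suites:
                    - ECDHE-ECDSA-AES128-GCM-SHA256
                    - ECDHE-RSA-AES128-GCM-SHA256
                    - ECDHE-ECDSA-AES256-GCM-SHA384
                    - ECDHE-RSA-AES256-GCM-SHA384
                    - ECDHE-ECDSA-CHACHA20-POLY1305
                    - ECDHE-RSA-CHACHA20-POLY1305
                tls_certificates:
                  - certificate_chain:
                      filename: /etc/envoy/certs/server.pem
                    private_key:
                      filename: /etc/envoy/certs/server-key.pem
          filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_https
                access_log:
                  - name: envoy.access_loggers.stdout
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                      log_format:
                        text_format_source:
                          # The UPSTREAM_* TLS operators are new in 1.23; they
                          # record which upstream identity actually served the
                          # request, which is what you want in an mTLS audit trail.
                          inline_string: >
                            [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
                            %RESPONSE_CODE% %DOWNSTREAM_REMOTE_ADDRESS%
                            upstream=%UPSTREAM_HOST% up_proto=%UPSTREAM_PROTOCOL%
                            up_tls=%UPSTREAM_TLS_VERSION%/%UPSTREAM_TLS_CIPHER%
                            up_peer_subject="%UPSTREAM_PEER_SUBJECT%" up_peer_issuer="%UPSTREAM_PEER_ISSUER%"
                            up_cert_valid=%UPSTREAM_PEER_CERT_V_START%..%UPSTREAM_PEER_CERT_V_END%
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: all
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: api_upstream
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

When the upstream connection is plaintext, the UPSTREAM_TLS_* and UPSTREAM_PEER_* operators render as "-", so a sudden run of "-" values in the up_tls field is a cheap signal that traffic to a cluster that should be mTLS is not.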