1.25.0 (Pending)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

  • build: moved the strict_dns, original_dst, logical_dns, static, and eds clusters to extensions. If you use these clusters and override extensions_build_config.bzl, you will now need to include them explicitly.

  • build: removed the cares and apple resolvers as required extensions. Envoy now only creates DNS resolvers when necessary (e.g. for a logical DNS cluster), so it no longer requires cares to always be included. If your Envoys do DNS resolution and you override extensions_build_config, you will need to include cares explicitly.

  • listener: Previously a listener update with a different enable_reuse_port value was ignored. Now this kind of update is rejected. The runtime flag envoy.reloadable_features.enable_update_listener_socket_options can be used to revert this behavior.

  • listener: Previously a listener update with a different transparent, freebind, tcp_fast_open_queue_length or socket_options value was ignored. Now, when those fields are updated, a new socket is created for the listener and the new values of those fields are applied to it. This only happens when enable_reuse_port is true; otherwise, if those fields change, the update is rejected. The new runtime flag envoy.reloadable_features.enable_update_listener_socket_options can be used to revert this behavior.

  • loadbalancing: When active health checking (HC) is enabled for a cluster, the slow start calculation now starts after the first passing health check rather than from the time the endpoint joined the cluster; the cluster membership duration condition is dropped from the slow start calculation. If active HC is configured for the cluster, an endpoint can now re-enter slow start on each “unhealthy -> healthy” state transition.
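
To make the slow start change above concrete, here is an added Go model (not Envoy code) that replays one endpoint's health-check timeline under the old membership-based rule and the new health-check-based rule and reports the effective weight at three instants. The ramp follows the shape of Envoy's documented slow start formula (weight scaled by max(min_weight_percent/100, time_factor^(1/aggression))), but the exact curve, the 60 s window, the timeline and the policy names are this model's own constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Health is the result of an active health check for an endpoint.
type Health int

const (
	Unhealthy Health = iota // zero value: a new endpoint has not passed a check yet
	Healthy
)

// Policy selects when an endpoint's slow start window begins.
type Policy int

const (
	MembershipBased Policy = iota // pre-1.25: measured from the time the host joined the cluster
	HealthBased                   // 1.25 with active HC: measured from the first passing check,
	// and restarted on every unhealthy -> healthy transition
)

// SlowStartConfig mirrors the knobs of Envoy's slow start (window, aggression, min weight).
// The ramp below follows the shape of Envoy's documented formula; treat the exact curve
// as this model's assumption, not as Envoy's code.
type SlowStartConfig struct {
	Window           time.Duration
	Aggression       float64 // 1.0 is a linear ramp, >1 ramps faster early on
	MinWeightPercent float64 // floor for the scaled weight, e.g. 10
}

// Endpoint tracks health and the instant from which its slow start ramp is measured.
type Endpoint struct {
	Weight      float64
	Health      Health
	rampBegan   time.Time
	inSlowStart bool
}

// Join records cluster membership; only the legacy policy starts the ramp here.
func (e *Endpoint) Join(now time.Time, p Policy) {
	if p == MembershipBased {
		e.rampBegan, e.inSlowStart = now, true
	}
}

// Observe feeds one health-check result. Under HealthBased, an unhealthy -> healthy
// transition (including the very first pass) (re)starts the slow start ramp.
func (e *Endpoint) Observe(now time.Time, h Health, p Policy) {
	prev := e.Health
	e.Health = h
	if p == HealthBased && prev == Unhealthy && h == Healthy {
		e.rampBegan, e.inSlowStart = now, true
	}
}

// EffectiveWeight is the load-balancing weight at time now. Unhealthy hosts are not
// in the eligible host set at all, so they get 0.
func (e *Endpoint) EffectiveWeight(now time.Time, cfg SlowStartConfig) float64 {
	if e.Health != Healthy {
		return 0
	}
	elapsed := now.Sub(e.rampBegan)
	if !e.inSlowStart || elapsed >= cfg.Window {
		return e.Weight
	}
	timeFactor := elapsed.Seconds() / cfg.Window.Seconds()
	scale := math.Max(cfg.MinWeightPercent/100, math.Pow(timeFactor, 1/cfg.Aggression))
	return e.Weight * scale
}

func round2(x float64) float64 { return math.Round(x*100) / 100 }

// RunScenario replays a constructed timeline for one endpoint (weight 100, 60 s window)
// and returns its effective weight at t=30s, t=80s and t=130s.
func RunScenario(p Policy) []float64 {
	cfg := SlowStartConfig{Window: 60 * time.Second, Aggression: 1.0, MinWeightPercent: 10}
	t0 := time.Unix(1_700_000_000, 0) // constructed start of the timeline
	at := func(s int) time.Time { return t0.Add(time.Duration(s) * time.Second) }

	ep := &Endpoint{Weight: 100}
	ep.Join(at(0), p)
	ep.Observe(at(10), Unhealthy, p) // app still warming up, probe fails
	ep.Observe(at(20), Healthy, p)   // first passing health check
	w30 := ep.EffectiveWeight(at(30), cfg)
	w80 := ep.EffectiveWeight(at(80), cfg)
	ep.Observe(at(90), Unhealthy, p) // a later check fails ...
	ep.Observe(at(100), Healthy, p)  // ... and the endpoint recovers
	w130 := ep.EffectiveWeight(at(130), cfg)
	return []float64{round2(w30), round2(w80), round2(w130)}
}

func main() {
	fmt.Println("membership-based (pre-1.25):", RunScenario(MembershipBased))
	fmt.Println("health-check-based (1.25):  ", RunScenario(HealthBased))
}
```

Under the old rule the endpoint is already at half weight at t=30 s even though it only started passing checks at t=20 s, and it never ramps again after the t=90 s failure; under the new rule the ramp is measured from the first passing check and restarts on recovery, which is what the behavior change means for traffic shape.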

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • cache_filter: add a completion callback to updateHeaders interface. Any external cache implementations will need to update to match this new interface. See changes to simple_http_cache in PR#23666 for example.

  • cache_filter: api path of work-in-progress extension changed from api/extensions/cache/simple_http_cache to api/extensions/http/cache/simple_http_cache, and source code moved, to match extension category.

  • http filters: changed StreamEncoderFilter::encode1xxHeaders to use its own enum class, Http::Filter1xxHeadersStatus. Previously it shared the enum class used for general headers, but the implementation did not support most of its values. StreamEncoderFilter::encode1xxHeaders was also fixed to send local replies without trailing 1xx headers afterward.

  • jwt_authn: adjusted the refetch time for the remote_jwks async_fetch feature. After a successful fetch, the JWKS is refetched 5 seconds before its cache duration expires. After a failed fetch, the refetch time is given by failed_refetch_duration, which defaults to 1 second.

  • oauth2: Requests which match the passthrough header now have their own metric oauth_passthrough and aren’t included in oauth_success anymore.

  • rate_limit: add MONTH and YEAR to the unit of time for rate limit.

  • router: Virtual cluster statistics are no longer created for routes without any virtual_clusters. Previously statistics for a catch all virtual cluster were created, but never updated.

  • tls: added support for using an intermediate CA as the trusted CA (trusted_ca). A peer certificate issued by an intermediate CA is now trusted by building a valid partial chain that ends at that intermediate. Previously it could not be verified without also trusting the ancestor root CA and building a full chain. This change can be reverted via the runtime flag envoy.reloadable_features.enable_intermediate_ca.

  • upstream: detailed health status is used for override host selection. This behavior can be reverted by setting runtime flag envoy.reloadable_features.validate_detailed_override_host_statuses to false.
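
To see what the partial-chain trust described in the tls item above means in practice, here is an added Go program (not Envoy's implementation, which verifies with BoringSSL) that builds a constructed root -> intermediate -> leaf chain in memory and verifies the leaf three ways: anchoring trust at the intermediate while the peer sends only its leaf (the new partial-chain behavior), anchoring at the root while the peer omits the intermediate (fails), and anchoring at the root while the peer presents the intermediate (the old full-chain requirement). The certificate names and lifetimes are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestChain is a constructed three-tier PKI: Root signs Intermediate, which signs Leaf.
type TestChain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for the holder of pub with signer; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// NewTestChain builds the chain in memory; nothing touches disk or the network.
func NewTestChain() TestChain {
	now := time.Now()
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	root := issue(caTemplate(1, "Example Root CA", now), nil, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Example Intermediate CA", now), root, &intKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "client.example.internal"}, // made-up peer
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, inter, &leafKey.PublicKey, intKey)
	return TestChain{Root: root, Intermediate: inter, Leaf: leaf}
}

// chainLen verifies leaf against the anchors (the role trusted_ca plays in Envoy) plus
// the intermediates the peer presented. It returns the length of the chain that was
// built, or 0 when verification fails.
func chainLen(leaf *x509.Certificate, anchors, presented []*x509.Certificate) int {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0
	}
	return len(chains[0])
}

// PartialChain: trust the intermediate directly; the peer sends only its leaf.
func PartialChain(c TestChain) int {
	return chainLen(c.Leaf, []*x509.Certificate{c.Intermediate}, nil)
}

// RootWithoutIntermediate: trust only the root; the peer omits the intermediate.
func RootWithoutIntermediate(c TestChain) int {
	return chainLen(c.Leaf, []*x509.Certificate{c.Root}, nil)
}

// FullChain: trust the root; the peer presents the intermediate.
func FullChain(c TestChain) int {
	return chainLen(c.Leaf, []*x509.Certificate{c.Root}, []*x509.Certificate{c.Intermediate})
}

func main() {
	c := NewTestChain()
	fmt.Println("anchor=intermediate, peer sends leaf only:   chain length", PartialChain(c))
	fmt.Println("anchor=root, peer sends leaf only:           chain length", RootWithoutIntermediate(c))
	fmt.Println("anchor=root, peer sends leaf+intermediate:   chain length", FullChain(c))
}
```

Anchoring at the intermediate narrows trust to certificates that intermediate issued, which is usually the point of doing it. The caveat is that the verifier then never sees the root, so any constraints the root places on the intermediate (name constraints, path length) are not evaluated; only anchor at an intermediate when that is acceptable for the deployment.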

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • aws_lambda: fixed a bug where, when a PerRouteConfig routed to a target cluster's AWS Lambda endpoint in a region different from the region in the ARN of the aws_lambda http_filter configuration, the Authorization header sent to AWS Lambda was not signed with the region specified in the PerRouteConfig.

  • generic_proxy: fixed a bug where the encoder filters and decoder filters of the generic proxy were executed in the same order. In the generic proxy, the encoder filters' execution order should be the reverse of the decoder filters'.

  • grpc_json_transcoder: fixed a bug where, over HTTP/2, a request body carrying google.api.HttpBody with a size below 16KB caused an EOF from the backend gRPC server.

  • http: fixed a bug where Utility::PercentEncoding::encode() encoded some characters incorrectly because it treated the character value as negative.

  • jwt_authn: fixed a bug where jwt_cache broke the provider_and_audiences JWT requirement.

  • oauth2: fixed a bug where, when the passthrough header was matched, Envoy would always remove the authorization header. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.oauth_header_passthrough_fix to false.

  • quic: reject configs that specify require_client_certificate with QUIC, since client certificates are currently unsupported in QUIC. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.reject_require_client_certificate_with_quic to false.

  • router: fixed a bug that incorrectly rewrote the path when using regex_rewrite for redirects matched on prefix.

  • upstream: fixed a bug where only the coarse health status was used for override host selection.

  • upstream: fixed a bug where specifying both a single address in the bootstrap bind config and a cluster upstream bind config with a different IP version was rejected. This combination should be, and now is, allowed.

  • validation: fixed a crash that could happen when the optional engine_type is not provided in a regex matcher.

Removed config or runtime

Normally occurs at the end of the deprecation period

  • ecds: removed envoy.reloadable_features.top_level_ecds_stats and legacy code paths.

  • eds: removed envoy.reloadable_features.support_locality_update_on_eds_cluster_endpoints and legacy code paths.

  • http: removed envoy.reloadable_features.allow_adding_content_type_in_local_replies and legacy code paths.

  • http: removed envoy.reloadable_features.allow_upstream_inline_write and legacy code paths.

  • http: removed envoy.reloadable_features.append_or_truncate and legacy code paths.

  • http: removed envoy.reloadable_features.deprecate_global_ints and legacy code paths.

  • http: removed envoy.reloadable_features.http_100_continue_case_insensitive and legacy code paths.

  • http: removed envoy.reloadable_features.override_request_timeout_by_gateway_timeout and legacy code paths.

  • http: removed envoy.reloadable_features.skip_delay_close and legacy code paths.

  • http: removed envoy.reloadable_features.use_new_codec_wrapper and legacy code paths.

  • http: removed envoy.reloadable_features.append_to_accept_content_encoding_only_once and legacy code paths.

  • http: removed envoy.reloadable_features.http1_lazy_read_disable and legacy code paths.

  • listener: removed envoy.reloadable_features.strict_check_on_ipv4_compat and legacy code paths.

  • router: removed envoy.reloadable_features.do_not_await_headers_on_upstream_timeout_to_emit_stats and legacy code paths.

New features

  • access_log: added a new field intermediate_log_entry to indicate whether a gRPC log entry is an intermediate log entry, and added support to flush TCP log entries periodically according to the configured interval.

  • access_log: added support for %STREAM_ID% for stream unique identifier.

  • build: added an option --define=library_autolink=disabled to disable autolinking libraries.

  • ext_authz: added support to allowlist headers included in the check request to a gRPC authorization server (previously only available for the HTTP authorization server). The pre-existing allowed_headers field under the HTTP service's authorization_request is deprecated in favour of the new filter-level allowed_headers field.

  • gcp_authn: added support for configuring header that holds token fetched from GCE metadata server in new field token_header.

  • generic_proxy: added dubbo codec support to the generic_proxy filter.

  • generic_proxy: added generic rds support.

  • generic_proxy: added drain support to the generic proxy so that it performs graceful closes on connections when possible.

  • health_check: added an optional bool flag disable_active_health_check to disable the active health check for the endpoint.

  • http: added append_x_forwarded_port to append the x-forwarded-port header to HTTP upstream requests.

  • http: allowed the dynamic forward proxy cluster to use allow_coalesced_connections for HTTP/2 and HTTP/3 connections.

  • jwt_authn: added support for copying jwt claims to http headers.

  • listener: added continueFilterChain() and dispatcher() methods to the ListenerFilterCallback. This allows listener filters to continue listener filter iteration after stopping iteration e.g. if the listener filter depends on an async process.

  • listener: added a new field socket_options to the AdditionalAddress, allowing specifying discrete socket options for each listen address.

  • matching: support filter chain selection based on the dynamic metadata and the filter state using formatter actions.

  • mobile: started merging the Envoy mobile library into the main Envoy repo.

  • postgres: added support for upstream SSL.

  • redis: extended cluster support by adding a dns_cache_config option that can be used to resolve hostnames returned by MOVED/ASK responses.

  • router: added RouteList to support route list in VirtualHost.matcher.

  • tcp_proxy: added a new post_path config field to specify a custom path for HTTP tunneling with the POST method.

  • thrift: added a payload-to-metadata filter: when a given payload field matches, its value is extracted and attached to the request as dynamic metadata.

  • thrift_proxy: added envoy.reloadable_features.thrift_allow_negative_field_ids to support negative field ids for legacy thrift service.

  • tls: added support for SNI-based cert selection in the TLS downstream transport socket. Detailed documentation is available in the cert selection documentation. A new config option full_scan_certs_on_sni_mismatch enables or disables a full scan of the configured certs when no cert matches the SNI; it defaults to false. The new runtime flag envoy.reloadable_features.no_full_scan_certs_on_sni_mismatch can be used to override the default value.

  • tracing: added support for setting the hostname used when sending spans to a Datadog collector using the collector_hostname field.

  • udp_proxy: added support for proxy_access_log.

  • upstream: added a new field socket_options to the ExtraSourceAddress, allowing specifying discrete socket options for each source address.

  • upstream: allow configuring the cluster bind config and cluster manager bind config without specifying a source_address. This allows setting socket options when the default unspecified bind address is desired.