1.27.0 (Pending)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

• build: Moved the subset, ring_hash, and maglev LB code into extensions. If you use these load balancers and override extensions_build_config.bzl you will need to include them explicitly.

• build: Moved xDS code extensions. If you use the xDS and override extensions_build_config.bzl you will need to include the new config_subscriptions explicitly.

• http: When append_x_forwarded_host is enabled for a given route action it is now only appended iff it is different from the last value in the list. This resolves issues where a retry caused the same value to be appended multiple times. This behavioral change can be temporarily reverted by setting runtime guard envoy_reloadable_features_append_xfh_idempotent to false.

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

• aws: Added support for fetching credentials from the AWS credentials file, which only happens if credentials cannot be fetched from environment variables. This behavioral change can be reverted by setting runtime guard envoy.reloadable_features.enable_aws_credentials_file to false.

• connection pool: Increase granularity mapping connection pool failures to specific stream failure reasons to make it more transparent why the stream is reset when a connection pool’s connection fails.

• custom response: The filter now traverses matchers from most specific to least specific per filter config till a match is found for the response.

• dns: Changing the DNS cache to use host:port as the cache key rather than host. This allows a downstream DFP filter to serve both secure and insecure clusters. This behavioral change can be reverted by setting runtime flag envoy.reloadable_features.dfp_mixed_scheme to false.

• ext_proc: Filter metadata containing ext proc stats has been moved from ext-proc-logging-info to a namespace corresponding to the name of the ext_proc filter.

• ext_proc: When clear_route_cache is set, ext_proc will check for header mutations beforce clearing the route cache. Failures due to this check will be counted under the clear_route_cache_ignored stat.

• http cookies: Changed internal format of http cookie to protobuf and added expiry timestamp. Processing expired cookie results in selection of a new upstream host and sending a new cookie to the client. Previous format of the cookie is still accepted, but is planned to be obsoleted in the future. This behavior change can be reverted by setting envoy.reloadable_features.stateful_session_encode_ttl_in_cookie to false.

• http1: Allowing mixed case schemes in absolute urls (e.g. HtTp://www.google.com). Mixed case schemes will be normalized to the lower cased equivalents before being forwarded upstream. This behavior can be reverted by setting runtime flag envoy.reloadable_features.allow_absolute_url_with_mixed_scheme to false.

• http1: The HTTP1 server-side codec no longer considers encoding 1xx headers as starting the response. This allows the codec to raise protocol errors, sending detailed local replies instead of just closing the connection. This behavior can be reverted by setting runtime flag envoy.reloadable_features.http1_allow_codec_error_response_after_1xx_headers to false.

• overload manager: Changed behavior of the overload manager to error on unknown overload manager actions. Prior it would silently fail. This change can be reverted temporarily by setting the runtime guard envoy.reloadable_features.overload_manager_error_unknown_action to false.

• resource_monitors: Changed behavior of the fixed heap monitor to count unused mapped pages as free memory. This change can be reverted temporarily by setting the runtime guard envoy.reloadable_features.count_unused_mapped_pages_as_free to false.

• router: Added check for existing metadata before setting metadata due to ‘auto_sni’, ‘auto_san_validation’, or ‘override_auto_sni_header’ to prevent triggering ENVOY_BUG when an earlier filter has set the metadata.

• stats: Added new type of gauge with type hidden. These stats are hidden from admin/stats-sinks but can shown with a query-parameter of /stats?hidden=include or /stats?hidden=showonly.

• uhv: Allow malformed URL encoded triplets in the default header validator. This behavior can be reverted by setting runtime flag envoy.reloadable_features.uhv_allow_malformed_url_encoding to false, in which case requests with malformed URL encoded triplets in path are rejected. This setting is only applicable when the Unversal Header Validator is enabled and has no effect otherwise.

• uhv: Preserve case of %-encoded triplets in the default header validator. This behavior can be reverted by setting runtime flag envoy.reloadable_features.uhv_preserve_url_encoded_case to false, in which case %-encoded triplets are normalized to uppercase characters. This setting is only applicable when the Unversal Header Validator is enabled and has no effect otherwise.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

• boringssl: Fixed the crash that occurs when contrib is compiled with boringssl=fips defined.

• dependency: update C-ares -> 1.91.1 to resolve:

  • CVE-2023-31130.

  • CVE-2023-31147.

  • CVE-2023-31124.

  • CVE-2023-32067.

• dependency: update Wasmtime and related deps -> 9.0.3 to resolve CVE-2023-30624.

• ext_authz: Fix a bug where the ext_authz filter will ignore the request body when the pack_as_bytes is set to true and HTTP authorization service is configured.

• http: The is_optional field of HTTP filter can only be used for configuration loading of HTTP filter and will be ignored for loading of route or virtual host level filter config. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.ignore_optional_option_from_hcm_for_route_config to false. You can also use route/virtual host optional flag as a replacement of the feature.

• logging: Do not display GRPC_STATUS_NUMBER for non gRPC requests. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.validate_grpc_header_before_log_grpc_status to false.

• oauth2: The Max-Age attribute of Set-Cookie HTTP response header was being assigned a value representing Seconds Since the Epoch, causing cookies to expire in ~53 years. This was fixed an now it is being assinged a value representing the number of seconds until the cookie expires. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.oauth_use_standard_max_age_value to false.

• oauth2: The httpOnly attribute for Set-Cookie for tokens in HTTP response header was missing, causing tokens to be accessible from the JavaScript making the apps vulnerable. This was fixed now by marking the cookie as httpOnly. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.oauth_make_token_cookie_httponly to false.

• router: Fixed the bug that updating scope_key_builder of SRDS config doesn’t work and multiple HCM share the same scope_key_builder.

• tls: Fix build FIPS compliance when using both FIPS mode and Wasm extensions (--define boringssl=fips and --define wasm=v8).

Removed config or runtime

Normally occurs at the end of the deprecation period

• config: removed runtime key envoy.reloadable_features.delta_xds_subscription_state_tracking_fix and legacy code paths.

• header_formatters: removed runtime key envoy.reloadable_features.unified_header_formatter and legacy code paths.

• http: removed runtime key envoy.reloadable_features.allow_upstream_filters and legacy code paths.

• http: removed runtime key envoy.reloadable_features.closer_shadow_behavior and legacy code paths.

• http: removed runtime key envoy.reloadable_features.http_response_half_close and legacy code paths.

• http: removed runtime key envoy.reloadable_features.http_strip_fragment_from_path_unsafe_if_disabled and legacy code paths.

• logging: removed runtime key envoy.reloadable_features.correct_remote_address and legacy code paths.

• quic: removed runtime key envoy.reloadable_features.quic_defer_send_in_response_to_packet and legacy code paths.

• tls: remove runtime key envoy.reloadable_features.tls_async_cert_validation and legacy code paths.

• udp: removed runtime key envoy.reloadable_features.udp_proxy_connect and legacy code paths.

• upstream: removed runtime key envoy.reloadable_features.fix_hash_key and legacy code paths.

New features

• access_log: (QUIC only) Added support for %BYTES_RETRANSMITTED% and %PACKETS_RETRANSMITTED%.

• access_log: added %ACCESS_LOG_TYPE% substitution string, to help distinguishing between access log records and when they are being recorded. Please refer to the access log configuration documentation for more information.

• access_log: added CEL access log formatter to print CEL expression.

• access_log: added access log filter log_type_filter to filter access log records based on the type of the record.

• access_log: added additional HCM access log option flush_log_on_tunnel_successfully_established. Enabling this option will write a log to all access loggers when HTTP tunnels (e.g. Websocket and CONNECT) are successfully established.

• admin: Adds a new admin stats html bucket-mode detailed to generate all recorded buckets and summary percentiles.

• application_logs: Added bootstrap option application_log_format to enable setting application log format as JSON structure.

• dynamic_forward_proxy: added sub_clusters_config to enable independent sub cluster for each host:port, with STRICT_DNS cluster type.

• ext_proc: forward_rules to only allow headers matchinging the forward rules to be forwarded to the external processing server.

• ext_proc: added new configuration field allow_mode_override If set to true, the filter config processing_mode can be overridden by the mode_override in the response message from the external processing server. If not set, the mode_override API in the response message will be ignored.

• ext_proc: added new configuration field disable_clear_route_cache to force the ext_proc filter from clearing the route cache. Failures to clear from setting this field will be counted under the clear_route_cache_disabled stat.

• ext_proc: added new field filter_metadata <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExtProc.filter_metadata to aid in logging. Metadata will be stored in StreamInfo filter metadata under a namespace corresponding to the name of the ext proc filter.

• fault: added new field envoy.extensions.filters.http.fault.v3.HTTPFault.filter_metadata to aid in logging. Metadata will be stored in StreamInfo dynamic metadata under a namespace corresponding to the name of the fault filter.

• http: Add support to the route/virtual host level is_optional field. A route/virtual host level per filter config can be marked as optional, which means that if the filter fails to load, the configuration will no be rejected.

• http: added Runtime feature envoy.reloadable_features.max_request_headers_size_kb to override the default value of max request headers size.

• http: added support for configuring additional cookie attributes.

• load shed point: added load shed point envoy.load_shed_points.http1_server_abort_dispatch that rejects HTTP1 server processing of requests.

• load shed point: added load shed point envoy.load_shed_points.http2_server_go_away_on_dispatch that sends GOAWAY for HTTP2 server processing of requests. When a GOAWAY frame is submitted by this the counter http2.goaway_sent will be incremented.

• load shed point: added load shed point envoy.load_shed_points.http_connection_manager_decode_headers that rejects new http streams by sending a local reply.

• matchers: Added RuntimeFraction input matcher. It allows matching hash of the input on a runtime key.

• matching: added CEL(Common Expression Language) matcher support CEL data input and CEL input matcher.

• ratelimit: added new configuration field domain to allow for setting rate limit domains on a per-route basis.

• redis_proxy: added new configuration field key_formatter to format redis key. The field supports using %KEY% as a formatter command for substituting the redis key as part of the substitution formatter expression.

• redis_proxy: added new field connection_rate_limit to limit reconnection rate to redis server to avoid reconnection storm.

• stat_sinks: Added envoy.stat_sinks.open_telemetry stats_sink, that supports flushing metrics by the OTLP protocol, for supported Open Telemetry collectors.

• tls: Added support for hot-reloading CRL file when the file changes on disk. This works with dynamic secrets when CertificateValidationContext is delivered via SDS.

• tls_inspector: added histogram bytes_processed which records the number of bytes of the tls_inspector processed while analyzing for tls usage. In cases where the connection uses tls this records the tls client hello size. In cases where the connection doesn’t use tls this records the amount of bytes the tls_inspector processed until it realized the connection was not using tls.

• upstream: Added cluster provided extension to suppport the load balancer policy.

Deprecated

• access_log: deprecated (1.25.0) intermediate_log_entry in favour of access_log_type.

• health_check: deprecated the HealthCheck event_log_path in favor of HealthCheck event_logger extension.