1.34.0 (Pending)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • cel: Support extension regex functions (e.g. re.extract, re.capture, re.captureN) in CEL.

  • dfp: Setting dns_query_timeout to 0 will disable the Envoy DNS query timeout and use the underlying DNS implementation's timeout.

  • ext_proc: Ignore the request_header_mode field of mode_override when comparing the mode_override against allowed_override_modes, because a request_header mode override is not applicable.

  • ext_proc: When mode_override headers/trailers modes have the value DEFAULT (unset), no change will be made to the processing mode set in the filter configuration.

  • http2: Sets runtime guard envoy.reloadable_features.http2_use_oghttp2 to true by default.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • dfp: Fixes a bug when loading a DNS cache entry with an empty authority/host header. This fix can be reverted by setting runtime guard envoy.reloadable_features.dfp_fail_on_empty_host_header to false.

  • listener: Fixed a bug where socket options specified only on an additional address were not applied unless socket_options on the listener is set. Now additional address socket_options are correctly applied even if the listener has no socket options configured.

  • oauth2: Fixed OAuth2 credential injector to send scope (if specified) to authorization server when requesting new access token using client_credentials flow.

  • original_src filter: Set IP_BIND_ADDRESS_NO_PORT socket option in the original_src filter to prevent port exhaustion caused by the kernel prematurely reserving ephemeral ports. This behavior change can be reverted by setting runtime guard envoy.reloadable_features.original_src_fix_port_exhaustion to false.

  • router: Fixed the query parameter matcher to properly implement present_match. Previously, the matcher incorrectly handled present_match configurations by treating them all as a default "parameter is present" check, regardless of the configured value. This behavior can be temporarily reverted by setting runtime feature envoy_reloadable_features_enable_new_query_param_present_match_behavior to false.
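An added illustration (not Envoy's code) of the present_match semantics this fix restores, with the old behaviour beside the corrected one; the matcher shape is a simplified, constructed stand-in for Envoy's QueryParameterMatcher and the sample queries are made up.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs


def parse_query(query: str) -> Dict[str, List[str]]:
    # keep_blank_values so that "?debug" (no '=') still counts as present
    return parse_qs(query, keep_blank_values=True)


def present_match_buggy(query: str, name: str, present_match: bool) -> bool:
    """Old behaviour: any present_match config became a plain presence check,
    so present_match=False still matched when the parameter was present."""
    return name in parse_query(query)


def present_match_fixed(query: str, name: str, present_match: bool) -> bool:
    """Corrected behaviour: present_match=True requires the parameter,
    present_match=False requires its absence."""
    return (name in parse_query(query)) == present_match


def route_matches(query: str, matchers: List[dict], fixed: bool = True) -> bool:
    """Evaluate a list of constructed matcher dicts; all must match (AND), as for
    route-level query_parameters. Supports 'present_match' and an exact 'value'."""
    params = parse_query(query)
    for m in matchers:
        name = m["name"]
        if "present_match" in m:
            fn = present_match_fixed if fixed else present_match_buggy
            if not fn(query, name, m["present_match"]):
                return False
        elif "value" in m:
            if m["value"] not in params.get(name, []):
                return False
    return True
```

The `fixed=False` path exists only to show why a route meant to exclude a parameter (present_match: false) used to match anyway.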

  • tcp_proxy: Fixes a bug when TCP is tunneled over HTTP and the upstream connection is closed before response headers are received by the stream. The fix is to run the retry logic in a different event loop iteration to allow cleanup of the closed connection before retrying. This fix can be reverted by setting runtime guard envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop to false.

Removed config or runtime

Normally occurs at the end of the deprecation period

  • access_log: Removed runtime guard envoy.reloadable_features.upstream_remote_address_use_connection and legacy code paths.

  • dns: Removed runtime flag envoy.reloadable_features.dns_details and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.consistent_header_validation and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.sanitize_http2_headers_without_nghttp2 and legacy code paths.

  • local_ratelimit: Removed runtime guard envoy.reloadable_features.no_timer_based_rate_limit_token_bucket and legacy code paths.

  • runtime: Removed runtime flag envoy.reloadable_features.reject_invalid_yaml and legacy code paths.

  • thread_local: Removed runtime guard envoy.reloadable_features.allow_slot_destroy_on_worker_threads and legacy code paths.

  • xds: Removed runtime guard envoy.reloadable_features.xdstp_path_avoid_colon_encoding and legacy code paths.

New features

  • attributes: Added attribute upstream.locality to obtain upstream locality information.

  • dfp: Added a feature to disable DNS refresh on failure by setting disable_dns_refresh_on_failure to true. When this feature is enabled, failed hosts are treated as a cache miss.

  • dfp: The DFP cluster will now use the async lookup path to do DNS resolutions for null hosts. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.dfp_cluster_resolves_hosts to false.

  • dynamic_modules: Added the initial support for shared libraries to be loaded by Envoy at runtime. Please refer to the overview documentation for the feature.

  • ext_proc: Added support for a new body mode, FULL_DUPLEX_STREAMED, in the ext_proc filter processing_mode.

  • formatter: Added QUERY_PARAM support for substitution formatter. See access log formatter for more details.

  • http: Added max_metadata_size to make HTTP/2 metadata limits configurable.

  • http: Added alpha support for asynchronous load balancing. See load balancing policies overview for more details. Support can be temporarily reverted by setting runtime guard envoy.reloadable_features.async_host_selection to false.

  • http: Made the credential injector filter work as an upstream filter.

  • local_rate_limit: Added support for dynamic token buckets in local rate limit filter for http requests.

  • lua: Added virtualClusterName() API to the Stream Info Object to get the name of the virtual cluster matched.

  • oauth2: Added the option to specify SameSite cookie attribute values for the cookies supported by the oauth2 filter. To specify the SameSite attribute, choose one of the values strict, lax or none. If not specified, the default value disabled is assigned and no SameSite value is written into the cookie attributes. See apply_on_stream_done for more details.

  • proxy_protocol: Added support for injecting custom Type-Length-Value (TLV) entries into the Proxy Protocol v2 header for upstream transport sockets. Custom TLVs can be defined both in the endpoint host's typed metadata under the envoy.transport_sockets.proxy_protocol namespace and at the configuration level via the ProxyProtocolConfig's added_tlvs field. Host-level TLV definitions override config-level entries when the same type is specified, so default TLVs can be set globally while still allowing per-endpoint customization.
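An added example (not Envoy's code) showing the host-over-config precedence described above and how the merged TLVs are laid out in a PROXY protocol v2 header, with a decoder a receiving side could use to check what arrived; the TLV types 0xE0/0xE1, their values and the addresses are constructed sample data.

```python
import socket
import struct
from typing import Dict, List, Tuple

TLV = Tuple[int, bytes]  # (type, value)

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 signature
PP2_VERSION_CMD_PROXY = 0x21                # version 2, PROXY command
PP2_FAMILY_INET_STREAM = 0x11               # AF_INET + SOCK_STREAM
# 0xE0-0xEF is the custom/vendor TLV range reserved by the PROXY protocol spec.
PP2_TYPE_MIN_CUSTOM, PP2_TYPE_MAX_CUSTOM = 0xE0, 0xEF


def merge_tlvs(config_tlvs: List[TLV], host_tlvs: List[TLV]) -> List[TLV]:
    """Config-level entries are the defaults; a host-level entry with the same
    type replaces the default's value, and new host-level types are appended."""
    merged: Dict[int, bytes] = {t: v for t, v in config_tlvs}
    merged.update(host_tlvs)  # same type -> host value wins (insertion order kept)
    return list(merged.items())


def encode_pp2_header(src: Tuple[str, int], dst: Tuple[str, int], tlvs: List[TLV]) -> bytes:
    """Build an IPv4/TCP PROXY v2 header: signature, ver/cmd, family, length, addresses, TLVs."""
    body = socket.inet_aton(src[0]) + socket.inet_aton(dst[0]) + struct.pack("!HH", src[1], dst[1])
    for t, v in tlvs:
        if not PP2_TYPE_MIN_CUSTOM <= t <= PP2_TYPE_MAX_CUSTOM:
            raise ValueError(f"TLV type {t:#x} outside custom range")
        if len(v) > 0xFFFF:
            raise ValueError("TLV value too long for 16-bit length")
        body += struct.pack("!BH", t, len(v)) + v
    return PP2_SIGNATURE + bytes([PP2_VERSION_CMD_PROXY, PP2_FAMILY_INET_STREAM]) + struct.pack("!H", len(body)) + body


def parse_pp2_tlvs(header: bytes) -> Dict[int, bytes]:
    """Receiver-side check: validate the fixed part and return the TLVs that were sent."""
    if header[:12] != PP2_SIGNATURE or header[12] != PP2_VERSION_CMD_PROXY:
        raise ValueError("not a PROXY v2 PROXY header")
    if header[13] != PP2_FAMILY_INET_STREAM:
        raise ValueError("only IPv4/TCP handled in this example")
    length = struct.unpack("!H", header[14:16])[0]
    body = header[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated header")
    tlvs: Dict[int, bytes] = {}
    off = 12  # skip 4+4 address bytes and 2+2 port bytes
    while off < len(body):
        t, l = struct.unpack("!BH", body[off:off + 3])
        tlvs[t] = body[off + 3:off + 3 + l]
        off += 3 + l
    return tlvs
```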

  • redis: Added support for multi-key commands on transactions.

  • resource_monitors: Added support for monitoring container CPU utilization in a Linux Kubernetes (K8s) environment using the existing extension.

  • spiffe: Added trust_bundles to the SPIFFE certificate validator configuration. This field allows specifying a SPIFFE trust bundle mapping as a DataSource. If both trust_bundles and trust_domains are specified, trust_bundles takes precedence.

  • tap: Added a UDP extension for the tap custom sink.

  • tcp_proxy: Added support for backoff_options to configure the backoff strategy for TCP proxy retries.

  • udp_proxy: Added support for outlier detection in UDP proxy. This change can be temporarily reverted by setting runtime guard envoy.reloadable_features.enable_udp_proxy_outlier_detection to false.

  • xds: Report locality_stats to the LRS server when rq_issued > 0. This can be disabled by setting runtime guard envoy.reloadable_features.report_load_with_rq_issued to false.