1.34.0 (Pending)
Minor behavior changes
Changes that may cause incompatibilities for some users, but should not for most
cel: Support extension regex functions (e.g. re.extract, re.capture, re.captureN) in CEL.
dfp: Setting dns_query_timeout to 0 will disable the Envoy DNS query timeout and use the underlying DNS implementation timeout.
ext_proc: Ignore request_header_mode field of mode_override when comparing the mode_override against allowed_override_modes as request_header mode override is not applicable.
ext_proc: When mode_override headers/trailers modes have the value DEFAULT (unset), no change will be made to the processing mode set in the filter configuration.
http2: Sets runtime guard envoy.reloadable_features.http2_use_oghttp2 to true by default.
Bug fixes
Changes expected to improve the state of the world and are unlikely to have negative effects
dfp: Fixes a bug when loading a DNS cache entry with an empty authority/host header. This fix can be reverted by setting runtime guard envoy.reloadable_features.dfp_fail_on_empty_host_header to false.
listener: Fixed a bug where socket options specified only on an additional address were not applied unless socket_options on the listener is set. Now additional address socket_options are correctly applied even if the listener has no socket options configured.
oauth2: Fixed OAuth2 credential injector to send scope (if specified) to the authorization server when requesting a new access token using the client_credentials flow.
original_src filter: Set IP_BIND_ADDRESS_NO_PORT socket option in the original_src filter to prevent port exhaustion caused by the kernel prematurely reserving ephemeral ports. This behavior change can be reverted by setting runtime guard envoy.reloadable_features.original_src_fix_port_exhaustion to false.
router: Fixed query parameter matcher to properly implement present_match. Previously, the matcher would incorrectly handle present_match configurations by treating them as default present checks. This behavior can be temporarily reverted by setting runtime feature envoy_reloadable_features_enable_new_query_param_present_match_behavior to false.
tcp_proxy: Fixes a bug when TCP is tunneled over HTTP and the upstream connection is closed before response headers are received on the stream. The fix is to run the retry logic in a different event loop iteration to allow cleanup of the closed connection before retrying. This fix can be reverted by setting runtime guard envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop to false.
Removed config or runtime
Normally occurs at the end of the deprecation period
access_log: Removed runtime guard envoy.reloadable_features.upstream_remote_address_use_connection and legacy code paths.
dns: Removed runtime flag envoy.reloadable_features.dns_details and legacy code paths.
http: Removed runtime guard envoy.reloadable_features.consistent_header_validation and legacy code paths.
http: Removed runtime guard envoy.reloadable_features.sanitize_http2_headers_without_nghttp2 and legacy code paths.
local_ratelimit: Removed runtime guard envoy.reloadable_features.no_timer_based_rate_limit_token_bucket and legacy code paths.
runtime: Removed runtime flag envoy.reloadable_features.reject_invalid_yaml and legacy code paths.
thread_local: Removed runtime guard envoy.reloadable_features.allow_slot_destroy_on_worker_threads and legacy code paths.
xds: Removed runtime guard envoy.reloadable_features.xdstp_path_avoid_colon_encoding and legacy code paths.
New features
attributes: Added attribute upstream.locality to obtain upstream locality information.
dfp: Added a feature to disable DNS refresh on failure by setting disable_dns_refresh_on_failure to true. By enabling this feature, the failed hosts will now be treated as a cache miss.
dfp: The DFP cluster will now use the async lookup path to do DNS resolutions for null hosts. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.dfp_cluster_resolves_hosts to false.
dynamic_modules: Added the initial support for shared libraries to be loaded by Envoy at runtime. Please refer to the overview documentation for the feature here.
ext_proc: Added support for a new body mode: FULL_DUPLEX_STREAMED in the ext_proc filter processing_mode.
formatter: Added QUERY_PARAM support for substitution formatter. See access log formatter for more details.
http: Added max_metadata_size to make HTTP/2 metadata limits configurable.
http: Added alpha support for asynchronous load balancing. See load balancing policies overview for more details. Support can be temporarily reverted by setting runtime guard envoy.reloadable_features.async_host_selection to false.
http: Made the credential injector filter work as an upstream filter.
local_rate_limit: Added support for dynamic token buckets in local rate limit filter for http requests.
lua: Added virtualClusterName() API to the Stream Info Object to get the name of the virtual cluster matched.
oauth2: Added the option to specify SameSite cookie attribute values for oauth2 supported cookies. To specify the SameSite attribute, choose one of the values from strict, lax or none. If not specified, a default value of disabled will be assigned and there will be no SameSite value in the cookie attribute. See apply_on_stream_done for more details.
proxy_protocol: Added support for injecting custom Type-Length-Value (TLV) entries into the Proxy Protocol v2 header for upstream transport sockets. Custom TLVs can be defined both in the endpoint host's typed metadata under the envoy.transport_sockets.proxy_protocol namespace and at the configuration level via the ProxyProtocolConfig's added_tlvs field. Host-level TLV definitions override config-level entries when the same type is specified, allowing default TLVs to be set globally, while enabling further per-endpoint customizations.
redis: Added support for multi-key commands on transactions.
resource_monitors: Added support to monitor container CPU utilization in Linux K8s environment using existing extension.
spiffe: Added trust_bundles to the SPIFFE certificate validator configuration. This field allows specifying a SPIFFE trust bundle mapping as a DataSource. If both trust_bundles and trust_domains are specified, trust_bundles takes precedence.
tap: Added a UDP extension for tap custom sink.
tcp_proxy: Added support for backoff_options to configure the backoff strategy for TCP proxy retries.
udp_proxy: Added support for outlier detection in UDP proxy. This change can be temporarily reverted by setting runtime guard envoy.reloadable_features.enable_udp_proxy_outlier_detection to false.
xds: Report locality_stats to the LRS server when rq_issued > 0. This can be disabled by setting runtime guard envoy.reloadable_features.report_load_with_rq_issued to false.
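
Added example, not taken from the Envoy documentation or code base: a small model of the proxy_protocol entry above, showing host-level TLVs overriding config-level TLVs of the same type and the resulting PROXY protocol v2 TLV bytes an upstream would parse. The function names, the sample values, the output ordering and the "last entry wins" handling of duplicates are assumptions made for illustration.

```python
import struct


def merge_tlvs(config_tlvs, host_tlvs):
    """Host-level entries replace config-level entries of the same type."""
    merged = {}
    for tlv_type, value in list(config_tlvs) + list(host_tlvs):
        if not 0 <= tlv_type <= 0xFF:
            raise ValueError(f"TLV type {tlv_type:#x} does not fit in one byte")
        if len(value) > 0xFFFF:
            raise ValueError("TLV value exceeds the 16-bit length field")
        merged[tlv_type] = value  # host entries are processed last, so they win
    # Sorting by type is a choice made here for a stable result (assumption).
    return sorted(merged.items())


def encode_tlvs(tlvs):
    """PROXY v2 TLV wire form: type (1 byte), length (2 bytes, big-endian), value."""
    return b"".join(struct.pack("!BH", t, len(v)) + v for t, v in tlvs)


def decode_tlvs(blob):
    """Parse a TLV region as a receiving upstream would; reject truncated input."""
    out, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 3:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", blob, offset)
        offset += 3
        if len(blob) - offset < length:
            raise ValueError("TLV length runs past end of buffer")
        out.append((tlv_type, blob[offset:offset + length]))
        offset += length
    return out


# Constructed sample values; 0xE0-0xEF is the PROXY protocol spec's custom range.
CONFIG_TLVS = [(0xE0, b"tenant-default"), (0xE1, b"edge-proxy")]  # global defaults
HOST_TLVS = [(0xE0, b"tenant-blue")]                              # per-endpoint override

if __name__ == "__main__":
    wire = encode_tlvs(merge_tlvs(CONFIG_TLVS, HOST_TLVS))
    print(wire.hex())
    print(decode_tlvs(wire))
```

An upstream that makes trust decisions on a custom TLV should check which value it actually receives for each endpoint, since a host-level entry silently replaces the global default of the same type.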