1.35.0 (Pending)
Incompatible behavior changes
Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required
aws_iam: As announced in November 2024 (see https://github.com/envoyproxy/envoy/issues/37621), the grpc_credentials/aws_iam extension is being deleted. Any configuration referencing this extension will fail to load.
Minor behavior changes
Changes that may cause incompatibilities for some users, but should not for most
cel: Precompile regexes in CEL expressions. This can be disabled by setting the runtime guard envoy.reloadable_features.enable_cel_regex_precompilation to false.
grpc-json: Make the gRPC JSON transcoder filter’s JSON print options configurable.
lua: The metadata() of the lua filter now searches the metadata by the filter config name first. If not found, it searches by the canonical name of the filter, envoy.filters.http.lua.
oauth2: Reset CSRF token when token validation fails during redirection. If the CSRF token cookie is present during the redirection to the authorization server, it will be validated. Previously, if this validation failed, the OAuth flow would fail. Now the CSRF token will simply be reset. This fixes the case where an HMAC secret change causes a redirect flow, but the CSRF token cookie hasn’t yet expired, causing a CSRF token validation failure.
Removed config or runtime
Normally occurs at the end of the deprecation period
access_log: Removed runtime guard envoy.reloadable_features.sanitize_sni_in_access_log and legacy code paths.
ext_proc: Removed runtime guard envoy.reloadable_features.ext_proc_timeout_error and legacy code paths.
http: Removed runtime guard envoy.reloadable_features.internal_authority_header_validator and legacy code paths.
http: Removed runtime guard envoy_reloadable_features_filter_access_loggers_first and legacy code paths.
http2: Removed runtime guard envoy.reloadable_features.http2_no_protocol_error_upon_clean_close and legacy code paths.
lua: Removed runtime guard envoy.reloadable_features.lua_flow_control_while_http_call and legacy code paths.
quic: Removed runtime guard envoy.reloadable_features.extend_h3_accept_untrusted and legacy code paths.
quic: Removed runtime guard envoy.reloadable_features.quic_connect_client_udp_sockets and legacy code paths.
quic: Removed runtime guard envoy.reloadable_features.quic_support_certificate_compression and legacy code paths.
runtime: Removed runtime guard envoy_reloadable_features_boolean_to_string_fix and legacy code paths.
sni: Removed runtime guard envoy.reloadable_features.use_route_host_mutation_for_auto_sni_san and legacy code paths.
tcp_proxy: Removed runtime guard envoy.reloadable_features.tcp_tunneling_send_downstream_fin_on_upstream_trailers and legacy code paths.
websocket: Removed runtime guard envoy.reloadable_features.switch_protocol_websocket_handshake and legacy code paths.
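A pre-upgrade check for the guards listed above, as an added example that is not part of the Envoy project or these release notes: it scans bootstrap or runtime-layer text for references to the removed guards so that stale overrides can be cleaned up before moving to 1.35.0. The function name, the sample bootstrap and the choice to accept both the dotted and the underscore spelling of a guard are assumptions made for illustration.

```python
import re

# Guards listed under "Removed config or runtime" for 1.35.0, stored by the
# suffix that follows the envoy.reloadable_features prefix.
REMOVED_GUARDS = {
    "sanitize_sni_in_access_log",
    "ext_proc_timeout_error",
    "internal_authority_header_validator",
    "filter_access_loggers_first",
    "http2_no_protocol_error_upon_clean_close",
    "lua_flow_control_while_http_call",
    "extend_h3_accept_untrusted",
    "quic_connect_client_udp_sockets",
    "quic_support_certificate_compression",
    "boolean_to_string_fix",
    "use_route_host_mutation_for_auto_sni_san",
    "tcp_tunneling_send_downstream_fin_on_upstream_trailers",
    "switch_protocol_websocket_handshake",
}

# The notes spell most guards with dots and two with underscores; matching
# either separator is an assumption of this scan, not documented behaviour.
GUARD_RE = re.compile(r"envoy[._]reloadable_features[._]([a-z0-9_]+)")


def find_removed_guards(config_text):
    """Return (line_number, guard_suffix) pairs for removed guards in the text."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip commented-out overrides
            continue
        for match in GUARD_RE.finditer(line):
            if match.group(1) in REMOVED_GUARDS:
                hits.append((lineno, match.group(1)))
    return hits


# Constructed sample: a static runtime layer with two stale overrides, one
# guard that still exists in 1.35.0, and one commented-out line.
SAMPLE_BOOTSTRAP = """\
layered_runtime:
  layers:
  - name: static_layer
    static_layer:
      envoy.reloadable_features.sanitize_sni_in_access_log: false
      envoy_reloadable_features_boolean_to_string_fix: false
      envoy.reloadable_features.enable_cel_regex_precompilation: false
      # envoy.reloadable_features.ext_proc_timeout_error: false
"""

if __name__ == "__main__":
    for lineno, guard in find_removed_guards(SAMPLE_BOOTSTRAP):
        print(f"line {lineno}: override of removed guard {guard}")
```

Overrides that pinned a guard to false deserve a closer look than the rest, since the legacy code path they selected no longer exists after the upgrade.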
New features
ext_authz: Added grpc_status to ExtAuthzLoggingInfo in ext_authz http filter.