1.14.0 (April 8, 2020)

Changes

  • access log: access logger extensions use the “envoy.access_loggers” name space. A mapping of extension names is available in the deprecated documentation.

  • access log: added support for %DOWNSTREAM_LOCAL_PORT% access log formatters.

  • access log: fixed %DOWSTREAM_DIRECT_REMOTE_ADDRESS% when used with PROXY protocol listener filter.

  • access log: introduced connection-level access loggers.

  • adaptive concurrency: fixed bug that allowed concurrency limits to drop below the configured minimum.

  • adaptive concurrency: minRTT is now triggered when the minimum concurrency is maintained for 5 consecutive sampling intervals.

  • admin: added support for displaying ip address subject alternate names in certs end point.

  • admin: added POST /reopen_logs endpoint to control log rotation.

  • api: froze v2 xDS API. New feature development in the API should occur in v3 xDS. While the v2 xDS API has been deprecated since 1.13.0, it will continue to be supported by Envoy until EOY 2020. See Supported API versions.

  • aws_lambda: added AWS Lambda filter that converts HTTP requests to Lambda invokes. This effectively makes Envoy act as an egress gateway to AWS Lambda.

  • aws_request_signing: a few fixes so that it works with S3.

  • config: added stat update_time.

  • config: use type URL to select an extension whenever the config type URL (or its previous versions) uniquely identify a typed extension, see extension configuration.

  • datasource: added retry policy for remote async data source.

  • dns: added support for dns_failure_refresh_rate for the dns cache to set the DNS refresh rate during failures.

  • dns: the STRICT_DNS cluster now only resolves to 0 hosts if DNS resolution successfully returns 0 hosts.

  • eds: added hostname field for endpoints and hostname field for endpoint’s health check config. This enables auto host rewrite and customizing the host header during health checks for eds endpoints.

  • ext_authz: disabled the use of lowercase string matcher for headers matching in HTTP-based ext_authz. Can be reverted temporarily by setting runtime feature envoy.reloadable_features.ext_authz_http_service_enable_case_sensitive_string_matcher to false.

  • fault: added support for controlling abort faults with HTTP header fault configuration to the HTTP fault filter.

  • grpc-json: added support for building HTTP request into google.api.HttpBody.

  • grpc-stats: added option to limit which messages stats are created for.

  • http: added HTTP/1.1 flood protection. Can be temporarily disabled using the runtime feature envoy.reloadable_features.http1_flood_protection.

  • http: added headers_with_underscores_action setting to control how client requests with header names containing underscore characters are handled. The options are to allow such headers, reject request or drop headers. The default is to allow headers, preserving existing behavior.

  • http: added max_stream_duration to specify the duration of existing streams. See connection and stream timeouts.

  • http: connection header sanitizing has been modified to always sanitize if there is no upgrade, including when an h2c upgrade attempt has been removed.

  • http: fixed a bug that could send extra METADATA frames and underflow memory when encoding METADATA frames on a connection that was dispatching data.

  • http: fixing a bug in HTTP/1.0 responses where Connection: keep-alive was not appended for connections which were kept alive.

  • http: http filter extensions use the “envoy.filters.http” name space. A mapping of extension names is available in the deprecated documentation.

  • http: the runtime feature http.connection_manager.log_flood_exception is removed and replaced with a connection access log response code.

  • http: upgrade parser library, which removes support for “identity” transfer-encoding value.

  • listener filters: listener filter extensions use the “envoy.filters.listener” name space. A mapping of extension names is available in the deprecated documentation.

  • listeners: added listener filter matcher api to disable individual listener filter on matching downstream connections.

  • loadbalancing: added support for using hostname for consistent hash loadbalancing via consistent_hash_lb_config.

  • loadbalancing: added support for retry host predicates in conjunction with consistent hashing load balancers (ring hash and maglev).

  • lua: added a parameter to httpCall that makes it possible to have the call be asynchronous.

  • lua: added moonjit support.

  • mongo: the stat emitted for queries without a max time set in the MongoDB filter was modified to emit correctly for Mongo v3.2+.

  • network filters: added a direct response filter.

  • network filters: network filter extensions use the “envoy.filters.network” name space. A mapping of extension names is available in the deprecated documentation.

  • rbac: added remote_ip and direct_remote_ip for matching downstream remote IP address.

  • rbac: deprecated source_ip with direct_remote_ip and remote_ip.

  • request_id_extension: added an ability to extend request ID handling at HTTP connection manager.

  • retry: added a retry predicate that rejects hosts based on metadata..

  • router: added ability to set attempt count in downstream response, see virtual host’s include response attempt count config.

  • router: added additional stats for virtual clusters.

  • router: added auto_san_validation to support overrriding SAN validation to transport socket for new upstream connections based on the downstream HTTP host/authority header.

  • router: added the ability to match a route based on whether a downstream TLS connection certificate has been validated.

  • router: added support for regex_rewrite for path rewriting using regular expressions and capture groups.

  • router: added support for %DOWNSTREAM_LOCAL_PORT% header formatter.

  • router: don’t ignore per_try_timeout when the global route timeout is disabled.

  • router: strip whitespace for retry_on, grpc-retry-on header and retry-on header.

  • runtime: enabling the runtime feature envoy.deprecated_features.allow_deprecated_extension_names disables the use of deprecated extension names.

  • runtime: integer values may now be parsed as booleans.

  • sds: added GenericSecret to support secret of generic type.

  • sds: added certificate rotation support for certificates in static resources.

  • server: the SIGUSR1 access log reopen warning now is logged at info level.

  • stat sinks: stat sink extensions use the “envoy.stat_sinks” name space. A mapping of extension names is available in the deprecated documentation.

  • thrift_proxy: added router filter stats to docs.

  • tls: added configuration to disable stateless TLS session resumption disable_stateless_session_resumption.

  • tracing: added gRPC service configuration to the OpenCensus Stackdriver and OpenCensus Agent tracers.

  • tracing: tracer extensions use the “envoy.tracers” name space. A mapping of extension names is available in the deprecated documentation.

  • upstream: added upstream_rq_retry_limit_exceeded to cluster, and virtual cluster stats.

  • upstream: changed load distribution algorithm when all priorities enter panic mode.

  • upstream: combined HTTP/1 and HTTP/2 connection pool code. This means that circuit breaker limits for both requests and connections apply to both pool types. Also, HTTP/2 now has the option to limit concurrent requests on a connection, and allow multiple draining connections. The old behavior is deprecated, but can be used during the deprecation period by disabling runtime feature envoy.reloadable_features.new_http1_connection_pool_behavior or envoy.reloadable_features.new_http2_connection_pool_behavior and then re-configure your clusters or restart Envoy. The behavior will not switch until the connection pools are recreated. The new circuit breaker behavior is described here.

  • zlib: by default zlib is initialized to use its default strategy (Z_DEFAULT_STRATEGY) instead of the fixed one (Z_FIXED). The difference is that the use of dynamic Huffman codes is enabled now resulting in better compression ratio for normal data.

Deprecated

  • The previous behavior for upstream connection pool circuit breaking described here has been deprecated in favor of the new behavior described here.

  • Access Logger, Listener Filter, HTTP Filter, Network Filter, Stats Sink, and Tracer names have been deprecated in favor of the extension name from the envoy build system. Disable the runtime feature “envoy.deprecated_features.allow_deprecated_extension_names” to disallow the deprecated names. Use of these extension names generates a log message and increments the “deprecated_feature_use” metric in stats.

    Canonical Names

    Deprecated Names

    envoy.access_loggers.file

    envoy.file_access_log

    envoy.access_loggers.http_grpc

    envoy.http_grpc_access_log

    envoy.access_loggers.tcp_grpc

    envoy.tcp_grpc_access_log

    envoy.filters.http.buffer

    envoy.buffer

    envoy.filters.http.cors

    envoy.cors

    envoy.filters.http.csrf

    envoy.csrf

    envoy.filters.http.dynamo

    envoy.http_dynamo_filter

    envoy.filters.http.ext_authz

    envoy.ext_authz

    envoy.filters.http.fault

    envoy.fault

    envoy.filters.http.grpc_http1_bridge

    envoy.grpc_http1_bridge

    envoy.filters.http.grpc_json_transcoder

    envoy.grpc_json_transcoder

    envoy.filters.http.grpc_web

    envoy.grpc_web

    envoy.filters.http.gzip

    envoy.gzip

    envoy.filters.http.health_check

    envoy.health_check

    envoy.filters.http.ip_tagging

    envoy.ip_tagging

    envoy.filters.http.lua

    envoy.lua

    envoy.filters.http.ratelimit

    envoy.rate_limit

    envoy.filters.http.router

    envoy.router

    envoy.filters.http.squash

    envoy.squash

    envoy.filters.listener.http_inspector

    envoy.listener.http_inspector

    envoy.filters.listener.original_dst

    envoy.listener.original_dst

    envoy.filters.listener.original_src

    envoy.listener.original_src

    envoy.filters.listener.proxy_protocol

    envoy.listener.proxy_protocol

    envoy.filters.listener.tls_inspector

    envoy.listener.tls_inspector

    envoy.filters.network.client_ssl_auth

    envoy.client_ssl_auth

    envoy.filters.network.echo

    envoy.echo

    envoy.filters.network.ext_authz

    envoy.ext_authz

    envoy.filters.network.http_connection_manager

    envoy.http_connection_manager

    envoy.filters.network.mongo_proxy

    envoy.mongo_proxy

    envoy.filters.network.ratelimit

    envoy.ratelimit

    envoy.filters.network.redis_proxy

    envoy.redis_proxy

    envoy.filters.network.tcp_proxy

    envoy.tcp_proxy

    envoy.stat_sinks.dog_statsd

    envoy.dog_statsd

    envoy.stat_sinks.metrics_service

    envoy.metrics_service

    envoy.stat_sinks.statsd

    envoy.statsd

    envoy.tracers.dynamic_ot

    envoy.dynamic.ot

    envoy.tracers.lightstep

    envoy.lightstep

    envoy.tracers.zipkin

    envoy.zipkin

    Note

    Some renamed filters produce metadata using their filter name as the metadata namespace:

    • Mongo Proxy Filter

    • Zookeeper Filter

    The metadata generated by these filters may be consumed by the following extensions, whose configurations may need to be adjusted to use the new names.

    • Access Loggers

    • HTTP and Network Ext Authz filters

    • HTTP and Network RBAC filters

    • Tracers

  • The previous behavior of auto ignoring case in headers matching: allowed_headers, allowed_upstream_headers, and allowed_client_headers of HTTP-based ext_authz has been deprecated in favor of explicitly setting the ignore_case field.

  • The header_fields, custom_header_fields, and additional_headers fields for the route checker tool have been deprecated in favor of request_header_fields, response_header_fields, additional_request_headers, and additional_response_headers.

  • The content_length, content_type, disable_on_etag_header and remove_accept_encoding_header fields in HTTP Gzip filter config have been deprecated in favor of compressor.

  • The statistics counter header_gzip in HTTP Gzip filter has been deprecated in favor of header_compressor_used.

  • Support for the undocumented HTTP/1.1 :no-chunks pseudo-header has been removed. If an extension was using this it can achieve the same behavior via the new http1StreamEncoderOptions() API.

  • The grpc_stats filter behavior of by default creating a new stat for every message type seen is deprecated. The default will switch to only creating a fixed set of stats. The previous behavior can be enabled by enabling stats_for_all_methods, and the previous default can be enabled until the end of the deprecation period by enabling runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default.

  • The source_ip field in RBAC has been deprecated in favor of direct_remote_ip and remote_ip.