.. _version_history_1.24.0:

1.24.0 (October 19, 2022)
==========================

Incompatible behavior changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* **build**: official released binary is now built on Ubuntu 20.04, requires glibc >= 2.30.
* **config**: Fixed resource tracking when using the Incremental (Delta-xDS) protocol. The protocol state will be updated after the resources are successfully ingested and an ACK is sent. This behavior change can be reverted by setting the ``envoy.reloadable_features.delta_xds_subscription_state_tracking_fix`` runtime flag to false.
* **gcp_authn**: Add GCP Authentication filter which can be used to fetch authentication tokens from Google Compute Engine (GCE) metadata server.
* **http**: Envoy no longer adds ``content-length: 0`` header when proxying UPGRADE requests without ``content-length`` and ``transfer-encoding`` headers. This behavior change can be reverted by setting the ``envoy.reloadable_features.http_skip_adding_content_length_to_upgrade`` runtime flag to false.
* **http**: For HTTP/2 and HTTP/3 codecs, all clients now continue sending data upstream after receiving an end of the server stream. This supports the server half-close semantics for TCP tunneling with CONNECT as well as bi-directional streaming calls. This behavior change can be reverted by setting the ``envoy.reloadable_features.http_response_half_close`` runtime flag to false.
* **original_dst**: ORIGINAL_DST cluster will not attempt to remove and drain the stale hosts during cleanup if they are still used by the connection pools. For HTTP pools, please set :ref:`idle_timeout ` to limit the duration of the upstream connections (the default value is 1h, and the recommended value is 5min). This behavior change can be reverted by setting runtime guard ``envoy.reloadable_features.original_dst_rely_on_idle_timeout``.
* **stats http local_rate_limit**: Fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from ``envoy_http_local_rate_limit_myprefix_rate_limited{}`` to ``envoy_http_local_rate_limit_rate_limited{envoy_local_http_ratelimit_prefix="myprefix"}``.
* **stats network local_rate_limit**: Fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from ``envoy_local_rate_limit_myprefix_rate_limited{}`` to ``envoy_local_rate_limit_rate_limited{envoy_local_ratelimit_prefix="myprefix"}``.
* **tls**: Change TLS and QUIC transport sockets to support asynchronous cert validation extension. This behavior change can be reverted by setting runtime guard ``envoy.reloadable_features.tls_async_cert_validation`` to false.

Minor behavior changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*

* **cache_filter**: added a completion callback to insertHeaders and insertTrailers in cache interface. Any external cache implementation extensions will need to also add this callback, and call it on completion.
* **dynamic_forward_proxy**: No longer waiting on DNS responses in the dynamic forward proxy filter if upstream proxying is turned on. This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.skip_dns_lookup_for_proxied_requests`` to false.
* **health_check**: support custom health check address via :ref:`health_check_config `.
* **http**: changed shadow requests to more closely behave like the requests they are shadowing. This includes matching the upstream logging for the original request, dynamic stats, suppressing Envoy headers, respecting expected request timeout, suppressing grpc request failure code stats and strict header checks. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.closer_shadow_behavior`` to false.
* **http**: changed the filter callback interfaces to make sure that downstream-only functionality is explicit.
* **http**: the upstream remote address is now available to downstream filters via the ``upstreamRemoteAddress`` function.
* **local_ratelimit**: added :ref:`virtual host level configuration ` support for the local ratelimit filter.
* **logging**: changed the ``UPSTREAM_REMOTE_ADDRESS``, ``UPSTREAM_REMOTE_ADDRESS_WITHOUT_PORT``, and ``UPSTREAM_REMOTE_PORT`` fields to log based on the actual upstream connection rather than the upstream host. This fixes a bug where the address components were not consistently correct for Happy Eyeballs connections and proxied connections, but also means in cases where the host was selected but a connection was not established, the fields will be absent. This change can be temporarily reverted by setting the runtime guard ``envoy.reloadable_features.correct_remote_address`` to false.
* **original_dst**: transparent listener can use original_dst filter without nf_conntrack enabled.
* **prometheus_stats**: removed blank line for being compatible with OpenMetrics.
* **quic**: changed the timing of QUIC connection writing data in response to incoming packets in non-Windows platforms. This change can be reverted by setting runtime guard ``envoy.reloadable_features.quic_defer_send_in_response_to_packet`` to false.
* **resource_monitors**: changed behavior of the fixed heap monitor to count pages allocated to TCMalloc as free memory if it's not used by Envoy. This change can be reverted temporarily by setting the runtime guard ``envoy.reloadable_features.do_not_count_mapped_pages_as_free`` to true.
* **stats**: Default tag extraction rules were changed for ``worker_id`` extraction. Previously, ``worker_`` was removed from the original name during the extraction. This led to the same base stat name for both the per-worker and overall stat.
  For instance, in Prometheus stats, the following stats were produced:

  ::

    envoy_listener_downstream_cx_total{} 2.
    envoy_listener_downstream_cx_total{envoy_worker_id="0"} 1.
    envoy_listener_downstream_cx_total{envoy_worker_id="1"} 1.

  This resulted in ``sum(envoy_listener_downstream_cx_total)`` producing 4, even though there are only 2 connections. The new behavior results in stats such as this:

  ::

    envoy_listener_downstream_cx_total{} 2.
    envoy_listener_worker_downstream_cx_total{envoy_worker_id="0"} 1.
    envoy_listener_worker_downstream_cx_total{envoy_worker_id="1"} 1.

* **udp_proxy**: changed behavior of UDP proxy to connect UDP sockets unless ``use_original_src_ip`` is set. This change can be reverted by setting runtime guard ``envoy.reloadable_features.udp_proxy_connect`` to false.

Bug fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* **grpc_transcoder**: fixed a bug where a request with a wrong binding type is not rejected if the request body is empty.
* **http**: fixed a bug with internal redirects not being performed for drained connections.
* **jwt_authn**: fixed a bug where a negative "exp", "iat", or "nbf" integer in a JWT token was read as a large positive value.
* **listener**: fixed a bug where an update for a listener with an IPv4-mapped address was not handled correctly, leading to a memory leak.
* **logger**: added the %j and %_ format support for fine-grain loggers to make it consistent with default loggers.
* **router**: fixed edge-case interaction between weighted clusters, cluster headers and (request|response)_headers_to_(add|remove).
* **thrift**: fixed the routing decision when thrift filters change the value of the cluster header.
* **tls**: fixed a bug where, when runtime guard ``envoy.reloadable_features.tls_async_cert_validation`` is set to false, the wrong TLS alerts would sometimes be sent in response to certificate validation failures.
* **transport_socket**: fixed a bug that prevented the TCP stats from being retrieved when running on kernels different than the kernel where Envoy was built.
* **upstream**: fixed a bug where custom transport socket hashes might not be respected by wrapper passthrough sockets. This change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.fix_hash_key`` to false.

Removed config or runtime
-------------------------
*Normally occurs at the end of the* :ref:`deprecation period `

* **auto_config**: removed ``envoy.reloadable_features.correctly_validate_alpn`` and legacy code paths.
* **grpc**: removed ``envoy.reloadable_features.enable_grpc_async_client_cache`` and legacy code paths.
* **hcm**: removed ``envoy.reloadable_features.handle_stream_reset_during_hcm_encoding`` and legacy code paths.
* **http**: removed ``envoy.reloadable_features.http2_allow_capacity_increase_by_settings`` and legacy code paths.
* **http**: removed ``envoy.reloadable_features.proxy_120_103`` and legacy code paths.
* **http**: removed ``envoy.reloadable_features.sanitize_http_header_referer`` and legacy code paths.
* **lightstep**: removed the Lightstep tracer integration, making way for the native OpenTelemetry integration.
* **listener**: removed ``envoy.reloadable_features.internal_address`` and legacy code paths.
* **router**: removed ``envoy.reloadable_features.update_expected_rq_timeout_on_retry`` and legacy code paths.
* **tracing**: removed ``envoy.reloadable_features.update_grpc_response_error_tag`` and legacy code paths.

New features
------------
* **access_log**: added downstream handshake timing to connection streamInfo. Can be accessed by custom access loggers.
* **access_log**: added support for number values in substitution format string in json_format.
* **access_log**: log ``duration``, ``upstream_request_attempt_count``, ``connection_termination_details`` and tls ``ja3`` field in the grpc access log and also log the tls ``sni`` and ``ja3`` field in the grpc access log when Envoy is configured as a tls forward proxy.
* **access_log**: updated command operator ``%GRPC_STATUS%`` to support the snake case.
* **admin**: added new :ref:`/heap_dump ` endpoint to dump heap profile of Envoy.
* **build**: official released binary is now built on Ubuntu 20.04, requires glibc >= 2.30.
* **cluster**: added support to override original destination port via setting :ref:`upstream_port_override `.
* **compression**: added support for :ref:`choose_first`.
* **cors**: added support for cors PNA. This behavioral change can be temporarily reverted by setting runtime guard ``envoy_reloadable_features_cors_private_network_access`` to false. For more details, refer to https://developer.chrome.com/blog/private-network-access-preflight.
* **dns_resolver**: added DNS stats for c-ares DNS resolver. Detailed documentation is available :ref:`here `.
* **generic_proxy**: added a new network filter :ref:`generic_proxy filter `.
* **grpc_json_transcoder**: added support for newline-delimited streams in :ref:`stream_newline_delimited `.
* **grpc_json_transcoder**: added support for parsing enum value case insensitively enabled by the config :ref:`case_insensitive_enum_parsing `.
* **grpc_stats**: added support for replacing dots of gRPC service name with underscores in the gRPC stats by the config :ref:`replace_dots_in_grpc_service_name `.
* **gzip**: added support for :ref:`max_inflate_ratio`.
* **header_formatters**: all access log formatters can be used as custom request/response headers. Custom header's syntax is parsed using access logger's parser and header values are obtained using access log's substitution formatters. This feature can be reversed by setting runtime guard ``envoy.reloadable_features.unified_header_formatter`` to false.
* **health check**: added :ref:`method ` support to configure the HTTP method used by HTTP health checks.
* **health check**: added :ref:`thrift health check ` as a :ref:`custom health check `.
* **http**: Added :ref:`HeaderBasedSessionState ` to manage :ref:`StatefulSession State ` via request/response header.
* **http**: added ``envoy.reloadable_features.allow_upstream_filters`` for experimental upstream filters.
* **http**: added default-false ``envoy.reloadable_features.http1_use_balsa_parser`` for experimental BalsaParser.
* **http**: added the expected :ref:`receive ` payload check for HTTP health check. Added :ref:`response_buffer_size ` to configure the maximum HTTP health check response buffer size.
* **http**: made the :ref:`admission control ` work as an upstream filter.
* **listener**: added support for multiple listening addresses in a single listener; see :ref:`listener additional addresses`.
* **listener**: allow network filters other than HTTP Connection Manager to be created for QUIC listeners.
* **listener**: expose the implementation of :ref:`internal listener ` in xDS API.
* **load balancer**: added a new field to subset load balancer config: :ref:`metadata_fallback_policy`.
* **lua**: added an alternative function signature to ``httpCall()`` with ``options`` as an argument. This allows skipping the sampling of the produced trace span by setting ``{["trace_sampled"] = false}`` as the ``options``. It also allows returning multiple header values for the same header name by setting ``{["return_duplicate_headers"] = true}`` as the ``options``.
* **lua**: added new headers method "setHttp1ReasonPhrase" for lua filter, please see :ref:`lua header wrapper `.
* **lua**: added stats for lua filter, please see :ref:`lua filter stats `.
* **ratelimit**: add support for :ref:`adding response headers ` to rate-limited responses.
* **redis**: added support for quit command to the redis proxy.
* **redis**: added support for redis transactions.
* **subset load balancer**: added multiple keys or multiple selectors support for :ref:`single host per subset mode `.
* **tcp_proxy**: added support for propagating the response headers in :ref:`TunnelingConfig ` to the downstream info filter state.
* **thrift**: added stats for downstream connection close to detect SR drop.
* **upstream**: added a filter state object to control the destination address in :ref:`ORIGINAL_DST clusters `.
* **upstream**: added a new field :ref:`extra_source_addresses ` to the BindConfig, which allows specifying multiple source addresses; the source address selection is based on the version of the target host's address.
* **zipkin**: added :ref:`split_spans_for_request ` to make Envoy appear as an independent hop for zipkin tracing.

Deprecated
----------
* **cors**: deprecated :ref:`cors field of virtual host ` and :ref:`cors field of route action `. Please use :ref:`VirtualHost.typed_per_filter_config`, :ref:`Route.typed_per_filter_config` or :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` to configure the CORS HTTP filter by the type :ref:`CorsPolicy in filter `.
* **http**: deprecated :ref:`append `. Please use :ref:`append_action ` first.
* **router**: deprecated :ref:`total weight ` for weighted clusters. The sum of the :ref:`clusters' weights ` will be used as the total weight.
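
Added example (not part of the Envoy release notes): the two ``local_rate_limit`` entries under *Incompatible behavior changes* move ``stat_prefix`` out of the Prometheus metric name and into a tag, so dashboards and alerts that still query the old flat name stop matching after the upgrade. The sketch below rewrites such PromQL selectors; the function name ``migrate_selector``, the sample queries and the ``stat_prefix`` values are assumptions made for the illustration.

```python
import re

# Old metric-name stem -> tag name that carries stat_prefix from 1.24.0 on.
# Both columns are taken from the two local_rate_limit entries in these notes.
RENAMES = {
    "envoy_http_local_rate_limit_": "envoy_local_http_ratelimit_prefix",
    "envoy_local_rate_limit_": "envoy_local_ratelimit_prefix",
}


def migrate_selector(query, stat_prefixes):
    """Rewrite pre-1.24.0 local rate limit metric names inside a PromQL string.

    stat_prefixes lists the stat_prefix values configured on the filters. It is
    required because a flat name such as ..._my_prefix_rate_limited cannot be
    split into prefix and stat without knowing the prefix.
    """
    if not stat_prefixes:
        return query
    # Longest prefix first so "edge_api" wins over "edge".
    alternatives = "|".join(map(re.escape, sorted(stat_prefixes, key=len, reverse=True)))
    for stem, tag in RENAMES.items():
        pattern = re.compile(
            r"(?<![A-Za-z0-9_:])" + re.escape(stem)
            + r"(?P<prefix>" + alternatives + r")_(?P<stat>[A-Za-z0-9_]+)"
            + r"(?:\{(?P<labels>[^}]*)\})?"
        )

        def repl(m, stem=stem, tag=tag):
            labels = ['%s="%s"' % (tag, m.group("prefix"))]
            existing = (m.group("labels") or "").strip()
            if existing:
                labels.append(existing)  # keep matchers the query already had
            return "%s%s{%s}" % (stem, m.group("stat"), ",".join(labels))

        query = pattern.sub(repl, query)
    return query


# Constructed alert expressions; the stat_prefix values "myprefix", "edge" and
# "edge_api" are sample values, not taken from any real deployment.
OLD_QUERIES = [
    "rate(envoy_http_local_rate_limit_myprefix_rate_limited[5m]) > 0",
    'sum(envoy_local_rate_limit_edge_api_rate_limited{job="envoy"})',
]

if __name__ == "__main__":
    for q in OLD_QUERIES:
        print(migrate_selector(q, ["myprefix", "edge", "edge_api"]))
```

Queries that already use the new name are left unchanged, so the rewrite can be run repeatedly over a rules directory.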