.. _version_history_1.29.0:

1.29.0 (January 16, 2024)
=========================

Incompatible behavior changes
-----------------------------

*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* **access_log**: Added ``issuer`` in ``certificate_properties`` to the gRPC access log service (ALS).
* **grpc reverse bridge**: Handle empty response bodies in ``grpc_http1_reverse_bridge``. This may cause problems for clients expecting the filter to crash for empty responses. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.grpc_http1_reverse_bridge_handle_empty_response`` to ``false``.
* **http**: Flipped runtime flag ``envoy.reloadable_features.no_downgrade_to_canonical_name`` to ``true``. Name downgrading in the per-filter config search is now disabled by default. This behavior can be temporarily reverted by setting the flag to ``false`` explicitly. See doc :ref:`Http filter route specific config ` or issue https://github.com/envoyproxy/envoy/issues/29461 for more detail and examples.
* **http**: Remove the hop-by-hop ``TE`` header from downstream request headers. This change can be temporarily reverted by setting ``envoy.reloadable_features.sanitize_te`` to ``false``.
* **http2**: Changed the default value of ``envoy.reloadable_features.http2_use_oghttp2`` to ``true``. This changes the codec used for HTTP/2 requests and responses. This behavior can be reverted by setting the feature to ``false``.
* **http2**: Discard the ``Host`` header if the ``:authority`` header was received, to bring Envoy into compliance with https://www.rfc-editor.org/rfc/rfc9113#section-8.3.1. This behavioral change can be reverted by setting runtime flag ``envoy.reloadable_features.http2_discard_host_header`` to ``false``.
* **listener**: Undeprecated runtime key ``overload.global_downstream_max_connections`` until the :ref:`downstream connections monitor ` extension becomes stable.
* **stats connection_limit**: Fixed tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from ``envoy_connection_limit_myprefix_limited_connections{}`` to ``envoy_connection_limit_limited_connections{envoy_connection_limit_prefix="myprefix"}``.
* **stats dns_filter**: Fixed tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from ``dns_filter_myprefix_local_a_record_answers{}`` to ``dns_filter_local_a_record_answers{envoy.dns_filter_prefix="myprefix"}``.
* **stats rbac**: Fixed tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from ``envoy_myprefixrbac_allowed{}`` to ``envoy_rbac_allowed{envoy_rbac_prefix="myprefix"}``.

Minor behavior changes
----------------------

*Changes that may cause incompatibilities for some users, but should not for most*

* **admin**: Switched the "no admin" log message from ``warning`` to ``info``.
* **aws**: Added support for using the HTTP async client to fetch credentials from the EC2 instance metadata and ECS task metadata providers instead of libcurl, which is deprecated. This behavior is disabled by default. To enable it, set ``envoy.reloadable_features.use_http_client_to_fetch_aws_credentials`` to ``true``.
* **config parsing, http cache filter**: Replaced Protobuf hashing via a human-readable string with a dedicated deterministic hashing algorithm. The performance of the hash operation is improved by ``2-10x`` depending on the structure of the message, which is expected to reduce config update time or startup time by 10-25%. The new algorithm is also used for ``http_cache_filter`` hashing, which will effectively cause a one-time cache flush on update for users with a persistent cache. To enable this behavior, set ``envoy.restart_features.use_fast_protobuf_hash`` to ``true``.
* **generic_proxy**: Update the stats prefix of generic proxy from ```` to ``generic_proxy.``.
* **golang**: Removed the ``Protocol`` method from ``RequestHeaderMap``. To get the protocol, use ``GetProperty("request.protocol")`` instead.
* **header_mutation**: If per-route configuration is set at multiple levels (route, virtual host, and route table), the mutations of all specified levels are applied. The default order is from least to most specific level (i.e. the most specific level wins).
* **http2**: Flipped the runtime guard ``envoy.reloadable_features.defer_processing_backedup_streams`` to be on by default. This feature improves flow control within the proxy by deferring work on the receiving end if the other end is backed up.
* **local_rate_limit**: Added new configuration field :ref:`rate_limited_as_resource_exhausted ` to allow setting whether the rate limit gRPC response should be ``RESOURCE_EXHAUSTED`` instead of the default ``UNAVAILABLE``.

Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*

* **DNS**: Fixed a race condition where, when multiple requests with the same authority header were sent to Envoy, some requests could receive a ``503`` response with ``no_healthy_upstream`` from Envoy. The fix is guarded by runtime guard ``envoy.reloadable_features.dns_cache_set_first_resolve_complete``, which defaults to ``true``.
* **access log**: Fixed a bug where the ``omit_empty_values`` field was not honored for access logs specifying formats via ``text_format_source``.
* **aws**: The default credentials file location relied on incorrect ``~`` expansion. It now resolves to the correct path using the ``HOME`` environment variable if the credentials file location is not explicitly specified.
* **buffer**: Fixed a bug (https://github.com/envoyproxy/envoy/issues/28760) where the internal listener caused undefined behavior due to an unintended release of buffer memory.
* **docker**: Updated base image to ``ubuntu:22.04`` to fix a Redis memory issue (https://github.com/envoyproxy/envoy/issues/31248).
* **dynamic_forward_proxy**: Fixed a bug where the pre-resolved hostnames specified in the Dynamic Forward Proxy cluster config did not use the normalized hostname as the DNS cache key, which is the key used for retrieval. This caused cache misses on initial use even though the host DNS entry was pre-resolved. The fix is guarded by runtime guard ``envoy.reloadable_features.normalize_host_for_preresolve_dfp_dns``, which defaults to ``true``.
* **ext_authz**: Fixed a bug to ensure the proper functioning of the ``with_request_body`` feature within the per-route ExtAuthZ filter.
* **ext_proc**: Fixed ``content_length`` related issues when body mutation by the external processor is enabled. The ``ext_proc`` filter removes the content length header in 1) ``STREAMED BodySendMode``, 2) ``BUFFERED_PARTIAL BodySendMode`` and 3) ``BUFFERED BodySendMode + SKIP HeaderSendMode``. This enables chunked encoding whenever feasible in HTTP/1.1. The ``ext_proc`` filter keeps the content length header in ``BUFFERED BodySendMode + SEND HeaderSendMode``; it is then the external processor's responsibility to set a content length that matches the mutated body. If the two do not match, the mutation is rejected and a local reply with an error status is returned.
* **grpc**: Fixed a bug in the gRPC async client cache which intermittently caused CPU spikes due to a busy loop in timer expiration.
* **oauth**: Added the :ref:`default_expires_in ` configuration setting. The OAuth spec does not require an authorization server to respond with an expiry, and Envoy previously failed any OAuth flow in which the expiry was not set. This setting lets you provide a default for that case so the OAuth flow can succeed.
* **otlp_stat_sink**: Fixed a bug where histogram bucket counts were wrong. Additionally, the number of buckets is fixed and is now one element larger than the explicit bounds elements, as required by the specification.
* **quic**: Fixed a bug in the QUIC and HCM interaction which could cause a ``use-after-free`` during asynchronous certificate retrieval. The fix is guarded by runtime guard ``envoy.reloadable_features.quic_fix_filter_manager_uaf``.
* **quic**: Fixed a bug in QUIC upstream port migration which could cause a use-after-free upon STATELESS_RESET packets.
* **redis**: Fixed a bug causing a crash if an incoming Redis key did not match any ``prefix_route`` and ``catch_all_route`` was not defined.
* **tracing**: Fixed a bug that caused the Datadog tracing extension to drop traces that should have been kept on account of an extracted sampling decision.
* **tracing**: Fixed a bug where Datadog spans tagged as errors did not have the appropriate error property set.
* **tracing**: Fixed a bug where child spans produced by the Datadog tracer had an incorrect operation name.
* **upstream**: Fixed a bug where the subset load balancer was always used even if the subset load balancer config did not contain any subset selector.
* **upstream**: Fixed a bug with upstream auto-config with HTTP/3 where certain network configurations resulted in zombie streams left in the grid. Guarded by ``envoy.reloadable_features.avoid_zombie_streams``.
* **xds**: Fixed a bug (https://github.com/envoyproxy/envoy/issues/27702) that caused ADS initialization to fail on the first attempt and set a back-off retry interval of up to 1 second if ADS used an Envoy cluster for the backend. ADS initialization now happens after the Envoy cluster it depends upon has been properly initialized. ADS that does not depend on an Envoy cluster (i.e. GoogleGrpc) is not affected by this change.

Removed config or runtime
-------------------------

*Normally occurs at the end of the* :ref:`deprecation period `

* **access log**: Removed the deprecated ``envoy.reloadable_features.format_ports_as_numbers`` runtime flag and legacy code path.
* **grpc**: Removed the deprecated ``envoy.reloadable_features.service_sanitize_non_utf8_strings`` runtime flag and legacy code path.
* **http**: Removed ``envoy.reloadable_features.expand_agnostic_stream_lifetime`` and legacy code paths.
* **http**: Removed ``envoy.reloadable_features.sanitize_original_path`` and legacy code paths.
* **maglev**: Removed ``envoy.reloadable_features.allow_compact_maglev`` and legacy code paths.
* **router**: Removed the deprecated ``envoy.reloadable_features.ignore_optional_option_from_hcm_for_route_config`` runtime flag and legacy code path.
* **router**: Removed the deprecated ``envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent`` runtime flag and legacy code path.
* **upstream**: Removed the deprecated ``envoy.reloadable_features.validate_detailed_override_host_statuses`` runtime flag and legacy code path.

New features
------------

* **CEL-attributes**: Added :ref:`attribute ` ``connection.transport_failure_reason`` for looking up the connection transport failure reason.
* **access_log**: Added new access log command operator ``%EMIT_TIME%`` to get the time when the log entry is emitted.
* **access_log**: Added support for the ``%CONNECTION_ID%`` command operator in the UDP session access log.
* **access_log**: Added support for listener metadata in the ``%METADATA%`` formatter.
* **attributes**: Added support for listener metadata and listener direction in xDS attributes.
* **attributes**: Added support for node data in the ``%CEL%`` formatter.
* **aws**: Added support in the AWS common utility for fetching metadata credentials from AWS STS using ``WebIdentityToken``. To enable it, set ``envoy.reloadable_features.use_http_client_to_fetch_aws_credentials`` to ``true`` so that the web identity credentials provider can use the HTTP async client to fetch credentials. The web identity credentials provider cannot use the current default libcurl credentials fetcher, which is under deprecation and will soon be removed. The web identity credentials provider is not compatible with the :ref:`Grpc Credentials AWS IAM ` plugin, which only supports the deprecated libcurl credentials fetcher; see https://github.com/envoyproxy/envoy/pull/30626.
* **aws_request_signing**: Added support for specifying the AWS signing algorithm, either ``AWS_SIGV4`` or ``AWS_SIGV4A``, via the :ref:`signing_algorithm ` config API.
* **composite filter**: Added :ref:`ExtensionConfiguration discovery service` support for the :ref:`composite filter `.
* **composite filter**: Added the composite filter's matched action name to filter state with key ``envoy.extensions.filters.http.composite.matched_actions``.
* **compression**: Added the qatzip :ref:`compressor `.
* **ext_authz**: Forward :ref:`filter_metadata ` selected by :ref:`route_metadata_context_namespaces ` and :ref:`typed_filter_metadata ` selected by :ref:`route_typed_metadata_context_namespaces ` from the metadata of the selected route to the external auth service. This metadata propagation is independent of the dynamic metadata from the connection and request.
* **ext_authz**: New config parameter :ref:`charge_cluster_response_stats ` to skip incrementing cluster statistics on the ext_authz response. Defaults to ``true``; no behavior change.
* **ext_authz_filter**: Added :ref:`with_request_body ` to optionally override the default behavior of sending the request body to the authorization server from the per-route filter.
* **filter state**: Added the config name of the filter sending a local reply to filter state with key ``envoy.filters.network.http_connection_manager.local_reply_owner``. See :ref:`the well-known filter state keys ` for more detail.
* **filters**: Added :ref:`the Basic Auth filter `, which can be used to authenticate user credentials in the HTTP ``Authorization`` header as defined in `RFC7617 `_.
* **grpc async client**: Added :ref:`max_cached_entry_idle_duration ` to control the eviction time of cached gRPC clients.
* **grpc_http_bridge**: Added the :ref:`ignore_query_parameters ` option for automatically stripping query parameters from the request URL path.
* **internal_redirects**: Added support for copying headers from the redirect response to the triggered request. See :ref:`response_headers_to_copy`.
* **jwt**: The JWT authentication filter supports re-selecting the route when either the headers or the dynamic metadata are modified.
* **jwt**: The JWT filter can now serialize non-primitive custom claims when mapping claims to headers. These claims are serialized as JSON and encoded as Base64.
* **lua**: Added a Lua extension of the router cluster specifier plugin to support selecting the cluster dynamically from Lua code.
* **ratelimit**: Ratelimit supports an optional additional prefix to use when emitting statistics via the :ref:`stat_prefix ` configuration flag.
* **ratelimit**: Ratelimit supports setting the HTTP status returned to the client when the ratelimit server returns an error or cannot be reached, via the :ref:`status_on_error ` configuration flag.
* **rbac filter**: Allow-listed ``HttpAttributesCelMatchInput`` for use with the xDS matcher in the RBAC filter.
* **redis**: Added support for the ``getdel`` command.
* **redis**: Added support for the ``watch`` command (aborts multi transactions if watched keys change).
* **set_metadata**: Added support for injecting typed and untyped dynamic metadata with this filter; it also adds the ability to set multiple namespaces with one filter. Overwriting existing metadata is opt-in. :ref:`untyped_metadata ` may now be used to configure the ``set_metadata`` filter.
* **stateful_session**: Added :ref:`strict mode ` to cookie and header based stateful sessions. If the destination encoded in the :ref:`cookie ` or in the :ref:`specified header ` respectively is not available, Envoy returns ``503`` instead of selecting another destination from the cluster.
* **stats**: Added :ref:`per_endpoint_stats ` to get some metrics for each endpoint in a cluster.
* **stream info**: Added the time spent reading request headers to ``DownstreamTiming``.
* **tcp_proxy**: Added support to TCP Proxy for recording, in ``UpstreamTiming``, the latency from when the first connection to the upstream cluster was attempted to when either the connection was successfully established or the filter failed to establish any connection to the upstream.
* **tracing**: Added support for configuring resource detectors on the OpenTelemetry tracer.
* **tracing**: Added support for configuring a Dynatrace resource detector for the OpenTelemetry tracer.
* **tracing**: Added support for configuring a sampler for the OpenTelemetry tracer.
* **tracing**: Provide initial span attributes to a sampler used in the OpenTelemetry tracer.
* **udp_proxy**: Added :ref:`access log options ` to allow recording an access log entry periodically for the UDP session, and to allow recording an access log entry when the connection tunnel to the upstream is created successfully if UDP tunneling is configured.
* **udp_proxy**: Added support for propagating the response headers in :ref:`UdpTunnelingConfig ` and response trailers in :ref:`UdpTunnelingConfig ` to the downstream info filter state.
* **upstream**: Implemented API :ref:`drop_overloads`, which can be used to drop a certain percentage of traffic from Envoy.
* **zookeeper**: Added support for emitting per-opcode decoder error metrics via :ref:`enable_per_opcode_decoder_error_metrics `.

Deprecated
----------

* **set_metadata**: :ref:`metadata_namespace ` and :ref:`value ` are deprecated. Please use the new field :ref:`untyped_metadata ` to configure static metadata to inject.
* **wasm**: Wasm-specific configuration attributes are deprecated in favor of ``xds`` attributes.
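The new Basic Auth filter listed above checks RFC 7617 credentials against an htpasswd-style user list. The following is an added worked example, not Envoy project code, showing what that check involves end to end: producing htpasswd ``{SHA}`` entries (the ``htpasswd -s`` form, assumed here as the on-disk format), parsing the ``Authorization: Basic`` header per RFC 7617 (case-insensitive scheme, base64 token split at the first colon so passwords may contain colons), and verifying with a constant-time digest comparison that also runs for unknown users so timing does not reveal which user-ids exist. The sample user list and header values are constructed for the example.

```python
"""Added example (not Envoy code): RFC 7617 Basic credential handling
against htpasswd-style '{SHA}' entries, with the failure modes handled."""
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def htpasswd_sha_line(user: str, password: str) -> str:
    """Build a 'user:{SHA}<base64(sha1(password))>' line (what `htpasswd -s` emits).
    SHA-1 is used only because that is the format being emulated; it is an
    unsalted fast hash, so protect the file like a secret."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617 section 2)")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def load_htpasswd(text: str) -> Dict[str, bytes]:
    """Parse '{SHA}' lines into {user: raw_sha1_digest}; other hash types are rejected."""
    users: Dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not hashed.startswith("{SHA}"):
            raise ValueError(f"line {lineno}: expected 'user:{{SHA}}<base64>'")
        users[user] = base64.b64decode(hashed[len("{SHA}"):], validate=True)
    return users


def parse_basic_credentials(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an Authorization header value, or None if the
    header is absent, not the Basic scheme, not valid base64, or has no colon."""
    if authorization is None:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: user-id cannot contain ':', so split at the first one only.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


# Digest compared against when the user-id is unknown, so unknown and wrong-password
# requests take the same code path and roughly the same time.
_DUMMY_DIGEST = hashlib.sha1(b"unknown-user-placeholder").digest()


def authenticate(users: Dict[str, bytes], authorization: Optional[str]) -> Optional[str]:
    """Return the authenticated user-id, or None on any failure."""
    creds = parse_basic_credentials(authorization)
    if creds is None:
        return None
    user, password = creds
    expected = users.get(user, _DUMMY_DIGEST)
    candidate = hashlib.sha1(password.encode("utf-8")).digest()
    ok = hmac.compare_digest(candidate, expected)
    return user if (ok and user in users) else None


def basic_header(user: str, password: str) -> str:
    """Client side: encode credentials as an 'Authorization' header value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


# Constructed sample user list (not from the release notes).
SAMPLE_HTPASSWD = "\n".join([
    "# example users",
    htpasswd_sha_line("alice", "s3cr3t"),
    htpasswd_sha_line("bob", "pa:ss:word"),  # password containing colons
])

if __name__ == "__main__":
    db = load_htpasswd(SAMPLE_HTPASSWD)
    print(authenticate(db, basic_header("alice", "s3cr3t")))   # alice
    print(authenticate(db, basic_header("bob", "pa:ss:word")))  # bob
    print(authenticate(db, "Bearer not-basic"))                  # None
```

The unknown-user path still performs a digest comparison and the final check is an explicit ``user in users`` test rather than short-circuiting on the lookup, which keeps the response time roughly uniform across "no such user" and "wrong password". Whatever Envoy's filter does internally, this is the contract a user-list file has to satisfy: one ``user:{SHA}…`` entry per line, user-ids without colons.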