forked from envoyproxy/envoy
current.yaml
date: Pending
behavior_changes:
- area: tls-inspector
  change: |
    the listener filter tls inspector's stats ``connection_closed`` and ``read_error`` are removed. The new stats ``downstream_peek_remote_close`` and ``read_error`` are introduced for the listener; see :ref:`listener stats <config_listener_stats>`.
minor_behavior_changes:
- area: thrift
  change: |
    add validate_clusters in :ref:`RouteConfiguration <envoy_v3_api_msg_extensions.filters.network.thrift_proxy.v3.RouteConfiguration>` to override the default behavior of cluster validation.
- area: tls
  change: |
    if both :ref:`match_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>` and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error.
- area: tls
  change: |
    removed SHA-1 and RSA key transport cipher suites from the server-side defaults.
- area: http
  change: |
    the behavior of the :ref:`timeout <envoy_v3_api_field_config.core.v3.KeepaliveSettings.timeout>`
    field has been modified to extend the timeout when *any* frame is received on the owning HTTP/2
    connection. This negates the effect of head-of-line (HOL) blocking for slow connections. If
    any frame is received the assumption is that the connection is working. This behavior change
    can be reverted by setting the ``envoy.reloadable_features.http2_delay_keepalive_timeout`` runtime
    flag to false.
- area: http-cache
  change: |
    http cache filter ``getCache`` interface changed from returning a reference to
    returning a shared_ptr - any third-party implementations of this interface will need to be
    updated accordingly. See changes to ``simple_http_cache.cc`` and ``simple_http_cache.h`` in
    `PR21114 <https://github.com/envoyproxy/envoy/pull/21114>`_ for example.
- area: lua
  change: |
    export symbols of LuaJit by default on Linux. This is useful in cases where you have a lua script
    that loads shared object libraries, such as those installed via luarocks.
- area: admin
  change: |
    changed default regex engine for /stats?filter= from std::regex to RE2, improving filtering speed
    20x.
- area: skywalking
  change: |
    use request path as operation name of ENTRY/EXIT spans.
- area: skywalking
  change: |
    use upstream host address as ``addressUsedAtClient`` in propagation header.
- area: dns
  change: |
    allow propagating DNS responses with no records back to callers like strict_dns cluster,
    guarded by ``envoy.reloadable_features.cares_accept_nodata``.
- area: local_ratelimit
  change: |
    local_ratelimit will consume tokens of all matched descriptors sorted by tokens per second.
    This behavioral change can be reverted by setting runtime guard
    ``envoy.reloadable_features.http_local_ratelimit_match_all_descriptors`` to false.
- area: router
  change: |
    get route config factories by the configuration proto full names by default. This behavior change
    can be reverted by setting the ``envoy.reloadable_features.get_route_config_factory_by_type``
    runtime flag to false.
bug_fixes:
- area: runtime
  change: |
    Fixed a bug where ``envoy.restart_features.no_runtime_singleton`` was inverted.
    Runtime singleton status is now guarded by non-inverted ``envoy.restart_features.remove_runtime_singleton``.
- area: tcp_proxy
  change: |
    Fixed an issue using the cluster wide CONNECT termination so it will successfully proxy payloads.
removed_config_or_runtime:
- area: compressor
  change: |
    removed ``envoy.reloadable_features.fix_added_trailers`` and legacy code paths.
- area: dns
  change: |
    removed ``envoy.reloadable_features.use_dns_ttl`` and legacy code paths.
- area: ext_authz
  change: |
    removed ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard and legacy code paths.
- area: http
  change: |
    deprecated ``envoy.reloadable_features.correct_scheme_and_xfp`` and legacy code paths.
- area: http
  change: |
    deprecated ``envoy.reloadable_features.validate_connect`` and legacy code paths.
- area: tcp_proxy
  change: |
    removed ``envoy.reloadable_features.new_tcp_connection_pool`` and legacy code paths.
- area: tls
  change: |
    fixed a bug where, when a certificate is invalid, ``days_until_expiration`` reports a big number. After this fix, when a certificate expires, it reports as ``0``.
- area: conn pool
  change: |
    removed ``envoy.reloadable_features.conn_pool_delete_when_idle`` and legacy code paths.
- area: runtime
  change: |
    removed ``envoy.restart_features.no_runtime_singleton`` and replaced with ``envoy.restart_features.remove_runtime_singleton``.
new_features:
- area: access_log
  change: |
    added new access_log command operators to retrieve upstream connection information: ``%UPSTREAM_PROTOCOL%``, ``%UPSTREAM_PEER_SUBJECT%``, ``%UPSTREAM_PEER_ISSUER%``, ``%UPSTREAM_TLS_SESSION_ID%``, ``%UPSTREAM_TLS_CIPHER%``, ``%UPSTREAM_TLS_VERSION%``, ``%UPSTREAM_PEER_CERT_V_START%``, ``%UPSTREAM_PEER_CERT_V_END%`` and ``%UPSTREAM_PEER_CERT%``.
- area: dns_resolver
  change: |
    added :ref:`include_unroutable_families<envoy_v3_api_field_extensions.network.dns_resolver.apple.v3.AppleDnsResolverConfig.include_unroutable_families>` to the Apple DNS resolver.
  change: |
    added support for multiple addresses. This is most valuable when used in conjunction with :ref:`ALL <envoy_v3_api_enum_value_config.cluster.v3.Cluster.DnsLookupFamily.ALL>` enabling full happy eyeballs support for Envoy (see detailed documentation :ref:`here <arch_overview_conn_pool>`) but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to false.
- area: dubbo_proxy
  change: |
    added :ref:`dynamic routes discovery <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.drds>` support to the dubbo proxy.
- area: ext_proc
  change: |
    added support for per-route :ref:`grpc_service <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExtProcOverrides.grpc_service>`.
- area: http
  change: |
    added new :ref:`file_system_buffer <config_http_filters_file_system_buffer>` http filter.
- area: http
  change: |
    preserve case header formatter supports an inner formatter on Envoy headers in :ref:`formatter_type_on_envoy_headers <envoy_v3_api_field_extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig.formatter_type_on_envoy_headers>`.
- area: thrift
  change: |
    added flag to router to control downstream local close. :ref:`close_downstream_on_upstream_error <envoy_v3_api_field_extensions.filters.network.thrift_proxy.router.v3.Router.close_downstream_on_upstream_error>`.
- area: thrift
  change: |
    added support for access logging.
- area: thrift
  change: |
    introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message.
- area: on_demand
  change: |
    :ref:`OnDemand <envoy_v3_api_msg_extensions.filters.http.on_demand.v3.OnDemand>` got extended to hold configuration for on-demand cluster discovery. A similar message for :ref:`per-route configuration <envoy_v3_api_msg_extensions.filters.http.on_demand.v3.PerRouteConfig>` is also added.
- area: proxy_protocol
  change: |
    added :ref:`allow_requests_without_proxy_protocol<envoy_v3_api_field_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.allow_requests_without_proxy_protocol>` to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag.
- area: build
  change: |
    enabled building arm64 envoy-distroless and envoy-tools :ref:`docker images <install_binaries>`.
- area: ratelimit
  change: |
    added support for :ref:`masked_remote_address <envoy_v3_api_field_config.route.v3.RateLimit.Action.masked_remote_address>`.
- area: ratelimit
  change: |
    added support for :ref:`HTTP matching input functions <arch_overview_matching_api>` as descriptor producers.
- area: build
  change: |
    official released binary is now built with Clang 14.0.0.
- area: conn pool
  change: |
    Changed HTTP/2 connection pooling and the :ref:`ALPN pool <envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.auto_config>` to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, and then will cache that the effective stream limit is 1. This behavioral change can be reverted by setting ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to false.
- area: http
  change: |
    added :ref:`cluster_header <envoy_v3_api_field_config.route.v3.RouteAction.RequestMirrorPolicy.cluster_header>` in :ref:`request_mirror_policies <envoy_v3_api_field_config.route.v3.RouteAction.request_mirror_policies>` to allow routing shadow requests to the cluster specified in the request_header.
deprecated:
- area: dubbo_proxy
  change: |
    deprecated :ref:`old dubbo route config <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.route_config>`. Please use
    :ref:`multiple route config <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.multiple_route_config>` or
    :ref:`multiple route config <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.drds>` first.