-
Notifications
You must be signed in to change notification settings - Fork 4.8k
/
1.19.0.yaml
426 lines (420 loc) · 24 KB
/
1.19.0.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
date: July 13, 2021
behavior_changes:
- area: grpc_bridge_filter
change: |
the filter no longer collects grpc stats in favor of the existing grpc stats filter. The behavior can be reverted by
changing runtime key ``envoy.reloadable_features.grpc_bridge_stats_disabled``.
- area: tracing
change: |
update Apache SkyWalking tracer version to be compatible with 8.4.0 data collect protocol. This change will introduce
incompatibility with SkyWalking 8.3.0.
minor_behavior_changes:
- area: access_log
change: |
added new access_log command operator ``%REQUEST_TX_DURATION%``.
- area: access_log
change: |
removed extra quotes on metadata string values. This behavior can be temporarily reverted by setting
``envoy.reloadable_features.unquote_log_string_values`` to false.
- area: admission control
change: |
added :ref:`max_rejection_probability
<envoy_v3_api_field_extensions.filters.http.admission_control.v3alpha.AdmissionControl.max_rejection_probability>` which
defaults to 80%, which means that the upper limit of the default rejection probability of the filter is changed from
100% to 80%.
- area: aws_request_signing
change: |
requests are now buffered by default to compute signatures which include the payload hash, making the filter compatible
with most AWS services. Previously, requests were never buffered, which only produced correct signatures for requests
without a body, or for requests to S3, ES or Glacier, which used the literal string ``UNSIGNED-PAYLOAD``. Buffering can
be now be disabled in favor of using unsigned payloads with compatible services via the new ``use_unsigned_payload``
filter option (default false).
- area: cache filter
change: |
serve HEAD requests from cache.
- area: cluster
change: |
added default value of 5 seconds for :ref:`connect_timeout
<envoy_v3_api_field_config.cluster.v3.Cluster.connect_timeout>`.
- area: dns
change: |
changed apple resolver implementation to not reuse the UDS to the local DNS daemon.
- area: dns cache
change: |
the new :ref:`dns_query_timeout
<envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_query_timeout>` option has a default
of 5s. See below for more information.
- area: http
change: |
disable the integration between :ref:`ExtensionWithMatcher
<envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` and HTTP filters by default to reflect its
experimental status. This feature can be enabled by setting ``envoy.reloadable_features.experimental_matching_api`` to
true.
- area: http
change: |
replaced setting ``envoy.reloadable_features.strict_1xx_and_204_response_headers`` with settings
``envoy.reloadable_features.require_strict_1xx_and_204_response_headers`` (require upstream 1xx or 204 responses to not
have Transfer-Encoding or non-zero Content-Length headers) and
``envoy.reloadable_features.send_strict_1xx_and_204_response_headers`` (do not send 1xx or 204 responses with these
headers). Both are true by default.
- area: http
change: |
stop sending the transfer-encoding header for 304. This behavior can be temporarily reverted by setting
``envoy.reloadable_features.no_chunked_encoding_header_for_304`` to false.
- area: http
change: |
the behavior of the ``present_match`` in route header matcher changed. The value of ``present_match`` was ignored in the
past. The new behavior is ``present_match`` is performed when the value is true. An absent match performed when the
value is false. Please reference :ref:`present_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.present_match>`.
- area: listener
change: |
respect the :ref:`connection balance config <envoy_v3_api_field_config.listener.v3.Listener.connection_balance_config>`
defined within the listener where the sockets are redirected to. Clear that field to restore the previous behavior.
- area: listener
change: |
when balancing across active listeners and wildcard matching is used, the behavior has been changed to return the
listener that matches the IP family type associated with the listener's socket address. Any unexpected behavioral
changes can be reverted by setting runtime guard ``envoy.reloadable_features.listener_wildcard_match_ip_family`` to
false.
- area: tcp
change: |
switched to the new connection pool by default. Any unexpected behavioral changes can be reverted by setting runtime
guard ``envoy.reloadable_features.new_tcp_connection_pool`` to false.
- area: udp
change: |
limit each UDP listener to read maximum 6000 packets per event loop. This behavior can be temporarily reverted by
setting ``envoy.reloadable_features.udp_per_event_loop_read_limit`` to false.
bug_fixes:
- area: aws_lambda
change: |
if ``payload_passthrough`` is set to ``false``, the downstream response content-type header will now be set from the
content-type entry in the JSON response's headers map, if present.
- area: cluster
change: |
fixed the :ref:`cluster stats <config_cluster_manager_cluster_stats_request_response_sizes>` histograms by moving the
accounting into the router filter. This means that we now properly compute the number of bytes sent as well as handling
retries which were previously ignored.
- area: hot_restart
change: |
fix double counting of ``server.seconds_until_first_ocsp_response_expiring`` and
``server.days_until_first_cert_expiring`` during hot-restart. This stat was only incorrect until the parent process
terminated.
- area: http
change: |
fix erroneous handling of invalid nghttp2 frames with the ``NGHTTP2_ERR_REFUSED_STREAM`` error. Prior to the fix, Envoy
would close the entire connection when nghttp2 triggered the invalid frame callback for the said error. The fix will
cause Envoy to terminate just the refused stream and retain the connection. This behavior can be temporarily reverted by
setting the ``envoy.reloadable_features.http2_consume_stream_refused_errors`` runtime guard to false.
- area: http
change: |
port stripping now works for CONNECT requests, though the port will be restored if the CONNECT request is sent upstream.
This behavior can be temporarily reverted by setting ``envoy.reloadable_features.strip_port_from_connect`` to false.
- area: jwt_authn
change: |
unauthorized responses now correctly include a ``www-authenticate`` header.
- area: listener
change: |
fix a crash which could happen when a filter chain only listener update is followed by listener removal or a full
listener update.
- area: validation
change: |
fix an issue that causes TAP sockets to panic during config validation mode.
- area: xray
change: |
fix the default sampling rate for AWS X-Ray tracer extension to be 5% as opposed to 50%.
- area: zipkin
change: |
fix timestamp serialization in annotations. A prior bug fix exposed an issue with timestamps being serialized as
strings.
removed_config_or_runtime:
- area: event
change: |
removed ``envoy.reloadable_features.activate_timers_next_event_loop`` runtime guard and legacy code path.
- area: gzip
change: |
removed legacy HTTP Gzip filter and runtime guard ``envoy.deprecated_features.allow_deprecated_gzip_http_filter``.
- area: http
change: |
removed ``envoy.reloadable_features.allow_500_after_100`` runtime guard and the legacy code path.
- area: http
change: |
removed ``envoy.reloadable_features.always_apply_route_header_rules`` runtime guard and legacy code path.
- area: http
change: |
removed ``envoy.reloadable_features.hcm_stream_error_on_invalid_message`` for disabling closing HTTP/1.1 connections on
error. Connection-closing can still be disabled by setting the HTTP/1 configuration
:ref:`override_stream_error_on_invalid_http_message
<envoy_v3_api_field_config.core.v3.Http1ProtocolOptions.override_stream_error_on_invalid_http_message>`.
- area: http
change: |
removed ``envoy.reloadable_features.http_set_copy_replace_all_headers`` runtime guard and legacy code paths.
- area: http
change: |
removed ``envoy.reloadable_features.overload_manager_disable_keepalive_drain_http2``; Envoy will now always send GOAWAY
to HTTP2 downstreams when the :ref:`disable_keepalive <config_overload_manager_overload_actions>` overload action is
active.
- area: http
change: |
removed ``envoy.reloadable_features.http_match_on_all_headers`` runtime guard and legacy code paths.
- area: http
change: |
removed ``envoy.reloadable_features.unify_grpc_handling`` runtime guard and legacy code paths.
- area: tls
change: |
removed ``envoy.reloadable_features.tls_use_io_handle_bio`` runtime guard and legacy code path.
new_features:
- area: access_log
change: |
added the new response flag for :ref:`overload manager termination
<envoy_v3_api_field_data.accesslog.v3.ResponseFlags.overload_manager>`. The response flag will be set when the http
stream is terminated by overload manager.
- area: admission control
change: |
added :ref:`rps_threshold
<envoy_v3_api_field_extensions.filters.http.admission_control.v3alpha.AdmissionControl.rps_threshold>` option that when
average RPS of the sampling window is below this threshold, the filter will not throttle requests. Added
:ref:`max_rejection_probability
<envoy_v3_api_field_extensions.filters.http.admission_control.v3alpha.AdmissionControl.max_rejection_probability>`
option to set an upper limit on the probability of rejection.
- area: bandwidth_limit
change: |
added new :ref:`HTTP bandwidth limit filter <config_http_filters_bandwidth_limit>`.
- area: bootstrap
change: |
added :ref:`dns_resolution_config <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.dns_resolution_config>` to aggregate
all of the DNS resolver configuration in a single message. By setting ``no_default_search_domain`` to true the DNS
resolver will not use the default search domains. By setting the ``resolvers`` the external DNS servers to be used for
external DNS queries can be specified.
- area: cluster
change: |
added :ref:`dns_resolution_config <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolution_config>` to aggregate all
of the DNS resolver configuration in a single message. By setting ``no_default_search_domain`` to true the DNS resolver
will not use the default search domains.
- area: cluster
change: |
added :ref:`host_rewrite_literal
<envoy_v3_api_field_config.route.v3.WeightedCluster.ClusterWeight.host_rewrite_literal>` to WeightedCluster.
- area: cluster
change: |
added :ref:`wait_for_warm_on_init <envoy_v3_api_field_config.cluster.v3.Cluster.wait_for_warm_on_init>`, which allows
cluster readiness to not block on cluster warm-up. It is true by default, which preserves existing behavior. Currently,
only applicable for DNS-based clusters.
- area: composite filter
change: |
can now be used with filters that also add an access logger, such as the WASM filter.
- area: config
change: |
added stat :ref:`config_reload_time_ms <subscription_statistics>`.
- area: connection_limit
change: |
added new :ref:`Network connection limit filter <config_network_filters_connection_limit>`.
- area: crash support
change: |
restore crash context when continuing to processing requests or responses as a result of an asynchronous callback that
invokes a filter directly. This is unlike the call stacks that go through the various network layers, to eventually
reach the filter. For a concrete example see: ``Envoy::Extensions::HttpFilters::Cache::CacheFilter::getHeaders`` which
posts a callback on the dispatcher that will invoke the filter directly.
- area: dns cache
change: |
added :ref:`preresolve_hostnames
<envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.preresolve_hostnames>` option to the DNS
cache config. This option allows hostnames to be preresolved into the cache upon cache creation. This might provide
performance improvement, in the form of cache hits, for hostnames that are going to be resolved during steady state and
are known at config load time.
- area: dns cache
change: |
added :ref:`dns_query_timeout
<envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_query_timeout>` option to the DNS
cache config. This option allows explicitly controlling the timeout of underlying queries independently of the
underlying DNS platform implementation. Coupled with success and failure retry policies the use of this timeout will
lead to more deterministic DNS resolution times.
- area: dns resolver
change: |
added ``DnsResolverOptions`` protobuf message to reconcile all of the DNS lookup option flags. By setting the
configuration option :ref:`use_tcp_for_dns_lookups
<envoy_v3_api_field_config.core.v3.DnsResolverOptions.use_tcp_for_dns_lookups>` as true we can make the underlying dns
resolver library to make only TCP queries to the DNS servers and by setting the configuration option
:ref:`no_default_search_domain <envoy_v3_api_field_config.core.v3.DnsResolverOptions.no_default_search_domain>` as true
the DNS resolver library will not use the default search domains.
- area: dns resolver
change: |
added ``DnsResolutionConfig`` to combine :ref:`dns_resolver_options
<envoy_v3_api_field_config.core.v3.DnsResolutionConfig.dns_resolver_options>` and :ref:`resolvers
<envoy_v3_api_field_config.core.v3.DnsResolutionConfig.resolvers>` in a single protobuf message. The field ``resolvers``
can be specified with a list of DNS resolver addresses. If specified, DNS client library will perform resolution via the
underlying DNS resolvers. Otherwise, the default system resolvers (e.g., /etc/resolv.conf) will be used.
- area: dns_filter
change: |
added :ref:`dns_resolution_config
<envoy_v3_api_field_extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ClientContextConfig.dns_resolution_config>`
to aggregate all of the DNS resolver configuration in a single message. By setting the configuration option
``use_tcp_for_dns_lookups`` to true we can make dns filter's external resolvers to answer queries using TCP only, by
setting the configuration option ``no_default_search_domain`` as true the DNS resolver will not use the default search
domains. And by setting the configuration ``resolvers`` we can specify the external DNS servers to be used for external
DNS query which replaces the pre-existing alpha api field ``upstream_resolvers``.
- area: dynamic_forward_proxy
change: |
added :ref:`dns_resolution_config
<envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_resolution_config>` option to the DNS
cache config in order to aggregate all of the DNS resolver configuration in a single message. By setting one such
configuration option ``no_default_search_domain`` as true the DNS resolver will not use the default search domains. And
by setting the configuration ``resolvers`` we can specify the external DNS servers to be used for external DNS query
instead of the system default resolvers.
- area: ext_authz_filter
change: |
added :ref:`bootstrap_metadata_labels_key
<envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.bootstrap_metadata_labels_key>` option to configure
labels of destination service.
- area: http
change: |
added new field ``is_optional`` to ``extensions.filters.network.http_connection_manager.v3.HttpFilter``. When set to
``true``, unsupported http filters will be ignored by envoy. This is also same with unsupported http filter in the typed
per filter config. For more information, please reference :ref:`HttpFilter
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.is_optional>`.
- area: http
change: |
added :ref:`scheme options
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scheme_header_transformation>`
for adding or overwriting scheme.
- area: http
change: |
added :ref:`stripping trailing host dot from host header
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.strip_trailing_host_dot>`
support.
- area: http
change: |
added support for :ref:`original IP detection extensions
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`.
Two initial extensions were added, the :ref:`custom header
<envoy_v3_api_msg_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig>` extension and the
:ref:`xff <envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffConfig>` extension.
- area: http
change: |
added a new option to upstream HTTP/2 :ref:`keepalive
<envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.connection_keepalive>` to send a PING ahead of a new stream if
the connection has been idle for a sufficient duration.
- area: http
change: |
added the ability to :ref:`unescape slash sequences
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_with_escaped_slashes_action>`
in the path. Requests with unescaped slashes can be proxied, rejected or redirected to the new unescaped path. By
default this feature is disabled. The default behavior can be overridden through
:ref:`http_connection_manager.path_with_escaped_slashes_action<config_http_conn_man_runtime_path_with_escaped_slashes_action>`
runtime variable. This action can be selectively enabled for a portion of requests by setting the
:ref:`http_connection_manager.path_with_escaped_slashes_action_sampling<config_http_conn_man_runtime_path_with_escaped_slashes_action_enabled>`
runtime variable.
- area: http
change: |
added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options
<envoy_v3_api_field_config.listener.v3.UdpListenerConfig.quic_options>` for downstream and the new
http3_protocol_options in :ref:`http_protocol_options
<envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` for upstream HTTP/3.
- area: http
change: |
raise max configurable max_request_headers_kb limit to 8192 KiB (8MiB) from 96 KiB in http connection manager.
- area: input matcher
change: |
added a new input matcher that :ref:`matches an IP address against a list of CIDR ranges
<envoy_v3_api_file_envoy/extensions/matching/input_matchers/ip/v3/ip.proto>`.
- area: jwt_authn
change: |
added support to fetch remote jwks asynchronously specified by :ref:`async_fetch
<envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.RemoteJwks.async_fetch>`.
- area: jwt_authn
change: |
added support to add padding in the forwarded JWT payload specified by :ref:`pad_forward_payload_header
<envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.pad_forward_payload_header>`.
- area: listener
change: |
added ability to change an existing listener's address.
- area: listener
change: |
added filter chain match support for :ref:`direct source address
<envoy_v3_api_field_config.listener.v3.FilterChainMatch.direct_source_prefix_ranges>`.
- area: local_rate_limit_filter
change: |
added support for locally rate limiting http requests on a per connection basis. This can be enabled by setting the
:ref:`local_rate_limit_per_downstream_connection
<envoy_v3_api_field_extensions.filters.http.local_ratelimit.v3.LocalRateLimit.local_rate_limit_per_downstream_connection>`
field to true.
- area: metric service
change: |
added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels
<envoy_v3_api_field_config.metrics.v3.MetricsServiceConfig.emit_tags_as_labels>` field to true.
- area: proxy protocol
change: |
added support for generating the header while using the :ref:`HTTP connection manager <config_http_conn_man>`. This is
done using the :ref:`Proxy Protocol Transport Socket <extension_envoy.transport_sockets.upstream_proxy_protocol>` on
upstream clusters. This feature is currently affected by a memory leak `issue
<https://github.com/envoyproxy/envoy/issues/16682>`_.
- area: req_without_query
change: |
added access log formatter extension implementing command operator :ref:`REQ_WITHOUT_QUERY
<envoy_v3_api_msg_extensions.formatter.req_without_query.v3.ReqWithoutQuery>` to log the request path, while excluding
the query string.
- area: router
change: |
added option ``suppress_grpc_request_failure_code_stats`` to :ref:`the router
<envoy_v3_api_msg_extensions.filters.http.router.v3.Router>` to allow users to exclude incrementing HTTP status code
stats on gRPC requests.
- area: stats
change: |
added native :ref:`Graphite-formatted tag
<envoy_v3_api_msg_extensions.stat_sinks.graphite_statsd.v3.GraphiteStatsdSink>` support.
- area: tcp
change: |
added support for :ref:`preconnecting <envoy_v3_api_msg_config.cluster.v3.Cluster.PreconnectPolicy>`. Preconnecting is
off by default, but recommended for clusters serving latency-sensitive traffic.
- area: thrift_proxy
change: |
added per upstream metrics within the :ref:`thrift router
<envoy_v3_api_msg_extensions.filters.network.thrift_proxy.router.v3.Router>` for request and response size histograms.
- area: thrift_proxy
change: |
added support for :ref:`outlier detection <arch_overview_outlier_detection>`.
- area: tls
change: |
allow dual ECDSA/RSA certs via SDS. Previously, SDS only supported a single certificate per context, and dual cert was
only supported via non-SDS.
- area: tracing
change: |
add option :ref:`use_request_id_for_trace_sampling
<envoy_v3_api_field_extensions.request_id.uuid.v3.UuidRequestIdConfig.use_request_id_for_trace_sampling>` which allows
configuring whether to perform sampling based on :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` or not.
- area: udp_proxy
change: |
added :ref:`key <envoy_v3_api_msg_extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.HashPolicy>` as another hash policy
to support hash based routing on any given key.
- area: windows container image
change: |
added user, EnvoyUser which is part of the Network Configuration Operators group to the container image.
deprecated:
- area: bootstrap
change: |
the field :ref:`use_tcp_for_dns_lookups <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.use_tcp_for_dns_lookups>` is
deprecated in favor of :ref:`dns_resolution_config
<envoy_v3_api_field_config.bootstrap.v3.Bootstrap.dns_resolution_config>` which aggregates all of the DNS resolver
configuration in a single message.
- area: cluster
change: |
the fields :ref:`use_tcp_for_dns_lookups <envoy_v3_api_field_config.cluster.v3.Cluster.use_tcp_for_dns_lookups>` and
:ref:`dns_resolvers <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolvers>` are deprecated in favor of
:ref:`dns_resolution_config <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolution_config>` which aggregates all
of the DNS resolver configuration in a single message.
- area: dns_filter
change: |
the field :ref:`known_suffixes <envoy_v3_api_field_data.dns.v3.DnsTable.known_suffixes>` is deprecated. The internal
data management of the filter has changed and the filter no longer uses the known_suffixes field.
- area: dynamic_forward_proxy
change: |
the field :ref:`use_tcp_for_dns_lookups
<envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.use_tcp_for_dns_lookups>` is deprecated in
favor of :ref:`dns_resolution_config
<envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_resolution_config>` which aggregates
all of the DNS resolver configuration in a single message.
- area: http
change: |
:ref:`xff_num_trusted_hops
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.xff_num_trusted_hops>`
is deprecated in favor of :ref:`original IP detection extensions
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`.