release: prepare for v1.14.0 (#10699)

Signed-off-by: Matt Klein <[email protected]>

GOVERNANCE.md

@@ -79,13 +79,15 @@ or you can subscribe to the iCal feed [here](https://app.opsgenie.com/webcal/get
 * Begin marshalling the ongoing PR flow in this repo. Ask maintainers to hold off merging any
   particularly risky PRs until after the release is tagged. This is because we aim for master to be
   at release candidate quality at all times.
-* Do a final check of the [release notes](docs/root/intro/version_history.rst) and make any needed
-  corrections.
-* Switch the [VERSION](VERSION) from a "dev" variant to a final variant. E.g., "1.6.0-dev" to
-  "1.6.0". Also remove the "Pending" tags and add dates to the top of the [release notes](docs/root/intro/version_history.rst)
-  and [deprecated log](docs/root/intro/deprecated.rst). Get a review and merge.
-* **Wait for tests to pass on
-  [master](https://circleci.com/gh/envoyproxy/envoy/tree/master).**
+* Do a final check of the [release notes](docs/root/intro/version_history.rst):
+  * Make any needed corrections (grammar, punctuation, formatting, etc.).
+  * Check to see if any security/stable version release notes are duplicated in
+    the major version release notes. These should not be duplicated.
+  * Remove the "Pending" tags and add dates to the top of the [release notes](docs/root/intro/version_history.rst)
+    and [deprecated log](docs/root/intro/deprecated.rst).
+  * Switch the [VERSION](VERSION) from a "dev" variant to a final variant. E.g., "1.6.0-dev" to
+    "1.6.0".
+  * Get a review and merge.
 * Create a [tagged release](https://github.com/envoyproxy/envoy/releases). The release should
   start with "v" and be followed by the version number. E.g., "v1.6.0". **This must match the
   [VERSION](VERSION).**

VERSION

@@ -1 +1 @@
-1.14.0-dev
+1.14.0

docs/root/intro/deprecated.rst

@@ -10,8 +10,8 @@ The following features have been DEPRECATED and will be removed in the specified
 A logged warning is expected for each deprecated item that is in deprecation window.
 Deprecated items below are listed in chronological order.
 
-1.14.0 (Pending)
-================
+1.14.0 (April 8, 2020)
+======================
 * The previous behavior for upstream connection pool circuit breaking described
   `here <https://www.envoyproxy.io/docs/envoy/v1.13.0/intro/arch_overview/upstream/circuit_breaking>`_ has
   been deprecated in favor of the new behavior described :ref:`here <arch_overview_circuit_break>`.

docs/root/intro/version_history.rst

@@ -1,17 +1,17 @@
 Version history
 ---------------
 
-1.14.0 (Pending)
-================
+1.14.0 (April 8, 2020)
+======================
 * access log: access logger extensions use the "envoy.access_loggers" name space. A mapping
   of extension names is available in the :ref:`deprecated <deprecated>` documentation.
-* access log: added support for DOWNSTREAM_LOCAL_PORT :ref:`access log formatters <config_access_log_format>`.
-* access log: fix %DOWSTREAM_DIRECT_REMOTE_ADDRESS% when used with PROXY protocol listener filter
-* access log: introduce :ref:`connection-level access loggers<envoy_api_field_Listener.access_log>`.
+* access log: added support for `%DOWNSTREAM_LOCAL_PORT%` :ref:`access log formatters <config_access_log_format>`.
+* access log: fixed `%DOWSTREAM_DIRECT_REMOTE_ADDRESS%` when used with PROXY protocol listener filter.
+* access log: introduced :ref:`connection-level access loggers<envoy_api_field_Listener.access_log>`.
 * adaptive concurrency: fixed bug that allowed concurrency limits to drop below the configured
   minimum.
 * adaptive concurrency: minRTT is now triggered when the minimum concurrency is maintained for 5
-  consecutive sampling intervals
+  consecutive sampling intervals.
 * admin: added support for displaying ip address subject alternate names in :ref:`certs<operations_admin_interface_certs>` end point.
 * admin: added :http:post:`/reopen_logs` endpoint to control log rotation.
 * api: froze v2 xDS API. New feature development in the API should occur in v3 xDS. While the v2 xDS API has
@@ -20,7 +20,6 @@ Version history
 * aws_lambda: added :ref:`AWS Lambda filter <config_http_filters_aws_lambda>` that converts HTTP requests to Lambda
   invokes. This effectively makes Envoy act as an egress gateway to AWS Lambda.
 * aws_request_signing: a few fixes so that it works with S3.
-* buffer: force copy when appending small slices to OwnedImpl buffer to avoid fragmentation.
 * config: added stat :ref:`update_time <config_cluster_manager_cds>`.
 * config: use type URL to select an extension whenever the config type URL (or its previous versions) uniquely identify a typed extension, see :ref:`extension configuration <config_overview_extension_configuration>`.
 * datasource: added retry policy for remote async data source.
@@ -32,8 +31,8 @@ Version history
 * fault: added support for controlling abort faults with :ref:`HTTP header fault configuration <config_http_filters_fault_injection_http_header>` to the HTTP fault filter.
 * grpc-json: added support for building HTTP request into
   `google.api.HttpBody <https://github.com/googleapis/googleapis/blob/master/google/api/httpbody.proto>`_.
-* grpc-stats: add options to limit which messages stats are created for.
-* http: added HTTP/1.1 flood protection. Can be temporarily disabled using the runtime feature `envoy.reloadable_features.http1_flood_protection`
+* grpc-stats: added option to limit which messages stats are created for.
+* http: added HTTP/1.1 flood protection. Can be temporarily disabled using the runtime feature `envoy.reloadable_features.http1_flood_protection`.
 * http: added :ref:`headers_with_underscores_action setting <envoy_api_field_core.HttpProtocolOptions.headers_with_underscores_action>` to control how client requests with header names containing underscore characters are handled. The options are to allow such headers, reject request or drop headers. The default is to allow headers, preserving existing behavior.
 * http: added :ref:`max_stream_duration <envoy_api_field_core.HttpProtocolOptions.max_stream_duration>` to specify the duration of existing streams. See :ref:`connection and stream timeouts <faq_configuration_timeouts>`.
 * http: connection header sanitizing has been modified to always sanitize if there is no upgrade, including when an h2c upgrade attempt has been removed.
@@ -46,7 +45,6 @@ Version history
 * listener filters: listener filter extensions use the "envoy.filters.listener" name space. A
   mapping of extension names is available in the :ref:`deprecated <deprecated>` documentation.
 * listeners: added :ref:`listener filter matcher api <envoy_api_field_listener.ListenerFilter.filter_disabled>` to disable individual listener filter on matching downstream connections.
-* listeners: fixed issue where :ref:`TLS inspector listener filter <config_listener_filters_tls_inspector>` could have been bypassed by a client using only TLS 1.3.
 * loadbalancing: added support for using hostname for consistent hash loadbalancing via :ref:`consistent_hash_lb_config <envoy_api_field_Cluster.CommonLbConfig.consistent_hashing_lb_config>`.
 * loadbalancing: added support for :ref:`retry host predicates <envoy_api_field_route.RetryPolicy.retry_host_predicate>` in conjunction with consistent hashing load balancers (ring hash and maglev).
 * lua: added a parameter to `httpCall` that makes it possible to have the call be asynchronous.
@@ -55,11 +53,10 @@ Version history
 * network filters: added a :ref:`direct response filter <config_network_filters_direct_response>`.
 * network filters: network filter extensions use the "envoy.filters.network" name space. A mapping
   of extension names is available in the :ref:`deprecated <deprecated>` documentation.
-* rbac: added :ref:`url_path <envoy_api_field_config.rbac.v2.Permission.url_path>` for matching URL path without the query and fragment string.
 * rbac: added :ref:`remote_ip <envoy_api_field_config.rbac.v2.Principal.remote_ip>` and :ref:`direct_remote_ip <envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>` for matching downstream remote IP address.
 * rbac: deprecated :ref:`source_ip <envoy_api_field_config.rbac.v2.Principal.source_ip>` with :ref:`direct_remote_ip <envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>` and :ref:`remote_ip <envoy_api_field_config.rbac.v2.Principal.remote_ip>`.
-* request_id_extension: add an ability to extend request ID handling at :ref:`HTTP connection manager<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.request_id_extension>`.
-* retry: added a retry predicate that :ref:`rejects hosts based on metadata. <envoy_api_field_route.RetryPolicy.retry_host_predicate>`
+* request_id_extension: added an ability to extend request ID handling at :ref:`HTTP connection manager<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.request_id_extension>`.
+* retry: added a retry predicate that :ref:`rejects hosts based on metadata. <envoy_api_field_route.RetryPolicy.retry_host_predicate>`.
 * router: added ability to set attempt count in downstream response, see :ref:`virtual host's include response
   attempt count config <envoy_api_field_route.VirtualHost.include_attempt_count_in_response>`.
 * router: added additional stats for :ref:`virtual clusters <config_http_filters_router_vcluster_stats>`.
@@ -68,20 +65,19 @@ Version history
   :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>`.
 * router: added support for :ref:`regex_rewrite
   <envoy_api_field_route.RouteAction.regex_rewrite>` for path rewriting using regular expressions and capture groups.
-* router: added support for DOWNSTREAM_LOCAL_PORT :ref:`header formatter <config_http_conn_man_headers_custom_request_headers>`.
+* router: added support for `%DOWNSTREAM_LOCAL_PORT%` :ref:`header formatter <config_http_conn_man_headers_custom_request_headers>`.
 * router: don't ignore :ref:`per_try_timeout <envoy_api_field_route.RetryPolicy.per_try_timeout>` when the :ref:`global route timeout <envoy_api_field_route.RouteAction.timeout>` is disabled.
 * router: strip whitespace for :ref:`retry_on <envoy_api_field_route.RetryPolicy.retry_on>`, :ref:`grpc-retry-on header <config_http_filters_router_x-envoy-retry-grpc-on>` and :ref:`retry-on header <config_http_filters_router_x-envoy-retry-on>`.
-* runtime: enabling the runtime feature "envoy.deprecated_features.allow_deprecated_extension_names"
+* runtime: enabling the runtime feature `envoy.deprecated_features.allow_deprecated_extension_names`
   disables the use of deprecated extension names.
 * runtime: integer values may now be parsed as booleans.
 * sds: added :ref:`GenericSecret <envoy_api_msg_auth.GenericSecret>` to support secret of generic type.
 * sds: added :ref:`certificate rotation <xds_certificate_rotation>` support for certificates in static resources.
-* sds: fix the SDS vulnerability that TLS validation context (e.g., subject alt name or hash) cannot be effectively validated in some cases.
 * server: the SIGUSR1 access log reopen warning now is logged at info level.
 * stat sinks: stat sink extensions use the "envoy.stat_sinks" name space. A mapping of extension
   names is available in the :ref:`deprecated <deprecated>` documentation.
-* thrift_proxy: add router filter stats to docs.
-* tls: added configuration to disable stateless TLS session resumption :ref:`disable_stateless_session_resumption <envoy_api_field_auth.DownstreamTlsContext.disable_stateless_session_resumption>`
+* thrift_proxy: added router filter stats to docs.
+* tls: added configuration to disable stateless TLS session resumption :ref:`disable_stateless_session_resumption <envoy_api_field_auth.DownstreamTlsContext.disable_stateless_session_resumption>`.
 * tracing: added gRPC service configuration to the OpenCensus Stackdriver and OpenCensus Agent tracers.
 * tracing: tracer extensions use the "envoy.tracers" name space. A mapping of extension names is
   available in the :ref:`deprecated <deprecated>` documentation.
@@ -91,12 +87,12 @@ Version history
   limits for both requests and connections apply to both pool types. Also, HTTP/2 now has
   the option to limit concurrent requests on a connection, and allow multiple draining
   connections. The old behavior is deprecated, but can be used during the deprecation
-  period by disabling runtime feature "envoy.reloadable_features.new_http1_connection_pool_behavior" or
-  "envoy.reloadable_features.new_http2_connection_pool_behavior" and then re-configure your clusters or
+  period by disabling runtime feature `envoy.reloadable_features.new_http1_connection_pool_behavior` or
+  `envoy.reloadable_features.new_http2_connection_pool_behavior` and then re-configure your clusters or
   restart Envoy. The behavior will not switch until the connection pools are recreated. The new
   circuit breaker behavior is described :ref:`here <arch_overview_circuit_break>`.
 * zlib: by default zlib is initialized to use its default strategy (Z_DEFAULT_STRATEGY)
-  instead of the fixed one (Z_FIXED). The difference is that the use of dynammic
+  instead of the fixed one (Z_FIXED). The difference is that the use of dynamic
   Huffman codes is enabled now resulting in better compression ratio for normal data.
 
 1.13.1 (March 3, 2020)