.. _version_history_1.33.0:

1.33.0 (Pending)
=================

Incompatible behavior changes
-----------------------------

*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* **http**: Added streaming shadow functionality. This allows the shadow request to be streamed in parallel with the original request rather than waiting for the original request to complete. This allows shadowing requests larger than the buffer limit, but also means shadowing may take place for requests which are canceled mid-stream. This behavior change can be temporarily reverted by setting ``envoy.reloadable_features.streaming_shadow`` to false.
* **http**: RFC1918 addresses are no longer considered to be internal addresses by default. This addresses a security issue for Envoy in multi-tenant mesh environments. Please explicitly set :ref:`internal_address_config ` to retain the prior behavior. This change can be temporarily reverted by setting the runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``false``.
* **tracing**: Removed support for the (long deprecated) opencensus tracing extension.
* **wasm**: Removed the previously deprecated xDS attributes from ``get_property``; use the ``xds`` attributes instead.
* **wasm**: The route cache will no longer be cleared by default if the wasm extension modified the request headers and the ABI version of the wasm extension is greater than 0.2.1.

Minor behavior changes
----------------------

*Changes that may cause incompatibilities for some users, but should not for most*

* **access_log**: The new implementation of the JSON formatter is now enabled by default. The :ref:`sort_properties ` field is ignored by the new implementation because it always sorts properties. The new implementation also always preserves the value type in the JSON output. For example, the duration field will always be rendered as a number instead of a string.
  This behavior change can be temporarily disabled by setting the runtime flag ``envoy.reloadable_features.logging_with_fast_json_formatter`` to false.
* **csrf**: Only the ``missing_source_origin`` statistics counter is now incremented for requests with a missing source origin. Previously, the ``request_invalid`` counter was also incremented for such requests.
* **dns**: Patched c-ares to address CVE-2024-25629.
* **formatter**: NaN and Infinity float values are serialized to ``null`` and ``"inf"`` respectively in the metadata (``DYNAMIC_METADATA``, ``CLUSTER_METADATA``, etc.) formatter.
* **http**: If :ref:`pack_trace_reason ` is set to false, Envoy will not parse the trace reason from the ``x-request-id`` header, so that reads and writes of the trace reason are consistent. If :ref:`pack_trace_reason ` is set to true and an external ``x-request-id`` value is used, the trace reason in the external request id will not be trusted and will be cleared.
* **http**: Local replies now traverse the filter chain if 1xx headers have been sent to the client. This change can be reverted by setting the runtime guard ``envoy.reloadable_features.local_reply_traverses_filter_chain_after_1xx`` to false.
* **oauth2**: :ref:`use_refresh_token ` is now enabled by default. This behavioral change can be temporarily reverted by setting the runtime guard ``envoy.reloadable_features.oauth2_use_refresh_token`` to false.
* **oauth2**: Implemented the Signed Double-Submit Cookie pattern, as recommended by OWASP, by using the HMAC secret to sign and verify the nonce.
* **oauth2**: The ``state`` parameter in the OAuth2 authorization request is now a base64url-encoded JSON object. The JSON object contains the original request URL and a nonce for CSRF prevention.
* **quic**: Enabled UDP GRO in QUIC client connections by default. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.prefer_quic_client_udp_gro`` to false.
* **rate_limit**: Added ``WEEK`` as a unit of time for rate limiting.
* **rds**: When a new RDS provider config is pushed via xDS and the only difference is a change to :ref:`initial_fetch_timeout `, the existing provider is reused. Envoy will not ask the RDS server for the routes config because the existing provider already has an up-to-date routes config. This behavioral change can be temporarily reverted by setting the runtime guard ``envoy.reloadable_features.normalize_rds_provider_config`` to false.
* **scoped_rds**: The :ref:`route_configuration ` field is supported when the ``ScopedRouteConfiguration`` resource is delivered via SRDS.
* **sds**: Relaxed the backing cluster validation for Secret Discovery Service (SDS). Previously, the cluster backing SDS had to be a primary cluster, i.e. a non-EDS cluster defined in the bootstrap configuration. This change relaxes that restriction, so the SDS cluster can now be a dynamic cluster. This change is enabled by default, and can be reverted by setting the runtime flag ``envoy.restart_features.skip_backing_cluster_check_for_sds`` to ``false``.
* **xds**: A minor delta-xDS optimization that avoids copying resources when ingesting them was introduced. No impact on behavior is expected, but a runtime flag was added because this may affect config-ingestion related extensions (e.g., custom-config-validators, config-tracker), as the order of the elements passed to the callback functions may differ. This change can be temporarily reverted by setting ``envoy.reloadable_features.xds_prevent_resource_copy`` to ``false``.

Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*

* **DNS**: Fixed a bug where setting ``dns_jitter`` to large values caused an Envoy bug assertion (``ENVOY_BUG``) to fire.
* **OAuth2**: Fixed an issue where the ID token and refresh token did not adhere to the :ref:`cookie_domain ` field.
* **access_log**: Relaxed the restriction on SNI logging to allow the ``_`` character, even if ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
* **csrf**: Requests that have a "privacy sensitive" / opaque origin (``Origin: null``) are now handled as if the request had no origin information.
* **golang**: Fixed a crash during Golang GC caused by accessing deleted ``decoder_callbacks``. The bug was introduced in 1.31.0.
* **load_balancing**: Fixed the default host weight calculation of :ref:`client_side_weighted_round_robin ` to properly handle an even number of valid host weights.
* **lrs**: Fixed the errors stat being incremented and warning log spamming on LoadStatsReporting graceful stream close.
* **original_ip_detection custom header extension**: Reverted the :ref:`custom header ` extension to its original behavior by disabling the automatic XFF header appending that was inadvertently introduced in PR #31831.
* **scoped_rds**: Fixed a scope key leak and spurious scope key conflicts when an update to an SRDS resource changes the key.
* **stats ads grpc**: Fixed the metric for ADS disconnection counters when using the Google gRPC client. This extracts the gRPC client prefix specified in the :ref:`google_grpc ` resource used for ADS, and adds it as the tag ``envoy_google_grpc_client_prefix`` on the Prometheus stats.
* **tls**: Support operations on IP SANs when the IP version is not supported by the host operating system; for example, an IPv6 SAN can now be used on a host that does not support IPv6 addresses.
* **tracers**: Avoid a possible overflow when setting span attributes in the Dynatrace sampler.
* **udp/dynamic_forward_proxy**: Fixed a bug where the dynamic_forward_proxy UDP session filter disabled buffering in the filter config instead of disabling buffering for the filter instance.
* **validation/tools**: Added back the missing extension for ``schema_validator_tool``.
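
The RFC1918 change under *Incompatible behavior changes* removes the implicit trust that let requests from private-range sources be treated as internal, and therefore keep their ``x-envoy-*`` headers through header sanitization. The following is an added example for this page, not Envoy's own documentation: it retains the three RFC1918 ranges as internal on a single HTTP connection manager by listing them explicitly rather than relying on the runtime guard. The listener name, port and ``direct_response`` route are placeholders.

```yaml
# Added example (not from the Envoy project): explicit internal_address_config
# on an HTTP connection manager after the 1.33 default change.
static_resources:
  listeners:
  - name: ingress                                   # assumed listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }   # assumed port
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Replaces the implicit RFC1918 default removed in 1.33. Narrow this
          # list to the ranges your mesh actually trusts: requests classified
          # as internal keep their x-envoy-* headers instead of having them
          # stripped, so any tenant inside one of these ranges can influence
          # retry and timeout behavior on this proxy.
          internal_address_config:
            cidr_ranges:
            - { address_prefix: 10.0.0.0, prefix_len: 8 }
            - { address_prefix: 172.16.0.0, prefix_len: 12 }
            - { address_prefix: 192.168.0.0, prefix_len: 16 }
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                direct_response:
                  status: 200
                  body: { inline_string: "ok\n" }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Prefer this explicit list over setting ``envoy.reloadable_features.explicit_internal_address_config`` to ``false``: the runtime guard restores the old default for every listener and is only a temporary revert, whereas the per-connection-manager list records exactly which sources are trusted and can be narrowed further (for example to the node or pod CIDR alone) without touching the rest of the configuration.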

Removed config or runtime
-------------------------

*Normally occurs at the end of the* :ref:`deprecation period `

* **aws**: Removed runtime flag ``envoy.reloadable_features.use_http_client_to_fetch_aws_credentials``.
* **dns**: Removed runtime flag ``envoy.reloadable_features.dns_reresolve_on_eai_again`` and legacy code paths.
* **grpc**: Removed runtime guard ``envoy.reloadable_features.validate_grpc_header_before_log_grpc_status``.
* **http**: Removed runtime flag ``envoy.reloadable_features.http_route_connect_proxy_by_default`` and legacy code paths.
* **http**: Removed runtime flag ``envoy.restart_features.sanitize_te`` and legacy code paths.
* **http2**: Removed runtime flag ``envoy.reloadable_features.defer_processing_backedup_streams`` and legacy code paths.
* **load balancing**: Removed runtime guard ``envoy.reloadable_features.edf_lb_host_scheduler_init_fix`` and legacy code paths.
* **load balancing**: Removed runtime guard ``envoy.reloadable_features.edf_lb_locality_scheduler_init_fix`` and legacy code paths.
* **quic**: Removed runtime flag ``envoy.restart_features.quic_handle_certs_with_shared_tls_code`` and legacy code paths.
* **router**: Removed runtime guard ``envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request``.
* **upstream**: Removed runtime flag ``envoy.reloadable_features.exclude_host_in_eds_status_draining``.
* **upstream**: Removed runtime flag ``envoy.restart_features.allow_client_socket_creation_failure`` and legacy code paths.

New features
------------

* **CEL-attributes**: Added :ref:`attribute ` ``upstream.cx_pool_ready_duration`` to get the duration from when the upstream request was created to when the upstream connection pool is ready.
* **CEL-attributes**: Added :ref:`attribute ` ``upstream.request_attempt_count`` to get the number of times a request is attempted upstream.
* **access log**: Added fields for :ref:`DOWNSTREAM_DIRECT_LOCAL_ADDRESS and DOWNSTREAM_DIRECT_LOCAL_ADDRESS_WITHOUT_PORT `.
* **access_log**: Added the ``%DOWNSTREAM_LOCAL_EMAIL_SAN%``, ``%DOWNSTREAM_PEER_EMAIL_SAN%``, ``%DOWNSTREAM_LOCAL_OTHERNAME_SAN%`` and ``%DOWNSTREAM_PEER_OTHERNAME_SAN%`` substitution formatters.
* **access_log**: Added support for :ref:`%UPSTREAM_HOST_NAME_WITHOUT_PORT% ` for the upstream host identifier without the port value.
* **access_log**: Added support for logging the upstream connection establishment duration in the :ref:`%COMMON_DURATION% ` access log formatter operator. The following time points were added: ``%US_CX_BEG%``, ``%US_CX_END%``, ``%US_HS_END%``.
* **attributes**: Added the new ``xds.virtual_host_name`` and ``xds.virtual_host_metadata`` attributes. See :ref:`attributes ` for looking up xDS configuration information.
* **aws_request_signing**: Added an optional field :ref:`credential_provider ` to the AWS request signing filter to explicitly specify a source for AWS credentials.
* **c-ares**: Added a nameserver rotation option to the c-ares resolver. When enabled via :ref:`rotate_nameservers `, this performs round-robin selection of the configured nameservers for each resolution to help distribute query load.
* **c-ares**: Added two new options to the c-ares resolver for configuring custom timeouts and tries while resolving DNS queries. Custom timeouts can be configured by specifying :ref:`query_timeout_seconds ` and custom tries can be configured by specifying :ref:`query_tries `.
* **ext_authz**: Added the filter state fields ``latency_us``, ``bytesSent`` and ``bytesReceived`` for access from CEL and logging.
* **filters**: Added :ref:`the API Key Auth filter `, which can be used to authenticate requests using an API key.
* **filters**: Updated the ``set_filter_state`` :ref:`filter ` to support per-route overrides.
* **grpc-json**: Added a new HTTP filter for :ref:`gRPC to JSON transcoding `.
* **health_check**: Added new health check filter stats including total requests, successful/failed checks, cached responses, and cluster health status counters.
  These stats help track health check behavior and cluster health state.
* **http_inspector**: Added the default-false runtime flag ``envoy.reloadable_features.http_inspector_use_balsa_parser`` for HttpInspector to use BalsaParser.
* **ip-tagging**: Added support for specifying an alternate header :ref:`ip_tag_header ` for appending IP tags via the ip-tagging filter instead of using the default header ``x-envoy-ip-tags``.
* **jwt_authn**: Added :ref:`refetch_jwks_on_kid_mismatch ` to allow the filter to refetch the JWKS when the extracted JWT's KID does not match the cached JWKS's KID.
* **lua**: Added logging functions to all Lua objects. Previously these were only available on the Lua HTTP filter request handle.
* **lua**: Added the :ref:`downstreamDirectLocalAddress() ` method to the stream info object API.
* **lua**: Added a new ``setUpstreamOverrideHost()`` method which can be used to set the given host as the upstream host for the current request.
* **lua**: Added the SSL :ref:`parsedSubjectPeerCertificate() ` API.
* **lua cluster specifier**: Added the ability for a Lua script to query clusters for the current request and connection.
* **overload**: Added support for scaling :ref:`max connection duration `. This can be used to reduce the max connection duration in response to overload.
* **quic**: Added the :ref:`QUIC stats debug visitor ` to get more stats from the QUIC transport.
* **rbac**: Added :ref:`sourced_metadata `, which allows specifying an optional source for the metadata to be matched in addition to the metadata matcher.
* **redis**: Added support for the UNWATCH command.
* **sni_dynamic_forward_proxy**: Added support in the SNI dynamic forward proxy for saving the resolved upstream address in the filter state. The state is saved under the key ``envoy.stream.upstream_address``.
* **tls**: Added an :ref:`option ` to change the upstream SNI to the configured hostname for the upstream.
* **tls**: Added an :ref:`option ` to validate the upstream server certificate SANs against the actual SNI value sent, regardless of how the SNI was configured.
* **tls**: Added support for the P-384 and P-521 curves for TLS server certificates.
* **tracers**: Set the resource ``telemetry.sdk.*`` and scope ``otel.scope.name|version`` attributes for the OpenTelemetry tracer.
* **udp_proxy**: Added support for the coexistence of dynamic and static clusters in the same UDP proxy. Dynamic clusters can be used for some sessions by setting a per-session state object under the key ``envoy.upstream.dynamic_host`` and routing to a dynamic cluster, while static clusters can be used for other sessions by setting a per-session state object under the key ``envoy.udp_proxy.cluster`` without setting ``envoy.upstream.dynamic_host``.
* **udp_proxy**: Added support for dynamic cluster selection in the UDP proxy. The cluster can be set by one of the session filters by setting a per-session state object under the key ``envoy.udp_proxy.cluster``.
* **wasm**: Added support for reloading the Wasm VM when it fails with runtime errors. See :ref:`failure_policy ` for more details. The ``FAIL_RELOAD`` reload policy is used by default.
* **wasm**: Added the ``clear_route_cache`` foreign function to clear the route cache.
* **xds**: Added support for ADS replacement by invoking ``xdsManager().setAdsConfigSource()`` with a new config source.

Deprecated
----------

* **aws_iam**: The :ref:`aws_iam extension ` is deprecated and will be deleted from Envoy in a future release, no later than Envoy 1.35, but possibly sooner.
* **rbac**: The :ref:`metadata ` field is now deprecated in favor of :ref:`sourced_metadata `.