.. _version_history_1.12.0: 1.12.0 (October 31, 2019) ========================== Changes ------- * **access log**: added :ref:`buffering <v1.12:envoy_api_field_config.accesslog.v2.CommonGrpcAccessLogConfig.buffer_size_bytes>` and :ref:`periodical flushing <v1.12:envoy_api_field_config.accesslog.v2.CommonGrpcAccessLogConfig.buffer_flush_interval>` support to gRPC access logger. Defaults to 16KB buffer and flushing every 1 second. * **access log**: added DOWNSTREAM_DIRECT_REMOTE_ADDRESS and DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT :ref:`access log formatters <v1.12:config_access_log_format>` and gRPC access logger. * **access log**: added a new flag for :ref:`downstream protocol error <v1.12:envoy_api_field_data.accesslog.v2.ResponseFlags.downstream_protocol_error>`. * **access log**: gRPC Access Log Service (ALS) support added for :ref:`TCP access logs <v1.12:envoy_api_msg_config.accesslog.v2.TcpGrpcAccessLogConfig>`. * **access log**: reintroduced :ref:`filesystem <v1.12:filesystem_stats>` stats and added the ``write_failed`` counter to track failed log writes. * **admin**: added :http:get:`/stats/recentlookups`, :http:post:`/stats/recentlookups/clear`, :http:post:`/stats/recentlookups/disable`, and :http:post:`/stats/recentlookups/enable` endpoints. * **admin**: added ability to configure listener :ref:`socket options <v1.12:envoy_api_field_config.bootstrap.v2.Admin.socket_options>`. * **admin**: added config dump support for Secret Discovery Service :ref:`SecretConfigDump <v1.12:envoy_api_msg_admin.v2alpha.SecretsConfigDump>`. * **admin**: added support for :ref:`draining <v1.12:operations_admin_interface_drain>` listeners via admin interface. * **api**: added :ref:`set_node_on_first_message_only <v1.12:envoy_api_field_core.ApiConfigSource.set_node_on_first_message_only>` option to omit the node identifier from the subsequent discovery requests on the same stream. * **buffer filter**: now populates content-length header if not present. This behavior can be temporarily disabled using the runtime feature ``envoy.reloadable_features.buffer_filter_populate_content_length``. * **build**: official released binary is now PIE so it can be run with ASLR. * **config**: added access log :ref:`extension filter <v1.12:envoy_api_field_config.filter.accesslog.v2.AccessLogFilter.extension_filter>`. * **config**: added async data access for local and remote data sources. * **config**: added stat :ref:`init_fetch_timeout <v1.12:config_cluster_manager_cds>`. * **config**: added support for :option:`--reject-unknown-dynamic-fields`, providing independent control over whether unknown fields are rejected in static and dynamic configuration. By default, unknown fields in static configuration are rejected and are allowed in dynamic configuration. Warnings are logged for the first use of any unknown field and these occurrences are counted in the :ref:`server.static_unknown_fields <v1.12:server_statistics>` and :ref:`server.dynamic_unknown_fields <v1.12:server_statistics>` statistics. * **config**: added support for :ref:`delta xDS <v1.12:arch_overview_dynamic_config_delta>` (including ADS) delivery. * **config**: changed the default value of :ref:`initial_fetch_timeout <v1.12:envoy_api_field_core.ConfigSource.initial_fetch_timeout>` from 0s to 15s. This is a change in behaviour in the sense that Envoy will move to the next initialization phase, even if the first config is not delivered in 15s. Refer to :ref:`initialization process <v1.12:arch_overview_initialization>` for more details. * **config**: enforcing that terminal filters (e.g. HttpConnectionManager for L4, router for L7) be the last in their respective filter chains. * **config**: tls_context in Cluster and FilterChain are deprecated in favor of transport socket. See :ref:`deprecated documentation <v1.12:deprecated>` for more information. * **csrf**: added PATCH to supported methods. * **dns**: added support for configuring :ref:`dns_failure_refresh_rate <v1.12:envoy_api_field_Cluster.dns_failure_refresh_rate>` to set the DNS refresh rate during failures. * **ext_authz**: added :ref:`configurable ability <v1.12:envoy_api_field_config.filter.http.ext_authz.v2.ExtAuthz.metadata_context_namespaces>` to send dynamic metadata to the ``ext_authz`` service. * **ext_authz**: added :ref:`filter_enabled RuntimeFractionalPercent flag <v1.12:envoy_api_field_config.filter.http.ext_authz.v2.ExtAuthz.filter_enabled>` to filter. * **ext_authz**: added tracing to the HTTP client. * **ext_authz**: deprecated :ref:`cluster scope stats <v1.12:config_http_filters_ext_authz_stats>` in favour of filter scope stats. * **fault**: added overrides for default runtime keys in :ref:`HTTPFault <v1.12:envoy_api_msg_config.filter.http.fault.v2.HTTPFault>` filter. * **grpc**: added :ref:`AWS IAM grpc credentials extension <v1.12:envoy_api_file_envoy/config/grpc_credential/v2alpha/aws_iam.proto>` for AWS-managed xDS. * **grpc**: added :ref:`gRPC stats filter <v1.12:config_http_filters_grpc_stats>` for collecting stats about gRPC calls and streaming message counts. * **grpc-json**: added support for :ref:`ignoring unknown query parameters <v1.12:envoy_api_field_config.filter.http.transcoder.v2.GrpcJsonTranscoder.ignore_unknown_query_parameters>`. * **grpc-json**: added support for :ref:`the grpc-status-details-bin header <v1.12:envoy_api_field_config.filter.http.transcoder.v2.GrpcJsonTranscoder.convert_grpc_status>`. * **header to metadata**: added :ref:`PROTOBUF_VALUE <v1.12:envoy_api_enum_value_config.filter.http.header_to_metadata.v2.Config.ValueType.PROTOBUF_VALUE>` and :ref:`ValueEncode <v1.12:envoy_api_enum_config.filter.http.header_to_metadata.v2.Config.ValueEncode>` to support protobuf Value and Base64 encoding. * **http**: :ref:`AUTO <v1.12:envoy_api_enum_value_config.filter.network.http_connection_manager.v2.HttpConnectionManager.CodecType.AUTO>` codec protocol inference now requires the H2 magic bytes to be the first bytes transmitted by a downstream client. * **http**: absolute URL support is now on by default. The prior behavior can be reinstated by setting :ref:`allow_absolute_url <v1.12:envoy_api_field_core.Http1ProtocolOptions.allow_absolute_url>` to false. * **http**: added a default one hour idle timeout to upstream and downstream connections. HTTP connections with no streams and no activity will be closed after one hour unless the default idle_timeout is overridden. To disable upstream idle timeouts, set the :ref:`idle_timeout <v1.12:envoy_api_field_core.HttpProtocolOptions.idle_timeout>` to zero in Cluster :ref:`http_protocol_options <v1.12:envoy_api_field_Cluster.common_http_protocol_options>`. To disable downstream idle timeouts, either set :ref:`idle_timeout <v1.12:envoy_api_field_core.HttpProtocolOptions.idle_timeout>` to zero in the HttpConnectionManager :ref:`common_http_protocol_options <v1.12:envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.common_http_protocol_options>` or set the deprecated :ref:`connection manager <v1.12:envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.idle_timeout>` field to zero. * **http**: added the ability to :ref:`configure max connection duration <v1.12:envoy_api_field_core.HttpProtocolOptions.max_connection_duration>` for downstream connections. * **http**: added the ability to :ref:`merge adjacent slashes <v1.12:envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.merge_slashes>` in the path. * **http**: added the ability to configure the behavior of the server response header, via the :ref:`server_header_transformation <v1.12:envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.server_header_transformation>` field. * **http**: added the ability to format HTTP/1.1 header keys using :ref:`header_key_format <v1.12:envoy_api_field_core.Http1ProtocolOptions.header_key_format>`. * **http**: added the ability to reject HTTP/1.1 requests with invalid HTTP header values, using the runtime feature ``envoy.reloadable_features.strict_header_validation``. * **http**: changed Envoy to forward existing x-forwarded-proto from upstream trusted proxies. Guarded by ``envoy.reloadable_features.trusted_forwarded_proto`` which defaults true. * **http**: remove h2c upgrade headers for HTTP/1 as h2c upgrades are currently not supported. * **http**: support :ref:`disabling the filter per route <v1.12:envoy_api_msg_config.filter.http.grpc_http1_reverse_bridge.v2alpha1.FilterConfigPerRoute>` in the grpc http1 reverse bridge filter. * **http**: support :ref:`host rewrite <v1.12:envoy_api_msg_config.filter.http.dynamic_forward_proxy.v2alpha.PerRouteConfig>` in the dynamic forward proxy. * **listeners**: added :ref:`HTTP inspector listener filter <v1.12:config_listener_filters_http_inspector>`. * **listeners**: added :ref:`connection balancer <v1.12:envoy_api_field_Listener.connection_balance_config>` configuration for TCP listeners. * **listeners**: added :ref:`continue_on_listener_filters_timeout <v1.12:envoy_api_field_Listener.continue_on_listener_filters_timeout>` to configure whether a listener will still create a connection when listener filters time out. * **listeners**: listeners now close the listening socket as part of the draining stage as soon as workers stop accepting their connections. * **lua**: extended ``dynamicMetadata:set()`` to allow setting complex values. * **lua**: extended ``httpCall()`` and ``respond()`` APIs to accept headers with entry values that can be a string or table of strings. * **metrics_service**: added support for flushing histogram buckets. * **outlier_detector**: added :ref:`support for the grpc-status response header <v1.12:arch_overview_outlier_detection_grpc>` by mapping it to HTTP status. Guarded by envoy.reloadable_features.outlier_detection_support_for_grpc_status which defaults to true. * **performance**: new buffer implementation enabled by default (to disable add "--use-libevent-buffers 1" to the command-line arguments when starting Envoy). * **performance**: stats symbol table implementation (disabled by default; to test it, add "--use-fake-symbol-table 0" to the command-line arguments when starting Envoy). * **rbac**: added conditions to the policy, see :ref:`condition <v1.12:envoy_api_field_config.rbac.v2.Policy.condition>`. * **rbac**: added support for DNS SAN as :ref:`principal_name <v1.12:envoy_api_field_config.rbac.v2.Principal.Authenticated.principal_name>`. * **redis**: added :ref:`enable_command_stats <v1.12:envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings.enable_command_stats>` to enable :ref:`per command statistics <v1.12:arch_overview_redis_cluster_command_stats>` for upstream clusters. * **redis**: added :ref:`read_policy <v1.12:envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings.read_policy>` to allow reading from redis replicas for Redis Cluster deployments. * **redis**: enable_hashtaging is always enabled when the upstream uses open source Redis cluster protocol. * **redis**: fixed a bug where the redis health checker ignored the upstream auth password. * **regex**: introduced new :ref:`RegexMatcher <v1.12:envoy_api_msg_type.matcher.RegexMatcher>` type that provides a safe regex implementation for untrusted user input. This type is now used in all configuration that processes user provided input. See :ref:`deprecated configuration details <v1.12:deprecated>` for more information. * **router**: :ref:`scoped routing <v1.12:arch_overview_http_routing_route_scope>` is supported. * **router**: added :ref:`respect_expected_rq_timeout <v1.12:envoy_api_field_config.filter.http.router.v2.Router.respect_expected_rq_timeout>` that instructs ingress Envoy to respect :ref:`config_http_filters_router_x-envoy-expected-rq-timeout-ms` header, populated by egress Envoy, when deriving timeout for upstream cluster. * **router**: added :ref:`rq_retry_skipped_request_not_complete <v1.12:config_http_filters_router_stats>` counter stat to router stats. * **router**: added ability for most specific header mutations to take precedence, see :ref:`route configuration's most specific header mutations wins flag <v1.12:envoy_api_field_RouteConfiguration.most_specific_header_mutations_wins>`. * **router**: added new :ref:`retriable request headers <v1.12:envoy_api_field_route.RetryPolicy.retriable_request_headers>` to retry policies. Retries can now be configured to only trigger on request header match. * **router**: added new :ref:`retriable request headers <v1.12:envoy_api_field_route.Route.per_request_buffer_limit_bytes>` to route configuration, to allow limiting buffering for retries and shadowing. * **router**: added new :ref:`retriable-headers <v1.12:config_http_filters_router_x-envoy-retry-on>` retry policy. Retries can now be configured to trigger by arbitrary response header matching. * **router**: added the ability to match a route based on whether a TLS certificate has been :ref:`presented <v1.12:envoy_api_field_route.RouteMatch.TlsContextMatchOptions.presented>` by the downstream connection. * **router check tool**: added comprehensive coverage reporting. * **router check tool**: added coverage reporting & enforcement. * **router check tool**: added coverage reporting for direct response routes. * **router check tool**: added deprecated field check. * **router check tool**: added flag for only printing results of failed tests. * **router check tool**: added support for outputting missing tests in the detailed coverage report. * **runtime**: allows for the ability to parse boolean values. * **runtime**: allows for the ability to parse integers as double values and vice-versa. * **sds**: added :ref:`session_ticket_keys_sds_secret_config <v1.12:envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys_sds_secret_config>` for loading TLS Session Ticket Encryption Keys using SDS API. * **server**: added :ref:`per-handler listener stats <v1.12:config_listener_stats_per_handler>` and :ref:`per-worker watchdog stats <v1.12:operations_performance_watchdog>` to help diagnosing event loop imbalance and general performance issues. * **server**: added a post initialization lifecycle event, in addition to the existing startup and shutdown events. * **stats**: added unit support to histogram. * **tcp_proxy**: the default :ref:`idle_timeout <v1.12:envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.idle_timeout>` is now 1 hour. * **thrift_proxy**: added support for stripping service name from method when using the multiplexed protocol. * **thrift_proxy**: fixed crashing bug on invalid transport/protocol framing. * **tls**: added verification of IP address SAN fields in certificates against configured SANs in the certificate validation context. * **tracing**: added :ref:`max_path_tag_length <v1.12:envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.tracing>` to support customizing the length of the request path included in the extracted `http.url <https://github.com/opentracing/specification/blob/master/semantic_conventions.md#standard-span-tags-and-log-fields>`_ tag. * **tracing**: added support to the Zipkin reporter for sending list of spans as Zipkin JSON v2 and protobuf message over HTTP. certificate validation context. * **tracing**: added tags for gRPC response status and message. * **upstream**: added :ref:`an option <v1.12:envoy_api_field_Cluster.CommonLbConfig.close_connections_on_host_set_change>` that allows draining HTTP, TCP connection pools on cluster membership change. * **upstream**: added :ref:`fail_traffic_on_panic <v1.12:envoy_api_field_Cluster.CommonLbConfig.ZoneAwareLbConfig.fail_traffic_on_panic>` to allow failing all requests to a cluster during panic state. * **upstream**: added :ref:`transport_socket_matches <v1.12:envoy_api_field_Cluster.transport_socket_matches>`, support using different transport socket config when connecting to different upstream endpoints within a cluster. * **upstream**: added network filter chains to upstream connections, see :ref:`filters <v1.12:envoy_api_field_Cluster.filters>`. * **upstream**: added new :ref:`failure-percentage based outlier detection <v1.12:arch_overview_outlier_detection_failure_percentage>` mode. * **upstream**: uses p2c to select hosts for least-requests load balancers if all host weights are the same, even in cases where weights are not equal to 1. * **zookeeper**: parses responses and emits latency stats. Deprecated ---------- * **cluster**: The ``pattern`` and ``method`` fields in :ref:`VirtualCluster <v1.12:envoy_api_msg_route.VirtualCluster>` have been deprecated in favor of the ``headers`` field. * **cors**: The ``allow_origin`` and ``allow_origin_regex`` fields in :ref:`CorsPolicy <v1.12:envoy_api_msg_route.CorsPolicy>` have been deprecated in favor of the ``allow_origin_string_match`` field. * **ext_authz**: Ext_authz filter stats ``ok``, ``error``, ``denied``, ``failure_mode_allowed`` in ``cluster.<route target cluster>.ext_authz.`` namespace is deprecated. Use ``http.<stat_prefix>.ext_authz.`` namespace to access same counters instead. * **grpc**: The use of :ref:`gRPC bridge filter <v1.12:config_http_filters_grpc_bridge>` for gRPC stats has been deprecated in favor of the dedicated :ref:`gRPC stats filter <v1.12:config_http_filters_grpc_stats>`. * **health_check**: The ``use_http2`` field in :ref:`HTTP health checker <v1.12:envoy_api_msg_core.HealthCheck.HttpHealthCheck>` has been deprecated in favor of the ``codec_client_type`` field. * **listener**: The ``operation_name`` field in :ref:`HTTP connection manager <v1.12:envoy_api_msg_config.filter.network.http_connection_manager.v2.HttpConnectionManager>` has been deprecated in favor of the ``traffic_direction`` field in :ref:`Listener <v1.12:envoy_api_msg_Listener>`. The latter takes priority if specified. * **load_balancing**: The ``ORIGINAL_DST_LB`` :ref:`load balancing policy <v1.12:envoy_api_field_Cluster.lb_policy>` is deprecated, use CLUSTER_PROVIDED policy instead when configuring an :ref:`original destination cluster <v1.12:envoy_api_field_Cluster.type>`. * **matching**: The ``regex_match`` field in :ref:`HeaderMatcher <v1.12:envoy_api_msg_route.HeaderMatcher>` has been deprecated in favor of the ``safe_regex_match`` field. * **matching**: The ``regex`` field in :ref:`StringMatcher <v1.12:envoy_api_msg_type.matcher.StringMatcher>` has been deprecated in favor of the ``safe_regex`` field. * **matching**: The ``value`` and ``regex`` fields in :ref:`QueryParameterMatcher <v1.12:envoy_api_msg_route.QueryParameterMatcher>` has been deprecated in favor of the ``string_match`` and ``present_match`` fields. * **options**: The :option:`--allow-unknown-fields` command-line option, use :option:`--allow-unknown-static-fields` instead. * **routing**: The ``regex`` field in :ref:`RouteMatch <v1.12:envoy_api_msg_route.RouteMatch>` has been deprecated in favor of the ``safe_regex`` field. * **tls**: The ``tls_context`` field in :ref:`Filter chain <v1.12:envoy_api_field_listener.FilterChain.tls_context>` message and :ref:`Cluster <v1.12:envoy_api_field_Cluster.tls_context>` message have been deprecated in favor of ``transport_socket`` with name ``envoy.transport_sockets.tls``. The latter takes priority if specified. * **udpa**: Use of ``google.protobuf.Struct`` for extension opaque configs is deprecated. Use ``google.protobuf.Any`` instead or pack ``udpa.type.v1.TypedStruct`` in ``google.protobuf.Any``. * **zipkin**: The use of ``HTTP_JSON_V1`` :ref:`Zipkin collector endpoint version <v1.12:envoy_api_field_config.trace.v2.ZipkinConfig.collector_endpoint_version>` or not explicitly specifying it is deprecated, use ``HTTP_JSON`` or ``HTTP_PROTO`` instead.