diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 70002bc7054e8..b0b5c60112803 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml 
@@ -3,33 +3,33 @@ date: Pending behavior_changes: - area: tls-inspector change: | - the listener filter tls inspector's stats ``connection_closed`` and ``read_error`` are removed. The new stats are introduced for listener, ``downstream_peek_remote_close`` and ``read_error`` :ref:`listener stats `. + the listener filter tls inspector's stats ``connection_closed`` and ``read_error`` are removed. New stats are introduced for listener, ``downstream_peek_remote_close`` and ``read_error``, in :ref:`listener stats `. - area: config change: | - Multiple SDS resources of multiple clusters or listeners are sent in a single SDS requests, instead of multiple SDS requests. + multiple SDS resources of multiple clusters or listeners are sent in a single SDS requests, instead of multiple SDS requests. This behavioral change can be reverted by setting ``envoy.reloadable_features.combine_sds_requests`` to false. - area: stats listener change: | - Fixed metric tag extraction so that :ref:stat_prefix + fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from envoy_listener_myprefix_downstream_cx_overflow{} to envoy_listener_downstream_cx_overflow{envoy_listener_address="myprefix"}. - This does not affect the Prometheus name if stat_prefix is not set. + This does not affect the Prometheus name if ``stat_prefix`` is not set. - area: stats listener change: | - Fixed metric tag extraction so that worker_id is properly extracted from the listener stats. This changes the Prometheus name from + fixed metric tag extraction so that ``worker_id`` is properly extracted from the listener stats. This changes the Prometheus name from envoy_listener_worker_1_downstream_cx_active{envoy_listener_address="0.0.0.0_10000"} to envoy_listener_downstream_cx_active{envoy_listener_address="0.0.0.0_10000", envoy_worker_id="1"} . - area: stats server change: | - Fixed metric tag extraction so that worker_id is properly extracted fromt the server stats. 
This changes the Prometheus name from + fixed metric tag extraction so that ``worker_id`` is properly extracted fromt the server stats. This changes the Prometheus name from envoy_server_worker_1_watchdog_miss{} to envoy_server_watchdog_miss{envoy_worker_id="1"}. - area: stats thrift_proxy change: | - Fixed metric tag extraction so that :ref:`stat_prefix ` + fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from envoy_thrift_myprefix_request{} to envoy_thrift_request{envoy_thrift_prefix="myprefix"}. - area: stats redis_proxy change: | - Fixed metric tag extraction so that :ref:`stat_prefix ` + fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from envoy_redis_myprefix_command_pttl_latency_sum{} to envoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}. - area: tcp_proxy @@ -37,16 +37,13 @@ behavior_changes: added support for command operators in :ref:`TunnelingConfig hostname ` to dynamically set upstream hostname. - area: router change: | - Update all HTTP filters to get per-filter config by the :ref:`HTTP filter config name + updated all HTTP filters to get per-filter config by the :ref:`HTTP filter config name `. If there is no entry referred by the filter config name, the canonical filter name (e.g., *envoy.filters.http.buffer* for the HTTP buffer filter) will be used for the backwards compatibility. minor_behavior_changes: -- area: thrift - change: | - add validate_clusters in :ref:`RouteConfiguration ` to override the default behavior of cluster validation. - area: thrift change: | keep downstream connection if the response is completed without underflow. 
@@ -62,8 +59,7 @@ minor_behavior_changes: field has been modified to extend the timeout when *any* frame is received on the owning HTTP/2 connection. This negates the effect of head-of-line (HOL) blocking for slow connections. If any frame is received the assumption is that the connection is working. This behavior change - can be reverted by setting the ``envoy.reloadable_features.http2_delay_keepalive_timeout`` runtime - flag to false. + can be reverted by setting ``envoy.reloadable_features.http2_delay_keepalive_timeout`` to false. - area: http change: | changing the behavior for CONNECT and upgrade requests over HTTP/1.1 to not delay close. This behavioral change @@ -77,10 +73,6 @@ minor_behavior_changes: returning a shared_ptr - any third-party implementations of this interface will need to be updated accordingly. See changes to ``simple_http_cache.cc`` and ``simple_http_cache.h`` in `PR21114 `_ for example. -- area: lua - change: | - new function ``timestampString`` returning the time since epoch as a string. Supported - resolutions are millisecond and microsecond. - area: lua change: | export symbols of LuaJit by default on Linux. This is useful in cases where you have a lua script @@ -89,9 +81,6 @@ minor_behavior_changes: change: | changed default regex engine for ``/stats?filter=`` from std::regex to RE2, improving filtering speed 20x. -- area: admin - change: | - added compile-time option ``--define=admin_html=disabled`` to disable HTML home page. - area: skywalking change: | use request path as operation name of ENTRY/EXIT spans. 
@@ -112,11 +101,6 @@ minor_behavior_changes: get route config factories by the configuration proto full names by default. This behavior change can be reverted by setting the ``envoy.reloadable_features.get_route_config_factory_by_type`` runtime flag to false. - change: | - add an ignore_port_in_host_matching config entry in RouteConfiguration. When set to true, port number(if any) in host - header is ignored during host matching. - change: | - add an ignore_path_parameters_in_path_matching config entry in RouteConfiguration. When set to true, path-parameters(rfc1808) is ignored during path matching. - area: lua change: | lua ``respond`` api will call ``sendLocalReply`` instead of ``encodeHeaders`` and ``encodeData``. 
@@ -136,16 +120,21 @@ minor_behavior_changes: - area: tracers change: | remove unnecessary "spawnChild" annotations in OpenCensus tracer. +- area: conn pool + change: | + changed HTTP/2 connection pooling and the :ref:`ALPN pool ` to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, and then will cache that the effective stream limit is 1. This behavioral change can be revered by setting ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to false. +- area: network + change: | + the :ref:`client ssl auth filter ` has been moved to :ref:`contrib images `. bug_fixes: - area: grpc_json_transcoder change: | - Response with a error messsage if a proto message is too deep (>64). Before the fix the response is an empty JSON. + respond with a error messsage if a proto message is too deep (>64). Before the fix the response was an empty JSON. - area: http change: | - Fixed HTTP/2 CONNECT to be RFC compliant, rather than following the abandoned extended connect draft. + fixed HTTP/2 CONNECT to be RFC compliant, rather than following the abandoned extended connect draft. This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.use_rfc_connect`` to false. - - area: decompression change: | Fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were 
@@ -177,17 +166,20 @@ bug_fixes: in certain circumstances. - area: runtime change: | - Fixed a bug where was ``envoy.restart_features.no_runtime_singleton`` was inverted. + fixed a bug where ``envoy.restart_features.no_runtime_singleton`` was inverted. Runtime singleton status is now guarded by non-inverted ``envoy.restart_features.remove_runtime_singleton``. - area: tcp_proxy change: | - Fixed an issue using the cluster wide CONNECT termination so it will successfully proxy payloads. + fixed an issue using the cluster wide CONNECT termination so it will successfully proxy payloads. - area: upstream change: | - Fixed the LOGICAL_DNS and STRICT_DNS clusters to work for IPv6. + fixed the LOGICAL_DNS and STRICT_DNS clusters to work for IPv6. - area: aws_lambda change: | - Fixed the AWS cross account lambda function invocation issue. + fixed the AWS cross account lambda function invocation issue. +- area: tls + change: | + fixed a bug where an expired certificate sets a big number for ``days_until_expiration``. After this fix, ``0`` is set. removed_config_or_runtime: - area: compressor 
@@ -198,19 +190,16 @@ removed_config_or_runtime: removed ``envoy.reloadable_features.use_dns_ttl`` and legacy code paths. - area: ext_authz change: | - removed ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard and legacy code paths. + removed ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` and legacy code paths. - area: http change: | - deprecated ``envoy.reloadable_features.correct_scheme_and_xfp`` and legacy code paths. + removed ``envoy.reloadable_features.correct_scheme_and_xfp`` and legacy code paths. - area: http change: | - deprecated ``envoy.reloadable_features.validate_connect`` and legacy code paths. + removed ``envoy.reloadable_features.validate_connect`` and legacy code paths. - area: tcp_proxy change: | removed ``envoy.reloadable_features.new_tcp_connection_pool`` and legacy code paths. -- area: tls - change: | - fixed a bug when a certificate is invalid, ``days_until_expiration`` reports a big number. After this fix, when a certificate expires, it reports as ``0``. - area: conn pool change: | removed ``envoy.reloadable_features.conn_pool_delete_when_idle`` and legacy code paths. 
@@ -219,30 +208,37 @@ removed_config_or_runtime: removed ``envoy.restart_features.no_runtime_singleton`` and replaced with ``envoy.restart_features.remove_runtime_singleton``. new_features: +- area: lua + change: | + added new function ``timestampString`` returning the time since epoch as a string. Supported + resolutions are millisecond and microsecond. - area: access_log change: | added formatters for :ref:`UPSTREAM_METADATA` and :ref:`METADATA(UPSTREAM_HOST)`. - area: access_log change: | added new access_log command operators to retrieve upstream connection information change: ``%UPSTREAM_PROTOCOL%``, ``%UPSTREAM_PEER_SUBJECT%``, ``%UPSTREAM_PEER_ISSUER%``, ``%UPSTREAM_TLS_SESSION_ID%``, ``%UPSTREAM_TLS_CIPHER%``, ``%UPSTREAM_TLS_VERSION%``, ``%UPSTREAM_PEER_CERT_V_START%``, ``%UPSTREAM_PEER_CERT_V_END%``, ``%UPSTREAM_PEER_CERT%` and ``%UPSTREAM_FILTER_STATE%``. +- area: open_telemetry change: | - added configuration for OpenTelemetry :ref:`resource_attributes `. + added :ref:`resource_attributes ` configuration to OpenTelemetry. - area: dns_resolver change: | added :ref:`include_unroutable_families` to the Apple DNS resolver. +- area: dns_resolver change: | added support for multiple addresses. This is most valuable when used in conjunction with :ref:`ALL ` enabling full happy eyeballs support for Envoy (see detailed documentation :ref:`here ` but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to false. - area: dubbo_proxy change: | - added :ref:`dynamic routes discovery ` support to the dubbo proxy. + added :ref:`dynamic routes discovery ` support to dubbo proxy. - area: ext_proc change: | added support for per-route :ref:`grpc_service `. - area: http change: | added new :ref:`file_system_buffer ` http filter. 
+- area: http change: | - added a :ref:`configuration option ` to send absolute URLs for HTTP/1.1. + added a :ref:`send_fully_qualified_url ` configuration option to send absolute URLs for HTTP/1.1. - area: http change: | preserve case header formatter support innner formatter on Envoy headers in :ref:`formatter_type_on_envoy_headers `. 
@@ -251,13 +247,13 @@ new_features: added :ref:`early_data_policy ` extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the :ref:`default extension ` is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, the Envoy will not automatically retry them. If desired, explicitly config their :ref:`retry_policy `. This feature requires both ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and ``envoy.reloadable_features.http3_sends_early_data`` to be turned on. - area: listener change: | - added dynamic listener filter configuration for listener filters. :ref:`dynamic listener filter re-configuration`. This dynamic listener filter configuration is only supported in TCP listeners. + added :ref:`dynamic listener filter re-configuration` for listener filters. This dynamic listener filter configuration is only supported by TCP listeners. - area: redis change: | added support for multiple passwords to the redis proxy. See :ref:`downstream_auth_passwords `. - area: thrift change: | - added flag to router to control downstream local close. :ref:`close_downstream_on_upstream_error `. + added :ref:`close_downstream_on_upstream_error ` flag to router to control downstream local close. - area: thrift change: | added support for access logging. 
@@ -269,7 +265,7 @@ new_features: added support for propogating connection draining if local replies try to end downstream. - area: thrift change: | - added support onLocalReply to inform filters of local replies. + added onLocalReply support to inform filters of local replies. - area: thrift change: | introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message. @@ -281,7 +277,7 @@ new_features: added :ref:`allow_requests_without_proxy_protocol` to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag. - area: udp change: | - added config to specify the UDP packet writer factory. See :ref:`udp_packet_packet_writer_config `. + added :ref:`udp_packet_packet_writer_config ` config to specify the UDP packet writer factory. - area: build change: | enabled building arm64 envoy-distroless and envoy-tools :ref:`docker images `. @@ -294,9 +290,6 @@ new_features: - area: build change: | official released binary is now built with Clang 14.0.0. -- area: conn pool - change: | - Changed HTTP/2 connection pooling and the :ref:`ALPN pool ` to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, and then will cache that the effective stream limit is 1. This behavioral change can be revered by setting ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to false. - area: http change: | added :ref:`cluster_header ` in :ref:`request_mirror_policies ` to allow routing shadow request to the cluster specified in the request_header. 
@@ -318,12 +311,21 @@ new_features: - area: matching change : | added support for matching authenticated inputs in network and HTTP matching data. -- area: network - change: | - the :ref:`client ssl auth filter ` has been moved to :ref:`contrib images `. - area: rbac change: | added :ref:`matcher ` for selecting connections and requests to different actions. +- area: thrift + change: | + added ``validate_clusters`` in :ref:`RouteConfiguration ` to override the default behavior of cluster validation. +- area: admin + change: | + added compile-time option ``--define=admin_html=disabled`` to disable HTML home page. +- area: router + change: | + added :ref:`ignore_port_in_host_matching `. When set to true, port number (if any) in host header is ignored during host matching. +- area: router + change: | + added :ref:`ignore_path_parameters_in_path_matching `. When set to true, path-parameters(rfc1808) is ignored during path matching. deprecated: - area: dubbo_proxy
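Review bot: in the first hunk (changelogs/current.yaml, `@@ -3,33 +3,33 @@`), the rewritten stats server line still carries the typo "fromt": `+ fixed metric tag extraction so that ``worker_id`` is properly extracted fromt the server stats.` should read "from the server stats". In the same hunk the rewritten config entry keeps the number disagreement "sent in a single SDS requests"; since the line is being touched anyway, make it "a single SDS request".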
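Review bot: in the `@@ -136,16 +120,21 @@` hunk, the rewritten grpc_json_transcoder line reads `+ respond with a error messsage if a proto message is too deep (>64).`; use "an error message". The relocated conn pool entry in the same hunk says "This behavioral change can be revered by setting ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to false"; "revered" should be "reverted", which is the wording every other entry in this file uses.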
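Review bot: in the `@@ -219,30 +208,37 @@` hunk, the dns_resolver "added support for multiple addresses" entry (which this hunk gives its own `+- area: dns_resolver` header) says the change "can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to false". That flag is the runtime-singleton guard that the removed_config_or_runtime section of this same file introduces, not a DNS guard, so please confirm the flag name before merging rather than shipping a revert instruction that points operators at an unrelated feature. Two smaller points in the same hunk: the access_log operator list has unbalanced markup in ``%UPSTREAM_PEER_CERT%` (single closing backtick), and the rewritten listener line "only supported by TCP listeners" is fine but the preceding sentence still reads "added :ref:`dynamic listener filter re-configuration` for listener filters", which is redundant; "added :ref:`dynamic listener filter re-configuration`." would do.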
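Review bot: in the last hunk (`@@ -318,12 +311,21 @@`), the new router line `+ added :ref:`ignore_path_parameters_in_path_matching `. When set to true, path-parameters(rfc1808) is ignored during path matching.` needs a space before the parenthesis and plural agreement: "path parameters (RFC 1808) are ignored during path matching". Moving ``validate_clusters``, ``--define=admin_html=disabled`` and the two ``ignore_*`` matching options from minor_behavior_changes into new_features is the right categorization, since each is an opt-in addition rather than a change to default behavior.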