diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 0fd38d4c3db81..53020d881d40f 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml 
@@ -3,41 +3,43 @@ date: Pending behavior_changes: - area: tls-inspector change: | - the listener filter tls inspector's stats ``connection_closed`` and ``read_error`` are removed. New stats are introduced for listener, ``downstream_peek_remote_close`` and ``read_error``, in :ref:`listener stats `. + the listener filter tls inspector's stats ``connection_closed`` and ``read_error`` are removed. New stats are introduced for listener, + ``downstream_peek_remote_close`` and ``read_error``, in :ref:`listener stats `. - area: config change: | multiple SDS resources of multiple clusters or listeners are sent in a single SDS requests, instead of multiple SDS requests. - This behavioral change can be reverted by setting ``envoy.reloadable_features.combine_sds_requests`` to false. + This behavioral change can be reverted by setting ``envoy.reloadable_features.combine_sds_requests`` to ``false``. - area: stats listener change: | fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from - envoy_listener_myprefix_downstream_cx_overflow{} to envoy_listener_downstream_cx_overflow{envoy_listener_address="myprefix"}. + ``envoy_listener_myprefix_downstream_cx_overflow{}`` to ``envoy_listener_downstream_cx_overflow{envoy_listener_address="myprefix"}``. This does not affect the Prometheus name if ``stat_prefix`` is not set. - area: stats listener change: | fixed metric tag extraction so that ``worker_id`` is properly extracted from the listener stats. This changes the Prometheus name from - envoy_listener_worker_1_downstream_cx_active{envoy_listener_address="0.0.0.0_10000"} to envoy_listener_downstream_cx_active{envoy_listener_address="0.0.0.0_10000", envoy_worker_id="1"} . + ``envoy_listener_worker_1_downstream_cx_active{envoy_listener_address="0.0.0.0_10000"}`` + to ``envoy_listener_downstream_cx_active{envoy_listener_address="0.0.0.0_10000", envoy_worker_id="1"}``. 
- area: stats server change: | fixed metric tag extraction so that ``worker_id`` is properly extracted fromt the server stats. This changes the Prometheus name from - envoy_server_worker_1_watchdog_miss{} to envoy_server_watchdog_miss{envoy_worker_id="1"}. + ``envoy_server_worker_1_watchdog_miss{}`` to ``envoy_server_watchdog_miss{envoy_worker_id="1"}``. - area: stats thrift_proxy change: | fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from - envoy_thrift_myprefix_request{} to envoy_thrift_request{envoy_thrift_prefix="myprefix"}. + ``envoy_thrift_myprefix_request{}`` to ``envoy_thrift_request{envoy_thrift_prefix="myprefix"}``. - area: stats redis_proxy change: | fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from - envoy_redis_myprefix_command_pttl_latency_sum{} to envoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}. + ``envoy_redis_myprefix_command_pttl_latency_sum{}`` to ``envoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}``. - area: router change: | updated all HTTP filters to get per-filter config by the :ref:`HTTP filter config name `. If there is no entry referred by the filter config name, the canonical filter name - (e.g., *envoy.filters.http.buffer* for the HTTP buffer filter) will be used for the backwards + (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) will be used for the backwards compatibility. - area: router change: | 
@@ -53,7 +55,9 @@ minor_behavior_changes: keep downstream connection if the response is completed without underflow. - area: tls change: | - if both :ref:`match_subject_alt_names ` and :ref:`match_typed_subject_alt_names ` are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error. + if both :ref:`match_subject_alt_names ` + and :ref:`match_typed_subject_alt_names ` + are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error. - area: tls change: | removed SHA-1 and RSA key transport cipher suites from the server-side defaults. 
@@ -63,17 +67,17 @@ minor_behavior_changes: field has been modified to extend the timeout when *any* frame is received on the owning HTTP/2 connection. This negates the effect of head-of-line (HOL) blocking for slow connections. If any frame is received the assumption is that the connection is working. This behavior change - can be reverted by setting ``envoy.reloadable_features.http2_delay_keepalive_timeout`` to false. + can be reverted by setting ``envoy.reloadable_features.http2_delay_keepalive_timeout`` to ``false``. - area: http change: | - changing the behavior for CONNECT and upgrade requests over HTTP/1.1 to not delay close. This behavioral change - can be reverted by setting ``envoy.reloadable_features.no_delay_close_for_upgrades`` to false. + changing the behavior for ``CONNECT`` and upgrade requests over HTTP/1.1 to not delay close. This behavioral change + can be reverted by setting ``envoy.reloadable_features.no_delay_close_for_upgrades`` to ``false``. - area: http change: | the :ref:`dynamo filter ` has been moved to :ref:`contrib images `. - area: http-cache change: | - http cache filter ``getCache`` interface changed from returning a reference to + HTTP cache filter ``getCache`` interface changed from returning a reference to returning a shared_ptr - any third-party implementations of this interface will need to be updated accordingly. See changes to ``simple_http_cache.cc`` and ``simple_http_cache.h`` in `PR21114 `_ for example. 
@@ -83,34 +87,34 @@ minor_behavior_changes: that loads shared object libraries, such as those installed via luarocks. - area: admin change: | - changed default regex engine for ``/stats?filter=`` from std::regex to RE2, improving + changed default regex engine for ``/stats?filter=`` from ``std::regex`` to RE2, improving filtering speed 20x. - area: skywalking change: | - use request path as operation name of ENTRY/EXIT spans. + use request path as operation name of ``ENTRY``/``EXIT`` spans. - area: skywalking change: | use upstream host address as ``addressUsedAtClient`` in propagation header. - area: dns change: | - allow propagating DNS responses with no records back to callers like strict_dns cluster, + allow propagating DNS responses with no records back to callers like ``strict_dns`` cluster, guarded by ``envoy.reloadable_features.cares_accept_nodata``. - area: local_ratelimit change: | - local_ratelimit will consume tokens of all matched descriptors sorted by tokens per second. + ``local_ratelimit`` will consume tokens of all matched descriptors sorted by tokens per second. This behavioral change can be reverted by setting runtime guard - ``envoy.reloadable_features.http_local_ratelimit_match_all_descriptors`` to false. + ``envoy.reloadable_features.http_local_ratelimit_match_all_descriptors`` to ``false``. - area: router change: | get route config factories by the configuration proto full names by default. This behavior change can be reverted by setting the ``envoy.reloadable_features.get_route_config_factory_by_type`` - runtime flag to false. + runtime flag to ``false``. - area: lua change: | lua ``respond`` api will call ``sendLocalReply`` instead of ``encodeHeaders`` and ``encodeData``. This means that encoder filters will be correctly invoked, including adding configured response headers, etc. This behavioral change can be reverted by setting runtime guard - ``envoy.reloadable_features.lua_respond_with_send_local_reply`` to false. 
+ ``envoy.reloadable_features.lua_respond_with_send_local_reply`` to ``false``. - area: logging change: | changed flag ``--log-format-escaped`` to only log one trailing newline per log line. @@ -123,16 +127,21 @@ minor_behavior_changes: filter state objects with the upstream info explicit via an extra flag in ``setData``. - area: tracers change: | - remove unnecessary "spawnChild" annotations in OpenCensus tracer. + remove unnecessary ``spawnChild`` annotations in OpenCensus tracer. - area: conn pool change: | - changed HTTP/2 connection pooling and the :ref:`ALPN pool ` to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, and then will cache that the effective stream limit is 1. This behavioral change can be revered by setting ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to false. + changed HTTP/2 connection pooling and the :ref:`ALPN pool ` + to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. + With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, + and then will cache that the effective stream limit is ``1``. This behavioral change can be revered by setting + ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to ``false``. - area: network change: | the :ref:`client ssl auth filter ` has been moved to :ref:`contrib images `. - area: tcp_proxy change: | - added support for command operators in :ref:`TunnelingConfig hostname ` to dynamically set upstream hostname. + added support for command operators in :ref:`TunnelingConfig hostname ` + to dynamically set upstream hostname. bug_fixes: - area: grpc_json_transcoder 
@@ -141,7 +150,7 @@ bug_fixes: - area: http change: | fixed HTTP/2 CONNECT to be RFC compliant, rather than following the abandoned extended connect draft. - This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.use_rfc_connect`` to false. + This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.use_rfc_connect`` to ``false``. - area: decompression change: | fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were @@ -163,12 +172,12 @@ bug_fixes: access token attached to the request. - area: oauth change: | - fixed CVE-2022-29228: oauth filter calls continueDecoding() from within decodeHeaders(). The + fixed CVE-2022-29228: oauth filter calls ``continueDecoding()`` from within ``decodeHeaders()``. The OAuth filter would try to invoke the remaining filters in the chain after emitting a local - response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. + response, which triggers an ``ASSERT()`` in newer versions and corrupts memory on earlier versions. - area: health_check change: | - fixed CVE-2022-29224: Segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server + fixed CVE-2022-29224: Segfault in ``GrpcHealthCheckerImpl``. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances. - area: runtime 
@@ -177,10 +186,10 @@ bug_fixes: Runtime singleton status is now guarded by non-inverted ``envoy.restart_features.remove_runtime_singleton``. - area: tcp_proxy change: | - fixed an issue using the cluster wide CONNECT termination so it will successfully proxy payloads. + fixed an issue using the cluster wide ``CONNECT`` termination so it will successfully proxy payloads. - area: upstream change: | - fixed the LOGICAL_DNS and STRICT_DNS clusters to work for IPv6. + fixed the ``LOGICAL_DNS`` and ``STRICT_DNS`` clusters to work for IPv6. - area: aws_lambda change: | fixed the AWS cross account lambda function invocation issue. 
@@ -223,26 +232,37 @@ removed_config_or_runtime: new_features: - area: lua change: | - added new function :ref:`timestampString ` returning the time since epoch as a string. Supported - resolutions are millisecond and microsecond. + added new function :ref:`timestampString ` + returning the time since epoch as a string. Supported resolutions are millisecond and microsecond. - area: access_log change: | - added formatters for :ref:`UPSTREAM_METADATA` and :ref:`METADATA(UPSTREAM_HOST)`. + added formatters for :ref:`UPSTREAM_METADATA` + and :ref:`METADATA(UPSTREAM_HOST)`. - area: access_log change: | - added new access_log command operators to retrieve upstream connection information change: ``%UPSTREAM_PROTOCOL%``, ``%UPSTREAM_PEER_SUBJECT%``, ``%UPSTREAM_PEER_ISSUER%``, ``%UPSTREAM_TLS_SESSION_ID%``, ``%UPSTREAM_TLS_CIPHER%``, ``%UPSTREAM_TLS_VERSION%``, ``%UPSTREAM_PEER_CERT_V_START%``, ``%UPSTREAM_PEER_CERT_V_END%``, ``%UPSTREAM_PEER_CERT%` and ``%UPSTREAM_FILTER_STATE%``. + added new ``access_log`` command operators to retrieve upstream connection information change: + ``%UPSTREAM_PROTOCOL%``, ``%UPSTREAM_PEER_SUBJECT%``, ``%UPSTREAM_PEER_ISSUER%``, ``%UPSTREAM_TLS_SESSION_ID%``, + ``%UPSTREAM_TLS_CIPHER%``, ``%UPSTREAM_TLS_VERSION%``, ``%UPSTREAM_PEER_CERT_V_START%``, ``%UPSTREAM_PEER_CERT_V_END%``, + ``%UPSTREAM_PEER_CERT%`` and ``%UPSTREAM_FILTER_STATE%``. - area: open_telemetry change: | - added :ref:`resource_attributes ` configuration to OpenTelemetry. + added :ref:`resource_attributes ` + configuration to OpenTelemetry. - area: dns_resolver change: | - added :ref:`include_unroutable_families` to the Apple DNS resolver. + added :ref:`include_unroutable_families` + to the Apple DNS resolver. - area: dns_resolver change: | - added support for multiple addresses. 
This is most valuable when used in conjunction with :ref:`ALL ` enabling full happy eyeballs support for Envoy (see detailed documentation :ref:`here ` but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to false. -- area: dns_resolver + added support for multiple addresses. This is most valuable when used in conjunction with + :ref:`ALL ` enabling full happy eyeballs support + for Envoy (see detailed documentation :ref:`here ` but will also result in trying multiple addresses + for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard + ``envoy.restart_features.remove_runtime_singleton`` to ``false``. change: | - added :ref:`GetAddrInfoDnsResolverConfig `, a new DNS resolver that uses the system's getaddrinfo() function to resolve DNS. This was primarily added for use on Android but can also be used in other situations in which the system resolver is desired. + added :ref:`GetAddrInfoDnsResolverConfig `, + a new DNS resolver that uses the system's ``getaddrinfo()`` function to resolve DNS. This was primarily added for use on Android + but can also be used in other situations in which the system resolver is desired. - area: dubbo_proxy change: | added :ref:`dynamic routes discovery ` support to dubbo proxy. 
@@ -251,25 +271,37 @@ new_features: added support for per-route :ref:`grpc_service `. - area: http change: | - added new :ref:`file_system_buffer ` http filter. + added new :ref:`file_system_buffer ` HTTP filter. - area: http change: | - added a :ref:`send_fully_qualified_url ` configuration option to send absolute URLs for HTTP/1.1. + added a :ref:`send_fully_qualified_url ` configuration option + to send absolute URLs for HTTP/1.1. - area: http change: | - preserve case header formatter support innner formatter on Envoy headers in :ref:`formatter_type_on_envoy_headers `. + preserve case header formatter support innner formatter on Envoy headers in + :ref:`formatter_type_on_envoy_headers `. - area: http3 change: | - added :ref:`early_data_policy ` extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the :ref:`default extension ` is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, the Envoy will not automatically retry them. If desired, explicitly config their :ref:`retry_policy `. Sending early data requires both ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and ``envoy.reloadable_features.http3_sends_early_data`` runtime flags to be set to true. + added :ref:`early_data_policy ` extension to allow upstream HTTP/3 sending + requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host + if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports + TCP fallback, the request may be retried automatically. 
If the :ref:`default extension ` + is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, + the Envoy will not automatically retry them. If desired, explicitly config their :ref:`retry_policy `. + Sending early data requires both ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and ``envoy.reloadable_features.http3_sends_early_data`` + runtime flags to be set to ``true``. - area: listener change: | - added :ref:`dynamic listener filter configuration` for listener filters. This dynamic listener filter configuration is only supported by TCP listeners. + added :ref:`dynamic listener filter configuration ` + for listener filters. This dynamic listener filter configuration is only supported by TCP listeners. - area: redis change: | - added support for multiple passwords to the redis proxy. See :ref:`downstream_auth_passwords `. + added support for multiple passwords to the redis proxy. See + :ref:`downstream_auth_passwords `. - area: thrift change: | - added :ref:`close_downstream_on_upstream_error ` flag to router to control downstream local close. + added :ref:`close_downstream_on_upstream_error ` + flag to router to control downstream local close. - area: thrift change: | added support for access logging for :ref:`Thrift Proxy `. 
@@ -287,13 +319,16 @@ new_features: introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message. - area: on_demand change: | - :ref:`OnDemand ` got extended to hold configuration for on-demand cluster discovery. A similar message for :ref:`per-route configuration ` is also added. + :ref:`OnDemand ` got extended to hold configuration for on-demand cluster discovery. + A similar message for :ref:`per-route configuration ` is also added. - area: proxy_protcol change: | - added :ref:`allow_requests_without_proxy_protocol` to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag. + added :ref:`allow_requests_without_proxy_protocol` + to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag. - area: udp change: | - added :ref:`udp_packet_packet_writer_config ` config to specify the UDP packet writer factory. + added :ref:`udp_packet_packet_writer_config ` + config to specify the UDP packet writer factory. - area: build change: | enabled building arm64 envoy-distroless and envoy-tools :ref:`docker images `. 
@@ -305,10 +340,13 @@ new_features: added support for :ref:`HTTP matching input functions ` as descriptor producers. - area: http change: | - added :ref:`cluster_header ` in :ref:`request_mirror_policies ` to allow routing shadow request to the cluster specified in the request_header. + added :ref:`cluster_header ` in + :ref:`request_mirror_policies ` to allow routing shadow request + to the cluster specified in the request_header. - area: upstream change: | - added :ref:`internal upstream transport ` for passing metadata and filter state across the user space sockets and the internal listeners. + added :ref:`internal upstream transport ` + for passing metadata and filter state across the user space sockets and the internal listeners. - area: router change: | added :ref:`keep_empty_value ` to allow keeping empty values in custom headers. @@ -317,7 +355,9 @@ new_features: added :ref:`metadata_match ` support to the dubbo proxy. - area: network change: | - extended conection balancer with :ref:`extend balance `, and added :ref:`Dlb connection balancer ` to use `DLB `_ hardware to balance. + extended conection balancer with :ref:`extend balance `, + and added :ref:`Dlb connection balancer ` to use + `DLB `_ hardware to balance. - area: router change: | added :ref:`stat_prefix ` support to generate route level statistics. 
@@ -334,19 +374,31 @@ new_features: added :ref:`matcher ` for selecting connections and requests to different actions. - area: http change: | - added :ref:`treat_missing_header_as_empty ` to allow header match rule to treat the header value as empty and apply the match rule when the header is missing. + added :ref:`treat_missing_header_as_empty ` + to allow header match rule to treat the header value as empty and apply the match rule when the header is missing. - area: thrift change: | - added ``validate_clusters`` in :ref:`RouteConfiguration ` to override the default behavior of cluster validation. + added ``validate_clusters`` in :ref:`RouteConfiguration ` + to override the default behavior of cluster validation. - area: admin change: | added compile-time option ``--define=admin_html=disabled`` to disable HTML home page. - area: router change: | - added :ref:`ignore_port_in_host_matching `. When set to true, port number (if any) in host header is ignored during host matching. + added :ref:`ignore_port_in_host_matching `. When set to ``true``, + port number (if any) in host header is ignored during host matching. - area: router change: | - added :ref:`ignore_path_parameters_in_path_matching `. When set to true, path-parameters(`rfc1808 `_) is ignored during path matching. + added :ref:`ignore_path_parameters_in_path_matching `. + When set to ``true``, path-parameters(`rfc1808 `_) is ignored during path matching. + added :ref:`ignore_path_parameters_in_path_matching `. + When set to ``true``, path-parameters(rfc1808) is ignored during path matching. +- area: examples + change: | + fixed issues with documentation/compositions usage of ``docker-compose pull``. +- area: examples + change: | + updated many examples and added dependency checking. deprecated: - area: dubbo_proxy 
@@ -360,7 +412,8 @@ deprecated: ``envoy.http.stateful_header_formatters.preserve_case``. - area: matching change: | - :ref:`google_re2 ` has been deprecated. A default regex engine can be set using :ref:`default_regex_engine `. + :ref:`google_re2 ` has been deprecated. A default regex engine can be set using + :ref:`default_regex_engine `. - area: redis change: | deprecated :ref:`downstream_auth_password `. Please use
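Review bot: in the `@@ -223,26 +232,37 @@ new_features` hunk the removed `-- area: dns_resolver` line has no `+` counterpart, so the "added support for multiple addresses" entry and the `GetAddrInfoDnsResolverConfig` entry collapse into a single list item with two `change: |` keys; a duplicate key is invalid YAML and the changelog tooling will reject it. Restore `- area: dns_resolver` immediately before the second `change: |`. While this entry is being rewrapped, two more things in it deserve a look: it claims the multi-address behaviour is disabled via ``envoy.restart_features.remove_runtime_singleton``, which is the runtime-singleton guard named in the `runtime` bug_fixes entry of this same file (`@@ -177,10 +186,10 @@`), so this reads like a copy-paste and the correct DNS guard should be confirmed with the feature author; and the parenthesis in "(see detailed documentation :ref:`here ` but will also result" is never closed.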
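Review bot: in the `@@ -334,19 +374,31 @@ new_features` hunk the `ignore_path_parameters_in_path_matching` entry is added twice: the rewrapped original (with the `rfc1808` link intact) is followed by a second `+ added :ref:`ignore_path_parameters_in_path_matching `.` / `+ When set to ``true``, path-parameters(rfc1808) is ignored during path matching.` pair that has lost the link. This looks like a rebase leftover; drop the second copy so the router section does not list the same feature twice.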
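Review bot: several `+` lines carry over typos from the lines they replace, and since the lines are being rewritten anyway they should be fixed in the same pass: "extracted fromt the server stats" (`@@ -3,41 +3,43 @@`, stats server entry), "can be revered by setting" (`@@ -123,16 +127,21 @@`, conn pool entry), "support innner formatter" (`@@ -251,25 +271,37 @@`, preserve-case entry), "extended conection balancer" (`@@ -317,7 +355,9 @@`, network entry) and the area name `proxy_protcol` (`@@ -287,13 +319,16 @@`), which should be `proxy_protocol` to match the extension's name elsewhere in the docs.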
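Review bot: a few consistency nits in the otherwise mechanical backtick pass. In the `@@ -63,17 +67,17 @@` http-cache entry "returning a shared_ptr" is left without the double backticks the rest of this PR applies to identifiers (``shared_ptr``), and "`PR21114 `_" would read better as "PR #21114". In the `@@ -251,25 +271,37 @@` http3 entry "the Envoy will not automatically retry them" should drop the article and "explicitly config their :ref:`retry_policy`" should be "configure". In the `@@ -334,19 +374,31 @@` router entry "path-parameters(`rfc1808 `_)" needs a space before the parenthesis and "is ignored" should agree with the plural ("are ignored").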