docs: updating changelog pre release - part2 #22205
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -32,9 +32,6 @@ behavior_changes: | |
| fixed metric tag extraction so that :ref:`stat_prefix <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.stat_prefix>` | ||
| is properly extracted. This changes the Prometheus name from | ||
| envoy_redis_myprefix_command_pttl_latency_sum{} to envoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}. | ||
| - area: router | ||
| change: | | ||
| updated all HTTP filters to get per-filter config by the :ref:`HTTP filter config name | ||
|
|
@@ -44,7 +41,7 @@ behavior_changes: | |
| compatibility. | ||
| - area: router | ||
| change: | | ||
| weighted cluster's :ref:`total_weight <envoy_v3_api_field_config.route.v3.WeightedCluster.total_weight>` is now | ||
| optional. If not set, Envoy will no longer validate that all weights add up to 100. The sum of | ||
| :ref:`weights <envoy_v3_api_field_config.route.v3.WeightedCluster.ClusterWeight.weight>` | ||
| across all entries in the clusters array must add up to the | ||
|
|
@@ -133,6 +130,9 @@ minor_behavior_changes: | |
| - area: network | ||
| change: | | ||
| the :ref:`client ssl auth filter <config_network_filters_client_ssl_auth>` has been moved to :ref:`contrib images <install_contrib>`. | ||
| - area: tcp_proxy | ||
| change: | | ||
| added support for command operators in :ref:`TunnelingConfig hostname <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig.hostname>` to dynamically set upstream hostname. | ||
|
|
||
| bug_fixes: | ||
| - area: grpc_json_transcoder | ||
|
|
@@ -144,31 +144,31 @@ bug_fixes: | |
| This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.use_rfc_connect`` to false. | ||
| - area: decompression | ||
| change: | | ||
| fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were | ||
| susceptible to memory inflation in takes in which specially crafted payloads could cause a | ||
| large amount of memory usage by Envoy. The max inflation payload size is now limited. | ||
| This change can be reverted via the ``envoy.reloadable_features.enable_compression_bomb_protection`` | ||
| runtime flag. | ||
| - area: router | ||
| change: | | ||
| fixed CVE-2022-29227: Internal redirect crash for requests with body/trailers. Envoy would | ||
| previously crash in some cases when processing internal redirects for requests with bodies or | ||
| trailers if the redirect prompts an Envoy-generated local reply. | ||
| - area: oauth | ||
| change: | | ||
| fixed CVE-2022-29226: oauth filter allows trivial bypass. The OAuth filter implementation does | ||
| not include a mechanism for validating access tokens, so by design when the HMAC signed cookie | ||
| is missing a full authentication flow should be triggered. However, the current implementation | ||
| assumes that access tokens are always validated thus allowing access in the presence of any | ||
| access token attached to the request. | ||
| - area: oauth | ||
| change: | | ||
| fixed CVE-2022-29228: oauth filter calls continueDecoding() from within decodeHeaders(). The | ||
| OAuth filter would try to invoke the remaining filters in the chain after emitting a local | ||
| response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. | ||
| - area: health_check | ||
| change: | | ||
| fixed CVE-2022-29224: Segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server | ||
| that is health checked using gRPC health checking can crash Envoy via a null pointer dereference | ||
| in certain circumstances. | ||
| - area: runtime | ||
|
|
@@ -213,11 +213,17 @@ removed_config_or_runtime: | |
| - area: runtime | ||
| change: | | ||
| removed ``envoy.restart_features.no_runtime_singleton`` and replaced with ``envoy.restart_features.remove_runtime_singleton``. | ||
| - area: udp listener | ||
| change: | | ||
| removed ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place`` and legacy code paths. | ||
| - area: http | ||
| change: | | ||
| removed ``envoy.reloadable_features.skip_dispatching_frames_for_closed_connection`` and legacy code paths. | ||
|
|
||
| new_features: | ||
| - area: lua | ||
| change: | | ||
| added new function :ref:`timestampString <config_http_filters_lua_stream_handle_api_timestamp_string>` returning the time since epoch as a string. Supported | ||
| resolutions are millisecond and microsecond. | ||
| - area: access_log | ||
| change: | | ||
|
|
@@ -234,6 +240,7 @@ new_features: | |
| - area: dns_resolver | ||
| change: | | ||
| added support for multiple addresses. This is most valuable when used in conjunction with :ref:`ALL <envoy_v3_api_enum_value_config.cluster.v3.Cluster.DnsLookupFamily.ALL>` enabling full happy eyeballs support for Envoy (see detailed documentation :ref:`here <arch_overview_conn_pool>` but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to false. | ||
| - area: dns_resolver | ||
| change: | | ||
| added :ref:`GetAddrInfoDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig>`, a new DNS resolver that uses the system's getaddrinfo() function to resolve DNS. This was primarily added for use on Android but can also be used in other situations in which the system resolver is desired. | ||
| - area: dubbo_proxy | ||
|
|
@@ -253,10 +260,10 @@ new_features: | |
| preserve case header formatter support innner formatter on Envoy headers in :ref:`formatter_type_on_envoy_headers <envoy_v3_api_field_extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig.formatter_type_on_envoy_headers>`. | ||
| - area: http3 | ||
| change: | | ||
| added :ref:`early_data_policy <envoy_v3_api_field_config.route.v3.RouteAction.early_data_policy>` extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the :ref:`default extension <envoy_v3_api_msg_extensions.early_data.v3.DefaultEarlyDataPolicy>` is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, the Envoy will not automatically retry them. If desired, explicitly config their :ref:`retry_policy <envoy_v3_api_field_config.route.v3.RouteAction.retry_policy>`. Sending early data requires both ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and ``envoy.reloadable_features.http3_sends_early_data`` runtime flags to be set to true. | ||
| - area: listener | ||
| change: | | ||
| added :ref:`dynamic listener filter configuration<envoy_v3_api_field_config.listener.v3.ListenerFilter.config_discovery>` for listener filters. This dynamic listener filter configuration is only supported by TCP listeners. | ||
| - area: redis | ||
| change: | | ||
| added support for multiple passwords to the redis proxy. See :ref:`downstream_auth_passwords <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_passwords>`. | ||
|
|
@@ -265,16 +272,16 @@ new_features: | |
| added :ref:`close_downstream_on_upstream_error <envoy_v3_api_field_extensions.filters.network.thrift_proxy.router.v3.Router.close_downstream_on_upstream_error>` flag to router to control downstream local close. | ||
| - area: thrift | ||
| change: | | ||
| added support for access logging for :ref:`Thrift Proxy <config_network_filters_thrift_proxy>`. | ||
| - area: thrift | ||
| change: | | ||
| added support for preserving header keys. See :ref:`header_keys_preserve_case <envoy_v3_api_field_extensions.filters.network.thrift_proxy.v3.ThriftProxy.header_keys_preserve_case>`. | ||
| - area: thrift | ||
| change: | | ||
| added support for propogating connection draining if local replies try to end downstream. Can be enabled by setting the runtime flag ``envoy.reloadable_features.thrift_connection_draining`` to true. | ||
| - area: thrift | ||
| change: | | ||
| added ``onLocalReply`` support to inform filters of local replies. | ||
| - area: thrift | ||
| change: | | ||
| introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message. | ||
|
|
@@ -296,17 +303,14 @@ new_features: | |
| - area: ratelimit | ||
| change: | | ||
| added support for :ref:`HTTP matching input functions <arch_overview_matching_api>` as descriptor producers. | ||
| - area: http | ||
| change: | | ||
| added :ref:`cluster_header <envoy_v3_api_field_config.route.v3.RouteAction.RequestMirrorPolicy.cluster_header>` in :ref:`request_mirror_policies <envoy_v3_api_field_config.route.v3.RouteAction.request_mirror_policies>` to allow routing shadow request to the cluster specified in the request_header. | ||
| - area: upstream | ||
| change: | | ||
| added :ref:`internal upstream transport <envoy_v3_api_msg_extensions.transport_sockets.internal_upstream.v3.InternalUpstreamTransport>` for passing metadata and filter state across the user space sockets and the internal listeners. | ||
| - area: router | ||
|
Contributor
There was a problem hiding this comment. cc @phlax we should ideally catch this one in CI |
||
| change: | | ||
| added :ref:`keep_empty_value <envoy_v3_api_field_config.core.v3.HeaderValueOption.keep_empty_value>` to allow keeping empty values in custom headers. | ||
| - area: dubbo_proxy | ||
| change: | | ||
|
|
@@ -319,7 +323,7 @@ new_features: | |
| added :ref:`stat_prefix <envoy_v3_api_field_config.route.v3.Route.stat_prefix>` support to generate route level statistics. | ||
| - area: router | ||
| change: | | ||
| added :ref:`INTERNAL_SERVER_ERROR option | ||
| <envoy_v3_api_enum_value_config.route.v3.RouteAction.ClusterNotFoundResponseCode.INTERNAL_SERVER_ERROR>` to return | ||
| status code 500 when the configured cluster is not found. | ||
| - area: matching | ||
|
|
@@ -339,30 +343,26 @@ new_features: | |
| added :ref:`ignore_port_in_host_matching <envoy_v3_api_field_config.route.v3.RouteConfiguration.ignore_port_in_host_matching>`. When set to true, port number (if any) in host header is ignored during host matching. | ||
| - area: router | ||
| change: | | ||
| added :ref:`ignore_path_parameters_in_path_matching <envoy_v3_api_field_config.route.v3.RouteConfiguration.ignore_path_parameters_in_path_matching>`. When set to true, path-parameters(`rfc1808 <https://datatracker.ietf.org/doc/html/rfc1808>`_) is ignored during path matching. | ||
|
|
||
| deprecated: | ||
| - area: dubbo_proxy | ||
| change: | | ||
| deprecated :ref:`old dubbo route config <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.route_config>`. Please use | ||
| :ref:`multiple route config <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.multiple_route_config>` or | ||
| :ref:`DRDS <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.drds>` first. | ||
| - area: http | ||
| change: | | ||
| deprecated the short name ``preserve_case`` for the header formatter extension in favor of the fully-qualified name | ||
| ``envoy.http.stateful_header_formatters.preserve_case``. | ||
| - area: matching | ||
| change: | | ||
| :ref:`google_re2 <envoy_v3_api_field_type.matcher.v3.RegexMatcher.google_re2>` has been deprecated. A default regex engine can be set using :ref:`default_regex_engine <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.default_regex_engine>`. | ||
| - area: redis | ||
| change: | | ||
| deprecated :ref:`downstream_auth_password <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_password>`. Please use | ||
| :ref:`downstream_auth_passwords <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_passwords>`. | ||
| - area: lua | ||
| change: | | ||
| deprecated :ref:`inline_code <envoy_v3_api_field_extensions.filters.http.lua.v3.Lua.inline_code>`. Please use | ||
| :ref:`default_source_code <envoy_v3_api_field_extensions.filters.http.lua.v3.Lua.default_source_code>`. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added support for command operators in :ref:`TunnelingConfig hostname
doesn't seem like a backwards incompatible change