forked from envoyproxy/envoy
current.yaml
date: Pending
behavior_changes:
- area: tls-inspector
  change: |
    the listener filter tls inspector's stats ``connection_closed`` and ``read_error`` are removed. New stats are introduced for the listener: ``downstream_peek_remote_close`` and ``read_error`` (see :ref:`listener stats <config_listener_stats>`).
minor_behavior_changes:
- area: thrift
  change: |
    add validate_clusters in :ref:`RouteConfiguration <envoy_v3_api_msg_extensions.filters.network.thrift_proxy.v3.RouteConfiguration>` to override the default behavior of cluster validation.
- area: tls
  change: |
    if both :ref:`match_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>` and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error.
- area: tls
  change: |
    removed SHA-1 and RSA key transport cipher suites from the server-side defaults.
- area: http
  change: |
    the behavior of the :ref:`timeout <envoy_v3_api_field_config.core.v3.KeepaliveSettings.timeout>`
    field has been modified to extend the timeout when *any* frame is received on the owning HTTP/2
    connection. This negates the effect of head-of-line (HOL) blocking for slow connections. If
    any frame is received the assumption is that the connection is working. This behavior change
    can be reverted by setting the ``envoy.reloadable_features.http2_delay_keepalive_timeout`` runtime
    flag to false.
- area: http-cache
  change: |
    http cache filter ``getCache`` interface changed from returning a reference to
    returning a shared_ptr - any third-party implementations of this interface will need to be
    updated accordingly. See changes to ``simple_http_cache.cc`` and ``simple_http_cache.h`` in
    `PR21114 <https://github.com/envoyproxy/envoy/pull/21114>`_ for example.
- area: lua
  change: |
    export symbols of LuaJit by default on Linux. This is useful in cases where you have a lua script
    that loads shared object libraries, such as those installed via luarocks.
- area: admin
  change: |
    changed default regex engine for /stats?filter= from std::regex to RE2, improving filtering speed
    20x.
- area: skywalking
  change: |
    use request path as operation name of ENTRY/EXIT spans.
- area: skywalking
  change: |
    use upstream host address as ``addressUsedAtClient`` in propagation header.
- area: dns
  change: |
    allow propagating DNS responses with no records back to callers like strict_dns cluster,
    guarded by ``envoy.reloadable_features.cares_accept_nodata``.
- area: local_ratelimit
  change: |
    local_ratelimit will consume tokens of all matched descriptors sorted by tokens per second.
    This behavioral change can be reverted by setting runtime guard
    ``envoy.reloadable_features.http_local_ratelimit_match_all_descriptors`` to false.
- area: router
  change: |
    get route config factories by the configuration proto full names by default. This behavior change
    can be reverted by setting the ``envoy.reloadable_features.get_route_config_factory_by_type``
    runtime flag to false.
  change: |
    add an ignore_port_in_host_matching config entry in RouteConfiguration. When set to true, the port number (if any) in the host
    header is ignored during host matching.
- area: lua
  change: |
    lua ``respond`` api will call ``sendLocalReply`` instead of ``encodeHeaders`` and ``encodeData``.
    This means that encoder filters will be correctly invoked, including adding configured response
    headers, etc. This behavioral change can be reverted by setting runtime guard
    ``envoy.reloadable_features.lua_respond_with_send_local_reply`` to false.
bug_fixes:
- area: runtime
  change: |
    Fixed a bug where ``envoy.restart_features.no_runtime_singleton`` was inverted.
    Runtime singleton status is now guarded by non-inverted ``envoy.restart_features.remove_runtime_singleton``.
- area: tcp_proxy
  change: |
    Fixed an issue using the cluster wide CONNECT termination so it will successfully proxy payloads.
- area: listener
  change: |
    Fixed metric tag extraction so that :ref:`stat_prefix <envoy_v3_api_field_config.listener.v3.Listener.stat_prefix>`
    is properly extracted.
- area: upstream
  change: |
    Fixed the LOGICAL_DNS and STRICT_DNS clusters to work for IPv6.
removed_config_or_runtime:
- area: compressor
  change: |
    removed ``envoy.reloadable_features.fix_added_trailers`` and legacy code paths.
- area: dns
  change: |
    removed ``envoy.reloadable_features.use_dns_ttl`` and legacy code paths.
- area: ext_authz
  change: |
    removed ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard and legacy code paths.
- area: http
  change: |
    deprecated ``envoy.reloadable_features.correct_scheme_and_xfp`` and legacy code paths.
- area: http
  change: |
    deprecated ``envoy.reloadable_features.validate_connect`` and legacy code paths.
- area: tcp_proxy
  change: |
    removed ``envoy.reloadable_features.new_tcp_connection_pool`` and legacy code paths.
- area: tls
  change: |
    fixed a bug where ``days_until_expiration`` reported a big number when a certificate is invalid. After this fix, when a certificate expires, it reports as ``0``.
- area: conn pool
  change: |
    removed ``envoy.reloadable_features.conn_pool_delete_when_idle`` and legacy code paths.
- area: runtime
  change: |
    removed ``envoy.restart_features.no_runtime_singleton`` and replaced with ``envoy.restart_features.remove_runtime_singleton``.
new_features:
- area: access_log
  change: |
    added new access_log command operators to retrieve upstream connection information: ``%UPSTREAM_PROTOCOL%``, ``%UPSTREAM_PEER_SUBJECT%``, ``%UPSTREAM_PEER_ISSUER%``, ``%UPSTREAM_TLS_SESSION_ID%``, ``%UPSTREAM_TLS_CIPHER%``, ``%UPSTREAM_TLS_VERSION%``, ``%UPSTREAM_PEER_CERT_V_START%``, ``%UPSTREAM_PEER_CERT_V_END%``, ``%UPSTREAM_PEER_CERT%`` and ``%UPSTREAM_FILTER_STATE%``.
- area: dns_resolver
  change: |
    added :ref:`include_unroutable_families<envoy_v3_api_field_extensions.network.dns_resolver.apple.v3.AppleDnsResolverConfig.include_unroutable_families>` to the Apple DNS resolver.
  change: |
    added support for multiple addresses. This is most valuable when used in conjunction with :ref:`ALL <envoy_v3_api_enum_value_config.cluster.v3.Cluster.DnsLookupFamily.ALL>` enabling full happy eyeballs support for Envoy (see detailed documentation :ref:`here <arch_overview_conn_pool>`) but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to false.
- area: dubbo_proxy
  change: |
    added :ref:`dynamic routes discovery <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.drds>` support to the dubbo proxy.
- area: ext_proc
  change: |
    added support for per-route :ref:`grpc_service <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExtProcOverrides.grpc_service>`.
- area: http
  change: |
    added new :ref:`file_system_buffer <config_http_filters_file_system_buffer>` http filter.
- area: http
  change: |
    the preserve case header formatter supports an inner formatter on Envoy headers in :ref:`formatter_type_on_envoy_headers <envoy_v3_api_field_extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig.formatter_type_on_envoy_headers>`.
- area: http3
  change: |
    added :ref:`early_data_policy <envoy_v3_api_field_config.route.v3.RouteAction.early_data_policy>` extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the :ref:`default extension <envoy_v3_api_msg_extensions.early_data.v3.DefaultEarlyDataPolicy>` is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, Envoy will not automatically retry them. If desired, explicitly configure their :ref:`retry_policy <envoy_v3_api_field_config.route.v3.RouteAction.retry_policy>`. This feature requires both ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and ``envoy.reloadable_features.http3_sends_early_data`` to be turned on.
- area: thrift
  change: |
    added flag to router to control downstream local close. :ref:`close_downstream_on_upstream_error <envoy_v3_api_field_extensions.filters.network.thrift_proxy.router.v3.Router.close_downstream_on_upstream_error>`.
- area: thrift
  change: |
    added support for access logging.
- area: thrift
  change: |
    added support for preserving header keys.
- area: thrift
  change: |
    added support for onLocalReply to inform filters of local replies.
- area: thrift
  change: |
    introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message.
- area: on_demand
  change: |
    :ref:`OnDemand <envoy_v3_api_msg_extensions.filters.http.on_demand.v3.OnDemand>` got extended to hold configuration for on-demand cluster discovery. A similar message for :ref:`per-route configuration <envoy_v3_api_msg_extensions.filters.http.on_demand.v3.PerRouteConfig>` is also added.
- area: proxy_protocol
  change: |
    added :ref:`allow_requests_without_proxy_protocol<envoy_v3_api_field_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.allow_requests_without_proxy_protocol>` to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag.
- area: udp
  change: |
    added config to specify the UDP packet writer factory. See :ref:`udp_packet_packet_writer_config <envoy_v3_api_field_config.listener.v3.UdpListenerConfig.udp_packet_packet_writer_config>`.
- area: build
  change: |
    enabled building arm64 envoy-distroless and envoy-tools :ref:`docker images <install_binaries>`.
- area: ratelimit
  change: |
    added support for :ref:`masked_remote_address <envoy_v3_api_field_config.route.v3.RateLimit.Action.masked_remote_address>`.
- area: ratelimit
  change: |
    added support for :ref:`HTTP matching input functions <arch_overview_matching_api>` as descriptor producers.
- area: build
  change: |
    official released binary is now built with Clang 14.0.0.
- area: conn pool
  change: |
    Changed HTTP/2 connection pooling and the :ref:`ALPN pool <envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.auto_config>` to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, and then will cache that the effective stream limit is 1. This behavioral change can be reverted by setting ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to false.
- area: http
  change: |
    added :ref:`cluster_header <envoy_v3_api_field_config.route.v3.RouteAction.RequestMirrorPolicy.cluster_header>` in :ref:`request_mirror_policies <envoy_v3_api_field_config.route.v3.RouteAction.request_mirror_policies>` to allow routing shadow requests to the cluster specified in the request header.
- area: router
  change: |
    added :ref:`keep_empty_value <envoy_v3_api_field_config.core.v3.HeaderValueOption.keep_empty_value>` to allow keeping empty values in custom headers.
- area: dubbo_proxy
  change: |
    added :ref:`metadata_match <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.RouteAction.metadata_match>` support to the dubbo proxy.
deprecated:
- area: dubbo_proxy
  change: |
    deprecated :ref:`old dubbo route config <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.route_config>`. Please use
    :ref:`multiple route config <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.multiple_route_config>` or
    :ref:`multiple route config <envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.drds>` first.