1.23.0 (July 15, 2022)
Incompatible behavior changes
Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required
config: multiple SDS resources of multiple clusters or listeners are sent in a single SDS requests, instead of multiple SDS requests. This behavioral change can be reverted by setting
envoy.reloadable_features.combine_sds_requests
tofalse
.router: updated all HTTP filters to get per-filter config by the HTTP filter config name. If there is no entry referred by the filter config name, the canonical filter name (e.g.,
envoy.filters.http.buffer
for the HTTP buffer filter) will be used for the backwards compatibility.router: weighted cluster’s total_weight is now optional. If not set, Envoy will no longer validate that all weights add up to 100. The sum of weights across all entries in the clusters array must add up to the total_weight, when it’s greater than 0.
stats listener: fixed metric tag extraction so that stat_prefix is properly extracted. This changes the Prometheus name from
envoy_listener_myprefix_downstream_cx_overflow{}
toenvoy_listener_downstream_cx_overflow{envoy_listener_address="myprefix"}
. This does not affect the Prometheus name ifstat_prefix
is not set.stats listener: fixed metric tag extraction so that
worker_id
is properly extracted from the listener stats. This changes the Prometheus name fromenvoy_listener_worker_1_downstream_cx_active{envoy_listener_address="0.0.0.0_10000"}
toenvoy_listener_downstream_cx_active{envoy_listener_address="0.0.0.0_10000", envoy_worker_id="1"}
.stats redis_proxy: fixed metric tag extraction so that stat_prefix is properly extracted. This changes the Prometheus name from
envoy_redis_myprefix_command_pttl_latency_sum{}
toenvoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}
.stats server: fixed metric tag extraction so that
worker_id
is properly extracted fromt the server stats. This changes the Prometheus name fromenvoy_server_worker_1_watchdog_miss{}
toenvoy_server_watchdog_miss{envoy_worker_id="1"}
.stats thrift_proxy: fixed metric tag extraction so that stat_prefix is properly extracted. This changes the Prometheus name from
envoy_thrift_myprefix_request{}
toenvoy_thrift_request{envoy_thrift_prefix="myprefix"}
.tls-inspector: the listener filter tls inspector’s stats
connection_closed
andread_error
are removed. New stats are introduced for listener,downstream_peek_remote_close
andread_error
, in listener stats.
Minor behavior changes
Changes that may cause incompatibilities for some users, but should not for most
admin: changed default regex engine for
/stats?filter=
fromstd::regex
to RE2, improving filtering speed 20x.conn pool: changed HTTP/2 connection pooling and the ALPN pool to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, and then will cache that the effective stream limit is
1
. This behavioral change can be revered by settingenvoy.reloadable_features.allow_concurrency_for_alpn_pool
tofalse
.dns: allow propagating DNS responses with no records back to callers like
strict_dns
cluster, guarded byenvoy.reloadable_features.cares_accept_nodata
.filter state: revert to respecting the life time of the filter state objects to be bound to the original stream and make sharing filter state objects with the upstream info explicit via an extra flag in
setData
.http: changing the behavior for
CONNECT
and upgrade requests over HTTP/1.1 to not delay close. This behavioral change can be reverted by settingenvoy.reloadable_features.no_delay_close_for_upgrades
tofalse
.http: the dynamo filter has been moved to contrib images.
http: the behavior of the timeout field has been modified to extend the timeout when any frame is received on the owning HTTP/2 connection. This negates the effect of head-of-line (HOL) blocking for slow connections. If any frame is received the assumption is that the connection is working. This behavior change can be reverted by setting
envoy.reloadable_features.http2_delay_keepalive_timeout
tofalse
.http-cache: HTTP cache filter
getCache
interface changed from returning a reference to returning a shared_ptr - any third-party implementations of this interface will need to be updated accordingly. See changes tosimple_http_cache.cc
andsimple_http_cache.h
in PR21114 for example.local_ratelimit:
local_ratelimit
will consume tokens of all matched descriptors sorted by tokens per second. This behavioral change can be reverted by setting runtime guardenvoy.reloadable_features.http_local_ratelimit_match_all_descriptors
tofalse
.logging: changed category name for access log filter extensions to
envoy.access_loggers.extension_filters
.logging: changed flag
--log-format-escaped
to only log one trailing newline per log line.lua: export symbols of LuaJit by default on Linux. This is useful in cases where you have a lua script that loads shared object libraries, such as those installed via luarocks.
lua: lua
respond
api will callsendLocalReply
instead ofencodeHeaders
andencodeData
. This means that encoder filters will be correctly invoked, including adding configured response headers, etc. This behavioral change can be reverted by setting runtime guardenvoy.reloadable_features.lua_respond_with_send_local_reply
tofalse
.network: the client ssl auth filter has been moved to contrib images.
router: get route config factories by the configuration proto full names by default. This behavior change can be reverted by setting the
envoy.reloadable_features.get_route_config_factory_by_type
runtime flag tofalse
.skywalking: use request path as operation name of
ENTRY
/EXIT
spans.skywalking: use upstream host address as
addressUsedAtClient
in propagation header.tcp_proxy: added support for command operators in TunnelingConfig hostname to dynamically set upstream hostname.
thrift: keep downstream connection if the response is completed without underflow.
tls: if both match_subject_alt_names and match_typed_subject_alt_names are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error.
tls: removed SHA-1 and RSA key transport cipher suites from the server-side defaults.
tracers: remove unnecessary
spawnChild
annotations in OpenCensus tracer.
Bug fixes
Changes expected to improve the state of the world and are unlikely to have negative effects
aws_lambda: fixed the AWS cross account lambda function invocation issue.
decompression: fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were susceptible to memory inflation in takes in which specially crafted payloads could cause a large amount of memory usage by Envoy. The max inflation payload size is now limited. This change can be reverted via the
envoy.reloadable_features.enable_compression_bomb_protection
runtime flag.grpc_json_transcoder: respond with a error messsage if a proto message is too deep (>64). Before the fix the response was an empty JSON.
health_check: fixed CVE-2022-29224: Segfault in
GrpcHealthCheckerImpl
. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.http: fixed HTTP/2 CONNECT to be RFC compliant, rather than following the abandoned extended connect draft. This behavioral change can be reverted by setting runtime guard
envoy.reloadable_features.use_rfc_connect
tofalse
.oauth: fixed CVE-2022-29226: oauth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
oauth: fixed CVE-2022-29228: oauth filter calls
continueDecoding()
from withindecodeHeaders()
. The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers anASSERT()
in newer versions and corrupts memory on earlier versions.router: fixed CVE-2022-29227: Internal redirect crash for requests with body/trailers. Envoy would previously crash in some cases when processing internal redirects for requests with bodies or trailers if the redirect prompts an Envoy-generated local reply.
runtime: fixed a bug where
envoy.restart_features.no_runtime_singleton
was inverted. Runtime singleton status is now guarded by non-invertedenvoy.restart_features.remove_runtime_singleton
.tcp_proxy: fixed an issue using the cluster wide
CONNECT
termination so it will successfully proxy payloads.tls: fixed a bug where an expired certificate sets a big number for
days_until_expiration
. After this fix,0
is set.upstream: fixed the
LOGICAL_DNS
andSTRICT_DNS
clusters to work for IPv6.
Removed config or runtime
Normally occurs at the end of the deprecation period
compressor: removed
envoy.reloadable_features.fix_added_trailers
and legacy code paths.conn pool: removed
envoy.reloadable_features.conn_pool_delete_when_idle
and legacy code paths.dns: removed
envoy.reloadable_features.use_dns_ttl
and legacy code paths.ext_authz: removed
envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect
and legacy code paths.http: removed
envoy.reloadable_features.correct_scheme_and_xfp
and legacy code paths.http: removed
envoy.reloadable_features.skip_dispatching_frames_for_closed_connection
and legacy code paths.http: removed
envoy.reloadable_features.validate_connect
and legacy code paths.runtime: removed
envoy.restart_features.no_runtime_singleton
and replaced withenvoy.restart_features.remove_runtime_singleton
.tcp_proxy: removed
envoy.reloadable_features.new_tcp_connection_pool
and legacy code paths.udp listener: removed
envoy.reloadable_features.udp_listener_updates_filter_chain_in_place
and legacy code paths.
New features
access_log: added formatters for UPSTREAM_METADATA and METADATA(UPSTREAM_HOST).
access_log: added new
access_log
command operators to retrieve upstream connection information change:%UPSTREAM_PROTOCOL%
,%UPSTREAM_PEER_SUBJECT%
,%UPSTREAM_PEER_ISSUER%
,%UPSTREAM_TLS_SESSION_ID%
,%UPSTREAM_TLS_CIPHER%
,%UPSTREAM_TLS_VERSION%
,%UPSTREAM_PEER_CERT_V_START%
,%UPSTREAM_PEER_CERT_V_END%
,%UPSTREAM_PEER_CERT%
and%UPSTREAM_FILTER_STATE%
.admin: added compile-time option
--define=admin_html=disabled
to disable HTML home page.build: enabled building arm64 envoy-distroless and envoy-tools docker images.
dns_resolver: added GetAddrInfoDnsResolverConfig, a new DNS resolver that uses the system’s
getaddrinfo()
function to resolve DNS. This was primarily added for use on Android but can also be used in other situations in which the system resolver is desired.dns_resolver: added include_unroutable_families to the Apple DNS resolver.
dns_resolver: added support for multiple addresses. This is most valuable when used in conjunction with ALL enabling full happy eyeballs support for Envoy (see detailed documentation here but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard
envoy.restart_features.remove_runtime_singleton
tofalse
.dubbo_proxy: added dynamic routes discovery support to dubbo proxy.
dubbo_proxy: added metadata_match support to the dubbo proxy.
examples: fixed issues with documentation/compositions usage of
docker-compose pull
.examples: updated many examples and added dependency checking.
ext_proc: added support for per-route grpc_service.
http: added cluster_header in request_mirror_policies to allow routing shadow request to the cluster specified in the request_header.
http: added treat_missing_header_as_empty to allow header match rule to treat the header value as empty and apply the match rule when the header is missing.
http: added a send_fully_qualified_url configuration option to send absolute URLs for HTTP/1.1.
http: added new file_system_buffer HTTP filter.
http: preserve case header formatter support innner formatter on Envoy headers in formatter_type_on_envoy_headers.
http3: added early_data_policy extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the default extension is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, the Envoy will not automatically retry them. If desired, explicitly config their retry_policy. Sending early data requires both
envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3
andenvoy.reloadable_features.http3_sends_early_data
runtime flags to be set totrue
.listener: added dynamic listener filter configuration for listener filters. This dynamic listener filter configuration is only supported by TCP listeners.
lua: added new function timestampString returning the time since epoch as a string. Supported resolutions are millisecond and microsecond.
matching: added support for matching authenticated inputs in network and HTTP matching data.
network: extended conection balancer with extend balance, and added Dlb connection balancer to use DLB hardware to balance.
on_demand: OnDemand got extended to hold configuration for on-demand cluster discovery. A similar message for per-route configuration is also added.
open_telemetry: added resource_attributes configuration to OpenTelemetry.
proxy_protcol: added allow_requests_without_proxy_protocol to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag.
ratelimit: added support for HTTP matching input functions as descriptor producers.
ratelimit: added support for masked_remote_address.
rbac: added matcher for selecting connections and requests to different actions.
redis: added support for multiple passwords to the redis proxy. See downstream_auth_passwords.
router: added INTERNAL_SERVER_ERROR option to return status code 500 when the configured cluster is not found.
router: added ignore_path_parameters_in_path_matching. When set to
true
, path-parameters(rfc1808) is ignored during path matching. added ignore_path_parameters_in_path_matching. When set totrue
, path-parameters(rfc1808) is ignored during path matching.router: added ignore_port_in_host_matching. When set to
true
, port number (if any) in host header is ignored during host matching.router: added keep_empty_value to allow keeping empty values in custom headers.
router: added stat_prefix support to generate route level statistics.
thrift: added close_downstream_on_upstream_error flag to router to control downstream local close.
thrift: added
onLocalReply
support to inform filters of local replies.thrift: added
validate_clusters
in RouteConfiguration to override the default behavior of cluster validation.thrift: added support for access logging for Thrift Proxy.
thrift: added support for preserving header keys. See header_keys_preserve_case.
thrift: added support for propogating connection draining if local replies try to end downstream. Can be enabled by setting the runtime flag
envoy.reloadable_features.thrift_connection_draining
to true.thrift: introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message.
udp: added udp_packet_packet_writer_config config to specify the UDP packet writer factory.
upstream: added internal upstream transport for passing metadata and filter state across the user space sockets and the internal listeners.
Deprecated
dubbo_proxy: deprecated old dubbo route config. Please use multiple route config or DRDS first.
http: deprecated the short name
preserve_case
for the header formatter extension in favor of the fully-qualified nameenvoy.http.stateful_header_formatters.preserve_case
.lua: deprecated inline_code. Please use default_source_code.
matching: google_re2 has been deprecated. A default regex engine can be set using default_regex_engine.
redis: deprecated downstream_auth_password. Please use downstream_auth_passwords.