forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcurrent.yaml
212 lines (206 loc) · 10.3 KB
/
current.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
date: Pending
behavior_changes:
# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
- area: tracing
change: |
Removed support for (long deprecated) opentracing. See `issue 27401
<https://github.com/envoyproxy/envoy/issues/27401>`_ for details.
- area: golang
change: |
Change ``OnLogDownstreamStart``, ``OnLogDownstreamPeriodic`` and ``OnLog`` methods so that user can get the request/response's
headers and trailers when producing access log.
- area: http
change: |
Added HTTP1-safe option for :ref:`max_connection_duration
<envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_connection_duration>` in
HttpConnectionManager. When enabled, ``max_connection_duration`` will only drain downstream
HTTP1 connections by adding the Connection:close response header; it will never cause the
HttpConnectionManager to close the connection itself. Defaults to off ("unsafe" -- check
\#34356) and is configurable via :ref:`http1_safe_max_connection_duration
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http1_safe_max_connection_duration>`.
- area: eds
change: |
Enabling caching caching of EDS assignments when used with ADS by default (introduced in Envoy v1.28).
Prior to this change, Envoy required that EDS assignments were sent after an EDS cluster was updated.
If no EDS assignment was received for the cluster, it ended up with an empty assignment.
Following this change, after a cluster update, Envoy waits for an EDS assignment until
:ref:`initial_fetch_timeout <envoy_v3_api_field_config.core.v3.ConfigSource.initial_fetch_timeout>` times out, and will then apply
the cached assignment and finish updating the warmed cluster. This change temporarily disabled by setting
the runtime flag ``envoy.restart_features.use_eds_cache_for_ads`` to ``false``.
- area: stats scoped_rds
change: |
Added new tag extraction so that scoped rds stats have their :ref:'scope_route_config_name
<envoy_v3_api_msg_config/route/v3/scoped_route>' and stat prefix extracted.
minor_behavior_changes:
# *Changes that may cause incompatibilities for some users, but should not for most*
- area: command line options
change: |
:option:`--enable-fine-grain-logging` and :option:`--component-log-level` were incompatible in that one
would make the other ineffective. Setting both options at once is now an error, to reduce potential confusion.
- area: tcp
change: |
Added support for :ref:`connection_pool_per_downstream_connection
<envoy_v3_api_field_config.cluster.v3.Cluster.connection_pool_per_downstream_connection>` flag in tcp connection pool.
- area: http3
change: |
The ACCEPT_UNTRUSTED option now works more consistently for HTTP/3 requests. This change is
guarded by ``envoy.reloadable_features.extend_h3_accept_untrusted``.
- area: http3
change: |
HTTP/3 alt-svc headers will now be respected from IP-address-based hostnames. This change is
guarded by runtime guard ``envoy.reloadable_features.allow_alt_svc_for_ips``.
- area: lua
change: |
When Lua script executes httpCall, backpressure is exercised when receiving body from downstream client. This behavior can be reverted
by setting the runtime guard ``envoy.reloadable_features.lua_flow_control_while_http_call`` to false.
- area: sni
change: |
When computing SNI and SAN value for the auto-sni and auto-san verification feature,
route host manipulations are now taken into account. This behavior can be reverted
by setting the runtime guard ``envoy_reloadable_features_use_route_host_mutation_for_auto_sni_san`` to false.
bug_fixes:
# *Changes expected to improve the state of the world and are unlikely to have negative effects*
- area: dns
change: |
The DNS filter no longer returns FORMERR if a message has an ID of 0.
- area: quic
change: |
Fixes access log formatter %CONNECTION_ID% for QUIC connections.
- area: c-ares
change: |
Applying a C-ares patch to fix DNS resoultion by the Google gRPC library.
- area: websocket
change: |
Fixed a bug where the websocket upgrade filter would not take into account per-filter configs.
- area: ext_proc
change: |
Add runtime guard for timeout error code 504 Gateway Timeout that is returned to downstream. If runtime flag
``envoy.reloadable_features.ext_proc_timeout_error`` is set to false, old error code 500 Internal Server Error will be returned.
- area: rbac
change: |
RBAC will now allow stat prefixes configured in per-route config to override the base config's
stat prefix.
removed_config_or_runtime:
# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
- area: upstream
change: |
Removed runtime flag ``envoy.reloadable_features.avoid_zombie_streams`` and legacy code paths.
- area: ext_proc
change: |
Removed runtime flag ``envoy_reloadable_features_immediate_response_use_filter_mutation_rule`` and legacy code
path.
- area: ext_proc
change: |
Removed runtime flag ``envoy_reloadable_features_send_header_raw_value`` and legacy code path.
- area: http
change: |
Removed runtime flag ``envoy.reloadable_features.no_downgrade_to_canonical_name`` and legacy code
path.
- area: DNS
change: |
Removed ``envoy.reloadable_features.dns_cache_set_first_resolve_complete`` runtime flag and legacy code paths.
- area: tls
change: |
Removed runtime flag ``envoy.reloadable_features.ssl_transport_failure_reason_format``.
- area: http
change: |
Removed runtime flag ``envoy.reloadable_features.abort_filter_chain_on_stream_reset`` and legacy
code path.
- area: http
change: |
Removed runtime flag ``envoy.reloadable_features.http1_connection_close_header_in_redirect`` and
legacy code paths.
- area: grpc reverse bridge
change: |
Removed ``envoy.reloadable_features.grpc_http1_reverse_bridge_handle_empty_response`` runtime
flag and legacy code paths.
- area: grpc reverse bridge
change: |
Removed ``envoy.reloadable_features.grpc_http1_reverse_bridge_change_http_status`` runtime flag
and legacy code paths.
- area: stateful_session
change: |
Removed ``envoy.reloadable_features.stateful_session_encode_ttl_in_cookie`` runtime flag and legacy code paths.
- area: quic
change: |
Removed ``envoy.reloadable_features.quic_fix_filter_manager_uaf`` runtime flag and legacy code paths.
- area: udp
change: |
Removed ``envoy.restart_features.udp_read_normalize_addresses`` runtime flag and legacy code paths.
- area: upstream
change: |
Removed runtime flag ``envoy.reloadable_features.upstream_allow_connect_with_2xx`` and legacy code paths.
- area: upstream flow control
change: |
Removed ``envoy.reloadable_features.upstream_wait_for_response_headers_before_disabling_read`` runtime flag
and legacy code paths.
- area: dynamic forward proxy
change: |
Removed ``envoy.reloadable_features.normalize_host_for_preresolve_dfp_dns`` runtime flag and legacy code paths.
new_features:
- area: redis
change: |
Added support for publish.
- area: jwt_authn
change: |
Added missing implementation to jwt_authn matchers to allow glob pattern matching.
- area: tls
change: |
Added :ref:`prefer_client_ciphers
<envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.prefer_client_ciphers>`
to support enabling client cipher preference instead of server's for TLS handshakes.
- area: ext_authz
change: |
Added config field
:ref:`filter_metadata <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.filter_metadata>`
for injecting arbitrary data to the filter state for logging.
- area: access_log
change: |
added %UPSTREAM_CLUSTER_RAW% access log formatter to log the original upstream cluster name, regardless of whether
``alt_stat_name`` is set.
- area: formatter
change: |
Added full feature absl::FormatTime() support to the DateFormatter. This allows the timepoint formatters (like
``%START_TIME%``) to use ``%E#S``, ``%E*S``, ``%E#f`` and ``%E*f`` to format the subsecond part of the timepoint.
- area: http_11_proxy
change: |
Added the option to configure the transport socket via locality or endpoint metadata.
- area: sockets
change: |
Added socket ``type`` field for specifying a socket type to apply the socket option to under :ref:`SocketOption
<envoy_v3_api_msg_config.core.v3.SocketOption>`. If not specified, the socket option will be applied to all socket
types.
- area: tls
change: |
Added an extension point :ref:`custom_tls_certificate_selector
<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.custom_tls_certificate_selector>`
to allow overriding TLS certificate selection behavior.
An extension can select certificate base on the incoming SNI, in both sync and async mode.
- area: access log
change: |
Added support for :ref:`%DOWNSTREAM_PEER_CHAIN_FINGERPRINTS_1% <config_access_log_format_response_flags>`,
``%DOWNSTREAM_PEER_CHAIN_FINGERPRINTS_256``, and ``%DOWNSTREAM_PEER_CHAIN_SERIALS%``, as access log formatters.
- area: matching
change: |
Added dynamic metadata matcher support :ref:`Dynamic metadata input <extension_envoy.matching.inputs.dynamic_metadata>`
and :ref:`Dynamic metadata input matcher <extension_envoy.matching.matchers.metadata_matcher>`.
- area: ratelimit
change: |
Added the ability to modify :ref:`hits_addend <envoy_v3_api_field_service.ratelimit.v3.RateLimitRequest.hits_addend>`
by setting by setting filter state value ``envoy.ratelimit.hits_addend`` to the desired value.
- area: access_log
change: |
Added new access log command operators ``%START_TIME_LOCAL%`` and ``%EMIT_TIME_LOCAL%``,
similar to ``%START_TIME%`` and ``%EMIT_TIME%``, but use local time zone.
- area: dns
change: |
Prefer using IPv6 address when addresses from both families are available.
Can be reverted by setting ``envoy.reloadable_features.prefer_ipv6_dns_on_macos`` to false.
- area: grpc_field_extraction
change: |
Added ``map<string, string>`` support: Target fields of type ``map<string, string>`` can be extracted and added to dynamic metadata.
- area: rbac
change: |
Added :ref:`delay_deny <envoy_v3_api_msg_extensions.filters.network.rbac.v3.RBAC>` to support deny connection after
the configured duration.
deprecated: