1.32.0 (Pending)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

  • http: Added HTTP1-safe option for max_connection_duration in HttpConnectionManager. When enabled, max_connection_duration will only drain downstream HTTP1 connections by adding the Connection:close response header; it will never cause the HttpConnectionManager to close the connection itself. Defaults to off (the "unsafe" behavior; see #34356) and is configurable via http1_safe_max_connection_duration.

  • stats scoped_rds: Added new tag extraction so that scoped RDS stats have their scope_route_config_name and stat prefix extracted.

  • tracing: Removed support for (long deprecated) opentracing. See issue 27401 for details.
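The following listener snippet is an added example (not part of the release notes or of Envoy's own documentation) showing how the HTTP1-safe max_connection_duration option above fits into an HttpConnectionManager configuration. It assumes the field sits directly on the HttpConnectionManager message as the note says, and uses a constructed port, route and cluster name; the 600s and 30s durations are illustrative choices.

```yaml
static_resources:
  listeners:
  - name: ingress_http
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }   # constructed example port
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Bound the lifetime of every downstream connection so that long-lived
          # clients are periodically forced to reconnect (and re-run the listener's
          # filter chain, TLS handshake, etc.).
          common_http_protocol_options:
            max_connection_duration: 600s
          # New in 1.32.0: only *drain* HTTP/1 connections once the duration elapses,
          # by answering the next request with "Connection: close", instead of Envoy
          # closing the socket itself. Leaving it at the default (false) keeps the
          # pre-1.32 behavior. Placement of this field is an assumption of this example.
          http1_safe_max_connection_duration: true
          # How long a drained connection may linger before it is forcibly closed.
          drain_timeout: 30s
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: example_backend }   # constructed cluster name
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: example_backend
    type: STATIC
    load_assignment:
      cluster_name: example_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9000 }   # constructed example
```

With the flag on, an HTTP/1 client that keeps a connection open past max_connection_duration sees "Connection: close" on its next response and reconnects cleanly; with the flag off (the default), Envoy may close the connection on its own timer, which for HTTP/1 can coincide with a request the client has already sent. Teams relying on the hard close as a backstop should note that in safe mode an idle HTTP/1 connection that never sends another request is not closed by this mechanism; pair it with idle_timeout if that matters.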

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • command line options: --enable-fine-grain-logging and --component-log-level were incompatible in that one would make the other ineffective. Setting both options at once is now an error, to reduce potential confusion.

  • http3: HTTP/3 alt-svc headers will now be respected from IP-address-based hostnames. This change is guarded by runtime guard envoy.reloadable_features.allow_alt_svc_for_ips.

  • http3: The ACCEPT_UNTRUSTED option now works more consistently for HTTP/3 requests. This change is guarded by envoy.reloadable_features.extend_h3_accept_untrusted.

  • lua: When a Lua script executes httpCall, backpressure is applied while receiving the body from the downstream client. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.lua_flow_control_while_http_call to false.

  • sni: When computing the SNI and SAN values for the auto-sni and auto-san verification feature, route host manipulations are now taken into account. This behavior can be reverted by setting the runtime guard envoy_reloadable_features_use_route_host_mutation_for_auto_sni_san to false.

  • tcp: Added support for the connection_pool_per_downstream_connection flag in the TCP connection pool.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • c-ares: Applied a c-ares patch to fix DNS resolution by the Google gRPC library.

  • dns: The DNS filter no longer returns FORMERR if a message has an ID of 0.

  • ext_proc: Added a runtime guard for the 504 Gateway Timeout error code that is returned to downstream on timeout. If the runtime flag envoy.reloadable_features.ext_proc_timeout_error is set to false, the old error code 500 Internal Server Error is returned instead.

  • quic: Fixed the access log formatter %CONNECTION_ID% for QUIC connections.

  • websocket: Fixed a bug where the websocket upgrade filter would not take into account per-filter configs.

Removed config or runtime

Normally occurs at the end of the deprecation period

  • DNS: Removed envoy.reloadable_features.dns_cache_set_first_resolve_complete runtime flag and legacy code paths.

  • dynamic forward proxy: Removed envoy.reloadable_features.normalize_host_for_preresolve_dfp_dns runtime flag and legacy code paths.

  • ext_proc: Removed runtime flag envoy_reloadable_features_immediate_response_use_filter_mutation_rule and legacy code path.

  • ext_proc: Removed runtime flag envoy_reloadable_features_send_header_raw_value and legacy code path.

  • grpc reverse bridge: Removed envoy.reloadable_features.grpc_http1_reverse_bridge_change_http_status runtime flag and legacy code paths.

  • grpc reverse bridge: Removed envoy.reloadable_features.grpc_http1_reverse_bridge_handle_empty_response runtime flag and legacy code paths.

  • http: Removed runtime flag envoy.reloadable_features.abort_filter_chain_on_stream_reset and legacy code path.

  • http: Removed runtime flag envoy.reloadable_features.http1_connection_close_header_in_redirect and legacy code paths.

  • http: Removed runtime flag envoy.reloadable_features.no_downgrade_to_canonical_name and legacy code path.

  • quic: Removed envoy.reloadable_features.quic_fix_filter_manager_uaf runtime flag and legacy code paths.

  • stateful_session: Removed envoy.reloadable_features.stateful_session_encode_ttl_in_cookie runtime flag and legacy code paths.

  • tls: Removed runtime flag envoy.reloadable_features.ssl_transport_failure_reason_format.

  • udp: Removed envoy.restart_features.udp_read_normalize_addresses runtime flag and legacy code paths.

  • upstream: Removed runtime flag envoy.reloadable_features.avoid_zombie_streams and legacy code paths.

  • upstream: Removed runtime flag envoy.reloadable_features.upstream_allow_connect_with_2xx and legacy code paths.

  • upstream flow control: Removed envoy.reloadable_features.upstream_wait_for_response_headers_before_disabling_read runtime flag and legacy code paths.

New features

  • access_log: Added new access log command operators %START_TIME_LOCAL% and %EMIT_TIME_LOCAL%, similar to %START_TIME% and %EMIT_TIME% but using the local time zone.

  • access_log: Added the %UPSTREAM_CLUSTER_RAW% access log formatter to log the original upstream cluster name, regardless of whether alt_stat_name is set.

  • dns: Prefer using IPv6 address when addresses from both families are available. Can be reverted by setting envoy.reloadable_features.prefer_ipv6_dns_on_macos to false.

  • ext_authz: Added config field filter_metadata for injecting arbitrary data to the filter state for logging.

  • formatter: Added full absl::FormatTime() support to the DateFormatter. This allows the timepoint formatters (like %START_TIME%) to use %E#S, %E*S, %E#f and %E*f to format the subsecond part of the timepoint.

  • grpc_field_extraction: Added map<string, string> support: Target fields of type map<string, string> can be extracted and added to dynamic metadata.

  • http_11_proxy: Added the option to configure the transport socket via locality or endpoint metadata.

  • jwt_authn: Added missing implementation to jwt_authn matchers to allow glob pattern matching.

  • matching: Added dynamic metadata matcher support: Dynamic metadata input and Dynamic metadata input matcher.

  • ratelimit: Added the ability to modify hits_addend by setting the filter state value envoy.ratelimit.hits_addend to the desired value.

  • rbac: Added delay_deny to support denying the connection after the configured duration.

  • redis: Added support for publish.

  • sockets: Added a socket type field under SocketOption for specifying which socket type the socket option applies to. If not specified, the socket option is applied to all socket types.

  • tls: Added prefer_client_ciphers to support enabling client cipher preference instead of server’s for TLS handshakes.

  • tls: Added an extension point custom_tls_certificate_selector to allow overriding TLS certificate selection behavior. An extension can select a certificate based on the incoming SNI, in both sync and async mode.
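The access log configuration below is an added example (not from the release notes or from Envoy's documentation) that puts the new access_log operators and the absl::FormatTime subsecond specifiers from this section together in one HttpConnectionManager access log. The log is written to stdout; the field layout is a constructed choice, and the HCM fragment is abbreviated to the access_log block.

```yaml
# Fragment of an HttpConnectionManager typed_config; the rest of the listener is omitted.
access_log:
- name: envoy.access_loggers.stdout
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
    log_format:
      text_format_source:
        inline_string: |
          [%START_TIME_LOCAL(%Y-%m-%dT%H:%M:%E3S%z)%] [%EMIT_TIME_LOCAL(%Y-%m-%dT%H:%M:%E3S%z)%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% cluster=%UPSTREAM_CLUSTER% cluster_raw=%UPSTREAM_CLUSTER_RAW% conn=%CONNECTION_ID% downstream=%DOWNSTREAM_REMOTE_ADDRESS%
```

Notes on the choices: %START_TIME_LOCAL% and %EMIT_TIME_LOCAL% render in the host's local time zone with a %z offset so that lines remain unambiguous when correlated with logs from hosts in other zones; %E3S (new with the absl::FormatTime support) prints seconds with exactly three subsecond digits, where the older %3f-style specifiers remain available. Logging both %UPSTREAM_CLUSTER% and %UPSTREAM_CLUSTER_RAW% makes it visible when alt_stat_name has renamed a cluster in stats, which is useful when an investigation pivots between stats and access logs.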