forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcurrent.yaml
219 lines (214 loc) · 11.7 KB
/
current.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
date: Pending
behavior_changes:
# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
- area: wasm
change: |
The route cache will not be cleared by default if the wasm extension modified the request headers and
the ABI version of wasm extension is larger then 0.2.1.
- area: wasm
change: |
Remove previously deprecated xDS attributes from ``get_property``, use ``xds`` attributes instead.
- area: http
change: |
RFC1918 addresses are no longer considered to be internal addresses by default. This addresses a security
issue for Envoy's in multi-tenant mesh environments. Please explicit set
:ref:`internal_address_config
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`
to retain the prior behavior.
This change can be temporarily reverted by setting runtime guard
``envoy.reloadable_features.explicit_internal_address_config`` to ``false``.
minor_behavior_changes:
# *Changes that may cause incompatibilities for some users, but should not for most*
- area: access_log
change: |
New implementation of the JSON formatter will be enabled by default.
The :ref:`sort_properties <envoy_v3_api_field_config.core.v3.JsonFormatOptions.sort_properties>` field will
be ignored in the new implementation because the new implementation always sorts properties. And the new implementation
will always keep the value type in the JSON output. For example, the duration field will always be rendered as a number
instead of a string.
This behavior change could be disabled temporarily by setting the runtime
``envoy.reloadable_features.logging_with_fast_json_formatter`` to false.
- area: xds
change: |
A minor delta-xDS optimization that avoids copying resources when ingesting them was introduced.
No impact to the behavior is expected, but a runtime flag was added as this may impact config-ingestion
related extensions (e.g., custom-config-validators, config-tracker), as the order of the elements passed
to the callback functions may be different. This change can be temporarily reverted
by setting ``envoy.reloadable_features.xds_prevent_resource_copy`` to ``false``.
- area: formatter
change: |
The NaN and Infinity values of float will be serialized to ``null`` and ``"inf"`` respectively in the
metadata (``DYNAMIC_METADATA``, ``CLUSTER_METADATA``, etc.) formatter.
- area: sds
change: |
Relaxed the backing cluster validation for Secret Discovery Service(SDS). Currently, the cluster that supports SDS,
needs to be a primary cluster i.e. a non-EDS cluster defined in bootstrap configuration. This change relaxes that
restriction i.e. SDS cluster can be a dynamic cluster. This change is enabled by default, and can be reverted by setting
the runtime flag ``envoy.restart_features.skip_backing_cluster_check_for_sds`` to ``false``.
- area: http
change: |
If the :ref:`pack_trace_reason <envoy_v3_api_field_extensions.request_id.uuid.v3.UuidRequestIdConfig.pack_trace_reason>`
is set to false, Envoy will not parse the trace reason from the ``x-request-id`` header to ensure reads and writes of
trace reason be consistant.
If the :ref:`pack_trace_reason <envoy_v3_api_field_extensions.request_id.uuid.v3.UuidRequestIdConfig.pack_trace_reason>`
is set to true and external ``x-request-id`` value is used, the trace reason in the external request id will not
be trusted and will be cleared.
- area: oauth2
change: |
:ref:`use_refresh_token <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.use_refresh_token>`
is now enabled by default. This behavioral change can be temporarily reverted by setting runtime guard
``envoy.reloadable_features.oauth2_use_refresh_token`` to false.
- area: quic
change: |
Enable UDP GRO in QUIC client connections by default. This behavior can be reverted by setting
the runtime guard ``envoy.reloadable_features.prefer_quic_client_udp_gro`` to false.
- area: scoped_rds
change: |
The :ref:`route_configuration <envoy_v3_api_field_config.route.v3.ScopedRouteConfiguration.route_configuration>` field
is supported when the ``ScopedRouteConfiguration`` resource is delivered via SRDS.
bug_fixes:
# *Changes expected to improve the state of the world and are unlikely to have negative effects*
- area: tls
change: |
Support operations on IP SANs when the IP version is not supported by the host operating system, for example
an IPv6 SAN can now be used on a host not supporting IPv6 addresses.
- area: scoped_rds
change: |
Fixes scope key leak and spurious scope key conflicts when an update to an SRDS resource changes the key.
- area: stats ads grpc
change: |
Fixed metric for ADS disconnection counters using Google GRPC client. This extracts the GRPC client prefix specified
in the :ref:`google_grpc <envoy_v3_api_field_config.core.v3.GrpcService.google_grpc>` resource used for ADS, and adds
that as a tag ``envoy_google_grpc_client_prefix`` to the Prometheus stats.
- area: access_log
change: |
Relaxed the restriction on SNI logging to allow the ``_`` character, even if
``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
- area: DNS
change: |
Fixed bug where setting ``dns_jitter <envoy_v3_api_field_config.cluster.v3.Cluster.dns_jitter>`` to large values caused Envoy Bug
to fire.
removed_config_or_runtime:
# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
- area: router
change: |
Removed runtime guard ``envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request``.
- area: load balancing
change: |
Removed runtime guard ``envoy.reloadable_features.edf_lb_host_scheduler_init_fix`` and legacy code paths.
- area: load balancing
change: |
Removed runtime guard ``envoy.reloadable_features.edf_lb_locality_scheduler_init_fix`` and legacy code paths.
- area: grpc
change: |
Removed runtime guard ``envoy.reloadable_features.validate_grpc_header_before_log_grpc_status``.
- area: http
change: |
Removed runtime flag ``envoy.reloadable_features.http_route_connect_proxy_by_default`` and legacy code paths.
- area: http2
change: |
Removed runtime flag ``envoy.reloadable_features.defer_processing_backedup_streams`` and legacy code paths.
- area: dns
change: |
Removed runtime flag ``envoy.reloadable_features.dns_reresolve_on_eai_again`` and legacy code paths.
- area: quic
change: |
Removed runtime flag ``envoy.restart_features.quic_handle_certs_with_shared_tls_code`` and legacy code paths.
- area: upstream
change: |
Removed runtime flag ``envoy.restart_features.allow_client_socket_creation_failure`` and legacy code paths.
new_features:
- area: wasm
change: |
Added the wasm vm reload support to reload wasm vm when the wasm vm is failed with runtime errors. See
:ref:`failure_policy <envoy_v3_api_field_extensions.wasm.v3.PluginConfig.failure_policy>` for more details.
The ``FAIL_RELOAD`` reload policy will be used by default.
- area: aws_request_signing
change: |
Added an optional field :ref:`credential_provider
<envoy_v3_api_field_extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.credential_provider>`
to the AWS request signing filter to explicitly specify a source for AWS credentials.
- area: tls
change: |
Added support for P-384 and P-521 curves for TLS server certificates.
- area: tls
change: |
Added an :ref:`option
<envoy_v3_api_field_extensions.transport_sockets.tls.v3.UpstreamTlsContext.auto_host_sni>` to change the upstream
SNI to the configured hostname for the upstream.
- area: tls
change: |
Added an :ref:`option
<envoy_v3_api_field_extensions.transport_sockets.tls.v3.UpstreamTlsContext.auto_sni_san_validation>` to validate
the upstream server certificate SANs against the actual SNI value sent, regardless of the method of configuring SNI.
- area: xds
change: |
Added support for ADS replacement by invoking ``xdsManager().setAdsConfigSource()`` with a new config source.
- area: wasm
change: |
added ``clear_route_cache`` foreign function to clear the route cache.
- area: access_log
change: |
Added %DOWNSTREAM_LOCAL_EMAIL_SAN%, %DOWNSTREAM_PEER_EMAIL_SAN%, %DOWNSTREAM_LOCAL_OTHERNAME_SAN% and
%DOWNSTREAM_PEER_OTHERNAME_SAN% substitution formatters.
- area: access_log
change: |
Added support for logging upstream connection establishment duration in the
:ref:`%COMMON_DURATION% <config_access_log_format_common_duration>` access log
formatter operator. The following time points were added: ``%US_CX_BEG%``,
``%US_CX_END%``, ``%US_HS_END%``.
- area: quic
change: |
Added :ref:`QUIC stats debug visitor <envoy_v3_api_msg_extensions.quic.connection_debug_visitor.quic_stats.v3.Config>` to
get more stats from the QUIC transport.
- area: http_inspector
change: |
Added default-false ``envoy.reloadable_features.http_inspector_use_balsa_parser`` for HttpInspector to use BalsaParser.
- area: overload
change: |
Added support for scaling :ref:`max connection duration
<envoy_v3_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_CONNECTION_MAX>`.
This can be used to reduce the max connection duration in response to overload.
- area: tracers
change: |
Set resource ``telemetry.sdk.*`` and scope ``otel.scope.name|version`` attributes for the OpenTelemetry tracer.
- area: lua
change: |
Added ssl :ref:`parsedSubjectPeerCertificate() <config_http_filters_lua_parsed_name>` API.
- area: lua cluster specifier
change: |
Added ability for a Lua script to query clusters for current requests and connections.
- area: udp_proxy
change: |
Added support for dynamic cluster selection in UDP proxy. The cluster can be set by one of the session filters
by setting a per-session state object under the key ``envoy.udp_proxy.cluster``.
- area: CEL-attributes
change: |
Added :ref:`attribute <arch_overview_attributes>` ``upstream.request_attempt_count``
to get the number of times a request is attempted upstream.
- area: ip-tagging
change: |
Adds support for specifying an alternate header
:ref:`ip_tag_header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.ip_tag_header>`
for appending IP tags via ip-tagging filter instead of using the default header ``x-envoy-ip-tags``.
- area: c-ares
change: |
added two new options to c-ares resolver for configuring custom timeouts and tries while resolving DNS
queries. Custom timeouts could be configured by specifying :ref:`query_timeout_seconds
<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.query_timeout_seconds>` and
custom tries could be configured by specifying :ref:`query_tries
<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.query_tries>`.
- area: rbac
change: |
added :ref:`sourced_metadata <envoy_v3_api_field_config.rbac.v3.Permission.sourced_metadata>` which allows
specifying an optional source for the metadata to be matched in addition to the metadata matcher.
- area: c-ares
change: |
added nameserver rotation option to c-ares resolver. When enabled via :ref:rotate_nameservers
<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.rotate_nameservers>, this
performs round-robin selection of the configured nameservers for each resolution to help distribute query load.
deprecated:
- area: rbac
change: |
metadata :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>` is now deprecated in the
favor of :ref:`sourced_metadata <envoy_v3_api_field_config.rbac.v3.Permission.sourced_metadata>`.