diff --git a/docs/conf.py b/docs/conf.py index 627225f98e58..901d90c191bd 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -106,7 +106,7 @@ def _config(key): # Only lookup intersphinx for explicitly prefixed in cross-references # This makes docs versioning work -intersphinx_disabled_domains = ['std'] +intersphinx_disabled_reftypes = ['*'] # Setup global substitutions if 'pre-release' in release_level: diff --git a/docs/root/version_history/v1.19.3.rst b/docs/root/version_history/v1.19.3.rst index 44ed3847fb00..e6fe92e6e446 100644 --- a/docs/root/version_history/v1.19.3.rst +++ b/docs/root/version_history/v1.19.3.rst @@ -14,7 +14,7 @@ Bug Fixes * data plane: fix crash when internal redirect selects a route configured with direct response or redirect actions. * jwt_authn: fixed the crash when a CONNECT request is sent to JWT filter configured with regex match on the Host header. -* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. +* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. Removed Config or Runtime ------------------------- diff --git a/docs/root/version_history/v1.20.0.rst b/docs/root/version_history/v1.20.0.rst index 1378e06c09ab..f0db312e62ac 100644 --- a/docs/root/version_history/v1.20.0.rst +++ b/docs/root/version_history/v1.20.0.rst 
@@ -32,21 +32,21 @@ Incompatible Behavior Changes point forward. * config: the ``--bootstrap-version`` CLI flag has been removed, Envoy has only been able to accept v3 bootstrap configurations since 1.18.0. -* contrib: the :ref:`squash filter ` has been moved to - :ref:`contrib images `. -* contrib: the :ref:`kafka broker filter ` has been moved to - :ref:`contrib images `. -* contrib: the :ref:`RocketMQ proxy filter ` has been moved to - :ref:`contrib images `. -* contrib: the :ref:`Postgres proxy filter ` has been moved to - :ref:`contrib images `. -* contrib: the :ref:`MySQL proxy filter ` has been moved to - :ref:`contrib images `. -* dns_filter: :ref:`dns_filter ` +* contrib: the :ref:`squash filter ` has been moved to + :ref:`contrib images `. +* contrib: the :ref:`kafka broker filter ` has been moved to + :ref:`contrib images `. +* contrib: the :ref:`RocketMQ proxy filter ` has been moved to + :ref:`contrib images `. +* contrib: the :ref:`Postgres proxy filter ` has been moved to + :ref:`contrib images `. +* contrib: the :ref:`MySQL proxy filter ` has been moved to + :ref:`contrib images `. +* dns_filter: :ref:`dns_filter ` protobuf fields have been renumbered to restore compatibility with Envoy 1.18, breaking compatibility with Envoy 1.19.0 and 1.19.1. The new field numbering allows control planes supporting Envoy 1.18 to gracefully upgrade to - :ref:`dns_resolution_config `, + :ref:`dns_resolution_config `, provided they skip over Envoy 1.19.0 and 1.19.1. Control planes upgrading from Envoy 1.19.0 and 1.19.1 will need to vendor the corresponding protobuf definitions to ensure that the 
@@ -73,7 +73,7 @@ Minor Behavior Changes `here `_ for more information. Some APIs that are known to be implicitly not work-in-progress have been force migrated and are individually indicated elsewhere in the release notes. A server-wide ``wip_protos`` counter has - also been added in :ref:`server statistics ` to track this. + also been added in :ref:`server statistics ` to track this. * ext_authz: fixed skipping authentication when returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. * grpc: gRPC async client can be cached and shared across filter instances in the same thread, this feature is turned off by default, can be turned on by setting runtime guard ``envoy.reloadable_features.enable_grpc_async_client_cache`` to true. * http: correct the use of the ``x-forwarded-proto`` header and the ``:scheme`` header. Where they differ 
@@ -86,12 +86,12 @@ Minor Behavior Changes ``envoy.reloadable_features.http_strip_fragment_from_path_unsafe_if_disabled``. This runtime guard must only be set to false when existing non-compliant traffic relies on #fragment in URI. When this option is enabled, Envoy request authorization extensions may be bypassed. This override and its associated behavior will be decommissioned after the standard deprecation period. -* http: set the default :ref:`lazy headermap threshold ` to 3, +* http: set the default :ref:`lazy headermap threshold ` to 3, which defines the minimal number of headers in a request/response/trailers required for using a dictionary in addition to the list. Setting the ``envoy.http.headermap.lazy_map_min_size`` runtime feature to a non-negative number will override the default value. * http: stop processing pending H/2 frames if connection transitioned to a closed state. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.skip_dispatching_frames_for_closed_connection`` to false. -* listener: added the :ref:`enable_reuse_port ` +* listener: added the :ref:`enable_reuse_port ` field and changed the default for ``reuse_port`` from false to true, as the feature is now well supported on the majority of production Linux kernels in use. The default change is aware of the hot restart, as otherwise, the change would not be backward compatible between restarts. This means 
@@ -103,7 +103,7 @@ Minor Behavior Changes information. * listener: destroy per network filter chain stats when a network filter chain is removed during the listener in-place update. * quic: enables IETF connection migration. This feature requires a stable UDP packet routine in the L4 load balancer with the same first-4-bytes in connection id. It can be turned off by setting runtime guard ``envoy.reloadable_features.FLAGS_quic_reloadable_flag_quic_connection_migration_use_new_cid_v2`` to false. -* thrift_proxy: allow Framed and Header transport combinations to perform :ref:`payload passthrough `. +* thrift_proxy: allow Framed and Header transport combinations to perform :ref:`payload passthrough `. Bug Fixes --------- 
@@ -112,14 +112,14 @@ Bug Fixes * access log: fix ``%UPSTREAM_CLUSTER%`` when used in http upstream access logs. Previously, it was always logging as an unset value. * aws request signer: fix the AWS Request Signer extension to correctly normalize the path and query string to be signed according to AWS' guidelines, so that the hash on the server side matches. See `AWS SigV4 documentation `_. * cluster: delete pools when they're idle to fix unbounded memory use when using PROXY protocol upstream with tcp_proxy. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.conn_pool_delete_when_idle`` runtime guard to false. -* cluster: finish cluster warming even if hosts are removed before health check initialization. This only affected clusters with :ref:`ignore_health_on_host_removal `. +* cluster: finish cluster warming even if hosts are removed before health check initialization. This only affected clusters with :ref:`ignore_health_on_host_removal `. * compressor: fix a bug where if trailers were added and a subsequent filter paused the filter chain, the request could be stalled. This behavior can be reverted by setting ``envoy.reloadable_features.fix_added_trailers`` to false. -* dynamic forward proxy: fixing a validation bug where san and sni checks were not applied setting :ref:`http_protocol_options ` via :ref:`typed_extension_protocol_options `. +* dynamic forward proxy: fixing a validation bug where san and sni checks were not applied setting :ref:`http_protocol_options ` via :ref:`typed_extension_protocol_options `. * ext_authz: fix the ext_authz filter to correctly merge multiple same headers using the ',' as separator in the check request to the external authorization service. -* ext_authz: fix the use of ``append`` field of :ref:`response_headers_to_add ` to set or append encoded response headers from a gRPC auth server. 
+* ext_authz: fix the use of ``append`` field of :ref:`response_headers_to_add ` to set or append encoded response headers from a gRPC auth server. * ext_authz: fix the HTTP ext_authz filter to respond with ``403 Forbidden`` when a gRPC auth server sends a denied check response with an empty HTTP status code. * ext_authz: the network ext_authz filter now correctly sets dynamic metadata returned by the authorization service for non-OK responses. This behavior now matches the http ext_authz filter. -* hcm: remove deprecation for :ref:`xff_num_trusted_hops ` and forbid mixing ip detection extensions with old related knobs. +* hcm: remove deprecation for :ref:`xff_num_trusted_hops ` and forbid mixing ip detection extensions with old related knobs. * http: limit use of deferred resets in the http2 codec to server-side connections. Use of deferred reset for client connections can result in incorrect behavior and performance problems. * listener: fixed an issue on Windows where connections are not handled by all worker threads. * lua: fix ``BodyBuffer`` setting a Lua string and printing Lua string containing hex characters. Previously, ``BodyBuffer`` setting a Lua string or printing strings with hex characters will be truncated. @@ -127,7 +127,7 @@ Bug Fixes Removed Config or Runtime ------------------------- -*Normally occurs at the end of the* :ref:`deprecation period ` +*Normally occurs at the end of the* :ref:`deprecation period ` * http: removed ``envoy.reloadable_features.http_upstream_wait_connect_response`` runtime guard and legacy code paths. * http: removed ``envoy.reloadable_features.allow_preconnect`` runtime guard and legacy code paths. 
@@ -138,52 +138,52 @@ Removed Config or Runtime New Features ------------ -* access_log: added :ref:`METADATA` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). -* bootstrap: added :ref:`inline_headers ` in the bootstrap to make custom inline headers bootstrap configurable. -* contrib: added new :ref:`contrib images ` which contain contrib extensions. -* dns: added :ref:`V4_PREFERRED ` option to return V6 addresses only if V4 addresses are not available. -* ext_authz: added :ref:`dynamic_metadata_from_headers ` to support emitting dynamic metadata from headers returned by an external authorization service via HTTP. -* grpc reverse bridge: added a new :ref:`option ` to support streaming response bodies when withholding gRPC frames from the upstream. -* grpc_json_transcoder: added support to unescape '+' in query parameters to space with a new config field :ref:`query_param_unescape_plus `. -* http: added cluster_header in :ref:`weighted_clusters ` to allow routing to the weighted cluster specified in the request_header. -* http: added :ref:`alternate_protocols_cache_options ` for enabling HTTP/3 connections to servers which advertise HTTP/3 support via `HTTP Alternative Services `_ and caching the advertisements to disk. -* http: added :ref:`string_match ` in the header matcher. -* http: added :ref:`x-envoy-upstream-stream-duration-ms ` that allows configuring the max stream duration via a request header. -* http: added support for :ref:`max_requests_per_connection ` for both upstream and downstream connections. -* http: sanitizing the referer header as documented :ref:`here `. This feature can be temporarily turned off by setting runtime guard ``envoy.reloadable_features.sanitize_http_header_referer`` to false. +* access_log: added :ref:`METADATA ` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). +* bootstrap: added :ref:`inline_headers ` in the bootstrap to make custom inline headers bootstrap configurable. 
+* contrib: added new :ref:`contrib images ` which contain contrib extensions. +* dns: added :ref:`V4_PREFERRED ` option to return V6 addresses only if V4 addresses are not available. +* ext_authz: added :ref:`dynamic_metadata_from_headers ` to support emitting dynamic metadata from headers returned by an external authorization service via HTTP. +* grpc reverse bridge: added a new :ref:`option ` to support streaming response bodies when withholding gRPC frames from the upstream. +* grpc_json_transcoder: added support to unescape '+' in query parameters to space with a new config field :ref:`query_param_unescape_plus `. +* http: added cluster_header in :ref:`weighted_clusters ` to allow routing to the weighted cluster specified in the request_header. +* http: added :ref:`alternate_protocols_cache_options ` for enabling HTTP/3 connections to servers which advertise HTTP/3 support via `HTTP Alternative Services `_ and caching the advertisements to disk. +* http: added :ref:`string_match ` in the header matcher. +* http: added :ref:`x-envoy-upstream-stream-duration-ms ` that allows configuring the max stream duration via a request header. +* http: added support for :ref:`max_requests_per_connection ` for both upstream and downstream connections. +* http: sanitizing the referer header as documented :ref:`here `. This feature can be temporarily turned off by setting runtime guard ``envoy.reloadable_features.sanitize_http_header_referer`` to false. * http: validating outgoing HTTP/2 CONNECT requests to ensure that if ``:path`` is set that ``:protocol`` is present. This behavior can be temporarily turned off by setting runtime guard ``envoy.reloadable_features.validate_connect`` to false. -* jwt_authn: added support for :ref:`Jwt Cache ` and its size can be specified by :ref:`jwt_cache_size `. -* jwt_authn: added support for extracting JWTs from request cookies using :ref:`from_cookies `. 
-* jwt_authn: added support for setting the extracted headers from a successfully verified JWT using :ref:`header_in_metadata ` to dynamic metadata. +* jwt_authn: added support for :ref:`Jwt Cache ` and its size can be specified by :ref:`jwt_cache_size `. +* jwt_authn: added support for extracting JWTs from request cookies using :ref:`from_cookies `. +* jwt_authn: added support for setting the extracted headers from a successfully verified JWT using :ref:`header_in_metadata ` to dynamic metadata. * listener: new listener metric ``downstream_cx_transport_socket_connect_timeout`` to track transport socket timeouts. -* lua: added ``header:getAtIndex()`` and ``header:getNumValues()`` methods to :ref:`header object ` for retrieving the value of a header at certain index and get the total number of values for a given header. -* matcher: added :ref:`invert ` for inverting the match result in the metadata matcher. -* overload: add a new overload action that resets streams using a lot of memory. To enable the tracking of allocated bytes in buffers that a stream is using we need to configure the minimum threshold for tracking via :ref:`buffer_factory_config `. We have an overload action ``Envoy::Server::OverloadActionNameValues::ResetStreams`` that takes advantage of the tracking to reset the most expensive stream first. -* rbac: added :ref:`destination_port_range ` for matching range of destination ports. -* rbac: added :ref:`matcher` along with extension category ``extension_category_envoy.rbac.matchers`` for custom RBAC permission matchers. Added reference implementation for matchers :ref:`envoy.rbac.matchers.upstream_ip_port `. -* route config: added :ref:`dynamic_metadata ` for routing based on dynamic metadata. -* router: added retry options predicate extensions configured via :ref:`retry_options_predicates. ` These extensions allow modification of requests between retries at the router level. 
There are not currently any built-in extensions that implement this extension point. -* router: added :ref:`per_try_idle_timeout ` timeout configuration. -* router: added an optional :ref:`override_auto_sni_header ` to support setting SNI value from an arbitrary header other than host/authority. -* sxg_filter: added filter to transform response to SXG package to :ref:`contrib images `. This can be enabled by setting :ref:`SXG ` configuration. -* thrift_proxy: added support for :ref:`mirroring requests `. +* lua: added ``header:getAtIndex()`` and ``header:getNumValues()`` methods to :ref:`header object ` for retrieving the value of a header at certain index and get the total number of values for a given header. +* matcher: added :ref:`invert ` for inverting the match result in the metadata matcher. +* overload: add a new overload action that resets streams using a lot of memory. To enable the tracking of allocated bytes in buffers that a stream is using we need to configure the minimum threshold for tracking via :ref:`buffer_factory_config `. We have an overload action ``Envoy::Server::OverloadActionNameValues::ResetStreams`` that takes advantage of the tracking to reset the most expensive stream first. +* rbac: added :ref:`destination_port_range ` for matching range of destination ports. +* rbac: added :ref:`matcher ` along with extension category ``extension_category_envoy.rbac.matchers`` for custom RBAC permission matchers. Added reference implementation for matchers :ref:`envoy.rbac.matchers.upstream_ip_port `. +* route config: added :ref:`dynamic_metadata ` for routing based on dynamic metadata. +* router: added retry options predicate extensions configured via :ref:`retry_options_predicates. ` These extensions allow modification of requests between retries at the router level. There are not currently any built-in extensions that implement this extension point. +* router: added :ref:`per_try_idle_timeout ` timeout configuration. 
+* router: added an optional :ref:`override_auto_sni_header ` to support setting SNI value from an arbitrary header other than host/authority. +* sxg_filter: added filter to transform response to SXG package to :ref:`contrib images `. This can be enabled by setting :ref:`SXG ` configuration. +* thrift_proxy: added support for :ref:`mirroring requests `. * udp: allows updating filter chain in-place through LDS, which is supported by Quic listener. Such listener config will be rejected in other connection-less UDP listener implementations. It can be reverted by ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place``. * udp: disallow L4 filter chain in config which configures connection-less UDP listener. It can be reverted by ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place``. -* upstream: added support for :ref:`slow start mode `, which allows to progresively increase traffic for new endpoints. -* upstream: extended :ref:`Round Robin load balancer configuration ` with :ref:`slow start ` support. -* upstream: extended :ref:`Least Request load balancer configuration ` with :ref:`slow start ` support. +* upstream: added support for :ref:`slow start mode `, which allows to progresively increase traffic for new endpoints. +* upstream: extended :ref:`Round Robin load balancer configuration ` with :ref:`slow start ` support. +* upstream: extended :ref:`Least Request load balancer configuration ` with :ref:`slow start ` support. * windows: added a new container image based on Windows Nanoserver 2022. * xray: request direction (``ingress`` or ``egress``) is recorded as X-Ray trace segment's annotation by name ``direction``. Deprecated ---------- -* api: the :ref:`matcher ` field has been deprecated in favor of - :ref:`matcher ` in order to break a build dependency. -* cluster: :ref:`max_requests_per_connection ` is deprecated in favor of :ref:`max_requests_per_connection `. 
-* http: the HeaderMatcher fields :ref:`exact_match `, :ref:`safe_regex_match `, - :ref:`prefix_match `, :ref:`suffix_match ` and - :ref:`contains_match ` are deprecated by :ref:`string_match `. -* listener: :ref:`reuse_port ` has been - deprecated in favor of :ref:`enable_reuse_port `. +* api: the :ref:`matcher ` field has been deprecated in favor of + :ref:`matcher ` in order to break a build dependency. +* cluster: :ref:`max_requests_per_connection ` is deprecated in favor of :ref:`max_requests_per_connection `. +* http: the HeaderMatcher fields :ref:`exact_match `, :ref:`safe_regex_match `, + :ref:`prefix_match `, :ref:`suffix_match ` and + :ref:`contains_match ` are deprecated by :ref:`string_match `. +* listener: :ref:`reuse_port ` has been + deprecated in favor of :ref:`enable_reuse_port `. At the same time, the default has been changed from false to true. See above for more information. diff --git a/docs/root/version_history/v1.20.1.rst b/docs/root/version_history/v1.20.1.rst index 5ee3ba7bc0c2..74b061eaa66c 100644 --- a/docs/root/version_history/v1.20.1.rst +++ b/docs/root/version_history/v1.20.1.rst @@ -23,7 +23,7 @@ Bug Fixes Removed Config or Runtime ------------------------- -*Normally occurs at the end of the* :ref:`deprecation period ` +*Normally occurs at the end of the* :ref:`deprecation period ` New Features ------------ diff --git a/docs/root/version_history/v1.20.2.rst b/docs/root/version_history/v1.20.2.rst index ad8dc61a21d4..a9eef38b41d4 100644 --- a/docs/root/version_history/v1.20.2.rst +++ b/docs/root/version_history/v1.20.2.rst 
@@ -15,20 +15,26 @@ Bug Fixes * data plane: fix crash when internal redirect selects a route configured with direct response or redirect actions. * jwt_authn: fixed the crash when a CONNECT request is sent to JWT filter configured with regex match on the Host header. -* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. +* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. * upstream: fix stack overflow when a cluster with large number of idle connections is removed. Removed Config or Runtime ------------------------- -*Normally occurs at the end of the* :ref:`deprecation period ` +*Normally occurs at the end of the* :ref:`deprecation period ` New Features ------------ -+* tls: added support for :ref:`match_typed_subject_alt_names ` for subject alternative names to enforce specifying the subject alternative name type for the matcher to prevent matching against an unintended type in the certificate. +.. + TODO(phlax): These links/refs have been set to v1.21 due to v1.20.2 not building/publishing - update once v1.20.3 lands + ++* tls: added support for :ref:`match_typed_subject_alt_names ` for subject alternative names to enforce specifying the subject alternative name type for the matcher to prevent matching against an unintended type in the certificate. Deprecated ---------- -+* tls: :ref:`match_subject_alt_names ` has been deprecated in favor of the :ref:`match_typed_subject_alt_names `. +.. + TODO(phlax): These links/refs have been set to v1.21 due to v1.20.2 not building/publishing - update once v1.20.3 lands + ++* tls: :ref:`match_subject_alt_names ` has been deprecated in favor of the :ref:`match_typed_subject_alt_names `. 
diff --git a/docs/root/version_history/v1.21.0.rst b/docs/root/version_history/v1.21.0.rst index e63d73ae4a31..9cfd6194e678 100644 --- a/docs/root/version_history/v1.21.0.rst +++ b/docs/root/version_history/v1.21.0.rst 
@@ -5,21 +5,21 @@ Incompatible Behavior Changes ----------------------------- *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* -* auto_config: :ref:`auto_config ` now verifies that any transport sockets configured via :ref:`transport_socket_matches ` support ALPN. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.correctly_validate_alpn`` to false. -* xds: ``*`` became a reserved name for a wildcard resource that can be subscribed to and unsubscribed from at any time. This is a requirement for implementing the on-demand xDSes (like on-demand CDS) that can subscribe to specific resources next to their wildcard subscription. If such xDS is subscribed to both wildcard resource and to other specific resource, then in stream reconnection scenario, the xDS will not send an empty initial request, but a request containing ``*`` for wildcard subscription and the rest of the resources the xDS is subscribed to. If the xDS is only subscribed to wildcard resource, it will try to send a legacy wildcard request. This behavior implements the recent changes in :ref:`xDS protocol ` and can be temporarily reverted by setting the ``envoy.restart_features.explicit_wildcard_resource`` runtime guard to false. +* auto_config: :ref:`auto_config ` now verifies that any transport sockets configured via :ref:`transport_socket_matches ` support ALPN. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.correctly_validate_alpn`` to false. +* xds: ``*`` became a reserved name for a wildcard resource that can be subscribed to and unsubscribed from at any time. This is a requirement for implementing the on-demand xDSes (like on-demand CDS) that can subscribe to specific resources next to their wildcard subscription. 
If such xDS is subscribed to both wildcard resource and to other specific resource, then in stream reconnection scenario, the xDS will not send an empty initial request, but a request containing ``*`` for wildcard subscription and the rest of the resources the xDS is subscribed to. If the xDS is only subscribed to wildcard resource, it will try to send a legacy wildcard request. This behavior implements the recent changes in :ref:`xDS protocol ` and can be temporarily reverted by setting the ``envoy.restart_features.explicit_wildcard_resource`` runtime guard to false. Minor Behavior Changes ---------------------- *Changes that may cause incompatibilities for some users, but should not for most* -* bandwidth_limit: added :ref:`response trailers ` when request or response delay are enforced. -* bandwidth_limit: added :ref:`bandwidth limit stats ` *request_enforced* and *response_enforced*. -* dns: now respecting the returned DNS TTL for resolved hosts, rather than always relying on the hard-coded :ref:`dns_refresh_rate. `. This behavior can be temporarily reverted by setting the runtime guard ``envoy.reloadable_features.use_dns_ttl`` to false. +* bandwidth_limit: added :ref:`response trailers ` when request or response delay are enforced. +* bandwidth_limit: added :ref:`bandwidth limit stats ` *request_enforced* and *response_enforced*. +* dns: now respecting the returned DNS TTL for resolved hosts, rather than always relying on the hard-coded :ref:`dns_refresh_rate. `. This behavior can be temporarily reverted by setting the runtime guard ``envoy.reloadable_features.use_dns_ttl`` to false. * ext_authz: the ext_authz span was always getting sampled, even if the parent span was not; now the ext_authz span follows the parent's sampling status. -* http: directly responding with only a 1xx http status code isn't valid, and is now refused as invalid :ref:`direct_response ` config. 
+* http: directly responding with only a 1xx http status code isn't valid, and is now refused as invalid :ref:`direct_response ` config. * http: envoy will now proxy 102 and 103 headers from upstream, though as with 100s only the first 1xx response headers will be sent. This behavioral change by can temporarily reverted by setting runtime guard ``envoy.reloadable_features.proxy_102_103`` to false. * http: usage of the experimental matching API is no longer guarded behind a feature flag, as the corresponding protobuf fields have been marked as WIP. -* http: when a downstream connection hits a configured ``max_requests_per_connection``, it will send an HTTP/2 "shutdown notification" (GOAWAY frame with max stream ID) and go to a default grace period of 5000 milliseconds (5 seconds) if :ref:`drain_timeout ` is not specified. During this grace period, envoy will continue to accept new streams. After the grace period, a final GOAWAY is sent and envoy will start refusing new streams. However before the bugfix, during the grace period, every time a new stream is received, envoy would restart the drain which caused the grace period to be extended and so making it longer than the configured drain timeout. +* http: when a downstream connection hits a configured ``max_requests_per_connection``, it will send an HTTP/2 "shutdown notification" (GOAWAY frame with max stream ID) and go to a default grace period of 5000 milliseconds (5 seconds) if :ref:`drain_timeout ` is not specified. During this grace period, envoy will continue to accept new streams. After the grace period, a final GOAWAY is sent and envoy will start refusing new streams. However before the bugfix, during the grace period, every time a new stream is received, envoy would restart the drain which caused the grace period to be extended and so making it longer than the configured drain timeout. * json: switching from rapidjson to nlohmann/json. 
This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.remove_legacy_json`` to false. * listener: destroy per network filter chain stats when a network filter chain is removed during the listener in place update. * router: take elapsed time into account when setting the ``x-envoy-expected-rq-timeout-ms header`` for retries, and never send a value that's longer than the request timeout. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.update_expected_rq_timeout_on_retry`` to false. @@ -36,11 +36,11 @@ Bug Fixes * listener: fixed issue where more than one listener could listen on the same port if using reuse port, thus randomly accepting connections on different listeners. This configuration is now rejected. * tcp: fixing a log error where errors both from the kernel and the transport were not handled gracefully. * thrift_proxy: do not close downstream connections when an upstream connection overflow happens. -* thrift_proxy: fix the thrift_proxy connection manager to correctly report success/error response metrics when performing :ref:`payload passthrough `. +* thrift_proxy: fix the thrift_proxy connection manager to correctly report success/error response metrics when performing :ref:`payload passthrough `. Removed Config or Runtime ------------------------- -*Normally occurs at the end of the* :ref:`deprecation period ` +*Normally occurs at the end of the* :ref:`deprecation period ` * compression: removed ``envoy.reloadable_features.enable_compression_without_content_length_header`` runtime guard and legacy code paths. * grpc-web: removed ``envoy.reloadable_features.grpc_web_fix_non_proto_encoded_response_handling`` and legacy code paths. 
@@ -61,44 +61,44 @@ Removed Config or Runtime New Features ------------ -* access log: added :ref:`custom_tags ` to annotate log entries with custom tags. -* access log: added :ref:`grpc_stream_retry_policy ` to the gRPC logger to reconnect when a connection fails to be established. -* access_log: added :ref:`METADATA` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). +* access log: added :ref:`custom_tags ` to annotate log entries with custom tags. +* access log: added :ref:`grpc_stream_retry_policy ` to the gRPC logger to reconnect when a connection fails to be established. +* access_log: added :ref:`METADATA ` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). * access_log: added a CEL extension filter to enable filtering of access logs based on Envoy attribute expressions. * access_log: added new access_log command operator ``%UPSTREAM_REQUEST_ATTEMPT_COUNT%`` to retrieve the number of times given request got attempted upstream. * access_log: added new access_log command operator ``%VIRTUAL_CLUSTER_NAME%`` to retrieve the matched Virtual Cluster name. * api: added support for *xds.type.v3.TypedStruct* in addition to the now-deprecated *udpa.type.v1.TypedStruct* proto message, which is a wrapper proto used to encode typed JSON data in a *google.protobuf.Any* field. -* aws_request_signing_filter: added :ref:`match_excluded_headers ` to the signing filter to optionally exclude request headers from signing. -* bootstrap: added :ref:`typed_dns_resolver_config ` in the bootstrap to support DNS resolver as an extension. -* cluster: added :ref:`typed_dns_resolver_config ` in the cluster to support DNS resolver as an extension. -* config: added :ref:`environment_variable ` to the :ref:`DataSource `. -* decompressor: added :ref:`ignore_no_transform_header ` to run decompression regardless of the value of the *no-transform* cache control header. -* dns: added :ref:`ALL ` option to return both IPv4 and IPv6 addresses. 
-* dns_cache: added :ref:`typed_dns_resolver_config ` in the dns_cache to support DNS resolver as an extension. -* dns_filter: added :ref:`typed_dns_resolver_config ` in the dns_filter to support DNS resolver as an extension. -* dns_resolver: added :ref:`CaresDnsResolverConfig` to support c-ares DNS resolver as an extension. -* dns_resolver: added :ref:`use_resolvers_as_fallback` to the c-ares DNS resolver. -* dns_resolver: added :ref:`filter_unroutable_families` to the c-ares DNS resolver. -* dns_resolver: added :ref:`AppleDnsResolverConfig` to support apple DNS resolver as an extension. -* ext_authz: added :ref:`query_parameters_to_set ` and :ref:`query_parameters_to_remove ` for adding and removing query string parameters when using a gRPC authorization server. -* grpc_http_bridge: added :ref:`upgrade_protobuf_to_grpc ` option for automatically framing protobuf payloads as gRPC requests. -* grpc_json_transcoder: added support for matching unregistered custom verb :ref:`match_unregistered_custom_verb `. +* aws_request_signing_filter: added :ref:`match_excluded_headers ` to the signing filter to optionally exclude request headers from signing. +* bootstrap: added :ref:`typed_dns_resolver_config ` in the bootstrap to support DNS resolver as an extension. +* cluster: added :ref:`typed_dns_resolver_config ` in the cluster to support DNS resolver as an extension. +* config: added :ref:`environment_variable ` to the :ref:`DataSource `. +* decompressor: added :ref:`ignore_no_transform_header ` to run decompression regardless of the value of the *no-transform* cache control header. +* dns: added :ref:`ALL ` option to return both IPv4 and IPv6 addresses. +* dns_cache: added :ref:`typed_dns_resolver_config ` in the dns_cache to support DNS resolver as an extension. +* dns_filter: added :ref:`typed_dns_resolver_config ` in the dns_filter to support DNS resolver as an extension. 
+* dns_resolver: added :ref:`CaresDnsResolverConfig ` to support c-ares DNS resolver as an extension. +* dns_resolver: added :ref:`use_resolvers_as_fallback ` to the c-ares DNS resolver. +* dns_resolver: added :ref:`filter_unroutable_families ` to the c-ares DNS resolver. +* dns_resolver: added :ref:`AppleDnsResolverConfig ` to support apple DNS resolver as an extension. +* ext_authz: added :ref:`query_parameters_to_set ` and :ref:`query_parameters_to_remove ` for adding and removing query string parameters when using a gRPC authorization server. +* grpc_http_bridge: added :ref:`upgrade_protobuf_to_grpc ` option for automatically framing protobuf payloads as gRPC requests. +* grpc_json_transcoder: added support for matching unregistered custom verb :ref:`match_unregistered_custom_verb `. * http: added support for ``%REQUESTED_SERVER_NAME%`` to extract SNI as a custom header. * http: added support for ``%VIRTUAL_CLUSTER_NAME%`` to extract the matched Virtual Cluster name as a custom header. -* http: added support for :ref:`retriable health check status codes `. +* http: added support for :ref:`retriable health check status codes `. * http: added timing information about upstream connection and encryption establishment to stream info. These can currently be accessed via custom access loggers. -* http: added support for :ref:`forwarding HTTP1 reason phrase `. -* listener: added API for extensions to access :ref:`typed_filter_metadata ` configured in the listener's :ref:`metadata ` field. -* listener: added support for :ref:`MPTCP ` (multipath TCP). -* listener: added support for opting out listeners from the globally set downstream connection limit via :ref:`ignore_global_conn_limit `. +* http: added support for :ref:`forwarding HTTP1 reason phrase `. +* listener: added API for extensions to access :ref:`typed_filter_metadata ` configured in the listener's :ref:`metadata ` field. +* listener: added support for :ref:`MPTCP ` (multipath TCP). 
+* listener: added support for opting out listeners from the globally set downstream connection limit via :ref:`ignore_global_conn_limit `. * matcher: added support for *xds.type.matcher.v3.IPMatcher* IP trie matching. -* oauth filter: added :ref:`cookie_names ` to allow overriding (default) cookie names (``BearerToken``, ``OauthHMAC``, and ``OauthExpires``) set by the filter. +* oauth filter: added :ref:`cookie_names ` to allow overriding (default) cookie names (``BearerToken``, ``OauthHMAC``, and ``OauthExpires``) set by the filter. * oauth filter: setting ``IdToken`` and ``RefreshToken`` cookies if they are provided by Identity provider along with ``AccessToken``. * perf: added support for `Perfetto `_ performance tracing. -* router: added support for the :ref:`config_http_conn_man_headers_x-forwarded-host` header. -* stateful session http filter: added :ref:`stateful session http filter `. +* router: added support for the :ref:`v1.21:config_http_conn_man_headers_x-forwarded-host` header. +* stateful session http filter: added :ref:`stateful session http filter `. * stats: added text_readouts query parameter to prometheus stats to return gauges made from text readouts. -* tcp: added a :ref:`FilterState ` :ref:`hash policy `, used by :ref:`TCP proxy ` to allow hashing load balancer algorithms to hash on objects in filter state. +* tcp: added a :ref:`FilterState ` :ref:`hash policy `, used by :ref:`TCP proxy ` to allow hashing load balancer algorithms to hash on objects in filter state. * tcp_proxy: added support to populate upstream http connect header values from stream info. * thrift_proxy: add header to metadata filter for turning headers into dynamic metadata. * thrift_proxy: add upstream response zone metrics in the form ``cluster.cluster_name.zone.local_zone.upstream_zone.thrift.upstream_resp_success``. 
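Review bot: the one explicitly prefixed target visible in this hunk, ``:ref:`v1.21:config_http_conn_man_headers_x-forwarded-host```, points a 1.20.0 release note at the v1.21 docs, while every other entry in this file documents the 1.20.0 release. If the x-forwarded-host section only exists in the 1.21 docs onward this is deliberate, but then a short rst comment beside the line would stop the next link sweep from "correcting" it to ``v1.20:``; if it is a copy-and-paste slip, the prefix should match the release this file covers.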
@@ -106,21 +106,21 @@ New Features * thrift_proxy: add host level success/error metrics where success is a reply of type success and error is any other response to a call. * thrift_proxy: support header flags. * thrift_proxy: support subset lb when using request or route metadata. -* tls: added support for :ref:`match_typed_subject_alt_names ` for subject alternative names to enforce specifying the subject alternative name type for the matcher to prevent matching against an unintended type in the certificate. -* tls: added support for only verifying the leaf CRL in the certificate chain with :ref:`only_verify_leaf_cert_crl `. -* tls: support loading certificate chain and private key via :ref:`pkcs12 `. -* tls_inspector filter: added :ref:`enable_ja3_fingerprinting ` to create JA3 fingerprint hash from Client Hello message. -* transport_socket: added :ref:`envoy.transport_sockets.tcp_stats ` which generates additional statistics gathered from the OS TCP stack. +* tls: added support for :ref:`match_typed_subject_alt_names ` for subject alternative names to enforce specifying the subject alternative name type for the matcher to prevent matching against an unintended type in the certificate. +* tls: added support for only verifying the leaf CRL in the certificate chain with :ref:`only_verify_leaf_cert_crl `. +* tls: support loading certificate chain and private key via :ref:`pkcs12 `. +* tls_inspector filter: added :ref:`enable_ja3_fingerprinting ` to create JA3 fingerprint hash from Client Hello message. +* transport_socket: added :ref:`envoy.transport_sockets.tcp_stats ` which generates additional statistics gathered from the OS TCP stack. * udp: add support for multiple listener filters. -* udp_proxy: added :ref:`use_per_packet_load_balancing ` option to enable per packet load balancing (selection of upstream host on each data chunk). -* upstream: added the ability to :ref:`configure max connection duration ` for upstream clusters. 
-* vcl_socket_interface: added VCL socket interface extension for fd.io VPP integration to :ref:`contrib images `. This can be enabled via :ref:`VCL ` configuration. +* udp_proxy: added :ref:`use_per_packet_load_balancing ` option to enable per packet load balancing (selection of upstream host on each data chunk). +* upstream: added the ability to :ref:`configure max connection duration ` for upstream clusters. +* vcl_socket_interface: added VCL socket interface extension for fd.io VPP integration to :ref:`contrib images `. This can be enabled via :ref:`VCL ` configuration. * xds: re-introduced unified delta and sotw xDS multiplexers that share most of the implementation. Added a new runtime config ``envoy.reloadable_features.unified_mux`` (disabled by default) that when enabled, switches xDS to use unified multiplexers. Deprecated ---------- -* bootstrap: :ref:`dns_resolution_config ` is deprecated in favor of :ref:`typed_dns_resolver_config `. -* cluster: :ref:`dns_resolution_config ` is deprecated in favor of :ref:`typed_dns_resolver_config `. -* dns_cache: :ref:`dns_resolution_config ` is deprecated in favor of :ref:`typed_dns_resolver_config `. -* tls: :ref:`match_subject_alt_names ` has been deprecated in favor of the :ref:`match_typed_subject_alt_names `. -* dns_filter: :ref:`dns_resolution_config ` is deprecated in favor of :ref:`typed_dns_resolver_config `. +* bootstrap: :ref:`dns_resolution_config ` is deprecated in favor of :ref:`typed_dns_resolver_config `. +* cluster: :ref:`dns_resolution_config ` is deprecated in favor of :ref:`typed_dns_resolver_config `. +* dns_cache: :ref:`dns_resolution_config ` is deprecated in favor of :ref:`typed_dns_resolver_config `. +* tls: :ref:`match_subject_alt_names ` has been deprecated in favor of the :ref:`match_typed_subject_alt_names `. +* dns_filter: :ref:`dns_resolution_config ` is deprecated in favor of :ref:`typed_dns_resolver_config `. 
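Review bot: the rewritten Deprecated list is out of the alphabetical order the rest of this file keeps: ``* dns_filter: ...`` now sits after ``* tls: ...``. Since all five lines are being rewritten anyway, move the dns_filter entry up beside the other three ``dns_resolution_config`` deprecations (bootstrap, cluster, dns_cache), and drop the stray article in "in favor of the :ref:`match_typed_subject_alt_names `" so it reads like its four neighbours, which all say "in favor of :ref:`...`".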
diff --git a/docs/root/version_history/v1.21.1.rst b/docs/root/version_history/v1.21.1.rst index 0547399a852b..e450c3cf0f69 100644 --- a/docs/root/version_history/v1.21.1.rst +++ b/docs/root/version_history/v1.21.1.rst @@ -16,12 +16,12 @@ Bug Fixes * data plane: fix crash when internal redirect selects a route configured with direct response or redirect actions. * jwt_authn: fixed the crash when a CONNECT request is sent to JWT filter configured with regex match on the Host header. -* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. +* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. * upstream: fix stack overflow when a cluster with large number of idle connections is removed. Removed Config or Runtime ------------------------- -*Normally occurs at the end of the* :ref:`deprecation period ` +*Normally occurs at the end of the* :ref:`deprecation period ` New Features ------------ diff --git a/docs/root/version_history/v1.22.0.rst b/docs/root/version_history/v1.22.0.rst index 84e464142bfd..07286ed4c1f2 100644 --- a/docs/root/version_history/v1.22.0.rst +++ b/docs/root/version_history/v1.22.0.rst 
@@ -5,8 +5,8 @@ Incompatible Behavior Changes ----------------------------- *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* -* sip-proxy: change API by replacing ``own_domain`` with :ref:`local_services `. -* tls: set TLS v1.2 as the default minimal version for servers. Users can still explicitly opt-in to 1.0 and 1.1 using :ref:`tls_minimum_protocol_version `. +* sip-proxy: change API by replacing ``own_domain`` with :ref:`local_services `. +* tls: set TLS v1.2 as the default minimal version for servers. Users can still explicitly opt-in to 1.0 and 1.1 using :ref:`tls_minimum_protocol_version `. Minor Behavior Changes ---------------------- 
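Review bot: since the tls line is being rewritten, tidy its wording at the same time: "default minimal version" should be "default minimum version", and "opt-in" used as a verb is "opt in" ("Users can still explicitly opt in to 1.0 and 1.1 using :ref:`tls_minimum_protocol_version `").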
@@ -21,7 +21,7 @@ Minor Behavior Changes * dynamic_forward_proxy: if a DNS resolution fails, failing immediately with a specific resolution error, rather than finishing up all local filters and failing to select an upstream host. * ecds: changed to use ``http_filter`` stat prefix as the metrics root for ECDS subscriptions. This behavior can be temporarily reverted by setting ``envoy.reloadable_features.top_level_ecds_stats`` to false. * ext_authz: added requested server name in ext_authz network filter for auth review. -* ext_authz: forward :ref:`typed_filter_metadata ` selected by :ref:`typed_metadata_context_namespaces ` to external auth service. +* ext_authz: forward :ref:`typed_filter_metadata ` selected by :ref:`typed_metadata_context_namespaces ` to external auth service. * file: changed disk based files to truncate files which are not being appended to. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.append_or_truncate`` to false. * grpc: flip runtime guard ``envoy.reloadable_features.enable_grpc_async_client_cache`` to be default enabled. async grpc client created through ``getOrCreateRawAsyncClient`` will be cached by default. * health_checker: exposing ``initial_metadata`` to GrpcHealthCheck in a way similar to ``request_headers_to_add`` of HttpHealthCheck. 
@@ -30,17 +30,17 @@ Minor Behavior Changes * http: changed the http status code to 504 from 408 if the request times out after the request is completed. This behavior can be temporarily reverted by setting the runtime guard ``envoy.reloadable_features.override_request_timeout_by_gateway_timeout`` to false. * http: lazy disable downstream connection reading in the HTTP/1 codec to reduce unnecessary system calls. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.http1_lazy_read_disable`` to false. * http: now the max concurrent streams of http2 connection can not only be adjusted down according to the SETTINGS frame but also can be adjusted up. Of course, it can not exceed the configured upper bounds. This fix is guarded by ``envoy.reloadable_features.http2_allow_capacity_increase_by_settings``. -* http: respecting ``content-type`` in :ref:`headers_to_add ` even when the response body is modified. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.allow_adding_content_type_in_local_replies`` to false. +* http: respecting ``content-type`` in :ref:`headers_to_add ` even when the response body is modified. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.allow_adding_content_type_in_local_replies`` to false. * http: when writing custom filters, ``injectEncodedDataToFilterChain`` and ``injectDecodedDataToFilterChain`` now trigger sending of headers if they were not yet sent due to ``StopIteration``. Previously, calling one of the inject functions in that state would trigger an assertion. See issue #19891 for more details. -* listener: the :ref:`ipv4_compat ` flag can only be set on Ipv6 address and Ipv4-mapped Ipv6 address. A runtime guard is added ``envoy.reloadable_features.strict_check_on_ipv4_compat`` and the default is true. 
+* listener: the :ref:`ipv4_compat ` flag can only be set on Ipv6 address and Ipv4-mapped Ipv6 address. A runtime guard is added ``envoy.reloadable_features.strict_check_on_ipv4_compat`` and the default is true. * network: add a new ConnectionEvent ``ConnectedZeroRtt`` which may be raised by QUIC connections to allow early data to be sent before the handshake finishes. This event is ignored at callsites which is only reachable for TCP connections in the Envoy core code. Any extensions which depend on ConnectionEvent enum value should audit their usage of it to make sure this new event is handled appropriately. * oauth2: disable chunked transfer encoding in the token request to be compatible with Azure AD (login.microsoftonline.com). * perf: tls contexts are now tracked without scan based garbage collection greatly improving the performance on secret update. -* ratelimit: the :ref:`header_value_match ` config now supports custom descriptor keys. +* ratelimit: the :ref:`header_value_match ` config now supports custom descriptor keys. * router: record upstream request timeouts for all cases and not just for those requests which are awaiting headers. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.do_not_await_headers_on_upstream_timeout_to_emit_stats`` to false. * runtime: deprecated runtime flags set via configuration files or xDS will now ENVOY_BUG, rather than silently resulting in unexpected behavior on the data plane by no longer applying removed code paths. * runtime: removed global runtime as Envoy default. This behavioral change can be reverted by setting runtime guard ``envoy.restart_features.no_runtime_singleton`` to false. -* sip-proxy: add customized affinity support by adding :ref:`tra_service_config ` and :ref:`customized_affinity `. +* sip-proxy: add customized affinity support by adding :ref:`tra_service_config ` and :ref:`customized_affinity `. 
* sip-proxy: add support for the ``503`` response code. When there is something wrong occurred, send ``503 Service Unavailable`` back to downstream. * stateful session http filter: only enable cookie based session state when request path matches the configured cookie path. * tracing: set tracing error tag for grpc non-ok response code only when it is a upstream error. Client error will not be tagged as a grpc error. This fix is guarded by ``envoy.reloadable_features.update_grpc_response_error_tag``. 
@@ -54,18 +54,18 @@ Bug Fixes * data plane: fix error handling where writing to a socket failed while under the stack of processing. This should only effect HTTP/3. This behavioral change can be reverted by setting ``envoy.reloadable_features.allow_upstream_inline_write`` to false. * eds: fix the eds cluster update by allowing update on the locality of the cluster endpoints. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.support_locality_update_on_eds_cluster_endpoints`` to false. * hot restart: fixed a bug where an incorrect fd was passed to child when a tcp listener and a udp listener listen to the same address because socket type was not used to find the matching listener for a url. -* http: fixed a bug where ``%RESPONSE_CODE_DETAILS%`` was not set correctly in :ref:`request_headers_to_add `. +* http: fixed a bug where ``%RESPONSE_CODE_DETAILS%`` was not set correctly in :ref:`request_headers_to_add `. * http: fixed a bug where ``100-continue`` comparison in the ``Expect`` request header field was case sensitive. This RFC compliant behavior can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.http_100_continue_case_insensitive`` to false. -* jwt_authn: fixed a bug where a JWT with empty "iss" is passed even the field :ref:`issuer ` is specified. If the "issuer" field is specified, "iss" in the JWT should match it. +* jwt_authn: fixed a bug where a JWT with empty "iss" is passed even the field :ref:`issuer ` is specified. If the "issuer" field is specified, "iss" in the JWT should match it. * jwt_authn: fixed the crash when a CONNECT request is sent to JWT filter configured with regex match on the Host header. -* router: fixed mirror policy :ref:`runtime_fraction ` to +* router: fixed mirror policy :ref:`runtime_fraction ` to correctly allow reading from a fractional percent value stored in runtime in all cases. 
Previously it would only do this if the default numerator was above 0, otherwise it would use the integer variant with a default of 0. The default of 0 is retained, but runtime lookup will happen in all cases and recognize a stored fractional percent. -* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. +* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. * tls: fix a bug while matching a certificate SAN with an exact value in ``match_typed_subject_alt_names`` of a listener where wildcard ``*`` character is not the only character of the dns label. Example, ``baz*.example.net`` and ``*baz.example.net`` and ``b*z.example.net`` will match ``baz1.example.net`` and ``foobaz.example.net`` and ``buzz.example.net``, respectively. -* upstream: added cluster slow start config :ref:`min_weight_percent ` field to avoid too big EDF deadline which cause slow start endpoints receiving no traffic, default 10%. This fix is related to `issue #19526 `_. +* upstream: added cluster slow start config :ref:`min_weight_percent ` field to avoid too big EDF deadline which cause slow start endpoints receiving no traffic, default 10%. This fix is related to `issue #19526 `_. * upstream: fix stack overflow when a cluster with large number of idle connections is removed. * xds: fix a crash that occurs when Envoy receives a discovery response without ``control_plane`` field. * xds: fix the wildcard resource versions that are sent upon reconnection when using delta-xds mode. 
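Review bot: the rewritten tcp_proxy line carries the duplicated word over from the ``-`` line: "while the the upstream connection or http/2 stream is still being established". Since the ``+`` line is being touched for the ref anyway, drop the second "the"; the identical line in the v1.21.1 Bug Fixes hunk above has the same carry-over and should get the same fix.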
@@ -76,7 +76,7 @@ Bug Fixes Removed Config or Runtime ------------------------- -*Normally occurs at the end of the* :ref:`deprecation period ` +*Normally occurs at the end of the* :ref:`deprecation period ` * access_log: removed ``envoy.reloadable_features.unquote_log_string_values`` and legacy code paths. * grpc_bridge_filter: removed ``envoy.reloadable_features.grpc_bridge_stats_disabled`` and legacy code paths. 
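Review bot: this is the third file in the patch where the identical line ``*Normally occurs at the end of the* :ref:`deprecation period ``` is rewritten only to repoint the ref (v1.20.0, v1.21.1 and now v1.22.0). Defining that boilerplate once as an rst substitution shared by the version-history pages would make the next change a single edit instead of one per release file, and would keep the target from drifting between files.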
@@ -105,71 +105,71 @@ New Features * access_log: added TCP proxy upstream and downstream byte logging. This can be accessed through the ``%DOWNSTREAM_WIRE_BYTES_SENT%``, ``%DOWNSTREAM_WIRE_BYTES_RECEIVED%``, ``%UPSTREAM_WIRE_BYTES_SENT%``, and ``%UPSTREAM_WIRE_BYTES_RECEIVED%`` access_log command operatrors. * access_log: make consistent access_log format fields ``%(DOWN|DIRECT_DOWN|UP)STREAM_(LOCAL|REMOTE)_*%`` to provide all combinations of local & remote addresses for upstream & downstream connections. * admin: :http:post:`/logging` now accepts ``/logging?paths=name1:level1,name2:level2,...`` to change multiple log levels at once. -* cluster: added support for per host limits in :ref:`circuit breakers settings `. Currently only :ref:`max_connections ` is supported. -* cluster: added support to restore original destination address from any desired header via setting :ref:`http_header_name `. -* cluster: support :ref:`override host status restriction `. -* compression: add zstd :ref:`compressor ` and :ref:`decompressor `. -* config: added new file based xDS configuration via :ref:`path_config_source `. - :ref:`watched_directory ` can +* cluster: added support for per host limits in :ref:`circuit breakers settings `. Currently only :ref:`max_connections ` is supported. +* cluster: added support to restore original destination address from any desired header via setting :ref:`http_header_name `. +* cluster: support :ref:`override host status restriction `. +* compression: add zstd :ref:`compressor ` and :ref:`decompressor `. +* config: added new file based xDS configuration via :ref:`path_config_source `. + :ref:`watched_directory ` can be used to setup an independent watch for when to reload the file path, for example when using Kubernetes ConfigMaps to deliver configuration. See the linked documentation for more information. -* config: added new :ref:`custom config validators ` to dynamically verify config updates. 
+* config: added new :ref:`custom config validators ` to dynamically verify config updates. * cors: add dynamic support for headers ``access-control-allow-methods`` and ``access-control-allow-headers`` in cors. -* dns: added :ref:`dns_min_refresh_rate ` +* dns: added :ref:`dns_min_refresh_rate ` to the DNS cache implementation to configure the minimum DNS refresh rate, regardless of returned TTL. This was previously hard coded to 5s and defaults to 5s if unset. -* gcp authentication http filter: added :ref:`gcp authentication http filter `. -* http: added ``random_value_specifier`` in :ref:`weighted_clusters ` to allow random value to be specified from configuration proto. -* http: added ``request_mirror_policies`` to higher levels (i.e., :ref:`request_mirror_policies ` in :ref:`RouteConfiguration ` and :ref:`request_mirror_policies ` in :ref:`VirtualHost `) which applies to :ref:`request_mirror_policies ` in all routes underneath without configured mirror policies. -* http: added support for :ref:`cidr_ranges ` for configuring list of CIDR ranges that are considered internal. -* http: added support for :ref:`proxy_status_config ` for configuring `Proxy-Status `_ HTTP response header fields. +* gcp authentication http filter: added :ref:`gcp authentication http filter `. +* http: added ``random_value_specifier`` in :ref:`weighted_clusters ` to allow random value to be specified from configuration proto. +* http: added ``request_mirror_policies`` to higher levels (i.e., :ref:`request_mirror_policies ` in :ref:`RouteConfiguration ` and :ref:`request_mirror_policies ` in :ref:`VirtualHost `) which applies to :ref:`request_mirror_policies ` in all routes underneath without configured mirror policies. +* http: added support for :ref:`cidr_ranges ` for configuring list of CIDR ranges that are considered internal. +* http: added support for :ref:`proxy_status_config ` for configuring `Proxy-Status `_ HTTP response header fields. 
* http: make consistent custom header format fields ``%(DOWN|DIRECT_DOWN|UP)STREAM_(LOCAL|REMOTE)_*%`` to provide all combinations of local & remote addresses for upstream & downstream connections. * http2: adds the new runtime feature ``envoy.reloadable_features.http2_use_oghttp2``, disabled by default, that guards use of a new HTTP/2 implementation. * http2: re-enabled the HTTP/2 wrapper API. This should be a transparent change that does not affect functionality. Any behavior changes can be reverted by setting the ``envoy.reloadable_features.http2_new_codec_wrapper`` runtime feature to false. -* http3: add :ref:`enable_early_data ` to turn on/off downstream early data support. -* http3: downstream HTTP/3 support is now GA! Upstream HTTP/3 also GA for specific deployments. See :ref:`here ` for details. +* http3: add :ref:`enable_early_data ` to turn on/off downstream early data support. +* http3: downstream HTTP/3 support is now GA! Upstream HTTP/3 also GA for specific deployments. See :ref:`here ` for details. * http3: supports upstream HTTP/3 retries. Automatically retry `0-RTT safe requests `_ if they are rejected because they are sent `too early `_. And automatically retry 0-RTT safe requests if connect attempt fails later on and the cluster is configured with TCP fallback. And add retry on ``http3-post-connect-failure`` policy which allows retry of failed HTTP/3 requests with TCP fallback even after handshake if the cluster is configured with TCP fallback. This feature is guarded by ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3``. -* listener: implement :ref:`matching API ` for selecting filter chains. -* local_ratelimit: added support for sharing the rate limiter between multiple network filter chains or listeners via :ref:`share_key `. +* listener: implement :ref:`matching API ` for selecting filter chains. 
+* local_ratelimit: added support for sharing the rate limiter between multiple network filter chains or listeners via :ref:`share_key `. * local_ratelimit: added support for ``X-RateLimit-*`` headers as defined in `draft RFC `_. * matching: the matching API can now express a match tree that will always match by omitting a matcher at the top level. -* outlier_detection: :ref:`max_ejection_time_jitter` configuration added to allow adding a random value to the ejection time to prevent 'thundering herd' scenarios. Defaults to 0 so as to not break or change the behavior of existing deployments. -* ratelimit: added :ref:`rate_limited_status ` to support return a custom HTTP response status code to the downstream client when the request has been rate limited. -* ratelimit: network rate limiter supports runtime value substitution using stream info and substitution formatting via :ref:`Network Rate Limiter `. +* outlier_detection: :ref:`max_ejection_time_jitter ` configuration added to allow adding a random value to the ejection time to prevent 'thundering herd' scenarios. Defaults to 0 so as to not break or change the behavior of existing deployments. +* ratelimit: added :ref:`rate_limited_status ` to support return a custom HTTP response status code to the downstream client when the request has been rate limited. +* ratelimit: network rate limiter supports runtime value substitution using stream info and substitution formatting via :ref:`Network Rate Limiter `. * redis: support for hostnames returned in ``cluster_slots`` response is now available. -* router: added :ref:`path_separated_prefix ` to make route creation more efficient. +* router: added :ref:`path_separated_prefix ` to make route creation more efficient. * schema_validator_tool: added ``bootstrap`` checking to the - :ref:`schema validator check tool `. + :ref:`schema validator check tool `. 
* schema_validator_tool: added ``--fail-on-deprecated`` and ``--fail-on-wip`` to the - :ref:`schema validator check tool ` to allow failing + :ref:`schema validator check tool ` to allow failing the check if either deprecated or work-in-progress fields are used. * schema_validator_tool: fixed linking of all extensions into the - :ref:`schema validator check tool ` so that all typed + :ref:`schema validator check tool ` so that all typed configurations can be properly verified. * schema_validator_tool: the - :ref:`schema validator check tool ` will now recurse + :ref:`schema validator check tool ` will now recurse into all sub messages, including Any messages, and perform full validation (deprecation, work-in-progress, PGV, etc.). Previously only top-level messages were fully validated. * stats: histogram_buckets query parameter added to stats endpoint to change histogram output to show buckets. -* tap: added support for buffering an arbitrary number of tapped traces before returning to the client via a new :ref:`buffered admin sink `. -* tcp_proxy: added support for on demand cluster. If the :ref:`on_demand ` is set and the destination cluster is not present, a delta CDS request will be sent and the tcp proxy flow will be resumed after that cds response. +* tap: added support for buffering an arbitrary number of tapped traces before returning to the client via a new :ref:`buffered admin sink `. +* tcp_proxy: added support for on demand cluster. If the :ref:`on_demand ` is set and the destination cluster is not present, a delta CDS request will be sent and the tcp proxy flow will be resumed after that cds response. * thrift: add support for connection draining. This can be enabled by setting the runtime guard ``envoy.reloadable_features.thrift_connection_draining`` to true. * thrift: added support for dynamic routing through aggregated discovery service. -* tls: add support for tls key log :ref:`key_log`. 
-* tools: the project now ships a :ref:`tools docker image ` which contains tools +* tls: add support for tls key log :ref:`key_log `. +* tools: the project now ships a :ref:`tools docker image ` which contains tools useful in support systems such as CI, CD, etc. The - :ref:`schema validator check tool ` has been added + :ref:`schema validator check tool ` has been added to the tools image. -* udp_proxy: added :ref:`matcher ` to support matching and routing to different clusters. -* udp_proxy: added support for :ref:`access_log `. +* udp_proxy: added :ref:`matcher ` to support matching and routing to different clusters. +* udp_proxy: added support for :ref:`access_log `. Deprecated ---------- -* config: deprecated :ref:`path ` in favor of - :ref:`path_config_source ` +* config: deprecated :ref:`path ` in favor of + :ref:`path_config_source ` * http: deprecated ``envoy.http.headermap.lazy_map_min_size``. If you are using this config knob you can revert this temporarily by setting ``envoy.reloadable_features.deprecate_global_ints`` to true but you MUST file an upstream issue to ensure this feature remains available. * http: removing support for long-deprecated old style filter names, e.g. envoy.router, envoy.lua. * re2: removed undocumented histograms ``re2.program_size`` and ``re2.exceeded_warn_level``. * thrift: deprecated TTwitter protocol since we believe it's not used and it's causing significant maintenance burden. -* udp_proxy: deprecated :ref:`cluster ` in favor of :ref:`matcher `. +* udp_proxy: deprecated :ref:`cluster ` in favor of :ref:`matcher `.
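Review bot: the ``+`` line for the TLS key log reads "add support for tls key log :ref:`key_log `", which is present tense where the surrounding New Features entries use "added", and "tls key log :ref:`key_log `" stacks the feature name against the link with no connective; since the line is rewritten here, "added support for TLS key logging via :ref:`key_log `" would match its neighbours. While in this hunk, the first context line still says "access_log command operatrors" (``operatrors`` should be ``operators``), worth a drive-by fix.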