1.33.0 (Pending)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

• http: RFC1918 addresses are no longer considered to be internal addresses by default. This addresses a security issue for Envoy’s in multi-tenant mesh environments. Please explicit set internal_address_config to retain the prior behavior. This change can be temporarily reverted by setting runtime guard envoy.reloadable_features.explicit_internal_address_config to false.

• wasm: Remove previously deprecated xDS attributes from get_property, use xds attributes instead.

• wasm: The route cache will not be cleared by default if the wasm extension modified the request headers and the ABI version of wasm extension is larger then 0.2.1.

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

• access_log: New implementation of the JSON formatter will be enabled by default. The sort_properties field will be ignored in the new implementation because the new implementation always sorts properties. And the new implementation will always keep the value type in the JSON output. For example, the duration field will always be rendered as a number instead of a string. This behavior change could be disabled temporarily by setting the runtime envoy.reloadable_features.logging_with_fast_json_formatter to false.

• formatter: The NaN and Infinity values of float will be serialized to null and "inf" respectively in the metadata (DYNAMIC_METADATA, CLUSTER_METADATA, etc.) formatter.

• http: If the pack_trace_reason is set to false, Envoy will not parse the trace reason from the x-request-id header to ensure reads and writes of trace reason be consistant. If the pack_trace_reason is set to true and external x-request-id value is used, the trace reason in the external request id will not be trusted and will be cleared.

• oauth2: use_refresh_token is now enabled by default. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.oauth2_use_refresh_token to false.

• quic: Enable UDP GRO in QUIC client connections by default. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.prefer_quic_client_udp_gro to false.

• scoped_rds: The route_configuration field is supported when the ScopedRouteConfiguration resource is delivered via SRDS.

• sds: Relaxed the backing cluster validation for Secret Discovery Service(SDS). Currently, the cluster that supports SDS, needs to be a primary cluster i.e. a non-EDS cluster defined in bootstrap configuration. This change relaxes that restriction i.e. SDS cluster can be a dynamic cluster. This change is enabled by default, and can be reverted by setting the runtime flag envoy.restart_features.skip_backing_cluster_check_for_sds to false.

• xds: A minor delta-xDS optimization that avoids copying resources when ingesting them was introduced. No impact to the behavior is expected, but a runtime flag was added as this may impact config-ingestion related extensions (e.g., custom-config-validators, config-tracker), as the order of the elements passed to the callback functions may be different. This change can be temporarily reverted by setting envoy.reloadable_features.xds_prevent_resource_copy to false.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

• DNS: Fixed bug where setting dns_jitter <envoy_v3_api_field_config.cluster.v3.Cluster.dns_jitter> to large values caused Envoy Bug to fire.

• access_log: Relaxed the restriction on SNI logging to allow the _ character, even if envoy.reloadable_features.sanitize_sni_in_access_log is enabled.

• scoped_rds: Fixes scope key leak and spurious scope key conflicts when an update to an SRDS resource changes the key.

• stats ads grpc: Fixed metric for ADS disconnection counters using Google GRPC client. This extracts the GRPC client prefix specified in the google_grpc resource used for ADS, and adds that as a tag envoy_google_grpc_client_prefix to the Prometheus stats.

• tls: Support operations on IP SANs when the IP version is not supported by the host operating system, for example an IPv6 SAN can now be used on a host not supporting IPv6 addresses.

Removed config or runtime

Normally occurs at the end of the deprecation period

• dns: Removed runtime flag envoy.reloadable_features.dns_reresolve_on_eai_again and legacy code paths.

• grpc: Removed runtime guard envoy.reloadable_features.validate_grpc_header_before_log_grpc_status.

• http: Removed runtime flag envoy.reloadable_features.http_route_connect_proxy_by_default and legacy code paths.

• http2: Removed runtime flag envoy.reloadable_features.defer_processing_backedup_streams and legacy code paths.

• load balancing: Removed runtime guard envoy.reloadable_features.edf_lb_host_scheduler_init_fix and legacy code paths.

• load balancing: Removed runtime guard envoy.reloadable_features.edf_lb_locality_scheduler_init_fix and legacy code paths.

• quic: Removed runtime flag envoy.restart_features.quic_handle_certs_with_shared_tls_code and legacy code paths.

• router: Removed runtime guard envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request.

• upstream: Removed runtime flag envoy.restart_features.allow_client_socket_creation_failure and legacy code paths.

New features

• CEL-attributes: Added attribute upstream.request_attempt_count to get the number of times a request is attempted upstream.

• access_log: Added %DOWNSTREAM_LOCAL_EMAIL_SAN%, %DOWNSTREAM_PEER_EMAIL_SAN%, %DOWNSTREAM_LOCAL_OTHERNAME_SAN% and %DOWNSTREAM_PEER_OTHERNAME_SAN% substitution formatters.

• access_log: Added support for logging upstream connection establishment duration in the %COMMON_DURATION% access log formatter operator. The following time points were added: %US_CX_BEG%, %US_CX_END%, %US_HS_END%.

• aws_request_signing: Added an optional field credential_provider to the AWS request signing filter to explicitly specify a source for AWS credentials.

• c-ares: added nameserver rotation option to c-ares resolver. When enabled via :ref:rotate_nameservers <envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.rotate_nameservers>, this performs round-robin selection of the configured nameservers for each resolution to help distribute query load.

• c-ares: added two new options to c-ares resolver for configuring custom timeouts and tries while resolving DNS queries. Custom timeouts could be configured by specifying query_timeout_seconds and custom tries could be configured by specifying query_tries.

• http_inspector: Added default-false envoy.reloadable_features.http_inspector_use_balsa_parser for HttpInspector to use BalsaParser.

• ip-tagging: Adds support for specifying an alternate header ip_tag_header for appending IP tags via ip-tagging filter instead of using the default header x-envoy-ip-tags.

• lua: Added ssl parsedSubjectPeerCertificate() API.

• lua cluster specifier: Added ability for a Lua script to query clusters for current requests and connections.

• overload: Added support for scaling max connection duration. This can be used to reduce the max connection duration in response to overload.

• quic: Added QUIC stats debug visitor to get more stats from the QUIC transport.

• rbac: added sourced_metadata which allows specifying an optional source for the metadata to be matched in addition to the metadata matcher.

• tls: Added an option to change the upstream SNI to the configured hostname for the upstream.

• tls: Added an option to validate the upstream server certificate SANs against the actual SNI value sent, regardless of the method of configuring SNI.

• tls: Added support for P-384 and P-521 curves for TLS server certificates.

• tracers: Set resource telemetry.sdk.* and scope otel.scope.name|version attributes for the OpenTelemetry tracer.

• udp_proxy: Added support for dynamic cluster selection in UDP proxy. The cluster can be set by one of the session filters by setting a per-session state object under the key envoy.udp_proxy.cluster.

• wasm: Added the wasm vm reload support to reload wasm vm when the wasm vm is failed with runtime errors. See failure_policy for more details. The FAIL_RELOAD reload policy will be used by default.

• wasm: added clear_route_cache foreign function to clear the route cache.

• xds: Added support for ADS replacement by invoking xdsManager().setAdsConfigSource() with a new config source.

Deprecated

• rbac: metadata metadata is now deprecated in the favor of sourced_metadata.