1.35.0 (Pending)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

  • aws_iam: As announced in November 2024 (see https://github.com/envoyproxy/envoy/issues/37621), the grpc_credentials/aws_iam extension is being deleted. Any configuration referencing this extension will fail to load.

  • build: Removed the clang-libstdc++ toolchain setup as this is no longer used or tested by the project. Consolidated clang and gcc toolchains which can be used with --config=clang or --config=gcc. These use libc++ and libstdc++ respectively.

  • prefix_match_map: prefix_match_map now continues to search for a match with shorter prefix if a longer match does not find an action. This brings it in line with the behavior of matcher_list. This change can temporarily be reverted by setting the runtime guard envoy.reloadable_features.prefix_map_matcher_resume_after_subtree_miss to false. If the old behavior is desired more permanently, this can be achieved in config by setting an on_no_match action that responds with 404 for each subtree.

  • server: Envoy will automatically raise the soft limit on the file descriptors to the hard limit. This behavior can be reverted using the runtime guard envoy_restart_features_raise_file_limits.

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • aws: AwsCredentialProvider now supports all defined credential providers, allowing complete customisation of the credential provider chain when using AWS request signing extension.

  • cel: Precompile regexes in CEL expressions. This can be disabled by setting the runtime guard envoy.reloadable_features.enable_cel_regex_precompilation to false.

  • dns: Allow getaddrinfo to be configured to run by a thread pool, controlled by num_resolver_threads.

  • ext_proc: If ext_proc server sends spurious response message to Envoy, Envoy now performs fail-open or fail-close action based on failure_mode_allow configuration. This change can be reverted by setting the runtime guard envoy.reloadable_features.ext_proc_fail_close_spurious_resp to false.

  • filters: Credential injector filter is no longer a work in progress field.

  • geoip: The lookup for asn information is fetched from asn_db if asn_db_path is defined and from isb_db if asn_db_path is not defined.

  • grpc-json: Make the gRPC JSON transcoder filter’s JSON print options configurable.

  • grpc-json-transcoding: Add SSE style message framing for streamed responses in gRPC JSON transcoder filter.

  • http: response_headers_to_add and response_headers_to_remove will also be applied to the local responses from the envoy.filters.http.router filter.

  • http3: Validate HTTP/3 pseudo headers. Can be disabled by setting envoy.restart_features.validate_http3_pseudo_headers to false.

  • lua: The metadata() of lua filter now will search the metadata by the filter config name first. And if not found, it will search by the canonical name of the filter envoy.filters.http.lua.

  • oauth2: Reset CSRF token when token validation fails during redirection. If the CSRF token cookie is present during the redirection to the authorization server, it will be validated. Previously, if this validation failed, the OAuth flow would fail. Now the CSRF token will simply be reset. This fixes the case where an HMAC secret change causes a redirect flow, but the CSRF token cookie hasn’t yet expired causing a CSRF token validation failure.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • config_validation: Fixed an bug where the config validation server will crash when the configuration contains %CEL% or %METADATA% substitution formatter.

  • conn_pool: Fixed an issue that could lead to insufficient connections for current pending requests. If a connection starts draining while it has negative unused capacity (which happens if an HTTP/2 SETTINGS frame reduces allowed concurrency to below the current number of requests), that connection’s unused capacity will be included in total pool capacity even though it is unusable because it is draining. This can result in not enough connections being established for current pending requests. This is most problematic for long-lived requests (such as streaming gRPC requests or long-poll requests) because a connection could be in the draining state for a long time.

  • conn_pool: Fixed an issue that could lead to too many connections when using AutoHttpConfig if the established connection is http/2 and Envoy predicted it would have lower concurrent capacity.

  • hcm: Fixes a bug where the lifetime of the HttpConnectionManager’s ActiveStream can be out of sync with the lifetime of the codec stream.

  • quic: Fixes a bug in Envoy’s HTTP/3-to-HTTP/1 proxying when a transfer-encoding header is incorrectly appended. Protected by runtime guard envoy.reloadable_features.quic_signal_headers_only_to_http1_backend.

  • tls: Fixes a bug where empty trusted CA file or inline string is accepted and causes Envoy to successfully validate any certificate chain. This fix addresses this issue by rejecting such configuration with empty value. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.reject_empty_trusted_ca_file to false.

  • tls_inspector: Fixes a bug where the TLS inspector filter would not correctly report client_hello_too_large stat for too big client hello messages i.e bigger than 16kb.

Removed config or runtime

Normally occurs at the end of the deprecation period

  • access_log: Removed runtime guard envoy.reloadable_features.sanitize_sni_in_access_log and legacy code paths.

  • ext_proc: Removed runtime guard envoy.reloadable_features.ext_proc_timeout_error and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.internal_authority_header_validator and legacy code paths.

  • http: Removed runtime guard envoy_reloadable_features_filter_access_loggers_first and legacy code paths.

  • http2: Removed runtime guard envoy.reloadable_features.http2_no_protocol_error_upon_clean_close and legacy code paths.

  • logging: Removed runtime guard envoy.reloadable_features.logging_with_fast_json_formatter and legacy code paths.

  • lua: Removed runtime guard envoy.reloadable_features.lua_flow_control_while_http_call and legacy code paths.

  • quic: Removed runtime guard envoy.reloadable_features.extend_h3_accept_untrusted and legacy code paths.

  • quic: Removed runtime guard envoy.reloadable_features.quic_connect_client_udp_sockets and legacy code paths.

  • quic: Removed runtime guard envoy.reloadable_features.quic_support_certificate_compression and legacy code paths.

  • runtime: Removed runtime guard envoy_reloadable_features_boolean_to_string_fix and legacy code paths.

  • sni: Removed runtime guard envoy.reloadable_features.use_route_host_mutation_for_auto_sni_san and legacy code paths.

  • tcp_proxy: Removed runtime guard envoy.reloadable_features.tcp_tunneling_send_downstream_fin_on_upstream_trailers and legacy code paths.

  • websocket: Removed runtime guard envoy.reloadable_features.switch_protocol_websocket_handshake and legacy code paths.

New features

  • api_key_auth: Added forwarding configuration to the API Key Auth filter, which allows forwarding the authenticated client identity using a custom header, and also offers the option to remove the API key from the request before forwarding.

  • aws: Implementation of IAM Roles Anywhere support in the AWS common components, providing this capability to the AWS Lambda and AWS Request Signing extensions.

  • build: Upgraded Envoy to build with C++20; Envoy developers can use C++20 features now.

  • ext_authz: Added grpc_status to ExtAuthzLoggingInfo in ext_authz HTTP filter.

  • ext_proc: The failure_mode_allow setting may now be overridden on a per-route basis.

  • http: Add response trailers mutations and request trailers mutations to Header Mutation Filter for adding/removing trailers from the request and the response.

  • http: Added x-envoy-original-host that is used to record the original host header value before it is mutated by the router filter.

  • load shed point: Added load shed point envoy.load_shed_points.connection_pool_new_connection in the connection pool, and it will not create new connections when Envoy is under pressure, and the pending downstream requests will be cancelled.

  • load_balancing: Added Override Host Load Balancing policy. See load balancing policies overview for more details.

  • local_ratelimit: local_ratelimit will return x-ratelimit-reset header when the rate limit is exceeded.

  • lua: Added a new dynamicTypedMetadata() on connectionStreamInfo() which could be used to access the typed metadata from network filters, such as the Proxy Protocol, etc.

  • lua: Added a new dynamicTypedMetadata() on streamInfo() which could be used to access the typed metadata from HTTP filters, such as the Set Metadata filter, etc.

  • lua: Added support for accessing filter context. See filterContext() for more details.

  • matcher: added support for ServerNameMatcher trie-based matching.

  • oauth2: Added end_session_endpoint to the oauth2 filter to support OIDC RP initiated logout. This field is only used when openid is in the auth_scopes field. If configured, the OAuth2 filter will redirect users to this endpoint when they access the signout_path. This allows users to be logged out of the Authorization server.

  • oauth2: Added configurable csrf_token_expires_in and code_verifier_token_expires_in fields to the oauth2 filter. Both default to 600s (10 minutes) if not specified, keeping backward compatibility.

  • postgres: added support for requiring downstream SSL.

  • ratelimit: Added a new failure_mode_deny_percent field of type Envoy::Runtime::FractionalPercent attached to the rate limit filter to configure the failure mode for rate limit service errors in runtime. It acts as an override for the existing failure_mode_deny field in the filter config.

  • rbac filter: Allow listed FilterStateInput to be used with the xDS matcher in the HTTP RBAC filter.

  • rbac filter: Allow listed FilterStateInput to be used with the xDS matcher in the Network RBAC filter.

  • redis: Added support for scan and info.

  • redis: redis_proxy filter now supports AWS IAM Authentication.

  • resource_monitors: Added new cgroup memory resource monitor that reads memory usage/limit from cgroup v1/v2 subsystems and calculates memory pressure, with configurable max_memory_bytes limit existing extension.

  • router: Added matcher based router cluster specifier plugin to support selecting cluster dynamically based on a matcher tree. See matcher cluster specifier plugin for more details.

  • router: Added new refreshRouteCluster() method to stream filter callbacks to support refreshing the route cluster and need not to update the route cache. See http route mutation for more details.

  • socket: Added network_namespace_filepath to SocketAddress. Currently only used by listeners.

  • stateful_session: Supports envelope stateful session extension to keep the existing session header value from upstream server. See mode for more details.

  • tls: Added new metric for emitting seconds since UNIX epoch of expirations of TLS and CA certificates. They are rooted at cluster.<cluster_name>.ssl.certificate.<cert_name>. and at listener.<address>.ssl.certificate.<cert_name>. namespace.

  • tls_inspector filter: Added enable_ja4_fingerprinting to create a JA4 fingerprint hash from the Client Hello message.

  • transport tap: Add counter in transport tap for streaming and buffer trace. streamed trace can sent tapped message based on configured size.

  • url_template: Included the asterisk * in the match pattern when using the * or ** operators in the URL template. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.uri_template_match_on_asterisk to false.