1.10.0 (Apr 5, 2019) ==================== Changes ------- * access log: added a new flag for upstream retry count exceeded. * access log: added a :ref:`gRPC filter <v1.10:envoy_api_msg_config.filter.accesslog.v2.GrpcStatusFilter>` to allow filtering on gRPC status. * access log: added a new flag for stream idle timeout. * access log: added a new field for upstream transport failure reason in :ref:`file access logger <v1.10:config_access_log_format_upstream_transport_failure_reason>` and :ref:`gRPC access logger <v1.10:envoy_api_field_data.accesslog.v2.AccessLogCommon.upstream_transport_failure_reason>` for HTTP access logs. * access log: added new fields for downstream x509 information (URI sans and subject) to file and gRPC access logger. * admin: the admin server can now be accessed via HTTP/2 (prior knowledge). * admin: changed HTTP response status code from 400 to 405 when attempting to GET a POST-only route (such as /quitquitquit). * buffer: fix vulnerabilities when allocation fails. * build: releases are built with GCC-7 and linked with LLD. * build: dev docker images :ref:`have been split <v1.10:install_binaries>` from tagged images for easier discoverability in Docker Hub. Additionally, we now build images for point releases. * config: added support of using google.protobuf.Any in opaque configs for extensions. * config: logging warnings when deprecated fields are in use. * config: removed deprecated --v2-config-only from command line config. * config: removed deprecated_v1 sds_config from :ref:`Bootstrap config <v1.10:config_overview_v2_bootstrap>`. * config: removed the deprecated_v1 config option from :ref:`ring hash <v1.10:envoy_api_msg_Cluster.RingHashLbConfig>`. * config: removed REST_LEGACY as a valid :ref:`ApiType <v1.10:envoy_api_field_core.ApiConfigSource.api_type>`. * config: finish cluster warming only when a named response i.e. ClusterLoadAssignment associated to the cluster being warmed comes in the EDS response. This is a behavioural change from the current implementation where warming of cluster completes on missing load assignments also. * config: use Envoy cpuset size to set the default number or worker threads if :option:`--cpuset-threads` is enabled. * config: added support for :ref:`initial_fetch_timeout <v1.10:envoy_api_field_core.ConfigSource.initial_fetch_timeout>`. The timeout is disabled by default. * cors: added :ref:`filter_enabled & shadow_enabled RuntimeFractionalPercent flags <v1.10:cors-runtime>` to filter. * csrf: added * ext_authz: added support for buffering request body. * ext_authz: migrated from v2alpha to v2 and improved docs. * ext_authz: added a configurable option to make the gRPC service cross-compatible with V2Alpha. Note that this feature is already deprecated. It should be used for a short time, and only when transitioning from alpha to V2 release version. * ext_authz: migrated from v2alpha to v2 and improved the documentation. * ext_authz: authorization request and response configuration has been separated into two distinct objects: :ref:`authorization request <v1.10:envoy_api_field_config.filter.http.ext_authz.v2.HttpService.authorization_request>` and :ref:`authorization response <v1.10:envoy_api_field_config.filter.http.ext_authz.v2.HttpService.authorization_response>`. In addition, :ref:`client headers <v1.10:envoy_api_field_config.filter.http.ext_authz.v2.AuthorizationResponse.allowed_client_headers>` and :ref:`upstream headers <v1.10:envoy_api_field_config.filter.http.ext_authz.v2.AuthorizationResponse.allowed_upstream_headers>` replaces the previous *allowed_authorization_headers* object. All the control header lists now support :ref:`string matcher <v1.10:envoy_api_msg_type.matcher.StringMatcher>` instead of standard string. * fault: added the :ref:`max_active_faults <v1.10:envoy_api_field_config.filter.http.fault.v2.HTTPFault.max_active_faults>` setting, as well as :ref:`statistics <v1.10:config_http_filters_fault_injection_stats>` for the number of active faults and the number of faults the overflowed. * fault: added :ref:`response rate limit <v1.10:envoy_api_field_config.filter.http.fault.v2.HTTPFault.response_rate_limit>` fault injection. * fault: added :ref:`HTTP header fault configuration <v1.10:config_http_filters_fault_injection_http_header>` to the HTTP fault filter. * governance: extending Envoy deprecation policy from 1 release (0-3 months) to 2 releases (3-6 months). * health check: expected response codes in http health checks are now :ref:`configurable <v1.10:envoy_api_msg_core.HealthCheck.HttpHealthCheck>`. * http: added new grpc_http1_reverse_bridge filter for converting gRPC requests into HTTP/1.1 requests. * http: fixed a bug where Content-Length:0 was added to HTTP/1 204 responses. * http: added :ref:`max request headers size <v1.10:envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.max_request_headers_kb>`. The default behaviour is unchanged. * http: added modifyDecodingBuffer/modifyEncodingBuffer to allow modifying the buffered request/response data. * http: added encodeComplete/decodeComplete. These are invoked at the end of the stream, after all data has been encoded/decoded respectively. Default implementation is a no-op. * outlier_detection: added support for :ref:`outlier detection event protobuf-based logging <v1.10:arch_overview_outlier_detection_logging>`. * mysql: added a MySQL proxy filter that is capable of parsing SQL queries over MySQL wire protocol. Refer to :ref:`MySQL proxy <v1.10:config_network_filters_mysql_proxy>` for more details. * performance: new buffer implementation (disabled by default; to test it, add "--use-libevent-buffers 0" to the command-line arguments when starting Envoy). * jwt_authn: added :ref:`filter_state_rules <v1.10:envoy_api_field_config.filter.http.jwt_authn.v2alpha.jwtauthentication.rules>` to allow specifying requirements from filterState by other filters. * ratelimit: removed deprecated rate limit configuration from bootstrap. * redis: added :ref:`hashtagging <v1.10:envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings.enable_hashtagging>` to guarantee a given key's upstream. * redis: added :ref:`latency stats <v1.10:config_network_filters_redis_proxy_per_command_stats>` for commands. * redis: added :ref:`success and error stats <v1.10:config_network_filters_redis_proxy_per_command_stats>` for commands. * redis: migrate hash function for host selection to `MurmurHash2 <https://sites.google.com/site/murmurhash>`_ from std::hash. MurmurHash2 is compatible with std::hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled on Linux and not macOS. * redis: added :ref:`latency_in_micros <v1.10:envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.latency_in_micros>` to specify the redis commands stats time unit in microseconds. * router: added ability to configure a :ref:`retry policy <v1.10:envoy_api_msg_route.RetryPolicy>` at the virtual host level. * router: added reset reason to response body when upstream reset happens. After this change, the response body will be of the form `upstream connect error or disconnect/reset before headers. reset reason:` * router: added :ref:`rq_reset_after_downstream_response_started <v1.10:config_http_filters_router_stats>` counter stat to router stats. * router: added per-route configuration of :ref:`internal redirects <v1.10:envoy_api_field_route.RouteAction.internal_redirect_action>`. * router: removed deprecated route-action level headers_to_add/remove. * router: made :ref:`max retries header <v1.10:config_http_filters_router_x-envoy-max-retries>` take precedence over the number of retries in route and virtual host retry policies. * router: added support for prefix wildcards in :ref:`virtual host domains <v1.10:envoy_api_field_route.VirtualHost.domains>` * stats: added support for histograms in prometheus * stats: added usedonly flag to prometheus stats to only output metrics which have been updated at least once. * stats: added gauges tracking remaining resources before circuit breakers open. * tap: added new alpha :ref:`HTTP tap filter <v1.10:config_http_filters_tap>`. * tls: enabled TLS 1.3 on the server-side (non-FIPS builds). * upstream: add hash_function to specify the hash function for :ref:`ring hash <v1.10:envoy_api_msg_Cluster.RingHashLbConfig>` as either xxHash or `murmurHash2 <https://sites.google.com/site/murmurhash>`_. MurmurHash2 is compatible with std::hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled on Linux and not macOS. * upstream: added :ref:`degraded health value <v1.10:arch_overview_load_balancing_degraded>` which allows routing to certain hosts only when there are insufficient healthy hosts available. * upstream: add cluster factory to allow creating and registering :ref:`custom cluster type <v1.10:arch_overview_service_discovery_types_custom>`. * upstream: added a :ref:`circuit breaker <v1.10:arch_overview_circuit_break_cluster_maximum_connection_pools>` to limit the number of concurrent connection pools in use. * tracing: added :ref:`verbose <v1.10:envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.tracing>` to support logging annotations on spans. * upstream: added support for host weighting and :ref:`locality weighting <v1.10:arch_overview_load_balancing_locality_weighted_lb>` in the :ref:`ring hash load balancer <v1.10:arch_overview_load_balancing_types_ring_hash>`, and added a :ref:`maximum_ring_size <v1.10:envoy_api_field_Cluster.RingHashLbConfig.maximum_ring_size>` config parameter to strictly bound the ring size. * zookeeper: added a ZooKeeper proxy filter that parses ZooKeeper messages (requests/responses/events). Refer to :ref:`ZooKeeper proxy <v1.10:config_network_filters_zookeeper_proxy>` for more details. * upstream: added configuration option to select any host when the fallback policy fails. * upstream: stopped incrementing upstream_rq_total for HTTP/1 conn pool when request is circuit broken. Deprecated ---------- * Use of `use_alpha` in :ref:`Ext-Authz Authorization Service <v1.10:envoy_api_file_envoy/service/auth/v2/external_auth.proto>` is deprecated. It should be used for a short time, and only when transitioning from alpha to V2 release version. * Use of ``enabled`` in ``CorsPolicy``, found in :ref:`route.proto <v1.10:envoy_api_file_envoy/api/v2/route/route.proto>`. Set the ``filter_enabled`` field instead. * Use of the ``type`` field in the ``FaultDelay`` message (found in :ref:`fault.proto <v1.10:envoy_api_file_envoy/config/filter/fault/v2/fault.proto>`) has been deprecated. It was never used and setting it has no effect. It will be removed in the following release.