1.14.0 (April 8, 2020)
======================
Changes
-------
* access log: access logger extensions use the "envoy.access_loggers" name space. A mapping
of extension names is available in the :ref:`deprecated <v1.14:deprecated>` documentation.
* access log: added support for ``%DOWNSTREAM_LOCAL_PORT%`` :ref:`access log formatters <v1.14:config_access_log_format>`.
* access log: fixed ``%DOWSTREAM_DIRECT_REMOTE_ADDRESS%`` when used with PROXY protocol listener filter.
* access log: introduced :ref:`connection-level access loggers <v1.14:envoy_api_field_Listener.access_log>`.
* adaptive concurrency: fixed bug that allowed concurrency limits to drop below the configured
minimum.
* adaptive concurrency: minRTT is now triggered when the minimum concurrency is maintained for 5
consecutive sampling intervals.
* admin: added support for displaying ip address subject alternate names in :ref:`certs <v1.14:operations_admin_interface_certs>` end point.
* admin: added :http:post:`/reopen_logs` endpoint to control log rotation.
* api: froze v2 xDS API. New feature development in the API should occur in v3 xDS. While the v2 xDS API has
been deprecated since 1.13.0, it will continue to be supported by Envoy until EOY 2020. See
:ref:`api_supported_versions`.
* aws_lambda: added :ref:`AWS Lambda filter <v1.14:config_http_filters_aws_lambda>` that converts HTTP requests to Lambda
invokes. This effectively makes Envoy act as an egress gateway to AWS Lambda.
* aws_request_signing: a few fixes so that it works with S3.
* config: added stat :ref:`update_time <v1.14:config_cluster_manager_cds>`.
* config: use type URL to select an extension whenever the config type URL (or its previous versions) uniquely identify a typed extension, see :ref:`extension configuration <v1.14:config_overview_extension_configuration>`.
* datasource: added retry policy for remote async data source.
* dns: added support for :ref:`dns_failure_refresh_rate <v1.14:envoy_api_field_config.common.dynamic_forward_proxy.v2alpha.DnsCacheConfig.dns_failure_refresh_rate>` for the :ref:`dns cache <v1.14:envoy_api_msg_config.common.dynamic_forward_proxy.v2alpha.DnsCacheConfig>` to set the DNS refresh rate during failures.
* dns: the STRICT_DNS cluster now only resolves to 0 hosts if DNS resolution successfully returns 0 hosts.
* eds: added :ref:`hostname <v1.14:envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>` field for endpoints and :ref:`hostname <v1.14:envoy_v3_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field for endpoint's health check config. This enables auto host rewrite and customizing the host header during health checks for eds endpoints.
* ext_authz: disabled the use of lowercase string matcher for headers matching in HTTP-based ``ext_authz``.
Can be reverted temporarily by setting runtime feature ``envoy.reloadable_features.ext_authz_http_service_enable_case_sensitive_string_matcher`` to false.
* fault: added support for controlling abort faults with :ref:`HTTP header fault configuration <v1.14:config_http_filters_fault_injection_http_header>` to the HTTP fault filter.
* grpc-json: added support for building HTTP request into
`google.api.HttpBody <https://github.com/googleapis/googleapis/blob/master/google/api/httpbody.proto>`_.
* grpc-stats: added option to limit which messages stats are created for.
* http: added HTTP/1.1 flood protection. Can be temporarily disabled using the runtime feature ``envoy.reloadable_features.http1_flood_protection``.
* http: added :ref:`headers_with_underscores_action setting <v1.14:envoy_api_field_core.HttpProtocolOptions.headers_with_underscores_action>` to control how client requests with header names containing underscore characters are handled. The options are to allow such headers, reject request or drop headers. The default is to allow headers, preserving existing behavior.
* http: added :ref:`max_stream_duration <v1.14:envoy_api_field_core.HttpProtocolOptions.max_stream_duration>` to specify the duration of existing streams. See :ref:`connection and stream timeouts <v1.14:faq_configuration_timeouts>`.
* http: connection header sanitizing has been modified to always sanitize if there is no upgrade, including when an h2c upgrade attempt has been removed.
* http: fixed a bug that could send extra METADATA frames and underflow memory when encoding METADATA frames on a connection that was dispatching data.
* http: fixing a bug in HTTP/1.0 responses where Connection: keep-alive was not appended for connections which were kept alive.
* http: http filter extensions use the "envoy.filters.http" name space. A mapping
of extension names is available in the :ref:`deprecated <v1.14:deprecated>` documentation.
* http: the runtime feature ``http.connection_manager.log_flood_exception`` is removed and replaced with a connection access log response code.
* http: upgrade parser library, which removes support for "identity" transfer-encoding value.
* listener filters: listener filter extensions use the "envoy.filters.listener" name space. A
mapping of extension names is available in the :ref:`deprecated <v1.14:deprecated>` documentation.
* listeners: added :ref:`listener filter matcher api <v1.14:envoy_api_field_listener.ListenerFilter.filter_disabled>` to disable individual listener filter on matching downstream connections.
* loadbalancing: added support for using hostname for consistent hash loadbalancing via :ref:`consistent_hash_lb_config <v1.14:envoy_api_field_Cluster.CommonLbConfig.consistent_hashing_lb_config>`.
* loadbalancing: added support for :ref:`retry host predicates <v1.14:envoy_api_field_route.RetryPolicy.retry_host_predicate>` in conjunction with consistent hashing load balancers (ring hash and maglev).
* lua: added a parameter to ``httpCall`` that makes it possible to have the call be asynchronous.
* lua: added moonjit support.
* mongo: the stat emitted for queries without a max time set in the :ref:`MongoDB filter <v1.14:config_network_filters_mongo_proxy>` was modified to emit correctly for Mongo v3.2+.
* network filters: added a :ref:`direct response filter <v1.14:config_network_filters_direct_response>`.
* network filters: network filter extensions use the "envoy.filters.network" name space. A mapping
of extension names is available in the :ref:`deprecated <v1.14:deprecated>` documentation.
* rbac: added :ref:`remote_ip <v1.14:envoy_api_field_config.rbac.v2.Principal.remote_ip>` and :ref:`direct_remote_ip <v1.14:envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>` for matching downstream remote IP address.
* rbac: deprecated :ref:`source_ip <v1.14:envoy_api_field_config.rbac.v2.Principal.source_ip>` with :ref:`direct_remote_ip <v1.14:envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>` and :ref:`remote_ip <v1.14:envoy_api_field_config.rbac.v2.Principal.remote_ip>`.
* request_id_extension: added an ability to extend request ID handling at :ref:`HTTP connection manager <v1.14:envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.request_id_extension>`.
* retry: added a retry predicate that :ref:`rejects hosts based on metadata. <v1.14:envoy_api_field_route.RetryPolicy.retry_host_predicate>`.
* router: added ability to set attempt count in downstream response, see :ref:`virtual host's include response
attempt count config <v1.14:envoy_api_field_route.VirtualHost.include_attempt_count_in_response>`.
* router: added additional stats for :ref:`virtual clusters <v1.14:config_http_filters_router_vcluster_stats>`.
* router: added :ref:`auto_san_validation <v1.14:envoy_api_field_core.UpstreamHttpProtocolOptions.auto_san_validation>` to support overrriding SAN validation to transport socket for new upstream connections based on the downstream HTTP host/authority header.
* router: added the ability to match a route based on whether a downstream TLS connection certificate has been
:ref:`validated <v1.14:envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>`.
* router: added support for :ref:`regex_rewrite
<v1.14:envoy_api_field_route.RouteAction.regex_rewrite>` for path rewriting using regular expressions and capture groups.
* router: added support for `%DOWNSTREAM_LOCAL_PORT%` :ref:`header formatter <v1.14:config_http_conn_man_headers_custom_request_headers>`.
* router: don't ignore :ref:`per_try_timeout <v1.14:envoy_api_field_route.RetryPolicy.per_try_timeout>` when the :ref:`global route timeout <v1.14:envoy_api_field_route.RouteAction.timeout>` is disabled.
* router: strip whitespace for :ref:`retry_on <v1.14:envoy_api_field_route.RetryPolicy.retry_on>`, :ref:`grpc-retry-on header <v1.14:config_http_filters_router_x-envoy-retry-grpc-on>` and :ref:`retry-on header <v1.14:config_http_filters_router_x-envoy-retry-on>`.
* runtime: enabling the runtime feature ``envoy.deprecated_features.allow_deprecated_extension_names``
disables the use of deprecated extension names.
* runtime: integer values may now be parsed as booleans.
* sds: added :ref:`GenericSecret <v1.14:envoy_api_msg_auth.GenericSecret>` to support secret of generic type.
* sds: added :ref:`certificate rotation <v1.14:xds_certificate_rotation>` support for certificates in static resources.
* server: the SIGUSR1 access log reopen warning now is logged at info level.
* stat sinks: stat sink extensions use the "envoy.stat_sinks" name space. A mapping of extension
names is available in the :ref:`deprecated <v1.14:deprecated>` documentation.
* thrift_proxy: added router filter stats to docs.
* tls: added configuration to disable stateless TLS session resumption :ref:`disable_stateless_session_resumption <v1.14:envoy_api_field_auth.DownstreamTlsContext.disable_stateless_session_resumption>`.
* tracing: added gRPC service configuration to the OpenCensus Stackdriver and OpenCensus Agent tracers.
* tracing: tracer extensions use the "envoy.tracers" name space. A mapping of extension names is
available in the :ref:`deprecated <v1.14:deprecated>` documentation.
* upstream: added ``upstream_rq_retry_limit_exceeded`` to :ref:`cluster <v1.14:config_cluster_manager_cluster_stats>`, and :ref:`virtual cluster <v1.14:config_http_filters_router_vcluster_stats>` stats.
* upstream: changed load distribution algorithm when all priorities enter :ref:`panic mode <v1.14:arch_overview_load_balancing_panic_threshold>`.
* upstream: combined HTTP/1 and HTTP/2 connection pool code. This means that circuit breaker
limits for both requests and connections apply to both pool types. Also, HTTP/2 now has
the option to limit concurrent requests on a connection, and allow multiple draining
connections. The old behavior is deprecated, but can be used during the deprecation
period by disabling runtime feature ``envoy.reloadable_features.new_http1_connection_pool_behavior`` or
``envoy.reloadable_features.new_http2_connection_pool_behavior`` and then re-configure your clusters or
restart Envoy. The behavior will not switch until the connection pools are recreated. The new
circuit breaker behavior is described :ref:`here <v1.14:arch_overview_circuit_break>`.
* zlib: by default zlib is initialized to use its default strategy (Z_DEFAULT_STRATEGY)
instead of the fixed one (Z_FIXED). The difference is that the use of dynamic
Huffman codes is enabled now resulting in better compression ratio for normal data.
Deprecated
----------
* The previous behavior for upstream connection pool circuit breaking described
`here <https://www.envoyproxy.io/docs/envoy/v1.13.0/intro/arch_overview/upstream/circuit_breaking>`_ has
been deprecated in favor of the new behavior described :ref:`here <v1.14:arch_overview_circuit_break>`.
* Access Logger, Listener Filter, HTTP Filter, Network Filter, Stats Sink, and Tracer names have
been deprecated in favor of the extension name from the envoy build system. Disable the runtime
feature "envoy.deprecated_features.allow_deprecated_extension_names" to disallow the deprecated
names. Use of these extension names generates a log message and increments the
"deprecated_feature_use" metric in stats.
.. csv-table::
:header: Canonical Names, Deprecated Names
:widths: 1, 1
envoy.access_loggers.file, envoy.file_access_log
envoy.access_loggers.http_grpc, envoy.http_grpc_access_log
envoy.access_loggers.tcp_grpc, envoy.tcp_grpc_access_log
envoy.filters.http.buffer, envoy.buffer
envoy.filters.http.cors, envoy.cors
envoy.filters.http.csrf, envoy.csrf
envoy.filters.http.dynamo, envoy.http_dynamo_filter
envoy.filters.http.ext_authz, envoy.ext_authz
envoy.filters.http.fault, envoy.fault
envoy.filters.http.grpc_http1_bridge, envoy.grpc_http1_bridge
envoy.filters.http.grpc_json_transcoder, envoy.grpc_json_transcoder
envoy.filters.http.grpc_web, envoy.grpc_web
envoy.filters.http.gzip, envoy.gzip
envoy.filters.http.health_check, envoy.health_check
envoy.filters.http.ip_tagging, envoy.ip_tagging
envoy.filters.http.lua, envoy.lua
envoy.filters.http.ratelimit, envoy.rate_limit
envoy.filters.http.router, envoy.router
envoy.filters.http.squash, envoy.squash
envoy.filters.listener.http_inspector, envoy.listener.http_inspector
envoy.filters.listener.original_dst, envoy.listener.original_dst
envoy.filters.listener.original_src, envoy.listener.original_src
envoy.filters.listener.proxy_protocol, envoy.listener.proxy_protocol
envoy.filters.listener.tls_inspector, envoy.listener.tls_inspector
envoy.filters.network.client_ssl_auth, envoy.client_ssl_auth
envoy.filters.network.echo, envoy.echo
envoy.filters.network.ext_authz, envoy.ext_authz
envoy.filters.network.http_connection_manager, envoy.http_connection_manager
envoy.filters.network.mongo_proxy, envoy.mongo_proxy
envoy.filters.network.ratelimit, envoy.ratelimit
envoy.filters.network.redis_proxy, envoy.redis_proxy
envoy.filters.network.tcp_proxy, envoy.tcp_proxy
envoy.stat_sinks.dog_statsd, envoy.dog_statsd
envoy.stat_sinks.metrics_service, envoy.metrics_service
envoy.stat_sinks.statsd, envoy.statsd
envoy.tracers.dynamic_ot, envoy.dynamic.ot
envoy.tracers.lightstep, envoy.lightstep
envoy.tracers.zipkin, envoy.zipkin
.. note::
Some renamed filters produce metadata using their filter name as the metadata namespace:
* Mongo Proxy Filter
* Zookeeper Filter
The metadata generated by these filters may be consumed by the following extensions, whose
configurations may need to be adjusted to use the new names.
* Access Loggers
* HTTP and Network Ext Authz filters
* HTTP and Network RBAC filters
* Tracers
* The previous behavior of auto ignoring case in headers matching:
:ref:`allowed_headers <v1.14:envoy_api_field_config.filter.http.ext_authz.v2.AuthorizationRequest.allowed_headers>`,
:ref:`allowed_upstream_headers <v1.14:envoy_api_field_config.filter.http.ext_authz.v2.AuthorizationResponse.allowed_upstream_headers>`,
and :ref:`allowed_client_headers <v1.14:envoy_api_field_config.filter.http.ext_authz.v2.AuthorizationResponse.allowed_client_headers>`
of HTTP-based ``ext_authz`` has been deprecated in favor of explicitly setting the
:ref:`ignore_case <v1.14:envoy_api_field_type.matcher.StringMatcher.ignore_case>` field.
* The ``header_fields``, ``custom_header_fields``, and ``additional_headers`` fields for the route checker
tool have been deprecated in favor of ``request_header_fields``, ``response_header_fields``,
``additional_request_headers``, and ``additional_response_headers``.
* The ``content_length``, ``content_type``, ``disable_on_etag_header`` and ``remove_accept_encoding_header``
fields in :ref:`HTTP Gzip filter config <v1.14:envoy_api_msg_config.filter.http.gzip.v2.Gzip>` have
been deprecated in favor of ``compressor``.
* The statistics counter ``header_gzip`` in :ref:`HTTP Gzip filter <v1.14:config_http_filters_gzip>`
has been deprecated in favor of ``header_compressor_used``.
* Support for the undocumented HTTP/1.1 ``:no-chunks`` pseudo-header has been removed. If an extension
was using this it can achieve the same behavior via the new ``http1StreamEncoderOptions()`` API.
* The grpc_stats filter behavior of by default creating a new stat for every message type seen is deprecated.
The default will switch to only creating a fixed set of stats. The previous behavior can be enabled by enabling
:ref:`stats_for_all_methods <v1.14:envoy_api_field_config.filter.http.grpc_stats.v2alpha.FilterConfig.stats_for_all_methods>`,
and the previous default can be enabled until the end of the deprecation period by enabling runtime feature
``envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default``.
* The :ref:`source_ip <v1.14:envoy_api_field_config.rbac.v2.Principal.source_ip>` field in
`RBAC <https://github.com/envoyproxy/envoy/blob/release/v1.14/api/envoy/config/rbac/v2/rbac.proto>`_ has been deprecated
in favor of :ref:`direct_remote_ip <v1.14:envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>` and
:ref:`remote_ip <v1.14:envoy_api_field_config.rbac.v2.Principal.remote_ip>`.