forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path1.12.0.yaml
377 lines (375 loc) · 20.7 KB
/
1.12.0.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
date: October 31, 2019
changes:
- area: access log
change: |
added a new flag for :ref:`downstream protocol error <envoy_api_field_data.accesslog.v2.ResponseFlags.downstream_protocol_error>`.
- area: access log
change: |
added :ref:`buffering <envoy_api_field_config.accesslog.v2.CommonGrpcAccessLogConfig.buffer_size_bytes>` and :ref:`periodical flushing <envoy_api_field_config.accesslog.v2.CommonGrpcAccessLogConfig.buffer_flush_interval>` support to gRPC access logger. Defaults to 16KB buffer and flushing every 1 second.
- area: access log
change: |
added DOWNSTREAM_DIRECT_REMOTE_ADDRESS and DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT :ref:`access log formatters <config_access_log_format>` and gRPC access logger.
- area: access log
change: |
gRPC Access Log Service (ALS) support added for :ref:`TCP access logs <envoy_api_msg_config.accesslog.v2.TcpGrpcAccessLogConfig>`.
- area: access log
change: |
reintroduced :ref:`filesystem <filesystem_stats>` stats and added the ``write_failed`` counter to track failed log writes.
- area: admin
change: |
added ability to configure listener :ref:`socket options <envoy_api_field_config.bootstrap.v2.Admin.socket_options>`.
- area: admin
change: |
added config dump support for Secret Discovery Service :ref:`SecretConfigDump <envoy_api_msg_admin.v2alpha.SecretsConfigDump>`.
- area: admin
change: |
added support for :ref:`draining <operations_admin_interface_drain>` listeners via admin interface.
- area: admin
change: |
added :http:get:`/stats/recentlookups`, :http:post:`/stats/recentlookups/clear`, :http:post:`/stats/recentlookups/disable`, and :http:post:`/stats/recentlookups/enable` endpoints.
- area: api
change: |
added :ref:`set_node_on_first_message_only <envoy_api_field_core.ApiConfigSource.set_node_on_first_message_only>` option to omit the node identifier from the subsequent discovery requests on the same stream.
- area: buffer filter
change: |
now populates content-length header if not present. This behavior can be temporarily disabled using the runtime feature ``envoy.reloadable_features.buffer_filter_populate_content_length``.
- area: build
change: |
official released binary is now PIE so it can be run with ASLR.
- area: config
change: |
added support for :ref:`delta xDS <arch_overview_dynamic_config_delta>` (including ADS) delivery.
- area: config
change: |
enforcing that terminal filters (e.g. HttpConnectionManager for L4, router for L7) be the last in their respective filter chains.
- area: config
change: |
added access log :ref:`extension filter <envoy_api_field_config.filter.accesslog.v2.AccessLogFilter.extension_filter>`.
- area: config
change: |
added support for :option:`--reject-unknown-dynamic-fields`, providing independent control
over whether unknown fields are rejected in static and dynamic configuration. By default, unknown
fields in static configuration are rejected and are allowed in dynamic configuration. Warnings
are logged for the first use of any unknown field and these occurrences are counted in the
:ref:`server.static_unknown_fields <server_statistics>` and :ref:`server.dynamic_unknown_fields
<server_statistics>` statistics.
- area: config
change: |
added async data access for local and remote data sources.
- area: config
change: |
changed the default value of :ref:`initial_fetch_timeout <envoy_api_field_core.ConfigSource.initial_fetch_timeout>` from 0s to 15s. This is a change in behaviour in the sense that Envoy will move to the next initialization phase, even if the first config is not delivered in 15s. Refer to :ref:`initialization process <arch_overview_initialization>` for more details.
- area: config
change: |
added stat :ref:`init_fetch_timeout <config_cluster_manager_cds>`.
- area: config
change: |
tls_context in Cluster and FilterChain are deprecated in favor of transport socket. See :ref:`deprecated documentation <deprecated>` for more information.
- area: csrf
change: |
added PATCH to supported methods.
- area: dns
change: |
added support for configuring :ref:`dns_failure_refresh_rate <envoy_api_field_Cluster.dns_failure_refresh_rate>` to set the DNS refresh rate during failures.
- area: ext_authz
change: |
added :ref:`configurable ability <envoy_api_field_config.filter.http.ext_authz.v2.ExtAuthz.metadata_context_namespaces>` to send dynamic metadata to the ``ext_authz`` service.
- area: ext_authz
change: |
added :ref:`filter_enabled RuntimeFractionalPercent flag <envoy_api_field_config.filter.http.ext_authz.v2.ExtAuthz.filter_enabled>` to filter.
- area: ext_authz
change: |
added tracing to the HTTP client.
- area: ext_authz
change: |
deprecated :ref:`cluster scope stats <config_http_filters_ext_authz_stats>` in favour of filter scope stats.
- area: fault
change: |
added overrides for default runtime keys in :ref:`HTTPFault <envoy_api_msg_config.filter.http.fault.v2.HTTPFault>` filter.
- area: grpc
change: |
added :ref:`AWS IAM grpc credentials extension <envoy_api_file_envoy/config/grpc_credential/v2alpha/aws_iam.proto>` for AWS-managed xDS.
- area: grpc
change: |
added :ref:`gRPC stats filter <config_http_filters_grpc_stats>` for collecting stats about gRPC calls and streaming message counts.
- area: grpc-json
change: |
added support for :ref:`ignoring unknown query parameters <envoy_api_field_config.filter.http.transcoder.v2.GrpcJsonTranscoder.ignore_unknown_query_parameters>`.
- area: grpc-json
change: |
added support for :ref:`the grpc-status-details-bin header <envoy_api_field_config.filter.http.transcoder.v2.GrpcJsonTranscoder.convert_grpc_status>`.
- area: header to metadata
change: |
added :ref:`PROTOBUF_VALUE <envoy_api_enum_value_config.filter.http.header_to_metadata.v2.Config.ValueType.PROTOBUF_VALUE>` and :ref:`ValueEncode <envoy_api_enum_config.filter.http.header_to_metadata.v2.Config.ValueEncode>` to support protobuf Value and Base64 encoding.
- area: http
change: |
added a default one hour idle timeout to upstream and downstream connections. HTTP connections with no streams and no activity will be closed after one hour unless the default idle_timeout is overridden. To disable upstream idle timeouts, set the :ref:`idle_timeout <envoy_api_field_core.HttpProtocolOptions.idle_timeout>` to zero in Cluster :ref:`http_protocol_options <envoy_api_field_Cluster.common_http_protocol_options>`. To disable downstream idle timeouts, either set :ref:`idle_timeout <envoy_api_field_core.HttpProtocolOptions.idle_timeout>` to zero in the HttpConnectionManager :ref:`common_http_protocol_options <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.common_http_protocol_options>` or set the deprecated :ref:`connection manager <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.idle_timeout>` field to zero.
- area: http
change: |
added the ability to format HTTP/1.1 header keys using :ref:`header_key_format <envoy_api_field_core.Http1ProtocolOptions.header_key_format>`.
- area: http
change: |
added the ability to reject HTTP/1.1 requests with invalid HTTP header values, using the runtime feature ``envoy.reloadable_features.strict_header_validation``.
- area: http
change: |
changed Envoy to forward existing x-forwarded-proto from upstream trusted proxies. Guarded by ``envoy.reloadable_features.trusted_forwarded_proto`` which defaults true.
- area: http
change: |
added the ability to configure the behavior of the server response header, via the :ref:`server_header_transformation <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.server_header_transformation>` field.
- area: http
change: |
added the ability to :ref:`merge adjacent slashes <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.merge_slashes>` in the path.
- area: http
change: |
:ref:`AUTO <envoy_api_enum_value_config.filter.network.http_connection_manager.v2.HttpConnectionManager.CodecType.AUTO>` codec protocol inference now requires the H2 magic bytes to be the first bytes transmitted by a downstream client.
- area: http
change: |
remove h2c upgrade headers for HTTP/1 as h2c upgrades are currently not supported.
- area: http
change: |
absolute URL support is now on by default. The prior behavior can be reinstated by setting :ref:`allow_absolute_url <envoy_api_field_core.Http1ProtocolOptions.allow_absolute_url>` to false.
- area: http
change: |
support :ref:`host rewrite <envoy_api_msg_config.filter.http.dynamic_forward_proxy.v2alpha.PerRouteConfig>` in the dynamic forward proxy.
- area: http
change: |
support :ref:`disabling the filter per route <envoy_api_msg_config.filter.http.grpc_http1_reverse_bridge.v2alpha1.FilterConfigPerRoute>` in the grpc http1 reverse bridge filter.
- area: http
change: |
added the ability to :ref:`configure max connection duration <envoy_api_field_core.HttpProtocolOptions.max_connection_duration>` for downstream connections.
- area: listeners
change: |
added :ref:`continue_on_listener_filters_timeout <envoy_api_field_Listener.continue_on_listener_filters_timeout>` to configure whether a listener will still create a connection when listener filters time out.
- area: listeners
change: |
added :ref:`HTTP inspector listener filter <config_listener_filters_http_inspector>`.
- area: listeners
change: |
added :ref:`connection balancer <envoy_api_field_Listener.connection_balance_config>`
configuration for TCP listeners.
- area: listeners
change: |
listeners now close the listening socket as part of the draining stage as soon as workers stop accepting their connections.
- area: lua
change: |
extended ``httpCall()`` and ``respond()`` APIs to accept headers with entry values that can be a string or table of strings.
- area: lua
change: |
extended ``dynamicMetadata:set()`` to allow setting complex values.
- area: metrics_service
change: |
added support for flushing histogram buckets.
- area: outlier_detector
change: |
added :ref:`support for the grpc-status response header <arch_overview_outlier_detection_grpc>` by mapping it to HTTP status. Guarded by envoy.reloadable_features.outlier_detection_support_for_grpc_status which defaults to true.
- area: performance
change: |
new buffer implementation enabled by default (to disable add "--use-libevent-buffers 1" to the command-line arguments when starting Envoy).
- area: performance
change: |
stats symbol table implementation (disabled by default; to test it, add "--use-fake-symbol-table 0" to the command-line arguments when starting Envoy).
- area: rbac
change: |
added support for DNS SAN as :ref:`principal_name <envoy_api_field_config.rbac.v2.Principal.Authenticated.principal_name>`.
- area: redis
change: |
added :ref:`enable_command_stats <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings.enable_command_stats>` to enable :ref:`per command statistics <arch_overview_redis_cluster_command_stats>` for upstream clusters.
- area: redis
change: |
added :ref:`read_policy <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings.read_policy>` to allow reading from redis replicas for Redis Cluster deployments.
- area: redis
change: |
fixed a bug where the redis health checker ignored the upstream auth password.
- area: redis
change: |
enable_hashtaging is always enabled when the upstream uses open source Redis cluster protocol.
- area: regex
change: |
introduced new :ref:`RegexMatcher <envoy_api_msg_type.matcher.RegexMatcher>` type that
provides a safe regex implementation for untrusted user input. This type is now used in all
configuration that processes user provided input. See :ref:`deprecated configuration details
<deprecated>` for more information.
- area: rbac
change: |
added conditions to the policy, see :ref:`condition <envoy_api_field_config.rbac.v2.Policy.condition>`.
- area: router
change: |
added :ref:`rq_retry_skipped_request_not_complete <config_http_filters_router_stats>` counter stat to router stats.
- area: router
change: |
:ref:`scoped routing <arch_overview_http_routing_route_scope>` is supported.
- area: router
change: |
added new :ref:`retriable-headers <config_http_filters_router_x-envoy-retry-on>` retry policy. Retries can now be configured to trigger by arbitrary response header matching.
- area: router
change: |
added ability for most specific header mutations to take precedence, see :ref:`route configuration's most specific
header mutations wins flag <envoy_api_field_RouteConfiguration.most_specific_header_mutations_wins>`.
- area: router
change: |
added :ref:`respect_expected_rq_timeout <envoy_api_field_config.filter.http.router.v2.Router.respect_expected_rq_timeout>` that instructs ingress Envoy to respect :ref:`config_http_filters_router_x-envoy-expected-rq-timeout-ms` header, populated by egress Envoy, when deriving timeout for upstream cluster.
- area: router
change: |
added new :ref:`retriable request headers <envoy_api_field_route.Route.per_request_buffer_limit_bytes>` to route configuration, to allow limiting buffering for retries and shadowing.
- area: router
change: |
added new :ref:`retriable request headers <envoy_api_field_route.RetryPolicy.retriable_request_headers>` to retry policies. Retries can now be configured to only trigger on request header match.
- area: router
change: |
added the ability to match a route based on whether a TLS certificate has been
:ref:`presented <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.presented>` by the
downstream connection.
- area: router check tool
change: |
added coverage reporting & enforcement.
- area: router check tool
change: |
added comprehensive coverage reporting.
- area: router check tool
change: |
added deprecated field check.
- area: router check tool
change: |
added flag for only printing results of failed tests.
- area: router check tool
change: |
added support for outputting missing tests in the detailed coverage report.
- area: router check tool
change: |
added coverage reporting for direct response routes.
- area: runtime
change: |
allows for the ability to parse boolean values.
- area: runtime
change: |
allows for the ability to parse integers as double values and vice-versa.
- area: sds
change: |
added :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys_sds_secret_config>` for loading TLS Session Ticket Encryption Keys using SDS API.
- area: server
change: |
added a post initialization lifecycle event, in addition to the existing startup and shutdown events.
- area: server
change: |
added :ref:`per-handler listener stats <config_listener_stats_per_handler>` and
:ref:`per-worker watchdog stats <operations_performance_watchdog>` to help diagnosing event
loop imbalance and general performance issues.
- area: stats
change: |
added unit support to histogram.
- area: tcp_proxy
change: |
the default :ref:`idle_timeout
<envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.idle_timeout>` is now 1 hour.
- area: thrift_proxy
change: |
fixed crashing bug on invalid transport/protocol framing.
- area: thrift_proxy
change: |
added support for stripping service name from method when using the multiplexed protocol.
- area: tls
change: |
added verification of IP address SAN fields in certificates against configured SANs in the certificate validation context.
- area: tracing
change: |
added support to the Zipkin reporter for sending list of spans as Zipkin JSON v2 and protobuf message over HTTP.
certificate validation context.
- area: tracing
change: |
added tags for gRPC response status and message.
- area: tracing
change: |
added :ref:`max_path_tag_length <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.tracing>` to support customizing the length of the request path included in the extracted `http.url <https://github.com/opentracing/specification/blob/master/semantic_conventions.md#standard-span-tags-and-log-fields>`_ tag.
- area: upstream
change: |
added :ref:`an option <envoy_api_field_Cluster.CommonLbConfig.close_connections_on_host_set_change>` that allows draining HTTP, TCP connection pools on cluster membership change.
- area: upstream
change: |
added :ref:`transport_socket_matches <envoy_api_field_Cluster.transport_socket_matches>`, support using different transport socket config when connecting to different upstream endpoints within a cluster.
- area: upstream
change: |
added network filter chains to upstream connections, see :ref:`filters <envoy_api_field_Cluster.filters>`.
- area: upstream
change: |
added new :ref:`failure-percentage based outlier detection <arch_overview_outlier_detection_failure_percentage>` mode.
- area: upstream
change: |
uses p2c to select hosts for least-requests load balancers if all host weights are the same, even in cases where weights are not equal to 1.
- area: upstream
change: |
added :ref:`fail_traffic_on_panic <envoy_api_field_Cluster.CommonLbConfig.ZoneAwareLbConfig.fail_traffic_on_panic>` to allow failing all requests to a cluster during panic state.
- area: zookeeper
change: |
parses responses and emits latency stats.
deprecated:
- area: load_balancing
change: |
The ``ORIGINAL_DST_LB`` :ref:`load balancing policy <envoy_api_field_Cluster.lb_policy>` is
deprecated, use CLUSTER_PROVIDED policy instead when configuring an :ref:`original destination
cluster <envoy_api_field_Cluster.type>`.
- area: matching
change: |
The ``regex`` field in :ref:`StringMatcher <envoy_api_msg_type.matcher.StringMatcher>` has been
deprecated in favor of the ``safe_regex`` field.
- area: routing
change: |
The ``regex`` field in :ref:`RouteMatch <envoy_api_msg_route.RouteMatch>` has been
deprecated in favor of the ``safe_regex`` field.
- area: cors
change: |
The ``allow_origin`` and ``allow_origin_regex`` fields in :ref:`CorsPolicy
<envoy_api_msg_route.CorsPolicy>` have been deprecated in favor of the
``allow_origin_string_match`` field.
- area: cluster
change: |
The ``pattern`` and ``method`` fields in :ref:`VirtualCluster <envoy_api_msg_route.VirtualCluster>`
have been deprecated in favor of the ``headers`` field.
- area: matching
change: |
The ``regex_match`` field in :ref:`HeaderMatcher <envoy_api_msg_route.HeaderMatcher>` has been
deprecated in favor of the ``safe_regex_match`` field.
- area: matching
change: |
The ``value`` and ``regex`` fields in :ref:`QueryParameterMatcher
<envoy_api_msg_route.QueryParameterMatcher>` has been deprecated in favor of the ``string_match``
and ``present_match`` fields.
- area: options
change: |
The :option:`--allow-unknown-fields` command-line option,
use :option:`--allow-unknown-static-fields` instead.
- area: zipkin
change: |
The use of ``HTTP_JSON_V1`` :ref:`Zipkin collector endpoint version
<envoy_api_field_config.trace.v2.ZipkinConfig.collector_endpoint_version>` or not explicitly
specifying it is deprecated, use ``HTTP_JSON`` or ``HTTP_PROTO`` instead.
- area: listener
change: |
The ``operation_name`` field in :ref:`HTTP connection manager
<envoy_api_msg_config.filter.network.http_connection_manager.v2.HttpConnectionManager>`
has been deprecated in favor of the ``traffic_direction`` field in
:ref:`Listener <envoy_api_msg_Listener>`. The latter takes priority if
specified.
- area: tls
change: |
The ``tls_context`` field in :ref:`Filter chain <envoy_api_field_listener.FilterChain.tls_context>` message
and :ref:`Cluster <envoy_api_field_Cluster.tls_context>` message have been deprecated in favor of
``transport_socket`` with name ``envoy.transport_sockets.tls``. The latter takes priority if specified.
- area: health_check
change: |
The ``use_http2`` field in
:ref:`HTTP health checker <envoy_api_msg_core.HealthCheck.HttpHealthCheck>` has been deprecated in
favor of the ``codec_client_type`` field.
- area: grpc
change: |
The use of :ref:`gRPC bridge filter <config_http_filters_grpc_bridge>` for
gRPC stats has been deprecated in favor of the dedicated :ref:`gRPC stats
filter <config_http_filters_grpc_stats>`.
- area: ext_authz
change: |
Ext_authz filter stats ``ok``, ``error``, ``denied``, ``failure_mode_allowed`` in
``cluster.<route target cluster>.ext_authz.`` namespace is deprecated.
Use ``http.<stat_prefix>.ext_authz.`` namespace to access same counters instead.
- area: udpa
change: |
Use of ``google.protobuf.Struct`` for extension opaque configs is deprecated. Use ``google.protobuf.Any`` instead or pack
``udpa.type.v1.TypedStruct`` in ``google.protobuf.Any``.