changelogs/1.15.0.yaml

date: July 7, 2020

behavior_changes:
- area: build
  change: |
    official released binary is now built on Ubuntu 18.04, requires glibc >= 2.27.
- area: client_ssl_auth
  change: |
    the ``auth_ip_white_list`` stat has been renamed to
    :ref:`auth_ip_allowlist <config_network_filters_client_ssl_auth_stats>`.
- area: header to metadata
  change: |
    on_header_missing rules with empty values are now rejected (they were skipped before).
- area: router
  change: |
    path_redirect now keeps query string by default. This behavior may be reverted by setting runtime feature ``envoy.reloadable_features.preserve_query_string_in_path_redirects`` to false.
- area: tls
  change: |
    fixed a bug where wilcard matching for "\*.foo.com" also matched domains of the form "a.b.foo.com". This behavior can be temporarily reverted by setting runtime feature ``envoy.reloadable_features.fix_wildcard_matching`` to false.

minor_behavior_changes:
- area: access loggers
  change: |
    applied existing buffer limits to access logs, as well as :ref:`stats <config_access_log_stats>` for logged / dropped logs. This can be reverted temporarily by setting runtime feature ``envoy.reloadable_features.disallow_unbounded_access_logs`` to false.
- area: build
  change: |
    runs as non-root inside Docker containers. Existing behaviour can be restored by setting the environment variable ``ENVOY_UID`` to ``0``. ``ENVOY_UID`` and ``ENVOY_GID`` can be used to set the envoy user's ``uid`` and ``gid`` respectively.
- area: health check
  change: |
    in the health check filter the :ref:`percentage of healthy servers in upstream clusters <envoy_api_field_config.filter.http.health_check.v2.HealthCheck.cluster_min_healthy_percentages>` is now interpreted as an integer.
- area: hot restart
  change: |
    added the option :option:`--use-dynamic-base-id` to select an unused base ID at startup and the option :option:`--base-id-path` to write the base id to a file (for reuse with later hot restarts).
- area: http
  change: |
    changed early error path for HTTP/1.1 so that responses consistently flow through the http connection manager, and the http filter chains. This behavior may be temporarily reverted by setting runtime feature ``envoy.reloadable_features.early_errors_via_hcm`` to false.
- area: http
  change: |
    fixed several bugs with applying correct connection close behavior across the http connection manager, health checker, and connection pool. This behavior may be temporarily reverted by setting runtime feature ``envoy.reloadable_features.fix_connection_close`` to false.
- area: http
  change: |
    fixed a bug where the upgrade header was not cleared on responses to non-upgrade requests.
    Can be reverted temporarily by setting runtime feature ``envoy.reloadable_features.fix_upgrade_response`` to false.
- area: http
  change: |
    stopped overwriting ``date`` response headers. Responses without a ``date`` header will still have the header properly set. This behavior can be temporarily reverted by setting ``envoy.reloadable_features.preserve_upstream_date`` to false.
- area: http
  change: |
    stopped adding a synthetic path to CONNECT requests, meaning unconfigured CONNECT requests will now return 404 instead of 403. This behavior can be temporarily reverted by setting ``envoy.reloadable_features.stop_faking_paths`` to false.
- area: http
  change: |
    stopped allowing upstream 1xx or 204 responses with Transfer-Encoding or non-zero Content-Length headers. Content-Length of 0 is allowed, but stripped. This behavior can be temporarily reverted by setting ``envoy.reloadable_features.strict_1xx_and_204_response_headers`` to false.
- area: http
  change: |
    upstream connections will now automatically set ALPN when this value is not explicitly set elsewhere (e.g. on the upstream TLS config). This behavior may be temporarily reverted by setting runtime feature ``envoy.reloadable_features.http_default_alpn`` to false.
- area: listener
  change: |
    fixed a bug where when a static listener fails to be added to a worker, the listener was not removed from the active listener list.
- area: router
  change: |
    extended to allow retries of streaming or incomplete requests. This removes stat ``rq_retry_skipped_request_not_complete``.
- area: router
  change: |
    extended to allow retries by default when upstream responds with :ref:`x-envoy-overloaded <config_http_filters_router_x-envoy-overloaded_set>`.

bug_fixes:
- area: adaptive concurrency
  change: |
    fixed a minRTT calculation bug where requests started before the concurrency
    limit was pinned to the minimum would skew the new minRTT value if the replies arrived after the
    start of the new minRTT window.
- area: buffer
  change: |
    fixed CVE-2020-12603 by avoiding fragmentation, and tracking of HTTP/2 data and control frames in the output buffer.
- area: grpc-json
  change: |
    fixed a bug when in trailers only gRPC response (e.g. error) HTTP status code is not being re-written.
- area: http
  change: |
    fixed a bug in the grpc_http1_reverse_bridge filter where header-only requests were forwarded with a non-zero content length.
- area: http
  change: |
    fixed a bug where in some cases slash was moved from path to query string when :ref:`merging of adjacent slashes <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.merge_slashes>` is enabled.
- area: http
  change: |
    fixed CVE-2020-12604 by changing :ref:`stream_idle_timeout <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.stream_idle_timeout>`
    to also defend against an HTTP/2 peer that does not open stream window once an entire response has been buffered to be sent to a downstream client.
- area: http
  change: |
    fixed CVE-2020-12605 by including request URL in request header size computation, and rejecting partial headers that exceed configured limits.
- area: http
  change: |
    fixed several bugs with applying correct connection close behavior across the http connection manager, health checker, and connection pool. This behavior may be temporarily reverted by setting runtime feature ``envoy.reloadable_features.fix_connection_close`` to false.
- area: listener
  change: |
    fixed CVE-2020-8663 by adding runtime support for :ref:`per-listener limits <config_listeners_runtime>` on active/accepted connections.
- area: overload management
  change: |
    fixed CVE-2020-8663 by adding runtime support for :ref:`global limits <config_overload_manager>` on active/accepted connections.
- area: prometheus stats
  change: |
    fixed the sort order of output lines to comply with the standard.
- area: udp
  change: |
    the :ref:`reuse_port <envoy_api_field_Listener.reuse_port>` listener option must now be
    specified for UDP listeners if concurrency is > 1. This previously crashed so is considered a
    bug fix.
- area: upstream
  change: |
    fixed a bug where Envoy would panic when receiving a GRPC SERVICE_UNKNOWN status on the health check.

removed_config_or_runtime:
- area: http
  change: |
    removed legacy connection pool code and their runtime features: ``envoy.reloadable_features.new_http1_connection_pool_behavior`` and
    ``envoy.reloadable_features.new_http2_connection_pool_behavior``.

new_features:
- area: access loggers
  change: |
    added file access logger config :ref:`log_format <envoy_v3_api_field_extensions.access_loggers.file.v3.FileAccessLog.log_format>`.
- area: access loggers
  change: |
    added GRPC_STATUS operator on logging format.
- area: access loggers
  change: |
    added gRPC access logger config added :ref:`API version <envoy_v3_api_field_extensions.access_loggers.grpc.v3.CommonGrpcAccessLogConfig.transport_api_version>` to explicitly set the version of gRPC service endpoint and message to be used.
- area: access loggers
  change: |
    extended specifier for FilterStateFormatter to output :ref:`unstructured log string <config_access_log_format_filter_state>`.
- area: admin
  change: |
    added support for dumping EDS config at :ref:`/config_dump?include_eds <operations_admin_interface_config_dump_include_eds>`.
- area: aggregate cluster
  change: |
    made route :ref:`retry_priority <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_priority>` predicates work with :ref:`this cluster type <envoy_v3_api_msg_extensions.clusters.aggregate.v3.ClusterConfig>`.
- area: build
  change: |
    official released binary is now built on Ubuntu 18.04, requires glibc >= 2.27.
- area: build
  change: |
    official released binary is now built with Clang 10.0.0.
- area: cluster
  change: |
    added an extension point for configurable :ref:`upstreams <envoy_v3_api_field_config.cluster.v3.Cluster.upstream_config>`.
- area: compressor
  change: |
    exposed generic :ref:`compressor <config_http_filters_compressor>` filter to users.
- area: config
  change: |
    added :ref:`identifier <config_cluster_manager_cds>` stat that reflects control plane identifier.
- area: config
  change: |
    added :ref:`version_text <config_cluster_manager_cds>` stat that reflects xDS version.
- area: decompressor
  change: |
    exposed generic :ref:`decompressor <config_http_filters_decompressor>` filter to users.
- area: dynamic forward proxy
  change: |
    added :ref:`SNI based dynamic forward proxy <config_network_filters_sni_dynamic_forward_proxy>` support.
- area: dynamic forward proxy
  change: |
    added configurable :ref:`circuit breakers <dns_cache_circuit_breakers>` for resolver on DNS cache.
    This behavior can be temporarily disabled by the runtime feature ``envoy.reloadable_features.enable_dns_cache_circuit_breakers``.
    If this runtime feature is disabled, the upstream circuit breakers for the cluster will be used even if the :ref:`DNS Cache circuit breakers <dns_cache_circuit_breakers>` are configured.
- area: dynamic forward proxy
  change: |
    added :ref:`allow_insecure_cluster_options <envoy_v3_api_field_extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig.allow_insecure_cluster_options>` to allow disabling of auto_san_validation and auto_sni.
- area: ext_authz filter
  change: |
    added :ref:`v2 deny_at_disable <envoy_api_field_config.filter.http.ext_authz.v2.ExtAuthz.deny_at_disable>`, :ref:`v3 deny_at_disable <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.deny_at_disable>`. This allows force denying protected paths while filter gets disabled, by setting this key to true.
- area: ext_authz filter
  change: |
    added API version field for both :ref:`HTTP <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.transport_api_version>`
    and :ref:`Network <envoy_v3_api_field_extensions.filters.network.ext_authz.v3.ExtAuthz.transport_api_version>` filters to explicitly set the version of gRPC service endpoint and message to be used.
- area: ext_authz filter
  change: |
    added :ref:`v3 allowed_upstream_headers_to_append <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_upstream_headers_to_append>` to allow appending multiple header entries (returned by the authorization server) with the same key to the original request headers.
- area: fault
  change: |
    added support for controlling the percentage of requests that abort, delay and response rate limits faults
    are applied to using :ref:`HTTP headers <config_http_filters_fault_injection_http_header>` to the HTTP fault filter.
- area: fault
  change: |
    added support for specifying grpc_status code in abort faults using
    :ref:`HTTP header <config_http_filters_fault_injection_http_header>` or abort fault configuration in HTTP fault filter.
- area: filter
  change: |
    added ``upstream_rq_time`` stats to the GPRC stats filter.
    Disabled by default and can be enabled via :ref:`enable_upstream_stats <envoy_v3_api_field_extensions.filters.http.grpc_stats.v3.FilterConfig.enable_upstream_stats>`.
- area: grpc
  change: |
    added support for Google gRPC :ref:`custom channel arguments <envoy_v3_api_field_config.core.v3.GrpcService.GoogleGrpc.channel_args>`.
- area: grpc-json
  change: |
    added support for streaming response using
    `google.api.HttpBody <https://github.com/googleapis/googleapis/blob/master/google/api/httpbody.proto>`_.
- area: grpc-json
  change: |
    send a ``x-envoy-original-method`` header to grpc services.
- area: gzip filter
  change: |
    added option to set zlib's next output buffer size.
- area: hds
  change: |
    updated to allow to explicitly set the API version of gRPC service endpoint and message to be used.
- area: header to metadata
  change: |
    added support for regex substitutions on header values.
- area: health checks
  change: |
    allowed configuring health check transport sockets by specifying :ref:`transport socket match criteria <envoy_v3_api_field_config.core.v3.HealthCheck.transport_socket_match_criteria>`.
- area: http
  change: |
    added :ref:`local_reply config <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.local_reply_config>` to http_connection_manager to customize :ref:`local reply <config_http_conn_man_local_reply>`.
- area: http
  change: |
    added :ref:`stripping port from host header <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.strip_matching_host_port>` support.
- area: http
  change: |
    added support for proxying CONNECT requests, terminating CONNECT requests, and converting raw TCP streams into HTTP/2 CONNECT requests. See :ref:`upgrade documentation <arch_overview_upgrades>` for details.
- area: listener
  change: |
    added in place filter chain update flow for tcp listener update which doesn't close connections if the corresponding network filter chain is equivalent during the listener update.
    Can be disabled by setting runtime feature ``envoy.reloadable_features.listener_in_place_filterchain_update`` to false.
    Also added additional draining filter chain stat for :ref:`listener manager <config_listener_manager_stats>` to track the number of draining filter chains and the number of in place update attempts.
- area: logger
  change: |
    added ``--log-format-prefix-with-location`` command line option to prefix '%v' with file path and line number.
- area: lrs
  change: |
    added new ``envoy_api_field_service.load_stats.v2.LoadStatsResponse.send_all_clusters`` field
    in LRS response, which allows management servers to avoid explicitly listing all clusters it is
    interested in; behavior is allowed based on new ``envoy.lrs.supports_send_all_clusters`` capability
    in :ref:`client_features <envoy_v3_api_field_config.core.v3.Node.client_features>` field.
- area: lrs
  change: |
    updated to allow to explicitly set the API version of gRPC service endpoint and message to be used.
- area: lua
  change: |
    added :ref:`per route config <envoy_v3_api_msg_extensions.filters.http.lua.v3.LuaPerRoute>` for Lua filter.
- area: lua
  change: |
    added tracing to the ``httpCall()`` API.
- area: metrics service
  change: |
    added :ref:`API version <envoy_v3_api_field_config.metrics.v3.MetricsServiceConfig.transport_api_version>` to explicitly set the version of gRPC service endpoint and message to be used.
- area: network filters
  change: |
    added a :ref:`postgres proxy filter <config_network_filters_postgres_proxy>`.
- area: network filters
  change: |
    added a :ref:`rocketmq proxy filter <config_network_filters_rocketmq_proxy>`.
- area: performance
  change: |
    enabled stats symbol table implementation by default. To disable it, add
    ``--use-fake-symbol-table 1`` to the command-line arguments when starting Envoy.
- area: ratelimit
  change: |
    added support for use of dynamic metadata :ref:`dynamic_metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.dynamic_metadata>` as a ratelimit action.
- area: ratelimit
  change: |
    added :ref:`API version <envoy_v3_api_field_config.ratelimit.v3.RateLimitServiceConfig.transport_api_version>` to explicitly set the version of gRPC service endpoint and message to be used.
- area: ratelimit
  change: |
    support specifying dynamic overrides in rate limit descriptors using :ref:`limit override <envoy_v3_api_field_config.route.v3.RateLimit.limit>` config.
- area: redis
  change: |
    added acl support :ref:`downstream_auth_username <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_username>` for downstream client ACL authentication, and :ref:`auth_username <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProtocolOptions.auth_username>` to configure authentication usernames for upstream Redis 6+ server clusters with ACL enabled.
- area: regex
  change: |
    added support for enforcing max program size via runtime and stats to monitor program size for :ref:`Google RE2 <envoy_v3_api_field_type.matcher.v3.RegexMatcher.GoogleRE2.max_program_size>`.
- area: request_id
  change: |
    added to :ref:`always_set_request_id_in_response setting <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.always_set_request_id_in_response>`
    to set :ref:`x-request-id <config_http_conn_man_headers_x-request-id>` header in response even if
    tracing is not forced.
- area: router
  change: |
    added more fine grained internal redirect configs to the :ref:`internal_redirect_policy
    <envoy_v3_api_field_config.route.v3.RouteAction.internal_redirect_policy>` field.
- area: router
  change: |
    added regex substitution support for header based hashing.
- area: router
  change: |
    added support for RESPONSE_FLAGS and RESPONSE_CODE_DETAILS :ref:`header formatters
    <config_http_conn_man_headers_custom_request_headers>`.
- area: router
  change: |
    allow Rate Limiting Service to be called in case of missing request header for a descriptor if the :ref:`skip_if_absent <envoy_v3_api_field_config.route.v3.RateLimit.Action.RequestHeaders.skip_if_absent>` field is set to true.
- area: runtime
  change: |
    added new gauge :ref:`deprecated_feature_seen_since_process_start <runtime_stats>` that gets reset across hot restarts.
- area: server
  change: |
    added the option :option:`--drain-strategy` to enable different drain strategies for DrainManager::drainClose().
- area: server
  change: |
    added :ref:`server.envoy_bug_failures <server_statistics>` statistic to count ENVOY_BUG failures.
- area: stats
  change: |
    added the option to :ref:`report counters as deltas <envoy_v3_api_field_config.metrics.v3.MetricsServiceConfig.report_counters_as_deltas>` to the metrics service stats sink.
- area: tracing
  change: |
    made tracing configuration fully dynamic and every HTTP connection manager
    can now have a separate :ref:`tracing provider <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider>`.
- area: udp
  change: |
    upgraded :ref:`udp_proxy <config_udp_listener_filters_udp_proxy>` filter to v3 and promoted it out of alpha.

deprecated:
- area: tracing
  change: |
    Tracing provider configuration as part of :ref:`bootstrap config <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.tracing>`
    has been deprecated in favor of configuration as part of :ref:`HTTP connection manager
    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider>`.
- area: compression
  change: |
    The :ref:`HTTP Gzip filter <config_http_filters_gzip>` has been deprecated in favor of
    :ref:`Compressor <config_http_filters_compressor>`.
- area: matching
  change: |
    The - change: |
      :ref:`GoogleRE2.max_program_size <envoy_v3_api_field_type.matcher.v3.RegexMatcher.GoogleRE2.max_program_size>`
      field is now deprecated. Management servers are expected to validate regexp program sizes
      instead of expecting the client to do it. Alternatively, the max program size can be enforced by Envoy via runtime.
- area: routing
  change: |
    The :ref:`internal_redirect_action <envoy_v3_api_field_config.route.v3.RouteAction.internal_redirect_action>`
    field and :ref:`max_internal_redirects <envoy_v3_api_field_config.route.v3.RouteAction.max_internal_redirects>` field
    are now deprecated. This changes the implemented default cross scheme redirect behavior.
    All cross scheme redirects are disallowed by default. To restore
    the previous behavior, set allow_cross_scheme_redirect=true and use
    :ref:`safe_cross_scheme <envoy_v3_api_msg_extensions.internal_redirect.safe_cross_scheme.v3.SafeCrossSchemeConfig>`,
    in :ref:`predicates <envoy_v3_api_field_config.route.v3.InternalRedirectPolicy.predicates>`.
- area: logging
  change: |
    File access logger fields :ref:`format <envoy_v3_api_field_extensions.access_loggers.file.v3.FileAccessLog.format>`, :ref:`json_format <envoy_v3_api_field_extensions.access_loggers.file.v3.FileAccessLog.json_format>` and :ref:`typed_json_format <envoy_v3_api_field_extensions.access_loggers.file.v3.FileAccessLog.typed_json_format>` are deprecated in favor of :ref:`log_format <envoy_v3_api_field_extensions.access_loggers.file.v3.FileAccessLog.log_format>`.
- area: xds
  change: |
    A warning is now logged when v2 xDS api is used. This behavior can be temporarily disabled by setting ``envoy.reloadable_features.enable_deprecated_v2_api_warning`` to ``false``.
- area: dns
  change: |
    Using cluster circuit breakers for DNS Cache is now deprecated in favor of :ref:`DNS cache circuit breakers <dns_cache_circuit_breakers>`. This behavior can be temporarily disabled by setting ``envoy.reloadable_features.enable_dns_cache_circuit_breakers`` to ``false``.