1.9.0 (December 20, 2018)
Changes
access log: added DOWNSTREAM_CONNECTION_TERMINATION.
access log: added a JSON logging mode to output access logs in JSON format.
access log: added dynamic metadata to access log messages streamed over gRPC.
admin: GET /server_info now exposes what stage of initialization the server is currently in.
admin: GET /server_info now responds with a JSON object instead of a single string.
admin: POST /logging now responds with 200 while there are no params.
admin: added host weight to the GET /clusters?format=json end point response.
admin: added support for displaying command line options in GET /server_info end point.
admin: added support for displaying subject alternate names in certs end point.
circuit-breaker: added cx_open, rq_pending_open, rq_open and rq_retry_open gauges to expose live state via circuit breakers statistics.
cluster: set a default of 1s for option.
config: added support for rate limiting discovery request calls.
config: removed support for the v1 API.
cors: added invalid/valid stats to filter.
ext-authz: added support for providing per route config - optionally disable the filter and provide context extensions.
fault: removed integer percentage support.
grpc-json: added support for ignoring query parameters.
health check: added logging health check failure events.
health check: added ability to set authority header value for gRPC health check.
http: added HTTP/2 WebSocket proxying via extended CONNECT.
http: added limits to the number and length of header modifications in all fields request_headers_to_add and response_headers_to_add. These limits are very high and should only be used as a last-resort safeguard.
http: added support for a request timeout. The timeout is disabled by default.
http: added support for more gRPC content-type headers in gRPC bridge filter, like application/grpc+proto.
http: augmented the sendLocalReply filter API to accept an optional GrpcStatus value to override the default HTTP to gRPC status mapping.
http: no longer adding whitespace when appending X-Forwarded-For headers. Warning: this is not compatible with 1.7.0 builds prior to 9d3a4eb4ac44be9f0651fcc7f87ad98c538b01ee. See #3611 for details.
http: no longer close the TCP connection when a HTTP/1 request is retried due to a response with empty body.
listeners: added the ability to match FilterChain using source_type.
listeners: all listener filters are now governed by the listener_filters_timeout setting. The hard coded 15s timeout in the TLS inspector listener filter is superseded by this setting.
load balancer: added a configuration option to specify the number of choices made in P2C.
logging: added missing [ in log prefix.
mongo_proxy: added dynamic metadata.
network: removed the reference to FilterState in Connection in favor of StreamInfo.
rate-limit: added configuration to specify whether the GrpcStatus status returned should be RESOURCE_EXHAUSTED or UNAVAILABLE when a gRPC call is rate limited.
rate-limit: added rate_limit_service configuration to filters.
rate-limit: removed support for the legacy ratelimit service and made the data-plane-api rls.proto based implementation default.
rate-limit: removed the deprecated cluster_name attribute in rate limit service configuration.
rbac: added dynamic metadata to the network level filter.
rbac: added support for permission matching by requested server name.
redis: static cluster configuration is no longer required. Redis proxy will work with clusters delivered via CDS.
router: added scheme_redirect and port_redirect to define the respective scheme and port rewriting RedirectAction.
router: added ability to configure arbitrary retriable status codes.
router: added ability to set attempt count in upstream requests, see virtual host’s include request attempt count flag.
router: added internal grpc-retry-on policy.
router: added support for enabling upgrades on a per-route basis.
router: added support for not retrying rate limited requests. Rate limit filter now sets the x-envoy-ratelimited header so the rate limited requests that may have been retried earlier will not be retried with this change.
router: per try timeouts now start when an upstream stream is ready instead of when the request has been fully decoded by Envoy.
router: support configuring a default fraction of mirror traffic via runtime_fraction.
router: when max_grpc_timeout is set, Envoy will now add or update the grpc-timeout header to reflect Envoy’s expected timeout.
sandbox: added cors sandbox.
server: added SIGINT (Ctrl-C) handler to gracefully shut down Envoy like SIGTERM.
stats: added stats_matcher to the bootstrap config for granular control of stat instantiation.
stream: added downstreamDirectRemoteAddress to StreamInfo.
stream: renamed perRequestState to filterState in StreamInfo.
stream: renamed the RequestInfo namespace to StreamInfo to better match its behaviour within TCP and HTTP implementations.
thrift_proxy: introduced thrift rate limiter filter.
tls: added ssl.curves.<curve>, ssl.sigalgs.<sigalg> and ssl.versions.<version> to listener metrics to track TLS algorithms and versions in use.
tls: added support for client-side session resumption.
tls: added support for multiple server TLS certificates.
tls: added support for password encrypted private keys.
tls: added support for CRLs in trusted_ca.
tls: added the ability to build BoringSSL FIPS using --define boringssl=fips Bazel option.
tls: removed support for ECDSA certificates with curves other than P-256.
tls: removed support for RSA certificates with keys smaller than 2048 bits.
tracing: added support for Datadog tracer.
tracing: added support to the Zipkin tracer for the b3 single header format.
upstream: added scale_locality_weight to enable scaling locality weights by number of hosts removed by subset lb predicates.
upstream: changed how load calculation for priority levels and panic thresholds interact. As long as normalized total health is 100% panic thresholds are disregarded.
upstream: changed the default hash for ring hash from std::hash to xxHash.
upstream: when using active health checking and STRICT_DNS with several addresses that resolve to the same hosts, Envoy will now health check each host independently.
Deprecated
api: Use of the v1 REST_LEGACY ApiConfigSource is deprecated.
filters: Order of execution of the HTTP encoder filter chain has been reversed. Prior to this release cycle it was incorrect, see #4599. In the 1.9.0 release cycle we introduced bugfix_reverse_encode_order in http_connection_manager.proto to temporarily support both old and new behaviors. Note this boolean field is deprecated.
filters: Order of execution of the network write filter chain has been reversed. Prior to this release cycle it was incorrect, see #4599. In the 1.9.0 release cycle we introduced bugfix_reverse_write_filter_order in lds.proto to temporarily support both old and new behaviors. Note this boolean field is deprecated.
hcm: Use of buffer filter max_request_time is deprecated in favor of the request timeout found in HttpConnectionManager.
load_balancing: Use of std::hash in the ring hash load balancer is deprecated.
rate_limiting: Use of rate_limit_service configuration in the bootstrap configuration is deprecated.
routing: Use of runtime_key in RequestMirrorPolicy, found in route.proto is deprecated. Set the runtime_fraction field instead.