v1.11.0.rst

1.11.0 (July 11, 2019)

Changes

• access log: added a new field for downstream TLS session ID to file and gRPC access logger.
• access log: added a new field for route name to file and gRPC access logger.
• access log: added a new field for response code details in :ref:`file access logger<config_access_log_format_response_code_details>` and :ref:`gRPC access logger<envoy_api_field_data.accesslog.v2.HTTPResponseProperties.response_code_details>`.
• access log: added several new variables for exposing information about the downstream TLS connection to :ref:`file access logger<config_access_log_format_response_code_details>` and :ref:`gRPC access logger<envoy_api_field_data.accesslog.v2.AccessLogCommon.tls_properties>`.
• access log: added a new flag for request rejected due to failed strict header check.
• admin: the administration interface now includes a :ref:`/ready endpoint <operations_admin_interface>` for easier readiness checks.
• admin: extend :ref:`/runtime_modify endpoint <operations_admin_interface_runtime_modify>` to support parameters within the request body.
• admin: the :ref:`/listener endpoint <operations_admin_interface_listeners>` now returns :ref:`listeners.proto<envoy_api_msg_admin.v2alpha.Listeners>` which includes listener names and ports.
• admin: added host priority to :http:get:`/clusters` and :http:get:`/clusters?format=json` endpoint response
• admin: the :ref:`/clusters endpoint <operations_admin_interface_clusters>` now shows hostname for each host, useful for DNS based clusters.
• api: track and report requests issued since last load report.
• build: releases are built with Clang and linked with LLD.
• config: added :ref:stats_server_version_override` <envoy_api_field_config.bootstrap.v2.Bootstrap.stats_server_version_override>` in bootstrap, that can be used to override :ref:`server.version statistic <server_statistics>`.
• control-plane: management servers can respond with HTTP 304 to indicate that config is up to date for Envoy proxies polling a :ref:`REST API Config Type <envoy_api_field_core.ApiConfigSource.api_type>`
• csrf: added support for allowlisting additional source origins.
• dns: added support for getting DNS record TTL which is used by STRICT_DNS/LOGICAL_DNS cluster as DNS refresh rate.
• dubbo_proxy: support the :ref:`dubbo proxy filter <config_network_filters_dubbo_proxy>`.
• dynamo_request_parser: adding support for transactions. Adds check for new types of dynamodb operations (TransactWriteItems, TransactGetItems) and awareness for new types of dynamodb errors (IdempotentParameterMismatchException, TransactionCanceledException, TransactionInProgressException).
• eds: added support to specify max time for which endpoints can be used :ref:`gRPC filter <envoy_api_msg_ClusterLoadAssignment.Policy>`.
• eds: removed max limit for load_balancing_weight.
• event: added :ref:`loop duration and poll delay statistics <operations_performance>`.
• ext_authz: added a x-envoy-auth-partial-body metadata header set to false|true indicating if there is a partial body sent in the authorization request message.
• ext_authz: added configurable status code that allows customizing HTTP responses on filter check status errors.
• ext_authz: added option to ext_authz that allows the filter clearing route cache.
• grpc-json: added support for :ref:`auto mapping <envoy_api_field_config.filter.http.transcoder.v2.GrpcJsonTranscoder.auto_mapping>`.
• health check: added :ref:`initial jitter <envoy_api_field_core.HealthCheck.initial_jitter>` to add jitter to the first health check in order to prevent thundering herd on Envoy startup.
• hot restart: stats are no longer shared between hot restart parent/child via shared memory, but rather by RPC. Hot restart version incremented to 11.
• http: added the ability to pass a URL encoded PEM encoded peer certificate chain in the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header.
• http: fixed a bug where large unbufferable responses were not tracked in stats and logs correctly.
• http: fixed a crashing bug where gRPC local replies would cause segfaults when upstream access logging was on.
• http: mitigated a race condition with the :ref:`delayed_close_timeout<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.delayed_close_timeout>` where it could trigger while actively flushing a pending write buffer for a downstream connection.
• http: added support for :ref:`preserve_external_request_id<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.preserve_external_request_id>` that represents whether the x-request-id should not be reset on edge entry inside mesh
• http: changed sendLocalReply to send percent-encoded GrpcMessage.
• http: added a :ref:header_prefix` <envoy_api_field_config.bootstrap.v2.Bootstrap.header_prefix>` configuration option to allow Envoy to send and process x-custom- prefixed headers rather than x-envoy.
• http: added :ref:`dynamic forward proxy <arch_overview_http_dynamic_forward_proxy>` support.
• http: tracking the active stream and dumping state in Envoy crash handlers. This can be disabled by building with --define disable_object_dump_on_signal_trace=disabled
• jwt_authn: make filter's parsing of JWT more flexible, allowing syntax like jwt=eyJhbGciOiJS...ZFnFIw,extra=7,realm=123
• listener: added :ref:`source IP <envoy_api_field_listener.FilterChainMatch.source_prefix_ranges>` and :ref:`source port <envoy_api_field_listener.FilterChainMatch.source_ports>` filter chain matching.
• lua: exposed functions to Lua to verify digital signature.
• original_src filter: added the :ref:`filter<config_http_filters_original_src>`.
• outlier_detector: added configuration :ref:`outlier_detection.split_external_local_origin_errors<envoy_api_field_cluster.OutlierDetection.split_external_local_origin_errors>` to distinguish locally and externally generated errors. See :ref:`arch_overview_outlier_detection` for full details.
• rbac: migrated from v2alpha to v2.
• redis: add support for Redis cluster custom cluster type.
• redis: automatically route commands using cluster slots for Redis cluster.
• redis: added :ref:`prefix routing <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.prefix_routes>` to enable routing commands based on their key's prefix to different upstream.
• redis: added :ref:`request mirror policy <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.Route.request_mirror_policy>` to enable shadow traffic and/or dual writes.
• redis: add support for zpopmax and zpopmin commands.
• redis: added :ref:`max_buffer_size_before_flush <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings.max_buffer_size_before_flush>` to batch commands together until the encoder buffer hits a certain size, and :ref:`buffer_flush_timeout <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings.buffer_flush_timeout>` to control how quickly the buffer is flushed if it is not full.
• redis: added auth support :ref:`downstream_auth_password <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.downstream_auth_password>` for downstream client authentication, and :ref:`auth_password <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProtocolOptions.auth_password>` to configure authentication passwords for upstream server clusters.
• retry: added a retry predicate that :ref:`rejects canary hosts. <envoy_api_field_route.RetryPolicy.retry_host_predicate>`
• router: add support for configuring a :ref:`gRPC timeout offset <envoy_api_field_route.RouteAction.grpc_timeout_offset>` on incoming requests.
• router: added ability to control retry back-off intervals via :ref:`retry policy <envoy_api_msg_route.RetryPolicy.RetryBackOff>`.
• router: added ability to issue a hedged retry in response to a per try timeout via a :ref:`hedge policy <envoy_api_msg_route.HedgePolicy>`.
• router: added a route name field to each http route in route.Route list
• router: added several new variables for exposing information about the downstream TLS connection via :ref:`header formatters <config_http_conn_man_headers_custom_request_headers>`.
• router: per try timeouts will no longer start before the downstream request has been received in full by the router.This ensures that the per try timeout does not account for slow downstreams and that will not start before the global timeout.
• router: added :ref:`RouteAction's auto_host_rewrite_header <envoy_api_field_route.RouteAction.auto_host_rewrite_header>` to allow upstream host header substitution with some other header's value
• router: added support for UPSTREAM_REMOTE_ADDRESS :ref:`header formatter <config_http_conn_man_headers_custom_request_headers>`.
• router: add ability to reject a request that includes invalid values for headers configured in :ref:`strict_check_headers <envoy_api_field_config.filter.http.router.v2.Router.strict_check_headers>`
• runtime: added support for :ref:`flexible layering configuration <envoy_api_field_config.bootstrap.v2.Bootstrap.layered_runtime>`.
• runtime: added support for statically :ref:`specifying the runtime in the bootstrap configuration <envoy_api_field_config.bootstrap.v2.Runtime.base>`.
• runtime: :ref:`Runtime Discovery Service (RTDS) <config_runtime_rtds>` support added to layered runtime configuration.
• sandbox: added :ref:`CSRF sandbox <install_sandboxes_csrf>`.
• server: --define manual_stamp=manual_stamp was added to allow server stamping outside of binary rules. more info in the bazel docs.
• server: added :ref:`server state <statistics>` statistic.
• server: added :ref:`initialization_time_ms<statistics>` statistic.
• subset: added :ref:`list_as_any<envoy_api_field_Cluster.LbSubsetConfig.list_as_any>` option to the subset lb which allows matching metadata against any of the values in a list value on the endpoints.
• tools: added :repo:`proto <test/tools/router_check/validation.proto>` support for :ref:`router check tool <install_tools_route_table_check_tool>` tests.
• tracing: add trace sampling configuration to the route, to override the route level.
• upstream: added :ref:`upstream_cx_pool_overflow <config_cluster_manager_cluster_stats>` for the connection pool circuit breaker.
• upstream: an EDS management server can now force removal of a host that is still passing active health checking by first marking the host as failed via EDS health check and subsequently removing it in a future update. This is a mechanism to work around a race condition in which an EDS implementation may remove a host before it has stopped passing active HC, thus causing the host to become stranded until a future update.
• upstream: added :ref:`an option <envoy_api_field_Cluster.CommonLbConfig.ignore_new_hosts_until_first_hc>` that allows ignoring new hosts for the purpose of load balancing calculations until they have been health checked for the first time.
• upstream: added runtime error checking to prevent setting dns type to STRICT_DNS or LOGICAL_DNS when custom resolver name is specified.
• upstream: added possibility to override fallback_policy per specific selector in :ref:`subset load balancer <arch_overview_load_balancer_subsets>`.
• upstream: the :ref:`logical DNS cluster <arch_overview_service_discovery_types_logical_dns>` now displays the current resolved IP address in admin output instead of 0.0.0.0.

Deprecated

• The --max-stats and --max-obj-name-len flags no longer has any effect.
• Use of :ref:`cluster <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.cluster>` in :ref:`redis_proxy.proto <envoy_api_file_envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto>` is deprecated. Set a :ref:`catch_all_route <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.catch_all_route>` instead.
• Use of :ref:`catch_all_cluster <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.catch_all_cluster>` in :ref:`redis_proxy.proto <envoy_api_file_envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto>` is deprecated. Set a :ref:`catch_all_route <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.catch_all_route>` instead.
• Use of json based schema in router check tool tests. The tests should follow validation :repo:`schema<test/tools/router_check/validation.proto>`.
• Use of the v1 style route configuration for the :ref:`TCP proxy filter <config_network_filters_tcp_proxy>` is now fully replaced with listener :ref:`filter chain matching <envoy_api_msg_listener.FilterChainMatch>`. Use this instead.
• Use of :ref:`runtime <envoy_api_field_config.bootstrap.v2.Bootstrap.runtime>` in :ref:`Bootstrap <envoy_api_msg_config.bootstrap.v2.Bootstrap>`. Use :ref:`layered_runtime <envoy_api_field_config.bootstrap.v2.Bootstrap.layered_runtime>` instead.
• Specifying "deprecated_v1: true" in HTTP and network filter configuration to allow loading JSON configuration is now deprecated and will be removed in a following release. Update any custom filters to use protobuf configuration. A struct can be used for a mostly 1:1 conversion if needed. The envoy.deprecated_features.v1_filter_json_config runtime key can be used to temporarily enable this feature once the deprecation becomes fail by default.