Change8

v1.37.0

Breaking Changes
📦 envoyView on GitHub →
3 breaking27 features🐛 2 fixes1 deprecations🔧 5 symbols

Summary

This release introduces significant expansion to the dynamic module ecosystem, adds new filters for network and request modification, and brings performance optimizations to HTTP/2 and resource utilization. Several breaking changes affect default reset behavior and API scrubber responses.

⚠️ Breaking Changes

  • Default HTTP reset code changed from NO_ERROR to INTERNAL_ERROR. Consumers relying on NO_ERROR for HTTP resets must update their expectations.
  • Reset behavior now ignores upstream protocol errors by default. Consumers needing to react to upstream protocol errors must configure this behavior explicitly.
  • Proto API Scrubber now returns 404 Not Found instead of 403 Forbidden for blocked methods. Update authorization logic that expects 403.

Migration Steps

  1. If you rely on the default HTTP reset code being NO_ERROR, update your configuration or expectations to handle INTERNAL_ERROR.
  2. If you rely on upstream protocol errors triggering specific logic, ensure this logic is re-enabled as it is now ignored by default.
  3. Update OpenTelemetry access log configuration to use explicit 'http_service' or 'grpc_service' instead of the deprecated 'common_config' field.
  4. Update authorization logic that expects 403 Forbidden from Proto API Scrubber for blocked methods to expect 404 Not Found.

✨ New Features

  • Added support for network, listener, UDP listener, and access logger filters in dynamic modules.
  • Introduced streaming HTTP callouts to HTTP filters.
  • Enhanced ABI for streaming body manipulation and header operations.
  • Added global module loading and improved module search path handling.
  • Container-aware CPU detection for improved resource utilization in containerized environments.
  • HTTP/2 performance optimizations including reduced allocations for well-known headers.
  • Enhanced cookie matching in route configuration.
  • Added vhost header customization and forward client cert matching via xDS matcher.
  • New transform filter for request/response body modification.
  • New MCP (Model Context Protocol) filter and router for agentic network.
  • Network-layer geoip filter for non-HTTP geolocation.
  • Postgres Inspector listener filter for PostgreSQL traffic routing.
  • Proto API Scrubber filter is now production-ready with comprehensive metrics.
  • Enhanced ext_authz with error response support and improved header handling.
  • On-demand certificate fetching via SDS.
  • Support for filter chains and named filter chains.
  • Improved scalability through filter chain reuse across match actions.
  • New stats-based access logger.
  • Process-level rate limiting for access logs.
  • Enhanced OTLP stats sink with metric dropping support.
  • Added execution counters and improved tracing support across filters.
  • Cluster-level retry policies, hash policies, and request mirroring.
  • Composite cluster extension for retry-aware cluster selection.
  • Substitution formatting for direct response bodies and descriptor values.
  • Improved QUIC path migration using QUICHE logic.
  • Enhanced TCP proxy with upstream connect mode and early data buffering.
  • Added MaxMind Country database support for geoip.

🐛 Bug Fixes

  • Fixed multiple memory leaks and crashes in HTTP/2, Lua, and connection handling.
  • Better TLS certificate validation failure messages in access logs.

Affected Symbols

HTTP filterProto API Scrubberext_authzOpenTelemetry access logTCP proxy

⚡ Deprecations

  • OpenTelemetry access log 'common_config' field is deprecated in favor of explicit 'http_service'/'grpc_service' configuration.