As of this writing we're still concluding T403663 for the 1.26 -> 1.29 bump, but in parallel we can start planning the next step, 1.29 -> 1.32.
Release notes of potential interest (1.30, 1.31, 1.32):
Config changes post-upgrade
- (1.30.0) listener: deprecated runtime key overload.global_downstream_max_connections in favor of downstream connections monitor.
We noted this in the last upgrade but left it unchanged because, even though the old thing was deprecated, the new thing wasn't ready yet. The "work in progress" warning was removed from the downstream connections monitor docs as of 1.30, so we'll go ahead and switch to it.
(This wouldn't allow actually changing the value at runtime, at least until we can do so via xDS message, but I believe we aren't taking advantage of that anywhere.)
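The switch described above, sketched as Envoy bootstrap fragments. This is an added example, not taken from our actual configuration: the limit of 50000 and the layer name static_layer_0 are constructed placeholders.

```yaml
# Before: deprecated runtime key (1.30.0 deprecation note).
# Constructed example values; not our production config.
layered_runtime:
  layers:
  - name: static_layer_0          # placeholder layer name
    static_layer:
      overload:
        global_downstream_max_connections: 50000
---
# After: downstream connections resource monitor in the overload manager.
# The limit is fixed in the bootstrap, so it cannot be changed through
# the runtime layer the way the old key could.
overload_manager:
  resource_monitors:
  - name: envoy.resource_monitors.global_downstream_max_connections
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
      max_active_downstream_connections: 50000   # same constructed limit as above
```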
Tracing updates
Not counting the "New feature" entries, and not counting anything where I could determine it wouldn't cause any compatibility issues for us. The remaining items are to verify with tracing experts that we don't need to make any changes.
- (1.32.0) tracers: Set status code based on gRPC status code for OpenTelemetry tracers (previously unset).
- (1.31.0) tracers: Set status code for OpenTelemetry tracers (previously unset).
- (1.31.0) tracing: Fix an issue where span id is missing from OpenTelemetry access log entries.
- (1.30.0) tracers: use unary RPC calls for OpenTelemetry trace exports, rather than client-side streaming connections.
HTTP/1 and HTTP/2 parser changes
Probably no effect, especially since our Envoys receive no untrusted traffic, but documenting in case of edge-case behavior changes. (Note the net effect again is that oghttp2 is off by default, as it was previously.)
- (1.32.0) http2: Changed the default value of envoy.reloadable_features.http2_use_oghttp2 to false. This changes the codec used for HTTP/2 requests and responses to address stability concerns. This behavior can be reverted by setting the feature to true.
- (1.31.0) http2: Changes the default value of envoy.reloadable_features.http2_use_oghttp2 to true. This changes the codec used for HTTP/2 requests and responses. This behavior can be reverted by setting the feature to false.
- (1.30.0) http: Enable obsolete line folding in BalsaParser (for behavior parity with http-parser, the previously used HTTP/1 parser).
This update also fixes the following security issues:
Fixed in 1.33.1 / 1.32.4 / 1.31.6 / 1.30.10:
Envoy crashes when HTTP ext_proc processes local replies (CVE-2025-30157)
https://github.com/envoyproxy/envoy/security/advisories/GHSA-cf3q-gqg7-3fm9
Fixed in 1.34.1 / 1.33.3 / 1.32.6 / 1.31.8:
Bypass of RBAC uri_template permission (CVE-2025-46821)
https://github.com/envoyproxy/envoy/security/advisories/GHSA-c7cm-838g-6g67
Fixed in 1.35.2 / 1.34.6 / 1.33.8 / 1.32.11:
Use after free in DNS cache (CVE-2025-54588)
https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw
oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag (CVE-2025-55162)
https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh