Envoy
v1.38.0Networking & MessagingEnvoy v1.38 is a massive release with several breaking changes requiring immediate action — RSA key usage enforcement, BoringSSL build flag changes, and tcp_proxy config validation are the top priorities before upgrading.
breakingAudit TLS configs before upgrading — RSA key usage now enforced
enforce_rsa_key_usage defaults to true starting this release and will be removed entirely next release, making it permanent. Any upstream TLS connection where the certificate's key usage doesn't match the negotiated cipher will be rejected. Before upgrading, audit your upstream certificate configurations. Test in staging first — silent failures in prod will be connection resets, not helpful error messages.
securityPatch CVE-2026-27135 by upgrading to v1.38
This release includes the nghttp2 patch for CVE-2026-27135, which affects HTTP/2 header field handling. If you're running Envoy as an HTTP/2 gateway or proxy, this is a direct exposure. Prioritize upgrading clusters that terminate or proxy HTTP/2 traffic. RBAC header matcher also received a fix preventing concatenation-based bypass attacks — another reason to treat this upgrade as security-relevant.
breakingUpdate BoringSSL FIPS build pipelines before building v1.38
The --define=boringssl=fips Bazel flag is gone. CI/CD pipelines or Dockerfiles that build Envoy with FIPS mode will fail silently or error out. Replace with --config=boringssl-fips. If you're consuming official binaries rather than building from source, this doesn't affect you directly, but verify your supply-chain tooling if you maintain custom builds.
enhancementOpenTelemetry metrics over HTTP — drop the collector sidecar
The OTel stat sink can now push metrics directly via OTLP/HTTP without requiring a collector sidecar. If you're running otel-collector as a DaemonSet purely for Envoy metrics forwarding, you can simplify that architecture. Evaluate whether direct OTLP/HTTP export to your backend (Grafana Cloud, Honeycomb, etc.) reduces operational overhead in your environment.
主な変更 (6)
- enforce_rsa_key_usage now defaults to true on upstream TLS contexts — connections using mismatched RSA key usage will fail
- BoringSSL FIPS build flag changed from --define=boringssl=fips to --config=boringssl-fips, breaking existing build pipelines
- tcp_proxy requires explicit max_early_data_bytes for non-IMMEDIATE upstream_connect_mode, failing validation at startup if missing
- CVE-2026-27135 patched in nghttp2 HTTP/2 header handling
- OAuth2 token encryption is now on by default; opt-out requires explicit disable_token_encryption flag
- Dynamic modules gain significant new extension points including tracers, TLS validators, and custom LB policies with ABI forward-compatibility to v1.39