Update to 1 36 5

api/envoy/extensions/clusters/redis/v3/redis_cluster.proto

@@ -54,7 +54,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //           redirect_refresh_threshold: 10
 // [#extension: envoy.clusters.redis]
 
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message RedisClusterConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.cluster.redis.RedisClusterConfig";
@@ -83,4 +83,14 @@ message RedisClusterConfig {
   // If not set, this defaults to 0, which disables the topology refresh due to degraded or
   // unhealthy host.
   uint32 host_degraded_refresh_threshold = 6;
+
+  // Enable zone discovery via INFO command. When enabled, the cluster will
+  // send INFO command to each node to discover its availability_zone field,
+  // which is then used for zone-aware routing.
+  //
+  // Note: This feature currently works with Valkey only. Valkey exposes
+  // availability_zone in its INFO response. Standard Redis does not support this field.
+  //
+  // If not set, this defaults to false.
+  google.protobuf.BoolValue enable_zone_discovery = 7;
 }

api/envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto

@@ -33,7 +33,7 @@ message RedisProxy {
       "envoy.config.filter.network.redis_proxy.v2.RedisProxy";
 
   // Redis connection pool settings.
-  // [#next-free-field: 11]
+  // [#next-free-field: 13]
   message ConnPoolSettings {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings";
@@ -60,6 +60,23 @@ message RedisProxy {
       // Read from any node of the cluster. A random node is selected among the primary and
       // replicas, healthy nodes have precedent over unhealthy nodes.
       ANY = 4;
+
+      // Read from replicas in the same availability zone as the Envoy proxy. If no replicas
+      // are available in the same zone, fall back to any replica. If no replicas are available
+      // at all, fall back to the primary.
+      //
+      // Note: Zone discovery currently works with Valkey only. Valkey exposes availability_zone
+      // in its INFO response. Standard Redis does not support this field.
+      //
+      // The client zone is determined from Envoy's node.locality.zone.
+      AZ_AFFINITY = 5;
+
+      // Similar to AZ_AFFINITY, but also considers the primary node for same-zone routing.
+      // Priority order: replicas in same zone -> primary in same zone -> any replica -> primary.
+      // This is useful when reducing cross-zone traffic is more important than read distribution.
+      //
+      // Note: Zone discovery currently works with Valkey only.
+      AZ_AFFINITY_REPLICAS_AND_PRIMARY = 6;
     }
 
     // Per-operation timeout in milliseconds. The timer starts when the first
@@ -134,6 +151,37 @@ message RedisProxy {
     // storm to busy redis server. This config is a protection to rate limit reconnection rate.
     // If not set, there will be no rate limiting on the reconnection.
     ConnectionRateLimit connection_rate_limit = 10;
+
+    // Enable per-shard statistics for tracking hot shard usage. When enabled, the following
+    // statistics will be emitted per upstream host (shard):
+    //
+    // * ``upstream_rq_total``: Total requests to this shard
+    // * ``upstream_rq_success``: Successful requests to this shard
+    // * ``upstream_rq_failure``: Failed requests to this shard
+    // * ``upstream_rq_active``: Active requests to this shard (gauge)
+    //
+    // The statistics will be emitted under the scope:
+    // ``cluster.<cluster_name>.shard.<host_address>.*``
+    //
+    // .. note::
+    //   Enabling this option may significantly increase metric cardinality in large clusters
+    //   with many shards. Use with caution in production environments.
+    bool enable_per_shard_stats = 11;
+
+    // Enable per-shard latency histogram for tracking request latency per upstream host (shard).
+    // When enabled, the following histogram will be emitted per shard:
+    //
+    // * ``upstream_rq_time``: Request latency histogram in microseconds
+    //
+    // The histogram will be emitted under the scope:
+    // ``cluster.<cluster_name>.shard.<host_address>.upstream_rq_time``
+    //
+    // This option requires ``enable_per_shard_stats`` to be enabled.
+    //
+    // .. note::
+    //   Enabling this option may significantly increase metric cardinality in large clusters
+    //   with many shards. Use with caution in production environments.
+    bool enable_per_shard_latency_stats = 12;
   }
 
   message PrefixRoutes {

changelogs/current.yaml

@@ -13,5 +13,19 @@ removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
 
 new_features:
+- area: redis
+  change: |
+    Added zone-aware routing support for Redis Cluster proxy. New read policies
+    :ref:`AZ_AFFINITY <envoy_v3_api_enum_value_extensions.filters.network.redis_proxy.v3.RedisProxy.ConnPoolSettings.ReadPolicy.AZ_AFFINITY>`
+    and :ref:`AZ_AFFINITY_REPLICAS_AND_PRIMARY <envoy_v3_api_enum_value_extensions.filters.network.redis_proxy.v3.RedisProxy.ConnPoolSettings.ReadPolicy.AZ_AFFINITY_REPLICAS_AND_PRIMARY>`
+    route read requests to replicas in the same availability zone. Zone discovery is enabled via
+    :ref:`enable_zone_discovery <envoy_v3_api_field_extensions.clusters.redis.v3.RedisClusterConfig.enable_zone_discovery>`.
+    Note: This feature currently works with Valkey only.
+- area: tls
+  change: |
+    Added TLS certificate compression support (RFC 8879) with brotli, zstd, and zlib algorithms.
+    Compression reduces TLS handshake size, especially beneficial for QUIC where the ServerHello
+    needs to fit in the initial response. Enable via runtime guard
+    ``envoy.reloadable_features.tls_support_certificate_compression`` (defaults to ``false``).
 
 deprecated:

docs/root/_include/ssl_stats.rst

@@ -19,3 +19,6 @@
    sigalgs.<sigalg>, Counter, Total successful TLS connections that used signature algorithm <sigalg>
    versions.<version>, Counter, Total successful TLS connections that used protocol version <version>
    was_key_usage_invalid, Counter, Total successful TLS connections that used an `invalid keyUsage extension <https://github.com/google/boringssl/blob/6f13380d27835e70ec7caf807da7a1f239b10da6/ssl/internal.h#L3117>`_. (This is not available in BoringSSL FIPS yet due to `issue #28246 <https://github.com/envoyproxy/envoy/issues/28246>`_)
+   certificate_compression.<algo>.compressed, Counter, Total certificates compressed using algorithm <algo> (brotli/zstd/zlib). Requires runtime flag ``envoy.reloadable_features.tls_support_certificate_compression``.
+   certificate_compression.<algo>.total_uncompressed_bytes, Counter, Total bytes of certificates before compression using algorithm <algo>
+   certificate_compression.<algo>.total_compressed_bytes, Counter, Total bytes of certificates after compression using algorithm <algo>

docs/root/intro/arch_overview/other_protocols/redis.rst

@@ -228,6 +228,7 @@ For details on each command's usage see the official
   SISMEMBER, Set
   SMEMBERS, Set
   SPOP, Set
+  SPUBLISH Pubsub
   SRANDMEMBER, Set
   SREM, Set
   SCAN, Generic
@@ -238,8 +239,11 @@ For details on each command's usage see the official
   SINTERSTORE, Set
   SMISMEMBER, Set
   SMOVE, Set
+  SSUBSCRIBE Pubsub
+  SUBSCRIBE, Pubsub
   SUNION, Set
   SUNIONSTORE, Set
+  SUNSUBSCRIBE Pubsub
   WATCH, String
   UNWATCH, String
   ZADD, Sorted Set

source/common/formatter/http_specific_formatter.cc

@@ -182,6 +182,37 @@ TraceIDFormatter::formatWithContext(const HttpFormatterContext& context,
   return trace_id;
 }
 
+namespace {
+// Determines if the request is being traced based on stream info.
+// This is equivalent to TracerUtility::shouldTraceRequest but inlined
+// to avoid dependency on tracer_lib.
+bool isTraced(const StreamInfo::StreamInfo& stream_info) {
+  if (stream_info.healthCheck()) {
+    return false;
+  }
+  switch (stream_info.traceReason()) {
+  case Tracing::Reason::ClientForced:
+  case Tracing::Reason::ServiceForced:
+  case Tracing::Reason::Sampling:
+    return true;
+  default:
+    return false;
+  }
+}
+} // namespace
+
+absl::optional<std::string>
+TraceSampledFormatter::formatWithContext(const HttpFormatterContext&,
+                                         const StreamInfo::StreamInfo& stream_info) const {
+  return isTraced(stream_info) ? "true" : "false";
+}
+
+Protobuf::Value
+TraceSampledFormatter::formatValueWithContext(const HttpFormatterContext&,
+                                              const StreamInfo::StreamInfo& stream_info) const {
+  return ValueUtil::stringValue(isTraced(stream_info) ? "true" : "false");
+}
+
 GrpcStatusFormatter::Format GrpcStatusFormatter::parseFormat(absl::string_view format) {
   if (format.empty() || format == "CAMEL_STRING") {
     return GrpcStatusFormatter::CamelString;
@@ -454,6 +485,11 @@ BuiltInHttpCommandParser::getKnownFormatters() {
          [](absl::string_view, absl::optional<size_t>) {
            return std::make_unique<TraceIDFormatter>();
          }}},
+       {"TRACE_SAMPLED",
+        {CommandSyntaxChecker::COMMAND_ONLY,
+         [](absl::string_view, absl::optional<size_t>) {
+           return std::make_unique<TraceSampledFormatter>();
+         }}},
        {"QUERY_PARAM",
         {CommandSyntaxChecker::PARAMS_REQUIRED | CommandSyntaxChecker::LENGTH_ALLOWED,
          [](absl::string_view format, absl::optional<size_t> max_length) {

source/common/formatter/http_specific_formatter.h

@@ -149,6 +149,20 @@ class TraceIDFormatter : public FormatterProvider {
                                          const StreamInfo::StreamInfo& stream_info) const override;
 };
 
+/**
+ * FormatterProvider for trace sampled status.
+ * Uses Envoy's internal tracing decision (stream_info.traceReason()).
+ * Works at trace origin (e.g., Istio Ingress Gateway) where no incoming traceparent header exists.
+ */
+class TraceSampledFormatter : public FormatterProvider {
+public:
+  absl::optional<std::string>
+  formatWithContext(const HttpFormatterContext& context,
+                    const StreamInfo::StreamInfo& stream_info) const override;
+  Protobuf::Value formatValueWithContext(const HttpFormatterContext& context,
+                                         const StreamInfo::StreamInfo& stream_info) const override;
+};
+
 class GrpcStatusFormatter : public FormatterProvider, HeaderFormatter {
 public:
   enum Format {

source/common/quic/BUILD

@@ -525,6 +525,7 @@ envoy_cc_library(
         "//envoy/server:transport_socket_config_interface",
         "//envoy/ssl:context_config_interface",
         "//source/common/common:assert_lib",
+        "//source/common/network:raw_buffer_socket_lib",
         "//source/common/network:transport_socket_options_lib",
         "//source/common/tls:server_context_config_lib",
         "//source/common/tls:server_context_lib",
@@ -704,13 +705,8 @@ envoy_cc_library(
 
 envoy_cc_library(
     name = "cert_compression_lib",
-    srcs = envoy_select_enable_http3(["cert_compression.cc"]),
     hdrs = envoy_select_enable_http3(["cert_compression.h"]),
-    external_deps = ["ssl"],
     deps = envoy_select_enable_http3([
-        "//bazel/foreign_cc:zlib",
-        "//source/common/common:assert_lib",
-        "//source/common/common:logger_lib",
-        "//source/common/runtime:runtime_lib",
+        "//source/common/tls:cert_compression_lib",
     ]),
 )

source/common/quic/active_quic_listener.cc

@@ -65,7 +65,8 @@ ActiveQuicListener::ActiveQuicListener(
       absl::string_view(reinterpret_cast<char*>(random_seed_), sizeof(random_seed_)),
       quic::QuicRandom::GetInstance(),
       proof_source_factory.createQuicProofSource(
-          listen_socket_, listener_config.filterChainManager(), stats_, dispatcher.timeSource()),
+          listen_socket_, listener_config.filterChainManager(), stats_, dispatcher.timeSource(),
+          listener_config.listenerScope()),
       quic::KeyExchangeSource::Default());
   auto connection_helper = std::make_unique<EnvoyQuicConnectionHelper>(dispatcher_);
   crypto_config_->AddDefaultConfig(random, connection_helper->GetClock(),