Commit 63ee0dc

[release/main] repo: Release v1.36.0 (#41499)
**Summary of changes**:

* HTTP:
  - Changed default HTTP/2 max concurrent streams from unlimited to 1024, initial stream window from 256MiB to 16MiB, and connection window from 256MiB to 24MiB for improved memory safety.
  - Added HTTP/1.1 proxy transport RFC 9110 compliant ``CONNECT`` requests with ``Host`` header by default.
  - Enhanced route refresh to trigger tracing refresh, applying new route's sampling and decoration to active spans.
  - Added support for decompressed HTTP header bytes tracking in access logs.
  - Added stream flush timeout configuration independent of stream idle timeout.
  - Added header removal based on header key matching patterns.
  - Added per-route compressor library override support.
  - Added ``upstream_rq_per_cx`` histogram for connection reuse monitoring.
* Security & TLS:
  - Fixed TLS inspector regression that closed plain text connections when reading >16KB at once.
  - Fixed use-after-free in DNS cache when ``Host`` header is modified between filters.
  - Fixed listener socket creation failures in different Linux network namespaces.
* Load Balancing & Networking:
  - Moved locality weighted round robin structures out of ``HostSetImpl`` into separate classes.
  - Added support for weighted cluster hash policies for consistent session affinity.
  - Fixed client-side weighted round robin load balancer priority iteration issues.
  - Added network namespace filepath support to socket addresses for containerized environments.
  - Enhanced network namespace input matching for RBAC and filter chain selection.
* External Processing & Authentication:
  - Re-enabled ``fail_open`` + ``FULL_DUPLEX_STREAMED`` configuration combination.
  - Added per-route gRPC service override and retry policy support for ext_authz.
  - Added configurable HTTP status codes on ext_proc errors and TLS alerts on network ext_authz denials.
  - Added OAuth2 token encryption disable option for trusted environments.
  - Enhanced header count validation after mutations in ext_authz.
* Observability & Stats:
  - Added support for removing unused metrics from memory with configurable eviction intervals.
  - Added stateful session filter statistics for routing outcome monitoring.
  - Added upstream connection recording option to HTTP tap filter.
  - Added GeoIP database build timestamp tracking.
  - Added OAuth2 response code details for ``401`` local responses.
* Dynamic Modules & Extensions:
  - Added logging ABI for modules to emit logs in standard Envoy logging stream.
  - Added support for counters, gauges, histograms in dynamic modules API.
  - Added new Redis commands including ``COPY``, ``RPOPLPUSH``, ``SMOVE``, ``SUNION``, and others.
  - Added reverse tunnel support for NAT/firewall traversal (experimental).
* Runtime & Configuration:
  - Enhanced rate limit filter with substitution formatter support at stream complete phase.
  - Added OTLP stat sink resource attributes and custom metric conversions.
  - Added support for request payloads in HTTP health checks.
* Notable Fixes:
  - Fixed TCP proxy idle timeout handling for new connections.
  - Fixed UDP proxy crash during ``SIGTERM`` with active tunneling sessions.
  - Fixed HTTP/3 access log skipping for half-closed streams.
  - Fixed premature stream resets causing recursive draining and potential stack overflow.
  - Fixed OAuth2 cookie handling in pass-through matcher configurations.

**Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.0
**Docs**: https://www.envoyproxy.io/docs/envoy/v1.36.0/
**Release notes**: https://www.envoyproxy.io/docs/envoy/v1.36.0/version_history/v1.36/v1.36.0
**Full changelog**: v1.35.0...v1.36.0

Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Co-authored-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>
1 parent 372b6d2 commit 63ee0dc

2 files changed: +2 -7 lines changed

VERSION.txt

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
1.36.0-dev
1+
1.36.0
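
Review bot: On line 1, confirm that a follow-up commit puts a `-dev` version back once the release is tagged. If builds take their version string from this file, every build from the branch after this commit reports `1.36.0` and cannot be told apart from the tagged release by version alone.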

changelogs/current.yaml

Lines changed: 1 addition & 6 deletions
@@ -1,4 +1,4 @@
1-
date: Pending
1+
date: October 14, 2025
22

33
behavior_changes:
44
- area: http_11_proxy
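
Review bot: The new `date:` value on line 1 is a free-form English string (`October 14, 2025`) rather than an ISO 8601 date. If anything besides the docs renderer reads this field, `2025-10-14` would parse without locale assumptions. Since the value replaces `Pending`, any tooling that treats `Pending` as the marker for an unreleased changelog should also be checked against a real date.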
@@ -47,7 +47,6 @@ behavior_changes:
4747
behavior change for existing users of Zone Aware LBs.
4848
4949
minor_behavior_changes:
50-
# *Changes that may cause incompatibilities for some users, but should not for most*
5150
- area: tap
5251
change: |
5352
Previously, streamed trace buffered data was only flushed when it reached the configured size.
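
Review bot: The comment deleted at old line 50, directly under `minor_behavior_changes:`, describes what belongs in that section, and the hunks at old lines 132 and 224 delete the equivalent comments under `bug_fixes:` and `removed_config_or_runtime:`. If these are stripped only for the release snapshot, confirm that the file is reset from a template that still carries them when the next development cycle opens, so contributors keep the guidance on where an entry goes.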
@@ -129,7 +128,6 @@ minor_behavior_changes:
129128
Take into account connection-level metadata under the ``envoy.lb`` namespace when computing subset load balancing matches.
130129
131130
bug_fixes:
132-
# *Changes expected to improve the state of the world and are unlikely to have negative effects*
133131
- area: tcp_proxy
134132
change: |
135133
Fixed a bug where when a downstream TCP connection is created and the upstream connection is not fully established, no idle timeout
@@ -221,7 +219,6 @@ bug_fixes:
221219
Fixed the distroless image to ensure nonroot.
222220
223221
removed_config_or_runtime:
224-
# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
225222
- area: router
226223
change: |
227224
Removed runtime guard ``envoy.reloadable_features.shadow_policy_inherit_trace_sampling`` and legacy code paths.
@@ -656,5 +653,3 @@ new_features:
656653
This header provides information on whether the response was compressed and, if not, the reason why compression was skipped.
657654
Enabling this feature updates the order of conditions checked within the :ref:`compressor filter <config_http_filters_compressor>`
658655
to emit the most appropriate status reason.
659-
660-
deprecated:
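
Review bot: Old lines 659-660 delete the trailing `deprecated:` key outright rather than leaving it empty, so a consumer of this YAML now sees the key absent instead of null. Check that the changelog tooling and the docs build treat a missing `deprecated` section the same as an empty one. The section headings visible in the earlier hunks are all kept, which makes this the only structural change to the file.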
