Releases: projectcontour/contour

Contour 1.5.0

29 May 02:22

We are delighted to present version 1.5.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

TLS Fallback Certificate Support

The Contour HTTPProxy API now includes better support for TLS clients that don't support SNI by allowing cluster operators to specify a fallback certificate that terminates TLS sessions where no SNI server name is provided. This feature is opt-in since it is incompatible with TLS client certificate validation and allows SNI name bypass, which may be undesirable in some deployments. Access to the fallback certificate is managed with the usual Contour TLS certificate delegation mechanism.

(Associated PRs: #2528, #2477, #2504, #2535, #2543)

Thanks @stevesloka for designing and implementing this feature.

gRPC Certificate Rotation

The TLS keys and certificates that secure the gRPC session between Envoy and Contour can now be rotated without needing to restart any Pods.

(Associated PRs: #2333, #2555)

Thanks @tsaarni for driving this feature over the last couple of releases, both in the Contour and Envoy projects.

The example Contour deployment now uses certificates that include the CA certificate bundle. This change makes the example deployment compatible with certificates generated by cert-manager.

(Associated PRs: #2547)

HTTPProxy Load Balancer Address Support

Contour now updates the status of HTTPProxy documents with the status.loadBalancer.addresses field. This brings HTTPProxy to parity with Ingress, and makes it easier to program automatic DNS record creation for HTTPProxy objects.

(Associated PRs: #2551)

Thanks @youngnick.

TLS Request Misdirection

Contour now programs Envoy to serve a 421 response when HTTP/2 clients use aggressive wildcard certificate matching to re-use the wrong TLS session. This resolves errors where client requests to multiple HTTPProxy objects that are all served with a wildcard TLS certificate can respond with a 404 error when the Host header in the HTTP request doesn't match the SNI server name that was used to establish the TLS session.

(Associated PRs: #2483)
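An added illustration, not Contour's or Envoy's code: a small Go handler wrapper that enforces the same Host-to-SNI binding and answers 421 so an HTTP/2 client that coalesced connections under one wildcard certificate retries on a fresh connection (the hostnames are constructed for the demonstration).

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostOnly strips an optional :port and trailing dot from a Host header value.
func hostOnly(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.TrimSuffix(host, ".")
}

// RequireHostMatchesSNI wraps a handler so that, on a TLS connection that
// carried an SNI server name, a request whose Host header names a different
// virtual host is answered with 421 Misdirected Request instead of being
// routed (or answered 404) under the wrong virtual host. Plain-HTTP requests
// and connections without SNI are passed through unchanged.
func RequireHostMatchesSNI(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil && r.TLS.ServerName != "" {
			sni := strings.TrimSuffix(r.TLS.ServerName, ".")
			if !strings.EqualFold(hostOnly(r.Host), sni) {
				http.Error(w, "misdirected request: Host does not match TLS server name",
					http.StatusMisdirectedRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor drives the wrapped handler with a synthetic request and returns
// the status code; sni == "" models plain HTTP or a TLS connection without SNI.
func StatusFor(sni, host string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served %s", r.Host)
	})
	// Use an http:// target so httptest does not populate TLS on its own.
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/", nil)
	req.Host = host
	if sni != "" {
		req.TLS = &tls.ConnectionState{ServerName: sni}
	}
	rec := httptest.NewRecorder()
	RequireHostMatchesSNI(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed scenario: a.example.com and b.example.com are both covered by
	// one *.example.com certificate, so a browser may reuse one TLS session.
	fmt.Println(StatusFor("a.example.com", "a.example.com"))     // 200
	fmt.Println(StatusFor("a.example.com", "b.example.com"))     // 421
	fmt.Println(StatusFor("a.example.com", "A.EXAMPLE.COM:443")) // 200
	fmt.Println(StatusFor("", "b.example.com"))                  // 200
}
```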

Multiple Load Balancer Address Support

Contour now supports multiple addresses in the --ingress-status-address flag of the contour serve subcommand. This allows sites that deploy Envoy without an external load balancer to more easily publish all the addresses of the Envoy proxies into DNS.

(Associated PRs: #2542)

Thanks @al45tair for this improvement.

Versioned Deployment YAML

The Contour project now publishes the example deployment YAML for each release version. https://projectcontour.io/quickstart/contour.yaml still serves the YAML for the latest release, but you can pin to a specific version with a URL like https://projectcontour.io/quickstart/v1.5.0/contour.yaml.

(Associated PRs: #2552)

Documentation Improvements

  • Improved HTTPProxy API documentation (#2467, #2460)
  • Improved TimeoutPolicy API documentation (#2460)
  • Improved documentation for proxy protocol support on AWS ELBs (#2480) (thanks @savithruml)
  • Miscellaneous documentation improvements (#2500, #2508)

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

Contour 1.4.0

24 Apr 02:28

We are delighted to present version 1.4.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

TLS Client authentication

This release adds support for configuring HTTPProxy objects to request validation of client certificates, allowing the use of client certificates for client authentication. This closes #1090.

See the documentation for how to use the feature.

(Associated PRs: #2250, #2390, #2410)

Thanks @tsaarni for getting this implemented.

Ingress changes

Ingress class

As described in #2199, previously, when configured to accept a certain ingress.class annotation, Contour would watch objects with that annotation, and also with no annotation. This caused problems in clusters with more than one ingress controller.

As of #2394, having an ingress.class annotation configured now means that only objects that have a matching annotation will cause changes in Contour.

Note that this logic change applies to both Ingress and HTTPProxy documents.

#2340 also updated the annotations documentation to make the various behaviour options more clear.

Ingress Status

Contour now has the ability to write a status.loadBalancer.addresses block to Ingress objects. This block is used by services which need to know how to reach an Ingress' backing service from outside the cluster, like external-dns.

There are two ways for Contour to find this information:

  • Contour can watch the Service object for the Envoy service and copy the associated status.loadBalancer block from that Service into all associated Ingress objects. This is what the example deployment uses.
  • Operators can also specify an address on Contour's command line, using the --ingress-status-address flag.

This closes #403, another old outstanding request.

(Associated PRs: #2373, #2386, #2416, #2420)

Separate Health and Metrics listeners

The Contour health and metrics services can now be configured to listen on separate addresses or ports using the new --health-address and --health-port flags. This gives operators the ability to restrict access to Contour's Prometheus metrics.

(Associated PRs: #2407)

Thanks @pickledrick for completing this change.

SNI Improvements

Virtual hosts that are exposed over TLS are now strongly bound to their TLS server name. This is a security improvement that means that clients cannot connect to hostname "A" at the TLS layer and then make HTTP requests for hostname "B".

(Associated PRs: #2381)

When Contour configures an ExternalName service, it now automatically sets the SNI server name used for the proxied HTTP request to match the request's Host header. This improves the compatibility of ExternalName services that proxy to HTTPS resources.

(Associated PRs: #2442)

Configuration documentation

The Contour configuration file is now documented.

Contour Namespace environment variable

In this release, Contour now inspects the CONTOUR_NAMESPACE environment variable. If CONTOUR_NAMESPACE is set, Contour will use this value as the namespace for performing leader election and the namespace for inspecting the Envoy service for load balancer addresses. In either case, explicit configuration values in the configuration file and command-line flags override the environment variable.

Other Improvements

  • Contour now has a metric which indicates the currently running version. (#2383) Thanks @pickledrick.
  • Contour now also has a command line flag to print the current version (#2399) Thanks @pickledrick
  • Add ServiceAccount for Envoy (#2449)
  • Add docs search to the site (#2458)
  • Add explanation of certgen Job image tag usage (#2424)
  • Add github label automation. (#2436)
  • Add ingress class filtering to ingress status updating (#2416)
  • Add redirect for /docs to latest version (#2419)
  • Add the demos and deep dives YouTube link to resources (#2375)
  • Changed targetPort for httpbin pods (#2384)
  • Fix the PR template with new links and frontmatter (#2382)
  • Migrate Service and Ingress to client-go dynamic client (#2373)
  • Move CRD informer list generation to k8s (#2352)
  • Update hostNetworking docs in site deploy-options (#2405)
  • Upgrade Envoy go-control-plane and fix related changes to the spec (#2432)
  • Use the downward api to give the default namespace for configuration variables (#2389)
  • build: apply standard Docker image labels (#2400)
  • build: omit the DWARF symbol table (#2398)
  • build: run misspell across the whole repository (#2439)
  • build: support older git versions to detect current branch (#2415)
  • cmd/contour: remove hard-coded default log fields (#2446)
  • doc: document the Contour configuration file (#2445)
  • docs: update DCO guidelines in CONTRIBUTING (#2425)
  • enable merge_slashes on the httpconnection manager for all listeners so that requests with multiple slashes are merged and processed properly (#2406)
  • hack: improve git tag pushing (#2393)
  • internal/annotation: Refactor annotations code from internal/dag (#2412)
  • internal/assert: Add docs to assert.Equal (#2417)
  • internal/contour: add contour version to metrics (#2383)
  • internal/contour: improve routeVisitor readability (#2370)
  • internal/dag: improve diagnostics for Secrets errors (#2422)
  • internal/health: separate health and metrics services (#2407)
  • internal: extract Envoy sort polices (#2379)
  • site: add code highlighting (#2440)
  • site: remove misleading comment in example deployment (#2377)
  • site: update contributing guidelines (#2408)
  • site: update slack links (#2444)
  • updating the website with Contour maintainers (#2404)
  • upgrade Envoy version to v1.14.1 (#2434)
  • use sni for clusters when requestHeaderPolicy is set (#2442)

Upgrading

Please consult the upgrade documentation.

Contour 1.3.0

20 Mar 05:14

We are delighted to present version 1.3.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Contour users should upgrade to Contour 1.3.0 and Envoy 1.13.1.

New and improved

Contour 1.3.0 includes several new features as well as the usual smattering of fixes and minor improvements.

Removed the --use-extensions-v1beta1-ingress flag

The --use-extensions-v1beta1-ingress flag was removed from the contour serve command. If you have a previous deployment that specifies this command, you must remove it or Contour will fail to start.

PR: #2303
Thanks @davecheney

Renamed the tcpproxy.include field to be singular

The TCPProxy field has only ever supported including a single child document. In order to make this clearer, the includes field is now named include. The includes field is deprecated.

PR: #2201
Thanks @stevesloka

Reject HTTPProxies that lack at least one Service per route

The rule that the Route field must reference at least one Service is now enforced.

PR: #2332
Thanks @davecheney

Improved graceful shutdown

Contour now does a better job of gracefully shutting down when it receives SIGINT or SIGTERM.

PR: #2350
Thanks @davecheney

Minor Improvements

  • Add "mitre" to the skip list for lint-misspell #2356
  • Add Contour Philosophy document #2335
  • Add release tooling scripts. #2353
  • Add simple debug logging flag #2286
  • Fix community meeting times #2343
  • Fix the build for units tests. #2361
  • Fixes Contour architecture overview docs #2307
  • Prepare documentation site for v1.3.0 release. #2362
  • Update Envoy dashboard with extra metrics #2324
  • api: enforce at least one service entry per route & tcpproxy #2274
  • build(deps): bump nokogiri from 1.10.5 to 1.10.8 in /site dependencies #2293
  • cmd/contour: change registerEventHandler to new InformerSyncList type #2276
  • cmd/contour: connect all informers to the dynamicHandler #2346
  • cmd/contour: simplify leadership election setup #2348
  • cmd/contour: unify client creation #2339
  • cmd/contour: update leadership election logger context #2305
  • design: add draft for ingress status loadbalancer support stale #2121
  • doc: improve HeaderCondition API documentation #2334
  • docs: document the allowed LoadBalancer strategies #2336
  • examples/contour: update to Envoy 1.13.1 #2314
  • golangci.yml: remove exclude for deleted path #2277
  • hack: pin golangci-lint version to v1.23.8 #2341
  • internal/contour: further clean up holdoff timer logic #2289
  • internal/contour: remove holdoffmaxdelay forced update #2285
  • internal/dag,envoy: use constant for ca.crt #2327
  • internal/dag: clean up TLS validation errors #2300
  • internal/dag: move extension ingress translation to a helper #2301
  • internal/k8s: simplify DynamicConverter #2342
  • makefile: Add a 'make checkall' target #2292
  • site/resources/envoy: add Contour 1.2.1 and Envoy 1.13.1 #2317
  • site: Add docs on how to rotate gRPC certs #2282
  • site: Remove heptio annotations from documentation #2308
  • site: Update the kubernetes tested version to match the kubernetes matrix #2318
  • site: correct Tero's GitHub profile link #2322
  • site: fix API docs rendering #2329
  • site: s/Recommended/Required Envoy #2321
  • site: update architecture overview to include a diagram #2328

Upgrading

Please consult the upgrade documentation.

Contour 1.2.1

03 Mar 19:27

Contour 1.2.1 is a patch release for the Contour 1.2 series to address several high severity security issues in Envoy.

Contour 1.2.1 contains no code changes from 1.2.0. This release only tags newer versions of our example and quickstart manifests to reflect the change in Envoy version.

All Contour users should upgrade to Contour 1.2.1 and Envoy 1.13.1.

Envoy 1.13.1

See the Envoy 1.13.1 announcement for details on the vulnerabilities.

Upgrading

Please consult the upgrade documentation.

Contour 1.2.0

21 Feb 02:03

We are delighted to present version 1.2.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Contour users should upgrade to Contour 1.2.0 and Envoy 1.13.0.

New and improved

Contour 1.2.0 includes several new features as well as the usual smattering of fixes and minor improvements.

Hot-Reload Certificates

Contour now supports certificate rotation for the xDS gRPC interface between Contour and Envoy.
This is achieved by lazily loading the certificate and key every time a new TLS connection is established by Envoy.

This change addresses only the certificate rotation in Contour (server) and similar support is needed for Envoy (client) to cover the whole use case.

PR: #2198

Thanks @tsaarni

Envoy Shutdown Manager

The Envoy process, the data path component of Contour, at times needs to be re-deployed.
This could be due to an upgrade, a change in configuration, or a node-failure forcing a redeployment.

Contour now offers a new sub-command named envoy shutdown-manager which assists in an Envoy rollout to minimize connection errors from clients.
The shutdown manager first sends the healthcheck fail request to Envoy and then begins polling the http/https listeners for active connections via the /stats endpoint available on localhost:9001.
When the connections reach zero, or a configured threshold, the pod is allowed to be terminated.
If the pod's configurable termination grace period seconds elapse before the open connections are fully drained, the pod is terminated anyway.

This new component runs as another container in the Envoy pod.

Design: https://github.com/projectcontour/contour/blob/master/design/envoy-shutdown.md
PR: #2227

Thanks @stevesloka
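An added Go sketch of the drain loop described above, not Contour's own shutdown-manager implementation: it assumes the listeners use the ingress_http and ingress_https stat prefixes, and it parses a constructed /stats sample instead of calling localhost:9001, so it runs offline.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// listenerPrefixes are the HTTP connection manager stat prefixes whose active
// downstream connections should drain before the pod stops.
// Assumption: Contour's listeners use the stat prefixes ingress_http and ingress_https.
var listenerPrefixes = []string{"ingress_http", "ingress_https"}

// sampleStats is a constructed excerpt in the text format of Envoy's admin /stats.
const sampleStats = `cluster_manager.active_clusters: 4
http.admin.downstream_cx_active: 1
http.ingress_http.downstream_cx_active: 3
http.ingress_https.downstream_cx_active: 2
listener.0.0.0.0_8080.downstream_cx_active: 3
`

// ParseActiveConnections sums http.<prefix>.downstream_cx_active over the given
// prefixes. Other stats, including the admin listener's own connection, are ignored,
// and it is an error if none of the requested stats are present at all.
func ParseActiveConnections(stats string, prefixes []string) (int, error) {
	want := make(map[string]bool, len(prefixes))
	for _, p := range prefixes {
		want["http."+p+".downstream_cx_active"] = true
	}
	total, seen := 0, 0
	sc := bufio.NewScanner(strings.NewReader(stats))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 || !want[strings.TrimSpace(parts[0])] {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return 0, fmt.Errorf("stat %q: %w", parts[0], err)
		}
		total += n
		seen++
	}
	if seen == 0 {
		return 0, errors.New("no downstream_cx_active stats found for the requested listeners")
	}
	return total, nil
}

// WaitForDrain polls until open connections are at or below minOpen, or the grace
// period elapses. It returns true when the drain completed and false when the
// deadline was hit; in both cases the caller lets the pod terminate.
func WaitForDrain(poll func() (int, error), minOpen int, interval, grace time.Duration) (bool, error) {
	deadline := time.Now().Add(grace)
	for {
		open, err := poll()
		if err != nil {
			return false, err
		}
		if open <= minOpen {
			return true, nil
		}
		if time.Now().After(deadline) {
			return false, nil
		}
		time.Sleep(interval)
	}
}

func main() {
	open, err := ParseActiveConnections(sampleStats, listenerPrefixes)
	fmt.Println(open, err) // 5 <nil>

	// Simulated countdown standing in for repeated GETs of /stats while clients drain.
	seq, i := []int{3, 1, 0}, 0
	poll := func() (int, error) {
		v := seq[i]
		if i < len(seq)-1 {
			i++
		}
		return v, nil
	}
	drained, err := WaitForDrain(poll, 0, 10*time.Millisecond, time.Second)
	fmt.Println(drained, err) // true <nil>
}
```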

Record EventHandler Operation Metrics

Contour adds some new Prometheus metrics for the various API operations and kinds observed from the Kubernetes informers.
This information is helpful to understand the amount of changes that Contour is processing from a Kubernetes cluster.
This change also includes a sample Grafana dashboard.

% curl -s 127.0.0.1:8000/metrics |  grep eventhandler
# HELP contour_eventhandler_operation_total Total number of eventHandler operations received by operation and object kind
# TYPE contour_eventhandler_operation_total gauge
contour_eventhandler_operation_total{kind="contour.heptio.com/IngressRoutev1beta1",op="onAdd"} 2
contour_eventhandler_operation_total{kind="contour.heptio.com/TLSCertificateDelegationv1beta1",op="onAdd"} 1
contour_eventhandler_operation_total{kind="projectcontour.io/HTTPProxyv1",op="onAdd"} 1
contour_eventhandler_operation_total{kind="unknown",op="onAdd"} 76

PR: #2244
PR: #2261

Thanks @davecheney, @youngnick

SafeRegex limit raised

Raise the SafeRegex size limit from 1,000 to 1048576.
There is no evidence that this number is sufficient for all possible regex patterns; the limit represents the "no limit" limit, because it is currently not possible for Envoy to reject a regex entry in a way that Contour can trace back to the original input.

PR: #2241

Thanks @davecheney

Minor improvements

  • Contour is built with Go 1.13.8
  • Update Envoy to 1.13.0
  • Envoy go-control-plane updated to v0.9.2
  • Upgrade google/go-cmp to version 0.4.0
  • Upgrade client-go to v0.17.0
  • Contour now utilizes the Dynamic client for CRD resources

Bug fixes

Add HTTPProxy Service.Protocol Validation

Adds an enum validation to limit the values for the service.protocol field.

Note: Users will need to reapply the CRD spec to get the validation.

PR: #2158

Thanks @stevesloka

HTTPProxy requestHeadersPolicy Validation

For an HTTPProxy, a requestHeaderPolicy can only set the Host header at the HTTPProxy.Routes.Service level.

PR: #2157

Thanks @stevesloka

Ensure certgen handles already-existing secrets correctly

The cert-gen example job now ensures that the Job will succeed if the secrets already exist.

PR: #2178

Thanks @youngnick

Other changes

  • Add Kubernetes Support Matrix
  • Update Envoy list of required extensions

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 1.1.0 to Contour 1.2.0.

Contour 1.1.0

10 Jan 03:11

We are delighted to present version 1.1.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Contour users should upgrade to Contour 1.1.0 and Envoy 1.12.2 as there are some critical vulnerabilities that should be patched.

New and improved

Contour 1.1.0 includes several new features as well as the usual smattering of fixes and minor improvements.

Envoy CVEs

Three CVEs have been addressed by Envoy; the most serious is rated 9.0 (critical) severity.

See the Envoy 1.12.2 announcement for details on the vulnerabilities.

As Envoy has not provided fixes for Envoy 1.11 and earlier, all Contour users should also upgrade to Envoy 1.12.2.

Prefix Rewrite Support

Prefix rewrite support was removed right before HTTPProxy was released in Contour v1.0.0. Support has now been added back to HTTPProxy and is expressed as a pathRewritePolicy:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: rewrite-example
spec:
  virtualhost:
    fqdn: rewrite.bar.com
  routes:
  - services:
    - name: s1
      port: 80
    conditions:
    - prefix: /v1/api
    pathRewritePolicy:
      replacePrefix:
      - prefix: /v1/api
        replacement: /app/api/v1

Thanks @jpeach

Support for specifying a service's protocol in HTTPProxy

Contour now supports defining what protocol Envoy should use when proxying to an upstream application.
(See design doc: https://github.com/projectcontour/contour/blob/master/design/httpproxy-protocol-selection.md)

A new field has been added to the Service spec which encodes the protocol data. Values for this field are: h2, h2c, and tls.

Note: Previously, that data was extracted from the Kubernetes service annotation projectcontour.io/upstream-protocol.{protocol}.

spec:
  virtualhost:
    fqdn: dashboard.kubernetes.com
    tls:
      secretName: kubernetes-dashboard-tls
  routes:
    - conditions:
      - prefix: /
      services:
        - name: kubernetes-dashboard
          protocol: tls # <--- NEW FIELD
          port: 443

Thanks @mattmoor

Support per-Split header manipulation

Adds support for adding and removing request or response headers for each service target in a Contour HTTPProxy resource.
Header manipulation is also supported per-Service or per-Route.
Headers can be set or removed from the request or response as follows:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: header-manipulation
  namespace: default
spec:
  virtualhost:
    fqdn: headers.bar.com
  routes:
    - services:
        - name: s1
          port: 80
          requestHeaderPolicy:
            set:
              - name: X-Foo
                value: bar
            remove:
              - X-Baz
          responseHeaderPolicy:
            set:
              - name: X-Service-Name
                value: s1
            remove:
              - X-Internal-Secret

Thanks @mattmoor

Requests to external domains rewrite host via externalName service

To proxy to another resource outside the cluster (e.g. a hosted object store bucket), configure that external resource in a Service of type ExternalName.
Then define a requestHeaderPolicy which replaces the Host header with the value of the ExternalName service defined previously.

See the externalName section of HTTPProxy docs for more details.

Note: The host rewrite only applies to services which target ExternalNames.

Thanks: @stevesloka

Minor improvements

  • Various documentation upgrades to projectcontour.io
  • Contour uses SafeRegex now in Envoy configuration
  • Contour is built with Go 1.13.5
  • Add namespace env var to certgen job. Thanks @dhxgit

Bug fixes

Reject a TCPProxy HTTPProxy without Valid TLS Details

To be a valid HTTPProxy, if the tcpproxy stanza is provided, the HTTPProxy must also feature a virtualhost.tls spec with either passthrough: true, or a valid secretName.

Fixes #1958

Thanks @davecheney

301 Upgrade Insecure Routes Irrespective of TCP Proxying

Clean up the HTTPProxy spec.virtualhost.tls validation logic and fix the last issue with HTTPProxy TCPProxy logic.

If an HTTPProxy is using TCP proxying then its secure port is forwarded according to the spec.tcpproxy schema.
The insecure port, port 80, is not TCP forwarded and remains connected to an L7 HTTP connection manager.
Because by definition an HTTPProxy using TCP proxying must supply a valid spec.virtualhost.tls block, our 301 upgrade logic applies.
Thus, after this change, if a route on the insecure listener is not using permitInsecure: true, it will be 301 upgraded.

Fixes #1952

Thanks @davecheney

Reject Certificates without CN or SubjectAltName

Envoy crashes when processing a TLS certificate that does not have SubjectAltNames or a CN field in the Subject, so Contour now rejects any certificate which lacks a Subject CommonName (CN) or SubjectAltName extension.

Upstream Envoy issue: envoyproxy/envoy#9182

Fixes #1965

Thanks @davecheney

Run contour & cert-gen job as non-root

Adds a securityContext to the Contour and certgen job manifest examples so that they do not run as root.

Thanks @surajssd

Cert gen now accepts certificate lifetime argument

A certificate-lifetime argument has been added to the Contour certgen job, which sets how many days the certificates used for Envoy<>Contour communication are valid.

Fixes #2017

Thanks @tsaarni

Other bug fixes

  • Contour no longer generates ingress_https route for tcpproxy vhost. Fixes #1954.
  • Quickstart can be re-applied to an existing cluster

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 1.0.1 to Contour 1.1.0.

Contour 1.0.1

10 Dec 20:38

Contour 1.0.1 is a patch release for the Contour 1.0 series to address several high severity security issues in Envoy.

Contour 1.0.1 contains no code changes from 1.0.0. This release only tags newer versions of our example and quickstart manifests to reflect the change in Envoy version.

All Contour users should upgrade to Contour 1.0.1 and Envoy 1.12.2.

Envoy 1.12.2

See the Envoy 1.12.2 announcement for details on the vulnerabilities.

Upgrading

Please consult the upgrade documentation.

Contour 1.0.0

01 Nov 01:46

We are delighted to present version 1.0.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Contour 1.0.0 is the latest stable release. All Contour users should upgrade to 1.0.0.

New and improved

Contour 1.0.0 contains many bug fixes and improvements over 0.15.3, the previous stable release.

HTTPProxy CRD

Over a year ago Contour 0.6 introduced the IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilizing modern web development patterns in multi-tenant Kubernetes clusters.

As part of preparations for bringing Contour to 1.0 IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.

HTTPProxy brings with it two new concepts--inclusion and conditions--both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and our limited support for prefix based matching.

HTTPProxy is considered stable and our sincere desire is that future changes will be made in a backward-compatible manner. For more information, please consult the HTTPProxy documentation.

None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.

IngressRoute deprecation

With the introduction of HTTPProxy, IngressRoute CRD is now marked as deprecated.

While deprecated, IngressRoute CRD will continue to be supported in its current state in Contour 1.0. The plan of record is IngressRoute will be removed in early 2020.

For more information please read the IngressRoute to HTTPProxy upgrade guide

IngressRoute and HTTPProxy status update improvements

IngressRoute and HTTPProxy status updates are now performed by the lead Contour in the deployment. The lead Contour is determined via Kubernetes' standard leader election mechanisms.

If leader election is disabled, all Contours will write status back to the Kubernetes API.

Fixes #1425, #1385, and many other issues with status loops over the years.

HTTPProxy and IngressRoute OpenAPIv3 schema validation

Contour 1.0.0 includes updated OpenAPIv3 schema validations. These schemas are automatically generated from the CRD documents themselves and should be more complete and consistent than the previous hand-rolled versions.

Fixes #513, #1414. Thanks @youngnick

Website improvements

As part of the continued preparations for the 1.0 release Contour's documentation has been relocated to the https://projectcontour.io website. Specifically;

Huge thanks to @jpeach for his work re-organizing and copy editing the website content.

Envoy keepalive tuning

Contour 1.0.0 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection, the other side never gets the message).

The common theme was the cluster was using an overlay network which suggested the overlay was timing out long-running TCP connections. Contour 1.0.0 configures various keep alive mechanisms to detect networking issues between Envoy and Contour.

Fixes #1744. Thanks, @youngnick, @bgagnon, and @ravilr.

Contour now waits for a full cache

Contour now delays serving traffic to Envoy until each of the API informers has caught up to the API server. This change reduces the likelihood that Envoy can connect to a Contour instance that is still starting up and thus observe an incomplete view of the cluster.

Updates #1280. Thanks, @jpeach and @stevesloka.

networking.k8s.io/v1beta1 Ingress support

Support for the networking.k8s.io/v1beta1.Ingress object has been added.

Fixes #1685

contour.heptio.com annotations deprecated

As part of the move to the projectcontour.io namespace, the Heptio branded contour.heptio.com annotations have been migrated to their respective projectcontour.io versions. The previous contour.heptio.com annotations should be considered deprecated. Contour will continue to support these deprecated forms for the moment. They will be removed at some point after Contour 1.0.

Client request timeout

The ability to specify a Contour wide request timeout has been added to the configuration file.

See the configuration file example for more information.

Fixes #1073. Thanks, @youngnick.

TLS certificate validation

Contour now attempts to validate the contents of a TLS certificate before presenting it to Envoy. This validation only extends to asserting that the certificate is well-formed. Expired certificates, certificates with incorrect hostname details, and otherwise well-formed but invalid certificates are not rejected. IngressRoutes and HTTPProxies that reference invalid secrets will have their Status: fields set accordingly.

Fixes #1065

Envoy 1.11.2

Contour 1.0.0 requires Envoy 1.11.2.

See the Envoy 1.11.2 announcement for details.

Structured JSON access logs

By default, Envoy emits request logs in its own format. See the Envoy docs for details.

Contour 1.0.0 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.

Please see the documentation and design document for more information.

Fixes #624. Thanks, @youngnick.

Leadership improvements

Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default.
This can be changed using the config file.

Contour image registry changes

Contour's image registry has moved from gcr.io/heptio-images/contour to docker.io/projectcontour/contour.
Please update your image locations to docker.io/projectcontour/contour:v1.0.0.

GitHub organization changes

Contour's source code has moved from github.com/heptio/contour to github.com/projectcontour/contour.

GitHub is pretty good about redirecting people for a time, but eventually, the github.com/heptio organization will go away and redirects will cease. Please update your bookmarks.

Contour namespace changes

Contour's default namespace has changed from heptio-contour to projectcontour.

TLS Passthrough and HTTP redirect

Under certain circumstances, it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is that the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.

For more information see #910 and #1450.

Per route traffic mirroring

Per route, a service can be nominated as a mirror. The mirror service will receive a copy of the traffic sent to any non-mirror service. The mirrored traffic is considered read only; any response by the mirror will be discarded.

Fixes #459

Per route idle timeout

Per route, idle timeouts can be configured via the HTTPProxy CRD.

Fixes #944

Contour ignores unrelated Secrets

Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations. This substantially reduces the number of updates processed by Contour.

Fixes #1372

Contour filters Endpoint updates

Contour now supports filtering update notifications. Specifically, Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates sent to Envoy.

Updates #426, #499

Minor improvements

  • The contour binary now executes a graceful shutdown when sent SIGTERM. Thanks, @alexbrand. Fixes #1364.
  • Contour now preserves the X-Request-Id header if present. Fixes #1509.
  • Contour's quickstart documentation now references the current stable version of Contour. Fixes #952.
  • Contour will no longer present a secret via SDS if that secret is not referenced by a valid virtualhost. #1165
  • The envoyproxy/go-control-plane package has been upgraded to version 0.9.0. go-control-plane 0.9.0 switches to the google/protobuf library, which results in a 4 MB smaller binary. Neat.
  • Our CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
  • The markup of several of our pages has been corrected to render properly on GitHub. Thanks @sudeeptoroy.
  • Envoy's /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
  • IngressRoute objects now forbid * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
  • make help target added. Thanks @jpeach.
  • HTTPProxy prefix conditions must start with a slash. Fixes #1628. Thank...

Contour 1.0.0-rc.2

25 Oct 05:18
Pre-release

VMware is enraptured to present version 1.0.0-rc.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!

Contour 1.0.0-rc.2 is the second, and hopefully last, release candidate on the path to Contour 1.0.

The current stable release at this time remains Contour 0.15.3.

New and improved

Contour 1.0.0-rc.2 contains many bug fixes and improvements over rc.1.

Website improvements

As part of the continued preparations for the 1.0 release, Contour's documentation has been relocated to the https://projectcontour.io website. Specifically:

Huge thanks to @jpeach for his work re-organising and copy editing the website content.

IngressRoute and HTTPProxy status update improvements

IngressRoute and HTTPProxy status updates are now performed by the lead Contour in the deployment. The lead Contour is determined via Kubernetes' standard leader election mechanisms.

If leader election is disabled, all Contours will write status back to the Kubernetes API.

Fixes #1425, #1385, and many other issues with status loops over the years.

HTTPProxy and IngressRoute OpenAPIv3 schema validation

Contour 1.0.0-rc.2 includes updated OpenAPIv3 schema validations. These schemas are automatically generated from the CRD documents themselves and should be more complete and consistent than the previous hand-rolled versions.

Fixes #513, #1414. Thanks @youngnick

TCPProxy delegation

Contour 1.0.0-rc.2 now supports TCPProxy delegation. See the relevant section in the HTTPProxy documentation.

Fixes #1655.

Envoy keepalive tuning

Contour 1.0.0-rc.2 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection, the other side never gets the message).

The common theme was that the cluster was using an overlay network, which suggested that the overlay was timing out long-running TCP connections. Contour 1.0.0-rc.2 configures various keep-alive mechanisms to detect networking issues between Envoy and Contour.

This fix is also included in Contour 0.15.3 and later.

Fixes #1744. Thanks @youngnick, @bgagnon, and @ravilr.

Contour now waits for a full cache

Contour now delays serving traffic to Envoy until each of the API informers has caught up to the API server. This change reduces the likelihood that Envoy can connect to a Contour instance that is still starting up and thus observe an incomplete view of the cluster.

Updates #1280. Thanks @jpeach and @stevesloka.

Minor improvements

  • The ability to write the bootstrap configuration to standard out via contour bootstrap -- - has been added. Thanks @jpeach.
  • Contour now validates that TLS certificates either bear the type kubernetes.io/tls or, in the case of upstream validation certificates, contain a non-empty ca.crt key. Fixes #1697. Thanks @jpeach.
  • x_trace_id has been added to the set of JSON loggable fields. Fixes #1734. Thanks @cw-sakamoto!
  • Obsolete Heptio branding has been removed from the contour CLI. Thanks @jpeach.
  • Contour is built with Go 1.13.3.
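The two Secret checks described in these notes (the well-formedness validation introduced in rc.1 and the type rule above) as an added Go example; this is not Contour's own code. The Secret is represented by its type string and data map, SelfSignedPEM produces a constructed certificate so the check runs offline, and main demonstrates the caveat from the notes: an expired but well-formed certificate is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParseCert returns the first PEM CERTIFICATE block parsed as X.509, or an error.
func ParseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no PEM CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ValidateSecret applies the two rules from the notes to a Secret's type and data map:
// accept a kubernetes.io/tls secret whose tls.crt parses, or any secret whose non-empty
// ca.crt parses. Like Contour's check it tests well-formedness only, never expiry.
func ValidateSecret(secretType string, data map[string][]byte) error {
	key := "ca.crt"
	if secretType == "kubernetes.io/tls" {
		key = "tls.crt"
	} else if len(data[key]) == 0 {
		return errors.New("secret is neither kubernetes.io/tls nor carries ca.crt")
	}
	_, err := ParseCert(data[key])
	return err
}

// SelfSignedPEM builds a constructed self-signed P-256 certificate valid until notAfter.
func SelfSignedPEM(notAfter time.Time) []byte {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	expired := SelfSignedPEM(time.Now().Add(-time.Hour)) // NotAfter is already in the past
	ok := ValidateSecret("kubernetes.io/tls", map[string][]byte{"tls.crt": expired}) == nil
	cert, _ := ParseCert(expired)
	fmt.Println("accepted:", ok, "expired:", time.Now().After(cert.NotAfter)) // accepted: true expired: true
}
```

Expiry and hostname checks therefore remain the operator's responsibility, for example through cert-manager renewal or external monitoring of NotAfter.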

Bug fixes

TLS certificate validation improvements

Contour 1.0.0-rc.2 improves the TLS certificate validation added in rc.1. Contour is now less likely to reject valid certificates that contain unexpected elliptic curve parameters.

This fix is also included in Contour 0.15.2 and later.

Fixes #1702. With many thanks to @mattalberts for the report and the fix.

Minor bug fixes

  • Many documentation updates and improvements. Thanks @stevesloka, @youngnick, @jpeach.
  • Ingress, IngressRoute, and HTTPProxy route conditions are now properly ordered. Fixes #1579. Thanks @jpeach.
  • Incorrect, and as it turns out superfluous, settings removed from .travis.yml. Thanks @SDBrett.
  • The First Route custom field has been removed from the HTTPProxy CRD. Updates #1567. Thanks @youngnick.

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 1.0.0-rc.1 to Contour 1.0.0-rc.2.

Contour 0.15.3

24 Oct 05:01

Contour 0.15.3 is a minor patch release for the Contour 0.15 series.

All Contour users should upgrade to Contour 0.15.3.

Improvements

Envoy keepalive tuning

Contour 0.15.3 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection but the other side never gets the message).

The common theme was that the cluster was using an overlay network, which suggested that the overlay was timing out long-running TCP connections. Contour 0.15.3 configures various keep-alive mechanisms to detect networking issues between Envoy and Contour.

Fixes #1744. Thanks @youngnick, @bgagnon, and @ravilr.

Upgrading

If you are already running Contour 0.15.2 the upgrade instructions are as follows:

  • Change the Contour image version to v0.15.3.
  • Change the Envoy image version to v1.11.2.

If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.