contour

Contour is a Kubernetes ingress controller using Envoy proxy.

APACHE-2.0 License

Stars
3.6K
Committers
223


contour - Contour v1.30.0 Latest Release

Published by skriss 3 months ago

We are delighted to present version v1.30.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Gateway API: Implement Listener/Route hostname isolation

Implements the Gateway API spec update in this GEP. The logic for finding intersecting Route and Listener hostnames now factors in the other Listeners on a Gateway that the route in question may not actually be attached to. Requests should be "isolated" to the most specific Listener and its attached routes.

(#6162, @sunjayBhatia)

Update examples for monitoring Contour and Envoy

Updates the documentation and examples for deploying a monitoring stack (Prometheus and Grafana) to scrape metrics from Contour and Envoy. Adds a metrics port to the Envoy DaemonSet/Deployment in the example YAMLs to expose port 8002 so that PodMonitor resources can be used to find metrics endpoints.

(#6269, @sunjayBhatia)

Update to Gateway API v1.1.0

Gateway API CRD compatibility has been updated to release v1.1.0.

Notable changes for Contour include:

  • The BackendTLSPolicy resource has undergone some breaking changes and has been updated to the v1alpha3 API version. This will require any existing users of this policy to uninstall the v1alpha2 version before installing this newer version.
  • GRPCRoute has graduated to GA and is now in the v1 API version.

Full release notes for this Gateway API release can be found here.

(#6398, @sunjayBhatia)

Add Circuit Breaker support for Extension Services

This change enables the user to configure the Circuit breakers for extension services either via the global Contour config or on an individual Extension Service.

NOTE: The PerHostMaxConnections is now also configurable via the global settings.

(#6539, @clayton-gonsalves)

Fallback Certificate: Add Global Ext Auth support

Applies Global Auth filters to the Fallback certificate.

(#6558, @erikflores7)

Gateway API: handle Route conflicts with GRPCRoute.Matches

It's possible that multiple GRPCRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:

  • The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
  • The Route appearing first in alphabetical order (namespace/name). For example, foo/bar is given precedence over foo/baz.

With the above ordering, any GRPCRoute that ranks lower will be marked with the following conditions:

  1. If only some of the rules under this GRPCRoute conflict, it is marked with the Accepted: True and PartiallyInvalid: true Conditions and Reason: RuleMatchPartiallyConflict.
  2. If all of the rules under this GRPCRoute conflict, it is marked with the Accepted: False Condition and Reason: RuleMatchConflict.

(#6566, @lubronzhan)

Other Changes

  • Fixes bug where external authorization policy was ignored on HTTPProxy direct response routes. (#6426, @shadialtarsha)
  • Updates to Kubernetes 1.30. Supported/tested Kubernetes versions are now 1.28, 1.29, and 1.30. (#6444, @sunjayBhatia)
  • Enforce deny-by-default approach on the admin listener by matching on exact paths and on GET requests (#6447, @davinci26)
  • Add support for defining equal-preference cipher groups ([cipher1|cipher2|...]) and permit ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305 to be used separately. (#6461, @tsaarni)
  • Allow the /stats/prometheus route on the admin listener. (#6503, @clayton-gonsalves)
  • Improve shutdown manager query to the Envoy stats endpoint for active connections by utilizing a regex filter query param. (#6523, @therealak12)
  • Updates to Go 1.22.5. See the Go release notes for more information. (#6563, @sunjayBhatia)
  • Updates Envoy to v1.31.0. See the Envoy release notes for more information about the content of the release. (#6569, @skriss)

Deprecation and Removal Notices

Contour sample YAML manifests no longer use prometheus.io/ annotations

The annotations for notifying a Prometheus instance on how to scrape metrics from Contour and Envoy pods have been removed from the deployment YAMLs and the Gateway provisioner. The suggested mechanism for doing so now is to use kube-prometheus and the PodMonitor resource.

(#6269, @sunjayBhatia)

xDS server type fields in config file and ContourConfiguration CRD are deprecated

These fields are officially deprecated now that the contour xDS server implementation is deprecated. They are planned to be removed in the 1.31 release, along with the contour xDS server implementation.

(#6561, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.30.0 is tested against Kubernetes 1.28 through 1.30.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @clayton-gonsalves
  • @davinci26
  • @erikflores7
  • @lubronzhan
  • @shadialtarsha
  • @therealak12

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.29.2

Published by skriss 3 months ago

We are delighted to present version v1.29.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.30.4. See the release notes here.
  • Updates Go to v1.22.5. See the release notes here.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.29.2 is tested against Kubernetes 1.27 through 1.29.

contour - Contour v1.28.6

Published by skriss 3 months ago

We are delighted to present version v1.28.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.29.7. See the release notes here.
  • Updates Go to v1.21.12. See the release notes here.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.28.6 is tested against Kubernetes 1.27 through 1.29.

contour - Contour v1.30.0-rc.1

Published by skriss 3 months ago

We are delighted to present version v1.30.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Minor Changes

Gateway API: Implement Listener/Route hostname isolation

Implements the Gateway API spec update in this GEP.
The logic for finding intersecting Route and Listener hostnames now factors in the other Listeners on a Gateway that the route in question may not actually be attached to.
Requests should be "isolated" to the most specific Listener and its attached routes.

(#6162, @sunjayBhatia)
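The isolation rule described above (in both the v1.30.0 and v1.30.0-rc.1 notes), worked through as an added example that is not taken from Contour's code base. The `Listener` type and the functions `hostMatches`, `specificity`, `IsolatedListener` and `RouteServes` are hypothetical names, and the sketch assumes all Listeners share one port and protocol.

```go
package main

import (
	"fmt"
	"strings"
)

// Listener is a simplified, hypothetical stand-in for a Gateway Listener.
// Hostname "" accepts any host, "*.example.com" is a wildcard, anything else is exact.
type Listener struct {
	Name     string
	Hostname string
}

// hostMatches reports whether a Listener or Route hostname pattern covers host.
// A wildcard covers one or more extra labels but never the bare suffix itself.
func hostMatches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	switch {
	case pattern == "":
		return true
	case strings.HasPrefix(pattern, "*."):
		suffix := pattern[1:] // ".example.com"
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	default:
		return pattern == host
	}
}

// specificity ranks patterns: exact beats wildcard, longer wildcard suffix
// beats shorter, and the empty (catch-all) hostname ranks last.
func specificity(pattern string) int {
	switch {
	case pattern == "":
		return 0
	case strings.HasPrefix(pattern, "*."):
		return len(pattern) - 1
	default:
		return 1 << 30
	}
}

// IsolatedListener returns the single most specific Listener for host.
func IsolatedListener(listeners []Listener, host string) (string, bool) {
	best, bestRank := "", -1
	for _, l := range listeners {
		if !hostMatches(l.Hostname, host) {
			continue
		}
		if r := specificity(l.Hostname); r > bestRank {
			best, bestRank = l.Name, r
		}
	}
	return best, bestRank >= 0
}

// RouteServes reports whether a route attached to one Listener may receive
// requests for host. It must consider every Listener on the Gateway, including
// ones the route is not attached to, because a more specific Listener takes
// the host away from a less specific one.
func RouteServes(listeners []Listener, attachedTo string, routeHostnames []string, host string) bool {
	owner, ok := IsolatedListener(listeners, host)
	if !ok || owner != attachedTo {
		return false
	}
	if len(routeHostnames) == 0 {
		return true // a route without hostnames inherits the Listener's
	}
	for _, h := range routeHostnames {
		if hostMatches(h, host) {
			return true
		}
	}
	return false
}

// SampleListeners returns constructed sample data for one Gateway.
func SampleListeners() []Listener {
	return []Listener{
		{Name: "wild", Hostname: "*.example.com"},
		{Name: "foo", Hostname: "foo.example.com"},
		{Name: "sub-wild", Hostname: "*.foo.example.com"},
		{Name: "catch-all", Hostname: ""},
	}
}

func main() {
	ls := SampleListeners()
	for _, host := range []string{"foo.example.com", "bar.example.com", "a.foo.example.com", "other.test"} {
		owner, _ := IsolatedListener(ls, host)
		served := RouteServes(ls, "wild", []string{"*.example.com"}, host)
		fmt.Printf("%-20s listener=%-10s route-on-wild-serves=%v\n", host, owner, served)
	}
}
```

Without isolation, the route attached to the wildcard Listener would also answer for foo.example.com, bypassing whatever TLS or policy configuration the dedicated Listener carries.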

Update examples for monitoring Contour and Envoy

Updates the documentation and examples for deploying a monitoring stack (Prometheus and Grafana) to scrape metrics from Contour and Envoy.
Adds a metrics port to the Envoy DaemonSet/Deployment in the example YAMLs to expose port 8002 so that PodMonitor resources can be used to find metrics endpoints.

(#6269, @sunjayBhatia)

Update to Gateway API v1.1.0

Gateway API CRD compatibility has been updated to release v1.1.0.

Notable changes for Contour include:

  • The BackendTLSPolicy resource has undergone some breaking changes and has been updated to the v1alpha3 API version. This will require any existing users of this policy to uninstall the v1alpha2 version before installing this newer version.
  • GRPCRoute has graduated to GA and is now in the v1 API version.

Full release notes for this Gateway API release can be found here.

(#6398, @sunjayBhatia)

Add Circuit Breaker support for Extension Services

This change enables the user to configure the Circuit breakers for extension services either via the global Contour config or on an individual Extension Service.

NOTE: The PerHostMaxConnections is now also configurable via the global settings.

(#6539, @clayton-gonsalves)

Fallback Certificate: Add Global Ext Auth support

Applies Global Auth filters to the Fallback certificate.

(#6558, @erikflores7)

Gateway API: handle Route conflicts with GRPCRoute.Matches

It's possible that multiple GRPCRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:

  • The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
  • The Route appearing first in alphabetical order (namespace/name). For example, foo/bar is given precedence over foo/baz.

With the above ordering, any GRPCRoute that ranks lower will be marked with the following conditions:

  1. If only some of the rules under this GRPCRoute conflict, it is marked with the Accepted: True and PartiallyInvalid: true Conditions and Reason: RuleMatchPartiallyConflict.
  2. If all of the rules under this GRPCRoute conflict, it is marked with the Accepted: False Condition and Reason: RuleMatchConflict.

(#6566, @lubronzhan)

Other Changes

  • Fixes bug where external authorization policy was ignored on HTTPProxy direct response routes. (#6426, @shadialtarsha)
  • Updates to Kubernetes 1.30. Supported/tested Kubernetes versions are now 1.28, 1.29, and 1.30. (#6444, @sunjayBhatia)
  • Enforce deny-by-default approach on the admin listener by matching on exact paths and on GET requests (#6447, @davinci26)
  • Add support for defining equal-preference cipher groups ([cipher1|cipher2|...]) and permit ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305 to be used separately. (#6461, @tsaarni)
  • Allow the /stats/prometheus route on the admin listener. (#6503, @clayton-gonsalves)
  • Improve shutdown manager query to the Envoy stats endpoint for active connections by utilizing a regex filter query param. (#6523, @therealak12)
  • Updates to Go 1.22.5. See the Go release notes for more information. (#6563, @sunjayBhatia)
  • Updates Envoy to v1.31.0. See the Envoy release notes for more information about the content of the release. (#6569, @skriss)

Deprecation and Removal Notices

Contour sample YAML manifests no longer use prometheus.io/ annotations

The annotations for notifying a Prometheus instance on how to scrape metrics from Contour and Envoy pods have been removed from the deployment YAMLs and the Gateway provisioner.
The suggested mechanism for doing so now is to use kube-prometheus and the PodMonitor resource.

(#6269, @sunjayBhatia)

xDS server type fields in config file and ContourConfiguration CRD are deprecated

These fields are officially deprecated now that the contour xDS server implementation is deprecated.
They are planned to be removed in the 1.31 release, along with the contour xDS server implementation.

(#6561, @skriss)

Installing and Upgrading

The simplest way to install v1.30.0-rc.1 is to apply one of the example configurations:

Standalone Contour:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour.yaml

Contour Gateway Provisioner:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour-gateway-provisioner.yaml

Statically provisioned Contour with Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour-gateway.yaml

Compatible Kubernetes Versions

Contour v1.30.0-rc.1 is tested against Kubernetes 1.28 through 1.30.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @clayton-gonsalves
  • @davinci26
  • @erikflores7
  • @lubronzhan
  • @shadialtarsha
  • @therealak12

contour - Contour v1.29.1

Published by sunjayBhatia 4 months ago

We are delighted to present version v1.29.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.30.2. See the release notes for v1.30.2 here (#6484).

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.29.1 is tested against Kubernetes 1.27 through 1.29.

contour - Contour v1.28.5

Published by sunjayBhatia 4 months ago

We are delighted to present version v1.28.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.29.5. See the release notes for v1.29.5 here (#6485).

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.28.5 is tested against Kubernetes 1.27 through 1.29.

contour - Contour v1.27.4

Published by sunjayBhatia 4 months ago

We are delighted to present version v1.27.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.28.4. See the release notes for v1.28.4 here (#6486).

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.27.4 is tested against Kubernetes 1.26 through 1.28.

contour - Contour v1.29.0

Published by skriss 5 months ago

We are delighted to present version v1.29.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Default xDS Server Implementation is now Envoy

As of this release, Contour now uses the envoy xDS server implementation by default. This xDS server implementation is based on Envoy's go-control-plane project and will eventually be the only supported xDS server implementation in Contour. This change is expected to be transparent to users.

I'm seeing issues after upgrading, how do I revert to the contour xDS server?

If you encounter any issues, you can easily revert to the contour xDS server with the following configuration:

(if using Contour config file)

server:
  xds-server-type: contour

(if using ContourConfiguration CRD)

...
spec:
  xdsServer:
    type: contour

You will need to restart Contour for the changes to take effect.

(#6146, @skriss)

Gateway API: Inform on v1 types

Contour no longer informs on v1beta1 resources that have graduated to v1. This includes the "core" resources GatewayClass, Gateway, and HTTPRoute. This means that users should ensure they have updated CRDs to Gateway API v1.0.0 or newer, which introduced the v1 version with compatibility with v1beta1.

(#6153, @sunjayBhatia)

Minor Changes

Use EndpointSlices by default

Contour now uses the Kubernetes EndpointSlices API by default to determine the endpoints to configure Envoy, instead of the Endpoints API. Note: if you need to continue using the Endpoints API, you can disable the feature flag via featureFlags: ["useEndpointSlices=false"] in the Contour config file or ContourConfiguration CRD.

(#6149, @izturn)

Gateway API: handle Route conflicts with HTTPRoute.Matches

It's possible that multiple HTTPRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:

  • The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
  • The Route appearing first in alphabetical order (namespace/name). For example, foo/bar is given precedence over foo/baz.

With the above ordering, any HTTPRoute that ranks lower will be marked with the following conditions:

  1. If only some of the rules under this HTTPRoute conflict, it is marked with the Accepted: True and PartiallyInvalid: true Conditions and Reason: RuleMatchPartiallyConflict.
  2. If all of the rules under this HTTPRoute conflict, it is marked with the Accepted: False Condition and Reason: RuleMatchConflict.

(#6188, @lubronzhan)

Spawn Upstream Span is now enabled in tracing

As described in the Envoy documentation, spawn_upstream_span should be true when Envoy is working as an independent proxy. From now on, Contour tracing spans will show up as a parent span to upstream spans.

(#6271, @SamMHD)

Other Changes

  • Fix data race in BackendTLSPolicy status update logic. (#6185, @sunjayBhatia)
  • Fix for specifying a health check port with an ExternalName Service. (#6230, @yangyy93)
  • Updates the example envoyproxy/ratelimit image tag to 19f2079f, for multi-arch support and other improvements. (#6246, @skriss)
  • In the envoy go-control-plane xDS server, use a separate snapshot cache for Endpoints, to minimize the amount of unnecessary xDS traffic generated. (#6250, @skriss)
  • If there were no relevant resources for Contour in the watched namespaces during the startup of a follower instance of Contour, it did not reach a ready state. (#6295, @tsaarni)
  • Added support for enabling circuit breaker statistics tracking. (#6297, @rajatvig)
  • Updates to Go 1.22.2. See the Go release notes for more information. (#6327, @skriss)
  • Gateway API: add support for HTTPRoute's Timeouts.BackendRequest field. (#6335, @skriss)
  • Updates Envoy to v1.30.1. See the v1.30.0 release notes here and the v1.30.1 release notes here. (#6353, @tico88612)
  • Gateway API: a timeout value of 0s disables the timeout. (#6375, @skriss)
  • Fix provisioner to use separate --disable-feature flags on Contour Deployment for each disabled feature. Previously a comma separated list was passed which was incorrect. (#6413, @sunjayBhatia)

Deprecation and Removal Notices

Configuring Contour with a GatewayClass controller name is no longer supported

Contour can no longer be configured with a GatewayClass controller name (gateway.controllerName in the config file or ContourConfiguration CRD), as the config field has been removed. Instead, either use a specific Gateway reference (gateway.gatewayRef), or use the Gateway provisioner.

(#6145, @skriss)

Contour xDS server implementation is now deprecated

As of this release, the contour xDS server implementation is now deprecated. Once the go-control-plane based envoy xDS server has had sufficient production bake time, the contour implementation will be removed from Contour. Notification of removal will occur at least one release in advance.

(#6146, @skriss)

Use of Endpoints API is deprecated

Contour now uses the EndpointSlices API by default, and its usage of the Endpoints API is deprecated as of this release. Support for Endpoints, and the associated useEndpointSlices feature flag, will be removed in a future release.

(#6149, @izturn)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.29.0 is tested against Kubernetes 1.27 through 1.29.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @SamMHD
  • @izturn
  • @lubronzhan
  • @rajatvig
  • @tico88612
  • @yangyy93

contour - Contour v1.28.4

Published by skriss 5 months ago

We are delighted to present version v1.28.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.29.4. See the release notes for v1.29.4 here (#6377).
  • Gateway API: an HTTPRoute timeout of 0s now disables the timeout (#6379).
  • Gateway provisioner: disabled features are now correctly applied to the Contour controller (#6414).

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.28.4 is tested against Kubernetes 1.27 through 1.29.

contour - Contour v1.27.3

Published by skriss 5 months ago

We are delighted to present version v1.27.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.28.3. See the release notes for v1.28.3 here.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.27.3 is tested against Kubernetes 1.26 through 1.28.

contour - Contour v1.29.0-rc.1

Published by skriss 6 months ago

We are delighted to present version v1.29.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Default xDS Server Implementation is now Envoy

As of this release, Contour now uses the envoy xDS server implementation by default. This xDS server implementation is based on Envoy's go-control-plane project and will eventually be the only supported xDS server implementation in Contour. This change is expected to be transparent to users.

I'm seeing issues after upgrading, how do I revert to the contour xDS server?

If you encounter any issues, you can easily revert to the contour xDS server with the following configuration:

(if using Contour config file)

server:
  xds-server-type: contour

(if using ContourConfiguration CRD)

...
spec:
  xdsServer:
    type: contour

You will need to restart Contour for the changes to take effect.

(#6146, @skriss)

Gateway API: Inform on v1 types

Contour no longer informs on v1beta1 resources that have graduated to v1. This includes the "core" resources GatewayClass, Gateway, and HTTPRoute. This means that users should ensure they have updated CRDs to Gateway API v1.0.0 or newer, which introduced the v1 version with compatibility with v1beta1.

(#6153, @sunjayBhatia)

Minor Changes

Use EndpointSlices by default

Contour now uses the Kubernetes EndpointSlices API by default to determine the endpoints to configure Envoy, instead of the Endpoints API. Note: if you need to continue using the Endpoints API, you can disable the feature flag via featureFlags: ["useEndpointSlices=false"] in the Contour config file or ContourConfiguration CRD.

(#6149, @izturn)

Gateway API: handle Route conflicts with HTTPRoute.Matches

It's possible that multiple HTTPRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:

  • The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
  • The Route appearing first in alphabetical order (namespace/name). For example, foo/bar is given precedence over foo/baz.

With the above ordering, any HTTPRoute that ranks lower will be marked with the following conditions:

  1. If only some of the rules under this HTTPRoute conflict, it is marked with the Accepted: True and PartiallyInvalid: true Conditions and Reason: RuleMatchPartiallyConflict.
  2. If all of the rules under this HTTPRoute conflict, it is marked with the Accepted: False Condition and Reason: RuleMatchConflict.

(#6188, @lubronzhan)
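The conflict-resolution procedure above, which the v1.30.0 notes apply unchanged to GRPCRoute, as an added example that is not Contour's own implementation. The `Route` and `Status` types and `ResolveConflicts` are hypothetical, match conditions are reduced to canonical strings, and the tie-break compares the joined namespace/name string.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Route is a simplified, hypothetical stand-in for an HTTPRoute or GRPCRoute.
// Each entry in Matches is one rule's match condition in canonical string form.
type Route struct {
	Namespace string
	Name      string
	Created   time.Time
	Matches   []string
}

// Key returns the namespace/name identifier used for the alphabetical tie-break.
func (r Route) Key() string { return r.Namespace + "/" + r.Name }

// Status mirrors the Conditions and Reasons named in the release note.
type Status struct {
	Accepted         bool
	PartiallyInvalid bool
	Reason           string
}

// ResolveConflicts ranks routes (oldest first, then namespace/name order) and
// returns the status each route would carry, keyed by namespace/name.
func ResolveConflicts(routes []Route) map[string]Status {
	ranked := append([]Route(nil), routes...) // leave the caller's slice untouched
	sort.SliceStable(ranked, func(i, j int) bool {
		if !ranked[i].Created.Equal(ranked[j].Created) {
			return ranked[i].Created.Before(ranked[j].Created)
		}
		return ranked[i].Key() < ranked[j].Key()
	})

	owner := map[string]string{} // match condition -> route that won it
	out := make(map[string]Status, len(ranked))
	for _, r := range ranked {
		var free []string
		conflicts := 0
		for _, m := range r.Matches {
			if _, taken := owner[m]; taken {
				conflicts++
			} else {
				free = append(free, m)
			}
		}
		switch {
		case conflicts == 0:
			out[r.Key()] = Status{Accepted: true, Reason: "Accepted"}
		case conflicts < len(r.Matches):
			out[r.Key()] = Status{Accepted: true, PartiallyInvalid: true, Reason: "RuleMatchPartiallyConflict"}
		default:
			// Every rule lost to a higher-ranked route, so this route claims nothing.
			out[r.Key()] = Status{Accepted: false, Reason: "RuleMatchConflict"}
			continue
		}
		for _, m := range free {
			owner[m] = r.Key()
		}
	}
	return out
}

// SampleRoutes returns constructed sample data, deliberately out of rank order.
func SampleRoutes() []Route {
	t0 := time.Date(2020, 9, 8, 1, 2, 3, 0, time.UTC)
	return []Route{
		{Namespace: "default", Name: "new", Created: t0.Add(2 * time.Second), Matches: []string{"/api"}},
		{Namespace: "default", Name: "mid", Created: t0.Add(time.Second), Matches: []string{"/api", "/metrics"}},
		{Namespace: "foo", Name: "baz", Created: t0, Matches: []string{"/x"}},
		{Namespace: "default", Name: "old", Created: t0, Matches: []string{"/api", "/health"}},
		{Namespace: "foo", Name: "bar", Created: t0, Matches: []string{"/x"}},
	}
}

func main() {
	res := ResolveConflicts(SampleRoutes())
	keys := make([]string, 0, len(res))
	for k := range res {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-12s %+v\n", k, res[k])
	}
}
```

Because precedence depends on creation time and name rather than on who owns the namespace, routes reporting RuleMatchConflict or PartiallyInvalid are worth alerting on in shared Gateways: they show which tenant's rules are silently not serving traffic.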

Spawn Upstream Span is now enabled in tracing

As described in the Envoy documentation, spawn_upstream_span should be true when Envoy is working as an independent proxy. From now on, Contour tracing spans will show up as a parent span to upstream spans.

(#6271, @SamMHD)

Other Changes

  • Fix data race in BackendTLSPolicy status update logic. (#6185, @sunjayBhatia)
  • Fix for specifying a health check port with an ExternalName Service. (#6230, @yangyy93)
  • Updates the example envoyproxy/ratelimit image tag to 19f2079f, for multi-arch support and other improvements. (#6246, @skriss)
  • In the envoy go-control-plane xDS server, use a separate snapshot cache for Endpoints, to minimize the amount of unnecessary xDS traffic generated. (#6250, @skriss)
  • If there were no relevant resources for Contour in the watched namespaces during the startup of a follower instance of Contour, it did not reach a ready state. (#6295, @tsaarni)
  • Added support for enabling circuit breaker statistics tracking. (#6297, @rajatvig)
  • Updates to Go 1.22.2. See the Go release notes for more information. (#6327, @skriss)
  • Gateway API: add support for HTTPRoute's Timeouts.BackendRequest field. (#6335, @skriss)
  • Updates Envoy to v1.30.1. See the v1.30.0 release notes here and the v1.30.1 release notes here. (#6353, @tico88612)
  • Gateway API: a timeout value of 0s disables the timeout. (#6375, @skriss)

Deprecation and Removal Notices

Configuring Contour with a GatewayClass controller name is no longer supported

Contour can no longer be configured with a GatewayClass controller name (gateway.controllerName in the config file or ContourConfiguration CRD), as the config field has been removed. Instead, either use a specific Gateway reference (gateway.gatewayRef), or use the Gateway provisioner.

(#6145, @skriss)

Contour xDS server implementation is now deprecated

As of this release, the contour xDS server implementation is now deprecated. Once the go-control-plane based envoy xDS server has had sufficient production bake time, the contour implementation will be removed from Contour. Notification of removal will occur at least one release in advance.

(#6146, @skriss)

Use of Endpoints API is deprecated

Contour now uses the EndpointSlices API by default, and its usage of the Endpoints API is deprecated as of this release. Support for Endpoints, and the associated useEndpointSlices feature flag, will be removed in a future release.

(#6149, @izturn)

Installing and Upgrading

The simplest way to install v1.29.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.29.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.29.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.29.0-rc.1 is tested against Kubernetes 1.27 through 1.29.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @SamMHD
  • @izturn
  • @lubronzhan
  • @rajatvig
  • @tico88612
  • @yangyy93

contour - Contour v1.28.3

Published by skriss 6 months ago

We are delighted to present version v1.28.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

Update Envoy to v1.29.3

See the release notes for v1.29.3 here.

Note that this Envoy version retains the hop-by-hop TE header when set to trailers, fixing a regression seen in v1.29.0-v1.29.2 for HTTP/2, particularly gRPC. However, this version of Contour continues to set the envoy.reloadable_features.sanitize_te Envoy runtime setting to false to ensure seamless upgrades. This runtime setting will be removed in Contour v1.29.0.

Update Go to v1.21.9

See the release notes for v1.21.9 here.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.28.3 is tested against Kubernetes 1.27 through 1.29.


contour - Contour v1.27.2

Published by skriss 6 months ago

We are delighted to present version v1.27.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.28.2. See the release notes for v1.28.2 here.
  • Updates Go to v1.21.9. See the release notes for v1.21.9 here.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.27.2 is tested against Kubernetes 1.26 through 1.28.


contour - Contour v1.26.3

Published by skriss 6 months ago

We are delighted to present version v1.26.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.27.4. See the release notes for v1.27.4 here.
  • Updates Go to v1.20.14. See the release notes for v1.20.14 here.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.26.3 is tested against Kubernetes 1.26 through 1.28.


contour - Contour v1.28.2

Published by sunjayBhatia 7 months ago

We are delighted to present version v1.28.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

Update Envoy to v1.29.2

See the release notes here.

Note that this Envoy version reverts the HTTP/2 codec back to nghttp2 from oghttp2.

Disable Envoy removing TE header

As of version v1.29.0, Envoy removes the hop-by-hop TE header.
However, this causes issues with HTTP/2, particularly gRPC, with implementations expecting the header to be present (and set to trailers).
Contour disables this via Envoy runtime setting and reverts to the v1.28.x and prior behavior of allowing the header to be proxied.

Once this Envoy PR that enables the TE header including trailers to be forwarded is backported to a release or a new minor is cut, Contour will no longer set the aforementioned runtime key.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.28.2 is tested against Kubernetes 1.27 through 1.29.


contour - Contour v1.28.1

Published by sunjayBhatia 8 months ago

We are delighted to present version v1.28.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Fix data race in BackendTLSPolicy status update logic.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.28.1 is tested against Kubernetes 1.27 through 1.29.


contour - Contour v1.27.1

Published by skriss 8 months ago

We are delighted to present version v1.27.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.28.1. See the release notes for v1.28.1 here.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.27.1 is tested against Kubernetes 1.26 through 1.28.


contour - Contour v1.26.2

Published by skriss 8 months ago

We are delighted to present version v1.26.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.27.3. See the release notes for v1.27.3 here.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.26.2 is tested against Kubernetes 1.26 through 1.28.


contour - Contour v1.28.0

Published by sunjayBhatia 8 months ago

We are delighted to present version v1.28.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Upstream TLS now supports TLS 1.3 and TLS parameters can be configured

The default maximum TLS version for upstream connections is now 1.3, instead of the Envoy default of 1.2.

In a similar way to how Contour users can configure Min/Max TLS version and
Cipher Suites for Envoy's listeners, users can now specify the
same information for upstream connections. In the ContourConfiguration, this is
available under spec.envoy.cluster.upstreamTLS. The equivalent config file
parameter is cluster.upstream-tls.

(#5828, @KauzClay)

Update to Gateway API 1.0

Contour now uses Gateway API 1.0, which graduates the core resources GatewayClass, Gateway and HTTPRoute to the v1 API version.

For backwards compatibility, this version of Contour continues to watch for v1beta1 versions of these resources, to ease the migration process for users.
However, future versions of Contour will move to watching for v1 versions of these resources.
Note that if you are using Gateway API 1.0 and the v1 API group, the resources you create will also be available from the API server as v1beta1 resources so Contour will correctly reconcile them as well.

(#5898, @skriss)

Support for Gateway API BackendTLSPolicy

The BackendTLSPolicy CRD can now be used with HTTPRoute to configure a Contour gateway to connect to a backend Service with TLS. This will give users the ability to use Gateway API to configure their routes to securely connect to backends that use TLS with Contour.

The BackendTLSPolicy spec requires you to specify a targetRef, which can currently only be a Kubernetes Service within the same namespace as the BackendTLSPolicy. The targetRef identifies the Service to which the BackendTLSPolicy applies. A SectionName can also be set to the port name of a Service to reference a specific section of the Service.

The spec also requires you to specify caCertRefs, which can either be a ConfigMap or Secret with a ca.crt key in the data map containing a PEM-encoded TLS certificate. The CA certificates referenced will be configured to be used by the gateway to perform TLS to the backend Service. You will also need to specify a Hostname, which will be used to configure the SNI the gateway will use for the connection.

See Gateway API's GEP-1897 for the proposal for BackendTLSPolicy.

(#6119, @flawedmatrix, @christianang)

Minor Changes

JWT Authentication happens before External Authorization

Fixes a bug where, when the external authorization filter and JWT authentication filter were both configured, the external authorization filter was executed before the JWT authentication filter. Now, JWT authentication happens before external authorization when they are both configured.

(#5840, @izturn)

Allow Multiple SANs in Upstream Validation section of HTTPProxy

This change introduces a max length of 250 characters to the field subjectName in the UpstreamValidation block.

Allow multiple SANs in Upstream Validation by adding a new field subjectNames to the UpstreamValidation block. This will exist side by side with the previous subjectName field. Using CEL validation, we can enforce that when both are present, the first entry in subjectNames must match the value of subjectName.

(#5849, @KauzClay)

Gateway API Backend Protocol Selection

For Gateway API, Contour now enables end-users to specify backend protocols by setting the backend Service's ServicePort.AppProtocol parameter. The accepted values are kubernetes.io/h2c and kubernetes.io/ws. Note that websocket upgrades are already enabled by default for Gateway API. If AppProtocol is set, any other configurations, such as the annotation: projectcontour.io/upstream-protocol.{protocol} will be disregarded.

(#5934, @izturn)

Gateway API: support HTTPRoute request timeouts

Contour now enables end-users to specify request timeouts by setting the HTTPRouteRule.Timeouts.Request parameter. Note that BackendRequest is not yet implemented because without Gateway API support for retries, it's functionally equivalent to Request.

(#5997, @izturn)

Support for Global Circuit Breaker Policy

Currently, when the circuit breaker annotations are not present, the values default to the Envoy defaults. The Envoy defaults can be quite low for larger clusters with more traffic, so if a user accidentally deletes or unsets the annotations, this can cause an issue. With this change, Contour administrators can provide good global defaults, so that even if a user forgets to set the annotations or deletes them, they have the safety net of good defaults. These can be configured via cluster.circuit-breakers or via the ContourConfiguration CRD in spec.envoy.cluster.circuitBreakers.

(#6013, @davinci26)

Allow setting connection limit per listener

Adds a listeners.max-connections-per-listener config option to Contour config file and spec.envoy.listener.maxConnectionsPerListener to the ContourConfiguration CRD.

Setting the max connection limit per listener field limits the number of active connections to a listener. The default, if unset, is unlimited.

(#6058, @flawedmatrix, @christianang)

Upstream TLS validation and client certificate for TCPProxy

TCPProxy now supports validating the server certificate and using a client certificate for upstream TLS connections.
Set httpproxy.spec.tcpproxy.services.validation.caSecret and subjectName to enable optional validation, and set the tls.envoy-client-certificate configuration file field or ContourConfiguration.spec.envoy.clientCertificate to configure the optional client certificate.

(#6079, @tsaarni)

Remove Contour container readiness probe initial delay

The Contour server container in the Contour Deployment previously had its readiness probe initialDelaySeconds field set to 15.
This has been removed from the example YAML manifests and Gateway Provisioner generated Contour Deployment since as of PR #5672 Contour's xDS server will not start or serve any configuration (and the readiness probe will not succeed) until the existing state of the cluster is synced.
In clusters with few resources this will improve the Contour Deployment's update/rollout time as initial startup time should be low.

(#6099, @sunjayBhatia)

Add anti-affinity rule for envoy deployed by provisioner

The envoy deployment created by the gateway provisioner now includes a default anti-affinity rule. The anti-affinity rule in the example envoy deployment manifest is also updated to preferredDuringSchedulingIgnoredDuringExecution to be consistent with the contour deployment and the gateway provisioner anti-affinity rule.

(#6148, @lubronzhan)

Add DisabledFeatures to ContourDeployment for gateway provisioner

A new flag, DisabledFeatures, is added to ContourDeployment so that users can configure the Contour instance deployed by the provisioner to skip reconciling the CRDs specified in the flag.

Accepted values are grpcroutes|tlsroutes|extensionservices|backendtlspolicies.

(#6152, @lubronzhan)

Other Changes

  • For Gateway API v1.0, the successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route's ParentRefs field. (#5961, @izturn)
  • Gateway API: adds support for Gateway infrastructure labels and annotations. (#5968, @skriss)
  • Gateway API: add the gateway.networking.k8s.io/gateway-name label to generated resources. (#5969, @skriss)
  • Fixes a bug with the envoy xDS server where at startup, xDS configuration would not be generated and served until a subsequent configuration change. (#5972, @skriss)
  • Envoy: Adds support for setting per-host circuit breaker max-connections threshold using a new service-level annotation: projectcontour.io/per-host-max-connections. (#6016, @relu)
  • Updates to Kubernetes 1.29. Supported/tested Kubernetes versions are now 1.27, 1.28 and 1.29. (#6031, @skriss)
  • Remove static base runtime layer from bootstrap (#6063, @lubronzhan)
  • Updates to Go 1.21.6. See the Go release notes for more information. (#6070, @sunjayBhatia)
  • Allow gatewayProvisioner to create a Contour that only watches limited namespaces of resources (#6073, @lubronzhan)
  • Access Log: Contour excludes empty fields in Envoy JSON based access logs by default. (#6077, @abbas-gheydi)
  • Updates HTTP filter names to match between the HTTP connection manager and per-filter config on virtual hosts/routes, and to use canonical names. (#6124, @skriss)
  • Gateway API provisioner now checks gateway.networking.k8s.io/bundle-version annotation on Gateway CRDs and sets SupportedVersion status condition on GatewayClass if annotation value matches supported Gateway API version. Best-effort support is provided if version does not match. (#6147, @sunjayBhatia)
  • For Gateway API, add "Accepted" condition to BackendTLSPolicy. If the condition is true the BackendTLSPolicy was accepted by the Gateway and if false a reason will be stated on the policy as to why it wasn't accepted. (#6151, @christianang)
  • Updates Envoy to v1.29.1. See the release notes here. (#6164, @sunjayBhatia)

Docs Changes

  • Document that Gateway names should be 63 characters or shorter to avoid issues with generating dependent resources when using the Gateway provisioner. (#6143, @skriss)
  • Add troubleshooting guide for general app traffic errors. (#6161, @sunjayBhatia)

Deprecation and Removal Notices

Deprecate subjectName field on UpstreamValidation

The subjectName field is being deprecated in favor of subjectNames, which is
a list of subjectNames. subjectName will continue to behave as it has. If
using subjectNames, the first entry in subjectNames must match the value of
subjectName. This will be enforced by CEL validation.

(#5849, @KauzClay)

ContourDeployment.Spec.ResourceLabels is deprecated

The ContourDeployment.Spec.ResourceLabels field is now deprecated. You should use Gateway.Spec.Infrastructure.Labels instead. The ResourceLabels field will be removed in a future release.

(#5968, @skriss)

Configuring Contour with a GatewayClass controller name is deprecated

Contour should no longer be configured with a GatewayClass controller name (gateway.controllerName in the config file or ContourConfiguration CRD).
Instead, either use a specific Gateway reference (gateway.gatewayRef), or use the Gateway provisioner.
gateway.controllerName will be removed in a future release.

(#6144, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.28.0 is tested against Kubernetes 1.27 through 1.29.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @KauzClay
  • @abbas-gheydi
  • @christianang
  • @davinci26
  • @flawedmatrix
  • @izturn
  • @lubronzhan
  • @relu


contour - Contour v1.28.0-rc.1

Published by sunjayBhatia 9 months ago

We are delighted to present version v1.28.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Upstream TLS now supports TLS 1.3 and TLS parameters can be configured

The default maximum TLS version for upstream connections is now 1.3, instead of the Envoy default of 1.2.

In a similar way to how Contour users can configure Min/Max TLS version and
Cipher Suites for Envoy's listeners, users can now specify the
same information for upstream connections. In the ContourConfiguration, this is
available under spec.envoy.cluster.upstreamTLS. The equivalent config file
parameter is cluster.upstream-tls.

(#5828, @KauzClay)

Update to Gateway API 1.0

Contour now uses Gateway API 1.0, which graduates the core resources GatewayClass, Gateway and HTTPRoute to the v1 API version.

For backwards compatibility, this version of Contour continues to watch for v1beta1 versions of these resources, to ease the migration process for users.
However, future versions of Contour will move to watching for v1 versions of these resources.
Note that if you are using Gateway API 1.0 and the v1 API group, the resources you create will also be available from the API server as v1beta1 resources so Contour will correctly reconcile them as well.

(#5898, @skriss)

Support for Gateway API BackendTLSPolicy

The BackendTLSPolicy CRD can now be used with HTTPRoute to configure a Contour gateway to connect to a backend Service with TLS. This will give users the ability to use Gateway API to configure their routes to securely connect to backends that use TLS with Contour.

The BackendTLSPolicy spec requires you to specify a targetRef, which can currently only be a Kubernetes Service within the same namespace as the BackendTLSPolicy. The targetRef identifies the Service to which the BackendTLSPolicy applies. A SectionName can also be set to the port name of a Service to reference a specific section of the Service.

The spec also requires you to specify caCertRefs, which can either be a ConfigMap or Secret with a ca.crt key in the data map containing a PEM-encoded TLS certificate. The CA certificates referenced will be configured to be used by the gateway to perform TLS to the backend Service. You will also need to specify a Hostname, which will be used to configure the SNI the gateway will use for the connection.

See Gateway API's GEP-1897 for the proposal for BackendTLSPolicy.

(#6119, @flawedmatrix and @christianang)
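The BackendTLSPolicy setup described in the v1.28.0 and v1.28.0-rc.1 notes, as an added example that is not taken from the Contour release notes. All resource names, the demo namespace, the port, the hostnames and the Gateway reference are assumptions; the BackendTLSPolicy apiVersion is the one shipped with Gateway API 1.0.

```yaml
# Added example. Names, namespace, port and hostnames are assumptions.

# CA bundle the gateway uses to verify the backend's serving certificate.
# The page requires a ca.crt key holding a PEM-encoded certificate.
apiVersion: v1
kind: ConfigMap
metadata:
  name: backend-ca
  namespace: demo
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PEM-encoded CA certificate (placeholder)>
    -----END CERTIFICATE-----
---
# Backend Service that terminates TLS itself.
apiVersion: v1
kind: Service
metadata:
  name: payments
  namespace: demo
spec:
  selector:
    app: payments
  ports:
  - name: https          # port name referenced by sectionName below
    port: 8443
    targetPort: 8443
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: BackendTLSPolicy
metadata:
  name: payments-tls
  namespace: demo        # must be the same namespace as the target Service
spec:
  targetRef:
    group: ""
    kind: Service
    name: payments
    sectionName: https   # optional: restrict the policy to this Service port
  tls:
    caCertRefs:
    - group: ""
      kind: ConfigMap    # a Secret with a ca.crt key is also accepted
      name: backend-ca
    hostname: payments.demo.internal   # SNI the gateway sends to the backend
---
# Route that sends traffic to the TLS backend through the gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: payments
  namespace: demo
spec:
  parentRefs:
  - name: contour              # assumed Gateway name
    namespace: projectcontour  # assumed Gateway namespace
  hostnames:
  - payments.example.com
  rules:
  - backendRefs:
    - name: payments
      port: 8443
```

Contour v1.28.0 reports an Accepted condition on the BackendTLSPolicy, with a reason when the policy is rejected, which is the first thing to check if the backend connection is not using TLS as expected.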

Minor Changes

JWT Authentication happens before External Authorization

Fixes a bug where, when the external authorization filter and JWT authentication filter were both configured, the external authorization filter was executed before the JWT authentication filter. Now, JWT authentication happens before external authorization when they are both configured.

(#5840, @izturn)

Allow Multiple SANs in Upstream Validation section of HTTPProxy

This change introduces a max length of 250 characters to the field subjectName in the UpstreamValidation block.

Allow multiple SANs in Upstream Validation by adding a new field subjectNames to the UpstreamValidation block. This will exist side by side with the previous subjectName field. Using CEL validation, we can enforce that when both are present, the first entry in subjectNames must match the value of subjectName.

(#5849, @KauzClay)

Gateway API Backend Protocol Selection

For Gateway API, Contour now enables end-users to specify backend protocols by setting the backend Service's ServicePort.AppProtocol parameter. The accepted values are kubernetes.io/h2c and kubernetes.io/ws. Note that websocket upgrades are already enabled by default for Gateway API. If AppProtocol is set, any other configurations, such as the annotation: projectcontour.io/upstream-protocol.{protocol} will be disregarded.

(#5934, @izturn)

Gateway API: support HTTPRoute request timeouts

Contour now enables end-users to specify request timeouts by setting the HTTPRouteRule.Timeouts.Request parameter. Note that BackendRequest is not yet implemented because without Gateway API support for retries, it's functionally equivalent to Request.

(#5997, @izturn)

Support for Global Circuit Breaker Policy

Currently, when the circuit breaker annotations are not present, the values default to the Envoy defaults. The Envoy defaults can be quite low for larger clusters with more traffic, so if a user accidentally deletes or unsets the annotations, this can cause an issue. With this change, Contour administrators can provide good global defaults, so that even if a user forgets to set the annotations or deletes them, they have the safety net of good defaults. These can be configured via cluster.circuit-breakers or via the ContourConfiguration CRD in spec.envoy.cluster.circuitBreakers.

(#6013, @davinci26)

Allow setting connection limit per listener

Adds a listeners.max-connections-per-listener config option to Contour config file and spec.envoy.listener.maxConnectionsPerListener to the ContourConfiguration CRD.

Setting the max connection limit per listener field limits the number of active connections to a listener. The default, if unset, is unlimited.

(#6058, @flawedmatrix)
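The three ContourConfiguration settings introduced in these notes (upstream TLS parameters, global circuit breaker defaults and the per-listener connection limit), combined in one added example that is not taken from the Contour release notes. The numeric values, the cipher selection and the resource name and namespace are assumptions; the sub-field names under upstreamTLS and circuitBreakers do not appear in these notes, so check them against the ContourConfiguration reference for your version.

```yaml
# Added example. Values are illustrative assumptions, not project recommendations.
apiVersion: projectcontour.io/v1alpha1
kind: ContourConfiguration
metadata:
  name: contour              # assumed name
  namespace: projectcontour  # assumed namespace
spec:
  envoy:
    cluster:
      # Config file equivalent: cluster.upstream-tls
      upstreamTLS:
        # Refuse anything older than TLS 1.2 when Envoy connects to backends.
        minimumProtocolVersion: "1.2"
        # 1.3 is already the default maximum as of v1.28.0; stated explicitly
        # so the intent survives a future change of defaults.
        maximumProtocolVersion: "1.3"
        # Restrict the cipher suites offered to backends to AEAD suites
        # with forward secrecy.
        cipherSuites:
        - ECDHE-ECDSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES256-GCM-SHA384
      # Config file equivalent: cluster.circuit-breakers
      # Used when a Service carries no circuit breaker annotations, instead of
      # falling back to the lower Envoy defaults.
      circuitBreakers:
        maxConnections: 100000
        maxPendingRequests: 100000
        maxRequests: 60000
        maxRetries: 50
    listener:
      # Config file equivalent: listeners.max-connections-per-listener
      # Caps active connections per listener; unset means unlimited.
      maxConnectionsPerListener: 50000
```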

Upstream TLS validation and client certificate for TCPProxy

TCPProxy now supports validating the server certificate and using a client certificate for upstream TLS connections.
Set httpproxy.spec.tcpproxy.services.validation.caSecret and subjectName to enable optional validation, and set the tls.envoy-client-certificate configuration file field or ContourConfiguration.spec.envoy.clientCertificate to configure the optional client certificate.

(#6079, @tsaarni)

Remove Contour container readiness probe initial delay

The Contour server container in the Contour Deployment previously had its readiness probe initialDelaySeconds field set to 15.
This has been removed from the example YAML manifests and Gateway Provisioner generated Contour Deployment since as of PR #5672 Contour's xDS server will not start or serve any configuration (and the readiness probe will not succeed) until the existing state of the cluster is synced.
In clusters with few resources this will improve the Contour Deployment's update/rollout time as initial startup time should be low.

(#6099, @sunjayBhatia)

Other Changes

  • For Gateway API v1.0, the successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route's ParentRefs field. (#5961, @izturn)
  • Gateway API: adds support for Gateway infrastructure labels and annotations. (#5968, @skriss)
  • Gateway API: add the gateway.networking.k8s.io/gateway-name label to generated resources. (#5969, @skriss)
  • Fixes a bug with the envoy xDS server where at startup, xDS configuration would not be generated and served until a subsequent configuration change. (#5972, @skriss)
  • Envoy: Adds support for setting per-host circuit breaker max-connections threshold using a new service-level annotation: projectcontour.io/per-host-max-connections. (#6016, @relu)
  • Updates to Kubernetes 1.29. Supported/tested Kubernetes versions are now 1.27, 1.28 and 1.29. (#6031, @skriss)
  • Remove static base runtime layer from bootstrap (#6063, @lubronzhan)
  • Updates to Go 1.21.6. See the Go release notes for more information. (#6070, @sunjayBhatia)
  • Allow gatewayProvisioner to create a Contour that only watches limited namespaces of resources (#6073, @lubronzhan)
  • Access Log: Contour excludes empty fields in Envoy JSON based access logs by default. (#6077, @abbas-gheydi)
  • Updates Envoy to v1.29.0. See the release notes here. (#6123, @skriss)
  • Updates HTTP filter names to match between the HTTP connection manager and per-filter config on virtual hosts/routes, and to use canonical names. (#6124, @skriss)
  • Gateway API provisioner now checks gateway.networking.k8s.io/bundle-version annotation on Gateway CRDs and sets SupportedVersion status condition on GatewayClass if annotation value matches supported Gateway API version. Best-effort support is provided if version does not match. (#6147, @sunjayBhatia)

Docs Changes

  • Document that Gateway names should be 63 characters or shorter to avoid issues with generating dependent resources when using the Gateway provisioner. (#6143, @skriss)

Deprecation and Removal Notices

Deprecate subjectName field on UpstreamValidation

The subjectName field is being deprecated in favor of subjectNames, which is
a list of subjectNames. subjectName will continue to behave as it has. If
using subjectNames, the first entry in subjectNames must match the value of
subjectName. This will be enforced by CEL validation.

(#5849, @KauzClay)
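The subjectName and subjectNames rule from the "Allow Multiple SANs in Upstream Validation" change and from this deprecation notice, shown on an HTTPProxy as an added example that is not taken from the Contour release notes. The proxy, Service, Secret and DNS names are assumptions.

```yaml
# Added example. All names and hostnames are assumptions.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: orders
  namespace: demo
spec:
  virtualhost:
    fqdn: orders.example.com
  routes:
  - conditions:
    - prefix: /
    services:
    - name: orders-backend
      port: 8443
      protocol: tls                # Envoy connects to the backend over TLS
      validation:
        caSecret: orders-backend-ca  # Secret holding the CA certificate
        # Deprecated single-name field, limited to 250 characters.
        # Kept here so the manifest still works where only subjectName is read.
        subjectName: orders.demo.internal
        # New list form. When both fields are set, CEL validation requires
        # the first entry to equal subjectName, otherwise the object is rejected.
        subjectNames:
        - orders.demo.internal
        - orders-canary.demo.internal
```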

The ContourDeployment.Spec.ResourceLabels field is now deprecated. You should use Gateway.Spec.Infrastructure.Labels instead. The ResourceLabels field will be removed in a future release.

(#5968, @skriss)

Configuring Contour with a GatewayClass controller name is deprecated

Contour should no longer be configured with a GatewayClass controller name (gateway.controllerName in the config file or ContourConfiguration CRD).
Instead, either use a specific Gateway reference (gateway.gatewayRef), or use the Gateway provisioner.
gateway.controllerName will be removed in a future release.

(#6144, @skriss)

Installing and Upgrading

The simplest way to install v1.28.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.28.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.28.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.28.0-rc.1 is tested against Kubernetes 1.27 through 1.29.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @KauzClay
  • @abbas-gheydi
  • @davinci26
  • @flawedmatrix
  • @christianang
  • @izturn
  • @lubronzhan
  • @relu
