We are delighted to present version v1.27.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Fix bug with algorithm used to sort Envoy regex/prefix path rules

Envoy greedy matches routes and as a result the order route matches are presented to Envoy is important. Contour attempts to produce consistent routing tables so that the most specific route matches are given preference. This is done to facilitate consistency when using HTTPProxy inclusion and provide a uniform user experience for route matching to be inline with Ingress and Gateway API Conformance.

This changes fixes the sorting algorithm used for Prefix and Regex based path matching. Previously the algorithm lexicographically sorted based on the path match string instead of sorting them based on the length of the Prefix|Regex. i.e. Longer prefix/regexes will be sorted first in order to give preference to more specific routes, then lexicographic sorting for things of the same length.

Note that for prefix matching, this change is not expected to change the relative ordering of more specific prefixes vs. less specific ones when the more specific prefix match string has the less specific one as a prefix, e.g. /foo/bar will continue to sort before /foo. However, relative ordering of other combinations of prefix matches may change per the above description.

How to update safely

Caution is advised if you update Contour and you are operating large routing tables. We advise you to:

1. Deploy a duplicate Contour installation that parses the same CRDs
2. Port-forward to the Envoy admin interface docs
3. Access http://127.0.0.1:9001/config_dump and compare the configuration of Envoy. In particular the routes and their order. The prefix routes might be changing in order, so if they are you need to verify that the route matches as expected.

(#5752, @davinci26)

Minor Changes

Specific routes can now opt out of the virtual host's global rate limit policy

Setting rateLimitPolicy.global.disabled flag to true on a specific route now disables the global rate limit policy inherited from the virtual host for that route.

Sample Configurations

In the example below, /foo route is opted out from the global rate limit policy defined by the virtualhost.

httpproxy.yaml

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: echo
spec:
  virtualhost:
    fqdn: local.projectcontour.io
    rateLimitPolicy:
      global:
        descriptors:
          - entries:
            - remoteAddress: {}
            - genericKey:
                key: vhost
                value: local.projectcontour.io
  routes:
    - conditions:
        - prefix: /
      services:
        - name: ingress-conformance-echo
          port: 80
    - conditions:
        - prefix: /foo
      rateLimitPolicy:
        global:
          disabled: true
      services:
        - name: ingress-conformance-echo
          port: 80

(#5657, @shadialtarsha)

Contour now waits for the cache sync before starting the DAG rebuild and XDS server

Before this, we only waited for informer caches to sync but didn't wait for delivering the events to subscribed handlers.
Now contour waits for the initial list of Kubernetes objects to be cached and processed by handlers (using the returned HasSynced methods)
and then starts building its DAG and serving XDS.

(#5672, @therealak12)

HTTPProxy: Allow Host header rewrite with dynamic headers.

This Change allows the host header to be rewritten on requests using dynamic headers on the only route level.

Example

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: dynamic-host-header-rewrite
spec:
  fqdn: local.projectcontour.io
  routes:
    - conditions:
      - prefix: /
      services:
        - name: s1
          port: 80
    - requestHeaderPolicy:
        set:
        - name: host
          value: "%REQ(x-rewrite-header)%"

(#5678, @clayton-gonsalves)

Add Kubernetes Endpoint Slice support

This change optionally enables Contour to consume the kubernetes endpointslice API to determine the endpoints to configure Envoy with.
Note: This change is off by default and is gated by the feature flag useEndpointSlices.

This feature will be enabled by default in a future version on Contour once it has had sufficient bake time in production environments.

(#5745, @clayton-gonsalves)

Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487

Envoy v1.27.1 mitigates CVE-2023-44487 with some default runtime settings, however the http.max_requests_per_io_cycle does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  max-requests-per-io-cycle: 10

(Note this can be used in addition to the existing Listener configuration field listener.max-requests-per-connection which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)

See the Envoy release notes for more details.

(#5827, @sunjayBhatia)

HTTP/2 max concurrent streams is configurable

This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  http2-max-concurrent-streams: 50

(#5850, @sunjayBhatia)

Other Changes

• Add flags: --incluster, --kubeconfig for enable run the gateway-provisioner in or out of the cluster. (#5686, @izturn)
• Gateway provisioner: Add the overloadMaxHeapSize configuration option to contourDeployment to allow adding overloadManager configuration when generating envoy's initial configuration file. (#5699, @yangyy93)
• Drops the Gateway API webhook from example manifests and testing since validations are now implemented in Common Expression Language (CEL). (#5735, @skriss)
• Gateway API: set Listeners' ResolvedRefs condition to true by default. (#5804, @skriss)
• Updates to Go 1.21.3. See the Go release notes for more information. (#5841, @sunjayBhatia)
• Updates Envoy to v1.28.0. See the release notes here. (#5870, @skriss)

Docs Changes

• Switch to documenting the Gateway API release semantic version instead of API versions in versions.yaml and the compatibility matrix, to provide more information about features available with each release. (#5871, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.27.0 is tested against Kubernetes 1.26 through 1.28.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

• @clayton-gonsalves
• @davinci26
• @izturn
• @shadialtarsha
• @therealak12
• @yangyy93

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.27.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Fix bug with algorithm used to sort Envoy regex/prefix path rules

Envoy greedy matches routes and as a result the order route matches are presented to Envoy is important. Contour attempts to produce consistent routing tables so that the most specific route matches are given preference. This is done to facilitate consistency when using HTTPProxy inclusion and provide a uniform user experience for route matching to be inline with Ingress and Gateway API Conformance.

This changes fixes the sorting algorithm used for Prefix and Regex based path matching. Previously the algorithm lexicographically sorted based on the path match string instead of sorting them based on the length of the Prefix|Regex. i.e. Longer prefix/regexes will be sorted first in order to give preference to more specific routes, then lexicographic sorting for things of the same length.

Note that for prefix matching, this change is not expected to change the relative ordering of more specific prefixes vs. less specific ones when the more specific prefix match string has the less specific one as a prefix, e.g. /foo/bar will continue to sort before /foo. However, relative ordering of other combinations of prefix matches may change per the above description.

How to update safely

Caution is advised if you update Contour and you are operating large routing tables. We advise you to:

1. Deploy a duplicate Contour installation that parses the same CRDs
2. Port-forward to the Envoy admin interface docs
3. Access http://127.0.0.1:9001/config_dump and compare the configuration of Envoy. In particular the routes and their order. The prefix routes might be changing in order, so if they are you need to verify that the route matches as expected.

(#5752, @davinci26)

Minor Changes

Specific routes can now opt out of the virtual host's global rate limit policy

Setting rateLimitPolicy.global.disabled flag to true on a specific route now disables the global rate limit policy inherited from the virtual host for that route.

Sample Configurations

In the example below, /foo route is opted out from the global rate limit policy defined by the virtualhost.

httpproxy.yaml

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: echo
spec:
  virtualhost:
    fqdn: local.projectcontour.io
    rateLimitPolicy:
      global:
        descriptors:
          - entries:
            - remoteAddress: {}
            - genericKey:
                key: vhost
                value: local.projectcontour.io
  routes:
    - conditions:
        - prefix: /
      services:
        - name: ingress-conformance-echo
          port: 80
    - conditions:
        - prefix: /foo
      rateLimitPolicy:
        global:
          disabled: true
      services:
        - name: ingress-conformance-echo
          port: 80

(#5657, @shadialtarsha)

Contour now waits for the cache sync before starting the DAG rebuild and XDS server

Before this, we only waited for informer caches to sync but didn't wait for delivering the events to subscribed handlers.
Now contour waits for the initial list of Kubernetes objects to be cached and processed by handlers (using the returned HasSynced methods)
and then starts building its DAG and serving XDS.

(#5672, @therealak12)

HTTPProxy: Allow Host header rewrite with dynamic headers.

This Change allows the host header to be rewritten on requests using dynamic headers on the only route level.

Example

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: dynamic-host-header-rewrite
spec:
  fqdn: local.projectcontour.io
  routes:
    - conditions:
      - prefix: /
      services:
        - name: s1
          port: 80
    - requestHeaderPolicy:
        set:
        - name: host
          value: "%REQ(x-rewrite-header)%"

(#5678, @clayton-gonsalves)

Add Kubernetes Endpoint Slice support

This change optionally enables Contour to consume the kubernetes endpointslice API to determine the endpoints to configure Envoy with.
Note: This change is off by default and is gated by the feature flag useEndpointSlices.

This feature will be enabled by default in a future version on Contour once it has had sufficient bake time in production environments.

(#5745, @clayton-gonsalves)

Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487

Envoy v1.27.1 mitigates CVE-2023-44487 with some default runtime settings, however the http.max_requests_per_io_cycle does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  max-requests-per-io-cycle: 10

(Note this can be used in addition to the existing Listener configuration field listener.max-requests-per-connection which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)

See the Envoy release notes for more details.

(#5827, @sunjayBhatia)

HTTP/2 max concurrent streams is configurable

This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  http2-max-concurrent-streams: 50

(#5850, @sunjayBhatia)

Other Changes

• Add flags: --incluster, --kubeconfig for enable run the gateway-provisioner in or out of the cluster. (#5686, @izturn)
• Gateway provisioner: Add the overloadMaxHeapSize configuration option to contourDeployment to allow adding overloadManager configuration when generating envoy's initial configuration file. (#5699, @yangyy93)
• Drops the Gateway API webhook from example manifests and testing since validations are now implemented in Common Expression Language (CEL). (#5735, @skriss)
• Gateway API: set Listeners' ResolvedRefs condition to true by default. (#5804, @skriss)
• Updates to Go 1.21.3. See the Go release notes for more information. (#5841, @sunjayBhatia)
• Updates Envoy to v1.28.0. See the release notes here. (#5870, @skriss)

Docs Changes

• Switch to documenting the Gateway API release semantic version instead of API versions in versions.yaml and the compatibility matrix, to provide more information about features available with each release. (#5871, @skriss)

Deprecation and Removal Notices

Installing and Upgrading

The simplest way to install v1.27.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.27.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.27.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.27.0-rc.1 is tested against Kubernetes 1.26 through 1.28.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

• @clayton-gonsalves
• @davinci26
• @izturn
• @shadialtarsha
• @therealak12
• @yangyy93

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.26.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

This release includes various dependency bumps and fixes for CVE-2023-44487, including:

• Updates Envoy to v1.27.2. See the release notes for v1.27.1 here and v1.27.2 here.
• Update to Go v1.20.10. See the Go release notes for more information.

Additional mitigations have been added for CVE-2023-44487 in the form of new configuration fields:

Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487

Envoy mitigates CVE-2023-44487 with some default runtime settings, however the http.max_requests_per_io_cycle does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  max-requests-per-io-cycle: 10

(Note this can be used in addition to the existing Listener configuration field listener.max-requests-per-connection which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)

HTTP/2 max concurrent streams is configurable

This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  http2-max-concurrent-streams: 50

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.26.1 is tested against Kubernetes 1.26 through 1.28.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.25.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

This release includes various dependency bumps and fixes for CVE-2023-44487, including:

• Update to Envoy v1.26.6. See the release notes for v1.26.5 here and v1.26.6 here.
• Update to Go v1.20.10. See the Go release notes for more information.

Additional mitigations have been added for CVE-2023-44487 in the form of new configuration fields:

Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487

Envoy mitigates CVE-2023-44487 with some default runtime settings, however the http.max_requests_per_io_cycle does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  max-requests-per-io-cycle: 10

(Note this can be used in addition to the existing Listener configuration field listener.max-requests-per-connection which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)

HTTP/2 max concurrent streams is configurable

This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  http2-max-concurrent-streams: 50

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.25.3 is tested against Kubernetes 1.25 through 1.27.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.24.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

This release includes various dependency bumps and fixes for CVE-2023-44487, including:

• Update to Envoy v1.25.11. See the release notes for v1.25.10 here and v1.25.11 here.
• Update to Go v1.20.10. See the Go release notes for more information.

Additional mitigations have been added for CVE-2023-44487 in the form of new configuration fields:

Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487

Envoy mitigates CVE-2023-44487 with some default runtime settings, however the http.max_requests_per_io_cycle does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  max-requests-per-io-cycle: 10

(Note this can be used in addition to the existing Listener configuration field listener.max-requests-per-connection which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)

HTTP/2 max concurrent streams is configurable

This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

listener:
  http2-max-concurrent-streams: 50

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.24.6 is tested against Kubernetes 1.24 through 1.26.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.26.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

• Major Changes
• Minor Changes
• Other Changes
• Docs Changes
• Deprecations/Removals
• Installing/Upgrading
• Compatible Kubernetes Versions
• Community Thanks!

Major Changes

Support for Gateway Listeners on more than two ports

Contour now supports Gateway Listeners with many different ports.
Previously, Contour only allowed a single port for HTTP, and a single port for HTTPS/TLS.

As an example, the following Gateway, with two HTTP ports and two HTTPS ports, is now fully supported:

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: contour
spec:
  gatewayClassName: contour
  listeners:
    - name: http-1
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Same
    - name: http-2
      protocol: HTTP
      port: 81
      allowedRoutes:
        namespaces:
          from: Same
    - name: https-1
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        mode: Terminate
        certificateRefs:
        - name: tls-cert-1
    - name: https-2
      protocol: HTTPS
      port: 444
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        mode: Terminate
        certificateRefs:
        - name: tls-cert-2

If you are using the Contour Gateway Provisioner, ports for all valid Listeners will automatically be exposed via the Envoy service, and will update when any Listener changes are made.
If you are using static provisioning, you must keep the Service definition in sync with the Gateway spec manually.

Note that if you are using the Contour Gateway Provisioner along with HTTPProxy or Ingress for routing, then your Gateway must have exactly one HTTP Listener and one HTTPS Listener.
For this case, Contour supports a custom HTTPS Listener protocol value, to avoid having to specify TLS details in the Listener (since they're specified in the HTTPProxy or Ingress instead):

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: contour-with-httpproxy
spec:
  gatewayClassName: contour
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: projectcontour.io/https
      port: 443
      allowedRoutes:
        namespaces:
          from: All

(#5160, @skriss)

Minor Changes

Contour now outputs metrics about status update load

Metrics on status update counts and duration are now output by the xDS server.
This should enable deployments at scale to diagnose delays in status updates and possibly tune the --kubernetes-client-qps and --kubernetes-client-burst flags.

(#5037, @sunjayBhatia)

Watching specific namespaces

The contour serve command takes a new optional flag, --watch-namespaces, that can
be used to restrict the namespaces where the Contour instance watches for resources.
Consequently, resources in other namespaces will not be known to Contour and will not
be acted upon.

You can watch a single or multiple namespaces, and you can further restrict the root
namespaces with --root-namespaces just like before. Root namespaces must be a subset
of the namespaces being watched, for example:

--watch-namespaces=my-admin-namespace,my-app-namespace --root-namespaces=my-admin-namespace

If the --watch-namespaces flag is not used, then all namespaces will be watched by default.

(#5214, @nsimons)

HTTPProxy: Implement Regex Path Matching and Regex Header Matching.

This Change Adds 2 features to HTTPProxy

1. Regex based path matching.
2. Regex based header matching.

Path Matching

In addition to prefix and exact, HTTPProxy now also support regex.

Root Proxies

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: root-regex-match
spec:
  fqdn: local.projectcontour.io
  routes:
    - conditions:
      # matches
      # - /list/1234
      # - /list/
      # - /list/foobar
      # and so on and so forth
      - regex: /list/.*
      services:
        - name: s1
          port: 80
    - conditions:
      # matches
      # - /admin/dev
      # - /admin/prod
      - regex: /admin/(prod|dev)
      services:
        - name: s2
          port: 80

Inclusion

Root

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: root-regex-match
spec:
  fqdn: local.projectcontour.io
  includes:
  - name: child-regex-match
    conditions:
    - prefix: /child
  routes:
    - conditions:
      - prefix: /
      services:
        - name: s1
          port: 80

Included

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: child-regex-match
spec:
  fqdn: local.projectcontour.io
  routes:
    - conditions:
      # matches
      # - /child/list/1234
      # - /child/list/
      # - /child/list/foobar
      # and so on and so forth
      - regex: /list/.*
      services:
        - name: s1
          port: 80
    - conditions:
      # matches
      # - /child/admin/dev
      # - /child/admin/prod
      - regex: /admin/(prod|dev)
      services:
        - name: s2
          port: 80
    - conditions:
      # matches
      # - /child/bar/stats
      # - /child/foo/stats
      # and so on and so forth
      - regex: /.*/stats
      services:
        - name: s3
          port: 80

Header Regex Matching

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: httpproxy-header-matching
spec:
  fqdn: local.projectcontour.io
  routes:
    - conditions:
      - queryParam:
          # matches header `x-header` with value of `dev-value` or `prod-value`
           name: x-header
          regex: (dev|prod)-value
      services:
        - name: s4
          port: 80

(#5319, @clayton-gonsalves)

Adds critical level for access logging

New critical access log level was introduced to reduce the volume of logs for busy installations. Critical level produces access logs for response status >= 500.

(#5360, @davinci26)

Default Global RateLimit Policy

This Change adds the ability to define a default global rate limit policy in the Contour configuration
to be used as a global rate limit policy by all HTTPProxy objects.
HTTPProxy object can decide to opt out and disable this feature using disabled config.

Sample Configurations

contour.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: contour
  namespace: projectcontour
data:
  contour.yaml: |
    rateLimitService:
      extensionService: projectcontour/ratelimit
      domain: contour
      failOpen: false
      defaultGlobalRateLimitPolicy:
        descriptors:
          - entries:
              - remoteAddress: {}
          - entries:
              - genericKey:
                  value: foo

(#5363, @shadialtarsha)

Contour supports setting the MaxRequestsPerConnection

Support setting of MaxRequestsPerConnection on listeners or clusters via the contour configuration.

(#5417, @clayton-gonsalves)

Failures to automatically set GOMAXPROCS are no longer fatal

In some (particularly local development) environments the automaxprocs library fails due to the cgroup namespace setup.
This failure is no longer fatal for Contour.
Contour will now simply log the error and continue with the automatic GOMAXPROCS detection ignored.

(#5427, @sunjayBhatia)

Routes with HTTP Method matching have higher precedence

For conformance with Gateway API v0.7.1+, routes that utilize HTTP method matching now have an explicit precedence over routes with header/query matches.
See the Gateway API documentation for a description of this precedence order.

This change applies not only to HTTPRoute but also HTTPProxy method matches (implemented in configuration via a header match on the :method header).

(#5434, @sunjayBhatia)

Host header including port is passed through unmodified to backend

Previously Contour would strip any port from the Host header in a downstream request for convenience in routing.
This resulted in backends not receiving the Host header with a port.
We no longer do this, for conformance with Gateway API (this change also applies to HTTPProxy and Ingress configuration).

(#5437, @sunjayBhatia)

Gateway API: add TCPRoute support

Contour now supports Gateway API's TCPRoute resource.
This route type provides simple TCP forwarding for traffic received on a given Listener port.

This is a simple example of a Gateway and TCPRoute configuration:

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: contour
  namespace: projectcontour
spec:
  gatewayClassName: contour
  listeners:
    - name: tcp-listener
      protocol: TCP
      port: 10000
      allowedRoutes:
        namespaces:
          from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: echo-1
  namespace: default
spec:
  parentRefs:
  - namespace: projectcontour
    name: contour
    sectionName: tcp-listener
  rules:
  - backendRefs:
    - name: s1
      port: 80

(#5471, @skriss)

Gateway API: Support TLS termination with TLSRoute and TCPRoute

Contour now supports using TLSRoute and TCPRoute in combination with TLS termination.
To use this feature, create a Gateway with a Listener like the following:

- name: tls-listener
  protocol: TLS
  port: 5000
  tls:
    mode: Terminate
    certificateRefs:
    - name: tls-cert-secret
  allowedRoutes:
    namespaces:
      from: All
---

It is then possible to attach either 1+ TLSRoutes, or a single TCPRoute, to this Listener.
If using TLSRoute, traffic can be routed to a different backend based on SNI.
If using TCPRoute, all traffic is forwarded to the backend referenced in the route.

(#5481, @skriss)

Allow setting of per_connection_buffer_limit_bytes value for Clusters

Allow changing per_connection_buffer_limit_bytes for all Clusters. Default is not set to keep compatibility with existing configurations. Envoy recommends setting to 32KiB for Edge proxies.

(#5493, @rajatvig)

Allow setting of per_connection_buffer_limit_bytes value for Listeners

Allow changing per_connection_buffer_limit_bytes for Listeners. Default is not set to keep compatibility with existing configurations.
Envoy recommends setting to 32KiB for Edge proxies.

(#5513, @rajatvig)

Fix order of Global ExtAuth and Global Ratelimit

This ensures that the order of execution of extauth and global ratelimit is the same across HTTP and HTTPS virtualhosts, which is Auth goes first then Global ratelimit. (#5559, @clayton-gonsalves)

Adds support for case-insensitive header matching

Adds support for IgnoreCase in route header matching condition. This brings parity to matching capabilities of query param.

(#5567, @davinci26)

Adds support for treating missing headers as empty when they are not present as part of header matching

TreatMissingAsEmpty specifies if the header match rule specified header does not exist, this header value will be treated as empty. Defaults to false.
Unlike the underlying Envoy implementation this is only supported for negative matches (e.g. NotContains, NotExact).

(#5584, @davinci26)

Adding support for multiple gateway-api RequestMirror filters within the same HTTP or GRPC rule

Currently, Contour supports a single RequestMirror filter per rule in HTTPRoute or GRPCRoute.
Envoy however, supports more than one mirror backend using request_mirror_policies

This PR adds support for multiple gateway-api RequestMirror filters within the same HTTP or GRPC rule.

(#5652, @LiorLieberman)

Support Gateway API v0.8.0

Contour now supports Gateway API v0.8.0, keeping up to date with conformance and API changes.
This release mainly contains refinements to status conditions, conformance test additions, and the addition of CEL validation for Gateway API CRDs.
The previous version of Contour supported Gateway API v0.6.2 and there have been multiple releases in the interim.
See v0.7.0 release notes, v0.7.1 release notes , and v0.8.0 release notes for more detail on the content of these releases.

(#5726, @sunjayBhatia)

Other Changes

• Additional metrics generated by controller-runtime are now included in Prometheus metrics output by Contour. These include metrics around API Server requests, leader election, and individual resource controllers. (#5006, @sunjayBhatia)
• Gateway provisioner: add a container port to the Envoy daemonset/deployment for the metrics port. (#5101, @izturn)
• Add Kubernetes annotations configurability to ContourDeployment resource. to enable customize pod annotations for pod/contour (#5346, @izturn)
• Add configuration for socket options to support DSCP marking for outbound IP packets, for both IPv4 (TOS field) and IPv6 (Traffic Class field). (#5352, @tsaarni)
• Gateway API: Add ipFamilyPolicy field to ContourDeployment.spec.envoy.networkPublishing to control dual-stack-ness of the generated service. (#5386, @Jean-Daniel)
• Gateway provisioner: set the default resource requirements for containers: shutdown-manager & envoy-initconfig (#5425, @izturn)
• DAG rebuild fixes: Update of CRL Secret did not trigger reload when it was not co-located in the same Secret with CA certificate, update of TLS Secret did not trigger reload when using Ingress.spec.tls.secretName with certificate delegation and projectcontour.io/tls-cert-namespace annotation. (#5463, @tsaarni)
• Certgen job name in example deployment manifest is now generated using pattern contour-certgen-v1-26-0 instead of contour-certgen-v1.26.0 to follow Kubernetes pod naming rules. (#5484, @tsaarni)
• Service change now triggers update for GRPCRoute. (#5485, @yanggangtony)
• HTTPProxy: support fractional mirroring to a service by specifying mirror: true and a weight of 1-100. See the traffic mirroring docs for more information. (#5516, @hshamji)
• Gateway API: enable websockets upgrade by default. (#5524, @skriss)
• HTTPProxy: HTTP health checks can now be configured to treat response codes other than 200 as healthy. See HTTPProxy Health Checking and HTTPHealthCheckPolicy reference docs for more information. (#5528, @skriss)
• Refactor the handling of cross-namespace references and improve documentation. (#5529, @tsaarni)
• The maximum TLS version on Envoy Listeners can be configured. Valid options are TLS versions 1.2 and 1.3 with a default of 1.3. (#5533, @izturn)
• Contour can now include the kind, namespace and name of the relevant HTTPProxy/Ingress/HTTPRoute in Envoy's access logs. See the access logging docs for more information. (#5534, @skriss)
• Updates Envoy to v1.27.0. See the release notes here. (#5594, @skriss)
• Gateway provisioner: Expose all Envoy service IPs and Hostname in Gateway.Status.Addresses. Only the first IP was exposed before, even for dual-stack service. (#5651, @Jean-Daniel)
• Updates to Go 1.20.7. See the Go release notes for more information. (#5663, @sunjayBhatia)
• Add included HTTPProxy namespace and name to status condition error message when a root HTTPProxy includes another root. (#5670, @HeavenTonight)
• Gateway provisioner: add a base-id to the Envoy daemonset/deployment to solve the (potential) shared memory regions conflict (#5677, @izturn)
• Updates to Kubernetes 1.28. Supported/tested Kubernetes versions are now 1.26, 1.27 and 1.28. (#5700, @skriss)
• Updates external auth examples and manifests to use the new contour-authserver registry and version, ghcr.io/projectcontour/contour-authserver:v4. (#5725, @skriss)

Docs Changes

• Update FIPS build documentation for changes to Envoy 1.26. Updates guide versions for 1.25 and main. (#5415, @sunjayBhatia)
• Collapses the documentation for 1.21 and 1.20 into a single set per minor version, and removes older docs from the website dropdown. (#5432, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.26.0 is tested against Kubernetes 1.26 through 1.28.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

• @HeavenTonight
• @Jean-Daniel
• @LiorLieberman
• @clayton-gonsalves
• @davinci26
• @hshamji
• @izturn
• @nsimons
• @rajatvig
• @shadialtarsha
• @yanggangtony

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.26.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

• Major Changes
• Minor Changes
• Other Changes
• Docs Changes
• Deprecations/Removals
• Installing/Upgrading
• Compatible Kubernetes Versions
• Community Thanks!

Major Changes

Support for Gateway Listeners on more than two ports

Contour now supports Gateway Listeners with many different ports.
Previously, Contour only allowed a single port for HTTP, and a single port for HTTPS/TLS.

As an example, the following Gateway, with two HTTP ports and two HTTPS ports, is now fully supported:

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: contour
spec:
  gatewayClassName: contour
  listeners:
    - name: http-1
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Same
    - name: http-2
      protocol: HTTP
      port: 81
      allowedRoutes:
        namespaces:
          from: Same
    - name: https-1
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        mode: Terminate
        certificateRefs:
        - name: tls-cert-1
    - name: https-2
      protocol: HTTPS
      port: 444
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        mode: Terminate
        certificateRefs:
        - name: tls-cert-2

If you are using the Contour Gateway Provisioner, ports for all valid Listeners will automatically be exposed via the Envoy service, and will update when any Listener changes are made.
If you are using static provisioning, you must keep the Service definition in sync with the Gateway spec manually.

Note that if you are using the Contour Gateway Provisioner along with HTTPProxy or Ingress for routing, then your Gateway must have exactly one HTTP Listener and one HTTPS Listener.
For this case, Contour supports a custom HTTPS Listener protocol value, to avoid having to specify TLS details in the Listener (since they're specified in the HTTPProxy or Ingress instead):

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: contour-with-httpproxy
spec:
  gatewayClassName: contour
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: projectcontour.io/https
      port: 443
      allowedRoutes:
        namespaces:
          from: All

(#5160, @skriss)

Minor Changes

Contour now outputs metrics about status update load

Metrics on status update counts and duration are now output by the xDS server.
This should enable deployments at scale to diagnose delays in status updates and possibly tune the --kubernetes-client-qps and --kubernetes-client-burst flags.

(#5037, @sunjayBhatia)

Watching specific namespaces

The contour serve command takes a new optional flag, --watch-namespaces, that can
be used to restrict the namespaces where the Contour instance watches for resources.
Consequently, resources in other namespaces will not be known to Contour and will not
be acted upon.

You can watch a single or multiple namespaces, and you can further restrict the root
namespaces with --root-namespaces just like before. Root namespaces must be a subset
of the namespaces being watched, for example:

--watch-namespaces=my-admin-namespace,my-app-namespace --root-namespaces=my-admin-namespace

If the --watch-namespaces flag is not used, then all namespaces will be watched by default.

(#5214, @nsimons)

HTTPProxy: Implement Regex Path Matching and Regex Header Matching.

This Change Adds 2 features to HTTPProxy

1. Regex based path matching.
2. Regex based header matching.

Path Matching

In addition to prefix and exact, HTTPProxy now also support regex.

Root Proxies

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: root-regex-match
spec:
  fqdn: local.projectcontour.io
  routes:
    - conditions:
      # matches
      # - /list/1234
      # - /list/
      # - /list/foobar
      # and so on and so forth
      - regex: /list/.*
      services:
        - name: s1
          port: 80
    - conditions:
      # matches
      # - /admin/dev
      # - /admin/prod
      - regex: /admin/(prod|dev)
      services:
        - name: s2
          port: 80

Inclusion

Root

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: root-regex-match
spec:
  fqdn: local.projectcontour.io
  includes:
  - name: child-regex-match
    conditions:
    - prefix: /child
  routes:
    - conditions:
      - prefix: /
      services:
        - name: s1
          port: 80

Included

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: child-regex-match
spec:
  fqdn: local.projectcontour.io
  routes:
    - conditions:
      # matches
      # - /child/list/1234
      # - /child/list/
      # - /child/list/foobar
      # and so on and so forth
      - regex: /list/.*
      services:
        - name: s1
          port: 80
    - conditions:
      # matches
      # - /child/admin/dev
      # - /child/admin/prod
      - regex: /admin/(prod|dev)
      services:
        - name: s2
          port: 80
    - conditions:
      # matches
      # - /child/bar/stats
      # - /child/foo/stats
      # and so on and so forth
      - regex: /.*/stats
      services:
        - name: s3
          port: 80

Header Regex Matching

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: httpproxy-header-matching
spec:
  fqdn: local.projectcontour.io
  routes:
    - conditions:
      - queryParam:
          # matches header `x-header` with value of `dev-value` or `prod-value`
           name: x-header
          regex: (dev|prod)-value
      services:
        - name: s4
          port: 80

(#5319, @clayton-gonsalves)

Support Gateway API v0.7.1

Contour now supports Gateway API v0.7.1, keeping up to date with conformance and API changes.
This release mainly contains refinements to status conditions and conformance test additions.
See v0.7.0 release notes and v0.7.1 release notes .

(#5353, @sunjayBhatia)

Adds critical level for access logging

New critical access log level was introduced to reduce the volume of logs for busy installations. Critical level produces access logs for response status >= 500.

(#5360, @davinci26)

Default Global RateLimit Policy

This Change adds the ability to define a default global rate limit policy in the Contour configuration
to be used as a global rate limit policy by all HTTPProxy objects.
HTTPProxy object can decide to opt out and disable this feature using disabled config.

Sample Configurations

contour.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: contour
  namespace: projectcontour
data:
  contour.yaml: |
    rateLimitService:
      extensionService: projectcontour/ratelimit
      domain: contour
      failOpen: false
      defaultGlobalRateLimitPolicy:
        descriptors:
          - entries:
              - remoteAddress: {}
          - entries:
              - genericKey:
                  value: foo

(#5363, @shadialtarsha)

Contour supports setting the MaxRequestsPerConnection

Support setting of MaxRequestsPerConnection on listeners or clusters via the contour configuration.

(#5417, @clayton-gonsalves)

Failures to automatically set GOMAXPROCS are no longer fatal

In some (particularly local development) environments the automaxprocs library fails due to the cgroup namespace setup.
This failure is no longer fatal for Contour.
Contour will now simply log the error and continue with the automatic GOMAXPROCS detection ignored.

(#5427, @sunjayBhatia)

Routes with HTTP Method matching have higher precedence

For conformance with Gateway API v0.7.1+, routes that utilize HTTP method matching now have an explicit precedence over routes with header/query matches.
See the Gateway API documentation for a description of this precedence order.

This change applies not only to HTTPRoute but also HTTPProxy method matches (implemented in configuration via a header match on the :method header).

(#5434, @sunjayBhatia)

Host header including port is passed through unmodified to backend

Previously Contour would strip any port from the Host header in a downstream request for convenience in routing.
This resulted in backends not receiving the Host header with a port.
We no longer do this, for conformance with Gateway API (this change also applies to HTTPProxy and Ingress configuration).

(#5437, @sunjayBhatia)

Gateway API: add TCPRoute support

Contour now supports Gateway API's TCPRoute resource.
This route type provides simple TCP forwarding for traffic received on a given Listener port.

This is a simple example of a Gateway and TCPRoute configuration:

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: contour
  namespace: projectcontour
spec:
  gatewayClassName: contour
  listeners:
    - name: tcp-listener
      protocol: TCP
      port: 10000
      allowedRoutes:
        namespaces:
          from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: echo-1
  namespace: default
spec:
  parentRefs:
  - namespace: projectcontour
    name: contour
    sectionName: tcp-listener
  rules:
  - backendRefs:
    - name: s1
      port: 80

(#5471, @skriss)

Gateway API: Support TLS termination with TLSRoute and TCPRoute

Contour now supports using TLSRoute and TCPRoute in combination with TLS termination.
To use this feature, create a Gateway with a Listener like the following:

- name: tls-listener
  protocol: TLS
  port: 5000
  tls:
    mode: Terminate
    certificateRefs:
    - name: tls-cert-secret
  allowedRoutes:
    namespaces:
      from: All
---

It is then possible to attach either 1+ TLSRoutes, or a single TCPRoute, to this Listener.
If using TLSRoute, traffic can be routed to a different backend based on SNI.
If using TCPRoute, all traffic is forwarded to the backend referenced in the route.

(#5481, @skriss)

Allow setting of per_connection_buffer_limit_bytes value for Clusters

Allow changing per_connection_buffer_limit_bytes for all Clusters. Default is not set to keep compatibility with existing configurations. Envoy recommends setting to 32KiB for Edge proxies.

(#5493, @rajatvig)

Allow setting of per_connection_buffer_limit_bytes value for Listeners

Allow changing per_connection_buffer_limit_bytes for Listeners. Default is not set to keep compatibility with existing configurations.
Envoy recommends setting to 32KiB for Edge proxies.

(#5513, @rajatvig)

Adds support for case-insensitive header matching

Adds support for IgnoreCase in route header matching condition. This brings parity to matching capabilities of query param.

(#5567, @davinci26)

Adds support for treating missing headers as empty when they are not present as part of header matching

TreatMissingAsEmpty specifies if the header match rule specified header does not exist, this header value will be treated as empty. Defaults to false.
Unlike the underlying Envoy implementation this is only supported for negative matches (e.g. NotContains, NotExact).

(#5584, @davinci26)

Fix order of Global ExtAuth and Global Ratelimit

This ensures that the order of execution of extauth and global ratelimit is the same across HTTP and HTTPS virtualhosts, which is Auth goes first then Global ratelimit.

(#5559, @clayton-gonsalves)

Other Changes

• Additional metrics generated by controller-runtime are now included in Prometheus metrics output by Contour. These include metrics around API Server requests, leader election, and individual resource controllers. (#5006, @sunjayBhatia)
• Gateway provisioner: add a container port to the Envoy daemonset/deployment for the metrics port. (#5101, @izturn)
• Add Kubernetes annotations configurability to ContourDeployment resource. to enable customize pod annotations for pod/contour (#5346, @izturn)
• Gateway API: Add ipFamilyPolicy field to ContourDeployment.spec.envoy.networkPublishing to control dual-stack-ness of the generated service. (#5386, @Jean-Daniel)
• Gateway provisioner: set the default resource requirements for containers: shutdown-manager & envoy-initconfig (#5425, @izturn)
• DAG rebuild fixes: Update of CRL Secret did not trigger reload when it was not co-located in the same Secret with CA certificate, update of TLS Secret did not trigger reload when using Ingress.spec.tls.secretName with certificate delegation and projectcontour.io/tls-cert-namespace annotation. (#5463, @tsaarni)
• Certgen job name in example deployment manifest is now generated using pattern contour-certgen-v1-26-0 instead of contour-certgen-v1.26.0 to follow Kubernetes pod naming rules. (#5484, @tsaarni)
• Service change now triggers update for GRPCRoute. (#5485, @yanggangtony)
• HTTPProxy: support fractional mirroring to a service by specifying mirror: true and a weight of 1-100. See the traffic mirroring docs for more information. (#5516, @hshamji)
• Gateway API: enable websockets upgrade by default. (#5524, @skriss)
• HTTPProxy: HTTP health checks can now be configured to treat response codes other than 200 as healthy. See HTTPProxy Health Checking and HTTPHealthCheckPolicy reference docs for more information. (#5528, @skriss)
• Refactor the handling of cross-namespace references and improve documentation. (#5529, @tsaarni)
• Contour can now include the kind, namespace and name of the relevant HTTPProxy/Ingress/HTTPRoute in Envoy's access logs. See the access logging docs for more information. (#5534, @skriss)
• Updates to Go 1.20.6. See the Go release notes for more information. (#5555, @skriss)
• Updates Envoy to v1.27.0. See the release notes here. (#5594, @skriss)

Docs Changes

• Update FIPS build documentation for changes to Envoy 1.26. Updates guide versions for 1.25 and main. (#5415, @sunjayBhatia)
• Collapses the documentation for 1.21 and 1.20 into a single set per minor version, and removes older docs from the website dropdown. (#5432, @skriss)

Installing and Upgrading

The simplest way to install v1.26.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.26.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.26.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.26.0-rc.1 is tested against Kubernetes 1.25 through 1.27.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

• @Jean-Daniel
• @clayton-gonsalves
• @davinci26
• @hshamji
• @izturn
• @nsimons
• @rajatvig
• @shadialtarsha
• @yanggangtony

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.25.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

• Bumps client-go to v1.26.7. This ensures better compatibility with Kubernetes v1.27 clusters. See this upstream issue for more context on why this change is required. Many thanks to @chrism417 for bringing this to our attention.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.25.2 is tested against Kubernetes 1.25 through 1.27.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.25.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

• Update to Envoy v1.26.4. See the Envoy release notes for more information about the content of the release.
• Update to Go v1.20.6. See the Go release notes for more information.
• Failure to automatically set GOMAXPROCS using the automaxprocs library is no longer fatal. Contour will now simply log the error and continue with the automatic GOMAXPROCS detection ignored.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.25.1 is tested against Kubernetes 1.25 through 1.27.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.24.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

• Update to Envoy v1.25.9. See the Envoy release notes for more information about the content of the release.
• Update to Go v1.19.11. See the Go release notes for more information.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.24.5 is tested against Kubernetes 1.24 through 1.26.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.23.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

• Update to Envoy v1.24.10. See the Envoy release notes for more information about the content of the release including details on the addressed CVEs.
• Update to Go v1.19.11. See the Go release notes for more information.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.6 is tested against Kubernetes 1.23 through 1.25.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.25.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

IP Filter Support

Contour's HTTPProxy now supports configuring Envoy's RBAC filter for allowing or denying requests by IP.

An HTTPProxy can optionally include one or more IP filter rules, which define CIDR ranges to allow or deny requests based on origin IP. Filters can indicate whether the direct IP should be used or whether a reported IP from PROXY or X-Forwarded-For should be used instead. If the latter, Contour's numTrustedHops setting will be respected when determining the source IP. Filters defined at the VirtualHost level apply to all routes, unless overridden by a route-specific filter.

For more information, see:

• HTTPProxy API documentation
• IPFilterPolicy API documentation
• Envoy RBAC filter documentation

(#5008, @ecordell)

Add Tracing Support

Contour now supports exporting tracing data to OpenTelemetry

The Contour configuration file and ContourConfiguration CRD will be extended with a new optional tracing section. This configuration block, if present, will enable tracing and will define the trace properties needed to generate and export trace data.

Contour supports the following configurations

• Custom service name, the default is contour.
• Custom sampling rate, the default is 100.
• Custom the maximum length of the request path, the default is 256.
• Customize span tags from literal and request headers.
• Customize whether to include the pod's hostname and namespace.

(#5043, @yangyy93)

Minor Changes

Add support for Global External Authorization for HTTPProxy.

Contour now supports external authorization for all hosts by setting the config as part of the contourConfig like so:

globalExtAuth:
  extensionService: projectcontour-auth/htpasswd
  failOpen: false
  authPolicy:
    context:
      header1: value1
      header2: value2
  responseTimeout: 1s

Individual hosts can also override or opt out of this global configuration.
You can read more about this feature in detail in the guide.

(#4994, @clayton-gonsalves)

HTTPProxy: Add support for exact path match condition

HttpProxy conditions block now also supports exact path match condition.

(#5000, @arjunsalyan)

HTTPProxy: Internal Redirect support

Contour now supports specifying an internalRedirectPolicy on a Route to handle 3xx redirects internally, that is capturing a configurable 3xx redirect response, synthesizing a new request, sending it to the upstream specified by the new route match, and returning the redirected response as the response to the original request.

(#5010, @Jean-Daniel)

HTTPProxy: implement HTTP query parameter matching

Contour now implements HTTP query parameter matching for HTTPProxy resource-based routes. It supports Exact, Prefix, Suffix, Regex and Contains string matching conditions together with the IgnoreCase modifier and also the Present matching condition. For example, the following HTTPProxy will route requests based on the configured condition examples for the given query parameter search:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: httpproxy-queryparam-matching
spec:
  routes:
    - conditions:
      - queryParam:
          # will match e.g. '?search=example' as is
          name: search
          exact: example
      services:
        - name: s1
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=prefixthis' or any string value prefixed by `prefix` (case insensitive)
          name: search
          prefix: PreFix
          ignoreCase: true
      services:
        - name: s2
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=thispostfix' or any string value suffixed by `postfix` (case sensitive)
          name: search
          suffix: postfix
      services:
        - name: s3
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=regularexp123' or any string value matching the given regular expression
          name: search
          regex: ^regular.*
      services:
        - name: s4
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=somethinginsideanother' or any string value containing the substring 'inside' (case sensitive)
          name: search
          contains: inside
      services:
        - name: s5
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=' or any string value given to the named parameter
          name: search
          present: true
      services:
        - name: s6
          port: 80

(#5036, @relu)

Allow Disabling Features

The contour serve command takes a new optional flag, --disable-feature, that allows disabling certain features.

The flag is used to disable the informer for a custom resource, effectively making the corresponding CRD optional in the cluster. You can provide the flag multiple times.

Current options include extensionservices and the experimental Gateway API features tlsroutes and grpcroutes.

For example, to disable ExtensionService CRD, use the flag as follows: --disable-feature=extensionservices.

(#5080, @nsimons)

Gateway API: support GRPCRoute

Contour now implements GRPCRoute (https://gateway-api.sigs.k8s.io/api-types/grpcroute/). The "core conformance" parts of the spec are implemented. See https://projectcontour.io/docs/1.25/guides/grpc/#gateway-api-configuration on how to use GRPCRoute.

(#5114, @fangfpeng)

Other Changes

• Add AllowPrivateNetwork to CORSPolicy for support Access-Control-Allow-Private-Network. (#5034, @lvyanru8200)
• Optimize processing of HTTPProxy, Secret and other objects by avoiding full object comparison. This reduces CPU usage during object updates. (#5064, @tsaarni)
• Gateway API: support the path field on the HTTPRoute RequestRedirect filter. (#5068, @skriss)
• Optimized the memory usage when handling Secrets in Kubernetes client informer cache. (#5099, @tsaarni)
• Adds a new gauge metric, contour_dag_cache_object, to indicate the total number of items that are currently in the DAG cache. (#5109, @izturn)
• Gateway API: for routes, replace use of custom NotImplemented condition with the upstream Accepted: false condition with reason UnsupportedValue to match the spec. (#5125, @skriss)
• %REQ() operator in request/response header policies now properly supports HTTP/2 pseudo-headers, header fallbacks, and truncating header values. (#5130, @sunjayBhatia)
• Gateway API: for routes, always set ResolvedRefs condition, even if true to match the spec. (#5131, @izturn)
• Set 502 response if include references another root. (#5157, @liangyuanpeng)
• Update to support Gateway API v0.6.2, which includes updated conformance tests. See release notes here. (#5194, @sunjayBhatia)
• HTTPProxy: support Host header rewrites per-service. (#5195, @fangfpeng)
• Contour now sets GOMAXPROCS to match the number of CPUs available to the container which results in lower and more stable CPU usage under high loads and where the container and node CPU counts differ significantly.
  This is the default behavior but can be overridden by specifying GOMAXPROCS to a fixed value as an environment variable. (#5211, @rajatvig)
• Gateway API: Contour now always sets the Accepted condition on Gateway Listeners. If there is a specific validation error of top-level fields (port, protocol, etc.) the status is set to False, otherwise it is set to True. (#5220, @sunjayBhatia)
• Gateway API: Envoy containers manifests should use value from envoy.health.port and envoy.metrics.port if they are defined in ContourDeployment.spec.runtimeSettings. (#5233, @Jean-Daniel)
• Gateway API: support regex path/header match for HTTPRoute and regex header match for GRPCRoute. (#5239, @fangfpeng)
• Fix HTTPProxy duplicate include detection. If we have multiple distinct includes on the same path but different headers or query parameters, duplicates of any include conditions after the first were not detected. (#5296, @sunjayBhatia)
• Gateway API: support regular expressions in HTTPRoute query param match type. (#5310, @padlar)
• Supported/tested Kubernetes versions are now 1.25, 1.26, 1.27. (#5318, @skriss)
• Updates Envoy to v1.26.1. See the v1.26.0 and v1.26.1 changelogs for details. (#5320, @skriss)
• Updates to Go 1.20.4. See the Go release notes for more information. (#5347, @skriss)

Docs Changes

• Upgrade algolia docsearch to v3 on the docs website (#5129, @pnbrown)
• Updates Steve Kriss as Tech Lead and moves Nick Young to Emeritus Maintainer (#5151, @pnbrown)
• Move to a single set of docs per minor release, e.g. 1.24, 1.23 and 1.22. (#5163, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.25.0 is tested against Kubernetes 1.25 through 1.27.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, we would like to give a special shoutout to the folks who joined our ContribFest at KubeCon EU 2023:

• @padlar
• @IdanAtias
• @owayss
• @shayyxi
• @bhavaniMiro
• @umutkocasarac

We'd also like to thank the other contributors to this release:

• @Jean-Daniel
• @arjunsalyan
• @clayton-gonsalves
• @ecordell
• @fangfpeng
• @izturn
• @liangyuanpeng
• @lvyanru8200
• @nsimons
• @pnbrown
• @rajatvig
• @relu
• @yangyy93

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.24.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

• Fix for bug in HTTPProxy duplicate include detection that caused memory usage spikes when root HTTPProxies with a large number of includes using header match conditions are present.
• Update to Envoy v1.25.6. See the Envoy release notes for more information about the content of the release.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.24.4 is tested against Kubernetes 1.24 through 1.26.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.25.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

IP Filter Support

Contour's HTTPProxy now supports configuring Envoy's RBAC filter for allowing or denying requests by IP.

An HTTPProxy can optionally include one or more IP filter rules, which define CIDR ranges to allow or deny requests based on origin IP.
Filters can indicate whether the direct IP should be used or whether a reported IP from PROXY or X-Forwarded-For should be used instead.
If the latter, Contour's numTrustedHops setting will be respected when determining the source IP.
Filters defined at the VirtualHost level apply to all routes, unless overridden by a route-specific filter.

For more information, see:

• HTTPProxy API documentation
• IPFilterPolicy API documentation
• Envoy RBAC filter documentation

(#5008, @ecordell)

Add Tracing Support

Contour now supports exporting tracing data to OpenTelemetry

The Contour configuration file and ContourConfiguration CRD will be extended with a new optional tracing section. This configuration block, if present, will enable tracing and will define the trace properties needed to generate and export trace data.

Contour supports the following configurations

• Custom service name, the default is contour.
• Custom sampling rate, the default is 100.
• Custom the maximum length of the request path, the default is 256.
• Customize span tags from literal and request headers.
• Customize whether to include the pod's hostname and namespace.

(#5043, @yangyy93)

Minor Changes

Add support for Global External Authorization for HTTPProxy.

Contour now supports external authorization for all hosts by setting the config as part of the contourConfig like so:

globalExtAuth:
  extensionService: projectcontour-auth/htpasswd
  failOpen: false
  authPolicy:
    context:
      header1: value1
      header2: value2
  responseTimeout: 1s

Individual hosts can also override or opt out of this global configuration.
You can read more about this feature in detail in the guide.

(#4994, @clayton-gonsalves)

HTTPProxy: Add support for exact path match condition

HttpProxy conditions block now also supports exact path match condition.

(#5000, @arjunsalyan)

HTTPProxy: Internal Redirect support

Contour now supports specifying an internalRedirectPolicy on a Route to handle 3xx redirects internally, that is capturing a configurable 3xx redirect response, synthesizing a new request,
sending it to the upstream specified by the new route match,
and returning the redirected response as the response to the original request.

(#5010, @Jean-Daniel)

HTTPProxy: implement HTTP query parameter matching

Contour now implements HTTP query parameter matching for HTTPProxy
resource-based routes. It supports Exact, Prefix, Suffix, Regex and
Contains string matching conditions together with the IgnoreCase modifier
and also the Present matching condition.
For example, the following HTTPProxy will route requests based on the configured
condition examples for the given query parameter search:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: httpproxy-queryparam-matching
spec:
  routes:
    - conditions:
      - queryParam:
          # will match e.g. '?search=example' as is
          name: search
          exact: example
      services:
        - name: s1
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=prefixthis' or any string value prefixed by `prefix` (case insensitive)
          name: search
          prefix: PreFix
          ignoreCase: true
      services:
        - name: s2
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=thispostfix' or any string value suffixed by `postfix` (case sensitive)
          name: search
          suffix: postfix
      services:
        - name: s3
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=regularexp123' or any string value matching the given regular expression
          name: search
          regex: ^regular.*
      services:
        - name: s4
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=somethinginsideanother' or any string value containing the substring 'inside' (case sensitive)
          name: search
          contains: inside
      services:
        - name: s5
          port: 80
    - conditions:
      - queryParam:
          # will match e.g. '?search=' or any string value given to the named parameter
          name: search
          present: true
      services:
        - name: s6
          port: 80

(#5036, @relu)

Allow Disabling Features

The contour serve command takes a new optional flag, --disable-feature, that allows disabling
certain features.

The flag is used to disable the informer for a custom resource, effectively making the corresponding
CRD optional in the cluster. You can provide the flag multiple times.

Current options include extensionservices and the experimental Gateway API features tlsroutes and
grpcroutes.

For example, to disable ExtensionService CRD, use the flag as follows: --disable-feature=extensionservices.

(#5080, @nsimons)

Gateway API: support the GRPCRoute

Contour now implements GRPCRoute (https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
The "core conformance" parts of the spec are implemented.
See https://projectcontour.io/docs/v1.25.0/guides/grpc/#gateway-api-configuration
on how to use GRPCRoute.

(#5114, @fangfpeng)

Other Changes

• Add AllowPrivateNetwork to CORSPolicy for support Access-Control-Allow-Private-Network. (#5034, @lvyanru8200)
• Optimize processing of HTTPProxy, Secret and other objects by avoiding full object comparison. This reduces CPU usage during object updates. (#5064, @tsaarni)
• Gateway API: support the path field on the HTTPRoute RequestRedirect filter. (#5068, @skriss)
• Optimized the memory usage when handling Secrets in Kubernetes client informer cache. (#5099, @tsaarni)
• Adds a new gauge metric, contour_dag_cache_object, to indicate the total number of items that are currently in the DAG cache. (#5109, @izturn)
• Gateway API: for routes, replace use of custom NotImplemented condition with the upstream Accepted: false condition with reason UnsupportedValue to match the spec. (#5125, @skriss)
• %REQ() operator in request/response header policies now properly supports HTTP/2 pseudo-headers, header fallbacks, and truncating header values. (#5130, @sunjayBhatia)
• Gateway API: for routes, always set ResolvedRefs condition, even if true to match the spec. (#5131, @izturn)
• Set 502 response if include references another root. (#5157, @liangyuanpeng)
• Update to support Gateway API v0.6.2, which includes updated conformance tests. See release notes here. (#5194, @sunjayBhatia)
• HTTPProxy: support Host header rewrites per-service. (#5195, @fangfpeng)
• Contour now sets GOMAXPROCS to match the number of CPUs available to the container which results in lower and more stable CPU usage under high loads and where the container and node CPU counts differ significantly.
  This is the default behavior but can be overridden by specifying GOMAXPROCS to a fixed value as an environment variable. (#5211, @rajatvig)
• Gateway API: Contour now always sets the Accepted condition on Gateway Listeners. If there is a specific validation error of top-level fields (port, protocol, etc.) the status is set to False, otherwise it is set to True. (#5220, @sunjayBhatia)
• Gateway API: Envoy containers manifests should use value from envoy.health.port and envoy.metrics.port if they are defined in ContourDeployment.spec.runtimeSettings. (#5233, @Jean-Daniel)
• Gateway API: support regex path/header match for HTTPRoute and regex header match for GRPCRoute. (#5239, @fangfpeng)
• Updates to Go 1.20.3. See the Go release notes for more information. (#5254, @sunjayBhatia)
• Fix HTTPProxy duplicate include detection. If we have multiple distinct includes on the same path but different headers or query parameters, duplicates of any include conditions after the first were not detected. (#5296, @sunjayBhatia)
• Gateway API: support regular expressions in HTTPRoute query param match type. (#5310, @padlar)
• Supported/tested Kubernetes versions are now 1.25, 1.26, 1.27. (#5318, @skriss)
• Updates Envoy to v1.26.1. See the v1.26.0 and v1.26.1 changelogs for details. (#5320, @skriss)

Docs Changes

• Upgrade algolia docsearch to v3 on the docs website (#5129, @pnbrown)
• Updates Steve Kriss as Tech Lead and moves Nick Young to Emeritus Maintainer (#5151, @pnbrown)
• Move to a single set of docs per minor release, e.g. 1.24, 1.23 and 1.22. (#5163, @skriss)

Installing and Upgrading

The simplest way to install v1.25.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.25.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.25.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.25.0-rc.1 is tested against Kubernetes 1.25 through 1.27.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

• @Jean-Daniel
• @arjunsalyan
• @clayton-gonsalves
• @ecordell
• @fangfpeng
• @izturn
• @liangyuanpeng
• @lvyanru8200
• @nsimons
• @padlar
• @pnbrown
• @rajatvig
• @relu
• @yangyy93

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.24.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

• Update to Envoy v1.25.4. See the Envoy release notes for more information about the content of the release and details on the addressed CVEs can be found here.
• Update to Go v1.19.8. See the Go release notes for more information.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.24.3 is tested against Kubernetes 1.24 through 1.26.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.23.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

• Update to Envoy v1.24.5. See the Envoy release notes for more information about the content of the release and details on the addressed CVEs can be found here.
• Update to Go v1.19.8. See the Go release notes for more information.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.5 is tested against Kubernetes 1.23 through 1.25.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.22.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

• All Changes
• Installing/Upgrading
• Compatible Kubernetes Versions

All Changes

• Update to Envoy v1.23.7. See the Envoy release notes for more information about the content of the release and details on the addressed CVEs can be found here.
• Update to Go v1.19.8. See the Go release notes for more information.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.6 is tested against Kubernetes 1.22 through 1.24.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.22.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

• Update to Envoy v1.23.5. See the Envoy release notes for more information about the content of the release.
• Update to Go v1.19.7. See the Go release notes for more information.
• Update to golang.org/x/[email protected].
• Update to golang.org/x/[email protected].

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.5 is tested against Kubernetes 1.22 through 1.24.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.23.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

• Update to Envoy v1.24.3. See the Envoy release notes for more information about the content of the release.
• Update to Go v1.19.7. See the Go release notes for more information.
• Update to golang.org/x/[email protected].
• Update to golang.org/x/[email protected].

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.4 is tested against Kubernetes 1.23 through 1.25.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

We are delighted to present version v1.24.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

• Update to Envoy v1.25.2. See the Envoy release notes for more information about the content of the release.
• Update to Go v1.19.7. See the Go release notes for more information.
• Update to golang.org/x/[email protected].
• Update to golang.org/x/[email protected].

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.24.2 is tested against Kubernetes 1.24 through 1.26.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.