contour

Contour is a Kubernetes ingress controller using Envoy proxy.

APACHE-2.0 License

Stars
3.6K
Committers
223


contour - Contour v1.24.1

Published by sunjayBhatia over 1 year ago

We are delighted to present version v1.24.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Update to Envoy v1.25.1. See the Envoy release notes for more information about the content of the release.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.24.1 is tested against Kubernetes 1.24 through 1.26.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.23.3

Published by sunjayBhatia over 1 year ago

We are delighted to present version v1.23.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

All Changes

  • Update to Envoy v1.24.2. See the Envoy release notes for more information about the content of the release.
  • Update to Go v1.19.5. See the Go release notes for more information about the content of the release.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.3 is tested against Kubernetes 1.23 through 1.25.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.22.4

Published by sunjayBhatia over 1 year ago

We are delighted to present version v1.22.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Update to Envoy v1.23.4. See the Envoy release notes for more information about the content of the release.
  • Update to Go v1.19.5. See the Go release notes for more information about the content of the release.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.4 is tested against Kubernetes 1.22 through 1.24.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.24.0

Published by sunjayBhatia over 1 year ago

We are delighted to present version v1.24.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Fix handling of duplicate HTTPProxy Include Conditions

Duplicate include conditions are now correctly identified, and HTTPProxies are marked with the condition IncludeError and reason DuplicateMatchConditions.
Previously the HTTPProxy processor compared only adjacent includes, and compared conditions element by element rather than as a whole (ANDed together).

In addition, the previous behavior when duplicate Include Conditions were identified was to throw out all routes on the offending HTTPProxy, including valid ones.
Any referenced child HTTPProxies were marked as Orphaned as a result, even if they were included correctly.
With this change, all valid Includes and Route rules are processed and programmed in the data plane, which is a difference in behavior from previous releases.
An Include is deemed to be a duplicate if it has the exact same match Conditions as an Include that precedes it in the list.
Only child HTTPProxies that are referenced by a duplicate Include and not by any other valid Include are marked as Orphaned.

Caveat for empty or individual prefix path matches on /

A caveat to the above is that an empty list of include conditions, or a set of conditions consisting only of a prefix match on /, is not treated as a duplicate.

This special case has been added because many users rely on the behavior this enables and many Contour examples demonstrating inclusion actually use it.
For example:

---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example
spec:
  virtualhost:
    fqdn: foo-example.bar.com
  includes:
  - name: example-child1
  - name: example-child2
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example-child1
spec:
  routes:
  - conditions:
    - prefix: /
    services:
    - name: s1
      port: 80
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example-child2
spec:
  routes:
  - conditions:
    - prefix: /foo
    services:
    - name: s2
      port: 80

While the include conditions are equivalent, the resulting routing rules when the child routes are taken into account are distinct.

This special casing is a stop-gap for this release, to ensure we do not break users' configurations that are currently valid and working.

Future changes to inclusion and route duplicate detection

Currently duplicate route conditions are not checked in an HTTPProxy include tree or within an individual HTTPProxy.
This means that routes listed later in an HTTPProxy's list of routes can silently override earlier ones.
The same can happen if you have an include tree that generates duplicate routes based on the include conditions and route conditions.

If you are relying on this behavior, changes will be coming in the next Contour release.

We will be submitting a design document to address this as it will be a significant behavior change and encourage the community to weigh in.
The current plan is to fully validate duplicate route match conditions as they are generated from the tree of includes and routes.
There will likely be changes to the status conditions set on HTTPProxies to improve reporting of such invalid configuration.

(#4931, #5017, @sunjayBhatia)

Contour supports Gateway API release v0.6.0

See the Gateway API release notes for more detail on the API changes.
This version of the API includes a few changes relevant to Contour users:

  • The ReferenceGrant resource has been graduated to the v1beta1 API and ReferencePolicy removed from the API
  • v1alpha2 versions of GatewayClass, Gateway, and HTTPRoute are deprecated
  • There have been significant changes to status conditions on various resources for consistency:
    • Accepted and Programmed conditions have been added to Gateway and Gateway Listener
    • The Ready condition has been moved to "extended" conformance, at this moment Contour does not program this condition
    • The Scheduled condition has been deprecated on Gateway

(#4944, @sunjayBhatia)

shutdown-manager sidecar container liveness probe removed

The liveness probe has been removed from the Envoy pods' shutdown-manager sidecar container.
This change mitigates a problem where, when the liveness probe fails, only the shutdown-manager container is restarted.
That ultimately has the unintended effect of leaving the envoy container stuck indefinitely in a "DRAINING" state, not serving traffic.

Overall, not having the liveness probe on the shutdown-manager container is less bad because envoy pods are less likely to get stuck in "DRAINING" indefinitely.
In the worst case, during termination of an Envoy pod (due to upgrade, scaling, etc.), shutdown-manager is truly unresponsive, in which case the envoy container will simply terminate without first draining active connections.
If appropriate (i.e. during an upgrade), a new Envoy pod will then be created and re-added to the set of ready Envoys to load balance traffic to.

(#4967, @skriss)

Minor Changes

Add optional health check port for HTTP health check and TCP health check

HTTPProxy.Route.Service and HTTPProxy.TCPProxy.Service now have an optional HealthPort field which specifies a health check port that is different from the routing port. If not specified, the service Port field is used for health checking.

(#4761, @yangyy93)

Secrets not relevant to Contour no longer validated

Contour no longer validates Secrets that are not used by an Ingress, HTTPProxy, Gateway, or Contour global config.
Validation is now performed as needed when a Secret is referenced.
This change also replaces misleading "Secret not found" error conditions with more specific errors when a Secret referenced by one of the above objects does exist, but is not valid.

(#4788, @skriss)

Optional Client Certificate Validation

By default, when client certificate validation is configured, client certificates are required.
However, some applications might support different authentication schemes.
You can now set the httpproxy.spec.virtualhost.tls.clientValidation.optionalClientCertificate field to true. A client certificate will be requested, but the connection is allowed to continue if the client does not provide one.
If a client certificate is sent, it is verified according to the other clientValidation properties; note that if httpproxy.spec.virtualhost.tls.clientValidation.skipClientCertValidation is set, the certificate is accepted without being validated.

(#4796, @gautierdelorme)

Client Certificate Details Forwarding

HTTPProxy now supports passing certificate data through the x-forwarded-client-cert header to let applications use details from client certificates (e.g. Subject, SAN...).
Since the certificate (or the certificate chain) could exceed the web server header size limit, you have the ability to select what specific part of the certificate to expose in the header through the httpproxy.spec.virtualhost.tls.clientValidation.forwardClientCertificate field.
Read more about the supported values in the Envoy documentation.

(#4797, @gautierdelorme)

Enable configuring Server header transformation

Envoy's treatment of the Server header on responses can now be configured in the Contour config file or ContourConfiguration CRD.
When configured as overwrite, Envoy overwrites any Server header with "envoy".
When configured as append_if_absent, Envoy passes through an existing Server header and otherwise sets it to "envoy".
When configured as pass_through, Envoy passes through the value of the Server header and does not add one if none is present.

(#4906, @Vishal-Chdhry)

Added support for ALL DNS lookup family.

If ALL is specified, the DNS resolver will perform a lookup for both IPv4 and IPv6 families, and return all resolved addresses. When this is used, Happy Eyeballs will be enabled for upstream connections.

(#4909, @Vishal-Chdhry)

Update Envoy to v1.25.0

Bumps Envoy to version 1.25.0.
See Envoy release notes here.

(#4988, @skriss)

Kubernetes API client queries per second (QPS) and burst now configurable

Contour's Kubernetes API client defaults to allowing 5 requests per second, with a maximum of 10 over a short period.
These settings can now be configured, either by flag or by config file.
The contour serve flags are --kubernetes-client-qps and --kubernetes-client-burst.
The config file fields are kubernetesClientQPS and kubernetesClientBurst.

(#5003, @skriss)

Other Changes

  • Add (update)Strategy configurability to ContourDeployment resource for components. (#4713, @izturn)
  • Don't trigger DAG rebuilds for updates/deletes of unrelated Secrets. (#4792, @skriss)
  • Allow TLS certificate secrets to be of type Opaque as long as they have valid tls.crt and tls.key entries. (#4799, @skriss)
  • Add Envoy log level configurability to ContourDeployment resource. (#4801, @izturn)
  • Add Service/Envoy's ExternalTrafficPolicy configurability to ContourDeployment resource. (#4803, @izturn)
  • Deprecated Envoy xDS APIs from Envoy 1.24.0 are no longer in use, see here for details on their replacements. (#4822, @sunjayBhatia)
  • Don't trigger DAG rebuilds for updates/deletes of unrelated Services. (#4827, @Vishal-Chdhry)
  • Fixed bug where ExtensionServices were being updated continuously by Contour (#4846, @Vishal-Chdhry)
  • Add grpc_status_number to the default JSON access log fields (#4880, @rajatvig)
  • Implement support for Gateway API HTTPRoute ResponseHeaderModifier filter. (#4908, @sunjayBhatia)
  • Don't trigger DAG rebuilds/xDS configuration updates for irrelevant HTTPRoutes and TLSRoutes. (#4912, @fangfpeng)
  • Ensure changes to Services referenced by TLSRoute trigger xDS configuration updates. (#4915, @vmw-yingy)
  • Supported/tested Kubernetes versions are now 1.24, 1.25, 1.26. (#4937, @skriss)
  • Sort the command-line option flags into lexicographic order (fixes #2397). (#4958, @izturn)
  • Gateway API: adds support for the HTTPURLRewrite filter, which allows for rewriting the path or Host header as requests are being forwarded to the backend. (#4962, @skriss)
  • Expose configuration for Envoy's RateLimitedAsResourceExhausted option. (#4971, @vroldanbet)
  • Gateway API: when provisioning an Envoy NodePortService, use the Listeners' port numbers to populate the Service's node port values. (#4973, @izturn)
  • Updates to Go 1.19.5. See the Go release notes for more information. (#4980, @skriss)
  • Improve xDS server logging on connection close to be less verbose by default. Previously all closed connections from Envoy xDS resource subscriptions were logged as errors. (#4993, @sunjayBhatia)
  • Adds a new summary metric, contour_dagrebuild_seconds, to measure the duration of DAG rebuilds by quantile. (#5009, @skriss)
  • Fixes a bug where the CLI did not have its Logger initialized which was resulting in a panic. (#5015, @skriss)

Docs Changes

  • Update the "FIPS 140-2 in Contour" guide for Go 1.19+. (#4813, @moeyui1)
  • Added a section to the Deployment Options document describing how to deploy more than one Contour instance in a single cluster. (#4832, @skriss)
  • Add a "Get involved" section to the Project Contour front page. (#4847, @theVJagrawal)
  • Gateway API: change the default controller name from projectcontour.io/projectcontour/contour to projectcontour.io/gateway-controller for static provisioning. (#4966, @izturn)
  • Guides are now versioned along with the rest of Contour's documentation. You can find them listed in the menu on the left-hand side of https://projectcontour.io/docs. (#4977, @skriss)

Deprecation and Removal Notices

ContourDeployment.Spec.Contour.Replicas and ContourDeployment.Spec.Envoy.Replicas are deprecated

  • ContourDeployment.Spec.Contour.Replicas is deprecated and has been replaced by ContourDeployment.Spec.Contour.Deployment.Replicas. Users should switch to using the new field. The deprecated field will be removed in a future release. See #4713 for additional details.

  • ContourDeployment.Spec.Envoy.Replicas is deprecated and has been replaced by ContourDeployment.Spec.Envoy.Deployment.Replicas. Users should switch to using the new field. The deprecated field will be removed in a future release. See #4713 for additional details.

(#4713, @izturn)

Gateway API: ReferencePolicy no longer supported (use ReferenceGrant instead)

In Gateway API, ReferencePolicy's rename to ReferenceGrant has been fully completed.
Contour now only supports ReferenceGrant, and does not support ReferencePolicy resources in any way.

(#4830, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.24.0 is tested against Kubernetes 1.24 through 1.26.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @Vishal-Chdhry
  • @fangfpeng
  • @gautierdelorme
  • @izturn
  • @moeyui1
  • @rajatvig
  • @theVJagrawal
  • @vmw-yingy
  • @vroldanbet
  • @yangyy93

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.24.0-rc.1

Published by sunjayBhatia over 1 year ago

We are delighted to present version v1.24.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Minor Changes

Add optional health check port for HTTP health check and TCP health check

HTTPProxy.Route.Service and HTTPProxy.TCPProxy.Service now have an optional HealthPort field which specifies a health check port that is different from the routing port. If not specified, the service Port field is used for health checking.

(#4761, @yangyy93)

Secrets not relevant to Contour no longer validated

Contour no longer validates Secrets that are not used by an Ingress, HTTPProxy, Gateway, or Contour global config.
Validation is now performed as needed when a Secret is referenced.
This change also replaces misleading "Secret not found" error conditions with more specific errors when a Secret referenced by one of the above objects does exist, but is not valid.

(#4788, @skriss)

Optional Client Certificate Validation

By default, when client certificate validation is configured, client certificates are required.
However, some applications might support different authentication schemes.
You can now set the httpproxy.spec.virtualhost.tls.clientValidation.optionalClientCertificate field to true. A client certificate will be requested, but the connection is allowed to continue if the client does not provide one.
If a client certificate is sent, it is verified according to the other clientValidation properties; note that if httpproxy.spec.virtualhost.tls.clientValidation.skipClientCertValidation is set, the certificate is accepted without being validated.

(#4796, @gautierdelorme)

Client Certificate Details Forwarding

HTTPProxy now supports passing certificate data through the x-forwarded-client-cert header to let applications use details from client certificates (e.g. Subject, SAN...).
Since the certificate (or the certificate chain) could exceed the web server header size limit, you have the ability to select what specific part of the certificate to expose in the header through the httpproxy.spec.virtualhost.tls.clientValidation.forwardClientCertificate field.
Read more about the supported values in the Envoy documentation.

(#4797, @gautierdelorme)
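The two notes above, Optional Client Certificate Validation and Client Certificate Details Forwarding (the same text appears in the v1.24.0 notes), describe what the proxy sends; the security decisions sit in what the backend does with it. The Go program below is an added example written for this page, not Contour's or Envoy's code. It parses the x-forwarded-client-cert value using the element and quoting layout Envoy documents for that header (one element per proxy hop joined by ',', key=value items joined by ';', values double-quoted when they contain ',', ';' or '='); the backslash-escape handling inside quoted values, the service name svc-a, the example.org SPIFFE ID and the names ErrNoClientCert and PrincipalFromHeader are assumptions of the example. A missing header, which is what optionalClientCertificate: true produces for a client that sends no certificate, is treated as an unauthenticated request that must be authenticated some other way, never as an implicitly trusted one.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ClientCert holds the forwarded fields a backend typically authorizes on.
type ClientCert struct {
	Subject string   // subject DN of the verified client certificate
	URIs    []string // URI SANs, e.g. SPIFFE IDs
}

// ErrNoClientCert is the optionalClientCertificate=true outcome.
var ErrNoClientCert = errors.New("xfcc: no client certificate presented")

// tokenize splits an XFCC value into elements (one per proxy hop, joined by
// ',') of raw key=value items (joined by ';'), dropping the double quotes Envoy
// adds around values containing ',', ';' or '=' and resolving backslash
// escapes inside them (the escape convention is an assumption of this example).
func tokenize(s string) ([][]string, error) {
	elems := [][]string{nil}
	var cur strings.Builder
	quoted, escaped := false, false
	for _, r := range s {
		switch {
		case escaped:
			escaped = false
			cur.WriteRune(r)
		case quoted && r == '\\':
			escaped = true
		case r == '"':
			quoted = !quoted
		case !quoted && (r == ';' || r == ','):
			elems[len(elems)-1] = append(elems[len(elems)-1], cur.String())
			cur.Reset()
			if r == ',' {
				elems = append(elems, nil)
			}
		default:
			cur.WriteRune(r)
		}
	}
	if quoted || escaped {
		return nil, errors.New("xfcc: unterminated quoted value")
	}
	elems[len(elems)-1] = append(elems[len(elems)-1], cur.String())
	return elems, nil
}

// ParseXFCC parses Envoy's x-forwarded-client-cert value into one ClientCert
// per element; malformed items and unknown keys are rejected, not ignored.
func ParseXFCC(header string) ([]ClientCert, error) {
	elems, err := tokenize(header)
	if err != nil {
		return nil, err
	}
	var certs []ClientCert
	for _, elem := range elems {
		var c ClientCert
		for _, item := range elem {
			k, v, ok := strings.Cut(item, "=")
			if !ok || k == "" {
				return nil, fmt.Errorf("xfcc: malformed item %q", item)
			}
			switch k = strings.ToLower(k); k {
			case "subject":
				c.Subject = v
			case "uri":
				c.URIs = append(c.URIs, v)
			case "by", "hash", "cert", "chain", "dns": // valid keys not used here
			default:
				return nil, fmt.Errorf("xfcc: unknown key %q", k)
			}
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// PrincipalFromHeader is the backend-side check: an empty header under
// optionalClientCertificate means an unauthenticated client, never a trusted
// one; with several elements the last is the client of the nearest hop.
func PrincipalFromHeader(value string) (ClientCert, error) {
	if value == "" {
		return ClientCert{}, ErrNoClientCert
	}
	certs, err := ParseXFCC(value)
	if err != nil {
		return ClientCert{}, err
	}
	return certs[len(certs)-1], nil
}

func main() {
	// Constructed sample in the shape Envoy emits, not captured from a real proxy.
	fmt.Println(PrincipalFromHeader(`Subject="CN=svc-a,O=Example";URI=spiffe://example.org/ns/default/sa/svc-a`))
}
```

Call PrincipalFromHeader(r.Header.Get("X-Forwarded-Client-Cert")) only for requests that can only have arrived through Envoy (network policy or mTLS between Envoy and the backend), because anything that reaches the backend directly can set the header itself. If skipClientCertValidation is set, the forwarded subject was never checked against a CA and must not be used as an identity. Unknown keys are rejected rather than ignored so that a change in the proxy's configuration is noticed instead of silently accepted.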

Enable configuring Server header transformation

Envoy's treatment of the Server header on responses can now be configured in the Contour config file or ContourConfiguration CRD.
When configured as overwrite, Envoy overwrites any Server header with "envoy".
When configured as append_if_absent, Envoy passes through an existing Server header and otherwise sets it to "envoy".
When configured as pass_through, Envoy passes through the value of the Server header and does not add one if none is present.

(#4906, @Vishal-Chdhry)

Added support for ALL DNS lookup family.

If ALL is specified, the DNS resolver will perform a lookup for both IPv4 and IPv6 families, and return all resolved addresses. When this is used, Happy Eyeballs will be enabled for upstream connections.

(#4909, @Vishal-Chdhry)

Fix handling of duplicate HTTPProxy Include Conditions

Duplicate include conditions are now correctly identified, and HTTPProxies are marked with the condition IncludeError and reason DuplicateMatchConditions.
Previously the HTTPProxy processor compared only adjacent includes, and compared conditions element by element rather than as a whole (ANDed together).

In addition, the previous behavior when duplicate Include Conditions were identified was to throw out all routes on the offending HTTPProxy, including valid ones.
Any referenced child HTTPProxies were marked as Orphaned as a result, even if they were included correctly.
With this change, all valid Includes and Route rules are processed and programmed in the data plane, which is a difference in behavior from previous releases.
An Include is deemed to be a duplicate if it has the exact same match Conditions as an Include that precedes it in the list.
Only child HTTPProxies that are referenced by a duplicate Include and not by any other valid Include are marked as Orphaned.

(#4931, @sunjayBhatia)
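The rule described in this note and in the v1.24.0 notes above (including the special case there for empty conditions or a lone prefix: / match) is easier to follow in code. The Go program below is an added example written for this page, not Contour's processor. It compares every Include against all earlier Includes, not only its neighbour, and compares the condition set as a whole: in this example the prefix conditions are joined into one path, header conditions are sorted so their order is irrelevant, and header names are case-folded, which is an assumed canonicalisation, not a description of Contour's implementation. The type shapes and the sample Include names are also the example's own.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// HeaderCondition is a simplified HTTPProxy header match condition.
type HeaderCondition struct {
	Name, Exact, Contains string
	Present               bool
}

// MatchCondition mirrors one entry of an Include's conditions list:
// a path prefix, a header match, or both.
type MatchCondition struct {
	Prefix string
	Header *HeaderCondition
}

// Include mirrors an HTTPProxy includes entry: child name plus conditions.
type Include struct {
	Name       string
	Conditions []MatchCondition
}

// Result is what a processor would turn into status: indexes of duplicate
// Includes, and children referenced only by duplicate Includes.
type Result struct {
	DuplicateIndexes []int
	Orphaned         []string
}

// conditionKey canonicalises an Include's conditions as a whole (ANDed):
// prefix conditions are joined into one path and header conditions are
// sorted, so the order they are written in does not matter. This
// canonicalisation is an assumption of the example, not Contour's.
func conditionKey(conds []MatchCondition) (pathPrefix string, headers []string) {
	pathPrefix = "/"
	for _, c := range conds {
		if c.Prefix != "" {
			pathPrefix = path.Join(pathPrefix, c.Prefix)
		}
		if h := c.Header; h != nil {
			// Header names are case-insensitive, so fold them before comparing.
			headers = append(headers, fmt.Sprintf("%s|exact=%s|contains=%s|present=%t",
				strings.ToLower(h.Name), h.Exact, h.Contains, h.Present))
		}
	}
	sort.Strings(headers)
	return pathPrefix, headers
}

// isRootOnly is the special case from the v1.24.0 notes: no conditions, or
// conditions that reduce to a bare "/" prefix, are never flagged as duplicates.
func isRootOnly(pathPrefix string, headers []string) bool {
	return pathPrefix == "/" && len(headers) == 0
}

// DetectDuplicateIncludes flags every Include whose whole condition set
// matches that of any earlier Include (not only the adjacent one), and
// reports children that no valid Include still references.
func DetectDuplicateIncludes(includes []Include) Result {
	seen, valid, dup := map[string]bool{}, map[string]bool{}, map[string]bool{}
	var res Result
	for i, inc := range includes {
		p, h := conditionKey(inc.Conditions)
		key := p + "\x00" + strings.Join(h, "\x00")
		if seen[key] && !isRootOnly(p, h) {
			res.DuplicateIndexes = append(res.DuplicateIndexes, i)
			dup[inc.Name] = true
			continue
		}
		seen[key] = true
		valid[inc.Name] = true
	}
	for name := range dup {
		if !valid[name] {
			res.Orphaned = append(res.Orphaned, name)
		}
	}
	sort.Strings(res.Orphaned)
	return res
}

func main() {
	// Constructed input: "api-copy" repeats "api"'s conditions in another order
	// and is not adjacent to it; the last two Includes are root-only.
	includes := []Include{
		{Name: "api", Conditions: []MatchCondition{{Prefix: "/api"}, {Header: &HeaderCondition{Name: "X-Tenant", Exact: "a"}}}},
		{Name: "web", Conditions: []MatchCondition{{Prefix: "/web"}}},
		{Name: "api-copy", Conditions: []MatchCondition{{Header: &HeaderCondition{Name: "x-tenant", Exact: "a"}}, {Prefix: "/api"}}},
		{Name: "child1"},
		{Name: "child2", Conditions: []MatchCondition{{Prefix: "/"}}},
	}
	fmt.Printf("%+v\n", DetectDuplicateIncludes(includes))
}
```

DetectDuplicateIncludes reports the index of each duplicate Include (what a processor would surface as the IncludeError / DuplicateMatchConditions condition) and which child names are left with no valid Include referencing them (the Orphaned set). Note the difference between api-copy, which is orphaned, and a child referenced by both a duplicate and a valid Include, which is not.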

Contour supports Gateway API release v0.6.0

See the Gateway API release notes for more detail on the API changes.
This version of the API includes a few changes relevant to Contour users:

  • The ReferenceGrant resource has been graduated to the v1beta1 API and ReferencePolicy removed from the API
  • v1alpha2 versions of GatewayClass, Gateway, and HTTPRoute are deprecated
  • There have been significant changes to status conditions on various resources for consistency:
    • Accepted and Programmed conditions have been added to Gateway and Gateway Listener
    • The Ready condition has been moved to "extended" conformance, at this moment Contour does not program this condition
    • The Scheduled condition has been deprecated on Gateway

(#4944, @sunjayBhatia)

shutdown-manager sidecar container liveness probe removed

The liveness probe has been removed from the Envoy pods' shutdown-manager sidecar container.
This change mitigates a problem where, when the liveness probe fails, only the shutdown-manager container is restarted.
That ultimately has the unintended effect of leaving the envoy container stuck indefinitely in a "DRAINING" state, not serving traffic.

Overall, not having the liveness probe on the shutdown-manager container is less bad because envoy pods are less likely to get stuck in "DRAINING" indefinitely.
In the worst case, during termination of an Envoy pod (due to upgrade, scaling, etc.), shutdown-manager is truly unresponsive, in which case the envoy container will simply terminate without first draining active connections.
If appropriate (i.e. during an upgrade), a new Envoy pod will then be created and re-added to the set of ready Envoys to load balance traffic to.

(#4967, @skriss)

Update Envoy to v1.25.0

Bumps Envoy to version 1.25.0.
See Envoy release notes here.

(#4988, @skriss)

Other Changes

  • Add (update)Strategy configurability to ContourDeployment resource for components. (#4713, @izturn)
  • Don't trigger DAG rebuilds for updates/deletes of unrelated Secrets. (#4792, @skriss)
  • Allow TLS certificate secrets to be of type Opaque as long as they have valid tls.crt and tls.key entries. (#4799, @skriss)
  • Add Envoy log level configurability to ContourDeployment resource. (#4801, @izturn)
  • Add Service/Envoy's ExternalTrafficPolicy configurability to ContourDeployment resource. (#4803, @izturn)
  • Deprecated Envoy xDS APIs from Envoy 1.24.0 are no longer in use, see here for details on their replacements. (#4822, @sunjayBhatia)
  • Don't trigger DAG rebuilds for updates/deletes of unrelated Services. (#4827, @Vishal-Chdhry)
  • Fixed bug where ExtensionServices were being updated continuously by Contour (#4846, @Vishal-Chdhry)
  • Add grpc_status_number to the default JSON access log fields (#4880, @rajatvig)
  • Implement support for Gateway API HTTPRoute ResponseHeaderModifier filter. (#4908, @sunjayBhatia)
  • Don't trigger DAG rebuilds/xDS configuration updates for irrelevant HTTPRoutes and TLSRoutes. (#4912, @fangfpeng)
  • Ensure changes to Services referenced by TLSRoute trigger xDS configuration updates. (#4915, @vmw-yingy)
  • Supported/tested Kubernetes versions are now 1.24, 1.25, 1.26. (#4937, @skriss)
  • Sort the command-line option flags into lexicographic order (fixes #2397). (#4958, @izturn)
  • Gateway API: adds support for the HTTPURLRewrite filter, which allows for rewriting the path or Host header as requests are being forwarded to the backend. (#4962, @skriss)
  • Expose configuration for Envoy's RateLimitedAsResourceExhausted option. (#4971, @vroldanbet)
  • Gateway API: when provisioning an Envoy NodePortService, use the Listeners' port numbers to populate the Service's node port values. (#4973, @izturn)
  • Updates to Go 1.19.5. See the Go release notes for more information. (#4980, @skriss)
  • Improve xDS server logging on connection close to be less verbose by default. Previously all closed connections from Envoy xDS resource subscriptions were logged as errors. (#4993, @sunjayBhatia)

Docs Changes

  • Update the "FIPS 140-2 in Contour" guide for Go 1.19+. (#4813, @moeyui1)
  • Added a section to the Deployment Options document describing how to deploy more than one Contour instance in a single cluster. (#4832, @skriss)
  • Add a "Get involved" section to the Project Contour front page. (#4847, @theVJagrawal)
  • Gateway API: change the default controller name from projectcontour.io/projectcontour/contour to projectcontour.io/gateway-controller for static provisioning. (#4966, @izturn)
  • Guides are now versioned along with the rest of Contour's documentation. You can find them listed in the menu on the left-hand side of https://projectcontour.io/docs. (#4977, @skriss)

Deprecation and Removal Notices

ContourDeployment.Spec.Contour.Replicas and ContourDeployment.Spec.Envoy.Replicas are deprecated

  • ContourDeployment.Spec.Contour.Replicas is deprecated and has been replaced by ContourDeployment.Spec.Contour.Deployment.Replicas. Users should switch to using the new field. The deprecated field will be removed in a future release. See #4713 for additional details.

  • ContourDeployment.Spec.Envoy.Replicas is deprecated and has been replaced by ContourDeployment.Spec.Envoy.Deployment.Replicas. Users should switch to using the new field. The deprecated field will be removed in a future release. See #4713 for additional details.

(#4713, @izturn)

Gateway API: ReferencePolicy no longer supported (use ReferenceGrant instead)

In Gateway API, ReferencePolicy's rename to ReferenceGrant has been fully completed.
Contour now only supports ReferenceGrant, and does not support ReferencePolicy resources in any way.

(#4830, @skriss)

Installing and Upgrading

The simplest way to install v1.24.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.24.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.24.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.24.0-rc.1 is tested against Kubernetes 1.24 through 1.26.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @Vishal-Chdhry
  • @fangfpeng
  • @gautierdelorme
  • @izturn
  • @moeyui1
  • @rajatvig
  • @theVJagrawal
  • @vmw-yingy
  • @vroldanbet
  • @yangyy93

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.23.2

Published by skriss almost 2 years ago

We are delighted to present version v1.23.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.2 is tested against Kubernetes 1.23 through 1.25.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.22.3

Published by skriss almost 2 years ago

We are delighted to present version v1.22.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.3 is tested against Kubernetes 1.22 through 1.24.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.21.3

Published by skriss almost 2 years ago

We are delighted to present version v1.21.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.21.3 is tested against Kubernetes 1.21 through 1.23.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.23.1

Published by sunjayBhatia almost 2 years ago

We are delighted to present version v1.23.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.24.1

Bumps Envoy to security patch version 1.24.1.
See Envoy release notes here.

(#4903, @sunjayBhatia)

Other Changes

  • Various updates to dependencies for security updates, upgrade to Go 1.19.3, and bump go module version to go 1.17. (#4874, #4881, #4883, @sunjayBhatia)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.1 is tested against Kubernetes 1.23 through 1.25.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.22.2

Published by sunjayBhatia almost 2 years ago

We are delighted to present version v1.22.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.23.3

Bumps Envoy to security patch version 1.23.3.
See Envoy release notes here.

(#4897, @sunjayBhatia)

Other Changes

  • Various updates to dependencies for security updates, upgrade to Go 1.19.3, and bump go module version to go 1.17. (#4882, #4884, @sunjayBhatia)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.2 is tested against Kubernetes 1.22 through 1.24.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.21.2

Published by sunjayBhatia almost 2 years ago

We are delighted to present version v1.21.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.22.6

Bumps Envoy to security patch version 1.22.6.
See Envoy release notes here.

(#4889, @sunjayBhatia)

Other Changes

  • Various updates to dependencies for security updates, fixes for CI, upgrade to Go 1.18.8, and bump go module version to go 1.17. (#4885, @sunjayBhatia)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.21.2 is tested against Kubernetes 1.21 through 1.23.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.23.0

Published by sunjayBhatia almost 2 years ago

We are delighted to present version v1.23.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Overload Manager

It is now possible to enable Envoy's overload manager to avoid traffic disturbances when the Envoy process allocates too much heap and is terminated by the Linux out-of-memory killer.
The feature is disabled by default and can be enabled by following instructions here.

(#4597, @tsaarni)

JWT Verification Support

Contour's HTTPProxy now supports configuring Envoy's JSON Web Token (JWT) authentication filter, for verifying JWTs on incoming requests.

A root HTTPProxy can optionally define one or more JWT providers, each of which can define an issuer, audiences, and a JSON Web Key Set (JWKS) to use for verifying JWTs.

JWT providers can then be applied as requirements to routes on the HTTPProxy (or routes on included HTTPProxies), either by setting one provider as the default, or by explicitly specifying a JWT provider to require for a given route.
Individual routes may also opt out of JWT verification if a default provider has been set for the HTTPProxy.

For more information, see:

(#4723, @skriss)

Slow start mode

Slow start mode is a configuration setting that is used to gradually increase the amount of traffic targeted to a newly added upstream endpoint.
This can be useful, for example, with JVM-based applications, which might otherwise get overwhelmed during the JIT warm-up period.
For more information see here.

(#4772, @tsaarni)

Minor Changes

HTTPProxy CORS policy supports regex matching on Allowed Origins

The AllowOrigin field of the HTTPProxy CORSPolicy can be configured as a regex to enable more flexibility for users.
More advanced matching can now be performed on the Origin header of HTTP requests, instead of restricting users to allow all origins, or enumerating all possible values.

(#4710, @sunjayBhatia)

Other Changes

  • Transition to default_source_code Lua filter field from deprecated inline_string field for specifying Lua scripts. (#4622, @sunjayBhatia)
  • There are many EnsureXDeleted functions in the sub-packages of objects, so unify them into objects/EnsureObjectDelete. (#4630, @izturn)
  • Transition to using new bootstrap field default_regex_engine instead of deprecated per-regex match engine selection. (#4652, @sunjayBhatia)
  • Gateway Listeners with Secret references whose namespace is not covered by a ReferenceGrant should have their status reason set to RefNotPermitted. (#4664, @sunjayBhatia)
  • Add a new flag leader-election-namespace for gateway-provisioner (#4669, @izturn)
  • Add Contour log level configurability to ContourDeployment resource. (#4676, @izturn)
  • Add Kubernetes client debug log level configurability to ContourDeployment resource. (#4677, @izturn)
  • Add the fields extraVolumes and extraVolumeMounts to the ContourDeployment CRD to enable Envoy pods to mount additional volumes. (#4680, @izturn)
  • Add Kubernetes annotations configurability to the ContourDeployment resource, to enable customizing the pod annotations of Envoy pods. (#4681, @izturn)
  • Add Kubernetes resource labels configurability to ContourDeployment resource. (#4709, @izturn)
  • Add resource requirements configurability to ContourDeployment to enable resource quota for containers. (#4712, @izturn)
  • Gateway API: status-only updates to resources no longer trigger DAG reprocessing and xDS updates. (#4744, @skriss)
  • Gateway API: don't make status update calls to the API server if status has not changed on the resource. (#4745, @skriss)
  • Updates to Gateway API v0.5.1. (#4755, @skriss)
  • Update supported Kubernetes versions to 1.23, 1.24, and 1.25. (#4757, @sunjayBhatia)
  • For Gateway API conformance, when a HTTP request matches multiple rules within a HTTPRoute, precedence is given to the rule that comes first in that HTTPRoute (in list-order). (#4763, @sunjayBhatia)
  • Updates Go to 1.19.2, see release notes here. (#4773, @sunjayBhatia)
  • Update Envoy to v1.24.0. See the Envoy release notes for more information. (#4804, @skriss)

Docs Changes

  • Added guide for configuring gRPC routes. (#4725, @sunjayBhatia)

Deprecation and Removal Notices

Contour v1.20 minor release now out of support

As per Contour's support policy the v1.20 minor release will now no longer be patched for security or critical bug fixes.
Please upgrade to the v1.21 minor release or newer.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.0 is tested against Kubernetes 1.23 through 1.25.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @izturn

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.23.0-rc.1

Published by sunjayBhatia about 2 years ago

We are delighted to present version v1.23.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Overload Manager

It is now possible to enable Envoy's overload manager to avoid traffic disturbances when the Envoy process allocates too much heap and is terminated by the Linux out-of-memory killer.
The feature is disabled by default and can be enabled by following instructions here.

(#4597, @tsaarni)

JWT Verification Support

Contour's HTTPProxy now supports configuring Envoy's JSON Web Token (JWT) authentication filter, for verifying JWTs on incoming requests.

A root HTTPProxy can optionally define one or more JWT providers, each of which can define an issuer, audiences, and a JSON Web Key Set (JWKS) to use for verifying JWTs.

JWT providers can then be applied as requirements to routes on the HTTPProxy (or routes on included HTTPProxies), either by setting one provider as the default, or by explicitly specifying a JWT provider to require for a given route.
Individual routes may also opt out of JWT verification if a default provider has been set for the HTTPProxy.

For more information, see:

(#4723, @skriss)
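The following HTTPProxy is an added worked example of the JWT verification feature described above (in both the v1.23.0 and v1.23.0-rc.1 notes); it is editor-written, not taken from the Contour documentation or repository. The hostname, TLS secret, issuers, audiences, JWKS URLs and service names are hypothetical. It shows the three route behaviours the notes describe: a default provider that protects every route that says nothing, an explicit `require` of a second provider, and a per-route opt-out.

```yaml
# Added example for Contour HTTPProxy JWT verification (v1.23.0).
# Hostnames, secret names, issuers, audiences, JWKS URLs and services are hypothetical.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: api-with-jwt
  namespace: default
spec:
  virtualhost:
    fqdn: api.example.com
    tls:
      # Bearer tokens are credentials: only accept them over TLS.
      secretName: api-example-com-tls
    jwtProviders:
      # Default provider: applies to every route that neither opts out
      # nor names another provider.
      - name: users
        default: true
        issuer: https://login.example.com/
        # Pin the audience so a token minted for a different service is rejected.
        audiences:
          - api.example.com
        jwks:
          uri: https://login.example.com/.well-known/jwks.json
          timeout: 1s
          cacheDuration: 5m
      # Second provider with its own trust root, required explicitly below.
      - name: internal-admin
        issuer: https://admin-idp.internal.example.com/
        audiences:
          - admin.api.example.com
        jwks:
          uri: https://admin-idp.internal.example.com/jwks.json
          timeout: 1s
          cacheDuration: 1m
  routes:
    # Static assets: explicitly opt out of the default provider.
    - conditions:
        - prefix: /static
      jwtVerificationPolicy:
        disabled: true
      services:
        - name: static-assets
          port: 80
    # Admin API: require the non-default provider by name.
    - conditions:
        - prefix: /admin
      jwtVerificationPolicy:
        require: internal-admin
      services:
        - name: admin-api
          port: 8080
    # Everything else: protected by the default "users" provider.
    - conditions:
        - prefix: /
      services:
        - name: api
          port: 8080
```

Because the default provider covers any route that is silent about JWT verification, a newly added route (including one on an included child HTTPProxy) cannot accidentally ship unauthenticated; the only way to expose one is the explicit `disabled: true`, which is easy to grep for in review. The JWKS is fetched over HTTPS, so the issuer's TLS certificate is part of the trust chain for every token Envoy accepts.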

Minor Changes

HTTPProxy CORS policy supports regex matching on Allowed Origins

The AllowOrigin field of the HTTPProxy CORSPolicy can be configured as a regex to enable more flexibility for users.
More advanced matching can now be performed on the Origin header of HTTP requests, instead of restricting users to allow all origins, or enumerating all possible values.

(#4710, @sunjayBhatia)
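An added example (editor-written, not from the Contour docs) of the regex allowOrigin described above for v1.23.0 and v1.23.0-rc.1. The hostnames and service are hypothetical. The point it illustrates: Envoy's regex string matcher must match the whole Origin value, so the pattern has to escape its dots and be written for the full origin, otherwise an attacker-controlled domain can satisfy it.

```yaml
# Added example for regex matching in HTTPProxy CORSPolicy allowOrigin (v1.23.0).
# Hostnames and the backend service are hypothetical.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cors-regex
spec:
  virtualhost:
    fqdn: api.example.com
    corsPolicy:
      allowCredentials: true
      allowOrigin:
        # Exact origin for the main web app.
        - https://app.example.com
        # Regex: any https first-level subdomain of example.com.
        # The dots are escaped and the character class excludes "/" and ".",
        # so https://app.example.com.attacker.net and https://evilexample.com
        # do not match. The weak form "https://.*.example.com" would accept
        # both, because "." matches any character and ".*" spans labels.
        - 'https://[a-z0-9-]+\.example\.com'
      allowMethods:
        - GET
        - POST
      allowHeaders:
        - authorization
        - content-type
      maxAge: 10m
  routes:
    - services:
        - name: api
          port: 80
```

With allowCredentials set, a too-permissive origin pattern lets a hostile page read authenticated responses, so treat each regex entry as an allow-list rule and test it against origins that should be rejected, not only the ones that should pass.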

Other Changes

  • Transition to default_source_code Lua filter field from deprecated inline_string field for specifying Lua scripts. (#4622, @sunjayBhatia)
  • There are many EnsureXDeleted functions in the sub-packages of objects, so unify them into objects/EnsureObjectDelete. (#4630, @izturn)
  • Transition to using new bootstrap field default_regex_engine instead of deprecated per-regex match engine selection. (#4652, @sunjayBhatia)
  • Gateway Listeners with Secret references whose namespace is not covered by a ReferenceGrant should have their status reason set to RefNotPermitted. (#4664, @sunjayBhatia)
  • Add a new flag leader-election-namespace for gateway-provisioner (#4669, @izturn)
  • Add Contour log level configurability to ContourDeployment resource. (#4676, @izturn)
  • Add Kubernetes client debug log level configurability to ContourDeployment resource. (#4677, @izturn)
  • Gateway API: status-only updates to resources no longer trigger DAG reprocessing and xDS updates. (#4744, @skriss)
  • Gateway API: don't make status update calls to the API server if status has not changed on the resource. (#4745, @skriss)
  • Updates to Gateway API v0.5.1. (#4755, @skriss)
  • Update supported Kubernetes versions to 1.23, 1.24, and 1.25. (#4757, @sunjayBhatia)

Docs Changes

  • Added guide for configuring gRPC routes. (#4725, @sunjayBhatia)

Installing and Upgrading

The simplest way to install v1.23.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.23.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.23.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.23.0-rc.1 is tested against Kubernetes 1.23 through 1.25.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @izturn

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.22.1

Published by skriss about 2 years ago

We are delighted to present version v1.22.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Changes

  • Updates Go to 1.19.0, see release notes here. (#4660, @sunjayBhatia)
  • The global connect-timeout configuration value was not taking effect for routes that did not have timeoutPolicy set. (#4690, @tsaarni)
  • Update Envoy to v1.23.1. This fixes an issue where the arm64 variant of the Envoy image was not built properly. See the release notes for additional information. (#4691, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.1 is tested against Kubernetes 1.22 through 1.24.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.22.0

Published by skriss about 2 years ago

We are delighted to present version v1.22.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Update to Gateway API v0.5.0

Contour now supports Gateway API v0.5.0, including both the v1alpha2 and v1beta1 API versions.

With this update, Contour passes all of the Gateway API v0.5.0 conformance tests, which cover much of the core API surface (but are not yet 100% exhaustive).

For more information on the Gateway API v0.5.0 release, see the release blog post.

For information on getting started with Contour and Gateway API, see the Contour/Gateway API guide.

(#4617, @skriss)

Minor Changes

Update to Envoy 1.23.0

Contour now uses Envoy 1.23.0.
See the Envoy changelog for more information on the contents of the release.

(#4621, @skriss)

HTTPProxy Direct Response Policy

HTTPProxy.Route now has a HTTPDirectResponsePolicy which allows for routes to specify a DirectResponsePolicy.
This policy will allow a direct response to be configured for a specific set of Conditions within a single route.
The policy can be configured with a StatusCode and a Body; the StatusCode is required.

It is important to note that one of route.services or route.requestRedirectPolicy or route.directResponsePolicy must be specified.

(#4526, @yangyy93)

Validating revocation status of client certificates

It is now possible to enable revocation checking for client certificate validation.
The CRL files must be provided in advance and configured as an Opaque Secret.
To enable the feature, set httpproxy.spec.virtualhost.tls.clientValidation.crlSecret to the name of that Secret.

(#4592, @tsaarni)

Consolidate access logging and TLS cipher suite validation

Access log and TLS cipher suite configuration validation logic is now consolidated in the apis/projectcontour/v1alpha1 package.
Existing exported elements of the pkg/config package are left untouched, though implementation logic now lives in apis/projectcontour/v1alpha1.

This should largely be a no-op for users however, as part of this cleanup, a few minor incompatible changes have been made:

  • TLS cipher suite list elements will no longer be allowed to have leading or trailing whitespace
  • The ContourConfiguration CRD field spec.envoy.logging.jsonFields has been renamed to spec.envoy.logging.accessLogJSONFields

(#4626, @sunjayBhatia)

Gateway API: implement HTTP query parameter matching

Contour now implements Gateway API's HTTP query parameter matching.
Only Exact matching is supported.
For example, the following HTTPRoute will send a request with a query string of ?animal=whale to s1, and a request with a querystring of ?animal=dolphin to s2.

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: httproute-queryparam-matching
spec:
  parentRefs:
  - name: contour-gateway
  rules:
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: whale
    backendRefs:
    - name: s1
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: dolphin
    backendRefs:
    - name: s2

(#4588, @skriss)

Gateway API: update handling of various invalid HTTPRoute/TLSRoute scenarios

Updates the handling of various invalid HTTPRoute/TLSRoute scenarios to be conformant with the Gateway API spec, including:

  • Use a 500 response instead of a 404 when a route's backends are invalid
  • The Accepted condition on a route only describes whether the route attached successfully to its parent, not whether it has any other errors
  • Use the upstream reasons InvalidKind and BackendNotFound when a backend is not a Service or not found, respectively

(#4614, @skriss)

Gateway API: enforce correct TLS modes for HTTPS and TLS listener protocols

Contour now enforces that the correct TLS modes are used for the HTTPS and TLS listener protocols.
For an HTTPS listener, the TLS mode "Terminate" must be used (this is compatible with HTTPRoutes).
For a TLS listener, the TLS mode "Passthrough" must be used (this is compatible with TLSRoutes).

(#4631, @skriss)

Bind create label operation for contour's deployment to the struct

There are now three places that create the same label(s), so make the operation a method of the Contour struct.

(#4585, @izturn)

Use local variable to replace the long access chain of fields

The access chain of fields is too long, so use local variables to replace it.

(#4586, @izturn)

Other Changes

  • RTDS now serves a dynamic runtime configuration layer, which is requested by the bootstrap configuration. In the future, the contents of this runtime configuration will be made configurable by users. (#4387, @sunjayBhatia)
  • internal/envoy: use Envoy's path-based prefix matching instead of regular expressions. (#4477, @mmalecki)
  • Gateway API: compute Listener supported kinds sooner, so it's populated in all cases where it can be computed. (#4523, @skriss)
  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Removes the DebugLogLevel and KubernetesDebugLogLevel fields from the ContourConfiguration spec since they were unused and are required to be specified via CLI flag. (#4534, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Gateway API: return a 404 instead of a 503 when there are no valid backend refs for an HTTPRoute rule, to match the revised Gateway API spec. (#4545, @skriss)
  • Update supported Kubernetes versions to 1.22, 1.23 and 1.24. (#4546, @skriss)
  • Changes the contour envoy shutdown command's --check-delay default to 0s from 60s, allowing Envoy pods to shut down more quickly when there are no open connections. (#4548, @skriss)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)
  • Gateway API: adds support for the "RequestMirror" HTTPRoute filter type at the rule level. (#4557, @sepaper)
  • Gateway API: fixes a bug where routes with multiple parent refs to listeners would not attach to all listeners correctly. (#4558, @skriss)
  • Gateway API: wildcard hostnames can now match more than one DNS label, per https://github.com/kubernetes-sigs/gateway-api/pull/1173. (#4559, @skriss)
  • Gateway API: adds support for ReferenceGrant, which was formerly known as ReferencePolicy. To ease migration, both resources are supported for this release, but ReferencePolicy support will be removed next release. (#4580, @skriss)
  • Envoy will now make requests to gRPC ExtensionServices with a sanitized :authority header, rather than just using the extension cluster name. (#4587, @sunjayBhatia)
  • Gateway API: adds logic to only keep the first HTTP header match with a given name (case-insensitive) for each HTTP route match, per the Gateway API spec. (#4593, @skriss)
  • Gateway API: replace usage of Contour-specific condition types and reasons with upstream Gateway API ones where possible (#4598, @skriss)
  • contour cli commands have been updated with new logging and support for testing incremental (delta) xDS variants. (#4602, @youngnick)
  • Gateway API: sets route parent status correctly when routes attach to specific Listeners. (#4604, @skriss)
  • Updated the list of supported envoy log template keywords. (#4610, @yangyy93)
  • Gateway API: set a Listener condition of Ready: false with reason Invalid when a Listener allows routes from a namespace selector but the selector is invalid. (#4615, @skriss)
  • Adds support for access log operators introduced in Envoy 1.23.0. See here for more details. (#4627, @sunjayBhatia)

Docs Changes

  • Updated SITE_CONTRIBUTION.md to reflect Hugo platform. (#4620, @gary-tai)
  • Remove grey banner from main website page. (#4635, @gary-tai)

Deprecation and Removal Notices

Gateway API: ReferencePolicy is deprecated, will be removed next release

Gateway API has renamed ReferencePolicy to ReferenceGrant in the v0.5.0 release, while retaining the former for one release to ease migration.
Contour currently supports both, but will drop support for ReferencePolicy in the next release.
Users of ReferencePolicies must migrate their resources to ReferenceGrants ahead of the next Contour release.

(#4580, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.0 is tested against Kubernetes 1.22 through 1.24.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @gary-tai
  • @izturn
  • @mmalecki
  • @sejongk
  • @yangyy93

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.22.0-rc.1

Published by skriss about 2 years ago

We are delighted to present version v1.22.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Update to Gateway API v0.5.0

Contour now supports Gateway API v0.5.0, including both the v1alpha2 and v1beta1 API versions.

With this update, Contour passes all of the Gateway API v0.5.0 conformance tests, which cover much of the core API surface (but are not yet 100% exhaustive).

For more information on the Gateway API v0.5.0 release, see the release blog post.

For information on getting started with Contour and Gateway API, see the Contour/Gateway API guide.

(#4617, @skriss)

Minor Changes

HTTPProxy Direct Response Policy

HTTPProxy.Route now has a HTTPDirectResponsePolicy which allows for routes to specify a DirectResponsePolicy.
This policy will allow a direct response to be configured for a specific set of Conditions within a single route.
The policy can be configured with a StatusCode and a Body; the StatusCode is required.

It is important to note that one of route.services or route.requestRedirectPolicy or route.directResponsePolicy must be specified.

(#4526, @yangyy93)
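An added example (editor-written, not from the Contour docs) of the directResponsePolicy described above for v1.22.0 and v1.22.0-rc.1. The hostname, paths and service are hypothetical. It uses direct responses to answer scanner probes at the edge, so requests for repository and secret files never reach a backend, and shows the constraint that each route carries exactly one of services, requestRedirectPolicy or directResponsePolicy.

```yaml
# Added example for HTTPProxy directResponsePolicy (v1.22.0).
# Hostname, paths and the backend service are hypothetical.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: direct-responses
spec:
  virtualhost:
    fqdn: www.example.com
  routes:
    # Answer probes for repository and secret files at the edge instead of
    # forwarding them. statusCode is required; body is optional.
    - conditions:
        - prefix: /.git
      directResponsePolicy:
        statusCode: 404
    - conditions:
        - prefix: /.env
      directResponsePolicy:
        statusCode: 404
    # A fixed body for a retired endpoint.
    - conditions:
        - prefix: /api/v1
      directResponsePolicy:
        statusCode: 410
        body: "API v1 has been retired; use /api/v2"
    # Exactly one of services, requestRedirectPolicy or directResponsePolicy
    # per route: this route forwards to the application.
    - conditions:
        - prefix: /
      services:
        - name: web
          port: 80
```

Contour orders prefix routes from longest to shortest, so the catch-all `/` route stays the fallback and the probe paths are answered by Envoy with no upstream request and no access to backend error pages.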

Bind create label operation for contour's deployment to the struct

There are now three places that create the same label(s), so make the operation a method of the Contour struct.

(#4585, @izturn)

Use local variable to replace the long access chain of fields

The access chain of fields is too long, so use local variables to replace it.

(#4586, @izturn)

Gateway API: implement HTTP query parameter matching

Contour now implements Gateway API's HTTP query parameter matching.
Only Exact matching is supported.
For example, the following HTTPRoute will send a request with a query string of ?animal=whale to s1, and a request with a querystring of ?animal=dolphin to s2.

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: httproute-queryparam-matching
spec:
  parentRefs:
  - name: contour-gateway
  rules:
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: whale
    backendRefs:
    - name: s1
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: dolphin
    backendRefs:
    - name: s2

(#4588, @skriss)

Validating revocation status of client certificates

It is now possible to enable revocation checking for client certificate validation.
The CRL files must be provided in advance and configured as an Opaque Secret.
To enable the feature, set httpproxy.spec.virtualhost.tls.clientValidation.crlSecret to the name of that Secret.

(#4592, @tsaarni)
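An added example (editor-written, not from the Contour docs) of the client certificate revocation check described above for v1.22.0 and v1.22.0-rc.1. The hostname, secret and service names are hypothetical; the Secret key name crl.pem is the one the Contour client-validation documentation uses for the CRL file, and the CRL itself is created from a file rather than embedded here.

```yaml
# Added example: mutual TLS with CRL-based revocation checking (v1.22.0).
# Hostname, secret names and the backend service are hypothetical.
#
# Create the Opaque Secret from a CRL issued by the client CA (key crl.pem):
#   kubectl create secret generic client-ca-crl --from-file=crl.pem=./client-ca.crl
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: mtls-with-crl
spec:
  virtualhost:
    fqdn: partner-api.example.com
    tls:
      secretName: partner-api-tls          # server certificate and key
      clientValidation:
        caSecret: client-ca                # Opaque Secret with ca.crt: trust anchor for client certs
        crlSecret: client-ca-crl           # Opaque Secret with crl.pem: revoked serial numbers
  routes:
    - services:
        - name: partner-api
          port: 8443
```

Two operational points follow from "the CRL files must be provided in advance": the CRL has a nextUpdate time, so publishing a fresh CRL into the Secret before the old one expires has to be part of the CA's routine, and if client chains include intermediate CAs, the file should hold the concatenated PEM CRLs of every issuing CA, since Envoy checks the whole presented chain against the CRL by default.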

Gateway API: update handling of various invalid HTTPRoute/TLSRoute scenarios

Updates the handling of various invalid HTTPRoute/TLSRoute scenarios to be conformant with the Gateway API spec, including:

  • Use a 500 response instead of a 404 when a route's backends are invalid
  • The Accepted condition on a route only describes whether the route attached successfully to its parent, not whether it has any other errors
  • Use the upstream reasons InvalidKind and BackendNotFound when a backend is not a Service or not found, respectively

(#4614, @skriss)

Update to Envoy 1.23.0

Contour now uses Envoy 1.23.0.
See the Envoy changelog for more information on the contents of the release.

(#4621, @skriss)

Consolidate access logging and TLS cipher suite validation

Access log and TLS cipher suite configuration validation logic is now consolidated in the apis/projectcontour/v1alpha1 package.
Existing exported elements of the pkg/config package are left untouched, though implementation logic now lives in apis/projectcontour/v1alpha1.

This should largely be a no-op for users however, as part of this cleanup, a few minor incompatible changes have been made:

  • TLS cipher suite list elements will no longer be allowed to have leading or trailing whitespace
  • The ContourConfiguration CRD field spec.envoy.logging.jsonFields has been renamed to spec.envoy.logging.accessLogJSONFields

(#4626, @sunjayBhatia)

Gateway API: enforce correct TLS modes for HTTPS and TLS listener protocols

Contour now enforces that the correct TLS modes are used for the HTTPS and TLS listener protocols.
For an HTTPS listener, the TLS mode "Terminate" must be used (this is compatible with HTTPRoutes).
For a TLS listener, the TLS mode "Passthrough" must be used (this is compatible with TLSRoutes).

(#4631, @skriss)
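An added example (editor-written, not from the Contour or Gateway API docs) of the TLS mode rules described above for v1.22.0 and v1.22.0-rc.1, combined with the ReferenceGrant that Gateway API v0.5.0 requires when a listener's certificate Secret lives in another namespace. Namespaces, names and hostnames are hypothetical.

```yaml
# Added example for Gateway API listener TLS modes (v1.22.0) with a
# cross-namespace certificate Secret. Namespaces, names and hostnames are hypothetical.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: contour
  namespace: projectcontour
spec:
  gatewayClassName: contour
  listeners:
    # HTTPS listener: Envoy terminates TLS, so the mode must be Terminate.
    # HTTPRoutes attach here.
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-example-com
            namespace: certs            # cross-namespace: needs the ReferenceGrant below
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: allowed
        kinds:
          - kind: HTTPRoute
    # TLS listener: the backend terminates TLS, so the mode must be Passthrough.
    # TLSRoutes attach here; no certificateRefs, because Envoy never sees plaintext.
    - name: tls-passthrough
      protocol: TLS
      port: 8443
      hostname: "vault.example.com"
      tls:
        mode: Passthrough
      allowedRoutes:
        kinds:
          - kind: TLSRoute
---
# Without this grant the Secret reference above is rejected and the listener
# reports ResolvedRefs: false with reason RefNotPermitted.
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferenceGrant
metadata:
  name: gateway-to-certs
  namespace: certs                      # lives in the namespace that owns the Secret
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: Gateway
      namespace: projectcontour
  to:
    - group: ""
      kind: Secret
```

The grant is created by the owner of the certs namespace, not by the Gateway's owner, which is the point of the mechanism: a Gateway cannot pull private keys out of a namespace that has not explicitly consented. Pairing Terminate with HTTPRoutes and Passthrough with TLSRoutes is what Contour now enforces; a Passthrough listener carrying certificateRefs, or a Terminate listener without them, is rejected rather than silently serving.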

Other Changes

  • RTDS now serves a dynamic runtime configuration layer, which is requested by the bootstrap configuration. In the future, the contents of this runtime configuration will be made configurable by users. (#4387, @sunjayBhatia)
  • internal/envoy: use Envoy's path-based prefix matching instead of regular expressions. (#4477, @mmalecki)
  • Gateway API: compute Listener supported kinds sooner, so it's populated in all cases where it can be computed. (#4523, @skriss)
  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Removes the DebugLogLevel and KubernetesDebugLogLevel fields from the ContourConfiguration spec since they were unused and are required to be specified via CLI flag. (#4534, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Gateway API: return a 404 instead of a 503 when there are no valid backend refs for an HTTPRoute rule, to match the revised Gateway API spec. (#4545, @skriss)
  • Update supported Kubernetes versions to 1.22, 1.23 and 1.24. (#4546, @skriss)
  • Changes the contour envoy shutdown command's --check-delay default to 0s from 60s, allowing Envoy pods to shut down more quickly when there are no open connections. (#4548, @skriss)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)
  • Gateway API: adds support for the "RequestMirror" HTTPRoute filter type at the rule level. (#4557, @sepaper)
  • Gateway API: fixes a bug where routes with multiple parent refs to listeners would not attach to all listeners correctly. (#4558, @skriss)
  • Gateway API: wildcard hostnames can now match more than one DNS label, per https://github.com/kubernetes-sigs/gateway-api/pull/1173. (#4559, @skriss)
  • Gateway API: adds support for ReferenceGrant, which was formerly known as ReferencePolicy. To ease migration, both resources are supported for this release, but ReferencePolicy support will be removed next release. (#4580, @skriss)
  • Envoy will now make requests to gRPC ExtensionServices with a sanitized :authority header, rather than just using the extension cluster name. (#4587, @sunjayBhatia)
  • Gateway API: adds logic to only keep the first HTTP header match with a given name (case-insensitive) for each HTTP route match, per the Gateway API spec. (#4593, @skriss)
  • Gateway API: replace usage of Contour-specific condition types and reasons with upstream Gateway API ones where possible (#4598, @skriss)
  • contour cli commands have been updated with new logging and support for testing incremental (delta) xDS variants. (#4602, @youngnick)
  • Gateway API: sets route parent status correctly when routes attach to specific Listeners. (#4604, @skriss)
  • Updated the list of supported envoy log template keywords. (#4610, @yangyy93)
  • Gateway API: set a Listener condition of Ready: false with reason Invalid when a Listener allows routes from a namespace selector but the selector is invalid. (#4615, @skriss)
  • Adds support for access log operators introduced in Envoy 1.23.0. See here for more details. (#4627, @sunjayBhatia)

Docs Changes

  • Updated SITE_CONTRIBUTION.md to reflect Hugo platform. (#4620, @gary-tai)

Deprecation and Removal Notices

Gateway API: ReferencePolicy is deprecated, will be removed next release

Gateway API has renamed ReferencePolicy to ReferenceGrant in the v0.5.0 release, while retaining the former for one release to ease migration.
Contour currently supports both, but will drop support for ReferencePolicy in the next release.
Users of ReferencePolicies must migrate their resources to ReferenceGrants ahead of the next Contour release.

(#4580, @skriss)

Installing and Upgrading

The simplest way to install v1.22.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.22.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.22.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.22.0-rc.1 is tested against Kubernetes 1.22 through 1.24.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @gary-tai
  • @izturn
  • @mmalecki
  • @sepaper
  • @yangyy93

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.21.1

Published by sunjayBhatia over 2 years ago

We are delighted to present version v1.21.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.22.2

Bumps Envoy to security patch version 1.22.2.
Envoy CI had a few issues releasing 1.22.1, so a subsequent patch, 1.22.2, was released.
Envoy announcement here.
See Envoy release notes for 1.22.1 here and 1.22.2 here.

(#4573, @sunjayBhatia)

Other Changes

  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.21.1 is tested against Kubernetes 1.21 through 1.23.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better!

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.20.2

Published by sunjayBhatia over 2 years ago

We are delighted to present version v1.20.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.21.3

Bumps Envoy to security patch version 1.21.3.
Envoy announcement here.
See Envoy release notes here.

(#4569, @sunjayBhatia)

Other Changes

  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)
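The private key validation fix (#4544) listed above, which also appears in the v1.21.1 notes, is easy to misread as cosmetic: a validator that computes but then discards the parse error accepts any bytes wrapped in an RSA PRIVATE KEY or PRIVATE KEY PEM envelope, so a broken secret is only discovered when Envoy tries to serve with it. The Go program below is an added illustration, not Contour's code: it places a lenient validator with that shape of defect next to a strict one and runs both over constructed inputs (a freshly generated PKCS#1 RSA key, a PKCS#8 ECDSA key, and a PEM block whose payload is not DER at all). The function and helper names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// validatePrivateKeyLenient reproduces the shape of the defect described in
// the release notes (#4544): the PKCS#1 and PKCS#8 parse results are thrown
// away, so a malformed key in those encodings passes validation.
// Illustrative code, not Contour's implementation.
func validatePrivateKeyLenient(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		_, _ = x509.ParsePKCS1PrivateKey(block.Bytes) // error dropped: the defect
	case "PRIVATE KEY":
		_, _ = x509.ParsePKCS8PrivateKey(block.Bytes) // error dropped: the defect
	case "EC PRIVATE KEY":
		if _, err := x509.ParseECPrivateKey(block.Bytes); err != nil {
			return err
		}
	default:
		return fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	return nil
}

// validatePrivateKeyStrict returns the parse error for every supported
// encoding and additionally rejects PKCS#8 payloads whose key type TLS
// cannot use.
func validatePrivateKeyStrict(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return errors.New("no PEM block found")
	}
	var (
		key any
		err error
	)
	switch block.Type {
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(block.Bytes)
	default:
		return fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	if err != nil {
		return fmt.Errorf("invalid %s: %w", block.Type, err)
	}
	switch key.(type) {
	case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
		return nil
	default:
		return fmt.Errorf("unsupported key type %T", key)
	}
}

// samplePKCS1PEM returns a freshly generated RSA key in PKCS#1 form (constructed input).
func samplePKCS1PEM() []byte {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}

// samplePKCS8PEM returns a P-256 ECDSA key in PKCS#8 form (constructed input).
func samplePKCS8PEM() []byte {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKCS8PrivateKey(k)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

// bogusPKCS1PEM is a well-formed PEM envelope around bytes that are not a key (constructed input).
func bogusPKCS1PEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: []byte("definitely-not-der")})
}

func main() {
	inputs := map[string][]byte{"pkcs1": samplePKCS1PEM(), "pkcs8": samplePKCS8PEM(), "bogus": bogusPKCS1PEM()}
	for name, k := range inputs {
		fmt.Printf("%-6s lenient=%v strict=%v\n", name, validatePrivateKeyLenient(k), validatePrivateKeyStrict(k))
	}
}
```

The lenient validator reports the bogus key as fine while the strict one returns the ASN.1 parse error; the point for operators is that validation errors surfaced in Contour's logs or status are the only early signal for a bad TLS secret, so a validator that swallows them is a detection gap, not just a code smell.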

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.20.2 is tested against Kubernetes 1.21 through 1.23.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better!

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.21.0

Published by skriss over 2 years ago

We are delighted to present version v1.21.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Contour leader election resource RBAC moved to namespaced Role

Previously, in our example deployment YAML, the RBAC for Contour's access to the resources used for leader election was contained in a ClusterRole, meaning that Contour required cluster-wide access to ConfigMap resources. This release also requires Contour to access Events and Leases, which would likewise have required cluster-wide access (see this PR).

In this release, we have moved the RBAC rules for leader election resources to a namespaced Role in the example Contour deployment. This change should limit Contour's default required access footprint. A corresponding namespaced RoleBinding has been added as well.

Required actions

If you are using the example deployment YAML to deploy Contour, be sure to examine and re-apply the resources in examples/contour/02-rbac.yaml and examples/contour/02-role-contour.yaml. If you have deployed Contour in a namespace other than the example projectcontour, be sure to modify the contour Role and contour-rolebinding RoleBinding resources accordingly. Similarly, if you are using the --leader-election-resource-namespace flag to customize where Contour's leader election resources reside, you must customize the new Role and RoleBinding accordingly.

(#4204, @sunjayBhatia)

Container Images Now Exclusively Published on GitHub Container Registry (GHCR)

Contour's container images are now exclusively published on GHCR. They are no longer being pushed to Docker Hub (past images have been left on Docker Hub for posterity.)

(#4314, @skriss)

Adds a contour gateway-provisioner command and deployment manifest for dynamically provisioning Gateways

Contour now has an optional Gateway provisioner that watches for Gateway custom resources and provisions Contour + Envoy instances for them. The provisioner is implemented as a new subcommand on the contour binary, contour gateway-provisioner. The examples/gateway-provisioner directory contains the YAML manifests needed to run the provisioner as a Deployment in-cluster.

By default, the Gateway provisioner will process all GatewayClasses that have a controller string of projectcontour.io/gateway-controller, along with all Gateways for them.

The Gateway provisioner is useful for users who want to dynamically provision Contour + Envoy instances based on the Gateway CRD.
It is also necessary in order to have a fully conformant Gateway API implementation.

(#4415, @skriss)

Minor Changes

Configurable access log level

The verbosity of HTTP and HTTPS access logs can now be configured to one of: info (default), error, disabled. The verbosity level is set with accesslog-level field in the configuration file or spec.envoy.logging.accessLogLevel field in ContourConfiguration.

(#4331, @tsaarni)

Leader election now only uses Lease object

Contour now only uses the Lease object to coordinate leader election. RBAC in example manifests has been updated accordingly.

Note: Upgrading to this version of Contour will explicitly require you to upgrade to Contour v1.20.0 first to ensure proper migration of leader election coordination resources.

(#4332, @sunjayBhatia)

Re-increase maximum allowed regex program size

Regex patterns that Contour configures in Envoy (for path matching etc.) are currently limited to a "program size" (an approximate cost measure) of 100. This was inadvertently set back to the Envoy default from the intended 1048576 (2^20) when moving away from using deprecated API fields. Note: regex program size is a feature of the regex library Envoy uses, Google RE2.

This limit has now been reset to the intended value and an additional program size warning threshold of 1000 has been configured.

Operators concerned with performance implications of allowing large regex programs can monitor Envoy memory usage and regex statistics. Envoy offers two statistics for monitoring regex program size, re2.program_size and re2.exceeded_warn_level. See this documentation for more detail. Future versions of Contour may allow configuration of regex program size thresholds via RTDS (Runtime Discovery Service).

(#4379, @sunjayBhatia)

Gateway API: support for processing a specific Gateway

Contour can now optionally process a specific named Gateway and associated routes. This is an alternate way to configure Contour, vs. the existing mode of specifying a GatewayClass controller string and having Contour process the first GatewayClass and associated Gateway for that controller string. This new configuration option can be specified via:

gateway:
  gatewayRef:
    namespace: gateway-namespace
    name: gateway-name

(#4410, @skriss)

Gateway provisioner: add support for more than one Gateway/Contour instance per namespace

The Gateway provisioner now supports having more than one Gateway/Contour instance per namespace. All resource names now include a -<gateway-name> suffix to avoid conflicts (cluster-scoped resources also include the namespace as part of the resource name). Contour instances are always provisioned in the namespace of the Gateway custom resource itself.

(#4426, @skriss)

Gateway provisioner: generate xDS TLS certs directly

The Gateway provisioner now generates xDS TLS certificates directly, rather than using a "certgen" job to trigger certificate generation. This simplifies operations and reduces the RBAC permissions that the provisioner requires. Certificates will still be rotated each time the provisioner is upgraded to a new version.

(#4432, @skriss)

Gateway provisioner: support requesting a specific address

The Gateway provisioner now supports requesting a specific Gateway address, via the Gateway's spec.addresses field. Only one address is supported, and it must be either an IPAddress or Hostname type. The value of this address will be used to set the provisioned Envoy service's spec.loadBalancerIP field. If, for any reason, the requested address is not assigned to the Gateway, the Gateway will have a condition of "Ready: false" with a reason of AddressesNotAssigned.

If no address is requested, no value will be specified in the provisioned Envoy service's spec.loadBalancerIP field, and an address will be assigned by the load balancer provider.

(#4443, @skriss)

All ContourConfiguration CRD fields are now optional

To better manage configuration defaults, all ContourConfiguration CRD fields are now optional without defaults. Instead, Contour itself will apply defaults to any relevant fields that have not been specified by the user when it starts up, similarly to how processing of the Contour ConfigMap works today. The default values that Contour uses are documented in the ContourConfiguration CRD's API documentation.

(#4451, @skriss)

ContourDeployment CRD now supports additional options

The ContourDeployment CRD, which can be used as parameters for a Contour-controlled GatewayClass, now supports additional options for customizing your Contour/Envoy installations:

  • Contour deployment replica count
  • Contour deployment node placement settings (node selectors and/or tolerations)
  • Envoy workload type (daemonset or deployment)
  • Envoy replica count (if using a deployment)
  • Envoy service type and annotations
  • Envoy node placement settings (node selectors and/or tolerations)

(#4472, @skriss)

Query parameter hash based load balancing

Contour users can now configure their load balancing policies on HTTPProxy resources to hash the query parameter on a request to ensure consistent routing to a backend service instance.

See this page for more details on this feature.

Credit to @pkit for implementing this feature!

(#4508, @sunjayBhatia)

Other Changes

  • Allow the contour --ingress-class-name value to be a comma-separated list of classes to match against. Contour will process Ingress and HTTPProxy objects with any of the specified ingress classes. (Note that the alpha ContourConfiguration CRD has also been changed to use a ClassNames array field instead of a scalar ClassName field.) (#4109, @erwbgy)
  • Don't check for or log errors for unsupported annotations on objects that Contour doesn't care about (e.g. ingresses for a different class than Contour's). (#4304, @skriss)
  • Explicitly disable controller-runtime manager metrics and health listeners. (#4312, @sunjayBhatia)
  • Removed code duplication for the secret validation in the dag package. (#4316, @alessandroargentieri)
  • Node labels in localhost:6060/debug/dag troubleshooting API are sanitized by html-escaping user fields. (#4323, @kb000)
  • Upstream TCP connection timeout is now configurable in configuration file and in ContourConfiguration. (#4326, @tsaarni)
  • Drops RBAC and caching for the networking.k8s.io/IngressClass resource as it's not used by Contour. (#4329, @skriss)
  • Fixed a bug where the upstream TLS SNI (the Host key of HTTPProxy.spec.routes.requestHeadersPolicy) and protocol fields might not take effect when, e.g., two HTTPProxies were otherwise equal but differed only on those fields. (#4350, @tsaarni)
  • New field HTTPProxy.spec.routes.timeoutPolicy.idleConnection was added. The field sets the timeout for how long the upstream connection is kept idle between requests before it is disconnected. (#4356, @tsaarni)
  • Update github.com/prometheus/client_golang to v1.11.1 to address CVE-2022-21698. (#4361, @tsaarni)
  • Envoy's merge_slashes option, which enables a non-standard path transformation that replaces multiple consecutive slashes in a URL path with a single slash, can now be disabled by setting the DisableMergeSlashes option in the Contour config file or ContourConfiguration custom resource. (#4363, @mszabo-wikia)
  • Updates Envoy to v1.21.1. See the Envoy changelog for details. (#4365, @skriss)
  • Add base implementation for RTDS (Runtime Discovery Service). This will be used to enable dynamic configuration of Envoy Runtime settings. (#4380, @sunjayBhatia)
  • Ensure controller-runtime logging is properly configured to log to Contour's logrus Logger instance. (#4391, @sunjayBhatia)
  • Adds an optional --name-prefix flag to the contour certgen command which, if specified, will be added as a prefix to the names of the generated Kubernetes secrets (e.g. myprefix-contourcert and myprefix-envoycert). (#4394, @skriss)
  • Replaced all usages of header_match and exact_match with string_match. (#4397, @rajatvig)
  • Use the protocol field from the Cluster when performing the health check (#4398, @rajatvig)
  • Removed the hack for ImagePullPolicy for certgen (#4402, @rajatvig)
  • internal/envoy: Enable gzip compression for grpc-web content types. (#4403, @bourquep)
  • In the example manifests, leave imagePullPolicy as Always on main branch and only change to IfNotPresent on release branches/release-tagged manifests. (#4406, @rajatvig)
  • Upgrade to Go 1.18.0. (#4412, @skriss)
  • Add grpc_stats filter for Envoy and add the ability to log "grpc_status" to the Envoy access log. (#4424, @rajatvig)
  • Gateway provisioner: set the GatewayClass "Accepted" condition based on the validity of its parametersRef, if it has one. Also only reconciles Gateways for GatewayClasses with "Accepted: true". (#4440, @skriss)
  • The Gateway provisioner now provisions a ContourConfiguration resource instead of a ConfigMap for describing Contour's configuration. (#4454, @skriss)
  • Uses the ContourConfigurationSpec defined as part of a GatewayClass's ContourDeployment parameters when provisioning a ContourConfiguration for a Gateway. (#4459, @skriss)
  • Gateway API: set appropriate conditions on Listeners if they don't specify the same port as other Listeners for their protocol group (i.e. HTTP, or HTTPS/TLS) or don't have a unique hostname within their group. (#4462, @skriss)
  • Add an example to show how to do blue-green deployment under Gateway-API mode. (#4466, @izturn)
  • Fix improper use of OriginalIPDetectionFilter in HTTPConnectionManager. Reverts back to XffNumTrustedHops setting which was un-deprecated in Envoy 1.20. (#4470, @sunjayBhatia)
  • Gateway provisioner: change default controller name to projectcontour.io/gateway-controller. (#4474, @skriss)
  • Gateway API: when an HTTPRoute or TLSRoute has a cross-namespace backend ref that's not permitted by a ReferencePolicy, set the reason for the ResolvedRefs: false condition to RefNotPermitted instead of Degraded. (#4482, @skriss)
  • Add support for Contour to produce logs in JSON format by specifying --log-format=json command line switch. (#4486, @tsaarni)
  • Use typed config for all Envoy extensions in place of well-known names or internal type URL constants, for consistency and forwards-compatibility. (#4487, @skriss)
  • Updates to Envoy 1.22.0. See the Envoy release notes for more information. (#4488, @skriss)
  • Updates Gateway API to v0.4.3 and adds the Gateway API validating webhook to Contour's Gateway API example YAML. (#4489, @skriss)
  • Gateway API: adjusts logic for finding intersecting hostnames between a Listener and a Route to ignore non-matching hosts rather than reporting an error for them. (#4505, @skriss)
  • Upgrade to Go 1.18.1. (#4509, @sunjayBhatia)
  • Remove ContourConfiguration kubebuilder enum validations, and add equivalent validations in Contour code. (#4511, @skriss)
  • Gateway API: fixes a bug where a route would be marked "Accepted: false" with reason "NoIntersectingHostnames" if it did not have intersecting hostnames with every Listener. Now, as long as the route's hostnames intersect with at least one Listener, it's accepted. (#4512, @skriss)

Docs Changes

  • The AWS NLB deployment guide has been updated, and the annotation service.beta.kubernetes.io/aws-load-balancer-type has been changed to external. It should now work correctly with the given YAMLs. (#4347, @yankay)
  • Added documentation for HTTPProxy request redirection. (#4367, @sunjayBhatia)
  • Add pathType field to Ingress resource. (#4446, @lou-lan)

Deprecation and Removal Notices

Remove leader election configuration from configuration file

Leader election configuration via configuration file was deprecated in Contour v1.20.0.
Configuration of leader election lease details and resource must now be done via command line flag.

(#4340, @sunjayBhatia)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.21.0 is tested against Kubernetes 1.21 through 1.23.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @alessandroargentieri
  • @bourquep
  • @erwbgy
  • @izturn
  • @kb000
  • @lou-lan
  • @mszabo-wikia
  • @rajatvig
  • @yankay

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.21.0-rc.1

Published by sunjayBhatia over 2 years ago

We are delighted to present version v1.21.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Contour leader election resource RBAC moved to namespaced Role

Previously, in our example deployment YAML, the RBAC for Contour's access to the resources used for leader election was contained in a ClusterRole, meaning that Contour required cluster-wide access to ConfigMap resources.
This release also requires Contour to access Events and Leases, which would likewise have required cluster-wide access (see this PR).

In this release, we have moved the RBAC rules for leader election resources to a namespaced Role in the example Contour deployment.
This change should limit Contour's default required access footprint.
A corresponding namespaced RoleBinding has been added as well.

Required actions

If you are using the example deployment YAML to deploy Contour, be sure to examine and re-apply the resources in examples/contour/02-rbac.yaml and examples/contour/02-role-contour.yaml.
If you have deployed Contour in a namespace other than the example projectcontour, be sure to modify the contour Role and contour-rolebinding RoleBinding resources accordingly.
Similarly, if you are using the --leader-election-resource-namespace flag to customize where Contour's leader election resources reside, you must customize the new Role and RoleBinding accordingly.

(#4204, @sunjayBhatia)
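As an added illustration of the least-privilege point made above (this section and the same note in the v1.21.0 release), the Go program below audits RBAC rules the way a reviewer would check the example manifests: any ClusterRole rule still granting ConfigMaps, Events or Leases is flagged as a cluster-wide grant that now belongs in the namespaced Role, and the Role is checked for covering all three resources. This is not Contour's code; the PolicyRule struct is a hand-written stand-in for rbac/v1.PolicyRule so the program has no Kubernetes dependency, and the rule sets are constructed approximations of the old and new manifests (the verb lists are illustrative, not Contour's exact ones).

```go
package main

import "fmt"

// PolicyRule holds the RBAC fields this check needs. It is a hand-written
// stand-in for rbac/v1.PolicyRule so the example has no Kubernetes dependency.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// leaderElectionResources are the resources the release notes name as used for
// leader election; after this change they belong in a namespaced Role.
var leaderElectionResources = []struct{ Group, Resource string }{
	{"", "configmaps"},
	{"", "events"},
	{"coordination.k8s.io", "leases"},
}

// has reports whether list names want, treating "*" as a wildcard the way RBAC does.
func has(list []string, want string) bool {
	for _, s := range list {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

// matches reports whether a rule grants some access to group/resource.
func matches(r PolicyRule, group, resource string) bool {
	return has(r.APIGroups, group) && has(r.Resources, resource)
}

// ClusterWideLeaderElectionGrants lists the leader-election resources a
// ClusterRole still grants. The least-privilege target after this release is
// an empty list: those grants should live in the namespaced Role instead.
func ClusterWideLeaderElectionGrants(clusterRules []PolicyRule) []string {
	var out []string
	for _, le := range leaderElectionResources {
		for _, r := range clusterRules {
			if matches(r, le.Group, le.Resource) {
				out = append(out, le.Resource)
				break
			}
		}
	}
	return out
}

// MissingFromRole lists the leader-election resources the namespaced Role does
// not grant at all, i.e. what Contour would lack once the ClusterRole is tightened.
func MissingFromRole(roleRules []PolicyRule) []string {
	var out []string
	for _, le := range leaderElectionResources {
		found := false
		for _, r := range roleRules {
			if matches(r, le.Group, le.Resource) {
				found = true
				break
			}
		}
		if !found {
			out = append(out, le.Resource)
		}
	}
	return out
}

// Constructed rule sets: roughly what the old ClusterRole carried and what the
// new namespaced Role carries. Verb sets are illustrative, not Contour's exact ones.
var (
	oldClusterRole = []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"configmaps", "events"}, Verbs: []string{"create", "get", "update"}},
		{APIGroups: []string{"coordination.k8s.io"}, Resources: []string{"leases"}, Verbs: []string{"create", "get", "update"}},
		{APIGroups: []string{"networking.k8s.io"}, Resources: []string{"ingresses"}, Verbs: []string{"get", "list", "watch"}},
	}
	newClusterRole = oldClusterRole[2:] // leader-election rules removed
	namespacedRole = oldClusterRole[:2] // the same rules, now scoped to one namespace
)

func main() {
	fmt.Println("old ClusterRole cluster-wide leader-election grants:", ClusterWideLeaderElectionGrants(oldClusterRole))
	fmt.Println("new ClusterRole cluster-wide leader-election grants:", ClusterWideLeaderElectionGrants(newClusterRole))
	fmt.Println("missing from namespaced Role:", MissingFromRole(namespacedRole))
}
```

The runtime counterpart of this check, after applying the new manifests, is kubectl auth can-i with --as set to Contour's service account and --all-namespaces: the answer for get on configmaps should be "no" cluster-wide and "yes" only in the namespace the Role is bound in (the service account name is whatever your deployment uses; the example manifests' name is not stated in these notes).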

Container Images Now Exclusively Published on GitHub Container Registry (GHCR)

Contour's container images are now exclusively published on GHCR. They are no longer being pushed to Docker Hub (past images have been left on Docker Hub for posterity.)

(#4314, @skriss)

Adds a contour gateway-provisioner command and deployment manifest for dynamically provisioning Gateways

Contour now has an optional Gateway provisioner that watches for Gateway custom resources and provisions Contour + Envoy instances for them.
The provisioner is implemented as a new subcommand on the contour binary, contour gateway-provisioner.
The examples/gateway-provisioner directory contains the YAML manifests needed to run the provisioner as a Deployment in-cluster.

By default, the Gateway provisioner will process all GatewayClasses that have a controller string of projectcontour.io/gateway-provisioner, along with all Gateways for them.

The Gateway provisioner is useful for users who want to dynamically provision Contour + Envoy instances based on the Gateway CRD.
It is also necessary in order to have a fully conformant Gateway API implementation.

(#4415, @skriss)

Minor Changes

Configurable access log level

The verbosity of HTTP and HTTPS access logs can now be configured to one of: info (default), error, disabled.
The verbosity level is set with accesslog-level field in the configuration file or spec.envoy.logging.accessLogLevel field in ContourConfiguration.

(#4331, @tsaarni)

Leader election now only uses Lease object

Contour now only uses the Lease object to coordinate leader election.
RBAC in example manifests has been updated accordingly.

Note: Upgrading to this version of Contour will explicitly require you to upgrade to Contour v1.20.0 first to ensure proper migration of leader election coordination resources.

(#4332, @sunjayBhatia)

Re-increase maximum allowed regex program size

Regex patterns that Contour configures in Envoy (for path matching etc.) are currently limited to a "program size" (an approximate cost measure) of 100.
This was inadvertently set back to the Envoy default from the intended 1048576 (2^20) when moving away from using deprecated API fields.
Note: regex program size is a feature of the regex library Envoy uses, Google RE2.

This limit has now been reset to the intended value and an additional program size warning threshold of 1000 has been configured.

Operators concerned with performance implications of allowing large regex programs can monitor Envoy memory usage and regex statistics.
Envoy offers two statistics for monitoring regex program size, re2.program_size and re2.exceeded_warn_level.
See this documentation for more detail.
Future versions of Contour may allow configuration of regex program size thresholds via RTDS (Runtime Discovery Service).

(#4379, @sunjayBhatia)
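To make the program-size discussion above (this section and its twin in the v1.21.0 notes) concrete: an operator can estimate the cost of a path-matching pattern before it reaches Envoy, rather than only watching re2.program_size after the fact. The Go program below is an added example and not Contour's code. It uses the standard library's regexp/syntax, which is a port of RE2, so its instruction count is an approximation of Envoy's re2.program_size rather than the same number, and it classifies patterns against the 1000 warning threshold and 2^20 hard limit quoted above. The patterns and the Verdict type are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp/syntax"
)

// Thresholds from the release note: a warning level of 1000 and a hard limit of 2^20.
const (
	warnThreshold  = 1000
	maxProgramSize = 1 << 20
)

// Verdict is this example's classification of a pattern.
type Verdict string

const (
	VerdictOK     Verdict = "ok"
	VerdictWarn   Verdict = "warn"   // above the warning threshold, still accepted
	VerdictReject Verdict = "reject" // above the hard limit
)

// programSize parses pattern and returns the instruction count of the compiled
// program. Go's regexp/syntax instruction set differs from RE2's, so this is an
// estimate of Envoy's re2.program_size, not the exact value.
func programSize(pattern string) (int, error) {
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err != nil {
		return 0, err
	}
	// Simplify expands counted repeats such as x{1000} into explicit copies,
	// which is exactly the cost the program-size limit is meant to catch.
	prog, err := syntax.Compile(re.Simplify())
	if err != nil {
		return 0, err
	}
	return len(prog.Inst), nil
}

// Classify returns a verdict for pattern against the two thresholds, along
// with the estimated size so the caller can log it.
func Classify(pattern string) (Verdict, int, error) {
	n, err := programSize(pattern)
	if err != nil {
		return "", 0, err
	}
	switch {
	case n > maxProgramSize:
		return VerdictReject, n, nil
	case n > warnThreshold:
		return VerdictWarn, n, nil
	default:
		return VerdictOK, n, nil
	}
}

func main() {
	// Constructed patterns: a typical path match and a counted repeat that
	// expands past the warning threshold.
	for _, p := range []string{"/api/v1/users/[0-9]+", "[a-z]{1000}[0-9]{20}"} {
		v, n, err := Classify(p)
		fmt.Printf("%-24q size=%-5d verdict=%s err=%v\n", p, n, v, err)
	}
}
```

A reviewer of HTTPProxy or HTTPRoute changes can run candidate patterns through Classify in CI; anything that lands in the warn band is worth a look at Envoy memory after rollout, using the re2.program_size and re2.exceeded_warn_level statistics named above.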

Gateway API: support for processing a specific Gateway

Contour can now optionally process a specific named Gateway and associated routes.
This is an alternate way to configure Contour, vs. the existing mode of specifying a GatewayClass controller string and having Contour process the first GatewayClass and associated Gateway for that controller string.
This new configuration option can be specified via:

gateway:
  gatewayRef:
    namespace: gateway-namespace
    name: gateway-name

(#4410, @skriss)

Gateway provisioner: add support for more than one Gateway/Contour instance per namespace

The Gateway provisioner now supports having more than one Gateway/Contour instance per namespace.
All resource names now include a -<gateway-name> suffix to avoid conflicts (cluster-scoped resources also include the namespace as part of the resource name).
Contour instances are always provisioned in the namespace of the Gateway custom resource itself.

(#4426, @skriss)

Gateway provisioner: generate xDS TLS certs directly

The Gateway provisioner now generates xDS TLS certificates directly, rather than using a "certgen" job to trigger certificate generation.
This simplifies operations and reduces the RBAC permissions that the provisioner requires.
Certificates will still be rotated each time the provisioner is upgraded to a new version.

(#4432, @skriss)

Gateway provisioner: support requesting a specific address

The Gateway provisioner now supports requesting a specific Gateway address, via the Gateway's spec.addresses field.
Only one address is supported, and it must be either an IPAddress or Hostname type.
The value of this address will be used to set the provisioned Envoy service's spec.loadBalancerIP field.
If, for any reason, the requested address is not assigned to the Gateway, the Gateway will have a condition of "Ready: false" with a reason of AddressesNotAssigned.

If no address is requested, no value will be specified in the provisioned Envoy service's spec.loadBalancerIP field, and an address will be assigned by the load balancer provider.

(#4443, @skriss)

All ContourConfiguration CRD fields are now optional

To better manage configuration defaults, all ContourConfiguration CRD fields are now optional without defaults.
Instead, Contour itself will apply defaults to any relevant fields that have not been specified by the user when it starts up, similarly to how processing of the Contour ConfigMap works today.
The default values that Contour uses are documented in the ContourConfiguration CRD's API documentation.

(#4451, @skriss)

ContourDeployment CRD now supports additional options

The ContourDeployment CRD, which can be used as parameters for a Contour-controlled GatewayClass, now supports additional options for customizing your Contour/Envoy installations:

  • Contour deployment replica count
  • Contour deployment node placement settings (node selectors and/or tolerations)
  • Envoy workload type (daemonset or deployment)
  • Envoy replica count (if using a deployment)
  • Envoy service type and annotations
  • Envoy node placement settings (node selectors and/or tolerations)

(#4472, @skriss)

Other Changes

  • Allow the contour --ingress-class-name value to be a comma-separated list of classes to match against. Contour will process Ingress and HTTPProxy objects with any of the specified ingress classes. (Note that the alpha ContourConfiguration CRD has also been changed to use a ClassNames array field instead of a scalar ClassName field.) (#4109, @erwbgy)
  • Don't check for or log errors for unsupported annotations on objects that Contour doesn't care about (e.g. ingresses for a different class than Contour's). (#4304, @skriss)
  • Explicitly disable controller-runtime manager metrics and health listeners. (#4312, @sunjayBhatia)
  • Removed code duplication for the secret validation in the dag package. (#4316, @alessandroargentieri)
  • Node labels in localhost:6060/debug/dag troubleshooting API are sanitized by html-escaping user fields. (#4323, @kb000)
  • Upstream TCP connection timeout is now configurable in configuration file and in ContourConfiguration. (#4326, @tsaarni)
  • Drops RBAC and caching for the networking.k8s.io/IngressClass resource as it's not used by Contour. (#4329, @skriss)
  • Fixed a bug where the upstream TLS SNI (the Host key of HTTPProxy.spec.routes.requestHeadersPolicy) and protocol fields might not take effect when, e.g., two HTTPProxies were otherwise equal but differed only on those fields. (#4350, @tsaarni)
  • New field HTTPProxy.spec.routes.timeoutPolicy.idleConnection was added. The field sets the timeout for how long the upstream connection is kept idle between requests before it is disconnected. (#4356, @tsaarni)
  • Update github.com/prometheus/client_golang to v1.11.1 to address CVE-2022-21698. (#4361, @tsaarni)
  • Envoy's merge_slashes option, which enables a non-standard path transformation that replaces multiple consecutive slashes in a URL path with a single slash, can now be disabled by setting the DisableMergeSlashes option in the Contour config file or ContourConfiguration custom resource. (#4363, @mszabo-wikia)
  • Updates Envoy to v1.21.1. See the Envoy changelog for details. (#4365, @skriss)
  • Add base implementation for RTDS (Runtime Discovery Service). This will be used to enable dynamic configuration of Envoy Runtime settings. (#4380, @sunjayBhatia)
  • Ensure controller-runtime logging is properly configured to log to Contour's logrus Logger instance. (#4391, @sunjayBhatia)
  • Adds an optional --name-prefix flag to the contour certgen command which, if specified, will be added as a prefix to the names of the generated Kubernetes secrets (e.g. myprefix-contourcert and myprefix-envoycert). (#4394, @skriss)
  • Replaced all usages of header_match and exact_match with string_match. (#4397, @rajatvig)
  • Use the protocol field from the Cluster when performing the health check (#4398, @rajatvig)
  • Removed the hack for ImagePullPolicy for certgen (#4402, @rajatvig)
  • internal/envoy: Enable gzip compression for grpc-web content types. (#4403, @bourquep)
  • In the example manifests, leave imagePullPolicy as Always on main branch and only change to IfNotPresent on release branches/release-tagged manifests. (#4406, @rajatvig)
  • Upgrade to Go 1.18.0. (#4412, @skriss)
  • Add grpc_stats filter for Envoy and add the ability to log "grpc_status" to the Envoy access log (#4424, @rajatvig)
  • Gateway provisioner: set the GatewayClass "Accepted" condition based on the validity of its parametersRef, if it has one. Also only reconciles Gateways for GatewayClasses with "Accepted: true". (#4440, @skriss)
  • The Gateway provisioner now provisions a ContourConfiguration resource instead of a ConfigMap for describing Contour's configuration. (#4454, @skriss)
  • Uses the ContourConfigurationSpec defined as part of a GatewayClass's ContourDeployment parameters when provisioning a ContourConfiguration for a Gateway. (#4459, @skriss)
  • Gateway API: set appropriate conditions on Listeners if they don't specify the same port as other Listeners for their protocol group (i.e. HTTP, or HTTPS/TLS) or don't have a unique hostname within their group. (#4462, @skriss)
  • Add an example to show how to do blue-green deployment under Gateway-API mode. (#4466, @izturn)
  • Fix improper use of OriginalIPDetectionFilter in HTTPConnectionManager. Reverts back to XffNumTrustedHops setting which was un-deprecated in Envoy 1.20. (#4470, @sunjayBhatia)
  • Gateway provisioner: change default controller name to projectcontour.io/gateway-controller. (#4474, @skriss)
  • Gateway API: when an HTTPRoute or TLSRoute has a cross-namespace backend ref that's not permitted by a ReferencePolicy, set the reason for the ResolvedRefs: false condition to RefNotPermitted instead of Degraded. (#4482, @skriss)
  • Use typed config for all Envoy extensions in place of well-known names or internal type URL constants, for consistency and forwards-compatibility. (#4487, @skriss)
  • Updates to Envoy 1.22.0. See the Envoy release notes for more information. (#4488, @skriss)

Docs Changes

  • The AWS NLB deployment guide has been updated, and the annotation service.beta.kubernetes.io/aws-load-balancer-type has been changed to external. It should now work correctly with the given YAMLs. (#4347, @yankay)
  • Added documentation for HTTPProxy request redirection. (#4367, @sunjayBhatia)
  • Add pathType field to Ingress resource. (#4446, @lou-lan)

Deprecation and Removal Notices

Remove leader election configuration from configuration file

Leader election configuration via configuration file was deprecated in Contour v1.20.0.
Configuration of leader election lease details and resource must now be done via command line flag.

(#4340, @sunjayBhatia)

Installing

The simplest way to install v1.21.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.21.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.21.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.21.0-rc.1 is tested against Kubernetes 1.21 through 1.23.

Documentation

Documentation corresponding to v1.21.0-rc.1 can be found at https://projectcontour.io/docs/main/.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

  • @alessandroargentieri
  • @bourquep
  • @erwbgy
  • @izturn
  • @kb000
  • @lou-lan
  • @mszabo-wikia
  • @rajatvig
  • @yankay

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.