Contour is a Kubernetes ingress controller using Envoy proxy.
APACHE-2.0 License
Published by sunjayBhatia over 1 year ago
We are delighted to present version v1.24.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.24.1 is tested against Kubernetes 1.24 through 1.26.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by sunjayBhatia over 1 year ago
We are delighted to present version v1.23.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.23.3 is tested against Kubernetes 1.23 through 1.25.
Published by sunjayBhatia over 1 year ago
We are delighted to present version v1.22.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.22.4 is tested against Kubernetes 1.22 through 1.24.
Published by sunjayBhatia over 1 year ago
We are delighted to present version v1.24.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Duplicate include conditions are now correctly identified and HTTPProxies are marked with the condition IncludeError and reason DuplicateMatchConditions.
Previously the HTTPProxy processor was only comparing adjacent includes and comparing conditions element by element rather than as a whole, ANDed together.
In addition, the previous behavior when duplicate Include Conditions were identified was to throw out all routes, including valid ones, on the offending HTTPProxy.
Any referenced child HTTPProxies were marked as Orphaned as a result, even if they were included correctly.
With this change, all valid Includes and Route rules are processed and programmed in the data plane, which is a difference in behavior from previous releases.
An Include is deemed to be a duplicate if it has the exact same match Conditions as an Include that precedes it in the list.
Only child HTTPProxies that are referenced by a duplicate Include and not in any other valid Include are marked as Orphaned.
A caveat to the above is that an empty list of include conditions, or a set of conditions that consists only of the prefix match on /, is not treated as a duplicate.
This special case has been added because many users rely on the behavior this enables and many Contour examples demonstrating inclusion actually use it.
For example:
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example
spec:
  virtualhost:
    fqdn: foo-example.bar.com
  includes:
  - name: example-child1
  - name: example-child2
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example-child1
spec:
  routes:
  - conditions:
    - prefix: /
    services:
    - name: s1
      port: 80
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example-child2
spec:
  routes:
  - conditions:
    - prefix: /foo
    services:
    - name: s2
      port: 80
While the include conditions are equivalent, the resulting routing rules when the child routes are taken into account are distinct.
This special casing is a stop-gap for this release, to ensure we do not break users' configuration that is currently valid and working.
Currently duplicate route conditions are not checked in an HTTPProxy include tree or within an individual HTTPProxy.
This means that you can have routes listed later in the list of routes on an HTTPProxy silently override others.
The same can happen if you have an include tree that generates duplicate routes based on the include conditions and route conditions.
If you are relying on this behavior, changes will be coming in the next Contour release.
We will be submitting a design document to address this as it will be a significant behavior change and encourage the community to weigh in.
The current plan is to fully validate duplicate route match conditions as they are generated from the tree of includes and routes.
There will likely be changes to status conditions set on HTTPRoutes to improve reporting such invalid configuration.
(#4931, #5017, @sunjayBhatia)
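The duplicate-include rules described above, written out as an added Go example (not Contour's own code). The Condition, Include and Result types and the sample data are hypothetical, and the canonical form used for comparison (prefixes joined in order, header matches compared case-insensitively and in any order) is an assumption of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Condition is a simplified match condition (hypothetical type for this
// example): set Prefix for a path prefix, or Header/Exact for a header match.
type Condition struct {
	Prefix string
	Header string
	Exact  string
}

// Include is a simplified HTTPProxy include: a child name plus its conditions.
type Include struct {
	Name       string
	Conditions []Condition
}

// conditionKey reduces a whole condition list to one comparable string,
// because the conditions of an include are ANDed together. Assumption of this
// example: prefixes are joined in order, header matches are order-insensitive.
func conditionKey(conds []Condition) string {
	var segs, headers []string
	for _, c := range conds {
		if p := strings.Trim(c.Prefix, "/"); p != "" {
			segs = append(segs, p)
		}
		if c.Header != "" {
			headers = append(headers, fmt.Sprintf("%q=%q", strings.ToLower(c.Header), c.Exact))
		}
	}
	sort.Strings(headers)
	return "/" + strings.Join(segs, "/") + "|" + strings.Join(headers, "&")
}

// Result lists the include indexes flagged as duplicates and the children
// that end up orphaned.
type Result struct {
	Duplicates []int
	Orphaned   []string
}

// CheckIncludes flags every include whose conditions equal those of any
// earlier include (not only the adjacent one). Includes with no conditions or
// only "prefix: /" are exempt, matching the special case in the release notes.
func CheckIncludes(includes []Include) Result {
	rootKey := conditionKey(nil)
	seen := map[string]bool{}
	valid := map[string]bool{}
	var res Result
	for i, inc := range includes {
		key := conditionKey(inc.Conditions)
		if key != rootKey && seen[key] {
			res.Duplicates = append(res.Duplicates, i)
			continue
		}
		seen[key] = true
		valid[inc.Name] = true
	}
	// A child is orphaned only if no valid include references it.
	flagged := map[string]bool{}
	for _, i := range res.Duplicates {
		name := includes[i].Name
		if !valid[name] && !flagged[name] {
			flagged[name] = true
			res.Orphaned = append(res.Orphaned, name)
		}
	}
	return res
}

// sampleIncludes is constructed input for the example.
func sampleIncludes() []Include {
	return []Include{
		{Name: "team-a", Conditions: []Condition{{Prefix: "/api"}, {Header: "x-env", Exact: "prod"}}},
		{Name: "team-b", Conditions: []Condition{{Prefix: "/web"}}},
		// Same conditions as index 0, listed in a different order.
		{Name: "team-c", Conditions: []Condition{{Header: "X-Env", Exact: "prod"}, {Prefix: "/api"}}},
		// Same conditions as index 1; team-b stays valid through index 1.
		{Name: "team-b", Conditions: []Condition{{Prefix: "/web"}}},
		{Name: "child1"}, // exempt: no conditions
		{Name: "child2", Conditions: []Condition{{Prefix: "/"}}}, // exempt: prefix /
	}
}

func main() {
	res := CheckIncludes(sampleIncludes())
	fmt.Println("duplicate include indexes:", res.Duplicates)
	fmt.Println("orphaned children:", res.Orphaned)
}
```

Running a check like this over manifests before an upgrade shows which includes would newly carry IncludeError and which children would be orphaned.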
See the Gateway API release notes for more detail on the API changes.
This version of the API includes a few changes relevant to Contour users:
(#4944, @sunjayBhatia)
The liveness probe has been removed from the Envoy pods' shutdown-manager sidecar container.
This change is to mitigate a problem where when the liveness probe fails, the shutdown-manager container is restarted by itself.
This ultimately has the unintended effect of causing the envoy container to be stuck indefinitely in a "DRAINING" state and not serving traffic.
Overall, not having the liveness probe on the shutdown-manager container is less bad because envoy pods are less likely to get stuck in "DRAINING" indefinitely.
In the worst case, during termination of an Envoy pod (due to upgrade, scaling, etc.), shutdown-manager is truly unresponsive, in which case the envoy container will simply terminate without first draining active connections.
If appropriate (i.e. during an upgrade), a new Envoy pod will then be created and re-added to the set of ready Envoys to load balance traffic to.
(#4967, @skriss)
HTTPProxy.Route.Service and HTTPProxy.TCPProxy.Service now have an optional HealthPort field which specifies a health check port that is different from the routing port. If not specified, the service Port field is used for health checking.
(#4761, @yangyy93)
Contour no longer validates Secrets that are not used by an Ingress, HTTPProxy, Gateway, or Contour global config.
Validation is now performed as needed when a Secret is referenced.
This change also replaces misleading "Secret not found" error conditions with more specific errors when a Secret referenced by one of the above objects does exist, but is not valid.
(#4788, @skriss)
By default, when client certificate validation is configured, client certificates are required.
However, some applications might support different authentication schemes.
You can now set the httpproxy.spec.virtualhost.tls.clientValidation.optionalClientCertificate field to true. A client certificate will be requested, but the connection is allowed to continue if the client does not provide one.
If a client certificate is sent, it will be verified according to the other properties, which includes disabling validations if httpproxy.spec.virtualhost.tls.clientValidation.skipClientCertValidation is set.
(#4796, @gautierdelorme)
HTTPProxy now supports passing certificate data through the x-forwarded-client-cert header to let applications use details from client certificates (e.g. Subject, SAN...).
Since the certificate (or the certificate chain) could exceed the web server header size limit, you have the ability to select what specific part of the certificate to expose in the header through the httpproxy.spec.virtualhost.tls.clientValidation.forwardClientCertificate field.
Read more about the supported values in the Envoy documentation.
(#4797, @gautierdelorme)
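On the application side, the x-forwarded-client-cert value has to be parsed before Subject or SAN details can be used. The following Go parser is an added example, not code from Contour or Envoy; it generalizes to header values with several comma-separated elements, and the function names and the sample header are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// XFCCElement holds the key/value pairs one proxy hop added. Keys such as
// DNS or URI can repeat, so each key maps to a slice.
type XFCCElement map[string][]string

// ParseXFCC splits an x-forwarded-client-cert value into elements (comma
// separated) and key=value pairs (semicolon separated). Inside double quotes
// ',' ';' and '=' are literal, and \" is an escaped quote.
func ParseXFCC(header string) ([]XFCCElement, error) {
	var elems []XFCCElement
	cur := XFCCElement{}
	var buf strings.Builder
	inQuote, escaped := false, false

	endPair := func() error {
		pair := buf.String()
		buf.Reset()
		if strings.TrimSpace(pair) == "" {
			return nil
		}
		key, val, ok := strings.Cut(pair, "=")
		key = strings.TrimSpace(key)
		if !ok || key == "" {
			return fmt.Errorf("malformed pair %q", pair)
		}
		cur[key] = append(cur[key], val)
		return nil
	}
	endElement := func() error {
		if err := endPair(); err != nil {
			return err
		}
		if len(cur) > 0 {
			elems = append(elems, cur)
			cur = XFCCElement{}
		}
		return nil
	}

	for _, r := range header {
		var err error
		switch {
		case escaped:
			if r != '"' {
				buf.WriteByte('\\') // keep backslashes that are not quote escapes
			}
			buf.WriteRune(r)
			escaped = false
		case inQuote && r == '\\':
			escaped = true
		case r == '"':
			inQuote = !inQuote
		case !inQuote && r == ';':
			err = endPair()
		case !inQuote && r == ',':
			err = endElement()
		default:
			buf.WriteRune(r)
		}
		if err != nil {
			return nil, err
		}
	}
	if inQuote {
		return nil, errors.New("unterminated quoted value")
	}
	if err := endElement(); err != nil {
		return nil, err
	}
	return elems, nil
}

// NearestHop returns the last element, the one appended by the proxy closest
// to the application; earlier elements come from hops further away.
func NearestHop(header string) (XFCCElement, error) {
	elems, err := ParseXFCC(header)
	if err != nil {
		return nil, err
	}
	if len(elems) == 0 {
		return nil, errors.New("no client certificate details present")
	}
	return elems[len(elems)-1], nil
}

// sampleXFCC is a constructed header value with two elements.
const sampleXFCC = `Hash=0a1b2c;Subject="CN=edge-lb,O=Example";URI=spiffe://example.test/edge,` +
	`Hash=3d4e5f;Subject="CN=client-a,O=Example Corp";DNS=a.example.test;DNS=b.example.test`

func main() {
	hop, err := NearestHop(sampleXFCC)
	fmt.Println(hop["Subject"], hop["DNS"], err)
}
```

An empty or absent header yields an error from NearestHop, which is the case an application has to handle when optionalClientCertificate lets a connection proceed without a certificate.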
Envoy's treatment of the Server header on responses can now be configured in the Contour config file or ContourConfiguration CRD.
When configured as overwrite, Envoy overwrites any Server header with "envoy".
When configured as append_if_absent, if a Server header is present, Envoy will pass it through, otherwise, it will set it to "envoy".
When configured as pass_through, Envoy passes through the value of the Server header and does not append a header if none is present.
(#4906, @Vishal-Chdhry)
ALL DNS lookup family.
If ALL is specified, the DNS resolver will perform a lookup for both IPv4 and IPv6 families, and return all resolved addresses. When this is used, Happy Eyeballs will be enabled for upstream connections.
(#4909, @Vishal-Chdhry)
Bumps Envoy to version 1.25.0.
See Envoy release notes here.
(#4988, @skriss)
Contour's Kubernetes API client defaults to allowing 5 requests per second, with a maximum of 10 over a short period.
These settings can now be configured, either by flag or by config file.
The contour serve flags are --kubernetes-client-qps and --kubernetes-client-burst.
The config file fields are kubernetesClientQPS and kubernetesClientBurst.
(#5003, @skriss)
Opaque as long as they have valid tls.crt and tls.key entries. (#4799, @skriss)
grpc_status_number to the default JSON access log fields (#4880, @rajatvig)
NodePortService, use the Listeners' port numbers to populate the Service's node port values. (#4973, @izturn)
contour_dagrebuild_seconds, to measure the duration of DAG rebuilds by quantile. (#5009, @skriss)
projectcontour.io/projectcontour/contour to projectcontour.io/gateway-controller for static provisioning. (#4966, @izturn)
ContourDeployment.Spec.Contour.Replicas is deprecated and has been replaced by ContourDeployment.Spec.Contour.Deployment.Replicas. Users should switch to using the new field. The deprecated field will be removed in a future release. See #4713 for additional details.
ContourDeployment.Spec.Envoy.Replicas is deprecated and has been replaced by ContourDeployment.Spec.Envoy.Deployment.Replicas. Users should switch to using the new field. The deprecated field will be removed in a future release. See #4713 for additional details.
(#4713, @izturn)
In Gateway API, ReferencePolicy's rename to ReferenceGrant has been fully completed.
Contour now only supports ReferenceGrant, and does not support ReferencePolicy resources in any way.
(#4830, @skriss)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.24.0 is tested against Kubernetes 1.24 through 1.26.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Published by sunjayBhatia over 1 year ago
We are delighted to present version v1.24.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!
HTTPProxy.Route.Service and HTTPProxy.TCPProxy.Service now have an optional HealthPort field which specifies a health check port that is different from the routing port. If not specified, the service Port field is used for health checking.
(#4761, @yangyy93)
Contour no longer validates Secrets that are not used by an Ingress, HTTPProxy, Gateway, or Contour global config.
Validation is now performed as needed when a Secret is referenced.
This change also replaces misleading "Secret not found" error conditions with more specific errors when a Secret referenced by one of the above objects does exist, but is not valid.
(#4788, @skriss)
By default, when client certificate validation is configured, client certificates are required.
However, some applications might support different authentication schemes.
You can now set the httpproxy.spec.virtualhost.tls.clientValidation.optionalClientCertificate field to true. A client certificate will be requested, but the connection is allowed to continue if the client does not provide one.
If a client certificate is sent, it will be verified according to the other properties, which includes disabling validations if httpproxy.spec.virtualhost.tls.clientValidation.skipClientCertValidation is set.
(#4796, @gautierdelorme)
HTTPProxy now supports passing certificate data through the x-forwarded-client-cert header to let applications use details from client certificates (e.g. Subject, SAN...).
Since the certificate (or the certificate chain) could exceed the web server header size limit, you have the ability to select what specific part of the certificate to expose in the header through the httpproxy.spec.virtualhost.tls.clientValidation.forwardClientCertificate field.
Read more about the supported values in the Envoy documentation.
(#4797, @gautierdelorme)
Envoy's treatment of the Server header on responses can now be configured in the Contour config file or ContourConfiguration CRD.
When configured as overwrite, Envoy overwrites any Server header with "envoy".
When configured as append_if_absent, if a Server header is present, Envoy will pass it through, otherwise, it will set it to "envoy".
When configured as pass_through, Envoy passes through the value of the Server header and does not append a header if none is present.
(#4906, @Vishal-Chdhry)
ALL DNS lookup family.
If ALL is specified, the DNS resolver will perform a lookup for both IPv4 and IPv6 families, and return all resolved addresses. When this is used, Happy Eyeballs will be enabled for upstream connections.
(#4909, @Vishal-Chdhry)
Duplicate include conditions are now correctly identified and HTTPProxies are marked with the condition IncludeError and reason DuplicateMatchConditions.
Previously the HTTPProxy processor was only comparing adjacent includes and comparing conditions element by element rather than as a whole, ANDed together.
In addition, the previous behavior when duplicate Include Conditions were identified was to throw out all routes, including valid ones, on the offending HTTPProxy.
Any referenced child HTTPProxies were marked as Orphaned as a result, even if they were included correctly.
With this change, all valid Includes and Route rules are processed and programmed in the data plane, which is a difference in behavior from previous releases.
An Include is deemed to be a duplicate if it has the exact same match Conditions as an Include that precedes it in the list.
Only child HTTPProxies that are referenced by a duplicate Include and not in any other valid Include are marked as Orphaned.
(#4931, @sunjayBhatia)
See the Gateway API release notes for more detail on the API changes.
This version of the API includes a few changes relevant to Contour users:
(#4944, @sunjayBhatia)
The liveness probe has been removed from the Envoy pods' shutdown-manager sidecar container.
This change is to mitigate a problem where when the liveness probe fails, the shutdown-manager container is restarted by itself.
This ultimately has the unintended effect of causing the envoy container to be stuck indefinitely in a "DRAINING" state and not serving traffic.
Overall, not having the liveness probe on the shutdown-manager container is less bad because envoy pods are less likely to get stuck in "DRAINING" indefinitely.
In the worst case, during termination of an Envoy pod (due to upgrade, scaling, etc.), shutdown-manager is truly unresponsive, in which case the envoy container will simply terminate without first draining active connections.
If appropriate (i.e. during an upgrade), a new Envoy pod will then be created and re-added to the set of ready Envoys to load balance traffic to.
(#4967, @skriss)
Bumps Envoy to version 1.25.0.
See Envoy release notes here.
(#4988, @skriss)
Opaque as long as they have valid tls.crt and tls.key entries. (#4799, @skriss)
grpc_status_number to the default JSON access log fields (#4880, @rajatvig)
NodePortService, use the Listeners' port numbers to populate the Service's node port values. (#4973, @izturn)
projectcontour.io/projectcontour/contour to projectcontour.io/gateway-controller for static provisioning. (#4966, @izturn)
ContourDeployment.Spec.Contour.Replicas is deprecated and has been replaced by ContourDeployment.Spec.Contour.Deployment.Replicas. Users should switch to using the new field. The deprecated field will be removed in a future release. See #4713 for additional details.
ContourDeployment.Spec.Envoy.Replicas is deprecated and has been replaced by ContourDeployment.Spec.Envoy.Deployment.Replicas. Users should switch to using the new field. The deprecated field will be removed in a future release. See #4713 for additional details.
(#4713, @izturn)
In Gateway API, ReferencePolicy's rename to ReferenceGrant has been fully completed.
Contour now only supports ReferenceGrant, and does not support ReferencePolicy resources in any way.
(#4830, @skriss)
The simplest way to install v1.24.0-rc.1 is to apply one of the example configurations:
With Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.24.0-rc.1/examples/render/contour-gateway.yaml
Without Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.24.0-rc.1/examples/render/contour.yaml
Contour v1.24.0-rc.1 is tested against Kubernetes 1.24 through 1.26.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Published by skriss almost 2 years ago
We are delighted to present version v1.23.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.23.2 is tested against Kubernetes 1.23 through 1.25.
Published by skriss almost 2 years ago
We are delighted to present version v1.22.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.22.3 is tested against Kubernetes 1.22 through 1.24.
Published by skriss almost 2 years ago
We are delighted to present version v1.21.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.21.3 is tested against Kubernetes 1.21 through 1.23.
Published by sunjayBhatia almost 2 years ago
We are delighted to present version v1.23.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Bumps Envoy to security patch version 1.24.1.
See Envoy release notes here.
(#4903, @sunjayBhatia)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.23.1 is tested against Kubernetes 1.23 through 1.25.
Published by sunjayBhatia almost 2 years ago
We are delighted to present version v1.22.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Bumps Envoy to security patch version 1.23.3.
See Envoy release notes here.
(#4897, @sunjayBhatia)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.22.2 is tested against Kubernetes 1.22 through 1.24.
Published by sunjayBhatia almost 2 years ago
We are delighted to present version v1.21.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Bumps Envoy to security patch version 1.22.6.
See Envoy release notes here.
(#4889, @sunjayBhatia)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.21.2 is tested against Kubernetes 1.21 through 1.23.
Published by sunjayBhatia almost 2 years ago
We are delighted to present version v1.23.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
It is now possible to enable the Envoy overload manager to avoid traffic disturbances when the Envoy process allocates too much heap and is terminated by the Linux out-of-memory manager.
The feature is disabled by default and can be enabled by following instructions here.
(#4597, @tsaarni)
Contour's HTTPProxy now supports configuring Envoy's JSON Web Token (JWT) authentication filter, for verifying JWTs on incoming requests.
A root HTTPProxy can optionally define one or more JWT providers, each of which can define an issuer, audiences, and a JSON Web Key Set (JWKS) to use for verifying JWTs.
JWT providers can then be applied as requirements to routes on the HTTPProxy (or routes on included HTTPProxies), either by setting one provider as the default, or by explicitly specifying a JWT provider to require for a given route.
Individual routes may also opt out of JWT verification if a default provider has been set for the HTTPProxy.
For more information, see:
(#4723, @skriss)
Slow start mode is a configuration setting that is used to gradually increase the amount of traffic targeted to a newly added upstream endpoint.
This can be useful, for example, with JVM-based applications that might otherwise get overwhelmed during the JIT warm-up period.
For more information see here.
(#4772, @tsaarni)
The AllowOrigin field of the HTTPProxy CORSPolicy can be configured as a regex to enable more flexibility for users.
More advanced matching can now be performed on the Origin header of HTTP requests, instead of restricting users to allow all origins, or enumerating all possible values.
(#4710, @sunjayBhatia)
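A regex in AllowOrigin is worth testing against near-miss origins before it is deployed, since an unescaped dot matches any character. The following Go check is an added example, not part of Contour; the patterns, origins and function name are constructed, and it assumes the regex must match the whole Origin value, which the code emulates by anchoring the pattern.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample data: two candidate regexes, the origins we intend to
// allow, and probe origins that include near-miss values.
const (
	loosePattern  = `https://.*.example.test`
	strictPattern = `https://([a-z0-9-]+\.)*example\.test`
)

var (
	intendedOrigins = []string{"https://example.test", "https://app.example.test"}
	probeOrigins    = []string{
		"https://example.test",
		"https://app.example.test",
		"https://appXexample.test",               // differs only where the regex has an unescaped dot
		"https://app.example.test.other.invalid", // intended origin as a prefix of another host
		"http://app.example.test",                // wrong scheme
	}
)

// AuditAllowOrigin reports probe origins the pattern accepts although they
// are not intended, and intended origins the pattern fails to accept.
// Assumption of this example: full-string matching, emulated with ^(?:...)$.
func AuditAllowOrigin(pattern string, probes, intended []string) (unexpected, missing []string, err error) {
	re, err := regexp.Compile(`^(?:` + pattern + `)$`)
	if err != nil {
		return nil, nil, fmt.Errorf("invalid AllowOrigin regex %q: %w", pattern, err)
	}
	want := map[string]bool{}
	for _, o := range intended {
		want[o] = true
	}
	for _, o := range probes {
		if re.MatchString(o) && !want[o] {
			unexpected = append(unexpected, o)
		}
	}
	for _, o := range intended {
		if !re.MatchString(o) {
			missing = append(missing, o)
		}
	}
	return unexpected, missing, nil
}

func main() {
	for _, p := range []string{loosePattern, strictPattern} {
		unexpected, missing, err := AuditAllowOrigin(p, probeOrigins, intendedOrigins)
		fmt.Printf("%s\n  unexpected=%v missing=%v err=%v\n", p, unexpected, missing, err)
	}
}
```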
default_source_code Lua filter field from deprecated inline_string field for specifying Lua scripts. (#4622, @sunjayBhatia)
default_regex_engine instead of deprecated per-regex match engine selection. (#4652, @sunjayBhatia)
leader-election-namespace for gateway-provisioner (#4669, @izturn)
As per Contour's support policy the v1.20 minor release will now no longer be patched for security or critical bug fixes.
Please upgrade to the v1.21 minor release or newer.
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.23.0 is tested against Kubernetes 1.23 through 1.25.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Published by sunjayBhatia about 2 years ago
We are delighted to present version v1.23.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!
It is now possible to enable the Envoy overload manager to avoid traffic disturbances when the Envoy process allocates too much heap and is terminated by the Linux out-of-memory manager.
The feature is disabled by default and can be enabled by following instructions here.
(#4597, @tsaarni)
Contour's HTTPProxy now supports configuring Envoy's JSON Web Token (JWT) authentication filter, for verifying JWTs on incoming requests.
A root HTTPProxy can optionally define one or more JWT providers, each of which can define an issuer, audiences, and a JSON Web Key Set (JWKS) to use for verifying JWTs.
JWT providers can then be applied as requirements to routes on the HTTPProxy (or routes on included HTTPProxies), either by setting one provider as the default, or by explicitly specifying a JWT provider to require for a given route.
Individual routes may also opt out of JWT verification if a default provider has been set for the HTTPProxy.
For more information, see:
(#4723, @skriss)
The AllowOrigin field of the HTTPProxy CORSPolicy can be configured as a regex to enable more flexibility for users.
More advanced matching can now be performed on the Origin header of HTTP requests, instead of restricting users to allow all origins, or enumerating all possible values.
(#4710, @sunjayBhatia)
default_source_code Lua filter field from deprecated inline_string field for specifying Lua scripts. (#4622, @sunjayBhatia)
default_regex_engine instead of deprecated per-regex match engine selection. (#4652, @sunjayBhatia)
leader-election-namespace for gateway-provisioner (#4669, @izturn)
The simplest way to install v1.23.0-rc.1 is to apply one of the example configurations:
With Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.23.0-rc.1/examples/render/contour-gateway.yaml
Without Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.23.0-rc.1/examples/render/contour.yaml
Contour v1.23.0-rc.1 is tested against Kubernetes 1.23 through 1.25.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Published by skriss about 2 years ago
We are delighted to present version v1.22.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.22.1 is tested against Kubernetes 1.22 through 1.24.
Published by skriss about 2 years ago
We are delighted to present version v1.22.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Contour now supports Gateway API v0.5.0, including both the v1alpha2 and v1beta1 API versions.
With this update, Contour passes all of the Gateway API v0.5.0 conformance tests, which cover much of the core API surface (but are not yet 100% exhaustive).
For more information on the Gateway API v0.5.0 release, see the release blog post.
For information on getting started with Contour and Gateway API, see the Contour/Gateway API guide.
(#4617, @skriss)
Contour now uses Envoy 1.23.0.
See the Envoy changelog for more information on the contents of the release.
(#4621, @skriss)
HTTPProxy.Route now has a HTTPDirectResponsePolicy which allows for routes to specify a DirectResponsePolicy.
This policy will allow a direct response to be configured for a specific set of Conditions within a single route.
The Policy can be configured with a StatusCode and a Body. The StatusCode is required.
It is important to note that one of route.services or route.requestRedirectPolicy or route.directResponsePolicy must be specified.
(#4526, @yangyy93)
It is now possible to enable revocation checking for client certificate validation.
The CRL files must be provided in advance and configured as an opaque Secret.
To enable the feature, set httpproxy.spec.virtualhost.tls.clientValidation.crlSecret to the secret name.
(#4592, @tsaarni)
Access log and TLS cipher suite configuration validation logic is now consolidated in the apis/projectcontour/v1alpha1 package.
Existing exported elements of the pkg/config package are left untouched, though implementation logic now lives in apis/projectcontour/v1alpha1.
This should largely be a no-op for users; however, as part of this cleanup, a few minor incompatible changes have been made:
spec.envoy.logging.jsonFields has been renamed to spec.envoy.logging.accessLogJSONFields
(#4626, @sunjayBhatia)
Contour now implements Gateway API's HTTP query parameter matching.
Only Exact matching is supported.
For example, the following HTTPRoute will send a request with a query string of ?animal=whale to s1, and a request with a query string of ?animal=dolphin to s2.
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: httproute-queryparam-matching
spec:
  parentRefs:
  - name: contour-gateway
  rules:
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: whale
    backendRefs:
    - name: s1
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: dolphin
    backendRefs:
    - name: s2
(#4588, @skriss)
Updates the handling of various invalid HTTPRoute/TLSRoute scenarios to be conformant with the Gateway API spec, including:
Accepted condition on a route only describes whether the route attached successfully to its parent, not whether it has any other errors
InvalidKind and BackendNotFound when a backend is not a Service or not found, respectively
(#4614, @skriss)
Contour now enforces that the correct TLS modes are used for the HTTPS and TLS listener protocols.
For an HTTPS listener, the TLS mode "Terminate" must be used (this is compatible with HTTPRoutes).
For a TLS listener, the TLS mode "Passthrough" must be used (this is compatible with TLSRoutes).
(#4631, @skriss)
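A Gateway whose listeners follow the protocol and TLS mode pairing above, as an added example that is not part of the release notes. The Gateway, GatewayClass, hostnames and certificate Secret names are hypothetical.

```yaml
# Added example; all names and hostnames are hypothetical.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: contour-gateway
  namespace: projectcontour
spec:
  gatewayClassName: contour
  listeners:
  # HTTPS listener: TLS is terminated at the proxy, so a certificate is
  # referenced and HTTPRoutes attach to it.
  - name: https
    protocol: HTTPS
    port: 443
    hostname: app.example.com
    tls:
      mode: Terminate
      certificateRefs:
      - name: app-example-com-cert
    allowedRoutes:
      kinds:
      - kind: HTTPRoute
  # TLS listener: the encrypted stream is passed through to the backend,
  # which holds the certificate; TLSRoutes attach to it.
  - name: tls-passthrough
    protocol: TLS
    port: 443
    hostname: db.example.com
    tls:
      mode: Passthrough
    allowedRoutes:
      kinds:
      - kind: TLSRoute
  # Combinations that do not satisfy the rule above (left commented out):
  # - name: https-passthrough
  #   protocol: HTTPS
  #   port: 443
  #   hostname: bad-1.example.com
  #   tls:
  #     mode: Passthrough
  # - name: tls-terminate
  #   protocol: TLS
  #   port: 443
  #   hostname: bad-2.example.com
  #   tls:
  #     mode: Terminate
```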
There are now three places to create the same label(s), so the operation is now a method of the Contour struct.
(#4585, @izturn)
The access chain of fields is too long, so local variables are used to replace them.
(#4586, @izturn)
ca.crt key. (#4528, @skriss)
DebugLogLevel and KubernetesDebugLogLevel fields from the ContourConfiguration spec since they were unused and are required to be specified via CLI flag. (#4534, @skriss)
contour envoy shutdown command's --check-delay default to 0s from 60s, allowing Envoy pods to shut down more quickly when there are no open connections. (#4548, @skriss)
:authority header, rather than just using the extension cluster name. (#4587, @sunjayBhatia)
contour cli commands have been updated with new logging and support for testing incremental (delta) xDS variants. (#4602, @youngnick)
Ready: false with reason Invalid when a Listener allows routes from a namespace selector but the selector is invalid. (#4615, @skriss)
Gateway API has renamed ReferencePolicy to ReferenceGrant in the v0.5.0 release, while retaining the former for one release to ease migration.
Contour currently supports both, but will drop support for ReferencePolicy in the next release.
Users of ReferencePolicies must migrate their resources to ReferenceGrants ahead of the next Contour release.
(#4580, @skriss)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.22.0 is tested against Kubernetes 1.22 through 1.24.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by skriss about 2 years ago
We are delighted to present version v1.22.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!
Contour now supports Gateway API v0.5.0, including both the v1alpha2 and v1beta1 API versions.
With this update, Contour passes all of the Gateway API v0.5.0 conformance tests, which cover much of the core API surface (but are not yet 100% exhaustive).
For more information on the Gateway API v0.5.0 release, see the release blog post.
For information on getting started with Contour and Gateway API, see the Contour/Gateway API guide.
(#4617, @skriss)
HTTPProxy.Route now has a HTTPDirectResponsePolicy which allows for routes to specify a DirectResponsePolicy.
This policy will allow a direct response to be configured for a specific set of Conditions within a single route.
The Policy can be configured with a StatusCode and a Body. The StatusCode is required.
It is important to note that one of route.services or route.requestRedirectPolicy or route.directResponsePolicy must be specified.
(#4526, @yangyy93)
There are now three places to create the same label(s), so the operation is now a method of the Contour struct.
(#4585, @izturn)
The access chain of fields is too long, so local variables are used to replace them.
(#4586, @izturn)
Contour now implements Gateway API's HTTP query parameter matching.
Only Exact matching is supported.
For example, the following HTTPRoute will send a request with a query string of ?animal=whale to s1, and a request with a query string of ?animal=dolphin to s2.
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: httproute-queryparam-matching
spec:
  parentRefs:
  - name: contour-gateway
  rules:
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: whale
    backendRefs:
    - name: s1
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: dolphin
    backendRefs:
    - name: s2
(#4588, @skriss)
It is now possible to enable revocation checking for client certificate validation.
The CRL files must be provided in advance and configured as an opaque Secret.
To enable the feature, httpproxy.spec.virtualhost.tls.clientValidation.crlSecret is set with the secret name.
(#4592, @tsaarni)
Updates the handling of various invalid HTTPRoute/TLSRoute scenarios to be conformant with the Gateway API spec, including:
Accepted condition on a route only describes whether the route attached successfully to its parent, not whether it has any other errors
InvalidKind and BackendNotFound when a backend is not a Service or not found, respectively
(#4614, @skriss)
Contour now uses Envoy 1.23.0.
See the Envoy changelog for more information on the contents of the release.
(#4621, @skriss)
Access log and TLS cipher suite configuration validation logic is now consolidated in the apis/projectcontour/v1alpha1 package.
Existing exported elements of the pkg/config package are left untouched, though implementation logic now lives in apis/projectcontour/v1alpha1.
This should largely be a no-op for users; however, as part of this cleanup, a few minor incompatible changes have been made:
spec.envoy.logging.jsonFields has been renamed to spec.envoy.logging.accessLogJSONFields
(#4626, @sunjayBhatia)
Contour now enforces that the correct TLS modes are used for the HTTPS and TLS listener protocols.
For an HTTPS listener, the TLS mode "Terminate" must be used (this is compatible with HTTPRoutes).
For a TLS listener, the TLS mode "Passthrough" must be used (this is compatible with TLSRoutes).
(#4631, @skriss)
ca.crt key. (#4528, @skriss)
DebugLogLevel and KubernetesDebugLogLevel fields from the ContourConfiguration spec since they were unused and are required to be specified via CLI flag. (#4534, @skriss)
contour envoy shutdown command's --check-delay default to 0s from 60s, allowing Envoy pods to shut down more quickly when there are no open connections. (#4548, @skriss)
:authority header, rather than just using the extension cluster name. (#4587, @sunjayBhatia)
contour cli commands have been updated with new logging and support for testing incremental (delta) xDS variants. (#4602, @youngnick)
Ready: false with reason Invalid when a Listener allows routes from a namespace selector but the selector is invalid. (#4615, @skriss)
Gateway API has renamed ReferencePolicy to ReferenceGrant in the v0.5.0 release, while retaining the former for one release to ease migration.
Contour currently supports both, but will drop support for ReferencePolicy in the next release.
Users of ReferencePolicies must migrate their resources to ReferenceGrants ahead of the next Contour release.
(#4580, @skriss)
The simplest way to install v1.22.0-rc.1 is to apply one of the example configurations:
With Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.22.0-rc.1/examples/render/contour-gateway.yaml
Without Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.22.0-rc.1/examples/render/contour.yaml
Contour v1.22.0-rc.1 is tested against Kubernetes 1.22 through 1.24.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Published by sunjayBhatia over 2 years ago
We are delighted to present version v1.21.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Bumps Envoy to security patch version 1.22.2.
Envoy CI had a few issues releasing 1.22.1 so a subsequent patch, 1.22.2 was released.
Envoy announcement here.
See Envoy release notes for 1.22.1 here and 1.22.2 here.
(#4573, @sunjayBhatia)
ca.crt key. (#4528, @skriss)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.21.1 is tested against Kubernetes 1.21 through 1.23.
We’re immensely grateful for all the community contributions that help make Contour even better!
Published by sunjayBhatia over 2 years ago
We are delighted to present version v1.20.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Bumps Envoy to security patch version 1.21.3.
Envoy announcement here.
See Envoy release notes here.
(#4569, @sunjayBhatia)
ca.crt key. (#4528, @skriss)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.20.2 is tested against Kubernetes 1.21 through 1.23.
We’re immensely grateful for all the community contributions that help make Contour even better!
Published by skriss over 2 years ago
We are delighted to present version v1.21.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Previously, in our example deployment YAML, RBAC for Contour access to resources used for leader election was contained in a ClusterRole, meaning that Contour required cluster-wide access to ConfigMap resources. This release also requires Contour access to Events and Leases which would require cluster-wide access (see this PR).
In this release, we have moved the RBAC rules for leader election resources to a namespaced Role in the example Contour deployment. This change should limit Contour's default required access footprint. A corresponding namespaced RoleBinding has been added as well.
If you are using the example deployment YAML to deploy Contour, be sure to examine and re-apply the resources in examples/contour/02-rbac.yaml and examples/contour/02-role-contour.yaml. If you have deployed Contour in a namespace other than the example projectcontour, be sure to modify the contour Role and contour-rolebinding RoleBinding resources accordingly. Similarly, if you are using the --leader-election-resource-namespace flag to customize where Contour's leader election resources reside, you must customize the new Role and RoleBinding accordingly.
(#4204, @sunjayBhatia)
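How the Role and RoleBinding might look after that customization, as an added example that is not the project's shipped manifest. The namespaces ingress-system and contour-leader and the ServiceAccount name are hypothetical, and the rule list is an assumption built from the resources this note names (Events and Leases), so compare it with examples/contour/02-role-contour.yaml before applying.

```yaml
# Added example; namespaces and ServiceAccount name are hypothetical.
# Scenario: Contour runs in "ingress-system" and is started with
#   --leader-election-resource-namespace=contour-leader
# A Role only grants access inside its own namespace, so the Role and
# RoleBinding live where the leader election resources live, while the
# subject still points at the ServiceAccount in Contour's own namespace.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: contour
  namespace: contour-leader
rules:
# Assumption: resources and verbs inferred from the release note, not
# copied from the shipped manifest.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "get", "update"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: contour-rolebinding
  namespace: contour-leader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour
subjects:
- kind: ServiceAccount
  name: contour
  namespace: ingress-system
# Check after applying (expected answers: yes, then no):
#   kubectl auth can-i update leases -n contour-leader \
#     --as=system:serviceaccount:ingress-system:contour
#   kubectl auth can-i update leases -n default \
#     --as=system:serviceaccount:ingress-system:contour
```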
Contour's container images are now exclusively published on GHCR. They are no longer being pushed to Docker Hub (past images have been left on Docker Hub for posterity.)
(#4314, @skriss)
contour gateway-provisioner command and deployment manifest for dynamically provisioning Gateways
Contour now has an optional Gateway provisioner, that watches for Gateway custom resources and provisions Contour + Envoy instances for them. The provisioner is implemented as a new subcommand on the contour binary, contour gateway-provisioner. The examples/gateway-provisioner directory contains the YAML manifests needed to run the provisioner as a Deployment in-cluster.
By default, the Gateway provisioner will process all GatewayClasses that have a controller string of projectcontour.io/gateway-controller, along with all Gateways for them.
The Gateway provisioner is useful for users who want to dynamically provision Contour + Envoy instances based on the Gateway CRD.
It is also necessary in order to have a fully conformant Gateway API implementation.
(#4415, @skriss)
The verbosity of HTTP and HTTPS access logs can now be configured to one of: info (default), error, disabled. The verbosity level is set with accesslog-level field in the configuration file or spec.envoy.logging.accessLogLevel field in ContourConfiguration.
(#4331, @tsaarni)
Contour now only uses the Lease object to coordinate leader election. RBAC in example manifests has been updated accordingly.
Note: Upgrading to this version of Contour will explicitly require you to upgrade to Contour v1.20.0 first to ensure proper migration of leader election coordination resources.
(#4332, @sunjayBhatia)
Regex patterns Contour configures in Envoy (for path matching etc.) currently have a limited "program size" (approximate cost) of 100. This was inadvertently set back to the Envoy default, from the intended 1048576 (2^20) when moving away from using deprecated API fields. Note: regex program size is a feature of the regex library Envoy uses, Google RE2.
This limit has now been reset to the intended value and an additional program size warning threshold of 1000 has been configured.
Operators concerned with performance implications of allowing large regex programs can monitor Envoy memory usage and regex statistics. Envoy offers two statistics for monitoring regex program size, re2.program_size and re2.exceeded_warn_level. See this documentation for more detail. Future versions of Contour may allow configuration of regex program size thresholds via RTDS (Runtime Discovery Service).
(#4379, @sunjayBhatia)
Contour can now optionally process a specific named Gateway and associated routes. This is an alternate way to configure Contour, vs. the existing mode of specifying a GatewayClass controller string and having Contour process the first GatewayClass and associated Gateway for that controller string. This new configuration option can be specified via:
gateway:
  gatewayRef:
    namespace: gateway-namespace
    name: gateway-name
(#4410, @skriss)
The Gateway provisioner now supports having more than one Gateway/Contour instance per namespace. All resource names now include a -<gateway-name> suffix to avoid conflicts (cluster-scoped resources also include the namespace as part of the resource name). Contour instances are always provisioned in the namespace of the Gateway custom resource itself.
(#4426, @skriss)
The Gateway provisioner now generates xDS TLS certificates directly, rather than using a "certgen" job to trigger certificate generation. This simplifies operations and reduces the RBAC permissions that the provisioner requires. Certificates will still be rotated each time the provisioner is upgraded to a new version.
(#4432, @skriss)
The Gateway provisioner now supports requesting a specific Gateway address, via the Gateway's spec.addresses field. Only one address is supported, and it must be either an IPAddress or Hostname type. The value of this address will be used to set the provisioned Envoy service's spec.loadBalancerIP field. If for any reason, the requested address is not assigned to the Gateway, the Gateway will have a condition of "Ready: false" with a reason of AddressesNotAssigned.
If no address is requested, no value will be specified in the provisioned Envoy service's spec.loadBalancerIP field, and an address will be assigned by the load balancer provider.
(#4443, @skriss)
To better manage configuration defaults, all ContourConfiguration CRD fields are now optional without defaults. Instead, Contour itself will apply defaults to any relevant fields that have not been specified by the user when it starts up, similarly to how processing of the Contour ConfigMap works today. The default values that Contour uses are documented in the ContourConfiguration CRD's API documentation.
(#4451, @skriss)
The ContourDeployment CRD, which can be used as parameters for a Contour-controlled GatewayClass, now supports additional options for customizing your Contour/Envoy installations:
(#4472, @skriss)
Contour users can now configure their load balancing policies on HTTPProxy resources to hash the query parameter on a request to ensure consistent routing to a backend service instance.
See this page for more details on this feature.
Credit to @pkit for implementing this feature!
(#4508, @sunjayBhatia)
localhost:6060/debug/dag troubleshooting API are sanitized by html-escaping user fields. (#4323, @kb000)
ContourConfiguration. (#4326, @tsaarni)
networking.k8s.io/IngressClass resource as it's not used by Contour. (#4329, @skriss)
HTTPProxy.spec.routes.requestHeadersPolicy Host key) and protocol fields might not take effect when e.g. two HTTPProxies were otherwise equal but differed only on those fields. (#4350, @tsaarni)
HTTPProxy.spec.routes.timeoutPolicy.idleConnection was added. The field sets timeout for how long the upstream connection will be kept idle between requests before disconnecting it. (#4356, @tsaarni)
merge_slashes option that enables
DisableMergeSlashes option in the Contour config file or ContourConfiguration custom resource. (#4363, @mszabo-wikia)
--name-prefix flag to the contour certgen command which, if specified, will be added as a prefix to the names of the generated Kubernetes secrets (e.g. myprefix-contourcert and myprefix-envoycert). (#4394, @skriss)
imagePullPolicy as Always on main branch and only change to IfNotPresent on release branches/release-tagged manifests. (#4406, @rajatvig)
ContourConfiguration resource instead of a ConfigMap for describing Contour's configuration. (#4454, @skriss)
ContourConfigurationSpec defined as part of a GatewayClass's ContourDeployment parameters when provisioning a ContourConfiguration for a Gateway. (#4459, @skriss)
projectcontour.io/gateway-controller. (#4474, @skriss)
HTTPRoute or TLSRoute has a cross-namespace backend ref that's not permitted by a ReferencePolicy, set the reason for the ResolvedRefs: false condition to RefNotPermitted instead of Degraded. (#4482, @skriss)
--log-format=json command line switch. (#4486, @tsaarni)
ContourConfiguration kubebuilder enum validations, and add equivalent validations in Contour code. (#4511, @skriss)
service.beta.kubernetes.io/aws-load-balancer-type has been changed to external. It should now work correctly with the given YAMLs. (#4347, @yankay)
pathType field to Ingress resource. (#4446, @lou-lan)
Leader election configuration via configuration file was deprecated in Contour v1.20.0.
Configuration of leader election lease details and resource must now be done via command line flag.
(#4340, @sunjayBhatia)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.21.0 is tested against Kubernetes 1.21 through 1.23.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Published by sunjayBhatia over 2 years ago
We are delighted to present version v1.21.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!
Previously, in our example deployment YAML, RBAC for Contour access to resources used for leader election was contained in a ClusterRole, meaning that Contour required cluster-wide access to ConfigMap resources.
This release also requires Contour access to Events and Leases which would require cluster-wide access (see this PR).
In this release, we have moved the RBAC rules for leader election resources to a namespaced Role in the example Contour deployment.
This change should limit Contour's default required access footprint.
A corresponding namespaced RoleBinding has been added as well.
If you are using the example deployment YAML to deploy Contour, be sure to examine and re-apply the resources in examples/contour/02-rbac.yaml and examples/contour/02-role-contour.yaml.
If you have deployed Contour in a namespace other than the example projectcontour, be sure to modify the contour Role and contour-rolebinding RoleBinding resources accordingly.
Similarly, if you are using the --leader-election-resource-namespace flag to customize where Contour's leader election resources reside, you must customize the new Role and RoleBinding accordingly.
(#4204, @sunjayBhatia)
Contour's container images are now exclusively published on GHCR. They are no longer being pushed to Docker Hub (past images have been left on Docker Hub for posterity.)
(#4314, @skriss)
contour gateway-provisioner command and deployment manifest for dynamically provisioning Gateways
Contour now has an optional Gateway provisioner, that watches for Gateway custom resources and provisions Contour + Envoy instances for them.
The provisioner is implemented as a new subcommand on the contour binary, contour gateway-provisioner.
The examples/gateway-provisioner directory contains the YAML manifests needed to run the provisioner as a Deployment in-cluster.
By default, the Gateway provisioner will process all GatewayClasses that have a controller string of projectcontour.io/gateway-provisioner, along with all Gateways for them.
The Gateway provisioner is useful for users who want to dynamically provision Contour + Envoy instances based on the Gateway CRD.
It is also necessary in order to have a fully conformant Gateway API implementation.
(#4415, @skriss)
The verbosity of HTTP and HTTPS access logs can now be configured to one of: info (default), error, disabled.
The verbosity level is set with accesslog-level field in the configuration file or spec.envoy.logging.accessLogLevel field in ContourConfiguration.
(#4331, @tsaarni)
Contour now only uses the Lease object to coordinate leader election.
RBAC in example manifests has been updated accordingly.
Note: Upgrading to this version of Contour will explicitly require you to upgrade to Contour v1.20.0 first to ensure proper migration of leader election coordination resources.
(#4332, @sunjayBhatia)
Regex patterns Contour configures in Envoy (for path matching etc.) currently have a limited "program size" (approximate cost) of 100.
This was inadvertently set back to the Envoy default, from the intended 1048576 (2^20) when moving away from using deprecated API fields.
Note: regex program size is a feature of the regex library Envoy uses, Google RE2.
This limit has now been reset to the intended value and an additional program size warning threshold of 1000 has been configured.
Operators concerned with performance implications of allowing large regex programs can monitor Envoy memory usage and regex statistics.
Envoy offers two statistics for monitoring regex program size, re2.program_size and re2.exceeded_warn_level.
See this documentation for more detail.
Future versions of Contour may allow configuration of regex program size thresholds via RTDS (Runtime Discovery Service).
(#4379, @sunjayBhatia)
Contour can now optionally process a specific named Gateway and associated routes.
This is an alternate way to configure Contour, vs. the existing mode of specifying a GatewayClass controller string and having Contour process the first GatewayClass and associated Gateway for that controller string.
This new configuration option can be specified via:
gateway:
  gatewayRef:
    namespace: gateway-namespace
    name: gateway-name
(#4410, @skriss)
The Gateway provisioner now supports having more than one Gateway/Contour instance per namespace.
All resource names now include a -<gateway-name> suffix to avoid conflicts (cluster-scoped resources also include the namespace as part of the resource name).
Contour instances are always provisioned in the namespace of the Gateway custom resource itself.
(#4426, @skriss)
The Gateway provisioner now generates xDS TLS certificates directly, rather than using a "certgen" job to trigger certificate generation.
This simplifies operations and reduces the RBAC permissions that the provisioner requires.
Certificates will still be rotated each time the provisioner is upgraded to a new version.
(#4432, @skriss)
The Gateway provisioner now supports requesting a specific Gateway address, via the Gateway's spec.addresses field.
Only one address is supported, and it must be either an IPAddress or Hostname type.
The value of this address will be used to set the provisioned Envoy service's spec.loadBalancerIP field.
If for any reason, the requested address is not assigned to the Gateway, the Gateway will have a condition of "Ready: false" with a reason of AddressesNotAssigned.
If no address is requested, no value will be specified in the provisioned Envoy service's spec.loadBalancerIP field, and an address will be assigned by the load balancer provider.
(#4443, @skriss)
To better manage configuration defaults, all ContourConfiguration CRD fields are now optional without defaults.
Instead, Contour itself will apply defaults to any relevant fields that have not been specified by the user when it starts up, similarly to how processing of the Contour ConfigMap works today.
The default values that Contour uses are documented in the ContourConfiguration CRD's API documentation.
(#4451, @skriss)
The ContourDeployment CRD, which can be used as parameters for a Contour-controlled GatewayClass, now supports additional options for customizing your Contour/Envoy installations:
(#4472, @skriss)
localhost:6060/debug/dag troubleshooting API are sanitized by html-escaping user fields. (#4323, @kb000)
ContourConfiguration. (#4326, @tsaarni)
networking.k8s.io/IngressClass resource as it's not used by Contour. (#4329, @skriss)
HTTPProxy.spec.routes.requestHeadersPolicy Host key) and protocol fields might not take effect when e.g. two HTTPProxies were otherwise equal but differed only on those fields. (#4350, @tsaarni)
HTTPProxy.spec.routes.timeoutPolicy.idleConnection was added. The field sets timeout for how long the upstream connection will be kept idle between requests before disconnecting it. (#4356, @tsaarni)
merge_slashes option that enables
DisableMergeSlashes option in the Contour config file or ContourConfiguration custom resource. (#4363, @mszabo-wikia)
--name-prefix flag to the contour certgen command which, if specified, will be added as a prefix to the names of the generated Kubernetes secrets (e.g. myprefix-contourcert and myprefix-envoycert). (#4394, @skriss)
imagePullPolicy as Always on main branch and only change to IfNotPresent on release branches/release-tagged manifests. (#4406, @rajatvig)
ContourConfiguration resource instead of a ConfigMap for describing Contour's configuration. (#4454, @skriss)
ContourConfigurationSpec defined as part of a GatewayClass's ContourDeployment parameters when provisioning a ContourConfiguration for a Gateway. (#4459, @skriss)
projectcontour.io/gateway-controller. (#4474, @skriss)
HTTPRoute or TLSRoute has a cross-namespace backend ref that's not permitted by a ReferencePolicy, set the reason for the ResolvedRefs: false condition to RefNotPermitted instead of Degraded. (#4482, @skriss)
service.beta.kubernetes.io/aws-load-balancer-type has been changed to external. It should now work correctly with the given YAMLs. (#4347, @yankay)
pathType field to Ingress resource. (#4446, @lou-lan)
Leader election configuration via configuration file was deprecated in Contour v1.20.0.
Configuration of leader election lease details and resource must now be done via command line flag.
(#4340, @sunjayBhatia)
The simplest way to install v1.21.0-rc.1 is to apply one of the example configurations:
With Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.21.0-rc.1/examples/render/contour-gateway.yaml
Without Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.21.0-rc.1/examples/render/contour.yaml
Contour v1.21.0-rc.1 is tested against Kubernetes 1.21 through 1.23.
Documentation corresponding to v1.21.0-rc.1 can be found at https://projectcontour.io/docs/main/.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors: