Contour is a Kubernetes ingress controller using Envoy proxy.
APACHE-2.0 License
Published by skriss over 3 years ago
HTTPProxies were being ignored; HTTPProxies' status.
Published by stevesloka over 3 years ago
We are delighted to present version 1.13.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Contour now provides initial support for Gateway API, an open source project to evolve service networking APIs within the Kubernetes ecosystem. Gateway API consists of multiple resources that provide user interfaces to expose Kubernetes applications: Services, Ingress, and more. See the user guide for additional details and to start using Gateway API with Contour.
Related issues and PRs: #3278 #3397 #2809 #3283
Thanks to @stevesloka and @youngnick for designing and implementing this feature.
There are times when distributed circuit breaking is not very effective and global rate limiting is desired. With global rate limiting, Envoy communicates with an external Rate Limit Service (RLS) over gRPC to make rate limit decisions for requests. For additional details, see the Envoy documentation.
Related issues and PRs: #3178 #3298 #3324
Thanks to @skriss for designing and implementing this feature!
Known Issues: #3409 (global rate limit policies at the virtual host level for TLS vhosts do not take effect).
TLS cipher suites used by Envoy listeners can now be configured. The configured cipher suites are validated against Envoy's allowed cipher list, and Contour will exit on startup if any invalid cipher suites are present in the config file. If no cipher suites are provided, Contour uses its existing defaults.
Related issues and PRs: #2880 #3292 #3304
There are situations where Envoy's delayed_close_timeout can close connections to a client while data remains to be written. This can happen when a client sets the "Connection: close" header and is slow to read the response. The delayed_close_timeout can now be configured by users who encounter this situation.
Related issues and PRs: #3285 #3316
Thanks to @xtreme-jesse-malone for implementing this feature!
If a user has an external load balancer that terminates TLS, the X-Forwarded-Proto header gets overwritten unless the downstream connection is trusted. XffNumTrustedHops can now be configured to set the number of trusted hops, so that headers already set by the downstream are left intact.
Related issues and PRs: #3294 #3293
Thanks to @stevesloka for implementing this feature!
ExactBalance is a connection balancer implementation that does exact balancing. This means that a lock is held during balancing so that connection counts are nearly exactly balanced between worker threads. With long keep-alive connections, the Envoy listener will use the ExactBalance connection balancer. For additional details, see the Envoy documentation.
Related issues and PRs: #3314
Thanks to @iyacontrol for implementing this feature!
SNI is now set for any TCPProxy.Service that references an externalName-type service and has the upstream protocol "tls".
Related issues and PRs: #3291
Thanks to @stevesloka for implementing this feature!
Adds support for the %CONTOUR_NAMESPACE%, %CONTOUR_SERVICE_NAME% and %CONTOUR_SERVICE_PORT% dynamic variables. These variables are expanded like the Envoy dynamic variables added in #3234. Note: the CONTOUR_ prefix is used to prevent clashes with future Envoy dynamic variables. Variables that can't be expanded are passed through literally.
Related issues and PRs: #3269
Thanks to @erwbgy for implementing this feature!
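The expansion rule described above (known CONTOUR_ variables are substituted, everything else passes through literally so Envoy can expand its own operators later), as an added example that is not Contour's own code; the RouteContext type and its fields are assumptions made for this illustration:

```go
package main

import (
	"fmt"
	"regexp"
)

// RouteContext carries the values known when a route is programmed.
// The type and field names are assumptions for this example, not Contour's.
type RouteContext struct {
	Namespace   string
	ServiceName string
	ServicePort int // 0 means no service port is known for this route
}

// contourVar matches a bare %NAME% operator (no argument list). Envoy
// operators with arguments, such as %REQ(X-Request-Id)%, never match and
// are therefore left for Envoy to expand.
var contourVar = regexp.MustCompile(`%([A-Z_][A-Z0-9_]*)%`)

// ExpandContourVariables substitutes the three CONTOUR_ variables when a
// value is available. Any other operator, and a CONTOUR_ variable with no
// value (for example on a route without a service), is returned verbatim.
func ExpandContourVariables(value string, rc RouteContext) string {
	return contourVar.ReplaceAllStringFunc(value, func(tok string) string {
		name := contourVar.FindStringSubmatch(tok)[1]
		switch name {
		case "CONTOUR_NAMESPACE":
			if rc.Namespace != "" {
				return rc.Namespace
			}
		case "CONTOUR_SERVICE_NAME":
			if rc.ServiceName != "" {
				return rc.ServiceName
			}
		case "CONTOUR_SERVICE_PORT":
			if rc.ServicePort > 0 {
				return fmt.Sprint(rc.ServicePort)
			}
		}
		// Not a CONTOUR_ variable, or nothing to expand it with: pass through.
		return tok
	})
}

func main() {
	// Constructed sample route context and header value.
	rc := RouteContext{Namespace: "shop", ServiceName: "cart", ServicePort: 8080}
	fmt.Println(ExpandContourVariables(
		"%CONTOUR_NAMESPACE%/%CONTOUR_SERVICE_NAME%:%CONTOUR_SERVICE_PORT% via %HOSTNAME%", rc))
	// prints: shop/cart:8080 via %HOSTNAME%
}
```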
The FileAccessLog.json_format access logging format field is replaced by envoy.extensions.access_loggers.file.v3.FileAccessLog.log_format. See #3210 for additional details.
The Http2ProtocolOptions field is replaced with TypedExtensionProtocolOptions. See #3308 for additional details.
The following HTTPProxy metrics have been renamed:
contour_httpproxy_total -> contour_httpproxy
contour_httpproxy_invalid_total -> contour_httpproxy_invalid
contour_httpproxy_orphaned_total -> contour_httpproxy_orphaned
contour_httpproxy_valid_total -> contour_httpproxy_valid
contour_httpproxy_root_total -> contour_httpproxy_root
Please consult the upgrade documentation.
We’re immensely grateful for all the community contributions that help make Contour even better! For version 1.13, special thanks go out to the following contributors:
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by skriss over 3 years ago
We are delighted to present version 1.12.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
There have been a bunch of great contributions from our community for this release, thanks to everyone!
Contour now supports Envoy's local rate limiting, which allows users to define basic rate limits for virtual hosts or routes that are enforced on a per-Envoy basis. See the rate limiting documentation for more information.
Related issues and PRs: #3255 #3251
Thanks to @skriss for implementing this feature!
Contour 1.12 now supports the RequestHash load balancing strategy, which enables load balancing based on request headers. An upstream Endpoint is selected based on the hash of an HTTP request header. Requests that contain a consistent value in a request header will be routed to the same upstream Endpoint.
For more information, including an example HTTPProxy definition, see the Contour documentation.
Related issues and PRs: #3099 #3044 #3282
Thanks to @sunjayBhatia for designing and implementing this feature!
Contour 1.12 adds support for including dynamic values in configured request and response headers. Almost all variables supported by Envoy are allowed. This feature can be used to set headers containing information such as the host name of where the Envoy pod is running, the TLS version, etc.
For more information, including a full list of supported variables, see the Contour documentation.
Related issues and PRs: #3234 #3236 #3269
Thanks to @erwbgy for adding this feature!
Contour has been making an effort to remove ciphers marked as "less secure" from the default cipher list given to Envoy. This work has been driven by @tsaarni, @ryanelian and @bascht. However, after the release of 1.11, we had a report of a production outage caused by these changes (#3299, thanks @moderation).
We've decided to revert PRs #3154 and #3237 for version 1.12, until we can fully implement #2880, so that if the default cipher suite breaks something for a user, they can put it back after upgrading until they have a chance to migrate away from the less-secure ciphers.
We're aiming to have #2880 completed in the 1.13 timeframe (the next month).
Contour 1.12.0 is compatible with Envoy 1.17.0.
Related issues and PRs: #3245
Thanks to @sunjayBhatia for performing this upgrade!
Envoy's allow_chunked_length setting is now enabled by default, with a Contour config file toggle to disable it. See the Envoy documentation for more information on the setting, and the Contour config file documentation for information on how to disable it.
Related issues and PRs: #3221 #3248
Thanks to @sunjayBhatia for making this change!
Contour's check for duplicate fully-qualified domain names (FQDNs) is now case-insensitive.
Related issues and PRs: #3230 #3231
Thanks to @erwbgy for this fix!
We fixed a regression related to rewriting the Host header for externalName services.
Related issues and PRs: #3252
Thanks to @stevesloka for finding and fixing this regression!
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by stevesloka almost 4 years ago
We are delighted to present version 1.11.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
There have been a bunch of great contributions from our community for this release, thanks to everyone!
The new Contour Operator provides a method for packaging, deploying, and managing Contour. The operator extends the functionality of the Kubernetes API to create, configure, and manage instances of Contour on behalf of users. It builds upon the basic Kubernetes resource and controller concepts, but includes domain-specific knowledge to automate the entire lifecycle of Contour.
Visit the getting started guide on how to quickly get up and running with the operator.
For more information, see the contour operator repo.
The default global minimum TLS version has moved from 1.1 to 1.2.
This forces all HTTPProxies and Ingresses to use at least 1.2.
https://github.com/projectcontour/contour/pull/3112
Contour supports Envoy v1.16.2 which resolves various CVEs found in Envoy, please upgrade your clusters!
As mentioned in Contour 1.10, the v2 xDS resource version has been removed from Contour ahead of its removal from Envoy. Please see the xDS Migration Guide for upgrading your instances of Envoy/Contour.
Note: This change applies also to any External Auth servers that may be integrated.
If client certificates, represented as Kubernetes secrets, were changed, Contour did not notice the change, which blocked a valid certificate rotation path for users. Contour v1.11 adds secret references from the configuration file to the list of secrets that trigger a DAG rebuild. Previously only secrets referred to by HTTPProxy and Ingress resources were considered, so secrets were not picked up correctly if they were created after the creation of the HTTPProxy or Ingress had itself triggered a rebuild.
https://github.com/projectcontour/contour/pull/3191
Thanks to @tsaarni for the fix and @Zsolt-LazarZsolt for reporting!
⚠️ Contour annotations starting with contour.heptio.com have been removed from the documentation for some time. Contour 1.8 marked the official deprecation of these annotations, and they have been removed in Contour v1.11.0.
Please consult the upgrade documentation.
We’re immensely grateful for all the community contributions that help make Contour even better! For version 1.11, special thanks go out to the following contributors:
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by skriss almost 4 years ago
We are delighted to present version 1.10.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
Published by skriss almost 4 years ago
We are delighted to present version 1.10.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
There have been a bunch of great contributions from our community for this release, thanks to everyone!
Contour now supports Envoy's xDS v3 protocol in addition to the deprecated v2 protocol. The example YAML has been updated to configure Envoy to use the v3 protocol by default.
When users have an existing Contour installation and wish to upgrade without dropping connections, they should first upgrade Contour to v1.10.0, which serves both v2 and v3 xDS versions from the same gRPC endpoint. Next, change the Envoy DaemonSet or Deployment to include --xds-resource-version=v3 as an argument in the envoy-initconfig init container, which tells Envoy to upgrade to the v3 resource version. The usual rollout process will handle draining connections, allowing a fleet of Envoy instances to move gradually from the v2 xDS resource API version to the v3 version.
See the xDS Migration guide for more information: https://projectcontour.io/guides/xds-migration/
Related issues and PRs: #1898, #2930, #3016, #3017, #3068, #3079, #3074, #3087, #3093
Thanks to @stevesloka and @jpeach for their hard work on this upgrade.
Contour now supports custom JSON fields in the Envoy access log. Custom fields can be specified in the json-fields config field, using the format <custom-field-name>=<Envoy format string>, where the Envoy format string can contain any Envoy command operator except DYNAMIC_METADATA and FILTER_STATE.
You can read more about this feature in Contour's updated guide to structured logging.
Related issues and PRs: #3059, #3032, #1507
Thanks to @Mike1808, @KauzClay, and @XanderStrike for designing and implementing this feature!
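A validator for the json-fields entry format described above, added here as an example and not taken from Contour's code base: it splits each <custom-field-name>=<Envoy format string> entry, finds the Envoy command operators in the format string and rejects DYNAMIC_METADATA and FILTER_STATE. Treating an entry without "=" as a bare default field name is an assumption of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// envoyOperator matches an Envoy command operator such as %START_TIME%,
// %REQ(X-Request-Id)% or %DYNAMIC_METADATA(ns:key)%, capturing its name.
var envoyOperator = regexp.MustCompile(`%([A-Z_][A-Z0-9_]*)(?:\([^)]*\))?%`)

// disallowedOperators are the operators the json-fields feature does not permit.
var disallowedOperators = map[string]bool{
	"DYNAMIC_METADATA": true,
	"FILTER_STATE":     true,
}

// ParseJSONFields turns the raw json-fields list into a map from JSON key to
// Envoy format string. It returns an error for an empty field name, a
// duplicate field name, or a format string that uses a disallowed operator.
func ParseJSONFields(entries []string) (map[string]string, error) {
	fields := make(map[string]string, len(entries))
	for _, entry := range entries {
		name, format, ok := strings.Cut(entry, "=")
		if !ok {
			// Assumption for this example: an entry without "=" is a bare
			// default field name and carries no custom format string.
			name, format = entry, ""
		}
		name = strings.TrimSpace(name)
		if name == "" {
			return nil, fmt.Errorf("json-fields entry %q has an empty field name", entry)
		}
		if _, dup := fields[name]; dup {
			return nil, fmt.Errorf("json-fields entry %q duplicates field %q", entry, name)
		}
		for _, m := range envoyOperator.FindAllStringSubmatch(format, -1) {
			if disallowedOperators[m[1]] {
				return nil, fmt.Errorf("json-fields entry %q uses disallowed operator %%%s%%", entry, m[1])
			}
		}
		fields[name] = format
	}
	return fields, nil
}

func main() {
	// Constructed sample config values.
	fields, err := ParseJSONFields([]string{"@timestamp", "request_id=%REQ(X-Request-Id)%"})
	fmt.Println(fields, err)
	_, err = ParseJSONFields([]string{"meta=%DYNAMIC_METADATA(envoy.lb:foo)%"})
	fmt.Println(err)
}
```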
Contour's Docker images are now multi-architecture, with linux/amd64 and linux/arm64 currently supported. No change is needed by users; the correct architecture will automatically be pulled for your host.
Related issues and PRs: #3031, #2868
Thanks to @skriss for implementing multi-arch support.
Contour now uses Envoy 1.16.0.
Related issues and PRs: #3029, #3013
Thanks to @yoitsro for this upgrade!
TLS 1.2 is now the default minimum TLS version for HTTPProxies and Ingresses. It's still possible to use 1.1 if necessary by explicitly specifying it. See the HTTPProxy documentation and Ingress documentation for more information.
Related issues and PRs: #3007, #2777, #3012
Thanks to @skriss for making this change.
Contour's example YAML now uses rbac.authorization.k8s.io/v1 instead of the deprecated rbac.authorization.k8s.io/v1beta1 version for role-based access control (RBAC) resources. RBAC has been generally available in Kubernetes since v1.8, so this has no effect on the minimum supported Kubernetes version.
Related issues and PRs: #3015, #2991
Thanks to @narahari92 for this upgrade!
The request-timeout field has been removed from the config file. This field was moved into the timeouts block, i.e. timeouts.request-timeout, in Contour 1.7.
tls.minimum-protocol-version field, and by specifying it for each HTTPProxy or Ingress where it's needed. See the HTTPProxy documentation and Ingress documentation for more information.
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by stevesloka about 4 years ago
We are delighted to present version 1.9.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
There have been a bunch of great contributions from our community for this release, thanks to everyone!
Contour now supports integrating with external authorization services via the ExtensionService custom resource definition. This new Contour API exposes Envoy’s external auth filter, which allows incoming requests to be checked against the specified authorization service.
Thanks to @jpeach for leading design and implementation of this feature!
Related issues and PRs: #432, #2915, #2886, #2876, #2877, #2871
Contour now supports optionally specifying a Kubernetes secret that Envoy should present to upstream clusters as a client certificate for TLS, so the upstream services can validate that the connection is coming from Envoy.
Thanks to @tsaarni for leading design and implementation of this feature!
Related issues and PRs: #2338, #2910
Contour’s HTTPProxy API now supports specifying a CORS policy, which configures Envoy’s CORS filter to allow web applications to request resources from different origins.
Thanks to @aberasarte and @glerchundi for driving the design and implementation of this new feature!
Related issues and PRs: #437, #2890
Contour now generates v1 custom resource definitions (CRDs) as part of its example YAML. This enables Contour to take full advantage of the v1 API’s capabilities around validation, defaulting, API documentation via kubectl explain, and more. CRDs became generally available in Kubernetes 1.16 over a year ago.
This change bumps Contour’s minimum supported Kubernetes version to 1.16.
Related issues and PRs: #2916, #2678, #1723, #1978, #2903, #2527
Contour’s HTTPProxy and ExtensionService CRDs now expose Conditions. Each custom resource, when processed by Contour, will have a single Condition, of type Valid, that will have a value of true or false to indicate whether or not the resource is valid. The Valid condition will further have a set of sub-conditions that provide more detail on the reason(s) for the resource’s validity/non-validity.
The existing HTTPProxy status fields currentStatus and description will be retained for backwards compatibility.
Thanks to @youngnick for designing and implementing this feature!
Related issues and PRs: #2962, #2931
Contour now has experimental support for Envoy’s go-control-plane xDS server implementation. When enabled, this replaces Contour’s custom xDS gRPC server implementation. This feature can be enabled by setting the server.xds-server-type to “envoy” in the Contour config file.
Thanks to @stevesloka for designing and implementing this feature!
Related issues and PRs: #2134, #2850, #2884, #2919
We’ve added a config file field, cluster.dns-lookup-family, to customize DNS behavior for Kubernetes externalName services. Valid options are auto (default), v4, and v6. Previously, auto was always used, which first looks for an IPv6 address, and falls back to looking for an IPv4 address.
Thanks @stevesloka for debugging this issue and implementing the fix!
Related issues and PRs: #2894, #2873
Contour now performs validation on all timeout fields/annotations on the HTTPProxy and Ingress APIs. Invalid values will be rejected at creation time where possible, and will otherwise be surfaced to the user as invalid HTTPProxies, or as errors in the Contour log. Previously, Contour would disable the timeout entirely if the configured value was not a valid duration string.
Related issues and PRs: #2728, #2913, #2905
⚠️ In Contour 1.10, we will be deprecating TLS 1.1 and lower. TLS 1.2 will become the default minimum TLS version. TLS 1.1 can still be enabled, but will require explicit configuration. If you need to use TLS 1.1 going forward, you will need to explicitly enable it via the Contour config file, and via the HTTPProxy API’s minimumProtocolVersion field.
⚠️ In Contour 1.10, we will be removing the request-timeout field from the config file. This field was moved into the timeouts block, i.e. timeouts.request-timeout, in Contour 1.7, and all support for the old field will be dropped.
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by stevesloka about 4 years ago
We are delighted to present version 1.8.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
This Contour release upgrades the default Envoy version from 1.15.0 to 1.15.1. All Contour users should upgrade to this release, which addresses the following security issues:
Published by youngnick about 4 years ago
We are releasing a patch release for Contour to address a significant performance improvement recently identified by @mattmoor (Thanks Matt!) All previous versions of Contour are affected, and users should upgrade as soon as they can.
When Contour ingests Kubernetes objects it builds a data model (called "the DAG" internally), and once the data model is built, it is used to update status of HTTPProxy objects and to configure the Envoys.
Prior to this release, when the HTTPProxy status updates were sent, they would block the completion of the DAG run, and thus the programming of Envoy. In addition, the way Contour was sending the updates generated more apiserver traffic than it needed to, and could very easily hit apiserver rate limiting, causing large groups of status updates to add minutes to the DAG reconciliation time (and thus the Envoy programming time).
This release should produce performance improvements in all Contour installations, but they will probably be most noticeable in big clusters with lots of churn.
@mattmoor: Replace uncached Get to fix knative-sandbox/net-contour#226 (#2865)
@youngnick: internal/k8s: Change StatusUpdaterHandler channel to buffered (#2867)
Published by youngnick about 4 years ago
We are delighted to present version 1.8.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
There have been a bunch of great contributions from our community for this release, thanks to everyone!
We've also been busy with some big refactors to testing and other internals. The testing changes have come in, but the others should start landing in the 1.9 timeframe. So this release is a stabilisation release. Yay for paying down some tech debt!
Currently Contour supports annotating various objects with either projectcontour.io/<something> or contour.heptio.com/<something>. As of this release, contour.heptio.com annotations are deprecated, will have a warning log, and will be removed in a future release. Please move to using projectcontour.io annotations.
To ensure our community is as welcoming as possible, we've migrated our main development branch from its old name of master to main. As part of this effort, the auto-built Docker Hub image tag has also been moved from master to main.
Moving forward, we'll be using the guidelines of the Kubernetes Naming working group as a base for our own efforts to stay as inclusive as we can manage.
As part of this work, we've also run some automated checks against our code base using the vale tool, with minimal changes.
contour shutdown command for managing Envoy's shutdown process (#2817 and #2820), and there was a fix to ensure that Ctrl-C will actually shut down Contour when running locally (#2797).
Thanks to all of our external contributors, this is the most ever in one release! 🥇 🎉
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by jpeach about 4 years ago
We are delighted to present version 1.7.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
Special thanks to Chad Moon (@moondev) who helped find and debug some issues with fallback certificate support.
This Contour release upgrades the default Envoy version from 1.14.3 to 1.15.0. All Contour users should upgrade to this release.
The Contour config file now has a timeouts block that allows various Envoy timeouts to be configured. In particular, the following timeouts are now configurable: request-timeout, connection-idle-timeout, stream-idle-timeout, max-connection-duration, and connection-shutdown-grace-period. See the documentation for more information.
Deprecation Notice: the request-timeout field in the config file is now deprecated and has been replaced by timeouts.request-timeout. The deprecated field will be removed in a future release. If you use this field, you should switch to using timeouts.request-timeout.
(Associated PRs #2726 #2675 #2632 #2661 #2670)
Thanks to @skriss for adding these configuration settings.
HTTPProxy and TLSCertificateDelegation now each have a Status.Conditions field. These fields are currently left unpopulated. Over time, Contour will use these fields to report significantly more information about the current state of resources.
(Associated PR #2706)
Thanks to @youngnick for designing and implementing this feature.
Two bugs (#2720, #2733) were found related to the fallback certificate feature which was introduced in v1.5.0. The Envoy secret for the certificate was not being configured, and the http.Router filter was not being configured on the HTTP connection manager. Both issues have been fixed in this release.
(Associated PRs #2723 #2734)
Thanks to @moondev for reporting these issues, and to @jpeach for turning around quick fixes!
@erwbgy noticed that Contour was not configuring TCP keepalives for the Envoy listener sockets, and contributed a patch to add support for this in #2638. Thanks @erwbgy for the contribution!
@KevinSnyderCodes added two new fields to RetryPolicy, to better control when Envoy retries requests for a given route. The first, retryOn, allows the user to specify a subset of conditions under which requests should be retried. The second, retriableStatusCodes, enables only a specific set of HTTP response codes to be retried.
Thanks @KevinSnyderCodes for requesting, designing, and implementing this feature!
(Associated PR #2646)
The shutdown manager has been modified to use an Exec preStop hook to trigger the Envoy shutdown sequence.
Thanks @stevesloka for implementing this change.
(Associated PR #2751)
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by jpeach over 4 years ago
We are delighted to present version 1.6.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
This Contour release upgrades the default Envoy version from 1.14.2 to 1.14.3. All Contour users should upgrade to this release, which addresses the following security issues:
(Associated PRs: #2595)
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by jpeach over 4 years ago
We are delighted to present version 1.6.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
IngressRoute has been deprecated for some time and is, as of Contour 1.6, removed.
IngressRoute objects are no longer watched by Contour, and the IngressRoute and contour.heptio.com TLSDelegation CRDs are no longer installed by our example YAMLs. IngressRoute resources should be converted to HTTPProxy ones before upgrading to Contour 1.6. The IngressRoute and TLSDelegation CRDs should be removed from your clusters.
Please see ir2proxy for your IngressRoute to HTTPProxy conversion needs.
Vale IngressRoute!
Contour now has the ability to choose the versions of HTTP that Envoy will respond to.
This has been implemented as a workaround for a browser-specific problem about 421 result codes and blank requests (#2619).
In short, Safari can misroute certain connection-coalesced connections when they are being served from a wildcard certificate with the SNI routing changes introduced under #1493.
Thanks to @primeroz for helping to dig on this one.
We moved all status updates to HTTPProxy to the new pattern introduced in Contour 1.5 for address updates; this fixes #2522, #2580, and #2522.
Thanks to @primeroz for logging #2580, and for the help with confirming the fix.
@shyaamsn noticed that the TLS files used for Envoy bootstrapping could sometimes be empty when using cert-manager to create them. (#2602)
They then contributed a fix in #2607.
Thanks @shyaamsn!
PR #2583 introduced a regression that broke watching the Envoy service for status address updating. Fixed by #2605.
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by jpeach over 4 years ago
We are delighted to present version 1.5.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
Special thanks to Tim Bart (@pims), who was the release manager for this release.
This Contour release upgrades the default Envoy version from 1.14.1 to 1.14.2. All Contour users should upgrade to this release, which addresses CVE-2020-11080.
(Associated PRs: #2579)
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by jpeach over 4 years ago
We are delighted to present version 1.5.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
The Contour HTTPProxy API now includes better support for TLS clients that don't support SNI by allowing cluster operators to specify a fallback certificate that terminates TLS sessions where no SNI server name is provided. This feature is opt-in since it is incompatible with TLS client certificate validation and allows SNI name bypass, which may be undesirable in some deployments. Access to the fallback certificate is managed with the usual Contour TLS certificate delegation mechanism.
(Associated PRs: #2528, #2477, #2504, #2477, #2535, #2543)
Thanks @stevesloka for designing and implementing this feature.
The TLS keys and certificates that secure the gRPC session between Envoy and Contour can now be rotated without needing to restart any Pods.
(Associated PRs: #2333, #2555)
Thanks @tsaarni for driving this feature over the last couple of releases, both in the Contour and Envoy projects.
The example Contour deployment now uses certificates that include the CA certificate bundle. This change makes the example deployment compatible with certificates generated by cert-manager.
(Associated PRs: #2547)
Contour now updates the status of HTTPProxy documents with the status.loadBalancer.addresses field. This brings HTTPProxy to parity with Ingress, and makes it easier to program automatic DNS record creation for HTTPProxy objects.
(Associated PRs: #2551)
Thanks @youngnick.
Contour now programs Envoy to serve a 421 (Misdirected Request) response when HTTP/2 clients use aggressive wildcard certificate matching to re-use the wrong TLS session. This resolves errors where client requests to multiple HTTPProxy objects that are all served with a wildcard TLS certificate could receive a 404 error when the Host header in the HTTP request didn't match the SNI server name that was used to establish the TLS session.
(Associated PRs: #2483)
Contour now supports multiple addresses in the --ingress-status-address flag of the contour serve subcommand. This allows sites that deploy Envoy without an external load balancer to more easily publish all the addresses of the Envoy proxies into DNS.
(Associated PRs: #2542)
Thanks @al45tair for this improvement.
The Contour project now publishes the example deployment YAML for each release version. https://projectcontour.io/quickstart/contour.yaml still serves the YAML for the latest release, but you can pin to a specific version with a URL like https://projectcontour.io/quickstart/v1.5.0/contour.yaml.
(Associated PRs: #2552)
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread
Published by jpeach over 4 years ago
We are delighted to present version 1.4.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
This release adds support for configuring HTTPProxy objects to request validation of client certificates, allowing the use of client certificates for client authentication. This closes #1090.
See the documentation for how to use the feature.
(Associated PRs: #2250, #2390, #2410)
Thanks @tsaarni for getting this implemented.
As described in #2199, previously, when configured to accept a certain ingress.class annotation, Contour would watch objects with that annotation, and also objects with no annotation. This caused problems in clusters with more than one ingress controller.
As of #2394, having an ingress.class annotation configured now means that only objects that have a matching annotation will cause changes in Contour.
Note that this logic change applies to both Ingress and HTTPProxy documents.
#2340 also updated the annotations documentation to make the various behaviour options more clear.
Contour now has the ability to write a status.loadBalancer.addresses block to Ingress objects. This block is used by services which need to know how to reach an Ingress' backing service from outside the cluster, like external-dns.
There are two ways for Contour to find this information:
- the status.loadBalancer block from that Service, which is copied into all associated Ingress objects. This is what is used in the example deployment.
- the --ingress-status-address flag.
This closes #403, another old outstanding request.
(Associated PRs: #2373, #2386, #2416, #2420)
The Contour health and metrics services can now be configured to listen on separate addresses or ports using the new --health-address and --health-port flags. This gives operators the ability to restrict access to Contour's Prometheus metrics.
(Associated PRs: #2407)
Thanks @pickledrick for completing this change.
Virtual hosts that are exposed over TLS are now strongly bound to their TLS server name. This is a security improvement that means that clients cannot connect to hostname "A" at the TLS layer and then make HTTP requests for hostname "B".
(Associated PRs: #2381)
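The Host/SNI binding described here, and the 421 behaviour for HTTP/2 connection re-use noted under 1.5.0 above, as a small Go handler. This is an added illustration, not Contour's or Envoy's own code: the normalizeHost helper and the choice to let SNI-less clients through unchallenged are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// normalizeHost lowercases a host name and strips an optional :port and a
// trailing dot, so "Foo.Example.COM:443" and "foo.example.com" compare equal.
func normalizeHost(h string) string {
	h = strings.TrimSpace(h)
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// misdirected reports whether a request carrying hostHeader arrived on a TLS
// connection that was negotiated for a different virtual host (sniName).
// A client that sent no SNI is not treated as misdirected here (assumption).
func misdirected(hostHeader, sniName string) bool {
	if sniName == "" {
		return false
	}
	return normalizeHost(hostHeader) != normalizeHost(sniName)
}

// hostBindingHandler wraps a handler and answers 421 Misdirected Request when
// the Host header does not name the virtual host the TLS session was built for,
// instead of letting the request fall through to a 404 or the wrong backend.
func hostBindingHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sni := ""
		if r.TLS != nil {
			sni = r.TLS.ServerName
		}
		if misdirected(r.Host, sni) {
			http.Error(w, "421 Misdirected Request", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed pairs: a connection built for a.example.com being re-used for b.example.com.
	for _, c := range [][2]string{{"a.example.com", "a.example.com"}, {"B.example.com:443", "a.example.com"}} {
		fmt.Printf("Host %q on SNI %q misdirected=%v\n", c[0], c[1], misdirected(c[0], c[1]))
	}
	_ = hostBindingHandler(http.NotFoundHandler()) // wrap any mux this way before serving TLS
}
```

Answering 421 rather than 404 matters because HTTP/2 clients treat 421 as a signal to retry the request on a fresh connection for the right origin, whereas a 404 is reported to the user as a real failure.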
When Contour configures an ExternalName service, it now automatically sets the SNI server name used for the proxied HTTP request to match the request's Host header. This improves the compatibility of ExternalName services that proxy to HTTPS resources.
(Associated PRs: #2442)
The Contour configuration file is now documented.
In this release, Contour now inspects the CONTOUR_NAMESPACE environment variable. If CONTOUR_NAMESPACE is set, Contour will use this value as the namespace for performing leader election and the namespace for inspecting the Envoy service for load balancer addresses. In either case, explicit configuration values in the configuration file and command-line flags override the environment variable.
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread
Published by jpeach over 4 years ago
We are delighted to present version 1.3.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Contour users should upgrade to Contour 1.3.0 and Envoy 1.13.1.
Contour 1.3.0 includes several new features as well as the usual smattering of fixes and minor improvements.
--use-extensions-v1beta1-ingress flag
The --use-extensions-v1beta1-ingress flag was removed from the contour serve command. If you have a previous deployment that specifies this flag, you must remove it or Contour will fail to start.
PR: #2303
Thanks @davecheney
tcpproxy.include field to be singular
The TCPProxy field has only ever supported including a single child document. In order to make this clearer, the includes field is now named include. The includes field is deprecated.
PR: #2201
Thanks @stevesloka
The rule that Route field must reference at least one Service is now enforced.
PR: #2332
Thanks @davecheney
Contour now does a better job of gracefully shutting down when it receives SIGINT or SIGTERM.
PR: #2350
Thanks @davecheney
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread
Published by davecheney over 4 years ago
Contour 1.2.1 is patch release for the Contour 1.2 series to address several high severity security issues in Envoy.
Contour 1.2.1 contains no code changes from 1.2.0. This release only tags newer versions of our example and quickstart manifests to reflect the change in Envoy version.
All Contour users should upgrade to Contour 1.2.1 and Envoy 1.13.1.
See the Envoy 1.13.1 announcement for details on the vulnerabilities
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread
Published by youngnick over 4 years ago
We are delighted to present version 1.2.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Contour users should upgrade to Contour 1.2.0 and Envoy 1.13.0.
Contour 1.2.0 includes several new features as well as the usual smattering of fixes and minor improvements.
Contour now supports certificate rotation for the xDS gRPC interface between Contour and Envoy.
This is achieved by lazily loading the certificate and key every time a new TLS connection is established by Envoy.
This change addresses only certificate rotation in Contour (the server); similar support is needed in Envoy (the client) to cover the whole use case.
PR: https://github.com/projectcontour/contour/pull/2198
Thanks @tsaarni
The Envoy process, the data path component of Contour, at times needs to be re-deployed.
This could be due to an upgrade, a change in configuration, or a node failure forcing a redeployment.
Contour now offers a new sub-command named envoy shutdown-manager which assists in an Envoy rollout to minimize connection errors from clients.
The shutdown manager first sends the healthcheck fail request to Envoy and then begins polling the http/https listeners for active connections via the /stats endpoint available on localhost:9001.
When the connections reach zero or a configured threshold, the pod is allowed to be terminated.
If the pod's configured termination grace period seconds elapses before the open connections are fully drained, the pod is terminated anyway.
This new component runs as another container in the Envoy pod.
Design: https://github.com/projectcontour/contour/blob/master/design/envoy-shutdown.md
PR: https://github.com/projectcontour/contour/pull/2227
Thanks @stevesloka
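A model of that drain loop in Go, added here as an illustration and not the shutdown-manager's own code. The two downstream_cx_active stat names (for the ingress_http and ingress_https stat prefixes), the use of POST /healthcheck/fail on the Envoy admin endpoint, and the injectable fetchStats/sleep hooks are assumptions of this example; the /stats snapshots in main are constructed, not captured from a real Envoy.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Envoy http connection manager stats whose sum is the number of client
// connections still open on the HTTP and HTTPS listeners (prefixes assumed).
var activeConnStats = []string{
	"http.ingress_http.downstream_cx_active",
	"http.ingress_https.downstream_cx_active",
}

// failHealthcheck tells Envoy to start failing its health checks so the load
// balancer stops sending new connections (Envoy admin API: POST /healthcheck/fail).
func failHealthcheck(adminURL string) error {
	resp, err := http.Post(adminURL+"/healthcheck/fail", "text/plain", nil)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("healthcheck/fail returned %s", resp.Status)
	}
	return nil
}

// parseOpenConnections reads plain-text /stats output ("name: value" per line)
// and returns the total active downstream connections across activeConnStats.
func parseOpenConnections(stats string) (int, error) {
	total := 0
	sc := bufio.NewScanner(strings.NewReader(stats))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 {
			continue
		}
		name := strings.TrimSpace(parts[0])
		for _, want := range activeConnStats {
			if name != want {
				continue
			}
			n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
			if err != nil {
				return 0, fmt.Errorf("stat %s: %w", name, err)
			}
			total += n
		}
	}
	return total, sc.Err()
}

// drainResult records how the drain ended.
type drainResult struct {
	Drained   bool // connections fell to minConns before the grace period ended
	OpenConns int  // open connections seen on the last poll
	Polls     int
}

// drain polls fetchStats every interval until open connections drop to minConns
// or the termination grace period elapses, whichever comes first. When the grace
// period is met the pod is terminated with connections still open (Drained=false).
func drain(fetchStats func() (string, error), minConns int, grace, interval time.Duration, sleep func(time.Duration)) (drainResult, error) {
	deadline := time.Now().Add(grace)
	var res drainResult
	for {
		stats, err := fetchStats()
		if err != nil {
			return res, err
		}
		open, err := parseOpenConnections(stats)
		if err != nil {
			return res, err
		}
		res.Polls++
		res.OpenConns = open
		if open <= minConns {
			res.Drained = true
			return res, nil
		}
		if !time.Now().Before(deadline) {
			return res, nil
		}
		sleep(interval)
	}
}

// snapshotFetcher serves constructed /stats snapshots in order, repeating the last one.
func snapshotFetcher(snapshots ...string) func() (string, error) {
	i := 0
	return func() (string, error) {
		s := snapshots[i]
		if i < len(snapshots)-1 {
			i++
		}
		return s, nil
	}
}

func main() {
	fetch := snapshotFetcher(
		"http.ingress_http.downstream_cx_active: 3\nhttp.ingress_https.downstream_cx_active: 2\n",
		"http.ingress_http.downstream_cx_active: 0\nhttp.ingress_https.downstream_cx_active: 1\n",
		"http.ingress_http.downstream_cx_active: 0\nhttp.ingress_https.downstream_cx_active: 0\n",
	)
	res, err := drain(fetch, 0, 30*time.Second, 5*time.Second, func(time.Duration) {})
	fmt.Printf("drained=%v polls=%d open=%d err=%v\n", res.Drained, res.Polls, res.OpenConns, err)
}
```

In a real deployment fetchStats would GET http://localhost:9001/stats and sleep would be time.Sleep; the grace period passed to drain should be the pod's terminationGracePeriodSeconds, since Kubernetes will kill the container at that point regardless.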
Contour adds some new Prometheus metrics for the various API operations and kinds observed from the Kubernetes informers.
This information is helpful to understand the amount of changes that Contour is processing from a Kubernetes cluster.
This change also includes a sample Grafana dashboard.
```
% curl -s 127.0.0.1:8000/metrics | grep eventhandler
# HELP contour_eventhandler_operation_total Total number of eventHandler operations received by operation and object kind
# TYPE contour_eventhandler_operation_total gauge
contour_eventhandler_operation_total{kind="contour.heptio.com/IngressRoutev1beta1",op="onAdd"} 2
contour_eventhandler_operation_total{kind="contour.heptio.com/TLSCertificateDelegationv1beta1",op="onAdd"} 1
contour_eventhandler_operation_total{kind="projectcontour.io/HTTPProxyv1",op="onAdd"} 1
contour_eventhandler_operation_total{kind="unknown",op="onAdd"} 76
```
PR: https://github.com/projectcontour/contour/pull/2244
PR: https://github.com/projectcontour/contour/pull/2261
Thanks @davecheney, @youngnick
Raise the SafeRegex size limit from 1,000 to 1,048,576.
There is no evidence that this number is sufficient for all possible regex patterns; the limit therefore represents the "no limit" limit, because it is currently not possible for Envoy to reject a regex entry in a way that Contour can trace back to the original input.
PR: https://github.com/projectcontour/contour/pull/2241
Thanks @davecheney
Adds an enum validation to limit the values for the service.protocol field.
Note: users will need to reapply the CRD spec to get the validation.
PR: https://github.com/projectcontour/contour/pull/2158
Thanks @stevesloka
For an HTTPProxy, a requestHeaderPolicy can only set the Host header at the HTTPProxy.Routes.Service level.
PR: https://github.com/projectcontour/contour/pull/2157
Thanks @stevesloka
The cert-gen example job now ensures that the Job will succeed if the secrets already exist.
PR: https://github.com/projectcontour/contour/pull/2178
Thanks @youngnick
Please consult the Upgrading document for further information on upgrading from Contour 1.1.0 to Contour 1.2.0.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread
Published by stevesloka almost 5 years ago
We are delighted to present version 1.1.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Contour users should upgrade to Contour 1.1.0 and Envoy 1.12.2 as there are some critical vulnerabilities that should be patched.
Contour 1.1.0 includes several new features as well as the usual smattering of fixes and minor improvements.
Three CVEs have been addressed by Envoy, the highest security defect is considered 9.0 (critical) severity.
See the Envoy 1.12.2 announcement for details on the vulnerabilities.
As Envoy has not provided fixes for Envoy 1.11 and earlier, all Contour users should also upgrade to Envoy 1.12.2.
Prefix rewrite support was removed right before HTTPProxy was released in Contour v1.0.0. Support has now been added back to HTTPProxy and is expressed as a pathRewritePolicy:
```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: rewrite-example
spec:
  virtualhost:
    fqdn: rewrite.bar.com
  routes:
  - services:
    - name: s1
      port: 80
    conditions:
    - prefix: /v1/api
    pathRewritePolicy:
      replacePrefix:
      - prefix: /v1/api
        replacement: /app/api/v1
```
Thanks @jpeach
Contour now supports defining what protocol Envoy should use when proxying to an upstream application.
(See design doc: https://github.com/projectcontour/contour/blob/master/design/httpproxy-protocol-selection.md)
A new field has been added to the Service spec which encodes the protocol data. Values for this field are: h2, h2c, and tls.
Note: Previously, that data was extracted from the Kubernetes service annotation projectcontour.io/upstream-protocol.{protocol}.
```yaml
spec:
  virtualhost:
    fqdn: dashboard.kubernetes.com
    tls:
      secretName: kubernetes-dashboard-tls
  routes:
  - conditions:
    - prefix: /
    services:
    - name: kubernetes-dashboard
      protocol: tls # <--- NEW FIELD
      port: 443
```
Thanks @mattmoor
Adds support for adding and removing request or response headers for each service target in a Contour HTTPProxy resource.
Header manipulation is supported per-Service or per-Route.
Headers can be set or removed from the request or response as follows:
```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: header-manipulation
  namespace: default
spec:
  virtualhost:
    fqdn: headers.bar.com
  routes:
  - services:
    - name: s1
      port: 80
      requestHeaderPolicy:
        set:
        - name: X-Foo
          value: bar
        remove:
        - X-Baz
      responseHeaderPolicy:
        set:
        - name: X-Service-Name
          value: s1
        remove:
        - X-Internal-Secret
```
Thanks @mattmoor
To proxy to another resource outside the cluster (e.g. a hosted object store bucket), configure that external resource in a Service of type ExternalName.
Then define a requestHeaderPolicy which replaces the Host header with the value of the ExternalName service defined previously.
See the externalName section of the HTTPProxy docs for more details.
Note: the Host rewrite only applies to services which target ExternalNames.
Thanks: @stevesloka
To be a valid HTTPProxy, if the tcpproxy stanza is provided, the HTTPProxy must also feature a virtualhost.tls spec with either passthrough: true, or a valid secretName.
Fixes #1958
Thanks @davecheney
Clean up the HTTPProxy spec.virtualhost.tls validation logic and fix the last issue with the HTTPProxy TCPProxy logic.
If an HTTPProxy is using TCP proxying then its secure port is forwarded according to the spec.tcpproxy schema.
The insecure port, port 80, is not TCP forwarded and remains connected to an L7 HTTP connection manager.
Because by definition an HTTPProxy using TCP proxying must supply a valid spec.virtualhost.tls block, our 301 upgrade logic applies.
Thus, after this change, if a route on the insecure listener is not using permitInsecure: true, it will be 301 upgraded.
Fixes #1952
Thanks @davecheney
Envoy crashes when processing a TLS certificate that does not have SubjectAltNames or a CN field in the Subject, so Contour now rejects any certificate which lacks a Subject CommonName (CN) or SubjectAltName extension.
Upstream Envoy issue: https://github.com/envoyproxy/envoy/issues/9182
Fixes #1965
Thanks @davecheney
Adds securityContext to the Contour and certgen job manifest examples so that they do not run as root.
Thanks @surajssd
A certificate-lifetime argument has been added to the Contour certgen job which sets, in days, how long the certificates used for Envoy<>Contour communication are valid.
Fixes #2017
Thanks @tsaarni
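The certificate check from the fix above (reject a certificate that has neither a Subject CN nor a SubjectAltName, since Envoy crashed on such input) together with a lifetime-in-days generator in the spirit of the certgen certificate-lifetime argument, in Go. This is an added example and not Contour's or certgen's own code; the function names, the errNoName sentinel and the throwaway ECDSA self-signed certificates it generates are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// errNoName is returned for certificates Envoy could not match a name against.
var errNoName = errors.New("certificate has neither a Subject CommonName nor a SubjectAltName extension")

// hasSAN reports whether any SubjectAltName entry of a supported type is present.
func hasSAN(c *x509.Certificate) bool {
	return len(c.DNSNames) > 0 || len(c.IPAddresses) > 0 || len(c.EmailAddresses) > 0 || len(c.URIs) > 0
}

// validateServingCert parses the first CERTIFICATE block in pemBytes and rejects
// it when it lacks both a Subject CN and a SubjectAltName extension.
func validateServingCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if cert.Subject.CommonName == "" && !hasSAN(cert) {
		return nil, errNoName
	}
	return cert, nil
}

// selfSignedCert generates a throwaway self-signed certificate valid for
// lifetimeDays days with the given CN and DNS SANs (either may be empty).
// Constructed test material, not a production certificate.
func selfSignedCert(cn string, dnsNames []string, lifetimeDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(lifetimeDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// lifetimeDays reports a parsed certificate's validity period in whole days.
func lifetimeDays(c *x509.Certificate) int {
	return int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
}

func main() {
	cases := []struct {
		cn   string
		sans []string
	}{{"", nil}, {"contour", nil}, {"", []string{"envoy.projectcontour"}}}
	for _, c := range cases {
		p, err := selfSignedCert(c.cn, c.sans, 365)
		if err != nil {
			panic(err)
		}
		cert, err := validateServingCert(p)
		if err != nil {
			fmt.Printf("cn=%q sans=%v rejected: %v\n", c.cn, c.sans, err)
			continue
		}
		fmt.Printf("cn=%q sans=%v accepted, valid for %d days\n", c.cn, c.sans, lifetimeDays(cert))
	}
}
```

Running the check before handing a secret to Envoy turns a data-plane crash into a status error on the offending HTTPProxy, which is the failure mode an operator can actually act on.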
Please consult the Upgrading document for further information on upgrading from Contour 1.0.1 to Contour 1.1.0.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread