contour

Contour is a Kubernetes ingress controller using Envoy proxy.

APACHE-2.0 License

Stars: 3.6K
Committers: 223


contour - Contour v1.13.1

Published by skriss over 3 years ago

Bug Fixes

  • #3410: fixes an issue where global rate limit policies defined at the virtual host level for TLS-secured HTTPProxies were being ignored
  • #3412: fixes an issue where changes to the Envoy load balancer address were not immediately being reflected in HTTPProxies' status.
  • #3417: updates Envoy from v1.17.0 to v1.17.1. See the Envoy changelog for details.

contour - Contour v1.13.0

Published by stevesloka over 3 years ago

We are delighted to present version 1.13.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Gateway API Support

Contour now provides initial support for Gateway API, an open source project to evolve service networking APIs within the Kubernetes ecosystem. Gateway API consists of multiple resources that provide user-facing interfaces for exposing Kubernetes applications (Services, Ingress, and more). See the user guide for additional details and to start using Gateway API with Contour.

Related issues and PRs: #3278 #3397 #2809 #3283

Thanks to @stevesloka and @youngnick for designing and implementing this feature.

Global Rate Limiting

There are times when per-Envoy (local) limits and distributed circuit breaking are not effective enough and a limit shared across the whole fleet is needed. With global rate limiting, each Envoy consults an external Rate Limit Service (RLS) over gRPC for every matching request and enforces the RLS's decision, so the limit is counted once for all Envoy instances. For additional details, see the Envoy documentation.

Related issues and PRs: #3178 #3298 #3324

Thanks to @skriss for designing and implementing this feature!

Known Issues: #3409 (global rate limit policies at the virtual host level for TLS vhosts do not take effect).
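An added example, written for this page rather than taken from the Contour release notes, of the three pieces global rate limiting needs: an ExtensionService that tells Contour where the RLS is, the rateLimitService stanza in the Contour config file, and an HTTPProxy that sends descriptors. Everything concrete in it (the projectcontour/ratelimit service on port 8081, the domain contour, the hostname, the secret name, the X-Api-Key header) is an assumption, and the numeric limits themselves live in the RLS's own configuration, not here.

```yaml
# Added example, not part of the release notes. Names are assumptions.
# 1. Tell Contour where the Rate Limit Service (RLS) is.
apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  namespace: projectcontour
  name: ratelimit             # assumed: a Service in front of an RLS deployment
spec:
  protocol: h2c               # gRPC in cleartext inside the cluster; use h2 (+validation) for TLS
  services:
    - name: ratelimit
      port: 8081
---
# 2. Contour config file (the data of the "contour" ConfigMap): select the RLS.
#    failOpen: false means a request Envoy cannot get a decision for is
#    rejected instead of passing through unthrottled.
rateLimitService:
  extensionService: projectcontour/ratelimit
  domain: contour             # must match the domain configured in the RLS
  failOpen: false
---
# 3. The descriptors Envoy sends; the RLS maps them to limits and answers
#    OK or OVER_LIMIT (Envoy returns 429 for the latter).
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: api
  namespace: default
spec:
  virtualhost:
    fqdn: api.example.com     # assumed
    tls:
      secretName: api-tls     # assumed
    # Caveat for 1.13.0: this vhost-level policy is ignored on a TLS vhost
    # (#3409); fixed in 1.13.1. Route-level policies are unaffected.
    rateLimitPolicy:
      global:
        descriptors:
          - entries:
              - remoteAddress: {}            # key the limit on the client address
  routes:
    - conditions:
        - prefix: /login
      rateLimitPolicy:
        global:
          descriptors:
            - entries:
                - genericKey:
                    value: login             # static tag for this route
                - requestHeader:
                    headerName: X-Api-Key
                    descriptorKey: api_key   # descriptor key as the RLS sees it
      services:
        - name: auth
          port: 80
```

The remoteAddress descriptor is only as trustworthy as the client address Envoy derives, which depends on the trusted-hops setting described under "Configurable XffNumTrustedHops" in this same release.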

Configurable Global TLS Cipher Suites

TLS cipher suites used by Envoy listeners can now be configured. The configured cipher suites are validated against Envoy's allowed cipher list. Contour will exit on startup if any invalid cipher suites are present in the config file. If no cipher suites are provided, Contour will use the defaults that exist now.

Related issues and PRs: #2880 #3292 #3304
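As an added illustration (not code from the release notes), this is the tls block of the Contour config file with both settings written out: the minimum protocol version, whose default moved to 1.2 in the 1.10 and 1.11 releases described further down this page, and the new cipher-suites list. The first document spells out the forward-secret defaults; the second is the kind of temporary compatibility list the 1.12 revert below was meant to allow, with the weaker suites called out. The HTTPProxy at the end raises the floor for one virtual host; its fqdn and secret name are assumptions.

```yaml
# Added example, not from the release notes.
# Alternative A: Contour config file (the data of the "contour" ConfigMap)
# with the hardened defaults stated explicitly.
tls:
  minimum-protocol-version: "1.2"
  # Only ECDHE (forward-secret) AEAD suites. Square brackets are BoringSSL
  # equal-preference groups: within a group the client's preference decides.
  cipher-suites:
    - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
    - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
    - 'ECDHE-ECDSA-AES256-GCM-SHA384'
    - 'ECDHE-RSA-AES256-GCM-SHA384'
---
# Alternative B: compatibility list for a client that broke after the
# default changed. Contour validates each name against Envoy's allowed list
# and exits at startup on an unknown name, so a typo never reaches a listener.
tls:
  minimum-protocol-version: "1.2"
  cipher-suites:
    - 'ECDHE-RSA-AES256-GCM-SHA384'
    - 'ECDHE-RSA-AES128-SHA'      # CBC mode: forward secret, but not AEAD
    - 'AES128-GCM-SHA256'         # static RSA key exchange: no forward secrecy
---
# Per-virtual-host floor set on the HTTPProxy; every other host keeps the
# global setting.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: strict
  namespace: default
spec:
  virtualhost:
    fqdn: strict.example.com      # assumed
    tls:
      secretName: strict-tls      # assumed
      minimumProtocolVersion: "1.3"
  routes:
    - services:
        - name: strict
          port: 80
```

Alternative B should come with an expiry date: the two trailing suites are there for one known client, and removing them again once it is fixed restores the default posture.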

Configurable Delay Close Timeout

There are situations where Envoy's delayed_close_timeout causes a connection to be closed while response data still remains to be written, for example when a client sends a Connection: close header and is slow to read the response. The delayed_close_timeout can now be configured (timeouts.delayed-close-timeout in the Contour config file) by users who encounter this situation.

Related issues and PRs: #3285 #3316

Thanks to @xtreme-jesse-malone for implementing this feature!

Configurable XffNumTrustedHops

If an external load balancer in front of Envoy terminates TLS, Envoy overwrites the X-Forwarded-Proto header unless the downstream connection is trusted. The number of trusted hops (Envoy's XffNumTrustedHops) can now be configured via network.num-trusted-hops in the Contour config file, so that headers already set by a trusted upstream proxy are left intact.

Related issues and PRs: #3294 #3293

Thanks to @stevesloka for implementing this feature!
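An added example (not the project's own text or code) of the config file setting for the feature above, with the topology it assumes spelled out in the comments and the failure mode of enabling it when no trusted proxy actually sits in front of Envoy. The addresses are made up.

```yaml
# Added example, not from the release notes. Addresses are assumptions.
# Contour config file (the data of the "contour" ConfigMap).
#
# Topology assumed:  client -> external TLS-terminating LB -> Envoy
# The LB sets X-Forwarded-Proto: https and appends the client IP to
# X-Forwarded-For. With the default of 0 trusted hops Envoy treats the LB as
# an untrusted client: it rewrites X-Forwarded-Proto to the scheme of its own
# listener and takes the LB's address as the client address, so applications
# see plain-HTTP traffic that all comes from one IP.
network:
  num-trusted-hops: 1          # the LB is the single trusted hop
#
# Leave this at 0 whenever clients can reach Envoy without passing the LB
# (a NodePort or a second LoadBalancer on the same Service, for instance).
# With num-trusted-hops: 1 a direct client can send
#     X-Forwarded-Proto: https
#     X-Forwarded-For: 10.0.0.5
# and both values are believed: the scheme is spoofed, and 10.0.0.5 becomes
# the "client address" used by access logs, by remoteAddress rate-limit
# descriptors and by any policy keyed on X-Forwarded-For.
```

The check before rolling this out is therefore a topology check, not a config check: confirm that every path into the Envoy listeners really goes through a proxy that overwrites the X-Forwarded-* headers it receives.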

ExactBalance Connection Balancer

ExactBalance is a connection balancer implementation that does exact balancing. This means that a lock is held during balancing so that connection counts are nearly exactly balanced between worker threads. With long keep-alive connections, the Envoy listener will use the ExactBalance connection balancer. For additional details, see the Envoy documentation.

Related issues and PRs: #3314

Thanks to @iyacontrol for implementing this feature!

Set SNI for Upstream externalName Clusters

SNI is now set for any TCPProxy service that references an ExternalName-type Service and has the upstream protocol set to "tls".

Related issues and PRs: #3291

Thanks to @stevesloka for implementing this feature!

Dynamic Service Headers

Adds support for the %CONTOUR_NAMESPACE%, %CONTOUR_SERVICE_NAME% and %CONTOUR_SERVICE_PORT% dynamic variables in configured request and response headers. These variables are expanded like the Envoy dynamic variables added in #3234. Note: the CONTOUR_ prefix avoids a clash with any future Envoy dynamic variable. Variables that cannot be expanded are passed through literally.

Related issues and PRs: #3269

Thanks to @erwbgy for implementing this feature!

Deprecation & Removal Notices

  • The deprecated FileAccessLog.json_format access logging format field is replaced by envoy.extensions.access_loggers.file.v3.FileAccessLog.log_format. See #3210 for additional details.
  • The deprecated cluster Http2ProtocolOptions field is replaced with TypedExtensionProtocolOptions. See #3308 for additional details.
  • The less-secure AES128/AES256 cipher suites (the CBC-mode suites and the static-RSA suites without ECDHE forward secrecy) are disabled by default. They can be re-enabled explicitly via tls.cipher-suites. See #3304 for additional details.
  • The following Prometheus Gauges have been renamed to make the metric names follow promlint conventions. We encourage operators to have dashboard and alert queries refer to the new names. The old metrics will be removed completely in the next release:
    contour_httpproxy_total -> contour_httpproxy
    contour_httpproxy_invalid_total  -> contour_httpproxy_invalid
    contour_httpproxy_orphaned_total  -> contour_httpproxy_orphaned
    contour_httpproxy_valid_total  -> contour_httpproxy_valid
    contour_httpproxy_root_total  -> contour_httpproxy_root
    

Upgrading

Please consult the upgrade documentation.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For version 1.13, special thanks go out to the following contributors:

  • @xtreme-jesse-malone
  • @abhide
  • @seemiller

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.12.0

Published by skriss over 3 years ago

We are delighted to present version 1.12.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

There have been a bunch of great contributions from our community for this release, thanks to everyone!

Major Changes

Local Rate Limiting Support

Contour now supports Envoy's local rate limiting, which allows users to define basic rate limits for virtual hosts or routes that are enforced on a per-Envoy basis. See the rate limiting documentation for more information.

Related issues and PRs: #3255 #3251

Thanks to @skriss for implementing this feature!
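An added example (not from the release notes) of a local rate limit at both levels the release supports, a virtual host and a route, with the route-level limit tighter for a credential endpoint. Hostnames and service names are assumptions.

```yaml
# Added example, not from the release notes. Names are assumptions.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: login
  namespace: default
spec:
  virtualhost:
    fqdn: login.example.com
    # Host-wide token bucket: refilled at 1000 requests per minute, holding
    # up to 1000 + 100 tokens. Enforced independently by each Envoy pod.
    rateLimitPolicy:
      local:
        requests: 1000
        unit: minute
        burst: 100
  routes:
    - conditions:
        - prefix: /login
      # Tighter bucket for the credential endpoint.
      rateLimitPolicy:
        local:
          requests: 10
          unit: second
          burst: 5
          responseStatusCode: 503          # default is 429
          responseHeadersToAdd:
            - name: X-Contour-RateLimited  # lets the app / logs tell the cases apart
              value: "true"
      services:
        - name: auth
          port: 80
    - conditions:
        - prefix: /
      services:
        - name: web
          port: 80
```

Two properties matter when sizing this: the bucket is per Envoy pod, so a fleet of N pods admits up to N times the stated rate, and it is one bucket for all clients rather than a per-client limit, so a single aggressive source exhausts it for everyone. A per-client limit on a login endpoint needs the global rate limiting added in 1.13, keyed on the client address.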

Header Hash Load Balancing

Contour 1.12 now supports the RequestHash load balancing strategy, which enables load balancing based on request headers. An upstream Endpoint is selected based on the hash of an HTTP request header. Requests that contain a consistent value in a request header will be routed to the same upstream Endpoint.

For more information, including an example HTTPProxy definition, see the Contour documentation.

Related issues and PRs: #3099 #3044 #3282

Thanks to @sunjayBhatia for designing and implementing this feature!
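An added example (not from the release notes) of the RequestHash strategy with a primary and a fallback header. The header names and service are assumptions.

```yaml
# Added example, not from the release notes. Names are assumptions.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: sessions
  namespace: default
spec:
  virtualhost:
    fqdn: app.example.com
  routes:
    - conditions:
        - prefix: /
      loadBalancerPolicy:
        strategy: RequestHash
        requestHashPolicies:
          # Requests carrying the same X-Session-Id hash to the same endpoint.
          - headerHashOptions:
              headerName: X-Session-Id
            terminal: true          # if present, do not fall through
          # Requests without a session: hash on User-Agent instead.
          - headerHashOptions:
              headerName: User-Agent
      services:
        - name: app
          port: 80
```

Because the hash input is chosen by the client, a client can steer every one of its requests to one endpoint by holding the header constant, or spread across all of them by varying it; this is affinity, not a security control, and the endpoint behind it must still cope with an uneven share of the load.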

Dynamic Request Headers

Contour 1.12 adds support for including dynamic values in configured request and response headers. Almost all variables supported by Envoy are allowed. This feature can be used to set headers containing information such as the host name of where the Envoy pod is running, the TLS version, etc.

For more information, including a full list of supported variables, see the Contour documentation.

Related issues and PRs: #3234 #3236 #3269

Thanks to @erwbgy for adding this feature!
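An added example (not from the release notes) that uses both kinds of variable: the Envoy dynamic variables introduced here, and the %CONTOUR_NAMESPACE%, %CONTOUR_SERVICE_NAME% and %CONTOUR_SERVICE_PORT% variables from the 1.13 "Dynamic Service Headers" section above. The namespace, services and header names are assumptions.

```yaml
# Added example, not from the release notes. Names are assumptions.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: shop
  namespace: shop
spec:
  virtualhost:
    fqdn: shop.example.com
    tls:
      secretName: shop-tls
  routes:
    - conditions:
        - prefix: /cart
      # Route level: Envoy expands these per request.
      requestHeadersPolicy:
        set:
          - name: X-Client-Address
            value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
          - name: X-TLS-Version
            value: "%DOWNSTREAM_TLS_VERSION%"
        remove:
          # Assumed: the backend trusts this header, so a client must never
          # be able to supply it. Strip it before the request leaves Envoy.
          - X-Auth-User
      responseHeadersPolicy:
        set:
          - name: X-Served-By
            value: "%HOSTNAME%"      # Envoy pod name, for tracing a bad node
        remove:
          - X-Powered-By             # assumed framework banner
      services:
        - name: cart
          port: 8080
          # Service level: Contour expands these to "shop", "cart", "8080"
          # before the config reaches Envoy.
          requestHeadersPolicy:
            set:
              - name: X-Contour-Upstream
                value: "%CONTOUR_NAMESPACE%/%CONTOUR_SERVICE_NAME%:%CONTOUR_SERVICE_PORT%"
```

Anything that is not a recognised variable stays literal, so a misspelled %DOWNSTREAM_TLS_VERSON% reaches the backend as that string; a quick curl with -v against the route is the cheapest check after applying.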

Reverting some TLS Cipher changes

Contour has been making an effort to remove ciphers marked as "less secure" from the default cipher list given to Envoy. This work has been driven by @tsaarni and @ryanelian and @bascht. However, after the release of 1.11, we had a report of a production outage caused by these changes (#3299, thanks @moderation).

We've decided to revert PRs #3154 and #3237 for version 1.12, until we can fully implement #2880, so that if the default cipher suite breaks something for a user, they can put it back after upgrading until they have a chance to migrate away from the less-secure ciphers.

We're aiming to have #2880 completed in the 1.13 timeframe (the next month).

Envoy 1.17.0

Contour 1.12.0 is compatible with Envoy 1.17.0.

Related issues and PRs: #3245

Thanks to @sunjayBhatia for performing this upgrade!

Configurable allow_chunked_length

Envoy's allow_chunked_length setting is now enabled by default, with a Contour config file toggle (disableAllowChunkedLength) to turn it off. With it enabled, Envoy accepts a request that carries both a Content-Length header and Transfer-Encoding: chunked, drops the Content-Length and processes the body as chunked, as RFC 7230 requires; with it disabled such requests are rejected. See the Envoy documentation for more information on the setting, and the Contour config file documentation for information on how to disable it.

Related issues and PRs: #3221 #3248

Thanks to @sunjayBhatia for making this change!

Case-Insensitive Duplicate FQDN Check

Contour's check for duplicate fully-qualified domain names (FQDNs) is now case-insensitive.

Related issues and PRs: #3230 #3231

Thanks to @erwbgy for this fix!

Fix for Rewriting Host Header

We fixed a regression related to rewriting the Host header for externalName services.

Related issues and PRs: #3252

Thanks to @stevesloka for finding and fixing this regression!

Deprecation & Removal Notices

  • Contour no longer supports TLS 1.1.

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.11.0

Published by stevesloka almost 4 years ago

We are delighted to present version 1.11.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

There's been a bunch of great contributions from our community for this release, thanks to everyone!

Contour-Operator

The new Contour Operator provides a method for packaging, deploying, and managing Contour. The operator extends the functionality of the Kubernetes API to create, configure, and manage instances of Contour on behalf of users. It builds upon the basic Kubernetes resource and controller concepts, but includes domain-specific knowledge to automate the entire lifecycle of Contour.

Visit the getting started guide on how to quickly get up and running with the operator.

For more information, see the contour operator repo.

Global TLS minimum to 1.2

The default global minimum TLS version has moved from 1.1 to 1.2. This forces all HTTPProxies and Ingresses to use at least TLS 1.2.

https://github.com/projectcontour/contour/pull/3112

Envoy v1.16.2

Contour now ships with Envoy v1.16.2, which resolves several CVEs in Envoy; please upgrade your clusters.

Envoy XDS Resource Version Support

As noted in the Contour 1.10 release notes, the v2 xDS resource version has been removed from Contour ahead of its removal from Envoy. Please see the xDS Migration Guide for upgrading your instances of Envoy and Contour.

Note: This change applies also to any External Auth servers that may be integrated.

Trigger rebuild for configured secrets

If a client certificate stored in a Kubernetes Secret was changed, Contour did not notice the change, which blocked a valid certificate rotation path for users. Contour v1.11 adds the Secrets referenced from the configuration file to the set of Secrets that trigger a DAG rebuild. Previously only Secrets referenced by HTTPProxy and Ingress resources were considered, so a Secret created or updated after the HTTPProxy or Ingress had triggered its rebuild was not picked up correctly.

https://github.com/projectcontour/contour/pull/3191

Thanks to @tsaarni for the fix and @Zsolt-LazarZsolt for reporting!

Deprecation Notices

⚠️ Contour annotations starting with contour.heptio.com were removed from the documentation some time ago. Contour 1.8 marked their official deprecation, and they have been removed in Contour v1.11.0.

Upgrading

Please consult the upgrade documentation.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For version 1.11, special thanks go out to the following contributors:

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.10.1

Published by skriss almost 4 years ago

We are delighted to present version 1.10.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Fixes

  • Upgrades the default Envoy version from 1.16.0 to 1.16.2 for security and bug fixes. See the Envoy 1.16.1 and 1.16.2 changelogs for details.
  • Fixes a concurrent map access issue which could lead to Contour crashing/restarting (#3199).

contour - Contour v1.10.0

Published by skriss almost 4 years ago

We are delighted to present version 1.10.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

There have been a bunch of great contributions from our community for this release, thanks to everyone!

Major Changes

Envoy xDS v3 Support

Contour now supports Envoy's xDS v3 protocol in addition to the deprecated v2 protocol. The example YAML has been updated to configure Envoy to use the v3 protocol by default.

When users have an existing Contour installation and wish to upgrade without dropping connections, they should first upgrade Contour to v1.10.0, which serves both the v2 and v3 xDS versions from the same gRPC endpoint. Next, change the Envoy DaemonSet or Deployment to include --xds-resource-version=v3 as an argument to the envoy-initconfig init container, which tells Envoy to request the v3 resource version. The usual rollout process drains connections, allowing a fleet of Envoy instances to move gradually from the v2 xDS resource API version to v3.

See the xDS Migration guide for more information: https://projectcontour.io/guides/xds-migration/

Related issues and PRs: #1898, #2930, #3016, #3017, #3068, #3079, #3074, #3087, #3093

Thanks to @stevesloka and @jpeach for their hard work on this upgrade.

Custom JSON fields for Envoy access logs

Contour now supports custom JSON fields in the Envoy access log. Custom fields can be specified in the json-fields config field, using the format <custom-field-name>=<Envoy format string>, where the Envoy format string can contain any Envoy command operator except DYNAMIC_METADATA and FILTER_STATE.

You can read more about this feature in Contour's updated guide to structured logging.

Related issues and PRs: #3059, #3032, #1507

Thanks to @Mike1808, @KauzClay, and @XanderStrike for designing and implementing this feature!
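An added example (not from the release notes) of a json-fields list tuned for detection work: the standard fields Contour already knows by name, followed by custom fields built from Envoy command operators that surface TLS parameters, the client certificate subject, and Envoy's own reason for a response. The field names on the left of each = are my choices, not Contour's.

```yaml
# Added example, not from the release notes.
# Contour config file (the data of the "contour" ConfigMap).
accesslog-format: json
json-fields:
  # Standard field names Contour maps to Envoy operators for you.
  - "@timestamp"
  - "downstream_remote_address"
  - "x_forwarded_for"
  - "authority"
  - "method"
  - "path"
  - "protocol"
  - "response_code"
  - "response_flags"
  - "bytes_received"
  - "bytes_sent"
  - "duration"
  - "upstream_cluster"
  - "upstream_host"
  - "user_agent"
  - "requested_server_name"
  - "request_id"
  # Custom fields: <field-name>=<Envoy format string>.
  # Any Envoy command operator is allowed except DYNAMIC_METADATA and FILTER_STATE.
  - "tls_version=%DOWNSTREAM_TLS_VERSION%"
  - "tls_cipher=%DOWNSTREAM_TLS_CIPHER%"
  - "client_cert_subject=%DOWNSTREAM_PEER_SUBJECT%"   # empty unless mTLS is in use
  - "response_code_details=%RESPONSE_CODE_DETAILS%"   # e.g. why Envoy itself answered 403/429
  - "upstream_failure=%UPSTREAM_TRANSPORT_FAILURE_REASON%"
  - "api_key_present=%REQ(X-Api-Key)%"                # assumed header; log presence, not secrets
```

The last line is the kind of field to think twice about: logging a header is logging its value, so only put a header there if its contents are safe to keep in the log pipeline.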

Multi-arch Docker images

Contour's Docker images are now multi-architecture, with linux/amd64 and linux/arm64 currently supported. No change is needed by users; the correct architecture will automatically be pulled for your host.

Related issues and PRs: #3031, #2868

Thanks to @skriss for implementing multi-arch support.

Envoy 1.16

Contour now uses Envoy 1.16.0.

Related issues and PRs: #3029, #3013

Thanks to @yoitsro for this upgrade!

Default minimum TLS version is now 1.2

TLS 1.2 is now the default minimum TLS version for HTTPProxies and Ingresses. It's still possible to use 1.1 if necessary by explicitly specifying it. See the HTTPProxy documentation and Ingress documentation for more information.

Related issues and PRs: #3007, #2777, #3012

Thanks to @skriss for making this change.

RBAC v1

Contour's example YAML now uses rbac.authorization.k8s.io/v1 instead of the deprecated rbac.authorization.k8s.io/v1beta1 version for role-based access control (RBAC) resources. RBAC has been generally available in Kubernetes since v1.8, so this has no effect on the minimum supported Kubernetes version.

Related issues and PRs: #3015, #2991

Thanks to @narahari92 for this upgrade!

Deprecation & Removal Notices

  • The request-timeout field has been removed from the config file. This field was moved into the timeouts block, i.e. timeouts.request-timeout, in Contour 1.7.
  • In Contour 1.11, TLS 1.1 will be disabled by default. Users who require TLS 1.1 will have to enable it via the config file's tls.minimum-protocol-version field, and by specifying it for each HTTPProxy or Ingress where it's needed. See the HTTPProxy documentation and Ingress documentation for more information.

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.9.0

Published by stevesloka about 4 years ago

We are delighted to present version 1.9.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

There's been a bunch of great contributions from our community for this release, thanks to everyone!

External Authorization Support

Contour now supports integrating with external authorization services via the ExtensionService custom resource definition. This new Contour API exposes Envoy’s external auth filter, which allows incoming requests to be checked against the specified authorization service.

Thanks to @jpeach for leading design and implementation of this feature!

Related issues and PRs: #432, #2915, #2886, #2876, #2877, #2871
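An added example (not from the release notes) of wiring an HTTPProxy to an authorization server through the new ExtensionService resource, with the check disabled on a health endpoint and fail-closed behaviour when the server is unreachable. The auth server's name, port, CA secret and the context keys are assumptions.

```yaml
# Added example, not from the release notes. Names are assumptions.
# The authorization server, reached by Envoy over gRPC (h2 = over TLS).
apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  namespace: projectcontour
  name: authserver
spec:
  protocol: h2
  services:
    - name: authserver
      port: 9443
  # Verify the auth server's certificate; without this Envoy would trust any
  # endpoint answering on that address.
  validation:
    caSecret: authserver-ca             # Secret with a ca.crt key
    subjectName: authserver.projectcontour.svc
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: admin
  namespace: default
spec:
  virtualhost:
    fqdn: admin.example.com
    tls:
      secretName: admin-tls             # external auth applies to TLS virtual hosts
    authorization:
      extensionRef:
        name: authserver
        namespace: projectcontour
      failOpen: false                   # auth server down => requests are denied
      responseTimeout: 500ms
      authPolicy:
        context:                        # static key/values sent with every check
          tenant: acme
  routes:
    - conditions:
        - prefix: /healthz
      authPolicy:
        disabled: true                  # probes need no credentials
      services:
        - name: admin
          port: 80
    - conditions:
        - prefix: /
      authPolicy:
        context:
          scope: admin-ui               # route-specific context, merged with the vhost's
      services:
        - name: admin
          port: 80
```

The two settings that decide what happens when the auth server is unhealthy are failOpen and responseTimeout; with failOpen: true a slow or crashed auth server silently turns into "allow everything", so that combination deserves an alert of its own.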

Backend TLS Client Authentication

Contour now supports optionally specifying a Kubernetes secret that Envoy should present to upstream clusters as a client certificate for TLS, so the upstream services can validate that the connection is coming from Envoy.

Thanks to @tsaarni for leading design and implementation of this feature!

Related issues and PRs: #2338, #2910

Cross-Origin Resource Sharing (CORS) Support

Contour’s HTTPProxy API now supports specifying a CORS policy, which configures Envoy’s CORS filter to allow web applications to request resources from different origins.

Thanks to @aberasarte and @glerchundi for driving the design and implementation of this new feature!

Related issues and PRs: #437, #2890
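An added example (not from the release notes) of a CORS policy for an API that uses cookies, beside the setting that should not be combined with it. The origins and header names are assumptions.

```yaml
# Added example, not from the release notes. Origins are assumptions.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: api
  namespace: default
spec:
  virtualhost:
    fqdn: api.example.com
    corsPolicy:
      allowCredentials: true
      # With credentials allowed, list exact origins. Envoy's CORS filter
      # echoes the request's Origin back when it matches, so a "*" entry
      # together with allowCredentials: true would let any site make
      # cookie-authenticated requests and read the responses.
      allowOrigin:
        - https://app.example.com
        - https://admin.example.com
      allowMethods:
        - GET
        - POST
        - PUT
        - DELETE
        - OPTIONS
      allowHeaders:
        - authorization
        - content-type
        - x-request-id
      exposeHeaders:
        - content-length
        - x-request-id
      maxAge: "10m"                   # how long browsers cache the preflight answer
  routes:
    - conditions:
        - prefix: /
      services:
        - name: api
          port: 80
```

A public, unauthenticated API is the case where allowOrigin: ["*"] is appropriate, and then allowCredentials should be absent or false.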

v1 Custom Resource Definitions

Contour now generates v1 custom resource definitions (CRDs) as part of its example YAML. This enables Contour to take full advantage of the v1 API’s capabilities around validation, defaulting, API documentation via kubectl explain, and more. CRDs became generally available in Kubernetes 1.16 over a year ago.

This change bumps Contour’s minimum supported Kubernetes version to 1.16.

Related issues and PRs: #2916, #2678, #1723, #1978, #2903, #2527

HTTPProxy Conditions

Contour’s HTTPProxy and ExtensionService CRDs now expose Conditions. Each custom resource, when processed by Contour, will have a single Condition, of type Valid, that will have a value of true or false to indicate whether or not the resource is valid. The Valid condition will further have a set of sub-conditions that provide more detail on the reason(s) for the resource’s validity/non-validity.

The existing HTTPProxy status fields currentStatus and description will be retained for backwards compatibility.

Thanks to @youngnick for designing and implementing this feature!

Related issues and PRs: #2962, #2931

Experimental go-control-plane Support

Contour now has experimental support for Envoy’s go-control-plane xDS server implementation. When enabled, this replaces Contour’s custom xDS gRPC server implementation. This feature can be enabled by setting the server.xds-server-type to “envoy” in the Contour config file.

Thanks to @stevesloka for designing and implementing this feature!

Related issues and PRs: #2134, #2850, #2884, #2919

Configurable DNS Lookup Family for ExternalName Services

We’ve added a config file field, cluster.dns-lookup-family, to customize DNS behavior for Kubernetes externalName services. Valid options are auto (default), v4, and v6. Previously, auto was always used, which first looks for an IPv6 address, and falls back to looking for an IPv4 address.

Thanks @stevesloka for debugging this issue and implementing the fix!

Related issues and PRs: #2894, #2873
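An added example (not from the release notes) that brings together the upstream-TLS features spread across this page: the Envoy client certificate and the dns-lookup-family config fields from this release, upstream certificate validation (which the 1.8 notes below extend to HTTP/2), and the SNI behaviour for ExternalName upstreams behind a TCPProxy from 1.13. The partner hostname, secrets and service names are assumptions.

```yaml
# Added example, not from the release notes. Names and hosts are assumptions.
# --- Contour config file (the data of the "contour" ConfigMap) ---
tls:
  # Secret (namespace/name, type kubernetes.io/tls) that Envoy presents as its
  # client certificate to upstreams that request one.
  envoy-client-certificate: projectcontour/envoy-client-cert
cluster:
  # ExternalName resolution. auto (default) tries AAAA first, then A; force v4
  # where the name has an IPv6 answer that is not routable from the pods.
  dns-lookup-family: v4
---
# --- ExternalName Service for an API outside the cluster ---
apiVersion: v1
kind: Service
metadata:
  name: partner-api
  namespace: default
spec:
  type: ExternalName
  externalName: api.partner.example
  ports:
    - name: https
      port: 443
---
# --- HTTP routing with re-encryption and upstream certificate checks ---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: partner
  namespace: default
spec:
  virtualhost:
    fqdn: partner.example.com
    tls:
      secretName: partner-tls
  routes:
    - conditions:
        - prefix: /
      # The upstream expects its own name in Host, not partner.example.com.
      requestHeadersPolicy:
        set:
          - name: Host
            value: api.partner.example
      services:
        - name: partner-api
          port: 443
          protocol: tls           # TLS to the upstream; SNI is the externalName.
                                  # Use h2 for HTTP/2 over TLS; validation applies too.
          # Without validation Envoy accepts ANY certificate the upstream presents.
          validation:
            caSecret: partner-ca             # Secret with a ca.crt key
            subjectName: api.partner.example
---
# --- Same upstream as a TCP proxy: TLS terminated at Envoy, re-encrypted to
#     the upstream, SNI set from the externalName (Contour 1.13+) ---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: partner-tcp
  namespace: default
spec:
  virtualhost:
    fqdn: partner-tcp.example.com
    tls:
      secretName: partner-tcp-tls
  tcpproxy:
    services:
      - name: partner-api
        port: 443
        protocol: tls
```

The validation stanza is the part most often left out: protocol: tls on its own only encrypts the hop, it does not authenticate who is at the other end of it.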

Timeout Field Validation

Contour now performs validation on all timeout fields/annotations on the HTTPProxy and Ingress APIs. Invalid values will be rejected at creation time where possible, and will otherwise be surfaced to the user as invalid HTTPProxies, or as errors in the Contour log. Previously, Contour would disable the timeout entirely if the configured value was not a valid duration string.

Related issues and PRs: #2728, #2913, #2905

Deprecation Notices

⚠️ In Contour 1.10, we will be deprecating TLS 1.1 and lower. TLS 1.2 will become the default minimum TLS version. TLS 1.1 can still be enabled, but will require explicit configuration. If you need to use TLS 1.1 going forward, you will need to explicitly enable it via the Contour config file, and via the HTTPProxy API’s minimumProtocolVersion field.

⚠️ In Contour 1.10, we will be removing the request-timeout field from the config file. This field was moved into the timeouts block, i.e. timeouts.request-timeout, in Contour 1.7, and all support for the old field will be dropped.

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour v1.8.2

Published by stevesloka about 4 years ago

We are delighted to present version 1.8.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

Upgraded to Envoy 1.15.1

This Contour release upgrades the default Envoy version from 1.15.0 to 1.15.1. All Contour users should upgrade to this release, which addresses the following security issues:

  • CVE-2020-25017 (CVSS score 6.5, Medium): Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurrences of a non-inline header.

contour - Contour 1.8.1

Published by youngnick about 4 years ago

We are releasing a patch release for Contour to deliver a significant performance improvement recently identified by @mattmoor (thanks Matt!). All previous versions of Contour are affected, and users should upgrade as soon as they can.

When Contour ingests Kubernetes objects it builds a data model (called "the DAG" internally), and once the data model is built, it is used to update status of HTTPProxy objects and to configure the Envoys.

Prior to this release, the HTTPProxy status updates blocked completion of the DAG run, and thus the programming of Envoy. In addition, the way Contour sent the updates generated more apiserver traffic than it needed to and could easily hit apiserver rate limiting, so that large batches of status updates added minutes to the DAG reconciliation time (and thus the Envoy programming time).

This release should produce performance improvements in all Contour installations, but they will probably be most noticeable in big clusters with lots of churn.

Extra Changes included

@mattmoor: Replace uncached Get to fix knative-sandbox/net-contour#226 (#2865)

@youngnick: internal/k8s: Change StatusUpdaterHandler channel to buffered (#2867)

contour - Contour 1.8.0

Published by youngnick about 4 years ago

We are delighted to present version 1.8.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

There's been a bunch of great contributions from our community for this release, thanks to everyone!

We've also been busy with some big refactors to testing and other internals. The testing changes have come in, but the others should start landing in the 1.9 timeframe. So this release is a stabilisation release. Yay for paying down some tech debt!

Deprecations

Currently Contour supports annotating various objects with either projectcontour.io/<something> or contour.heptio.com/<something>. As of this release, contour.heptio.com annotations are deprecated, will have a warning log, and will be removed in a future release. Please move to using projectcontour.io annotations.

Inclusive Language changes

To ensure our community is as welcoming as possible, we've migrated our main development branch from its old name of master to main. As part of this effort, the auto-built Docker Hub image tag has also been moved from master to main.

Moving forward, we'll be using the guidelines of the Kubernetes Naming working group as a base for our own efforts to stay as inclusive as we can manage.

As part of this work, we've also run some automated checks against our code base using the vale tool, with minimal changes.

New and Improved

  • Contour's fix for 421 redirects and SNI now handles misdirected requests case insensitively (#2764)
  • There have been a few improvements to Contour's shutdown behavior: @laurovenancio has fixed some bugs with the contour shutdown command for managing Envoy's shutdown process (#2817 and #2820), and there was a fix to ensure that Ctrl-C will actually shut down Contour when running locally (#2797).
  • @ffahri added some helpers for retrieving the version of Kubernetes objects, and fixed an erroneous log (#2808).
  • @tsaarni added upstream certificate validation for HTTP/2 (#2832).
  • Contour now parses its YAML configuration strictly. Thanks @tthebst for PR #2765.
  • Some great docs fixes from @derkoe (#2790), @rajat404 (#2804), and @tong101 (#2839).
  • @aberasarte had a design proposal for CORS accepted (#1012), after a long and detailed discussion. We're all looking forward to seeing this design implemented.

Thanks to all of our external contributors, this is the most ever in one release! 🥇 🎉

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour 1.7.0

Published by jpeach about 4 years ago

We are delighted to present version 1.7.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Special thanks to Chad Moon (@moondev) who helped find and debug some issues with fallback certificate support.

New and improved

Upgraded to Envoy 1.15.0

This Contour release upgrades the default Envoy version from 1.14.3 to 1.15.0. All Contour users should upgrade to this release.

Configurable Timeouts

The Contour config file now has a timeouts block that allows various Envoy timeouts to be configured. In particular, the following timeouts are now configurable: request-timeout, connection-idle-timeout, stream-idle-timeout, max-connection-duration, and connection-shutdown-grace-period. See the documentation for more information.

Deprecation Notice: the request-timeout field in the config file is now deprecated and has been replaced by timeouts.request-timeout. The deprecated field will be removed in a future release. If you use this field, you should switch to using timeouts.request-timeout.

(Associated PRs #2726 #2675 #2632 #2661 #2670)

Thanks to @skriss for adding these configuration settings.
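An added example (not from the release notes) of the timeouts block with every field this release introduces, plus the delayed-close-timeout added in the 1.13 release near the top of this page. The values are assumptions chosen for an internet-facing listener; "infinity" disables a timeout.

```yaml
# Added example, not from the release notes. Values are assumptions.
# Contour config file (the data of the "contour" ConfigMap).
timeouts:
  # Whole request, from first byte of the request to last byte of the
  # response. Finite here so a stalled upstream cannot pin a stream forever.
  request-timeout: 60s
  # Downstream connection with no active streams: reclaim idle keep-alives.
  connection-idle-timeout: 60s
  # Single stream with no activity in either direction.
  stream-idle-timeout: 5m
  # Hard cap on connection lifetime; infinity leaves long-lived connections alone.
  max-connection-duration: infinity
  # Window in which Envoy drains existing connections when shutting down.
  connection-shutdown-grace-period: 5s
  # Contour 1.13 or later only: how long Envoy holds a connection open after
  # the last response byte before closing a "Connection: close" socket. Raise
  # it for slow readers; lowering it frees descriptors held by clients that
  # never read the response.
  delayed-close-timeout: 1s
```

Before Contour 1.9 an unparseable value here silently disabled the timeout (see the "Timeout Field Validation" item in the 1.9 notes above); on current versions a typo such as 5mins is rejected instead, which is the behaviour to rely on.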

Add Conditions to HTTPProxy and TLSCertificateDelegation CRDs

HTTPProxy and TLSCertificateDelegation now each have a Status.Conditions field. These fields are currently left unpopulated. Over time, Contour will use these fields to report significantly more information about the current state of resources.

(Associated PR #2706)

Thanks to @youngnick for designing and implementing this feature.

Fallback Certificate Fixes

Two bugs (#2720, #2733) were found related to the fallback certificate feature which was introduced in v1.5.0. The Envoy secret for the certificate was not being configured, and the http.Router filter was not being configured on the HTTP connection manager. Both issues have been fixed in this release.

(Associated PRs #2723 #2734)

Thanks to @moondev for reporting these issues, and to @jpeach for turning around quick fixes!

TCP Keepalives on Listener Sockets

@erwbgy noticed that Contour was not configuring TCP keepalives for the Envoy listener sockets, and contributed a patch to add support for this in #2638. Thanks @erwbgy for the contribution!

Add Conditions to HTTPProxy RetryPolicy

@KevinSnyderCodes added two new fields to RetryPolicy, to better control when Envoy retries requests for a given route. The first, retryOn, allows the user to specify a subset of conditions under which requests should be retried. The second, retriableStatusCodes, enables only a specific set of HTTP response codes to be retried.

Thanks @KevinSnyderCodes for requesting, designing, and implementing this feature!

(Associated PR #2646)

Shutdown Manager Changes

The shutdown manager has been modified to use an Exec preStop hook to trigger the Envoy shutdown sequence.

Thanks @stevesloka for implementing this change.

(Associated PR #2751)

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour 1.6.1

Published by jpeach over 4 years ago

We are delighted to present version 1.6.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

Upgraded to Envoy 1.14.3

This Contour release upgrades the default Envoy version from 1.14.2 to 1.14.3. All Contour users should upgrade to this release, which addresses the following security issues:

  • CVE-2020-8663 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
  • CVE-2020-12603 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames.
  • CVE-2020-12604 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream.
  • CVE-2020-12605 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.

(Associated PRs: #2595)

Upgrading

Please consult the upgrade documentation.

contour - Contour 1.6.0

Published by jpeach over 4 years ago

We are delighted to present version 1.6.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

IngressRoute removal

IngressRoute has been deprecated for some time and is, as of Contour 1.6, removed.

IngressRoute objects are no longer watched by Contour, and the IngressRoute and contour.heptio.com TLSCertificateDelegation CRDs are no longer installed by our example YAMLs. IngressRoute resources should be converted to HTTPProxy ones before upgrading to Contour 1.6. The IngressRoute and TLSCertificateDelegation CRDs should then be removed from your clusters.

Please see ir2proxy for your IngressRoute to HTTPProxy conversion needs.

Vale IngressRoute!

New and improved

Controlling served HTTP versions

Contour now has the ability to choose the versions of HTTP that Envoy will respond to.
This has been implemented as a workaround for a browser-specific problem about 421 result codes and blank requests (#2619).

In short, Safari can misroute requests over coalesced HTTP/2 connections when they are served from a wildcard certificate together with the SNI routing changes introduced in #1493.

Thanks to @primeroz for helping to dig on this one.

Fix ordering problems with HTTPProxy status updates

We moved all HTTPProxy status updates to the new pattern introduced in Contour 1.5 for address updates. This fixes #2522 and #2580.

Thanks to @primeroz for logging #2580, and for the help with confirming the fix.

Bootstrap checks for empty TLS files

@shyaamsn noticed that the TLS files used for Envoy bootstrapping could sometimes be empty when using cert-manager to create them. (#2602)
They then contributed a fix in #2607.

Thanks @shyaamsn!

Fix Envoy service status watching

PR #2583 introduced a regression that broke watching the Envoy service for status address updating. Fixed by #2605.

Upgrading

Please consult the upgrade documentation.

contour - Contour 1.5.1

Published by jpeach over 4 years ago

We are delighted to present version 1.5.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Special thanks to Tim Bart (@pims), who was the release manager for this release.

New and improved

Upgraded to Envoy 1.14.2

This Contour release upgrades the default Envoy version from 1.14.1 to 1.14.2. All Contour users should upgrade to this release, which addresses CVE-2020-11080.

(Associated PRs: #2579)

Upgrading

Please consult the upgrade documentation.

contour - Contour 1.5.0

Published by jpeach over 4 years ago

We are delighted to present version 1.5.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

TLS Fallback Certificate Support

The Contour HTTPProxy API now includes better support for TLS clients that don't support SNI by allowing cluster operators to specify a fallback certificate that terminates TLS sessions where no SNI server name is provided. This feature is opt-in since it is incompatible with TLS client certificate validation and allows SNI name bypass, which may be undesirable in some deployments. Access to the fallback certificate is managed with the usual Contour TLS certificate delegation mechanism.

(Associated PRs: #2528, #2477, #2504, #2535, #2543)

Thanks @stevesloka for designing and implementing this feature.

gRPC Certificate Rotation

The TLS keys and certificates that secure the gRPC session between Envoy and Contour can now be rotated without needing to restart any Pods.

(Associated PRs: #2333, #2555)

Thanks @tsaarni for driving this feature over the last couple of releases, both in the Contour and Envoy projects.

The example Contour deployment now uses certificates that include the CA certificate bundle. This change makes the example deployment compatible with certificates generated by cert-manager.

(Associated PRs: #2547)

HTTPProxy Load Balancer Address Support

Contour now updates the status of HTTPProxy documents with the status.loadBalancer.addresses field. This brings HTTPProxy to parity with Ingress, and makes it easier to automate DNS record creation for HTTPProxy objects.

(Associated PRs: #2551)

Thanks @youngnick.

TLS Request Misdirection

Contour now programs Envoy to serve a 421 response when HTTP/2 clients use aggressive wildcard certificate matching to re-use the wrong TLS session. This resolves errors where client requests to multiple HTTPProxy objects that are all served with a wildcard TLS certificate can respond with a 404 error when the Host header in the HTTP request doesn't match the SNI server name that was used to establish the TLS session.

(Associated PRs: #2483)

Multiple Load Balancer Address Support

Contour now supports multiple addresses in the --ingress-status-address flag of the contour serve subcommand. This allows sites that deploy Envoy without an external load balancer to more easily publish all the addresses of the Envoy proxies into DNS.

(Associated PRs: #2542)

Thanks @al45tair for this improvement.

Versioned Deployment YAML

The Contour project now publishes the example deployment YAML for each release version. https://projectcontour.io/quickstart/contour.yaml still serves the YAML for the latest release, but you can pin to a specific version with a URL like https://projectcontour.io/quickstart/v1.5.0/contour.yaml.

(Associated PRs: #2552)

Documentation Improvements

  • Improved HTTPProxy API documentation (#2467, #2460)
  • Improved TimeoutPolicy API documentation (#2460)
  • Improved documentation for proxy protocol support on AWS ELBs (#2480) (thanks @savithruml)
  • Miscellaneous documentation improvements (#2500, #2508)

Upgrading

Please consult the upgrade documentation.

contour - Contour 1.4.0

Published by jpeach over 4 years ago

We are delighted to present version 1.4.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

TLS Client authentication

This release adds support for configuring HTTPProxy objects to request validation of client certificates, allowing the use of client certificates for client authentication. This closes #1090.

See the documentation for how to use the feature.

(Associated PRs: #2250, #2390, #2410)

Thanks @tsaarni for getting this implemented.

Ingress changes

Ingress class

As described in #2199, previously, when configured to accept a certain ingress.class annotation, Contour would watch objects with that annotation, and also with no annotation. This caused problems in clusters with more than one ingress controller.

As of #2394, configuring an ingress.class annotation means that only objects with a matching annotation will cause changes in Contour.

Note that this logic change applies to both Ingress and HTTPProxy documents.

#2340 also updated the annotations documentation to make the various behaviour options more clear.

Ingress Status

Contour now has the ability to write a status.loadBalancer.addresses block to Ingress objects. This block is used by services which need to know how to reach an Ingress' backing service from outside the cluster, like external-dns.

There are two ways for Contour to find this information:

  • by watching a Service object for the Envoy service, and putting the associated status.loadBalancer block from that Service into all associated Ingress objects. This is what is used in the example deployment.
  • Operators can also specify an address on Contour's command line, using the --ingress-status-address flag.

This closes #403, another old outstanding request.

(Associated PRs: #2373, #2386, #2416, #2420)

Separate Health and Metrics listeners

The Contour health and metrics services can now be configured to listen on separate addresses or ports using the new --health-address and --health-port flags. This gives operators the ability to restrict access to Contour's Prometheus metrics.

(Associated PRs: #2407)

Thanks @pickledrick for completing this change.

SNI Improvements

Virtual hosts that are exposed over TLS are now strongly bound to their TLS server name. This is a security improvement that means that clients cannot connect to hostname "A" at the TLS layer and then make HTTP requests for hostname "B".

(Associated PRs: #2381)
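The SNI binding above and the 421 Misdirected Request behaviour from the 1.5.0 notes come down to the same check: the Host header of a request must name the virtual host whose certificate was negotiated for the connection. The Go middleware below is an added illustration of that check, not Contour's implementation (Contour programs the equivalent rule into Envoy's listener filter chains); the handler and Probe helper names, the host names and the use of a synthetic request are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// normalizeHost lowercases a host name and strips any :port suffix and
// trailing dot, so that "A.Example.com:443" and "a.example.com" compare equal.
func normalizeHost(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.TrimSuffix(strings.ToLower(h), ".")
}

// Misdirected reports whether a request that arrived on a TLS connection
// negotiated for serverName (the SNI value) asks for a different virtual
// host in its Host header. With an empty serverName there is no TLS
// binding to violate, so plaintext requests are never misdirected.
func Misdirected(serverName, hostHeader string) bool {
	if serverName == "" {
		return false
	}
	return normalizeHost(serverName) != normalizeHost(hostHeader)
}

// RequireSNIMatchesHost answers 421 Misdirected Request when the Host header
// does not match the TLS server name. An HTTP/2 client that coalesced a
// connection opened for a.example.com onto b.example.com (both covered by
// a *.example.com certificate) is told to open a fresh connection instead of
// being routed, or answered 404, under the wrong virtual host.
func RequireSNIMatchesHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sni := ""
		if r.TLS != nil {
			sni = r.TLS.ServerName
		}
		if Misdirected(sni, r.Host) {
			http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe drives the middleware with a synthetic request whose TLS state
// carries sni and whose Host header is host, and returns the status code.
// An empty sni models a plaintext (non-TLS) request.
func Probe(sni, host string) int {
	h := RequireSNIMatchesHost(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = host
	if sni != "" {
		req.TLS = &tls.ConnectionState{ServerName: sni}
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Probe("a.example.com", "a.example.com"))     // 200
	fmt.Println(Probe("a.example.com", "b.example.com"))     // 421
	fmt.Println(Probe("A.Example.com", "a.example.com:443")) // 200
	fmt.Println(Probe("", "b.example.com"))                  // 200
}
```

The comparison is exact after normalization: a wildcard certificate covering both names does not make them interchangeable, which is precisely the case that produced the spurious 404s before 1.5.0.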

When Contour configures an ExternalName service, it now automatically sets the SNI server name used for the proxied HTTPS request to match the request's Host header. This improves the compatibility of ExternalName services that proxy to HTTPS resources.

(Associated PRs: #2442)

Configuration documentation

The Contour configuration file is now documented.

Contour Namespace environment variable

In this release, Contour now inspects the CONTOUR_NAMESPACE environment variable. If CONTOUR_NAMESPACE is set, Contour will use this value as the namespace for performing leader election and the namespace for inspecting the Envoy service for load balancer addresses. In either case, explicit configuration values in the configuration file and command-line flags override the environment variable.

Other Improvements

  • Contour now has a metric which indicates the currently running version. (#2383) Thanks @pickledrick.
  • Contour now also has a command line flag to print the current version (#2399) Thanks @pickledrick
  • Add ServiceAccount for Envoy (#2449)
  • Add docs search to the site (#2458)
  • Add explanation of certgen Job image tag usage (#2424)
  • Add github label automation. (#2436)
  • Add ingress class filtering to ingress status updating (#2416)
  • Add redirect for /docs to latest version (#2419)
  • Add the demos and deep dives YouTube link to resources (#2375)
  • Changed targetPort for httpbin pods (#2384)
  • Fix the PR template with new links and frontmatter (#2382)
  • Migrate Service and Ingress to client-go dynamic client (#2373)
  • Move CRD informer list generation to k8s (#2352)
  • Update hostNetworking docs in site deploy-options (#2405)
  • Upgrade Envoy go-control-plane and fix related changes to the spec (#2432)
  • Use the downward api to give the default namespace for configuration variables (#2389)
  • build: apply standard Docker image labels (#2400)
  • build: omit the DWARF symbol table (#2398)
  • build: run misspell across the whole repository (#2439)
  • build: support older git versions to detect current branch (#2415)
  • cmd/contour: remove hard-coded default log fields (#2446)
  • doc: document the Contour configuration file (#2445)
  • docs: update DCO guidelines in CONTRIBUTING (#2425)
  • enable merge_slashes on the httpconnection manager for all listeners so that requests with multiple slashes are merged and processed properly (#2406)
  • hack: improve git tag pushing (#2393)
  • internal/annotation: Refactor annotations code from internal/dag (#2412)
  • internal/assert: Add docs to assert.Equal (#2417)
  • internal/contour: add contour version to metrics (#2383)
  • internal/contour: improve routeVisitor readability (#2370)
  • internal/dag: improve diagnostics for Secrets errors (#2422)
  • internal/health: separate health and metrics services (#2407)
  • internal: extract Envoy sort polices (#2379)
  • site: add code highlighting (#2440)
  • site: remove misleading comment in example deployment (#2377)
  • site: update contributing guidelines (#2408)
  • site: update slack links (#2444)
  • updating the website with Contour maintainers (#2404)
  • upgrade Envoy version to v1.14.1 (#2434)
  • use sni for clusters when requestHeaderPolicy is set (#2442)

Upgrading

Please consult the upgrade documentation.

contour - Contour 1.3.0

Published by jpeach over 4 years ago

We are delighted to present version 1.3.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Contour users should upgrade to Contour 1.3.0 and Envoy 1.13.1.

New and improved

Contour 1.3.0 includes several new features as well as the usual smattering of fixes and minor improvements.

Removed the --use-extensions-v1beta1-ingress flag

The --use-extensions-v1beta1-ingress flag was removed from the contour serve command. If you have a previous deployment that specifies this command, you must remove it or Contour will fail to start.

PR: #2303
Thanks @davecheney

Renamed the tcpproxy.include field to be singular

The TCPProxy field has only ever supported including a single child document. In order to make this clearer, the includes field is now named include. The includes field is deprecated.

PR: #2201
Thanks @stevesloka

Reject HTTPProxies that lack at least one Service per route

The rule that each Route must reference at least one Service is now enforced.

PR: #2332
Thanks @davecheney

Improved graceful shutdown

Contour now does a better job of gracefully shutting down when it receives SIGINT or SIGTERM.

PR: #2350
Thanks @davecheney

Minor Improvements

  • Add "mitre" to the skip list for lint-misspell #2356
  • Add Contour Philosophy document #2335
  • Add release tooling scripts. #2353
  • Add simple debug logging flag #2286
  • Fix community meeting times #2343
  • Fix the build for units tests. #2361
  • Fixes Contour architecture overview docs #2307
  • Prepare documentation site for v1.3.0 release. #2362
  • Update Envoy dashboard with extra metrics #2324
  • api: enforce at least one service entry per route & tcpproxy #2274
  • build(deps): bump nokogiri from 1.10.5 to 1.10.8 in /site dependencies #2293
  • cmd/contour: change registerEventHandler to new InformerSyncList type #2276
  • cmd/contour: connect all informers to the dynamicHandler #2346
  • cmd/contour: simplify leadership election setup #2348
  • cmd/contour: unify client creation #2339
  • cmd/contour: update leadership election logger context #2305
  • design: add draft for ingress status loadbalancer support stale #2121
  • doc: improve HeaderCondition API documentation #2334
  • docs: document the allowed LoadBalancer strategies #2336
  • examples/contour: update to Envoy 1.13.1 #2314
  • golangci.yml: remove exclude for deleted path #2277
  • hack: pin golangci-lint version to v1.23.8 #2341
  • internal/contour: further clean up holdoff timer logic #2289
  • internal/contour: remove holdoffmaxdelay forced update #2285
  • internal/dag,envoy: use constant for ca.crt #2327
  • internal/dag: clean up TLS validation errors #2300
  • internal/dag: move extension ingress translation to a helper #2301
  • internal/k8s: simplify DynamicConverter #2342
  • makefile: Add a 'make checkall' target #2292
  • site/resources/envoy: add Contour 1.2.1 and Envoy 1.13.1 #2317
  • site: Add docs on how to rotate gRPC certs #2282
  • site: Remove heptio annotations from documentation #2308
  • site: Update the kubernetes tested version to match the kubernetes matrix #2318
  • site: correct Tero's GitHub profile link #2322
  • site: fix API docs rendering #2329
  • site: s/Recommended/Required Envoy #2321
  • site: update architecture overview to include a diagram #2328

Upgrading

Please consult the upgrade documentation.

contour - Contour 1.2.1

Published by davecheney over 4 years ago

Contour 1.2.1 is a patch release for the Contour 1.2 series that addresses several high-severity security issues in Envoy.

Contour 1.2.1 contains no code changes from 1.2.0. This release only tags newer versions of our example and quickstart manifests to reflect the change in Envoy version.

All Contour users should upgrade to Contour 1.2.1 and Envoy 1.13.1.

Envoy 1.13.1

See the Envoy 1.13.1 announcement for details on the vulnerabilities.

Upgrading

Please consult the upgrade documentation.

contour - Contour 1.2.0

Published by youngnick over 4 years ago

We are delighted to present version 1.2.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Contour users should upgrade to Contour 1.2.0 and Envoy 1.13.0.

New and improved

Contour 1.2.0 includes several new features as well as the usual smattering of fixes and minor improvements.

Hot-Reload Certificates

Contour now supports certificate rotation for the xDS gRPC interface between Contour and Envoy.
This is achieved by lazily loading the certificate and key each time Envoy establishes a new TLS connection, so a rotated certificate takes effect on the Contour side without a restart.

This change addresses only the server side (Contour); similar support is needed in Envoy (the client) to cover the whole use case.

PR: https://github.com/projectcontour/contour/pull/2198

Thanks @tsaarni

Envoy Shutdown Manager

The Envoy process, the data path component of Contour, at times needs to be re-deployed.
This could be due to an upgrade, a change in configuration, or a node-failure forcing a redeployment.

Contour now offers a new sub-command named envoy shutdown-manager which assists in an Envoy rollout by minimizing connection errors seen by clients.
The shutdown manager first sends a healthcheck-fail request to Envoy, so that load balancers stop sending it new connections, and then polls the /stats endpoint on localhost:9001 for the number of active connections on the http and https listeners.
When the open connections reach zero (or a configured minimum), the pod is allowed to terminate.
If the pod's terminationGracePeriodSeconds elapses before the open connections are fully drained, the pod is terminated regardless.

This new component runs as another container in the Envoy pod.

Design: https://github.com/projectcontour/contour/blob/master/design/envoy-shutdown.md
PR: https://github.com/projectcontour/contour/pull/2227
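The drain sequence described above (and triggered, after the Exec preStop hook change noted earlier on this page, from the pod lifecycle) is small enough to show end to end. The Go program below is an added illustration, not Contour's shutdown manager: it fails Envoy's health check through the admin API, then polls the plain-text /stats endpoint and sums the http.<prefix>.downstream_cx_active gauges for the ingress_http and ingress_https connection managers until they fall to a minimum or the deadline, which stands in for the pod's termination grace period, expires. The /healthcheck/fail and /stats paths and the downstream_cx_active stat name are Envoy's; FakeEnvoyAdmin, its one-fewer-connection-per-poll behaviour, the listener prefixes and the poll interval are constructed for the example.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync/atomic"
	"time"
)

// OpenConnections sums the downstream_cx_active gauge of each named HTTP
// connection manager from Envoy's plain-text /stats output ("http.ingress_http.downstream_cx_active: 3").
// An absent gauge is an error, not a zero, so a mis-named listener cannot look drained.
func OpenConnections(stats io.Reader, prefixes []string) (int, error) {
	want := make(map[string]bool, len(prefixes))
	for _, p := range prefixes {
		want["http."+p+".downstream_cx_active"] = true
	}
	total, seen := 0, 0
	sc := bufio.NewScanner(stats)
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 || !want[parts[0]] {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return 0, fmt.Errorf("stat %s: %w", parts[0], err)
		}
		total += n
		seen++
	}
	if err := sc.Err(); err != nil {
		return 0, err
	}
	if seen != len(want) {
		return 0, fmt.Errorf("found %d of %d expected gauges", seen, len(want))
	}
	return total, nil
}

// Drain runs the shutdown sequence against Envoy's admin listener at adminURL:
// fail the health check so load balancers stop sending new connections, then
// poll /stats every interval until open connections are at or below minOpen.
// ctx carries the termination grace period; on expiry drained is false.
func Drain(ctx context.Context, adminURL string, prefixes []string, minOpen int, interval time.Duration) (open int, drained bool, err error) {
	client := &http.Client{Timeout: 2 * time.Second}
	resp, err := client.Post(adminURL+"/healthcheck/fail", "text/plain", nil)
	if err != nil {
		return 0, false, err
	}
	resp.Body.Close()
	for {
		resp, err := client.Get(adminURL + "/stats")
		if err != nil {
			return open, false, err
		}
		open, err = OpenConnections(resp.Body, prefixes)
		resp.Body.Close()
		if err != nil {
			return open, false, err
		}
		if open <= minOpen {
			return open, true, nil
		}
		select {
		case <-ctx.Done():
			return open, false, nil
		case <-time.After(interval):
		}
	}
}

// FakeEnvoyAdmin is a constructed stand-in for Envoy's admin listener: once
// /healthcheck/fail has been called it reports one fewer active connection on
// every /stats poll. The returned func reports whether the health check was failed.
func FakeEnvoyAdmin(start int) (*httptest.Server, func() bool) {
	var failed, open = int32(0), int32(start)
	mux := http.NewServeMux()
	mux.HandleFunc("/healthcheck/fail", func(w http.ResponseWriter, _ *http.Request) {
		atomic.StoreInt32(&failed, 1)
		fmt.Fprintln(w, "OK")
	})
	mux.HandleFunc("/stats", func(w http.ResponseWriter, _ *http.Request) {
		n := atomic.LoadInt32(&open)
		if atomic.LoadInt32(&failed) == 1 && n > 0 {
			n = atomic.AddInt32(&open, -1)
		}
		fmt.Fprintf(w, "server.live: 1\nhttp.ingress_http.downstream_cx_active: %d\nhttp.ingress_https.downstream_cx_active: %d\n", n/2, n-n/2)
	})
	return httptest.NewServer(mux), func() bool { return atomic.LoadInt32(&failed) == 1 }
}
```

Drain(ctx, srv.URL, []string{"ingress_http", "ingress_https"}, 0, time.Second) against a real Envoy admin port would be the whole loop; the two things worth copying are that the health check is failed before the first poll, and that a gauge missing from /stats is treated as an error rather than as zero connections.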

Thanks @stevesloka

Record EventHandler Operation Metrics

Contour adds some new Prometheus metrics for the various API operations and kinds observed from the Kubernetes informers.
This information is helpful to understand the amount of changes that Contour is processing from a Kubernetes cluster.
This change also includes a sample Grafana dashboard.

% curl -s 127.0.0.1:8000/metrics |  grep eventhandler
# HELP contour_eventhandler_operation_total Total number of eventHandler operations received by operation and object kind
# TYPE contour_eventhandler_operation_total gauge
contour_eventhandler_operation_total{kind="contour.heptio.com/IngressRoutev1beta1",op="onAdd"} 2
contour_eventhandler_operation_total{kind="contour.heptio.com/TLSCertificateDelegationv1beta1",op="onAdd"} 1
contour_eventhandler_operation_total{kind="projectcontour.io/HTTPProxyv1",op="onAdd"} 1
contour_eventhandler_operation_total{kind="unknown",op="onAdd"} 76

PR: https://github.com/projectcontour/contour/pull/2244
PR: https://github.com/projectcontour/contour/pull/2261

Thanks @davecheney, @youngnick

SafeRegex limit raised

The SafeRegex size limit has been raised from 1,000 to 1,048,576.
There is no evidence that this number is sufficient for all possible regex patterns; the new value effectively represents "no limit", because it is currently not possible for Envoy to reject a regex entry in a way that Contour can trace back to the original input.

PR: https://github.com/projectcontour/contour/pull/2241

Thanks @davecheney

Minor improvements

  • Contour is built with Go 1.13.8
  • Update Envoy to 1.13.0
  • Envoy go-control-plane updated to v0.9.2
  • Upgrade google/go-cmp to version 0.4.0
  • Upgrade client-go to v0.17.0
  • Contour now utilizes the Dynamic client for CRD resources

Bug fixes

Add HTTPProxy Service.Protocol Validation

Adds an enum validation to limit the values for the service.protocol field.

Note: Users will need to reapply the CRD spec to get the validation.

PR: https://github.com/projectcontour/contour/pull/2158

Thanks @stevesloka

HTTPProxy requestHeadersPolicy Validation

For an HTTPProxy, a requestHeadersPolicy can only set the Host header at the HTTPProxy.Routes.Services (per-Service) level.

PR: https://github.com/projectcontour/contour/pull/2157

Thanks @stevesloka

Ensure certgen handles already-existing secrets correctly

The certgen example Job now succeeds if the secrets already exist.

PR: https://github.com/projectcontour/contour/pull/2178

Thanks @youngnick

Other changes

  • Add Kubernetes Support Matrix
  • Update Envoy list of required extensions

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 1.1.0 to Contour 1.2.0.

contour - Contour 1.1.0

Published by stevesloka almost 5 years ago

We are delighted to present version 1.1.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Contour users should upgrade to Contour 1.1.0 and Envoy 1.12.2 as there are some critical vulnerabilities that should be patched.

New and improved

Contour 1.1.0 includes several new features as well as the usual smattering of fixes and minor improvements.

Envoy CVEs

Three CVEs have been addressed in Envoy; the most severe is rated 9.0 (critical).

See the Envoy 1.12.2 announcement for details on the vulnerabilities.

As Envoy has not provided fixes for Envoy 1.11 and earlier, all Contour users should also upgrade to Envoy 1.12.2.

Prefix Rewrite Support

Prefix rewrite support was removed right before HTTPProxy was released in Contour v1.0.0. Support has now been added back to HTTPProxy and is expressed as a pathRewritePolicy:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: rewrite-example
spec:
  virtualhost:
    fqdn: rewrite.bar.com
  routes:
  - services:
    - name: s1
      port: 80
    conditions:
    - prefix: /v1/api
    pathRewritePolicy:
      replacePrefix:
      - prefix: /v1/api
        replacement: /app/api/v1

Thanks @jpeach

Support for specifying a service's protocol in HTTPProxy

Contour now supports defining what protocol Envoy should use when proxying to an upstream application.
(See design doc: https://github.com/projectcontour/contour/blob/master/design/httpproxy-protocol-selection.md)

A new field has been added to the Service spec which encodes the protocol data. Values for this field are: h2, h2c, and tls.

Note: Previously, that data was extracted from the Kubernetes service annotation projectcontour.io/upstream-protocol.{protocol}.

spec:
  virtualhost:
    fqdn: dashboard.kubernetes.com
    tls:
      secretName: kubernetes-dashboard-tls
  routes:
    - conditions:
      - prefix: /
      services:
        - name: kubernetes-dashboard
          protocol: tls # <--- NEW FIELD
          port: 443

Thanks @mattmoor

Support per-Split header manipulation

Adds support for adding and removing request or response headers for each service target in a Contour HTTPProxy resource.
Header manipulation is also supported per-Service or per-Route.
Headers can be set or removed on the request or response as follows:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: header-manipulation
  namespace: default
spec:
  virtualhost:
    fqdn: headers.bar.com
  routes:
    - services:
        - name: s1
          port: 80
          # HTTPProxy field names are plural: requestHeadersPolicy / responseHeadersPolicy
          requestHeadersPolicy:
            set:
              - name: X-Foo
                value: bar
            remove:
              - X-Baz
          responseHeadersPolicy:
            set:
              - name: X-Service-Name
                value: s1
            remove:
              - X-Internal-Secret

Thanks @mattmoor

Requests to external domains rewrite host via externalName service

To proxy to a resource outside the cluster (for example, a hosted object storage bucket), configure that external resource as a Service of type ExternalName.
Then define a requestHeadersPolicy that replaces the Host header with the external name of that Service, so the upstream sees the hostname it expects.

See the externalName section of the HTTPProxy docs for more details.

Note: The Host rewrite only applies to services that target an ExternalName.

Thanks: @stevesloka

Minor improvements

  • Various documentation upgrades to projectcontour.io
  • Contour now uses SafeRegex in Envoy configuration
  • Contour is built with Go 1.13.5
  • Add namespace env var to certgen job. Thanks @dhxgit

Bug fixes

Reject a TCPProxy HTTPProxy without Valid TLS Details

To be a valid HTTPProxy, if the tcpproxy stanza is provided, the HTTPProxy must also feature a virtualhost.tls spec with either passthrough: true, or a valid secretName.

Fixes #1958

Thanks @davecheney

301 Upgrade Insecure Routes Irrespective of TCP Proxying

Cleans up the HTTPProxy spec.virtualhost.tls validation logic and fixes the last issue with HTTPProxy TCPProxy logic.

If an HTTPProxy uses TCP proxying, its secure port is forwarded according to the spec.tcpproxy stanza.
The insecure port, port 80, is not TCP-forwarded and remains connected to an L7 HTTP connection manager.
Because, by definition, an HTTPProxy using TCP proxying must supply a valid spec.virtualhost.tls block, the 301 upgrade logic applies.
Thus, after this change, any route on the insecure listener that does not set permitInsecure: true is upgraded with a 301 redirect to HTTPS.

Fixes #1952

Thanks @davecheney

Reject Certificates without CN or SubjectAltName

Envoy crashes when processing a TLS certificate that does not have SubjectAltNames or a CN field in the Subject, so Contour now rejects any certificate which lacks a Subject CommonName (CN) or SubjectAltName extension.

Upstream Envoy issue: https://github.com/envoyproxy/envoy/issues/9182
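This check, and the empty-TLS-file check that the 1.6.0 notes describe for the Envoy bootstrap path, are both easy to state in Go's crypto/x509 terms. The function below is an added example, not Contour's validator: it rejects an empty tls.crt, then a leaf certificate whose Subject has no CN and which carries no SubjectAltName of any kind, and otherwise returns the parsed leaf. SelfSignedPEM is a constructed helper that mints test certificates, including the CN-less, SAN-less shape Envoy crashed on; its lifetimeDays parameter only mirrors the idea of certgen's certificate-lifetime argument and is not that tool's code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateServingCert checks the tls.crt bytes of a Secret before they are
// handed to Envoy: the file must not be empty (cert-manager can leave it so
// for a moment), it must contain a parseable CERTIFICATE block, and the leaf
// must carry a Subject CN or at least one SubjectAltName of any type.
// It returns the parsed leaf so callers can inspect names and validity.
func ValidateServingCert(certPEM []byte) (*x509.Certificate, error) {
	if len(bytes.TrimSpace(certPEM)) == 0 {
		return nil, errors.New("tls.crt is empty")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("tls.crt does not start with a CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	hasSAN := len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 ||
		len(cert.EmailAddresses) > 0 || len(cert.URIs) > 0
	if cert.Subject.CommonName == "" && !hasSAN {
		return nil, errors.New("certificate has neither a Subject CN nor a SubjectAltName")
	}
	return cert, nil
}

// SelfSignedPEM mints a self-signed ECDSA certificate for the example. Both
// cn and dnsNames may be empty, which reproduces the shape that crashed
// Envoy. lifetimeDays sets NotAfter relative to now, in days.
func SelfSignedPEM(cn string, dnsNames []string, lifetimeDays int) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Duration(lifetimeDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	cases := []struct {
		label string
		data  []byte
	}{
		{"empty file", []byte("")},
		{"no CN, no SAN", SelfSignedPEM("", nil, 30)},
		{"CN only", SelfSignedPEM("legacy.example.com", nil, 30)},
		{"SAN only", SelfSignedPEM("", []string{"www.example.com"}, 30)},
	}
	for _, c := range cases {
		_, err := ValidateServingCert(c.data)
		fmt.Printf("%-14s -> %v\n", c.label, err)
	}
}
```

Rejecting the certificate in the controller is the right layer for this: Go's parser accepts a nameless certificate without complaint, so a check that relies on ParseCertificate failing would let the crashing input through to Envoy.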

Fixes #1965

Thanks @davecheney

Run contour & cert-gen job as non-root

Adds a securityContext to the example Contour Deployment and certgen Job manifests so that they do not run as root.

Thanks @surajssd

Cert gen now accepts certificate lifetime argument

A certificate-lifetime argument has been added to the Contour certgen job, which sets how long, in days, the certificates used for Envoy<>Contour communication are valid.

Fixes #2017

Thanks @tsaarni

Other bug fixes

  • Contour no longer generates ingress_https route for tcpproxy vhost. Fixes #1954.
  • Quickstart can be re-applied to an existing cluster

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 1.0.1 to Contour 1.1.0.
