Contour is a Kubernetes ingress controller using Envoy proxy.
APACHE-2.0 License
Published by davecheney almost 5 years ago
Contour 1.0.1 is a patch release for the Contour 1.0 series to address several high severity security issues in Envoy.
Contour 1.0.1 contains no code changes from 1.0.0. This release only tags newer versions of our example and quickstart manifests to reflect the change in Envoy version.
All Contour users should upgrade to Contour 1.0.1 and Envoy 1.12.2.
See the Envoy 1.12.2 announcement for details on the vulnerabilities.
Please consult the upgrade documentation.
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by davecheney almost 5 years ago
We are delighted to present version 1.0.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
Contour 1.0.0 is the latest stable release. All Contour users should upgrade to 1.0.0.
Contour 1.0.0 contains many bug fixes and improvements over 0.15.3, the previous stable release.
Over a year ago Contour 0.6 introduced the IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilizing modern web development patterns in multi-tenant Kubernetes clusters.
As part of preparations for bringing Contour to 1.0, IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.
HTTPProxy brings with it two new concepts, inclusion and conditions, both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and our limited support for prefix based matching.
HTTPProxy is considered stable and our sincere desire is that future changes will be made in a backward-compatible manner. For more information, please consult the HTTPProxy documentation.
None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.
With the introduction of HTTPProxy, the IngressRoute CRD is now marked as deprecated.
While deprecated, IngressRoute CRD will continue to be supported in its current state in Contour 1.0. The plan of record is IngressRoute will be removed in early 2020.
For more information please read the IngressRoute to HTTPProxy upgrade guide.
IngressRoute and HTTPProxy status updates are now performed by the lead Contour in the deployment. The lead Contour is determined via Kubernetes' standard leader election mechanisms.
If leader election is disabled, all Contours will write status back to the Kubernetes API.
Fixes #1425, #1385, and many other issues with status loops over the years.
Contour 1.0.0 includes updated OpenAPIv3 schema validations. These schemas are automatically generated from the CRD documents themselves and should be more complete and consistent than the previous hand-rolled versions.
Fixes #513, #1414. Thanks @youngnick
As part of the continued preparations for the 1.0 release, Contour's documentation has been relocated to the https://projectcontour.io website. Specifically:
Huge thanks to @jpeach for his work re-organizing and copy editing the website content.
Contour 1.0.0 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection, the other side never gets the message).
The common theme was the cluster was using an overlay network which suggested the overlay was timing out long-running TCP connections. Contour 1.0.0 configures various keep alive mechanisms to detect networking issues between Envoy and Contour.
Fixes #1744. Thanks, @youngnick, @bgagnon, and @ravilr.
Contour now delays serving traffic to Envoy until each of the API informers has caught up to the API server. This change reduces the likelihood that Envoy can connect to a Contour instance in the process of startup and thus observe an incomplete view of the cluster.
Updates #1280. Thanks, @jpeach and @stevesloka.
Support for the networking.k8s.io/v1beta1.Ingress object has been added.
Fixes #1685
contour.heptio.com annotations deprecated
As part of the move to the projectcontour.io namespace, the Heptio branded contour.heptio.com annotations have been migrated to their respective projectcontour.io versions. The previous contour.heptio.com annotations should be considered deprecated. Contour will continue to support these deprecated forms for the moment. They will be removed at some point after Contour 1.0.
The ability to specify a Contour wide request timeout has been added to the configuration file.
See the configuration file example for more information.
Fixes #1073. Thanks, @youngnick.
Contour now attempts to validate the contents of a TLS certificate before presenting it to Envoy. This validation only extends to asserting the certificate is well-formed. Expired, incorrect hostname details, or otherwise well-formed but invalid certificates are not rejected. IngressRoutes and HTTPProxys that reference invalid secrets will have their Status: fields set accordingly.
Fixes #1065
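As an added example (not code from the Contour project), the following Go program shows the kind of well-formedness check the paragraph above describes, alongside the kubernetes.io/tls and ca.crt requirements listed under this release: ValidateServingSecret accepts any parseable certificate with a matching key, even an expired one, while VerifyLeaf shows what full verification would additionally catch. The Secret type, the function names and the self-signed test material are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SecretTypeTLS is the Kubernetes Secret type the release notes require for serving certificates.
const SecretTypeTLS = "kubernetes.io/tls"

// Secret is a constructed stand-in for the parts of a core/v1 Secret that matter here.
type Secret struct {
	Type string
	Data map[string][]byte
}

// ValidateServingSecret accepts a Secret only if its type is kubernetes.io/tls and
// tls.crt / tls.key hold a parseable certificate with a matching private key. Like the
// check described above it is well-formedness only: expiry and hostnames are not examined.
func ValidateServingSecret(s Secret) (*x509.Certificate, error) {
	if s.Type != SecretTypeTLS {
		return nil, fmt.Errorf("secret type %q is not %s", s.Type, SecretTypeTLS)
	}
	pair, err := tls.X509KeyPair(s.Data["tls.crt"], s.Data["tls.key"])
	if err != nil {
		return nil, fmt.Errorf("tls.crt/tls.key: %w", err)
	}
	return x509.ParseCertificate(pair.Certificate[0])
}

// ValidateCASecret accepts a Secret used for upstream validation: the type is not
// checked, but ca.crt must be non-empty and hold at least one CERTIFICATE PEM block.
func ValidateCASecret(s Secret) (*x509.CertPool, error) {
	ca := s.Data["ca.crt"]
	if len(ca) == 0 {
		return nil, errors.New("ca.crt is missing or empty")
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(ca) {
		return nil, errors.New("ca.crt holds no parseable CERTIFICATE block")
	}
	return pool, nil
}

// VerifyLeaf runs the full time and hostname verification the well-formedness check
// skips, trusting the leaf as its own root (enough for the self-signed material below).
func VerifyLeaf(leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// NewSelfSignedSecret builds a constructed kubernetes.io/tls Secret for host with the
// given validity window, so the checks can be exercised offline.
func NewSelfSignedSecret(host string, notBefore, notAfter time.Time) (Secret, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Secret{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Secret{}, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return Secret{}, err
	}
	return Secret{Type: SecretTypeTLS, Data: map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}}, nil
}
```

Calling ValidateServingSecret on a NewSelfSignedSecret whose NotAfter is in the past returns no error, while VerifyLeaf on the same leaf reports expiry; that gap is exactly the caveat the note above states.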
Contour 1.0.0 requires Envoy 1.11.2.
See the Envoy 1.11.2 announcement for details.
By default, Envoy emits request logs in its own format. See the Envoy docs for details.
Contour 1.0.0 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.
Please see the documentation and design document for more information.
Fixes #624. Thanks, @youngnick.
Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default.
This can be changed using the config file.
Contour's image registry has moved from gcr.io/heptio-images/contour to docker.io/projectcontour/contour.
Please update your image locations to docker.io/projectcontour/contour:v1.0.0.
Contour's source code has moved from github.com/heptio/contour to github.com/projectcontour/contour.
GitHub is pretty good about redirecting people for a time, but eventually, the github.com/heptio organization will go away and redirects will cease. Please update your bookmarks.
Contour's default namespace has changed from heptio-contour to projectcontour.
Under certain circumstances, it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.
For more information see #910 and #1450.
Per route, a service can be nominated as a mirror. The mirror service will receive a copy of the traffic sent to any non-mirror service. The mirrored traffic is considered read only; any response by the mirror will be discarded.
Fixes #459
Per route, idle timeouts can be configured via the HTTPProxy CRD.
Fixes #944
Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations. This substantially reduces the number of updates processed by Contour.
Fixes #1372
Contour now supports filtering update notifications. Specifically, Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates sent to Envoy.
Updates #426, #499
- The contour binary now executes a graceful shutdown when sent SIGTERM. Thanks, @alexbrand. Fixes #1364.
- X-Request-Id header if present. Fixes #1509.
- The envoyproxy/go-control-plane package has been upgraded to version 0.9.0. go-control-plane 0.9.0 switches to the google/protobuf library, which results in a 4 MB smaller binary. Neat.
- The CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
- The /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
- * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
- A make help target has been added. Thanks @jpeach.
- prefix conditions must start with a slash. Fixes #1628. Thanks @youngnick.
- header conditions are now rejected. Fixes #1559. Thanks @youngnick.
- route or include blocks with more than one prefix condition are now rejected. Fixes #1611. Thanks @stevesloka.
- The X-Request-Id header is now no longer removed from incoming requests. Fixes #1487.
- HTTPProxy includes no longer require a namespace key. If no namespace is provided, the included HTTPProxy is inferred to be in the same namespace as its parent. Fixes #1574. Thanks @youngnick.
- contour bootstrap -- - has been added. Thanks @jpeach.
- Secrets must be of type kubernetes.io/tls or, in the case of upstream validation certificates, contain a non-empty ca.crt key. Fixes #1697. Thanks @jpeach.
- x_trace_id has been added to the set of JSON loggable fields. Fixes #1734. Thanks @cw-sakamoto!
- contour cli. Thanks @jpeach.
- Several of the examples/ sample manifests have been removed as part of the preparations for the 1.0.0 release.
- .travis.yml. Thanks @SDBrett.
- prefix conditions no longer strip trailing slashes. Fixes #1597. Thanks @youngnick.
Please consult the Upgrading document for further information on upgrading from Contour 0.15.3 to Contour 1.0.0.
A final special shoutout to @davecheney for all his ongoing guidance, support, and leadership in designing & developing Contour!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Published by davecheney almost 5 years ago
VMware is enraptured to present version 1.0.0-rc.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!
Contour 1.0.0-rc.2 is the second, and hopefully last, release candidate on the path to Contour 1.0.
The current stable release at this time remains Contour 0.15.3.
Contour 1.0.0-rc.2 contains many bug fixes and improvements over rc.1.
As part of the continued preparations for the 1.0 release, Contour's documentation has been relocated to the https://projectcontour.io website. Specifically:
Huge thanks to @jpeach for his work re-organising and copy editing the website content.
IngressRoute and HTTPProxy status updates are now performed by the lead Contour in the deployment. The lead Contour is determined via Kubernetes' standard leader election mechanisms.
If leader election is disabled, all Contours will write status back to the Kubernetes API.
Fixes #1425, #1385, and many other issues with status loops over the years.
Contour 1.0.0-rc.2 includes updated OpenAPIv3 schema validations. These schemas are automatically generated from the CRD documents themselves and should be more complete and consistent than the previous hand rolled versions.
Fixes #513, #1414. Thanks @youngnick
Contour 1.0.0-rc.2 now supports TCPProxy delegation. See the relevant section in the HTTPProxy documentation.
Fixes #1655.
Contour 1.0.0-rc.2 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection, the other side never gets the message).
The common theme was the cluster was using an overlay network which suggested the overlay was timing out long running TCP connections. Contour 1.0.0-rc.2 configures various keep alive mechanisms to detect networking issues between Envoy and Contour.
This fix is also included in Contour 0.15.3 and later.
Fixes #1744. Thanks @youngnick, @bgagnon, and @ravilr.
Contour now delays serving traffic to Envoy until each of the API informers has caught up to the API server. This change reduces the likelihood that Envoy can connect to a Contour instance in the process of startup and thus observe an incomplete view of the cluster.
Updates #1280. Thanks @jpeach and @stevesloka.
- contour bootstrap -- - has been added. Thanks @jpeach.
- Secrets must be of type kubernetes.io/tls or, in the case of upstream validation certificates, contain a non-empty ca.crt key. Fixes #1697. Thanks @jpeach.
- x_trace_id has been added to the set of JSON loggable fields. Fixes #1734. Thanks @cw-sakamoto!
- contour cli. Thanks @jpeach.
Contour 1.0.0-rc.2 improves the TLS certificate validation added in rc.1. Contour is now less likely to reject valid certificates that contain unexpected elliptic curve parameters.
This fix is also included in Contour 0.15.2 and later.
Fixes #1702. With many thanks to @mattalberts for the report and the fix.
- .travis.yml. Thanks @SDBrett.
Please consult the Upgrading document for further information on upgrading from Contour 1.0.0-rc.1 to Contour 1.0.0-rc.2.
Published by davecheney almost 5 years ago
Contour 0.15.3 is a minor patch release for the Contour 0.15 series.
All Contour users should upgrade to Contour 0.15.3.
Contour 0.15.3 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection but the other side never gets the message).
The common theme was the cluster was using an overlay network which suggested the overlay was timing out long running TCP connections. Contour 0.15.3 configures various keep alive mechanisms to detect networking issues between Envoy and Contour.
Fixes #1744. Thanks @youngnick, @bgagnon, and @ravilr.
If you are already running Contour 0.15.2 the upgrade instructions are as follows:
- Update the Contour image tag to v0.15.3.
- Update the Envoy image tag to v1.11.2.
If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.
Published by davecheney about 5 years ago
Contour 0.15.2 is a minor patch release for the Contour 0.15 series.
All Contour users should upgrade to Contour 0.15.2.
Contour 0.15.2 now validates a wider set of TLS secrets, including those with EC Parameter blocks.
Fixes #1702. Thanks @mattalberts.
Contour 0.15.2 is built using Go 1.13.3.
If you are already running Contour 0.15.0 or 0.15.1 the upgrade instructions are as follows:
- Update the Contour image tag to v0.15.2.
- Update the Envoy image tag to v1.11.2.
If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.
Published by davecheney about 5 years ago
VMware is ebullient to present version 1.0.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!
Contour 1.0.0-rc.1 is the first release candidate on the path to Contour 1.0.
The current stable release at this time remains Contour 0.15.1.
Contour 1.0.0-rc.1 contains many bug fixes and improvements, and moves the HTTPProxy CRD to v1.
Contour 1.0.0-rc.1 promotes the HTTPProxy CRD to v1. HTTPProxy is now considered stable and our sincere hope is that with the move to v1 any changes to the CRD in the future can be made in a backwards compatible manner.
The move from alpha1 to v1 has resulted in changes to per service health checking, load balancing strategy, and per route prefix rewriting.
Please see the upgrading document and HTTPProxy documentation for advice on upgrading HTTPProxy alpha1 CRDs to v1.
HTTPProxy v1 removes prefix rewriting support. The feature as implemented in HTTPProxy alpha1, and IngressRoute before it, was badly designed and it was not possible to address its limitations without a backwards incompatible change. Our intention is to design a more capable prefix rewrite replacement.
Prefix rewrite support continues to exist in the deprecated IngressRoute CRD. We won't be removing IngressRoute support until we have a replacement for prefixRewriting available in HTTPProxy.
Please follow #899 for the status of this issue.
Support for the networking.k8s.io/v1beta1.Ingress object has been added.
Fixes #1685
contour.heptio.com annotations deprecated
As part of the move to the projectcontour.io namespace, the Heptio branded contour.heptio.com annotations have been migrated to their respective projectcontour.io versions. The previous contour.heptio.com annotations should be considered deprecated. Contour will continue to support these deprecated forms for the moment. They will be removed at some point after Contour 1.0.
The ability to specify a Contour wide request timeout has been added to the configuration file.
See the configuration file example for more information.
Fixes #1073. Thanks @youngnick.
Contour 0.15.1 now attempts to validate the contents of a TLS certificate before presenting it to Envoy.
This validation only extends to asserting the certificate is well formed. Expired, incorrect hostname details, or otherwise well formed but invalid certificates are not rejected. IngressRoutes that reference invalid secrets will have their Status: fields set accordingly.
Fixes #1065
See the Envoy 1.11.2 announcement for details on the vulnerabilities.
- A make help target has been added. Thanks @jpeach.
- prefix conditions must start with a slash. Fixes #1628. Thanks @youngnick.
- header conditions are now rejected. Fixes #1559. Thanks @youngnick.
- route or include blocks with more than one prefix condition are now rejected. Fixes #1611. Thanks @stevesloka.
- The X-Request-Id header is now no longer removed from incoming requests. Fixes #1487.
- HTTPProxy includes no longer require a namespace key. If no namespace is provided, the included HTTPProxy is inferred to be in the same namespace as its parent. Fixes #1574. Thanks @youngnick.
- prefix conditions no longer strip trailing slashes. Fixes #1597. Thanks @youngnick.
Please consult the Upgrading document for further information on upgrading from Contour 1.0.0-beta.1 to Contour 1.0.0-rc.1.
Published by davecheney about 5 years ago
Contour 0.15.1 is a minor patch release for the Contour 0.15 series.
All Contour users should upgrade to Contour 0.15.1 and Envoy 1.11.2.
See the Envoy 1.11.2 announcement for details on the vulnerabilities.
See the upgrading section below for details.
Contour 0.15.1 preserves the X-Request-Id header if present in the client request.
Fixes #1487
Contour 0.15.1 now attempts to validate the contents of a TLS certificate before presenting it to Envoy.
This validation only extends to asserting the certificate is well formed. Expired, incorrect hostname details, or otherwise well formed but invalid certificates are not rejected. IngressRoutes that reference invalid secrets will have their Status: fields set accordingly.
Fixes #1065
Contour 0.15.1 is built using Go 1.13.1.
If you are already running Contour 0.15.0 the upgrade instructions are as follows:
- Update the Contour image tag to v0.15.1.
- Update the Envoy image tag to v1.11.2.
If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.
Published by davecheney about 5 years ago
VMware is proud to present version 1.0.0-beta.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!
Contour 1.0.0-beta.1 is the first beta release along the path to Contour 1.0.
The current stable release at this time remains Contour 0.15.0.
Contour 1.0.0-beta.1 contains many bug fixes and improvements.
Over a year ago Contour 0.6 introduced a new CRD, IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilising modern web development patterns in multi tenant Kubernetes clusters.
As part of preparations for bringing Contour to 1.0, IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.
HTTPProxy brings with it two new concepts, inclusion and conditions, both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and our limited support for prefix based matching.
For more information, please consult the HTTPProxy documentation.
None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.
With the introduction of HTTPProxy, the IngressRoute CRD is now marked as deprecated.
The IngressRoute CRD will be supported in its current state until the Contour 1.0.0 release and will be removed shortly after.
For more information please read the IngressRoute to HTTPProxy upgrade guide.
By default Envoy emits request logs in its own format. See the Envoy docs for details.
Contour 1.0.0-beta.1 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.
Please see the documentation and design document for more information.
Fixes #624. Thanks @youngnick.
Leader election no longer blocks the opening of the xDS serving port. All Contours serve xDS, the leadership will control which Contour writes status updates. This work is ongoing and is documented in #1385.
Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default.
This can be changed using the config file.
Because of this, rolling updates will now complete, and the example Contour Deployment has been reverted to the RollingUpdate strategy.
Contour's image registry has moved from gcr.io/heptio-images/contour to docker.io/projectcontour/contour.
The v1.0.0-beta.1 tag is only available in docker.io/projectcontour/contour.
For convenience the :v0.15.0 and :latest tags are available in both repositories. Once Contour 1.0.0 final is released the :latest tag will move to docker.io/projectcontour/contour. Even if you are remaining on :latest or :v0.15.0 until the final release of Contour 1.0.0, please update your image locations to docker.io/projectcontour/contour:v0.15.0 or docker.io/projectcontour/contour:latest respectively.
Contour's source code has moved from github.com/heptio/contour to github.com/projectcontour/contour.
GitHub is pretty good about redirecting people for a time, but eventually the github.com/heptio organization will go away and redirects will cease. Please update your bookmarks.
Contour's default namespace has changed from heptio-contour to projectcontour.
examples/
Several of the examples/ sample manifests have been removed as part of the preparations for the 1.0.0 release.
Under certain circumstances it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.
For more information see #910 and #1450.
Per route a service can be nominated as a mirror. The mirror service will receive a copy of the read traffic sent to any non-mirror service. The mirror traffic is considered read only; any response by the mirror will be discarded.
Fixes #459
Per route idle timeouts can be configured via the HTTPProxy CRD.
Fixes #944
Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations.
This substantially reduces the number of updates processed by Contour.
Fixes #1372
Contour now supports filtering update notifications in some circumstances. Specifically, Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates sent to Envoy.
Updates #426, #499
- The contour binary now executes a graceful shutdown when sent SIGTERM. Thanks @alexbrand. Fixes #1364.
- X-Request-Id header if present. Fixes #1509.
- The envoyproxy/go-control-plane package has been upgraded to version 0.9.0. go-control-plane 0.9.0 switches to the google/protobuf library, which results in a 4 MB smaller binary. Neat.
- The CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
- The /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
- * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
In the case where an IngressRoute had a missing or invalid TLS secret, Contour would serve the IngressRoute over HTTP. Contour now detects the case where a TLS enabled IngressRoute is missing its certificate and will not present the virtualhost over HTTP or HTTPS.
Fixes #1452
Please consult the Upgrading document for further information on upgrading from Contour 0.15 to Contour 1.0.0-beta.1.
Published by davecheney about 5 years ago
VMware is proud to present version 0.15 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!
All Contour users should upgrade to Contour 0.15.0 and Envoy 1.11.1 as there are some tasty HTTP/2 vulnerabilities which you really should patch.
Contour 0.15 includes several new features as well as the usual smattering of fixes and minor improvements.
A number of CVEs related to HTTP/2 have been addressed by Envoy.
See the Envoy 1.11.1 announcement for details on the vulnerabilities.
As Envoy have not provided fixes for Envoy 1.10 and earlier, all Contour users should also upgrade to Envoy 1.11.1.
Contour 0.15 now supports leader election. In leader election mode only one Contour pod in a deployment, the leader, will open its gRPC endpoint to serve requests from Envoy. All other Contours will continue to watch the API server but will not serve gRPC until they become the leader. Leader election can be used to ensure that all Envoys take their configuration from a single Contour instance.
Leader election is currently opt-in. In future versions of Contour we plan to make leader election mode the default.
For more information please consult the upgrading document.
Thanks @youngnick
In Contour 0.14 support was added for mTLS communication between Contour and Envoy. Contour 0.15 now requires all users to either supply gRPC TLS information, or use contour serve --insecure to opt out of mTLS.
If you do not supply TLS details or --insecure, contour serve will not start.
For more information please consult the upgrading document.
Thanks @youngnick
Contour 0.15 supports passing configuration to Contour via a configuration file. The configuration file is intended to specify configuration that applies per Contour installation. Per Ingress or per Route configuration continues to be drawn from the objects and CRDs in the Kubernetes API server.
Contour 0.15 supports supplying an installation wide minimum TLS protocol version. This setting can be used by administrators to raise the minimum TLS version used by TLS enabled virtual hosts managed by Contour.
The tls.minimumProtocolVersion field in the configuration file controls the minimum protocol version used.
permitInsecure setting
Contour 0.15 supports disabling the permitInsecure IngressRoute setting. This setting can be used by administrators to prevent IngressRoute users presenting port 80 as an alternative to HTTPS.
Setting disablePermitInsecure to true will cause Contour to ignore the permitInsecure field on IngressRoute objects.
Fixes #864. Thanks @stevesloka
Contour 0.15 ignores updates to Secret and Service documents that are not referenced by an active Ingress or IngressRoute object. This significantly reduces the number and frequency of configuration updates sent to Envoy.
Updates #499.
In earlier versions of Contour, using the v1.Ingress object, it was possible to present a route which had no active Service if the Service named in the Ingress document was not present. When this occurred Envoy would respond to the route, but always return 503.
Contour 0.15 fixes this bug and will not present routes if their corresponding Service is missing. As a result, if the misconfigured route was the only route present on the virtual host, the virtual host itself will not be presented. If this was the only virtual host configured for a listening port (HTTP or HTTPS) then Contour 0.15 will not open the respective port.
This is not considered a loss of functionality as the only reason this port was open was to present a virtual host whose sole purpose was to return 503 for any request. However, some users may be relying on this functionality for health checking Envoy itself. If this is the case you should consider switching to a readinessProbe on the Envoy pod itself.
For more discussion see #389
Contour 0.15 fixes a problem where regular expressions in Ingress spec.[]rules.http.[]paths.path values were interpreted as prefixes. This has likely been broken since at least Contour 0.5 (possibly earlier 😳).
note: IngressRoute does not support regular expression matching, this feature is only present in the Kubernetes Ingress object.
This bug was fixed in Contour 0.14.1.
For more information see #1243.
Thanks @stevesloka
/tmp is not available
The glog (now klog) library would attempt to write to disk if not properly initialised. Contour 0.15 properly initialises klog to prevent the issue caused by this horrendous API footgun.
This bug was fixed in Contour 0.14.2
For more information see #1279.
Thanks to @so0k for the report and @mattalberts for the fix.
- preStop hooks in our examples/ have been corrected to work around the lack of wget in the Envoy image. Fixes #1254.
- spec.tcpproxy.port field. Fixes #1336.
Please consult the Upgrading document for further information on upgrading from Contour 0.14 to Contour 0.15.
Published by davecheney about 5 years ago
Contour 0.14.2 is a bug fix and security release for the Contour 0.14 series.
All Contour users should upgrade to Contour 0.14.2.
A number of CVEs related to HTTP/2 have been addressed by Envoy.
See the Envoy 1.11.1 announcement for details on the vulnerabilities.
As Envoy have not provided fixes for Envoy 1.10 and earlier all Contour users should upgrade to Envoy 1.11.1. As Contour and Envoy have a close coupling between versions, all Contour users should upgrade to Contour 0.14.2 at the same time.
See the upgrading section below for details.
A similar set of issues related to HTTP/2 and URL parsing has been addressed in Go 1.12.8.
See the Go 1.12.8 announcement for details on the vulnerabilities.
Contour 0.14.2 is built using Go 1.12.8 to mitigate these issues.
/tmp is not available
The glog (now klog) library would attempt to write to disk if not properly initialised. Contour 0.14.2 properly initialises klog to prevent this issue. Fixes #1279. Thanks to @so0k for the report and @mattalberts for the fix.
If you are already running Contour 0.14.0, or 0.14.1, the upgrade instructions are as follows:
- Update the Contour image to gcr.io/heptio-images/contour:v0.14.2.
- Update the Envoy image to docker.io/envoyproxy/envoy:v1.11.1.
If you are running Contour 0.13.0 or earlier, please see the release notes for the previous release.
Published by davecheney about 5 years ago
Contour 0.14.1 is a bug fix release for the recently released Contour 0.14.0.
All Contour users should upgrade to Contour 0.14.1.
Contour 0.14.1 fixes a problem where regular expressions in Ingress spec.[]rules.http.[]paths.path values were interpreted as prefixes. This has likely been broken since at least Contour 0.5 (possibly earlier 😳).
note: IngressRoute does not support regular expression matching, this feature is only present in the Kubernetes Ingress object.
This bug is fixed in Contour 0.14.1. All Contour users should upgrade to Contour 0.14.1.
For more information see #1243.
Thanks @stevesloka
If you are already running Contour 0.14.0, there are no specific upgrade instructions save changing the image tag to v0.14.1.
If you are running Contour 0.13.0 or earlier, please see the release notes for the previous release.
Published by stevesloka over 5 years ago
VMware is proud to present version 0.14 of Contour, our Envoy powered Kubernetes Ingress Controller.
As always, without the help of the many community contributors this release would not have been possible. Thank you!
Contour 0.14 includes several new features as well as the usual smattering of fixes and minor improvements.
Historically the privacy and security of the communication between Envoy and Contour was handled by deploying both containers in the same pod and with traffic passing over the loopback interface. However this is not the only way in which Envoy and Contour can be deployed.
For example, administrators may wish to deploy Envoy in a DaemonSet independent from Contour's Deployment. In this mode the communication between Envoy and Contour did not (until 0.14) require authentication and any process that knew the address of Contour's xDS endpoint could connect and ask for configuration as if it were Envoy.
Contour 0.14 adds the ability to secure the communication between Contour and Envoy and authenticate the clients connecting to a Contour server by using SSL client certificate authentication (sometimes referred to as mTLS).
For more information please refer to the Generating example gRPC TLS certificates documentation and the design document.
Fixes #862. Thanks @youngnick.
Following from the previous enhancement, the ds-hostnet-split example has been enhanced to use mTLS between Envoy and Contour.
This is accomplished via a one-shot Job which will generate the CA and certificate material.
For more information refer to the Contour Deployment with Split Pods documentation and the /examples/ds-hostnet-split sample YAML.
Fixes #881. Thanks @youngnick.
contour serve configuration can be supplied via configuration file
In order to support new configuration options for logging in 0.15, contour serve now takes a -c config.json flag.
Fixes #1130
glog has finally been expunged from Contour's dependency list along with the horrible hacks it required. Good riddance.
* in the spec.virtualhost.fqdn, as * has a special meaning to Envoy which we did not intend to expose. Fixes #1167. Thanks @odacremolbap.
--envoy-external-http-port and --envoy-external-https-port flags have been removed in 0.14.0. There is no replacement; the flags are no longer required and must be removed from your deployment YAML.
docker.io/envoyproxy/envoy:v1.10.0
We're aware of the recent release of Envoy 1.11.0; however, as Contour 0.14 does not contain any code to activate new features in Envoy 1.11.0, we have opted to stay on Envoy 1.10.0 for Contour 0.14. Upgrading to Envoy 1.11.0 will happen during the Contour 0.15 cycle. See #1242 for more information.
Published by stevesloka over 5 years ago
VMware is proud to present version 0.13 of Contour, our Envoy powered Kubernetes Ingress Controller. As always, without the help of the many community contributors, this release would not have been possible. Thank you!
Contour 0.13 includes several new features as well as the usual smattering of fixes and minor improvements.
Session affinity, also known as sticky sessions, is a load balancing strategy whereby a sequence of requests from a single client are consistently routed to the same application backend. Contour 0.13.0 supports session affinity with the strategy: Cookie key on a per-service basis.
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: httpbin
  namespace: default
spec:
  virtualhost:
    fqdn: httpbin.davecheney.com
  routes:
  - match: /
    services:
    - name: httpbin
      port: 8080
      strategy: Cookie
See the design document and IngressRoute documentation for more information.
Contour now supports proxying traffic to Services which use service.spec.externalName.
When service.spec.externalName is defined, DNS is used to discover the service's external endpoints.
Both HTTP and TCP ExternalNames are supported.
See the design document and Kubernetes' Service documentation for more information.
Fixes #334. Thanks @stevesloka.
deployment/ YAML examples moved to examples/
Since our 0.1 release Contour has always included in the repository sample YAML for various configurations.
These were always intended to be examples, and this is how the Contour team always perceived them.
However, we did a bad job of communicating this to our user base, which we are now trying to correct.
In operation, nothing has changed with the sample YAML other than it has moved from deployment/ to examples/ to make clear that these are in fact simply examples.
Fixes #1118. Many thanks to @rochacon.
--envoy-external-http-port and --envoy-external-https-port flags have been deprecated
Due to a long-standing limitation in Envoy, if Contour was deployed on ports other than the traditional 80 (HTTP) and 443 (HTTPS), operators were required to pass to Envoy, via --envoy-external-http-port and --envoy-external-https-port, the non-standard ports that were in use. This was annoying in practice and restricted the use of local development tools like Minikube and Kind.
Contour 0.13.0 introduces a workaround for envoyproxy/envoy#1269 that removes the need to inform Envoy of external ports that will be forwarded to it. In turn, this should make it easier to deploy Contour inside Kind or Minikube clusters.
As they are no longer needed, the --envoy-external-http-port and --envoy-external-https-port flags now generate a warning if used and will be removed completely in 0.14.0.
Fixes #210. Thanks @youngnick.
force-ssl-redirect now takes precedence over the ingress.allow-http annotation
The behavior when the kubernetes.io/ingress.allow-http and ingress.kubernetes.io/force-ssl-redirect annotations were both specified was somewhat surprising. ingress.allow-http: false meant that no routes were registered for port 80, even if force-ssl-redirect: true was set, leading to a 404 where a 3xx upgrade to https was expected.
Contour 0.13.0 now prioritizes force-ssl-redirect. If this annotation is specified and set to true, Contour will always register a port 80 route for the ingress, even if ingress.allow-http: false is set, so that the forced upgrade can take effect.
Fixes #1023 with many thanks to @ceralena.
Maglev and RingHash load balancer strategies no longer supported.
RingHash and Maglev are two balancing/affinity strategies offered by IngressRoute. However, due to a lack of understanding of how they worked when they were added in Contour 0.6, neither strategy was properly configured and would only result in random behavior.
Without the ability to configure the hash key, which is usually some form of a session cookie, these strategies are not useful and cannot be used correctly.
As such they have been removed from the list of valid strategies.
For their replacement, see the earlier section on Session Affinity.
Fixes #1030 and #1150
Contour 0.13.0 configures an explicit timeout for all idle HTTP and TCP proxy connections. As the definition of idle differs between HTTP and TCP modes the values are different.
Fixes #1045 and #1074. Thanks @mattalberts and @youngnick.
As part of a continuing effort to characterize and reduce the amount of memory used by Envoy, Contour 0.13 contains several improvements and bug fixes intended to reduce Envoy's footprint.
This work will continue in 0.14 and onwards.
Fixes or updates #499, #876, #1096
Huge thanks to @lrouquette, @mattalberts, @phylake, and many more for their assistance.
Contour now understands the IPv6-any address, "::", and when used Contour will instruct Envoy to open ports on both IPv4 and IPv6 stacks. For example:
command: ["contour"]
args:
  - serve
  - --incluster
  - --envoy-service-http-port=8080
  - --envoy-service-https-port=8443
  - "--stats-address=::"
  - "--envoy-service-https-address=::"
  - "--envoy-service-http-address=::"
This makes it possible to use the same config for ipv4-only and ipv6-only k8s, and enables dual-stack.
Big thanks to @uablrek for improving the story for IPv6 only or dual stack Kubernetes clusters.
CONTRIBUTING document with some guidelines for commit and PR messages. Fixes #1136. Thanks @youngnick.
kubernetes.io/tls and contains the required tls.crt and tls.key elements.
Contour 0.13 fixes a problem whereby Envoy could stall during startup if the cluster contains Services with no active pods. This situation is commonly encountered when a Service's Deployment has been scaled to zero replicas.
This fix was also backported to 0.12.1.
For more information see #1091 and #1110.
spec.virtualhost.fqdn field has been adjusted once more. Fixes #755, #1117. Thanks @youngnick.
--envoy-external-http-port and --envoy-external-https-port flags are deprecated and will be removed in 0.14.0. There is no replacement; the flags are no longer required and should be removed from your deployment YAML.
docker.io/envoyproxy/envoy:v1.10.0
Versions of Envoy later than 1.10.0 are not tested and not guaranteed to work with Contour 0.13.0.
strategy: Maglev and strategy: RingHash load balancer strategies have been removed. They never worked correctly and were functionally equivalent to strategy: Random. If cookie based routing is required, see the earlier section on Session Affinity.
Published by davecheney over 5 years ago
Contour 0.12.1 is a bug fix release for the recently released Contour 0.12.0.
All Contour users should upgrade to Contour 0.12.1.
Contour 0.12.1 fixes a problem whereby Envoy could stall during startup if the cluster contains Services with no active pods. This situation is commonly encountered when a Service's Deployment has been scaled to zero replicas.
This bug is fixed in Contour 0.12.1. All Contour users should upgrade to Contour 0.12.1.
For more information see #1091 and #1110.
If you are already running Contour 0.12.0, there are no specific upgrade instructions save changing the image tag to v0.12.1.
If you are running Contour 0.11.0 or earlier, please see the release notes for the previous release.
Published by davecheney over 5 years ago
VMware is proud to present version 0.12 of Contour, our Envoy powered Kubernetes Ingress Controller. Again, without the help of the many community contributors, this wouldn't have been possible. Thank you!
Contour 0.12 includes several new features as well as the usual smattering of fixes and minor improvements.
Support for specifying backend timeouts and retries has been added to IngressRoute. These are enabled via the timeoutPolicy and retryPolicy keys, respectively, e.g.
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: request-timeout
  namespace: default
spec:
  virtualhost:
    fqdn: timeout.bar.com
  routes:
  - match: /
    timeoutPolicy:
      request: 1s
    retryPolicy:
      count: 3
      perTryTimeout: 150ms
    services:
    - name: s1
      port: 80
If timeoutPolicy is present then the backend service must complete processing the request in the duration specified. If timeoutPolicy is present without a request key, the timeout is inferred to be infinite. If no timeoutPolicy is present, Envoy will use its default timeout, which is currently 15s.
If retryPolicy is present and perTryTimeout is set, requests to backends will be retried after the duration specified, up to the total request duration specified in timeoutPolicy (if present). By default the number of retries is 1, but this can be increased with the count key.
See the design document and the IngressRoute documentation for more information.
Thanks to @rohandvora, @prasoontelang and @stevesloka.
Contour 0.11 added support for enabling TLS communication between Envoy and backend services. Contour 0.12 adds the ability to verify that the backend pod Envoy communicates with is who it says it is. This is achieved in three steps.
1. contour.heptio.com/upstream-protocol.tls annotation on the Service document.
2. % kubectl create secret generic my-certificate-authority --from-file=./ca.key
3. validation key is created for each service in the matching route:
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: secure-backend
spec:
  virtualhost:
    fqdn: www.example.com
  routes:
  - match: /
    services:
    - name: service
      port: 8443
      validation:
        caSecret: my-certificate-authority
        subjectName: backend.example.com
Both the caSecret and subjectName keys are required.
See the design document and the ingressroute documentation for more information.
Thanks again to @stevesloka
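To show what the caSecret/subjectName validation above checks at the TLS layer, together with the client certificate requirement that the 0.14 notes describe for the Contour-to-Envoy connection, here is an added Go example. It is illustrative code written for these notes, not Contour's or Envoy's; the CA, the names backend.example.com, contour and envoy, and the loopback TCP connection are all constructed for the demonstration. backendValidation plays the proxy verifying a backend against a CA and an expected subject name; xdsClientAuth plays an xDS server that only completes a handshake for a client holding a certificate from that CA.

```go
// Added example, not Contour's or Envoy's code: the two certificate checks described in these notes.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate for name: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent, with name as DNS SAN and the given usage.
func issue(name string, parent *tls.Certificate, usage ...x509.ExtKeyUsage) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  usage, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	signer, signerKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// trust returns a pool holding only ca: what a caSecret amounts to.
func trust(ca *tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return pool
}

// exchange runs one TLS handshake over loopback TCP and returns the first error from
// either side; in TLS 1.3 the client's handshake returns before the server has checked
// the client certificate, so the server's verdict must be collected as well.
func exchange(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			s := tls.Server(conn, server)
			err = s.Handshake()
			s.Close()
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), client) // dials and handshakes
	if err != nil {
		return err
	}
	c.Close()
	return <-srvErr
}

// backendValidation is the 0.12 check: the proxy (TLS client) accepts the backend
// only if its certificate chains to ca and carries subjectName.
func backendValidation(ca, backend *tls.Certificate, subjectName string) error {
	return exchange(&tls.Config{Certificates: []tls.Certificate{*backend}},
		&tls.Config{RootCAs: trust(ca), ServerName: subjectName})
}

// xdsClientAuth is the 0.14 check: the xDS server (Contour) completes the handshake
// only for a client holding a CA-issued certificate; client == nil models none.
func xdsClientAuth(ca, xds, client *tls.Certificate) error {
	clientCfg := &tls.Config{RootCAs: trust(ca), ServerName: "contour"}
	if client != nil {
		clientCfg.Certificates = []tls.Certificate{*client}
	}
	return exchange(&tls.Config{Certificates: []tls.Certificate{*xds},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust(ca)}, clientCfg)
}

func main() {
	ca, _ := issue("example-ca", nil)
	backend, _ := issue("backend.example.com", ca, x509.ExtKeyUsageServerAuth)
	xds, _ := issue("contour", ca, x509.ExtKeyUsageServerAuth)
	envoy, _ := issue("envoy", ca, x509.ExtKeyUsageClientAuth)
	fmt.Println(backendValidation(ca, backend, "backend.example.com"), backendValidation(ca, backend, "other.example.com"))
	fmt.Println(xdsClientAuth(ca, xds, envoy), xdsClientAuth(ca, xds, nil))
}
```

The first call in each pair succeeds; a wrong subjectName fails with a hostname mismatch on the client side, and a client that knows the xDS address but holds no certificate is rejected by the server, which is the situation the 0.14 notes describe for a split Envoy/Contour deployment before mTLS.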
While not directly user facing Contour 0.12 adds support for Envoy's Secret Discovery Service (SDS) API.
In the future SDS support will aid in reducing the number of configuration changes sent from Contour to Envoy, and will enable secure communication between Contour and Envoy.
Thanks to @vaamarnath and Matt Alberts. Fixes #898.
Contour no longer offers ciphers matching AES128-* or AES256-* as they are considered to be weak. This improves the SSL Labs score for hosts secured by Contour.
See #1011 for more details
Thanks @yob
The Contour distribution now includes a set of predefined Grafana dashboards. See deployment/grafana and deployment/prometheus for more information.
Thanks @stevesloka, @alexbrand and @rata.
docker.io/envoyproxy/envoy:v1.9.1
Previous versions of Envoy are not compatible with the configuration generated by Contour 0.11. If Envoy fails to start after upgrading Contour to 0.12 with an error similar to this, you have not upgraded Envoy to 1.9.1.
[2019-04-08 01:54:58.396][000001][critical][main] [source/server/server.cc:86] error initializing configuration '/config/contour.json': Unable to parse JSON as proto (INVALID_ARGUMENT:normalize_path: Cannot find field.): {"codec_type":"AUTO","http_filters":[{"name":"envoy.health_check","config":{"headers":[{"name":":path","exact_match":"/healthz"}],"pass_through_mode":"false"}},{"name":"envoy.router"}],"stat_prefix":"stats","normalize_path":true,"route_config":{"virtual_hosts":{"routes":[{"match":{"prefix":"/stats"},"route":{"cluster":"service_stats"}}],"domains":["*"],"name":"backend"}}} [2019-04-08 01:54:58.397][000001][info][main] [source/server/server.cc:507] exiting
Versions of Envoy later than 1.9.1 are not tested and not guaranteed to work with Contour 0.12.0.
Published by davecheney over 5 years ago
VMware is proud to present version 0.11 of Contour, our Envoy powered Kubernetes Ingress Controller. As always, thank you to the many community contributors -- we literally couldn't do it without you!
Contour 0.11 addresses a path traversal security issue in Envoy 1.9.0. It is recommended that all users upgrade to Contour 0.11 and the corresponding Envoy 1.9.1 release.
Contour 0.11 includes several new features and one important security patch.
Envoy 1.9.0 and earlier are vulnerable to a path normalisation attack. For example, a remote attacker may craft a path with a relative path, e.g. /public/../admin, to bypass access control, e.g. a block on /admin. When deployed with Contour as an ingress controller this means traffic which was intended to be directed via one route may be sent to another via a denormalised request path.
The fix for this attack is available in Envoy 1.9.1, however it is not sufficient to simply upgrade Envoy as path normalisation is currently opt in. Contour 0.11.0 generates the correct configuration to secure Envoy 1.9.1 by requesting path normalisation for all routes.
Fixes #983. Thanks @stevesloka
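As an added illustration of the normalisation issue above (example code written for these notes, not Contour's or Envoy's implementation; the route table and request paths are constructed), the Go program below applies RFC 3986 dot-segment removal to a request path and shows how the same request lands on a different route depending on whether the proxy normalises before matching.

```go
// Added example, not Contour's or Envoy's code: why a proxy must normalise the
// request path before matching routes. Routes and paths are constructed.
package main

import (
	"fmt"
	"strings"
)

// NormalizePath applies remove_dot_segments (RFC 3986 section 5.2.4) to an
// absolute path: "." segments are dropped and ".." removes the preceding
// segment, never climbing above "/". A trailing "." or ".." keeps the trailing
// slash. Repeated slashes and percent-encoding are left as they are.
func NormalizePath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	segs := strings.Split(p[1:], "/")
	out := make([]string, 0, len(segs))
	for i, seg := range segs {
		last := i == len(segs)-1
		switch seg {
		case ".":
			if last {
				out = append(out, "")
			}
		case "..":
			if len(out) > 0 {
				out = out[:len(out)-1]
			}
			if last {
				out = append(out, "")
			}
		default:
			out = append(out, seg)
		}
	}
	return "/" + strings.Join(out, "/")
}

// Route is a prefix route, as an Ingress or IngressRoute path match produces.
type Route struct {
	Prefix  string
	Cluster string
}

// exampleRoutes is a constructed table, longest prefix first, where /admin is
// meant to reach an internal cluster and everything else a public one.
func exampleRoutes() []Route {
	return []Route{
		{Prefix: "/admin", Cluster: "admin-internal"},
		{Prefix: "/public", Cluster: "public-site"},
		{Prefix: "/", Cluster: "default"},
	}
}

// Resolve picks the cluster for rawPath and returns the path that would be
// forwarded. With normalize=false the proxy matches the path exactly as the
// client sent it; with normalize=true it first collapses dot segments, which
// is what Contour 0.11 asks Envoy 1.9.1 to do for every route.
func Resolve(routes []Route, rawPath string, normalize bool) (cluster, forwardedPath string) {
	path := rawPath
	if normalize {
		path = NormalizePath(rawPath)
	}
	for _, r := range routes {
		if strings.HasPrefix(path, r.Prefix) {
			return r.Cluster, path
		}
	}
	return "", path // no route: 404
}

func main() {
	for _, p := range []string{"/public/../admin/users", "/public/./index.html", "/../admin"} {
		before, fwd := Resolve(exampleRoutes(), p, false)
		after, nfwd := Resolve(exampleRoutes(), p, true)
		fmt.Printf("%-25s unnormalized -> %s (%s)\n%-25s normalized   -> %s (%s)\n", p, before, fwd, "", after, nfwd)
	}
}
```

Without normalisation, /public/../admin/users matches the /public route and the public backend receives a path that it will itself resolve to /admin/users, outside whatever policy the proxy attached to the /admin route; with normalisation the proxy sees /admin/users and the /admin route's policy applies.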
Contour 0.11 adds the ability to connect to backend Services that require TLS. This is enabled by a new annotation on the Service object:
contour.heptio.com/upstream-protocol.tls: {port,portName}
The question of what L7 protocol a Service's port speaks is a property of the Service, not the Ingress/IngressRoute, hence the annotation is placed on the Service object.
See the Annotation documentation for more information
Note: Envoy does not perform any validation of the certificate presented by the backend Service.
Fixes #406, #569, and #963.
Thanks again to @stevesloka
--v2-config-only flag has been removed from our sample deployments/. Thanks @rata. Fixes #971.
Several bugs in CRD validation have been fixed during the 0.11 development cycle.
spec.delegations took only a single item. This is incorrect; spec.delegations takes a list. The documentation has been corrected and additional CRD validation introduced to reject the previously incorrect YAML. Thanks to @joshrosso for spotting the issue. Fixes #977.
spec.tls.secretName prevented names with a forward slash, /, from being used. This has been corrected. Thanks @arminbuerkle. Fixes #965.
deployment/ds-hostnet-split example YAML failed to pass validation under newer versions of Kubernetes. This has been fixed. Thanks @stevesloka. Fixes #940.
contour serve documentation has been fixed. Thanks @shivanshu21. Fixes #966.
deployment/ artifacts.
--v2-config-only flag has been deprecated in Envoy 1.9.x and will be removed entirely in Envoy 1.10. Please remove it from your deployments to prevent Envoy failing to start.
docker.io/envoyproxy/envoy:v1.9.1
Previous versions of Envoy are not compatible with the configuration generated by Contour 0.11. If Envoy fails to start after upgrading Contour to 0.11 with an error similar to this, you have not upgraded Envoy to 1.9.1.
[2019-04-08 01:54:58.396][000001][critical][main] [source/server/server.cc:86] error initializing configuration '/config/contour.json': Unable to parse JSON as proto (INVALID_ARGUMENT:normalize_path: Cannot find field.): {"codec_type":"AUTO","http_filters":[{"name":"envoy.health_check","config":{"headers":[{"name":":path","exact_match":"/healthz"}],"pass_through_mode":"false"}},{"name":"envoy.router"}],"stat_prefix":"stats","normalize_path":true,"route_config":{"virtual_hosts":{"routes":[{"match":{"prefix":"/stats"},"route":{"cluster":"service_stats"}}],"domains":["*"],"name":"backend"}}} [2019-04-08 01:54:58.397][000001][info][main] [source/server/server.cc:507] exiting
Versions of Envoy later than 1.9.1 are not tested and not guaranteed to work with Contour 0.11.
Published by davecheney over 5 years ago
Heptio is proud to present version 0.10 of Contour, our Envoy powered Kubernetes Ingress Controller. It is recommended that all users upgrade to Contour 0.10.
Contour 0.10 features several new features.
The headline feature for Contour 0.10 is something we call TLS Certificate Delegation. The primary use case for TLS Certificate Delegation is enabling an administrator, the owner of a k8s Secret containing a wildcard style (*.mycorp.com) TLS certificate, to delegate the permission to reference that certificate by name to another namespace.
In this way, administrators do not need to copy tasty wildcard certificates to each namespace that wants to use them; instead an Ingress or IngressRoute owner can reference the wildcard certificate by name, assuming the administrator has created the appropriate delegation object.
Certificate delegation is opt in. To find out more about this feature, please refer to the following documents:
Fixes #410
Due to a long standing limitation in Envoy, if Contour is configured to present Envoy at your cluster's edge on ports other than the traditional 80 and 443, Envoy will reject the traffic because some user agents include that foreign port in the Host: header.
To address this, two new flags have been added to contour serve, --envoy-external-http-port and --envoy-external-https-port. These default to 80 and 443 respectively.
If you have deployed Contour at your edge using non standard port numbers, you should set these two flags to ensure Envoy can correctly route traffic that arrives with trailing port numbers in the Host: header.
Please see the Upgrading section for information on upgrading from previous incarnations of these flags.
Fixes #610
contour serve --access-log flag. Fixes #475. Thanks @vaamarnath.
The bootstrap configuration file format has changed from YAML to JSON. This change should be invisible to all users. If not, please redeploy Contour using the supplied deployment/ artifacts.
The --envoy-http-port and --envoy-https-port flags have been renamed to --envoy-service-http-port and --envoy-service-https-port respectively. The values of these flags default to 8080 and 8443 respectively and should match the ports in the heptio-contour/contour Service document.
Contour 0.10 requires Envoy 1.9.0.
docker.io/envoyproxy/envoy-alpine:v1.9.0
Previous versions of Envoy are not compatible with the configuration generated by Contour 0.10. Versions of Envoy later than 1.9.0 are not tested and not guaranteed to work with Contour 0.10.
Published by davecheney over 5 years ago
Heptio is proud to present version 0.9 of Contour, our Envoy powered Kubernetes Ingress Controller. It is recommended that all users upgrade to Contour 0.9.
Contour 0.9 adds support for terminating the TLS encapsulated TCP session at the backend service, not Contour's edge. Otherwise known as TLS passthrough, this feature allows services running on Kubernetes, which already present a TLS encrypted endpoint, to multiplex incoming connections via a single external IP, their ingress controller's port 443.
Thank you to @glerchundi who drove this feature to completion.
Here is an example from the IngressRoute document showing the TCP passthrough in action:
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: example
  namespace: default
spec:
  virtualhost:
    fqdn: tcp-passthrough.example.com
    tls:
      passthrough: true
  tcpproxy:
    services:
    - name: tcpservice
      port: 8080
  routes:
  - match: /
    services:
    - name: dummy
      port: 80
Please consult the IngressRoute documentation for more information.
Improvements to this feature will continue in future Contour releases.
docker.io/envoyproxy/envoy-alpine:v1.8.0
Previous versions of Envoy are not compatible with the configuration generated by Contour 0.9. Versions of Envoy later than 1.8.0 are not tested and not guaranteed to work with Contour 0.9.
Published by davecheney almost 6 years ago
Heptio is proud to present version 0.8.1 of Contour, our Envoy powered Kubernetes Ingress Controller.
Contour 0.8.1 is a bug fix release for the recently released 0.8.0.
spec.routes entry is no longer required to pass validation.
--use-proxy-protocol documentation has been updated to match the formatting of other examples. Thanks @wadeholler