contour

Contour is a Kubernetes ingress controller using Envoy proxy.

APACHE-2.0 License

Stars: 3.6K
Committers: 223


contour - Contour 1.0.1

Published by davecheney almost 5 years ago

Contour 1.0.1 is a patch release for the Contour 1.0 series that addresses several high severity security issues in Envoy.

Contour 1.0.1 contains no code changes from 1.0.0. This release only tags newer versions of our example and quickstart manifests to reflect the change in Envoy version.

All Contour users should upgrade to Contour 1.0.1 and Envoy 1.12.2.

Envoy 1.12.2

See the Envoy 1.12.2 announcement for details on the vulnerabilities.

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still want to give us feedback on your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour 1.0.0

Published by davecheney almost 5 years ago

We are delighted to present version 1.0.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Contour 1.0.0 is the latest stable release. All Contour users should upgrade to 1.0.0.

New and improved

Contour 1.0.0 contains many bug fixes and improvements over 0.15.3, the previous stable release.

HTTPProxy CRD

Over a year ago Contour 0.6 introduced the IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilizing modern web development patterns in multi-tenant Kubernetes clusters.

As part of preparations for bringing Contour to 1.0, IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.

HTTPProxy brings with it two new concepts, inclusion and conditions, both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and of our limited support for prefix-based matching.

HTTPProxy is considered stable and our sincere desire is that future changes will be made in a backward-compatible manner. For more information, please consult the HTTPProxy documentation.

None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.

IngressRoute deprecation

With the introduction of HTTPProxy, IngressRoute CRD is now marked as deprecated.

While deprecated, IngressRoute CRD will continue to be supported in its current state in Contour 1.0. The plan of record is IngressRoute will be removed in early 2020.

For more information, please read the IngressRoute to HTTPProxy upgrade guide.

IngressRoute and HTTPProxy status update improvements

IngressRoute and HTTPProxy status updates are now performed by the lead Contour in the deployment. The lead Contour is determined via Kubernetes' standard leader election mechanisms.

If leader election is disabled, all Contours will write status back to the Kubernetes API.

Fixes #1425, #1385, and many other issues with status loops over the years.

HTTPProxy and IngressRoute OpenAPIv3 schema validation

Contour 1.0.0 includes updated OpenAPIv3 schema validations. These schemas are automatically generated from the CRD documents themselves and should be more complete and consistent than the previous hand-rolled versions.

Fixes #513, #1414. Thanks, @youngnick.

Website improvements

As part of the continued preparations for the 1.0 release Contour's documentation has been relocated to the https://projectcontour.io website. Specifically;

Huge thanks to @jpeach for his work re-organizing and copy editing the website content.

Envoy keepalive tuning

Contour 1.0.0 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection, the other side never gets the message).

The common theme was that the affected clusters were using an overlay network, which suggested the overlay was timing out long-running TCP connections. Contour 1.0.0 configures various keepalive mechanisms to detect networking issues between Envoy and Contour.

Fixes #1744. Thanks, @youngnick, @bgagnon, and @ravilr.

Contour now waits for a full cache

Contour now delays serving traffic to Envoy until each of the API informers has caught up to the API server. This change reduces the likelihood that Envoy connects to a Contour instance that is still starting up and thus observes an incomplete view of the cluster.

Updates #1280. Thanks, @jpeach and @stevesloka.

networking.k8s.io/v1beta1 Ingress support

Support for the networking.k8s.io/v1beta1.Ingress object has been added.

Fixes #1685

contour.heptio.com annotations deprecated

As part of the move to the projectcontour.io namespace, the Heptio-branded contour.heptio.com annotations have been migrated to their respective projectcontour.io versions. The previous contour.heptio.com annotations should be considered deprecated. Contour will continue to support these deprecated forms for the moment. They will be removed at some point after Contour 1.0.

Client request timeout

The ability to specify a Contour wide request timeout has been added to the configuration file.

See the configuration file example for more information.

Fixes #1073. Thanks, @youngnick.

TLS certificate validation

Contour now attempts to validate the contents of a TLS certificate before presenting it to Envoy. This validation only extends to asserting that the certificate is well-formed. Certificates that are expired, carry incorrect hostname details, or are otherwise well-formed but invalid are not rejected. IngressRoutes and HTTPProxies that reference invalid secrets will have their Status: fields set accordingly.

Fixes #1065

Envoy 1.11.2

Contour 1.0.0 requires Envoy 1.11.2.

See the Envoy 1.11.2 announcement for details.

Structured JSON access logs

By default, Envoy emits request logs in its own format. See the Envoy docs for details.

Contour 1.0.0 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.

Please see the documentation and design document for more information.

Fixes #624. Thanks, @youngnick.

Leadership improvements

Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default.
This can be changed using the config file.

Contour image registry changes

Contour's image registry has moved from gcr.io/heptio-images/contour to docker.io/projectcontour/contour.
Please update your image locations to docker.io/projectcontour/contour:v1.0.0.

GitHub organization changes

Contour's source code has moved from github.com/heptio/contour to github.com/projectcontour/contour.

GitHub is pretty good about redirecting people for a time, but eventually, the github.com/heptio organization will go away and redirects will cease. Please update your bookmarks.

Contour namespace changes

Contour's default namespace has changed from heptio-contour to projectcontour.

TLS Passthrough and HTTP redirect

Under certain circumstances, it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.

For more information see #910 and #1450.

Per route traffic mirroring

Per route, a service can be nominated as a mirror. The mirror service will receive a copy of the traffic sent to any non-mirror service. The mirrored traffic is considered read-only; any response from the mirror is discarded.

Fixes #459

Per route idle timeout

Per route, idle timeouts can be configured via the HTTPProxy CRD.

Fixes #944

Contour ignores unrelated Secrets

Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations. This substantially reduces the number of updates processed by Contour.

Fixes #1372

Contour filters Endpoint updates

Contour now supports filtering update notifications. Specifically, Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates sent to Envoy.

Updates #426, #499

Minor improvements

  • The contour binary now executes a graceful shutdown when sent SIGTERM. Thanks, @alexbrand. Fixes #1364.
  • Contour now preserves the X-Request-Id header if present. Fixes #1509.
  • Contour's quickstart documentation now references the current stable version of Contour. Fixes #952.
  • Contour will no longer present a secret via SDS if that secret is not referenced by a valid virtualhost. #1165
  • The envoyproxy/go-control-plane package has been upgraded to version 0.9.0. go-control-plane 0.9.0 switches to the google/protobuf library, which results in a 4 MB smaller binary. Neat.
  • Our CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
  • The markup of several of our pages has been corrected to render properly on GitHub. Thanks @sudeeptoroy.
  • Envoy's /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
  • IngressRoute objects now forbid * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
  • make help target added. Thanks @jpeach.
  • HTTPProxy prefix conditions must start with a slash. Fixes #1628. Thanks @youngnick.
  • Duplicate HTTPProxy header conditions are now rejected. Fixes #1559. Thanks @youngnick.
  • HTTPProxy route or include blocks with more than one prefix condition are now rejected. Fixes #1611. Thanks @stevesloka.
  • The X-Request-Id header is now no longer removed from incoming requests. Fixes #1487.
  • HTTPProxy includes no longer require a namespace key. If no namespace is provided, the included HTTPProxy is inferred to be in the same namespace as its parent. Fixes #1574. Thanks @youngnick.
  • The ability to write the bootstrap configuration to standard out via contour bootstrap -- - has been added. Thanks @jpeach.
  • Contour now validates that TLS certificates either bear the type kubernetes.io/tls or, in the case of upstream validation certificates, contain a non-empty ca.crt key. Fixes #1697. Thanks @jpeach.
  • x_trace_id has been added to the set of JSON loggable fields. Fixes #1734. Thanks @cw-sakamoto!
  • Obsolete Heptio branding has been removed from contour cli. Thanks @jpeach.
  • Several of the examples/ sample manifests have been removed as part of the preparations for the 1.0.0 release.
  • Contour is built with Go 1.13.3.

Bug fixes

  • Contour now rejects IngressRoute and HTTPProxy objects that delegate to another root IngressRoute or HTTPProxy object. Fixes #865.
  • An error where IngressRoute's status is not set when it references an un-delegated TLS cert has been fixed. Fixes #1347.
  • Many documentation updates and improvements. Thanks @stevesloka, @youngnick, @jpeach.
  • Ingress, IngressRoute, and HTTPProxy route conditions are now properly ordered. Fixes #1579. Thanks @jpeach.
  • Incorrect, and as it turns out superfluous, settings removed from .travis.yml. Thanks @SDBrett.
  • The First Route custom field has been removed from the HTTPProxy CRD. Updates #1567. Thanks @youngnick.
  • Prefix conditions no longer strip trailing slashes. Fixes #1597. Thanks @youngnick.
  • TCPProxy support now works with HTTPProxy. Fixes #1626. Thanks @stevesloka.
  • HTTPProxy TLSCertificateValidation was broken in beta.1, now it's not. Fixes #1639. Thanks @stevesloka.
  • In the case where an IngressRoute had a missing or invalid TLS secret Contour would serve the IngressRoute over HTTP. Contour now detects the case where a TLS enabled IngressRoute is missing its certificate and will not present the virtualhost over HTTP or HTTPS. Fixes #1452
  • We have published a supported release version policy. Fixes #1581.

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 1.5.3 to Contour 1.0.0.

Special Shout-Out!

A final special shoutout to @davecheney for all his ongoing guidance, support, and leadership in designing & developing Contour!

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still want to give us feedback on your usage and scenarios for Contour, please post on this GitHub thread.

contour - Contour 1.0.0-rc.2

Published by davecheney almost 5 years ago

VMware is enraptured to present version 1.0.0-rc.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!

Contour 1.0.0-rc.2 is the second, and hopefully last, release candidate on the path to Contour 1.0.

The current stable release at this time remains Contour 0.15.3.

New and improved

Contour 1.0.0-rc.2 contains many bug fixes and improvements over rc.1.

Website improvements

As part of the continued preparations for the 1.0 release Contour's documentation has been relocated to the https://projectcontour.io website. Specifically;

Huge thanks to @jpeach for his work re-organising and copy editing the website content.

IngressRoute and HTTPProxy status update improvements

IngressRoute and HTTPProxy status updates are now performed by the lead Contour in the deployment. The lead Contour is determined via Kubernetes' standard leader election mechanisms.

If leader election is disabled, all Contours will write status back to the Kubernetes API.

Fixes #1425, #1385, and many other issues with status loops over the years.

HTTPProxy and IngressRoute OpenAPIv3 schema validation

Contour 1.0.0-rc.2 includes updated OpenAPIv3 schema validations. These schemas are automatically generated from the CRD documents themselves and should be more complete and consistent than the previous hand-rolled versions.

Fixes #513, #1414. Thanks, @youngnick.

TCPProxy delegation

Contour 1.0.0-rc.2 now supports TCPProxy delegation. See the relevant section in the HTTPProxy documentation.

Fixes #1655.

Envoy keepalive tuning

Contour 1.0.0-rc.2 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection, the other side never gets the message).

The common theme was that the affected clusters were using an overlay network, which suggested the overlay was timing out long-running TCP connections. Contour 1.0.0-rc.2 configures various keepalive mechanisms to detect networking issues between Envoy and Contour.

This fix is also included in Contour 0.15.3 and later.

Fixes #1744. Thanks @youngnick, @bgagnon, and @ravilr.

Contour now waits for a full cache

Contour now delays serving traffic to Envoy until each of the API informers has caught up to the API server. This change reduces the likelihood that Envoy connects to a Contour instance that is still starting up and thus observes an incomplete view of the cluster.

Updates #1280. Thanks @jpeach and @stevesloka.

Minor improvements

  • The ability to write the bootstrap configuration to standard out via contour bootstrap -- - has been added. Thanks @jpeach.
  • Contour now validates that TLS certificates either bear the type kubernetes.io/tls or, in the case of upstream validation certificates, contain a non-empty ca.crt key. Fixes #1697. Thanks @jpeach.
  • x_trace_id has been added to the set of JSON loggable fields. Fixes #1734. Thanks @cw-sakamoto!
  • Obsolete Heptio branding has been removed from contour cli. Thanks @jpeach.
  • Contour is built with Go 1.13.3.

Bug fixes

TLS certificate validation improvements

Contour 1.0.0-rc.2 improves the TLS certificate validation added in rc.1. Contour is now less likely to reject valid certificates that contain unexpected elliptic curve parameters.

This fix is also included in Contour 0.15.2 and later.

Fixes #1702. With many thanks to @mattalberts for the report and the fix.

Minor bug fixes

  • Many documentation updates and improvements. Thanks @stevesloka, @youngnick, @jpeach.
  • Ingress, IngressRoute, and HTTPProxy route conditions are now properly ordered. Fixes #1579. Thanks @jpeach.
  • Incorrect, and as it turns out superfluous, settings removed from .travis.yml. Thanks @SDBrett.
  • The First Route custom field has been removed from the HTTPProxy CRD. Updates #1567. Thanks @youngnick.

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 1.0.0-rc.1 to Contour 1.0.0-rc.2.

contour - Contour 0.15.3

Published by davecheney almost 5 years ago

Contour 0.15.3 is a minor patch release for the Contour 0.15 series.

All Contour users should upgrade to Contour 0.15.3.

Improvements

Envoy keepalive tuning

Contour 0.15.3 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection but the other side never gets the message).

The common theme was that the affected clusters were using an overlay network, which suggested the overlay was timing out long-running TCP connections. Contour 0.15.3 configures various keepalive mechanisms to detect networking issues between Envoy and Contour.

Fixes #1744. Thanks @youngnick, @bgagnon, and @ravilr.

Upgrading

If you are already running Contour 0.15.2 the upgrade instructions are as follows:

  • Change the Contour image version to v0.15.3.
  • Change the Envoy image version to v1.11.2.

If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.

contour - Contour 0.15.2

Published by davecheney about 5 years ago

Contour 0.15.2 is a minor patch release for the Contour 0.15 series.

All Contour users should upgrade to Contour 0.15.2.

Bug fixes

TLS certificate validation improvements

Contour 0.15.2 now validates a wider set of TLS secrets, including those with EC PARAMETERS blocks.

Fixes #1702. Thanks @mattalberts.

Go 1.13.3

Contour 0.15.2 is built using Go 1.13.3.

Upgrading

If you are already running Contour 0.15.0 or 0.15.1 the upgrade instructions are as follows:

  • Change the Contour image version to v0.15.2.
  • Change the Envoy image version to v1.11.2.

If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.

contour - Contour 1.0.0-rc.1

Published by davecheney about 5 years ago

VMware is ebullient to present version 1.0.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!

Contour 1.0.0-rc.1 is the first release candidate on the path to Contour 1.0.

The current stable release at this time remains Contour 0.15.1.

New and improved

Contour 1.0.0-rc.1 contains many bug fixes and improvements, and moves the HTTPProxy CRD to v1.

HTTPProxy CRD v1

Contour 1.0.0-rc.1 promotes the HTTPProxy CRD to v1. HTTPProxy is now considered stable and our sincere hope is that, with the move to v1, any future changes to the CRD can be made in a backward-compatible manner.

The move from alpha1 to v1 has resulted in changes to per service health checking, load balancing strategy, and per route prefix rewriting.

Please see the upgrading document and HTTPProxy documentation for advice on upgrading HTTPProxy alpha1 CRDs to v1.

Prefix rewrite support removed

HTTPProxy v1 removes prefix rewriting support. The feature as implemented in HTTPProxy alpha1, and IngressRoute before it, was badly designed and it was not possible to address its limitations without a backwards incompatible change. Our intention is to design a more capable prefix rewrite replacement.

Prefix rewrite support continues to exist in the deprecated IngressRoute CRD. We won't be removing IngressRoute support until we have a replacement for prefixRewriting available in HTTPProxy.

Please follow #899 for the status of this issue.

networking.k8s.io/v1beta1 Ingress support

Support for the networking.k8s.io/v1beta1.Ingress object has been added.

Fixes #1685

contour.heptio.com annotations deprecated

As part of the move to the projectcontour.io namespace, the Heptio-branded contour.heptio.com annotations have been migrated to their respective projectcontour.io versions. The previous contour.heptio.com annotations should be considered deprecated. Contour will continue to support these deprecated forms for the moment. They will be removed at some point after Contour 1.0.

Client request timeout

The ability to specify a Contour wide request timeout has been added to the configuration file.

See the configuration file example for more information.

Fixes #1073. Thanks @youngnick.

TLS certificate validation

Contour 0.15.1 now attempts to validate the contents of a TLS certificate before presenting it to Envoy.
This validation only extends to asserting that the certificate is well-formed. Certificates that are expired, carry incorrect hostname details, or are otherwise well-formed but invalid are not rejected. IngressRoutes that reference invalid secrets will have their Status: fields set accordingly.

Fixes #1065

Envoy 1.11.2

See the Envoy 1.11.2 announcement for details on the vulnerabilities.

Minor improvements

  • make help target added. Thanks @jpeach.
  • Prefix conditions must start with a slash. Fixes #1628. Thanks @youngnick.
  • Duplicate HTTPProxy header conditions are now rejected. Fixes #1559. Thanks @youngnick.
  • HTTPProxy route or include blocks with more than one prefix condition are now rejected. Fixes #1611. Thanks @stevesloka.
  • The X-Request-Id header is now no longer removed from incoming requests. Fixes #1487.
  • HTTPProxy includes no longer require a namespace key. If no namespace is provided, the included HTTPProxy is inferred to be in the same namespace as its parent. Fixes #1574. Thanks @youngnick.

Bug fixes

Minor bug fixes

  • Prefix conditions no longer strip trailing slashes. Fixes #1597. Thanks @youngnick.
  • TCPProxy support now works with HTTPProxy. Fixes #1626. Thanks @stevesloka.
  • HTTPProxy TLSCertificateValidation was broken in beta.1, now it's not. Fixes #1639. Thanks @stevesloka.
  • We have published a supported release version policy. Fixes #1581.
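An added example, not Contour's own code, that implements the HTTPProxy rules listed in the minor improvements and bug fixes above (and repeated in the 1.0.0 notes): prefix conditions must start with a slash (#1628), a route or include block may carry at most one prefix condition (#1611), duplicate header conditions are rejected (#1559), trailing slashes are preserved when prefixes are joined (#1597), an include without a namespace inherits its parent's (#1574), and delegation to another root HTTPProxy is rejected (#865, from the 1.0.0 bug fixes). The struct and function names, the key used to detect duplicate header conditions and the exact prefix-joining rule are this example's assumptions, not Contour's API.

```go
// Added example, not Contour's code: type and function names are assumptions.
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Condition is a route or include match condition; exactly one of Prefix or
// Header is expected to be set.
type Condition struct {
	Prefix string
	Header *HeaderCondition
}

// HeaderCondition matches a request header by name and a substring of its value.
type HeaderCondition struct {
	Name     string
	Contains string
}

// Include references another HTTPProxy; Namespace may be omitted (#1574).
type Include struct {
	Name       string
	Namespace  string
	Conditions []Condition
}

// HTTPProxy carries only what the checks below look at. A non-empty
// VirtualHost marks the object as a root.
type HTTPProxy struct {
	Name, Namespace, VirtualHost string
	Includes                     []Include
}

// validateConditions enforces: prefix must start with "/" (#1628), at most one
// prefix per block (#1611), no duplicate header conditions (#1559). Treating
// same-name, same-value header conditions as duplicates is this example's
// reading of the rule.
func validateConditions(conds []Condition) error {
	prefixes := 0
	seen := map[string]bool{}
	for _, c := range conds {
		switch {
		case c.Prefix != "" && c.Header != nil:
			return errors.New("a condition may not set both prefix and header")
		case c.Prefix != "":
			if !strings.HasPrefix(c.Prefix, "/") {
				return fmt.Errorf("prefix %q must start with a slash", c.Prefix)
			}
			if prefixes++; prefixes > 1 {
				return errors.New("more than one prefix condition is not allowed")
			}
		case c.Header != nil:
			// HTTP header names are case-insensitive, so normalise before comparing.
			key := strings.ToLower(c.Header.Name) + "=" + c.Header.Contains
			if seen[key] {
				return fmt.Errorf("duplicate header condition on %q", c.Header.Name)
			}
			seen[key] = true
		default:
			return errors.New("empty condition")
		}
	}
	return nil
}

// joinPrefix concatenates an include prefix with a route prefix, collapsing the
// doubled slash at the seam but keeping a trailing slash the user wrote (#1597).
// The joining rule is this example's choice.
func joinPrefix(parent, child string) string {
	if child == "" {
		return parent
	}
	return strings.TrimSuffix(parent, "/") + child
}

// resolveInclude returns the namespace/name an include points at, inheriting
// the parent's namespace when none is given.
func resolveInclude(parent HTTPProxy, inc Include) (string, string) {
	if inc.Namespace == "" {
		return parent.Namespace, inc.Name
	}
	return inc.Namespace, inc.Name
}

// validateIncludes checks each include's conditions and rejects delegation to
// another root HTTPProxy (#865). proxies is keyed by "namespace/name".
func validateIncludes(parent HTTPProxy, proxies map[string]HTTPProxy) error {
	for _, inc := range parent.Includes {
		if err := validateConditions(inc.Conditions); err != nil {
			return fmt.Errorf("include %s: %w", inc.Name, err)
		}
		ns, name := resolveInclude(parent, inc)
		child, ok := proxies[ns+"/"+name]
		if !ok {
			return fmt.Errorf("include %s/%s: target not found", ns, name)
		}
		if child.VirtualHost != "" {
			return fmt.Errorf("include %s/%s: delegation to another root HTTPProxy is not allowed", ns, name)
		}
	}
	return nil
}

func main() {
	fmt.Println(validateConditions([]Condition{{Prefix: "api"}}))
	fmt.Println(validateConditions([]Condition{{Prefix: "/a"}, {Prefix: "/b"}}))
	fmt.Println(joinPrefix("/api/", "/v1/"))
	root := HTTPProxy{Name: "root", Namespace: "prod", VirtualHost: "example.test",
		Includes: []Include{{Name: "blog", Conditions: []Condition{{Prefix: "/blog"}}}}}
	proxies := map[string]HTTPProxy{"prod/blog": {Name: "blog", Namespace: "prod"}}
	fmt.Println(validateIncludes(root, proxies)) // namespace inherited from parent
	proxies["prod/blog"] = HTTPProxy{Name: "blog", Namespace: "prod", VirtualHost: "other.test"}
	fmt.Println(validateIncludes(root, proxies)) // root delegating to another root is rejected
}
```

The root check matters for the delegation model: a team that owns a non-root HTTPProxy must not be able to reach into a virtualhost by having a root include another root, so the resolver refuses before any route is merged.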

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 1.0.0-beta.1 to Contour 1.0.0-rc.1.

contour - Contour 0.15.1

Published by davecheney about 5 years ago

Contour 0.15.1 is a minor patch release for the Contour 0.15 series.

All Contour users should upgrade to Contour 0.15.1 and Envoy 1.11.2.

Envoy 1.11.2

See the Envoy 1.11.2 announcement for details on the vulnerabilities.

See the upgrading section below for details.

X-Request-Id

Contour 0.15.1 preserves the X-Request-Id header if present in the client request.

Fixes #1487

TLS certificate validation

Contour 0.15.1 now attempts to validate the contents of a TLS certificate before presenting it to Envoy.
This validation only extends to asserting that the certificate is well-formed. Certificates that are expired, carry incorrect hostname details, or are otherwise well-formed but invalid are not rejected. IngressRoutes that reference invalid secrets will have their Status: fields set accordingly.

Fixes #1065
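An added example, not Contour's own code, of the well-formedness check these notes describe: the validation introduced here in 0.15.1 (and carried into 1.0.0-rc.1 and 1.0.0), the rule from 1.0.0 that a secret must bear the type kubernetes.io/tls or carry a non-empty ca.crt, and the 0.15.2 fix for keys with EC PARAMETERS blocks (#1702). It uses only the Go standard library. The Secret type, validateSecret, naiveKeyCheck and the constructed self-signed certificate are assumptions of this example; naiveKeyCheck stands in for the kind of first-PEM-block-only check that would reject a valid key preceded by an EC PARAMETERS block. The sample certificate is generated already expired to show that, as the notes say, well-formed but invalid certificates are not rejected.

```go
// Added example, not Contour's code: Secret, validateSecret and naiveKeyCheck are assumptions.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Secret mirrors the parts of a Kubernetes Secret the check needs.
type Secret struct {
	Type string
	Data map[string][]byte
}

// validateSecret reports nil when the Secret is well-formed enough to hand to
// Envoy. It deliberately asserts nothing about expiry or hostnames.
func validateSecret(s Secret) error {
	if s.Type == "kubernetes.io/tls" {
		crt, key := s.Data["tls.crt"], s.Data["tls.key"]
		if len(crt) == 0 || len(key) == 0 {
			return errors.New("kubernetes.io/tls secret must contain tls.crt and tls.key")
		}
		// tls.X509KeyPair skips PEM blocks that are neither certificates nor keys
		// (for example a leading "EC PARAMETERS" block) and only checks that the
		// key matches the certificate; it does not evaluate NotBefore/NotAfter.
		if _, err := tls.X509KeyPair(crt, key); err != nil {
			return fmt.Errorf("invalid tls.crt/tls.key pair: %w", err)
		}
		return nil
	}
	// Upstream validation secrets need a non-empty, PEM-parseable ca.crt.
	ca := s.Data["ca.crt"]
	if len(ca) == 0 {
		return errors.New("secret is neither kubernetes.io/tls nor carries a non-empty ca.crt")
	}
	if block, _ := pem.Decode(ca); block == nil || block.Type != "CERTIFICATE" {
		return errors.New("ca.crt does not contain a PEM CERTIFICATE block")
	}
	return nil
}

// naiveKeyCheck is the over-strict shape of check the 0.15.2 notes allude to:
// it insists the first PEM block in tls.key is the private key, so a leading
// EC PARAMETERS block makes a perfectly valid key look malformed.
func naiveKeyCheck(key []byte) error {
	block, _ := pem.Decode(key)
	if block == nil || block.Type != "EC PRIVATE KEY" {
		return errors.New("first PEM block is not an EC PRIVATE KEY")
	}
	return nil
}

// selfSigned builds a constructed self-signed ECDSA certificate and key in PEM
// form as sample input; notAfter in the past yields an expired certificate.
func selfSigned(notAfter time.Time) (certPEM, keyPEM []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err) // constructed sample input; failure here is a programming error
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// withECParams prefixes a key with an "EC PARAMETERS" block, as some tooling does.
func withECParams(keyPEM []byte) []byte {
	// Constructed block: the DER-encoded OID for the P-256 curve.
	params := pem.EncodeToMemory(&pem.Block{Type: "EC PARAMETERS",
		Bytes: []byte{0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}})
	return append(params, keyPEM...)
}

func main() {
	crt, key := selfSigned(time.Now().Add(-time.Hour)) // already expired
	tlsSecret := Secret{Type: "kubernetes.io/tls", Data: map[string][]byte{"tls.crt": crt, "tls.key": key}}
	fmt.Println("expired but well-formed:", validateSecret(tlsSecret))
	fmt.Println("naive check, EC PARAMETERS key:", naiveKeyCheck(withECParams(key)))
	tlsSecret.Data["tls.key"] = withECParams(key)
	fmt.Println("tolerant check, EC PARAMETERS key:", validateSecret(tlsSecret))
}
```

The point for operators is the scope of the check: it keeps a malformed secret from being pushed to Envoy and surfaces the problem in the object's Status, but an expired or mis-named certificate still passes and must be caught by certificate monitoring elsewhere.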

Go 1.13.1

Contour 0.15.1 is built using Go 1.13.1.

Upgrading

If you are already running Contour 0.15.0 the upgrade instructions are as follows:

  • Change the Contour image version to v0.15.1.
  • Change the Envoy image version to v1.11.2.

If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.

contour - Contour 1.0.0 beta 1

Published by davecheney about 5 years ago

VMware is proud to present version 1.0.0-beta.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!

Contour 1.0.0-beta.1 is the first beta release along the path to Contour 1.0.

The current stable release at this time remains Contour 0.15.0.

New and improved

Contour 1.0.0-beta.1 contains many bug fixes and improvements.

HTTPProxy CRD

Over a year ago Contour 0.6 introduced a new CRD, IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilising modern web development patterns in multi-tenant Kubernetes clusters.

As part of preparations for bringing Contour to 1.0, IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.

HTTPProxy brings with it two new concepts, inclusion and conditions, both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and of our limited support for prefix-based matching.

For more information, please consult the HTTPProxy documentation.

None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.

IngressRoute deprecation

With the introduction of HTTPProxy, IngressRoute CRD is now marked as deprecated.

The IngressRoute CRD will be supported in its current state until the Contour 1.0.0 release and will be removed shortly after.

For more information, please read the IngressRoute to HTTPProxy upgrade guide.

Logging changes

By default Envoy emits request logs in its own format. See the Envoy docs for details.

Contour 1.0.0-beta.1 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.

Please see the documentation and design document for more information.

Fixes #624. Thanks @youngnick.
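An added example, not Contour's or Envoy's code, of consuming the JSON access logs this option turns on (the same option is described again in the 1.0.0 notes): it parses log lines and summarises them by status class, by responses Envoy generated itself (non-empty response_flags) and by the request ids behind every 5xx, which is the kind of correlation the default text format makes awkward. The sample lines are constructed for this example and, apart from x_trace_id which the 1.0.0 notes name, the field names are an assumption about the JSON field set rather than a statement of Contour's documented defaults.

```go
// Added example, not Contour's or Envoy's code: field names are assumed, sample lines are constructed.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AccessLogEntry holds the fields this consumer cares about; fields it does
// not declare are ignored by encoding/json.
type AccessLogEntry struct {
	Timestamp     string `json:"@timestamp"`
	Method        string `json:"method"`
	Path          string `json:"path"`
	Authority     string `json:"authority"`
	ResponseCode  int    `json:"response_code"`
	ResponseFlags string `json:"response_flags"`
	RequestID     string `json:"request_id"`
	TraceID       string `json:"x_trace_id"`
	UpstreamHost  string `json:"upstream_host"`
}

// Summary is what an operator wants at a glance: counts per status class,
// how many responses Envoy produced itself rather than the upstream, and the
// request ids of every 5xx so they can be correlated with traces.
type Summary struct {
	ByClass        map[string]int
	EnvoyGenerated int
	ServerErrorIDs []string
}

// parseLine decodes one JSON access log line.
func parseLine(line string) (AccessLogEntry, error) {
	var e AccessLogEntry
	err := json.Unmarshal([]byte(line), &e)
	return e, err
}

// summarize folds a batch of log lines into a Summary. Blank lines are
// skipped and malformed lines are counted under "malformed" rather than
// aborting the batch, so one bad line cannot hide the rest.
func summarize(lines []string) Summary {
	s := Summary{ByClass: map[string]int{}}
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		e, err := parseLine(line)
		if err != nil {
			s.ByClass["malformed"]++
			continue
		}
		s.ByClass[fmt.Sprintf("%dxx", e.ResponseCode/100)]++
		// Envoy writes "-" when it set no response flag of its own.
		if e.ResponseFlags != "" && e.ResponseFlags != "-" {
			s.EnvoyGenerated++
		}
		if e.ResponseCode >= 500 {
			s.ServerErrorIDs = append(s.ServerErrorIDs, e.RequestID)
		}
	}
	return s
}

// sampleLog is constructed input for this example, not captured from a real cluster.
const sampleLog = `
{"@timestamp":"2019-11-11T10:00:00.000Z","method":"GET","path":"/","authority":"example.test","response_code":200,"response_flags":"-","request_id":"req-1","x_trace_id":"trace-1","upstream_host":"10.0.0.5:8080"}
{"@timestamp":"2019-11-11T10:00:01.000Z","method":"POST","path":"/login","authority":"example.test","response_code":503,"response_flags":"UH","request_id":"req-2","x_trace_id":"trace-2","upstream_host":"-"}
{"@timestamp":"2019-11-11T10:00:02.000Z","method":"GET","path":"/missing","authority":"example.test","response_code":404,"response_flags":"-","request_id":"req-3","x_trace_id":"trace-3","upstream_host":"10.0.0.6:8080"}
not json at all
`

func main() {
	s := summarize(strings.Split(sampleLog, "\n"))
	fmt.Printf("by class: %v\nenvoy-generated: %d\n5xx request ids: %v\n",
		s.ByClass, s.EnvoyGenerated, s.ServerErrorIDs)
}
```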

Leadership improvements

Leader election no longer blocks the opening of the xDS serving port. All Contours serve xDS; leadership only controls which Contour writes status updates. This work is ongoing and is documented in #1385.

Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default.
This can be changed using the config file.

Because of this, rolling updates will now complete, and the example Contour Deployment has been reverted to the RollingUpdate strategy.

Contour image registry changes

Contour's image registry has moved from gcr.io/heptio-images/contour to docker.io/projectcontour/contour.

The v1.0.0-beta.1 tag is only available in docker.io/projectcontour/contour.

For convenience, the :v0.15.0 and :latest tags are available in both repositories. Once Contour 1.0.0 final is released, the :latest tag will move to docker.io/projectcontour/contour. Even if you are remaining on :latest or :v0.15.0 until the final release of Contour 1.0.0, please update your image locations to docker.io/projectcontour/contour:v0.15.0 or docker.io/projectcontour/contour:latest respectively.

GitHub organization changes

Contour's source code has moved from github.com/heptio/contour to github.com/projectcontour/contour.

GitHub is pretty good about redirecting people for a time, but eventually the github.com/heptio organization will go away and redirects will cease. Please update your bookmarks.

Contour namespace changes

Contour's default namespace has changed from heptio-contour to projectcontour.

Deprecated examples/

Several of the examples/ sample manifests have been removed as part of the preparations for the 1.0.0 release.

TLS Passthrough and HTTP redirect

Under certain circumstances it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.

For more information see #910 and #1450.

Per route traffic mirroring

Per route, a service can be nominated as a mirror. The mirror service will receive a copy of the traffic sent to any non-mirror service. The mirrored traffic is considered read-only; any response from the mirror is discarded.

Fixes #459

Per route idle timeout

Per route idle timeouts can be configured via the HTTPProxy CRD.

Fixes #944

Contour ignores unrelated Secrets

Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations.
This substantially reduces the number of updates processed by Contour.

Fixes #1372

Contour filters Endpoint updates

Contour now supports filtering update notifications in some circumstances. Specifically, Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates sent to Envoy.

Updates #426, #499

Minor improvements

  • The contour binary now executes a graceful shutdown when sent SIGTERM. Thanks @alexbrand. Fixes #1364.
  • Contour now preserves the X-Request-Id header if present. Fixes #1509.
  • Contour's quickstart documentation now references the current stable version of Contour. Fixes #952.
  • Contour will no longer present a secret via SDS if that secret is not referenced by a valid virtualhost. #1165
  • The envoyproxy/go-control-plane package has been upgraded to version 0.9.0. go-control-plane 0.9.0 switches to the google/protobuf library, which results in a 4 MB smaller binary. Neat.
  • Our CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
  • The markup of several of our pages has been corrected to render properly on GitHub. Thanks @sudeeptoroy.
  • Envoy's /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
  • IngressRoute objects now forbid * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
  • Contour is built with Go 1.13.1.

Bug fixes

Contour will no longer serve a broken TLS virtualhost over HTTP

In the case where an IngressRoute had a missing or invalid TLS secret Contour would serve the IngressRoute over HTTP. Contour now detects the case where a TLS enabled IngressRoute is missing its certificate and will not present the virtualhost over HTTP or HTTPS.

Fixes #1452

Minor bug fixes

  • Contour now rejects IngressRoute and HTTPProxy objects that delegate to another root IngressRoute or HTTPProxy object. Fixes #865.
  • An error where IngressRoute's status is not set when it references an un-delegated TLS cert has been fixed. Fixes #1347.

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 0.15 to Contour 1.0.0-beta.1

contour - Contour v0.15.0

Published by davecheney about 5 years ago

VMware is proud to present version 0.15 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!

All Contour users should upgrade to Contour 0.15.0 and Envoy 1.11.1 as there are some tasty HTTP/2 vulnerabilities which you really should patch.

New and improved

Contour 0.15 includes several new features as well as the usual smattering of fixes and minor improvements.

HTTP/2 CVEs

A number of CVEs related to HTTP/2 have been addressed by Envoy.

See the Envoy 1.11.1 announcement for details on the vulnerabilities.

As Envoy has not provided fixes for Envoy 1.10 and earlier, all Contour users should also upgrade to Envoy 1.11.1.

Leader election

Contour 0.15 now supports leader election. In leader election mode only one Contour pod in a deployment, the leader, will open its gRPC endpoint to serve requests from Envoy. All other Contours will continue to watch the API server but will not serve gRPC until they become the leader. Leader election can be used to ensure that all Envoys take their configuration from a single Contour instance.

Leader election is currently opt in. In future versions of Contour we plan to make leader election mode the default.

For more information please consult the upgrading document.

Thanks @youngnick

Opting in to, or out of, gRPC TLS authentication is now required

In Contour 0.14 support was added for mTLS communication between Contour and Envoy. Contour 0.15 now requires all users to either supply gRPC TLS information, or use contour serve --insecure to opt out of mTLS.

If you do not supply TLS details or --insecure, contour serve will not start.

For more information please consult the upgrading document.

Thanks @youngnick

Contour configuration file

Contour 0.15 supports passing configuration to Contour via a configuration file. The configuration file is intended to specify configuration that applies per Contour installation. Per Ingress or per Route configuration continues to be drawn from the objects and CRDs in the Kubernetes API server.

TLS minimum protocol version

Contour 0.15 supports supplying an installation-wide minimum TLS protocol version. This setting can be used by administrators to raise the minimum TLS version used by TLS-enabled virtual hosts managed by Contour.

The tls.minimimProtocolVersion field in the configuration file controls the minimum protocol version used.

Disable permitInsecure setting

Contour 0.15 supports disabling the permitInsecure IngressRoute setting. This setting can be used by administrators to prevent IngressRoute users from presenting port 80 as an alternative to HTTPS.

Setting disablePermitInsecure to true will cause Contour to ignore the permitInsecure field on IngressRoute objects.

Fixes #864. Thanks @stevesloka

Contour ignores unrelated Secrets and Services

Contour 0.15 ignores updates to Secret and Service documents that are not referenced by an active Ingress or IngressRoute object. This significantly reduces the number and frequency of configuration updates sent to Envoy.

Updates #499.

Contour no longer presents misconfigured routes

In earlier versions of Contour, using the v1.Ingress object, it was possible to present a route which had no active Service if the Service named in the Ingress document was not present. When this occurred Envoy would respond to the route, but always return 503.

Contour 0.15 fixes this bug and will not present routes if their corresponding Service is missing. As a result, if the misconfigured route was the only route present on the virtual host, the virtual host itself will not be presented. If this was the only virtual host configured for a listening port (HTTP or HTTPS) then Contour 0.15 will not open the respective port.

This is not considered a loss of functionality as the only reason this port was open was to present a virtual host whose sole purpose was to return 503 for any request. However, some users may be relying on this functionality for health checking Envoy itself. If this is the case you should consider switching to a readinessProbe on the Envoy pod itself.

For more discussion see #389

Minor improvements

  • Contour now reports Envoy's failure to apply a configuration update. Please raise issues if you see ERRORs in your Contour logs. Updates #1176.
  • Contour's holdoff timer has been refactored so that it no longer reports a decades-long first update event.
  • Contour now sets a status message on an IngressRoute that incorrectly combines multiple backends and websockets. Updates #732. Thanks @stevesloka.
  • client-go has been upgraded to version 12. Fixes #1213. Thanks @DylanGraham.
  • envoyproxy/go-control-plane has been upgraded to v0.8.2. Fixes #1236.
  • Contour is built with Go 1.12.9.

Bug fixes

Ingress.Path regular expression support restored

Contour 0.15 fixes a problem where regular expressions in Ingress spec.[]rules.http.[]paths.path values were interpreted as prefixes. This has likely been broken since at least Contour 0.5 (possibly earlier 😳).

Note: IngressRoute does not support regular expression matching; this feature is only present in the Kubernetes Ingress object.

This bug was fixed in Contour 0.14.1.
For more information see #1243.

Thanks @stevesloka

Contour crash if /tmp is not available

The glog (now klog) library would attempt to write to disk if not properly initialised. Contour 0.15 properly initialises klog to prevent this issue, which is caused by a horrendous API footgun.

This bug was fixed in Contour 0.14.2.
For more information see #1279.

Thanks to @so0k for the report and @mattalberts for the fix.

Other bug fixes

  • Contour no longer hangs during shutdown if the gRPC server was not the goroutine triggering the shutdown. Fixes #1361.
  • The preStop hooks in our examples/ have been corrected to work around the lack of wget in the Envoy image. Fixes #1254.
  • IngressRoute validation has been extended to prevent passing a non-integer in the spec.tcpproxy.port field. Fixes #1336.

Upgrading

Please consult the Upgrading document for further information on upgrading from Contour 0.14 to Contour 0.15.

contour - Contour v0.14.2

Published by davecheney about 5 years ago

Contour 0.14.2 is a bug fix and security release for the Contour 0.14 series.

All Contour users should upgrade to Contour 0.14.2.

HTTP/2 CVEs

A number of CVEs related to HTTP/2 have been addressed by Envoy.

See the Envoy 1.11.1 announcement for details on the vulnerabilities.

As Envoy has not provided fixes for Envoy 1.10 and earlier, all Contour users should upgrade to Envoy 1.11.1. As Contour and Envoy have a close coupling between versions, all Contour users should upgrade to Contour 0.14.2 at the same time.

See the upgrading section below for details.

Go 1.12.8

A similar set of issues related to HTTP/2 and URL parsing has been addressed in Go 1.12.8.

See the Go 1.12.8 announcement for details on the vulnerabilities.

Contour 0.14.2 is built using Go 1.12.8 to mitigate these issues.

Contour crash if /tmp is not available

The glog (now klog) library would attempt to write to disk if not properly initialised. Contour 0.14.2 properly initialises klog to prevent this issue. Fixes #1279. Thanks to @so0k for the report and @mattalberts for the fix.

Upgrading

If you are already running Contour 0.14.0, or 0.14.1, the upgrade instructions are as follows:

  • Change the Contour image version to gcr.io/heptio-images/contour:v0.14.2.
  • Change the Envoy image version to docker.io/envoyproxy/envoy:v1.11.1.

If you are running Contour 0.13.0 or earlier, please see the release notes for the previous release.

contour - Contour v0.14.1

Published by davecheney about 5 years ago

Contour 0.14.1 is a bug fix release for the recently released Contour 0.14.0.

All Contour users should upgrade to Contour 0.14.1.

Bugs fixed (vs Contour 0.14.0)

Contour 0.14.1 fixes a problem where regular expressions in Ingress spec.[]rules.http.[]paths.path values were interpreted as prefixes. This has likely been broken since at least Contour 0.5 (possibly earlier 😳).

Note: IngressRoute does not support regular expression matching; this feature is only present in the Kubernetes Ingress object.

This bug is fixed in Contour 0.14.1. All Contour users should upgrade to Contour 0.14.1.

For more information see #1243.

Thanks @stevesloka

Upgrading

If you are already running Contour 0.14.0, there are no specific upgrade instructions save changing the image tag to v0.14.1.

If you are running Contour 0.13.0 or earlier, please see the release notes for the previous release.

contour - Contour v0.14.0

Published by stevesloka over 5 years ago

VMware is proud to present version 0.14 of Contour, our Envoy powered Kubernetes Ingress Controller.
As always, without the help of the many community contributors this release would not have been possible. Thank you!

New and improved

Contour 0.14 includes several new features as well as the usual smattering of fixes and minor improvements.

Secure, authenticated communication between Envoy and Contour

Historically the privacy and security of the communication between Envoy and Contour was handled by deploying both containers in the same pod and with traffic passing over the loopback interface. However this is not the only way in which Envoy and Contour can be deployed.

For example, administrators may wish to deploy Envoy in a DaemonSet independent from Contour's Deployment. In this mode the communication between Envoy and Contour did not (until 0.14) require authentication and any process that knew the address of Contour's xDS endpoint could connect and ask for configuration as if it were Envoy.

Contour 0.14 adds the ability to secure the communication between Contour and Envoy and to authenticate the clients connecting to a Contour server by using SSL client certificate authentication (sometimes referred to as mTLS).

For more information please refer to the Generating example gRPC TLS certificates documentation and the design document.

Fixes #862. Thanks @youngnick.

Split Contour deployment and Envoy daemonset

Following from the previous enhancement the ds-hostnet-split example has been enhanced to use mTLS between Envoy and Contour.
This is accomplished via a one shot Job which will generate the CA and certificate material.

For more information refer to the Contour Deployment with Split Pods documentation and the /examples/ds-hostnet-split sample YAML.

Fixes #881. Thanks @youngnick.

Some contour serve configuration can be supplied via configuration file

In order to support new configuration options for logging in 0.15, contour serve now takes a -c config.json flag.

Fixes #1130

Other improvements

  • Contour no longer creates a broken route if the backend service is missing. Fixes #520. Thanks @stevesloka.
  • The sample Grafana graph now reports latency metrics in seconds and not milliseconds. Thanks @mwhittington21.
  • Documentation for minikube and kind has been updated. Thanks @stevesloka.
  • glog has finally been expunged from Contour's dependency list along with the horrible hacks it required. Good riddance.
  • Contour is now built with Go 1.12.7.

Bugs fixed

  • Contour no longer permits * in the spec.virtualhost.fqdn as * has a special meaning to Envoy which we did not intend to expose. Fixes #1167. Thanks @odacremolbap
  • A bug which caused Contour to continually send updates to Envoy when an invalid secret was referenced from an Ingress or IngressRoute record has been fixed. Fixes #1206. Thanks @stevesloka.

Upgrading

  • The --envoy-external-http-port and --envoy-external-https-port flags have been removed in 0.14.0. There is no replacement; the flags are no longer required and must be removed from your deployment YAML.
  • Contour 0.14 requires Envoy 1.10.0.
    docker.io/envoyproxy/envoy:v1.10.0
    
    We're aware of the recent release of Envoy 1.11.0, however as Contour 0.14 does not contain any code to activate new features in Envoy 1.11.0 we have opted to stay on Envoy 1.10.0 for Contour 0.14. Upgrading to Envoy 1.11.0 will happen during the Contour 0.15 cycle. See #1242 for more information.
    Versions of Envoy later than 1.10.0 are not tested and not guaranteed to work with Contour 0.14.0.

contour - Contour v0.13.0

Published by stevesloka over 5 years ago

VMware is proud to present version 0.13 of Contour, our Envoy powered Kubernetes Ingress Controller. As always, without the help of the many community contributors, this release would not have been possible. Thank you!

New and improved

Contour 0.13 includes several new features as well as the usual smattering of fixes and minor improvements.

Session Affinity

Session affinity, also known as sticky sessions, is a load balancing strategy whereby a sequence of requests from a single client is consistently routed to the same application backend. Contour 0.13.0 supports session affinity with the strategy: Cookie key on a per-service basis.

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: httpbin
  namespace: default
spec:
  virtualhost:
    fqdn: httpbin.davecheney.com
  routes:
  - match: /
    services:
    - name: httpbin
      port: 8080
      strategy: Cookie

See the design document and IngressRoute documentation for more information.

Service ExternalNames are now supported

Contour now supports proxying traffic to Services which use service.spec.externalName.
When service.spec.externalName is defined, DNS is used to discover the service's external endpoints.

Both HTTP and TCP ExternalNames are supported.

See the design document and Kubernetes' Service documentation for more information.

Fixes #334. Thanks @stevesloka.

Sample deployment/ YAML examples moved to examples/

Since our 0.1 release Contour has always included in the repository sample YAML for various configurations.
These were always intended to be examples, and this is how the Contour team always perceived them.
However, we did a bad job of communicating this to our user base, which we are now trying to correct.

In operation, nothing has changed with the sample YAML other than it has moved from deployment/ to examples/ to make clear that these are in fact simply examples.

Fixes #1118. Many thanks to @rochacon.

--envoy-external-http-port and --envoy-external-https-port flags have been deprecated

Due to a long-standing limitation in Envoy, if Contour was deployed on ports other than the traditional 80 (HTTP) and 443 (HTTPS), operators were required to pass to Envoy, via --envoy-external-http-port and --envoy-external-https-port, the non-standard ports that were in use. This was annoying in practice and restricted the use of local development tools like Minikube and Kind.

Contour 0.13.0 introduces a workaround for envoyproxy/envoy#1269, that removes the need to inform Envoy of external ports that will be forwarded to it. In turn, this should make it easier to deploy Contour inside Kind or Minikube clusters.

As they are no longer needed, the --envoy-external-http-port and --envoy-external-https-port flags now generate a warning if used and will be removed completely in 0.14.0.

Fixes #210. Thanks @youngnick.

force-ssl-redirect now takes precedence over the ingress.allow-http annotation

The behavior when the kubernetes.io/ingress.allow-http and ingress.kubernetes.io/force-ssl-redirect annotations were both specified was somewhat surprising. ingress.allow-http: false meant that no routes were registered for port 80, even if force-ssl-redirect: true was set, leading to a 404 where a 3xx upgrade to HTTPS was expected.

Contour 0.13.0 now prioritizes force-ssl-redirect. If this annotation is specified and set to true, Contour will always register a port 80 route for the ingress, even if ingress.allow-http: false, so that the forced upgrade can take effect.

Fixes #1023 with many thanks to @ceralena.

Maglev and RingHash load balancer strategies no longer supported.

RingHash and Maglev are two balancing/affinity strategies offered by IngressRoute. However, due to a lack of understanding of how they worked when they were added in Contour 0.6, neither strategy was properly configured and would only result in random behavior.
Without the ability to configure the hash key, which is usually some form of a session cookie, these strategies are not useful and cannot be used correctly.
As such they have been removed from the list of valid strategies.

For their replacement, see the earlier section on Session Affinity.

Fixes #1030 and #1150
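The cookie strategy above and the reason RingHash and Maglev were dropped, as one added Go model that is neither Contour's nor Envoy's code: a consistent-hash ring with an affinity cookie as the hash key, beside the same ring driven with no key at all. Backend names, the replica count and the cookie format are constructed for the example; the real cookie name and TTL are set by Contour's Envoy configuration and are not modelled here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"hash/fnv"
	"sort"
)

// node is one position on the hash ring: the hash of "backend#replica".
type node struct {
	hash    uint32
	backend string
}

// ring is a consistent-hash ring of the kind a ring hash balancer builds:
// each backend gets several virtual nodes so that load spreads evenly and
// removing one backend only moves the keys that were mapped to it.
type ring []node

func hashOf(s string) uint32 {
	h := fnv.New32a()
	h.Write([]byte(s))
	return h.Sum32()
}

func newRing(backends []string, replicas int) ring {
	var r ring
	for _, b := range backends {
		for i := 0; i < replicas; i++ {
			r = append(r, node{hash: hashOf(fmt.Sprintf("%s#%d", b, i)), backend: b})
		}
	}
	sort.Slice(r, func(i, j int) bool { return r[i].hash < r[j].hash })
	return r
}

// pick walks clockwise from the key's hash to the next node on the ring.
func (r ring) pick(key string) string {
	h := hashOf(key)
	i := sort.Search(len(r), func(i int) bool { return r[i].hash >= h })
	if i == len(r) {
		i = 0 // wrap around to the smallest node
	}
	return r[i].backend
}

// Decision is what the proxy does with one request.
type Decision struct {
	Backend   string
	SetCookie string // non-empty when the client had no affinity cookie yet
}

// route models strategy: Cookie. A client arriving without the cookie is
// handed a fresh random value, which becomes the hash key for this and every
// later request, so the same cookie always lands on the same backend.
func route(r ring, cookie string) Decision {
	if cookie == "" {
		buf := make([]byte, 16)
		if _, err := rand.Read(buf); err != nil {
			panic(err)
		}
		cookie = hex.EncodeToString(buf)
		return Decision{Backend: r.pick(cookie), SetCookie: cookie}
	}
	return Decision{Backend: r.pick(cookie)}
}

// routeWithoutKey is what the removed RingHash/Maglev strategies amounted to:
// a hash-based balancer with nothing configured to hash, so every request is
// keyed on a throwaway value and no affinity is possible.
func routeWithoutKey(r ring) string {
	return route(r, "").Backend
}

func main() {
	r := newRing([]string{"httpbin-0", "httpbin-1", "httpbin-2"}, 64)
	first := route(r, "")
	fmt.Printf("first request  -> %s, Set-Cookie: %s\n", first.Backend, first.SetCookie)
	fmt.Printf("second request -> %s (cookie replayed)\n", route(r, first.SetCookie).Backend)
	fmt.Printf("no hash key    -> %s, %s, %s\n", routeWithoutKey(r), routeWithoutKey(r), routeWithoutKey(r))
}
```

The second property the ring gives you is worth checking in practice: when a backend disappears, only the cookies that were pinned to it are re-homed, everything else keeps its backend.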

HTTP and TCP idle timeouts

Contour 0.13.0 configures an explicit timeout for all idle HTTP and TCP proxy connections. As the definition of idle differs between HTTP and TCP modes the values are different.

  • For HTTP an idle timeout of 60 seconds is configured for all connections. After 60 seconds a connection without activity will be closed.
  • For TCP proxy, idle connections are expected to stay open longer, thus the idle timeout is set to 9001 seconds. This value is larger than the default TCP keepalive timeout on most operating systems, so the most likely scenario is that the operating system will time out the connection before Envoy does. The Envoy idle timeout acts as a second line of defense to avoid leaking file descriptors.

Fixes #1045 and #1074. Thanks @mattalberts and @youngnick.

Envoy memory usage

As part of a continuing effort to characterize and reduce the amount of memory used by Envoy, Contour 0.13 contains several improvements and bug fixes intended to reduce Envoy's footprint.
This work will continue in 0.14 and onwards.

Fixes or updates #499, #876, #1096

Huge thanks to @lrouquette, @mattalberts, @phylake, and many more for their assistance.

IPv6 improvements

Contour now understands the IPv6-any address, "::", and when used Contour will instruct Envoy to open ports on both IPv4 and IPv6 stacks. For example:

command: ["contour"]
args:
- serve
- --incluster
- --envoy-service-http-port=8080
- --envoy-service-https-port=8443
- "--stats-address=::"
- "--envoy-service-https-address=::"
- "--envoy-service-http-address=::"

This makes it possible to use the same config for ipv4-only and ipv6-only k8s, and enables dual-stack.
Big thanks to @uablrek for improving the story for IPv6 only or dual stack Kubernetes clusters.

Other improvements

  • Envoy upgraded to 1.10.0. Thanks @stevesloka. Fixes #998.
  • IngressRoute now validates that a secret is valid before using it and sets the appropriate status on the IngressRoute object if not. Thanks @stevesloka
  • Envoy's stats listener is now generated programmatically by Contour rather than hardcoded in the bootstrap configuration. Thanks @stevesloka
  • Envoy 1.10.0 natively generates statistics in Prometheus format, removing the need for statsd. Fixes #1035, #1086. Thanks @rata and @stevesloka.
  • A document outlining the development workflow of the Contour team has been added. It may be informative to interested contributors. We've also updated our CONTRIBUTING document with some guidelines for commit and PR messages. Fixes #1136. Thanks @youngnick.
  • Contour now verifies that a TLS secret is of type kubernetes.io/tls and contains the required tls.crt and tls.key elements.

Bugs fixed

Contour 0.13 fixes a problem whereby Envoy could stall during startup if the cluster contains Services with no active pods. This situation is commonly encountered when a Service's Deployment has been scaled to zero replicas.

This fix was also backported to 0.12.1.

For more information see #1091 and #1110.

Additional bug fixes

  • The CRD validation for the spec.virtualhost.fqdn field has been adjusted once more. Fixes #755, #1117. Thanks @youngnick.
  • A broken link in our Zenhub documentation has been corrected. Fixes #1160. Thanks @paivagustavo.

Upgrading

  • The --envoy-external-http-port and --envoy-external-https-port flags are deprecated and will be removed in 0.14.0. There is no replacement; the flags are no longer required and should be removed from your deployment YAML.
  • Contour 0.13 requires Envoy 1.10.0.
    docker.io/envoyproxy/envoy:v1.10.0
    
    Versions of Envoy later than 1.10.0 are not tested and not guaranteed to work with Contour 0.13.0.
  • The strategy: Maglev and strategy: RingHash load balancer strategies have been removed. They never worked correctly and were functionally equivalent to strategy: Random. If cookie based routing is required, see the earlier section on Session Affinity.

contour - Contour v0.12.1

Published by davecheney over 5 years ago

Contour 0.12.1 is a bug fix release for the recently released Contour 0.12.0.

All Contour users should upgrade to Contour 0.12.1.

Bugs fixed (vs Contour 0.12.0)

Contour 0.12.1 fixes a problem whereby Envoy could stall during startup if the cluster contains Services with no active pods. This situation is commonly encountered when a Service's Deployment has been scaled to zero replicas.

This bug is fixed in Contour 0.12.1. All Contour users should upgrade to Contour 0.12.1.

For more information see #1091 and #1110.

Upgrading

If you are already running Contour 0.12.0, there are no specific upgrade instructions save changing the image tag to v0.12.1.

If you are running Contour 0.11.0 or earlier, please see the release notes for the previous release.

contour - Contour v0.12.0

Published by davecheney over 5 years ago

VMware is proud to present version 0.12 of Contour, our Envoy powered Kubernetes Ingress Controller. Again, without the help of the many community contributors, this wouldn't have been possible. Thank you!

New and improved

Contour 0.12 includes several new features as well as the usual smattering of fixes and minor improvements.

Support for per route backend timeouts and retries

Support for specifying backend timeouts and retries has been added to IngressRoute. These are enabled via the timeoutPolicy and retryPolicy keys, respectively, e.g.

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: request-timeout
  namespace: default
spec:
  virtualhost:
    fqdn: timeout.bar.com
  routes:
  - match: /
    timeoutPolicy:
      request: 1s
    retryPolicy:
      count: 3
      perTryTimeout: 150ms
    services:
    - name: s1
      port: 80

If timeoutPolicy is present then the backend service must complete processing the request in the duration specified. If timeoutPolicy is present without a request key, the timeout is inferred to be infinite. If no timeoutPolicy is present, Envoy will use its default timeout, which is currently 15s.

If retryPolicy is present and perTryTimeout is set, a request to a backend will be retried after the duration specified, up to the total request duration specified in timeoutPolicy (if present). By default the number of retries is 1, but it can be increased with the count key.

See the design document and IngressRoute documentation for more information.
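How the three settings interact, as an added Go illustration that is not Contour's code: a retry loop keyed on the IngressRoute names, with the per-try deadline nested inside the overall request budget so that whichever expires first cuts the attempt short, and the overall budget ends retrying regardless of count. The two simulated backends and their latencies are constructed; unlike Envoy, which retries only on its configured retry conditions, this model retries on any error.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Policy carries the three IngressRoute settings discussed above.
type Policy struct {
	Request       time.Duration // timeoutPolicy.request; 0 means no overall limit
	Count         int           // retryPolicy.count: retries after the first attempt
	PerTryTimeout time.Duration // retryPolicy.perTryTimeout; 0 means no per-try limit
}

// ErrRequestTimeout reports that the overall timeoutPolicy.request budget
// ran out, however many retries were still permitted.
var ErrRequestTimeout = errors.New("timeoutPolicy.request exceeded")

// Do calls attempt until it succeeds, the retries are exhausted, or the
// overall budget is spent. It returns the number of attempts made and the
// final error.
func Do(ctx context.Context, p Policy, attempt func(context.Context) error) (int, error) {
	if p.Request > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, p.Request)
		defer cancel()
	}
	attempts := 0
	var err error
	for attempts <= p.Count {
		tryCtx, cancelTry := ctx, context.CancelFunc(func() {})
		if p.PerTryTimeout > 0 {
			// The per-try deadline nests inside the overall one, so whichever
			// expires first cancels the attempt.
			tryCtx, cancelTry = context.WithTimeout(ctx, p.PerTryTimeout)
		}
		err = attempt(tryCtx)
		cancelTry()
		attempts++
		if err == nil {
			return attempts, nil
		}
		if ctx.Err() != nil {
			// The overall budget is gone: no further retries, whatever count says.
			return attempts, ErrRequestTimeout
		}
	}
	return attempts, err
}

// slowBackend simulates an upstream that answers after latency and honours
// cancellation, the way an HTTP client abandons a request whose context ends.
func slowBackend(latency time.Duration) func(context.Context) error {
	return func(ctx context.Context) error {
		select {
		case <-time.After(latency):
			return nil
		case <-ctx.Done():
			return ctx.Err()
		}
	}
}

// flakyBackend fails the first n attempts and then succeeds.
func flakyBackend(n int) func(context.Context) error {
	calls := 0
	return func(context.Context) error {
		calls++
		if calls <= n {
			return fmt.Errorf("attempt %d: upstream returned 503", calls)
		}
		return nil
	}
}

func main() {
	// The policy from the YAML above: 1s overall, 3 retries, 150ms per try.
	p := Policy{Request: time.Second, Count: 3, PerTryTimeout: 150 * time.Millisecond}
	n, err := Do(context.Background(), p, slowBackend(300*time.Millisecond))
	fmt.Printf("slow upstream:  %d attempts, err=%v\n", n, err) // 4 attempts, each cut off at 150ms
	n, err = Do(context.Background(), p, flakyBackend(2))
	fmt.Printf("flaky upstream: %d attempts, err=%v\n", n, err) // 3 attempts, err=<nil>
}
```

Note the asymmetry the model makes visible: a per-try deadline produces another attempt, an exhausted request budget does not, so a 300ms upstream behind a 400ms request timeout gets three attempts, not four, even with count set higher.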

Thanks to @rohandvora, @prasoontelang and @stevesloka.

Verification of TLS enabled backends

Contour 0.11 added support for enabling TLS communication between Envoy and backend services. Contour 0.12 adds the ability to verify that the backend pod Envoy communicates with is who it says it is. This is achieved in three steps.

  1. The backend Service must use TLS to communicate with Envoy. This is achieved with the contour.heptio.com/upstream-protocol.tls annotation on the Service document.
  2. The certificate authority used to issue the TLS certificate the backend service offers should be placed in a Secret in the same namespace as the IngressRoute and the Service, e.g.
     % kubectl create secret generic my-certificate-authority --from-file=./ca.key
  3. A validation key is added for each service in the matching route:
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: secure-backend
spec:
  virtualhost:
    fqdn: www.example.com
  routes:
    - match: /
      services:
        - name: service
          port: 8443
          validation:
            caSecret: my-certificate-authority
            subjectName: backend.example.com

Both the caSecret and subjectName keys are required.
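Both halves of the validation block, together with the installation-wide TLS minimum version from the Contour 0.15 notes, as one added Go example that is not Contour's code: a throwaway CA and backend certificate are generated in memory (standing in for the contents of caSecret and the backend's own certificate), verifyBackend applies the caSecret plus subjectName check that Envoy is asked to perform, and handshake runs a TLS handshake over an in-memory pipe against a server that enforces a version floor. The names example-ca and backend.example.com are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert creates a certificate for name signed by parent, or self-signed
// when parent is nil. It stands in for the CA and backend certificates an
// operator would produce with their own PKI.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the name the route's subjectName must match
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyBackend is the check the validation block asks for: the backend's
// certificate must chain to the CA held in caSecret and be issued for
// subjectName. Dropping either half leaves the upstream unauthenticated.
func verifyBackend(backend, ca *x509.Certificate, subjectName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := backend.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   subjectName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// handshake runs a TLS handshake over an in-memory pipe between a server that
// insists on serverMin and a client that offers at most clientMax, which is
// what an installation-wide minimum protocol version does to old clients.
// TLS 1.2 is the ceiling here because TLS 1.3 post-handshake messages do not
// suit the synchronous pipe.
func handshake(backend *x509.Certificate, key *ecdsa.PrivateKey, ca *x509.Certificate, serverMin, clientMax uint16) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv := &tls.Config{MinVersion: serverMin,
		Certificates: []tls.Certificate{{Certificate: [][]byte{backend.Raw}, PrivateKey: key}}}
	cli := &tls.Config{RootCAs: roots, ServerName: backend.DNSNames[0],
		MinVersion: tls.VersionTLS10, MaxVersion: clientMax} // deliberately permissive client
	c, s := net.Pipe()
	done := make(chan error, 1)
	go func() {
		done <- tls.Server(s, srv).Handshake()
		s.Close()
	}()
	err := tls.Client(c, cli).Handshake()
	c.Close()
	if serr := <-done; err == nil {
		err = serr
	}
	return err
}

func main() {
	ca, caKey := issueCert("example-ca", true, nil, nil)
	backend, backendKey := issueCert("backend.example.com", false, ca, caKey)
	fmt.Println("trusted CA, right name:", verifyBackend(backend, ca, "backend.example.com"))
	fmt.Println("trusted CA, wrong name:", verifyBackend(backend, ca, "other.example.com"))
	fmt.Println("TLS 1.1 client vs 1.2 floor:", handshake(backend, backendKey, ca, tls.VersionTLS12, tls.VersionTLS11))
	fmt.Println("TLS 1.2 client vs 1.2 floor:", handshake(backend, backendKey, ca, tls.VersionTLS12, tls.VersionTLS12))
}
```

A certificate for the right name from a CA that is not in caSecret fails the same way as a wrong name does, which is the point of requiring both keys.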

See the design document and the ingressroute documentation for more information.

Thanks again to @stevesloka

SDS xDS API

While not directly user facing Contour 0.12 adds support for Envoy's Secret Discovery Service (SDS) API.

In the future SDS support will aid in reducing the number of configuration changes sent from Contour to Envoy, and will enable secure communication between Contour and Envoy.

Thanks to @vaamarnath and Matt Alberts. Fixes #898.

AES128-* and AES256-* removed from the permitted ciphers list

Contour no longer offers ciphers matching AES128-* or AES256-* as they are considered to be weak. This improves the SSL Labs score for hosts secured by Contour.

See #1011 for more details

Thanks @yob

Sample grafana dashboard

The Contour distribution now includes a set of predefined Grafana dashboards. See deployment/grafana and deployment/prometheus for more information.

Thanks @stevesloka, @alexbrand and @rata.

Other improvements

  • regenerate CRDs. Thanks @unicell. Fixes #993.
  • force glog to write to stderr. Thanks @unicell. Updates #959
  • copy edit documentation. Thanks @lostllama.
  • fix issues regenerating CRDs after the switch to go modules. Thanks @glerchundi. Fixes #996
  • Contour now reports how many pending changes have been queued by the holdoff notifier. Thanks Matt Alberts.

Upgrading

  • Contour 0.12 requires Envoy 1.9.1.
    docker.io/envoyproxy/envoy:v1.9.1
    
    Previous versions of Envoy are not compatible with the configuration generated by Contour 0.11. If Envoy fails to start after upgrading Contour to 0.12 with an error similar to this, you have not upgraded Envoy to 1.9.1.
    [2019-04-08 01:54:58.396][000001][critical][main] [source/server/server.cc:86] error initializing configuration '/config/contour.json': Unable to parse JSON as proto (INVALID_ARGUMENT:normalize_path: Cannot find field.): {"codec_type":"AUTO","http_filters":[{"name":"envoy.health_check","config":{"headers":[{"name":":path","exact_match":"/healthz"}],"pass_through_mode":"false"}},{"name":"envoy.router"}],"stat_prefix":"stats","normalize_path":true,"route_config":{"virtual_hosts":{"routes":[{"match":{"prefix":"/stats"},"route":{"cluster":"service_stats"}}],"domains":["*"],"name":"backend"}}}
    [2019-04-08 01:54:58.397][000001][info][main] [source/server/server.cc:507] exiting
    
    Versions of Envoy later than 1.9.1 are not tested and not guaranteed to work with Contour 0.12.0.

contour - Contour v0.11.0

Published by davecheney over 5 years ago

VMware is proud to present version 0.11 of Contour, our Envoy powered Kubernetes Ingress Controller. As always, thank you to the many community contributors -- we literally couldn't do it without you!

Contour 0.11 addresses a path traversal security issue in Envoy 1.9.0. It is recommended that all users upgrade to Contour 0.11 and the corresponding Envoy 1.9.1 release.

New and improved

Contour 0.11 includes several new features and one important security patch.

Envoy 1.9.1 and CVE-2019-9901 mitigations

Envoy 1.9.0 and earlier are vulnerable to a path normalisation attack. For example, a remote attacker may craft a path with a relative path, e.g. /public/../admin, to bypass access control, e.g. a block on /admin. When deployed with Contour as an ingress controller this means traffic which was intended to be directed via one route may be sent to another via a denormalised request path.

The fix for this attack is available in Envoy 1.9.1, however it is not sufficient to simply upgrade Envoy, as path normalisation is currently opt-in. Contour 0.11.0 generates the correct configuration to secure Envoy 1.9.1 by requesting path normalisation for all routes.
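The matching pitfall described above, as an added illustration in Go that is neither Contour's nor Envoy's code: a prefix-routed virtual host is modelled with a small path normaliser, and the same request is routed once on the raw path (Envoy 1.9.0 behaviour) and once on the normalised path (what Contour 0.11 requests from Envoy 1.9.1). The route prefixes and cluster names are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// route is a prefix-matched route, listed in the order Envoy would evaluate
// it (most specific prefix first).
type route struct {
	prefix  string
	cluster string
}

// normalizePath resolves "." and ".." segments and collapses repeated slashes
// so that route matching sees the path the upstream will actually interpret.
// A trailing slash is preserved because "/admin" and "/admin/" may be distinct routes.
func normalizePath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	clean := path.Clean(p) // "/public/../admin" -> "/admin", "/a//b/./c" -> "/a/b/c"
	if strings.HasSuffix(p, "/") && clean != "/" {
		clean += "/"
	}
	return clean
}

// match returns the cluster of the first route whose prefix matches p, or ""
// when nothing matches.
func match(routes []route, p string) string {
	for _, r := range routes {
		if strings.HasPrefix(p, r.prefix) {
			return r.cluster
		}
	}
	return ""
}

// routeRaw matches on the request path exactly as received, which is what
// Envoy 1.9.0 and earlier did: the dot-segments survive until the upstream
// resolves them, so the routing decision and the served resource disagree.
func routeRaw(routes []route, requestPath string) string {
	return match(routes, requestPath)
}

// routeNormalized matches on the normalised path, so the decision is made on
// the same path the upstream will see.
func routeNormalized(routes []route, requestPath string) string {
	return match(routes, normalizePath(requestPath))
}

// sampleRoutes is a constructed virtual host: /admin is served by a cluster
// that only authenticated traffic should reach, /public is open to anyone.
var sampleRoutes = []route{
	{prefix: "/admin", cluster: "admin-backend"},
	{prefix: "/public", cluster: "public-backend"},
	{prefix: "/", cluster: "default-backend"},
}

func main() {
	p := "/public/../admin"
	fmt.Printf("raw:        %s -> %s\n", p, routeRaw(sampleRoutes, p))
	fmt.Printf("normalised: %s -> %s\n", normalizePath(p), routeNormalized(sampleRoutes, p))
}
```

Any policy attached to the /admin route (authentication, IP restriction, a deny) is only as good as the path the decision is made on, which is why the normaliser has to run before the router rather than in the upstream.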

Details of the vulnerability

Fixes #983. Thanks @stevesloka

Support of TLS enabled backends

Contour 0.11 adds the ability to connect to backend Services that require TLS. This is enabled by a new annotation on the Service object:

contour.heptio.com/upstream-protocol.tls: {port,portName}

The question of what L7 protocol a Service's port speaks is a property of the Service, not the Ingress/IngressRoute, hence the annotation is placed on the Service object.

See the Annotation documentation for more information.

Note: Envoy does not perform any validation of the certificate presented by the backend Service.

Fixes #406, #569, and #963.

Thanks again to @stevesloka

Other improvements

  • A design document for adding retry and timeout behaviour to IngressRoute has been merged. Big thank you to @prasoontelang. Updates #815.
  • Contour is now built with Go 1.12.1 (1.12.2 was not available at the time of this release). Thanks @avni. Fixes #848
  • Upgrade to envoyproxy/go-control-plane v0.6.9. Fixes #933
  • Upgrade to k8s.io/client-go v1.12.6. Thanks @vaamarnath. Fixes #934.
  • Improve PR contribution templates. Thanks @andrewsykim.
  • Contour now uses the shared informer client-go infrastructure. Thanks @andrewsykim.
  • Contour has migrated from dep to Go modules for dependency management. Thanks @vaamarnath. Fixes #598.
  • Envoy's deprecated --v2-config-only flag has been removed from our sample deployments/. Thanks @rata. Fixes #971.
  • Prometheus integration documentation has been updated. Thanks @indradhanush.

Bug fixes

Several bugs in CRD validation have been fixed during the 0.11 development cycle.

  • The documentation and validation for TLS Certificate validation (introduced in Contour 0.10) incorrectly suggested that spec.delegations took only a single item. This is incorrect, spec.delegations takes a list. The documentation has been corrected and additional CRD validation introduced to reject the previously incorrect YAML. Thanks to @joshrosso for spotting the issue. Fixes #977.
  • A bug in the validation for the IngressRoute spec.tls.secretName prevented names with a forward slash, /, from being used. This has been corrected. Thanks @arminbuerkle. Fixes #965.
  • The deployment/ds-hostnet-split example YAML failed to pass validation under newer versions of Kubernetes. This has been fixed. Thanks @stevesloka. Fixes #940.
  • A typo in the contour serve documentation has been fixed. Thanks @shivanshu21. Fixes #966.

Upgrading

  • Several issues with CRD validation have been fixed in Contour 0.11. Please redeploy Contour using the supplied deployment/ artifacts.
  • Envoy's --v2-config-only flag has been deprecated in Envoy 1.9.x, and will be removed entirely in Envoy 1.10. Please remove it from your deployments to prevent Envoy failing to start.
  • Contour 0.11 requires Envoy 1.9.1.
    docker.io/envoyproxy/envoy:v1.9.1
    
    Previous versions of Envoy are not compatible with the configuration generated by Contour 0.11. If Envoy fails to start after upgrading Contour to 0.11 with an error similar to this, you have not upgraded Envoy to 1.9.1.
    [2019-04-08 01:54:58.396][000001][critical][main] [source/server/server.cc:86] error initializing configuration '/config/contour.json': Unable to parse JSON as proto (INVALID_ARGUMENT:normalize_path: Cannot find field.): {"codec_type":"AUTO","http_filters":[{"name":"envoy.health_check","config":{"headers":[{"name":":path","exact_match":"/healthz"}],"pass_through_mode":"false"}},{"name":"envoy.router"}],"stat_prefix":"stats","normalize_path":true,"route_config":{"virtual_hosts":{"routes":[{"match":{"prefix":"/stats"},"route":{"cluster":"service_stats"}}],"domains":["*"],"name":"backend"}}}
    [2019-04-08 01:54:58.397][000001][info][main] [source/server/server.cc:507] exiting
    
    Versions of Envoy later than 1.9.1 are not tested and not guaranteed to work with Contour 0.11.

contour - Contour v0.10.0

Published by davecheney over 5 years ago

Heptio is proud to present version 0.10 of Contour, our Envoy powered Kubernetes Ingress Controller. It is recommended that all users upgrade to Contour 0.10.

New and improved

Contour 0.10 includes several new features.

Wildcard support via TLS Certificate Delegation

The headline feature for Contour 0.10 is something we call TLS Certificate Delegation. The primary use case for TLS Certificate Delegation is enabling an administrator, the owner of a k8s Secret containing a wildcard-style (*.mycorp.com) TLS certificate, to delegate the permission to reference that certificate by name to another namespace.

In this way, administrators do not need to copy tasty wildcard certificates to each namespace that wants to use them; instead, an Ingress or IngressRoute owner can reference the wildcard certificate by name, assuming the administrator has created the appropriate delegation object.

Certificate delegation is opt-in. To find out more about this feature, please refer to the following documents:

Fixes #410
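As an added illustration (not part of these release notes), here are the two objects involved in a delegation: the administrator's TLSCertificateDelegation, and a tenant IngressRoute that references the delegated Secret in namespace/name form. The namespaces, Secret name and service name are assumed placeholders.

```yaml
# Added example, not from the release notes. All names are placeholders.
# The Secret (and its private key) stays in the "certs-admin" namespace;
# the delegation only grants the "web" namespace the right to reference it.
apiVersion: contour.heptio.com/v1beta1
kind: TLSCertificateDelegation
metadata:
  name: mycorp-wildcard
  namespace: certs-admin            # the namespace that owns the Secret
spec:
  delegations:
  - secretName: mycorp-wildcard     # kubernetes.io/tls Secret for *.mycorp.com
    targetNamespaces:
    - web                           # list only the namespaces that need it
---
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: app
  namespace: web
spec:
  virtualhost:
    fqdn: app.mycorp.com
    tls:
      # namespace/name form: the Secret is never copied into "web"
      secretName: certs-admin/mycorp-wildcard
  routes:
  - match: /
    services:
    - name: app
      port: 80
```

Without a matching delegation Contour rejects the cross-namespace secretName reference, so the owning namespace keeps sole custody of the private key.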

Configurable secure and insecure external ports

Due to a long-standing limitation in Envoy, if Envoy is presented at your cluster's edge on ports other than the traditional 80 and 443 and Contour is not configured to know this, Envoy will reject the traffic, because some user agents include that non-standard port in the Host: header.

To address this, two new flags have been added to contour serve: --envoy-external-http-port and --envoy-external-https-port. These default to 80 and 443 respectively.

If you have deployed Contour at your edge using non-standard port numbers, you should set these two flags to ensure Envoy can correctly route traffic that arrives with trailing port numbers in the Host: header.

Please see the Upgrading section for information on upgrading from previous incarnations of these flags.

Fixes #610

Other improvements

  • Contour now supports the PROXY v1 and v2 preamble headers. The former is predominantly used by AWS ELB instances, the latter by HAProxy. Fixes #802
  • Upgrade to envoyproxy/go-control-plane v0.6.4.
  • Upgrade to k8s.io/client-go v1.11.7.
  • Documentation improvements. Thanks @ramnes.
  • Additional tests for the contour serve --access-log flag. Fixes #475. Thanks @vaamarnath.

Bug fixes

  • Envoy now stops sending traffic to an endpoint that has active health checking enabled once that endpoint is removed from the cluster. Previously, Envoy would continue to send traffic to the removed endpoint until the health check timeouts fired. Fixes #603. Thanks @stevesloka and @alexbrand.

Upgrading

  • The bootstrap configuration file format has changed from YAML to JSON. This change should be invisible to all users. If not, please redeploy Contour using the supplied deployment/ artifacts.

  • The --envoy-http-port and --envoy-https-port flags have been renamed to --envoy-service-http-port and --envoy-service-https-port respectively. The values of these flags default to 8080 and 8443 respectively and should match the ports in the heptio-contour/contour Service document.

  • Contour 0.10 requires Envoy 1.9.0.

    docker.io/envoyproxy/envoy-alpine:v1.9.0

    Previous versions of Envoy are not compatible with the configuration generated by Contour 0.10. Versions of Envoy later than 1.9.0 are not tested and not guaranteed to work with Contour 0.10.

contour - Contour v0.10.0 release candidate 1

Published by davecheney over 5 years ago

contour - Contour v0.9.0

Published by davecheney over 5 years ago

Heptio is proud to present version 0.9 of Contour, our Envoy powered Kubernetes Ingress Controller. It is recommended that all users upgrade to Contour 0.9.

New and improved

Improved support for TCP proxying

Contour 0.9 adds support for terminating the TLS-encapsulated TCP session at the backend service rather than at Contour's edge. Otherwise known as TLS passthrough, this feature allows services running on Kubernetes that already present a TLS-encrypted endpoint to multiplex incoming connections via a single external IP, their ingress controller's port 443.

Thank you to @glerchundi, who drove this feature to completion.

Here is an example from the IngressRoute documentation showing TCP passthrough in action:

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: example
  namespace: default
spec:
  virtualhost:
    fqdn: tcp-passthrough.example.com
    tls:
      passthrough: true
  tcpproxy:
    services:
    - name: tcpservice
      port: 8080
  routes:
  - match: /
    services:
    - name: dummy
      port: 80

Please consult the IngressRoute documentation for more information.

Improvements to this feature will continue in future Contour releases.

Other improvements

  • Statistics are now reported with a stable name that is not restricted to the 60-character cluster name. Fixes #689. Thanks @pims.
  • Documentation improvements and fixes. Thanks @samuela, @joshrosso, and @aknuds1.
  • Contour now records the service port in its status message if the service is found but lacks a matching port. Fixes #858.
  • Upgrade to Go 1.11.5, including the fix for CVE-2019-6486.

Bug fixes

  • A feedback loop where Contour would reprocess IngressRoute documents when their status was updated has been fixed. This issue affects all versions of Contour where IngressRoute is supported. All Contour IngressRoute users should upgrade to version 0.9 or later. Thanks to @dbason for reporting the issue. See #854 for more information.
  • The FQDN validation regex has been relaxed to include numbers in TLDs. Fixes #821. Thanks @PeteE.

Upgrading

  • Contour 0.9 requires Envoy 1.8.0.

    docker.io/envoyproxy/envoy-alpine:v1.8.0

    Previous versions of Envoy are not compatible with the configuration generated by Contour 0.9. Versions of Envoy later than 1.8.0 are not tested and not guaranteed to work with Contour 0.9.

contour - Contour v0.8.1

Published by davecheney almost 6 years ago

Heptio is proud to present version 0.8.1 of Contour, our Envoy powered Kubernetes Ingress Controller.

Contour 0.8.1 is a bug fix release for the recently released 0.8.0.

New and improved

  • When using an IngressRoute for TCP forwarding, a dummy spec.routes entry is no longer required to pass validation.
  • Contour's holdoff notifier no longer spams stdout with messages about "delaying updates". This significantly reduces log volume from contour processes and improves the signal to noise ratio of Contour's logs.

Bug fixes

  • docs: the format of the --use-proxy-protocol documentation has been updated to match the formatting of other examples. Thanks @wadeholler
  • docs: a typo in the ingressroute documentation has been fixed. Thanks @jonas