Releases: projectcontour/contour

Contour v1.10.1

17 Dec 17:31
184aed6

We are delighted to present version 1.10.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Fixes

  • Upgrades the default Envoy version from 1.16.0 to 1.16.2 for security and bug fixes. See the Envoy 1.16.1 and 1.16.2 changelogs for details.
  • Fixes a concurrent map access issue which could lead to Contour crashing/restarting (#3199).

Contour v1.10.0

06 Nov 21:58

We are delighted to present version 1.10.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

There have been a bunch of great contributions from our community for this release, thanks to everyone!

Major Changes

Envoy xDS v3 Support

Contour now supports Envoy's xDS v3 protocol in addition to the deprecated v2 protocol. The example YAML has been updated to configure Envoy to use the v3 protocol by default.

To upgrade an existing Contour installation without dropping connections, first upgrade Contour to v1.10.0, which serves both the v2 and v3 xDS versions from the same gRPC endpoint. Next, change the Envoy DaemonSet or Deployment to include --xds-resource-version=v3 as an argument in the envoy-initconfig init container, which tells Envoy to upgrade to the v3 resource version. The usual rollout process will then drain connections, allowing a fleet of Envoy instances to move gradually from the v2 xDS resource API version to the v3 version.

See the xDS Migration guide for more information: https://projectcontour.io/guides/xds-migration/

Related issues and PRs: #1898, #2930, #3016, #3017, #3068, #3079, #3074, #3087, #3093

Thanks to @stevesloka and @jpeach for their hard work on this upgrade.

Custom JSON fields for Envoy access logs

Contour now supports custom JSON fields in the Envoy access log. Custom fields can be specified in the json-fields config field, using the format <custom-field-name>=<Envoy format string>, where the Envoy format string can contain any Envoy command operator except DYNAMIC_METADATA and FILTER_STATE.
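
A pre-deployment check for the entry format described above, as an added example that is not Contour's own code. It handles only custom entries of the form <custom-field-name>=<Envoy format string>; the function names, the operator regular expression and the sample entries are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Operators the release notes exclude from custom json-fields format strings.
var forbidden = map[string]bool{"DYNAMIC_METADATA": true, "FILTER_STATE": true}

// operatorRE matches one Envoy command operator, e.g. %PROTOCOL%,
// %REQ(X-REQUEST-ID)% or %RESP(SERVER):10%, and captures its name.
// The pattern is this example's approximation of the operator syntax.
var operatorRE = regexp.MustCompile(`%([A-Z][A-Z0-9_]*)(?:\([^)]*\))?(?::[0-9]+)?%`)

// ParseCustomField splits one "<custom-field-name>=<Envoy format string>"
// entry and rejects format strings that use a forbidden operator.
func ParseCustomField(entry string) (name, format string, err error) {
	i := strings.Index(entry, "=")
	if i <= 0 || i == len(entry)-1 {
		return "", "", fmt.Errorf("%q: want <custom-field-name>=<Envoy format string>", entry)
	}
	name, format = entry[:i], entry[i+1:]
	for _, m := range operatorRE.FindAllStringSubmatch(format, -1) {
		if forbidden[m[1]] {
			return "", "", fmt.Errorf("field %q: operator %s is not allowed", name, m[1])
		}
	}
	// Conservative choice of this example: a '%' left over once every
	// well-formed operator is removed means a malformed operator, so fail closed.
	if strings.Contains(operatorRE.ReplaceAllString(format, ""), "%") {
		return "", "", fmt.Errorf("field %q: malformed command operator in %q", name, format)
	}
	return name, format, nil
}

// ValidateJSONFields checks every entry and returns the accepted fields
// together with one error per rejected entry.
func ValidateJSONFields(entries []string) (map[string]string, []error) {
	fields := map[string]string{}
	var errs []error
	for _, e := range entries {
		name, format, err := ParseCustomField(e)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		fields[name] = format
	}
	return fields, errs
}

func main() {
	// Constructed sample entries, not taken from a real configuration.
	sample := []string{
		"trace_id=%REQ(X-B3-TRACEID)%",
		"started=%START_TIME(%Y-%m-%d)%",
		"state=%FILTER_STATE(my.key):20%",
		"meta=%DYNAMIC_METADATA(envoy.lua:user)%",
		"broken=%FILTER_STATE(my.key",
	}
	fields, errs := ValidateJSONFields(sample)
	fmt.Println(len(fields), "accepted")
	for _, err := range errs {
		fmt.Println("rejected:", err)
	}
}
```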

You can read more about this feature in Contour's updated guide to structured logging.

Related issues and PRs: #3059, #3032, #1507

Thanks to @mike1808, @KauzClay, and @XanderStrike for designing and implementing this feature!

Multi-arch Docker images

Contour's Docker images are now multi-architecture, with linux/amd64 and linux/arm64 currently supported. No change is needed by users; the correct architecture will automatically be pulled for your host.

Related issues and PRs: #3031, #2868

Thanks to @skriss for implementing multi-arch support.

Envoy 1.16

Contour now uses Envoy 1.16.0.

Related issues and PRs: #3029, #3013

Thanks to @yoitsro for this upgrade!

Default minimum TLS version is now 1.2

TLS 1.2 is now the default minimum TLS version for HTTPProxies and Ingresses. It's still possible to use 1.1 if necessary by explicitly specifying it. See the HTTPProxy documentation and Ingress documentation for more information.

Related issues and PRs: #3007, #2777, #3012

Thanks to @skriss for making this change.

RBAC v1

Contour's example YAML now uses rbac.authorization.k8s.io/v1 instead of the deprecated rbac.authorization.k8s.io/v1beta1 version for role-based access control (RBAC) resources. RBAC has been generally available in Kubernetes since v1.8, so this has no effect on the minimum supported Kubernetes version.

Related issues and PRs: #3015, #2991

Thanks to @narahari92 for this upgrade!

Deprecation & Removal Notices

  • The request-timeout field has been removed from the config file. This field was moved into the timeouts block, i.e. timeouts.request-timeout, in Contour 1.7.
  • In Contour 1.11, TLS 1.1 will be disabled by default. Users who require TLS 1.1 will have to enable it via the config file's tls.minimum-protocol-version field, and by specifying it for each HTTPProxy or Ingress where it's needed. See the HTTPProxy documentation and Ingress documentation for more information.

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

Contour v1.9.0

06 Oct 21:37

We are delighted to present version 1.9.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

There's been a bunch of great contributions from our community for this release, thanks to everyone!

External Authorization Support

Contour now supports integrating with external authorization services via the ExtensionService custom resource definition. This new Contour API exposes Envoy’s external auth filter, which allows incoming requests to be checked against the specified authorization service.

Thanks to @jpeach for leading design and implementation of this feature!

Related issues and PRs: #432, #2915, #2886, #2876, #2877, #2871

Backend TLS Client Authentication

Contour now supports optionally specifying a Kubernetes secret that Envoy should present to upstream clusters as a client certificate for TLS, so the upstream services can validate that the connection is coming from Envoy.

Thanks to @tsaarni for leading design and implementation of this feature!

Related issues and PRs: #2338, #2910

Cross-Origin Resource Sharing (CORS) Support

Contour’s HTTPProxy API now supports specifying a CORS policy, which configures Envoy’s CORS filter to allow web applications to request resources from different origins.

Thanks to @aberasarte and @glerchundi for driving the design and implementation of this new feature!

Related issues and PRs: #437, #2890

v1 Custom Resource Definitions

Contour now generates v1 custom resource definitions (CRDs) as part of its example YAML. This enables Contour to take full advantage of the v1 API’s capabilities around validation, defaulting, API documentation via kubectl explain, and more. CRDs became generally available in Kubernetes 1.16 over a year ago.

This change bumps Contour’s minimum supported Kubernetes version to 1.16.

Related issues and PRs: #2916, #2678, #1723, #1978, #2903, #2527

HTTPProxy Conditions

Contour’s HTTPProxy and ExtensionService CRDs now expose Conditions. Each custom resource, when processed by Contour, will have a single Condition, of type Valid, that will have a value of true or false to indicate whether or not the resource is valid. The Valid condition will further have a set of sub-conditions that provide more detail on the reason(s) for the resource’s validity/non-validity.

The existing HTTPProxy status fields currentStatus and description will be retained for backwards compatibility.

Thanks to @youngnick for designing and implementing this feature!

Related issues and PRs: #2962, #2931

Experimental go-control-plane Support

Contour now has experimental support for Envoy’s go-control-plane xDS server implementation. When enabled, this replaces Contour’s custom xDS gRPC server implementation. This feature can be enabled by setting the server.xds-server-type to “envoy” in the Contour config file.

Thanks to @stevesloka for designing and implementing this feature!

Related issues and PRs: #2134, #2850, #2884, #2919

Configurable DNS Lookup Family for ExternalName Services

We’ve added a config file field, cluster.dns-lookup-family, to customize DNS behavior for Kubernetes externalName services. Valid options are auto (default), v4, and v6. Previously, auto was always used, which first looks for an IPv6 address, and falls back to looking for an IPv4 address.

Thanks @stevesloka for debugging this issue and implementing the fix!

Related issues and PRs: #2894, #2873

Timeout Field Validation

Contour now performs validation on all timeout fields/annotations on the HTTPProxy and Ingress APIs. Invalid values will be rejected at creation time where possible, and will otherwise be surfaced to the user as invalid HTTPProxies, or as errors in the Contour log. Previously, Contour would disable the timeout entirely if the configured value was not a valid duration string.
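
The difference between the earlier behaviour and strict validation, as an added example that is not Contour's own code. The type and function names, the handling of an empty value as "use the default", the "infinity" keyword for deliberately disabling a timeout and the rejection of negative durations are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// Setting is the result of interpreting one timeout value.
type Setting struct {
	UseDefault bool          // value left empty: keep the proxy's default
	Disabled   bool          // no timeout is enforced at all
	Duration   time.Duration // meaningful when neither flag is set
}

// ParseLenient models the behaviour the notes describe as "previously":
// a value that is not a valid duration string turns the timeout off.
func ParseLenient(s string) Setting {
	if s == "" { // assumption: empty means "use the default"
		return Setting{UseDefault: true}
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return Setting{Disabled: true} // a typo silently removes the limit
	}
	return Setting{Duration: d}
}

// ParseStrict fails closed: an invalid value is an error the caller must
// surface, and disabling a timeout requires an explicit keyword.
func ParseStrict(s string) (Setting, error) {
	switch s {
	case "":
		return Setting{UseDefault: true}, nil
	case "infinity": // assumed keyword for deliberately disabling a timeout
		return Setting{Disabled: true}, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return Setting{}, fmt.Errorf("invalid timeout %q: %w", s, err)
	}
	if d < 0 {
		return Setting{}, fmt.Errorf("invalid timeout %q: negative duration", s)
	}
	return Setting{Duration: d}, nil
}

func main() {
	// Constructed sample values: "30" is missing its unit, "10 s" has a space.
	for _, v := range []string{"30s", "30", "10 s", "infinity", ""} {
		strict, err := ParseStrict(v)
		fmt.Printf("%-10q lenient=%+v strict=%+v err=%v\n", v, ParseLenient(v), strict, err)
	}
}
```

With the lenient parser, a missing unit such as "30" leaves the route with no timeout at all, which is the case strict validation turns into a visible error.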

Related issues and PRs: #2728, #2913, #2905

Deprecation Notices

⚠️ In Contour 1.10, we will be deprecating TLS 1.1 and lower. TLS 1.2 will become the default minimum TLS version. TLS 1.1 can still be enabled, but will require explicit configuration. If you need to use TLS 1.1 going forward, you will need to explicitly enable it via the Contour config file, and via the HTTPProxy API’s minimumProtocolVersion field.

⚠️ In Contour 1.10, we will be removing the request-timeout field from the config file. This field was moved into the timeouts block, i.e. timeouts.request-timeout, in Contour 1.7, and all support for the old field will be dropped.

Upgrading

Please consult the upgrade documentation.

Contour v1.8.2

30 Sep 18:59
0893c35

We are delighted to present version 1.8.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

Upgraded to Envoy 1.15.1

This Contour release upgrades the default Envoy version from 1.15.0 to 1.15.1. All Contour users should upgrade to this release, which addresses the following security issues:

  • CVE-2020-25017 (CVSS score 6.5, Medium): Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurrences of a non-inline header.

Contour 1.8.1

03 Sep 01:01

We are releasing a patch release for Contour to deliver a significant performance improvement recently identified by @mattmoor (thanks Matt!). All previous versions of Contour are affected, and users should upgrade as soon as they can.

When Contour ingests Kubernetes objects it builds a data model (called "the DAG" internally), and once the data model is built, it is used to update status of HTTPProxy objects and to configure the Envoys.

Prior to this release, when the HTTPProxy status updates were sent, they would block the completion of the DAG run, and thus the programming of Envoy. In addition, the way Contour was sending the updates generated more apiserver traffic than it needed to, and could very easily hit apiserver rate-limiting, causing large groups of status updates to add minutes to the DAG reconciliation time (and thus the Envoy programming time).

This release should produce performance improvements in all Contour installations, but they will probably be most noticeable in big clusters with lots of churn.

Extra Changes included

@mattmoor: Replace uncached Get to fix knative-extensions/net-contour#226 (#2865)

@youngnick: internal/k8s: Change StatusUpdaterHandler channel to buffered (#2867)

Contour 1.8.0

28 Aug 03:34

We are delighted to present version 1.8.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

There's been a bunch of great contributions from our community for this release, thanks to everyone!

We've also been busy with some big refactors to testing and other internals. The testing changes have come in, but the others should start landing in the 1.9 timeframe. So this release is a stabilisation release. Yay for paying down some tech debt!

Deprecations

Currently Contour supports annotating various objects with either projectcontour.io/<something> or contour.heptio.com/<something>. As of this release, contour.heptio.com annotations are deprecated, will have a warning log, and will be removed in a future release. Please move to using projectcontour.io annotations.

Inclusive Language changes

To ensure our community is as welcoming as possible, we've migrated our main development branch from its old name of master to main. As part of this effort, the auto-built Docker Hub image tag has also been moved from master to main.

Moving forward, we'll be using the guidelines of the Kubernetes Naming working group as a base for our own efforts to stay as inclusive as we can manage.

As part of this work, we've also run some automated checks against our code base using the vale tool, with minimal changes.

New and Improved

  • Contour's fix for 421 redirects and SNI now handles misdirected requests case insensitively (#2764)
  • There have been a few improvements to Contour's shutdown behavior: @laurovenancio has fixed some bugs with the contour shutdown command for managing Envoy's shutdown process (#2817 and #2820), and there was a fix to ensure that Ctrl-C will actually shut down Contour when running locally (#2797).
  • @ffahri added some helpers for retrieving the version of Kubernetes objects, and fixed an erroneous log (#2808).
  • @tsaarni added upstream certificate validation for HTTP/2 (#2832).
  • Contour now parses its YAML configuration strictly. Thanks @tthebst for PR #2765.
  • Some great docs fixes from @derkoe (#2790), @rajat404 (#2804), and @tong101 (#2839).
  • @aberasarte had a design proposal for CORS accepted (#1012), after a long and detailed discussion. We're all looking forward to seeing this design implemented.

Thanks to all of our external contributors, this is the most ever in one release! 🥇 🎉

Upgrading

Please consult the upgrade documentation.

Contour 1.7.0

03 Aug 19:16

We are delighted to present version 1.7.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Special thanks to Chad Moon (@moondev) who helped find and debug some issues with fallback certificate support.

New and improved

Upgraded to Envoy 1.15.0

This Contour release upgrades the default Envoy version from 1.14.3 to 1.15.0. All Contour users should upgrade to this release.

Configurable Timeouts

The Contour config file now has a timeouts block that allows various Envoy timeouts to be configured. In particular, the following timeouts are now configurable: request-timeout, connection-idle-timeout, stream-idle-timeout, max-connection-duration, and connection-shutdown-grace-period. See the documentation for more information.

Deprecation Notice: the request-timeout field in the config file is now deprecated and has been replaced by timeouts.request-timeout. The deprecated field will be removed in a future release. If you use this field, you should switch to using timeouts.request-timeout.

(Associated PRs #2726 #2675 #2632 #2661 #2670)

Thanks to @skriss for adding these configuration settings.

Add Conditions to HTTPProxy and TLSCertificateDelegation CRDs

HTTPProxy and TLSCertificateDelegation now each have a Status.Conditions field. These fields are currently left unpopulated. Over time, Contour will use these fields to report significantly more information about the current state of resources.

(Associated PR #2706)

Thanks to @youngnick for designing and implementing this feature.

Fallback Certificate Fixes

Two bugs (#2720, #2733) were found related to the fallback certificate feature which was introduced in v1.5.0. The Envoy secret for the certificate was not being configured, and the http.Router filter was not being configured on the HTTP connection manager. Both issues have been fixed in this release.

(Associated PRs #2723 #2734)

Thanks to @moondev for reporting these issues, and to @jpeach for turning around quick fixes!

TCP Keepalives on Listener Sockets

@erwbgy noticed that Contour was not configuring TCP keepalives for the Envoy listener sockets, and contributed a patch to add support for this in #2638. Thanks @erwbgy for the contribution!

Add Conditions to HTTPProxy RetryPolicy

@KevinSnyderCodes added two new fields to RetryPolicy, to better control when Envoy retries requests for a given route. The first, retryOn, allows the user to specify a subset of conditions under which requests should be retried. The second, retriableStatusCodes, enables only a specific set of HTTP response codes to be retried.

Thanks @KevinSnyderCodes for requesting, designing, and implementing this feature!

(Associated PR #2646)

Shutdown Manager Changes

The shutdown manager has been modified to use an Exec preStop hook to trigger the Envoy shutdown sequence.

Thanks @stevesloka for implementing this change.

(Associated PR #2751)

Upgrading

Please consult the upgrade documentation.

Contour 1.6.1

03 Jul 05:38

We are delighted to present version 1.6.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

Upgraded to Envoy 1.14.3

This Contour release upgrades the default Envoy version from 1.14.2 to 1.14.3. All Contour users should upgrade to this release, which addresses the following security issues:

  • CVE-2020-8663 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
  • CVE-2020-12603 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames.
  • CVE-2020-12604 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream.
  • CVE-2020-12605 Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.

(Associated PRs: #2595)

Upgrading

Please consult the upgrade documentation.

Contour 1.6.0

26 Jun 04:06

We are delighted to present version 1.6.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

IngressRoute removal

IngressRoute has been deprecated for some time and is, as of Contour 1.6, removed.

IngressRoute objects are no longer watched by Contour, and the IngressRoute and contour.heptio.com TLSDelegation CRDs are no longer installed by our example YAMLs. IngressRoute resources should be converted to HTTPProxy ones before upgrading to Contour 1.6. The IngressRoute and TLSDelegation CRDs should be removed from your clusters.

Please see ir2proxy for your IngressRoute to HTTPProxy conversion needs.

Vale IngressRoute!

New and improved

Controlling served HTTP versions

Contour now has the ability to choose the versions of HTTP that Envoy will respond to.
This has been implemented as a workaround for a browser-specific problem about 421 result codes and blank requests (#2619).

In short, Safari can misroute certain connection-coalesced connections when they are being served from a wildcard certificate with the SNI routing changes introduced under #1493.

Thanks to @primeroz for helping to dig on this one.

Fix ordering problems with HTTPProxy status updates

We moved all status updates to HTTPProxy to the new pattern introduced in Contour 1.5 for address updates; this fixes #2522, #2580, and #2522.

Thanks to @primeroz for logging #2580, and for the help with confirming the fix.

Bootstrap checks for empty TLS files

@shyaamsn noticed that the TLS files used for Envoy bootstrapping could sometimes be empty when using cert-manager to create them. (#2602)
They then contributed a fix in #2607.

Thanks @shyaamsn!

Fix Envoy service status watching

PR #2583 introduced a regression that broke watching the Envoy service for status address updating. Fixed by #2605.

Upgrading

Please consult the upgrade documentation.

Contour 1.5.1

18 Jun 07:11

We are delighted to present version 1.5.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Special thanks to Tim Bart (@pims), who was the release manager for this release.

New and improved

Upgraded to Envoy 1.14.2

This Contour release upgrades the default Envoy version from 1.14.1 to 1.14.2. All Contour users should upgrade to this release, which addresses CVE-2020-11080.

(Associated PRs: #2579)

Upgrading

Please consult the upgrade documentation.
