Skip to content

Releases: projectcontour/contour

Contour v1.22.0

27 Jul 17:55
Compare
Choose a tag to compare

We are delighted to present version v1.22.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Update to Gateway API v0.5.0

Contour now supports Gateway API v0.5.0, including both the v1alpha2 and v1beta1 API versions.

With this update, Contour passes all of the Gateway API v0.5.0 conformance tests, which cover much of the core API surface (but are not yet 100% exhaustive).

For more information on the Gateway API v0.5.0 release, see the release blog post.

For information on getting started with Contour and Gateway API, see the Contour/Gateway API guide.

(#4617, @skriss)

Minor Changes

Update to Envoy 1.23.0

Contour now uses Envoy 1.23.0.
See the Envoy changelog for more information on the contents of the release.

(#4621, @skriss)

HTTPProxy Direct Response Policy

HTTPProxy.Route now has a HTTPDirectResponsePolicy which allows for routes to specify a DirectResponsePolicy.
This policy will allow a direct response to be configured for a specific set of Conditions within a single route.
The Policy can be configured with a StatusCode, Body. And the StatusCode is required.

It is important to note that one of route.services or route.requestRedirectPolicy or route.directResponsePolicy must be specified.

(#4526, @yangyy93)

Validating revocation status of client certificates

It is now possible to enable revocation check for client certificates validation.
The CRL files must be provided in advance and configured as opaque Secret.
To enable the feature, httpproxy.spec.virtualhost.tls.clientValidation.crlSecret is set with the secret name.

(#4592, @tsaarni)

Consolidate access logging and TLS cipher suite validation

Access log and TLS cipher suite configuration validation logic is now consolidated in the apis/projectcontour/v1alpha1 package.
Existing exported elements of the pkg/config package are left untouched, though implementation logic now lives in apis/projectcontour/v1alpha1.

This should largely be a no-op for users however, as part of this cleanup, a few minor incompatible changes have been made:

  • TLS cipher suite list elements will no longer be allowed to have leading or trailing whitespace
  • The ContourConfiguration CRD field spec.envoy.logging.jsonFields has been renamed to spec.envoy.logging.accessLogJSONFields

(#4626, @sunjayBhatia)

Gateway API: implement HTTP query parameter matching

Contour now implements Gateway API's HTTP query parameter matching.
Only Exact matching is supported.
For example, the following HTTPRoute will send a request with a query string of ?animal=whale to s1, and a request with a querystring of ?animal=dolphin to s2.

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: httproute-queryparam-matching
spec:
  parentRefs:
  - name: contour-gateway
  rules:
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: whale
    backendRefs:
    - name: s1
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: dolphin
    backendRefs:
    - name: s2

(#4588, @skriss)

Gateway API: update handling of various invalid HTTPRoute/TLSRoute scenarios

Updates the handling of various invalid HTTPRoute/TLSRoute scenarios to be conformant with the Gateway API spec, including:

  • Use a 500 response instead of a 404 when a route's backends are invalid
  • The Accepted condition on a route only describes whether the route attached successfully to its parent, not whether it has any other errors
  • Use the upstream reasons InvalidKind and BackendNotFound when a backend is not a Service or not found, respectively

(#4614, @skriss)

Gateway API: enforce correct TLS modes for HTTPS and TLS listener protocols

Contour now enforces that the correct TLS modes are used for the HTTPS and TLS listener protocols.
For an HTTPS listener, the TLS mode "Terminate" must be used (this is compatible with HTTPRoutes).
For a TLS listener, the TLS mode "Passthrough" must be used (this is compatible with TLSRoutes).

(#4631, @skriss)

Bind create label operation for contour's deployment to the struct

There are now three places to create the same label(s), so let the operation to be a method of the Contour struct.

(#4585, @izturn)

Use local variable to replace the long access chain of fields

The access chain of fields is too long, so use local variable to replace them.

(#4586, @izturn)

Other Changes

  • RTDS now serves dynamic runtime configuration layer which is requested by bootstrap configuration. In the future, contents of this runtime configuration will be made configurable by users. (#4387, @sunjayBhatia)
  • internal/envoy: use Envoy's path-based prefix matching instead of regular expressions. (#4477, @mmalecki)
  • Gateway API: compute Listener supported kinds sooner, so it's populated in all cases where it can be computed. (#4523, @skriss)
  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Removes the DebugLogLevel and KubernetesDebugLogLevel fields from the ContourConfiguration spec since they were unused and are required to be specified via CLI flag. (#4534, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Gateway API: return a 404 instead of a 503 when there are no valid backend refs for an HTTPRoute rule, to match the revised Gateway API spec. (#4545, @skriss)
  • Update supported Kubernetes versions to 1.22, 1.23 and 1.24. (#4546, @skriss)
  • Changes the contour envoy shutdown command's --check-delay default to 0s from 60s, allowing Envoy pods to shut down more quickly when there are no open connections. (#4548, @skriss)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)
  • Gateway API: adds support for the "RequestMirror" HTTPRoute filter type at the rule level. (#4557, @sepaper)
  • Gateway API: fixes a bug where routes with multiple parent refs to listeners would not attach to all listeners correctly. (#4558, @skriss)
  • Gateway API: wildcard hostnames can now match more than one DNS label, per kubernetes-sigs/gateway-api#1173. (#4559, @skriss)
  • Gateway API: adds support for ReferenceGrant, which was formerly known as ReferencePolicy. To ease migration, both resources are supported for this release, but ReferencePolicy support will be removed next release. (#4580, @skriss)
  • Envoy will now make requests to gRPC ExtensionServices with a sanitized :authority header, rather than just using the extension cluster name. (#4587, @sunjayBhatia)
  • Gateway API: adds logic to only keep the first HTTP header match with a given name (case-insensitive) for each HTTP route match, per the Gateway API spec. (#4593, @skriss)
  • Gateway API: replace usage of Contour-specific condition types and reasons with upstream Gateway API ones where possible (#4598, @skriss)
  • contour cli commands have been updated with new logging and support for testing incremental (delta) xDS variants. (#4602, @youngnick)
  • Gateway API: sets route parent status correctly when routes attach to specific Listeners. (#4604, @skriss)
  • Updated the list of supported envoy log template keywords. (#4610, @yangyy93)
  • Gateway API: set a Listener condition of Ready: false with reason Invalid when a Listener allows routes from a namespace selector but the selector is invalid. (#4615, @skriss)
  • Adds support for access log operators introduced in Envoy 1.23.0. See here for more details. (#4627, @sunjayBhatia)

Docs Changes

Deprecation and Removal Notices

Gateway API: ReferencePolicy is deprecated, will be removed next release

Gateway API has renamed ReferencePolicy to ReferenceGrant in the v0.5.0 release, while retaining the former for one release to ease migration.
Contour currently supports both, but will drop support for ReferencePolicy in the next release.
Users of ReferencePolicies must migrate their resources to ReferenceGrants ahead of the next Contour release.

(#4580, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.0 is tested against Kubernetes 1.22 through 1.24.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this [...

Read more

Contour v1.22.0-rc.1

21 Jul 16:10
Compare
Choose a tag to compare
Contour v1.22.0-rc.1 Pre-release
Pre-release

We are delighted to present version v1.22.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Update to Gateway API v0.5.0

Contour now supports Gateway API v0.5.0, including both the v1alpha2 and v1beta1 API versions.

With this update, Contour passes all of the Gateway API v0.5.0 conformance tests, which cover much of the core API surface (but are not yet 100% exhaustive).

For more information on the Gateway API v0.5.0 release, see the release blog post.

For information on getting started with Contour and Gateway API, see the Contour/Gateway API guide.

(#4617, @skriss)

Minor Changes

HTTPProxy Direct Response Policy

HTTPProxy.Route now has a HTTPDirectResponsePolicy which allows for routes to specify a DirectResponsePolicy.
This policy will allow a direct response to be configured for a specific set of Conditions within a single route.
The Policy can be configured with a StatusCode, Body. And the StatusCode is required.

It is important to note that one of route.services or route.requestRedirectPolicy or route.directResponsePolicy must be specified.

(#4526, @yangyy93)

Bind create label operation for contour's deployment to the struct

There are now three places to create the same label(s), so let the operation to be a method of the Contour struct.

(#4585, @izturn)

Use local variable to replace the long access chain of fields

The access chain of fields is too long, so use local variable to replace them.

(#4586, @izturn)

Gateway API: implement HTTP query parameter matching

Contour now implements Gateway API's HTTP query parameter matching.
Only Exact matching is supported.
For example, the following HTTPRoute will send a request with a query string of ?animal=whale to s1, and a request with a querystring of ?animal=dolphin to s2.

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: httproute-queryparam-matching
spec:
  parentRefs:
  - name: contour-gateway
  rules:
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: whale
    backendRefs:
    - name: s1
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: dolphin
    backendRefs:
    - name: s2

(#4588, @skriss)

Validating revocation status of client certificates

It is now possible to enable revocation check for client certificates validation.
The CRL files must be provided in advance and configured as opaque Secret.
To enable the feature, httpproxy.spec.virtualhost.tls.clientValidation.crlSecret is set with the secret name.

(#4592, @tsaarni)

Gateway API: update handling of various invalid HTTPRoute/TLSRoute scenarios

Updates the handling of various invalid HTTPRoute/TLSRoute scenarios to be conformant with the Gateway API spec, including:

  • Use a 500 response instead of a 404 when a route's backends are invalid
  • The Accepted condition on a route only describes whether the route attached successfully to its parent, not whether it has any other errors
  • Use the upstream reasons InvalidKind and BackendNotFound when a backend is not a Service or not found, respectively

(#4614, @skriss)

Update to Envoy 1.23.0

Contour now uses Envoy 1.23.0.
See the Envoy changelog for more information on the contents of the release.

(#4621, @skriss)

Consolidate access logging and TLS cipher suite validation

Access log and TLS cipher suite configuration validation logic is now consolidated in the apis/projectcontour/v1alpha1 package.
Existing exported elements of the pkg/config package are left untouched, though implementation logic now lives in apis/projectcontour/v1alpha1.

This should largely be a no-op for users however, as part of this cleanup, a few minor incompatible changes have been made:

  • TLS cipher suite list elements will no longer be allowed to have leading or trailing whitespace
  • The ContourConfiguration CRD field spec.envoy.logging.jsonFields has been renamed to spec.envoy.logging.accessLogJSONFields

(#4626, @sunjayBhatia)

Gateway API: enforce correct TLS modes for HTTPS and TLS listener protocols

Contour now enforces that the correct TLS modes are used for the HTTPS and TLS listener protocols.
For an HTTPS listener, the TLS mode "Terminate" must be used (this is compatible with HTTPRoutes).
For a TLS listener, the TLS mode "Passthrough" must be used (this is compatible with TLSRoutes).

(#4631, @skriss)

Other Changes

  • RTDS now serves dynamic runtime configuration layer which is requested by bootstrap configuration.
    In this future, contents of this runtime configuration will be made configurable by users. (#4387, @sunjayBhatia)
  • internal/envoy: use Envoy's path-based prefix matching instead of regular expressions. (#4477, @mmalecki)
  • Gateway API: compute Listener supported kinds sooner, so it's populated in all cases where it can be computed. (#4523, @skriss)
  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Removes the DebugLogLevel and KubernetesDebugLogLevel fields from the ContourConfiguration spec since they were unused and are required to be specified via CLI flag. (#4534, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Gateway API: return a 404 instead of a 503 when there are no valid backend refs for an HTTPRoute rule, to match the revised Gateway API spec. (#4545, @skriss)
  • Update supported Kubernetes versions to 1.22, 1.23 and 1.24. (#4546, @skriss)
  • Changes the contour envoy shutdown command's --check-delay default to 0s from 60s, allowing Envoy pods to shut down more quickly when there are no open connections. (#4548, @skriss)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)
  • Gateway API: adds support for the "RequestMirror" HTTPRoute filter type at the rule level. (#4557, @sepaper)
  • Gateway API: fixes a bug where routes with multiple parent refs to listeners would not attach to all listeners correctly. (#4558, @skriss)
  • Gateway API: wildcard hostnames can now match more than one DNS label, per kubernetes-sigs/gateway-api#1173. (#4559, @skriss)
  • Gateway API: adds support for ReferenceGrant, which was formerly known as ReferencePolicy. To ease migration, both resources are supported for this release, but ReferencePolicy support will be removed next release. (#4580, @skriss)
  • Envoy will now make requests to gRPC ExtensionServices with a sanitized :authority header, rather than just using the extension cluster name. (#4587, @sunjayBhatia)
  • Gateway API: adds logic to only keep the first HTTP header match with a given name (case-insensitive) for each HTTP route match, per the Gateway API spec. (#4593, @skriss)
  • Gateway API: replace usage of Contour-specific condition types and reasons with upstream Gateway API ones where possible (#4598, @skriss)
  • contour cli commands have been updated with new logging and support for testing incremental (delta) xDS variants. (#4602, @youngnick)
  • Gateway API: sets route parent status correctly when routes attach to specific Listeners. (#4604, @skriss)
  • Updated the list of supported envoy log template keywords. (#4610, @yangyy93)
  • Gateway API: set a Listener condition of Ready: false with reason Invalid when a Listener allows routes from a namespace selector but the selector is invalid. (#4615, @skriss)
  • Adds support for access log operators introduced in Envoy 1.23.0. See here for more details. (#4627, @sunjayBhatia)

Docs Changes

  • Updated SITE_CONTRIBUTION.md to reflect Hugo platform. (#4620, @gary-tai)

Deprecation and Removal Notices

Gateway API: ReferencePolicy is deprecated, will be removed next release

Gateway API has renamed ReferencePolicy to ReferenceGrant in the v0.5.0 release, while retaining the former for one release to ease migration.
Contour currently supports both, but will drop support for ReferencePolicy in the next release.
Users of ReferencePolicies must migrate their resources to ReferenceGrants ahead of the next Contour release.

(#4580, @skriss)

Installing and Upgrading

The simplest way to install v1.22.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.22.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.22.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.22.0-rc.1 is tested against Kubernetes 1.22 through 1.24.

C...

Read more

Contour v1.21.1

14 Jun 16:12
Compare
Choose a tag to compare

We are delighted to present version v1.21.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.22.2

Bumps Envoy to security patch version 1.22.2.
Envoy CI had a few issues releasing 1.22.1 so a subsequent patch, 1.22.2 was released.
Envoy announcement here.
See Envoy release notes for 1.22.1 here and 1.22.2 here.

(#4573, @sunjayBhatia)

Other Changes

  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.21.1 is tested against Kubernetes 1.21 through 1.23.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better!

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

Contour v1.20.2

14 Jun 16:07
Compare
Choose a tag to compare

We are delighted to present version v1.20.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.21.3

Bumps Envoy to security patch version 1.21.3.
Envoy announcement here.
See Envoy release notes here.

(#4569, @sunjayBhatia)

Other Changes

  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.20.2 is tested against Kubernetes 1.21 through 1.23.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better!

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

Contour v1.21.0

09 May 18:06
Compare
Choose a tag to compare

We are delighted to present version v1.21.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Contour leader election resource RBAC moved to namespaced Role

Previously, in our example deployment YAML, RBAC for Contour access to resources used for leader election was contained in a ClusterRole, meaning that Contour required cluster-wide access to ConfigMap resources. This release also requires Contour access to Events and Leases which would require cluster-wide access (see this PR).

In this release, we have moved the RBAC rules for leader election resources to a namespaced Role in the example Contour deployment. This change should limit Contour's default required access footprint. A corresponding namespaced RoleBinding has been added as well.

Required actions

If you are using the example deployment YAML to deploy Contour, be sure to examine and re-apply the resources in examples/contour/02-rbac.yaml and examples/contour/02-role-contour.yaml. If you have deployed Contour in a namespace other than the example projectcontour, be sure to modify the contour Role and contour-rolebinding RoleBinding resources accordingly. Similarly, if you are using the --leader-election-resource-namespace flag to customize where Contour's leader election resources reside, you must customize the new Role and RoleBinding accordingly.

(#4204, @sunjayBhatia)

Container Images Now Exclusively Published on GitHub Container Registry (GHCR)

Contour's container images are now exclusively published on GHCR. They are no longer being pushed to Docker Hub (past images have been left on Docker Hub for posterity.)

(#4314, @skriss)

Adds a contour gateway-provisioner command and deployment manifest for dynamically provisioning Gateways

Contour now has an optional Gateway provisioner, that watches for Gateway custom resources and provisions Contour + Envoy instances for them. The provisioner is implemented as a new subcommand on the contour binary, contour gateway-provisioner. The examples/gateway-provisioner directory contains the YAML manifests needed to run the provisioner as a Deployment in-cluster.

By default, the Gateway provisioner will process all GatewayClasses that have a controller string of projectcontour.io/gateway-controller, along with all Gateways for them.

The Gateway provisioner is useful for users who want to dynamically provision Contour + Envoy instances based on the Gateway CRD.
It is also necessary in order to have a fully conformant Gateway API implementation.

(#4415, @skriss)

Minor Changes

Configurable access log level

The verbosity of HTTP and HTTPS access logs can now be configured to one of: info (default), error, disabled. The verbosity level is set with accesslog-level field in the configuration file or spec.envoy.logging.accessLogLevel field in ContourConfiguration.

(#4331, @tsaarni)

Leader election now only uses Lease object

Contour now only uses the Lease object to coordinate leader election. RBAC in example manifests has been updated accordingly.

Note: Upgrading to this version of Contour will explicitly require you to upgrade to Contour v1.20.0 first to ensure proper migration of leader election coordination resources.

(#4332, @sunjayBhatia)

Re-increase maximum allowed regex program size

Regex patterns Contour configures in Envoy (for path matching etc.) currently have a limited "program size" (approximate cost) of 100. This was inadvertently set back to the Envoy default, from the intended 1048576 (2^20) when moving away from using deprecated API fields. Note: regex program size is a feature of the regex library Envoy uses, Google RE2.

This limit has now been reset to the intended value and an additional program size warning threshold of 1000 has been configured.

Operators concerned with performance implications of allowing large regex programs can monitor Envoy memory usage and regex statistics. Envoy offers two statistics for monitoring regex program size, re2.program_size and re2.exceeded_warn_level. See this documentation for more detail. Future versions of Contour may allow configuration of regex program size thresholds via RTDS (Runtime Discovery Service).

(#4379, @sunjayBhatia)

Gateway API: support for processing a specific Gateway

Contour can now optionally process a specific named Gateway and associated routes. This is an alternate way to configure Contour, vs. the existing mode of specifying a GatewayClass controller string and having Contour process the first GatewayClass and associated Gateway for that controller string. This new configuration option can be specified via:

gateway:
  gatewayRef:
    namespace: gateway-namespace
    name: gateway-name

(#4410, @skriss)

Gateway provisioner: add support for more than one Gateway/Contour instance per namespace

The Gateway provisioner now supports having more than one Gateway/Contour instance per namespace. All resource names now include a -<gateway-name> suffix to avoid conflicts (cluster-scoped resources also include the namespace as part of the resource name). Contour instances are always provisioned in the namespace of the Gateway custom resource itself.

(#4426, @skriss)

Gateway provisioner: generate xDS TLS certs directly

The Gateway provisioner now generates xDS TLS certificates directly, rather than using a "certgen" job to trigger certificate generation. This simplifies operations and reduces the RBAC permissions that the provisioner requires. Certificates will still be rotated each time the provisioner is upgraded to a new version.

(#4432, @skriss)

Gateway provisioner: support requesting a specific address

The Gateway provisioner now supports requesting a specific Gateway address, via the Gateway's spec.addresses field. Only one address is supported, and it must be either an IPAddress or Hostname type. The value of this address will be used to set the provisioned Envoy service's spec.loadBalancerIP field. If for any reason, the requested address is not assigned to the Gateway, the Gateway will have a condition of "Ready: false" with a reason of AddressesNotAssigned.

If no address is requested, no value will be specified in the provisioned Envoy service's spec.loadBalancerIP field, and an address will be assigned by the load balancer provider.

(#4443, @skriss)

All ContourConfiguration CRD fields are now optional

To better manage configuration defaults, all ContourConfiguration CRD fields are now optional without defaults. Instead, Contour itself will apply defaults to any relevant fields that have not been specified by the user when it starts up, similarly to how processing of the Contour ConfigMap works today. The default values that Contour uses are documented in the ContourConfiguration CRD's API documentation.

(#4451, @skriss)

ContourDeployment CRD now supports additional options

The ContourDeployment CRD, which can be used as parameters for a Contour-controlled GatewayClass, now supports additional options for customizing your Contour/Envoy installations:

  • Contour deployment replica count
  • Contour deployment node placement settings (node selectors and/or tolerations)
  • Envoy workload type (daemonset or deployment)
  • Envoy replica count (if using a deployment)
  • Envoy service type and annotations
  • Envoy node placement settings (node selectors and/or tolerations)

(#4472, @skriss)

Query parameter hash based load balancing

Contour users can now configure their load balancing policies on HTTPProxy resources to hash the query parameter on a request to ensure consistent routing to a backend service instance.

See this page for more details on this feature.

Credit to @pkit for implementing this feature!

(#4508, @sunjayBhatia)

Other Changes

  • Allow the contour --ingress-class-name value to be a comma-separated list of classes to match against. Contour will process Ingress and HTTPProxy objects with any of the specified ingress classes. (Note that the alpha ContourConfiguration CRD has also been changed to use a ClassNames array field instead of a scalar ClassName field.) (#4109, @erwbgy)
  • Don't check for or log errors for unsupported annotations on objects that Contour doesn't care about (e.g. ingresses for a different class than Contour's). (#4304, @skriss)
  • Explicitly disable controller-runtime manager metrics and health listeners. (#4312, @sunjayBhatia)
  • Removed code duplication for the secret validation in the dag package. (#4316, @alessandroargentieri)
  • Node labels in localhost:6060/debug/dag troubleshooting API are sanitized by html-escaping user fields. (#4323, @kb000)
  • Upstream TCP connection timeout is now configurable in configuration file and in [ContourConfiguration](https...
Read more

Contour v1.21.0-rc.1

28 Apr 15:17
dcbe217
Compare
Choose a tag to compare
Contour v1.21.0-rc.1 Pre-release
Pre-release

We are delighted to present version v1.21.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Contour leader election resource RBAC moved to namespaced Role

Previously, in our example deployment YAML, RBAC for Contour access to resources used for leader election was contained in a ClusterRole, meaning that Contour required cluster-wide access to ConfigMap resources.
This release also requires Contour access to Events and Leases which would require cluster-wide access (see this PR).

In this release, we have moved the RBAC rules for leader election resources to a namespaced Role in the example Contour deployment.
This change should limit Contour's default required access footprint.
A corresponding namespaced RoleBinding has been added as well.

Required actions

If you are using the example deployment YAML to deploy Contour, be sure to examine and re-apply the resources in examples/contour/02-rbac.yaml and examples/contour/02-role-contour.yaml.
If you have deployed Contour in a namespace other than the example projectcontour, be sure to modify the contour Role and contour-rolebinding RoleBinding resources accordingly.
Similarly, if you are using the --leader-election-resource-namespace flag to customize where Contour's leader election resources reside, you must customize the new Role and RoleBinding accordingly.

(#4204, @sunjayBhatia)

Container Images Now Exclusively Published on GitHub Container Registry (GHCR)

Contour's container images are now exclusively published on GHCR. They are no longer being pushed to Docker Hub (past images have been left on Docker Hub for posterity.)

(#4314, @skriss)

Adds a contour gateway-provisioner command and deployment manifest for dynamically provisioning Gateways

Contour now has an optional Gateway provisioner, that watches for Gateway custom resources and provisions Contour + Envoy instances for them.
The provisioner is implemented as a new subcommand on the contour binary, contour gateway-provisioner.
The examples/gateway-provisioner directory contains the YAML manifests needed to run the provisioner as a Deployment in-cluster.

By default, the Gateway provisioner will process all GatewayClasses that have a controller string of projectcontour.io/gateway-provisioner, along with all Gateways for them.

The Gateway provisioner is useful for users who want to dynamically provision Contour + Envoy instances based on the Gateway CRD.
It is also necessary in order to have a fully conformant Gateway API implementation.

(#4415, @skriss)

Minor Changes

Configurable access log level

The verbosity of HTTP and HTTPS access logs can now be configured to one of: info (default), error, disabled.
The verbosity level is set with accesslog-level field in the configuration file or spec.envoy.logging.accessLogLevel field in ContourConfiguration.

(#4331, @tsaarni)

Leader election now only uses Lease object

Contour now only uses the Lease object to coordinate leader election.
RBAC in example manifests has been updated accordingly.

Note: Upgrading to this version of Contour will explicitly require you to upgrade to Contour v1.20.0 first to ensure proper migration of leader election coordination resources.

(#4332, @sunjayBhatia)

Re-increase maximum allowed regex program size

Regex patterns Contour configures in Envoy (for path matching etc.) currently have a limited "program size" (approximate cost) of 100.
This was inadvertently set back to the Envoy default, from the intended 1048576 (2^20) when moving away from using deprecated API fields.
Note: regex program size is a feature of the regex library Envoy uses, Google RE2.

This limit has now been reset to the intended value and an additional program size warning threshold of 1000 has been configured.

Operators concerned with performance implications of allowing large regex programs can monitor Envoy memory usage and regex statistics.
Envoy offers two statistics for monitoring regex program size, re2.program_size and re2.exceeded_warn_level.
See this documentation for more detail.
Future versions of Contour may allow configuration of regex program size thresholds via RTDS (Runtime Discovery Service).

(#4379, @sunjayBhatia)

Gateway API: support for processing a specific Gateway

Contour can now optionally process a specific named Gateway and associated routes.
This is an alternate way to configure Contour, vs. the existing mode of specifying a GatewayClass controller string and having Contour process the first GatewayClass and associated Gateway for that controller string.
This new configuration option can be specified via:

gateway:
  gatewayRef:
    namespace: gateway-namespace
    name: gateway-name

(#4410, @skriss)

Gateway provisioner: add support for more than one Gateway/Contour instance per namespace

The Gateway provisioner now supports having more than one Gateway/Contour instance per namespace.
All resource names now include a -<gateway-name> suffix to avoid conflicts (cluster-scoped resources also include the namespace as part of the resource name).
Contour instances are always provisioned in the namespace of the Gateway custom resource itself.

(#4426, @skriss)

Gateway provisioner: generate xDS TLS certs directly

The Gateway provisioner now generates xDS TLS certificates directly, rather than using a "certgen" job to trigger certificate generation.
This simplifies operations and reduces the RBAC permissions that the provisioner requires.
Certificates will still be rotated each time the provisioner is upgraded to a new version.

(#4432, @skriss)

Gateway provisioner: support requesting a specific address

The Gateway provisioner now supports requesting a specific Gateway address, via the Gateway's spec.addresses field.
Only one address is supported, and it must be either an IPAddress or Hostname type.
The value of this address will be used to set the provisioned Envoy service's spec.loadBalancerIP field.
If for any reason, the requested address is not assigned to the Gateway, the Gateway will have a condition of "Ready: false" with a reason of AddressesNotAssigned.

If no address is requested, no value will be specified in the provisioned Envoy service's spec.loadBalancerIP field, and an address will be assigned by the load balancer provider.

(#4443, @skriss)

All ContourConfiguration CRD fields are now optional

To better manage configuration defaults, all ContourConfiguration CRD fields are now optional without defaults.
Instead, Contour itself will apply defaults to any relevant fields that have not been specified by the user when it starts up, similarly to how processing of the Contour ConfigMap works today.
The default values that Contour uses are documented in the ContourConfiguration CRD's API documentation.

(#4451, @skriss)

ContourDeployment CRD now supports additional options

The ContourDeployment CRD, which can be used as parameters for a Contour-controlled GatewayClass, now supports additional options for customizing your Contour/Envoy installations:

  • Contour deployment replica count
  • Contour deployment node placement settings (node selectors and/or tolerations)
  • Envoy workload type (daemonset or deployment)
  • Envoy replica count (if using a deployment)
  • Envoy service type and annotations
  • Envoy node placement settings (node selectors and/or tolerations)

(#4472, @skriss)

Other Changes

  • Allow the contour --ingress-class-name value to be a comma-separated list of classes to match against. Contour will process Ingress and HTTPProxy objects with any of the specified ingress classes. (Note that the alpha ContourConfiguration CRD has also been changed to use a ClassNames array field instead of a scalar ClassName field.) (#4109, @erwbgy)
  • Don't check for or log errors for unsupported annotations on objects that Contour doesn't care about (e.g. ingresses for a different class than Contour's). (#4304, @skriss)
  • Explicitly disable controller-runtime manager metrics and health listeners. (#4312, @sunjayBhatia)
  • Removed code duplication for the secret validation in the dag package. (#4316, @alessandroargentieri)
  • Node labels in localhost:6060/debug/dag troubleshooting API are sanitized by html-escaping user fields. (#4323, @kb000)
  • Upstream TCP connection timeout is now configurable in configuration file and in ContourConfiguration. (#4326, @tsaarni)
  • Drops RBAC and caching for the networking.k8s.io/IngressClass resource as it's not used by Contour. (#4329, @skriss)
  • Fixed a bug where upstream TLS SNI (`HTTProxy.spe...
Read more

Contour v1.20.1

24 Feb 22:00
Compare
Choose a tag to compare

We are delighted to present version v1.20.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Changes

  • Fixed a bug where upstream TLS SNI (HTTProxy.spec.routes.requestHeadersPolicy Host key) and protocol fields might not take effect when e.g. two HTTPProxies were otherwise equal but differed only on those fields. (#4350, @tsaarni)
  • Update github.com/prometheus/client_golang to v1.11.1 to address CVE-2022-21698. (#4361, @tsaarni)
  • Updates Envoy to v1.21.1. See the Envoy changelog for details. (#4365, @skriss)

Docs Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.20.1 is tested against Kubernetes 1.21 through 1.23.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

Contour v1.20.0

31 Jan 15:22
4856853
Compare
Choose a tag to compare

We are delighted to present version v1.20.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Gateway API v1alpha2 support

Contour now exclusively supports Gateway API v1alpha2, the latest available version.
This version of Gateway API has a number of breaking changes, which are detailed in the Gateway API changelog.
Contour currently supports a single GatewayClass and associated Gateway, and HTTPRoutes and TLSRoutes that attach to the Gateway. TCPRoute and UDPRoute are not supported.
For a list of other functionality that remains to be implemented, see Contour's area/gateway-api label.

As part of this change, support for Gateway API v1alpha1 has been dropped, and any v1alpha1 resources will not be automatically converted to v1alpha2 resources because the API has moved to a different API group (from networking.x-k8s.io to gateway.networking.k8s.io).

(#4047, @skriss)

xDS management connection between Contour and Envoy set to TLSv1.3

The minimum accepted TLS version for Contour xDS server is changed from TLSv1.2 to TLSv1.3.
Previously in Contour 1.19, the maximum accepted TLS version for Envoy xDS client was increased to TLSv1.3 which allows it to connect to Contour xDS server using TLSv1.3.

If upgrading from a version prior to Contour 1.19, the old Envoys will be unable to connect to new Contour until also Envoys are upgraded.
Until that, old Envoys are unable to receive new configuration data.

For further information, see Contour architecture and xDS API in Envoy documentation.

(#4065, @tsaarni)

Minor Changes

Metrics over HTTPS

Both Envoy and Contour metrics can now be served over HTTPS.
Server can alternatively also require client to present certificate which is validated against configured CA certificate.
This feature makes it possible to limit the visibility of metrics to authorized clients.

(#3707, @tsaarni)

Performance improvement for processing configuration

The performance of Contour's configuration processing has been made more efficient, particularly for clusters with large numbers (i.e. >1k) of HTTPProxies and/or Ingresses.
This means that there should be less of a delay between creating/updating an HTTPProxy/Ingress in Kubernetes, and having it reflected in Envoy's configuration.

(#4099, @skriss)

Allow retry policy, num retries to be zero

The field, NumRetries (e.g. count), in the RetryPolicy allows for a zero to be
specified, however Contour's internal logic would see that as "undefined"
and set it back to the Envoy default of 1. This would never allow the value of
zero to be set. Users can set the value to be -1 which will represent disabling
the retry count. If not specified or set to zero, then the Envoy default value
of 1 is used.

(#4117, @stevesloka)

Gateway API: implement PathPrefix matching

Contour now implements Gateway API v1alpha2's "path prefix" matching for HTTPRoutes.
This is now the only native form of prefix matching supported by Gateway API, and is a change from v1alpha1.
Path prefix matching means that the prefix specified in an HTTPRoute rule must match entire segments of a request's path in order to match it, rather than just be a string prefix.
For example, the prefix /foo would match a request for the path /foo/bar but not /foobar.
For more information, see the Gateway API documentation.

(#4119, @skriss)

Add Envoy Deployment Example

The examples now include a way to deploy Envoy as a Deployment vs a Daemonset.
This can assist in allowing Envoy to drain connections cleanly when the Kubernetes cluster size is scaled down.

(#4126, @stevesloka)

Default status on HTTPProxy resources

When a new HTTPProxy is created, if Contour isn't yet running or
functioning properly, then no status is set on the resource.
Defaults of "NotReconciled/Waiting for controller" are now applied
to any new object until an instance of Contour accepts the
object and updates the status.

(#4133, @stevesloka)

Gateway API: support ReferencePolicy

Contour now supports the ReferencePolicy CRD in Gateway API v1alpha2.
ReferencePolicy enables certain cross-namespace references to be allowed in Gateway API.
The primary use case is to enable routes (e.g. HTTPRoutes, TLSRoutes) to reference backend Services in different namespaces.
When Contour processes a route that references a service in a different namespace, it will check for a ReferencePolicy that applies to the route and service, and if one exists, it will allow the reference.

(#4138, @skriss)

Source IP hash based load balancing

Contour users can now configure their load balancing policies on HTTPProxy resources to hash the source IP of a client to ensure consistent routing to a backend service instance. Using this feature combined with header value hashing can implement advanced request routing and session affinity. Note that if you are using a load balancer to front your Envoy deployment, you will need to ensure it preserves client source IP addresses to ensure this feature is effective.

See this page for more details on this feature.

(#4141, @sunjayBhatia)

Gateway API: set Gateway Listener status fields

Contour now sets the .status.listeners.supportedKinds and .status.listeners.attachedRoutes fields on Gateways for Gateway API.
The first describes the list of route groups/kinds that the listener supports, and the second captures the total number of routes that are successfully attached to the listener.

(#4160, @skriss)

TLS Certificate validation updates

Contour now allows non-server certificates that do not have a CN or SAN set, which mostly fixes
#2372 and #3889.

TLS documentation has been updated to make the rules for Secrets holding TLS information clearer.

Those rules are:

For certificates that identify a server, they must:

  • be kubernetes.io/tls type
  • contain tls.crt, and tls.key keys with the server certificate and key respectively.
  • have the first certificate in the tls.crt bundle have a CN or SAN field set.

They may:

  • have the tls.crt key contain a certificate chain, as long as the first certificate in the chain is the server certificate.
  • add a ca.crt key that contains a Certificate Authority (CA) certificate or certificates.

Certificates in the certificate chain that are not server certificates do not need to have a CN or SAN.

For CA secrets, they must:

  • be Opaque type
  • contain only a ca.crt key, not tls.crt or tls.key

The ca.crt key may contain one or more CA certificates, that do not need to have a CN or SAN.

(#4165, @youngnick)

HTTPProxy TCPProxy service weights are now applied

Previously, Contour did not apply any service weights defined in an HTTPProxy's TCPProxy, and all services were equally weighted.
Now, if those weights are defined, they are applied so traffic is weighted appropriately across the services.
Note that if no TCPProxy service weights are defined, traffic continues to be equally spread across all services.

(#4169, @skriss)

Leader Election Configuration

contour serve leader election configuration via config file has been deprecated.
The preferred way to configure leader election parameters is now via command line flags.
See here for more detail on the new leader election flags.

Note: If you are using the v1alpha1 ContourConfiguration CRD, leader election configuration has been removed from that CRD as well.
Leader election configuration is not something that will be dynamically configurable once Contour implements configuration reloading via that CRD.

(#4171, @sunjayBhatia)

Set Gateway listener conditions

Contour now sets various Gateway listener conditions as it processes them, including the "Ready", "Detached", and "ResolvedRefs" condition types, to provide more visibility to the user as to whether their listeners are defined correctly or not.

(#4186, @skriss)

HTTP Request Redirect Policy

HTTPProxy.Route now has a HTTPRequestRedirectPolicy which allows for routes to specify a RequestRedirectPolicy.
This policy will allow a redirect to be configured for a specific set of Conditions within a single route.
The policy can be configured with a Hostname, StatusCode, Scheme, and Port.

Additionally, Services on a Route are now optional when a request redirect is defined.

(#4201, @stevesloka)

Transition to controller-runtime managed leader election

Contour now utilizes controller-runtime Manager based leader election and coordination of subroutines.
With this change, Contour is also transitioning away from using a ConfigMap for leader election.
In this release, Contour now uses a combination of ConfigMap and Lease object.
A future release will remove usage of the ConfigMap resource for leader election.

This change should be a no-op for most users, however be sure to re-apply the relevant parts of your deployment for RBAC to ensure Contour has access to Lease and Event objects (this would be the ClusterRole in the provided example YAML).

(#4202, ...

Read more

v1.20.0-beta.1

08 Dec 20:27
Compare
Choose a tag to compare
v1.20.0-beta.1 Pre-release
Pre-release

We are delighted to present the first beta for Contour v1.20.0, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Gateway API v1alpha2 support

Contour now exclusively supports Gateway API v1alpha2, the latest available version.
This version of Gateway API has a number of breaking changes, which are detailed in the Gateway API changelog.
Contour currently supports a single GatewayClass and associated Gateway, and HTTPRoutes and TLSRoutes that attach to the Gateway. TCPRoute and UDPRoute are not supported.
For a list of other functionality that remains to be implemented, see Contour's area/gateway-api label.

As part of this change, support for Gateway API v1alpha1 has been dropped, and any v1alpha1 resources will not be automatically converted to v1alpha2 resources because the API has moved to a different API group (from networking.x-k8s.io to gateway.networking.k8s.io).

To get started, see the Contour & Gateway API (v1alpha2) guide.

(#4047, @skriss)

xDS management connection between Contour and Envoy set to TLSv1.3

The minimum accepted TLS version for Contour xDS server is changed from TLSv1.2 to TLSv1.3.
Previously in Contour 1.19, the maximum accepted TLS version for Envoy xDS client was increased to TLSv1.3 which allows it to connect to Contour xDS server using TLSv1.3.

If upgrading from a version prior to Contour 1.19, the old Envoys will be unable to connect to new Contour until also Envoys are upgraded.
Until that, old Envoys are unable to receive new configuration data.

For further information, see Contour architecture and xDS API in Envoy documentation.

(#4065, @tsaarni)

Minor Changes

Metrics over HTTPS

Both Envoy and Contour metrics can now be served over HTTPS.
Server can alternatively also require client to present certificate which is validated against configured CA certificate.
This feature makes it possible to limit the visibility of metrics to authorized clients.

(#3707, @tsaarni)

Performance improvement for processing configuration

The performance of Contour's configuration processing has been made more efficient, particularly for clusters with large numbers (i.e. >1k) of HTTPProxies and/or Ingresses.
This means that there should be less of a delay between creating/updating an HTTPProxy/Ingress in Kubernetes, and having it reflected in Envoy's configuration.

(#4099, @skriss)

Allow retry policy, num retries to be zero

The field, NumRetries (e.g. count), in the RetryPolicy allows for a zero to be
specified, however Contour's internal logic would see that as "undefined"
and set it back to the Envoy default of 1. This would never allow the value of
zero to be set. Users can set the value to be -1 which will represent disabling
the retry count. If not specified or set to zero, then the Envoy default value
of 1 is used.

(#4117, @stevesloka)

Gateway API: implement PathPrefix matching

Contour now implements Gateway API v1alpha2's "path prefix" matching for HTTPRoutes.
This is now the only native form of prefix matching supported by Gateway API, and is a change from v1alpha1.
Path prefix matching means that the prefix specified in an HTTPRoute rule must match entire segments of a request's path in order to match it, rather than just be a string prefix.
For example, the prefix /foo would match a request for the path /foo/bar but not /foobar.
For more information, see the Gateway API documentation.

(#4119, @skriss)

Gateway API: support ReferencePolicy

Contour now supports the ReferencePolicy CRD in Gateway API v1alpha2.
ReferencePolicy enables certain cross-namespace references to be allowed in Gateway API.
The primary use case is to enable routes (e.g. HTTPRoutes, TLSRoutes) to reference backend Services in different namespaces.
When Contour processes a route that references a service in a different namespace, it will check for a ReferencePolicy that applies to the route and service, and if one exists, it will allow the reference.

(#4138, @skriss)

Gateway API: set Gateway Listener status fields

Contour now sets the .status.listeners.supportedKinds and .status.listeners.attachedRoutes fields on Gateways for Gateway API.
The first describes the list of route groups/kinds that the listener supports, and the second captures the total number of routes that are successfully attached to the listener.

(#4160, @skriss)

Set Gateway listener conditions

Contour now sets various Gateway listener conditions as it processes them, including the "Ready", "Detached", and "ResolvedRefs" condition types, to provide more visibility to the user as to whether their listeners are defined correctly or not.

(#4186, @skriss)

Default status on HTTPProxy resources

When a new HTTPProxy is created, if Contour isn't yet running or
functioning properly, then no status is set on the resource.
Defaults of "NotReconciled/Waiting for controller" are now applied
to any new object until an instance of Contour accepts the
object and updates the status.

(#4133, @stevesloka)

Source IP hash based load balancing

Contour users can now configure their load balancing policies on HTTPProxy resources to hash the source IP of a client to ensure consistent routing to a backend service instance. Using this feature combined with header value hashing can implement advanced request routing and session affinity. Note that if you are using a load balancer to front your Envoy deployment, you will need to ensure it preserves client source IP addresses to ensure this feature is effective.

See this page for more details on this feature.

(#4141, @sunjayBhatia)

TLS Certificate validation updates

Contour now allows non-server certificates that do not have a CN or SAN set, which mostly fixes
#2372 and #3889.

TLS documentation has been updated to make the rules for Secrets holding TLS information clearer.

Those rules are:

For certificates that identify a server, they must:

  • be kubernetes.io/tls type
  • contain tls.crt, and tls.key keys with the server certificate and key respectively.
  • have the first certificate in the tls.crt bundle have a CN or SAN field set.

They may:

  • have the tls.crt key contain a certificate chain, as long as the first certificate in the chain is the server certificate.
  • add a ca.crt key that contains a Certificate Authority (CA) certificate or certificates.

Certificates in the certificate chain that are not server certificates do not need to have a CN or SAN.

For CA secrets, they must:

  • be Opaque type
  • contain only a ca.crt key, not tls.crt or tls.key

The ca.crt key may contain one or more CA certificates, that do not need to have a CN or SAN.

(#4165, @youngnick)

HTTPProxy TCPProxy service weights are now applied

Previously, Contour did not apply any service weights defined in an HTTPProxy's TCPProxy, and all services were equally weighted.
Now, if those weights are defined, they are applied so traffic is weighted appropriately across the services.
Note that if no TCPProxy service weights are defined, traffic continues to be equally spread across all services.

(#4169, @skriss)

Leader Election Configuration

contour serve leader election configuration via config file has been deprecated.
The preferred way to configure leader election parameters is now via command line flags.
See here for more detail on the new leader election flags.

Note: If you are using the v1alpha1 ContourConfiguration CRD, leader election configuration has been removed from that CRD as well.
Leader election configuration is not something that will be dynamically configurable once Contour implements configuration reloading via that CRD.

(#4171, @sunjayBhatia)

Transition to controller-runtime managed leader election

Contour now utilizes controller-runtime Manager based leader election and coordination of subroutines.
With this change, Contour is also transitioning away from using a ConfigMap for leader election.
In this release, Contour now uses a combination of ConfigMap and Lease object.
A future release will remove usage of the ConfigMap resource for leader election.

This change should be a no-op for most users, however be sure to re-apply the relevant parts of your deployment for RBAC to ensure Contour has access to Lease and Event objects (this would be the ClusterRole in the provided example YAML).

(#4202, @sunjayBhatia)

HTTP Request Redirect Policy

HTTPProxy.Route now has a HTTPRequestRedirectPolicy which allows for routes to specify a RequestRedirectPolicy.
This policy will allow a redirect to be configured for a specific set of Conditions within a single route.
The policy can be configured with a Hostname, StatusCode, Scheme, and Port.

Additionally, Services on a Route are now optional when a request redirect is defined.

(#4201, @stevesloka)

Other Changes

...

Read more

Contour v1.18.3

18 Nov 23:10
Compare
Choose a tag to compare

We are delighted to present version 1.18.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

This is a backport release to 1.18, bringing the below change in.

Updates

Allow retry policy, num retries to be disabled

The field, NumRetries (e.g. count), in the RetryPolicy allows for a zero to be
specified, however Contour's internal logic would see that as "undefined"
and set it back to the Envoy default of 1. This would never allow the value of
zero to be set. Users can set the value to be -1 which will represent disabling
the retry count. If not specified or set to zero, then the Envoy default value
of 1 is used.