kadras-io/package-for-contour


Contour

Badges: Test Workflow | Release Workflow | SLSA Level 3 | Apache 2.0 license | Follow us on Twitter

A Carvel package for Contour, a high performance ingress controller for Kubernetes based on Envoy.

🚀  Getting Started

Prerequisites

  • Kubernetes 1.27+

  • Carvel kctrl CLI.

  • Carvel kapp-controller deployed in your Kubernetes cluster. You can install it with Carvel kapp (recommended choice) or kubectl.

    kapp deploy -a kapp-controller -y \
      -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml

Installation

Add the Kadras package repository to your Kubernetes cluster:

kctrl package repository add -r kadras-packages \
  --url ghcr.io/kadras-io/kadras-packages \
  -n kadras-system --create-namespace

Installation without package repository

The recommended way of installing the Contour package is via the Kadras package repository. If you prefer not to use the repository, you can add the package definition directly using kapp or kubectl.

kubectl create namespace kadras-system
kapp deploy -a contour-package -n kadras-system -y \
  -f https://github.com/kadras-io/package-for-contour/releases/latest/download/metadata.yml \
  -f https://github.com/kadras-io/package-for-contour/releases/latest/download/package.yml

Install the Contour package:

kctrl package install -i contour \
  -p contour.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system

Note: You can find the ${VERSION} value by retrieving the list of package versions available in the Kadras package repository installed on your cluster.

kctrl package available list -p contour.packages.kadras.io -n kadras-system

Verify the installed packages and their status:

kctrl package installed list -n kadras-system

📙  Documentation

Documentation, tutorials and examples for this package are available in the docs folder. For documentation specific to Contour, check out projectcontour.io.

🎯  Configuration

The Contour package can be customized via a values.yml file.

contour:
  config:
    logFormat: json
    useProxyProtocol: true

Reference the values.yml file from the kctrl command when installing or upgrading the package.

kctrl package install -i contour \
  -p contour.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system \
  --values-file values.yml

Values

The Contour package has the following configurable properties.

Configurable properties
| Config | Default | Description |
|--------|---------|-------------|
| infrastructure_provider | "" | The underlying infrastructure provider. Options are local and vsphere. This field is not required, but it enables better validation and defaulting if provided. |
| namespace | projectcontour | The namespace in which to deploy Contour and Envoy. |

Settings for the Contour component.

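| Config | Default | Description |
|--------|---------|-------------|
| contour.replicas | 2 | The number of Contour replicas. In order to enable high availability, it should be greater than 1. |
| contour.config.logFormat | text | Log output format for Contour. Either text (default) or json. |
| contour.config.logLevel | info | The Contour log level. Valid options are info and debug. |
| contour.config.useProxyProtocol | false | Whether to enable PROXY protocol for all Envoy listeners. |
| contour.configFileContents | "" | The YAML contents of the Contour config file. See https://projectcontour.io/docs/latest/configuration/#configuration-file for more information. |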
contour.configFileContents "" The YAML contents of the Contour config file. See https://projectcontour.io/docs/latest/configuration/#configuration-file for more information.

Settings for the Envoy component.

| Config | Default | Description |
|--------|---------|-------------|
| envoy.workload.type | DaemonSet | The type of Kubernetes workload that Envoy is deployed as. Options are Deployment or DaemonSet. |
| envoy.workload.replicas | 2 | The number of Envoy replicas to deploy when type is set to Deployment. |
| envoy.workload.hostPorts.enabled | true | Whether to enable host ports. If false, http & https are ignored. |
| envoy.workload.hostPorts.http | 80 | If enabled, the host port number to expose Envoy's HTTP listener on. |
| envoy.workload.hostPorts.https | 443 | If enabled, the host port number to expose Envoy's HTTPS listener on. |
| envoy.workload.hostNetwork | false | Whether to enable host networking for the Envoy pods. |
| envoy.workload.dnsPolicy | ClusterFirst | The DNS policy for the Envoy pods. |
| envoy.workload.terminationGracePeriodSeconds | 300 | The termination grace period, in seconds, for the Envoy pods. |
| envoy.config.logLevel | info | The Envoy log level. |
| envoy.service.type | LoadBalancer | The type of Kubernetes service to provision for Envoy in case the infrastructure_provider doesn't enforce one already. |
| envoy.service.loadBalancerIP | "" | The desired load balancer IP. If type is not LoadBalancer, this field is ignored. It is up to the cloud provider whether to honor this request. If not specified, the load balancer IP will be assigned by the cloud provider. |
| envoy.service.externalTrafficPolicy | Local | The external traffic policy for the Envoy service in case the infrastructure_provider doesn't enforce one already. |
| envoy.service.annotations | false | Annotations to set on the Envoy service. |
| envoy.service.nodePorts.http | false | The node port number to expose Envoy's HTTP listener on. If not specified, a node port will be auto-assigned by Kubernetes. |
| envoy.service.nodePorts.https | false | The node port number to expose Envoy's HTTPS listener on. If not specified, a node port will be auto-assigned by Kubernetes. |

TLS configuration to secure the communication between Contour and Envoy.

| Config | Default | Description |
|--------|---------|-------------|
| certificates.useCertManager | false | Whether to use cert-manager to provision TLS certificates for securing the communication between Contour and Envoy. If false, the contour-certgen Job will be used to provision certificates. If true, cert-manager must be installed in the cluster. See: https://github.com/kadras-io/package-for-cert-manager. |
| certificates.duration | 8760h | If using cert-manager, how long the certificates should be valid for. If useCertManager is false, this field is ignored. |
| certificates.renewBefore | 360h | If using cert-manager, how long before expiration the certificates should be renewed. If useCertManager is false, this field is ignored. |
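
A pre-install check for the cross-field rules in the tables above, as an added example that is not part of this package or its README. It assumes values.yml has already been parsed into a dict by a YAML parser; `get`, `hours`, `lint` and the sample values are hypothetical names, and the renewBefore/duration comparison reflects cert-manager's own validation rather than anything stated in this README.

```python
import re

UNSET = object()
ENUMS = {  # allowed values, transcribed from the README tables
    "contour.config.logFormat": {"text", "json"},
    "contour.config.logLevel": {"info", "debug"},
    "envoy.workload.type": {"Deployment", "DaemonSet"},
}

def get(values, path, default=UNSET):
    """Walk a dotted path through the parsed values; return default if unset."""
    for key in path.split("."):
        if not isinstance(values, dict) or key not in values:
            return default
        values = values[key]
    return values

def hours(duration):
    """Convert a Go-style duration that uses only h/m/s units to hours."""
    parts = re.findall(r"(\d+)([hms])", duration)
    if not parts or "".join(n + u for n, u in parts) != duration:
        raise ValueError(f"unsupported duration: {duration!r}")
    return sum(int(n) / {"h": 1, "m": 60, "s": 3600}[u] for n, u in parts)

def lint(values):
    """Return findings for a values.yml that has been parsed into a dict."""
    findings, ignored = [], []
    for path, allowed in ENUMS.items():
        found = get(values, path)
        if found is not UNSET and found not in allowed:
            findings.append(f"{path}: {found!r} not in {sorted(allowed)}")
    if get(values, "contour.replicas", 2) <= 1:
        findings.append("contour.replicas: high availability needs more than 1")
    if not get(values, "certificates.useCertManager", False):
        ignored += ["certificates.duration", "certificates.renewBefore"]
    elif hours(get(values, "certificates.renewBefore", "360h")) >= hours(
            get(values, "certificates.duration", "8760h")):
        # Not from the README: cert-manager rejects renewBefore >= duration.
        findings.append("certificates.renewBefore: must be shorter than duration")
    if not get(values, "envoy.workload.hostPorts.enabled", True):
        ignored += ["envoy.workload.hostPorts.http", "envoy.workload.hostPorts.https"]
    if get(values, "envoy.service.type", "LoadBalancer") != "LoadBalancer":
        ignored.append("envoy.service.loadBalancerIP")
    return findings + [f"{p}: set but ignored" for p in ignored
                       if get(values, p) is not UNSET]

# Constructed sample: what a YAML parser would return for a values.yml.
SAMPLE = {"contour": {"replicas": 1, "config": {"logLevel": "trace"}},
          "envoy": {"service": {"type": "NodePort", "loadBalancerIP": "192.0.2.10"}},
          "certificates": {"duration": "2160h"}}
```

Calling `lint(SAMPLE)` reports the invalid log level, the single Contour replica, and the two fields that are set but have no effect with the other settings in the sample.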

🛡️  Security

The security process for reporting vulnerabilities is described in SECURITY.md.

🖊️  License

This project is licensed under the Apache License 2.0. See LICENSE for more information.

🙏  Acknowledgments

This package is inspired by the original Contour package used in the Tanzu Community Edition project before its retirement.