Releases: projectcontour/contour
Contour v1.30.0
We are delighted to present version v1.30.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Minor Changes
Gateway API: Implement Listener/Route hostname isolation
Gateway API spec update in this GEP. Updates logic on finding intersecting route and Listener hostnames to factor in the other Listeners on a Gateway that the route in question may not actually be attached to. Requests should be "isolated" to the most specific Listener and it's attached routes.
Update examples for monitoring Contour and Envoy
Updates the documentation and examples for deploying a monitoring stack (Prometheus and Grafana) to scrape metrics from Contour and Envoy. Adds a metrics port to the Envoy DaemonSet/Deployment in the example YAMLs to expose port 8002
so that PodMonitor
resources can be used to find metrics endpoints.
Update to Gateway API v1.1.0
Gateway API CRD compatibility has been updated to release v1.1.0.
Notable changes for Contour include:
- The
BackendTLSPolicy
resource has undergone some breaking changes and has been updated to thev1alpha3
API version. This will require any existing users of this policy to uninstall the v1alpha2 version before installing this newer version. GRPCRoute
has graduated to GA and is now in thev1
API version.
Full release notes for this Gateway API release can be found here.
Add Circuit Breaker support for Extension Services
This change enables the user to configure the Circuit breakers for extension services either via the global Contour config or on an individual Extension Service.
NOTE: The PerHostMaxConnections
is now also configurable via the global settings.
Fallback Certificate: Add Global Ext Auth support
Applies Global Auth filters to Fallback certificate
Gateway API: handle Route conflicts with GRPCRoute.Matches
It's possible that multiple GRPCRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:
- The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
- The Route appearing first in alphabetical order (namespace/name) for example, foo/bar is given precedence over foo/baz.
With above ordering, any GRPCRoute that ranks lower, will be marked with below conditions accordingly:
- If only partial rules under this GRPCRoute are conflicted, it's marked with
Accepted: True
andPartiallyInvalid: true
Conditions and Reason:RuleMatchPartiallyConflict
. - If all the rules under this GRPCRoute are conflicted, it's marked with
Accepted: False
Condition and ReasonRuleMatchConflict
.
(#6566, @lubronzhan)
Other Changes
- Fixes bug where external authorization policy was ignored on HTTPProxy direct response routes. (#6426, @shadialtarsha)
- Updates to Kubernetes 1.30. Supported/tested Kubernetes versions are now 1.28, 1.29, and 1.30. (#6444, @sunjayBhatia)
- Enforce
deny-by-default
approach on theadmin
listener by matching on exact paths and onGET
requests (#6447, @davinci26) - Add support for defining equal-preference cipher groups ([cipher1|cipher2|...]) and permit
ECDHE-ECDSA-CHACHA20-POLY1305
andECDHE-RSA-CHACHA20-POLY1305
to be used separately. (#6461, @tsaarni) - allow
/stats/prometheus
route on theadmin
listener. (#6503, @clayton-gonsalves) - Improve shutdown manager query to the Envoy stats endpoint for active connections by utilizing a regex filter query param. (#6523, @therealak12)
- Updates to Go 1.22.5. See the Go release notes for more information. (#6563, @sunjayBhatia)
- Updates Envoy to v1.31.0. See the Envoy release notes for more information about the content of the release. (#6569, @skriss)
Deprecation and Removal Notices
Contour sample YAML manifests no longer use prometheus.io/
annotations
The annotations for notifying a Prometheus instance on how to scrape metrics from Contour and Envoy pods have been removed from the deployment YAMLs and the Gateway provisioner. The suggested mechanism for doing so now is to use kube-prometheus and the PodMonitor
resource.
xDS server type fields in config file and ContourConfiguration CRD are deprecated
These fields are officially deprecated now that the contour
xDS server implementation is deprecated. They are planned to be removed in the 1.31 release, along with the contour
xDS server implementation.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.30.0 is tested against Kubernetes 1.28 through 1.30.
Community Thanks!
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.29.2
We are delighted to present version v1.29.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Updates Envoy to v1.30.4. See the release notes here.
- Updates Go to v1.22.5. See the release notes here.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.29.2 is tested against Kubernetes 1.27 through 1.29.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.28.6
We are delighted to present version v1.28.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Updates Envoy to v1.29.7. See the release notes here.
- Updates Go to v1.21.12. See the release notes here.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.28.6 is tested against Kubernetes 1.27 through 1.29.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.30.0-rc.1
We are delighted to present version v1.30.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!
- Minor Changes
- Other Changes
- Deprecations/Removals
- Installing/Upgrading
- Compatible Kubernetes Versions
- Community Thanks!
Minor Changes
Gateway API: Implement Listener/Route hostname isolation
Gateway API spec update in this GEP.
Updates logic on finding intersecting route and Listener hostnames to factor in the other Listeners on a Gateway that the route in question may not actually be attached to.
Requests should be "isolated" to the most specific Listener and it's attached routes.
Update examples for monitoring Contour and Envoy
Updates the documentation and examples for deploying a monitoring stack (Prometheus and Grafana) to scrape metrics from Contour and Envoy.
Adds a metrics port to the Envoy DaemonSet/Deployment in the example YAMLs to expose port 8002
so that PodMonitor
resources can be used to find metrics endpoints.
Update to Gateway API v1.1.0
Gateway API CRD compatibility has been updated to release v1.1.0.
Notable changes for Contour include:
- The
BackendTLSPolicy
resource has undergone some breaking changes and has been updated to thev1alpha3
API version. This will require any existing users of this policy to uninstall the v1alpha2 version before installing this newer version. GRPCRoute
has graduated to GA and is now in thev1
API version.
Full release notes for this Gateway API release can be found here.
Add Circuit Breaker support for Extension Services
This change enables the user to configure the Circuit breakers for extension services either via the global Contour config or on an individual Extension Service.
NOTE: The PerHostMaxConnections
is now also configurable via the global settings.
Fallback Certificate: Add Global Ext Auth support
Applies Global Auth filters to Fallback certificate
Gateway API: handle Route conflicts with GRPCRoute.Matches
It's possible that multiple GRPCRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:
- The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
- The Route appearing first in alphabetical order (namespace/name) for example, foo/bar is given precedence over foo/baz.
With above ordering, any GRPCRoute that ranks lower, will be marked with below conditions accordingly:
- If only partial rules under this GRPCRoute are conflicted, it's marked with
Accepted: True
andPartiallyInvalid: true
Conditions and Reason:RuleMatchPartiallyConflict
. - If all the rules under this GRPCRoute are conflicted, it's marked with
Accepted: False
Condition and ReasonRuleMatchConflict
.
(#6566, @lubronzhan)
Other Changes
- Fixes bug where external authorization policy was ignored on HTTPProxy direct response routes. (#6426, @shadialtarsha)
- Updates to Kubernetes 1.30. Supported/tested Kubernetes versions are now 1.28, 1.29, and 1.30. (#6444, @sunjayBhatia)
- Enforce
deny-by-default
approach on theadmin
listener by matching on exact paths and onGET
requests (#6447, @davinci26) - Add support for defining equal-preference cipher groups ([cipher1|cipher2|...]) and permit
ECDHE-ECDSA-CHACHA20-POLY1305
andECDHE-RSA-CHACHA20-POLY1305
to be used separately. (#6461, @tsaarni) - allow
/stats/prometheus
route on theadmin
listener. (#6503, @clayton-gonsalves) - Improve shutdown manager query to the Envoy stats endpoint for active connections by utilizing a regex filter query param. (#6523, @therealak12)
- Updates to Go 1.22.5. See the Go release notes for more information. (#6563, @sunjayBhatia)
- Updates Envoy to v1.31.0. See the Envoy release notes for more information about the content of the release. (#6569, @skriss)
Deprecation and Removal Notices
Contour sample YAML manifests no longer use prometheus.io/
annotations
The annotations for notifying a Prometheus instance on how to scrape metrics from Contour and Envoy pods have been removed from the deployment YAMLs and the Gateway provisioner.
The suggested mechanism for doing so now is to use kube-prometheus and the PodMonitor
resource.
xDS server type fields in config file and ContourConfiguration CRD are deprecated
These fields are officially deprecated now that the contour
xDS server implementation is deprecated.
They are planned to be removed in the 1.31 release, along with the contour
xDS server implementation.
Installing and Upgrading
The simplest way to install v1.30.0-rc.1 is to apply one of the example configurations:
Standalone Contour:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour.yaml
Contour Gateway Provisioner:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour-gateway-provisioner.yaml
Statically provisioned Contour with Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour-gateway.yaml
Compatible Kubernetes Versions
Contour v1.30.0-rc.1 is tested against Kubernetes 1.28 through 1.30.
Community Thanks!
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.29.1
We are delighted to present version v1.29.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.29.1 is tested against Kubernetes 1.27 through 1.29.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.28.5
We are delighted to present version v1.28.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.28.5 is tested against Kubernetes 1.27 through 1.29.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.27.4
We are delighted to present version v1.27.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.27.4 is tested against Kubernetes 1.26 through 1.28.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.29.0
We are delighted to present version v1.29.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Major Changes
Default xDS Server Implementation is now Envoy
As of this release, Contour now uses the envoy
xDS server implementation by default. This xDS server implementation is based on Envoy's go-control-plane project and will eventually be the only supported xDS server implementation in Contour. This change is expected to be transparent to users.
I'm seeing issues after upgrading, how do I revert to the contour xDS server?
If you encounter any issues, you can easily revert to the contour
xDS server with the following configuration:
(if using Contour config file)
server:
xds-server-type: contour
(if using ContourConfiguration CRD)
...
spec:
xdsServer:
type: contour
You will need to restart Contour for the changes to take effect.
Gateway API: Inform on v1 types
Contour no longer informs on v1beta1 resources that have graduated to v1. This includes the "core" resources GatewayClass, Gateway, and HTTPRoute. This means that users should ensure they have updated CRDs to Gateway API v1.0.0 or newer, which introduced the v1 version with compatibility with v1beta1.
Minor Changes
Use EndpointSlices by default
Contour now uses the Kubernetes EndpointSlices API by default to determine the endpoints to configure Envoy, instead of the Endpoints API. Note: if you need to continue using the Endpoints API, you can disable the feature flag via featureFlags: ["useEndpointSlices=false"]
in the Contour config file or ContourConfiguration CRD.
Gateway API: handle Route conflicts with HTTPRoute.Matches
It's possible that multiple HTTPRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:
- The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
- The Route appearing first in alphabetical order (namespace/name) for example, foo/bar is given precedence over foo/baz.
With above ordering, any HTTPRoute that ranks lower, will be marked with below conditions accordionly
- If only partial rules under this HTTPRoute are conflicted, it's marked with
Accepted: True
andPartiallyInvalid: true
Conditions and Reason:RuleMatchPartiallyConflict
. - If all the rules under this HTTPRoute are conflicted, it's marked with
Accepted: False
Condition and ReasonRuleMatchConflict
.
(#6188, @lubronzhan)
Spawn Upstream Span is now enabled in tracing
As described in Envoy documentations, spawn_upstream_span
should be true when envoy is working as an independent proxy and from now on contour tracing spans will show up as a parent span to upstream spans.
Other Changes
- Fix data race in BackendTLSPolicy status update logic. (#6185, @sunjayBhatia)
- Fix for specifying a health check port with an ExternalName Service. (#6230, @yangyy93)
- Updates the example
envoyproxy/ratelimit
image tag to19f2079f
, for multi-arch support and other improvements. (#6246, @skriss) - In the
envoy
go-control-plane xDS server, use a separate snapshot cache for Endpoints, to minimize the amount of unnecessary xDS traffic generated. (#6250, @skriss) - If there were no relevant resources for Contour in the watched namespaces during the startup of a follower instance of Contour, it did not reach a ready state. (#6295, @tsaarni)
- Added support for enabling circuit breaker statistics tracking. (#6297, @rajatvig)
- Updates to Go 1.22.2. See the Go release notes for more information. (#6327, @skriss)
- Gateway API: add support for HTTPRoute's Timeouts.BackendRequest field. (#6335, @skriss)
- Updates Envoy to v1.30.1. See the v1.30.0 release notes here and the v1.30.1 release notes here. (#6353, @tico88612)
- Gateway API: a timeout value of
0s
disables the timeout. (#6375, @skriss) - Fix provisioner to use separate
--disable-feature
flags on Contour Deployment for each disabled feature. Previously a comma separated list was passed which was incorrect. (#6413, @sunjayBhatia)
Deprecation and Removal Notices
Configuring Contour with a GatewayClass controller name is no longer supported
Contour can no longer be configured with a GatewayClass controller name (gateway.controllerName in the config file or ContourConfiguration CRD), as the config field has been removed. Instead, either use a specific Gateway reference (gateway.gatewayRef), or use the Gateway provisioner.
Contour xDS server implementation is now deprecated
As of this release, the contour
xDS server implementation is now deprecated. Once the go-control-plane based envoy
xDS server has had sufficient production bake time, the contour
implementation will be removed from Contour. Notification of removal will occur at least one release in advance.
Use of Endpoints API is deprecated
Contour now uses the EndpointSlices API by default, and its usage of the Endpoints API is deprecated as of this release. Support for Endpoints, and the associated useEndpointSlices
feature flag, will be removed in a future release.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.29.0 is tested against Kubernetes 1.27 through 1.29.
Community Thanks!
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.28.4
We are delighted to present version v1.28.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Updates Envoy to v1.29.4. See the release notes for v1.29.4 here (#6377).
- Gateway API: an HTTPRoute timeout of
0s
now disables the timeout (#6379). - Gateway provisioner: disabled features are now correctly applied to the Contour controller (#6414).
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.28.4 is tested against Kubernetes 1.27 through 1.29.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.27.3
We are delighted to present version v1.27.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Updates Envoy to v1.28.3. See the release notes for v1.28.3 here.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.27.3 is tested against Kubernetes 1.26 through 1.28.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.