Skip to content

@davecheney davecheney released this Aug 23, 2019 · 313 commits to master since this release

VMware is proud to present version 0.15 of Contour, our layer 7 HTTP reverse proxy for Kuberentes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!

All Contour users should upgrade to Contour 0.15.0 and Envoy 1.11.1 as there are some tasty HTTP/2 vulnerabilities which you really should patch.

New and improved

Contour 0.15 includes several new features as well as the usual smattering of fixes and minor improvements.


A number of CVEs related to HTTP/2 have been addressed by Envoy.

See the Envoy 1.11.1 announcement for details on the vulnerabilities.

As Envoy have not provided fixes for Envoy 1.10 and earlier all Contour users should also upgrade to Envoy 1.11.1.

Leader election

Contour 0.15 now supports leader election. In leader election mode only one Contour pod in a deployment, the leader, will open its gRPC endpoint to serve requests from Envoy. All other Contours will continue to watch the API server but will not serve gRPC until they become the leader. Leader election can be used to ensure that all Envoy's take their configuration from a single Contour instance.

Leader election is currently opt in. In future versions of Contour we plan to make leader election mode the default.

For more information please consult the upgrading document.

Thanks @youngnick

Opt in, or opt out, of gRPC TLS authentication is now required

In Contour 0.14 support was added for mTLS communication between Contour and Envoy. Contour 0.15 now requires all users to either supply gRPC TLS information, or use contour serve --insecure to opt out of mTLS.

If you do not supply TLS details or --insecure, contour serve will not start.

For more information please consult the upgrading document.

Thanks @youngnick

Contour configuration file

Contour 0.15 supports passing configuration to Contour via a configuration file. The configuration file is intended to specify configuration that applies per Contour installation. Per Ingress or per Route configuration continues to be drawn from the objects and CRDs in the Kubernetes API server.

TLS minimum protocol version

Contour 0.15 supports supplying an installation wide minimum TLS protocol version. This setting can be used by administrators to raise the minimum TLS version used by TLS enabled virtual hosts managed by Contour.

The tls.minimimProtocolVersion field in the configuration file controls the minimum protocol version used.

Disable permitInsecure setting

Contour 0.15 supports disabling the permitInsecure IngressRoute setting. This setting can be used by administrators to prevent IngressRoute users presenting port 80 as an alternative to HTTPS.

Setting disablePermitInsecure to true will cause Contour to ignore the permitInsecure field on IngressRoute objects.

Fixes #864. Thanks @stevesloka

Contour ignores unrelated Secrets and Services

Contour 0.15 ignores updates to Secret and Service documents that are not referenced by an active Ingress or IngressRoute object. This significantly reduces the number and frequency of configuration updates sent to Envoy.

Updates #499.

Contour no longer presents misconfigured routes

In earlier versions of Contour, using the v1.Ingress object, it was possible to present a route which had no active Service if the Service named in the Ingress document was not present. When this occurred Envoy would respond to the route, but always return 503.

Contour 0.15 fixes this bug and will not present routes if their corresponding Service is missing. As a result, if the misconfigured route was the only route present on the virtual host, the virtual host itself will not be presented. If this was the only virtual host configured for a listening port (HTTP or HTTPS) then Contour 0.15 will not open the respective port.

This is not considered a loss of functionality as the only reason this port was open was to present a virtual host whose sole purpose was to return 503 for any request. However, some users may be relying on this functionality for health checking Envoy itself. If this is the case you should consider switching to a readinessProbe on the Envoy pod itself.

For more discussion see #389

Minor improvements

  • Contour now reports Envoy's failure to apply a configuration update. Please raise issues if you see ERRORs in your Contour logs. Updates #1176.
  • Contour's holdoff timer has been refactored so that it no longer reports a decades long first update event.
  • Contour now sets a status message on an IngressRoute that incorrectly combines multiple backends and websockets. Updates #732. Thanks @stevesloka.
  • client-go has been upgraded to version 12. Fixes #1213. Thanks @DylanGraham.
  • envoyproxy/go-control-plane has been upgraded to v0.8.2. Fixes #1236.
  • Contour is built with Go 1.12.9.

Bug fixes

Ingress.Path regular expression support restored

Contour 0.15 fixes a problem where regular expressions in Ingress spec.[]rules.http.[]paths.path values were interpreted as prefixes. This has likely been broken since at least Contour 0.5 (possibly earlier 😳).

note: IngressRoute does not support regular expression matching, this feature is only present in the Kubernetes Ingress object.

This bug was fixed in Contour 0.14.1.
For more information see #1243.

Thanks @stevesloka

Contour crash if /tmp is not available

The glog (now klog) library would attempt to write to disk if not properly initialised. Contour 0.15 properly initialises klog to prevent this issue caused by this horrendous API footgun.

This bug was fixed in Contour 0.14.2
For more information see #1279.

Thanks to @so0k for the report and @mattalberts for the fix.

Other bug fixes

  • Contour no longer hangs during shutdown if the gRPC server was not the goroutine triggering the shutdown. Fixes #1361.
  • The preStop hooks in our examples/ have been corrected to work around the lack of wget in the Envoy image. Fixes #1254.
  • IngressRoute validation has been extended to prevent passing a non integer in the spec.tcpproxy.port field. Fixes #1336.


Please consult the Upgrading document for further information on upgrading from Contour 0.14 to Contour 0.15.

Assets 2
You can’t perform that action at this time.