
@davecheney released this Nov 1, 2019 · 28 commits to master since this release

We are delighted to present version 1.0.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Contour 1.0.0 is the latest stable release. All Contour users should upgrade to 1.0.0.

New and improved

Contour 1.0.0 contains many bug fixes and improvements over 0.15.3, the previous stable release.


Over a year ago Contour 0.6 introduced the IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilizing modern web development patterns in multi-tenant Kubernetes clusters.

As part of preparations for bringing Contour to 1.0, IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.

HTTPProxy brings with it two new concepts--inclusion and conditions--both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and our limited support for prefix based matching.

HTTPProxy is considered stable and our sincere desire is that future changes will be made in a backward-compatible manner. For more information, please consult the HTTPProxy documentation.

None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.

IngressRoute deprecation

With the introduction of HTTPProxy, IngressRoute CRD is now marked as deprecated.

While deprecated, the IngressRoute CRD will continue to be supported in its current state in Contour 1.0. The plan of record is that IngressRoute will be removed in early 2020.

For more information, please read the IngressRoute to HTTPProxy upgrade guide.

IngressRoute and HTTPProxy status update improvements

IngressRoute and HTTPProxy status updates are now performed by the lead Contour in the deployment. The lead Contour is determined via Kubernetes' standard leader election mechanisms.

If leader election is disabled, all Contours will write status back to the Kubernetes API.

Fixes #1425, #1385, and many other issues with status loops over the years.

HTTPProxy and IngressRoute OpenAPIv3 schema validation

Contour 1.0.0 includes updated OpenAPIv3 schema validations. These schemas are automatically generated from the CRD documents themselves and should be more complete and consistent than the previous hand-rolled versions.

Fixes #513, #1414. Thanks @youngnick

Website improvements

As part of the continued preparations for the 1.0 release Contour's documentation has been relocated to the website. Specifically;

Huge thanks to @jpeach for his work re-organizing and copy editing the website content.

Envoy keepalive tuning

Contour 1.0.0 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection, the other side never gets the message).

The common theme was that the affected clusters used an overlay network, which suggested the overlay was timing out long-running TCP connections. Contour 1.0.0 configures various keepalive mechanisms to detect networking issues between Envoy and Contour.

Fixes #1744. Thanks, @youngnick, @bgagnon, and @ravilr.

Contour now waits for a full cache

Contour now delays serving traffic to Envoy until each of the API informers has caught up to the API server. This change reduces the likelihood that Envoy connects to a Contour instance that is still starting up and thus observes an incomplete view of the cluster.

Updates #1280. Thanks, @jpeach and @stevesloka.

Ingress support

Support for the object has been added.

Fixes #1685

annotations deprecated

As part of the move to the namespace, the Heptio branded annotations have been migrated to their respective versions. The previous annotations should be considered deprecated. Contour will continue to support these deprecated forms for the moment. They will be removed at some point after Contour 1.0.

Client request timeout

The ability to specify a Contour-wide request timeout has been added to the configuration file.

See the configuration file example for more information.

Fixes #1073. Thanks, @youngnick.

TLS certificate validation

Contour now attempts to validate the contents of a TLS certificate before presenting it to Envoy. This validation only extends to asserting that the certificate is well-formed. Certificates that are expired, carry incorrect hostname details, or are otherwise well-formed but invalid are not rejected. IngressRoutes and HTTPProxys that reference invalid secrets will have their Status: fields set accordingly.

Fixes #1065
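
Because a well-formed certificate can still be expired or issued for the wrong name, operators may want a separate check for those cases. The following is an added example, not Contour's own code: it uses only the Go standard library, and the hostnames and the `makeCert` and `audit` helpers are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCert returns a constructed self-signed PEM cert/key pair for host.
func makeCert(host string, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // sample generation only
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// audit separates "well-formed" (PEM parses, key matches the certificate)
// from validity problems that a well-formedness check alone lets through.
func audit(certPEM, keyPEM []byte, fqdn string, now time.Time) (wellFormed bool, problems []string) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return false, []string{err.Error()}
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed once by X509KeyPair
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		problems = append(problems, "outside validity period")
	}
	if leaf.VerifyHostname(fqdn) != nil {
		problems = append(problems, "hostname mismatch")
	}
	return true, problems
}

func main() {
	c, k := makeCert("old.example.com", time.Now().Add(-time.Hour)) // expired sample
	fmt.Println(audit(c, k, "app.example.com", time.Now()))
}
```

The expired sample for the wrong host is reported as well-formed with two problems, which is the class of certificate the release notes say is not rejected.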

Envoy 1.11.2

Contour 1.0.0 requires Envoy 1.11.2.

See the Envoy 1.11.2 announcement for details.

Structured JSON access logs

By default, Envoy emits request logs in its own format. See the Envoy docs for details.

Contour 1.0.0 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.

Please see the documentation and design document for more information.

Fixes #624. Thanks, @youngnick.

Leadership improvements

Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default.
This can be changed using the config file.

Contour image registry changes

Contour's image registry has moved from to
Please update your image locations to

GitHub organization changes

Contour's source code has moved from to

GitHub is pretty good about redirecting people for a time, but eventually, the organization will go away and redirects will cease. Please update your bookmarks.

Contour namespace changes

Contour's default namespace has changed from heptio-contour to projectcontour.

TLS Passthrough and HTTP redirect

Under certain circumstances, it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.

For more information see #910 and #1450.

Per route traffic mirroring

Per route, a service can be nominated as a mirror. The mirror service will receive a copy of the traffic sent to any non-mirror service. The mirrored traffic is considered read-only; any response by the mirror will be discarded.

Fixes #459

Per route idle timeout

Per route, idle timeouts can be configured via the HTTPProxy CRD.

Fixes #944

Contour ignores unrelated Secrets

Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations. This substantially reduces the number of updates processed by Contour.

Fixes #1372

Contour filters Endpoint updates

Contour now supports filtering update notifications. Specifically, Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates sent to Envoy.

Updates #426, #499

Minor improvements

  • The contour binary now executes a graceful shutdown when sent SIGTERM. Thanks, @alexbrand. Fixes #1364.
  • Contour now preserves the X-Request-Id header if present. Fixes #1509.
  • Contour's quickstart documentation now references the current stable version of Contour. Fixes #952.
  • Contour will no longer present a secret via SDS if that secret is not referenced by a valid virtualhost. #1165
  • The envoyproxy/go-control-plane package has been upgraded to version 0.9.0. go-control-plane 0.9.0 switches to the google/protobuf library which results in a 4mb smaller binary. Neat.
  • Our CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
  • The markup of several of our pages has been corrected to render properly on GitHub. Thanks @sudeeptoroy.
  • Envoy's /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
  • IngressRoute objects now forbid * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
  • make help target added. Thanks @jpeach.
  • HTTPProxy prefix conditions must start with a slash. Fixes #1628. Thanks @youngnick.
  • Duplicate HTTPProxy header conditions are now rejected. Fixes #1559. Thanks @youngnick.
  • HTTPProxy route or include blocks with more than one prefix condition are now rejected. Fixes #1611. Thanks @stevesloka.
  • The X-Request-Id header is now no longer removed from incoming requests. Fixes #1487.
  • HTTPProxy includes no longer require a namespace key. If no namespace is provided, the included HTTPProxy is inferred to be in the same namespace as its parent. Fixes #1574. Thanks @youngnick.
  • The ability to write the bootstrap configuration to standard out via contour bootstrap -- - has been added. Thanks @jpeach.
  • Contour now validates that TLS certificates either bear the type or, in the case of upstream validation certificates, contain a non-empty ca.crt key. Fixes #1697. Thanks @jpeach.
  • x_trace_id has been added to the set of JSON loggable fields. Fixes #1734. Thanks @cw-sakamoto!
  • Obsolete Heptio branding has been removed from contour cli. Thanks @jpeach.
  • Several of the examples/ sample manifests have been removed as part of the preparations for the 1.0.0 release.
  • Contour is built with Go 1.13.3.

Bug fixes

  • Contour now rejects IngressRoute and HTTPProxy objects that delegate to another root IngressRoute or HTTPProxy object. Fixes #865.
  • An error where IngressRoute's status is not set when it references an un-delegated TLS cert has been fixed. Fixes #1347.
  • Many documentation updates and improvements. Thanks @stevesloka, @youngnick, @jpeach.
  • Ingress, IngressRoute, and HTTPProxy route conditions are now properly ordered. Fixes #1579. Thanks @jpeach.
  • Incorrect, and as it turns out superfluous, settings removed from .travis.yml. Thanks @SDBrett.
  • The First Route custom field has been removed from the HTTPProxy CRD. Updates #1567. Thanks @youngnick.
  • prefix conditions no longer strip trailing slashes. Fixes #1597. Thanks @youngnick.
  • TCPProxy support now works with HTTPProxy. Fixes #1626. Thanks @stevesloka.
  • HTTPProxy TLSCertificateValidation was broken in beta.1, now it's not. Fixes #1639. Thanks @stevesloka.
  • In the case where an IngressRoute had a missing or invalid TLS secret Contour would serve the IngressRoute over HTTP. Contour now detects the case where a TLS enabled IngressRoute is missing its certificate and will not present the virtualhost over HTTP or HTTPS. Fixes #1452
  • We have published a supported release version policy. Fixes #1581.


Please consult the Upgrading document for further information on upgrading from Contour 0.15.3 to Contour 1.0.0.

Special Shout-Out!

A final special shoutout to @davecheney for all his ongoing guidance, support, and leadership in designing & developing Contour!
