We are delighted to present version 1.0.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
Contour 1.0.0 is the latest stable release. All Contour users should upgrade to 1.0.0.
New and improved
Contour 1.0.0 contains many bug fixes and improvements over 0.15.3, the previous stable release.
Over a year ago Contour 0.6 introduced the IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilizing modern web development patterns in multi-tenant Kubernetes clusters.
As part of preparations for bringing Contour to 1.0 IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.
HTTPProxy brings with it two new concepts--inclusion and conditions--both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and our limited support for prefix based matching.
HTTPProxy is considered stable and our sincere desire is that future changes will be made in a backward-compatible manner. For more information, please consult the HTTPProxy documentation.
None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.
With the introduction of HTTPProxy, IngressRoute CRD is now marked as deprecated.
While deprecated, IngressRoute CRD will continue to be supported in its current state in Contour 1.0. The plan of record is IngressRoute will be removed in early 2020.
For more information, please read the IngressRoute to HTTPProxy upgrade guide.
IngressRoute and HTTPProxy status update improvements
IngressRoute and HTTPProxy status updates are now performed by the lead Contour in the deployment. The lead Contour is determined via Kubernetes' standard leader election mechanisms.
If leader election is disabled, all Contours will write status back to the Kubernetes API.
HTTPProxy and IngressRoute OpenAPIv3 schema validation
Contour 1.0.0 includes updated OpenAPIv3 schema validations. These schemas are automatically generated from the CRD documents themselves and should be more complete and consistent than the previous hand-rolled versions.
As part of the continued preparations for the 1.0 release, Contour's documentation has been relocated to the https://projectcontour.io website. Specifically:
- The Getting Started documentation has moved to projectcontour.io/getting-started
- Guides and How-to's have moved to projectcontour.io/guides
- Versioned release documentation has moved to projectcontour.io/docs
- Project related and non-versioned documentation has moved to projectcontour.io/resources
Huge thanks to @jpeach for his work re-organizing and copy editing the website content.
Envoy keepalive tuning
Contour 1.0.0 addresses an issue where connections between Contour and Envoy could become stuck half-open (one side thinks the connection is open, the other side doesn't) or half-closed (one side closes the connection, the other side never gets the message).
The common theme was that the cluster was using an overlay network, which suggested the overlay was timing out long-running TCP connections. Contour 1.0.0 configures various keepalive mechanisms to detect networking issues between Envoy and Contour.
Contour now waits for a full cache
Contour now delays serving traffic to Envoy until each of the API informers has caught up to the API server. This change reduces the likelihood that Envoy connects to a Contour instance that is still starting up and thus observes an incomplete view of the cluster.
networking.k8s.io/v1beta1 Ingress support
Support for the networking.k8s.io/v1beta1.Ingress object has been added.
contour.heptio.com annotations deprecated
As part of the move to the projectcontour.io namespace, the Heptio branded contour.heptio.com annotations have been migrated to their respective projectcontour.io versions. The previous contour.heptio.com annotations should be considered deprecated. Contour will continue to support these deprecated forms for the moment. They will be removed at some point after Contour 1.0.
Client request timeout
The ability to specify a Contour wide request timeout has been added to the configuration file.
See the configuration file example for more information.
TLS certificate validation
Contour now attempts to validate the contents of a TLS certificate before presenting it to Envoy. This validation only extends to asserting the certificate is well-formed. Certificates that are expired, carry incorrect hostname details, or are otherwise well-formed but invalid are not rejected. IngressRoutes and HTTPProxies that reference invalid secrets will have their Status: fields set accordingly.
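Because the validation described above stops at well-formedness, expiry and hostname have to be checked separately before a certificate is stored in a Secret. The following is an added example, not Contour's own code; the function names WellFormed, Audit and SelfSigned and the example.com hostnames are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WellFormed covers only the scope the release note describes: the PEM decodes and parses.
func WellFormed(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE PEM block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Audit (hypothetical helper) adds the checks the note says are not performed.
func Audit(pemBytes []byte, fqdn string, now time.Time) (findings []string) {
	cert, err := WellFormed(pemBytes)
	if err != nil {
		return []string{"malformed: " + err.Error()}
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		findings = append(findings, "outside validity period")
	}
	if err := cert.VerifyHostname(fqdn); err != nil {
		findings = append(findings, "hostname mismatch")
	}
	return findings
}

// SelfSigned builds a constructed sample certificate so the example runs offline.
func SelfSigned(host string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now() // constructed sample: an expired certificate issued for a different host
	pemBytes := SelfSigned("old.example.com", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	fmt.Println(Audit(pemBytes, "www.example.com", now))
}
```

The expired sample passes WellFormed, which is the case the release note calls out: a certificate can be accepted as well-formed and still be unusable by clients.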
Contour 1.0.0 requires Envoy 1.11.2.
Structured JSON access logs
By default, Envoy emits request logs in its own format. See the Envoy docs for details.
Contour 1.0.0 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.
Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default. This can be changed using the config file.
Contour image registry changes
Contour's image registry has moved from
Please update your image locations to
GitHub organization changes
Contour's source code has moved from
GitHub is pretty good about redirecting people for a time, but eventually, the github.com/heptio organization will go away and redirects will cease. Please update your bookmarks.
Contour namespace changes
Contour's default namespace has changed from
TLS Passthrough and HTTP redirect
Under certain circumstances, it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.
Per route traffic mirroring
Per route, a service can be nominated as a mirror. The mirror service will receive a copy of the traffic sent to any non-mirror service. The mirrored traffic is considered read only; any response by the mirror will be discarded.
Per route idle timeout
Per route, idle timeouts can be configured via the HTTPProxy CRD.
Contour ignores unrelated Secrets
Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations. This substantially reduces the number of updates processed by Contour.
Contour filters Endpoint updates
Contour now supports filtering update notifications. Specifically, Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates sent to Envoy.
- contour binary now executes a graceful shutdown when sent SIGTERM. Thanks, @alexbrand. Fixes #1364.
- Contour now preserves the X-Request-Id header if present. Fixes #1509.
- Contour's quickstart documentation now references the current stable version of Contour. Fixes #952.
- Contour will no longer present a secret via SDS if that secret is not referenced by a valid virtualhost. #1165
- envoyproxy/go-control-plane package has been upgraded to version 0.9.0.
- go-control-plane 0.9.0 switches to the google/protobuf library which results in a 4mb smaller binary. Neat.
- CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
- The markup of several of our pages has been corrected to render properly on GitHub. Thanks @sudeeptoroy.
- /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
- IngressRoute objects now forbid * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
- make help target added. Thanks @jpeach.
- prefix conditions must start with a slash. Fixes #1628. Thanks @youngnick.
- Duplicate HTTPProxy header conditions are now rejected. Fixes #1559. Thanks @youngnick.
- include blocks with more than one prefix condition are now rejected. Fixes #1611. Thanks @stevesloka.
- X-Request-Id header is now no longer removed from incoming requests. Fixes #1487.
- includes no longer require a namespace key. If no namespace is provided, the included HTTPProxy is inferred to be in the same namespace as its parent. Fixes #1574. Thanks @youngnick.
- The ability to write the bootstrap configuration to standard out via contour bootstrap -- - has been added. Thanks @jpeach.
- Contour now validates that TLS certificates either bear the type kubernetes.io/tls or, in the case of upstream validation certificates, contain a non-empty ca.crt key. Fixes #1697. Thanks @jpeach.
- x_trace_id has been added to the set of JSON loggable fields. Fixes #1734. Thanks @cw-sakamoto!
- Obsolete Heptio branding has been removed from contour cli. Thanks @jpeach.
- Several of the examples/ sample manifests have been removed as part of the preparations for the 1.0.0 release.
- Contour is built with Go 1.13.3.
- Contour now rejects IngressRoute and HTTPProxy objects that delegate to another root IngressRoute or HTTPProxy object. Fixes #865.
- An error where IngressRoute's status is not set when it references an un-delegated TLS cert has been fixed. Fixes #1347.
- Many documentation updates and improvements. Thanks @stevesloka, @youngnick, @jpeach.
- Ingress, IngressRoute, and HTTPProxy route conditions are now properly ordered. Fixes #1579. Thanks @jpeach.
- Incorrect, and as it turns out superfluous, settings removed from .travis.yml. Thanks @SDBrett.
- The First Route custom field has been removed from the HTTPProxy CRD. Updates #1567. Thanks @youngnick.
- prefix conditions no longer strip trailing slashes. Fixes #1597. Thanks @youngnick.
- TCPProxy support now works with HTTPProxy. Fixes #1626. Thanks @stevesloka.
- HTTPProxy TLSCertificateValidation was broken in beta.1, now it's not. Fixes #1639. Thanks @stevesloka.
- In the case where an IngressRoute had a missing or invalid TLS secret Contour would serve the IngressRoute over HTTP. Contour now detects the case where a TLS enabled IngressRoute is missing its certificate and will not present the virtualhost over HTTP or HTTPS. Fixes #1452.
- We have published a supported release version policy. Fixes #1581.
Please consult the Upgrading document for further information on upgrading from Contour 0.15.3 to Contour 1.0.0.
A final special shoutout to @davecheney for all his ongoing guidance, support, and leadership in designing & developing Contour!