Skip to content

@davecheney davecheney released this Sep 26, 2019 · 92 commits to master since this release

VMware is proud to present version 1.0.0-beta.1 of Contour, our layer 7 HTTP reverse proxy for Kuberentes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!

Contour 1.0.0-beta.1 is the first beta release along the path to Contour 1.0.

The current stable release at this time remains Contour 0.15.0.

New and improved

Contour 1.0.0-beta.1 contains many bug fixes and improvements.


Over a year ago Contour 0.6 introduced a new CRD, IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilising modern web development patterns in multi tenant Kubernetes clusters.

As part of preparations for bring Contour to 1.0 IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.

HTTPProxy brings with it two new concepts--inclusion and conditions--both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and our limited support for prefix based matching.

For more information, please consult the HTTPProxy documentation.

None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.

IngressRoute deprecation

With the introduction of HTTPProxy, IngressRoute CRD is now marked as deprecated.

The IngressRoute CRD will be supported in its current state until the Contour 1.0.0 release and will be removed shortly after.

For more information please read the IngressRoute to HTTPProxy upgrade guide

Logging changes

By default Envoy emits request logs in its own format. See the Envoy docs for details.

Contour 1.0.0-beta1 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.

Please see the documention and design document for more information.

Fixes #624. Thanks @youngnick.

Leadership improvements

Leader election no longer blocks the opening of the xDS serving port. All Contours serve xDS, the leadership will control which Contour writes status updates. This work is ongoing and is documented in #1385.

Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default.
This can be changed using the config file.

Because of this, rolling updates will now complete, and the example Contour Deployment has been reverted to the RollingUpdate strategy.

Contour image registry changes

Contour's image registry has moved from to

The v1.0.0-beta.1 tag is only available in

For convenience the :v0.15.0 and :latest tags are available in both repositories. Once Contour 1.0.0 final is release the :latest tag will move to Even if you are remaiing on :latest or :v0.15.0 until the final release of Contour 1.0.0 please update your image locations to or respectively.

GitHub organization changes

Contour's source code has moved from to

GitHub is pretty good about redirecting people for a time, but eventually the organization will go away and redirects will cease. Please update your bookmarks.

Contour namespace changes

Contour's default namespace has changed from heptio-contour to projectcontour.

Deprecated examples/

Several of the examples/ sample manifests have been removed as part of the preparations for the 1.0.0 release.

TLS Passthrough and HTTP redirect

Under certain circumstances it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.

For more information see #910 and #1450.

Per route traffic mirroring

Per route a service can be nominated as a mirror. The mirror service will receive a copy of the read traffic sent to any non mirror service. The mirror traffic is considered read only, any response by the mirror will be discarded.

Fixes #459

Per route idle timeout

Per route idle timeouts can be configured via the HTTPProxy CRD.

Fixes #944

Contour ignores unrelated Secrets

Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations.
This substantially reduces the number of updates processed by Contour.

Fixes #1372

Contour filters Endpoint updates

Contour now supports filtering update notifications in some circumstances. Specifically Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates send to Envoy.

Updates #426, #499

Minor improvements

  • The contour binary now executes a graceful shutdown when sent SIGTERM. Thanks @alexbrand. Fixes #1364.
  • Contour now preserves the X-Request-Id header if present. Fixes #1509.
  • Contour's quickstart documentation now references the current stable version of Contour. Fixes #952.
  • Contour will no longer present a secret via SDS if that secret is not referenced by a valid virtualhost. #1165
  • The envoyproxy/go-control-plane package has nbeen upgraded to version 0.9.0. go-control-plane 0.9.0 switches to the google/protobuf library which results in a 4mb smaller binary. Neat.
  • Our CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
  • The markup of several of our pages has been corrected to render properly on GitHub. Thanks @sudeeptoroy.
  • Envoy's /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
  • IngressRoute objects now forbid * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
  • Contour is built with Go 1.13.1.

Bug fixes

Contour will no longer serve an a broken TLS virtualhost over HTTP

In the case where an IngressRoute had a missing or invalid TLS secret Contour would serve the IngressRoute over HTTP. Contour now detects the case where a TLS enabled IngressRoute is missing its certificate and will not present the virtualhost over HTTP or HTTPS.

Fixes #1452

Minor bug fixes

  • Contour now rejects IngressRoute and HTTPProxy objects that delegate to another root IngressRoute or HTTPProxy object. Fixes #865.
  • An error where IngressRoute's status is not set when it references an un-delegated TLS cert has been fixed. Fixes #1347.


Please consult the Upgrading document for further information on upgrading from Contour 0.15 to Contour 1.0.0-beta.1

Assets 2
You can’t perform that action at this time.