July 2024 release updates (#6588)

* patch release changelogs
* compatibility matrix and versions.yaml updates
* trivy-scan.yaml update
* dependabot.yml update
* Prepare documentation site for v1.30.0 release.
* Add changelog for v1.30.0 release.
* changelog cleanup

Signed-off-by: Steve Kriss <[email protected]>

Author: skriss

.github/dependabot.yml

@@ -37,7 +37,7 @@ updates:
       - "actions/download-artifact"
 
 # release branch N targets
-- target-branch: release-1.29
+- target-branch: release-1.30
   package-ecosystem: "gomod"
   directory: "/"
   schedule:
@@ -57,7 +57,7 @@ updates:
     k8s-dependencies:
       patterns:
       - "k8s.io/*"
-- target-branch: release-1.29
+- target-branch: release-1.30
   package-ecosystem: "github-actions"
   directory: "/"
   schedule:
@@ -80,7 +80,7 @@ updates:
       - "actions/download-artifact"
 
 # release branch N-1 targets
-- target-branch: release-1.28
+- target-branch: release-1.29
   package-ecosystem: "gomod"
   directory: "/"
   schedule:
@@ -100,7 +100,7 @@ updates:
     k8s-dependencies:
       patterns:
       - "k8s.io/*"
-- target-branch: release-1.28
+- target-branch: release-1.29
   package-ecosystem: "github-actions"
   directory: "/"
   schedule:
@@ -123,7 +123,7 @@ updates:
       - "actions/download-artifact"
 
 # release branch N-2 targets
-- target-branch: release-1.27
+- target-branch: release-1.28
   package-ecosystem: "gomod"
   directory: "/"
   schedule:
@@ -143,7 +143,7 @@ updates:
     k8s-dependencies:
       patterns:
       - "k8s.io/*"
-- target-branch: release-1.27
+- target-branch: release-1.28
   package-ecosystem: "github-actions"
   directory: "/"
   schedule:

.github/workflows/trivy-scan.yaml

@@ -16,9 +16,9 @@ jobs:
       matrix:
         branch:
         - main
+        - release-1.30
         - release-1.29
         - release-1.28
-        - release-1.27
     runs-on: ubuntu-latest
     permissions:
       security-events: write

changelogs/CHANGELOG-v1.28.6.md

@@ -0,0 +1,26 @@
+We are delighted to present version v1.28.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
+
+- [All Changes](#all-changes)
+- [Installing/Upgrading](#installing-and-upgrading)
+- [Compatible Kubernetes Versions](#compatible-kubernetes-versions)
+
+# All Changes
+
+- Updates Envoy to v1.29.7. See the release notes [here](https://www.envoyproxy.io/docs/envoy/v1.29.7/version_history/v1.29/v1.29.7).
+- Updates Go to v1.21.12. See the release notes [here](https://go.dev/doc/devel/release#go1.21.minor).
+
+
+# Installing and Upgrading
+
+For a fresh install of Contour, consult the [getting started documentation](https://projectcontour.io/getting-started/).
+
+To upgrade an existing Contour installation, please consult the [upgrade documentation](https://projectcontour.io/resources/upgrading/).
+
+
+# Compatible Kubernetes Versions
+
+Contour v1.28.6 is tested against Kubernetes 1.27 through 1.29.
+
+
+# Are you a Contour user? We would love to know!
+If you're using Contour and want to add your organization to our adopters list, please visit this [page](https://projectcontour.io/resources/adopters/). If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this [GitHub thread](https://github.com/projectcontour/contour/issues/1269).

changelogs/CHANGELOG-v1.29.2.md

@@ -0,0 +1,26 @@
+We are delighted to present version v1.29.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
+
+- [All Changes](#all-changes)
+- [Installing/Upgrading](#installing-and-upgrading)
+- [Compatible Kubernetes Versions](#compatible-kubernetes-versions)
+
+# All Changes
+
+- Updates Envoy to v1.30.4. See the release notes [here](https://www.envoyproxy.io/docs/envoy/v1.30.4/version_history/v1.30/v1.30.4).
+- Updates Go to v1.22.5. See the release notes [here](https://go.dev/doc/devel/release#go1.22.minor).
+
+
+# Installing and Upgrading
+
+For a fresh install of Contour, consult the [getting started documentation](https://projectcontour.io/getting-started/).
+
+To upgrade an existing Contour installation, please consult the [upgrade documentation](https://projectcontour.io/resources/upgrading/).
+
+
+# Compatible Kubernetes Versions
+
+Contour v1.29.2 is tested against Kubernetes 1.27 through 1.29.
+
+
+# Are you a Contour user? We would love to know!
+If you're using Contour and want to add your organization to our adopters list, please visit this [page](https://projectcontour.io/resources/adopters/). If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this [GitHub thread](https://github.com/projectcontour/contour/issues/1269).

changelogs/CHANGELOG-v1.30.0.md

@@ -0,0 +1,120 @@
+We are delighted to present version v1.30.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
+
+A big thank you to everyone who contributed to the release.
+
+- [Minor Changes](#minor-changes)
+- [Other Changes](#other-changes)
+- [Deprecations/Removals](#deprecation-and-removal-notices)
+- [Installing/Upgrading](#installing-and-upgrading)
+- [Compatible Kubernetes Versions](#compatible-kubernetes-versions)
+- [Community Thanks!](#community-thanks)
+
+# Minor Changes
+
+## Gateway API: Implement Listener/Route hostname isolation
+
+Gateway API spec update in this [GEP](https://github.com/kubernetes-sigs/gateway-api/pull/2465).
+Updates logic on finding intersecting route and Listener hostnames to factor in the other Listeners on a Gateway that the route in question may not actually be attached to.
+Requests should be "isolated" to the most specific Listener and it's attached routes.
+
+(#6162, @sunjayBhatia)
+
+## Update examples for monitoring Contour and Envoy
+
+Updates the [documentation](https://projectcontour.io/docs/main/guides/prometheus/) and examples for deploying a monitoring stack (Prometheus and Grafana) to scrape metrics from Contour and Envoy.
+Adds a metrics port to the Envoy DaemonSet/Deployment in the example YAMLs to expose port `8002` so that `PodMonitor` resources can be used to find metrics endpoints.
+
+(#6269, @sunjayBhatia)
+
+## Update to Gateway API v1.1.0
+
+Gateway API CRD compatibility has been updated to release v1.1.0.
+
+Notable changes for Contour include:
+- The `BackendTLSPolicy` resource has undergone some breaking changes and has been updated to the `v1alpha3` API version. This will require any existing users of this policy to uninstall the v1alpha2 version before installing this newer version.
+- `GRPCRoute` has graduated to GA and is now in the `v1` API version.
+
+Full release notes for this Gateway API release can be found [here](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.1.0).
+
+(#6398, @sunjayBhatia)
+
+## Add Circuit Breaker support for Extension Services
+
+This change enables the user to configure the Circuit breakers for extension services either via the global Contour config or on an individual Extension Service.
+
+**NOTE**: The `PerHostMaxConnections` is now also configurable via the global settings.
+
+(#6539, @clayton-gonsalves)
+
+## Fallback Certificate: Add Global Ext Auth support
+
+Applies Global Auth filters to Fallback certificate
+
+(#6558, @erikflores7)
+
+## Gateway API: handle Route conflicts with GRPCRoute.Matches
+
+It's possible that multiple GRPCRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:
+
+- The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
+- The Route appearing first in alphabetical order (namespace/name) for example, foo/bar is given precedence over foo/baz.
+
+With above ordering, any GRPCRoute that ranks lower, will be marked with below conditions accordingly:
+1. If only partial rules under this GRPCRoute are conflicted, it's marked with `Accepted: True` and `PartiallyInvalid: true` Conditions and Reason: `RuleMatchPartiallyConflict`.
+2. If all the rules under this GRPCRoute are conflicted, it's marked with `Accepted: False` Condition and Reason `RuleMatchConflict`.
+
+(#6566, @lubronzhan)
+
+
+# Other Changes
+- Fixes bug where external authorization policy was ignored on HTTPProxy direct response routes. (#6426, @shadialtarsha)
+- Updates to Kubernetes 1.30. Supported/tested Kubernetes versions are now 1.28, 1.29, and 1.30. (#6444, @sunjayBhatia)
+- Enforce `deny-by-default` approach on the `admin` listener by matching on exact paths and on `GET` requests (#6447, @davinci26)
+- Add support for defining equal-preference cipher groups ([cipher1|cipher2|...]) and permit `ECDHE-ECDSA-CHACHA20-POLY1305` and `ECDHE-RSA-CHACHA20-POLY1305` to be used separately. (#6461, @tsaarni)
+- allow `/stats/prometheus` route on the `admin` listener. (#6503, @clayton-gonsalves)
+- Improve shutdown manager query to the Envoy stats endpoint for active connections by utilizing a regex filter query param. (#6523, @therealak12)
+- Updates to Go 1.22.5. See the [Go release notes](https://go.dev/doc/devel/release#go1.22.minor) for more information. (#6563, @sunjayBhatia)
+- Updates Envoy to v1.31.0. See the [Envoy release notes](https://www.envoyproxy.io/docs/envoy/v1.31.0/version_history/v1.31/v1.31.0) for more information about the content of the release. (#6569, @skriss)
+
+# Deprecation and Removal Notices
+
+
+## Contour sample YAML manifests no longer use `prometheus.io/` annotations
+
+The annotations for notifying a Prometheus instance on how to scrape metrics from Contour and Envoy pods have been removed from the deployment YAMLs and the Gateway provisioner.
+The suggested mechanism for doing so now is to use [kube-prometheus](https://github.com/prometheus-operator/kube-prometheus) and the [`PodMonitor`](https://prometheus-operator.dev/docs/operator/design/#podmonitor) resource.
+
+(#6269, @sunjayBhatia)
+
+## xDS server type fields in config file and ContourConfiguration CRD are deprecated
+
+These fields are officially deprecated now that the `contour` xDS server implementation is deprecated.
+They are planned to be removed in the 1.31 release, along with the `contour` xDS server implementation.
+
+(#6561, @skriss)
+
+
+# Installing and Upgrading
+
+For a fresh install of Contour, consult the [getting started documentation](https://projectcontour.io/getting-started/).
+
+To upgrade an existing Contour installation, please consult the [upgrade documentation](https://projectcontour.io/resources/upgrading/).
+
+
+# Compatible Kubernetes Versions
+
+Contour v1.30.0 is tested against Kubernetes 1.28 through 1.30.
+
+# Community Thanks!
+We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
+
+- @clayton-gonsalves
+- @davinci26
+- @erikflores7
+- @lubronzhan
+- @shadialtarsha
+- @therealak12
+
+
+# Are you a Contour user? We would love to know!
+If you're using Contour and want to add your organization to our adopters list, please visit this [page](https://projectcontour.io/resources/adopters/). If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this [GitHub thread](https://github.com/projectcontour/contour/issues/1269).

changelogs/unreleased/6162-sunjayBhatia-minor.md

@@ -28,7 +28,7 @@ params:
   github_url: "https://github.com/projectcontour/contour"
   github_raw_url: "https://raw.githubusercontent.com/projectcontour/contour"
   slack_url: "https://kubernetes.slack.com/messages/contour"
-  latest_version: "1.29"
+  latest_version: "1.30"
   use_advanced_docs: true
   docs_right_sidebar: true
   docs_search: true
@@ -38,6 +38,7 @@ params:
   docs_versioning: true
   docs_versions:
   - main
+  - "1.30"
   - "1.29"
   - "1.28"
   - "1.27"

changelogs/unreleased/6269-sunjayBhatia-deprecation.md

@@ -0,0 +1,48 @@
+---
+cascade:
+  layout: docs
+  version: "1.30"
+  branch: release-1.30
+---
+
+## Overview
+Contour is an Ingress controller for Kubernetes that works by deploying the [Envoy proxy][1] as a reverse proxy and load balancer.
+Contour supports dynamic configuration updates out of the box while maintaining a lightweight profile.
+
+## Philosophy
+- Follow an opinionated approach which allows us to better serve most users
+- Design Contour to serve both the cluster administrator and the application developer
+- Use our experience with ingress to define reasonable defaults for both cluster administrators and application developers.
+- Meet users where they are by understanding and adapting Contour to their use cases
+
+See the full [Contour Philosophy][8] page.
+
+## Why Contour?
+Contour bridges other solution gaps in several ways:
+- Dynamically update the ingress configuration with minimal dropped connections
+- Safely support multiple types of ingress config in multi-team Kubernetes clusters
+  - [Ingress/v1][10]
+  - [HTTPProxy (Contour custom resource)][2]
+  - [Gateway API][9]
+- Cleanly integrate with the Kubernetes object model
+
+## Prerequisites
+Contour is tested with Kubernetes clusters running version [1.21 and later][4].
+
+## Get started
+Getting started with Contour is as simple as one command.
+See the [Getting Started][3] document.
+
+## Troubleshooting
+If you encounter issues review the [troubleshooting][5] page, [file an issue][6], or talk to us on the [#contour channel][7] on Kubernetes slack.
+
+[1]: https://www.envoyproxy.io/
+[2]: config/fundamentals.md
+[3]: /getting-started
+[4]: /resources/compatibility-matrix.md
+[5]: /docs/main/troubleshooting
+[6]: https://github.com/projectcontour/contour/issues
+[7]: https://kubernetes.slack.com/messages/contour
+[8]: /resources/philosophy
+[9]: guides/gateway-api
+[10]: /docs/{{< param version >}}/config/ingress