Contour v0.13.0

VMware is proud to present version 0.13 of Contour, our Envoy powered Kubernetes Ingress Controller. As always, without the help of the many community contributors, this release would not have been possible. Thank you!

New and improved

Contour 0.13 includes several new features as well as the usual smattering of fixes and minor improvements.

Session Affinity

Session affinity, also known as sticky sessions, is a load balancing strategy whereby a sequence of requests from a single client are consistently routed to the same application backend. Contour 0.13.0 supports session affinity with the strategy: Cookie key on a per-service basis.

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: httpbin
  namespace: default
spec:
  virtualhost:
    fqdn: httpbin.davecheney.com
  routes:
  - match: /
    services:
    - name: httpbin
      port: 8080
      strategy: Cookie

See the design document and IngressRoute documentation for more information.

Service ExternalNames are now supported

Contour now supports proxying traffic to Services which use service.spec.externalName.
When service.spec.externalName is defined DNS is used to discover the services' external endpoints.

Both HTTP and TCP ExternalNames are supported.

See the design document and Kubernetes' Service documentation for more information.

Fixes #334. Thanks @stevesloka.

Sample deployment/ YAML examples moved to examples/

Since our 0.1 release Contour has always included in the repository sample YAML for various configurations.
These were always intended to be examples, and this is how the Contour team always perceived them.
However, we did a bad job of communicating this to our user base, which we are now trying to correct.

In operation, nothing has changed with the sample YAML other than it has moved from deployment/ to examples/ to make clear that these are in fact simply examples.

Fixes #1118. Many thanks to @rochacon.

--envoy-external-http-port and --envoy-external-https-port flags have been deprecated

Due to a long-standing limitation in Envoy, if Contour was deployed on ports other than the tradition 80 (HTTP), and 443 (HTTPS), operators were required to pass to Envoy, via --envoy-external-http-port and --envoy-external-https-port, the non-standard ports that were in use. This was annoying in practice and restricted the use of local development tools like Minikube and Kind.

Contour 0.13.0 introduces a workaround for envoyproxy/envoy#1269, that removes the need to inform Envoy of external ports that will be forwarded to it. In turn, this should make it easier to deploy Contour inside Kind or Minikube clusters.

As they are no longer needed, the --envoy-external-http-port and --envoy-external-https-port flags now generate a warning if used and will be removed completely in 0.14.0.

Fixes #210. Thanks @youngnick.

force-ssl-redirect now takes precidence over the ingress.allow-http annotation

The behavior when the kubernetes.io/ingress.allow-http and ingress.kubernetes.io/force-ssl-redirect were both specified was somewhat surprising. ingress.allow-http: false meant that no routes were not registered for port 80, even if force-ssl-redirect: true was set leading to a 404 where a 3xx upgrade to https was expected.

Contour 0.13.0 now prioritizes force-ssl-redirect. If this annotation is specified and set to true, Contour will always register a port 80 route for the ingress, even if ingress.allow-http: false, so that the forced upgrade can take effect.

Fixes #1023 with many thanks to @ceralena.

Maglev and RingHash load balancer strategies no longer supported.

RingHash and Maglev are two balancing/affinity strategies offered by IngressRoute. However, due to a lack of understanding of how they worked when they were added in Contour 0.6, neither strategy was properly configured and would only result in random behavior.
Without the ability to configure the hash key, which is usually some form of a session cookie, these strategies are not useful and cannot be used correctly.
As such they have been removed from the list of valid strategies.

For their replacement, see the earlier section on Session Affinity.

Fixes #1030 and #1150

HTTP and TCP idle timeouts

Contour 0.13.0 configures an explicit timeout for all idle HTTP and TCP proxy connections. As the definition of idle differs between HTTP and TCP modes the values are different.

• For HTTP an idle timeout of 60 seconds is configured for all connections. After 60 seconds a connection without activity will be closed.
• For TCP proxy idle connections are expected to stay open longer thus the idle timeout is set to 9001 seconds. This value is larger than the default TCP keepalive timeout on most operating systems so the most likely scenario is the operating system will time out the connection before Envoy does. The Envoy idle timeout acts as a second line of defense to avoid leaking file descriptors.

Fixes #1045 and #1074. Thanks @mattalberts and @youngnick.

Envoy memory usage

As part of a continuing effort to characterize and reduce the amount of memory used by Envoy, Contour 0.13 contains several improvements and bug fixes intended to reduce Envoy's footprint.
This work will continue in 0.14 and onwards.

Fixes or updates #499, #876, #1096

Huge thanks to @lrouquette, @mattalberts, @phylake, and many more for their assistance.

IPv6 improvements

Contour now understands the IPv6-any address, "::", and when used Contour will instruct Envoy to open ports on both IPv4 and IPv6 stacks. For example:

command: ["contour"]
args:
- serve
- --incluster
- --envoy-service-http-port=8080
- --envoy-service-https-port=8443
- "--stats-address=::"
- "--envoy-service-https-address=::"
- "--envoy-service-http-address=::"

This makes it possible to use the same config for ipv4-only and ipv6-only k8s, and enables dual-stack.
Big thanks to @uablrek for improving the story for IPv6 only or dual stack Kubernetes clusters.

Other improvements

• Envoy upgraded to 1.10.0. Thanks @stevesloka. Fixes #998.
• IngressRoute now validates that a secret is valid before using it and sets the appropriate status on the IngressRoute object if not. Thanks @stevesloka
• The Envoy's stats listener is now generated programmatically from Contour rather than hardcoded in the bootstrap configuration. Thanks @stevesloka
• Envoy 1.10.0 natively generates statistics in Prometheus format, removing the need for statsd. Fixes #1035, #1086. Thanks @rata and @stevesloka.
• A document outlining the development workflow of the Contour team has been added. It may be informative to interested contributors. We've also updated our CONTRIBUTING document with some guidelines for commit and PR messages. Fixes #1136. Thanks @youngnick.
• Contour now verifies that a TLS secret is of type kubernetes.io/tls and contains the required tls.crt and tls.key elements.

Bugs fixed

Contour 0.13 fixes a problem whereby Envoy could stall during startup if the cluster contains Services with no active pods. This situation is commonly encountered when a Service's Deployment has been scaled to zero replicas.

This fix was also backported to 0.12.1.

For more information see #1091 and #1110.

Additional bug fixes

• The CRD validation for the spec.virtualhost.fqdn field has been adjusted once more. Fixes #755, #1117. Thanks @youngnick.
• A broken link in our Zenhub documentation has been corrected. Fixes #1160. Thanks @paivagustavo.

Upgrading

• The --envoy-external-http-port and --envoy-external-https-port flags are deprecated will be removed in 0.14.0. There is no replacement, the flags are no longer required and should be removed from your deployment YAML.
• Contour 0.13 requires Envoy 1.10.0.

  docker.io/envoyproxy/envoy:v1.10.0
  

  Versions of Envoy later than 1.10.0 are not tested and not guaranteed to work with Contour 0.13.0.
• The strategy: Maglev and strategy: RingHash load balancer strategies have been removed. They never worked correctly and were functionally equivalent of strategy: Random. If cookie based routing is required, see the earlier section on Session Affinity.

Contour v0.12.1

Contour 0.12.1 is a bug fix release for the recently release Contour 0.12.0.

All Contour users should upgrade to Contour 0.12.1.

Bugs fixed (vs Contour 0.12.0)

Contour 0.12.1 fixes a problem whereby Envoy could stall during startup if the cluster containes Services with no active pods. This situation is commonly encountered when a Service's Deployment has been scaled to zero replicas.

This bug is fixed in Contour 0.12.1. All Contour users should upgrade to Contour 0.12.1.

For more information see #1091 and #1110.

Upgrading

If you are already running Contour 0.12.0, there are no specific upgrade instructions save changing the image tag to v0.12.1.

If you are running Contour 0.11.0 or earlier, please see the release notes for the previous release.

Contour v0.12.0

VMware is proud to present version 0.12 of Contour, our Envoy powered Kubernetes Ingress Controller. Again, without the help of the many community contributors, this wouldn't have been possible. Thank you!

New and improved

Contour 0.12 includes several new features as well as the usual smattering of fixes and minor improvements.

Support for per route backend timeouts and retries

Support for specifying backend timeouts and retries has been added to ingressroute. These are enabled via the timeoutPolicy and retryPolicy keys, respectively. eg.

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: request-timeout
  namespace: default
spec:
  virtualhost:
    fqdn: timeout.bar.com
  routes:
  - match: /
    timeoutPolicy:
      request: 1s
    retryPolicy:
      count: 3
      perTryTimeout: 150ms
    services:
    - name: s1
      port: 80

If timeoutPolicy is present then the backend service must complete processing the request in the duration specified. If timeoutPolicy is present without a request key, the timeout is inferred to be infinite. If no timeoutPolicy is present, Envoy will use its default timeout, which is currently 15s.

If retryPolicy is present and perTryTimeout is set a requests to backends will be retried after the duration specified up to the total request duration specified in timeoutPolicy (if present). By default the number of retries is 1, but can be increased with the count key.

See the design document and ingressroute for more information

Thanks to @rohandvora, @prasoontelang and @stevesloka.

Verification of TLS enabled backends

Contour 0.11 added support for enabling TLS communication between Envoy and backend services. Contour 0.12 adds the ability to verify that the backend pod Envoy communicates with is who it says it is. This is achieved in three steps.

1. The backend Service must use TLS to communicate with Envoy. This is achieved with the contour.heptio.com/upstream-protocol.tls annotation on the Service document.
2. The certificate authority used to issue the TLS certificate the backend service offers should be placed in a Secret in the same namespace as the IngressRoute and the Service. eg.

% kubectl create secret generic my-certificate-authority --from-file=./ca.key

3. An validation key is created for each service in the matching route

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: secure-backend
spec:
  virtualhost:
    fqdn: www.example.com
  routes:
    - match: /
      services:
        - name: service
          port: 8443
          validation:
            caSecret: my-certificate-authority
            subjectName: backend.example.com

Both the caSecret and subjectName keys are required.

See the design document and the ingressroute documentation for more information.

Thanks again to @stevesloka

SDS xDS API

While not directly user facing Contour 0.12 adds support for Envoy's Secret Discovery Service (SDS) API.

In the future SDS support will aide in reducing the number of configuration changes sent from Contour to Envoy, and will enable secure communication between Contour and Envoy.

Thanks to @vaamarnath and Matt Alberts. Fixes #898.

AES128-* and AES256-* removed permitted ciphers list

Contour no longer offers ciphers matching AES128-* or AES256-* as they are considered to be weak. This improves the SSL Lab's score for hosts secured by Contour.

See #1011 for more details

Thanks @yob

Sample grafana dashboard

The Contour distribution now includes a set of predefined Grafana dashboards. See deployment/grafana and deployment/prometheus for more information.

Thanks @stevesloka, @alexbrand and @rata.

Other improvements

• regenerate CRDs. Thanks @unicell. Fixes #993.
• force glog to write to stderr. Thanks @unicell. Updates #959
• copy edit documentation. Thanks @lostllama.
• fix issues regenerating CRDs after the switch to go modules. Thanks @glerchundi. Fixes #996
• Contour now reports how many pending changes have been queued by the holdoff notifier. Thanks Matt Alberts.

Upgrading

• Contour 0.12 requires Envoy 1.9.1.

  docker.io/envoyproxy/envoy:v1.9.1
  

  Previous versions of Envoy are not compatible with the configuration generated by Contour 0.11. If Envoy fails to start after upgrading Contour to 0.12 with an error similar to this, you have not upgraded Envoy to 1.9.1.

  [2019-04-08 01:54:58.396][000001][critical][main] [source/server/server.cc:86] error initializing configuration '/config/contour.json': Unable to parse JSON as proto (INVALID_ARGUMENT:normalize_path: Cannot find field.): {"codec_type":"AUTO","http_filters":[{"name":"envoy.health_check","config":{"headers":[{"name":":path","exact_match":"/healthz"}],"pass_through_mode":"false"}},{"name":"envoy.router"}],"stat_prefix":"stats","normalize_path":true,"route_config":{"virtual_hosts":{"routes":[{"match":{"prefix":"/stats"},"route":{"cluster":"service_stats"}}],"domains":["*"],"name":"backend"}}}                                [2019-04-08 01:54:58.397][000001][info][main] [source/server/server.cc:507] exiting
  

  Versions of Envoy later than 1.9.1 are not tested and not guaranteed to work with Contour 0.12.0.

Contour v0.11.0

VMware is proud to present version 0.11 of Contour, our Envoy powered Kubernetes Ingress Controller. As always, thank you to the many community contributors -- we literally couldn't do it without you!

Contour 0.11 address a path traversal security issue in Envoy 1.9.0. It is recommended that all users upgrade to Contour 0.11 and the corresponding Envoy 1.9.1 release.

New and improved

Contour 0.11 includes several new features and one important security patch.

Envoy 1.9.1 and CVE-2019-9901 mitigations

Envoy 1.9.0 and earlier are vulnerable to a path normalisation attack. For example, a remote attacker may craft a path with a relative path, e.g. /public/../admin, to bypass access control, e.g. a block on /admin. When deployed with Contour as an ingress controller this means traffic which was intended to be directed via one route may be sent to another via a denormalised request path.

The fix for this attack is available in Envoy 1.9.1, however it is not sufficient to simply upgrade Envoy as path normalisation is currently opt in. Contour 0.11.0 generates the correct configuration to secure Envoy 1.9.1 by requesting path normalisation for all routes.

Details of the vulnerability

Fixes #983. Thanks @stevesloka

Support of TLS enabled backends

Contour 0.11 adds the ability to connect to backend Service that require TLS. This is enabled by a new annotation on the Service object:

contour.heptio.com/upstream-protocol.tls: {port,portName}

The question of what L7 protocol a Service's port speaks is a property of the Service, not the Ingress/IngressRoute, hence the annotation is placed on the Service object.

See the Annotation documentation for more information

Note: Envoy does not perform any validation of the certificate presented by the backend Service.

Fixes #406, #569, and #963.

Thanks again to @stevesloka

Other improvements

• A design document for adding retry and timeout behaviour to IngressRoute has been merged. Big thank you to @prasoontelang. Updates #815.
• Contour is now built with Go 1.12.1 (1.12.2 was not available at the time of this release). Thanks @avni. Fixes #848
• Upgrade to envoyproxy/go-control-plane v0.6.9. Fixes #933
• Upgrade to k8s.io/client-go v1.12.6. Thanks @vaamarnath. Fixes #934.
• Improve PR contribution templates. Thanks @andrewsykim.
• Contour now uses the shared informer client-go infrastructure. Thanks @andrewsykim.
• Contour has migrated from dep to Go modules for dependency management. Thanks @vaamarnath. Fixes #598.
• Envoy's deprecated --v2-config-only flag has been removed from our sample deployments/. Thanks @rata. Fixes #971.
• Prometheus integration documentation has been updated. Thanks @indradhanush.

Bug fixes

Several bugs in CRD validation have been fixed during the 0.11 development cycle.

• The documentation and validation for TLS Certificate validation (introduced in Contour 0.10) incorrectly suggested that spec.delegations took only a single item. This is incorrect, spec.delegations takes a list. The documentation has been corrected and additional CRD validation introduced to reject the previously incorrect YAML. Thanks to @joshrosso for spotting the issue. Fixes #977.
• A bug in the validation for the Ingressroute spec.tls.secretName prevented names with a forward slash, /, from being used. This has been corrected. Thanks @arminbuerkle. Fixes #965.
• The deployment/ds-hostnet-split example YAML failed to pass validation under newer versions of Kubernetes. This has been fixed. Thanks @stevesloka. Fixes #940.
• A typo in the contour serve documentation has been fixed. Thanks @shivanshu21. Fixes #966.

Upgrading

• Several issues with CRD validation have been fixed in Contour 0.11. Please redeploy Contour using the supplied deployment/ artifacts.
• Envoy's --v2-config-only flag has been deprecated in Envoy 1.9.x, and will be removed entirely in Envoy 1.10. Please remove it from your deployments to prevent Envoy failing to start.
• Contour 0.11 requires Envoy 1.9.1.

  docker.io/envoyproxy/envoy:v1.9.1
  

  Previous versions of Envoy are not compatible with the configuration generated by Contour 0.11. If Envoy fails to start after upgrading Contour to 0.11 with an error similar to this, you have not upgraded Envoy to 1.9.1.

  [2019-04-08 01:54:58.396][000001][critical][main] [source/server/server.cc:86] error initializing configuration '/config/contour.json': Unable to parse JSON as proto (INVALID_ARGUMENT:normalize_path: Cannot find field.): {"codec_type":"AUTO","http_filters":[{"name":"envoy.health_check","config":{"headers":[{"name":":path","exact_match":"/healthz"}],"pass_through_mode":"false"}},{"name":"envoy.router"}],"stat_prefix":"stats","normalize_path":true,"route_config":{"virtual_hosts":{"routes":[{"match":{"prefix":"/stats"},"route":{"cluster":"service_stats"}}],"domains":["*"],"name":"backend"}}}                                [2019-04-08 01:54:58.397][000001][info][main] [source/server/server.cc:507] exiting
  

  Versions of Envoy later than 1.9.1 are not tested and not guaranteed to work with Contour 0.11.

Contour v0.10.0

Heptio is proud to present version 0.10 of Contour, our Envoy powered Kubernetes Ingress Controller. It is recommended that all users upgrade to Contour 0.10.

New and improved

Contour 0.10 features several new features.

Wildcard support via TLS Certificate Delegation

The headline feature for Contour 0.10 is something we call TLS Certificate Delegation. The primary usevcase for TLS Certificate Delegation is enabling an administrator, the owner of a k8s Secret containing a wildcard style--*.mycorp.com--style TLS certificate, to delegate the permission to reference that certificate by name to another namespace.

In this way, administrators do not need to copy tasty wildcard certificates to each namespaces that wants to use them, instead an Ingress or IngressRoute owner can reference the wildcard certificate by name, assuming the administrator has created the appropriate delegation object.

Certificate delegation is opt in. To find out more about this feature, please refer to the following documents;

• TLS Certificate delegation design document
• IngressRoute documentation

Fixes #410

Configurable secure and insecure external ports

Due to a long standing limitation in Envoy, if Contour is not configured to present Envoy at your cluster's edge on ports other than the traditional 80 and 443, Envoy will reject the traffic because some user agents include that foreign port in the Host: header.

To address this two new flags have been added to contour serve, --envoy-external-http-port and --envoy-external-https-port. These default to 80 and 443 respectively.

If you have deployed Contour at your edge using non standard port numbers, you should set these two flags to ensure Envoy can correctly route traffic that arrives with trailing port numbers in the Host: header.

Please see the Upgrading section for information for upgrading from previous incarnations of these flags.

Fixes #610

Other improvements

• Contour now supports the PROXY v1 and v2 preamble headers. The former is predominantly used by AWS ELB instances, the latter is used by HA Proxy. Fixes #802
• Upgrade to envoyproxy/go-control-plane v0.6.4.
• Upgrade to k8s.io/client-go v1.11.7.
• Documentation improvements. Thanks @ramnes.
• Addional tests for the contour serve --access-log flag. Fixes #475. Thanks @vaamarnath.

Bug fixes

• Envoy now stops sending traffic to an endpoint that has active health checking enabled. Previously if the endpoint was removed from the cluster, Envoy would continue to send traffic until the health check timeouts fired. Fixes #603. Thanks @stevesloka and @alexbrand.

Upgrading

• The bootstrap configuration file format has changed from YAML to JSON. This change should be invisible to all users. If not, please redeploy Contour using the supplied deployment/ artifacts.

• The --envoy-http-port and --envoy-https-port flags have been renamed to --envoy-service-http-port and --envoy-service-https-port respectively. The values of these flags default to 8080 and 8443 respectively and should match the ports in the heptio-contour/contour Service document.

• Contour 0.10 requires Envoy 1.9.0.

  docker.io/envoyproxy/envoy-alpine:v1.9.0
  

  Previous versions of Envoy are not compatible with the configuration generated by Contour 0.10. Versions of Envoy later than 1.9.0 are not tested and not guaranteed to work with Contour 0.10.

Contour v0.10.0 release candidate 1

v0.10.0-rc.1

contour 0.10.0 release candidate 1

Contour v0.9.0

Heptio is proud to present version 0.9 of Contour, our Envoy powered Kubernetes Ingress Controller. It is recommended that all users upgrade to Contour 0.9.

New and improved

Improved support for TCP proxying

Contour 0.9 adds support for terminating the TLS encapsulated TCP session at the backend service, not Contour's edge. Otherwise known as TLS passthrough, this feature allows services running on Kubernetes, which already present a TLS encrypted endpoint, to multiplex incoming connections via a single external IP, their ingress controller's port 443.

Thank you to @glerchundi who drive this feature to completion.

Here is an example from the IngressRoute document showing the TCP passthrough in action:

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: example
  namespace: default
spec:
  virtualhost:
    fqdn: tcp-passthrough.example.com
    tls:
      passthrough: true
  tcpproxy:
    services:
    - name: tcpservice
      port: 8080
  routes:
  - match: /
    services:
    - name: dummy
      port: 80

Please consult the IngressRoute documentation for more information.

Improvements to this feature we continue in future Contour releases.

Other improvements

• Statistics are now reported with a stable name that is not restricted to the 60 character cluster name. Fixes #689. Thanks @pims
• Documentation improvements and fixes. Thanks @samuela, @joshrosso, and @aknuds1
• Contour now records the service port in its status message if the service is found but lacks a matching port. Fixes #858
• Upgrade to Go 1.11.5, including the fix for CVE-2019-6486

Bug fixes

• A feedback loop where Contour would reprocess IngressRoute documents when their status was updated has been fixed. This issue affects all version of Contour where IngressRoute is supported. All Contour IngressRoute users should upgrade to version 0.9 or later. Thanks to @dbason for reporting the issue. See #854 for more information.
• The FQDN validation regex has been relaxed to include numbers in TLDs. Fixes #821. Thanks @PeteE

Upgrading

• Contour 0.9 requires Envoy 1.8.0.

   docker.io/envoyproxy/envoy-alpine:v1.8.0
  

  Previous versions of Envoy are not compatible with the configuration generated by Contour 0.9. Versions of Envoy later than 1.8.0 are not tested and not guaranteed to work with Contour 0.9.

Contour v0.8.1

Heptio is proud to present version 0.8.1 of Contour, our Envoy powered Kubernetes Ingress Controller.

Contour 0.8.1 is a bug fix release for the recently released 0.8.0

New and improved

• When using TCP forwarding IngressRoute a dummy spec.routes entry is no longer required to pass validation.
• Contour's holdoff notifier no longer spams stdout with messages about "delaying updates". This significantly reduces log volume from contour processes and improves the signal to noise ratio of Contour's logs.

Bug fixes

• docs: the format of the --use-proxy-protocol documentation has been updated to match the formatting of other examples. Thanks @wadeholler
• docs: a typo in the ingressroute documentation has been fixed. Thanks @jonas

Contour v0.8.0

Heptio is proud to present version 0.8 of Contour, our Envoy powered Kubernetes Ingress Controller.

New and improved

Contour 0.8 includes early support for TCP proxying of TLS encrypted traffic. Currently, TCP sessions must be encrypted with TLS. This is necessary so that Envoy can use SNI to route the incoming request to the correct service.

Here is an example IngressRoute document showing the TCP proxying in action:

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: example
  namespace: default
spec:
  virtualhost:
    fqdn: tcp.example.com
    tls:
      secretName: secret
  tcpproxy:
    services:
    - name: tcpservice
      port: 8080
    - name: otherservice
      port: 9999
      weight: 20
  routes:
  - match: /
    services:
    - name: kuard
      port: 80

Please consult the IngressRoute documentation for more information.

Improvements to this feature we continue throughout the 0.8 and 0.9 series.

Bug fixes

• The missing Service definition for the deployment/ds-host-net example has been re-added.

Contour v0.7.0

Heptio is proud to present version 0.7 of Contour, our Envoy powered Kubernetes Ingress Controller.

New and improved

• Support for rewriting a request prefix has been added to IngressRoute. See https://github.com/heptio/contour/blob/master/docs/ingressroute.md#prefix-rewrite-support for more information. Thanks @stevesloka
• Support for contour.heptio.com/ingress.class has been added to IngressRoute. If the contour.heptio.com/ingress.class: production annotation is present on an IngressRoute object it will only be processed by Contour containers running with the flag --ingress-class-name=production. Thanks @amoskyler. Fixes #720
• All incoming HTTP requests are now timestamped by Envoy with an X-Request-Start : header. This header is understood by New Relic and datadog to time the end-to-end latency of a request. Thanks @yob. Fixes #646
• Support for TLS/1.3 is now enabled for all incoming requests. Thanks @chromefire. Fixes #672
• Gzip compression has been enabled for all responses. Thanks @yob. Fixes #310.
• Envoy has been upgraded to 1.7.0. Older version of Envoy are not compatible with Contour 0.7.0. Please see the Upgrading section for more information.
• Support for HTTP/1.0 requests has been added. Fixes #537
• Envoy now exposes a /healthz endpoint on port 8002 for use with the kubelet's readiness probe. Thanks @stevesloka. Fixes #695

Bugs fixed (since 0.6.1)

• k8s.io/client-go has been upgraded to v8.0.0 (Kubernetes v1.11.3).
• envoyproxy/go-control-plane has been upgraded to v0.6.0.
• AWS NLB documentation and example deployments have been updated for the service.beta.kubernetes.io/aws-load-balancer-type: nlb anotation added in Kubernetes 1.9.
• A bug affecting deployments which explicitly set the contour bootstrap --stats-address flag has been fixed. Thanks @josebiro. Fixes #742

Upgrade instructions

Due to a change in the xDS wire format Contour 0.7.0 requires Envoy 1.7.0. Earlier versions of Envoy will not work with Contour 0.7.0. Please ensure you upgrade your Deployments or Daemonsets to use this Envoy image

docker.io/envoyproxy/envoy-alpine:v1.7.0

If desired you can upgrade your Envoy container first, then your Contour container. This will cause Envoy to emit warnings like these

[2018-10-25 23:15:43.382][1][warning][misc] source/common/config/utility.cc:94] Setting a cluster name for API config source type envoy::api::v2::core::ConfigSource::GRPC is deprecated

When running against Contour 0.6.1. These warnings will cease once Contour is upgraded to 0.7.0.