Releases: projectcontour/contour
Contour v1.24.6
We are delighted to present version v1.24.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
This release includes various dependency bumps and fixes for CVE-2023-44487, including:
- Update to Envoy v1.25.11. See the release notes for v1.25.10 here and v1.25.11 here.
- Update to Go v1.20.10. See the Go release notes for more information.
Additional mitigations have been added for CVE-2023-44487 in the form of new configuration fields:
Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487
Envoy mitigates CVE-2023-44487 with some default runtime settings, however the http.max_requests_per_io_cycle does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.
The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:
listener:
max-requests-per-io-cycle: 10
(Note this can be used in addition to the existing Listener configuration field listener.max-requests-per-connection which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)
HTTP/2 max concurrent streams is configurable
This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.
The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:
listener:
http2-max-concurrent-streams: 50
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.24.6 is tested against Kubernetes 1.24 through 1.26.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.26.0
We are delighted to present version v1.26.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
- Major Changes
- Minor Changes
- Other Changes
- Docs Changes
- Deprecations/Removals
- Installing/Upgrading
- Compatible Kubernetes Versions
- Community Thanks!
Major Changes
Support for Gateway Listeners on more than two ports
Contour now supports Gateway Listeners with many different ports.
Previously, Contour only allowed a single port for HTTP, and a single port for HTTPS/TLS.
As an example, the following Gateway, with two HTTP ports and two HTTPS ports, is now fully supported:
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
name: contour
spec:
gatewayClassName: contour
listeners:
- name: http-1
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: Same
- name: http-2
protocol: HTTP
port: 81
allowedRoutes:
namespaces:
from: Same
- name: https-1
protocol: HTTPS
port: 443
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- name: tls-cert-1
- name: https-2
protocol: HTTPS
port: 444
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- name: tls-cert-2If you are using the Contour Gateway Provisioner, ports for all valid Listeners will automatically be exposed via the Envoy service, and will update when any Listener changes are made.
If you are using static provisioning, you must keep the Service definition in sync with the Gateway spec manually.
Note that if you are using the Contour Gateway Provisioner along with HTTPProxy or Ingress for routing, then your Gateway must have exactly one HTTP Listener and one HTTPS Listener.
For this case, Contour supports a custom HTTPS Listener protocol value, to avoid having to specify TLS details in the Listener (since they're specified in the HTTPProxy or Ingress instead):
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
name: contour-with-httpproxy
spec:
gatewayClassName: contour
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
- name: https
protocol: projectcontour.io/https
port: 443
allowedRoutes:
namespaces:
from: AllMinor Changes
Contour now outputs metrics about status update load
Metrics on status update counts and duration are now output by the xDS server.
This should enable deployments at scale to diagnose delays in status updates and possibly tune the --kubernetes-client-qps and --kubernetes-client-burst flags.
Watching specific namespaces
The contour serve command takes a new optional flag, --watch-namespaces, that can
be used to restrict the namespaces where the Contour instance watches for resources.
Consequently, resources in other namespaces will not be known to Contour and will not
be acted upon.
You can watch a single or multiple namespaces, and you can further restrict the root
namespaces with --root-namespaces just like before. Root namespaces must be a subset
of the namespaces being watched, for example:
--watch-namespaces=my-admin-namespace,my-app-namespace --root-namespaces=my-admin-namespace
If the --watch-namespaces flag is not used, then all namespaces will be watched by default.
HTTPProxy: Implement Regex Path Matching and Regex Header Matching.
This Change Adds 2 features to HTTPProxy
- Regex based path matching.
- Regex based header matching.
Path Matching
In addition to prefix and exact, HTTPProxy now also support regex.
Root Proxies
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: root-regex-match
spec:
fqdn: local.projectcontour.io
routes:
- conditions:
# matches
# - /list/1234
# - /list/
# - /list/foobar
# and so on and so forth
- regex: /list/.*
services:
- name: s1
port: 80
- conditions:
# matches
# - /admin/dev
# - /admin/prod
- regex: /admin/(prod|dev)
services:
- name: s2
port: 80Inclusion
Root
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: root-regex-match
spec:
fqdn: local.projectcontour.io
includes:
- name: child-regex-match
conditions:
- prefix: /child
routes:
- conditions:
- prefix: /
services:
- name: s1
port: 80Included
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: child-regex-match
spec:
fqdn: local.projectcontour.io
routes:
- conditions:
# matches
# - /child/list/1234
# - /child/list/
# - /child/list/foobar
# and so on and so forth
- regex: /list/.*
services:
- name: s1
port: 80
- conditions:
# matches
# - /child/admin/dev
# - /child/admin/prod
- regex: /admin/(prod|dev)
services:
- name: s2
port: 80
- conditions:
# matches
# - /child/bar/stats
# - /child/foo/stats
# and so on and so forth
- regex: /.*/stats
services:
- name: s3
port: 80Header Regex Matching
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: httpproxy-header-matching
spec:
fqdn: local.projectcontour.io
routes:
- conditions:
- queryParam:
# matches header `x-header` with value of `dev-value` or `prod-value`
name: x-header
regex: (dev|prod)-value
services:
- name: s4
port: 80Adds critical level for access logging
New critical access log level was introduced to reduce the volume of logs for busy installations. Critical level produces access logs for response status >= 500.
(#5360, @davinci26)
Default Global RateLimit Policy
This Change adds the ability to define a default global rate limit policy in the Contour configuration
to be used as a global rate limit policy by all HTTPProxy objects.
HTTPProxy object can decide to opt out and disable this feature using disabled config.
Sample Configurations
contour.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: contour
namespace: projectcontour
data:
contour.yaml: |
rateLimitService:
extensionService: projectcontour/ratelimit
domain: contour
failOpen: false
defaultGlobalRateLimitPolicy:
descriptors:
- entries:
- remoteAddress: {}
- entries:
- genericKey:
value: fooContour supports setting the MaxRequestsPerConnection
Support setting of MaxRequestsPerConnection on listeners or clusters via the contour configuration.
Failures to automatically set GOMAXPROCS are no longer fatal
In some (particularly local development) environments the automaxprocs library fails due to the cgroup namespace setup.
This failure is no longer fatal for Contour.
Contour will now simply log the error and continue with the automatic GOMAXPROCS detection ignored.
Routes with HTTP Method matching have higher precedence
For conformance with Gateway API v0.7.1+, routes that utilize HTTP method matching now have an explicit precedence over routes with header/query matches.
See the Gateway API documentation for a description of this precedence order.
This change applies not only to HTTPRoute but also HTTPProxy method matches (implemented in configuration via a header match on the :method header).
Host header including port is passed through unmodified to backend
Previously Contour would strip any port from the Host header in a downstream request for convenience in routing.
This resulted in backends not receiving the Host header with a port.
We no longer do this, for conformance with Gateway API (this change also applies to HTTPProxy and Ingress configuration).
Gateway API: add TCPRoute support
Contour now supports Gateway API's TCPRoute resource.
This route type provides simple TCP forwarding for traffic received on a given Listener port.
This is a simple example of a Gateway and TCPRoute configuration:
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
name: contour
namespace: projectcontour
spec:
gatewayClassName: contour
listeners:
- name: tcp-listener
protocol: TCP
port: 10000
allowedRoutes:
namespaces:
from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: echo-1
namespace: default
spec:
parentRefs:
- namespace: projectcontour
name: contour
sectionName: tcp-listener
rules:
- backendRefs:
- name: s1
port: 80Contributors
Assets 2
Contour v1.26.0-rc.1
We are delighted to present version v1.26.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!
- Major Changes
- Minor Changes
- Other Changes
- Docs Changes
- Deprecations/Removals
- Installing/Upgrading
- Compatible Kubernetes Versions
- Community Thanks!
Major Changes
Support for Gateway Listeners on more than two ports
Contour now supports Gateway Listeners with many different ports.
Previously, Contour only allowed a single port for HTTP, and a single port for HTTPS/TLS.
As an example, the following Gateway, with two HTTP ports and two HTTPS ports, is now fully supported:
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
name: contour
spec:
gatewayClassName: contour
listeners:
- name: http-1
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: Same
- name: http-2
protocol: HTTP
port: 81
allowedRoutes:
namespaces:
from: Same
- name: https-1
protocol: HTTPS
port: 443
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- name: tls-cert-1
- name: https-2
protocol: HTTPS
port: 444
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- name: tls-cert-2If you are using the Contour Gateway Provisioner, ports for all valid Listeners will automatically be exposed via the Envoy service, and will update when any Listener changes are made.
If you are using static provisioning, you must keep the Service definition in sync with the Gateway spec manually.
Note that if you are using the Contour Gateway Provisioner along with HTTPProxy or Ingress for routing, then your Gateway must have exactly one HTTP Listener and one HTTPS Listener.
For this case, Contour supports a custom HTTPS Listener protocol value, to avoid having to specify TLS details in the Listener (since they're specified in the HTTPProxy or Ingress instead):
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
name: contour-with-httpproxy
spec:
gatewayClassName: contour
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
- name: https
protocol: projectcontour.io/https
port: 443
allowedRoutes:
namespaces:
from: AllMinor Changes
Contour now outputs metrics about status update load
Metrics on status update counts and duration are now output by the xDS server.
This should enable deployments at scale to diagnose delays in status updates and possibly tune the --kubernetes-client-qps and --kubernetes-client-burst flags.
Watching specific namespaces
The contour serve command takes a new optional flag, --watch-namespaces, that can
be used to restrict the namespaces where the Contour instance watches for resources.
Consequently, resources in other namespaces will not be known to Contour and will not
be acted upon.
You can watch a single or multiple namespaces, and you can further restrict the root
namespaces with --root-namespaces just like before. Root namespaces must be a subset
of the namespaces being watched, for example:
--watch-namespaces=my-admin-namespace,my-app-namespace --root-namespaces=my-admin-namespace
If the --watch-namespaces flag is not used, then all namespaces will be watched by default.
HTTPProxy: Implement Regex Path Matching and Regex Header Matching.
This Change Adds 2 features to HTTPProxy
- Regex based path matching.
- Regex based header matching.
Path Matching
In addition to prefix and exact, HTTPProxy now also support regex.
Root Proxies
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: root-regex-match
spec:
fqdn: local.projectcontour.io
routes:
- conditions:
# matches
# - /list/1234
# - /list/
# - /list/foobar
# and so on and so forth
- regex: /list/.*
services:
- name: s1
port: 80
- conditions:
# matches
# - /admin/dev
# - /admin/prod
- regex: /admin/(prod|dev)
services:
- name: s2
port: 80Inclusion
Root
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: root-regex-match
spec:
fqdn: local.projectcontour.io
includes:
- name: child-regex-match
conditions:
- prefix: /child
routes:
- conditions:
- prefix: /
services:
- name: s1
port: 80Included
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: child-regex-match
spec:
fqdn: local.projectcontour.io
routes:
- conditions:
# matches
# - /child/list/1234
# - /child/list/
# - /child/list/foobar
# and so on and so forth
- regex: /list/.*
services:
- name: s1
port: 80
- conditions:
# matches
# - /child/admin/dev
# - /child/admin/prod
- regex: /admin/(prod|dev)
services:
- name: s2
port: 80
- conditions:
# matches
# - /child/bar/stats
# - /child/foo/stats
# and so on and so forth
- regex: /.*/stats
services:
- name: s3
port: 80Header Regex Matching
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: httpproxy-header-matching
spec:
fqdn: local.projectcontour.io
routes:
- conditions:
- queryParam:
# matches header `x-header` with value of `dev-value` or `prod-value`
name: x-header
regex: (dev|prod)-value
services:
- name: s4
port: 80Support Gateway API v0.7.1
Contour now supports Gateway API v0.7.1, keeping up to date with conformance and API changes.
This release mainly contains refinements to status conditions and conformance test additions.
See v0.7.0 release notes and v0.7.1 release notes .
Adds critical level for access logging
New critical access log level was introduced to reduce the volume of logs for busy installations. Critical level produces access logs for response status >= 500.
(#5360, @davinci26)
Default Global RateLimit Policy
This Change adds the ability to define a default global rate limit policy in the Contour configuration
to be used as a global rate limit policy by all HTTPProxy objects.
HTTPProxy object can decide to opt out and disable this feature using disabled config.
Sample Configurations
contour.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: contour
namespace: projectcontour
data:
contour.yaml: |
rateLimitService:
extensionService: projectcontour/ratelimit
domain: contour
failOpen: false
defaultGlobalRateLimitPolicy:
descriptors:
- entries:
- remoteAddress: {}
- entries:
- genericKey:
value: fooContour supports setting the MaxRequestsPerConnection
Support setting of MaxRequestsPerConnection on listeners or clusters via the contour configuration.
Failures to automatically set GOMAXPROCS are no longer fatal
In some (particularly local development) environments the automaxprocs library fails due to the cgroup namespace setup.
This failure is no longer fatal for Contour.
Contour will now simply log the error and continue with the automatic GOMAXPROCS detection ignored.
Routes with HTTP Method matching have higher precedence
For conformance with Gateway API v0.7.1+, routes that utilize HTTP method matching now have an explicit precedence over routes with header/query matches.
See the Gateway API documentation for a description of this precedence order.
This change applies not only to HTTPRoute but also HTTPProxy method matches (implemented in configuration via a header match on the :method header).
Host header including port is passed through unmodified to backend
Previously Contour would strip any port from the Host header in a downstream request for convenience in routing.
This resulted in backends not receiving the Host header with a port.
We no longer do this, for conformance with Gateway API (this change also applies to HTTPProxy and Ingress configuration).
Gateway API: add TCPRoute support
Contour now supports Gateway API's TCPRoute resource.
This route type provides simple TCP forwarding for traffic received on a given Listener port.
This is a simple example of a Gateway and TCPRoute configuration:
...
Contributors
Assets 2
Contour v1.25.2
We are delighted to present version v1.25.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Bumps client-go to v1.26.7. This ensures better compatibility with Kubernetes v1.27 clusters. See this upstream issue for more context on why this change is required. Many thanks to @chrism417 for bringing this to our attention.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.25.2 is tested against Kubernetes 1.25 through 1.27.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contributors
Assets 2
Contour v1.25.1
We are delighted to present version v1.25.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Update to Envoy v1.26.4. See the Envoy release notes for more information about the content of the release.
- Update to Go v1.20.6. See the Go release notes for more information.
- Failure to automatically set GOMAXPROCS using the automaxprocs library is no longer fatal. Contour will now simply log the error and continue with the automatic GOMAXPROCS detection ignored.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.25.1 is tested against Kubernetes 1.25 through 1.27.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.24.5
We are delighted to present version v1.24.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Update to Envoy v1.25.9. See the Envoy release notes for more information about the content of the release.
- Update to Go v1.19.11. See the Go release notes for more information.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.24.5 is tested against Kubernetes 1.24 through 1.26.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.23.6
We are delighted to present version v1.23.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Update to Envoy v1.24.10. See the Envoy release notes for more information about the content of the release including details on the addressed CVEs.
- Update to Go v1.19.11. See the Go release notes for more information.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.23.6 is tested against Kubernetes 1.23 through 1.25.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
Contour v1.25.0
We are delighted to present version v1.25.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Major Changes
IP Filter Support
Contour's HTTPProxy now supports configuring Envoy's RBAC filter for allowing or denying requests by IP.
An HTTPProxy can optionally include one or more IP filter rules, which define CIDR ranges to allow or deny requests based on origin IP. Filters can indicate whether the direct IP should be used or whether a reported IP from PROXY or X-Forwarded-For should be used instead. If the latter, Contour's numTrustedHops setting will be respected when determining the source IP. Filters defined at the VirtualHost level apply to all routes, unless overridden by a route-specific filter.
For more information, see:
Add Tracing Support
Contour now supports exporting tracing data to OpenTelemetry
The Contour configuration file and ContourConfiguration CRD will be extended with a new optional tracing section. This configuration block, if present, will enable tracing and will define the trace properties needed to generate and export trace data.
Contour supports the following configurations
- Custom service name, the default is
contour. - Custom sampling rate, the default is
100. - Custom the maximum length of the request path, the default is
256. - Customize span tags from literal and request headers.
- Customize whether to include the pod's hostname and namespace.
Minor Changes
Add support for Global External Authorization for HTTPProxy.
Contour now supports external authorization for all hosts by setting the config as part of the contourConfig like so:
globalExtAuth:
extensionService: projectcontour-auth/htpasswd
failOpen: false
authPolicy:
context:
header1: value1
header2: value2
responseTimeout: 1sIndividual hosts can also override or opt out of this global configuration.
You can read more about this feature in detail in the guide.
HTTPProxy: Add support for exact path match condition
HttpProxy conditions block now also supports exact path match condition.
HTTPProxy: Internal Redirect support
Contour now supports specifying an internalRedirectPolicy on a Route to handle 3xx redirects internally, that is capturing a configurable 3xx redirect response, synthesizing a new request, sending it to the upstream specified by the new route match, and returning the redirected response as the response to the original request.
HTTPProxy: implement HTTP query parameter matching
Contour now implements HTTP query parameter matching for HTTPProxy resource-based routes. It supports Exact, Prefix, Suffix, Regex and Contains string matching conditions together with the IgnoreCase modifier and also the Present matching condition. For example, the following HTTPProxy will route requests based on the configured condition examples for the given query parameter search:
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: httpproxy-queryparam-matching
spec:
routes:
- conditions:
- queryParam:
# will match e.g. '?search=example' as is
name: search
exact: example
services:
- name: s1
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=prefixthis' or any string value prefixed by `prefix` (case insensitive)
name: search
prefix: PreFix
ignoreCase: true
services:
- name: s2
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=thispostfix' or any string value suffixed by `postfix` (case sensitive)
name: search
suffix: postfix
services:
- name: s3
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=regularexp123' or any string value matching the given regular expression
name: search
regex: ^regular.*
services:
- name: s4
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=somethinginsideanother' or any string value containing the substring 'inside' (case sensitive)
name: search
contains: inside
services:
- name: s5
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=' or any string value given to the named parameter
name: search
present: true
services:
- name: s6
port: 80Allow Disabling Features
The contour serve command takes a new optional flag, --disable-feature, that allows disabling certain features.
The flag is used to disable the informer for a custom resource, effectively making the corresponding CRD optional in the cluster. You can provide the flag multiple times.
Current options include extensionservices and the experimental Gateway API features tlsroutes and grpcroutes.
For example, to disable ExtensionService CRD, use the flag as follows: --disable-feature=extensionservices.
Gateway API: support GRPCRoute
Contour now implements GRPCRoute (https://gateway-api.sigs.k8s.io/api-types/grpcroute/). The "core conformance" parts of the spec are implemented. See https://projectcontour.io/docs/1.25/guides/grpc/#gateway-api-configuration on how to use GRPCRoute.
(#5114, @fangfpeng)
Other Changes
- Add
AllowPrivateNetworktoCORSPolicyfor support Access-Control-Allow-Private-Network. (#5034, @lvyanru8200) - Optimize processing of HTTPProxy, Secret and other objects by avoiding full object comparison. This reduces CPU usage during object updates. (#5064, @tsaarni)
- Gateway API: support the
pathfield on the HTTPRoute RequestRedirect filter. (#5068, @skriss) - Optimized the memory usage when handling Secrets in Kubernetes client informer cache. (#5099, @tsaarni)
- Adds a new gauge metric,
contour_dag_cache_object, to indicate the total number of items that are currently in the DAG cache. (#5109, @izturn) - Gateway API: for routes, replace use of custom
NotImplementedcondition with the upstreamAccepted: falsecondition with reasonUnsupportedValueto match the spec. (#5125, @skriss) %REQ()operator in request/response header policies now properly supports HTTP/2 pseudo-headers, header fallbacks, and truncating header values. (#5130, @sunjayBhatia)- Gateway API: for routes, always set ResolvedRefs condition, even if true to match the spec. (#5131, @izturn)
- Set 502 response if include references another root. (#5157, @liangyuanpeng)
- Update to support Gateway API v0.6.2, which includes updated conformance tests. See release notes here. (#5194, @sunjayBhatia)
- HTTPProxy: support Host header rewrites per-service. (#5195, @fangfpeng)
- Contour now sets
GOMAXPROCSto match the number of CPUs available to the container which results in lower and more stable CPU usage under high loads and where the container and node CPU counts differ significantly.
This is the default behavior but can be overridden by specifyingGOMAXPROCSto a fixed value as an environment variable. (#5211, @rajatvig) - Gateway API: Contour now always sets the Accepted condition on Gateway Listeners. If there is a specific validation error of top-level fields (port, protocol, etc.) the status is set to False, otherwise it is set to True. (#5220, @sunjayBhatia)
- Gateway API: Envoy containers manifests should use value from
envoy.health.portandenvoy.metrics.portif they are defined inContourDeployment.spec.runtimeSettings. (#5233, @Jean-Daniel) - Gateway API: support regex path/header match for HTTPRoute and regex header match for GRPCRoute. (#5239, @fangfpeng)
- Fix HTTPProxy duplicate include detection. If we have multiple distinct includes on the same path but different headers or query parameters, duplicates of any include conditions after the first were not detected. (#5296, @sunjayBhatia)
- Gateway API: support regular expressions in HTTPRoute query param match type. (#5310, @padlar)
- Supported/tested Kubernetes versions are now 1.25, 1.26, 1.27. (#5318, @skriss)
- Updates Envoy to v1.26.1. See the v1.26.0 and v1.26.1 changelogs for details. (#5320, @skriss)
- Updates to Go 1.20.4. See the Go release notes for more information. (#5347, @skriss)
Docs Changes
- Upgrade algolia docsearch to v3 on the docs website (#5129, @pnbrown)
- Updates Steve Kriss as Tech Lead and moves Nick Young to Emeritus Maintainer (#5151, @pnbrown)
- Move to a single set of docs per minor release, e.g. 1.24, 1.23 and 1.22. (#5163, @skriss)
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the [upgrade documentation](...
Contributors
Assets 2
Contour v1.25.0-rc.1
We are delighted to present version v1.25.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!
Major Changes
IP Filter Support
Contour's HTTPProxy now supports configuring Envoy's RBAC filter for allowing or denying requests by IP.
An HTTPProxy can optionally include one or more IP filter rules, which define CIDR ranges to allow or deny requests based on origin IP.
Filters can indicate whether the direct IP should be used or whether a reported IP from PROXY or X-Forwarded-For should be used instead.
If the latter, Contour's numTrustedHops setting will be respected when determining the source IP.
Filters defined at the VirtualHost level apply to all routes, unless overridden by a route-specific filter.
For more information, see:
Add Tracing Support
Contour now supports exporting tracing data to OpenTelemetry
The Contour configuration file and ContourConfiguration CRD will be extended with a new optional tracing section. This configuration block, if present, will enable tracing and will define the trace properties needed to generate and export trace data.
Contour supports the following configurations
- Custom service name, the default is
contour. - Custom sampling rate, the default is
100. - Custom the maximum length of the request path, the default is
256. - Customize span tags from literal and request headers.
- Customize whether to include the pod's hostname and namespace.
Minor Changes
Add support for Global External Authorization for HTTPProxy.
Contour now supports external authorization for all hosts by setting the config as part of the contourConfig like so:
globalExtAuth:
extensionService: projectcontour-auth/htpasswd
failOpen: false
authPolicy:
context:
header1: value1
header2: value2
responseTimeout: 1sIndividual hosts can also override or opt out of this global configuration.
You can read more about this feature in detail in the guide.
HTTPProxy: Add support for exact path match condition
HttpProxy conditions block now also supports exact path match condition.
HTTPProxy: Internal Redirect support
Contour now supports specifying an internalRedirectPolicy on a Route to handle 3xx redirects internally, that is capturing a configurable 3xx redirect response, synthesizing a new request,
sending it to the upstream specified by the new route match,
and returning the redirected response as the response to the original request.
HTTPProxy: implement HTTP query parameter matching
Contour now implements HTTP query parameter matching for HTTPProxy
resource-based routes. It supports Exact, Prefix, Suffix, Regex and
Contains string matching conditions together with the IgnoreCase modifier
and also the Present matching condition.
For example, the following HTTPProxy will route requests based on the configured
condition examples for the given query parameter search:
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: httpproxy-queryparam-matching
spec:
routes:
- conditions:
- queryParam:
# will match e.g. '?search=example' as is
name: search
exact: example
services:
- name: s1
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=prefixthis' or any string value prefixed by `prefix` (case insensitive)
name: search
prefix: PreFix
ignoreCase: true
services:
- name: s2
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=thispostfix' or any string value suffixed by `postfix` (case sensitive)
name: search
suffix: postfix
services:
- name: s3
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=regularexp123' or any string value matching the given regular expression
name: search
regex: ^regular.*
services:
- name: s4
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=somethinginsideanother' or any string value containing the substring 'inside' (case sensitive)
name: search
contains: inside
services:
- name: s5
port: 80
- conditions:
- queryParam:
# will match e.g. '?search=' or any string value given to the named parameter
name: search
present: true
services:
- name: s6
port: 80Allow Disabling Features
The contour serve command takes a new optional flag, --disable-feature, that allows disabling
certain features.
The flag is used to disable the informer for a custom resource, effectively making the corresponding
CRD optional in the cluster. You can provide the flag multiple times.
Current options include extensionservices and the experimental Gateway API features tlsroutes and
grpcroutes.
For example, to disable ExtensionService CRD, use the flag as follows: --disable-feature=extensionservices.
Gateway API: support the GRPCRoute
Contour now implements GRPCRoute (https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
The "core conformance" parts of the spec are implemented.
See https://projectcontour.io/docs/v1.25.0/guides/grpc/#gateway-api-configuration
on how to use GRPCRoute.
(#5114, @fangfpeng)
Other Changes
- Add
AllowPrivateNetworktoCORSPolicyfor support Access-Control-Allow-Private-Network. (#5034, @lvyanru8200) - Optimize processing of HTTPProxy, Secret and other objects by avoiding full object comparison. This reduces CPU usage during object updates. (#5064, @tsaarni)
- Gateway API: support the
pathfield on the HTTPRoute RequestRedirect filter. (#5068, @skriss) - Optimized the memory usage when handling Secrets in Kubernetes client informer cache. (#5099, @tsaarni)
- Adds a new gauge metric,
contour_dag_cache_object, to indicate the total number of items that are currently in the DAG cache. (#5109, @izturn) - Gateway API: for routes, replace use of custom
NotImplementedcondition with the upstreamAccepted: falsecondition with reasonUnsupportedValueto match the spec. (#5125, @skriss) %REQ()operator in request/response header policies now properly supports HTTP/2 pseudo-headers, header fallbacks, and truncating header values. (#5130, @sunjayBhatia)- Gateway API: for routes, always set ResolvedRefs condition, even if true to match the spec. (#5131, @izturn)
- Set 502 response if include references another root. (#5157, @liangyuanpeng)
- Update to support Gateway API v0.6.2, which includes updated conformance tests. See release notes here. (#5194, @sunjayBhatia)
- HTTPProxy: support Host header rewrites per-service. (#5195, @fangfpeng)
- Contour now sets
GOMAXPROCSto match the number of CPUs available to the container which results in lower and more stable CPU usage under high loads and where the container and node CPU counts differ significantly.
This is the default behavior but can be overridden by specifyingGOMAXPROCSto a fixed value as an environment variable. (#5211, @rajatvig) - Gateway API: Contour now always sets the Accepted condition on Gateway Listeners. If there is a specific validation error of top-level fields (port, protocol, etc.) the status is set to False, otherwise it is set to True. (#5220, @sunjayBhatia)
- Gateway API: Envoy containers manifests should use value from
envoy.health.portandenvoy.metrics.portif they are defined inContourDeployment.spec.runtimeSettings. (#5233, @Jean-Daniel) - Gateway API: support regex path/header match for HTTPRoute and regex header match for GRPCRoute. (#5239, @fangfpeng)
- Updates to Go 1.20.3. See the Go release notes for more information. (#5254, @sunjayBhatia)
- Fix HTTPProxy duplicate include detection. If we have multiple distinct includes on the same path but different headers or query parameters, duplicates of any include conditions after the first were not detected. (#5296, @sunjayBhatia)
- Gateway API: support regular expressions in HTTPRoute query param match type. (#5310, @padlar)
- Supported/tested Kubernetes versions are now 1.25, 1.26, 1.27. (#5318, @skriss)
- Updates Envoy to v1.26.1. See the v1.26.0 and v1.26.1 changelogs for details. (#5320, @skriss)
Docs Changes
- Upgrade algolia docsearch to v3 on the docs website (#5129, @pnbrown)
- Updates Steve Kriss as Tech Lead and moves Nick Young to Emeritus Maintainer (#5151, @pnbrown)
- Move to a single set of docs per minor release, e.g. 1.24, 1.23 and 1.22. (#5163, @skriss)
Installing and Upgrading
Th...
Contributors
Assets 2
Contour v1.24.4
We are delighted to present version v1.24.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Changes
- Fix for bug in HTTPProxy duplicate include detection that caused memory usage spikes when root HTTPProxies with a large number of includes using header match conditions are present.
- Update to Envoy v1.25.6. See the Envoy release notes for more information about the content of the release.
Installing and Upgrading
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Compatible Kubernetes Versions
Contour v1.24.4 is tested against Kubernetes 1.24 through 1.26.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.