We are delighted to present version 1.4.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
All Contour users should upgrade to Contour 1.4.0 and Envoy 1.14.1.
Check out the release notes here (and reproduced below).
This release adds support for configuring HTTPProxy objects to request validation of client certificates, allowing the use of client certificates for client authentication. This closes #1090.
See the documentation for how to use the feature.
(Associated PRs: #2250, #2390, #2410.)
Thanks @tsaarni for getting this implemented.
As described in #2199, previously, when configured to accept a certain ingress.class annotation, Contour would watch objects with that annotation, and also with no annotation. This caused problems in clusters with more than one ingress controller.
As of #2394, having an ingress.class annotation configured now means that only objects that have a matching annotation will cause changes in Contour.
Note that this logic change applies to both Ingress and HTTPProxy documents.
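An added example (not part of the Contour release notes or code base) that an operator could run before upgrading: it sorts Ingress and HTTPProxy objects into those Contour keeps processing, those that were only picked up because they carried no annotation, and those that belong to another controller. The annotation keys, the class name contour-internal and the sample objects are assumptions constructed for illustration.

```python
"""Pre-upgrade audit for the ingress.class change in Contour 1.4.0 (added example)."""
import json

# Assumption: these are the annotation keys that carry the class; the page
# only says "ingress.class annotation". The first key found wins.
CLASS_KEYS = ("projectcontour.io/ingress.class", "kubernetes.io/ingress.class")


def object_class(obj):
    """Return the ingress.class annotation value, or None if absent."""
    annotations = obj.get("metadata", {}).get("annotations") or {}
    for key in CLASS_KEYS:
        if key in annotations:
            return annotations[key]
    return None


def audit(objects, configured_class):
    """Classify objects for a Contour instance with configured_class set.

    Before 1.4.0: matching and unannotated objects were processed.
    From 1.4.0:   only matching objects are processed.
    """
    report = {"still_processed": [], "newly_ignored": [], "other_controller": []}
    for obj in objects:
        meta = obj["metadata"]
        name = f'{obj["kind"]}/{meta.get("namespace", "default")}/{meta["name"]}'
        cls = object_class(obj)
        if cls == configured_class:
            report["still_processed"].append(name)
        elif cls is None:
            report["newly_ignored"].append(name)  # needs an annotation added
        else:
            report["other_controller"].append(name)
    return report


# Constructed sample shaped like `kubectl get ingress,httpproxy -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Ingress", "metadata": {"name": "shop", "namespace": "web",
   "annotations": {"kubernetes.io/ingress.class": "contour-internal"}}},
 {"kind": "HTTPProxy", "metadata": {"name": "api", "namespace": "web"}},
 {"kind": "Ingress", "metadata": {"name": "blog", "namespace": "cms",
   "annotations": {"kubernetes.io/ingress.class": "nginx"}}},
 {"kind": "HTTPProxy", "metadata": {"name": "admin", "namespace": "ops",
   "annotations": {"projectcontour.io/ingress.class": "contour-internal"}}}
]}
""")

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE["items"], "contour-internal").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Objects listed under newly_ignored stop being served after the upgrade until a matching annotation is added to them.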
Contour now has the ability to write a status.loadBalancer.addresses block to Ingress objects. This block is used by services which need to know how to reach an Ingress’ backing service from outside the cluster, like external-dns.
There are two ways for Contour to find this information:
status.loadBalancer block from that Service into all associated Ingress objects. This is what is used in the example deployment.
--ingress-status-address flag.
This closes #403, another old outstanding request.
(Associated PRs: #2373, #2386, #2416, #2420)
The Contour health and metrics services can now be configured to listen on separate addresses or ports using the new --health-address and --health-port flags. This gives operators the ability to restrict access to Contour’s Prometheus metrics.
(Associated PRs: #2407)
Thanks @pickledrick for completing this change.
Virtual hosts that are exposed over TLS are now strongly bound to their TLS server name. This is a security improvement that means that clients cannot connect to hostname “A” at the TLS layer and then make HTTP requests for hostname “B”.
(Associated PRs: #2381)
When Contour configures an ExternalName service, it now automatically sets the SNI server name used for the proxied HTTP request to match the request’s Host header. This improves the compatibility of ExternalName services that proxy to HTTPS resources.
(Associated PRs: #2442)
The Contour configuration file is now documented.
In this release, Contour now inspects the CONTOUR_NAMESPACE environment variable. If CONTOUR_NAMESPACE is set, Contour will use this value as the namespace for performing leader election and the namespace for inspecting the Envoy service for load balancer addresses. In either case, explicit configuration values in the configuration file and command-line flags override the environment variable.
Please consult the upgrade documentation.
If you’re using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback on your usage and scenarios for Contour, please post on this GitHub thread.