Contour 1.4 has been released.


Nick Young

Apr 26, 2020, 9:12:37 PM
to Project Contour

We are delighted to present version 1.4.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Contour users should upgrade to Contour 1.4.0 and Envoy 1.14.1.

Check out the release notes here (and reproduced below).

New and improved

TLS Client authentication

This release adds support for configuring HTTPProxy objects to request validation of client certificates, allowing the use of client certificates for client authentication. This closes #1090.

See the documentation for how to use the feature.

(Associated PRs: #2250, #2390, #2410.)

Thanks @tsaarni for getting this implemented.

Ingress changes

Ingress class

As described in #2199, previously, when configured to accept a certain ingress.class annotation, Contour would watch objects with that annotation, and also with no annotation. This caused problems in clusters with more than one ingress controller.

As of #2394, having an ingress.class annotation configured now means that only objects that have a matching annotation will cause changes in Contour.

Note that this logic change applies to both Ingress and HTTPProxy documents.

#2340 also updated the annotations documentation to make the various behaviour options clearer.

Ingress Status

Contour now has the ability to write a status.loadBalancer.addresses block to Ingress objects. This block is used by services which need to know how to reach an Ingress’ backing service from outside the cluster, like external-dns.

There are two ways for Contour to find this information:

  • by watching a Service object for the Envoy service, and putting the associated status.loadBalancer block from that Service into all associated Ingress objects. This is what is used in the example deployment.
  • Operators can also specify an address on Contour’s command line, using the --ingress-status-address flag.

This closes #403, another old outstanding request.

(Associated PRs: #2373, #2386, #2416, #2420)

Separate Health and Metrics listeners

The Contour health and metrics services can now be configured to listen on separate addresses or ports using the new --health-address and --health-port flags. This gives operators the ability to restrict access to Contour’s Prometheus metrics.

(Associated PRs: #2407)

Thanks @pickledrick for completing this change.

SNI Improvements

Virtual hosts that are exposed over TLS are now strongly bound to their TLS server name. This is a security improvement that means that clients cannot connect to hostname “A” at the TLS layer and then make HTTP requests for hostname “B”.

(Associated PRs: #2381)

When Contour configures an ExternalName service, it now automatically sets the SNI server name used for the proxied HTTP request to match the request’s Host header. This improves the compatibility of ExternalName services that proxy to HTTPS resources.

(Associated PRs: #2442)

Configuration documentation

The Contour configuration file is now documented.

Contour Namespace environment variable

In this release, Contour now inspects the CONTOUR_NAMESPACE environment variable. If CONTOUR_NAMESPACE is set, Contour will use this value as the namespace for performing leader election and the namespace for inspecting the Envoy service for load balancer addresses. In either case, explicit configuration values in the configuration file and command-line flags override the environment variable.

Other Improvements

  • Contour now has a metric which indicates the currently running version. (#2383) Thanks @pickledrick.
  • Contour now also has a command line flag to print the current version (#2399) Thanks @pickledrick
  • Add ServiceAccount for Envoy (#2449)
  • Add docs search to the site (#2458)
  • Add explanation of certgen Job image tag usage (#2424)
  • Add github label automation. (#2436)
  • Add ingress class filtering to ingress status updating (#2416)
  • Add redirect for /docs to latest version (#2419)
  • Add the demos and deep dives YouTube link to resources (#2375)
  • Changed targetPort for httpbin pods (#2384)
  • Fix the PR template with new links and frontmatter (#2382)
  • Migrate Service and Ingress to client-go dynamic client (#2373)
  • Move CRD informer list generation to k8s (#2352)
  • Update hostNetworking docs in site deploy-options (#2405)
  • Upgrade Envoy go-control-plane and fix related changes to the spec (#2432)
  • Use the downward api to give the default namespace for configuration variables (#2389)
  • build: apply standard Docker image labels (#2400)
  • build: omit the DWARF symbol table (#2398)
  • build: run misspell across the whole repository (#2439)
  • build: support older git versions to detect current branch (#2415)
  • cmd/contour: remove hard-coded default log fields (#2446)
  • doc: document the Contour configuration file (#2445)
  • docs: update DCO guidelines in CONTRIBUTING (#2425)
  • enable merge_slashes on the httpconnection manager for all listeners so that requests with multiple slashes are merged and processed properly (#2406)
  • hack: improve git tag pushing (#2393)
  • internal/annotation: Refactor annotations code from internal/dag (#2412)
  • internal/assert: Add docs to assert.Equal (#2417)
  • internal/contour: add contour version to metrics (#2383)
  • internal/contour: improve routeVisitor readability (#2370)
  • internal/dag: improve diagnostics for Secrets errors (#2422)
  • internal/health: separate health and metrics services (#2407)
  • internal: extract Envoy sort polices (#2379)
  • site: add code highlighting (#2440)
  • site: remove misleading comment in example deployment (#2377)
  • site: update contributing guidelines (#2408)
  • site: update slack links (#2444)
  • updating the website with Contour maintainers (#2404)
  • upgrade Envoy version to v1.14.1 (#2434)
  • use sni for clusters when requestHeaderPolicy is set (#2442)

Upgrading

Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you’re using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread
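
The SNI binding described under "SNI Improvements" above can be stated as a check: a request is served only when its Host header names the same host the client selected in the TLS handshake. The Go middleware below is an added illustration of that property, not code from Contour or Envoy and not the mechanism either uses; `requireSNIMatch`, `hostOnly` and `statusFor` are hypothetical names, the hostnames are constructed, and answering a mismatch with 421 is an assumption of this sketch.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostOnly lower-cases a Host header and strips the port and trailing dot,
// so "B.Example.com:443" compares equal to the TLS name "b.example.com".
func hostOnly(hostport string) string {
	h := hostport
	if host, _, err := net.SplitHostPort(hostport); err == nil {
		h = host
	}
	return strings.TrimSuffix(strings.ToLower(h), ".")
}

// requireSNIMatch (hypothetical name) serves a request only when its Host
// header names the host selected by SNI; plaintext or SNI-less requests fail.
func requireSNIMatch(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || r.TLS.ServerName == "" ||
			hostOnly(r.Host) != strings.ToLower(r.TLS.ServerName) {
			http.Error(w, "Host does not match TLS server name", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor replays one constructed request (SNI name, Host header) through
// the middleware and returns the status code the client would receive.
func statusFor(sni, host string) int {
	ok := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // implicit 200
	req := httptest.NewRequest("GET", "https://"+host+"/", nil)
	req.TLS = &tls.ConnectionState{ServerName: sni}
	rec := httptest.NewRecorder()
	requireSNIMatch(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("a.example.com", "a.example.com:443")) // 200
	fmt.Println(statusFor("a.example.com", "b.example.com"))     // 421
}
```

The comparison is done on the normalised host so that a port suffix, mixed case or a trailing dot in the Host header cannot be used to slip past the check.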
