
Releases: projectcontour/contour

Contour v1.21.3

12 Dec 21:18

We are delighted to present version v1.21.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.21.3 is tested against Kubernetes 1.21 through 1.23.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

Contour v1.23.1

06 Dec 18:41

We are delighted to present version v1.23.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.24.1

Bumps Envoy to security patch version 1.24.1.
See Envoy release notes here.

(#4903, @sunjayBhatia)

Other Changes

  • Various updates to dependencies for security updates, upgrade to Go 1.19.3, and bump go module version to go 1.17. (#4874, #4881, #4883, @sunjayBhatia)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.1 is tested against Kubernetes 1.23 through 1.25.


Contour v1.22.2

05 Dec 21:24

We are delighted to present version v1.22.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.23.3

Bumps Envoy to security patch version 1.23.3.
See Envoy release notes here.

(#4897, @sunjayBhatia)

Other Changes

  • Various updates to dependencies for security updates, upgrade to Go 1.19.3, and bump go module version to go 1.17. (#4882, #4884, @sunjayBhatia)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.2 is tested against Kubernetes 1.22 through 1.24.


Contour v1.21.2

02 Dec 00:25

We are delighted to present version v1.21.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.22.6

Bumps Envoy to security patch version 1.22.6.
See Envoy release notes here.

(#4889, @sunjayBhatia)

Other Changes

  • Various updates to dependencies for security updates, fixes for CI, upgrade to Go 1.18.8, and bump go module version to go 1.17. (#4885, @sunjayBhatia)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.21.2 is tested against Kubernetes 1.21 through 1.23.


Contour v1.23.0

20 Oct 14:57

We are delighted to present version v1.23.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Overload Manager

It is now possible to enable the Envoy overload manager to avoid traffic disturbances when the Envoy process allocates too much heap and is terminated by the Linux out-of-memory manager.
The feature is disabled by default and can be enabled by following instructions here.

(#4597, @tsaarni)

JWT Verification Support

Contour's HTTPProxy now supports configuring Envoy's JSON Web Token (JWT) authentication filter, for verifying JWTs on incoming requests.

A root HTTPProxy can optionally define one or more JWT providers, each of which can define an issuer, audiences, and a JSON Web Key Set (JWKS) to use for verifying JWTs.

JWT providers can then be applied as requirements to routes on the HTTPProxy (or routes on included HTTPProxies), either by setting one provider as the default, or by explicitly specifying a JWT provider to require for a given route.
Individual routes may also opt out of JWT verification if a default provider has been set for the HTTPProxy.

For more information, see:

(#4723, @skriss)
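
The three behaviours described above (a default provider, a route that explicitly requires a different provider, and a route that opts out), shown as an added example that is not part of the original release notes. Field names follow Contour's HTTPProxy API reference; the hostname, secret, provider and service names and the JWKS URIs are placeholders.

```yaml
# Added example: root HTTPProxy with two JWT providers.
# All names, hostnames and URIs below are placeholders.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: jwt-verification-example
  namespace: default
spec:
  virtualhost:
    fqdn: app.example.com
    tls:
      secretName: app-example-com-tls
    jwtProviders:
    # Default provider: applies to every route that does not set
    # its own jwtVerificationPolicy.
    - name: corp-idp
      default: true
      issuer: https://idp.example.com
      audiences:
      - app.example.com
      remoteJWKS:
        uri: https://idp.example.com/.well-known/jwks.json
        timeout: 1s
        cacheDuration: 5m
    # Second provider: only used by routes that name it explicitly.
    - name: partner-idp
      issuer: https://partner.example.net
      audiences:
      - app.example.com
      remoteJWKS:
        uri: https://partner.example.net/jwks.json
        timeout: 1s
        cacheDuration: 5m
  routes:
  # No jwtVerificationPolicy: the default provider (corp-idp) is required.
  - conditions:
    - prefix: /
    services:
    - name: app
      port: 80
  # Explicitly require a specific provider instead of the default.
  - conditions:
    - prefix: /partner
    jwtVerificationPolicy:
      require: partner-idp
    services:
    - name: partner-api
      port: 80
  # Opt out of JWT verification; keep this list short and review it,
  # since these paths are reachable without a token.
  - conditions:
    - prefix: /healthz
    jwtVerificationPolicy:
      disabled: true
    services:
    - name: app
      port: 80
```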

Slow start mode

Slow start mode is a configuration setting that is used to gradually increase the amount of traffic targeted to a newly added upstream endpoint.
This can be useful, for example, with JVM-based applications that might otherwise get overwhelmed during the JIT warm-up period.
For more information see here.

(#4772, @tsaarni)

Minor Changes

HTTPProxy CORS policy supports regex matching on Allowed Origins

The AllowOrigin field of the HTTPProxy CORSPolicy can be configured as a regex to enable more flexibility for users.
More advanced matching can now be performed on the Origin header of HTTP requests, instead of restricting users to allow all origins, or enumerating all possible values.

(#4710, @sunjayBhatia)

Other Changes

  • Transition to default_source_code Lua filter field from deprecated inline_string field for specifying Lua scripts. (#4622, @sunjayBhatia)
  • There are so many EnsureXDeleted in the sub-packages of objects, so unify them into objects/EnsureObjectDelete. (#4630, @izturn)
  • Transition to using new bootstrap field default_regex_engine instead of deprecated per-regex match engine selection. (#4652, @sunjayBhatia)
  • Gateway Listeners with Secret references whose namespace is not covered by a ReferenceGrant should have their status reason set to RefNotPermitted. (#4664, @sunjayBhatia)
  • Add a new flag leader-election-namespace for gateway-provisioner (#4669, @izturn)
  • Add Contour log level configurability to ContourDeployment resource. (#4676, @izturn)
  • Add Kubernetes client debug log level configurability to ContourDeployment resource. (#4677, @izturn)
  • Add the fields extraVolumes & extraVolumeMounts to crd/ContourDeployment to enable Envoy pods to mount additional volumes. (#4680, @izturn)
  • Add Kubernetes annotations configurability to the ContourDeployment resource, to enable customizing pod annotations for pod/envoy. (#4681, @izturn)
  • Add Kubernetes resource labels configurability to ContourDeployment resource. (#4709, @izturn)
  • Add resource requirements configurability to ContourDeployment to enable resource quota for containers. (#4712, @izturn)
  • Gateway API: status-only updates to resources no longer trigger DAG reprocessing and xDS updates. (#4744, @skriss)
  • Gateway API: don't make status update calls to the API server if status has not changed on the resource. (#4745, @skriss)
  • Updates to Gateway API v0.5.1. (#4755, @skriss)
  • Update supported Kubernetes versions to 1.23, 1.24, and 1.25. (#4757, @sunjayBhatia)
  • For Gateway API conformance, when a HTTP request matches multiple rules within a HTTPRoute, precedence is given to the rule that comes first in that HTTPRoute (in list-order). (#4763, @sunjayBhatia)
  • Updates Go to 1.19.2, see release notes here. (#4773, @sunjayBhatia)
  • Update Envoy to v1.24.0. See the Envoy release notes for more information. (#4804, @skriss)

Docs Changes

Deprecation and Removal Notices

Contour v1.20 minor release now out of support

As per Contour's support policy, the v1.20 minor release will no longer be patched for security or critical bug fixes.
Please upgrade to the v1.21 minor release or newer.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.23.0 is tested against Kubernetes 1.23 through 1.25.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:


Contour v1.23.0-rc.1

30 Sep 19:56
Pre-release

We are delighted to present version v1.23.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Overload Manager

It is now possible to enable the Envoy overload manager to avoid traffic disturbances when the Envoy process allocates too much heap and is terminated by the Linux out-of-memory manager.
The feature is disabled by default and can be enabled by following instructions here.

(#4597, @tsaarni)

JWT Verification Support

Contour's HTTPProxy now supports configuring Envoy's JSON Web Token (JWT) authentication filter, for verifying JWTs on incoming requests.

A root HTTPProxy can optionally define one or more JWT providers, each of which can define an issuer, audiences, and a JSON Web Key Set (JWKS) to use for verifying JWTs.

JWT providers can then be applied as requirements to routes on the HTTPProxy (or routes on included HTTPProxies), either by setting one provider as the default, or by explicitly specifying a JWT provider to require for a given route.
Individual routes may also opt out of JWT verification if a default provider has been set for the HTTPProxy.

For more information, see:

(#4723, @skriss)

Minor Changes

HTTPProxy CORS policy supports regex matching on Allowed Origins

The AllowOrigin field of the HTTPProxy CORSPolicy can be configured as a regex to enable more flexibility for users.
More advanced matching can now be performed on the Origin header of HTTP requests, instead of restricting users to allow all origins, or enumerating all possible values.

(#4710, @sunjayBhatia)

Other Changes

  • Transition to default_source_code Lua filter field from deprecated inline_string field for specifying Lua scripts. (#4622, @sunjayBhatia)
  • There are so many EnsureXDeleted in the sub-packages of objects, so unify them into objects/EnsureObjectDelete. (#4630, @izturn)
  • Transition to using new bootstrap field default_regex_engine instead of deprecated per-regex match engine selection. (#4652, @sunjayBhatia)
  • Gateway Listeners with Secret references whose namespace is not covered by a ReferenceGrant should have their status reason set to RefNotPermitted. (#4664, @sunjayBhatia)
  • Add a new flag leader-election-namespace for gateway-provisioner (#4669, @izturn)
  • Add Contour log level configurability to ContourDeployment resource. (#4676, @izturn)
  • Add Kubernetes client debug log level configurability to ContourDeployment resource. (#4677, @izturn)
  • Gateway API: status-only updates to resources no longer trigger DAG reprocessing and xDS updates. (#4744, @skriss)
  • Gateway API: don't make status update calls to the API server if status has not changed on the resource. (#4745, @skriss)
  • Updates to Gateway API v0.5.1. (#4755, @skriss)
  • Update supported Kubernetes versions to 1.23, 1.24, and 1.25. (#4757, @sunjayBhatia)

Docs Changes

Installing and Upgrading

The simplest way to install v1.23.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.23.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.23.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.23.0-rc.1 is tested against Kubernetes 1.23 through 1.25.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:


Contour v1.22.1

07 Sep 19:23

We are delighted to present version v1.22.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

Changes

  • Updates Go to 1.19.0, see release notes here. (#4660, @sunjayBhatia)
  • The global connect-timeout configuration value was not taking effect for routes that did not have timeoutPolicy set. (#4690, @tsaarni)
  • Update Envoy to v1.23.1. This fixes an issue where the arm64 variant of the Envoy image was not built properly. See the release notes for additional information. (#4691, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.1 is tested against Kubernetes 1.22 through 1.24.


Contour v1.22.0

27 Jul 17:55

We are delighted to present version v1.22.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Major Changes

Update to Gateway API v0.5.0

Contour now supports Gateway API v0.5.0, including both the v1alpha2 and v1beta1 API versions.

With this update, Contour passes all of the Gateway API v0.5.0 conformance tests, which cover much of the core API surface (but are not yet 100% exhaustive).

For more information on the Gateway API v0.5.0 release, see the release blog post.

For information on getting started with Contour and Gateway API, see the Contour/Gateway API guide.

(#4617, @skriss)

Minor Changes

Update to Envoy 1.23.0

Contour now uses Envoy 1.23.0.
See the Envoy changelog for more information on the contents of the release.

(#4621, @skriss)

HTTPProxy Direct Response Policy

HTTPProxy.Route now has a HTTPDirectResponsePolicy which allows for routes to specify a DirectResponsePolicy.
This policy will allow a direct response to be configured for a specific set of Conditions within a single route.
The policy can be configured with a StatusCode and a Body; the StatusCode is required.

It is important to note that one of route.services or route.requestRedirectPolicy or route.directResponsePolicy must be specified.

(#4526, @yangyy93)

Validating revocation status of client certificates

It is now possible to enable revocation checking when validating client certificates.
The CRL files must be provided in advance and configured as an opaque Secret.
To enable the feature, set httpproxy.spec.virtualhost.tls.clientValidation.crlSecret to the secret name.

(#4592, @tsaarni)
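
A configuration sketch of the CRL setup described above, added here and not taken from the release notes. The crl.pem key, caSecret and crlOnlyVerifyLeafCert come from Contour's HTTPProxy API reference; resource names and the hostname are placeholders, and the PEM body must be replaced with real CRLs.

```yaml
# Added example: opaque Secret holding the CRL(s), referenced from a
# client-certificate-validating HTTPProxy. All names are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: client-crl
  namespace: default
type: Opaque
stringData:
  # The key must be named crl.pem; concatenate the PEM-encoded CRLs
  # of the CAs in the client certificate chain.
  crl.pem: |
    -----BEGIN X509 CRL-----
    <PLACEHOLDER: base64 body of the PEM-encoded CRL>
    -----END X509 CRL-----
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: mtls-with-crl
  namespace: default
spec:
  virtualhost:
    fqdn: mtls.example.com
    tls:
      secretName: mtls-example-com-tls
      clientValidation:
        # CA bundle used to verify client certificates.
        caSecret: client-root-ca
        # Secret defined above; enables the revocation check.
        crlSecret: client-crl
        # false: a CRL is expected for every CA in the chain.
        # true: only the leaf certificate is checked against the CRL.
        crlOnlyVerifyLeafCert: false
  routes:
  - services:
    - name: app
      port: 80
```

Because the CRL is provided in advance rather than fetched, it has to be regenerated and the Secret updated before the CRL's next-update time, or revocations issued after that point are not seen.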

Consolidate access logging and TLS cipher suite validation

Access log and TLS cipher suite configuration validation logic is now consolidated in the apis/projectcontour/v1alpha1 package.
Existing exported elements of the pkg/config package are left untouched, though implementation logic now lives in apis/projectcontour/v1alpha1.

This should largely be a no-op for users; however, as part of this cleanup, a few minor incompatible changes have been made:

  • TLS cipher suite list elements will no longer be allowed to have leading or trailing whitespace
  • The ContourConfiguration CRD field spec.envoy.logging.jsonFields has been renamed to spec.envoy.logging.accessLogJSONFields

(#4626, @sunjayBhatia)

Gateway API: implement HTTP query parameter matching

Contour now implements Gateway API's HTTP query parameter matching.
Only Exact matching is supported.
For example, the following HTTPRoute will send a request with a query string of ?animal=whale to s1, and a request with a query string of ?animal=dolphin to s2.

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: httproute-queryparam-matching
spec:
  parentRefs:
  - name: contour-gateway
  rules:
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: whale
    backendRefs:
    - name: s1
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: dolphin
    backendRefs:
    - name: s2

(#4588, @skriss)

Gateway API: update handling of various invalid HTTPRoute/TLSRoute scenarios

Updates the handling of various invalid HTTPRoute/TLSRoute scenarios to be conformant with the Gateway API spec, including:

  • Use a 500 response instead of a 404 when a route's backends are invalid
  • The Accepted condition on a route only describes whether the route attached successfully to its parent, not whether it has any other errors
  • Use the upstream reasons InvalidKind and BackendNotFound when a backend is not a Service or not found, respectively

(#4614, @skriss)

Gateway API: enforce correct TLS modes for HTTPS and TLS listener protocols

Contour now enforces that the correct TLS modes are used for the HTTPS and TLS listener protocols.
For an HTTPS listener, the TLS mode "Terminate" must be used (this is compatible with HTTPRoutes).
For a TLS listener, the TLS mode "Passthrough" must be used (this is compatible with TLSRoutes).

(#4631, @skriss)

Bind create label operation for contour's deployment to the struct

There are now three places to create the same label(s), so make the operation a method of the Contour struct.

(#4585, @izturn)

Use local variable to replace the long access chain of fields

The access chain of fields is too long, so use a local variable to replace it.

(#4586, @izturn)

Other Changes

  • RTDS now serves dynamic runtime configuration layer which is requested by bootstrap configuration. In the future, contents of this runtime configuration will be made configurable by users. (#4387, @sunjayBhatia)
  • internal/envoy: use Envoy's path-based prefix matching instead of regular expressions. (#4477, @mmalecki)
  • Gateway API: compute Listener supported kinds sooner, so it's populated in all cases where it can be computed. (#4523, @skriss)
  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Removes the DebugLogLevel and KubernetesDebugLogLevel fields from the ContourConfiguration spec since they were unused and are required to be specified via CLI flag. (#4534, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Gateway API: return a 404 instead of a 503 when there are no valid backend refs for an HTTPRoute rule, to match the revised Gateway API spec. (#4545, @skriss)
  • Update supported Kubernetes versions to 1.22, 1.23 and 1.24. (#4546, @skriss)
  • Changes the contour envoy shutdown command's --check-delay default to 0s from 60s, allowing Envoy pods to shut down more quickly when there are no open connections. (#4548, @skriss)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)
  • Gateway API: adds support for the "RequestMirror" HTTPRoute filter type at the rule level. (#4557, @sepaper)
  • Gateway API: fixes a bug where routes with multiple parent refs to listeners would not attach to all listeners correctly. (#4558, @skriss)
  • Gateway API: wildcard hostnames can now match more than one DNS label, per kubernetes-sigs/gateway-api#1173. (#4559, @skriss)
  • Gateway API: adds support for ReferenceGrant, which was formerly known as ReferencePolicy. To ease migration, both resources are supported for this release, but ReferencePolicy support will be removed next release. (#4580, @skriss)
  • Envoy will now make requests to gRPC ExtensionServices with a sanitized :authority header, rather than just using the extension cluster name. (#4587, @sunjayBhatia)
  • Gateway API: adds logic to only keep the first HTTP header match with a given name (case-insensitive) for each HTTP route match, per the Gateway API spec. (#4593, @skriss)
  • Gateway API: replace usage of Contour-specific condition types and reasons with upstream Gateway API ones where possible (#4598, @skriss)
  • contour cli commands have been updated with new logging and support for testing incremental (delta) xDS variants. (#4602, @youngnick)
  • Gateway API: sets route parent status correctly when routes attach to specific Listeners. (#4604, @skriss)
  • Updated the list of supported envoy log template keywords. (#4610, @yangyy93)
  • Gateway API: set a Listener condition of Ready: false with reason Invalid when a Listener allows routes from a namespace selector but the selector is invalid. (#4615, @skriss)
  • Adds support for access log operators introduced in Envoy 1.23.0. See here for more details. (#4627, @sunjayBhatia)

Docs Changes

Deprecation and Removal Notices

Gateway API: ReferencePolicy is deprecated, will be removed next release

Gateway API has renamed ReferencePolicy to ReferenceGrant in the v0.5.0 release, while retaining the former for one release to ease migration.
Contour currently supports both, but will drop support for ReferencePolicy in the next release.
Users of ReferencePolicies must migrate their resources to ReferenceGrants ahead of the next Contour release.

(#4580, @skriss)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.22.0 is tested against Kubernetes 1.22 through 1.24.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:


Contour v1.22.0-rc.1

21 Jul 16:10
Pre-release

We are delighted to present version v1.22.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!

Major Changes

Update to Gateway API v0.5.0

Contour now supports Gateway API v0.5.0, including both the v1alpha2 and v1beta1 API versions.

With this update, Contour passes all of the Gateway API v0.5.0 conformance tests, which cover much of the core API surface (but are not yet 100% exhaustive).

For more information on the Gateway API v0.5.0 release, see the release blog post.

For information on getting started with Contour and Gateway API, see the Contour/Gateway API guide.

(#4617, @skriss)

Minor Changes

HTTPProxy Direct Response Policy

HTTPProxy.Route now has a HTTPDirectResponsePolicy which allows for routes to specify a DirectResponsePolicy.
This policy will allow a direct response to be configured for a specific set of Conditions within a single route.
The policy can be configured with a StatusCode and a Body; the StatusCode is required.

It is important to note that one of route.services or route.requestRedirectPolicy or route.directResponsePolicy must be specified.

(#4526, @yangyy93)

Bind create label operation for contour's deployment to the struct

There are now three places to create the same label(s), so make the operation a method of the Contour struct.

(#4585, @izturn)

Use local variable to replace the long access chain of fields

The access chain of fields is too long, so use a local variable to replace it.

(#4586, @izturn)

Gateway API: implement HTTP query parameter matching

Contour now implements Gateway API's HTTP query parameter matching.
Only Exact matching is supported.
For example, the following HTTPRoute will send a request with a query string of ?animal=whale to s1, and a request with a query string of ?animal=dolphin to s2.

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: httproute-queryparam-matching
spec:
  parentRefs:
  - name: contour-gateway
  rules:
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: whale
    backendRefs:
    - name: s1
  - matches:
    - queryParams:
      - type: Exact
        name: animal
        value: dolphin
    backendRefs:
    - name: s2

(#4588, @skriss)

Validating revocation status of client certificates

It is now possible to enable revocation checking when validating client certificates.
The CRL files must be provided in advance and configured as an opaque Secret.
To enable the feature, set httpproxy.spec.virtualhost.tls.clientValidation.crlSecret to the secret name.

(#4592, @tsaarni)

Gateway API: update handling of various invalid HTTPRoute/TLSRoute scenarios

Updates the handling of various invalid HTTPRoute/TLSRoute scenarios to be conformant with the Gateway API spec, including:

  • Use a 500 response instead of a 404 when a route's backends are invalid
  • The Accepted condition on a route only describes whether the route attached successfully to its parent, not whether it has any other errors
  • Use the upstream reasons InvalidKind and BackendNotFound when a backend is not a Service or not found, respectively

(#4614, @skriss)

Update to Envoy 1.23.0

Contour now uses Envoy 1.23.0.
See the Envoy changelog for more information on the contents of the release.

(#4621, @skriss)

Consolidate access logging and TLS cipher suite validation

Access log and TLS cipher suite configuration validation logic is now consolidated in the apis/projectcontour/v1alpha1 package.
Existing exported elements of the pkg/config package are left untouched, though implementation logic now lives in apis/projectcontour/v1alpha1.

This should largely be a no-op for users; however, as part of this cleanup, a few minor incompatible changes have been made:

  • TLS cipher suite list elements will no longer be allowed to have leading or trailing whitespace
  • The ContourConfiguration CRD field spec.envoy.logging.jsonFields has been renamed to spec.envoy.logging.accessLogJSONFields

(#4626, @sunjayBhatia)

Gateway API: enforce correct TLS modes for HTTPS and TLS listener protocols

Contour now enforces that the correct TLS modes are used for the HTTPS and TLS listener protocols.
For an HTTPS listener, the TLS mode "Terminate" must be used (this is compatible with HTTPRoutes).
For a TLS listener, the TLS mode "Passthrough" must be used (this is compatible with TLSRoutes).

(#4631, @skriss)

Other Changes

  • RTDS now serves dynamic runtime configuration layer which is requested by bootstrap configuration. In the future, contents of this runtime configuration will be made configurable by users. (#4387, @sunjayBhatia)
  • internal/envoy: use Envoy's path-based prefix matching instead of regular expressions. (#4477, @mmalecki)
  • Gateway API: compute Listener supported kinds sooner, so it's populated in all cases where it can be computed. (#4523, @skriss)
  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Removes the DebugLogLevel and KubernetesDebugLogLevel fields from the ContourConfiguration spec since they were unused and are required to be specified via CLI flag. (#4534, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Gateway API: return a 404 instead of a 503 when there are no valid backend refs for an HTTPRoute rule, to match the revised Gateway API spec. (#4545, @skriss)
  • Update supported Kubernetes versions to 1.22, 1.23 and 1.24. (#4546, @skriss)
  • Changes the contour envoy shutdown command's --check-delay default to 0s from 60s, allowing Envoy pods to shut down more quickly when there are no open connections. (#4548, @skriss)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)
  • Gateway API: adds support for the "RequestMirror" HTTPRoute filter type at the rule level. (#4557, @sepaper)
  • Gateway API: fixes a bug where routes with multiple parent refs to listeners would not attach to all listeners correctly. (#4558, @skriss)
  • Gateway API: wildcard hostnames can now match more than one DNS label, per kubernetes-sigs/gateway-api#1173. (#4559, @skriss)
  • Gateway API: adds support for ReferenceGrant, which was formerly known as ReferencePolicy. To ease migration, both resources are supported for this release, but ReferencePolicy support will be removed next release. (#4580, @skriss)
  • Envoy will now make requests to gRPC ExtensionServices with a sanitized :authority header, rather than just using the extension cluster name. (#4587, @sunjayBhatia)
  • Gateway API: adds logic to only keep the first HTTP header match with a given name (case-insensitive) for each HTTP route match, per the Gateway API spec. (#4593, @skriss)
  • Gateway API: replace usage of Contour-specific condition types and reasons with upstream Gateway API ones where possible (#4598, @skriss)
  • contour cli commands have been updated with new logging and support for testing incremental (delta) xDS variants. (#4602, @youngnick)
  • Gateway API: sets route parent status correctly when routes attach to specific Listeners. (#4604, @skriss)
  • Updated the list of supported envoy log template keywords. (#4610, @yangyy93)
  • Gateway API: set a Listener condition of Ready: false with reason Invalid when a Listener allows routes from a namespace selector but the selector is invalid. (#4615, @skriss)
  • Adds support for access log operators introduced in Envoy 1.23.0. See here for more details. (#4627, @sunjayBhatia)

Docs Changes

  • Updated SITE_CONTRIBUTION.md to reflect Hugo platform. (#4620, @gary-tai)

Deprecation and Removal Notices

Gateway API: ReferencePolicy is deprecated, will be removed next release

Gateway API has renamed ReferencePolicy to ReferenceGrant in the v0.5.0 release, while retaining the former for one release to ease migration.
Contour currently supports both, but will drop support for ReferencePolicy in the next release.
Users of ReferencePolicies must migrate their resources to ReferenceGrants ahead of the next Contour release.

(#4580, @skriss)

Installing and Upgrading

The simplest way to install v1.22.0-rc.1 is to apply one of the example configurations:

With Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.22.0-rc.1/examples/render/contour-gateway.yaml

Without Gateway API:

kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.22.0-rc.1/examples/render/contour.yaml

Compatible Kubernetes Versions

Contour v1.22.0-rc.1 is tested against Kubernetes 1.22 through 1.24.


Contour v1.21.1

14 Jun 16:12

We are delighted to present version v1.21.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

A big thank you to everyone who contributed to the release.

Minor Changes

Bump Envoy to v1.22.2

Bumps Envoy to security patch version 1.22.2.
Envoy CI had a few issues releasing 1.22.1, so a subsequent patch, 1.22.2, was released.
Envoy announcement here.
See Envoy release notes for 1.22.1 here and 1.22.2 here.

(#4573, @sunjayBhatia)

Other Changes

  • When validating secrets, don't log an error for an Opaque secret that doesn't contain a ca.crt key. (#4528, @skriss)
  • Fixes TLS private key validation logic which previously ignored errors for PKCS1 and PKCS8 private keys. (#4544, @sunjayBhatia)
  • Update gopkg.in/yaml.v3 to v3.0.1 to address CVE-2022-28948. (#4551, @tsaarni)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.21.1 is tested against Kubernetes 1.21 through 1.23.

Community Thanks!

We’re immensely grateful for all the community contributions that help make Contour even better!
