github projectcontour/contour-operator v1.15.1
Contour Operator v1.15.1

pre-release, 3 years ago

We are delighted to present version 1.15.1 of Contour Operator, which provides a method for packaging, deploying, and managing Contour.

Fixes

Upgrade to Contour 1.15.1 and Envoy 1.18.3

Upgrades the default Contour version to v1.15.1 and the default Envoy version to 1.18.3 for security and bug fixes. See the Envoy 1.18.3 changelogs for more details.

  • CVE-2021-29492 (CVSS score 8.3, High): Envoy versions 1.18.2 and earlier do not decode escaped slash sequences %2F and %5C in HTTP URL paths. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A backend server could then decode the slash sequences and normalize the path, which would give an attacker access beyond the scope provided for by the access control policy.
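
The mismatch described in the CVE entry above can be checked against request paths taken from access logs. The following is an added example, not code from Contour, the Operator or Envoy; the function names, the /admin deny rule and the sample paths are constructed, and the backend is assumed to decode %2F and %5C, treat a backslash as a separator, and then normalize the path.

```python
import posixpath
import re
from urllib.parse import unquote

# Escaped slash sequences named in the advisory: %2F ("/") and %5C ("\").
ESCAPED_SLASH = re.compile(r"%(?:2f|5c)", re.IGNORECASE)
BLOCKED_PREFIX = "/admin"  # assumed access-control rule: deny /admin


def _normalize(path: str) -> str:
    # Collapse "." and ".." segments and duplicate slashes.
    return "/" + posixpath.normpath(path).lstrip("/")


def proxy_view(path: str) -> str:
    """Path as matched by a proxy that leaves %2F and %5C undecoded."""
    return _normalize(path)


def backend_view(path: str) -> str:
    """Path as an assumed backend sees it: decode, then normalize."""
    return _normalize(unquote(path).replace("\\", "/"))


def is_blocked(path: str) -> bool:
    return path == BLOCKED_PREFIX or path.startswith(BLOCKED_PREFIX + "/")


def check(path: str) -> dict:
    """Compare the access-control decision on both views of one path."""
    proxy_blocks = is_blocked(proxy_view(path))
    backend_hits = is_blocked(backend_view(path))
    return {
        "escaped_slash": bool(ESCAPED_SLASH.search(path)),
        "proxy_blocks": proxy_blocks,
        "mismatch": backend_hits and not proxy_blocks,
    }


def audit(paths):
    """Return paths the proxy would allow but the backend maps to /admin."""
    return [p for p in paths if check(p)["mismatch"]]


# Constructed sample request paths (not taken from any real log).
SAMPLES = ["/admin", "/public/index.html", "/files/a%2Fb",
           "/something%2F..%2Fadmin", "/something%5C..%5Cadmin"]

if __name__ == "__main__":
    for flagged in audit(SAMPLES):
        print("policy mismatch:", flagged, "->", backend_view(flagged))
```

A path such as /files/a%2Fb contains an escaped slash but produces no mismatch, so the escaped_slash flag alone is a broader signal than the mismatch check.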

GatewayClass spec.parametersRef is now a required field

gatewayclasses.spec.parametersRef is now a required field when using the operator to manage the GatewayClass, i.e. controller: projectcontour.io/contour-operator. The referent should be namespace-scoped and refer to an instance of the Contour CRD. For example:

kind: GatewayClass
apiVersion: networking.x-k8s.io/v1alpha1
metadata:
  name: example
spec:
  controller: projectcontour.io/contour-operator
  parametersRef:
    group: operator.projectcontour.io
    kind: Contour
    scope: Namespace
    name: contour-gateway-sample
    namespace: contour-operator

This resolves a panic in the Operator when gatewayclasses.spec.parametersRef was not provided.
