We are delighted to present version v1.30.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Please note that this is pre-release software, and as such we do not recommend installing it in production environments.
Feedback and bug reports are welcome!
- Minor Changes
- Other Changes
- Deprecations/Removals
- Installing/Upgrading
- Compatible Kubernetes Versions
- Community Thanks!
Minor Changes
Gateway API: Implement Listener/Route hostname isolation
Gateway API spec update in this GEP.
Updates logic on finding intersecting route and Listener hostnames to factor in the other Listeners on a Gateway that the route in question may not actually be attached to.
Requests should be "isolated" to the most specific Listener and it's attached routes.
Update examples for monitoring Contour and Envoy
Updates the documentation and examples for deploying a monitoring stack (Prometheus and Grafana) to scrape metrics from Contour and Envoy.
Adds a metrics port to the Envoy DaemonSet/Deployment in the example YAMLs to expose port 8002 so that PodMonitor resources can be used to find metrics endpoints.
Update to Gateway API v1.1.0
Gateway API CRD compatibility has been updated to release v1.1.0.
Notable changes for Contour include:
- The
BackendTLSPolicyresource has undergone some breaking changes and has been updated to thev1alpha3API version. This will require any existing users of this policy to uninstall the v1alpha2 version before installing this newer version. GRPCRoutehas graduated to GA and is now in thev1API version.
Full release notes for this Gateway API release can be found here.
Add Circuit Breaker support for Extension Services
This change enables the user to configure the Circuit breakers for extension services either via the global Contour config or on an individual Extension Service.
NOTE: The PerHostMaxConnections is now also configurable via the global settings.
Fallback Certificate: Add Global Ext Auth support
Applies Global Auth filters to Fallback certificate
Gateway API: handle Route conflicts with GRPCRoute.Matches
It's possible that multiple GRPCRoutes will define the same Match conditions. In this case the following logic is applied to resolve the conflict:
- The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of “2020-09-08 01:02:03” is given precedence over a Route with a creation timestamp of “2020-09-08 01:02:04”.
- The Route appearing first in alphabetical order (namespace/name) for example, foo/bar is given precedence over foo/baz.
With above ordering, any GRPCRoute that ranks lower, will be marked with below conditions accordingly:
- If only partial rules under this GRPCRoute are conflicted, it's marked with
Accepted: TrueandPartiallyInvalid: trueConditions and Reason:RuleMatchPartiallyConflict. - If all the rules under this GRPCRoute are conflicted, it's marked with
Accepted: FalseCondition and ReasonRuleMatchConflict.
(#6566, @lubronzhan)
Other Changes
- Fixes bug where external authorization policy was ignored on HTTPProxy direct response routes. (#6426, @shadialtarsha)
- Updates to Kubernetes 1.30. Supported/tested Kubernetes versions are now 1.28, 1.29, and 1.30. (#6444, @sunjayBhatia)
- Enforce
deny-by-defaultapproach on theadminlistener by matching on exact paths and onGETrequests (#6447, @davinci26) - Add support for defining equal-preference cipher groups ([cipher1|cipher2|...]) and permit
ECDHE-ECDSA-CHACHA20-POLY1305andECDHE-RSA-CHACHA20-POLY1305to be used separately. (#6461, @tsaarni) - allow
/stats/prometheusroute on theadminlistener. (#6503, @clayton-gonsalves) - Improve shutdown manager query to the Envoy stats endpoint for active connections by utilizing a regex filter query param. (#6523, @therealak12)
- Updates to Go 1.22.5. See the Go release notes for more information. (#6563, @sunjayBhatia)
- Updates Envoy to v1.31.0. See the Envoy release notes for more information about the content of the release. (#6569, @skriss)
Deprecation and Removal Notices
Contour sample YAML manifests no longer use prometheus.io/ annotations
The annotations for notifying a Prometheus instance on how to scrape metrics from Contour and Envoy pods have been removed from the deployment YAMLs and the Gateway provisioner.
The suggested mechanism for doing so now is to use kube-prometheus and the PodMonitor resource.
xDS server type fields in config file and ContourConfiguration CRD are deprecated
These fields are officially deprecated now that the contour xDS server implementation is deprecated.
They are planned to be removed in the 1.31 release, along with the contour xDS server implementation.
Installing and Upgrading
The simplest way to install v1.30.0-rc.1 is to apply one of the example configurations:
Standalone Contour:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour.yamlContour Gateway Provisioner:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour-gateway-provisioner.yamlStatically provisioned Contour with Gateway API:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/v1.30.0-rc.1/examples/render/contour-gateway.yamlCompatible Kubernetes Versions
Contour v1.30.0-rc.1 is tested against Kubernetes 1.28 through 1.30.
Community Thanks!
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.