github projectcontour/contour v1.5.0
Contour 1.5.0
on GitHub

We are delighted to present version 1.5.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

New and improved

TLS Fallback Certificate Support

The Contour HTTPProxy API now includes better support for TLS clients that don’t support SNI by allowing cluster operators to specify a fallback certificate that terminates TLS sessions where no SNI server name is provided. This feature is opt-in since it is incompatible with TLS client certificate validation and allows SNI name bypass, which may be undesirable in some deployments. Access to the fallback certificate is managed with the usual Contour TLS certificate delegation mechanism.

(Associated PRs: #2528, #2477, #2504, #2477. #2535, #2543)

Thanks @stevesloka for designing and implementing this feature.

gRPC Certificate Rotation

The TLS keys and certificates that secure the gRPC session between Envoy and Contour can now be rotated without needing to restart any Pods.

(Associated PRs: #2333, #2555)

Thanks @tsaarni for driving this feature over the last couple of releases, both in the Contour and Envoy projects.

The example Contour deployment now uses certificates that include the CA certificate bundle. This change makes the example deployment compatible with certificates generated by cert-manager.

(Associated PRs: #2547)

HTTPProxy Load Balancer Address Support

Contour now updates the status of HTTPProxy documents with the status.loadBalancer.addresses field. This brings HTTPProxy to parity with Ingress, and makes it easier to program automatic DNS record creating for HTTPProxy objects.

(Associated PRs: #2551)

Thanks @youngnick.

TLS Request Misdirection

Contour now programs Envoy to serve a 421 response when HTTP/2 clients use aggressive wildcard certificate matching to re-use the wrong TLS session. This resolves errors where client requests to multiple HTTPProxy objects that are all served with a wildcard TLS certificate can respond with a 404 error when the Host header in the HTTP request doesn’t match the SNI server name that was used to establish the TLS session.

(Associated PRs: #2483)

Multiple Load Balancer Address Support

Contour now supports multiple addresses in the --ingress-status-address flag of the contour serve subcommand. This allows sites that deploy Envoy without an external load balancer to more easily publish all the addresses of the Envoy proxies into DNS.

(Associated PRs: #2542)

Thanks @al45tair for this improvement.

Versioned Deployment YAML

The Contour project now publishes the example deployment YAML for each release version. still serves the YAML for the latest release, but you can pin to a specific version with a URL like

(Associated PRs: #2552)

Documentation Improvements

  • Improved HTTPProxy API documentation (#2467, #2460)
  • Improved TimeoutPolicy API documentation (#2460)
  • Improved documentation for proxy protocol support on AWS ELBs (#2480) (thanks @savithruml)
  • Miscellaneous documentation improvements (#2500, #2508)


Please consult the upgrade documentation.

Are you a Contour user? We would love to know!

If you’re using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread

2 months ago