We are delighted to present version 1.5.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
New and improved
TLS Fallback Certificate Support
The Contour HTTPProxy API now includes better support for TLS clients that don't send SNI by allowing cluster operators to specify a fallback certificate that terminates TLS sessions in which no SNI server name is provided. The feature is opt-in: it is incompatible with TLS client certificate validation, and it lets a client reach a virtual host without naming it via SNI, which may be undesirable in some deployments. Access to the fallback certificate is managed with the usual Contour TLS certificate delegation mechanism.
(Associated PRs: #2528, #2477, #2504, #2535, #2543)
Thanks @stevesloka for designing and implementing this feature.
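The three objects needed to turn the fallback certificate on, as an added example rather than configuration taken from the release post. The Secret name `fallback-cert`, the namespace `projectcontour`, the FQDN `www.example.com` and the `www` Service are placeholders; the ConfigMap key `contour.yaml`, the `tls.fallback-certificate` setting, the `TLSCertificateDelegation` kind and the `enableFallbackCertificate` field are Contour's own.

```yaml
# Added example (not from the release post): wiring up the TLS fallback
# certificate. Secret, namespace, FQDN and Service names are placeholders.

# 1. Contour configuration (the ConfigMap read by `contour serve`): name the
#    Secret whose certificate is presented when a client sends no SNI.
apiVersion: v1
kind: ConfigMap
metadata:
  name: contour
  namespace: projectcontour
data:
  contour.yaml: |
    tls:
      fallback-certificate:
        name: fallback-cert          # assumed kubernetes.io/tls Secret
        namespace: projectcontour    # assumed namespace holding the Secret
---
# 2. Delegate that Secret to the namespaces whose HTTPProxies may use it.
#    Without a delegation Contour will not serve a Secret from another
#    namespace, so the fallback simply is not installed for them.
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: fallback-cert-delegation
  namespace: projectcontour
spec:
  delegations:
    - secretName: fallback-cert
      targetNamespaces:
        - "*"                        # or an explicit list of namespaces
---
# 3. Opt a single virtual host in. The default is off: SNI-less clients
#    fail the handshake instead of being routed to this vhost.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: www
  namespace: default
spec:
  virtualhost:
    fqdn: www.example.com
    tls:
      secretName: www-tls            # this vhost's own certificate
      enableFallbackCertificate: true
      # Do NOT add clientValidation here: client certificate validation
      # and the fallback certificate are mutually exclusive, and Contour
      # marks such an HTTPProxy invalid rather than weakening mTLS.
  routes:
    - services:
        - name: www
          port: 80
```

Two checks worth running after applying this: `openssl s_client -connect <envoy-address>:443 -noservername` (OpenSSL 1.1.1 or later) should show the fallback certificate rather than a handshake failure, and `kubectl get httpproxy -A` should report the opted-in HTTPProxy as valid. Requests arriving on the fallback session are then routed purely by the HTTP Host header, so any client that can reach the listener can address this vhost without ever naming it in SNI; that is the bypass the release notes warn about, and it is why the setting is per-HTTPProxy rather than global.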
gRPC Certificate Rotation
The TLS keys and certificates that secure the gRPC session between Envoy and Contour can now be rotated without needing to restart any Pods.
(Associated PRs: #2333, #2555)
Thanks @tsaarni for driving this feature over the last couple of releases, both in the Contour and Envoy projects.
The example Contour deployment now uses certificates that include the CA certificate bundle. This change makes the example deployment compatible with certificates generated by cert-manager.
(Associated PRs: #2547)
HTTPProxy Load Balancer Address Support
Contour now updates the status of HTTPProxy documents with the status.loadBalancer.addresses field. This brings HTTPProxy to parity with Ingress, and makes it easier to automate DNS record creation.
(Associated PRs: #2551)
TLS Request Misdirection
Contour now programs Envoy to serve a 421 (Misdirected Request) response when an HTTP/2 client uses aggressive wildcard certificate matching to reuse a TLS connection for the wrong virtual host. Previously, requests to several HTTPProxy objects that all share a wildcard TLS certificate could fail with a 404 when the Host header in the HTTP request did not match the SNI server name used to establish the TLS session; the 421 status tells the client to retry the request on a new connection instead.
(Associated PRs: #2483)
Multiple Load Balancer Address Support
Contour now supports multiple addresses in the --ingress-status-address flag of the contour serve subcommand. This allows sites that deploy Envoy without an external load balancer to more easily publish all the addresses of the Envoy proxies into DNS.
(Associated PRs: #2542)
Thanks @al45tair for this improvement.
Versioned Deployment YAML
The Contour project now publishes the example deployment YAML for each release version. https://projectcontour.io/quickstart/contour.yaml still serves the YAML for the latest release, but you can pin to a specific version with a URL like https://projectcontour.io/quickstart/v1.5.0/contour.yaml.
(Associated PRs: #2552)
- Improved HTTPProxy API documentation (#2467, #2460)
- Improved TimeoutPolicy API documentation (#2460)
- Improved documentation for proxy protocol support on AWS ELBs (#2480) (thanks @savithruml)
- Miscellaneous documentation improvements (#2500, #2508)
Please consult the upgrade documentation.
Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback on your usage and scenarios for Contour, please post on this GitHub thread.