Releases: projectcontour/contour
Contour 0.15.2
Contour 0.15.2 is a minor patch release for the Contour 0.15 series.
All Contour users should upgrade to Contour 0.15.2.
Bug fixes
TLS certificate validation improvements
Contour 0.15.2 now validates a wider set of TLS secrets including those with EC Parameter blocks.
Fixes #1702. Thanks @mattalberts.
Go 1.13.3
Contour 0.15.2 is built using Go 1.13.3.
Upgrading
If you are already running Contour 0.15.0 or 0.15.1 the upgrade instructions are as follows:
- Change the Contour image version to v0.15.2.
- Change the Envoy image version to v1.11.2.
If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.
Contour 1.0.0-rc.1
VMware is ebullient to present version 1.0.0-rc.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!
Contour 1.0.0-rc.1 is the first release candidate on the path to Contour 1.0.
The current stable release at this time remains Contour 0.15.1.
New and improved
Contour 1.0.0-rc.1 contains many bug fixes and improvements, and moves the HTTPProxy CRD to v1.
HTTPProxy CRD v1
Contour 1.0.0-rc.1 promotes the HTTPProxy CRD to v1. HTTPProxy is now considered stable and our sincere hope is that with the move to v1 any changes to the CRD in the future can be made in a backwards compatible manner.
The move from alpha1 to v1 has resulted in changes to per service health checking, load balancing strategy, and per route prefix rewriting.
Please see the upgrading document and HTTPProxy documentation for advice on upgrading HTTPProxy alpha1 CRDs to v1.
Prefix rewrite support removed
HTTPProxy v1 removes prefix rewriting support. The feature as implemented in HTTPProxy alpha1, and IngressRoute before it, was badly designed and it was not possible to address its limitations without a backwards incompatible change. Our intention is to design a more capable prefix rewrite replacement.
Prefix rewrite support continues to exist in the deprecated IngressRoute CRD. We won't be removing IngressRoute support until we have a replacement for prefixRewriting available in HTTPProxy.
Please follow #899 for the status of this issue.
networking.k8s.io/v1beta1 Ingress support
Support for the networking.k8s.io/v1beta1.Ingress object has been added.
Fixes #1685
contour.heptio.com annotations deprecated
As part of the move to the projectcontour.io namespace the Heptio branded contour.heptio.com annotations have been migrated to their respective projectcontour.io versions. The previous contour.heptio.com annotations should be considered deprecated. Contour will continue to support these deprecated forms for the moment. They will be removed at some point after Contour 1.0.
Client request timeout
The ability to specify a Contour wide request timeout has been added to the configuration file.
See the configuration file example for more information.
Fixes #1073. Thanks @youngnick.
TLS certificate validation
Contour 0.15.1 now attempts to validate the contents of a TLS certificate before presenting it to Envoy.
This validation only extends to asserting the certificate is well formed. Expired, incorrect hostname details, or otherwise well formed but invalid certificates are not rejected. IngressRoutes that reference invalid secrets will have their Status: fields set accordingly.
Fixes #1065
Envoy 1.11.2
See the Envoy 1.11.2 announcement for details on the vulnerabilities.
Minor improvements
- make help target added. Thanks @jpeach.
- prefix conditions must start with a slash. Fixes #1628. Thanks @youngnick.
- Duplicate HTTPProxy header conditions are now rejected. Fixes #1559. Thanks @youngnick.
- HTTPProxy route or include blocks with more than one prefix condition are now rejected. Fixes #1611. Thanks @stevesloka.
- The X-Request-Id header is now no longer removed from incoming requests. Fixes #1487.
- HTTPProxy includes no longer require a namespace key. If no namespace is provided, the included HTTPProxy is inferred to be in the same namespace as its parent. Fixes #1574. Thanks @youngnick.
Bug fixes
Minor bug fixes
- prefix conditions no longer strip trailing slashes. Fixes #1597. Thanks @youngnick.
- TCPProxy support now works with HTTPProxy. Fixes #1626. Thanks @stevesloka.
- HTTPProxy TLSCertificateValidation was borken in beta.1, now it's not. Fixes #1639. Thanks @stevesloka.
- We have published a supported release version policy. Fixes #1581.
Upgrading
Please consult the Upgrading document for further information on upgrading from Contour 1.0.0-beta.1 to Contour 1.0.0-rc.1.
Contour 0.15.1
Contour 0.15.1 is a minor patch release for the Contour 0.15 series.
All Contour users should upgrade to Contour 0.15.1 and Envoy 1.11.2.
Envoy 1.11.2
See the Envoy 1.11.2 announcement for details on the vulnerabilities.
See the upgrading section below for details.
X-Request-Id
Contour 0.15.1 preserves the X-Request-Id header if present in the client request.
Fixes #1487
TLS certificate validation
Contour 0.15.1 now attempts to validate the contents of a TLS certificate before presenting it to Envoy.
This validation only extends to asserting the certificate is well formed. Expired, incorrect hostname details, or otherwise well formed but invalid certificates are not rejected. IngressRoutes that reference invalid secrets will have their Status: fields set accordingly.
Fixes #1065
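The gap between "well formed" and "valid" described above, and the EC Parameter block case noted for 0.15.2, shown as an added Go example that is not Contour's own code. The function names (newSecret, wellFormed, audit) and the example.com hostnames are assumptions made for illustration, and the secret is constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newSecret returns a constructed, self-signed tls.crt / tls.key pair for host.
// With ecParams set, tls.key starts with an "EC PARAMETERS" block, the layout
// `openssl ecparam -genkey` produces.
func newSecret(host string, notBefore, notAfter time.Time, ecParams bool) ([]byte, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	var key []byte
	if ecParams {
		// DER encoding of the OID for the named curve prime256v1 (P-256).
		oid, err := asn1.Marshal(asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7})
		if err != nil {
			return nil, nil, err
		}
		key = pem.EncodeToMemory(&pem.Block{Type: "EC PARAMETERS", Bytes: oid})
	}
	key = append(key, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})...)
	crt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return crt, key, nil
}

// wellFormed checks only that the certificate parses and the key matches it.
// tls.X509KeyPair skips PEM blocks that are not private keys, so a leading
// EC PARAMETERS block is tolerated. Expiry and hostname are not examined.
func wellFormed(crt, key []byte) error {
	_, err := tls.X509KeyPair(crt, key)
	return err
}

// audit reports what a well-formedness check leaves out: the validity period
// and hostname coverage of the first certificate in tls.crt.
func audit(crt []byte, host string, now time.Time) []string {
	b, _ := pem.Decode(crt)
	if b == nil || b.Type != "CERTIFICATE" {
		return []string{"no certificate"}
	}
	leaf, err := x509.ParseCertificate(b.Bytes)
	if err != nil {
		return []string{"unparseable: " + err.Error()}
	}
	var findings []string
	if now.Before(leaf.NotBefore) {
		findings = append(findings, "not yet valid")
	}
	if now.After(leaf.NotAfter) {
		findings = append(findings, "expired")
	}
	if err := leaf.VerifyHostname(host); err != nil {
		findings = append(findings, "hostname mismatch")
	}
	return findings
}

func main() {
	now := time.Now()
	// Constructed sample: expired a day ago, issued for a different host,
	// key file carrying an EC PARAMETERS block.
	crt, key, err := newSecret("old.example.com", now.Add(-48*time.Hour), now.Add(-24*time.Hour), true)
	if err != nil {
		panic(err)
	}
	fmt.Println("well formed:", wellFormed(crt, key) == nil)
	fmt.Println("audit findings:", audit(crt, "www.example.com", now))
}
```

A secret that passes the first check can still fail the second, so expiry and hostname coverage need their own monitoring on the operator's side.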
Go 1.13.1
Contour 0.15.1 is built using Go 1.13.1.
Upgrading
If you are already running Contour 0.15.0 the upgrade instructions are as follows:
- Change the Contour image version to v0.15.1.
- Change the Envoy image version to v1.11.2.
If you are running Contour 0.15.0 or earlier, please see the upgrade documentation.
Contour 1.0.0 beta 1
VMware is proud to present version 1.0.0-beta.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!
Contour 1.0.0-beta.1 is the first beta release along the path to Contour 1.0.
The current stable release at this time remains Contour 0.15.0.
New and improved
Contour 1.0.0-beta.1 contains many bug fixes and improvements.
HTTPProxy CRD
Over a year ago Contour 0.6 introduced a new CRD, IngressRoute. IngressRoute was our attempt to address the issues preventing Kubernetes developers from utilising modern web development patterns in multi tenant Kubernetes clusters.
As part of preparations for bringing Contour to 1.0 IngressRoute has been renamed to HTTPProxy. This name reflects both the procedural changes necessitated by the Heptio acquisition and the desire to clarify Contour's role in the crowded Kubernetes networking space.
HTTPProxy brings with it two new concepts--inclusion and conditions--both of which, like the transition from IngressRoute to HTTPProxy, represent evolutions of the delegation model and our limited support for prefix based matching.
For more information, please consult the HTTPProxy documentation.
None of this work would have been possible without the dedication of @stevesloka. Thank you does not sufficiently capture the amount of effort Steve has dedicated to this feature.
IngressRoute deprecation
With the introduction of HTTPProxy, IngressRoute CRD is now marked as deprecated.
The IngressRoute CRD will be supported in its current state until the Contour 1.0.0 release and will be removed shortly after.
For more information please read the IngressRoute to HTTPProxy upgrade guide
Logging changes
By default Envoy emits request logs in its own format. See the Envoy docs for details.
Contour 1.0.0-beta1 adds support for JSON formatted logs. To enable JSON formatted logs, either add --accesslog-format=json to your contour serve line, or add accesslog-format: json to your config file.
Please see the documentation and design document for more information.
Fixes #624. Thanks @youngnick.
Leadership improvements
Leader election no longer blocks the opening of the xDS serving port. All Contours serve xDS, the leadership will control which Contour writes status updates. This work is ongoing and is documented in #1385.
Leader election now uses a ConfigMap named leader-elect in the projectcontour namespace by default.
This can be changed using the config file.
Because of this, rolling updates will now complete, and the example Contour Deployment has been reverted to the RollingUpdate strategy.
Contour image registry changes
Contour's image registry has moved from gcr.io/hepto-images/contour to docker.io/projectcontour/contour.
The v1.0.0-beta.1 tag is only available in docker.io/projectcontour/contour.
For convenience the :v0.15.0 and :latest tags are available in both repositories. Once Contour 1.0.0 final is released the :latest tag will move to docker.io/projectcontour/contour. Even if you are remaining on :latest or :v0.15.0 until the final release of Contour 1.0.0 please update your image locations to docker.io/projectcontour/contour:v0.15.0 or docker.io/projectcontour/contour:latest respectively.
GitHub organization changes
Contour's source code has moved from github.com/heptio/contour to github.com/projectcontour/contour.
GitHub is pretty good about redirecting people for a time, but eventually the github.com/heptio organization will go away and redirects will cease. Please update your bookmarks.
Contour namespace changes
Contour's default namespace has changed from heptio-contour to projectcontour.
Deprecated examples/
Several of the examples/ sample manifests have been removed as part of the preparations for the 1.0.0 release.
TLS Passthrough and HTTP redirect
Under certain circumstances it is now possible to combine TLS passthrough on port 443 with port 80 served from the same service. The use case for this feature is the application on port 80 can provide a helpful message when the service on port 443 does not speak HTTPS.
For more information see #910 and #1450.
Per route traffic mirroring
Per route a service can be nominated as a mirror. The mirror service will receive a copy of the read traffic sent to any non mirror service. The mirror traffic is considered read only, any response by the mirror will be discarded.
Fixes #459
Per route idle timeout
Per route idle timeouts can be configured via the HTTPProxy CRD.
Fixes #944
Contour ignores unrelated Secrets
Contour now ignores Secrets which are not related to Ingress, IngressRoute, HTTPProxy, or TLSCertificateDelegation operations.
This substantially reduces the number of updates processed by Contour.
Fixes #1372
Contour filters Endpoint updates
Contour now supports filtering update notifications in some circumstances. Specifically Envoy's EDS watches will no longer fire unless the specific EDS entry requested is updated. This should significantly reduce the number of spurious EDS updates sent to Envoy.
Minor improvements
- The contour binary now executes a graceful shutdown when sent SIGTERM. Thanks @alexbrand. Fixes #1364.
- Contour now preserves the X-Request-Id header if present. Fixes #1509.
- Contour's quickstart documentation now references the current stable version of Contour. Fixes #952.
- Contour will no longer present a secret via SDS if that secret is not referenced by a valid virtualhost. #1165
- The envoyproxy/go-control-plane package has been upgraded to version 0.9.0. go-control-plane 0.9.0 switches to the google/protobuf library which results in a 4mb smaller binary. Neat.
- Our CONTRIBUTING documentation has been updated to encourage contributors to squash their commits. Thanks @stevesloka.
- The markup of several of our pages has been corrected to render properly on GitHub. Thanks @sudeeptoroy.
- Envoy's /healthz endpoint has been replaced with /ready for Pod readiness. Fixes #1277. Thanks @rochacon.
- IngressRoute objects now forbid * anywhere in the spec.virtualhost.fqdn field. Fixes #1234.
- Contour is built with Go 1.13.1.
Bug fixes
Contour will no longer serve a broken TLS virtualhost over HTTP
In the case where an IngressRoute had a missing or invalid TLS secret Contour would serve the IngressRoute over HTTP. Contour now detects the case where a TLS enabled IngressRoute is missing its certificate and will not present the virtualhost over HTTP or HTTPS.
Fixes #1452
Minor bug fixes
- Contour now rejects IngressRoute and HTTPProxy objects that delegate to another root IngressRoute or HTTPProxy object. Fixes #865.
- An error where IngressRoute's status is not set when it references an un-delegated TLS cert has been fixed. Fixes #1347.
Upgrading
Please consult the Upgrading document for further information on upgrading from Contour 0.15 to Contour 1.0.0-beta.1
Contour v0.15.0
VMware is proud to present version 0.15 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters. As always, without the help of the many community contributors this release would not have been possible. Thank you!
All Contour users should upgrade to Contour 0.15.0 and Envoy 1.11.1 as there are some tasty HTTP/2 vulnerabilities which you really should patch.
New and improved
Contour 0.15 includes several new features as well as the usual smattering of fixes and minor improvements.
HTTP/2 CVEs
A number of CVEs related to HTTP/2 have been addressed by Envoy.
See the Envoy 1.11.1 announcement for details on the vulnerabilities.
As Envoy have not provided fixes for Envoy 1.10 and earlier all Contour users should also upgrade to Envoy 1.11.1.
Leader election
Contour 0.15 now supports leader election. In leader election mode only one Contour pod in a deployment, the leader, will open its gRPC endpoint to serve requests from Envoy. All other Contours will continue to watch the API server but will not serve gRPC until they become the leader. Leader election can be used to ensure that all Envoys take their configuration from a single Contour instance.
Leader election is currently opt in. In future versions of Contour we plan to make leader election mode the default.
For more information please consult the upgrading document.
Thanks @youngnick
Opt in, or opt out, of gRPC TLS authentication is now required
In Contour 0.14 support was added for mTLS communication between Contour and Envoy. Contour 0.15 now requires all users to either supply gRPC TLS information, or use contour serve --insecure to opt out of mTLS.
If you do not supply TLS details or --insecure, contour serve will not start.
For more information please consult the upgrading document.
Thanks @youngnick
Contour configuration file
Contour 0.15 supports passing configuration to Contour via a configuration file. The configuration file is intended to specify configuration that applies per Contour installation. Per Ingress or per Route configuration continues to be drawn from the objects and CRDs in the Kubernetes API server.
TLS minimum protocol version
Contour 0.15 supports supplying an installation wide minimum TLS protocol version. This setting can be used by administrators to raise the minimum TLS version used by TLS enabled virtual hosts managed by Contour.
The tls.minimimProtocolVersion field in the configuration file controls the minimum protocol version used.
Disable permitInsecure setting
Contour 0.15 supports disabling the permitInsecure IngressRoute setting. This setting can be used by administrators to prevent IngressRoute users presenting port 80 as an alternative to HTTPS.
Setting disablePermitInsecure to true will cause Contour to ignore the permitInsecure field on IngressRoute objects.
Fixes #864. Thanks @stevesloka
Contour ignores unrelated Secrets and Services
Contour 0.15 ignores updates to Secret and Service documents that are not referenced by an active Ingress or IngressRoute object. This significantly reduces the number and frequency of configuration updates sent to Envoy.
Updates #499.
Contour no longer presents misconfigured routes
In earlier versions of Contour, using the v1.Ingress object, it was possible to present a route which had no active Service if the Service named in the Ingress document was not present. When this occurred Envoy would respond to the route, but always return 503.
Contour 0.15 fixes this bug and will not present routes if their corresponding Service is missing. As a result, if the misconfigured route was the only route present on the virtual host, the virtual host itself will not be presented. If this was the only virtual host configured for a listening port (HTTP or HTTPS) then Contour 0.15 will not open the respective port.
This is not considered a loss of functionality as the only reason this port was open was to present a virtual host whose sole purpose was to return 503 for any request. However, some users may be relying on this functionality for health checking Envoy itself. If this is the case you should consider switching to a readinessProbe on the Envoy pod itself.
For more discussion see #389
Minor improvements
- Contour now reports Envoy's failure to apply a configuration update. Please raise issues if you see ERRORs in your Contour logs. Updates #1176.
- Contour's holdoff timer has been refactored so that it no longer reports a decades long first update event.
- Contour now sets a status message on an IngressRoute that incorrectly combines multiple backends and websockets. Updates #732. Thanks @stevesloka.
- client-go has been upgraded to version 12. Fixes #1213. Thanks @DylanGraham.
- envoyproxy/go-control-plane has been upgraded to v0.8.2. Fixes #1236.
- Contour is built with Go 1.12.9.
Bug fixes
Ingress.Path regular expression support restored
Contour 0.15 fixes a problem where regular expressions in Ingress spec.[]rules.http.[]paths.path values were interpreted as prefixes. This has likely been broken since at least Contour 0.5 (possibly earlier 😳).
note: IngressRoute does not support regular expression matching, this feature is only present in the Kubernetes Ingress object.
This bug was fixed in Contour 0.14.1.
For more information see #1243.
Thanks @stevesloka
Contour crash if /tmp is not available
The glog (now klog) library would attempt to write to disk if not properly initialised. Contour 0.15 properly initialises klog to prevent this issue caused by this horrendous API footgun.
This bug was fixed in Contour 0.14.2
For more information see #1279.
Thanks to @so0k for the report and @mattalberts for the fix.
Other bug fixes
- Contour no longer hangs during shutdown if the gRPC server was not the goroutine triggering the shutdown. Fixes #1361.
- The preStop hooks in our examples/ have been corrected to work around the lack of wget in the Envoy image. Fixes #1254.
- IngressRoute validation has been extended to prevent passing a non integer in the spec.tcpproxy.port field. Fixes #1336.
Upgrading
Please consult the Upgrading document for further information on upgrading from Contour 0.14 to Contour 0.15.
Contour v0.14.2
Contour 0.14.2 is a bug fix and security release for the Contour 0.14 series.
All Contour users should upgrade to Contour 0.14.2.
HTTP/2 CVEs
A number of CVEs related to HTTP/2 have been addressed by Envoy.
See the Envoy 1.11.1 announcement for details on the vulnerabilities.
As Envoy have not provided fixes for Envoy 1.10 and earlier all Contour users should upgrade to Envoy 1.11.1. As Contour and Envoy have a close coupling between versions, all Contour users should upgrade to Contour 0.14.2 at the same time.
See the upgrading section below for details.
Go 1.12.8
A similar set of issues related to HTTP/2 and URL parsing has been addressed in Go 1.12.8
See the Go 1.12.8 announcement for details on the vulnerabilities.
Contour 0.14.2 is built using Go 1.12.8 to mitigate these issues.
Contour crash if /tmp is not available
The glog (now klog) library would attempt to write to disk if not properly initialised. Contour 0.14.2 properly initialises klog to prevent this issue. Fixes #1279. Thanks to @so0k for the report and @mattalberts for the fix.
Upgrading
If you are already running Contour 0.14.0, or 0.14.1, the upgrade instructions are as follows:
- Change the Contour image version to gcr.io/heptio-images/contour:v0.14.2.
- Change the Envoy image version to docker.io/envoyproxy/envoy:v1.11.1.
If you are running Contour 0.13.0 or earlier, please see the release notes for the previous release.
Contour v0.14.1
Contour 0.14.1 is a bug fix release for the recently released Contour 0.14.0.
All Contour users should upgrade to Contour 0.14.1.
Bugs fixed (vs Contour 0.14.0)
Contour 0.14.1 fixes a problem where regular expressions in Ingress spec.[]rules.http.[]paths.path values were interpreted as prefixes. This has likely been broken since at least Contour 0.5 (possibly earlier 😳).
note: IngressRoute does not support regular expression matching, this feature is only present in the Kubernetes Ingress object.
This bug is fixed in Contour 0.14.1. All Contour users should upgrade to Contour 0.14.1.
For more information see #1243.
Thanks @stevesloka
Upgrading
If you are already running Contour 0.14.0, there are no specific upgrade instructions save changing the image tag to v0.14.1.
If you are running Contour 0.13.0 or earlier, please see the release notes for the previous release.
Contour v0.14.0
VMware is proud to present version 0.14 of Contour, our Envoy powered Kubernetes Ingress Controller.
As always, without the help of the many community contributors this release would not have been possible. Thank you!
New and improved
Contour 0.14 includes several new features as well as the usual smattering of fixes and minor improvements.
Secure, authenticated, communication between Envoy and Contour
Historically the privacy and security of the communication between Envoy and Contour was handled by deploying both containers in the same pod and with traffic passing over the loopback interface. However this is not the only way in which Envoy and Contour can be deployed.
For example, administrators may wish to deploy Envoy in a DaemonSet independent from Contour's Deployment. In this mode the communication between Envoy and Contour did not (until 0.14) require authentication and any process that knew the address of Contour's xDS endpoint could connect and ask for configuration as if it were Envoy.
Contour 0.14 adds the ability to secure the communication between Contour and Envoy and authenticate the clients connecting to a Contour server by using SSL client certificate authentication (sometimes referred to as mTLS).
For more information please refer to the Generating example gRPC TLS certificates documentation and the design document.
Fixes #862. Thanks @youngnick.
Split Contour deployment and Envoy daemonset
Following from the previous enhancement the ds-hostnet-split example has been enhanced to use mTLS between Envoy and Contour.
This is accomplished via a one shot Job which will generate the CA and certificate material.
For more information refer to the Contour Deployment with Split Pods documentation and the /examples/ds-hostnet-split sample YAML.
Fixes #881. Thanks @youngnick.
Some contour serve configuration can be supplied via configuration file
In order to support new configuration options for logging in 0.15 contour serve now takes a -c config.json flag.
Fixes #1130
Other improvements
- Contour no longer creates a broken route if the backend service is missing. Fixes #520. Thanks @stevesloka.
- The sample grafana graph now reports latency metrics in seconds and not milliseconds. Thanks @mwhittington21.
- Documentation for minikube and kind has been updated. Thanks @stevesloka.
- glog has finally been expunged from Contour's dependency list along with the horrible hacks it required. Good riddance.
- Contour is now built with Go 1.12.7.
Bugs fixed
- Contour no longer permits * in the spec.virtualhost.fqdn as * has a special meaning to Envoy which we did not intend to expose. Fixes #1167. Thanks @odacremolbap
- A bug which caused Contour to continually send updates to Envoy when an invalid secret was referenced from an Ingress or IngressRoute record has been fixed. Fixes #1206. Thanks @stevesloka.
Upgrading
- The --envoy-external-http-port and --envoy-external-https-port flags have been removed in 0.14.0. There is no replacement, the flags are no longer required and must be removed from your deployment YAML.
- Contour 0.14 requires Envoy 1.10.0.
We're aware of the recent release of Envoy 1.11.0, however as Contour 0.14 does not contain any code to activate new features in Envoy 1.11.0 we have opted to stay on Envoy 1.10.0 for Contour 0.14. Upgrading to Envoy 1.11.0 will happen during the Contour 0.15 cycle. See #1242 for more information.
docker.io/envoyproxy/envoy:v1.10.0
Versions of Envoy later than 1.10.0 are not tested and not guaranteed to work with Contour 0.14.0.
Contour v0.13.0
VMware is proud to present version 0.13 of Contour, our Envoy powered Kubernetes Ingress Controller. As always, without the help of the many community contributors, this release would not have been possible. Thank you!
New and improved
Contour 0.13 includes several new features as well as the usual smattering of fixes and minor improvements.
Session Affinity
Session affinity, also known as sticky sessions, is a load balancing strategy whereby a sequence of requests from a single client are consistently routed to the same application backend. Contour 0.13.0 supports session affinity with the strategy: Cookie key on a per-service basis.

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: httpbin
  namespace: default
spec:
  virtualhost:
    fqdn: httpbin.davecheney.com
  routes:
  - match: /
    services:
    - name: httpbin
      port: 8080
      strategy: Cookie

See the design document and IngressRoute documentation for more information.
Service ExternalNames are now supported
Contour now supports proxying traffic to Services which use service.spec.externalName.
When service.spec.externalName is defined DNS is used to discover the services' external endpoints.
Both HTTP and TCP ExternalNames are supported.
See the design document and Kubernetes' Service documentation for more information.
Fixes #334. Thanks @stevesloka.
Sample deployment/ YAML examples moved to examples/
Since our 0.1 release Contour has always included in the repository sample YAML for various configurations.
These were always intended to be examples, and this is how the Contour team always perceived them.
However, we did a bad job of communicating this to our user base, which we are now trying to correct.
In operation, nothing has changed with the sample YAML other than it has moved from deployment/ to examples/ to make clear that these are in fact simply examples.
Fixes #1118. Many thanks to @rochacon.
--envoy-external-http-port and --envoy-external-https-port flags have been deprecated
Due to a long-standing limitation in Envoy, if Contour was deployed on ports other than the traditional 80 (HTTP), and 443 (HTTPS), operators were required to pass to Envoy, via --envoy-external-http-port and --envoy-external-https-port, the non-standard ports that were in use. This was annoying in practice and restricted the use of local development tools like Minikube and Kind.
Contour 0.13.0 introduces a workaround for envoyproxy/envoy#1269, that removes the need to inform Envoy of external ports that will be forwarded to it. In turn, this should make it easier to deploy Contour inside Kind or Minikube clusters.
As they are no longer needed, the --envoy-external-http-port and --envoy-external-https-port flags now generate a warning if used and will be removed completely in 0.14.0.
Fixes #210. Thanks @youngnick.
force-ssl-redirect now takes precedence over the ingress.allow-http annotation
The behavior when the kubernetes.io/ingress.allow-http and ingress.kubernetes.io/force-ssl-redirect annotations were both specified was somewhat surprising. ingress.allow-http: false meant that no routes were registered for port 80, even if force-ssl-redirect: true was set, leading to a 404 where a 3xx upgrade to https was expected.
Contour 0.13.0 now prioritizes force-ssl-redirect. If this annotation is specified and set to true, Contour will always register a port 80 route for the ingress, even if ingress.allow-http: false, so that the forced upgrade can take effect.
Fixes #1023 with many thanks to @ceralena.
Maglev and RingHash load balancer strategies no longer supported.
RingHash and Maglev are two balancing/affinity strategies offered by IngressRoute. However, due to a lack of understanding of how they worked when they were added in Contour 0.6, neither strategy was properly configured and would only result in random behavior.
Without the ability to configure the hash key, which is usually some form of a session cookie, these strategies are not useful and cannot be used correctly.
As such they have been removed from the list of valid strategies.
For their replacement, see the earlier section on Session Affinity.
HTTP and TCP idle timeouts
Contour 0.13.0 configures an explicit timeout for all idle HTTP and TCP proxy connections. As the definition of idle differs between HTTP and TCP modes the values are different.
- For HTTP an idle timeout of 60 seconds is configured for all connections. After 60 seconds a connection without activity will be closed.
- For TCP proxy idle connections are expected to stay open longer thus the idle timeout is set to 9001 seconds. This value is larger than the default TCP keepalive timeout on most operating systems so the most likely scenario is the operating system will time out the connection before Envoy does. The Envoy idle timeout acts as a second line of defense to avoid leaking file descriptors.
Fixes #1045 and #1074. Thanks @mattalberts and @youngnick.
Envoy memory usage
As part of a continuing effort to characterize and reduce the amount of memory used by Envoy, Contour 0.13 contains several improvements and bug fixes intended to reduce Envoy's footprint.
This work will continue in 0.14 and onwards.
Fixes or updates #499, #876, #1096
Huge thanks to @lrouquette, @mattalberts, @phylake, and many more for their assistance.
IPv6 improvements
Contour now understands the IPv6-any address, "::", and when used Contour will instruct Envoy to open ports on both IPv4 and IPv6 stacks. For example:
command: ["contour"]
args:
- serve
- --incluster
- --envoy-service-http-port=8080
- --envoy-service-https-port=8443
- "--stats-address=::"
- "--envoy-service-https-address=::"
- "--envoy-service-http-address=::"
This makes it possible to use the same config for ipv4-only and ipv6-only k8s, and enables dual-stack.
Big thanks to @uablrek for improving the story for IPv6 only or dual stack Kubernetes clusters.
Other improvements
- Envoy upgraded to 1.10.0. Thanks @stevesloka. Fixes #998.
- IngressRoute now validates that a secret is valid before using it and sets the appropriate status on the IngressRoute object if not. Thanks @stevesloka
- The Envoy's stats listener is now generated programmatically from Contour rather than hardcoded in the bootstrap configuration. Thanks @stevesloka
- Envoy 1.10.0 natively generates statistics in Prometheus format, removing the need for statsd. Fixes #1035, #1086. Thanks @rata and @stevesloka.
- A document outlining the development workflow of the Contour team has been added. It may be informative to interested contributors. We've also updated our CONTRIBUTING document with some guidelines for commit and PR messages. Fixes #1136. Thanks @youngnick.
- Contour now verifies that a TLS secret is of type kubernetes.io/tls and contains the required tls.crt and tls.key elements.
Bugs fixed
Contour 0.13 fixes a problem whereby Envoy could stall during startup if the cluster contains Services with no active pods. This situation is commonly encountered when a Service's Deployment has been scaled to zero replicas.
This fix was also backported to 0.12.1.
For more information see #1091 and #1110.
Additional bug fixes
- The CRD validation for the spec.virtualhost.fqdn field has been adjusted once more. Fixes #755, #1117. Thanks @youngnick.
- A broken link in our Zenhub documentation has been corrected. Fixes #1160. Thanks @paivagustavo.
Upgrading
- The --envoy-external-http-port and --envoy-external-https-port flags are deprecated and will be removed in 0.14.0. There is no replacement, the flags are no longer required and should be removed from your deployment YAML.
- Contour 0.13 requires Envoy 1.10.0.
Versions of Envoy later than 1.10.0 are not tested and not guaranteed to work with Contour 0.13.0.
docker.io/envoyproxy/envoy:v1.10.0
- The strategy: Maglev and strategy: RingHash load balancer strategies have been removed. They never worked correctly and were functionally equivalent to strategy: Random. If cookie based routing is required, see the earlier section on Session Affinity.
Contour v0.12.1
Contour 0.12.1 is a bug fix release for the recently released Contour 0.12.0.
All Contour users should upgrade to Contour 0.12.1.
Bugs fixed (vs Contour 0.12.0)
Contour 0.12.1 fixes a problem whereby Envoy could stall during startup if the cluster contains Services with no active pods. This situation is commonly encountered when a Service's Deployment has been scaled to zero replicas.
This bug is fixed in Contour 0.12.1. All Contour users should upgrade to Contour 0.12.1.
For more information see #1091 and #1110.
Upgrading
If you are already running Contour 0.12.0, there are no specific upgrade instructions save changing the image tag to v0.12.1.
If you are running Contour 0.11.0 or earlier, please see the release notes for the previous release.