
Contour v0.12.0

@davecheney davecheney released this 10 May 03:14

VMware is proud to present version 0.12 of Contour, our Envoy powered Kubernetes Ingress Controller. Again, without the help of the many community contributors, this wouldn't have been possible. Thank you!

New and improved

Contour 0.12 includes several new features as well as the usual smattering of fixes and minor improvements.

Support for per route backend timeouts and retries

Support for specifying backend timeouts and retries has been added to IngressRoute. These are enabled via the timeoutPolicy and retryPolicy keys, respectively, e.g.

apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: request-timeout
  namespace: default
spec:
  virtualhost:
    fqdn: timeout.bar.com
  routes:
  - match: /
    timeoutPolicy:
      request: 1s
    retryPolicy:
      count: 3
      perTryTimeout: 150ms
    services:
    - name: s1
      port: 80

If timeoutPolicy is present, the backend service must finish processing the request within the duration given by the request key. If timeoutPolicy is present without a request key, the timeout is treated as infinite; be deliberate about that, because a route with no deadline lets a stalled backend hold Envoy resources for as long as the client is willing to wait. If no timeoutPolicy is present, Envoy uses its default route timeout, which is currently 15s.

If retryPolicy is present and perTryTimeout is set, requests to backends are retried after the specified duration, within the total request duration specified in timeoutPolicy (if present). By default the number of retries is 1; it can be increased with the count key.
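The interaction between timeoutPolicy and retryPolicy is easy to get wrong, so here is a small lint, written for this page as an added example rather than code from the Contour project. The TimeoutPolicy, RetryPolicy and Route types are assumed shapes that mirror the IngressRoute keys above, not Contour's own types; the rule that an attempt without perTryTimeout may run until the route deadline follows Envoy's documented per_try_timeout default. The three routes in main are constructed inputs: the example from the release note, a route whose retry budget exceeds its deadline, and a route with an empty timeoutPolicy.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed Go shapes mirroring the timeoutPolicy and retryPolicy keys of an
// IngressRoute route; they are not Contour's own types.
type TimeoutPolicy struct {
	Request string // e.g. "1s"; empty means no deadline (infinite)
}

type RetryPolicy struct {
	Count         int    // number of retries; 1 when unset
	PerTryTimeout string // e.g. "150ms"; empty means an attempt may run until the route deadline
}

type Route struct {
	Match         string
	TimeoutPolicy *TimeoutPolicy
	RetryPolicy   *RetryPolicy
}

// EnvoyDefaultTimeout is Envoy's default route timeout when no timeoutPolicy is set.
const EnvoyDefaultTimeout = 15 * time.Second

// EffectiveRequestTimeout returns the deadline Envoy enforces for the route and
// whether that deadline is finite.
func EffectiveRequestTimeout(r Route) (time.Duration, bool, error) {
	if r.TimeoutPolicy == nil {
		return EnvoyDefaultTimeout, true, nil
	}
	if r.TimeoutPolicy.Request == "" {
		return 0, false, nil // timeoutPolicy present without request: infinite
	}
	d, err := time.ParseDuration(r.TimeoutPolicy.Request)
	if err != nil {
		return 0, false, fmt.Errorf("timeoutPolicy.request %q: %v", r.TimeoutPolicy.Request, err)
	}
	return d, true, nil
}

// LintRoute returns the findings a reviewer would raise before applying the route.
func LintRoute(r Route) []string {
	var findings []string
	total, finite, err := EffectiveRequestTimeout(r)
	if err != nil {
		return []string{err.Error()}
	}
	if !finite {
		findings = append(findings, "timeoutPolicy has no request key: the route has no deadline, so a stalled backend holds Envoy resources for as long as the client waits")
	}
	if r.RetryPolicy == nil {
		return findings
	}
	count := r.RetryPolicy.Count
	if count <= 0 {
		count = 1
	}
	if r.RetryPolicy.PerTryTimeout == "" {
		return append(findings, "retryPolicy has no perTryTimeout: each attempt may run until the route deadline, so a hung first attempt leaves no time for retries")
	}
	perTry, err := time.ParseDuration(r.RetryPolicy.PerTryTimeout)
	if err != nil {
		return append(findings, fmt.Sprintf("retryPolicy.perTryTimeout %q: %v", r.RetryPolicy.PerTryTimeout, err))
	}
	// One initial attempt plus count retries, each bounded by perTryTimeout.
	budget := time.Duration(count+1) * perTry
	if finite && budget > total {
		findings = append(findings, fmt.Sprintf("retry budget %v ((%d+1) x %v) exceeds timeoutPolicy.request %v: the later retries are cut off by the route deadline", budget, count, perTry, total))
	}
	return findings
}

func main() {
	// Constructed inputs for the example.
	routes := map[string]Route{
		"release-note example":    {Match: "/", TimeoutPolicy: &TimeoutPolicy{Request: "1s"}, RetryPolicy: &RetryPolicy{Count: 3, PerTryTimeout: "150ms"}},
		"retries exceed deadline": {Match: "/", TimeoutPolicy: &TimeoutPolicy{Request: "500ms"}, RetryPolicy: &RetryPolicy{Count: 3, PerTryTimeout: "200ms"}},
		"no deadline":             {Match: "/", TimeoutPolicy: &TimeoutPolicy{}},
	}
	for name, r := range routes {
		findings := LintRoute(r)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The release-note example passes cleanly: four attempts of 150ms fit inside the 1s deadline. The second route would silently lose its last retry, and the third has no deadline at all.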

See the design document and the IngressRoute documentation for more information.

Thanks to @rohandvora, @prasoontelang and @stevesloka.

Verification of TLS enabled backends

Contour 0.11 added support for enabling TLS communication between Envoy and backend services. Contour 0.12 adds the ability to verify that the backend pod Envoy communicates with is who it says it is. This is achieved in three steps.

  1. The backend Service must use TLS to communicate with Envoy. This is enabled with the contour.heptio.com/upstream-protocol.tls annotation on the Service document, whose value lists the port name(s) or number(s) that speak TLS, e.g. contour.heptio.com/upstream-protocol.tls: "8443".
  2. The certificate of the authority that issued the backend service's TLS certificate (the CA certificate, never the CA private key) is placed in a Secret in the same namespace as the IngressRoute and the Service, under the ca.crt data key that Contour reads, e.g.
% kubectl create secret generic my-certificate-authority --from-file=ca.crt=./ca.crt
  3. A validation block is added to each service in the matching route:
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: secure-backend
spec:
  virtualhost:
    fqdn: www.example.com
  routes:
    - match: /
      services:
        - name: service
          port: 8443
          validation:
            caSecret: my-certificate-authority
            subjectName: backend.example.com

Both the caSecret and subjectName keys are required: the CA alone would accept any certificate it has ever issued, and the name alone would accept a certificate from any issuer.
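What Envoy ends up checking for steps 1 to 3, as an added Go example that is not Contour's or Envoy's code: a throwaway CA and backend certificates are generated in memory (all constructed for the example), the CA is loaded the way a ca.crt secret value is, and the backend certificate is verified both for its chain and for the configured subjectName. The "rogue CA" and the function names are assumptions of this example. KeyPEM and TrustPoolFromSecret together show why the secret must hold the CA certificate rather than its private key: a PEM private key contains no CERTIFICATE block and so produces no trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mustCert turns the result of x509.CreateCertificate into a parsed certificate.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewCA creates a throwaway self-signed CA (constructed for this example).
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// IssueServerCert issues the backend pod's certificate for dnsName, signed by ca.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// CertPEM is the content that belongs under ca.crt in the caSecret.
func CertPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// KeyPEM is what lands in the Secret if the CA's private key is uploaded by mistake.
func KeyPEM(k *ecdsa.PrivateKey) []byte {
	der, err := x509.MarshalECPrivateKey(k)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

// TrustPoolFromSecret builds the trust store from the caSecret bytes; ok is false
// when no CERTIFICATE block is present (a private key yields no trust anchor).
func TrustPoolFromSecret(data []byte) (pool *x509.CertPool, ok bool) {
	pool = x509.NewCertPool()
	return pool, pool.AppendCertsFromPEM(data)
}

// VerifyUpstream performs the two checks Envoy is configured for: chain to the
// CA from caSecret and match subjectName against the certificate's SANs.
func VerifyUpstream(pool *x509.CertPool, leaf *x509.Certificate, subjectName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: subjectName})
	return err
}

// Scenarios reports whether verification succeeds for each constructed case.
func Scenarios() map[string]bool {
	ca, caKey := NewCA("example CA")
	rogueCA, rogueKey := NewCA("rogue CA") // an attacker-run CA; its name is irrelevant, its key is not trusted
	pool, _ := TrustPoolFromSecret(CertPEM(ca))
	name := "backend.example.com"
	return map[string]bool{
		"trusted CA, matching subjectName": VerifyUpstream(pool, IssueServerCert(ca, caKey, name), name) == nil,
		"trusted CA, wrong subjectName":    VerifyUpstream(pool, IssueServerCert(ca, caKey, "other.example.com"), name) == nil,
		"matching name, untrusted CA":      VerifyUpstream(pool, IssueServerCert(rogueCA, rogueKey, name), name) == nil,
	}
}
```

Only the first scenario verifies. The second is a pod that holds a legitimate certificate from the right CA but for a different name, the third a certificate with the right name from a CA Envoy was never told to trust; both are exactly the substitutions caSecret and subjectName are meant to reject.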

See the design document and the ingressroute documentation for more information.

Thanks again to @stevesloka.

SDS xDS API

While not directly user facing, Contour 0.12 adds support for Envoy's Secret Discovery Service (SDS) API.

In the future, SDS support will help reduce the number of configuration changes sent from Contour to Envoy, and will enable secure communication between Contour and Envoy.

Thanks to @vaamarnath and Matt Alberts. Fixes #898.

AES128-* and AES256-* removed from permitted ciphers list

Contour no longer offers cipher suites matching AES128-* or AES256-*, as they are considered weak: in OpenSSL naming these are the suites that use static RSA key exchange and therefore provide no forward secrecy. This improves the SSL Labs score for hosts secured by Contour.

See #1011 for more details

Thanks @yob

Sample grafana dashboard

The Contour distribution now includes a set of predefined Grafana dashboards. See deployment/grafana and deployment/prometheus for more information.

Thanks @stevesloka, @alexbrand and @rata.

Other improvements

  • regenerate CRDs. Thanks @unicell. Fixes #993.
  • force glog to write to stderr. Thanks @unicell. Updates #959
  • copy edit documentation. Thanks @lostllama.
  • fix issues regenerating CRDs after the switch to go modules. Thanks @glerchundi. Fixes #996
  • Contour now reports how many pending changes have been queued by the holdoff notifier. Thanks Matt Alberts.

Upgrading

  • Contour 0.12 requires Envoy 1.9.1.
    docker.io/envoyproxy/envoy:v1.9.1
    
    Previous versions of Envoy are not compatible with the configuration generated by Contour 0.12. If Envoy fails to start after upgrading Contour to 0.12 with an error similar to the following, you have not upgraded Envoy to 1.9.1 (normalize_path, the field it rejects, is an Envoy 1.9 addition to the HTTP connection manager):
    [2019-04-08 01:54:58.396][000001][critical][main] [source/server/server.cc:86] error initializing configuration '/config/contour.json': Unable to parse JSON as proto (INVALID_ARGUMENT:normalize_path: Cannot find field.): {"codec_type":"AUTO","http_filters":[{"name":"envoy.health_check","config":{"headers":[{"name":":path","exact_match":"/healthz"}],"pass_through_mode":"false"}},{"name":"envoy.router"}],"stat_prefix":"stats","normalize_path":true,"route_config":{"virtual_hosts":{"routes":[{"match":{"prefix":"/stats"},"route":{"cluster":"service_stats"}}],"domains":["*"],"name":"backend"}}}
    [2019-04-08 01:54:58.397][000001][info][main] [source/server/server.cc:507] exiting
    
    Versions of Envoy later than 1.9.1 are not tested and not guaranteed to work with Contour 0.12.0.