Contour v0.14.0
VMware is proud to present version 0.14 of Contour, our Envoy powered Kubernetes Ingress Controller.
As always, without the help of the many community contributors this release would not have been possible. Thank you!
New and improved
Contour 0.14 includes several new features as well as the usual smattering of fixes and minor improvements.
Secure, authenticated communication between Envoy and Contour
Historically, the privacy and security of the communication between Envoy and Contour were handled by deploying both containers in the same pod, with traffic passing over the loopback interface. However, this is not the only way in which Envoy and Contour can be deployed.
For example, administrators may wish to deploy Envoy in a DaemonSet independent from Contour's Deployment. In this mode the communication between Envoy and Contour did not (until 0.14) require authentication and any process that knew the address of Contour's xDS endpoint could connect and ask for configuration as if it were Envoy.
Contour 0.14 adds the ability to secure the communication between Contour and Envoy and to authenticate the clients connecting to a Contour server using SSL client certificate authentication (sometimes referred to as mTLS).
For more information please refer to the Generating example gRPC TLS certificates documentation and the design document.
Fixes #862. Thanks @youngnick.
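The server-side check this feature relies on, as an added example that is not Contour's code: a plain TLS listener stands in for the xDS gRPC endpoint and completes the handshake only for a client presenting a certificate signed by the trusted CA. The issue and Demo helpers and all certificate names are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (constructed helper) makes a one-hour certificate for cn; a nil ca yields a self-signed CA.
func issue(cn string, serial int64, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: ca == nil, BasicConstraintsValid: true}
	if ca == nil { // no issuer given: sign with our own key
		t.KeyUsage, ca = x509.KeyUsageCertSign, &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca.Leaf, pub, ca.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Demo reports whether the server's handshake accepted three clients: CA-signed, no certificate, other CA.
func Demo() (signed, anonymous, foreign bool) {
	ca, other := issue("constructed-ca", 1, nil), issue("untrusted-ca", 1, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{issue("contour", 2, &ca)},
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}) // reject clients without a CA-signed cert
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	try := func(certs ...tls.Certificate) bool {
		go tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "contour", Certificates: certs})
		conn, err := ln.Accept() // demo only: sockets are left for process exit to reclaim
		return err == nil && conn.(*tls.Conn).Handshake() == nil
	}
	return try(issue("envoy", 3, &ca)), try(), try(issue("envoy", 2, &other))
}

func main() { fmt.Println(Demo()) }
```

It prints true false false: only the client holding a certificate from the trusted CA completes the handshake.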
Split Contour deployment and Envoy daemonset
Following from the previous enhancement, the ds-hostnet-split example has been enhanced to use mTLS between Envoy and Contour.
This is accomplished via a one shot Job which will generate the CA and certificate material.
For more information refer to the Contour Deployment with Split Pods documentation and the /examples/ds-hostnet-split sample YAML.
Fixes #881. Thanks @youngnick.
Some contour serve configuration can be supplied via configuration file
In order to support new configuration options for logging in 0.15, contour serve now takes a -c config.json flag.
Fixes #1130
Other improvements
- Contour no longer creates a broken route if the backend service is missing. Fixes #520. Thanks @stevesloka.
- The sample Grafana graph now reports latency metrics in seconds and not milliseconds. Thanks @mwhittington21.
- Documentation for minikube and kind has been updated. Thanks @stevesloka.
- glog has finally been expunged from Contour's dependency list along with the horrible hacks it required. Good riddance.
- Contour is now built with Go 1.12.7.
Bugs fixed
- Contour no longer permits * in the spec.virtualhost.fqdn as * has a special meaning to Envoy which we did not intend to expose. Fixes #1167. Thanks @odacremolbap.
- A bug which caused Contour to continually send updates to Envoy when an invalid secret was referenced from an Ingress or IngressRoute record has been fixed. Fixes #1206. Thanks @stevesloka.
Upgrading
- The --envoy-external-http-port and --envoy-external-https-port flags have been removed in 0.14.0. There is no replacement; the flags are no longer required and must be removed from your deployment YAML.
- Contour 0.14 requires Envoy 1.10.0.
We're aware of the recent release of Envoy 1.11.0, however as Contour 0.14 does not contain any code to activate new features in Envoy 1.11.0 we have opted to stay on Envoy 1.10.0 for Contour 0.14. Upgrading to Envoy 1.11.0 will happen during the Contour 0.15 cycle. See #1242 for more information.
docker.io/envoyproxy/envoy:v1.10.0
Versions of Envoy later than 1.10.0 are not tested and not guaranteed to work with Contour 0.14.0.