After several months hard work we are proud to bring you Contour 0.6.0.
New in this release
Here is a brief overview of the changes since Contour 0.5.0.
IngressRoute beta v1
The Ingress object was added to Kubernetes in version 1.1 to describe properties of a cluster-wide reverse HTTP proxy.
Since that time, the Ingress object has not progressed beyond the beta stage, and its stagnation inspired an explosion of annotations to express missing properties of HTTP routing.
The goal of the
IngressRoute Custom Resource Definition (CRD) is to expand upon the functionality of the Ingress API to allow for a richer user experience as well as solve shortcomings in the original design.
Key IngressRoute Benefits
- Safely supports multi-team Kubernetes clusters, with the ability to limit which Namespaces may configure virtual hosts and TLS credentials.
- Enables delegation of routing configuration for a path or domain to another Namespace.
- Accepts multiple services within a single route and load balances traffic across them.
- Natively allows defining service weighting and load balancing strategy without annotations.
- Validation of IngressRoute objects at creation time and status reporting for post-creation validity.
See docs/ingressroute.md for more details.
Rewritten Kubernetes to Envoy translator
Contour 0.6 features a completely rewritten Kubernetes to Envoy translation layer.
The translation layer was rewritten to support the new Ingressroute object alongside the current Ingress object.
The new translation layer works by constructing an in memory graph of the relationships between various Kubernetes API objects then uses this graph to produce the various xDS data sets required for Envoy.
In doing so a number of long standing issues where Clusters were duplicated or Services present in the Envoy configuration without matching routes have been resolved.
Additionally the new translator adds a short delay between sending updates to Envoy.
This delay allows multiple Kubernetes events to be coalesced into a single Envoy update which, while reducing the overhead of high update rates, should also avoid presenting temporarily incomplete configurations to Envoy.
The hold-off delay is currently no greater than 200ms after each update.
If updates have been continually delayed, say by a constant stream of messages, Envoy will receive an update from Contour at least once per second.
A new annotation,
contour.heptio.com/websocket-routes allows Ingress authors to denote which paths in their Ingress object should be treated as Websocket enabled.
For example, this Ingress fragment:
apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: contour.heptio.com/websocket-routes: "/ws1,/ws2" spec: rules: - host: example.com http: paths: - path: / backend: serviceName: www servicePort: 8080 - path: /ws1 backend: serviceName: websocket servicePort: 8080 - path: /ws2 backend: serviceName: www servicePort: 8080
Indicates that the Services referenced by paths
/ws2 should be treated according to the Websocket protocol.
xDS filers are now supported
The xDS protocol supports watching only a specific set of resources.
This is now supported in Contour 0.6 and significantly reduces the amount of data transmitted between Contour and Envoy in response to changes in the Kubernetes API.
contour cli now supports an additional fourth parameter to allow the caller to watch a subset of resources.
TLS minimum protocol version annotation
Contour supports a new Service annotation,
contour.heptio.com/tls-minimum-protocol-version which is used to raise the minimum TLS version that will be used to communicate between Envoy and the Kubernetes Service.
By default, TLS version 1.1 will be used.
Thanks to @zxvdr.
- Contour now uses client-go 1.10.
- Contour exposes a
/debug/pprofendpoint for use with
go tool pprof. See the troubleshooting documentation for more information.
- HTTP and HTTPS access logs can now be redirected to an arbitrary file. Thanks @zxvdr. Fixes #333.
contour.heptio.com/upstream-protocol.h2cannotation is now supported.
- Contour now accepts HTTP/1.1 requests with
Host:headers that contain a trailing
:443port number. Thanks to @mattalberts. Fixes #390.
- Contour now exports Prometheus metrics on port :8001.
- Documentation for deploying Contour on clusters that are not RBAC enabled has been removed.
- The Contour docker image has been rebased to Alpine 3.8.