Heptio Contour v0.6.0 is out


#1

Contour 0.6.0

After several months hard work we are proud to bring you Contour 0.6.0.

New in this release

Here is a brief overview of the changes since Contour 0.5.0.

IngressRoute beta v1

The Ingress object was added to Kubernetes in version 1.1 to describe properties of a cluster-wide reverse HTTP proxy.
Since that time, the Ingress object has not progressed beyond the beta stage, and its stagnation inspired an explosion of annotations to express missing properties of HTTP routing.

The goal of the IngressRoute Custom Resource Definition (CRD) is to expand upon the functionality of the Ingress API to allow for a richer user experience as well as solve shortcomings in the original design.

Key IngressRoute Benefits

  • Safely supports multi-team Kubernetes clusters, with the ability to limit which Namespaces may configure virtual hosts and TLS credentials.
  • Enables delegation of routing configuration for a path or domain to another Namespace.
  • Accepts multiple services within a single route and load balances traffic across them.
  • Natively allows defining service weighting and load balancing strategy without annotations.
  • Validation of IngressRoute objects at creation time and status reporting for post-creation validity.

See docs/ingressroute.md for more details.

Huge thanks to @stevesloka and @alexbrand who lead this work.

Rewritten Kubernetes to Envoy translator

Contour 0.6 features a completely rewritten Kubernetes to Envoy translation layer.
The translation layer was rewritten to support the new Ingressroute object alongside the current Ingress object.
The new translation layer works by constructing an in memory graph of the relationships between various Kubernetes API objects then uses this graph to produce the various xDS data sets required for Envoy.
In doing so a number of long standing issues where Clusters were duplicated or Services present in the Envoy configuration without matching routes have been resolved.

Additionally the new translator adds a short delay between sending updates to Envoy.
This delay allows multiple Kubernetes events to be coalesced into a single Envoy update which, while reducing the overhead of high update rates, should also avoid presenting temporarily incomplete configurations to Envoy.
The hold-off delay is currently no greater than 200ms after each update.
If updates have been continually delayed, say by a constant stream of messages, Envoy will receive an update from Contour at least once per second.

Websocket support

A new annotation, contour.heptio.com/websocket-routes allows Ingress authors to denote which paths in their Ingress object should be treated as Websocket enabled.
For example, this Ingress fragment:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    contour.heptio.com/websocket-routes: "/ws1,/ws2"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: www
          servicePort: 8080
      - path: /ws1
        backend: 
          serviceName: websocket
          servicePort: 8080
      - path: /ws2
        backend:
          serviceName: www
          servicePort: 8080

Indicates that the Services referenced by paths /ws1 and /ws2 should be treated according to the Websocket protocol.
Thanks @glerchundi.

xDS filers are now supported

The xDS protocol supports watching only a specific set of resources.
This is now supported in Contour 0.6 and significantly reduces the amount of data transmitted between Contour and Envoy in response to changes in the Kubernetes API.

In addition, contour cli now supports an additional fourth parameter to allow the caller to watch a subset of resources.

Fixes #316

TLS minimum protocol version annotation

Contour supports a new Service annotation, contour.heptio.com/tls-minimum-protocol-version which is used to raise the minimum TLS version that will be used to communicate between Envoy and the Kubernetes Service.
By default, TLS version 1.1 will be used.

Thanks to @zxvdr.

Minor improvements

  • Contour now uses client-go 1.10.
  • Contour exposes a /debug/pprof endpoint for use with go tool pprof. See the troubleshooting documentation for more information.
  • HTTP and HTTPS access logs can now be redirected to an arbitrary file. Thanks @zxvdr. Fixes #333.
  • contour.heptio.com/upstream-protocol.h2c annotation is now supported.
  • Contour now accepts HTTP/1.1 requests with Host: headers that contain a trailing :80 or :443 port number. Thanks to @mattalberts. Fixes #390.
  • Contour now exports Prometheus metrics on port :8001.
  • Documentation for deploying Contour on clusters that are not RBAC enabled has been removed.
  • The Contour docker image has been rebased to Alpine 3.8.