changelogs/CHANGELOG-v1.19.0.md
We are delighted to present version 1.19.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
Moves the Envoy admin interface to a Unix socket and creates a new Envoy listener that exposes read-only information from the Envoy admin page over port 9001 (by default).
This change helps to mitigate a Contour CVE which could allow an ExternalName service to serve the Envoy admin interface when not desired.
Also updates shutdown-manager to use the new Unix socket to begin the Envoy draining procedure.
Enables setting headers on all routes of Ingress objects by allowing headers to be configured in the Contour config (PolicyConfig) and applied to Ingress objects with applyToIngress: true.
Example:
```yaml
policy:
  # Default headers to set on all requests
  request-headers:
    set:
      # Quoted because a plain YAML scalar cannot begin with '%'
      X-Envoy-Hostname: "%HOSTNAME%"
  applyToIngress: true
```
Starts pushing container images to GHCR in addition to Docker Hub. Images will be pushed to both registries for a period of time, until the Docker Hub push is removed.
Going forward, the examples & quickstart will utilize the GHCR registry with images like: ghcr.io/projectcontour/contour.
Envoy no longer needs to run as root and instead runs as nobody.
The shutdown-ready file path is now configurable: setting the --ready-file flag on the shutdown-manager lets users optionally choose a path that is writable.
Contour now enables users to customize attributes on HTTP Set-Cookie response headers.
Application specific cookies and cookies generated by Contour's "cookie" load balancing strategy can be rewritten either per HTTPProxy Route or Service.
Users can currently choose to rewrite the Path, Domain, Secure, and SameSite attributes of the Set-Cookie header.
An application may not be able to set these attributes accurately without prior knowledge of how it is deployed.
For example, if Contour is in use to rewrite the path or hostname of a request before it reaches an application backend, the application may not be able to accurately set the Path and Domain attributes in a Set-Cookie response header.
This feature can be used to apply security settings to ensure browsers treat generated cookies appropriately.
The SameSite and Secure attributes are currently not set by Envoy when it generates the X-Contour-Session-Affinity cookie, but with this feature, users can customize this cookie further.
Future iterations of this feature may provide cookie rewriting configuration directly as part of the cookie load balancing strategy configuration.
Some more documentation and example configuration can be found here. Also see Contour's CRD API reference for more details.
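The cookie rewriting described above, as an added example that is not part of the original changelog: an HTTPProxy that adds Secure and SameSite to the Envoy-generated X-Contour-Session-Affinity cookie and corrects Path and Domain on an application cookie. The proxy name, FQDN, TLS secret, backend service and the app-session cookie name are hypothetical.

```yaml
# Added example; session-hardening, app.example.com, app-tls, app-backend
# and app-session are hypothetical names.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: session-hardening
  namespace: default
spec:
  virtualhost:
    fqdn: app.example.com
    tls:
      # Browsers only send Secure cookies over HTTPS, so the vhost needs TLS.
      secretName: app-tls
  routes:
  - conditions:
    - prefix: /
    # Cookie session affinity: Envoy generates X-Contour-Session-Affinity
    # without the Secure or SameSite attributes.
    loadBalancerPolicy:
      strategy: Cookie
    services:
    - name: app-backend
      port: 8080
    # Route-level policies, applied to Set-Cookie headers on responses
    # for this route.
    cookieRewritePolicies:
    # Harden the generated session affinity cookie.
    - name: X-Contour-Session-Affinity
      secure: true
      sameSite: Strict
    # Application cookie: the backend cannot know the external path or
    # hostname, so Path and Domain are rewritten at the proxy.
    - name: app-session
      pathRewrite:
        value: /
      domainRewrite:
        value: app.example.com
      secure: true
      sameSite: Lax
```

After this is applied, Set-Cookie headers for the two named cookies on responses through this route should carry the rewritten attributes; cookies with other names are left unchanged.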
Contour uses a set of flags on the contour serve command, as well as a configuration file stored in a Kubernetes ConfigMap, for further configuration of Contour & Envoy.
It has been difficult to manage the contents of that file (e.g. YAML in a ConfigMap), and there has been no way of properly validating that configuration, so Contour has introduced a new ContourConfiguration CRD which refactors the current config file along with any missing flags into a new object.
This new config is in an Alpha state while we verify the format of the configuration file along with its validation.
Contour will continue to support the current configuration file for some time, but looking ahead to the roadmap, ContourConfiguration will be the new way to configure Contour.
Additional details around the design of this change can be read in the design doc: https://github.com/projectcontour/contour/blob/main/design/configuration-crd.md
Contour now requires:
Add support for weighted ForwardTos in TLSRoute rules. Per spec, weights default to 1 if unspecified, and weights of 0 mean no traffic is forwarded to the backend.
Adds alt tags for better web accessibility.
Thanks @johnnycase for contributing this!
Adds site formatting for projectcontour.io to have new "warning", "note", "info", and "tip" notices.
Thanks @gary-tai for contributing this!
Updates the security process should a new security advisory be discovered with Contour.
Adds a Security document outlining Contour's threat model and how to report security issues.
Updates Go modules, KinD images, and kubectl version to support Kubernetes 1.22.
Updates the Code of Conduct to use the CNCF template.
Thanks @mzrithm for contributing this!
Please consult the upgrade documentation.
Contour v1.19.0 is tested against Kubernetes 1.20 through 1.22.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.