changelogs/CHANGELOG-v1.31.0.md
We are delighted to present version v1.31.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
A big thank you to everyone who contributed to the release.
Global external authorization can now be disabled by default and enabled by overriding the vhost and route level auth policies.
This is achieved by setting globalExtAuth.authPolicy.disabled to true in the configuration file or the ContourConfiguration CRD, and setting authPolicy.disabled to false in the vhost- and route-level auth policies that should opt in.
The final authorization state is determined by the most specific policy applied at the route level.
When external authorization is enabled, no authorization check will be performed for HTTP to HTTPS redirection. Previously, external authorization was checked before redirection, which could result in a 401 Unauthorized error instead of a 301 Moved Permanently status code.
(#6661, @SamMHD)
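The default-off / opt-in pattern described above, as an added example that is not part of the release notes or the project's own manifests: the ContourConfiguration wires up a global ExtensionService but disables it by default, and one HTTPProxy route re-enables it. The ExtensionService reference (projectcontour-auth/htpasswd), host name, TLS secret and backend service names are placeholders.

```yaml
# Added example (not from the release): global external authorization is
# configured but disabled by default; a single route opts back in.
apiVersion: projectcontour.io/v1alpha1
kind: ContourConfiguration
metadata:
  name: contour
  namespace: projectcontour
spec:
  globalExtAuth:
    extensionService: projectcontour-auth/htpasswd   # placeholder ExtensionService (namespace/name)
    failOpen: false                                  # fail closed if the auth server is unreachable
    authPolicy:
      disabled: true                                 # new in v1.31.0: off unless a vhost/route opts in
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example
  namespace: default
spec:
  virtualhost:
    fqdn: example.local                              # placeholder host
    tls:
      secretName: example-tls                        # placeholder TLS secret
  routes:
  - conditions:
    - prefix: /admin
    services:
    - name: admin-backend                            # placeholder service
      port: 80
    authPolicy:
      disabled: false    # most specific policy wins: only this route is checked by the auth server
  - conditions:
    - prefix: /
    services:
    - name: public-backend                           # placeholder service
      port: 80           # inherits the global default: no external auth check
```

Requests to /admin are sent to the ExtensionService before routing; every other path on the vhost bypasses it, so review route prefixes carefully when the global default is disabled.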
Introduces an envoy bootstrap flag to enable the global downstream connection limit overload manager resource monitors.
The new integer flag, --overload-downstream-max-conn, is passed to the contour bootstrap subcommand.
```
contour bootstrap --help
INFO[0000] maxprocs: Leaving GOMAXPROCS=10: CPU quota undefined
usage: contour bootstrap [<flags>] <path>
Generate bootstrap configuration.
Flags:
-h, --[no-]help Show context-sensitive help (also try --help-long and --help-man).
--log-format=text Log output format for Contour. Either text or json.
--admin-address="/admin/admin.sock"
Path to Envoy admin unix domain socket.
--admin-port=ADMIN-PORT DEPRECATED: Envoy admin interface port.
--dns-lookup-family=DNS-LOOKUP-FAMILY
Defines what DNS Resolution Policy to use for Envoy -> Contour cluster name lookup. Either v4, v6, auto, or all.
--envoy-cafile=ENVOY-CAFILE
CA Filename for Envoy secure xDS gRPC communication. ($ENVOY_CAFILE)
--envoy-cert-file=ENVOY-CERT-FILE
Client certificate filename for Envoy secure xDS gRPC communication. ($ENVOY_CERT_FILE)
--envoy-key-file=ENVOY-KEY-FILE
Client key filename for Envoy secure xDS gRPC communication. ($ENVOY_KEY_FILE)
--namespace="projectcontour"
The namespace the Envoy container will run in. ($CONTOUR_NAMESPACE)
--overload-downstream-max-conn=OVERLOAD-DOWNSTREAM-MAX-CONN
Defines the Envoy global downstream connection limit
--overload-max-heap=OVERLOAD-MAX-HEAP
Defines the maximum heap size in bytes until overload manager stops accepting new connections.
--resources-dir=RESOURCES-DIR
Directory where configuration files will be written to.
--xds-address=XDS-ADDRESS xDS gRPC API address.
--xds-port=XDS-PORT xDS gRPC API port.
--xds-resource-version="v3"
The versions of the xDS resources to request from Contour.
Args:
<path> Configuration file ('-' for standard output).
```
As part of this change, the ignore_global_conn_limit flag is also set to true on the existing admin listeners, so that Envoy remains live, ready, and serving stats even while it is rejecting downstream connections.
To add some flexibility for health checks, in addition to the new bootstrap flag, there is a new configuration option in the Envoy health config to enforce the Envoy overload manager actions, namely rejecting requests. This "advanced" configuration gives the operator the ability to configure readiness and liveness so that overloaded pods are taken out of the pool of pods that can serve traffic.
(#6794, @seth-epps)
Gateway API CRD compatibility has been updated to release v1.2.1.
Full release notes for Gateway API v1.2.0 can be found here, and v1.2.1 here.
compression.algorithm field in the configuration file or the spec.envoy.listener.compression.algorithm field in the ContourConfiguration CRD. The available values are gzip (default), brotli, zstd, and disabled. (#6546, @chaosbox)
--watch-namespaces flag. (#6614, @tsaarni)
reset-before-request, envoy-ratelimited and http3-post-connect-failure for httpproxy.spec.routes.retryPolicy.retryOn; see the Envoy documentation for more details. (#6772, @tsaarni)
HTTPProxy.spec.routes.requestRedirectPolicy.statusCode now supports 303, 307 and 308 redirect status codes in addition to 301 and 302. (#6789, @billyjs)
strip-trailing-host-dot, which defines whether the trailing dot of the host should be removed from the host/authority header before any processing of the request by HTTP filters or routing. (#6792, @saley89)
contour xDS server are removed
Contour now uses a go-control-plane-based xDS server.
The legacy contour xDS server that pre-dates go-control-plane has been removed.
Since there is now only one supported xDS server, the config fields for selecting an xDS server implementation have been removed.
(#6568, @skriss)
As of v1.29.0, Contour has used the Kubernetes EndpointSlices API by default to determine the endpoints to configure Envoy with, instead of the Endpoints API.
The Endpoints API is also deprecated in upstream Kubernetes as of v1.33 (see announcement here).
EndpointSlice support is now stable in Contour and the remaining Endpoint handling code, along with the associated useEndpointSlices feature flag, has been removed.
This should be a no-op change for most users, only affecting those that opted into continuing to use the Endpoints API and possibly also disabled EndpointSlice mirroring of Endpoints.
(#7008, @sunjayBhatia)
For a fresh install of Contour, consult the getting started documentation.
To upgrade an existing Contour installation, please consult the upgrade documentation.
Contour v1.31.0 is tested against Kubernetes 1.30 through 1.32.
We’re immensely grateful for all the community contributions that help make Contour even better! For this release, special thanks go out to the following contributors:
If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.