This morning we released a new version of Heptio Contour, Contour 0.3. As a refresher, Contour is an ingress controller for Kubernetes that makes it easy to deploy and manage Envoy as an incoming load balancer.

As the previous Contour release was way back in November 2017, we wanted to take a little time to introduce you to the new features of Contour 0.3.

Contour now supports TLS

This is the big feature we’ve been working on since November. Contour now supports HTTPS ingress objects using TLS.

TLS support is enabled by adding the TLS stanza to your Ingress object along with the hostname that matches your web site’s SSL certificate, and the name of the secret object that contains the TLS certificate.

A full example of serving a secure website using TLS would look something like this:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: heptio
  namespace: default
  annotations:
    # Redirect plain HTTP requests to the HTTPS version of the site.
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  rules:
  - host: heptio.com
    http:
      paths:
      - backend:
          serviceName: website
          servicePort: 8080
  tls:
  # The host must match the certificate stored in the named secret.
  - hosts:
    - heptio.com
    secretName: heptio-ssl-cert
```

We’ve also added support for some of the popular HTTPS-related annotations, like kubernetes.io/ingress.allow-http: "false", which removes the ingress configuration from port 80, and ingress.kubernetes.io/force-ssl-redirect: "true", which sends an unconditional 301 redirect to the HTTPS version of your site.

We’re continuing to add support for more popular annotations in Contour 0.4 and beyond.
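As an added example (not part of Contour or of the original post), the following check audits one Ingress object, supplied as JSON, for the settings described above: every rule host listed in a tls entry with a secretName, and port 80 either removed or redirected. Exact host matching is an assumption of this sketch, and the host shop.example.com is constructed sample data.

```python
import json

ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
FORCE_SSL = "ingress.kubernetes.io/force-ssl-redirect"

def audit_ingress(ing):
    """Return a list of findings for one Ingress object parsed from JSON."""
    spec = ing.get("spec", {})
    ann = ing.get("metadata", {}).get("annotations") or {}
    findings = []

    # Hosts that have a certificate secret attached through the tls stanza.
    covered = set()
    for entry in spec.get("tls") or []:
        if not entry.get("secretName"):
            findings.append("tls entry %s has no secretName" % entry.get("hosts"))
            continue
        covered.update(entry.get("hosts") or [])

    # Every rule host should be listed in a tls entry (exact match assumed).
    for rule in spec.get("rules") or []:
        host = rule.get("host", "*")
        if host not in covered:
            findings.append("host %s has no TLS certificate" % host)

    # With TLS on, port 80 should be removed or redirected to HTTPS.
    http_off = ann.get(ALLOW_HTTP) == "false"
    redirect = ann.get(FORCE_SSL) == "true"
    if covered and not (http_off or redirect):
        findings.append("port 80 still serves plaintext HTTP")
    return findings

# Constructed input: the manifest from this post, as JSON.
GOOD = json.loads("""{
 "metadata": {"name": "heptio", "namespace": "default",
  "annotations": {"ingress.kubernetes.io/force-ssl-redirect": "true"}},
 "spec": {
  "rules": [{"host": "heptio.com", "http": {"paths": [
    {"backend": {"serviceName": "website", "servicePort": 8080}}]}}],
  "tls": [{"hosts": ["heptio.com"], "secretName": "heptio-ssl-cert"}]}}""")

# Constructed variant: annotation dropped, extra host without a certificate.
BAD = json.loads(json.dumps(GOOD))
del BAD["metadata"]["annotations"]
BAD["spec"]["rules"].append({"host": "shop.example.com"})

if __name__ == "__main__":
    for name, ing in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_ingress(ing))
```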

gRPC support is now on by default

The second big feature is that Contour now uses Envoy’s gRPC API by default. This is good news because new features in Envoy require that the management server (the role Contour plays with Envoy) supports the gRPC API.

If you have an existing Contour deployment, you can find the details of how to upgrade your manifests in the upgrading documentation. We’ve also updated the quick start examples in the README file and our deployment examples to reflect the change to enable the gRPC API.

We’re planning on removing the old REST API entirely in Contour 0.4, so you should update your manifests to use Envoy’s new YAML configuration syntax today.

Contour 0.3 is the first open source project to ship with the gRPC API and the first project to use Envoy’s TLS support.

Streaming configuration

When we added gRPC support in Contour 0.2 we said that, as well as enabling features like SNI support, it’s also more efficient. However, even though Contour 0.2 supported gRPC streaming, the streaming operation relied on a periodic timer (sorry about that, we did say it was in beta).

In Contour 0.3 this is now fixed and all polling has been removed. Changes now flow from the Kubernetes API to Contour to Envoy immediately, and only when needed. Once your cluster reaches a steady state there is no traffic flow from Contour to Envoy.

… and much more

There are lots of other smaller features that have been added to make Contour 0.3 easier to configure and use, such as the ability to configure the ports that Envoy will listen on, which should help avoid port conflicts if you’re deploying Contour using host-based networking.

You can read more about the new features and download Contour 0.3 over at the release page on GitHub.