Documentation

Introduction

Configuration

Deployment

Guides

Troubleshooting

Resources

Security

Contribute

Contour Configuration Reference

Serve Flags
Configuration File
Environment Variables
Bootstrap Config File

Overview

There are various ways to configure Contour, flags, the configuration file, as well as environment variables. Contour has a precedence of configuration for contour serve, meaning anything configured in the config file is overridden by environment vars which are overridden by cli flags.

Serve Flags

The contour serve command is the main command which is used to watch for Kubernetes resource and process them into Envoy configuration which is then streamed to any Envoy via its xDS gRPC connection. There are a number of flags that can be passed to this command which further configures how Contour operates. Many of these flags are mirrored in the Contour Configuration File.

Flag Name	Description
`--config-path`	Path to base configuration
`--contour-config-name`	Name of the ContourConfiguration resource to use
`--incluster`	Use in cluster configuration
`--kubeconfig=</path/to/file>`	Path to kubeconfig (if not in running inside a cluster)
`--xds-address=<ipaddr>`	xDS gRPC API address
`--xds-port=<port>`	xDS gRPC API port
`--stats-address=<ipaddr>`	Envoy /stats interface address
`--stats-port=<port>`	Envoy /stats interface port
`--debug-http-address=<address>`	Address the debug http endpoint will bind to.
`--debug-http-port=<port>`	Port the debug http endpoint will bind to
`--http-address=<ipaddr>`	Address the metrics HTTP endpoint will bind to
`--http-port=<port>`	Port the metrics HTTP endpoint will bind to.
`--health-address=<ipaddr>`	Address the health HTTP endpoint will bind to
`--health-port=<port>`	Port the health HTTP endpoint will bind to
`--contour-cafile=</path/to/file\|CONTOUR_CERT_FILE>`	CA bundle file name for serving gRPC with TLS
`--contour-cert-file=</path/to/file\|CONTOUR_CERT_FILE>`	Contour certificate file name for serving gRPC over TLS
`--contour-key-file=</path/to/file\|CONTOUR_KEY_FILE>`	Contour key file name for serving gRPC over TLS
`--insecure`	Allow serving without TLS secured gRPC
`--root-namespaces=<ns,ns>`	Restrict contour to searching these namespaces for root ingress routes
`--ingress-class-name=<name>`	Contour IngressClass name (comma-separated list allowed)
`--ingress-status-address=<address>`	Address to set in Ingress object status
`--envoy-http-access-log=</path/to/file>`	Envoy HTTP access log
`--envoy-https-access-log=</path/to/file>`	Envoy HTTPS access log
`--envoy-service-http-address=<ipaddr>`	Kubernetes Service address for HTTP requests
`--envoy-service-https-address=<ipaddr>`	Kubernetes Service address for HTTPS requests
`--envoy-service-http-port=<port>`	Kubernetes Service port for HTTP requests
`--envoy-service-https-port=<port>`	Kubernetes Service port for HTTPS requests
`--envoy-service-name=<name>`	Name of the Envoy service to inspect for Ingress status details.
`--envoy-service-namespace=<namespace>`	Envoy Service Namespace
`--use-proxy-protocol`	Use PROXY protocol for all listeners
`--accesslog-format=<envoy\|json>`	Format for Envoy access logs
`--disable-leader-election`	Disable leader election mechanism
`--leader-election-lease-duration`	The duration of the leadership lease.
`--leader-election-renew-deadline`	The duration leader will retry refreshing leadership before giving up.
`--leader-election-retry-period`	The interval which Contour will attempt to acquire leadership lease.
`--leader-election-resource-name`	The name of the resource (Lease) leader election will lease.
`--leader-election-resource-namespace`	The namespace of the resource (Lease) leader election will lease.
`-d, --debug`	Enable debug logging
`--kubernetes-debug=<log level>`	Enable Kubernetes client debug logging
`--log-format=<text\|json>`	Log output format for Contour. Either text (default) or json.

Configuration File

A configuration file can be passed to the --config-path argument of the contour serve command to specify additional configuration to Contour. In most deployments, this file is passed to Contour via a ConfigMap which is mounted as a volume to the Contour pod.

The Contour configuration file is optional. In its absence, Contour will operate with reasonable defaults. Where Contour settings can also be specified with command-line flags, the command-line value takes precedence over the configuration file.

Field Name	Type	Default	Description
accesslog-format	string	`envoy`	This key sets the global access log format for Envoy. Valid options are `envoy` or `json`.
accesslog-format-string	string	None	If present, this specifies custom access log format for Envoy. See Envoy documentation for more information about the syntax. This field only has effect if `accesslog-format` is `envoy`
accesslog-level	string	`info`	This field specifies the verbosity level of the access log. Valid options are `info`, `error` and `disabled`.
debug	boolean	`false`	Enables debug logging.
default-http-versions	string array	`HTTP/1.1` `HTTP/2`	This array specifies the HTTP versions that Contour should program Envoy to serve. HTTP versions are specified as strings of the form “HTTP/x”, where “x” represents the version number.
disableAllowChunkedLength	boolean	`false`	If this field is true, Contour will disable the RFC-compliant Envoy behavior to strip the `Content-Length` header if `Transfer-Encoding: chunked` is also set. This is an emergency off-switch to revert back to Envoy’s default behavior in case of failures.
disableMergeSlashes	boolean	`false`	This field disables Envoy’s non-standard
merge_slashes path transformation behavior that strips duplicate slashes from request URL paths.
disablePermitInsecure	boolean	`false`	If this field is true, Contour will ignore `PermitInsecure` field in HTTPProxy documents.
envoy-service-name	string	`envoy`	This sets the service name that will be inspected for address details to be applied to Ingress objects.
envoy-service-namespace	string	`projectcontour`	This sets the namespace of the service that will be inspected for address details to be applied to Ingress objects. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value.
ingress-status-address	string	None	If present, this specifies the address that will be copied into the Ingress status for each Ingress that Contour manages. It is exclusive with `envoy-service-name` and `envoy-service-namespace`.
incluster	boolean	`false`	This field specifies that Contour is running in a Kubernetes cluster and should use the in-cluster client access configuration.
json-fields	string array	fields	This is the list the field names to include in the JSON access log format. This field only has effect if `accesslog-format` is `json`.
kubeconfig	string	`$HOME/.kube/config`	Path to a Kubernetes kubeconfig file for when Contour is executed outside a cluster.
policy	PolicyConfig		The default policy configuration.
tls	TLS		The default TLS configuration.
timeouts	TimeoutConfig		The timeout configuration.
cluster	ClusterConfig		The cluster configuration.
network	NetworkConfig		The network configuration.
listener	ListenerConfig		The listener configuration.
server	ServerConfig		The server configuration for `contour serve` command.
gateway	GatewayConfig		The gateway-api Gateway configuration.
rateLimitService	RateLimitServiceConfig		The rate limit service configuration.
enableExternalNameService	boolean	`false`	Enable ExternalName Service processing. Enabling this has security implications. Please see the advisory for more details.
metrics	MetricsParameters		The metrics configuration

TLS Configuration

The TLS configuration block can be used to configure default values for how Contour should provision TLS hosts.

Field Name	Type	Default	Description
minimum-protocol-version	string	`1.2`	This field specifies the minimum TLS protocol version that is allowed. Valid options are `1.2` (default) and `1.3`. Any other value defaults to TLS 1.2.
fallback-certificate			Fallback certificate configuration.
envoy-client-certificate			Client certificate configuration for Envoy.
cipher-suites	[]string	See config package documentation	This field specifies the TLS ciphers to be supported by TLS listeners when negotiating TLS 1.2. This parameter should only be used by advanced users. Note that this is ignored when TLS 1.3 is in use. The set of ciphers that are allowed is a superset of those supported by default in stock, non-FIPS Envoy builds and FIPS builds as specified here. Custom ciphers not accepted by Envoy in a standard build are not supported.

Fallback Certificate

Field Name	Type	Default	Description
name	string	`""`	This field specifies the name of the Kubernetes secret to use as the fallback certificate.
namespace	string	`""`	This field specifies the namespace of the Kubernetes secret to use as the fallback certificate.

Envoy Client Certificate

Field Name	Type	Default	Description
name	string	`""`	This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service.
namespace	string	`""`	This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service.

Timeout Configuration

The timeout configuration block can be used to configure various timeouts for the proxies. All fields are optional; Contour/Envoy defaults apply if a field is not specified.

Field Name	Type	Default	Description
request-timeout	string	none*	This field specifies the default request timeout. Note that this is a timeout for the entire request, not an idle timeout. Must be a valid Go duration string, or omitted or set to `infinity` to disable the timeout entirely. See the Envoy documentation for more information. Note: A value of `0s` previously disabled this timeout entirely. This is no longer the case. Use `infinity` or omit this field to disable the timeout.
connection-idle-timeout	string	`60s`	This field defines how long the proxy should wait while there are no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating an HTTP connection. The timeout applies to downstream connections only. Must be a valid Go duration string, or `infinity` to disable the timeout entirely. See the Envoy documentation for more information.
stream-idle-timeout	string	`5m`*	This field defines how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. Must be a valid Go duration string, or `infinity` to disable the timeout entirely. See the Envoy documentation for more information.
max-connection-duration	string	none*	This field defines the maximum period of time after an HTTP connection has been established from the client to the proxy before it is closed by the proxy, regardless of whether there has been activity or not. Must be a valid Go duration string, or omitted or set to `infinity` for no max duration. See the Envoy documentation for more information.
delayed-close-timeout	string	`1s`*	Note: this is an advanced setting that should not normally need to be tuned. This field defines how long envoy will wait, once connection close processing has been initiated, for the downstream peer to close the connection before Envoy closes the socket associated with the connection. Setting this timeout to ‘infinity’ will disable it. See the Envoy documentation for more information.
connection-shutdown-grace-period	string	`5s`*	This field defines how long the proxy will wait between sending an initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. During this grace period, the proxy will continue to respond to new streams. After the final GOAWAY frame has been sent, the proxy will refuse new streams. Must be a valid Go duration string. See the Envoy documentation for more information.
connect-timeout	string	`2s`	This field defines how long the proxy will wait for the upstream connection to be established.

This is Envoy’s default setting value and is not explicitly configured by Contour.

Cluster Configuration

The cluster configuration block can be used to configure various parameters for Envoy clusters.

Field Name	Type	Default	Description
dns-lookup-family	string	auto	This field specifies the dns-lookup-family to use for upstream requests to externalName type Kubernetes services from an HTTPProxy route. Values are: `auto`, `v4,` v6`

Network Configuration

The network configuration block can be used to configure various parameters network connections.

Field Name	Type	Default	Description
num-trusted-hops	int	0	Configures the number of additional ingress proxy hops from the right side of the x-forwarded-for HTTP header to trust.
admin-port	int	9001	Configures the Envoy Admin read-only listener on Envoy. Set to `0` to disable.

Listener Configuration

The listener configuration block can be used to configure various parameters for Envoy listener.

Field Name	Type	Default	Description
connection-balancer	string	`""`	This field specifies the listener connection balancer. If the value is `exact`, the listener will use the exact connection balancer to balance connections between threads in a single Envoy process. See the Envoy documentation for more information.

Server Configuration

The server configuration block can be used to configure various settings for the contour serve command.

Field Name	Type	Default	Description
xds-server-type	string	contour	This field specifies the xDS Server to use. Options are `contour` or `envoy`.

Gateway Configuration

The gateway configuration block is used to configure which gateway-api Gateway Contour should configure:

Field Name	Type	Default	Description
controllerName	string		Gateway Class controller name (i.e. projectcontour.io/projectcontour/contour). If set, Contour will reconcile the oldest GatewayClass, and its oldest Gateway, with this controller string. Only one of `controllerName` or `gatewayRef` must be set.
gatewayRef	NamespacedName		Gateway namespace and name. If set, Contour will reconcile this specific Gateway. Only one of `controllerName` or `gatewayRef` must be set.

Gateway Ref

Field Name	Type	Default	Description
name	string	`""`	This field specifies the name of the specific Gateway to reconcile.
namespace	string	`""`	This field specifies the namespace of the specific Gateway to reconcile.

Policy Configuration

The Policy configuration block can be used to configure default policy values that are set if not overridden by the user.

The request-headers field is used to rewrite headers on a HTTP request, and the response-headers field is used to rewrite headers on a HTTP response.

Field Name	Type	Default	Description
request-headers	HeaderPolicy	none	The default request headers set or removed on all service routes if not overridden in the object
response-headers	HeaderPolicy	none	The default response headers set or removed on all service routes if not overridden in the object
applyToIngress	Boolean	false	Whether the global policy should apply to Ingress objects

HeaderPolicy

The set field sets an HTTP header value, creating it if it doesn’t already exist but not overwriting it if it does. The remove field removes an HTTP header.

Field Name	Type	Default	Description
set	map[string]string	none	Map of headers to set on all service routes if not overridden in the object
remove	[]string	none	List of headers to remove on all service routes if not overridden in the object

Note: the values of entries in the set and remove fields can be overridden in HTTPProxy objects but it is not possible to remove these entries.

Rate Limit Service Configuration

The rate limit service configuration block is used to configure an optional global rate limit service:

Field Name	Type	Default	Description
extensionService	string		This field identifies the extension service defining the rate limit service, formatted as /.
domain	string	contour	This field defines the rate limit domain value to pass to the rate limit service. Acts as a container for a set of rate limit definitions within the RLS.
failOpen	bool	false	This field defines whether to allow requests to proceed when the rate limit service fails to respond with a valid rate limit decision within the timeout defined on the extension service.
enableXRateLimitHeaders	bool	false	This field defines whether to include the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF Internet-Draft https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html), on responses to clients when the Rate Limit Service is consulted for a request.

Metrics Configuration

MetricsParameters holds configurable parameters for Contour and Envoy metrics.

Field Name	Type	Default	Description
contour	MetricsServerParameters		Metrics Server Parameters for Contour.
envoy	MetricsServerParameters		Metrics Server Parameters for Envoy.

Metrics Server Parameters

MetricsServerParameters holds configurable parameters for Contour and Envoy metrics. Metrics are served over HTTPS if server-certificate-path and server-key-path are set. Metrics and health endpoints cannot have the same port number when metrics are served over HTTPS.

Field Name	Type	Default	Description
address	string	0.0.0.0	Address that metrics server will bind to.
port	int	8000 (Contour), 8002 (Envoy)	Port that metrics server will bind to.
server-certificate-path	string	none	Optional path to the server certificate file.
server-key-path	string	none	Optional path to the server private key file.
ca-certificate-path	string	none	Optional path to the CA certificate file used to verify client certificates.

Configuration Example

The following is an example ConfigMap with configuration file included:

apiVersion: v1
kind: ConfigMap
metadata:
  name: contour
  namespace: projectcontour
data:
  contour.yaml: |
    #
    # server:
    #   determine which XDS Server implementation to utilize in Contour.
    #   xds-server-type: contour
    #
    # specify the gateway-api Gateway Contour should configure
    # gateway:
    #   controllerName: projectcontour.io/projectcontour/contour
    #
    # should contour expect to be running inside a k8s cluster
    # incluster: true
    #
    # path to kubeconfig (if not running inside a k8s cluster)
    # kubeconfig: /path/to/.kube/config
    #
    # Disable RFC-compliant behavior to strip "Content-Length" header if
    # "Tranfer-Encoding: chunked" is also set.
    # disableAllowChunkedLength: false
    # Disable HTTPProxy permitInsecure field
    disablePermitInsecure: false
    tls:
    # minimum TLS version that Contour will negotiate
    # minimum-protocol-version: "1.2"
    # TLS ciphers to be supported by Envoy TLS listeners when negotiating
    # TLS 1.2.
    # cipher-suites:
    # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
    # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
    # - 'ECDHE-ECDSA-AES256-GCM-SHA384'
    # - 'ECDHE-RSA-AES256-GCM-SHA384'
    # Defines the Kubernetes name/namespace matching a secret to use
    # as the fallback certificate when requests which don't match the
    # SNI defined for a vhost.
      fallback-certificate:
    #   name: fallback-secret-name
    #   namespace: projectcontour
      envoy-client-certificate:
    #   name: envoy-client-cert-secret-name
    #   namespace: projectcontour
    ### Logging options
    # Default setting
    accesslog-format: envoy
    # The default access log format is defined by Envoy but it can be customized by setting following variable.
    # accesslog-format-string: "...\n"
    # To enable JSON logging in Envoy
    # accesslog-format: json
    # accesslog-level: info
    # The default fields that will be logged are specified below.
    # To customise this list, just add or remove entries.
    # The canonical list is available at
    # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
    # json-fields:
    #   - "@timestamp"
    #   - "authority"
    #   - "bytes_received"
    #   - "bytes_sent"
    #   - "downstream_local_address"
    #   - "downstream_remote_address"
    #   - "duration"
    #   - "method"
    #   - "path"
    #   - "protocol"
    #   - "request_id"
    #   - "requested_server_name"
    #   - "response_code"
    #   - "response_flags"
    #   - "uber_trace_id"
    #   - "upstream_cluster"
    #   - "upstream_host"
    #   - "upstream_local_address"
    #   - "upstream_service_time"
    #   - "user_agent"
    #   - "x_forwarded_for"
    #
    # default-http-versions:
    # - "HTTP/2"
    # - "HTTP/1.1"
    #
    # The following shows the default proxy timeout settings.
    # timeouts:
    #   request-timeout: infinity
    #   connection-idle-timeout: 60s
    #   stream-idle-timeout: 5m
    #   max-connection-duration: infinity
    #   connection-shutdown-grace-period: 5s
    #
    # Envoy cluster settings.
    # cluster:
    #   configure the cluster dns lookup family
    #   valid options are: auto (default), v4, v6
    #   dns-lookup-family: auto
    #
    # network:
    #   Configure the number of additional ingress proxy hops from the
    #   right side of the x-forwarded-for HTTP header to trust.
    #   num-trusted-hops: 0
    #   Configure the port used to access the Envoy Admin interface.
    #   admin-port: 9001
    #
    # Configure an optional global rate limit service.
    # rateLimitService:
    #   Identifies the extension service defining the rate limit service,
    #   formatted as <namespace>/<name>.
    #   extensionService: projectcontour/ratelimit
    #   Defines the rate limit domain to pass to the rate limit service.
    #   Acts as a container for a set of rate limit definitions within
    #   the RLS.
    #   domain: contour
    #   Defines whether to allow requests to proceed when the rate limit
    #   service fails to respond with a valid rate limit decision within
    #   the timeout defined on the extension service.
    #   failOpen: false
    # Defines whether to include the X-RateLimit headers X-RateLimit-Limit,
    # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF
    # Internet-Draft linked below), on responses to clients when the Rate
    # Limit Service is consulted for a request.
    # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html
    #   enableXRateLimitHeaders: false
    #
    # Global Policy settings.
    # policy:
    #   # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself)
    #   request-headers:
    #     set:
    #       # example: the hostname of the Envoy instance that proxied the request
    #       X-Envoy-Hostname: %HOSTNAME%
    #       # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for
    #       l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT%
    #   # default headers to set on all responses (unless set/removed on the HTTPProxy object itself)
    #   response-headers:
    #     set:
    #       # example: Envoy flags that provide additional details about the response or connection
    #       X-Envoy-Response-Flags: %RESPONSE_FLAGS%
    #   Whether or not the policy settings should apply to ingress objects
    #   applyToIngress: true
    #
    # metrics:
    #  contour:
    #    address: 0.0.0.0
    #    port: 8000
    #    server-certificate-path: /path/to/server-cert.pem
    #    server-key-path: /path/to/server-private-key.pem
    #    ca-certificate-path: /path/to/root-ca-for-client-validation.pem
    #  envoy:
    #    address: 0.0.0.0
    #    port: 8002
    #    server-certificate-path: /path/to/server-cert.pem
    #    server-key-path: /path/to/server-private-key.pem
    #    ca-certificate-path: /path/to/root-ca-for-client-validation.pem

Note: The default example contour includes this file for easy deployment of Contour.

Environment Variables

CONTOUR_NAMESPACE

If present, the value of the CONTOUR_NAMESPACE environment variable is used as:

The value for the contour bootstrap --namespace flag unless otherwise specified.
The value for the contour certgen --namespace flag unless otherwise specified.
The value for the contour serve --envoy-service-namespace flag unless otherwise specified.
The value for the contour serve --leader-election-resource-namespace flag unless otherwise specified.

The CONTOUR_NAMESPACE environment variable is set via the Downward API in the Contour example manifests.

Bootstrap Config File

The bootstrap configuration file is generated by an initContainer in the Envoy daemonset which runs the contour bootstrap command to generate the file. This configuration file configures the Envoy container to connect to Contour and receive configuration via xDS.

The next section outlines all the available flags that can be passed to the contour bootstrap command which are used to customize the configuration file to match the environment in which Envoy is deployed.

Flags

There are flags that can be passed to contour bootstrap that help configure how Envoy connects to Contour:

Flag	Default	Description
–resources-dir	""	Directory where resource files will be written.
–admin-address	/admin/admin.sock	Path to Envoy admin unix domain socket.
–admin-port (Deprecated)	9001	Deprecated: Port is now configured as a Contour flag.
–xds-address	127.0.0.1	Address to connect to Contour xDS server on.
–xds-port	8001	Port to connect to Contour xDS server on.
–envoy-cafile	""	CA filename for Envoy secure xDS gRPC communication.
–envoy-cert-file	""	Client certificate filename for Envoy secure xDS gRPC communication.
–envoy-key-file	""	Client key filename for Envoy secure xDS gRPC communication.
–namespace	projectcontour	Namespace the Envoy container will run, also configured via ENV variable “CONTOUR_NAMESPACE”. Namespace is used as part of the metric names on static resources defined in the bootstrap configuration file.
–xds-resource-version	v3	Currently, the only valid xDS API resource version is `v3`.
–dns-lookup-family	auto	Defines what DNS Resolution Policy to use for Envoy -> Contour cluster name lookup. Either v4, v6 or auto.
–log-format	text	Log output format for Contour. Either text or json.