- HTTPProxy Fundamentals
- Ingress v1 Support
- Virtual Hosts
- Inclusion and Delegation
- TLS Termination
- Upstream TLS
- Request Routing
- External Service Routing
- Request Rewriting
- Upstream Health Checks
- Client Authorization
- TLS Delegation
- Rate Limiting
- Access logging
- Cookie Rewriting
- Overload Manager
- JWT Verification
- Annotations Reference
- Slow Start Mode
- API Reference
- Deployment Options
- Contour Configuration
- Upgrading Contour
- Enabling TLS between Envoy and Contour
- Redeploy Envoy
- Deploying Contour on AWS with NLB
- AWS Network Load Balancer TLS Termination with Contour
- Deploying HTTPS services with Contour and cert-manager
- External Authorization Support
- FIPS 140-2 in Contour
- Using Gatekeeper with Contour
- Using Gateway API with Contour
- Global Rate Limiting
- Configuring ingress to gRPC services with Contour
- Health Checking
- How to enable structured JSON logging
- Creating a Contour-compatible kind cluster
- Collecting Metrics with Prometheus
- How to Configure PROXY Protocol v1/v2 Support
- Contour/Envoy Resource Limits
- Envoy Administration Access
- Contour Debug Logging
- Envoy Debug Logging
- Visualize the Contour Graph
- Show Contour xDS Resources
- Profiling Contour
- Contour Operator
- Support Policy
- Compatibility Matrix
- Contour Deprecation Policy
- Release Process
- Frequently Asked Questions
Contour Configuration Reference
There are various ways to configure Contour, flags, the configuration file, as well as environment variables. Contour has a precedence of configuration for contour serve, meaning anything configured in the config file is overridden by environment vars which are overridden by cli flags.
contour serve command is the main command which is used to watch for Kubernetes resource and process them into Envoy configuration which is then streamed to any Envoy via its xDS gRPC connection.
There are a number of flags that can be passed to this command which further configures how Contour operates.
Many of these flags are mirrored in the
Contour Configuration File.
|Path to base configuration|
|Name of the ContourConfiguration resource to use|
|Use in cluster configuration|
|Path to kubeconfig (if not in running inside a cluster)|
|xDS gRPC API address|
|xDS gRPC API port|
|Envoy /stats interface address|
|Envoy /stats interface port|
|Address the debug http endpoint will bind to.|
|Port the debug http endpoint will bind to|
|Address the metrics HTTP endpoint will bind to|
|Port the metrics HTTP endpoint will bind to.|
|Address the health HTTP endpoint will bind to|
|Port the health HTTP endpoint will bind to|
|CA bundle file name for serving gRPC with TLS|
|Contour certificate file name for serving gRPC over TLS|
|Contour key file name for serving gRPC over TLS|
|Allow serving without TLS secured gRPC|
|Restrict contour to searching these namespaces for root ingress routes|
|Contour IngressClass name (comma-separated list allowed)|
|Address to set in Ingress object status|
|Envoy HTTP access log|
|Envoy HTTPS access log|
|Kubernetes Service address for HTTP requests|
|Kubernetes Service address for HTTPS requests|
|Kubernetes Service port for HTTP requests|
|Kubernetes Service port for HTTPS requests|
|Name of the Envoy service to inspect for Ingress status details.|
|Envoy Service Namespace|
|Use PROXY protocol for all listeners|
|Format for Envoy access logs|
|Disable leader election mechanism|
|The duration of the leadership lease.|
|The duration leader will retry refreshing leadership before giving up.|
|The interval which Contour will attempt to acquire leadership lease.|
|The name of the resource (Lease) leader election will lease.|
|The namespace of the resource (Lease) leader election will lease.|
|Enable debug logging|
|Enable Kubernetes client debug logging|
|Log output format for Contour. Either text (default) or json.|
A configuration file can be passed to the
--config-path argument of the
contour serve command to specify additional configuration to Contour.
In most deployments, this file is passed to Contour via a ConfigMap which is mounted as a volume to the Contour pod.
The Contour configuration file is optional. In its absence, Contour will operate with reasonable defaults. Where Contour settings can also be specified with command-line flags, the command-line value takes precedence over the configuration file.
|accesslog-format||string||This key sets the global
access log format for Envoy. Valid options are |
|accesslog-format-string||string||None||If present, this specifies custom access log format for Envoy. See
Envoy documentation for more information about the syntax. This field only has effect if |
|accesslog-level||string||This field specifies the verbosity level of the access log. Valid options are |
|debug||boolean||Enables debug logging.|
|default-http-versions||string array||This array specifies the HTTP versions that Contour should program Envoy to serve. HTTP versions are specified as strings of the form “HTTP/x”, where “x” represents the version number.|
|disableAllowChunkedLength||boolean||If this field is true, Contour will disable the RFC-compliant Envoy behavior to strip the |
|disableMergeSlashes||boolean||This field disables Envoy’s non-standard|
|merge_slashes path transformation behavior that strips duplicate slashes from request URL paths.|
|disablePermitInsecure||boolean||If this field is true, Contour will ignore |
|envoy-service-name||string||This sets the service name that will be inspected for address details to be applied to Ingress objects.|
|envoy-service-namespace||string||This sets the namespace of the service that will be inspected for address details to be applied to Ingress objects. If the |
|ingress-status-address||string||None||If present, this specifies the address that will be copied into the Ingress status for each Ingress that Contour manages. It is exclusive with |
|incluster||boolean||This field specifies that Contour is running in a Kubernetes cluster and should use the in-cluster client access configuration.|
|json-fields||string array||fields||This is the list the field names to include in the JSON
access log format. This field only has effect if |
|kubeconfig||string||Path to a Kubernetes kubeconfig file for when Contour is executed outside a cluster.|
|leaderelection||leaderelection||The leader election configuration.|
|policy||PolicyConfig||The default policy configuration.|
|tls||TLS||The default TLS configuration.|
|timeouts||TimeoutConfig||The timeout configuration.|
|cluster||ClusterConfig||The cluster configuration.|
|network||NetworkConfig||The network configuration.|
|listener||ListenerConfig||The listener configuration.|
server configuration for |
|gateway||GatewayConfig||The gateway-api Gateway configuration.|
|rateLimitService||RateLimitServiceConfig||The rate limit service configuration.|
|enableExternalNameService||boolean||Enable ExternalName Service processing. Enabling this has security implications. Please see the advisory for more details.|
|metrics||MetricsParameters||The metrics configuration|
The TLS configuration block can be used to configure default values for how Contour should provision TLS hosts.
|minimum-protocol-version||string||This field specifies the minimum TLS protocol version that is allowed. Valid options are |
|fallback-certificate||Fallback certificate configuration.|
|envoy-client-certificate||Client certificate configuration for Envoy.|
|cipher-suites||string||See config package documentation||This field specifies the TLS ciphers to be supported by TLS listeners when negotiating TLS 1.2. This parameter should only be used by advanced users. Note that this is ignored when TLS 1.3 is in use. The set of ciphers that are allowed is a superset of those supported by default in stock, non-FIPS Envoy builds and FIPS builds as specified here. Custom ciphers not accepted by Envoy in a standard build are not supported.|
|name||string||This field specifies the name of the Kubernetes secret to use as the fallback certificate.|
|namespace||string||This field specifies the namespace of the Kubernetes secret to use as the fallback certificate.|
Envoy Client Certificate
|name||string||This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service.|
|namespace||string||This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service.|
Leader Election Configuration
The leader election configuration block configures how a deployment with more than one Contour pod elects a leader.
The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents.
In the vast majority of deployments, only the
configmap-namespace fields should require any configuration.
Note: Configuring leader election via the configuration file is deprecated, please use the
contour serve command line flags instead.
|configmap-name||string||The name of the ConfigMap that Contour leader election will lease.|
|configmap-namespace||string||The namespace of the ConfigMap that Contour leader election will lease. If the |
|lease-duration||duration||The duration of the leadership lease.|
|renew-deadline||duration||The length of time that the leader will retry refreshing leadership before giving up.|
|retry-period||duration||The interval at which Contour will attempt to the acquire leadership lease.|
The timeout configuration block can be used to configure various timeouts for the proxies. All fields are optional; Contour/Envoy defaults apply if a field is not specified.
|request-timeout||string||none*||This field specifies the default request timeout. Note that this is a timeout for the entire request, not an idle timeout. Must be a
valid Go duration string, or omitted or set to |
Note: A value of
|connection-idle-timeout||string||This field defines how long the proxy should wait while there are no active requests (for HTTP/1.1) or streams (for HTTP/2) before terminating an HTTP connection. The timeout applies to downstream connections only. Must be a
valid Go duration string, or |
|stream-idle-timeout||string||This field defines how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2). Timeout will not trigger while HTTP/1.1 connection is idle between two consecutive requests. Must be a
valid Go duration string, or |
|max-connection-duration||string||none*||This field defines the maximum period of time after an HTTP connection has been established from the client to the proxy before it is closed by the proxy, regardless of whether there has been activity or not. Must be a
valid Go duration string, or omitted or set to |
|delayed-close-timeout||string||Note: this is an advanced setting that should not normally need to be tuned.|
This field defines how long envoy will wait, once connection close processing has been initiated, for the downstream peer to close the connection before Envoy closes the socket associated with the connection. Setting this timeout to ‘infinity’ will disable it. See the Envoy documentation for more information.
|connection-shutdown-grace-period||string||This field defines how long the proxy will wait between sending an initial GOAWAY frame and a second, final GOAWAY frame when terminating an HTTP/2 connection. During this grace period, the proxy will continue to respond to new streams. After the final GOAWAY frame has been sent, the proxy will refuse new streams. Must be a valid Go duration string. See the Envoy documentation for more information.|
|connect-timeout||string||This field defines how long the proxy will wait for the upstream connection to be established.|
This is Envoy’s default setting value and is not explicitly configured by Contour.
The cluster configuration block can be used to configure various parameters for Envoy clusters.
|dns-lookup-family||string||auto||This field specifies the dns-lookup-family to use for upstream requests to externalName type Kubernetes services from an HTTPProxy route. Values are: |
The network configuration block can be used to configure various parameters network connections.
|num-trusted-hops||int||0||Configures the number of additional ingress proxy hops from the right side of the x-forwarded-for HTTP header to trust.|
|admin-port||int||9001||Configures the Envoy Admin read-only listener on Envoy. Set to |
The listener configuration block can be used to configure various parameters for Envoy listener.
|connection-balancer||string||This field specifies the listener connection balancer. If the value is |
The server configuration block can be used to configure various settings for the
contour serve command.
|xds-server-type||string||contour||This field specifies the xDS Server to use. Options are |
The gateway configuration block is used to configure which gateway-api Gateway Contour should configure:
|controllerName||string||Gateway Class controller name (i.e. projectcontour.io/projectcontour/contour). If set, Contour will reconcile the oldest GatewayClass, and its oldest Gateway, with this controller string. Only one of |
|gatewayRef||NamespacedName||Gateway namespace and name. If set, Contour will reconcile this specific Gateway. Only one of |
|name||string||This field specifies the name of the specific Gateway to reconcile.|
|namespace||string||This field specifies the namespace of the specific Gateway to reconcile.|
The Policy configuration block can be used to configure default policy values that are set if not overridden by the user.
request-headers field is used to rewrite headers on a HTTP request, and
response-headers field is used to rewrite headers on a HTTP response.
|request-headers||HeaderPolicy||none||The default request headers set or removed on all service routes if not overridden in the object|
|response-headers||HeaderPolicy||none||The default response headers set or removed on all service routes if not overridden in the object|
|applyToIngress||Boolean||false||Whether the global policy should apply to Ingress objects|
set field sets an HTTP header value, creating it if it doesn’t already exist but not overwriting it if it does.
remove field removes an HTTP header.
|set||map[string]string||none||Map of headers to set on all service routes if not overridden in the object|
|remove||string||none||List of headers to remove on all service routes if not overridden in the object|
Note: the values of entries in the
remove fields can be overridden in HTTPProxy objects but it it not possible to remove these entries.
Rate Limit Service Configuration
The rate limit service configuration block is used to configure an optional global rate limit service:
|extensionService||string||This field identifies the extension service defining the rate limit service, formatted as |
|domain||string||contour||This field defines the rate limit domain value to pass to the rate limit service. Acts as a container for a set of rate limit definitions within the RLS.|
|failOpen||bool||false||This field defines whether to allow requests to proceed when the rate limit service fails to respond with a valid rate limit decision within the timeout defined on the extension service.|
|enableXRateLimitHeaders||bool||false||This field defines whether to include the X-RateLimit headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF Internet-Draft https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html), on responses to clients when the Rate Limit Service is consulted for a request.|
MetricsParameters holds configurable parameters for Contour and Envoy metrics.
|contour||MetricsServerParameters||Metrics Server Parameters for Contour.|
|envoy||MetricsServerParameters||Metrics Server Parameters for Envoy.|
Metrics Server Parameters
MetricsServerParameters holds configurable parameters for Contour and Envoy metrics.
Metrics are served over HTTPS if
server-key-path are set.
Metrics and health endpoints cannot have the same port number when metrics are served over HTTPS.
|address||string||0.0.0.0||Address that metrics server will bind to.|
|port||int||8000 (Contour), 8002 (Envoy)||Port that metrics server will bind to.|
|server-certificate-path||string||none||Optional path to the server certificate file.|
|server-key-path||string||none||Optional path to the server private key file.|
|ca-certificate-path||string||none||Optional path to the CA certificate file used to verify client certificates.|
The following is an example ConfigMap with configuration file included:
apiVersion: v1 kind: ConfigMap metadata: name: contour namespace: projectcontour data: contour.yaml: | # # server: # determine which XDS Server implementation to utilize in Contour. # xds-server-type: contour # # specify the gateway-api Gateway Contour should configure # gateway: # controllerName: projectcontour.io/projectcontour/contour # # should contour expect to be running inside a k8s cluster # incluster: true # # path to kubeconfig (if not running inside a k8s cluster) # kubeconfig: /path/to/.kube/config # # Disable RFC-compliant behavior to strip "Content-Length" header if # "Tranfer-Encoding: chunked" is also set. # disableAllowChunkedLength: false # Disable HTTPProxy permitInsecure field disablePermitInsecure: false tls: # minimum TLS version that Contour will negotiate # minimum-protocol-version: "1.2" # TLS ciphers to be supported by Envoy TLS listeners when negotiating # TLS 1.2. # cipher-suites: # - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' # - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' # - 'ECDHE-ECDSA-AES256-GCM-SHA384' # - 'ECDHE-RSA-AES256-GCM-SHA384' # Defines the Kubernetes name/namespace matching a secret to use # as the fallback certificate when requests which don't match the # SNI defined for a vhost. fallback-certificate: # name: fallback-secret-name # namespace: projectcontour envoy-client-certificate: # name: envoy-client-cert-secret-name # namespace: projectcontour ### Logging options # Default setting accesslog-format: envoy # The default access log format is defined by Envoy but it can be customized by setting following variable. # accesslog-format-string: "...\n" # To enable JSON logging in Envoy # accesslog-format: json # accesslog-level: info # The default fields that will be logged are specified below. # To customise this list, just add or remove entries. # The canonical list is available at # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields # json-fields: # - "@timestamp" # - "authority" # - "bytes_received" # - "bytes_sent" # - "downstream_local_address" # - "downstream_remote_address" # - "duration" # - "method" # - "path" # - "protocol" # - "request_id" # - "requested_server_name" # - "response_code" # - "response_flags" # - "uber_trace_id" # - "upstream_cluster" # - "upstream_host" # - "upstream_local_address" # - "upstream_service_time" # - "user_agent" # - "x_forwarded_for" # # default-http-versions: # - "HTTP/2" # - "HTTP/1.1" # # The following shows the default proxy timeout settings. # timeouts: # request-timeout: infinity # connection-idle-timeout: 60s # stream-idle-timeout: 5m # max-connection-duration: infinity # connection-shutdown-grace-period: 5s # # Envoy cluster settings. # cluster: # configure the cluster dns lookup family # valid options are: auto (default), v4, v6 # dns-lookup-family: auto # # network: # Configure the number of additional ingress proxy hops from the # right side of the x-forwarded-for HTTP header to trust. # num-trusted-hops: 0 # Configure the port used to access the Envoy Admin interface. # admin-port: 9001 # # Configure an optional global rate limit service. # rateLimitService: # Identifies the extension service defining the rate limit service, # formatted as <namespace>/<name>. # extensionService: projectcontour/ratelimit # Defines the rate limit domain to pass to the rate limit service. # Acts as a container for a set of rate limit definitions within # the RLS. # domain: contour # Defines whether to allow requests to proceed when the rate limit # service fails to respond with a valid rate limit decision within # the timeout defined on the extension service. # failOpen: false # Defines whether to include the X-RateLimit headers X-RateLimit-Limit, # X-RateLimit-Remaining, and X-RateLimit-Reset (as defined by the IETF # Internet-Draft linked below), on responses to clients when the Rate # Limit Service is consulted for a request. # ref. https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html # enableXRateLimitHeaders: false # # Global Policy settings. # policy: # # Default headers to set on all requests (unless set/removed on the HTTPProxy object itself) # request-headers: # set: # # example: the hostname of the Envoy instance that proxied the request # X-Envoy-Hostname: %HOSTNAME% # # example: add a l5d-dst-override header to instruct Linkerd what service the request is destined for # l5d-dst-override: %CONTOUR_SERVICE_NAME%.%CONTOUR_NAMESPACE%.svc.cluster.local:%CONTOUR_SERVICE_PORT% # # default headers to set on all responses (unless set/removed on the HTTPProxy object itself) # response-headers: # set: # # example: Envoy flags that provide additional details about the response or connection # X-Envoy-Response-Flags: %RESPONSE_FLAGS% # Whether or not the policy settings should apply to ingress objects # applyToIngress: true # # metrics: # contour: # address: 0.0.0.0 # port: 8000 # server-certificate-path: /path/to/server-cert.pem # server-key-path: /path/to/server-private-key.pem # ca-certificate-path: /path/to/root-ca-for-client-validation.pem # envoy: # address: 0.0.0.0 # port: 8002 # server-certificate-path: /path/to/server-cert.pem # server-key-path: /path/to/server-private-key.pem # ca-certificate-path: /path/to/root-ca-for-client-validation.pem
Note: The default example
contour includes this
file for easy deployment of Contour.
If present, the value of the
CONTOUR_NAMESPACE environment variable is used as:
- The value for the
contour bootstrap --namespaceflag unless otherwise specified.
- The value for the
contour certgen --namespaceflag unless otherwise specified.
- The value for the
contour serve --envoy-service-namespaceflag unless otherwise specified.
- The value for the
contour serve --leader-election-resource-namespaceflag unless otherwise specified.
Bootstrap Config File
The bootstrap configuration file is generated by an initContainer in the Envoy daemonset which runs the
contour bootstrap command to generate the file.
This configuration file configures the Envoy container to connect to Contour and receive configuration via xDS.
The next section outlines all the available flags that can be passed to the
contour bootstrap command which are used to customize
the configuration file to match the environment in which Envoy is deployed.
There are flags that can be passed to
contour bootstrap that help configure how Envoy
connects to Contour:
|""||Directory where resource files will be written.|
|/admin/admin.sock||Path to Envoy admin unix domain socket.|
|9001||Deprecated: Port is now configured as a Contour flag.|
|127.0.0.1||Address to connect to Contour xDS server on.|
|8001||Port to connect to Contour xDS server on.|
|""||CA filename for Envoy secure xDS gRPC communication.|
|""||Client certificate filename for Envoy secure xDS gRPC communication.|
|""||Client key filename for Envoy secure xDS gRPC communication.|
|projectcontour||Namespace the Envoy container will run, also configured via ENV variable “CONTOUR_NAMESPACE”. Namespace is used as part of the metric names on static resources defined in the bootstrap configuration file.|
|v3||Currently, the only valid xDS API resource version is |
|auto||Defines what DNS Resolution Policy to use for Envoy -> Contour cluster name lookup. Either v4, v6 or auto.|
|text||Log output format for Contour. Either text or json.|
|""||Defines the maximum heap size in bytes until Envoy overload manager stops accepting new connections.|