
Annotations Reference

Annotations are used in Ingress Controllers to configure features that are not covered by the Kubernetes Ingress API.

Some of the features that have been historically configured via annotations are supported as first-class features in Contour’s HTTPProxy API, which provides a more robust configuration interface than annotations.

However, Contour still supports a number of annotations on the Ingress resources.

Standard Kubernetes Ingress annotations

The following Kubernetes annotations are supported on Ingress objects:

Ingress Class

The Ingress class annotation can be used to specify which Ingress controller should serve a particular Ingress object. This annotation may be specified as the standard kubernetes.io/ingress.class or a Contour-specific projectcontour.io/ingress.class. By default, both forms behave as follows:

  • If not set, then all Ingress controllers serve the Ingress.
  • If specified as kubernetes.io/ingress.class: contour, then Contour serves the Ingress.
  • If any other value, Contour ignores the Ingress definition.

You can override the default class contour by providing the --ingress-class-name flag to Contour. This can be useful while you are migrating from another controller, or if you need multiple instances of Contour. If you do this, the behavior is as follows:

  • If the annotation is not set, Contour will ignore the Ingress.
  • If the annotation is set to any value other than the one passed to the --ingress-class-name flag, Contour will ignore the Ingress.
  • If the annotation matches the value that you passed to the --ingress-class-name flag, Contour will serve the Ingress.

This same logic applies for these annotations on HTTPProxy and IngressRoute (deprecated) objects.

Other annotations

  • ingress.kubernetes.io/force-ssl-redirect: Requires TLS/SSL for the Ingress to Envoy by setting the Envoy virtual host option require_tls.
  • kubernetes.io/ingress.allow-http: Instructs Contour to not create an Envoy HTTP route for the virtual host. The Ingress exists only for HTTPS requests. Specify "false" for Envoy to mark the endpoint as HTTPS only. All other values are ignored.

The ingress.kubernetes.io/force-ssl-redirect annotation takes precedence over kubernetes.io/ingress.allow-http. If they are set to "true" and "false" respectively, Contour will create an Envoy HTTP route for the virtual host, and set the require_tls virtual host option.
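The class-matching rules and the force-ssl-redirect / allow-http precedence described above can be checked against a set of annotations with a small model. This is an added example, not Contour's own code; the function names `served` and `exposure` are hypothetical, and two assumptions are marked in the comments.

```go
package main

import "fmt"

const (
	classK8s     = "kubernetes.io/ingress.class"
	classContour = "projectcontour.io/ingress.class"
	forceSSL     = "ingress.kubernetes.io/force-ssl-redirect"
	allowHTTP    = "kubernetes.io/ingress.allow-http"
)

// served reports whether Contour serves an object carrying these annotations.
// classFlag is the --ingress-class-name value, "" when the flag is not given.
func served(classFlag string, ann map[string]string) bool {
	// Assumption: when both keys are present the Contour-specific one is
	// consulted first; the page does not state an order.
	class, set := ann[classContour]
	if !set {
		class, set = ann[classK8s]
	}
	if classFlag == "" {
		// Default: an unannotated object is served by every controller.
		return !set || class == "contour"
	}
	// Flag given: only an exact match is served; unannotated objects are ignored.
	return set && class == classFlag
}

// exposure returns whether a plain-HTTP route is created and whether
// require_tls is set on the virtual host.
func exposure(ann map[string]string) (httpRoute, requireTLS bool) {
	requireTLS = ann[forceSSL] == "true"   // assumption: only "true" enables it
	httpsOnly := ann[allowHTTP] == "false" // all other values are ignored
	// force-ssl-redirect takes precedence: the HTTP route is still created
	// and require_tls is set on the virtual host.
	return requireTLS || !httpsOnly, requireTLS
}

func main() {
	// Constructed sample annotations, not taken from a real cluster.
	ann := map[string]string{classK8s: "contour", forceSSL: "true", allowHTTP: "false"}
	route, tls := exposure(ann)
	fmt.Println("served by default:", served("", ann))
	fmt.Println("served with --ingress-class-name=internal:", served("internal", ann))
	fmt.Println("http route:", route, "require_tls:", tls)
}
```

An Ingress for which `exposure` returns an HTTP route without require_tls is reachable over plaintext, and one for which `served("", ...)` is true with no class annotation is also picked up by every other controller in the cluster.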

Contour specific Ingress annotations

Contour specific Service annotations

A Kubernetes Service maps to an Envoy Cluster. Envoy clusters have many settings to control specific behaviors. These annotations allow access to some of those settings.

  • projectcontour.io/max-connections: The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.
  • projectcontour.io/max-pending-requests: The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.
  • projectcontour.io/max-requests: The maximum number of parallel requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.
  • projectcontour.io/max-retries: The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 1024. This is independent of the per-Kubernetes Ingress number of retries (projectcontour.io/num-retries) and retry-on (projectcontour.io/retry-on), which control whether retries are attempted and how many times a single request can retry.
  • projectcontour.io/upstream-protocol.{protocol}: The protocol used for upstream connections. The annotation value is a comma-separated list of port names and/or numbers, which must match the ones defined in the Service definition. For now, only h2, h2c, and tls are supported, for example contour.heptio.com/upstream-protocol.h2: "443,https". Defaults to Envoy’s default behavior, which is http1 in the upstream.
    • The tls protocol allows for requests which terminate at Envoy to proxy via tls to the upstream. Note: This does not validate the upstream certificate.

Contour specific HTTPProxy annotations
