TLS support

Contour supports HTTPS (TLS/SSL) ingress by integrating Envoy’s SNI support. Certificates must be provisioned and stored as Kubernetes Secrets, which are then passed to Envoy. A common way to do this is with JetStack’s Cert Manager.

Enabling TLS support

Enabling TLS support requires Contour version 0.3 or later. You must also add an entry for port 443 to your Contour Service object.

Configuring TLS with Contour on an ELB

If you deploy behind an AWS Elastic Load Balancer, see EC2 ELB PROXY protocol support for special instructions.

TLS SNI name matching

Envoy’s SNI name matching during the TLS handshake is case-sensitive. For example, for a certificate with the common name foo.bar.com, requests to Foo.bar.com do not match. Similarly, for a certificate with the wildcard name *.bar.com, only requests to lower-case names match. This is a known issue reported on Envoy.
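
The manifests below pull together the port 443 entry on the Contour Service, the certificate stored as a Kubernetes Secret, and a lower-case host name that matches the certificate exactly. This is an added example, not taken from the Contour project's own manifests. The object names, namespaces, pod label, target ports and backend Service are assumptions, and the Ingress uses the current networking.k8s.io/v1 API (clusters from the Contour 0.3 era used extensions/v1beta1).

```yaml
# Added example: names, namespaces, labels and target ports are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: contour                  # assumed Service name
  namespace: example-contour     # assumed namespace
spec:
  type: LoadBalancer
  selector:
    app: contour                 # assumed pod label
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080             # assumed Envoy HTTP listener port
  - name: https                  # the port 443 entry that TLS support requires
    port: 443
    protocol: TCP
    targetPort: 8443             # assumed Envoy HTTPS listener port
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo                      # assumed Ingress name
  namespace: default
spec:
  tls:
  - hosts:
    - foo.bar.com                # lower case, identical to the certificate name
    # Assumed name of a kubernetes.io/tls Secret in the same namespace,
    # holding the certificate (tls.crt) and private key (tls.key).
    secretName: foo-bar-com-tls
  rules:
  - host: foo.bar.com            # keep lower case here as well
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: foo-backend    # assumed backend Service
            port:
              number: 80
```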
