Contour supports HTTPS (TLS/SSL) ingress by integrating Envoy’s SNI support. Certificates must be provisioned and saved as Kubernetes secrets, which are then passed to Envoy. A common way to implement this is to use JetStack’s Cert Manager.
Enabling TLS support requires Contour version 0.3 or later. You must also add an entry for port 443 to your contour service object.
If you deploy behind an AWS Elastic Load Balancer, see EC2 ELB PROXY protocol support for special instructions.
Envoy SNI name matching during the TLS handshake is case-sensitive. For example, for a certificate with common name foo.bar.com, requests to Foo.bar.com would not match. Similarly, for a certificate with the wildcard name *.bar.com, only requests to lowercase names will match. This is a known issue reported on Envoy.
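The case-sensitivity described above can be checked for before host names reach a cluster. The following is an added example, not Contour or Envoy code: a simplified Python model of the matching behaviour this page describes, plus a lint for configured host names that contain uppercase characters. The function names, the sample lists and the rule that a wildcard covers exactly one leftmost label are assumptions.

```python
# Added example: simplified model of case-sensitive SNI matching.
# This is not Envoy's implementation; names and sample data are constructed.

def sni_matches(cert_name: str, requested: str) -> bool:
    """Compare names byte for byte, with no case folding."""
    if cert_name.startswith("*."):
        # Assumption: the wildcard stands for exactly one leftmost label.
        suffix = cert_name[1:]  # e.g. ".bar.com"
        if not requested.endswith(suffix):
            return False
        label = requested[: -len(suffix)]
        # Per the page, only all-lowercase requests match a wildcard name.
        return bool(label) and "." not in label and requested == requested.lower()
    return cert_name == requested


def unmatched(cert_names, requested_names):
    """Return the requested names that no certificate name matches."""
    return [r for r in requested_names
            if not any(sni_matches(c, r) for c in cert_names)]


def audit_hosts(hosts):
    """Return (host, lowercase form) for each host containing uppercase."""
    return [(h, h.lower()) for h in hosts if h != h.lower()]


# Certificate names taken from the page's example.
CERT_NAMES = ["foo.bar.com", "*.bar.com"]
# Constructed sample of server names a client might send.
REQUESTED = ["foo.bar.com", "Foo.bar.com", "api.bar.com", "API.bar.com"]
# Constructed sample of host names as written in Ingress objects.
INGRESS_HOSTS = ["foo.bar.com", "Shop.bar.com"]

if __name__ == "__main__":
    for name in unmatched(CERT_NAMES, REQUESTED):
        print(f"no certificate match for SNI {name!r}")
    for host, fixed in audit_hosts(INGRESS_HOSTS):
        print(f"host {host!r} contains uppercase; use {fixed!r}")
```
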