Bitnami package for Contour

Contour is an open source Kubernetes ingress controller that works by deploying the Envoy proxy as a reverse proxy and load balancer.

Overview of Contour

Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.

TL;DR

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/contour

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository.

Introduction

Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.

This chart bootstraps a Contour Ingress Controller Deployment and a Envoy Proxy Daemonset on a Kubernetes cluster using the Helm package manager.

Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters.

Prerequisites

  • Kubernetes 1.23+
  • Helm 3.8.0+
  • An Operator for ServiceType: LoadBalancer like MetalLB

Installing the Chart

To install the chart with the release name my-release:

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/contour

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

These commands deploy contour on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

Tip: List all releases using helm list or helm ls --all-namespaces

Configuration and installation details

Resource requests and limits

Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the resources value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.

To make this process easier, the chart contains the resourcesPreset values, which automatically sets the resources section according to different presets. Check these presets in the bitnami/common chart. However, in production workloads using resourcePreset is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

To configure Contour please look into the configuration section Contour Configuration.

Example Quickstart Contour Confiuration

configInline:
  # should contour expect to be running inside a k8s cluster
  # incluster: true
  #
  # path to kubeconfig (if not running inside a k8s cluster)
  # kubeconfig: /path/to/.kube/config
  #
  # Client request timeout to be passed to Envoy
  # as the connection manager request_timeout.
  # Defaults to 0, which Envoy interprets as disabled.
  # Note that this is the timeout for the whole request,
  # not an idle timeout.
  # request-timeout: 0s
  # disable ingressroute permitInsecure field
  disablePermitInsecure: false
  tls:
    #   minimum TLS version that Contour will negotiate
    #   minimum-protocol-version: "1.1"
    # Defines the Kubernetes name/namespace matching a secret to use
    # as the fallback certificate when requests which don't match the
    # SNI defined for a vhost.
    fallback-certificate:
  #   name: fallback-secret-name
  #   namespace: projectcontour
  # The following config shows the defaults for the leader election.
  # leaderelection:
  #   configmap-name: leader-elect
  #   configmap-namespace: projectcontour
  ### Logging options
  # Default setting
  accesslog-format: envoy
  # To enable JSON logging in Envoy
  # accesslog-format: json
  # The default fields that will be logged are specified below.
  # To customise this list, just add or remove entries.
  # The canonical list is available at
  # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
  # json-fields:
  #   - "@timestamp"
  #   - "authority"
  #   - "bytes_received"
  #   - "bytes_sent"
  #   - "downstream_local_address"
  #   - "downstream_remote_address"
  #   - "duration"
  #   - "method"
  #   - "path"
  #   - "protocol"
  #   - "request_id"
  #   - "requested_server_name"
  #   - "response_code"
  #   - "response_flags"
  #   - "uber_trace_id"
  #   - "upstream_cluster"
  #   - "upstream_host"
  #   - "upstream_local_address"
  #   - "upstream_service_time"
  #   - "user_agent"
  #   - "x_forwarded_for"
  #
  # default-http-versions:
  # - "HTTP/2"
  # - "HTTP/1.1"
  #
  # The following shows the default proxy timeout settings.
  # timeouts:
  #   request-timeout: infinity
  #   connection-idle-timeout: 60s
  #   stream-idle-timeout: 5m
  #   max-connection-duration: infinity
  #   connection-shutdown-grace-period: 5s

Deploying Contour with an AWS NLB

By default, Contour is launched with an AWS Classic ELB. To launch contour backed by a NLB, please set these settings:

envoy:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX

  containerPorts:
    http: 80
    https: 80

Setting Pod’s affinity

This chart allows you to set your custom affinity using the XXX.affinity parameter(s). Find more information about Pod’s affinity in the kubernetes documentation.

As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the XXX.podAffinityPreset, XXX.podAntiAffinityPreset, or XXX.nodeAffinityPreset parameters.

Parameters

Global parameters

Name Description Value
global.imageRegistry Global Docker image registry ""
global.imagePullSecrets Global Docker registry secret names as an array []
global.defaultStorageClass Global default StorageClass for Persistent Volume(s) ""
global.storageClass DEPRECATED: use global.defaultStorageClass instead ""
global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) auto

Common parameters

Name Description Value
nameOverride String to partially override contour.fullname include (will maintain the release name) ""
fullnameOverride String to fully override contour.fullname template ""
namespaceOverride String to fully override common.names.namespace ""
kubeVersion Force target Kubernetes version (using Helm capabilities if not set) ""
extraDeploy Array of extra objects to deploy with the release []
commonLabels Labels to add to all deployed objects {}
commonAnnotations Annotations to add to all deployed objects {}
diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) false
diagnosticMode.command Command to override all containers in the deployment []
diagnosticMode.args Args to override all containers in the deployment []

Contour parameters

Name Description Value
existingConfigMap Specifies the name of an externally-defined ConfigMap to use as the configuration (this is mutually exclusive with configInline) ""
configInline Specifies Contour’s configuration directly in YAML format {}
contour.enabled Contour Deployment creation. true
contour.image.registry Contour image registry REGISTRY_NAME
contour.image.repository Contour image name REPOSITORY_NAME/contour
contour.image.digest Contour image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag ""
contour.image.pullPolicy Contour Image pull policy IfNotPresent
contour.image.pullSecrets Contour Image pull secrets []
contour.image.debug Enable image debug mode false
contour.contourConfigName Contour Deployment with ContourConfiguration CRD. contour
contour.configPath Contour Deployment with configmap. true
contour.replicaCount Number of Contour Pod replicas 1
contour.priorityClassName Priority class assigned to the pods ""
contour.schedulerName Name of the k8s scheduler (other than default) ""
contour.terminationGracePeriodSeconds In seconds, time the given to the Contour pod needs to terminate gracefully ""
contour.topologySpreadConstraints Topology Spread Constraints for pod assignment []
contour.containerPorts.xds Set xds port inside Contour pod 8001
contour.containerPorts.metrics Set metrics port inside Contour pod 8000
contour.automountServiceAccountToken Mount Service Account token in pod true
contour.hostAliases Add deployment host aliases []
contour.updateStrategy Strategy to use to update Pods {}
contour.extraArgs Extra arguments passed to Contour container []
contour.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if contour.resources is set (contour.resources is recommended for production). nano
contour.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) {}
contour.manageCRDs Manage the creation, upgrade and deletion of Contour CRDs. true
contour.envoyServiceNamespace Namespace of the envoy service to inspect for Ingress status details. ""
contour.envoyServiceName Name of the envoy service to inspect for Ingress status details. ""
contour.leaderElectionResourceName Name of the contour (Lease) leader election will lease. ""
contour.ingressStatusAddress Address to set in Ingress object status. It is exclusive with envoyServiceName and envoyServiceNamespace. ""
contour.podAffinityPreset Contour Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard ""
contour.podAntiAffinityPreset Contour Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard soft
contour.podLabels Extra labels for Contour pods {}
contour.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup. {}
contour.customLivenessProbe Override default liveness probe {}
contour.customReadinessProbe Override default readiness probe {}
contour.customStartupProbe Override default startup probe {}
contour.nodeAffinityPreset.type Contour Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard ""
contour.nodeAffinityPreset.key Contour Node label key to match Ignored if affinity is set. ""
contour.nodeAffinityPreset.values Contour Node label values to match. Ignored if affinity is set. []
contour.command Override default command []
contour.args Override default args []
contour.affinity Affinity for Contour pod assignment {}
contour.nodeSelector Node labels for Contour pod assignment {}
contour.tolerations Tolerations for Contour pod assignment []
contour.podAnnotations Contour Pod annotations {}
contour.serviceAccount.create Create a serviceAccount for the Contour pod true
contour.serviceAccount.name Use the serviceAccount with the specified name, a name is generated using the fullname template ""
contour.serviceAccount.automountServiceAccountToken Automount service account token for the server service account false
contour.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if create is true. {}
contour.podSecurityContext.enabled Default backend Pod securityContext true
contour.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy Always
contour.podSecurityContext.sysctls Set kernel settings using the sysctl interface []
contour.podSecurityContext.supplementalGroups Set filesystem extra groups []
contour.podSecurityContext.fsGroup Set Default backend Pod’s Security Context fsGroup 1001
contour.containerSecurityContext.enabled Enabled contour containers’ Security Context true
contour.containerSecurityContext.seLinuxOptions Set SELinux options in container {}
contour.containerSecurityContext.runAsUser Set contour containers’ Security Context runAsUser 1001
contour.containerSecurityContext.runAsGroup Set contour containers’ Security Context runAsGroup 1001
contour.containerSecurityContext.runAsNonRoot Set contour containers’ Security Context runAsNonRoot true
contour.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod’s Security Conte true
contour.containerSecurityContext.privileged Set contour container’s Security Context privileged false
contour.containerSecurityContext.allowPrivilegeEscalation Set contour container’s Security Context allowPrivilegeEscalation false
contour.containerSecurityContext.capabilities.drop List of capabilities to be dropped ["ALL"]
contour.containerSecurityContext.seccompProfile.type Set container’s Security Context seccomp profile RuntimeDefault
contour.livenessProbe.enabled Enable/disable the Liveness probe true
contour.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated 120
contour.livenessProbe.periodSeconds How often to perform the probe 20
contour.livenessProbe.timeoutSeconds When the probe times out 5
contour.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. 6
contour.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 1
contour.readinessProbe.enabled Enable/disable the readiness probe true
contour.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated 15
contour.readinessProbe.periodSeconds How often to perform the probe 10
contour.readinessProbe.timeoutSeconds When the probe times out 5
contour.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. 3
contour.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 1
contour.startupProbe.enabled Enable/disable the startup probe false
contour.startupProbe.initialDelaySeconds Delay before startup probe is initiated 15
contour.startupProbe.periodSeconds How often to perform the probe 10
contour.startupProbe.timeoutSeconds When the probe times out 5
contour.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. 3
contour.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 1
contour.certgen.serviceAccount.create Create a serviceAccount for the Contour pod true
contour.certgen.serviceAccount.name Use the serviceAccount with the specified name, a name is generated using the fullname template ""
contour.certgen.serviceAccount.automountServiceAccountToken Automount service account token for the server service account false
contour.certgen.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if create is true. {}
contour.certgen.certificateLifetime Generated certificate lifetime (in days). 365
contour.certgen.automountServiceAccountToken Mount Service Account token in pod true
contour.certgen.networkPolicy.enabled Specifies whether a NetworkPolicy should be created true
contour.certgen.networkPolicy.allowExternal Don’t require server label for connections true
contour.certgen.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. true
contour.certgen.networkPolicy.kubeAPIServerPorts List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) []
contour.certgen.networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy []
contour.certgen.networkPolicy.extraEgress Add extra ingress rules to the NetworkPolicy []
contour.certgen.networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces {}
contour.certgen.networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces {}
contour.tlsExistingSecret Name of the existingSecret to be use in Contour deployment. If it is not nil contour.certgen will be disabled. ""
contour.service.type Service type ClusterIP
contour.service.ports.xds Contour service xds port 8001
contour.service.ports.metrics Contour service xds port 8000
contour.service.nodePorts.xds Node port for HTTP ""
contour.service.clusterIP Contour service Cluster IP ""
contour.service.loadBalancerIP Contour service Load Balancer IP ""
contour.service.loadBalancerSourceRanges Contour service Load Balancer sources []
contour.service.loadBalancerClass Contour service Load Balancer Class ""
contour.service.externalTrafficPolicy Contour service external traffic policy Cluster
contour.service.annotations Additional custom annotations for Contour service {}
contour.service.extraPorts Extra port to expose on Contour service []
contour.service.sessionAffinity Session Affinity for Kubernetes service, can be “None” or “ClientIP” None
contour.service.sessionAffinityConfig Additional settings for the sessionAffinity {}
contour.networkPolicy.enabled Specifies whether a NetworkPolicy should be created true
contour.networkPolicy.allowExternal Don’t require server label for connections true
contour.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. true
contour.networkPolicy.kubeAPIServerPorts List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) []
contour.networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy []
contour.networkPolicy.extraEgress Add extra ingress rules to the NetworkPolicy []
contour.networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces {}
contour.networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces {}
contour.initContainers Attach additional init containers to Contour pods []
contour.sidecars Add additional sidecar containers to the Contour pods []
contour.extraVolumes Array to add extra volumes []
contour.extraVolumeMounts Array to add extra mounts (normally used with extraVolumes) []
contour.extraEnvVars Array containing extra env vars to be added to all Contour containers []
contour.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Contour containers ""
contour.extraEnvVarsSecret Secret containing extra env vars to be added to all Contour containers ""
contour.ingressClass.name Name of the ingress class to route through this controller. ""
contour.ingressClass.create Whether to create or not the IngressClass resource true
contour.ingressClass.default Mark IngressClass resource as default for cluster true
contour.debug Enable Contour debug log level false
contour.logFormat Set contour log-format. Default text, either text or json. text
contour.kubernetesDebug Contour kubernetes debug log level, Default 0, minimum 0, maximum 9. 0
contour.rootNamespaces Restrict Contour to searching these namespaces for root ingress routes. ""
contour.overloadManager.enabled Enable Overload Manager false
contour.overloadManager.maxHeapBytes Overload Manager’s maximum heap size in bytes 2147483648
contour.pdb.create Enable Pod Disruption Budget configuration true
contour.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled ""
contour.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled ""

Envoy parameters

Name Description Value
envoy.enabled Envoy Proxy creation true
envoy.image.registry Envoy Proxy image registry REGISTRY_NAME
envoy.image.repository Envoy Proxy image repository REPOSITORY_NAME/envoy
envoy.image.digest Envoy Proxy image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag ""
envoy.image.pullPolicy Envoy image pull policy IfNotPresent
envoy.image.pullSecrets Envoy image pull secrets []
envoy.priorityClassName Priority class assigned to the pods ""
envoy.schedulerName Name of the k8s scheduler (other than default) ""
envoy.topologySpreadConstraints Topology Spread Constraints for pod assignment []
envoy.extraArgs Extra arguments passed to Envoy container []
envoy.automountServiceAccountToken Mount Service Account token in pod false
envoy.hostAliases Add deployment host aliases []
envoy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production). nano
envoy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) {}
envoy.command Override default command []
envoy.args Override default args []
envoy.shutdownManager.enabled Contour shutdownManager sidecar true
envoy.shutdownManager.extraArgs Extra arguments passed to shutdown container []
envoy.shutdownManager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.shutdownManager.resources is set (envoy.shutdownManager.resources is recommended for production). nano
envoy.shutdownManager.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) {}
envoy.shutdownManager.containerPorts.http Specify Port for shutdown container 8090
envoy.shutdownManager.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup. {}
envoy.shutdownManager.containerSecurityContext.enabled Enabled envoy shutdownManager containers’ Security Context true
envoy.shutdownManager.containerSecurityContext.seLinuxOptions Set SELinux options in container {}
envoy.shutdownManager.containerSecurityContext.runAsUser Set envoy shutdownManager containers’ Security Context runAsUser 1001
envoy.shutdownManager.containerSecurityContext.runAsGroup Set contour containers’ Security Context runAsGroup 1001
envoy.shutdownManager.containerSecurityContext.runAsNonRoot Set envoy shutdownManager containers’ Security Context runAsNonRoot true
envoy.shutdownManager.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod’s Security Conte true
envoy.shutdownManager.containerSecurityContext.privileged Set envoy.shutdownManager container’s Security Context privileged false
envoy.shutdownManager.containerSecurityContext.allowPrivilegeEscalation Set envoy shutdownManager container’s Security Context allowPrivilegeEscalation false
envoy.shutdownManager.containerSecurityContext.capabilities.drop List of capabilities to be dropped ["ALL"]
envoy.shutdownManager.containerSecurityContext.seccompProfile.type Set container’s Security Context seccomp profile RuntimeDefault
envoy.shutdownManager.livenessProbe.enabled Enable livenessProbe true
envoy.shutdownManager.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe 120
envoy.shutdownManager.livenessProbe.periodSeconds Period seconds for livenessProbe 20
envoy.shutdownManager.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe 5
envoy.shutdownManager.livenessProbe.failureThreshold Failure threshold for livenessProbe 6
envoy.shutdownManager.livenessProbe.successThreshold Success threshold for livenessProbe 1
envoy.shutdownManager.readinessProbe.enabled Enable/disable the readiness probe true
envoy.shutdownManager.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated 10
envoy.shutdownManager.readinessProbe.periodSeconds How often to perform the probe 3
envoy.shutdownManager.readinessProbe.timeoutSeconds When the probe times out 1
envoy.shutdownManager.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. 3
envoy.shutdownManager.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 1
envoy.shutdownManager.startupProbe.enabled Enable/disable the startup probe false
envoy.shutdownManager.startupProbe.initialDelaySeconds Delay before startup probe is initiated 15
envoy.shutdownManager.startupProbe.periodSeconds How often to perform the probe 10
envoy.shutdownManager.startupProbe.timeoutSeconds When the probe times out 5
envoy.shutdownManager.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. 3
envoy.shutdownManager.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 1
envoy.shutdownManager.customLivenessProbe Override default liveness probe {}
envoy.shutdownManager.customReadinessProbe Override default readiness probe {}
envoy.shutdownManager.customStartupProbe Override default startup probe {}
envoy.initConfig.containerSecurityContext.enabled Enabled envoy initConfig containers’ Security Context true
envoy.initConfig.containerSecurityContext.seLinuxOptions Set SELinux options in container {}
envoy.initConfig.containerSecurityContext.runAsUser Set envoy initConfig containers’ Security Context runAsUser 1001
envoy.initConfig.containerSecurityContext.runAsGroup Set envoy initConfig containers’ Security Context runAsUser 1001
envoy.initConfig.containerSecurityContext.runAsNonRoot Set envoy initConfig containers’ Security Context runAsNonRoot true
envoy.initConfig.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod’s Security Conte true
envoy.initConfig.containerSecurityContext.privileged Set contraller container’s Security Context privileged false
envoy.initConfig.containerSecurityContext.allowPrivilegeEscalation Set contraller container’s Security Context allowPrivilegeEscalation false
envoy.initConfig.containerSecurityContext.capabilities.drop List of capabilities to be dropped ["ALL"]
envoy.initConfig.containerSecurityContext.seccompProfile.type Set container’s Security Context seccomp profile RuntimeDefault
envoy.kind Install as deployment or daemonset daemonset
envoy.replicaCount Desired number of Controller pods 1
envoy.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup. {}
envoy.updateStrategy Strategy to use to update Pods {}
envoy.minReadySeconds The minimum number of seconds for which a newly created Pod should be ready 0
envoy.revisionHistoryLimit The number of old history to retain to allow rollback 10
envoy.autoscaling.enabled Enable autoscaling for Controller false
envoy.autoscaling.minReplicas Minimum number of Controller replicas 1
envoy.autoscaling.maxReplicas Maximum number of Controller replicas 11
envoy.autoscaling.targetCPU Target CPU utilization percentage ""
envoy.autoscaling.targetMemory Target Memory utilization percentage ""
envoy.autoscaling.behavior HPA Behavior {}
envoy.podAffinityPreset Envoy Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard ""
envoy.podAntiAffinityPreset Envoy Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard ""
envoy.nodeAffinityPreset.type Envoy Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard ""
envoy.nodeAffinityPreset.key Envoy Node label key to match Ignored if affinity is set. ""
envoy.nodeAffinityPreset.values Envoy Node label values to match. Ignored if affinity is set. []
envoy.affinity Affinity for Envoy pod assignment {}
envoy.nodeSelector Node labels for Envoy pod assignment {}
envoy.tolerations Tolerations for Envoy pod assignment []
envoy.podAnnotations Envoy Pod annotations {}
envoy.podLabels Extra labels for Envoy pods {}
envoy.podSecurityContext.enabled Envoy Pod securityContext true
envoy.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy Always
envoy.podSecurityContext.supplementalGroups Set filesystem extra groups []
envoy.podSecurityContext.fsGroup User ID for the for the mounted volumes 0
envoy.podSecurityContext.sysctls Array of sysctl options to allow []
envoy.containerSecurityContext.enabled Enabled envoy containers’ Security Context true
envoy.containerSecurityContext.seLinuxOptions Set SELinux options in container {}
envoy.containerSecurityContext.runAsUser Set envoy containers’ Security Context runAsUser 1001
envoy.containerSecurityContext.runAsGroup Set envoy containers’ Security Context runAsGroup 1001
envoy.containerSecurityContext.runAsNonRoot Set envoy containers’ Security Context runAsNonRoot true
envoy.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod’s Security Conte true
envoy.containerSecurityContext.privileged Set envoy container’s Security Context privileged false
envoy.containerSecurityContext.allowPrivilegeEscalation Set envoy container’s Security Context allowPrivilegeEscalation false
envoy.containerSecurityContext.capabilities.drop List of capabilities to be dropped ["ALL"]
envoy.containerSecurityContext.seccompProfile.type Set container’s Security Context seccomp profile RuntimeDefault
envoy.hostNetwork Envoy Pod host network access false
envoy.dnsPolicy Envoy Pod Dns Policy’s DNS Policy ClusterFirst
envoy.tlsExistingSecret Name of the existingSecret to be use in Envoy deployment ""
envoy.serviceAccount.create Specifies whether a ServiceAccount should be created true
envoy.serviceAccount.name The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template ""
envoy.serviceAccount.automountServiceAccountToken Whether to auto mount API credentials for a service account false
envoy.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if create is true. {}
envoy.livenessProbe.enabled Enable livenessProbe true
envoy.livenessProbe.port LivenessProbe port 8002
envoy.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe 120
envoy.livenessProbe.periodSeconds Period seconds for livenessProbe 20
envoy.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe 5
envoy.livenessProbe.failureThreshold Failure threshold for livenessProbe 6
envoy.livenessProbe.successThreshold Success threshold for livenessProbe 1
envoy.readinessProbe.enabled Enable/disable the readiness probe true
envoy.readinessProbe.port ReadinessProbe port 8002
envoy.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated 10
envoy.readinessProbe.periodSeconds How often to perform the probe 3
envoy.readinessProbe.timeoutSeconds When the probe times out 1
envoy.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. 3
envoy.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 1
envoy.startupProbe.enabled Enable/disable the startup probe false
envoy.startupProbe.port StartupProbe port 8002
envoy.startupProbe.initialDelaySeconds Delay before startup probe is initiated 15
envoy.startupProbe.periodSeconds How often to perform the probe 10
envoy.startupProbe.timeoutSeconds When the probe times out 5
envoy.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. 3
envoy.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 1
envoy.customLivenessProbe Override default liveness probe {}
envoy.customReadinessProbe Override default readiness probe {}
envoy.customStartupProbe Override default startup probe {}
envoy.terminationGracePeriodSeconds Envoy termination grace period in seconds 300
envoy.logLevel Envoy log level info
envoy.service.name envoy service name ""
envoy.service.multiAz.enabled enables the rendering of the multiple services false
envoy.service.multiAz.zones defines different zones their annotations and loadBalancerIPs []
envoy.service.targetPorts Map the controller service HTTP/HTTPS port {}
envoy.service.type Type of Envoy service to create LoadBalancer
envoy.service.externalTrafficPolicy Envoy Service external cluster policy. If envoy.service.type is NodePort or LoadBalancer Local
envoy.service.labels Labels to add to te envoy service {}
envoy.service.clusterIP Internal envoy cluster service IP ""
envoy.service.externalIPs Envoy service external IP addresses []
envoy.service.loadBalancerIP IP address to assign to load balancer (if supported) ""
envoy.service.loadBalancerSourceRanges List of IP CIDRs allowed access to load balancer (if supported) []
envoy.service.loadBalancerClass Envoy service Load Balancer Class ""
envoy.service.ipFamilyPolicy , support SingleStack, PreferDualStack and RequireDualStack ""
envoy.service.ipFamilies List of IP families (e.g. IPv4, IPv6) assigned to the service. []
envoy.service.annotations Annotations for Envoy service {}
envoy.service.ports.http Sets service http port 80
envoy.service.ports.https Sets service https port 443
envoy.service.ports.metrics Sets service metrics port 8002
envoy.service.nodePorts.http HTTP Port. If envoy.service.type is NodePort and this is non-empty ""
envoy.service.nodePorts.https HTTPS Port. If envoy.service.type is NodePort and this is non-empty ""
envoy.service.extraPorts Extra ports to expose (normally used with the sidecar value) []
envoy.service.sessionAffinity Session Affinity for Kubernetes service, can be “None” or “ClientIP” None
envoy.service.sessionAffinityConfig Additional settings for the sessionAffinity {}
envoy.networkPolicy.enabled Specifies whether a NetworkPolicy should be created true
envoy.networkPolicy.allowExternal Don’t require server label for connections true
envoy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. true
envoy.networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy []
envoy.networkPolicy.extraEgress Add extra ingress rules to the NetworkPolicy []
envoy.networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces {}
envoy.networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces {}
envoy.useHostPort.http Enable/disable hostPort for TCP/80 false
envoy.useHostPort.https Enable/disable hostPort TCP/443 false
envoy.useHostPort.metrics Enable/disable hostPort for TCP/8002 false
envoy.useHostIP Enable/disable hostIP false
envoy.hostPorts.http Sets hostPort http port 80
envoy.hostPorts.https Sets hostPort https port 443
envoy.hostPorts.metrics Sets hostPort metrics port 8002
envoy.hostIPs.http Sets hostIP http IP 127.0.0.1
envoy.hostIPs.https Sets hostIP https IP 127.0.0.1
envoy.hostIPs.metrics Sets hostIP metrics IP 127.0.0.1
envoy.containerPorts.http Sets http port inside Envoy pod (change this to >1024 to run envoy as a non-root user) 8080
envoy.containerPorts.https Sets https port inside Envoy pod (change this to >1024 to run envoy as a non-root user) 8443
envoy.containerPorts.metrics Sets metrics port inside Envoy pod (change this to >1024 to run envoy as a non-root user) 8002
envoy.initContainers Attach additional init containers to Envoy pods []
envoy.sidecars Add additional sidecar containers to the Envoy pods []
envoy.extraVolumes Array to add extra volumes []
envoy.extraVolumeMounts Array to add extra mounts (normally used with extraVolumes) []
envoy.extraEnvVars Array containing extra env vars to be added to all Envoy containers []
envoy.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Envoy containers ""
envoy.extraEnvVarsSecret Secret containing extra env vars to be added to all Envoy containers ""
envoy.pdb.create Enable Pod Disruption Budget configuration true
envoy.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled ""
envoy.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled ""

Default backend parameters

Name Description Value
defaultBackend.enabled Enable a default backend based on NGINX false
defaultBackend.image.registry Default backend image registry REGISTRY_NAME
defaultBackend.image.repository Default backend image name REPOSITORY_NAME/nginx
defaultBackend.image.digest Default backend image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag ""
defaultBackend.image.pullPolicy Image pull policy IfNotPresent
defaultBackend.image.pullSecrets Specify docker-registry secret names as an array []
defaultBackend.extraArgs Additional command line arguments to pass to NGINX container {}
defaultBackend.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup. {}
defaultBackend.extraEnvVars Array containing extra env vars to be added to all Contour containers []
defaultBackend.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Contour containers ""
defaultBackend.extraEnvVarsSecret Secret containing extra env vars to be added to all Contour containers ""
defaultBackend.extraVolumes Array to add extra volumes []
defaultBackend.extraVolumeMounts Array to add extra mounts (normally used with extraVolumes) []
defaultBackend.initContainers Attach additional init containers to the http backend pods []
defaultBackend.sidecars Add additional sidecar containers to the default backend []
defaultBackend.containerPorts.http Set http port inside Contour pod 8001
defaultBackend.updateStrategy Strategy to use to update Pods {}
defaultBackend.command Override default command []
defaultBackend.args Override default args []
defaultBackend.hostAliases Add deployment host aliases []
defaultBackend.replicaCount Desired number of default backend pods 1
defaultBackend.podSecurityContext.enabled Default backend Pod securityContext true
defaultBackend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy Always
defaultBackend.podSecurityContext.sysctls Set kernel settings using the sysctl interface []
defaultBackend.podSecurityContext.supplementalGroups Set filesystem extra groups []
defaultBackend.podSecurityContext.fsGroup Set Default backend Pod’s Security Context fsGroup 1001
defaultBackend.containerSecurityContext.enabled Enabled defaultBackend containers’ Security Context true
defaultBackend.containerSecurityContext.seLinuxOptions Set SELinux options in container {}
defaultBackend.containerSecurityContext.runAsUser Set defaultBackend containers’ Security Context runAsUser 1001
defaultBackend.containerSecurityContext.runAsGroup Set defaultBackend containers’ Security Context runAsGroup 1001
defaultBackend.containerSecurityContext.runAsNonRoot Set defaultBackend containers’ Security Context runAsNonRoot true
defaultBackend.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod’s Security Conte true
defaultBackend.containerSecurityContext.privileged Set defaultBackend container’s Security Context privileged false
defaultBackend.containerSecurityContext.allowPrivilegeEscalation Set defaultBackend container’s Security Context allowPrivilegeEscalation false
defaultBackend.containerSecurityContext.capabilities.drop List of capabilities to be dropped ["ALL"]
defaultBackend.containerSecurityContext.seccompProfile.type Set container’s Security Context seccomp profile RuntimeDefault
defaultBackend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultBackend.resources is set (defaultBackend.resources is recommended for production). nano
defaultBackend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) {}
defaultBackend.livenessProbe.enabled Enable livenessProbe true
defaultBackend.livenessProbe.httpGet Path, port and scheme for the livenessProbe {}
defaultBackend.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe 30
defaultBackend.livenessProbe.periodSeconds Period seconds for livenessProbe 10
defaultBackend.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe 5
defaultBackend.livenessProbe.failureThreshold Failure threshold for livenessProbe 3
defaultBackend.livenessProbe.successThreshold Success threshold for livenessProbe 1
defaultBackend.readinessProbe.enabled Enable readinessProbe true
defaultBackend.readinessProbe.httpGet Path, port and scheme for the readinessProbe {}
defaultBackend.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe 0
defaultBackend.readinessProbe.periodSeconds Period seconds for readinessProbe 5
defaultBackend.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe 5
defaultBackend.readinessProbe.failureThreshold Failure threshold for readinessProbe 6
defaultBackend.readinessProbe.successThreshold Success threshold for readinessProbe 1
defaultBackend.startupProbe.enabled Enable/disable the startup probe false
defaultBackend.startupProbe.initialDelaySeconds Delay before startup probe is initiated 15
defaultBackend.startupProbe.periodSeconds How often to perform the probe 10
defaultBackend.startupProbe.timeoutSeconds When the probe times out 5
defaultBackend.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. 3
defaultBackend.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 1
defaultBackend.customLivenessProbe Override default liveness probe, it overrides the default one (evaluated as a template) {}
defaultBackend.customReadinessProbe Override default readiness probe, it overrides the default one (evaluated as a template) {}
defaultBackend.customStartupProbe Override default startup probe {}
defaultBackend.podLabels Extra labels for Controller pods {}
defaultBackend.podAnnotations Annotations for Controller pods {}
defaultBackend.priorityClassName Priority class assigned to the pods ""
defaultBackend.schedulerName Name of the k8s scheduler (other than default) ""
defaultBackend.terminationGracePeriodSeconds In seconds, time the given to the default backend pod needs to terminate gracefully 60
defaultBackend.topologySpreadConstraints Topology Spread Constraints for pod assignment []
defaultBackend.podAffinityPreset Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard ""
defaultBackend.podAntiAffinityPreset Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard soft
defaultBackend.nodeAffinityPreset.type Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard ""
defaultBackend.nodeAffinityPreset.key Node label key to match. Ignored if affinity is set. ""
defaultBackend.nodeAffinityPreset.values Node label values to match. Ignored if affinity is set. []
defaultBackend.affinity Affinity for pod assignment. Evaluated as a template. {}
defaultBackend.nodeSelector Node labels for pod assignment. Evaluated as a template. {}
defaultBackend.tolerations Tolerations for pod assignment. Evaluated as a template. []
defaultBackend.service.type Service type ClusterIP
defaultBackend.service.ports.http Service port 80
defaultBackend.service.annotations Annotations to add to the service {}
defaultBackend.networkPolicy.enabled Specifies whether a NetworkPolicy should be created true
defaultBackend.networkPolicy.allowExternal Don’t require server label for connections true
defaultBackend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. true
defaultBackend.networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy []
defaultBackend.networkPolicy.extraEgress Add extra ingress rules to the NetworkPolicy []
defaultBackend.networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces {}
defaultBackend.networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces {}
defaultBackend.pdb.create Enable Pod Disruption Budget configuration true
defaultBackend.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled ""
defaultBackend.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled ""
ingress.enabled Ingress configuration enabled false
ingress.apiVersion Force Ingress API version (automatically detected if not set) ""
ingress.certManager Add annotations for cert-manager false
ingress.annotations Annotations to be added to the web ingress. {}
ingress.hostname Hostname for the Ingress object contour.local
ingress.path The Path to Concourse /
ingress.rulesOverride Ingress rules override []
ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm false
ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) ""
ingress.extraPaths Add additional arbitrary paths that may need to be added to the ingress under the main host. []
ingress.tls TLS configuration. false
ingress.pathType Ingress Path type ImplementationSpecific
ingress.extraHosts The list of additional hostnames to be covered with this ingress record. []
ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. []
ingress.secrets If you’re providing your own certificates, please use this to add the certificates as secrets []
ingress.extraRules Additional rules to be covered with this ingress record []

Metrics parameters

Name Description Value
metrics.serviceMonitor.namespace Specify if the servicemonitors will be deployed into a different namespace (blank deploys into same namespace as chart) ""
metrics.serviceMonitor.enabled Specify if a servicemonitor will be deployed for prometheus-operator. false
metrics.serviceMonitor.jobLabel Specify the jobLabel to use for the prometheus-operator app.kubernetes.io/name
metrics.serviceMonitor.interval Specify the scrape interval if not specified use default prometheus scrapeIntervall, the Prometheus default scrape interval is used. ""
metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics. []
metrics.serviceMonitor.relabelings Specify general relabeling. []
metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint false
metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended ""
metrics.serviceMonitor.selector Specify honorLabels parameter to add the scrape endpoint {}
metrics.serviceMonitor.labels Extra labels for the ServiceMonitor {}
metrics.prometheusRule.enabled Creates a Prometheus Operator prometheusRule false
metrics.prometheusRule.namespace Namespace for the prometheusRule Resource (defaults to the Release Namespace) ""
metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRule will be discovered by Prometheus {}
metrics.prometheusRule.rules Prometheus Rule definitions []

Other parameters

Name Description Value
rbac.create Create the RBAC roles for API accessibility true
rbac.rules Custom RBAC rules to set []
tlsExistingSecret Name of the existingSecret to be use in both contour and envoy. If it is not nil contour.certgen will be disabled. ""

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-release \
  --set envoy.readinessProbe.successThreshold=5 \
    oci://REGISTRY_NAME/REPOSITORY_NAME/contour

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

The above command sets the envoy.readinessProbe.successThreshold to 5.

Troubleshooting

Find more information about how to deal with common errors related to Bitnami’s Helm charts in this troubleshooting guide.

Upgrading

Please carefully read through the guide “Upgrading Contour” at https://projectcontour.io/resources/upgrading/.

To 15.0.0

This major bump changes the following security defaults:

  • runAsGroup is changed from 0 to 1001
  • readOnlyRootFilesystem is set to true
  • resourcesPreset is changed from none to the minimum size working in our test suites (NOTE: resourcesPreset is not meant for production usage, but resources adapted to your use case).
  • global.compatibility.openshift.adaptSecurityContext is changed from disabled to auto.
  • envoy.useHostPort.* are changed from true to false.
  • Added missing liveness and readiness probes in components like shutdown-manager

This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.

To 14.0.0

This major release adds support for Kubernetes PSA restricted mode out of the box. In order to do so, hostNetwork is disabled by default in envoy. In order to maintain hostNetwork in your current installation set envoy.useHostNetwork=true.

To 7.0.0

This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.

Affected values:

  • prometheus renamed as metrics.
  • serviceMonitor.labels renamed as serviceMonitor.selector.
  • service.port renamed as service.ports.xds.
  • service.nodePort renamed as service.nodePorts.xds.
  • contour.updateStrategy and worker.updateStrategy changed from String type (previously default to ‘rollingUpdate’) to Object type, allowing users to configure other updateStrategy parameters, similar to other charts.

To 6.0.0

This version updates the chart to use Contour’s latest release, 1.19.0. Among other features, this new version introduces support for new kinds of CRDs: ContourConfiguration and ContourDeployment. For further information on new features, please refer to the official release notes for this version.

Additionally, exisiting CRDs have been syncronised with the official Contour repository

Considerations when upgrading to this version

If you are installing a fresh chart, you can ignore this section.

If you are upgrading from 5.x of this Helm chart, this is a breaking change as the new CRDs will not overwrite the existing ones. Therefore, you will need to delete the CRDs and let the chart recreate them. Make sure to back up any existing CRs (kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml) unless you have other ways of recreating them.

To 5.2.0

This version bumps the Envoy container from 1.17.X to 1.19.X; this Envoy version is officially supported by Contour since 1.18.0, see https://github.com/projectcontour/contour/releases/tag/v1.18.0

To 5.0.0

In this version it was synchronized CRD with the official Contour repository

Considerations when upgrading to 5.0.0

If you are installing a fresh chart, you can ignore this section.

If you are upgrading from 4.x of this Helm chart, this is a breaking change as the new CRDs will not overwrite the existing ones. Therefore, you will need to delete the CRDs and let the chart recreate them. Make sure to back up any existing CRs (kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml) unless you have other ways of recreating them.

To 4.0.0

The 4.0 version of this chart introduces changes to handle Contour CRD upgrades. While Helm 3.x introduced the crd folder to place CRDs, Helm explicitly does not handle the CRD upgrade scenario.

What changes were introduced in 4.0.0?

  • The resources directory was added that contains all the Contour CRDs, which are imported by the templates/00-crds.yaml manifest on installation and upgrade.
  • If you do not wish for this chart to manage Contour CRDs, set the flag contour.manageCRDs to false when running Helm.

Considerations when upgrading to 4.0.0

If you are installing a fresh chart, or if you are upgrading from a 4.x version of this chart, you can ignore this section.

If you are upgrading from 3.x of this Helm chart, this is a breaking change as the new CRDs will not overwrite the existing ones. Therefore, you will need to delete the CRDs and let the chart recreate them. Make sure to back up any existing CRs (kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml) unless you have other ways of recreating them.

If required, back up your existing Custom Resources:

kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml

Delete the existing Contour CRDs. Note that this step will also delete the associated CRs and impact availability until the upgrade is complete and the backup restored:

kubectl delete extensionservices.projectcontour.io
kubectl delete httpproxies.projectcontour.io
kubectl delete tlscertificatedelegations.projectcontour.io

Upgrade the Contour chart with the release name my-release:

helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/contour

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

If you made a backup earlier, restore the objects:

kubectl apply -f backup.yaml

To 3.0.0

On November 13, 2020, Helm v2 support was formally finished, this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.

What changes were introduced in 3.0.0?

  • Previous versions of this Helm Chart use apiVersion: v1 (installable by both Helm 2 and 3), this Helm Chart was updated to apiVersion: v2 (installable by Helm 3 only). Here you can find more information about the apiVersion field.
  • Move dependency information from the requirements.yaml to the Chart.yaml
  • After running helm dependency update, a Chart.lock file is generated containing the same structure used in the previous requirements.lock
  • The different fields present in the Chart.yaml file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts

Considerations when upgrading to 3.0.0

  • If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn’t face any issues
  • If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn’t support Helm v2 anymore
  • If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the official Helm documentation about migrating from Helm v2 to v3

Useful links

To 2.0.0

Most important changes are:

  • Using helm hooks to generate new TLS certificates for gRPC calls between Contour and Envoy. This enables us to use the same container image for the contour controller and the certgen job without upgrade issues due to JobSpec immutability.
  • Rename parameter contour.createCustomResource to contour.installCRDs
  • Sync CRDs with upstream project examples. Please remember that helm does not touch existing CRDs. As of today, the most reliable way to update the CRDs is, to do it outside helm (Use --skip-crds when using helm v3 and --set contour.installCRDs=false when using helm v2). Read Upgrading Contour and execute the following kubectl command before helm upgrade:
kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/release-{{version}}/examples/contour/01-crds.yaml

This version also introduces bitnami/common, a library chart as a dependency. More documentation about this new utility could be found here. Please, make sure that you have updated the chart dependencies before executing any upgrade.

License

Copyright © 2024 Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

check-circle-line exclamation-circle-line close-line
Scroll to top icon