This topic provides reference information for the Contour with Envoy package.
About Contour and Envoy
Contour (https://projectcontour.io/) is a Kubernetes ingress controller that includes the Envoy reverse HTTP proxy. Contour with Envoy is commonly used with other packages, such as ExternalDNS, Prometheus, and Harbor.
Contour Components
Container | Resource Type | Replicas | Description |
---|---|---|---|
Envoy | DaemonSet | 3 | High performance reverse proxy |
Contour | Deployment | 2 | Management and configuration server for Envoy |
Contour Data Values
Below is an example contour-data-values.yaml.
```yaml
infrastructure_provider: vsphere
namespace: tanzu-system-ingress
contour:
  configFileContents: {}
  useProxyProtocol: false
  replicas: 2
  pspNames: "vmware-system-restricted"
  logLevel: info
envoy:
  service:
    type: LoadBalancer
    annotations: {}
    nodePorts:
      http: null
      https: null
    externalTrafficPolicy: Cluster
    disableWait: false
  hostPorts:
    enable: true
    http: 80
    https: 443
  hostNetwork: false
  terminationGracePeriodSeconds: 300
  logLevel: info
  pspNames: null
certificates:
  duration: 8760h
  renewBefore: 360h
```
Contour Configuration
The Contour configuration values are set in contour-data-values.yaml. The table lists and describes the available parameters.
Parameter | Description | Type | Default |
---|---|---|---|
infrastructure_provider | Infrastructure Provider. Supported Values: vsphere, aws, azure | string | Mandatory parameter |
contour.namespace | Namespace where contour will be deployed | string | tanzu-system-ingress |
contour.config.requestTimeout | Client request timeout to be passed to Envoy | time.Duration | 0s (See section below for details) |
contour.config.server.xdsServerType | XDS Server type to use: Supported Values: contour or envoy | string | Null |
contour.config.tls.minimumProtocolVersion | Minimum TLS version that Contour will negotiate | string | 1.1 |
contour.config.tls.fallbackCertificate.name | Name of secret containing fallback certificate for requests that don’t match SNI defined for a vhost | string | Null |
contour.config.tls.fallbackCertificate.namespace | Namespace of secret containing fallback certificate | string | Null |
contour.config.tls.envoyClientCertificate.name | Name of the secret to use as client certificate, private key for TLS connection to backend service | string | Null |
contour.config.tls.envoyClientCertificate.namespace | Namespace of the secret to use as client certificate, private key for TLS connection to backend service | string | Null |
contour.config.leaderelection.configmapName | Name of configmap to be used for contour leaderelection | string | leader-elect |
contour.config.leaderelection.configmapNamespace | Namespace of contour leaderelection configmap | string | tanzu-system-ingress |
contour.config.disablePermitInsecure | Disables ingressroute permitInsecure field | boolean | false |
contour.config.accesslogFormat | Access log format | string | envoy |
contour.config.jsonFields | Fields that will be logged | array of strings | envoy package doc |
contour.config.useProxyProtocol | https://projectcontour.io/guides/proxy-proto/ | boolean | false |
contour.config.defaultHTTPVersions | HTTP versions that Contour should program Envoy to serve | array of strings | "HTTP/1.1 HTTP2" |
contour.config.timeouts.requestTimeout | The timeout for an entire request | time.Duration | Null (timeout is disabled) |
contour.config.timeouts.connectionIdleTimeout | The time to wait before terminating an idle connection | time.Duration | 60s |
contour.config.timeouts.streamIdleTimeout | The time to wait before terminating a request or stream with no activity | time.Duration | 5m |
contour.config.timeouts.maxConnectionDuration | The time to wait before terminating a connection, irrespective of activity | time.Duration | Null (timeout is disabled) |
contour.config.timeouts.ConnectionShutdownGracePeriod | The time to wait between sending an initial and final GOAWAY | time.Duration | 5s |
contour.config.cluster.dnsLookupFamily | dns-lookup-family to use for upstream requests to externalName type services from an HTTPProxy route | string | Null (Supported Values: auto, v4, v6) |
contour.config.debug | Turn on contour debugging | boolean | false |
contour.config.ingressStatusAddress | The address to set on status of every Ingress resource | string | Null |
contour.certificate.duration | Duration for contour certificate | time.Duration | 8760h |
contour.certificate.renewBefore | Duration before contour certificate should be renewed | time.Duration | 360h |
contour.deployment.replicas | Number of contour replicas | integer | 2 |
contour.image.repository | Location of the repository with the Contour image. The default is the public VMware registry. Change this value if you are using a private repository (e.g., air-gapped environment). | string | projects.registry.vmware.com/tkg |
contour.image.name | Name of contour image | string | contour |
contour.image.tag | Contour image tag. This value may need to be updated if you are upgrading the Contour version. | string | v1.11.0_vmware.1 |
contour.image.pullPolicy | Contour image pull policy | string | IfNotPresent |
envoy.image.repository | Location of the repository with the Envoy image. The default is the public VMware registry. Change this value if you are using a private repository (e.g., air-gapped environment). | string | projects.registry.vmware.com/tkg |
envoy.image.name | Name of envoy image | string | envoy |
envoy.image.tag | Envoy image tag. This value may need to be updated if you are upgrading the Envoy version. | string | |
envoy.image.pullPolicy | Envoy image pull policy | string | IfNotPresent |
envoy.hostPort.enable | Flag to expose envoy ports on host | boolean | true |
envoy.hostPort.http | Envoy HTTP host port | integer | 80 |
envoy.hostPort.https | Envoy HTTPS host port | integer | 443 |
envoy.service.type | Type of service to expose envoy. Supported Values: ClusterIP, NodePort, LoadBalancer | string | Mandatory parameter for vSphere: NodePort or LoadBalancer, AWS: LoadBalancer, Azure: LoadBalancer |
envoy.service.annotations | Envoy service annotations | Map (Key-values) | Empty Map |
envoy.service.externalTrafficPolicy | External traffic policy of envoy service. Supported Values: Local, Cluster | string | Cluster |
envoy.service.nodePort.http | Desired nodePort for service of type NodePort used for http requests | integer | Null - Kubernetes assigns a dynamic node port |
envoy.service.nodePort.https | Desired nodePort for service of type NodePort used for HTTPS requests | integer | Null - Kubernetes assigns a dynamic node port |
envoy.deployment.hostNetwork | Run envoy on hostNetwork | boolean | false |
envoy.service.aws.LBType | AWS LB type to be used for exposing envoy service. Supported Values: classic, nlb | string | classic |
envoy.loglevel | Log level to use for envoy | string | info |
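
As an added example (not part of the original documentation or of the Contour project), the following Python script audits a data values file for the security-relevant parameters in the table above, applying the table's defaults when a key is absent. The minimal YAML reader, the finding texts and the sample input are assumptions made for illustration; the input is expected to use the nested form of the table's dotted parameter names.

```python
import re

# Defaults as listed in the parameter table on this page.
DEFAULTS = {
    "contour.config.tls.minimumProtocolVersion": "1.1",
    "contour.config.disablePermitInsecure": "false",
    "contour.config.debug": "false",
    "envoy.deployment.hostNetwork": "false",
}

def flatten_yaml(text):
    """Flatten block-style YAML made of nested maps and scalars into dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) for each map currently open
    for raw in text.splitlines():
        m = re.match(r"^( *)([\w.-]+):\s*(.*?)\s*(?:#.*)?$", raw)
        if not m:
            continue  # blank line, comment, or a construct this reader ignores
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close maps that ended before this line
        if value:
            flat[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return flat

def audit(text):
    """Return (parameter, reason) for each setting a reviewer should question."""
    cfg = {**DEFAULTS, **flatten_yaml(text)}
    findings = []
    key = "contour.config.tls.minimumProtocolVersion"
    if tuple(int(p) for p in cfg[key].split(".")) < (1, 2):
        findings.append((key, f"TLS {cfg[key]} is deprecated (RFC 8996); require 1.2 or later"))
    key = "contour.config.disablePermitInsecure"
    if cfg[key] != "true":
        findings.append((key, "routes may opt in to plain HTTP through permitInsecure"))
    key = "contour.config.debug"
    if cfg[key] == "true":
        findings.append((key, "debug logging is enabled"))
    key = "envoy.deployment.hostNetwork"
    if cfg[key] == "true":
        findings.append((key, "Envoy shares the node's network namespace"))
    return findings

# Constructed sample input (not taken from a real cluster).
SAMPLE = ("infrastructure_provider: vsphere\ncontour:\n  config:\n    debug: true\n"
          "    tls:\n      minimumProtocolVersion: \"1.2\"\n"
          "envoy:\n  deployment:\n    hostNetwork: false\n")

if __name__ == "__main__":
    for param, reason in audit(SAMPLE):
        print(f"{param}: {reason}")
```

An empty file is audited against the table's defaults alone, so it reports the TLS 1.1 minimum and the permitInsecure setting.
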
Route Timeout for File Downloads
The parameter contour.config.requestTimeout defines the Contour route timeout duration. The default value is 0s. If you are using Contour for file transfer, you may need to adjust this value.
According to the Contour documentation, a timeout value of 0s directs Contour to use the Envoy timeout. According to the Envoy documentation, Envoy has a 15 second default timeout. In addition, Envoy expects the entire request-response operation to be completed within the timeout interval.
This means that with the default Contour timeout setting of 0s, file transfer must complete within 15 seconds. For large file transfers, this may not be enough time. To disable the default Envoy timeout, set the contour.config.requestTimeout value to 0.