Contour

Contour is a high-performance, cloud-native ingress controller for Kubernetes, built on Envoy Proxy. It is widely used in AWS, Azure, GCP, and hybrid environments for advanced HTTP/HTTPS routing, TLS termination, and integration with the Gateway API. Contour supports both traditional Ingress and modern Gateway API resources, making it a flexible choice for DevOps teams.


Installation Options

Option 1: YAML (Quick Start)

Install Contour and Envoy using the official YAML manifest:

kubectl apply -f https://projectcontour.io/quickstart/contour.yaml

Verify the Contour pods are ready:

kubectl get pods -n projectcontour -o wide

You should see:

  • 2 Contour pods (Running, 1/1 Ready)

  • 1+ Envoy pods (Running, 2/2 Ready)

Install with Helm for versioned, repeatable deployments:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
helm install my-release bitnami/contour --namespace projectcontour --create-namespace

Verify Contour and Envoy:

kubectl -n projectcontour get po,svc

You should see:

  • pod/my-release-contour-contour (Running, 1/1 Ready)

  • pod/my-release-contour-envoy (Running, 2/2 Ready)

  • service/my-release-contour, service/my-release-contour-envoy

Option 3: Contour Gateway Provisioner (Gateway API)

Provision Contour+Envoy dynamically using the Gateway API:

kubectl apply -f https://projectcontour.io/quickstart/contour-gateway-provisioner.yaml

Verify the deployment:

kubectl -n projectcontour get deployments

Create a GatewayClass and Gateway:

# GatewayClass
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: contour
spec:
  controllerName: projectcontour.io/gateway-controller
---
# Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: contour
  namespace: projectcontour
spec:
  gatewayClassName: contour
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All

Apply with:

kubectl apply -f gateway.yaml

Verify Gateway and pods:

kubectl -n projectcontour get gateways
kubectl -n projectcontour get pods

Real-Life Example: Exposing a Web Application

1. Deploy a Sample App (httpbin)

kubectl apply -f https://projectcontour.io/examples/httpbin.yaml

Verify resources:

kubectl get po,svc,ing -l app=httpbin

You should see:

  • 3 pods/httpbin (Running, 1/1 Ready)

  • 1 service/httpbin (port 80)

  • 1 Ingress (port 80)

2. Set IngressClass (if using Helm)

kubectl patch ingress httpbin -p '{"spec":{"ingressClassName": "contour"}}'

3. Port-Forward to Envoy (for local testing)

# YAML install
kubectl -n projectcontour port-forward service/envoy 8888:80
# Helm install
kubectl -n projectcontour port-forward service/my-release-contour-envoy 8888:80
# Gateway provisioner
kubectl -n projectcontour port-forward service/envoy-contour 8888:80

4. Test the Application

In a browser or with curl:

curl http://local.projectcontour.io:8888/

You should see the httpbin home page.


Best Practices

  • Use Helm for production and GitOps workflows

  • Store all manifests and Helm values in Git

  • Use Gateway API for future-proof, flexible routing

  • Monitor Contour and Envoy with Prometheus/Grafana

  • Restrict external access with network policies and firewalls


References

Tip: Integrate Contour with CI/CD (GitHub Actions, ArgoCD, Flux) for automated ingress and API gateway management in multi-cloud environments.

Last updated