Contour
Contour is a high-performance, cloud-native ingress controller for Kubernetes, built on Envoy Proxy. It is widely used in AWS, Azure, GCP, and hybrid environments for advanced HTTP/HTTPS routing, TLS termination, and integration with the Gateway API. Contour supports both traditional Ingress and modern Gateway API resources, making it a flexible choice for DevOps teams.
Installation Options
Option 1: YAML (Quick Start)
Install Contour and Envoy using the official YAML manifest:
kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
Verify the Contour pods are ready:
kubectl get pods -n projectcontour -o wide
You should see:
2 Contour pods (Running, 1/1 Ready)
1+ Envoy pods (Running, 2/2 Ready)
Option 2: Helm (Recommended for Production)
Install with Helm for versioned, repeatable deployments:
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
helm install my-release bitnami/contour --namespace projectcontour --create-namespace
Verify Contour and Envoy:
kubectl -n projectcontour get po,svc
You should see:
pod/my-release-contour-contour (Running, 1/1 Ready)
pod/my-release-contour-envoy (Running, 2/2 Ready)
service/my-release-contour, service/my-release-contour-envoy
Option 3: Contour Gateway Provisioner (Gateway API)
Provision Contour+Envoy dynamically using the Gateway API:
kubectl apply -f https://projectcontour.io/quickstart/contour-gateway-provisioner.yaml
Verify the deployment:
kubectl -n projectcontour get deployments
Create a GatewayClass and Gateway (saved here as gateway.yaml):
# GatewayClass
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: contour
spec:
  controllerName: projectcontour.io/gateway-controller
---
# Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: contour
  namespace: projectcontour
spec:
  gatewayClassName: contour
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
Apply with:
kubectl apply -f gateway.yaml
Verify Gateway and pods:
kubectl -n projectcontour get gateways
kubectl -n projectcontour get pods
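The quickstart Gateway sets allowedRoutes.namespaces.from: All, so a route created in any namespace can attach to the listener. The manifest below is an added example, not part of the Contour quickstart: it is the same Gateway with attachment limited to labelled namespaces. The label gateway-access: contour, the team-a namespace and the httpbin Service in it are assumptions.

```yaml
# Added example, not from the Contour quickstart.
# Same Gateway as above, with route attachment limited by namespace label.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: contour
  namespace: projectcontour
spec:
  gatewayClassName: contour
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          # Weak setting in the quickstart manifest: any namespace may attach routes.
          # from: All
          from: Selector
          selector:
            matchLabels:
              gateway-access: contour   # assumed label, choose your own
---
# A namespace opted in by carrying the label (the name team-a is an assumption).
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    gateway-access: contour
---
# HTTPRoute in the labelled namespace; it attaches because team-a matches the selector.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: httpbin
  namespace: team-a
spec:
  parentRefs:
    - name: contour
      namespace: projectcontour
  rules:
    - backendRefs:
        - name: httpbin   # assumes a Service named httpbin exists in team-a
          port: 80
```

A route in a namespace without the label is not attached; its status shows the Accepted condition as False with reason NotAllowedByListeners, visible with kubectl get httproute -o yaml.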
Real-Life Example: Exposing a Web Application
1. Deploy a Sample App (httpbin)
kubectl apply -f https://projectcontour.io/examples/httpbin.yaml
Verify resources:
kubectl get po,svc,ing -l app=httpbin
You should see:
3 pods/httpbin (Running, 1/1 Ready)
1 service/httpbin (port 80)
1 Ingress (port 80)
2. Set IngressClass (if using Helm)
kubectl patch ingress httpbin -p '{"spec":{"ingressClassName": "contour"}}'
3. Port-Forward to Envoy (for local testing)
# YAML install
kubectl -n projectcontour port-forward service/envoy 8888:80
# Helm install
kubectl -n projectcontour port-forward service/my-release-contour-envoy 8888:80
# Gateway provisioner
kubectl -n projectcontour port-forward service/envoy-contour 8888:80
4. Test the Application
In a browser or with curl:
curl http://local.projectcontour.io:8888/
You should see the httpbin home page.
Best Practices
Use Helm for production and GitOps workflows
Store all manifests and Helm values in Git
Use Gateway API for future-proof, flexible routing
Monitor Contour and Envoy with Prometheus/Grafana
Restrict external access with network policies and firewalls
Tip: Integrate Contour with CI/CD (GitHub Actions, ArgoCD, Flux) for automated ingress and API gateway management in multi-cloud environments.