Okay, hi everyone. Thanks for joining our Contour project update. Let's do a couple of quick intros. So my name is Steve Kriss. I'm a staff engineer at VMware and I'm a Contour maintainer.

My name is Nigel. I am a senior developer advocate at Intuit and community manager for Contour. So what is Contour? It's an open source ingress controller. It's a control plane for Envoy. How many of you all have used Contour before? Cool. If you have used Contour and you don't work at VMware? I mean, I'll say, all right, cool. For those of you who are not familiar with what Contour does, what ingress does, in short: it helps you get traffic from out into the world, from in the world into your Kubernetes clusters. It's not a new project. It's been incubating here with the CNCF since 2020, and it is currently used in production at scale at VMware and many other places. So it supports HTTPProxy, the CRD that was introduced by this project, as well as Ingress and the Gateway API as that grows. Oh, yeah, a little bit about where it came from.

Yeah, so let's take a quick look at the timeline of the project. So the project was first open-sourced out of Heptio back in 2017, so coming up on six years ago. 2019, the v1 of the project was released, and this included v1 of the HTTPProxy CRD. 2020 was when we were donated to the CNCF at the incubating level, so we've been a CNCF project for three years now. 2021, we had the first Contour release with Gateway API support. So Contour maintainers have been involved in the Gateway API project since the inception of that project, and actually one of our emeritus maintainers, Nick Young, was a founder, a co-founder, of Gateway API. So yeah, 2021, our first release with Gateway API support, and we've continued to develop that through today. Later in 2021 we moved from a monthly release cycle to a quarterly release cycle, so new releases every three months. We also moved to supporting the previous three minor releases.
So each minor release series now gets nine months of support, which includes critical bug fixes and CVE fixes. And then fast forward to today. So coming up in just another week or two, in early May, we're gonna have v1.25 out, and that will include a bunch of new features that we'll look at in a few minutes.

So yeah, let's take a look at kind of the typical deployment architecture for Contour. So Contour is an in-cluster ingress controller. It's deployed into your Kubernetes cluster. It's comprised of two components, right? So you have the control plane, which is really Contour itself, and then you have the data plane, which is Envoy proxy. And typically Envoy is deployed into your cluster as a DaemonSet, so you have a replica running on each node. You can also use a Deployment for Envoy, depending on kind of the scale of your cluster and your needs for your installation there. And then the Contour component, the control plane component, is really responsible for sitting in the cluster and watching all of your Kubernetes API resources: so HTTPProxy, Gateway API, Ingress for your routing rules, and then also Services, Endpoints, Secrets for the additional information that's needed to perform routing. And then Contour is translating that information into Envoy configuration, into the xDS protocol, and sending that out to all the Envoys in your cluster.

And then Envoy is really the data plane, the data path component of this, and so typically it's exposed to outside the cluster through an L4 load balancer. You have a single load balancer that's routing traffic from outside of your cluster into the fleet of Envoy proxies. There are a number of other ways that you can expose Envoy to the outside world. You can use NodePort services, host ports, host networking. But the most typical way to do this is through a load balancer, and then so that traffic is coming in to the Envoy proxies, and then based on the configuration that Contour has provided to Envoy,
Envoy is making routing decisions and forwarding that traffic to the appropriate back-end, like Nigel said, typically based on, you know, path, header, query parameter properties and various other things.

Okay, so why might you choose Contour? Well, first of all, it is based on Envoy. How many of you were at the Envoy video yesterday, the movie? Was it good? How was it? Yeah, yeah, awesome. Mostly ringing endorsement. The people watching this online, they don't know any different. So Envoy proxy is the reverse proxy that Contour implements as the data path. It is a well-established project that came out of Lyft. If you went to the video yesterday, then you know quite a lot about it. But essentially it is a very widely used cloud native open source project for doing all of the things that you would need to do for traffic inside of Kubernetes. It's performant. It's observable. It's amazing. And yeah, you might use Contour because it is like this control layer for Envoy and does a really good job of getting ingress and handling networking for your clusters. Some of the advanced features...

Yeah, so Contour's, over time, exposed more and more of the Envoy feature set, particularly in the kind of L7 HTTP space. So, you know, if you have simple use cases around just doing path-based routing or simple routing, Contour's great, but if you have more advanced kind of API gateway type features that you require, Contour can kind of grow in complexity with you as well.
So, you know, any number of things, from cookie rewrites to WebSocket support, gRPC and gRPC-Web support. We have support for Envoy's local and global rate limiting, external authorization, so many different features, and I'm not going to go into all of them right now. But yeah, many, many different features that you can use, and we continue to expose more and more of the Envoy API surface, particularly, like I said, around L7 traffic routing. So if you do have a need that Contour doesn't already support, we'd love to have you show up in the community and let us know and see if we can get it into the project.

Yeah, another great thing about Contour is that it does support multiple configuration APIs. So, you know, we really are able to meet users where they are. We know that everyone has kind of their own preferences and their own requirements around how to configure routing rules. And so, you know, first and foremost is Contour's HTTPProxy CRD, and this one exposes all the features of Contour. It's developed kind of in collaboration with Contour, in concert with Contour, and so exposes all the features. It's stable, as I mentioned earlier.
It's v1. And so you have backwards compatibility guarantees, so you don't need to worry about breaking changes in the API from release to release. And yeah, it's great for simple use cases. If you look at some of the basic examples, it's very kind of concise and expressive for simple use cases, but can expand to give you access to all those advanced features.

We also support Gateway API. So as I mentioned, we've been involved with this project for quite a while, and for those of you who aren't familiar, I assume most of you are, but this is really kind of the next generation upstream service networking API that's been developed out of SIG Networking. And yeah, it's currently in beta. Most of the core L7 resources are in beta, rapidly approaching GA later this year, and so we're looking forward to that. And it comes with an ever-growing set of conformance tests so that any implementation of Gateway API can run these conformance tests and ensure that they're implementing the API in the right way. And so we've been tracking those conformance tests, we've actually been contributing many of those tests as well, and we have a conformant implementation at this point, and as the API continues to progress to GA, we'll continue to keep up with those conformance tests. And yeah, Gateway API is a really great API. You know, it's role-oriented, so kind of differentiates between platform operator roles, application operator roles, and so if that's important to you, it's a great API to use. It has a really good breadth of features, with extensibility baked into the API.
So the core API maybe doesn't have quite all of the features that HTTPProxy does, but there are extension points for implementations to add their own additional features, so definitely a great choice.

And then Contour also supports Ingress, right? Everyone needs to support Ingress. This isn't something we're putting a lot of additional development effort into at this point. We support the core spec and some of the common annotations, and have some Contour-specific annotations as well. For us, this is, you know, primarily kind of a migration path, if you're using another ingress controller and are interested in Contour, to be able to easily migrate and then potentially look at a different API from there.

Yeah, so again, we want to emphasize that you can use this right now. It is production ready. People are running it. It is amazing. It's used at scale, and the last three minor releases, I see a lot of the emails come in where folks are reporting, "Hey, we found a vulnerability," and seeing that get patched for your, like, long-running versions of Contour. So yeah, if you are interested, please dig in.

We also want to emphasize the community for Contour. The community is, in my opinion, a big part of what makes the Contour community, or what makes Contour great, is like having a community around it. So I also want to thank you all for showing up here and being a part of our community. If you would like, you can pat yourself on the back or give yourself some applause. No? It's not that early. Come on. Give me something. Give me something. Okay. Okay.
Yes. Thank you all for showing up to this talk, for hearing us give you updates on Contour. If you want to connect more with the community, there are a lot of ways to do that. We have them listed here on the slide, including joining us in the K8s Slack workspace. We also have this Google group here, which is where we'll be emailing out a lot of the major updates, anything that's coming up, when we're having community meetings, or we're gonna be rolling out new updates or bug fixes, patch releases come out. You'll want to join the email list there. And then we have various other ways for you to connect with us. You can see our amazing metrics of how people are getting involved.

But we definitely want to emphasize the growth of the community, and one of the things that we're working towards is actively seeking more folks to be maintainers on the Contour project. And I think for a lot of people maintainership sounds like a daunting task and unapproachable, at least it did for me. And we want to emphasize that it is a path that we are outlining, and there are many, many ways to get involved. We would love for Contour to graduate, and one of the things we're looking for as a health metric is more companies involved in driving the project. We have roles outlined in our community/governance docs, so in the Contour GitHub project there's a repo for community, and outlined, we have community roles. And you can see that one of the easiest ways to get involved is by reviewing PRs. You engineers are an opinionated bunch, and we would love to hear your opinions, in a nice and loving way, for all of the features that folks are wanting to add or the issues that people are having. You know, our golden rule with communities: you know, just try to be the person that you wish you had. You know, who would you feel safe coming to with your issues or with your PRs? And be that person for someone else and help them on their development journey.
So right now, today, you can go review PRs. We had a great ContribFest session yesterday. Were any of you there for that? I know Tara was, one of our other maintainers. Anyone else? Yeah, well, we had a bunch of new contributors coming and submitting PRs to Contour. It was amazing to see that community grow, and we need you all to help us out with some reviews, as well as community support in the Slack channel. Benefits of maintainership: helping to drive the project, also helping to see the project be stable, longevity, grow, get bigger. And we want to see more folks take an interest in helping to drive the project.

Our community meeting cadence, we changed up a bit. We found that it was overwhelming, what we're going through in the last year, and so we took a bit of a break and we're bringing them back. And the way they're structured now is to happen a couple weeks after a release, to give you time to get hands on, as well as to get at the beginning of the release cycle for the next release. So if you have ideas that are coming into it that you want to bring in the next Contour release, you can come to the community meeting, give us design docs, give us feedback, anything that you're looking for, so that we can incorporate those as we are in the engineering cycle for getting the next version of Contour out. We had a very successful ad hoc meeting in February that came about, custom engineers at some places were like, "Hey, we haven't seen a community meeting in a while, we have things we want to discuss," and it ended up being very good, lively discussion. And Steve is going to talk a bit about some of the design docs that got submitted from the community and some of the features that have been added to Contour very recently from community input. So yeah, two weeks post release, additionally available ad hoc.

And then we're also starting an initiative to get educational materials for new users. As you all are well aware, networking is very hard and people often get lost, and so we want to have a
place for people to come to learn networking in a holistic way that's gonna get them from "I don't know how ports work" to the CNI, to now networking in Kubernetes, to configuring Envoy and Contour and being networking superstars. So as we're developing that educational material, we want to hear from you. Like, what are some of the things that were helpful for you as you were on your learning journey that we can put out as some content for folks to get up to speed on learning networking and Kubernetes? So these are some questions to kind of spur your thinking. If you have any feedback, I am open to hear. I welcome you sharing that with me so that we can work together to make some great material for folks trying to get involved in networking in the Contour...

All right, so we wanted to highlight some recent work that has been merged into Contour or is soon to be merged and will be in the upcoming release. And so I have three features to highlight, and what's really exciting about these features is that they were all community driven. So these were things that, some of them were in our backlog already, some of them were new ideas, but these were things where community members who had a particular need showed up to the community, worked on design docs, and then worked on implementation and really saw these features through to completion. And so within the span of one release cycle, three months, we were able to get these features designed, implemented and into the release.

So the first one we've got here is tracing support with OpenTelemetry. So this is a long-standing feature request in Contour. I think before we closed the issue, it was actually the fourth oldest issue in the repository, number three hundred ninety nine or something like that.
So super excited to finally see this come to Contour. We had been recently kind of waiting for Envoy's OpenTelemetry support to land and to be ready to use. We wanted to rally around OpenTelemetry as a standard here. And so the contributor who worked on this was yangi 93. Once this support merged in Envoy, they showed up and wrote up a design doc. We went through some rounds of feedback and got that design doc merged, and then got an implementation up. And so yeah, so you can see here that, on the left, tracing is configured within the Contour configuration file, or a ContourConfiguration CRD if you're using that, so you have kind of a single global tracing configuration for your Contour instance. You would deploy an OpenTelemetry collector within your cluster and then reference that through an extension service, which, if you've used external authorization or rate limiting, you're familiar with extension services. And then some additional parameters around tags that are added to your traces and various other things. And then on the right here, I just grabbed an example of a tracing span that's emitted in kind of the logging format. So you can see that you get the request log, you get various information about the host, the URL, any sort of headers or parameters, and custom tags are added here as well. So again, super excited to see this land. We really appreciate yangi 93 showing up and doing this work, and hopefully this is something that you all can use.

Next up was a feature which was external authorization support for HTTP virtual hosts, non-TLS-terminated virtual hosts. So Contour has supported external authorization for TLS virtual hosts for quite a while now. We've had that support, but because of some technical challenges around how kind of filter chains are configured in Envoy, we didn't have support for configuring external auth for plain HTTP virtual hosts.
And so a contributor, relatively new contributor, Clayton Gonzovis, had a need for this feature. They wanted to be able to do external authorization for HTTP virtual hosts, and so again showed up and talked with the maintainers about kind of an idea for an implementation path and got a design in place, and was able to get an implementation in. This will ship in 1.25. And so the way this is implemented is that, with TLS virtual hosts, you can configure an external authorization server on the root HTTPProxy for the virtual host. For plain HTTP virtual hosts, what we do is we define a single global external authorization server. And so again, this is defined in the Contour configuration file or the ContourConfiguration CRD. And so this global external authorization server then becomes the default server that's used for all of your virtual hosts. And so by default it applies both to plain HTTP virtual hosts as well as TLS virtual hosts. Now, if you want to override the external auth server, so use a different server for a particular TLS vhost, you can still specify those settings in an individual HTTPProxy, and the proxy level settings will take precedence over the global ones. You're also able to disable external auth for any particular root HTTPProxy. So yeah, again, super excited to have this land. It kind of fills a gap in terms of support for this feature, and we're looking forward to having this be used going forward.

And then finally, we're just about to land support for IP allow lists and block lists, IP filtering. And so this work was contributed by E Cordell. Again, went through the design process. This was something we had had in the backlog for quite a while but hadn't been able to have rise to the top of the priority list. But E Cordell had a need for this, and so showed up and put the work in and got it implemented. So this can be configured at either the virtual host or the route level, with route level
configuration taking precedence over virtual host. You can specify either an allow policy or a deny policy, and so an allow policy will allow only those IPs that are specified in the policy. A deny policy will deny any IPs that are specified in the policy. And so you can see on the right here kind of the Envoy configuration for the RBAC filter that's emitted here.

So yeah, I just wanted to kind of recap and say that we were super excited to have all these contributors show up. This is really kind of what makes Contour great and unique, I think, is when folks show up who have needs and help us drive the project forward. There's only so much that kind of the core maintainer and core contributor team can do, but if we have folks show up and kind of help out with their own needs, we can get more and more functionality into the project.

All right, so we want to take a look at the roadmap and what we have on the docket for the future of the project. So first up is extensibility, and this is really around kind of data plane, data path extensibility. So we have heard for a long time that folks are interested in having some way to do kind of arbitrary modifications as requests are going through the data path, and so we've had requests for Lua scripting, for Wasm, for now the external processing filter that Envoy supports, and various other forms of extension, of extensibility. We've been a little bit hesitant to merge this into the project because it does open up kind of a whole can of worms and potentially enables users to kind of get themselves into trouble, making modifications to requests that can have adverse impact on the data path. But we've heard loud and clear that folks are really interested in this and need this to be able to support their production use cases. So we're taking a new look at this. It seems like the community is kind of rallying around the external processing filter that Envoy supports as a good kind of first path
to go down for extensibility, and that the implementation of it would look very similar to kind of the extension service and external service pattern that we use for external auth, for rate limiting, and now for tracing, so it's a well established design pattern in Contour. So we hope that we can get to a design doc, get that in place, and at least get some proofs of concept done, and hopefully merge some support for this later in the year.

Next up, as I mentioned earlier, we're a conformant Gateway API implementation, and we want to keep up with those conformance tests and the API spec as it approaches GA. This is definitely important to us to support, and so we will continue to work on that.

Next up is kind of improving our efficiency at scale. So Contour is already run at large scale, and probably many of you are running it in large clusters. We do think we can make some additional improvements just in terms of optimizing memory and CPU utilization so that it can be kind of as efficient as possible. So we have some ideas here for improvements, and we'll look to work on that later in the year.

Finally, we want to improve the observability of the control plane. So Envoy itself has really great observability, and on the data path you are able to take advantage of all the metrics and statistics it emits, and Contour, the control plane, has some of that as well. But we think we can make some improvements, and so when issues pop up, having that observability in the control plane itself is really helpful for operability. So definitely want to make a push here to ensure that Contour is just kind of as easy to operate as possible and gives you the most insight into what's going on.

And finally, yeah, come join us and help build out the roadmap.
We're definitely open to feature requests, ideas for where to take the project, and we would love to get input from folks who are users. So yeah, come join us and help define the roadmap.

Yeah, again, please get involved. You can go deeper with Contour governance and maintainership, come to our community meetings, keep contributing, and let us know how we can support you. So for the folks that are users now that want to step up into a more contributor role, want to give back to the community, one way to do that is by just letting us know. Like, tell us, "Hey, I have an interest in this project and I could use a little support." I think that one of the things that I wish that engineers would have told me was that a lot of times features aren't implemented in open-source projects not because they're like super hard, but generally people have different time and priorities. So there's a lot of stuff that we can do to support engineers on their journey to contributing to open source. So please just let us know how we can help you. Again, here's how you can find us on the internet. Like and subscribe. And yeah, let us know if you have any questions.

Yeah, we appreciate you all coming so much. We have a small token of our appreciation here at center stage if you want to come and grab one, but yeah, who has questions? Nobody? Come on. Yes?

Sorry, I couldn't totally hear. The question was, do we work together with the W3? We don't work with them, no. We, you know, use Envoy as the data path, as the proxy, and so we're relying on Envoy's kind of HTTP implementation.

Another question? Another question? It's Friday. The conference is almost over. You're about to go home. You got an opportunity, ask questions, put us on the spot. You're not gonna take advantage of that? For real? It's like that? Okay. Okay, going one... I'm just kidding. Um, well, uh, thank you so much. You can leave feedback for us here on... Oh, we have a question. Yes, please. My bad. Back... See, I should have kept town.
Yeah. How are you aligned with the Envoy Gateway project?

Yeah, that's a great question. So I think a year ago that project was announced, and Contour maintainers, the Contour team, were part of kind of the founding of that project. And so we helped bootstrap it and get it off the ground. At this point, you know, we have limited capacity as maintainers, and so we're primarily focusing on the needs of our Contour users, and focus, and we see that there's a lot of demand for improvements to the HTTPProxy CRD. So that's where our focus is right now. We think, you know, long term, as the Envoy Gateway project evolves and really reaches kind of a stable, mature production state, that, you know, there's potentially a possibility to leverage it to kind of replace Contour's Gateway API implementation. But I don't think we're there right now. You know, we've been working on Contour's implementation for two years and we feel pretty good about where it is. It's stable, and we know that we have folks using it in production environments. So I think, you know, still to be determined exactly how we end up leveraging that project. But we're super excited to see it continue to be developed and to see the community grow around it.

Thank you. Great question. Y'all gonna make me count again? No? Are we good? All right, I'll put the QR code back up. Thank you all so much for coming. We'll see you around. Cheers.