github.com/projectcontour/contour@v1.28.2/site/content/guides/ingressroute-to-httpproxy.md

---
title: Migrating from IngressRoute to HTTPProxy
layout: page
---

This document describes the differences between IngressRoute and HTTPProxy.
It is intended for Contour users who have existing IngressRoute resources they wish to migrate to HTTPProxy.
It is not intended as comprehensive documentation of HTTPProxy; for that, please see the [`HTTPProxy` documentation][1].

_Note: IngressRoute has been removed from Contour in v1.6._

## The easy way

The simplest way to migrate from IngressRoute to HTTPProxy is to use the `ir2proxy` tool.
Installation instructions are available at [its GitHub repo](https://github.com/projectcontour/ir2proxy).
It can be installed either with Homebrew or by downloading the binary.

This tool can automatically migrate most IngressRoutes to HTTPProxies.
However, due to the behavior changes around the move from delegation to inclusion, not all IngressRoutes can be translated without manual intervention.
The tool will tell you when manual intervention is required.


## Manual conversion notes

### Group, Version and Kind changes

`HTTPProxy` has moved to the `projectcontour.io` group.
The version is `v1`, with all the guarantees a GA API implies.


Before:

```yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
```

### TLS secrets

No change.


Before:

```yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: tls-example
  namespace: default
spec:
  virtualhost:
    fqdn: example.com
    tls:
      secretName: tlssecret
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: tls-example
  namespace: default
spec:
  virtualhost:
    fqdn: example.com
    tls:
      secretName: tlssecret
```

#### TLS Minimum protocol version

No change.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: tls-example
  namespace: default
spec:
  virtualhost:
    fqdn: example.com
    tls:
      secretName: tlssecret
      minimumProtocolVersion: "1.3"
```

#### Upstream TLS validation

No change.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: secure-backend
spec:
  virtualhost:
    fqdn: www.example.com
  routes:
    - conditions:
      - prefix: /
      services:
        - name: service
          port: 8443
          validation:
            caSecret: my-certificate-authority
            subjectName: backend.example.com
```

#### TLS Certificate Delegation

The group and version of the TLSCertificateDelegation CRD have changed.
`contour.heptio.com/v1beta1.TLSCertificateDelegation` has been removed.


Before:

```yaml
apiVersion: contour.heptio.com/v1beta1
kind: TLSCertificateDelegation
metadata:
  name: example-com-wildcard
  namespace: www-admin
spec:
  delegations:
    - secretName: example-com-wildcard
      targetNamespaces:
        - example-com
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: example-com-wildcard
  namespace: www-admin
spec:
  delegations:
    - secretName: example-com-wildcard
      targetNamespaces:
        - example-com
```

### Routing

HTTPProxy offers additional ways to match incoming requests to routes.
This document covers the conversion between the routing offered in IngressRoute and HTTPProxy.
For a broader discussion of HTTPProxy routing, see the [HTTPProxy documentation][1].

Before:

```yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: multiple-paths
  namespace: default
spec:
  virtualhost:
    fqdn: multi-path.bar.com
  routes:
    - match: / # matches everything else
      services:
        - name: s1
          port: 80
    - match: /blog # matches `multi-path.bar.com/blog` or `multi-path.bar.com/blog/*`
      services:
        - name: s2
          port: 80
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: multiple-paths
  namespace: default
spec:
  virtualhost:
    fqdn: multi-path.bar.com
  routes:
    - conditions:
      - prefix: / # matches everything else
      services:
        - name: s1
          port: 80
    - conditions:
      - prefix: /blog # matches `multi-path.bar.com/blog` or `multi-path.bar.com/blog/*`
      services:
        - name: s2
          port: 80
```

#### Multiple services

No change.

#### Upstream weighting

No change.


#### Response timeout

`routes.timeoutPolicy.request` has been renamed to `routes.timeoutPolicy.response` to more accurately reflect that it is the timeout for the response.

Before:

```yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: request-timeout
  namespace: default
spec:
  virtualhost:
    fqdn: timeout.bar.com
  routes:
    - match: /
      timeoutPolicy:
        request: 1s
      services:
        - name: s1
          port: 80
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: request-timeout
  namespace: default
spec:
  virtualhost:
    fqdn: timeout.bar.com
  routes:
    - conditions:
      - prefix: /
      timeoutPolicy:
        response: 1s
      services:
        - name: s1
          port: 80
```

#### Prefix rewriting

Prefix rewriting is supported in HTTPProxy.

Before:

```yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: app
  namespace: default
spec:
  virtualhost:
    fqdn: app.example.com
  routes:
    - match: /
      services:
        - name: app
          port: 80
    - match: /service2
      prefixRewrite: "/" # Setting this rewrites the request from `/service2` to `/`
      services:
        - name: app-service
          port: 80
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: app
  namespace: default
spec:
  virtualhost:
    fqdn: app.example.com
  routes:
    - conditions:
      - prefix: "/"
      services:
        - name: app
          port: 80
    - conditions:
      - prefix: "/service2"
      pathRewritePolicy:
        replacePrefix:
          - replacement: / # app-service will see client requests to `/service2` coming in to `/`
      services:
        - name: app-service
          port: 80
```

### Load balancing strategies

Per service load balancing strategy has moved to a per route strategy that
applies to all services for that route.

Before:

```yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: lb-strategy
  namespace: default
spec:
  virtualhost:
    fqdn: strategy.bar.com
  routes:
    - match: /
      services:
        - name: s1-strategy
          port: 80
          strategy: WeightedLeastRequest
        - name: s2-strategy
          port: 80
          strategy: WeightedLeastRequest
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: lb-strategy
  namespace: default
spec:
  virtualhost:
    fqdn: strategy.bar.com
  routes:
    - services:
        - name: s1-strategy
          port: 80
        - name: s2-strategy
          port: 80
      loadBalancerPolicy:
        strategy: WeightedLeastRequest
```

### Session affinity

See above.

### Per upstream health check

Per service health check has moved to a per route health check that applies to all services for that route.


Before:

```yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: health-check
  namespace: default
spec:
  virtualhost:
    fqdn: health.bar.com
  routes:
    - match: /
      services:
        - name: s1-health
          port: 80
          healthCheck:
            path: /healthy
            intervalSeconds: 5
            timeoutSeconds: 2
            unhealthyThresholdCount: 3
            healthyThresholdCount: 5
        - name: s2-health # no health-check defined for this service
          port: 80
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: health-check
  namespace: default
spec:
  virtualhost:
    fqdn: health.bar.com
  routes:
    - conditions:
      - prefix: /
      healthCheckPolicy:
        path: /healthy
        intervalSeconds: 5
        timeoutSeconds: 2
        unhealthyThresholdCount: 3
        healthyThresholdCount: 5
      services:
        - name: s1-health
          port: 80
        - name: s2-health
          port: 80
```

### Websocket support

No change.

### External name support

No change.

## IngressRoute delegation

IngressRoute delegation has been replaced with HTTPProxy inclusion.
Functionally, inclusion is similar to delegation.
In both scenarios the routes from one document are combined with those of the parent.

The key difference between IngressRoute's delegation and HTTPProxy's inclusion is that the former has the appearance of being scoped by the path of the route to which it was attached.
As we explored the design of the next revision of IngressRoute, the tight coupling of the properties of an incoming HTTP request: its path, its IP address, its headers, and so on--fundamentally run time concepts--with the inclusion of some configuration from another IngressRoute--which is definitely a configuration time concept--led us to unanswerable questions like "what does it mean to delegate to an IngressRoute via a header".


This Gordian Knot was severed by decoupling the inclusion of one document into its parent from the facility to place restrictions on what route matching conditions could be specified in that document.
The former we call _inclusion_, the latter are known as _conditions_.
This section discusses conversion from delegation to inclusion; please see the [HTTPProxy documentation][1] for a discussion of conditions.

Before:

```yaml
# root.ingressroute.yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: delegation-root
  namespace: default
spec:
  virtualhost:
    fqdn: root.bar.com
  routes:
    - match: /
      services:
        - name: s1
          port: 80
    - match: /service2
      delegate:
        name: www
        namespace: www
---
# service2.ingressroute.yaml
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: www
  namespace: www
spec:
  routes:
    - match: /service2
      services:
        - name: s2
          port: 80
    - match: /service2/blog
      services:
        - name: blog
          port: 80
```

After:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: delegation-root
  namespace: default
spec:
  virtualhost:
    fqdn: root.bar.com
  includes:
    - conditions:
      - prefix: /service2
      name: www
      namespace: www
  routes:
    - conditions:
      - prefix: /
      services:
        - name: s1
          port: 80
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: www
  namespace: www
spec:
  routes:
    - conditions:
      - prefix: / # matches /service2
      services:
        - name: s2
          port: 80
    - conditions:
      - prefix: /blog # matches /service2/blog
      services:
        - name: blog
          port: 80
```

### Virtualhost aliases

No change.

### Inclusion across namespaces

As above. No change.

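
The delegation-to-inclusion conversion shown above, as an added Python example (not Contour or `ir2proxy` code): it rewrites a root and its delegated child, re-basing the child's routes on the include prefix and reporting routes that fall outside it and so need manual review. The function names are hypothetical, resources are plain dicts rather than parsed YAML, and the `/service20` route is constructed to show the path-segment boundary case.

```python
# Added example (not Contour or ir2proxy code): delegation -> inclusion on plain dicts.

def strip_prefix(path, prefix):
    """Path relative to the include prefix, or None if it lies outside it."""
    prefix = prefix.rstrip("/")
    if path == prefix:
        return "/"
    if path.startswith(prefix + "/"):
        return path[len(prefix):]
    return None  # e.g. /service20 is not under /service2

def convert_root(root):
    """Routes with `delegate` become `includes`; the rest become `routes`."""
    spec = {"virtualhost": root["spec"]["virtualhost"], "includes": [], "routes": []}
    for r in root["spec"]["routes"]:
        cond = [{"prefix": r["match"]}]
        if "delegate" in r:
            spec["includes"].append({"conditions": cond, **r["delegate"]})
        else:
            spec["routes"].append({"conditions": cond, "services": r["services"]})
    return {"apiVersion": "projectcontour.io/v1", "kind": "HTTPProxy",
            "metadata": root["metadata"], "spec": spec}

def convert_child(child, include_prefix):
    """Re-base child routes on the include prefix; collect those needing manual work."""
    routes, manual = [], []
    for r in child["spec"]["routes"]:
        rel = strip_prefix(r["match"], include_prefix)
        if rel is None:
            manual.append(r["match"])
        else:
            routes.append({"conditions": [{"prefix": rel}], "services": r["services"]})
    proxy = {"apiVersion": "projectcontour.io/v1", "kind": "HTTPProxy",
             "metadata": child["metadata"], "spec": {"routes": routes}}
    return proxy, manual

# The page's "Before" documents as dicts; /service20 is a constructed extra route.
ROOT = {"metadata": {"name": "delegation-root", "namespace": "default"},
        "spec": {"virtualhost": {"fqdn": "root.bar.com"}, "routes": [
            {"match": "/", "services": [{"name": "s1", "port": 80}]},
            {"match": "/service2", "delegate": {"name": "www", "namespace": "www"}}]}}
CHILD = {"metadata": {"name": "www", "namespace": "www"},
         "spec": {"routes": [
             {"match": "/service2", "services": [{"name": "s2", "port": 80}]},
             {"match": "/service2/blog", "services": [{"name": "blog", "port": 80}]},
             {"match": "/service20", "services": [{"name": "constructed", "port": 80}]}]}}

if __name__ == "__main__":
    import json
    proxy, manual = convert_child(CHILD, "/service2")
    print(json.dumps([convert_root(ROOT), proxy], indent=2))
    print("needs manual review:", manual)
```
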

### Orphaned HTTPProxies

No change.
Orphaned status will be reported on _child_ HTTPProxy objects that are not included by any _root_ HTTPProxy records.

### Restricted root namespaces

The `--ingressroute-root-namespace` flag has been renamed to `--root-namespaces` for obvious reasons.
The old name has been removed.
See the [upgrading documentation]({% link _resources/upgrading.md %}) for more information on upgrading Contour.

### TCP Proxying

No change.

### TLS Termination

No change.

### TLS Passthrough

No change.

### Status reporting

Status reporting on HTTPProxy objects is similar in scope and function to IngressRoute status.

[1]: /docs/{{< param latest_version >}}/httpproxy