---
title: Announcing Contour v1.9.0
image: /img/posts/contourauth.png
excerpt: This blog post covers External Authorization and Cross-Origin Resource Sharing (CORS) Support in Contour v1.9.0.
author_name: Steve Sloka
author_avatar: /img/contributors/steve-sloka.png
categories: [kubernetes]
# Tag should match author to drive author pages
tags: ['Contour Team']
date: 2020-10-07
slug: contour_v190
---

Contour continues to add new features to help you better manage ingress operations in a cluster. Our latest feature release, Contour 1.9.0, now includes support for external authorization, allowing requests to be validated against an authorization server. Contour can now also present a client certificate to backend services for TLS validation, and it moves to v1 Custom Resource Definitions (CRDs).

## External Authorization Support
Incoming requests to your ingress resources can now be authorized by utilizing Contour’s new external authorization support. Contour now enables the external authorization network filter in Envoy, which calls an external authorization service to check whether the incoming request is authorized. If the request is deemed unauthorized by the network filter, the connection will be closed.

Support for this new feature relies on a new Custom Resource Definition (CRD) named ExtensionService. This new API describes how Envoy should connect to the external authorization server.

![img](/img/posts/contourauth.png)

### Sequence of Events for External Auth:
1. Deploy an External Authorization Service to your cluster: This service talks to your Authorization Provider and determines whether the request should be authorized.
2. Create an `ExtensionService` CRD: This resource makes the External Authorization Service created in the previous step known to Contour so that it can configure Envoy with that gRPC endpoint.
3. Create an HTTPProxy resource: The VirtualHost in the ingress object references the `ExtensionService` resource, linking that virtual host to the authorization service.
4. On every client request, Envoy sends an authorization check to the External Auth Service to determine authorization.
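Steps 2 and 3 above written out as manifests. This is an added example, not one of the demo files linked below: the service name `authz`, the namespace `projectcontour-auth`, port `9443`, the TLS secret `ingress-cert`, the `echo` backend and the `/healthz` path are assumed placeholders; the field names follow the `ExtensionService` and `HTTPProxy` APIs. The two settings worth deciding deliberately are `failOpen` (what happens when the auth server cannot be reached) and the per-route `authPolicy`, which lets you exempt a route such as a health check from the authorization round trip.

```yaml
# Step 2: register the already-deployed authorization service so Contour can
# program Envoy with its gRPC endpoint. Name, namespace and port are assumed.
apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  name: authz
  namespace: projectcontour-auth
spec:
  protocol: h2            # gRPC over TLS to the auth server; h2c for cleartext
  services:
  - name: authz           # Kubernetes Service in the same namespace
    port: 9443
---
# Step 3: link the virtual host to that ExtensionService. As in the demo, the
# virtual host is TLS-enabled; "ingress-cert" is an assumed secret name.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: echo
  namespace: default
spec:
  virtualhost:
    fqdn: local.projectcontour.io
    tls:
      secretName: ingress-cert
    authorization:
      extensionRef:
        name: authz
        namespace: projectcontour-auth
      failOpen: false       # auth server unreachable => deny, not allow
      responseTimeout: 500ms
      authPolicy:
        context:            # static key/values sent to the auth server with every check
          proxy: echo
  routes:
  - conditions:
    - prefix: /healthz
    authPolicy:
      disabled: true        # health checks skip the authorization round trip
    services:
    - name: echo
      port: 80
  - conditions:
    - prefix: /
    services:
    - name: echo
      port: 80
```

With `failOpen: false` a request is rejected when the authorization service times out or is unavailable, which is the safe default for anything that protects sensitive backends; set it to `true` only for routes where availability matters more than the check, and watch for the resulting gap in your access logs.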

## Demo
Here's a quick video demonstration walking through the setup and configuration of External Authorization with Contour.

{{< youtube wm_eWO4mZYs >}}

If you'd like to follow along with the demo in your own environment, here are the files used:
```
https://projectcontour.io/examples/authdemo/01-prereq.yaml
https://projectcontour.io/examples/authdemo/02-auth-deployment.yaml
https://projectcontour.io/examples/authdemo/02-certsjob.yaml
https://projectcontour.io/examples/authdemo/03-secret.yaml
https://projectcontour.io/examples/authdemo/04-extensionservice.yaml
https://projectcontour.io/examples/authdemo/04-samplapp.yaml
https://projectcontour.io/examples/authdemo/05-proxy.yaml
https://projectcontour.io/examples/authdemo/06-proxy-auth.yaml
```

## Cross-Origin Resource Sharing (CORS) Support
Contour’s HTTPProxy API now supports specifying a [CORS policy](https://projectcontour.io/docs/v1.9.0/httpproxy/#cors-policy), which configures Envoy’s [CORS filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/cors_filter) to allow web applications to request resources from different origins.

CORS uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin (domain, protocol, or port) than its own.

In this example, cross-domain requests will be allowed for any domain (note the `*` value):

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
spec:
  virtualhost:
    fqdn: local.projectcontour.io
    corsPolicy:
      allowCredentials: true
      allowOrigin:
        - "*" # allows any origin
      allowMethods:
        - GET
        - POST
        - OPTIONS
      allowHeaders:
        - authorization
        - cache-control
      exposeHeaders:
        - Content-Length
        - Content-Range
      maxAge: "10m" # preflight requests can be cached for 10 minutes.
  routes:
    - conditions:
      - prefix: /
      services:
        - name: s1
          port: 80
```

Thanks to @aberasarte and @glerchundi for driving the design and implementation of this new feature!
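The policy above pairs a wildcard origin with `allowCredentials: true`, which is the broadest setting the API allows. Browsers refuse to expose a credentialed response that carries a literal `Access-Control-Allow-Origin: *`, but Envoy's CORS filter answers a matching request by echoing the request's `Origin` value rather than the pattern, so with `"*"` any site that can make a user's browser send a request to this host can read the credentialed response. The corrected form, as an added example rather than the page's own configuration, lists the origins that may use credentials explicitly; the two origins below are assumed placeholders.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: api            # assumed name
spec:
  virtualhost:
    fqdn: local.projectcontour.io
    corsPolicy:
      allowCredentials: true
      allowOrigin:     # exact origins, scheme included; no wildcard when credentials are allowed
        - "https://app.example.com"
        - "https://admin.example.com"
      allowMethods:
        - GET
        - POST
        - OPTIONS
      allowHeaders:
        - authorization
        - content-type
      exposeHeaders:
        - Content-Length
      maxAge: "10m"    # preflight results cached for 10 minutes
  routes:
    - conditions:
      - prefix: /
      services:
        - name: s1
          port: 80
```

Keep the wildcard for endpoints that serve genuinely public, unauthenticated data and set `allowCredentials: false` there; an origin list is the right shape as soon as cookies or `Authorization` headers are in play.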

## Backend TLS Client Authentication
Contour now supports optionally specifying a Kubernetes secret that Envoy should present to upstream clusters as a client certificate for TLS, so the upstream services can validate that the connection is coming from Envoy.

Thanks to @tsaarni for leading design and implementation of this feature!

## v1 Custom Resource Definitions
Contour now generates v1 custom resource definitions (CRDs) as part of its example YAML.
This enables Contour to take full advantage of the v1 API’s capabilities around validation, defaulting, API documentation via `kubectl explain`, and more.
CRDs became [generally available in Kubernetes 1.16](https://kubernetes.io/blog/2019/09/18/kubernetes-1-16-release-announcement/#custom-resources-reach-general-availability) over a year ago.

This change bumps Contour’s minimum supported Kubernetes version to 1.16.

## Community Thanks!
We’re immensely grateful for all the community contributions that help make Contour even better! For version 1.9, special thanks go out to the following contributors:
- [@aberasarte](https://github.com/aberasarte)
- [@bgagnon](https://github.com/bgagnon)
- [@glerchundi](https://github.com/glerchundi)
- [@mattmoor](https://github.com/mattmoor)
- [@ShaileshSurya](https://github.com/ShaileshSurya)
- [@tong101](https://github.com/tong101)
- [@tsaarni](https://github.com/tsaarni)
- [@zianke](https://github.com/zianke)