Upgrade contour to 1.33.0

deepy · deepy · commit 8e9ad6956254 · 2025-09-29T11:41:58.000+02:00
Signed-off-by: Alex Nordlund &lt;deep.alexander@gmail.com&gt;
diff --git a/charts/contour/CHANGELOG.md b/charts/contour/CHANGELOG.md
@@ -1,4 +1,8 @@
 # Changelog
+## 0.2.0
+* Contour upgraded to 1.33.0
+* Envoy upgraded to 1.35.2
+
 ## 0.1.0
 * Forked from [bitnami/charts/contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) version 21.1.0
 * Remove `defaultBackend` functionality
diff --git a/charts/contour/Chart.yaml b/charts/contour/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
   category: Infrastructure
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 1.32.0
+appVersion: 1.33.0
 description: Contour is an open source Kubernetes ingress controller that works by
   deploying the Envoy proxy as a reverse proxy and load balancer.
 home: https://projectcontour.io/
@@ -15,4 +15,4 @@ maintainers:
 name: contour
 sources:
 - https://github.com/projectcontour/helm-charts/tree/main/charts/contour
-version: 0.1.0
+version: 0.2.0
diff --git a/charts/contour/templates/crds/contour-crds.yaml b/charts/contour/templates/crds/contour-crds.yaml
@@ -7,7 +7,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: contourconfigurations.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -1406,7 +1406,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: contourdeployments.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -1625,7 +1625,7 @@ spec:
                         description: |-
                           Claims lists the names of resources, defined in spec.resourceClaims,
                           that are used by this container.
-                          This is an alpha field and requires enabling the
+                          This field depends on the
                           DynamicResourceAllocation feature gate.
                           This field is immutable. It can only be set for containers.
                         items:
@@ -1746,7 +1746,7 @@ spec:
                                   pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
                                   on that node is marked deleted. If the old pod becomes unavailable for any
                                   reason (Ready transitions to false, is evicted, or is drained) an updated
-                                  pod is immediatedly created on that node without considering surge limits.
+                                  pod is immediately created on that node without considering surge limits.
                                   Allowing surge implies the possibility that the resources consumed by the
                                   daemonset on any given node can double if the readiness check fails, and
                                   so resource intensive daemonsets should take into account that they may
@@ -2569,15 +2569,13 @@ spec:
                                         volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
                                         If specified, the CSI driver will create or update the volume with the attributes defined
                                         in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
-                                        it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
-                                        will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
-                                        If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
-                                        will be set by the persistentvolume controller if it exists.
+                                        it can be changed after the claim is created. An empty string or nil value indicates that no
+                                        VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                        this field can be reset to its previous value (including nil) to cancel the modification.
                                         If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                         set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                         exists.
                                         More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
-                                        (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
                                       type: string
                                     volumeMode:
                                       description: |-
@@ -2759,12 +2757,10 @@ spec:
                           description: |-
                             glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
                             Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
-                            More info: https://examples.k8s.io/volumes/glusterfs/README.md
                           properties:
                             endpoints:
-                              description: |-
-                                endpoints is the endpoint name that details Glusterfs topology.
-                                More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                              description: endpoints is the endpoint name that details
+                                Glusterfs topology.
                               type: string
                             path:
                               description: |-
@@ -2841,7 +2837,7 @@ spec:
                           description: |-
                             iscsi represents an ISCSI Disk resource that is attached to a
                             kubelet's host machine and then exposed to the pod.
-                            More info: https://examples.k8s.io/volumes/iscsi/README.md
+                            More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
                           properties:
                             chapAuthDiscovery:
                               description: chapAuthDiscovery defines whether support
@@ -3260,6 +3256,96 @@ spec:
                                         type: array
                                         x-kubernetes-list-type: atomic
                                     type: object
+                                  podCertificate:
+                                    description: |-
+                                      Projects an auto-rotating credential bundle (private key and certificate
+                                      chain) that the pod can use either as a TLS client or server.
+                                      Kubelet generates a private key and uses it to send a
+                                      PodCertificateRequest to the named signer.  Once the signer approves the
+                                      request and issues a certificate chain, Kubelet writes the key and
+                                      certificate chain to the pod filesystem.  The pod does not start until
+                                      certificates have been issued for each podCertificate projected volume
+                                      source in its spec.
+                                      Kubelet will begin trying to rotate the certificate at the time indicated
+                                      by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                      timestamp.
+                                      Kubelet can write a single file, indicated by the credentialBundlePath
+                                      field, or separate files, indicated by the keyPath and
+                                      certificateChainPath fields.
+                                      The credential bundle is a single file in PEM format.  The first PEM
+                                      entry is the private key (in PKCS#8 format), and the remaining PEM
+                                      entries are the certificate chain issued by the signer (typically,
+                                      signers will return their certificate chain in leaf-to-root order).
+                                      Prefer using the credential bundle format, since your application code
+                                      can read it atomically.  If you use keyPath and certificateChainPath,
+                                      your application must make two separate file reads. If these coincide
+                                      with a certificate rotation, it is possible that the private key and leaf
+                                      certificate you read may not correspond to each other.  Your application
+                                      will need to check for this condition, and re-read until they are
+                                      consistent.
+                                      The named signer controls chooses the format of the certificate it
+                                      issues; consult the signer implementation's documentation to learn how to
+                                      use the certificates it issues.
+                                    properties:
+                                      certificateChainPath:
+                                        description: |-
+                                          Write the certificate chain at this path in the projected volume.
+                                          Most applications should use credentialBundlePath.  When using keyPath
+                                          and certificateChainPath, your application needs to check that the key
+                                          and leaf certificate are consistent, because it is possible to read the
+                                          files mid-rotation.
+                                        type: string
+                                      credentialBundlePath:
+                                        description: |-
+                                          Write the credential bundle at this path in the projected volume.
+                                          The credential bundle is a single file that contains multiple PEM blocks.
+                                          The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                          key.
+                                          The remaining blocks are CERTIFICATE blocks, containing the issued
+                                          certificate chain from the signer (leaf and any intermediates).
+                                          Using credentialBundlePath lets your Pod's application code make a single
+                                          atomic read that retrieves a consistent key and certificate chain.  If you
+                                          project them to separate files, your application code will need to
+                                          additionally check that the leaf certificate was issued to the key.
+                                        type: string
+                                      keyPath:
+                                        description: |-
+                                          Write the key at this path in the projected volume.
+                                          Most applications should use credentialBundlePath.  When using keyPath
+                                          and certificateChainPath, your application needs to check that the key
+                                          and leaf certificate are consistent, because it is possible to read the
+                                          files mid-rotation.
+                                        type: string
+                                      keyType:
+                                        description: |-
+                                          The type of keypair Kubelet will generate for the pod.
+                                          Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                          "ECDSAP521", and "ED25519".
+                                        type: string
+                                      maxExpirationSeconds:
+                                        description: |-
+                                          maxExpirationSeconds is the maximum lifetime permitted for the
+                                          certificate.
+                                          Kubelet copies this value verbatim into the PodCertificateRequests it
+                                          generates for this projection.
+                                          If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                          will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                          value is 7862400 (91 days).
+                                          The signer implementation is then free to issue a certificate with any
+                                          lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                          seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                          `kubernetes.io` signers will never issue certificates with a lifetime
+                                          longer than 24 hours.
+                                        format: int32
+                                        type: integer
+                                      signerName:
+                                        description: Kubelet's generated CSRs will
+                                          be addressed to this signer.
+                                        type: string
+                                    required:
+                                    - keyType
+                                    - signerName
+                                    type: object
                                   secret:
                                     description: secret information about the secret
                                       data to project
@@ -3394,7 +3480,6 @@ spec:
                           description: |-
                             rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
                             Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
-                            More info: https://examples.k8s.io/volumes/rbd/README.md
                           properties:
                             fsType:
                               description: |-
@@ -3841,7 +3926,7 @@ spec:
                         description: |-
                           Claims lists the names of resources, defined in spec.resourceClaims,
                           that are used by this container.
-                          This is an alpha field and requires enabling the
+                          This field depends on the
                           DynamicResourceAllocation feature gate.
                           This field is immutable. It can only be set for containers.
                         items:
@@ -5140,7 +5225,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: extensionservices.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -5620,7 +5705,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: httpproxies.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -8522,7 +8607,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: tlscertificatedelegations.projectcontour.io
 spec:
   preserveUnknownFields: false
diff --git a/charts/contour/values.yaml b/charts/contour/values.yaml
@@ -103,7 +103,7 @@ contour:
   image:
     registry: ghcr.io
     repository: projectcontour/contour
-    tag: v1.32.0
+    tag: v1.33.0
     digest: ""
     ## Specify a imagePullPolicy
     ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -663,7 +663,7 @@ envoy:
   image:
     registry: docker.io
     repository: envoyproxy/envoy
-    tag: v1.34.1
+    tag: v1.35.2
     digest: ""
     ## Specify a imagePullPolicy
     ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
