The following features are in Developer Preview and not currently supported or intended for production use. They are highlighted here to notify users of the important upcoming addition of Gateway API. Limited documentation is available at this time.

The Contour Operator can be installed on OKD to manage Contour, an Ingress Controller that supports Gateway API, an open-source project that exposes Kubernetes resources such as services to external consumers.

Installing Contour Operator

The following features are in Developer Preview and not currently supported or intended for production use. They are highlighted here to notify users of the important upcoming addition of Gateway API. Limited documentation is available at this time.

Install the Contour Operator on OKD to use the Gateway API.

Prerequisites
  • You installed an OKD cluster and the oc command line.

Procedure
  1. Install the Contour Operator:

    $ oc apply -f https://raw.githubusercontent.com/projectcontour/contour-operator/v1.18.0/examples/operator/operator.yaml

    It can take a few minutes for the Contour Operator to become available.

  2. Verify the availability of the Operator:

    $ oc get deployment/contour-operator -n contour-operator
    Example output
    NAME               READY   UP-TO-DATE   AVAILABLE   AGE
    contour-operator   1/1     1            1           12m
  3. Add contour and contour-certgen service accounts to the nonroot security context constraint (SCC):

    The example uses projectcontour by default as the namespace of the contour/contour-certgen service accounts. Replace projectcontour with the namespace used for Contour if you deviate from the example.

    $ oc adm policy add-scc-to-user nonroot system:serviceaccount:projectcontour:contour
    $ oc adm policy add-scc-to-user nonroot system:serviceaccount:projectcontour:contour-certgen

Installing and configuring Contour for Gateway API

The following features are in Developer Preview and not currently supported or intended for production use. They are highlighted here to notify users of the important upcoming addition of Gateway API. Limited documentation is available at this time.

The following guide provides instructions for using the Gateway API with the Contour Operator on OKD.

Prerequisites
  • You installed an OKD cluster and the oc command line.

  • You installed the Contour Operator.

Procedure
  1. Install Contour configured for Gateway API and dependent resources:

    $ oc apply -f https://raw.githubusercontent.com/projectcontour/contour-operator/v1.18.0/examples/gateway/gateway.yaml

    Envoy pods are exposed using a LoadBalancer service. Replace gateway.yaml with gateway-nodeport.yaml to use a NodePort service instead.

  2. Verify that all pods in the namespace where you installed Contour are running:

    $ oc get pods -n projectcontour
    Example output
    NAME                         READY   STATUS      RESTARTS   AGE
    contour-768547cfb8-c2rhn     1/1     Running     0          2m
    contour-768547cfb8-q866f     1/1     Running     0          2m
    contour-certgen-main-rb2h2   0/1     Completed   0          92s
    envoy-d5djm                  2/2     Running     0          2m41s
    envoy-gjwz5                  2/2     Running     0          2m41s
    envoy-hbg6j                  2/2     Running     0          2m41s

    The number of Envoy pods depends on how many worker nodes are in your cluster.

  3. Run a test workload:

    $ oc apply -f https://raw.githubusercontent.com/projectcontour/contour-operator/v1.18.0/examples/gateway/kuard/kuard.yaml
  4. Verify the status of the test workload:

    $ oc get pods,svc,httproute -n projectcontour -l app=kuard
    Example output
    NAME                         READY   STATUS    RESTARTS   AGE
    pod/kuard-798585497b-9mvwh   1/1     Running   0          5s
    pod/kuard-798585497b-kcjnn   1/1     Running   0          5s
    pod/kuard-798585497b-lnhsn   1/1     Running   0          5s
    
    NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
    service/kuard   ClusterIP   10.96.157.48   <none>        80/TCP    5s
    
    NAME                                  HOSTNAMES
    httproute.networking.x-k8s.io/kuard   ["local.projectcontour.io"]

    The application is exposed using an HTTPRoute that routes all HTTP requests for local.projectcontour.io to service kuard.

  5. Curl the application hostname:

    $ export GATEWAY=$(oc -n projectcontour get svc/envoy -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

    Replace hostname in the json path with ip if your cloud provider uses IP addresses instead of hostnames for loadBalancer services.

    $ curl -H "Host: local.projectcontour.io" -s -o /dev/null -w "%{http_code}" "http://$GATEWAY/"

    If running appropriately, a 200 HTTP status code is returned.

  6. Verify that the curl request was serviced by Envoy:

    $ oc logs ds/envoy -c envoy -n projectcontour | grep curl
    Example output
    Found 3 pods, using pod/envoy-g86st
    [2021-02-03T17:17:24.009Z] "GET / HTTP/1.1" 200 - 0 1748 1 1 "10.0.79.141" "curl/7.64.1" "2c53c9ba-46a2-4527-8b41-03ea9041bd2d" "a811b15855e1f428d8a834d0a86c3668-573506534.us-east-2.elb.amazonaws.com" "10.129.2.13:8080"

    The example above defaulted to pod envoy-g86st since the daemonset has three running pods. Use a different Envoy pod if the curl request does not appear in the logs.

Additional resources

For additional details, see: