# Contour — High-Performance Kubernetes Ingress Controller Using Envoy > Route traffic into Kubernetes clusters with Contour. Built on Envoy proxy, it provides a powerful HTTPProxy CRD for advanced routing, TLS delegation, and rate limiting beyond standard Ingress. ## Install Save as a script file and run: # Contour — High-Performance Kubernetes Ingress Controller Using Envoy ## Quick Use ```bash # Install with kubectl kubectl apply -f https://projectcontour.io/quickstart/contour.yaml # Or with Helm helm repo add bitnami https://charts.bitnami.com/bitnami helm install contour bitnami/contour -n projectcontour --create-namespace # Verify pods are running kubectl get pods -n projectcontour ``` ## Introduction Contour is a Kubernetes ingress controller that uses Envoy proxy as its data plane. Maintained by the CNCF as an incubating project, it extends the standard Kubernetes Ingress resource with a custom HTTPProxy CRD that supports advanced routing features like weighted traffic splitting, header-based routing, TLS certificate delegation across namespaces, and per-route rate limiting. It is designed for multi-team clusters where different namespaces need independent control over their ingress configuration. ## What Contour Does - Watches Kubernetes Ingress and HTTPProxy resources and programs Envoy dynamically via xDS - Provides the HTTPProxy CRD for features beyond standard Ingress: traffic splitting, retries, timeouts - Delegates TLS certificates across namespaces so platform teams manage certs centrally - Supports Gateway API resources as an alternative to Ingress and HTTPProxy - Runs Envoy as a DaemonSet or Deployment for flexible deployment topologies ## Architecture Overview Contour runs as a Kubernetes Deployment that watches the API server for Ingress, HTTPProxy, and Gateway API resources. It compiles routing rules into Envoy xDS configuration and serves it to Envoy instances over gRPC. Envoy handles the actual traffic — TLS termination, routing, load balancing, and health checking. Contour and Envoy communicate via the contour-xds gRPC stream. The separation means Contour restarts do not interrupt traffic, and Envoy can be scaled independently. ## Self-Hosting & Configuration - Deploy Contour and Envoy together via the quickstart YAML or Helm chart - Configure global settings in a ContourConfiguration CRD or contour.yaml ConfigMap - Define routes using HTTPProxy resources with conditions, services, and TLS settings - Enable rate limiting by deploying a global rate limit service and referencing it in HTTPProxy - Use TLS certificate delegation to share wildcard certs from a central namespace ## Key Features - HTTPProxy CRD supports weighted routing, header matching, path rewriting, and retries per route - TLS certificate delegation lets platform teams manage certs without granting namespace access - Envoy data plane provides HTTP/2, gRPC, WebSocket, and TCP proxying out of the box - Gateway API support future-proofs ingress configuration with the emerging Kubernetes standard - Root-to-leaf HTTPProxy inclusion enables multi-team route delegation safely ## Comparison with Similar Tools - **NGINX Ingress** — config via annotations; Contour uses a typed CRD for safer configuration - **Istio Gateway** — full service mesh; Contour is a focused ingress controller without sidecar overhead - **Traefik** — auto-discovery with providers; Contour is Kubernetes-native with deeper Envoy integration - **Emissary** — also Envoy-based; Contour has broader CNCF community support and simpler CRDs ## FAQ **Q: Does Contour support the Gateway API?** A: Yes. Contour implements GatewayClass, Gateway, and HTTPRoute resources alongside its own HTTPProxy CRD. **Q: How is Contour different from raw Envoy?** A: Contour is the control plane that configures Envoy automatically from Kubernetes resources. You define routes in YAML; Contour programs Envoy via xDS. **Q: Can I migrate from NGINX Ingress?** A: Yes. Contour supports standard Ingress resources, so existing NGINX Ingress manifests work. You can then migrate to HTTPProxy for advanced features. **Q: Does Contour support TCP/UDP proxying?** A: Contour supports TCP proxying via HTTPProxy and Gateway API TCPRoute. UDP proxying is not supported. ## Sources - https://github.com/projectcontour/contour - https://projectcontour.io/docs/ --- Source: https://tokrepo.com/en/workflows/e916ebd5-3939-11f1-9bc6-00163e2b0d79 Author: Script Depot