How to Deploy and Monitor Contour Ingress Controller with Envoy on Kubernetes
This tutorial explains how to install the Contour Ingress controller backed by Envoy on Kubernetes, configure IngressRoute resources, examine Envoy's static and dynamic configuration, and integrate Prometheus and Grafana monitoring with proper RBAC and ServiceMonitor setup.
Introduction
Running large web‑centric workloads on Kubernetes requires efficient L7 traffic management. Envoy, a CNCF‑hosted proxy, has become the core of many cloud‑native ingress solutions, and Contour uses Envoy as its data plane.
Why use Heptio Contour
Simple installation of Envoy.
Integration with Kubernetes object model.
Dynamic Ingress configuration without restarts.
Supports advanced features such as circuit breakers, plugins, observability.
Allows blue‑green deployments via IngressRoute chaining.
Installation steps
Contour can be deployed in one of three ways:
Deploy Contour and Envoy as a DaemonSet so each node runs both containers.
Deploy as a Deployment with two Contour instances for high availability.
Deploy in mixed mode: Contour as a Deployment, Envoy as a DaemonSet (recommended).
Clone the repository and edit 03-envoy.yaml to expose the admin address on 0.0.0.0:9001. Change the Envoy Service type to ClusterIP and remove the annotation.
git clone https://github.com/heptio/contour
cd contour/examples/ds-hostnet-split
# edit 03-envoy.yaml as described
kubectl apply -f ./
Contour architecture
Contour consists of two components:
Envoy: high‑performance reverse proxy.
Contour: control plane that generates Envoy configuration from Kubernetes resources.
During pod initialization Contour writes a bootstrap file to a shared volume; Envoy reads it and polls Contour for dynamic configuration via xDS (LDS, RDS, CDS, EDS). Contour watches Ingress, Service, Endpoint objects using client‑go informers and converts them into a directed acyclic graph (DAG) of virtual hosts and routes.
Ingress vs IngressRoute
Ingress is a beta API that relies on annotations for advanced features. IngressRoute is a CRD that extends the API, provides richer routing, multi‑team security, weight‑based load balancing, and validation.
Testing the deployment
Apply the example workload kuard-ingressroute.yaml, verify pods and services, add kuard.local to /etc/hosts, and access the application through the browser.
Envoy configuration
Envoy’s static resources define clusters for Contour and service‑stats. Dynamic resources (LDS, RDS, CDS, EDS) are fetched from Contour. Example snippets of the JSON configuration are shown.
Monitoring with Prometheus and Grafana
Both Contour and Envoy expose Prometheus metrics. To scrape them with Prometheus‑Operator, create appropriate RBAC rules, label the Contour and Envoy services, and define ServiceMonitor objects. Import the official Grafana dashboard ConfigMap into your Grafana deployment.
Accessing dashboards
After creating IngressRoute objects for Prometheus and Grafana and updating /etc/hosts, the dashboards are reachable at prometheus.sealos.io and grafana.sealos.io.
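In production, keep the Envoy admin interface bound to 127.0.0.1 instead of 0.0.0.0. The admin endpoint is unauthenticated, and anyone who can reach it can dump the running configuration and change or shut down the proxy.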
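A check for the admin binding described above, as an added example that is not from the original article or the Contour project: it parses an Envoy bootstrap in JSON form and reports an admin listener bound to anything other than loopback. The sample bootstrap is constructed, and the function name audit_admin is hypothetical.

```python
import ipaddress
import json

# Constructed sample bootstrap (not taken from the article); it mirrors the
# tutorial's edit that exposes the admin listener on 0.0.0.0:9001.
SAMPLE_BOOTSTRAP = """
{
  "admin": {
    "access_log_path": "/dev/null",
    "address": {"socket_address": {"address": "0.0.0.0", "port_value": 9001}}
  }
}
"""


def audit_admin(bootstrap_text):
    """Return a list of findings about the Envoy admin listener binding."""
    cfg = json.loads(bootstrap_text)
    admin = cfg.get("admin")
    if admin is None:
        return []  # no admin listener configured, nothing is exposed
    address = admin.get("address", {})
    if "pipe" in address:
        return []  # Unix domain socket, not reachable over the network
    sock = address.get("socket_address")
    if sock is None:
        return ["admin block has no recognisable address; review manually"]
    host, port = sock.get("address", ""), sock.get("port_value")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostnames such as "localhost" depend on resolution; flag for review.
        return [f"admin address {host!r}:{port} is not an IP literal; review manually"]
    if ip.is_loopback:
        return []
    scope = "every interface" if ip.is_unspecified else f"interface {ip}"
    return [f"admin listener on {host}:{port} is reachable on {scope}; "
            "bind it to 127.0.0.1"]


if __name__ == "__main__":
    for finding in audit_admin(SAMPLE_BOOTSTRAP):
        print("FINDING:", finding)
```

Run it against the bootstrap file Contour writes to the shared volume before promoting a manifest that was edited for the monitoring walkthrough.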
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
