In a Kubernetes cluster, ingress controllers listen for HTTP requests from outside and map them to user-defined applications inside. As part of rebuilding my personal cluster, I wanted a controller that was well supported by Knative and Linkerd. The former ruled out Traefik, my reflexive choice. I would have used Ambassador, but some of its features require a paid licence. The same goes for Gloo. I eventually selected Contour, supposedly the secondmost-popular Envoy-based controller.

I tested out Linkerd and Contour in a temporary cluster. There was some bad blood between Linkerd’s automatic proxy injection and Contour’s certgen Job. I would have liked to isolate the Job in its own namespace with automatic injection turned off, but it would then require a cluster-wide Role in order to be able to make changes in the final namespace. I could alternatively have created the TLS Secret in Terraform, but I was (needlessly) worried about idempotence.

I eventually split it into two Argo CD Applications: a Kustomize-based certgen stage that contained a Job and a CronJob, and the main stage for Contour itself. I couldn’t tell whether Envoy would automatically update its certificates after the CronJob ran, but my concerns were allayed on Slack.

Funnily enough, although I thought I might end up using net-kourier just for Knative later, I haven’t yet got around to installing either Knative or the Istio-based Kyma.[1] I understand the attraction of serverless, but as a developer running my own cluster, I’m skeptical of its value here.


  1. Since I intend to avoid Istio for as long as humanly possible, this suits me just fine.

Next in series: (#4 in The Death and Rebirth of a Cluster)