Can Envoy be updated independently in Contour 1.32.1?

[alihasanahmedkhan]

Hi Community,

I'm currently running Contour v1.32.1, which comes bundled with Envoy v1.34.4. However, I've noticed that Envoy v1.35.2 has been released and includes several important CVE fixes and security patches.

Given this:

• Is it supported or recommended to upgrade only Envoy to v1.35.2 while continuing to run Contour v1.32.1?
• What are the risks or challenges in doing so?
• Are there known compatibility issues between Contour 1.32.1 and Envoy 1.35.x?
• If upgrading Envoy independently is not advised, could you clarify why this coupling is important (e.g., xDS compatibility, unsupported APIs, etc.)?

I understand that Contour and Envoy are tightly integrated, but would appreciate guidance or references on the best way to approach this situation—especially in light of security concerns.

Thanks in advance for your help and for the great work on Contour!

[tsaarni]

When the goal is to receive the fixes as quickly as possible, upgrading only Envoy is the fastest option.

Upgrading Envoy from v1.34.4 to the latest patch release in the same track v1.34.6 is safe. It includes the same CVE fixes as the newest release track, without introducing incompatibilities.

Upgrading to new release track like v1.35.2 carries a risk, as it introduces functional changes including some incompatible behavior. While it can be that no changes in Contour are needed, this cannot be guaranteed. If changes in the code are required, most often it is related to xDS changes.

[tsaarni]

Here is a bump in Contour's main branch to Envoy 1.35 #7167 (unreleased at the moment). No functional changes were required. The github.com/envoyproxy/go-control-plane/envoy package was updated as part of it, though it might work without that as well, not sure.

[alihasanahmedkhan]

Hey tsaarni,
It sounds reasonable to me and thanks for the bump.