Supported versions:
Critical fixes:
Unsupported:
Fixes and improvements since v0.11.8:
- Fix change notification of backend shard #835 (jcmoraisjr)
- always deny requests if oauth is misconfigured (#843) ef76e17 (Joao Morais)
- Fix ingress update to an existing backend #847 (jcmoraisjr)
- Fix global config-backend snippet config #856 (jcmoraisjr)
Fixes and improvements since v0.11.7:
- Ensure that configured global ConfigMap exists #804 (jcmoraisjr)
- Add disable-external-name command-line option #816 (jcmoraisjr) - doc
- Command-line options:
--disable-external-name
- Command-line options:
- Add disable-config-keywords command-line options #820 (jcmoraisjr) - doc
- Command-line options:
--disable-config-keywords
- Command-line options:
- build: remove travis-ci configs f38a933 (Joao Morais)
Fixes and improvements since v0.11.6:
- Fix reading of needFullSync status #772 (jcmoraisjr)
- Fix domain validation on secure backend keys #791 (jcmoraisjr)
- Use the port name on DNS resolver template #796 (jcmoraisjr)
- Fix reading of tls secret without crt or key #799 (jcmoraisjr)
- build: move from travis to github actions 19c275c (Joao Morais)
Fixes and improvements since v0.11.5:
- Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)
Fixes and improvements since v0.11.4:
- Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
- Fix prefix path type if the path matches a domain #756 (jcmoraisjr)
- Update haproxy from 2.1.11 to 2.1.12 and fixes CVE-2021-3450 (OpenSSL). fd4dd10 (Joao Morais)
Fixes and improvements since v0.11.3:
- Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
- Fix initial weight configuration #742 (jcmoraisjr)
Fixes and improvements since v0.11.2:
- Fix shrinking of prioritized paths #736 (jcmoraisjr)
Fixes and improvements since v0.11.1:
- Clear the crt expire gauge when full sync #717 (jcmoraisjr)
- Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
- Readd haproxy user in the docker image #718 (jcmoraisjr)
- Update embedded haproxy to 2.1.11 76aff6b (Joao Morais)
- Use field converter to remove port from hdr host #729 (jcmoraisjr)
- Add sni and verifyhost to secure connections #730 (jcmoraisjr) - doc
- Configuration keys:
secure-sni
secure-verify-hostname
- Configuration keys:
- Fix path precedence of distinct match types #728 (jcmoraisjr)
Docs:
- Fix prometheus config #723 (jcmoraisjr)
Fixes and improvements since v0.11:
- Use default certificate only if provided SNI isn't found #700 (jcmoraisjr)
Highlights of this version
- HAProxy upgrade from 2.0 to 2.1.
- Negligible IO, CPU usage and reconciliation time, regardless the number of tracked ingress and service objects.
- HAProxy Ingress deployed on noisy (about 10 reconciliations per minute) and big (about 4000 ingress and services) clusters used to use about 90% CPU. HAProxy Ingress v0.11 uses about 2% CPU on such clusters when using backend shards.
- Ingress API upgrade from
extensions/v1beta1
tonetworking.k8s.io/v1beta1
.
Breaking backward compatibility from v0.10
- Kubernetes version 1.14 or newer
- HAProxy Ingress service account need
get
,list
,watch
andupdate
access tonetworking.k8s.io
api group - which was the same permissions granted toextensions/v1beta1
api group. Update your k8s role configuration before deploy v0.11. See an updated version of the deployment manifest. - Major refactor in the haproxy's frontents with the following visible changes:
- Internal proxy names changed, which will impact metric dashboards that use these names
- Internal map file names changed, which will impact configuration snippets that use them
timeout-client
andtimeout-client-fin
are global scoped only - cannot use as an ingress annotation.- Template path changed, see the template doc.
Contributors
- Alexis Dufour (AlexisDuf)
- Colin Deasy (coldeasy)
- Dario Tranchitella (prometherion)
- Eliot Hautefeuille (hileef)
- Joao Morais (jcmoraisjr)
- MartinKirchner (MartinKirchner)
- pawelb (pbabilas)
- Ricardo Katz (rikatz)
- Robert Agbozo (RobertTheProfessional)
- Shagon94 (Shagon94)
- Unichron (Unichron)
New features and improvements:
- Update to haproxy 2.1.4 #542 (jcmoraisjr)
- Converting to cache.Listers #545 (prometherion)
- Sorting imports and code linting #550 (prometherion)
- Change timeout-client(-fin) scope from host to global #552 (jcmoraisjr) - doc
- Configuration keys:
timeout-client
(update)timeout-client-fin
(update)
- Configuration keys:
- Remove frontend group #553 (jcmoraisjr)
- Move backend data and funcs to its own entity #555 (jcmoraisjr)
- Add host lookup with hash table #556 (jcmoraisjr)
- Add backend lookup with hash table #557 (jcmoraisjr)
- Move max body size to the backend #554 (jcmoraisjr)
- Parsing and lookup optimizations #558 (jcmoraisjr)
- Follow gofmt convention #564 (jcmoraisjr)
- Move listers and informers to the new controller #563 (jcmoraisjr)
- Add check interval on tcp service #576 (jcmoraisjr) - doc
- Command-line options:
--tcp-services-configmap
(update)
- Command-line options:
- Add use-forwarded-proto config key #577 (jcmoraisjr) - doc
- Configuration keys:
use-forwarded-proto
- Configuration keys:
- Add headers config key #575 (jcmoraisjr) - doc
- Configuration keys:
headers
- Configuration keys:
- Allow overriding CPU Map #588 (coldeasy) - doc
- Configuration keys:
cpu-map
use-cpu-map
- Configuration keys:
- TCP Services : SSL : Optionally Verify Client #589 (hileef) - doc
- Command-line options:
--tcp-services-configmap
(update)
- Command-line options:
- Add session-cookie-keywords #601 (MartinKirchner) - doc
- Configuration keys:
session-cookie-keywords
- Configuration keys:
- Host scoped cipher options #609 (Unichron) - doc
- Configuration keys:
ssl-cipher-suites
ssl-ciphers
- Configuration keys:
- Update deprecated APIs in Docs #613 (rikatz)
- Improve parsing time on big clusters #571 (jcmoraisjr)
- Add backend-shards command-line option #623 (jcmoraisjr) - doc
- Command-line options:
--backend-shards
- Command-line options:
- Add disable-pod-list command-line option #622 (jcmoraisjr) - doc
- Command-line options:
--disable-pod-list
- Command-line options:
- Log changed objects #625 (jcmoraisjr)
- Optimize haproxy maps building #629 (jcmoraisjr)
- Shrink list of changed hosts and backends #630 (jcmoraisjr)
- Host scope tls-alpn and ssl-options #617 (Unichron)
- Update to haproxy 2.1.8 #635 (jcmoraisjr)
- Partial build of backend maps #637 (jcmoraisjr)
- Update to client-go v0.18.6 #638 (jcmoraisjr)
- Update to go1.13.15 #640 (jcmoraisjr)
- Add support to multiple match types #641 (jcmoraisjr)
- Configuration keys:
path-type
- doc
- Configuration keys:
- Improve backend shrinking #644 (jcmoraisjr)
- Improve time of frontend maps build #647 (jcmoraisjr)
- Move files to /etc, /var/lib or /var/run dirs #654 (jcmoraisjr)
- Add wait-before-update command-line option #658 (jcmoraisjr)
Fixes:
- Fix logging messages #559 (jcmoraisjr)
- Fix server-alias on http/80 #570 (AlexisDuf)
- Fix permission using watch-namespace #578 (jcmoraisjr)
- Fix watch-namespace option #579 (jcmoraisjr)
- Fix cleaning cache of changed objects #626 (jcmoraisjr)
- Configure default crt on ingress parsing phase #634 (jcmoraisjr)
- Add hostname and backend tracking on addIngress #646 (jcmoraisjr)
- Fix sigsegv tracking added ingress #648 (jcmoraisjr)
- Add implicit starting boundary char in regex path match #651 (jcmoraisjr)
- Fix tracking and partial parsing of spec.backend #653 (jcmoraisjr)
- Fix ssl-passthrough counter #656 (jcmoraisjr)
Docs:
Fixes and improvements since v0.11-beta.1:
- Fix rewrite target match #668 (jcmoraisjr)
Fixes and improvements since v0.11-beta.2:
- Implement sort-backends #677 (jcmoraisjr)
- Add --sort-endpoints-by command-line option #678 (jcmoraisjr)
- Configuration keys:
--sort-endpoints-by
- doc
- Configuration keys:
- Fix dynamic update of the default backend #680 (jcmoraisjr)
- Update embedded haproxy to 2.1.9 06f2e65 (Joao Morais)
Fixes and improvements since v0.11-beta.3:
- Fix line too long on backend parsing #683 (jcmoraisjr)
- Fix basic auth backend tracking #688 (jcmoraisjr)
- Allow signer to work with wildcard dns certs #695 (pbabilas)
- Improve certificate validation of acme signer #689 (jcmoraisjr)
- Update haproxy from 2.1.9 to 2.1.10 9763c63 (Joao Morais)
- Allow signer to work with wildcard dns certs #695 (pbabilas)
- Add path scope #705 (jcmoraisjr)
- Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
- Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
- Fix initial weight configuration #742 (jcmoraisjr)
- Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
- Fix backend matches if hostname uses wildcard #752 (jcmoraisjr)
- Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)
Fixes and improvements since v0.9.1:
- Implement sort-backends #677 (jcmoraisjr)
Fixes and improvements since v0.9:
- Update HAProxy from 1.9.15 to 1.9.16
- Add service event handler #633
- Configure default crt on ingress parsing phase #634
Docs:
- Typo on configuration keys docs #585
Breaking backward compatibility from v0.8:
- TLS 1.0 and 1.1 was dropped in the default configuration. Several cipher suites was dropped as well, mostly non ephemeral key exchange algorithms. This might break old http clients. See the v0.8 default values in the SSL cipher suite and SSL options docs and adjust the configuration if needed.
- Some default configurations was changed to improve performance of a vanilla deployment, this might cause unexpected behaviour:
- Default
dynamic-scaling
configuration key was changed fromfalse
totrue
- Default
nbthread
configuration key was changed from1
to2
- Default
--reload-strategy
command-line option was changed fromnative
toreusesocket
- Default
Highlights of this version:
- HAProxy upgrade from 1.8 to 1.9
- HTTP/2 support in the backend side
- TLS 1.3 support
- Certificate update using ACME-v2 protocol
- Ability to run as non-root, see the security doc
New features:
- Use one bind per frontend #382
- Update to haproxy 1.9.10 #381
- Add h2 backend proto and use-htx global option #387
- Make sni optional if a certificate is optional and is not provided #392
- Add custom-frontend snippet to http:80 frontend #395
- Join samples using concat #393
- Use 421 response if sni and headers does not match #394
- Add syslog-length configmap option #396 - doc
- Configuration keys:
ingress.kubernetes.io/syslog-length
- Configuration keys:
- Add CRL Support in the TLS Secret for Client Authentication #328
- Add CRL support in the new controller #399
- Add per request deployment group selection - blue/green deployment #402 - doc
- Configuration keys:
ingress.kubernetes.io/blue-green-cookie
ingress.kubernetes.io/blue-green-header
- Configuration keys:
- Sort ingress using creation timestamp #405
- Update default TLS versions and ciphers for client and server connections #403 - doc
- Configuration keys:
ssl-cipher-suites
ssl-cipher-suites-backend
ssl-ciphers-backend
- Configuration keys:
- Update to haproxy 1.9.11 #406
- Add session-cookie-shared #419
- Add dynamic-scaling false option #420
- Improve sorting of internal state #423
- Tuning default thread number and reload strategy #424
- Add leader election #431
- Add work queue #430
- Add forwardfor option - update #437 - doc
- Configuration keys:
ingress.kubernetes.io/forwardfor
- new optionupdate
- Configuration keys:
- Add support for Mod Security DetectionOnly Mode #443 - doc
- Configuration keys:
ingress.kubernetes.io/waf-mode
- Configuration keys:
- Add initial-weight config key #444
- Improve fronting proxy config #434
- Update Go version and use Go mod #439
- Update to haproxy 1.9.12 #446
- Initialize leader election only if needed #447
- Add ip+port bind support for http/https/fronting-proxy #452
- Add failure rate limit on work queue #457
- Customizable goarch #472
- dumb-init added from alpine repo #471
- Add acme v02 support #391
- Configuration keys - doc:
acme-emails
acme-endpoint
acme-expiring
acme-shared
acme-terms-agreed
ingress.kubernetes.io/cert-signer
- Command-line options - doc:
--acme-check-period
--acme-election-id
--acme-fail-initial-duration
--acme-fail-max-duration
--acme-secret-key-name
--acme-server
--acme-token-configmap-name
--acme-track-tls-annotation
- Configuration keys - doc:
- Update to haproxy 1.9.13 #475
- Update dependencies to k8s 1.16.3 #474
- Add 4xx error pages and CORS Preflight as Lua services #481
- Check acme account before retrieving #479
- Improve equality comparison with acme changes #478
- Add security options #484 - doc
- Configuration keys:
use-chroot
use-haproxy-user
- Configuration keys:
Fixes:
- Fix case on requests from 80/http #425
- Fix case on per-path backend requests #427
- Fix cross-namespace command-line option #433
- Fix host match with a port number #436
- Fix hostname match of domains with client cert auth #453
- Fix panic reading empty targetRef from ep #455
- Fix txn.namespace on http requests #463
- Do ssl-redirect only if tls declares the hostname #465
- Fix case on per-path backend maps #466
- Use the found match pattern #468
- Improve response error on sni mismatch #470
- Fix haproxy.cfg permissions #476
Docs:
- docs: update deployment and DaemonSet APIs to apps/v1 #415
- docs: starting version #417
- docs: update deploy and ds api to apps/v1 #422
- docs: defaults for cors-allow-methods and -headers #445
Fixes and improvements since v0.9-beta.1:
- Change unix sockets user to haproxy #504
- Sort tcp services by name and port #506
- Add backend-server-naming key #507 - doc
- Configuration keys:
backend-server-naming
- Configuration keys:
- Add auth-tls-strict configuration key #513 - doc
- Configuration keys:
auth-tls-strict
- Configuration keys:
- Remove haproxy warning filter #514
- Create frontends even without ingress #516
Fixes and improvements since v0.9-beta.2:
- Fix TLS handshake on backend #520
- Update haproxy from 1.9.13 to 1.9.14
- Clear acme work queue on stopped leading #526
- Restart the leader elector when stop leading #532
- Improve certificate sign logs #533
- Fix race on failure rate limit queue #534
Fixes and improvements since v0.9-beta.3:
- Add external call to certificate check #539 - doc
- Update HAProxy from 1.9.14 to 1.9.15, which fixes CVE-2020-11100
Fixes and improvements since v0.9-beta.4:
Fixes and improvements since v0.8.6:
- Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
- Update embedded haproxy to 1.8.28 38f0194 (Joao Morais)
- Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
- Fix initial weight configuration #742 (jcmoraisjr)
- Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
- Fix backend matches if hostname uses wildcard #752 (jcmoraisjr)
- Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)
- Update haproxy from 1.8.28 to 1.8.30 91fecdc (Joao Morais)
Fixes and improvements since v0.8.5:
Fixes and improvements since v0.8.4:
Fixes and improvements since v0.8.3:
- Fix server-alias on http/80 #570
Fixes and improvements since v0.8.2:
- Update HAProxy from 1.8.24 to 1.8.25, which fixes CVE-2020-11100
Fixes and improvements since v0.8.1:
- Update HAProxy from 1.8.23 to 1.8.24
Fixes and improvements since v0.8:
- Sort tcp services by name and port #506
- Add backend-server-naming key #507 - doc
- Configuration keys:
backend-server-naming
- Configuration keys:
- Add auth-tls-strict configuration key #513 - doc
- Configuration keys:
auth-tls-strict
- Configuration keys:
- Remove haproxy warning filter #514
- Create frontends even without ingress #516
Breaking backward compatibility from v0.7:
Note: A new configuration parser and HAProxy config builder is in place. Despite declared incompatibility changes listed below, all configuration options and behavior should be preserved. Please file an issue if something changed in the v0.8 controller which is not listed here.
- HAProxy's backend naming convention used for services changed from
<namespace>-<svcname>-<port>
to<namespace>_<svcname>_<port>
in order to avoid ambiguity. This should impact as least logging filters and metrics dashboards. - All the other HAProxy's proxy names changed as well - check your logging filters and metrics dashboards.
nbproc-ssl
global configmap option wasn't reimplemented in v0.8, consider usenbthread
instead.strict-host
global configmap option changed the default value fromtrue
tofalse
. Seestrict-host
doc.dynamic-scaling
configuration key changed the default value fromfalse
totrue
nbthread
configuration key changed the default value from1
to2
reload-strategy
command-line option changed the default value fromnative
toreusesocket
- A missing
--sort-backends
command-line option does not shuffle endpoints anymore
The --v07-controller=true
command-line option can be used to revert to the old controller and behavior. Note that in this case the *-v07.tmpl
templates will be used instead. This option will be removed on v0.10.
Improvements on the new internal representation and converters:
- Main issue #274
- Pull requests part1, part2, part3, part4, part5, part6
- About 80% of the controller was rewritten from scratch. The new code base has more consistent behavior, it's more decoupled, easier to understand, test and evolve, and ready to ingress v2 without breaking compatibility with ingress v1. The new configuration is also a lot faster - the bigger the cluster, the faster the config generated by the v0.8 controller.
- Configmap and annotations: declare annotations with prefix (defaults to
ingress.kubernetes.io
) on services or ingress objects, declare without prefix as a global configmap option. The configmap declaration act as a default value, and service takes precedence in the case of conflict with ingress. - The
mode tcp
frontend will be used only if needed:- Authentication with client certificate is used - this will not be a limitation on v0.9 controller and HAProxy 1.9.x
ssl-passthrough
is used- Conflicting
timeout client
declared as annotations
- Fix HAProxy config parsing of a very long list of whitelist CIDRs or a very long list of overlapping /paths in the same domain
Fixes and improvements since v0.7:
- Fix duplication of ConfigFrontend snippets for DefaultBackend #352
- Fix port retrieval for terminatingPod with named targetPort #331
- Disable HTTP Basic Auth on CORS pre-flight OPTIONS request #356
- Configure annotation prefix - doc
- Command-line options:
--annotations-prefix
- Command-line options:
- Agent check #287 - doc
- Annotations or configmap options (without prefix):
ingress.kubernetes.io/agent-check-port
ingress.kubernetes.io/agent-check-addr
ingress.kubernetes.io/agent-check-interval
ingress.kubernetes.io/agent-check-send
- Annotations or configmap options (without prefix):
- Health check #287 - doc
- Annotations or configmap options (without prefix):
ingress.kubernetes.io/health-check-uri
ingress.kubernetes.io/health-check-addr
ingress.kubernetes.io/health-check-port
ingress.kubernetes.io/health-check-interval
ingress.kubernetes.io/health-check-rise-count
ingress.kubernetes.io/health-check-fall-count
- Annotations or configmap options (without prefix):
- Configure the minimum number of free/empty servers per backend - doc
- Annotations or configmap options (without prefix):
ingress.kubernetes.io/slots-min-free
- Annotations or configmap options (without prefix):
- Add CORS Expose Headers option #268 - doc
- Annotations or configmap options (without prefix):
ingress.kubernetes.io/cors-expose-headers
- Annotations or configmap options (without prefix):
- Add SSL Engine options #269 - doc
- Configmap options:
ssl-engine
ssl-mode-async
- Configmap options:
- Add log customizations
- Add TLS ALPN option #307 - doc
- Configmap options:
tls-alpn
- Configmap options:
- Allow hostname/pod name to be used as the cookie value #286 - doc
- Annotations or configmap options (without prefix):
ingress.kubernetes.io/session-cookie-dynamic
- Annotations or configmap options (without prefix):
- Allow redispatch when drain-support is enabled #334 - doc
- Configmap options:
drain-support-redispatch
- Configmap options:
- Add snippet for defaults section #335 - doc
- Configmap options:
config-defaults
- Configmap options:
- Add option to wait defined time when SIGTERM received #363 - doc
- Command-line options:
--wait-before-shutdown
- Command-line options:
- Declare a HAProxy var with the k8s namespace #378 - doc
- Annotation or configmap options (without prefix):
ingress.kubernetes.io/var-namespace
- Annotation or configmap options (without prefix):
Fixes and improvements since v0.8-beta.1:
- Fix service port lookup #385
- Change dynamic update default values #388
- Fix port number lookup of terminating pods #389
Fixes and improvements since v0.8-beta.2:
- Make sni optional if a certificate is optional and is not provided #392
- Add custom-frontend to snippet to http:80 frontend #395
Fixes and improvements since v0.8-beta.3:
- Sort ingress using creation timestamp #405
- Add session-cookie-shared #419
- Configuration keys:
session-cookie-shared
- doc
- Configuration keys:
- Add dynamic-scaling false option #420
- Improve sorting of internal state #423
- Tuning default thread number and reload strategy #424
- Fix case on requests from 80/http #425
Fixes and improvements since v0.8-beta.4:
- Update HAProxy from 1.8.20 to 1.8.22
- Fix case on per-path backend requests #427
- Fix implementation of cross-namespace command-line option #433
- Improve fronting proxy config #434
- Configuration keys:
fronting-proxy-port
- doc
- Configuration keys:
- Fix host match with a port number #436
- Add initial-weight config key #444
- Configuration keys:
initial-weight
- doc
- Configuration keys:
- Add ip+port bind support for http/https/fronting-proxy #452
- Fix panic reading empty targetRef from ep #455
Fixes and improvements since v0.8-beta.5:
- Update HAProxy from 1.8.22 to 1.8.23
- Fix txn.namespace on http requests #463
- Do ssl-redirect only if tls declares the hostname #465
- Fix case on per-path backend maps #466
- Fix haproxy.cfg permissions #476
Fixes and improvements since v0.7.5:
- Update HAProxy from 1.8.23 to 1.8.25, which fixes CVE-2020-11100
Fixes and improvements since v0.7.4:
- Update HAProxy from 1.8.22 to 1.8.23
Fixes and improvements since v0.7.3:
- Update HAProxy from 1.8.21 to 1.8.22, which fixes a segmentation fault when using a spoe filter (ModSecurity)
Fixes and improvements since v0.7.2:
- Update HAProxy from 1.8.20 to 1.8.21
- Fix duplication of ConfigFrontend snippets for DefaultBackend #352
- Disable HTTP Basic Auth on CORS pre-flight OPTIONS request #356
Fixes and improvements since v0.7.1:
- Update HAProxy from 1.8.19 to 1.8.20
- Fix port retrieval for terminatingPod with named targetPort #331
Fixes and improvements since v0.7:
- Update libssl and libcrypto #318
Breaking backward compatibility from v0.6:
- Default blue/green deployment mode changed from
pod
todeploy
. Useingress.kubernetes.io/blue-green-mode
annotation to change to the v0.6 behavior. See also the blue/green deployment doc. - Changed default maximum ephemeral DH key size from 1024 to 2048, which might break old TLS clients. Use
ssl-dh-default-max-size
configmap option to change back to 1024 if needed. - Behavior of
ingress.kubernetes.io/server-alias
annotation was changed to mimic hostname syntax. Useingress.kubernetes.io/server-alias-regex
instead if need to use regex. See also the server-alias doc
Fixes and improvements since v0.6:
- Add SSL config on TCP services #192 - doc
- Disable health check of backends #195
- Fix endless loop if SSL/TLS secret does not exist #191
- DNS discovery of backend servers #154 - doc
- Annotations:
ingress.kubernetes.io/use-resolver
- Configmap options:
dns-accepted-payload-size
dns-cluster-domain
dns-hold-obsolete
dns-hold-valid
dns-resolvers
dns-timeout-retry
- Annotations:
- ModSecurity web application firewall #166 and #248
- Multi process and multi thread support #172
- Balance mode of blue/green deployment #201 - doc
- Annotations:
ingress.kubernetes.io/blue-green-balance
ingress.kubernetes.io/blue-green-mode
- Annotations:
- Add configuration snippet options #194 and #252 - doc
- Configmap options:
config-frontend
config-global
- Configmap options:
- Add OAuth2 support #239 - doc
- Add support to ingress/spec/backend #212
- Add SSL config on stats endpoint #193 - doc
- Configmap options:
stats-ssl-cert
- Configmap options:
- Add custom http and https port numbers #190
- Configmap options:
http-port
https-port
- Configmap options:
- Add client cert auth for backend #222 - doc
- Annotations:
ingress.kubernetes.io/secure-crt-secret
- Annotations:
- Add publish-service doc #211 - doc
- Command-line options:
--publish-service
- Command-line options:
- Add option to match URL path on wildcard hostnames #213 - doc
- Configmap options:
strict-host
- Configmap options:
- Add HSTS on default backend #214
- Add Sprig template functions #224 - Sprig doc
- Add watch-namespace command-line option #227 - doc
- Command-line options:
--watch-namespace
- Command-line options:
- Add http-port on ssl-passthrough #228 - doc
- Annotations:
ingress.kubernetes.io/ssl-passthrough-http-port
- Annotations:
- Add proxy-protocol annotation #236 - doc
- Annotations:
ingress.kubernetes.io/proxy-protocol
- Annotations:
- Add server-alias-regex annotation #250 - doc
- Annotations:
ingress.kubernetes.io/server-alias-regex
- Annotations:
- Optimize reading of default backend #234
- Add annotation and configmap validations #237
- Fix sort-backends behavior #247
Fixes and improvements since v0.7-beta.1:
- Fix ssl-passthrough (only v0.7) #258
Fixes and improvements since v0.7-beta.2:
- Fix panic if an invalid path is used on ssl-passthrough (only v0.7) #260
- Add ssl-passthrough-http-port validations #261
Fixes and improvements since v0.7-beta.3:
- Update HAProxy from 1.8.14 to 1.8.16 - fix some DNS issues
- Improve optional client cert auth #275
Fixes and improvements since v0.7-beta.4:
- Update HAProxy from 1.8.16 to 1.8.17 - fix CVE-2018-20615 (release notes)
Fixes and improvements since v0.7-beta.5:
- Fix validation of mod security conf #282
Fixes and improvements since v0.7-beta.6:
- Use SRV records on dns resolver if backend port isn’t a valid number #285
- Fix permission of frontend certs dir #293
Fixes and improvements since v0.7-beta.7:
- Update to HAProxy 1.8.19, which fixes some connection aborts on HTTP/2
- Add TLS ALPN extension advertisement #307
- Fix overlapping configs on shared frontend #308
Fixes and improvements since v0.6.3:
- Update HAProxy from 1.8.19 to 1.8.20
- Fix port retrieval for terminatingPod with named targetPort #331
Fixes and improvements since v0.6.2:
- Update libssl and libcrypto #318
Fixes and improvements since v0.6.1:
- Update HAProxy from 1.8.17 to 1.8.19, which fixes some connection aborts on HTTP/2
Fixes and improvements since v0.6:
- Update HAProxy from 1.8.14 to 1.8.17
- Fix some DNS issues
- Fix CVE-2018-20615 (release notes)
Breaking backward compatibility from v0.5:
- Usage of header
Host
to match https requests instead of using just sni extension, deprecatinguse-host-on-https
- #130 - Multibinder is deprecated, use
reusesocket
reload strategy instead - #139 - Dynamic scaling do not reload HAProxy if the number of servers of a backend could be reduced
- Broken CIDR lists -
whitelist-source-range
andlimit-whitelist
annotations - will add at least the valid CIDRs found in the list - #163 - Added
timeout-queue
configmap option which defaults to5s
.timeout-queue
didn't exist before v0.6 and its value inherits from thetimeout-connect
configuration. Starting on v0.6, changingtimeout-connect
will not changetimeout-queue
default value.
Fixes and improvements since v0.5:
- HAProxy 1.8
- Dynamic cookies on cookie based server affinity
- HTTP/2 support - #129
- Share http/s connections on the same frontend/socket - #130
- Add clear userlist on misconfigured basic auth - #71
- Fix copy endpoints to fullslots - #84
- Equality improvement on dynamic scaling - #138 and #140
- Fix precedence of hosts without wildcard and alias without regex - #149
- Add v1 as a PROXY protocol option on tcp-services - #156
- Fix Lets Encrypt certificate generation - #161
- Add valid CIDRs on whitelists #163
- New annotations:
- Cookie persistence strategy #89 - doc
ingress.kubernetes.io/session-cookie-strategy
- Blue/green deployment #125 - doc
ingress.kubernetes.io/blue-green-deploy
- Load balancing algorithm #144
ingress.kubernetes.io/balance-algorithm
- Connection limits and timeout #148 - doc
ingress.kubernetes.io/maxconn-server
ingress.kubernetes.io/maxqueue-server
ingress.kubernetes.io/timeout-queue
- CORS #151 - doc
ingress.kubernetes.io/cors-allow-origin
ingress.kubernetes.io/cors-allow-methods
ingress.kubernetes.io/cors-allow-headers
ingress.kubernetes.io/cors-allow-credentials
ingress.kubernetes.io/cors-enable
ingress.kubernetes.io/cors-max-age
- Configuration snippet #155 - doc
ingress.kubernetes.io/config-backend
- Backend servers slot increment #164 - doc
ingress.kubernetes.io/slots-increment
- Cookie persistence strategy #89 - doc
- New configmap options:
- Drain support for NotReady pods on cookie affinity backends #95 - doc
drain-support
- Timeout queue #148 - doc
timeout-queue
- Time to wait for long lived connections to finish before hard-stop a HAProxy process #150 - doc
timeout-stop
- Add option to bypass SSL/TLS redirect #161 - doc
no-tls-redirect-locations
- Add configmap options to listening IP address #162
bind-ip-addr-tcp
bind-ip-addr-http
bind-ip-addr-healthz
bind-ip-addr-stats
- Drain support for NotReady pods on cookie affinity backends #95 - doc
- New command-line options:
Fixes and improvements since v0.6-beta.1:
- Fix redirect https if path changed with rewrite-target - #179
- Fix ssl-passthrough annotation - #183 and #187
Fixes and improvements since v0.6-beta.2:
- Fix host match of rate limit on shared frontend - #202
Fixes and improvements since v0.6-beta.3:
- Fix permission denied to mkdir on OpenShift - #205
- Fix usage of custom DH params (only v0.6) - #215
- Fix redirect of non TLS hosts (only v0.6) - #231
Fixes and improvements since v0.6-beta.4:
- Fix health check of dynamic reload - #232
- Fix stop/terminate signal of the controller process - #233
Fixes and improvements since v0.6-beta.5:
- Fix SSL redirect if no TLS config is used (only v0.6) - #235
Fixes and improvements since v0.6-beta.6:
- Restrict access of sticky session cookie by client JavaScript code - #251
Fixes and improvements since v0.4
- v0.5-beta.1 changelog
- v0.5-beta.2 changelog
- v0.5-beta.3 changelog
Fixes and improvements since v0.5-beta.2
- Fix sync of excluded secrets - #102
- Fix config with long fqdn - #112
- Fix non ssl redirect on default backend - #120
Fixes and improvements since v0.5-beta.1
- Fix reading of txn.path on http-request keywords - #102
Breaking backward compatibility from v0.4
- TLS certificate validation using only SAN extension - common Name (CN) isn't used anymore. Add
--verify-hostname=false
command-line option to bypass hostname verification ingress.kubernetes.io/auth-tls-secret
annotation cannot reference another namespace without--allow-cross-namespace
command-line optiontcp-log-format
configmap option now customizes log of TCP proxies, usehttps-log-format
instead to configure log of SNI inspection (https/tcp frontend)
Fixes and improvements since v0.4
- Change from Go 1.8.1 to 1.9.2
- Implement full config of default backend - #73
- Fix removal of TLS if failing to read the secretName - #78
- New annotations:
- Rewrite path support - doc
ingress.kubernetes.io/rewrite-target
- Rate limit support - doc
ingress.kubernetes.io/limit-connections
ingress.kubernetes.io/limit-rps
ingress.kubernetes.io/limit-whitelist
- Option to include the X509 certificate on requests with client certificate - doc
ingress.kubernetes.io/auth-tls-cert-header
- HSTS support per host and location - doc
ingress.kubernetes.io/hsts
ingress.kubernetes.io/hsts-include-subdomains
ingress.kubernetes.io/hsts-max-age
ingress.kubernetes.io/hsts-preload
- Rewrite path support - doc
- New configmap options:
- Option to add and customize log of SNI inspection - https/tcp frontend - doc
https-log-format
- Option to load the server state between HAProxy reloads - doc
load-server-state
- Custom prefix of client certificate headers - doc
ssl-headers-prefix
- Support of
Host
header on TLS requests without SNI extension - docuse-host-on-https
- Option to add and customize log of SNI inspection - https/tcp frontend - doc
- New command-line options:
Fixes and improvements since v0.3
- v0.4-beta.1 changelog
- v0.4-beta.2 changelog
Fixes and improvements since v0.4-beta.1
- Fix global
maxconn
configuration - Add
X-Forwarded-Proto: https
header on ssl/tls connections
Fixes and improvements since v0.3
- Add dynamic scaling - doc
- Add monitoring URI - doc
- Add PROXY protocol configmap options - doc
UseProxyProtocol
StatsProxyProtocol
- Add log format configmap options - doc
HTTPLogFormat
TCPLogFormat
- Add stick session ingress annotations - doc
ingress.kubernetes.io/affinity
ingress.kubernetes.io/session-cookie-name
- Support for wildcard hostnames
- Better and faster synchronization after resource updates
- Support
k
,m
andg
suffix onproxy-body-size
annotation and configmap option - doc - HTTP 495 and 496 error pages on auth TLS errors
- Add TLS error page ingress annotation
ingress.kubernetes.io/auth-tls-error-page
- Add support to SSL/TLS offload outside HAProxy on a configmap option - doc
https-to-http-port
- Add support to host alias on ingress annotation - doc
ingress.kubernetes.io/server-alias
- Fix multibinder goes zombie #51 updating to multibinder 0.0.5
- Add
X-SSL
headers on client authentication with TLSX-SSL-Client-SHA1
X-SSL-Client-DN
X-SSL-Client-CN
Fixes and improvements since v0.2.1
- v0.3-beta.1 changelog - see notes about backward compatibility
- v0.3-beta.2 changelog
Fixes and improvements since v0.3-beta.1
- Add
haproxy
as the default value of--ingress-class
parameter - Fix create/remove ingress based on ingress-class annotation
Fixes and improvements since v0.2.1
Breaking backward compatibility:
- Move template to
/etc/haproxy/template/haproxy.tmpl
- Now
ingress.kubernetes.io/app-root
only applies on ingress with root path/
Other changes and improvements:
- Reload strategy with
native
andmultibinder
options - Ingress Controller check for update every 2 seconds (was every 10 seconds)
- New ingress resource annotations
ingress.kubernetes.io/proxy-body-size
ingress.kubernetes.io/secure-backends
ingress.kubernetes.io/secure-verify-ca-secret
ingress.kubernetes.io/ssl-passthrough
- New configmap options
balance-algorithm
backend-check-interval
forwardfor
hsts
hsts-include-subdomains
hsts-max-age
hsts-preload
max-connections
proxy-body-size
ssl-ciphers
ssl-dh-default-max-size
ssl-dh-param
ssl-options
stats-auth
stats-port
timeout-client
timeout-client-fin
timeout-connect
timeout-http-request
timeout-keep-alive
timeout-server
timeout-server-fin
timeout-tunnel
Fixes and improvements since v0.2
- Fixes #14 (Incorrect
X-Forwarded-For
handling)
Fixes and improvements since v0.1
- White list source IP range
- Optionally force TLS connection
- Basic (user/passwd) authentication
- Client certificate authentication
- Root context redirect
Initial version with basic functionality
- rules.hosts with paths from Ingress resource
- default and per host certificate
- 302 redirect from http to https if TLS (default or per host) is provided
- syslog-endpoint from configmap