Skip to content

Latest commit

 

History

History
1147 lines (884 loc) · 63.7 KB

CHANGELOG.md

File metadata and controls

1147 lines (884 loc) · 63.7 KB

CHANGELOG

Supported versions:

Critical fixes:

Unsupported:

v0.11.9

Fixes and improvements since v0.11.8:

  • Fix change notification of backend shard #835 (jcmoraisjr)
  • always deny requests if oauth is misconfigured (#843) ef76e17 (Joao Morais)
  • Fix ingress update to an existing backend #847 (jcmoraisjr)
  • Fix global config-backend snippet config #856 (jcmoraisjr)

v0.11.8

Fixes and improvements since v0.11.7:

  • Ensure that configured global ConfigMap exists #804 (jcmoraisjr)
  • Add disable-external-name command-line option #816 (jcmoraisjr) - doc
    • Command-line options:
      • --disable-external-name
  • Add disable-config-keywords command-line options #820 (jcmoraisjr) - doc
    • Command-line options:
      • --disable-config-keywords
  • build: remove travis-ci configs f38a933 (Joao Morais)

v0.11.7

Fixes and improvements since v0.11.6:

  • Fix reading of needFullSync status #772 (jcmoraisjr)
  • Fix domain validation on secure backend keys #791 (jcmoraisjr)
  • Use the port name on DNS resolver template #796 (jcmoraisjr)
  • Fix reading of tls secret without crt or key #799 (jcmoraisjr)
  • build: move from travis to github actions 19c275c (Joao Morais)

v0.11.6

Fixes and improvements since v0.11.5:

  • Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)

v0.11.5

Fixes and improvements since v0.11.4:

  • Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
  • Fix prefix path type if the path matches a domain #756 (jcmoraisjr)
  • Update haproxy from 2.1.11 to 2.1.12 and fixes CVE-2021-3450 (OpenSSL). fd4dd10 (Joao Morais)

v0.11.4

Fixes and improvements since v0.11.3:

  • Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
  • Fix initial weight configuration #742 (jcmoraisjr)

v0.11.3

Fixes and improvements since v0.11.2:

  • Fix shrinking of prioritized paths #736 (jcmoraisjr)

v0.11.2

Fixes and improvements since v0.11.1:

  • Clear the crt expire gauge when full sync #717 (jcmoraisjr)
  • Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
  • Readd haproxy user in the docker image #718 (jcmoraisjr)
  • Update embedded haproxy to 2.1.11 76aff6b (Joao Morais)
  • Use field converter to remove port from hdr host #729 (jcmoraisjr)
  • Add sni and verifyhost to secure connections #730 (jcmoraisjr) - doc
    • Configuration keys:
      • secure-sni
      • secure-verify-hostname
  • Fix path precedence of distinct match types #728 (jcmoraisjr)

Docs:

  • Fix prometheus config #723 (jcmoraisjr)

v0.11.1

Fixes and improvements since v0.11:

  • Use default certificate only if provided SNI isn't found #700 (jcmoraisjr)

v0.11

Highlights of this version

  • HAProxy upgrade from 2.0 to 2.1.
  • Negligible IO, CPU usage and reconciliation time, regardless the number of tracked ingress and service objects.
    • HAProxy Ingress deployed on noisy (about 10 reconciliations per minute) and big (about 4000 ingress and services) clusters used to use about 90% CPU. HAProxy Ingress v0.11 uses about 2% CPU on such clusters when using backend shards.
  • Ingress API upgrade from extensions/v1beta1 to networking.k8s.io/v1beta1.

Breaking backward compatibility from v0.10

  • Kubernetes version 1.14 or newer
  • HAProxy Ingress service account need get, list, watch and update access to networking.k8s.io api group - which was the same permissions granted to extensions/v1beta1 api group. Update your k8s role configuration before deploy v0.11. See an updated version of the deployment manifest.
  • Major refactor in the haproxy's frontents with the following visible changes:
    • Internal proxy names changed, which will impact metric dashboards that use these names
    • Internal map file names changed, which will impact configuration snippets that use them
  • timeout-client and timeout-client-fin are global scoped only - cannot use as an ingress annotation.
  • Template path changed, see the template doc.

Contributors

v0.11-beta.1

New features and improvements:

  • Update to haproxy 2.1.4 #542 (jcmoraisjr)
  • Converting to cache.Listers #545 (prometherion)
  • Sorting imports and code linting #550 (prometherion)
  • Change timeout-client(-fin) scope from host to global #552 (jcmoraisjr) - doc
    • Configuration keys:
      • timeout-client (update)
      • timeout-client-fin (update)
  • Remove frontend group #553 (jcmoraisjr)
  • Move backend data and funcs to its own entity #555 (jcmoraisjr)
  • Add host lookup with hash table #556 (jcmoraisjr)
  • Add backend lookup with hash table #557 (jcmoraisjr)
  • Move max body size to the backend #554 (jcmoraisjr)
  • Parsing and lookup optimizations #558 (jcmoraisjr)
  • Follow gofmt convention #564 (jcmoraisjr)
  • Move listers and informers to the new controller #563 (jcmoraisjr)
  • Add check interval on tcp service #576 (jcmoraisjr) - doc
    • Command-line options:
      • --tcp-services-configmap (update)
  • Add use-forwarded-proto config key #577 (jcmoraisjr) - doc
    • Configuration keys:
      • use-forwarded-proto
  • Add headers config key #575 (jcmoraisjr) - doc
    • Configuration keys:
      • headers
  • Allow overriding CPU Map #588 (coldeasy) - doc
    • Configuration keys:
      • cpu-map
      • use-cpu-map
  • TCP Services : SSL : Optionally Verify Client #589 (hileef) - doc
    • Command-line options:
      • --tcp-services-configmap (update)
  • Add session-cookie-keywords #601 (MartinKirchner) - doc
    • Configuration keys:
      • session-cookie-keywords
  • Host scoped cipher options #609 (Unichron) - doc
    • Configuration keys:
      • ssl-cipher-suites
      • ssl-ciphers
  • Update deprecated APIs in Docs #613 (rikatz)
  • Improve parsing time on big clusters #571 (jcmoraisjr)
  • Add backend-shards command-line option #623 (jcmoraisjr) - doc
    • Command-line options:
      • --backend-shards
  • Add disable-pod-list command-line option #622 (jcmoraisjr) - doc
    • Command-line options:
      • --disable-pod-list
  • Log changed objects #625 (jcmoraisjr)
  • Optimize haproxy maps building #629 (jcmoraisjr)
  • Shrink list of changed hosts and backends #630 (jcmoraisjr)
  • Host scope tls-alpn and ssl-options #617 (Unichron)
    • Configuration keys:
      • ssl-options-backend - doc
      • ssl-options-host - doc
      • tls-alpn - doc
  • Update to haproxy 2.1.8 #635 (jcmoraisjr)
  • Partial build of backend maps #637 (jcmoraisjr)
  • Update to client-go v0.18.6 #638 (jcmoraisjr)
  • Update to go1.13.15 #640 (jcmoraisjr)
  • Add support to multiple match types #641 (jcmoraisjr)
    • Configuration keys:
      • path-type - doc
  • Improve backend shrinking #644 (jcmoraisjr)
  • Improve time of frontend maps build #647 (jcmoraisjr)
  • Move files to /etc, /var/lib or /var/run dirs #654 (jcmoraisjr)
  • Add wait-before-update command-line option #658 (jcmoraisjr)

Fixes:

  • Fix logging messages #559 (jcmoraisjr)
  • Fix server-alias on http/80 #570 (AlexisDuf)
  • Fix permission using watch-namespace #578 (jcmoraisjr)
  • Fix watch-namespace option #579 (jcmoraisjr)
  • Fix cleaning cache of changed objects #626 (jcmoraisjr)
  • Configure default crt on ingress parsing phase #634 (jcmoraisjr)
  • Add hostname and backend tracking on addIngress #646 (jcmoraisjr)
  • Fix sigsegv tracking added ingress #648 (jcmoraisjr)
  • Add implicit starting boundary char in regex path match #651 (jcmoraisjr)
  • Fix tracking and partial parsing of spec.backend #653 (jcmoraisjr)
  • Fix ssl-passthrough counter #656 (jcmoraisjr)

Docs:

  • Fixed typos #580 (Shagon94)
  • Typo on configuration keys docs #585 (RobertTheProfessional)

v0.11-beta.2

Fixes and improvements since v0.11-beta.1:

  • Fix rewrite target match #668 (jcmoraisjr)

v0.11-beta.3

Fixes and improvements since v0.11-beta.2:

  • Implement sort-backends #677 (jcmoraisjr)
  • Add --sort-endpoints-by command-line option #678 (jcmoraisjr)
    • Configuration keys:
      • --sort-endpoints-by - doc
  • Fix dynamic update of the default backend #680 (jcmoraisjr)
  • Update embedded haproxy to 2.1.9 06f2e65 (Joao Morais)

v0.11-beta.4

Fixes and improvements since v0.11-beta.3:

  • Fix line too long on backend parsing #683 (jcmoraisjr)
  • Fix basic auth backend tracking #688 (jcmoraisjr)
  • Allow signer to work with wildcard dns certs #695 (pbabilas)
  • Improve certificate validation of acme signer #689 (jcmoraisjr)
  • Update haproxy from 2.1.9 to 2.1.10 9763c63 (Joao Morais)

v0.9.3

  • Allow signer to work with wildcard dns certs #695 (pbabilas)
  • Add path scope #705 (jcmoraisjr)
  • Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
  • Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
  • Fix initial weight configuration #742 (jcmoraisjr)
  • Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
  • Fix backend matches if hostname uses wildcard #752 (jcmoraisjr)
  • Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)

v0.9.2

Fixes and improvements since v0.9.1:

  • Implement sort-backends #677 (jcmoraisjr)

v0.9.1

Fixes and improvements since v0.9:

  • Update HAProxy from 1.9.15 to 1.9.16
  • Add service event handler #633
  • Configure default crt on ingress parsing phase #634

Docs:

  • Typo on configuration keys docs #585

v0.9

v0.9-beta.1

Breaking backward compatibility from v0.8:

  • TLS 1.0 and 1.1 was dropped in the default configuration. Several cipher suites was dropped as well, mostly non ephemeral key exchange algorithms. This might break old http clients. See the v0.8 default values in the SSL cipher suite and SSL options docs and adjust the configuration if needed.
  • Some default configurations was changed to improve performance of a vanilla deployment, this might cause unexpected behaviour:
    • Default dynamic-scaling configuration key was changed from false to true
    • Default nbthread configuration key was changed from 1 to 2
    • Default --reload-strategy command-line option was changed from native to reusesocket

Highlights of this version:

  • HAProxy upgrade from 1.8 to 1.9
  • HTTP/2 support in the backend side
  • TLS 1.3 support
  • Certificate update using ACME-v2 protocol
  • Ability to run as non-root, see the security doc

New features:

  • Use one bind per frontend #382
  • Update to haproxy 1.9.10 #381
  • Add h2 backend proto and use-htx global option #387
    • Configuration keys:
      • ingress.kubernetes.io/backend-protocol - doc
      • use-htx - doc
  • Make sni optional if a certificate is optional and is not provided #392
  • Add custom-frontend snippet to http:80 frontend #395
  • Join samples using concat #393
  • Use 421 response if sni and headers does not match #394
  • Add syslog-length configmap option #396 - doc
    • Configuration keys:
      • ingress.kubernetes.io/syslog-length
  • Add CRL Support in the TLS Secret for Client Authentication #328
  • Add CRL support in the new controller #399
    • Configuration keys:
      • ingress.kubernetes.io/auth-tls-secret - new optional file ca.crl - doc
      • ingress.kubernetes.io/secure-verify-ca-secret - new optional file ca.crl - doc
  • Add per request deployment group selection - blue/green deployment #402 - doc
    • Configuration keys:
      • ingress.kubernetes.io/blue-green-cookie
      • ingress.kubernetes.io/blue-green-header
  • Sort ingress using creation timestamp #405
  • Update default TLS versions and ciphers for client and server connections #403 - doc
    • Configuration keys:
      • ssl-cipher-suites
      • ssl-cipher-suites-backend
      • ssl-ciphers-backend
  • Update to haproxy 1.9.11 #406
  • Add session-cookie-shared #419
  • Add dynamic-scaling false option #420
  • Improve sorting of internal state #423
  • Tuning default thread number and reload strategy #424
  • Add leader election #431
  • Add work queue #430
  • Add forwardfor option - update #437 - doc
    • Configuration keys:
      • ingress.kubernetes.io/forwardfor - new option update
  • Add support for Mod Security DetectionOnly Mode #443 - doc
    • Configuration keys:
      • ingress.kubernetes.io/waf-mode
  • Add initial-weight config key #444
  • Improve fronting proxy config #434
  • Update Go version and use Go mod #439
  • Update to haproxy 1.9.12 #446
  • Initialize leader election only if needed #447
  • Add ip+port bind support for http/https/fronting-proxy #452
  • Add failure rate limit on work queue #457
  • Customizable goarch #472
  • dumb-init added from alpine repo #471
  • Add acme v02 support #391
    • Configuration keys - doc:
      • acme-emails
      • acme-endpoint
      • acme-expiring
      • acme-shared
      • acme-terms-agreed
      • ingress.kubernetes.io/cert-signer
    • Command-line options - doc:
      • --acme-check-period
      • --acme-election-id
      • --acme-fail-initial-duration
      • --acme-fail-max-duration
      • --acme-secret-key-name
      • --acme-server
      • --acme-token-configmap-name
      • --acme-track-tls-annotation
  • Update to haproxy 1.9.13 #475
  • Update dependencies to k8s 1.16.3 #474
  • Add 4xx error pages and CORS Preflight as Lua services #481
  • Check acme account before retrieving #479
  • Improve equality comparison with acme changes #478
  • Add security options #484 - doc
    • Configuration keys:
      • use-chroot
      • use-haproxy-user

Fixes:

  • Fix case on requests from 80/http #425
  • Fix case on per-path backend requests #427
  • Fix cross-namespace command-line option #433
  • Fix host match with a port number #436
  • Fix hostname match of domains with client cert auth #453
  • Fix panic reading empty targetRef from ep #455
  • Fix txn.namespace on http requests #463
  • Do ssl-redirect only if tls declares the hostname #465
  • Fix case on per-path backend maps #466
  • Use the found match pattern #468
  • Improve response error on sni mismatch #470
  • Fix haproxy.cfg permissions #476

Docs:

  • docs: update deployment and DaemonSet APIs to apps/v1 #415
  • docs: starting version #417
  • docs: update deploy and ds api to apps/v1 #422
  • docs: defaults for cors-allow-methods and -headers #445

v0.9-beta.2

Fixes and improvements since v0.9-beta.1:

  • Change unix sockets user to haproxy #504
  • Sort tcp services by name and port #506
  • Add backend-server-naming key #507 - doc
    • Configuration keys:
      • backend-server-naming
  • Add auth-tls-strict configuration key #513 - doc
    • Configuration keys:
      • auth-tls-strict
  • Remove haproxy warning filter #514
  • Create frontends even without ingress #516

v0.9-beta.3

Fixes and improvements since v0.9-beta.2:

  • Fix TLS handshake on backend #520
  • Update haproxy from 1.9.13 to 1.9.14
  • Clear acme work queue on stopped leading #526
  • Restart the leader elector when stop leading #532
  • Improve certificate sign logs #533
  • Fix race on failure rate limit queue #534

v0.9-beta.4

Fixes and improvements since v0.9-beta.3:

  • Add external call to certificate check #539 - doc
  • Update HAProxy from 1.9.14 to 1.9.15, which fixes CVE-2020-11100

v0.9-post-beta.4 (match v0.9)

Fixes and improvements since v0.9-beta.4:

  • Fix logging messages #559
  • Fix server-alias on http/80 #570

v0.8.7

Fixes and improvements since v0.8.6:

  • Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
  • Update embedded haproxy to 1.8.28 38f0194 (Joao Morais)
  • Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
  • Fix initial weight configuration #742 (jcmoraisjr)
  • Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
  • Fix backend matches if hostname uses wildcard #752 (jcmoraisjr)
  • Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)
  • Update haproxy from 1.8.28 to 1.8.30 91fecdc (Joao Morais)

v0.8.6

Fixes and improvements since v0.8.5:

  • Implement sort-backends #677 (jcmoraisjr)
  • Update embedded haproxy to 1.8.26 8ac9051 (Joao Morais)

v0.8.5

Fixes and improvements since v0.8.4:

  • Add service event handler #633
  • Configure default crt on ingress parsing phase #634

v0.8.4

Fixes and improvements since v0.8.3:

  • Fix server-alias on http/80 #570

v0.8.3

Fixes and improvements since v0.8.2:

  • Update HAProxy from 1.8.24 to 1.8.25, which fixes CVE-2020-11100

v0.8.2

Fixes and improvements since v0.8.1:

  • Update HAProxy from 1.8.23 to 1.8.24

v0.8.1

Fixes and improvements since v0.8:

  • Sort tcp services by name and port #506
  • Add backend-server-naming key #507 - doc
    • Configuration keys:
      • backend-server-naming
  • Add auth-tls-strict configuration key #513 - doc
    • Configuration keys:
      • auth-tls-strict
  • Remove haproxy warning filter #514
  • Create frontends even without ingress #516

v0.8

v0.8-beta.1

Breaking backward compatibility from v0.7:

Note: A new configuration parser and HAProxy config builder is in place. Despite declared incompatibility changes listed below, all configuration options and behavior should be preserved. Please file an issue if something changed in the v0.8 controller which is not listed here.

  • HAProxy's backend naming convention used for services changed from <namespace>-<svcname>-<port> to <namespace>_<svcname>_<port> in order to avoid ambiguity. This should impact as least logging filters and metrics dashboards.
  • All the other HAProxy's proxy names changed as well - check your logging filters and metrics dashboards.
  • nbproc-ssl global configmap option wasn't reimplemented in v0.8, consider use nbthread instead.
  • strict-host global configmap option changed the default value from true to false. See strict-host doc.
  • dynamic-scaling configuration key changed the default value from false to true
  • nbthread configuration key changed the default value from 1 to 2
  • reload-strategy command-line option changed the default value from native to reusesocket
  • A missing --sort-backends command-line option does not shuffle endpoints anymore

The --v07-controller=true command-line option can be used to revert to the old controller and behavior. Note that in this case the *-v07.tmpl templates will be used instead. This option will be removed on v0.10.

Improvements on the new internal representation and converters:

  • Main issue #274
  • Pull requests part1, part2, part3, part4, part5, part6
  • About 80% of the controller was rewritten from scratch. The new code base has more consistent behavior, it's more decoupled, easier to understand, test and evolve, and ready to ingress v2 without breaking compatibility with ingress v1. The new configuration is also a lot faster - the bigger the cluster, the faster the config generated by the v0.8 controller.
  • Configmap and annotations: declare annotations with prefix (defaults to ingress.kubernetes.io) on services or ingress objects, declare without prefix as a global configmap option. The configmap declaration act as a default value, and service takes precedence in the case of conflict with ingress.
  • The mode tcp frontend will be used only if needed:
    • Authentication with client certificate is used - this will not be a limitation on v0.9 controller and HAProxy 1.9.x
    • ssl-passthrough is used
    • Conflicting timeout client declared as annotations
  • Fix HAProxy config parsing of a very long list of whitelist CIDRs or a very long list of overlapping /paths in the same domain

Fixes and improvements since v0.7:

  • Fix duplication of ConfigFrontend snippets for DefaultBackend #352
  • Fix port retrieval for terminatingPod with named targetPort #331
  • Disable HTTP Basic Auth on CORS pre-flight OPTIONS request #356
  • Configure annotation prefix - doc
    • Command-line options:
      • --annotations-prefix
  • Agent check #287 - doc
    • Annotations or configmap options (without prefix):
      • ingress.kubernetes.io/agent-check-port
      • ingress.kubernetes.io/agent-check-addr
      • ingress.kubernetes.io/agent-check-interval
      • ingress.kubernetes.io/agent-check-send
  • Health check #287 - doc
    • Annotations or configmap options (without prefix):
      • ingress.kubernetes.io/health-check-uri
      • ingress.kubernetes.io/health-check-addr
      • ingress.kubernetes.io/health-check-port
      • ingress.kubernetes.io/health-check-interval
      • ingress.kubernetes.io/health-check-rise-count
      • ingress.kubernetes.io/health-check-fall-count
  • Configure the minimum number of free/empty servers per backend - doc
    • Annotations or configmap options (without prefix):
      • ingress.kubernetes.io/slots-min-free
  • Add CORS Expose Headers option #268 - doc
    • Annotations or configmap options (without prefix):
      • ingress.kubernetes.io/cors-expose-headers
  • Add SSL Engine options #269 - doc
    • Configmap options:
      • ssl-engine
      • ssl-mode-async
  • Add log customizations
  • Add TLS ALPN option #307 - doc
    • Configmap options:
      • tls-alpn
  • Allow hostname/pod name to be used as the cookie value #286 - doc
    • Annotations or configmap options (without prefix):
      • ingress.kubernetes.io/session-cookie-dynamic
  • Allow redispatch when drain-support is enabled #334 - doc
    • Configmap options:
      • drain-support-redispatch
  • Add snippet for defaults section #335 - doc
    • Configmap options:
      • config-defaults
  • Add option to wait defined time when SIGTERM received #363 - doc
    • Command-line options:
      • --wait-before-shutdown
  • Declare a HAProxy var with the k8s namespace #378 - doc
    • Annotation or configmap options (without prefix):
      • ingress.kubernetes.io/var-namespace

v0.8-beta.2

Fixes and improvements since v0.8-beta.1:

  • Fix service port lookup #385
  • Change dynamic update default values #388
  • Fix port number lookup of terminating pods #389

v0.8-beta.3

Fixes and improvements since v0.8-beta.2:

  • Make sni optional if a certificate is optional and is not provided #392
  • Add custom-frontend to snippet to http:80 frontend #395

v0.8-beta.4

Fixes and improvements since v0.8-beta.3:

  • Sort ingress using creation timestamp #405
  • Add session-cookie-shared #419
    • Configuration keys:
      • session-cookie-shared - doc
  • Add dynamic-scaling false option #420
  • Improve sorting of internal state #423
  • Tuning default thread number and reload strategy #424
  • Fix case on requests from 80/http #425

v0.8-beta.5

Fixes and improvements since v0.8-beta.4:

  • Update HAProxy from 1.8.20 to 1.8.22
  • Fix case on per-path backend requests #427
  • Fix implementation of cross-namespace command-line option #433
  • Improve fronting proxy config #434
    • Configuration keys:
      • fronting-proxy-port - doc
  • Fix host match with a port number #436
  • Add initial-weight config key #444
    • Configuration keys:
      • initial-weight - doc
  • Add ip+port bind support for http/https/fronting-proxy #452
    • Configuration keys:
      • bind-fronting-proxy - doc
      • bind-http - doc
      • bind-https - doc
  • Fix panic reading empty targetRef from ep #455

v0.8-post-beta.5 (match v0.8)

Fixes and improvements since v0.8-beta.5:

  • Update HAProxy from 1.8.22 to 1.8.23
  • Fix txn.namespace on http requests #463
  • Do ssl-redirect only if tls declares the hostname #465
  • Fix case on per-path backend maps #466
  • Fix haproxy.cfg permissions #476

v0.7.6

Fixes and improvements since v0.7.5:

  • Update HAProxy from 1.8.23 to 1.8.25, which fixes CVE-2020-11100

v0.7.5

Fixes and improvements since v0.7.4:

  • Update HAProxy from 1.8.22 to 1.8.23

v0.7.4

Fixes and improvements since v0.7.3:

  • Update HAProxy from 1.8.21 to 1.8.22, which fixes a segmentation fault when using a spoe filter (ModSecurity)

v0.7.3

Fixes and improvements since v0.7.2:

  • Update HAProxy from 1.8.20 to 1.8.21
  • Fix duplication of ConfigFrontend snippets for DefaultBackend #352
  • Disable HTTP Basic Auth on CORS pre-flight OPTIONS request #356

v0.7.2

Fixes and improvements since v0.7.1:

  • Update HAProxy from 1.8.19 to 1.8.20
  • Fix port retrieval for terminatingPod with named targetPort #331

v0.7.1

Fixes and improvements since v0.7:

  • Update libssl and libcrypto #318

v0.7

v0.7-beta.1

Breaking backward compatibility from v0.6:

  • Default blue/green deployment mode changed from pod to deploy. Use ingress.kubernetes.io/blue-green-mode annotation to change to the v0.6 behavior. See also the blue/green deployment doc.
  • Changed default maximum ephemeral DH key size from 1024 to 2048, which might break old TLS clients. Use ssl-dh-default-max-size configmap option to change back to 1024 if needed.
  • Behavior of ingress.kubernetes.io/server-alias annotation was changed to mimic hostname syntax. Use ingress.kubernetes.io/server-alias-regex instead if need to use regex. See also the server-alias doc

Fixes and improvements since v0.6:

  • Add SSL config on TCP services #192 - doc
  • Disable health check of backends #195
  • Fix endless loop if SSL/TLS secret does not exist #191
  • DNS discovery of backend servers #154 - doc
    • Annotations:
      • ingress.kubernetes.io/use-resolver
    • Configmap options:
      • dns-accepted-payload-size
      • dns-cluster-domain
      • dns-hold-obsolete
      • dns-hold-valid
      • dns-resolvers
      • dns-timeout-retry
  • ModSecurity web application firewall #166 and #248
    • Template file - doc
    • Annotations:
      • ingress.kubernetes.io/waf - doc
    • Configmap options:
      • modsecurity-endpoints - doc
      • modsecurity-timeout-hello - doc
      • modsecurity-timeout-idle - doc
      • modsecurity-timeout-processing - doc
  • Multi process and multi thread support #172
    • Configmap options:
      • nbproc-ssl - doc
      • nbthread - doc
  • Balance mode of blue/green deployment #201 - doc
    • Annotations:
      • ingress.kubernetes.io/blue-green-balance
      • ingress.kubernetes.io/blue-green-mode
  • Add configuration snippet options #194 and #252 - doc
    • Configmap options:
      • config-frontend
      • config-global
  • Add OAuth2 support #239 - doc
  • Add support to ingress/spec/backend #212
  • Add SSL config on stats endpoint #193 - doc
    • Configmap options:
      • stats-ssl-cert
  • Add custom http and https port numbers #190
    • Configmap options:
      • http-port
      • https-port
  • Add client cert auth for backend #222 - doc
    • Annotations:
      • ingress.kubernetes.io/secure-crt-secret
  • Add publish-service doc #211 - doc
    • Command-line options:
      • --publish-service
  • Add option to match URL path on wildcard hostnames #213 - doc
    • Configmap options:
      • strict-host
  • Add HSTS on default backend #214
  • Add Sprig template functions #224 - Sprig doc
  • Add watch-namespace command-line option #227 - doc
    • Command-line options:
      • --watch-namespace
  • Add http-port on ssl-passthrough #228 - doc
    • Annotations:
      • ingress.kubernetes.io/ssl-passthrough-http-port
  • Add proxy-protocol annotation #236 - doc
    • Annotations:
      • ingress.kubernetes.io/proxy-protocol
  • Add server-alias-regex annotation #250 - doc
    • Annotations:
      • ingress.kubernetes.io/server-alias-regex
  • Optimize reading of default backend #234
  • Add annotation and configmap validations #237
  • Fix sort-backends behavior #247

v0.7-beta.2

Fixes and improvements since v0.7-beta.1:

  • Fix ssl-passthrough (only v0.7) #258

v0.7-beta.3

Fixes and improvements since v0.7-beta.2:

  • Fix panic if an invalid path is used on ssl-passthrough (only v0.7) #260
  • Add ssl-passthrough-http-port validations #261

v0.7-beta.4

Fixes and improvements since v0.7-beta.3:

  • Update HAProxy from 1.8.14 to 1.8.16 - fix some DNS issues
  • Improve optional client cert auth #275

v0.7-beta.5

Fixes and improvements since v0.7-beta.4:

  • Update HAProxy from 1.8.16 to 1.8.17 - fix CVE-2018-20615 (release notes)

v0.7-beta.6

Fixes and improvements since v0.7-beta.5:

  • Fix validation of mod security conf #282

v0.7-beta.7

Fixes and improvements since v0.7-beta.6:

  • Use SRV records on dns resolver if backend port isn’t a valid number #285
  • Fix permission of frontend certs dir #293

v0.7-beta.8

Fixes and improvements since v0.7-beta.7:

  • Update to HAProxy 1.8.19, which fixes some connection aborts on HTTP/2
  • Add TLS ALPN extension advertisement #307
  • Fix overlapping configs on shared frontend #308

v0.6.4

Fixes and improvements since v0.6.3:

  • Update HAProxy from 1.8.19 to 1.8.20
  • Fix port retrieval for terminatingPod with named targetPort #331

v0.6.3

Fixes and improvements since v0.6.2:

  • Update libssl and libcrypto #318

v0.6.2

Fixes and improvements since v0.6.1:

  • Update HAProxy from 1.8.17 to 1.8.19, which fixes some connection aborts on HTTP/2

v0.6.1

Fixes and improvements since v0.6:

  • Update HAProxy from 1.8.14 to 1.8.17

v0.6

v0.6-beta.1

Breaking backward compatibility from v0.5:

  • Usage of header Host to match https requests instead of using just sni extension, deprecating use-host-on-https - #130
  • Multibinder is deprecated, use reusesocket reload strategy instead - #139
  • Dynamic scaling do not reload HAProxy if the number of servers of a backend could be reduced
  • Broken CIDR lists - whitelist-source-range and limit-whitelist annotations - will add at least the valid CIDRs found in the list - #163
  • Added timeout-queue configmap option which defaults to 5s. timeout-queue didn't exist before v0.6 and its value inherits from the timeout-connect configuration. Starting on v0.6, changing timeout-connect will not change timeout-queue default value.

Fixes and improvements since v0.5:

  • HAProxy 1.8
  • Dynamic cookies on cookie based server affinity
  • HTTP/2 support - #129
  • Share http/s connections on the same frontend/socket - #130
  • Add clear userlist on misconfigured basic auth - #71
  • Fix copy endpoints to fullslots - #84
  • Equality improvement on dynamic scaling - #138 and #140
  • Fix precedence of hosts without wildcard and alias without regex - #149
  • Add v1 as a PROXY protocol option on tcp-services - #156
  • Fix Lets Encrypt certificate generation - #161
  • Add valid CIDRs on whitelists #163
  • New annotations:
    • Cookie persistence strategy #89 - doc
      • ingress.kubernetes.io/session-cookie-strategy
    • Blue/green deployment #125 - doc
      • ingress.kubernetes.io/blue-green-deploy
    • Load balancing algorithm #144
      • ingress.kubernetes.io/balance-algorithm
    • Connection limits and timeout #148 - doc
      • ingress.kubernetes.io/maxconn-server
      • ingress.kubernetes.io/maxqueue-server
      • ingress.kubernetes.io/timeout-queue
    • CORS #151 - doc
      • ingress.kubernetes.io/cors-allow-origin
      • ingress.kubernetes.io/cors-allow-methods
      • ingress.kubernetes.io/cors-allow-headers
      • ingress.kubernetes.io/cors-allow-credentials
      • ingress.kubernetes.io/cors-enable
      • ingress.kubernetes.io/cors-max-age
    • Configuration snippet #155 - doc
      • ingress.kubernetes.io/config-backend
    • Backend servers slot increment #164 - doc
      • ingress.kubernetes.io/slots-increment
  • New configmap options:
    • Drain support for NotReady pods on cookie affinity backends #95 - doc
      • drain-support
    • Timeout queue #148 - doc
      • timeout-queue
    • Time to wait for long lived connections to finish before hard-stop a HAProxy process #150 - doc
      • timeout-stop
    • Add option to bypass SSL/TLS redirect #161 - doc
      • no-tls-redirect-locations
    • Add configmap options to listening IP address #162
      • bind-ip-addr-tcp
      • bind-ip-addr-http
      • bind-ip-addr-healthz
      • bind-ip-addr-stats
  • New command-line options:
    • Maximum timestamped config files #123 - doc
      • --max-old-config-files

v0.6-beta.2

Fixes and improvements since v0.6-beta.1:

  • Fix redirect https if path changed with rewrite-target - #179
  • Fix ssl-passthrough annotation - #183 and #187

v0.6-beta.3

Fixes and improvements since v0.6-beta.2:

  • Fix host match of rate limit on shared frontend - #202

v0.6-beta.4

Fixes and improvements since v0.6-beta.3:

  • Fix permission denied to mkdir on OpenShift - #205
  • Fix usage of custom DH params (only v0.6) - #215
  • Fix redirect of non TLS hosts (only v0.6) - #231

v0.6-beta.5

Fixes and improvements since v0.6-beta.4:

  • Fix health check of dynamic reload - #232
  • Fix stop/terminate signal of the controller process - #233

v0.6-beta.6

Fixes and improvements since v0.6-beta.5:

  • Fix SSL redirect if no TLS config is used (only v0.6) - #235

v0.6-post-beta.6 (match v0.6)

Fixes and improvements since v0.6-beta.6:

  • Restrict access of sticky session cookie by client JavaScript code - #251

v0.5

Fixes and improvements since v0.4

v0.5-beta.3

Fixes and improvements since v0.5-beta.2

  • Fix sync of excluded secrets - #102
  • Fix config with long fqdn - #112
  • Fix non ssl redirect on default backend - #120

v0.5-beta.2

Fixes and improvements since v0.5-beta.1

  • Fix reading of txn.path on http-request keywords - #102

v0.5-beta.1

Breaking backward compatibility from v0.4

  • TLS certificate validation using only SAN extension - common Name (CN) isn't used anymore. Add --verify-hostname=false command-line option to bypass hostname verification
  • ingress.kubernetes.io/auth-tls-secret annotation cannot reference another namespace without --allow-cross-namespace command-line option
  • tcp-log-format configmap option now customizes log of TCP proxies, use https-log-format instead to configure log of SNI inspection (https/tcp frontend)

Fixes and improvements since v0.4

  • Change from Go 1.8.1 to 1.9.2
  • Implement full config of default backend - #73
  • Fix removal of TLS if failing to read the secretName - #78
  • New annotations:
    • Rewrite path support - doc
      • ingress.kubernetes.io/rewrite-target
    • Rate limit support - doc
      • ingress.kubernetes.io/limit-connections
      • ingress.kubernetes.io/limit-rps
      • ingress.kubernetes.io/limit-whitelist
    • Option to include the X509 certificate on requests with client certificate - doc
      • ingress.kubernetes.io/auth-tls-cert-header
    • HSTS support per host and location - doc
      • ingress.kubernetes.io/hsts
      • ingress.kubernetes.io/hsts-include-subdomains
      • ingress.kubernetes.io/hsts-max-age
      • ingress.kubernetes.io/hsts-preload
  • New configmap options:
    • Option to add and customize log of SNI inspection - https/tcp frontend - doc
      • https-log-format
    • Option to load the server state between HAProxy reloads - doc
      • load-server-state
    • Custom prefix of client certificate headers - doc
      • ssl-headers-prefix
    • Support of Host header on TLS requests without SNI extension - doc
      • use-host-on-https
  • New command-line options:
    • Custom rate limit of HAProxy reloads - doc
      • --rate-limit-update
    • Support of loading secrets between another namespaces - doc
      • --allow-cross-namespace
    • TCP services - doc
      • --tcp-services-configmap
    • Option to skip X509 certificate verification of the hostname - doc
      • --verify-hostname

v0.4

Fixes and improvements since v0.3

v0.4-beta.2

Fixes and improvements since v0.4-beta.1

  • Fix global maxconn configuration
  • Add X-Forwarded-Proto: https header on ssl/tls connections

v0.4-beta.1

Fixes and improvements since v0.3

  • Add dynamic scaling - doc
  • Add monitoring URI - doc
  • Add PROXY protocol configmap options - doc
    • UseProxyProtocol
    • StatsProxyProtocol
  • Add log format configmap options - doc
    • HTTPLogFormat
    • TCPLogFormat
  • Add stick session ingress annotations - doc
    • ingress.kubernetes.io/affinity
    • ingress.kubernetes.io/session-cookie-name
  • Support for wildcard hostnames
  • Better and faster synchronization after resource updates
  • Support k, m and g suffix on proxy-body-size annotation and configmap option - doc
  • HTTP 495 and 496 error pages on auth TLS errors
  • Add TLS error page ingress annotation
    • ingress.kubernetes.io/auth-tls-error-page
  • Add support to SSL/TLS offload outside HAProxy on a configmap option - doc
    • https-to-http-port
  • Add support to host alias on ingress annotation - doc
    • ingress.kubernetes.io/server-alias
  • Fix multibinder goes zombie #51 updating to multibinder 0.0.5
  • Add X-SSL headers on client authentication with TLS
    • X-SSL-Client-SHA1
    • X-SSL-Client-DN
    • X-SSL-Client-CN

v0.3

Fixes and improvements since v0.2.1

v0.3-beta.2

Fixes and improvements since v0.3-beta.1

  • Add haproxy as the default value of --ingress-class parameter
  • Fix create/remove ingress based on ingress-class annotation

v0.3-beta.1

Fixes and improvements since v0.2.1

Breaking backward compatibility:

  • Move template to /etc/haproxy/template/haproxy.tmpl
  • Now ingress.kubernetes.io/app-root only applies on ingress with root path /

Other changes and improvements:

  • Reload strategy with native and multibinder options
  • Ingress Controller check for update every 2 seconds (was every 10 seconds)
  • New ingress resource annotations
    • ingress.kubernetes.io/proxy-body-size
    • ingress.kubernetes.io/secure-backends
    • ingress.kubernetes.io/secure-verify-ca-secret
    • ingress.kubernetes.io/ssl-passthrough
  • New configmap options
    • balance-algorithm
    • backend-check-interval
    • forwardfor
    • hsts
    • hsts-include-subdomains
    • hsts-max-age
    • hsts-preload
    • max-connections
    • proxy-body-size
    • ssl-ciphers
    • ssl-dh-default-max-size
    • ssl-dh-param
    • ssl-options
    • stats-auth
    • stats-port
    • timeout-client
    • timeout-client-fin
    • timeout-connect
    • timeout-http-request
    • timeout-keep-alive
    • timeout-server
    • timeout-server-fin
    • timeout-tunnel

v0.2.1

Fixes and improvements since v0.2

  • Fixes #14 (Incorrect X-Forwarded-For handling)

v0.2

Fixes and improvements since v0.1

  • White list source IP range
  • Optionally force TLS connection
  • Basic (user/passwd) authentication
  • Client certificate authentication
  • Root context redirect

v0.1

Initial version with basic functionality

  • rules.hosts with paths from Ingress resource
  • default and per host certificate
  • 302 redirect from http to https if TLS (default or per host) is provided
  • syslog-endpoint from configmap