Supported versions:
Critical fixes:
Unsupported:
Fixes and improvements since v0.11.8:
- Fix change notification of backend shard #835 (jcmoraisjr)
- always deny requests if oauth is misconfigured (#843) ef76e17 (Joao Morais)
- Fix ingress update to an existing backend #847 (jcmoraisjr)
- Fix global config-backend snippet config #856 (jcmoraisjr)
Fixes and improvements since v0.11.7:
- Ensure that configured global ConfigMap exists #804 (jcmoraisjr)
- Add disable-external-name command-line option #816 (jcmoraisjr) - doc
  - Command-line options: --disable-external-name
- Add disable-config-keywords command-line options #820 (jcmoraisjr) - doc
  - Command-line options: --disable-config-keywords
- build: remove travis-ci configs f38a933 (Joao Morais)
Fixes and improvements since v0.11.6:
- Fix reading of needFullSync status #772 (jcmoraisjr)
- Fix domain validation on secure backend keys #791 (jcmoraisjr)
- Use the port name on DNS resolver template #796 (jcmoraisjr)
- Fix reading of tls secret without crt or key #799 (jcmoraisjr)
- build: move from travis to github actions 19c275c (Joao Morais)
Fixes and improvements since v0.11.5:
- Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)
Fixes and improvements since v0.11.4:
- Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
- Fix prefix path type if the path matches a domain #756 (jcmoraisjr)
- Update haproxy from 2.1.11 to 2.1.12 and fixes CVE-2021-3450 (OpenSSL). fd4dd10 (Joao Morais)
Fixes and improvements since v0.11.3:
- Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
- Fix initial weight configuration #742 (jcmoraisjr)
Fixes and improvements since v0.11.2:
- Fix shrinking of prioritized paths #736 (jcmoraisjr)
Fixes and improvements since v0.11.1:
- Clear the crt expire gauge when full sync #717 (jcmoraisjr)
- Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
- Readd haproxy user in the docker image #718 (jcmoraisjr)
- Update embedded haproxy to 2.1.11 76aff6b (Joao Morais)
- Use field converter to remove port from hdr host #729 (jcmoraisjr)
- Add sni and verifyhost to secure connections #730 (jcmoraisjr) - doc
  - Configuration keys: secure-sni, secure-verify-hostname
- Fix path precedence of distinct match types #728 (jcmoraisjr)
Docs:
- Fix prometheus config #723 (jcmoraisjr)
Fixes and improvements since v0.11:
- Use default certificate only if provided SNI isn't found #700 (jcmoraisjr)
Highlights of this version
- HAProxy upgrade from 2.0 to 2.1.
- Negligible IO, CPU usage and reconciliation time, regardless of the number of tracked ingress and service objects.
- HAProxy Ingress deployed on noisy (about 10 reconciliations per minute) and big (about 4000 ingress and services) clusters used to use about 90% CPU. HAProxy Ingress v0.11 uses about 2% CPU on such clusters when using backend shards.
- Ingress API upgrade from extensions/v1beta1 to networking.k8s.io/v1beta1.
Breaking backward compatibility from v0.10
- Kubernetes version 1.14 or newer
- HAProxy Ingress service account needs get, list, watch and update access to the networking.k8s.io api group - the same permissions that were granted to the extensions/v1beta1 api group. Update your k8s role configuration before deploying v0.11. See an updated version of the deployment manifest.
- Major refactor in the haproxy's frontends with the following visible changes:
- Internal proxy names changed, which will impact metric dashboards that use these names
- Internal map file names changed, which will impact configuration snippets that use them
- timeout-client and timeout-client-fin are global scoped only - they cannot be used as an ingress annotation.
- Template path changed, see the template doc.
Contributors
- Alexis Dufour (AlexisDuf)
- Colin Deasy (coldeasy)
- Dario Tranchitella (prometherion)
- Eliot Hautefeuille (hileef)
- Joao Morais (jcmoraisjr)
- MartinKirchner (MartinKirchner)
- pawelb (pbabilas)
- Ricardo Katz (rikatz)
- Robert Agbozo (RobertTheProfessional)
- Shagon94 (Shagon94)
- Unichron (Unichron)
New features and improvements:
- Update to haproxy 2.1.4 #542 (jcmoraisjr)
- Converting to cache.Listers #545 (prometherion)
- Sorting imports and code linting #550 (prometherion)
- Change timeout-client(-fin) scope from host to global #552 (jcmoraisjr) - doc
  - Configuration keys: timeout-client (update), timeout-client-fin (update)
- Remove frontend group #553 (jcmoraisjr)
- Move backend data and funcs to its own entity #555 (jcmoraisjr)
- Add host lookup with hash table #556 (jcmoraisjr)
- Add backend lookup with hash table #557 (jcmoraisjr)
- Move max body size to the backend #554 (jcmoraisjr)
- Parsing and lookup optimizations #558 (jcmoraisjr)
- Follow gofmt convention #564 (jcmoraisjr)
- Move listers and informers to the new controller #563 (jcmoraisjr)
- Add check interval on tcp service #576 (jcmoraisjr) - doc
  - Command-line options: --tcp-services-configmap (update)
- Add use-forwarded-proto config key #577 (jcmoraisjr) - doc
  - Configuration keys: use-forwarded-proto
- Add headers config key #575 (jcmoraisjr) - doc
  - Configuration keys: headers
- Allow overriding CPU Map #588 (coldeasy) - doc
  - Configuration keys: cpu-map, use-cpu-map
- TCP Services : SSL : Optionally Verify Client #589 (hileef) - doc
  - Command-line options: --tcp-services-configmap (update)
- Add session-cookie-keywords #601 (MartinKirchner) - doc
  - Configuration keys: session-cookie-keywords
- Host scoped cipher options #609 (Unichron) - doc
  - Configuration keys: ssl-cipher-suites, ssl-ciphers
- Update deprecated APIs in Docs #613 (rikatz)
- Improve parsing time on big clusters #571 (jcmoraisjr)
- Add backend-shards command-line option #623 (jcmoraisjr) - doc
  - Command-line options: --backend-shards
- Add disable-pod-list command-line option #622 (jcmoraisjr) - doc
  - Command-line options: --disable-pod-list
- Log changed objects #625 (jcmoraisjr)
- Optimize haproxy maps building #629 (jcmoraisjr)
- Shrink list of changed hosts and backends #630 (jcmoraisjr)
- Host scope tls-alpn and ssl-options #617 (Unichron)
- Update to haproxy 2.1.8 #635 (jcmoraisjr)
- Partial build of backend maps #637 (jcmoraisjr)
- Update to client-go v0.18.6 #638 (jcmoraisjr)
- Update to go1.13.15 #640 (jcmoraisjr)
- Add support to multiple match types #641 (jcmoraisjr)
  - Configuration keys: path-type - doc
- Improve backend shrinking #644 (jcmoraisjr)
- Improve time of frontend maps build #647 (jcmoraisjr)
- Move files to /etc, /var/lib or /var/run dirs #654 (jcmoraisjr)
- Add wait-before-update command-line option #658 (jcmoraisjr)
Fixes:
- Fix logging messages #559 (jcmoraisjr)
- Fix server-alias on http/80 #570 (AlexisDuf)
- Fix permission using watch-namespace #578 (jcmoraisjr)
- Fix watch-namespace option #579 (jcmoraisjr)
- Fix cleaning cache of changed objects #626 (jcmoraisjr)
- Configure default crt on ingress parsing phase #634 (jcmoraisjr)
- Add hostname and backend tracking on addIngress #646 (jcmoraisjr)
- Fix sigsegv tracking added ingress #648 (jcmoraisjr)
- Add implicit starting boundary char in regex path match #651 (jcmoraisjr)
- Fix tracking and partial parsing of spec.backend #653 (jcmoraisjr)
- Fix ssl-passthrough counter #656 (jcmoraisjr)
Docs:
Fixes and improvements since v0.11-beta.1:
- Fix rewrite target match #668 (jcmoraisjr)
Fixes and improvements since v0.11-beta.2:
- Implement sort-backends #677 (jcmoraisjr)
- Add --sort-endpoints-by command-line option #678 (jcmoraisjr)
  - Configuration keys: --sort-endpoints-by - doc
- Fix dynamic update of the default backend #680 (jcmoraisjr)
- Update embedded haproxy to 2.1.9 06f2e65 (Joao Morais)
Fixes and improvements since v0.11-beta.3:
- Fix line too long on backend parsing #683 (jcmoraisjr)
- Fix basic auth backend tracking #688 (jcmoraisjr)
- Allow signer to work with wildcard dns certs #695 (pbabilas)
- Improve certificate validation of acme signer #689 (jcmoraisjr)
- Update haproxy from 2.1.9 to 2.1.10 9763c63 (Joao Morais)
- Allow signer to work with wildcard dns certs #695 (pbabilas)
- Add path scope #705 (jcmoraisjr)
- Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
- Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
- Fix initial weight configuration #742 (jcmoraisjr)
- Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
- Fix backend matches if hostname uses wildcard #752 (jcmoraisjr)
- Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)
Fixes and improvements since v0.9.1:
- Implement sort-backends #677 (jcmoraisjr)
Fixes and improvements since v0.9:
- Update HAProxy from 1.9.15 to 1.9.16
- Add service event handler #633
- Configure default crt on ingress parsing phase #634
Docs:
- Typo on configuration keys docs #585
Breaking backward compatibility from v0.8:
- TLS 1.0 and 1.1 were dropped in the default configuration. Several cipher suites were dropped as well, mostly non ephemeral key exchange algorithms. This might break old http clients. See the v0.8 default values in the SSL cipher suite and SSL options docs and adjust the configuration if needed.
- Some default configurations were changed to improve performance of a vanilla deployment, this might cause unexpected behaviour:
  - Default dynamic-scaling configuration key was changed from false to true
  - Default nbthread configuration key was changed from 1 to 2
  - Default --reload-strategy command-line option was changed from native to reusesocket
Highlights of this version:
- HAProxy upgrade from 1.8 to 1.9
- HTTP/2 support in the backend side
- TLS 1.3 support
- Certificate update using ACME-v2 protocol
- Ability to run as non-root, see the security doc
New features:
- Use one bind per frontend #382
- Update to haproxy 1.9.10 #381
- Add h2 backend proto and use-htx global option #387
- Make sni optional if a certificate is optional and is not provided #392
- Add custom-frontend snippet to http:80 frontend #395
- Join samples using concat #393
- Use 421 response if sni and headers does not match #394
- Add syslog-length configmap option #396 - doc
  - Configuration keys: ingress.kubernetes.io/syslog-length
- Add CRL Support in the TLS Secret for Client Authentication #328
- Add CRL support in the new controller #399
- Add per request deployment group selection - blue/green deployment #402 - doc
  - Configuration keys: ingress.kubernetes.io/blue-green-cookie, ingress.kubernetes.io/blue-green-header
- Sort ingress using creation timestamp #405
- Update default TLS versions and ciphers for client and server connections #403 - doc
  - Configuration keys: ssl-cipher-suites, ssl-cipher-suites-backend, ssl-ciphers-backend
- Update to haproxy 1.9.11 #406
- Add session-cookie-shared #419
- Add dynamic-scaling false option #420
- Improve sorting of internal state #423
- Tuning default thread number and reload strategy #424
- Add leader election #431
- Add work queue #430
- Add forwardfor option - update #437 - doc
  - Configuration keys: ingress.kubernetes.io/forwardfor - new option update
- Add support for Mod Security DetectionOnly Mode #443 - doc
  - Configuration keys: ingress.kubernetes.io/waf-mode
- Add initial-weight config key #444
- Improve fronting proxy config #434
- Update Go version and use Go mod #439
- Update to haproxy 1.9.12 #446
- Initialize leader election only if needed #447
- Add ip+port bind support for http/https/fronting-proxy #452
- Add failure rate limit on work queue #457
- Customizable goarch #472
- dumb-init added from alpine repo #471
- Add acme v02 support #391
  - Configuration keys - doc: acme-emails, acme-endpoint, acme-expiring, acme-shared, acme-terms-agreed, ingress.kubernetes.io/cert-signer
  - Command-line options - doc: --acme-check-period, --acme-election-id, --acme-fail-initial-duration, --acme-fail-max-duration, --acme-secret-key-name, --acme-server, --acme-token-configmap-name, --acme-track-tls-annotation
- Update to haproxy 1.9.13 #475
- Update dependencies to k8s 1.16.3 #474
- Add 4xx error pages and CORS Preflight as Lua services #481
- Check acme account before retrieving #479
- Improve equality comparison with acme changes #478
- Add security options #484 - doc
  - Configuration keys: use-chroot, use-haproxy-user
Fixes:
- Fix case on requests from 80/http #425
- Fix case on per-path backend requests #427
- Fix cross-namespace command-line option #433
- Fix host match with a port number #436
- Fix hostname match of domains with client cert auth #453
- Fix panic reading empty targetRef from ep #455
- Fix txn.namespace on http requests #463
- Do ssl-redirect only if tls declares the hostname #465
- Fix case on per-path backend maps #466
- Use the found match pattern #468
- Improve response error on sni mismatch #470
- Fix haproxy.cfg permissions #476
Docs:
- docs: update deployment and DaemonSet APIs to apps/v1 #415
- docs: starting version #417
- docs: update deploy and ds api to apps/v1 #422
- docs: defaults for cors-allow-methods and -headers #445
Fixes and improvements since v0.9-beta.1:
- Change unix sockets user to haproxy #504
- Sort tcp services by name and port #506
- Add backend-server-naming key #507 - doc
  - Configuration keys: backend-server-naming
- Add auth-tls-strict configuration key #513 - doc
  - Configuration keys: auth-tls-strict
- Remove haproxy warning filter #514
- Create frontends even without ingress #516
Fixes and improvements since v0.9-beta.2:
- Fix TLS handshake on backend #520
- Update haproxy from 1.9.13 to 1.9.14
- Clear acme work queue on stopped leading #526
- Restart the leader elector when stop leading #532
- Improve certificate sign logs #533
- Fix race on failure rate limit queue #534
Fixes and improvements since v0.9-beta.3:
- Add external call to certificate check #539 - doc
- Update HAProxy from 1.9.14 to 1.9.15, which fixes CVE-2020-11100
Fixes and improvements since v0.9-beta.4:
Fixes and improvements since v0.8.6:
- Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
- Update embedded haproxy to 1.8.28 38f0194 (Joao Morais)
- Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
- Fix initial weight configuration #742 (jcmoraisjr)
- Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
- Fix backend matches if hostname uses wildcard #752 (jcmoraisjr)
- Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)
- Update haproxy from 1.8.28 to 1.8.30 91fecdc (Joao Morais)
Fixes and improvements since v0.8.5:
Fixes and improvements since v0.8.4:
Fixes and improvements since v0.8.3:
- Fix server-alias on http/80 #570
Fixes and improvements since v0.8.2:
- Update HAProxy from 1.8.24 to 1.8.25, which fixes CVE-2020-11100
Fixes and improvements since v0.8.1:
- Update HAProxy from 1.8.23 to 1.8.24
Fixes and improvements since v0.8:
- Sort tcp services by name and port #506
- Add backend-server-naming key #507 - doc
  - Configuration keys: backend-server-naming
- Add auth-tls-strict configuration key #513 - doc
  - Configuration keys: auth-tls-strict
- Remove haproxy warning filter #514
- Create frontends even without ingress #516
Breaking backward compatibility from v0.7:
Note: A new configuration parser and HAProxy config builder is in place. Despite declared incompatibility changes listed below, all configuration options and behavior should be preserved. Please file an issue if something changed in the v0.8 controller which is not listed here.
- HAProxy's backend naming convention used for services changed from <namespace>-<svcname>-<port> to <namespace>_<svcname>_<port> in order to avoid ambiguity. This should impact at least logging filters and metrics dashboards.
- All the other HAProxy's proxy names changed as well - check your logging filters and metrics dashboards.
- nbproc-ssl global configmap option wasn't reimplemented in v0.8, consider using nbthread instead.
- strict-host global configmap option changed the default value from true to false. See strict-host doc.
- dynamic-scaling configuration key changed the default value from false to true
- nbthread configuration key changed the default value from 1 to 2
- reload-strategy command-line option changed the default value from native to reusesocket
- A missing --sort-backends command-line option does not shuffle endpoints anymore
The --v07-controller=true command-line option can be used to revert to the old controller and behavior. Note that in this case the *-v07.tmpl templates will be used instead. This option will be removed on v0.10.
Improvements on the new internal representation and converters:
- Main issue #274
- Pull requests part1, part2, part3, part4, part5, part6
- About 80% of the controller was rewritten from scratch. The new code base has more consistent behavior, it's more decoupled, easier to understand, test and evolve, and ready to ingress v2 without breaking compatibility with ingress v1. The new configuration is also a lot faster - the bigger the cluster, the faster the config generated by the v0.8 controller.
- Configmap and annotations: declare annotations with prefix (defaults to ingress.kubernetes.io) on services or ingress objects, declare without prefix as a global configmap option. The configmap declaration acts as a default value, and service takes precedence in the case of conflict with ingress.
- The mode tcp frontend will be used only if needed:
  - Authentication with client certificate is used - this will not be a limitation on v0.9 controller and HAProxy 1.9.x
  - ssl-passthrough is used
  - Conflicting timeout client declared as annotations
- Fix HAProxy config parsing of a very long list of whitelist CIDRs or a very long list of overlapping /paths in the same domain
Fixes and improvements since v0.7:
- Fix duplication of ConfigFrontend snippets for DefaultBackend #352
- Fix port retrieval for terminatingPod with named targetPort #331
- Disable HTTP Basic Auth on CORS pre-flight OPTIONS request #356
- Configure annotation prefix - doc
  - Command-line options: --annotations-prefix
- Agent check #287 - doc
  - Annotations or configmap options (without prefix): ingress.kubernetes.io/agent-check-port, ingress.kubernetes.io/agent-check-addr, ingress.kubernetes.io/agent-check-interval, ingress.kubernetes.io/agent-check-send
- Health check #287 - doc
  - Annotations or configmap options (without prefix): ingress.kubernetes.io/health-check-uri, ingress.kubernetes.io/health-check-addr, ingress.kubernetes.io/health-check-port, ingress.kubernetes.io/health-check-interval, ingress.kubernetes.io/health-check-rise-count, ingress.kubernetes.io/health-check-fall-count
- Configure the minimum number of free/empty servers per backend - doc
  - Annotations or configmap options (without prefix): ingress.kubernetes.io/slots-min-free
- Add CORS Expose Headers option #268 - doc
  - Annotations or configmap options (without prefix): ingress.kubernetes.io/cors-expose-headers
- Add SSL Engine options #269 - doc
  - Configmap options: ssl-engine, ssl-mode-async
- Add log customizations
- Add TLS ALPN option #307 - doc
  - Configmap options: tls-alpn
- Allow hostname/pod name to be used as the cookie value #286 - doc
  - Annotations or configmap options (without prefix): ingress.kubernetes.io/session-cookie-dynamic
- Allow redispatch when drain-support is enabled #334 - doc
  - Configmap options: drain-support-redispatch
- Add snippet for defaults section #335 - doc
  - Configmap options: config-defaults
- Add option to wait defined time when SIGTERM received #363 - doc
  - Command-line options: --wait-before-shutdown
- Declare a HAProxy var with the k8s namespace #378 - doc
  - Annotation or configmap options (without prefix): ingress.kubernetes.io/var-namespace
Fixes and improvements since v0.8-beta.1:
- Fix service port lookup #385
- Change dynamic update default values #388
- Fix port number lookup of terminating pods #389
Fixes and improvements since v0.8-beta.2:
- Make sni optional if a certificate is optional and is not provided #392
- Add custom-frontend to snippet to http:80 frontend #395
Fixes and improvements since v0.8-beta.3:
- Sort ingress using creation timestamp #405
- Add session-cookie-shared #419
  - Configuration keys: session-cookie-shared - doc
- Add dynamic-scaling false option #420
- Improve sorting of internal state #423
- Tuning default thread number and reload strategy #424
- Fix case on requests from 80/http #425
Fixes and improvements since v0.8-beta.4:
- Update HAProxy from 1.8.20 to 1.8.22
- Fix case on per-path backend requests #427
- Fix implementation of cross-namespace command-line option #433
- Improve fronting proxy config #434
  - Configuration keys: fronting-proxy-port - doc
- Fix host match with a port number #436
- Add initial-weight config key #444
  - Configuration keys: initial-weight - doc
- Add ip+port bind support for http/https/fronting-proxy #452
- Fix panic reading empty targetRef from ep #455
Fixes and improvements since v0.8-beta.5:
- Update HAProxy from 1.8.22 to 1.8.23
- Fix txn.namespace on http requests #463
- Do ssl-redirect only if tls declares the hostname #465
- Fix case on per-path backend maps #466
- Fix haproxy.cfg permissions #476
Fixes and improvements since v0.7.5:
- Update HAProxy from 1.8.23 to 1.8.25, which fixes CVE-2020-11100
Fixes and improvements since v0.7.4:
- Update HAProxy from 1.8.22 to 1.8.23
Fixes and improvements since v0.7.3:
- Update HAProxy from 1.8.21 to 1.8.22, which fixes a segmentation fault when using a spoe filter (ModSecurity)
Fixes and improvements since v0.7.2:
- Update HAProxy from 1.8.20 to 1.8.21
- Fix duplication of ConfigFrontend snippets for DefaultBackend #352
- Disable HTTP Basic Auth on CORS pre-flight OPTIONS request #356
Fixes and improvements since v0.7.1:
- Update HAProxy from 1.8.19 to 1.8.20
- Fix port retrieval for terminatingPod with named targetPort #331
Fixes and improvements since v0.7:
- Update libssl and libcrypto #318
Breaking backward compatibility from v0.6:
- Default blue/green deployment mode changed from pod to deploy. Use ingress.kubernetes.io/blue-green-mode annotation to change to the v0.6 behavior. See also the blue/green deployment doc.
- Changed default maximum ephemeral DH key size from 1024 to 2048, which might break old TLS clients. Use ssl-dh-default-max-size configmap option to change back to 1024 if needed.
- Behavior of ingress.kubernetes.io/server-alias annotation was changed to mimic hostname syntax. Use ingress.kubernetes.io/server-alias-regex instead if you need to use regex. See also the server-alias doc
Fixes and improvements since v0.6:
- Add SSL config on TCP services #192 - doc
- Disable health check of backends #195
- Fix endless loop if SSL/TLS secret does not exist #191
- DNS discovery of backend servers #154 - doc
  - Annotations: ingress.kubernetes.io/use-resolver
  - Configmap options: dns-accepted-payload-size, dns-cluster-domain, dns-hold-obsolete, dns-hold-valid, dns-resolvers, dns-timeout-retry
- ModSecurity web application firewall #166 and #248
- Multi process and multi thread support #172
- Balance mode of blue/green deployment #201 - doc
  - Annotations: ingress.kubernetes.io/blue-green-balance, ingress.kubernetes.io/blue-green-mode
- Add configuration snippet options #194 and #252 - doc
  - Configmap options: config-frontend, config-global
- Add OAuth2 support #239 - doc
- Add support to ingress/spec/backend #212
- Add SSL config on stats endpoint #193 - doc
  - Configmap options: stats-ssl-cert
- Add custom http and https port numbers #190
  - Configmap options: http-port, https-port
- Add client cert auth for backend #222 - doc
  - Annotations: ingress.kubernetes.io/secure-crt-secret
- Add publish-service doc #211 - doc
  - Command-line options: --publish-service
- Add option to match URL path on wildcard hostnames #213 - doc
  - Configmap options: strict-host
- Add HSTS on default backend #214
- Add Sprig template functions #224 - Sprig doc
- Add watch-namespace command-line option #227 - doc
  - Command-line options: --watch-namespace
- Add http-port on ssl-passthrough #228 - doc
  - Annotations: ingress.kubernetes.io/ssl-passthrough-http-port
- Add proxy-protocol annotation #236 - doc
  - Annotations: ingress.kubernetes.io/proxy-protocol
- Add server-alias-regex annotation #250 - doc
  - Annotations: ingress.kubernetes.io/server-alias-regex
- Optimize reading of default backend #234
- Add annotation and configmap validations #237
- Fix sort-backends behavior #247
Fixes and improvements since v0.7-beta.1:
- Fix ssl-passthrough (only v0.7) #258
Fixes and improvements since v0.7-beta.2:
- Fix panic if an invalid path is used on ssl-passthrough (only v0.7) #260
- Add ssl-passthrough-http-port validations #261
Fixes and improvements since v0.7-beta.3:
- Update HAProxy from 1.8.14 to 1.8.16 - fix some DNS issues
- Improve optional client cert auth #275
Fixes and improvements since v0.7-beta.4:
- Update HAProxy from 1.8.16 to 1.8.17 - fix CVE-2018-20615 (release notes)
Fixes and improvements since v0.7-beta.5:
- Fix validation of mod security conf #282
Fixes and improvements since v0.7-beta.6:
- Use SRV records on dns resolver if backend port isn’t a valid number #285
- Fix permission of frontend certs dir #293
Fixes and improvements since v0.7-beta.7:
- Update to HAProxy 1.8.19, which fixes some connection aborts on HTTP/2
- Add TLS ALPN extension advertisement #307
- Fix overlapping configs on shared frontend #308
Fixes and improvements since v0.6.3:
- Update HAProxy from 1.8.19 to 1.8.20
- Fix port retrieval for terminatingPod with named targetPort #331
Fixes and improvements since v0.6.2:
- Update libssl and libcrypto #318
Fixes and improvements since v0.6.1:
- Update HAProxy from 1.8.17 to 1.8.19, which fixes some connection aborts on HTTP/2
Fixes and improvements since v0.6:
- Update HAProxy from 1.8.14 to 1.8.17
- Fix some DNS issues
- Fix CVE-2018-20615 (release notes)
Breaking backward compatibility from v0.5:
- Usage of header Host to match https requests instead of using just sni extension, deprecating use-host-on-https - #130
- Multibinder is deprecated, use reusesocket reload strategy instead - #139
- Dynamic scaling does not reload HAProxy if the number of servers of a backend could be reduced
- Broken CIDR lists - whitelist-source-range and limit-whitelist annotations - will add at least the valid CIDRs found in the list - #163
- Added timeout-queue configmap option which defaults to 5s. timeout-queue didn't exist before v0.6 and its value inherits from the timeout-connect configuration. Starting on v0.6, changing timeout-connect will not change timeout-queue default value.
Fixes and improvements since v0.5:
- HAProxy 1.8
- Dynamic cookies on cookie based server affinity
- HTTP/2 support - #129
- Share http(s) connections on the same frontend/socket - #130
- Add clear userlist on misconfigured basic auth - #71
- Fix copy endpoints to fullslots - #84
- Equality improvement on dynamic scaling - #138 and #140
- Fix precedence of hosts without wildcard and alias without regex - #149
- Add v1 as a PROXY protocol option on tcp-services - #156
- Fix Lets Encrypt certificate generation - #161
- Add valid CIDRs on whitelists #163
- New annotations:
  - Cookie persistence strategy #89 - doc
    - ingress.kubernetes.io/session-cookie-strategy
  - Blue/green deployment #125 - doc
    - ingress.kubernetes.io/blue-green-deploy
  - Load balancing algorithm #144
    - ingress.kubernetes.io/balance-algorithm
  - Connection limits and timeout #148 - doc
    - ingress.kubernetes.io/maxconn-server, ingress.kubernetes.io/maxqueue-server, ingress.kubernetes.io/timeout-queue
  - CORS #151 - doc
    - ingress.kubernetes.io/cors-allow-origin, ingress.kubernetes.io/cors-allow-methods, ingress.kubernetes.io/cors-allow-headers, ingress.kubernetes.io/cors-allow-credentials, ingress.kubernetes.io/cors-enable, ingress.kubernetes.io/cors-max-age
  - Configuration snippet #155 - doc
    - ingress.kubernetes.io/config-backend
  - Backend servers slot increment #164 - doc
    - ingress.kubernetes.io/slots-increment
- New configmap options:
  - Drain support for NotReady pods on cookie affinity backends #95 - doc
    - drain-support
  - Timeout queue #148 - doc
    - timeout-queue
  - Time to wait for long lived connections to finish before hard-stop a HAProxy process #150 - doc
    - timeout-stop
  - Add option to bypass SSL/TLS redirect #161 - doc
    - no-tls-redirect-locations
  - Add configmap options to listening IP address #162
    - bind-ip-addr-tcp, bind-ip-addr-http, bind-ip-addr-healthz, bind-ip-addr-stats
- New command-line options:
Fixes and improvements since v0.6-beta.1:
- Fix redirect https if path changed with rewrite-target - #179
- Fix ssl-passthrough annotation - #183 and #187
Fixes and improvements since v0.6-beta.2:
- Fix host match of rate limit on shared frontend - #202
Fixes and improvements since v0.6-beta.3:
- Fix permission denied to mkdir on OpenShift - #205
- Fix usage of custom DH params (only v0.6) - #215
- Fix redirect of non TLS hosts (only v0.6) - #231
Fixes and improvements since v0.6-beta.4:
- Fix health check of dynamic reload - #232
- Fix stop/terminate signal of the controller process - #233
Fixes and improvements since v0.6-beta.5:
- Fix SSL redirect if no TLS config is used (only v0.6) - #235
Fixes and improvements since v0.6-beta.6:
- Restrict access of sticky session cookie by client JavaScript code - #251
Fixes and improvements since v0.4
- v0.5-beta.1 changelog
- v0.5-beta.2 changelog
- v0.5-beta.3 changelog
Fixes and improvements since v0.5-beta.2
- Fix sync of excluded secrets - #102
- Fix config with long fqdn - #112
- Fix non ssl redirect on default backend - #120
Fixes and improvements since v0.5-beta.1
- Fix reading of txn.path on http-request keywords - #102
Breaking backward compatibility from v0.4
- TLS certificate validation using only SAN extension - common Name (CN) isn't used anymore. Add --verify-hostname=false command-line option to bypass hostname verification
- ingress.kubernetes.io/auth-tls-secret annotation cannot reference another namespace without --allow-cross-namespace command-line option
- tcp-log-format configmap option now customizes log of TCP proxies, use https-log-format instead to configure log of SNI inspection (https/tcp frontend)
Fixes and improvements since v0.4
- Change from Go 1.8.1 to 1.9.2
- Implement full config of default backend - #73
- Fix removal of TLS if failing to read the secretName - #78
- New annotations:
  - Rewrite path support - doc
    - ingress.kubernetes.io/rewrite-target
  - Rate limit support - doc
    - ingress.kubernetes.io/limit-connections, ingress.kubernetes.io/limit-rps, ingress.kubernetes.io/limit-whitelist
  - Option to include the X509 certificate on requests with client certificate - doc
    - ingress.kubernetes.io/auth-tls-cert-header
  - HSTS support per host and location - doc
    - ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, ingress.kubernetes.io/hsts-preload
- New configmap options:
  - Option to add and customize log of SNI inspection - https/tcp frontend - doc
    - https-log-format
  - Option to load the server state between HAProxy reloads - doc
    - load-server-state
  - Custom prefix of client certificate headers - doc
    - ssl-headers-prefix
  - Support of Host header on TLS requests without SNI extension - doc
    - use-host-on-https
- New command-line options:
Fixes and improvements since v0.3
- v0.4-beta.1 changelog
- v0.4-beta.2 changelog
Fixes and improvements since v0.4-beta.1
- Fix global maxconn configuration
- Add X-Forwarded-Proto: https header on ssl/tls connections
Fixes and improvements since v0.3
- Add dynamic scaling - doc
- Add monitoring URI - doc
- Add PROXY protocol configmap options - doc
  - UseProxyProtocol, StatsProxyProtocol
- Add log format configmap options - doc
  - HTTPLogFormat, TCPLogFormat
- Add stick session ingress annotations - doc
  - ingress.kubernetes.io/affinity, ingress.kubernetes.io/session-cookie-name
- Support for wildcard hostnames
- Better and faster synchronization after resource updates
- Support k, m and g suffix on proxy-body-size annotation and configmap option - doc
- HTTP 495 and 496 error pages on auth TLS errors
- Add TLS error page ingress annotation
  - ingress.kubernetes.io/auth-tls-error-page
- Add support to SSL/TLS offload outside HAProxy on a configmap option - doc
  - https-to-http-port
- Add support to host alias on ingress annotation - doc
  - ingress.kubernetes.io/server-alias
- Fix multibinder goes zombie #51 updating to multibinder 0.0.5
- Add X-SSL headers on client authentication with TLS
  - X-SSL-Client-SHA1, X-SSL-Client-DN, X-SSL-Client-CN
Fixes and improvements since v0.2.1
- v0.3-beta.1 changelog - see notes about backward compatibility
- v0.3-beta.2 changelog
Fixes and improvements since v0.3-beta.1
- Add haproxy as the default value of --ingress-class parameter
- Fix create/remove ingress based on ingress-class annotation
Fixes and improvements since v0.2.1
Breaking backward compatibility:
- Move template to /etc/haproxy/template/haproxy.tmpl
- Now ingress.kubernetes.io/app-root only applies on ingress with root path /
Other changes and improvements:
- Reload strategy with native and multibinder options
- Ingress Controller check for update every 2 seconds (was every 10 seconds)
- New ingress resource annotations
  - ingress.kubernetes.io/proxy-body-size, ingress.kubernetes.io/secure-backends, ingress.kubernetes.io/secure-verify-ca-secret, ingress.kubernetes.io/ssl-passthrough
- New configmap options
  - balance-algorithm, backend-check-interval, forwardfor, hsts, hsts-include-subdomains, hsts-max-age, hsts-preload, max-connections, proxy-body-size, ssl-ciphers, ssl-dh-default-max-size, ssl-dh-param, ssl-options, stats-auth, stats-port, timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server, timeout-server-fin, timeout-tunnel
Fixes and improvements since v0.2
- Fixes #14 (Incorrect X-Forwarded-For handling)
Fixes and improvements since v0.1
- White list source IP range
- Optionally force TLS connection
- Basic (user/passwd) authentication
- Client certificate authentication
- Root context redirect
Initial version with basic functionality
- rules.hosts with paths from Ingress resource
- default and per host certificate
- 302 redirect from http to https if TLS (default or per host) is provided
- syslog-endpoint from configmap