- Major improvements
- Upgrade notes - read before upgrade from v0.13!
- Contributors
- v0.14.2
- v0.14.1
- v0.14.0
- v0.14.0-beta.3
- v0.14.0-beta.2
- v0.14.0-beta.1
- v0.14.0-alpha.2
- v0.14.0-alpha.1
Highlights of this version
- Embedded HAProxy upgrade from 2.3 to 2.4.
- Partial Gateway API v1alpha2 support, see the Gateway API getting started page.
- Coraza added as a Web Application Firewall (WAF) backend option, see the example page.
- Option to customize the response payload for any of the status codes managed by HAProxy or HAProxy Ingress, see the HTTP Responses configuration key documentation.
- Option to run the embedded HAProxy as Master Worker. Running HAProxy as Master Worker enables worker-max-reloads option without the need to configure as an external deployment, enables HAProxy logging to stdout, and also has a better management of the running process. This option is not enabled by default, see the master worker documentation for further information.
- HAProxy Ingress can now be easily launched in the development environment with the help of the
--local-filesystem-prefix
command-line option. See also the command-line option documentation and the newmake
variables and targets in the README file.
Breaking backward compatibility from v0.13:
- Default
auth-tls-strict
configuration key value changed fromfalse
totrue
. This update will change the behavior of misconfigured client auth configurations: whenfalse
misconfigured mTLS send requests to the backend without any authentication, whentrue
misconfigured mTLS will always fail the request. See also the auth TLS documentation. auth-tls-verify-client
, when configured asoptional_no_ca
, used to validate client certificates against the configured CA bundle. This happens on controller versions from v0.8 to v0.13. Since v0.14optional_no_ca
will bypass certificate validation. Changeauth-tls-verify-client
tooptional
in order to preserve the old behavior.- Default
--watch-gateway
command-line option changed fromfalse
totrue
. On v0.13 this option can only be enabled if the Gateway API CRDs are installed, otherwise the controller would refuse to start. Since v0.14 the controller will always check if the CRDs are installed. This will change the behavior on clusters that has Gateway API resources and doesn't declare the command-line option: v0.13 would ignore the resources and v0.14 would find and apply them. See also the watch gateway documentation. - All the response payload managed by the controller using Lua script was rewritten in a backward compatible behavior, however deployments that overrides the
services.lua
script might break. See the HTTP Responses documentation on how to customize HTTP responses using controller's configuration keys. - Two frontends changed their names, which can break deployments that uses the frontend name on metrics, logging, or in the
config-proxy
global configuration key. Frontends changed are:_front_https
, changed its name to_front_https__local
if at least one ssl-passthrough is configured, and_front__auth
, changed its default value to_front__auth__local
. These changes were made to make the metric's dashboard consistent despite the ssl-passthrough configuration. See the new metrics example page and update your dashboard if using HAProxy Ingress' one.
- Ameya Lokare (juggernaut)
- Andrej Baran (andrejbaran)
- Andrew Rodland (arodland)
- Joao Morais (jcmoraisjr)
- Josh Soref (jsoref)
- Karan Chaudhary (lafolle)
- Mac Chaffee (mac-chaffee)
- Maël Valais (maelvls)
- Manuel Rüger (mrueg)
- Marvin Rösch (PaleoCrafter)
- Mateusz Kubaczyk (mkubaczyk)
- Michał Zielonka (michal800106)
- Michele Palazzi (ironashram)
- Neil Seward (sealneaward)
- paul (toothbrush)
- Roman Gherta (rgherta)
- ssanders1449 (ssanders1449)
- Wojciech Chojnowski (DCkQ6)
- wolf-cosmose (wolf-cosmose)
- Release date:
2023-02-14
- Helm chart:
--version 0.14.2
- Image (Quay):
quay.io/jcmoraisjr/haproxy-ingress:v0.14.2
- Image (Docker Hub):
jcmoraisjr/haproxy-ingress:v0.14.2
- Embedded HAProxy version:
2.4.22
- GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.2
This release fixes CVE-2023-25725 on HAProxy. See HAProxy's release notes regarding the issue and a possible work around: https://www.mail-archive.com/[email protected]/msg43229.html
Dependencies:
- Embedded HAProxy version was updated from 2.4.21 to 2.4.22.
New features and improvements since v0.14.1
:
- update dependencies 0efcd77 (Joao Morais)
- update embedded haproxy from 2.4.21 to 2.4.22 a8c942b (Joao Morais)
- Release date:
2023-02-10
- Helm chart:
--version 0.14.1
- Image (Quay):
quay.io/jcmoraisjr/haproxy-ingress:v0.14.1
- Image (Docker Hub):
jcmoraisjr/haproxy-ingress:v0.14.1
- Embedded HAProxy version:
2.4.21
- GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.1
This release fixes the following issues:
- Service resources accept annotations just like ingress ones. However services annotated with path scoped annotations, like
haproxy-ingress.github.io/cors-enable
andhaproxy-ingress.github.io/auth-url
, were applying the configuration to just one of the paths pointing the service. So, consideringdomain.local/path1
anddomain.local/path2
pointing tosvc1
, an annotation added tosvc1
would only be applied to one of the paths. - A wrong named port configured on the external auth was being silently ignored. This update adds this information in the documentation and also adds a warning in the log. See auth external documentation.
Other notable changes include:
- Mutual TLS authentication (mTLS, Auth TLS) was being skipped on v0.14 if all the domains that configure mTLS are configured with
optional_no_ca
.
Dependencies:
- Embedded HAProxy version was updated from 2.4.20 to 2.4.21.
- Go updated from 1.18.9 to 1.18.10.
- Client-go updated from v0.23.15 to v0.23.16.
New features and improvements since v0.14.0
:
- Fix path scoped annotation on service resources #984 (jcmoraisjr)
- Fix mTLS when all hosts are optional_no_ca #977 (jcmoraisjr)
- Add warning if auth external svc isnt found #982 (jcmoraisjr)
- update embedded haproxy from 2.4.20 to 2.4.21 2b503d6 (Joao Morais)
- update go from 1.18.9 to 1.18.10 717eea3 (Joao Morais)
- update dependencies a8da9b8 (Joao Morais)
- Release date:
2022-12-26
- Helm chart:
--version 0.14.0
- Image (Quay):
quay.io/jcmoraisjr/haproxy-ingress:v0.14.0
- Image (Docker Hub):
jcmoraisjr/haproxy-ingress:v0.14.0
- Embedded HAProxy version:
2.4.20
- GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0
This is the first v0.14 release graduated as GA, which adds these major improvements since v0.13:
- Coraza Web Application Firewall (WAF) support, see the example page here.
- Customization of all HAProxy generated response payload, see the documentation here.
- Gateway API support improvement - although we're not fully compliant yet, see the documentation here.
The following improvements have been made since the last beta version:
- Michele Palazzi added a new configuration snippet that allows to add customized configurations before any builtin frontend logic.
- Ability to configure mutual TLS authentication without validating the client certificate. This adds a breaking backward compatibility from v0.13:
auth-tls-verify-client
configured asoptional_no_ca
used to make client certificate validation, now that validation is bypassed.
Dependencies:
- Embedded HAProxy version was updated from 2.4.19 to 2.4.20.
- Golang updated from 1.17.13 to 1.18.9
- Client-go updated from v0.23.14 to v0.23.15.
New features and improvements since v0.14.0-beta.3
:
- Move CustomFrontend before any http-req in haproxy template #951 (ironashram) doc
- Configuration keys:
config-frontend-early
config-frontend-late
- Configuration keys:
- Make optional_no_ca bypass proxy side validations #976 (jcmoraisjr)
- Release date:
2022-12-10
- Helm chart:
--version 0.14.0-beta.3 --devel
- Image (Quay):
quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-beta.3
- Image (Docker Hub):
jcmoraisjr/haproxy-ingress:v0.14.0-beta.3
- Embedded HAProxy version:
2.4.19
- GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-beta.3
This is the third and last beta version of the v0.14 release branch. It fixed some minor issues:
- Embedded Acme signer can now sign certificates for hosts used on redirects
auth-headers-*
configuration keys, from Auth External, used to break the HAProxy configuration if declared empty. Now an empty value makes none of the headers being copied.
Other visible improvements include:
- Andrej Baran added support for Load Server State on external HAProxy
- Mac Chaffee added Coraza WAF support, see the example page on how to configure it.
- Zap added as an optional logger sink, which adds the ability to control a few more logging options. See the logging command-line options doc.
Dependencies:
- Embedded HAProxy version was updated from 2.4.18 to 2.4.19.
- Client-go updated from v0.23.10 to v0.23.14.
New features and improvements since v0.14.0-beta.2
:
- Change klog.Fatal to klog.Exit #955 (jcmoraisjr)
- Enable Load Server State feature for external haproxy #957 (andrejbaran)
- Add Zap as a logger sink option #967 (jcmoraisjr) - doc
- Command-line options:
--log-zap
--log-dev
--log-caller
--log-enable-stacktrace
--log-encoder
--log-encode-time
- Command-line options:
- Allow ability to customize modsecurity args #948 (mac-chaffee) - doc
- Configuration keys:
modsecurity-args
- Configuration keys:
- Coraza support #964 (mac-chaffee) - doc
- Configuration keys:
modsecurity-use-coraza
- Configuration keys:
- Fix host redirects when acme is enabled #971 (jcmoraisjr)
- Makes auth-headers not copying on empty string #972 (jcmoraisjr)
- Release date:
2022-09-07
- Helm chart:
--version 0.14.0-beta.2 --devel
- Image (Quay):
quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-beta.2
- Image (Docker Hub):
jcmoraisjr/haproxy-ingress:v0.14.0-beta.2
- Embedded HAProxy version:
2.4.18
- GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-beta.2
This is the second beta release of the v0.14 version, which fixes a small regression added in v0.8. Up to version v0.7 HAProxy Ingress accepted services of type External Name without port declaration, in this case the same port number configured in the ingress resource was used to configure the backend. Since the v0.8 refactor, a port configuration became mandatory in the service resource. This update brings the v0.7 behavior again, so services of type External Name have port declaration optional.
Other visible improvements include:
- Image generation now updates OS dependencies added by the upstream image, which avoids to release images with known vulnerabilities
- Manuel Rüger updated some old and deprecated dependency versions
Dependencies:
- Embedded HAProxy version was updated from 2.4.17 to 2.4.18.
- Golang updated from 1.17.11 to 1.17.13.
- Client-go updated from v0.23.8 to v0.23.10.
New features and improvements since v0.14.0-beta.1
:
- Documents the expected format for --configmap key #940 (lafolle)
- Add apk upgrade on container building #941 (jcmoraisjr)
- Update client-go from v0.23.8 to v0.23.9 and indirect dependencies #943 (jcmoraisjr)
- Migrate to new versions / off deprecated packages. #945 (mrueg)
- update client-go from v0.23.9 to v0.23.10 e290714 (Joao Morais)
- update embedded haproxy from 2.4.17 to 2.4.18 d2a88db (Joao Morais)
- update golang from 1.17.11 to 1.17.13 0de7ef6 (Joao Morais)
- Fix go lint issues #942 (jcmoraisjr)
- Add support for service external name without port #946 (jcmoraisjr)
- Release date:
2022-07-03
- Helm chart:
--version 0.14.0-beta.1 --devel
- Image (Quay):
quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-beta.1
- Image (Docker Hub):
jcmoraisjr/haproxy-ingress:v0.14.0-beta.1
- Embedded HAProxy version:
2.4.17
- GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-beta.1
This is the first beta release of the v0.14 version, which fixes some issues from the previous tag:
- A possible typecast failure reported by monkeymorgan was fixed, which could happen on outages of the apiserver and some resources are removed from the api before the controller starts to watch the api again.
- A lock was added before checking for expiring certificates when the embedded acme client is configured. This lock prevents the check routine to read the internal model while another thread is modifying it to apply a configuration change.
- The external HAProxy now starts without a readiness endpoint configured. This avoids adding a just deployed controller as available before it has been properly configured. Starting liveness was raised in the helm chart, so that huge environments have time enough to start.
Other visible improvements include:
- Josh Soref fixed a lot of typos in the documentation and comments.
- wolf-cosmose implemented a regex based Cors Allow Origin option.
- Metrics example now uses Prometheus Operator and the service monitor provided by the helm chart.
- Some internal frontend names were changed to allow consistent metrics despite the ssl-passthrough configuration, see the upgrade notes.
Dependencies:
- Embedded HAProxy version was updated from 2.4.15 to 2.4.17.
- Golang updated from 1.17.8 to 1.17.11.
- Client-go updated from v0.23.5 to v0.23.8.
New features and improvements since v0.14.0-alpha.2
:
- Change metrics example to use servicemonitor #919 (jcmoraisjr)
- Add suffix to name of local frontend proxies #922 (jcmoraisjr)
- Spelling #928 (jsoref)
- Add cors-allow-origin-regex annotation #927 (wolf-cosmose) - doc
- Configuration keys:
cors-allow-origin-regex
- Configuration keys:
- update embedded haproxy from 2.4.15 to 2.4.17 1958457 (Joao Morais)
- update golang from 1.17.8 to 1.17.11 801a425 (Joao Morais)
- update client-go from v0.23.5 to v0.23.8 200f885 (Joao Morais)
- Check type assertion on all informers #934 (jcmoraisjr)
- Add lock before call acmeCheck() #935 (jcmoraisjr)
- Remove readiness endpoint from starting config #937 (jcmoraisjr)
- Release date:
2022-04-07
- Helm chart:
--version 0.14.0-alpha.2 --devel
- Image (Quay):
quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-alpha.2
- Image (Docker Hub):
jcmoraisjr/haproxy-ingress:v0.14.0-alpha.2
- Embedded HAProxy version:
2.4.15
- GitHub release:
https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-alpha.2
This is the second and last alpha release of v0.14, which fixes the following issues:
- The configured service was not being selected if the incoming path doesn't finish with a slash, the host is not declared in the ingress resource (using default host), the path type is Prefix, and the pattern is a single slash.
- Marvin Rösch fixed a delay of 5 seconds to connect to a server using a TCP service. Such delay happens whenever a host is used in the ingress resource and the SSL offload is made by HAProxy.
Other visible improvements include:
- Add compatibility with HAProxy 2.5 deployed as external/sidecar. Version 2.5 changed the lay out of the
show proc
command of the master API. - Add the ability to overwrite any of the HAProxy generated response payloads, see the HTTP Response documentation
- Add
ssl-fingerprint-sha2-bits
configuration key which adds a HTTP header with the SHA-2 fingerprint of client certificates. - Update to the latest version of golang 1.17, client-go v0.23 and haproxy 2.4
There is also a few other internal and non visible improvements. First beta version should be tagged within a week or so, after finish some exploratory tests.
New features and improvements since v0.14.0-alpha.1
:
- Replace glog with klog/v2 #904 (mrueg)
- Remove initial whitespaces from haproxy template #910 (ironashram)
- Add haproxy 2.5 support for external haproxy #905 (jcmoraisjr)
- Add ssl-fingerprint-sha2-bits configuration key #911 (jcmoraisjr) - doc
- Configuration keys:
ssl-fingerprint-sha2-bits
- Configuration keys:
- Add http-response configuration keys #915 (jcmoraisjr) - doc
- Configuration keys:
http-response-<code>
http-response-prometheus-root
- Configuration keys:
- update embedded haproxy from 2.4.12 to 2.4.15 c29ddf5 (Joao Morais)
- update client-go from v0.23.3 to v0.23.5 a507389 (Joao Morais)
- update golang from 1.17.6 to 1.17.8 5b78816 (Joao Morais)
- Fix match of prefix pathtype if using default host #908 (jcmoraisjr)
- Only inspect SSL handshake for SNI routing for SSL passthrough #914 (PaleoCrafter)
- Fix reload failure detection on 2.5+ #916 (jcmoraisjr)
- Release date:
2022-02-13
- Helm chart:
--version 0.14.0-alpha.1 --devel
- Image (Quay):
quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-alpha.1
- Image (Docker Hub):
jcmoraisjr/haproxy-ingress:v0.14.0-alpha.1
- Embedded HAProxy version:
2.4.12
New features and improvements since v0.13-beta.1
:
- update client-go from v0.20.7 to v0.21.1 9e8f75b (Joao Morais)
- update gateway api from v0.2.0 to v0.3.0 97abfa9 (Joao Morais)
- update golang from 1.15.13 to 1.16.15 2f48838 (Joao Morais)
- update embedded haproxy from 2.3.10 to 2.4.0 23e2418 (Joao Morais)
- Stable IDs for consistent-hash load balancing #801 (arodland) - doc
- Configuration keys:
assign-backend-server-id
- Configuration keys:
- Ensure that configured global ConfigMap exists #804 (jcmoraisjr)
- Update auth-request.lua script #809 (jcmoraisjr)
- Add log of reload error on every reconciliation #811 (jcmoraisjr)
- Add disable-external-name command-line option #816 (jcmoraisjr) - doc
- Command-line options:
--disable-external-name
- Command-line options:
- Add reload interval command-line option #815 (jcmoraisjr) - doc
- Command-line options:
--reload-interval
- Command-line options:
- Updates to the help output of command-line options #814 (jcmoraisjr)
- Add disable-config-keywords command-line options #820 (jcmoraisjr) - doc
- Command-line options:
--disable-config-keywords
- Command-line options:
- Change nbthread to use all CPUs by default #821 (jcmoraisjr)
- Option to use client and master socket in keep alive mode #824 (jcmoraisjr)
- Add close-sessions-duration config key #827 (jcmoraisjr)
- Add arm64 build #836 (jcmoraisjr)
- Feature/allowlist behind reverse proxy #846 (DCkQ6) - doc
- Configuration keys:
allowlist-source-header
- Configuration keys:
- Refactor tracker to an abstract implementation #850 (jcmoraisjr)
- Add read and write timeout to the unix socket #855 (jcmoraisjr)
- Add --ingress-class-precedence to allow IngressClass taking precedence over annotation #857 (mkubaczyk) - doc
- Command-line options:
--ingress-class-precedence
- Command-line options:
- Add acme-preferred-chain config key #864 (jcmoraisjr) - doc
- Configuration keys:
acme-preferred-chain
- Configuration keys:
- Add new target platforms #870 (jcmoraisjr)
- Add local deployment configuration #878 (jcmoraisjr)
- Add master-worker mode on embedded haproxy #880 (jcmoraisjr)
- Add session-cookie-domain configuration key #889 (jcmoraisjr) - doc
- Configuration keys:
session-cookie-domain
- Configuration keys:
- Upgrade crypto dependency #895 (rgherta)
- Bump dependencies #874 (mrueg)
- Add auth-tls configurations to tcp services #883 (jcmoraisjr)
- Change auth-tls-strict from false to true #885 (jcmoraisjr)
- Check by default if gateway api crds are installed #898 (jcmoraisjr)
- Add starting implementation of Gateway API v1alpha2 #900 (jcmoraisjr)
- update embedded haproxy from 2.4.0 to 2.4.12 93adbb9 (Joao Morais)
- Fix backend match if no ingress use host match #802 (jcmoraisjr)
- Reload haproxy if a backend server cannot be found #810 (jcmoraisjr)
- Fix auth-url parsing if hostname misses a dot #818 (jcmoraisjr)
- Always deny requests of failed auth configurations #819 (jcmoraisjr)
- Gateway API: when using v1alpha1, certificateRef.group now accepts "core" #833 (maelvls)
- Fix set ssl cert end-of-command #828 (jcmoraisjr)
- Fix dynamic update of frontend crt #829 (jcmoraisjr)
- Fix change notification of backend shard #835 (jcmoraisjr)
- Fix ingress update to an existing backend #847 (jcmoraisjr)
- Fix endpoint update of configmap based tcp services #842 (jcmoraisjr)
- Fix config parsing on misconfigured auth external #844 (jcmoraisjr)
- Fix validation if ca is used with crt and key #845 (jcmoraisjr)
- Fix global config-backend snippet config #856 (jcmoraisjr)
- Fix global config-backend snippet config #856 (jcmoraisjr)
- Remove setting vary origin header always when multiple origins are set #861 (michal800106)
- Fix error message on secret/cm update failure #863 (jcmoraisjr)
- Fix typo: distinct #867 (juggernaut)
- Add disableKeywords only if defined #876 (jcmoraisjr)
- Add match method on all var() sample fetch method #879 (jcmoraisjr)
- Fix sni sample fetch on ssl deciphered tcp conns #884 (jcmoraisjr)
- Fix docker-build target name #896 (rgherta)
- docs: Add all command-line options to list. #806 (toothbrush)
- docs: update haproxy doc link to 2.2 13bdd7c (Joao Morais)
- docs: add section for AuditLog sidecar for ModSecurity daemonset #825 (sealneaward)
- docs: changing NodeSelector to ClusterIP service for ModSecurity #826 (sealneaward)
- docs: add a faq #837 (jcmoraisjr)
- docs: add modsec resource limits to controls V2 memory consumption #841 (sealneaward)
- Add golangci-lint and fix issues found by it #868 (mrueg)
- docs: include tuning of free backend slots in performance suggestions #891 (ssanders1449)
- docs: update haproxy doc link to 2.4 #886 (jcmoraisjr)