CHANGELOG-v0.14.md

File metadata and controls

493 lines (380 loc) · 33.6 KB

CHANGELOG v0.14 branch

Major improvements

Highlights of this version

  • Embedded HAProxy upgrade from 2.3 to 2.4.
  • Partial Gateway API v1alpha2 support, see the Gateway API getting started page.
  • Coraza added as a Web Application Firewall (WAF) backend option, see the example page.
  • Option to customize the response payload for any of the status codes managed by HAProxy or HAProxy Ingress, see the HTTP Responses configuration key documentation.
  • Option to run the embedded HAProxy as Master Worker. Running HAProxy as Master Worker enables the worker-max-reloads option without the need to configure an external deployment, enables HAProxy logging to stdout, and also manages the running process better. This option is not enabled by default, see the master worker documentation for further information.
  • HAProxy Ingress can now be easily launched in the development environment with the help of the --local-filesystem-prefix command-line option. See also the command-line option documentation and the new make variables and targets in the README file.

Upgrade notes

Breaking backward compatibility from v0.13:

  • Default auth-tls-strict configuration key value changed from false to true. This update changes the behavior of misconfigured client auth configurations: when false, a misconfigured mTLS setup sends requests to the backend without any authentication; when true, a misconfigured mTLS setup always fails the request. See also the auth TLS documentation.
  • auth-tls-verify-client, when configured as optional_no_ca, used to validate client certificates against the configured CA bundle. This happens on controller versions from v0.8 to v0.13. Since v0.14 optional_no_ca will bypass certificate validation. Change auth-tls-verify-client to optional in order to preserve the old behavior.
  • Default --watch-gateway command-line option changed from false to true. On v0.13 this option could only be enabled if the Gateway API CRDs were installed, otherwise the controller would refuse to start. Since v0.14 the controller always checks whether the CRDs are installed. This changes the behavior on clusters that have Gateway API resources and don't declare the command-line option: v0.13 would ignore the resources and v0.14 will find and apply them. See also the watch gateway documentation.
  • All the response payloads managed by the controller using Lua script were rewritten in a backward compatible way; however, deployments that override the services.lua script might break. See the HTTP Responses documentation on how to customize HTTP responses using the controller's configuration keys.
  • Two frontends changed their names, which can break deployments that use the frontend name in metrics, logging, or in the config-proxy global configuration key. The changed frontends are: _front_https, renamed to _front_https__local if at least one ssl-passthrough is configured, and _front__auth, whose default name is now _front__auth__local. These changes were made to keep the metrics dashboard consistent regardless of the ssl-passthrough configuration. See the new metrics example page and update your dashboard if using HAProxy Ingress' one.
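A pre-upgrade audit for the two mTLS changes above, added here as an example and not part of the HAProxy Ingress project: it walks Ingress objects (constructed dicts shaped like the Kubernetes API output) and reports annotations whose meaning changes between v0.13 and v0.14. The annotation prefix haproxy-ingress.github.io/ is taken from this page; the key auth-tls-secret and the use of auth-tls-strict as an ingress annotation are assumptions.

```python
"""Audit Ingress annotations for the v0.14 mTLS behaviour changes.

Findings raised:
  * auth-tls-verify-client=optional_no_ca stops validating client
    certificates in v0.14; 'optional' keeps the v0.13 behaviour.
  * auth-tls-strict now defaults to true, so a misconfigured mTLS setup
    fails requests instead of forwarding them unauthenticated; an
    explicit 'false' keeps the old, weaker behaviour.
"""
from __future__ import annotations

PREFIX = "haproxy-ingress.github.io/"  # annotation prefix used on this page


def audit_ingress(ingress: dict) -> list[str]:
    """Return human-readable findings for one Ingress object (empty if clean)."""
    meta = ingress.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    ann = meta.get("annotations") or {}
    verify = ann.get(PREFIX + "auth-tls-verify-client")
    secret = ann.get(PREFIX + "auth-tls-secret")  # assumed key naming the CA bundle
    strict = ann.get(PREFIX + "auth-tls-strict")
    findings: list[str] = []
    if verify == "optional_no_ca":
        findings.append(f"{name}: auth-tls-verify-client=optional_no_ca no longer "
                        "validates client certificates in v0.14; use 'optional' "
                        "to keep validation")
    if secret and strict is None:
        findings.append(f"{name}: auth-tls-strict is unset; the default changed "
                        "from false to true, so a misconfigured mTLS setup now "
                        "fails requests instead of forwarding them unauthenticated")
    if secret and strict == "false":
        findings.append(f"{name}: auth-tls-strict=false explicitly keeps forwarding "
                        "requests without authentication when mTLS is misconfigured")
    return findings


def audit_all(ingresses: list[dict]) -> list[str]:
    """Audit every Ingress and concatenate the findings."""
    out: list[str] = []
    for ing in ingresses:
        out.extend(audit_ingress(ing))
    return out


# Constructed sample objects, not taken from any real cluster.
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "shop", "name": "api", "annotations": {
        PREFIX + "auth-tls-secret": "shop/client-ca",
        PREFIX + "auth-tls-verify-client": "optional_no_ca"}}},
    {"metadata": {"namespace": "shop", "name": "admin", "annotations": {
        PREFIX + "auth-tls-secret": "shop/client-ca",
        PREFIX + "auth-tls-verify-client": "required",
        PREFIX + "auth-tls-strict": "false"}}},
    {"metadata": {"namespace": "web", "name": "static", "annotations": {}}},
]

if __name__ == "__main__":
    for line in audit_all(SAMPLE_INGRESSES):
        print(line)
```

On a live cluster the same function can be fed the items of `kubectl get ingress -A -o json`.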

Contributors

v0.14.2

Reference (r2)

  • Release date: 2023-02-14
  • Helm chart: --version 0.14.2
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.2
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.2
  • Embedded HAProxy version: 2.4.22
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.2

Release notes (r2)

This release fixes CVE-2023-25725 on HAProxy. See HAProxy's release notes regarding the issue and a possible work around: https://www.mail-archive.com/[email protected]/msg43229.html

Dependencies:

  • Embedded HAProxy version was updated from 2.4.21 to 2.4.22.

Fixes and improvements (r2)

New features and improvements since v0.14.1:

  • update dependencies 0efcd77 (Joao Morais)
  • update embedded haproxy from 2.4.21 to 2.4.22 a8c942b (Joao Morais)

v0.14.1

Reference (r1)

  • Release date: 2023-02-10
  • Helm chart: --version 0.14.1
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.1
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.1
  • Embedded HAProxy version: 2.4.21
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.1

Release notes (r1)

This release fixes the following issues:

  • Service resources accept annotations just like ingress ones. However, services annotated with path scoped annotations, like haproxy-ingress.github.io/cors-enable and haproxy-ingress.github.io/auth-url, were applying the configuration to just one of the paths pointing to the service. So, considering domain.local/path1 and domain.local/path2 pointing to svc1, an annotation added to svc1 would only be applied to one of the paths.
  • A wrong named port configured on the external auth was being silently ignored. This update adds this information in the documentation and also adds a warning in the log. See auth external documentation.

Other notable changes include:

  • Mutual TLS authentication (mTLS, Auth TLS) was being skipped on v0.14 if all the domains that configure mTLS are configured with optional_no_ca.

Dependencies:

  • Embedded HAProxy version was updated from 2.4.20 to 2.4.21.
  • Go updated from 1.18.9 to 1.18.10.
  • Client-go updated from v0.23.15 to v0.23.16.

Fixes and improvements (r1)

New features and improvements since v0.14.0:

  • Fix path scoped annotation on service resources #984 (jcmoraisjr)
  • Fix mTLS when all hosts are optional_no_ca #977 (jcmoraisjr)
  • Add warning if auth external svc isnt found #982 (jcmoraisjr)
  • update embedded haproxy from 2.4.20 to 2.4.21 2b503d6 (Joao Morais)
  • update go from 1.18.9 to 1.18.10 717eea3 (Joao Morais)
  • update dependencies a8da9b8 (Joao Morais)

v0.14.0

Reference (r0)

  • Release date: 2022-12-26
  • Helm chart: --version 0.14.0
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.0
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.0
  • Embedded HAProxy version: 2.4.20
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0

Release notes (r0)

This is the first v0.14 release graduated as GA, which adds these major improvements since v0.13:

  • Coraza Web Application Firewall (WAF) support, see the example page here.
  • Customization of all HAProxy generated response payload, see the documentation here.
  • Gateway API support improvement - although we're not fully compliant yet, see the documentation here.

The following improvements have been made since the last beta version:

  • Michele Palazzi added a new configuration snippet that allows adding customized configurations before any builtin frontend logic.
  • Ability to configure mutual TLS authentication without validating the client certificate. This breaks backward compatibility with v0.13: auth-tls-verify-client configured as optional_no_ca used to validate the client certificate; now that validation is bypassed.

Dependencies:

  • Embedded HAProxy version was updated from 2.4.19 to 2.4.20.
  • Golang updated from 1.17.13 to 1.18.9.
  • Client-go updated from v0.23.14 to v0.23.15.

Fixes and improvements (r0)

New features and improvements since v0.14.0-beta.3:

  • Move CustomFrontend before any http-req in haproxy template #951 (ironashram) doc
    • Configuration keys:
      • config-frontend-early
      • config-frontend-late
  • Make optional_no_ca bypass proxy side validations #976 (jcmoraisjr)

v0.14.0-beta.3

Reference (b3)

  • Release date: 2022-12-10
  • Helm chart: --version 0.14.0-beta.3 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-beta.3
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.0-beta.3
  • Embedded HAProxy version: 2.4.19
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-beta.3

Release notes (b3)

This is the third and last beta version of the v0.14 release branch. It fixed some minor issues:

  • Embedded Acme signer can now sign certificates for hosts used on redirects
  • auth-headers-* configuration keys, from Auth External, used to break the HAProxy configuration if declared empty. Now an empty value means none of the headers are copied.

Other visible improvements include:

  • Andrej Baran added support for Load Server State on external HAProxy
  • Mac Chaffee added Coraza WAF support, see the example page on how to configure it.
  • Zap added as an optional logger sink, which adds the ability to control a few more logging options. See the logging command-line options doc.

Dependencies:

  • Embedded HAProxy version was updated from 2.4.18 to 2.4.19.
  • Client-go updated from v0.23.10 to v0.23.14.

Improvements (b3)

New features and improvements since v0.14.0-beta.2:

  • Change klog.Fatal to klog.Exit #955 (jcmoraisjr)
  • Enable Load Server State feature for external haproxy #957 (andrejbaran)
  • Add Zap as a logger sink option #967 (jcmoraisjr) - doc
    • Command-line options:
      • --log-zap
      • --log-dev
      • --log-caller
      • --log-enable-stacktrace
      • --log-encoder
      • --log-encode-time
  • Allow ability to customize modsecurity args #948 (mac-chaffee) - doc
    • Configuration keys:
      • modsecurity-args
  • Coraza support #964 (mac-chaffee) - doc
    • Configuration keys:
      • modsecurity-use-coraza

Fixes (b3)

  • Fix host redirects when acme is enabled #971 (jcmoraisjr)
  • Makes auth-headers not copying on empty string #972 (jcmoraisjr)

v0.14.0-beta.2

Reference (b2)

  • Release date: 2022-09-07
  • Helm chart: --version 0.14.0-beta.2 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-beta.2
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.0-beta.2
  • Embedded HAProxy version: 2.4.18
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-beta.2

Release notes (b2)

This is the second beta release of the v0.14 version, which fixes a small regression added in v0.8. Up to version v0.7 HAProxy Ingress accepted services of type ExternalName without a port declaration; in this case the same port number configured in the ingress resource was used to configure the backend. Since the v0.8 refactor, a port configuration became mandatory in the service resource. This update brings the v0.7 behavior back, so the port declaration is optional again for services of type ExternalName.

Other visible improvements include:

  • Image generation now updates OS dependencies added by the upstream image, which avoids releasing images with known vulnerabilities
  • Manuel Rüger updated some old and deprecated dependency versions

Dependencies:

  • Embedded HAProxy version was updated from 2.4.17 to 2.4.18.
  • Golang updated from 1.17.11 to 1.17.13.
  • Client-go updated from v0.23.8 to v0.23.10.

Improvements (b2)

New features and improvements since v0.14.0-beta.1:

  • Documents the expected format for --configmap key #940 (lafolle)
  • Add apk upgrade on container building #941 (jcmoraisjr)
  • Update client-go from v0.23.8 to v0.23.9 and indirect dependencies #943 (jcmoraisjr)
  • Migrate to new versions / off deprecated packages. #945 (mrueg)
  • update client-go from v0.23.9 to v0.23.10 e290714 (Joao Morais)
  • update embedded haproxy from 2.4.17 to 2.4.18 d2a88db (Joao Morais)
  • update golang from 1.17.11 to 1.17.13 0de7ef6 (Joao Morais)

Fixes (b2)

  • Fix go lint issues #942 (jcmoraisjr)
  • Add support for service external name without port #946 (jcmoraisjr)

v0.14.0-beta.1

Reference (b1)

  • Release date: 2022-07-03
  • Helm chart: --version 0.14.0-beta.1 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-beta.1
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.0-beta.1
  • Embedded HAProxy version: 2.4.17
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-beta.1

Release notes (b1)

This is the first beta release of the v0.14 version, which fixes some issues from the previous tag:

  • A possible typecast failure reported by monkeymorgan was fixed, which could happen during an apiserver outage when some resources are removed from the api before the controller starts to watch the api again.
  • A lock was added before checking for expiring certificates when the embedded acme client is configured. This lock prevents the check routine from reading the internal model while another thread is modifying it to apply a configuration change.
  • The external HAProxy now starts without a readiness endpoint configured. This avoids adding a just deployed controller as available before it has been properly configured. The starting liveness delay was raised in the helm chart, so that huge environments have enough time to start.

Other visible improvements include:

  • Josh Soref fixed a lot of typos in the documentation and comments.
  • wolf-cosmose implemented a regex based Cors Allow Origin option.
  • Metrics example now uses Prometheus Operator and the service monitor provided by the helm chart.
  • Some internal frontend names were changed to allow consistent metrics despite the ssl-passthrough configuration, see the upgrade notes.

Dependencies:

  • Embedded HAProxy version was updated from 2.4.15 to 2.4.17.
  • Golang updated from 1.17.8 to 1.17.11.
  • Client-go updated from v0.23.5 to v0.23.8.

Improvements (b1)

New features and improvements since v0.14.0-alpha.2:

  • Change metrics example to use servicemonitor #919 (jcmoraisjr)
  • Add suffix to name of local frontend proxies #922 (jcmoraisjr)
  • Spelling #928 (jsoref)
  • Add cors-allow-origin-regex annotation #927 (wolf-cosmose) - doc
    • Configuration keys:
      • cors-allow-origin-regex
  • update embedded haproxy from 2.4.15 to 2.4.17 1958457 (Joao Morais)
  • update golang from 1.17.8 to 1.17.11 801a425 (Joao Morais)
  • update client-go from v0.23.5 to v0.23.8 200f885 (Joao Morais)

Fixes (b1)

  • Check type assertion on all informers #934 (jcmoraisjr)
  • Add lock before call acmeCheck() #935 (jcmoraisjr)
  • Remove readiness endpoint from starting config #937 (jcmoraisjr)

v0.14.0-alpha.2

Reference (a2)

  • Release date: 2022-04-07
  • Helm chart: --version 0.14.0-alpha.2 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-alpha.2
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.0-alpha.2
  • Embedded HAProxy version: 2.4.15
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-alpha.2

Release notes (a2)

This is the second and last alpha release of v0.14, which fixes the following issues:

  • The configured service was not being selected if the incoming path doesn't finish with a slash, the host is not declared in the ingress resource (using default host), the path type is Prefix, and the pattern is a single slash.
  • Marvin Rösch fixed a delay of 5 seconds to connect to a server using a TCP service. Such delay happens whenever a host is used in the ingress resource and the SSL offload is made by HAProxy.

Other visible improvements include:

  • Add compatibility with HAProxy 2.5 deployed as external/sidecar. Version 2.5 changed the layout of the show proc command of the master API.
  • Add the ability to overwrite any of the HAProxy generated response payloads, see the HTTP Response documentation.
  • Add ssl-fingerprint-sha2-bits configuration key which adds a HTTP header with the SHA-2 fingerprint of client certificates.
  • Update to the latest version of golang 1.17, client-go v0.23 and haproxy 2.4

There are also a few other internal and non visible improvements. The first beta version should be tagged within a week or so, after some exploratory tests are finished.

Improvements (a2)

New features and improvements since v0.14.0-alpha.1:

  • Replace glog with klog/v2 #904 (mrueg)
  • Remove initial whitespaces from haproxy template #910 (ironashram)
  • Add haproxy 2.5 support for external haproxy #905 (jcmoraisjr)
  • Add ssl-fingerprint-sha2-bits configuration key #911 (jcmoraisjr) - doc
    • Configuration keys:
      • ssl-fingerprint-sha2-bits
  • Add http-response configuration keys #915 (jcmoraisjr) - doc
    • Configuration keys:
      • http-response-<code>
      • http-response-prometheus-root
  • update embedded haproxy from 2.4.12 to 2.4.15 c29ddf5 (Joao Morais)
  • update client-go from v0.23.3 to v0.23.5 a507389 (Joao Morais)
  • update golang from 1.17.6 to 1.17.8 5b78816 (Joao Morais)

Fixes (a2)

  • Fix match of prefix pathtype if using default host #908 (jcmoraisjr)
  • Only inspect SSL handshake for SNI routing for SSL passthrough #914 (PaleoCrafter)
  • Fix reload failure detection on 2.5+ #916 (jcmoraisjr)

v0.14.0-alpha.1

Reference (a1)

  • Release date: 2022-02-13
  • Helm chart: --version 0.14.0-alpha.1 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-alpha.1
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.0-alpha.1
  • Embedded HAProxy version: 2.4.12

Improvements (a1)

New features and improvements since v0.13-beta.1:

  • update client-go from v0.20.7 to v0.21.1 9e8f75b (Joao Morais)
  • update gateway api from v0.2.0 to v0.3.0 97abfa9 (Joao Morais)
  • update golang from 1.15.13 to 1.16.15 2f48838 (Joao Morais)
  • update embedded haproxy from 2.3.10 to 2.4.0 23e2418 (Joao Morais)
  • Stable IDs for consistent-hash load balancing #801 (arodland) - doc
    • Configuration keys:
      • assign-backend-server-id
  • Ensure that configured global ConfigMap exists #804 (jcmoraisjr)
  • Update auth-request.lua script #809 (jcmoraisjr)
  • Add log of reload error on every reconciliation #811 (jcmoraisjr)
  • Add disable-external-name command-line option #816 (jcmoraisjr) - doc
    • Command-line options:
      • --disable-external-name
  • Add reload interval command-line option #815 (jcmoraisjr) - doc
    • Command-line options:
      • --reload-interval
  • Updates to the help output of command-line options #814 (jcmoraisjr)
  • Add disable-config-keywords command-line options #820 (jcmoraisjr) - doc
    • Command-line options:
      • --disable-config-keywords
  • Change nbthread to use all CPUs by default #821 (jcmoraisjr)
  • Option to use client and master socket in keep alive mode #824 (jcmoraisjr)
  • Add close-sessions-duration config key #827 (jcmoraisjr)
    • Configuration keys:
      • close-sessions-duration - doc
    • Command-line options:
      • --track-old-instances - doc
  • Add arm64 build #836 (jcmoraisjr)
  • Feature/allowlist behind reverse proxy #846 (DCkQ6) - doc
    • Configuration keys:
      • allowlist-source-header
  • Refactor tracker to an abstract implementation #850 (jcmoraisjr)
  • Add read and write timeout to the unix socket #855 (jcmoraisjr)
  • Add --ingress-class-precedence to allow IngressClass taking precedence over annotation #857 (mkubaczyk) - doc
    • Command-line options:
      • --ingress-class-precedence
  • Add acme-preferred-chain config key #864 (jcmoraisjr) - doc
    • Configuration keys:
      • acme-preferred-chain
  • Add new target platforms #870 (jcmoraisjr)
  • Add local deployment configuration #878 (jcmoraisjr)
  • Add master-worker mode on embedded haproxy #880 (jcmoraisjr)
  • Add session-cookie-domain configuration key #889 (jcmoraisjr) - doc
    • Configuration keys:
      • session-cookie-domain
  • Upgrade crypto dependency #895 (rgherta)
  • Bump dependencies #874 (mrueg)
  • Add auth-tls configurations to tcp services #883 (jcmoraisjr)
  • Change auth-tls-strict from false to true #885 (jcmoraisjr)
  • Check by default if gateway api crds are installed #898 (jcmoraisjr)
  • Add starting implementation of Gateway API v1alpha2 #900 (jcmoraisjr)
  • update embedded haproxy from 2.4.0 to 2.4.12 93adbb9 (Joao Morais)

Fixes (a1)

  • Fix backend match if no ingress use host match #802 (jcmoraisjr)
  • Reload haproxy if a backend server cannot be found #810 (jcmoraisjr)
  • Fix auth-url parsing if hostname misses a dot #818 (jcmoraisjr)
  • Always deny requests of failed auth configurations #819 (jcmoraisjr)
  • Gateway API: when using v1alpha1, certificateRef.group now accepts "core" #833 (maelvls)
  • Fix set ssl cert end-of-command #828 (jcmoraisjr)
  • Fix dynamic update of frontend crt #829 (jcmoraisjr)
  • Fix change notification of backend shard #835 (jcmoraisjr)
  • Fix ingress update to an existing backend #847 (jcmoraisjr)
  • Fix endpoint update of configmap based tcp services #842 (jcmoraisjr)
  • Fix config parsing on misconfigured auth external #844 (jcmoraisjr)
  • Fix validation if ca is used with crt and key #845 (jcmoraisjr)
  • Fix global config-backend snippet config #856 (jcmoraisjr)
  • Remove setting vary origin header always when multiple origins are set #861 (michal800106)
  • Fix error message on secret/cm update failure #863 (jcmoraisjr)
  • Fix typo: distinct #867 (juggernaut)
  • Add disableKeywords only if defined #876 (jcmoraisjr)
  • Add match method on all var() sample fetch method #879 (jcmoraisjr)
  • Fix sni sample fetch on ssl deciphered tcp conns #884 (jcmoraisjr)
  • Fix docker-build target name #896 (rgherta)

Other

  • docs: Add all command-line options to list. #806 (toothbrush)
  • docs: update haproxy doc link to 2.2 13bdd7c (Joao Morais)
  • docs: add section for AuditLog sidecar for ModSecurity daemonset #825 (sealneaward)
  • docs: changing NodeSelector to ClusterIP service for ModSecurity #826 (sealneaward)
  • docs: add a faq #837 (jcmoraisjr)
  • docs: add modsec resource limits to controls V2 memory consumption #841 (sealneaward)
  • Add golangci-lint and fix issues found by it #868 (mrueg)
  • docs: include tuning of free backend slots in performance suggestions #891 (ssanders1449)
  • docs: update haproxy doc link to 2.4 #886 (jcmoraisjr)