CHANGELOG

v0.10

Highlights of this version:

HAProxy upgrade from 1.9 to 2.0
Metrics:
- HAProxy's internal Prometheus exporter, see the doc
- HAProxy Ingress exporter for Prometheus
- HAProxy Ingress dashboard for Grafana, see the metrics example

v0.10-snapshot.1

Update to haproxy 2.0.11 #414
Remove v0.7 controller #483
Add frontend to the internal prometheus exporter #486
- Configuration keys:
  - bind-ip-addr-prometheus - doc
  - prometheus-port - doc
Defaults to not create prometheus listener #491
Metric collector and exporter #487 - doc
- Command-line options:
  - --healthz-port
  - --profiling
  - --stats-collect-processing-period

v0.10-snapshot.2

Change unix sockets user to haproxy #504
Add CN label in the cert_expire metric #501

v0.10-snapshot.3

Sort tcp services by name and port #506
Add backend-server-naming key #507 - doc
- Configuration keys:
  - backend-server-naming
Add ssl-redirect-code global config key #511 - doc
- Configuration keys:
  - ssl-redirect-code
Add modsecurity timeout connect/server #512 - doc
- Configuration keys:
  - modsecurity-timeout-connect
  - modsecurity-timeout-server
Add ssl-fingerprint-lower config key #515 - doc
- Configuration keys:
  - ssl-fingerprint-lower
Remove haproxy warning filter #514
Create frontends even without ingress #516
Add auth-tls-strict configuration key #513 - doc
- Configuration keys:
  - auth-tls-strict
Update to haproxy 2.0.12 #518

v0.9

v0.9-beta.1

Breaking backward compatibility from v0.8:

TLS 1.0 and 1.1 was dropped in the default configuration. Several cipher suites was dropped as well, mostly non ephemeral key exchange algorithms. This might break old http clients. See the v0.8 default values in the SSL cipher suite and SSL options docs and adjust the configuration if needed.
Some default configurations was changed to improve performance of a vanilla deployment, this might cause unexpected behaviour:
- Default dynamic-scaling configuration key was changed from false to true
- Default nbthread configuration key was changed from 1 to 2
- Default --reload-strategy command-line option was changed from native to reusesocket

Highlights of this version:

HAProxy upgrade from 1.8 to 1.9
HTTP/2 support in the backend side
TLS 1.3 support
Certificate update using ACME-v2 protocol
Hability to run as non-root, see the security doc

New features:

Use one bind per frontend #382
Update to haproxy 1.9.10 #381
Add h2 backend proto and use-htx global option #387
- Configuration keys:
  - ingress.kubernetes.io/backend-protocol - doc
  - use-htx - doc
Make sni optional if a certificate is optional and is not provided #392
Add custom-frontend snippet to http:80 frontend #395
Join samples using concat #393
Use 421 response if sni and headers does not match #394
Add syslog-length configmap option #396 - doc
- Configuration keys:
  - ingress.kubernetes.io/syslog-length
Add CRL Support in the TLS Secret for Client Authentication #328
Add CRL support in the new controller #399
- Configuration keys:
  - ingress.kubernetes.io/auth-tls-secret - new optional file ca.crl - doc
  - ingress.kubernetes.io/secure-verify-ca-secret - new optional file ca.crl - doc
Add per request deployment group selection - blue/green deployment #402 - doc
- Configuration keys:
  - ingress.kubernetes.io/blue-green-cookie
  - ingress.kubernetes.io/blue-green-header
Sort ingress using creation timestamp #405
Update default TLS versions and ciphers for client and server connections #403 - doc
- Configuration keys:
  - ssl-cipher-suites
  - ssl-cipher-suites-backend
  - ssl-ciphers-backend
Update to haproxy 1.9.11 #406
Add session-cookie-shared #419
Add dynamic-scaling false option #420
Improve sorting of internal state #423
Tuning default thread number and reload strategy #424
Add leader election #431
Add work queue #430
Add forwardfor option - update #437 - doc
- Configuration keys:
  - ingress.kubernetes.io/forwardfor - new option update
Add support for Mod Security DetectionOnly Mode #443 - doc
- Configuration keys:
  - ingress.kubernetes.io/waf-mode
Add initial-weight config key #444
Improve fronting proxy config #434
Update Go version and use Go mod #439
Update to haproxy 1.9.12 #446
Initialize leader election only if needed #447
Add ip+port bind support for http/https/fronting-proxy #452
Add failure rate limit on work queue #457
Customizeable goarch #472
dumb-init added from alpine repo #471
Add acme v02 support #391
- Configuration keys - doc:
  - acme-emails
  - acme-endpoint
  - acme-expiring
  - acme-shared
  - acme-terms-agreed
  - ingress.kubernetes.io/cert-signer
- Command-line options - doc:
  - --acme-check-period
  - --acme-election-id
  - --acme-fail-initial-duration
  - --acme-fail-max-duration
  - --acme-secret-key-name
  - --acme-server
  - --acme-token-configmap-name
  - --acme-track-tls-annotation
Update to haproxy 1.9.13 #475
Update dependencies to k8s 1.16.3 #474
Add 4xx error pages and CORS Preflight as Lua services #481
Check acme account before retrieving #479
Improve equality comparison with acme changes #478
Add security options #484 - doc
- Configuration keys:
  - use-chroot
  - use-haproxy-user

Fixes:

Fix case on requests from 80/http #425
Fix case on per-path backend requests #427
Fix cross-namespace command-line option #433
Fix host match with a port number #436
Fix hostname match of domains with client cert auth #453
Fix panic reading empty targetRef from ep #455
Fix txn.namespace on http requests #463
Do ssl-redirect only if tls declares the hostname #465
Fix case on per-path backend maps #466
Use the found match pattern #468
Improve response error on sni mismatch #470
Fix haproxy.cfg permissions #476

Docs:

docs: update deployment and DaemonSet APIs to apps/v1 #415
docs: starting version #417
docs: update deploy and ds api to apps/v1 #422
docs: defaults for cors-allow-methods and -headers #445

v0.9-beta.2

Fixes and improvements since v0.9-beta.1:

Change unix sockets user to haproxy #504
Sort tcp services by name and port #506
Add backend-server-naming key #507 - doc
- Configuration keys:
  - backend-server-naming
Add auth-tls-strict configuration key #513 - doc
- Configuration keys:
  - auth-tls-strict
Remove haproxy warning filter #514
Create frontends even without ingress #516

v0.8.1

Fixes and improvements since v0.8:

Sort tcp services by name and port #506
Add backend-server-naming key #507 - doc
- Configuration keys:
  - backend-server-naming
Add auth-tls-strict configuration key #513 - doc
- Configuration keys:
  - auth-tls-strict
Remove haproxy warning filter #514
Create frontends even without ingress #516

v0.8

v0.8-beta.1

Breaking backward compatibility from v0.7:

Note: A new configuration parser and HAProxy config builder is in place. Despite declared incompatibility changes listed below, all configuration options and behavior should be preserved. Please file an issue if something changed in the v0.8 controller which is not listed here.

HAProxy's backend naming convention used for services changed from <namespace>-<svcname>-<port> to <namespace>_<svcname>_<port> in order to avoid ambiguity. This should impact as least logging filters and metrics dashboards.
All the other HAProxy's proxy names changed as well - check your logging filters and metrics dasboards.
nbproc-ssl global configmap option wasn't reimplemented in v0.8, consider use nbthread instead.
strict-host global configmap option changed the default value from true to false. See strict-host doc.
dynamic-scaling configuration key changed the default value from false to true
nbthread configuration key changed the default value from 1 to 2
reload-strategy command-line option changed the default value from native to reusesocket

The --v07-controller=true command-line option can be used to revert to the old controller and behavior. Note that in this case the *-v07.tmpl templates will be used instead. This option will be removed on v0.10.

Improvements on the new internal representation and converters:

Main issue #274
Pull requests part1, part2, part3, part4, part5, part6
About 80% of the controller was rewritten from scratch. The new code base has more consistent behavior, it's more decoupled, easier to understand, test and evolve, and ready to ingress v2 without breaking compatibility with ingress v1. The new configuration is also a lot faster - the bigger the cluster, the faster the config generated by the v0.8 controller.
Configmap and annotations: declare annotations with prefix (defaults to ingress.kubernetes.io) on services or ingress objects, declare without prefix as a global configmap option. The configmap declaration act as a default value, and service takes precedence in the case of conflict with ingress.
The mode tcp frontend will be used only if needed:
- Authentication with client certificate is used - this will not be a limitation on v0.9 controller and HAProxy 1.9.x
- ssl-passthrough is used
- Conflicting timeout client declared as annotations
Fix HAProxy config parsing of a very long list of whitelist CIDRs or a very long list of overlaping /paths in the same domain

Fixes and improvements since v0.7:

Fix duplication of ConfigFrontend snippets for DefaultBackend #352
Fix port retrieval for terminatingPod with named targetPort #331
Disable HTTP Basic Auth on CORS pre-flight OPTIONS request #356
Configure annotation prefix - doc
- Command-line options:
  - --annotations-prefix
Agent check #287 - doc
- Annotations or configmap options (without prefix):
  - ingress.kubernetes.io/agent-check-port
  - ingress.kubernetes.io/agent-check-addr
  - ingress.kubernetes.io/agent-check-interval
  - ingress.kubernetes.io/agent-check-send
Health check #287 - doc
- Annotations or configmap options (without prefix):
  - ingress.kubernetes.io/health-check-uri
  - ingress.kubernetes.io/health-check-addr
  - ingress.kubernetes.io/health-check-port
  - ingress.kubernetes.io/health-check-interval
  - ingress.kubernetes.io/health-check-rise-count
  - ingress.kubernetes.io/health-check-fall-count
Configure the minimum number of free/empty servers per backend - doc
- Annotations or configmap options (without prefix):
  - ingress.kubernetes.io/slots-min-free
Add CORS Expose Headers option #268 - doc
- Annotations or configmap options (without prefix):
  - ingress.kubernetes.io/cors-expose-headers
Add SSL Engine options #269 - doc
- Configmap options:
  - ssl-engine
  - ssl-mode-async
Add log customizations
- Configmap options:
  - syslog-format #278 - doc
  - syslog-tag #288 - doc
Add TLS ALPN option #307 - doc
- Configmap options:
  - tls-alpn
Allow hostname/pod name to be used as the cookie value #286 - doc
- Annotations or configmap options (without prefix):
  - ingress.kubernetes.io/session-cookie-dynamic
Allow redispatch when drain-support is enabled #334 - doc
- Configmap options:
  - drain-support-redispatch
Add snippet for defaults section #335 - doc
- Configmap options:
  - config-defaults
Add option to wait defined time when SIGTERM received #363 - doc
- Command-line options:
  - --wait-before-shutdown
Declare a HAProxy var with the k8s namespace #378 - doc
- Annotation or configmap options (without prefix):
  - ingress.kubernetes.io/var-namespace

v0.8-beta.2

Fixes and improvements since v0.8-beta.1:

Fix service port lookup #385
Change dynamic update default values #388
Fix port number lookup of terminating pods #389

v0.8-beta.3

Fixes and improvements since v0.8-beta.2:

Make sni optional if a certificate is optional and is not provided #392
Add custom-frontend to snippet to http:80 frontend #395

v0.8-beta.4

Fixes and improvements since v0.8-beta.3:

Sort ingress using creation timestamp #405
Add session-cookie-shared #419
- Configuration keys:
  - session-cookie-shared - doc
Add dynamic-scaling false option #420
Improve sorting of internal state #423
Tuning default thread number and reload strategy #424
Fix case on requests from 80/http #425

v0.8-beta.5

Fixes and improvements since v0.8-beta.4:

Update HAProxy from 1.8.20 to 1.8.22
Fix case on per-path backend requests #427
Fix implementation of cross-namespace command-line option #433
Improve fronting proxy config #434
- Configuration keys:
  - fronting-proxy-port - doc
Fix host match with a port number #436
Add initial-weight config key #444
- Configuration keys:
  - initial-weight - doc
Add ip+port bind support for http/https/fronting-proxy #452
- Configuration keys:
  - bind-fronting-proxy - doc
  - bind-http - doc
  - bind-https - doc
Fix panic reading empty targetRef from ep #455

v0.8-post-beta.5 (match v0.8)

Fixes and improvements since v0.8-beta.5:

Update HAProxy from 1.8.22 to 1.8.23
Fix txn.namespace on http requests #463
Do ssl-redirect only if tls declares the hostname #465
Fix case on per-path backend maps #466
Fix haproxy.cfg permissions #476

v0.7.5

Fixes and improvements since v0.7.4:

Update HAProxy from 1.8.22 to 1.8.23

v0.7.4

Fixes and improvements since v0.7.3:

Update HAProxy from 1.8.21 to 1.8.22, which fixes a segmentation fault when using a spoe filter (ModSecurity)

v0.7.3

Fixes and improvements since v0.7.2:

Update HAProxy from 1.8.20 to 1.8.21
Fix duplication of ConfigFrontend snippets for DefaultBackend #352
Disable HTTP Basic Auth on CORS pre-flight OPTIONS request #356

v0.7.2

Fixes and improvements since v0.7.1:

Update HAProxy from 1.8.19 to 1.8.20
Fix port retrieval for terminatingPod with named targetPort #331

v0.7.1

Fixes and improvements since v0.7:

Update libssl and libcrypto #318

v0.7

v0.7-beta.1

Breaking backward compatibility from v0.6:

Default blue/green deployment mode changed from pod to deploy. Use ingress.kubernetes.io/blue-green-mode annotation to change to the v0.6 behavior. See also the blue/green deployment doc.
Changed default maximum ephemeral DH key size from 1024 to 2048, which might break old TLS clients. Use ssl-dh-default-max-size configmap option to change back to 1024 if needed.
Behavior of ingress.kubernetes.io/server-alias annotation was changed to mimic hostname syntax. Use ingress.kubernetes.io/server-alias-regex instead if need to use regex. See also the server-alias doc

Fixes and improvements since v0.6:

Add SSL config on TCP services #192 - doc
Disable health check of backends #195
Fix endless loop if SSL/TLS secret does not exist #191
DNS discovery of backend servers #154 - doc
- Annotations:
  - ingress.kubernetes.io/use-resolver
- Configmap options:
  - dns-accepted-payload-size
  - dns-cluster-domain
  - dns-hold-obsolete
  - dns-hold-valid
  - dns-resolvers
  - dns-timeout-retry
ModSecurity web application firewall #166 and #248
- Template file - doc
- Annotations:
  - ingress.kubernetes.io/waf - doc
- Configmap options:
  - modsecurity-endpoints - doc
  - modsecurity-timeout-hello - doc
  - modsecurity-timeout-idle - doc
  - modsecurity-timeout-processing - doc
Multi process and multi thread support #172
- Configmap options:
  - nbproc-ssl - doc
  - nbthread - doc
Balance mode of blue/green deployment #201 - doc
- Annotations:
  - ingress.kubernetes.io/blue-green-balance
  - ingress.kubernetes.io/blue-green-mode
Add configuration snippet options #194 and #252 - doc
- Configmap options:
  - config-frontend
  - config-global
Add OAuth2 support #239 - doc
Add support to ingress/spec/backend #212
Add SSL config on stats endpoint #193 - doc
- Configmap options:
  - stats-ssl-cert
Add custom http and https port numbers #190
- Configmap options:
  - http-port
  - https-port
Add client cert auth for backend #222 - doc
- Annotations:
  - ingress.kubernetes.io/secure-crt-secret
Add publish-service doc #211 - doc
- Command-line options:
  - --publish-service
Add option to match URL path on wildcard hostnames #213 - doc
- Configmap options:
  - strict-host
Add HSTS on default backend #214
Add Sprig template functions #224 - Sprig doc
Add watch-namespace command-line option #227 - doc
- Command-line options:
  - --watch-namespace
Add http-port on ssl-passthrough #228 - doc
- Annotations:
  - ingress.kubernetes.io/ssl-passthrough-http-port
Add proxy-protocol annotation #236 - doc
- Annotations:
  - ingress.kubernetes.io/proxy-protocol
Add server-alias-regex annotation #250 - doc
- Annotations:
  - ingress.kubernetes.io/server-alias-regex
Optimize reading of default backend #234
Add annotation and configmap validations #237
Fix sort-backends behavior #247

v0.7-beta.2

Fixes and improvements since v0.7-beta.1:

Fix ssl-passthrought (only v0.7) #258

v0.7-beta.3

Fixes and improvements since v0.7-beta.2:

Fix panic if an invalid path is used on ssl-passthrough (only v0.7) #260
Add ssl-passthrough-http-port validations #261

v0.7-beta.4

Fixes and improvements since v0.7-beta.3:

Update HAProxy from 1.8.14 to 1.8.16 - fix some DNS issues
Improve optional client cert auth #275

v0.7-beta.5

Fixes and improvements since v0.7-beta.4:

Update HAProxy from 1.8.16 to 1.8.17 - fix CVE-2018-20615 (release notes)

v0.7-beta.6

Fixes and improvements since v0.7-beta.5:

Fix validation of mod security conf #282

v0.7-beta.7

Fixes and improvements since v0.7-beta.6:

Use SRV records on dns resolver if backend port isn’t a valid number #285
Fix permission of frontend certs dir #293

v0.7-beta.8

Fixes and improvements since v0.7-beta.7:

Update to HAProxy 1.8.19, which fixes some connection aborts on HTTP/2
Add TLS ALPN extension advertisement #307
Fix overlapping configs on shared frontend #308

v0.6.4

Fixes and improvements since v0.6.3:

Update HAProxy from 1.8.19 to 1.8.20
Fix port retrieval for terminatingPod with named targetPort #331

v0.6.3

Fixes and improvements since v0.6.2:

Update libssl and libcrypto #318

v0.6.2

Fixes and improvements since v0.6.1:

Update HAProxy from 1.8.17 to 1.8.19, which fixes some connection aborts on HTTP/2

v0.6.1

Fixes and improvements since v0.6:

Update HAProxy from 1.8.14 to 1.8.17
- Fix some DNS issues
- Fix CVE-2018-20615 (release notes)

v0.6

v0.6-beta.1

Breaking backward compatibility from v0.5:

Usage of header Host to match https requests instead of using just sni extension, deprecating use-host-on-https - #130
Multibinder is deprecated, use reusesocket reload strategy instead - #139
Dynamic scaling do not reload HAProxy if the number of servers of a backend could be reduced
Broken CIDR lists - whitelist-source-range and limit-whitelist annotations - will add at least the valid CIDRs found in the list - #163
Added timeout-queue configmap option which defaults to 5s. timeout-queue didn't exist before v0.6 and its value inherits from the timeout-connect configuration. Starting on v0.6, changing timeout-connect will not change timeout-queue default value.

Fixes and improvements since v0.5:

HAProxy 1.8
Dynamic cookies on cookie based server affinity
HTTP/2 support - #129
Share http/s connections on the same frontend/socket - #130
Add clear userlist on misconfigured basic auth - #71
Fix copy endpoints to fullslots - #84
Equality improvement on dynamic scaling - #138 and #140
Fix precedence of hosts without wildcard and alias without regex - #149
Add v1 as a PROXY protocol option on tcp-services - #156
Fix Lets Encrypt certificate generation - #161
Add valid CIDRs on whitelists #163
New annotations:
- Cookie persistence strategy #89 - doc
  - ingress.kubernetes.io/session-cookie-strategy
- Blue/green deployment #125 - doc
  - ingress.kubernetes.io/blue-green-deploy
- Load balancing algorithm #144
  - ingress.kubernetes.io/balance-algorithm
- Connection limits and timeout #148 - doc
  - ingress.kubernetes.io/maxconn-server
  - ingress.kubernetes.io/maxqueue-server
  - ingress.kubernetes.io/timeout-queue
- CORS #151 - doc
  - ingress.kubernetes.io/cors-allow-origin
  - ingress.kubernetes.io/cors-allow-methods
  - ingress.kubernetes.io/cors-allow-headers
  - ingress.kubernetes.io/cors-allow-credentials
  - ingress.kubernetes.io/cors-enable
  - ingress.kubernetes.io/cors-max-age
- Configuration snippet #155 - doc
  - ingress.kubernetes.io/config-backend
- Backend servers slot increment #164 - doc
  - ingress.kubernetes.io/slots-increment
New configmap options:
- Drain support for NotReady pods on cookie affinity backends #95 - doc
  - drain-support
- Timeout queue #148 - doc
  - timeout-queue
- Time to wait for long lived connections to finish before hard-stop a HAProxy process #150 - doc
  - timeout-stop
- Add option to bypass SSL/TLS redirect #161 - doc
  - no-tls-redirect-locations
- Add configmap options to listening IP address #162
  - bind-ip-addr-tcp
  - bind-ip-addr-http
  - bind-ip-addr-healthz
  - bind-ip-addr-stats
New command-line options:
- Maximum timestamped config files #123 - doc
  - --max-old-config-files

v0.6-beta.2

Fixes and improvements since v0.6-beta.1:

Fix redirect https if path changed with rewrite-target - #179
Fix ssl-passthrough annotation - #183 and #187

v0.6-beta.3

Fixes and improvements since v0.6-beta.2:

Fix host match of rate limit on shared frontend - #202

v0.6-beta.4

Fixes and improvements since v0.6-beta.3:

Fix permission denied to mkdir on OpenShift - #205
Fix usage of custom DH params (only v0.6) - #215
Fix redirect of non TLS hosts (only v0.6) - #231

v0.6-beta.5

Fixes and improvements since v0.6-beta.4:

Fix health check of dynamic reload - #232
Fix stop/terminate signal of the controller process - #233

v0.6-beta.6

Fixes and improvements since v0.6-beta.5:

Fix SSL redirect if no TLS config is used (only v0.6) - #235

v0.6-post-beta.6 (match v0.6)

Fixes and improvements since v0.6-beta.6:

Restrict access of sticky session cookie by client Javascript code - #251

v0.5

Fixes and improvements since v0.4

v0.5-beta.1 changelog
v0.5-beta.2 changelog
v0.5-beta.3 changelog

v0.5-beta.3

Fixes and improvements since v0.5-beta.2

Fix sync of excluded secrets - #102
Fix config with long fqdn - #112
Fix non ssl redirect on default backend - #120

v0.5-beta.2

Fixes and improvements since v0.5-beta.1

Fix reading of txn.path on http-request keywords - #102

v0.5-beta.1

Breaking backward compatibility from v0.4

TLS certificate validation using only SAN extension - common Name (CN) isn't used anymore. Add --verify-hostname=false command-line option to bypass hostname verification
ingress.kubernetes.io/auth-tls-secret annotation cannot reference another namespace without --allow-cross-namespace command-line option
tcp-log-format configmap option now customizes log of TCP proxies, use https-log-format instead to configure log of SNI inspection (https/tcp frontend)