CHANGELOG-v0.14.md

CHANGELOG v0.14 branch

• Major improvements
• Upgrade notes - read before upgrade from v0.13!
• Contributors
• v0.14.0-alpha.2
  • Reference
  • Release notes
  • Improvements
  • Fixes
• v0.14.0-alpha.1
  • Reference
  • Improvements
  • Fixes

Major improvements

Highlights of this version

• Embedded HAProxy upgrade from 2.3 to 2.4.
• Partial Gateway API v1alpha2 support, see the Gateway API getting started page.
• Option to customize the response payload for any of the status codes managed by HAProxy or HAProxy Ingress, see the HTTP Responses configuration key documentation.
• Option to run the embedded HAProxy as Master Worker. Running HAProxy as Master Worker enables worker-max-reloads option without the need to configure as an external deployment, enables HAProxy logging to stdout, and also has a better management of the running process. This option is not enabled by default, see the master worker documentation for further information.
• HAProxy Ingress can now be easily launched in the development environment with the help of the --local-filesystem-prefix command-line option. See also the command-line option documentation and the new make variables and targets in the README file.

Upgrade notes

Breaking backward compatibility from v0.13:

• Default auth-tls-strict configuration key value changed from false to true. This update will change the behavior of misconfigured client auth configurations: when false misconfigured mTLS send requests to the backend without any authentication, when true misconfigured mTLS will always fail the request. See also the auth TLS documentation.
• Default --watch-gateway command-line option changed from false to true. On v0.13 this option can only be enabled if the Gateway API CRDs are installed, otherwise the controller would refuse to start. Since v0.14 the controller will always check if the CRDs are installed. This will change the behavior on clusters that has Gateway API resources and doesn't declare the command-line option: v0.13 would ignore the resources and v0.14 would find and apply them. See also the watch gateway documentation.
• All the response payload managed by the controller using Lua script was rewritten in a backward compatible behavior, however deployments that overrides the services.lua script might break. See the HTTP Responses documentation on how to customize HTTP responses using controller's configuration keys.
• Two frontends changed their names, which can break deployments that uses the frontend name on metrics, logging, or in the config-proxy global configuration key. Frontends changed are: _front_https, changed its name to _front_https__local if at least one ssl-passthrough is configured, and _front__auth, changed its default value to _front__auth__local. These changes were made to make the metric's dashboad consistent despite the ssl-passthrough configuration. See the new metrics example page and update your dashboard if using HAProxy Ingress' one.

Contributors

• Ameya Lokare (juggernaut)
• Andrew Rodland (arodland)
• ironashram (ironashram)
• Joao Morais (jcmoraisjr)
• Maël Valais (maelvls)
• Manuel Rüger (mrueg)
• Marvin Rösch (PaleoCrafter)
• Mateusz Kubaczyk (mkubaczyk)
• Michał Zielonka (michal800106)
• Neil Seward (sealneaward)
• paul (toothbrush)
• Roman Gherta (rgherta)
• ssanders1449 (ssanders1449)
• Wojciech Chojnowski (DCkQ6)

v0.14.0-alpha.2

Reference (a2)

• Release date: 2022-04-07
• Helm chart: --version 0.14.0-alpha.2 --devel
• Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-alpha.2
• Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.0-alpha.2
• Embedded HAProxy version: 2.4.15
• GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.14.0-alpha.2

Release notes (a2)

This is the second and last alpha release of v0.14, which fixes the following issues:

• The configured service was not being selected if the incoming path doesn't finish with a slash, the host is not declared in the ingress resource (using default host), the path type is Prefix, and the pattern is a single slash.
• Marvin Rösch fixed a delay of 5 seconds to connect to a server using a TCP service. Such delay happens whenever a host is used in the ingress resource and the SSL offload is made by HAProxy.

Other visible improvements include:

• Add compatibility with HAProxy 2.5 deployed as external/sidecar. Version 2.5 changed the lay out of the show proc command of the master API.
• Add the ability to overwrite any of the HAProxy generated response payloads, see the HTTP Response documentation
• Add ssl-fingerprint-sha2-bits configuration key which adds a HTTP header with the SHA-2 fingerprint of client certificates.
• Update to the latest version of golang 1.17, client-go v0.23 and haproxy 2.4

There is also a few other internal and non visible improvements. First beta version should be tagged within a week or so, after finish some exploratory tests.

Improvements (a2)

New features and improvements since v0.14.0-alpha.1:

• Replace glog with klog/v2 #904 (mrueg)
• Remove initial whitespaces from haproxy template #910 (ironashram)
• Add haproxy 2.5 support for external haproxy #905 (jcmoraisjr)
• Add ssl-fingerprint-sha2-bits configuration key #911 (jcmoraisjr) - doc
  • Configuration keys:
    • ssl-fingerprint-sha2-bits
• Add http-response configuration keys #915 (jcmoraisjr) - doc
  • Configuration keys:
    • http-response-<code>
    • http-response-prometheus-root
• update embedded haproxy from 2.4.12 to 2.4.15 c29ddf5 (Joao Morais)
• update client-go from v0.23.3 to v0.23.5 a507389 (Joao Morais)
• update golang from 1.17.6 to 1.17.8 5b78816 (Joao Morais)

Fixes (a2)

• Fix match of prefix pathtype if using default host #908 (jcmoraisjr)
• Only inspect SSL handshake for SNI routing for SSL passthrough #914 (PaleoCrafter)
• Fix reload failure detection on 2.5+ #916 (jcmoraisjr)

v0.14.0-alpha.1

Reference (a1)

• Release date: 2022-02-13
• Helm chart: --version 0.14.0-alpha.1 --devel
• Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.14.0-alpha.1
• Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.14.0-alpha.1
• Embedded HAProxy version: 2.4.12

Improvements (a1)

New features and improvements since v0.13-beta.1:

• update client-go from v0.20.7 to v0.21.1 9e8f75b (Joao Morais)
• update gateway api from v0.2.0 to v0.3.0 97abfa9 (Joao Morais)
• update golang from 1.15.13 to 1.16.15 2f48838 (Joao Morais)
• update embedded haproxy from 2.3.10 to 2.4.0 23e2418 (Joao Morais)
• Stable IDs for consistent-hash load balancing #801 (arodland) - doc
  • Configuration keys:
    • assign-backend-server-id
• Ensure that configured global ConfigMap exists #804 (jcmoraisjr)
• Update auth-request.lua script #809 (jcmoraisjr)
• Add log of reload error on every reconciliation #811 (jcmoraisjr)
• Add disable-external-name command-line option #816 (jcmoraisjr) - doc
  • Command-line options:
    • --disable-external-name
• Add reload interval command-line option #815 (jcmoraisjr) - doc
  • Command-line options:
    • --reload-interval
• Updates to the help output of command-line options #814 (jcmoraisjr)
• Add disable-config-keywords command-line options #820 (jcmoraisjr) - doc
  • Command-line options:
    • --disable-config-keywords
• Change nbthread to use all CPUs by default #821 (jcmoraisjr)
• Option to use client and master socket in keep alive mode #824 (jcmoraisjr)
• Add close-sessions-duration config key #827 (jcmoraisjr)
  • Configuration keys:
    • close-sessions-duration - doc
  • Command-line options:
    • --track-old-instances - doc
• Add arm64 build #836 (jcmoraisjr)
• Feature/allowlist behind reverse proxy #846 (DCkQ6) - doc
  • Configuration keys:
    • allowlist-source-header
• Refactor tracker to an abstract implementation #850 (jcmoraisjr)
• Add read and write timeout to the unix socket #855 (jcmoraisjr)
• Add --ingress-class-precedence to allow IngressClass taking precedence over annotation #857 (mkubaczyk) - doc
  • Command-line options:
    • --ingress-class-precedence
• Add acme-preferred-chain config key #864 (jcmoraisjr) - doc
  • Configuration keys:
    • acme-preferred-chain
• Add new target platforms #870 (jcmoraisjr)
• Add local deployment configuration #878 (jcmoraisjr)
• Add master-worker mode on embedded haproxy #880 (jcmoraisjr)
• Add session-cookie-domain configuration key #889 (jcmoraisjr) - doc
  • Configuration keys:
    • session-cookie-domain
• Upgrade crypto dependency #895 (rgherta)
• Bump dependencies #874 (mrueg)
• Add auth-tls configurations to tcp services #883 (jcmoraisjr)
• Change auth-tls-strict from false to true #885 (jcmoraisjr)
• Check by default if gateway api crds are installed #898 (jcmoraisjr)
• Add starting implementation of Gateway API v1alpha2 #900 (jcmoraisjr)
• update embedded haproxy from 2.4.0 to 2.4.12 93adbb9 (Joao Morais)

Fixes (a1)

• Fix backend match if no ingress use host match #802 (jcmoraisjr)
• Reload haproxy if a backend server cannot be found #810 (jcmoraisjr)
• Fix auth-url parsing if hostname misses a dot #818 (jcmoraisjr)
• Always deny requests of failed auth configurations #819 (jcmoraisjr)
• Gateway API: when using v1alpha1, certificateRef.group now accepts "core" #833 (maelvls)
• Fix set ssl cert end-of-command #828 (jcmoraisjr)
• Fix dynamic update of frontend crt #829 (jcmoraisjr)
• Fix change notification of backend shard #835 (jcmoraisjr)
• Fix ingress update to an existing backend #847 (jcmoraisjr)
• Fix endpoint update of configmap based tcp services #842 (jcmoraisjr)
• Fix config parsing on misconfigured auth external #844 (jcmoraisjr)
• Fix validation if ca is used with crt and key #845 (jcmoraisjr)
• Fix global config-backend snippet config #856 (jcmoraisjr)
• Fix global config-backend snippet config #856 (jcmoraisjr)
• Remove setting vary origin header always when multiple origins are set #861 (michal800106)
• Fix error message on secret/cm update failure #863 (jcmoraisjr)
• Fix typo: s/distict/distinct #867 (juggernaut)
• Add disableKeywords only if defined #876 (jcmoraisjr)
• Add match method on all var() sample fetch method #879 (jcmoraisjr)
• Fix sni sample fetch on ssl decyphered tcp conns #884 (jcmoraisjr)
• Fix docker-build target name #896 (rgherta)

Other

• docs: Add all command-line options to list. #806 (toothbrush)
• docs: update haproxy doc link to 2.2 13bdd7c (Joao Morais)
• docs: add section for AuditLog sidecar for ModSecurity daemonset #825 (sealneaward)
• docs: changing NodeSelector to ClusterIP service for ModSecurity #826 (sealneaward)
• docs: add a faq #837 (jcmoraisjr)
• docs: add modsec resource limits to controls V2 memory consumption #841 (sealneaward)
• Add golangci-lint and fix issues found by it #868 (mrueg)
• docs: include tuning of free backend slots in performance suggestions #891 (ssanders1449)
• docs: update haproxy doc link to 2.4 #886 (jcmoraisjr)