
CHANGELOG-v0.12.md


CHANGELOG v0.12 branch

Major improvements

Highlights of this version

  • HAProxy upgrade from 2.1 to 2.2.
  • IngressClass resource support.
  • Ability to configure and run an external haproxy, version 2.0 or above, on a sidecar container.

Upgrade notes

Breaking backward compatibility from v0.11

  • Kubernetes version 1.18 or newer.
  • Ingress resources without the kubernetes.io/ingress.class annotation were watched by default up to v0.11; now they are not. This will change the final configuration of clusters that 1) have Ingress resources without the class annotation and without the ingressClassName field, and 2) do not declare the --ignore-ingress-without-class command-line option. Add the command-line option --watch-ingress-without-class to bring back the default v0.11 behavior. See the class matter documentation.
  • HAProxy Ingress service account needs get, list and watch access to the ingressclass resource from the networking.k8s.io api group.
  • The default backend configured with --default-backend-service does not have the fixed name _default_backend anymore, but instead a dynamic name based on the namespace, service name and listening port number of the target service, like any other backend. This will break configuration snippets that use the old name.
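
A pre-upgrade inventory of the Ingress resources affected by the class change described in the upgrade notes above, as an added example that is not part of the project's changelog or code. It assumes input shaped like the parsed output of `kubectl get ingress -A -o json`; the sample data and the function names are constructed for illustration.

```python
CLASS_ANNOTATION = "kubernetes.io/ingress.class"

# Constructed sample, shaped like the parsed output of
# `kubectl get ingress -A -o json` (names and namespaces are made up).
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "legacy-app"},
     "spec": {"rules": []}},
    {"metadata": {"namespace": "shop", "name": "cart",
                  "annotations": {"example.com/owner": "team-a"}},
     "spec": {}},
    {"metadata": {"namespace": "shop", "name": "api",
                  "annotations": {CLASS_ANNOTATION: "haproxy"}},
     "spec": {}},
    {"metadata": {"namespace": "web", "name": "front", "annotations": None},
     "spec": {"ingressClassName": "haproxy"}},
]}


def classless_ingresses(ingress_list):
    """Return namespace/name of every Ingress that has neither the class
    annotation nor the spec.ingressClassName field."""
    found = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}  # may be missing or null
        spec = item.get("spec") or {}
        has_annotation = CLASS_ANNOTATION in annotations
        has_field = spec.get("ingressClassName") is not None
        if not (has_annotation or has_field):
            found.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return sorted(found)


def changed_by_upgrade(ingress_list, ignore_without_class):
    """Ingresses whose handling changes when moving from v0.11 to v0.12.

    ignore_without_class (hypothetical parameter): True if the v0.11
    controller was started with --ignore-ingress-without-class, in which
    case classless Ingresses were already ignored and nothing changes.
    """
    return [] if ignore_without_class else classless_ingresses(ingress_list)


if __name__ == "__main__":
    for ref in changed_by_upgrade(SAMPLE, ignore_without_class=False):
        print("not watched after upgrade unless "
              "--watch-ingress-without-class is set:", ref)
```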

Contributors

v0.12.10

Reference (r10)

  • Release date: 2021-09-16
  • Helm chart: --version 0.12.10
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.10
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.10
  • Embedded HAProxy version: 2.2.17
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12.10

Release notes (r10)

This release fixes a regression introduced in #820: a globally configured config-backend snippet wasn't being applied in the final configuration. Annotation based snippets weren't impacted.

Fixes and improvements (r10)

Fixes and improvements since v0.12.9:

  • Fix global config-backend snippet config #856 (jcmoraisjr)

v0.12.9

Reference (r9)

  • Release date: 2021-09-08
  • Helm chart: --version 0.12.9
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.9
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.9
  • Embedded HAProxy version: 2.2.17

Release notes (r9)

This release updates the embedded HAProxy version from 2.2.16 to 2.2.17, which fixes an HAProxy vulnerability with the Content-Length HTTP header. CVE-2021-40346 was assigned. The following announcement from the HAProxy mailing list has the details and a possible workaround: https://www.mail-archive.com/[email protected]/msg41114.html

Some controller issues were fixed as well:

  • A misconfigured oauth (e.g. a missing service name) was allowing requests to reach the backend instead of denying them.
  • An ingress resource configuration could not be applied if an ingress resource started to reference a service that was already being referenced by another ingress.

Fixes and improvements (r9)

Fixes and improvements since v0.12.8:

  • always deny requests if oauth is misconfigured (#843) c075258 (Joao Morais)
  • fix ingress update to an existing backend 8119212 (Joao Morais)
  • update embedded haproxy from 2.2.16 to 2.2.17 ac9ccf0 (Joao Morais)
  • update client-go from v0.19.13 to v0.19.14 6dd9de1 (Joao Morais)

v0.12.8

Reference (r8)

  • Release date: 2021-08-17
  • Helm chart: --version 0.12.8
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.8
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.8
  • Embedded HAProxy version: 2.2.16

Release notes (r8)

This release updates the embedded HAProxy version from 2.2.15 to 2.2.16, which fixes some HAProxy HTTP/2 vulnerabilities. A malicious request can abuse the H2 :method pseudo-header to forge malformed HTTP/1 requests, which can be accepted by some vulnerable backend servers. The following announcement from the HAProxy mailing list has the details: https://www.mail-archive.com/[email protected]/msg41041.html

Fixes and improvements (r8)

Fixes and improvements since v0.12.7:

  • update embedded haproxy from 2.2.15 to 2.2.16 dd07840 (Joao Morais)

v0.12.7

Reference (r7)

  • Release date: 2021-08-10
  • Helm chart: --version 0.12.7
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.7
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.7
  • Embedded HAProxy version: 2.2.15

Release notes (r7)

This release fixes a failure in the synchronization between the in-memory HAProxy model and the state of the running HAProxy instance. The internal model reflects how HAProxy should be configured based on ingress resources. The states can get out of sync when new empty slots are added to backends that weren't in edit state; this only affects sharded backends (--backend-shards > 0).

The embedded HAProxy version was updated from 2.2.14 to 2.2.15.

Fixes and improvements (r7)

Fixes and improvements since v0.12.6:

  • Fix change notification of backend shard #835 (jcmoraisjr)
  • update embedded haproxy from 2.2.14 to 2.2.15 ab0566b (Joao Morais)
  • update client-go from v0.19.12 to v0.19.13 c94936c (Joao Morais)

v0.12.6

Reference (r6)

  • Release date: 2021-07-11
  • Helm chart: --version 0.12.6
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.6
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.6
  • Embedded HAProxy version: 2.2.14

Release notes (r6)

This release improves the synchronization between the HAProxy state and the in-memory model that reflects that state. The controller used to trust that a state change sent to the admin socket was properly applied. Now every HAProxy response is parsed and the controller will enforce a reload if it doesn't recognize the change as a valid one.

Some new security options were added as well: --disable-external-name can be used to not allow backend server discovery using an external domain, and --disable-config-keywords can be used to partially or completely disable configuration snippets via ingress or service annotations.

A warning will be emitted if the configured global ConfigMap does not exist. This used to be ignored, and v0.12 will only log this misconfiguration to preserve backward compatibility.

Paul improved the command-line documentation, adding some undocumented options that the controller supports.

Fixes and improvements (r6)

Fixes and improvements since v0.12.5:

  • Ensure that configured global ConfigMap exists #804 (jcmoraisjr)
  • Reload haproxy if a backend server cannot be found #810 (jcmoraisjr)
  • Add disable-external-name command-line option #816 (jcmoraisjr) - doc
    • Command-line options:
      • --disable-external-name
  • docs: Add all command-line options to list. #806 (toothbrush)
  • Add disable-config-keywords command-line options #820 (jcmoraisjr) - doc
    • Command-line options:
      • --disable-config-keywords
  • docs: update haproxy doc link to 2.2 986d754 (Joao Morais)
  • build: remove travis-ci configs 0d134de (Joao Morais)
  • update client-go from 0.19.11 to 0.19.12 aee8cd2 (Joao Morais)

v0.12.5

Reference (r5)

  • Release date: 2021-06-20
  • Helm chart: --version 0.12.5
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.5
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.5
  • Embedded HAProxy version: 2.2.14
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12.5

Fixes and improvements (r5)

Fixes and improvements since v0.12.4:

  • Fix backend match if no ingress use host match #802 (jcmoraisjr)

v0.12.4

Reference (r4)

  • Release date: 2021-06-17
  • Helm chart: --version 0.12.4
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.4
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.4
  • Embedded HAProxy version: 2.2.14
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12.4

Fixes and improvements (r4)

Fixes and improvements since v0.12.3:

  • Fix reading of needFullSync status #772 (jcmoraisjr)
  • Fix per path filter of default host rules #777 (jcmoraisjr)
  • Add option to disable API server warnings #789 (jcmoraisjr) - doc
    • Command-line options:
      • --disable-api-warnings
  • Fix domain validation on secure backend keys #791 (jcmoraisjr)
  • Add ssl-always-add-https config key #793 (jcmoraisjr) - doc
    • Configuration keys:
      • ssl-always-add-https
  • Use the port name on DNS resolver template #796 (jcmoraisjr)
  • Fix reading of tls secret without crt or key #799 (jcmoraisjr)
  • update embedded haproxy from 2.2.13 to 2.2.14 aa0a234 (Joao Morais)
  • update client-go from 0.19.0 to 0.19.11 b0b30c8 (Joao Morais)

Other

  • build: move from travis to github actions 1e137dc (Joao Morais)

v0.12.3

Reference (r3)

  • Release date: 2021-04-16
  • Helm chart: --version 0.12.3
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.3
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.3
  • Embedded HAProxy version: 2.2.13
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12.3

Fixes and improvements (r3)

Fixes and improvements since v0.12.2:

  • Fix default host if configured as ssl-passthrough #764 (jcmoraisjr)
  • Update embedded haproxy from 2.2.11 to 2.2.13 7394764 (Joao Morais)

v0.12.2

Reference (r2)

  • Release date: 2021-03-27
  • Helm chart: --version 0.12.2
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.2
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.2
  • Embedded HAProxy version: 2.2.11
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12.2

Fixes and improvements (r2)

Fixes and improvements since v0.12.1:

  • Fix incorrect reload if endpoint list grows #746 (jcmoraisjr)
  • Fix prefix path type if the path matches a domain #756 (jcmoraisjr)
  • Update go from 1.14.(latest) to 1.14.15 0ad978d (Joao Morais)
  • Update embedded haproxy from 2.2.9 to 2.2.11 and fixes CVE-2021-3450 (OpenSSL). 9d12c69 (Joao Morais)

v0.12.1

Reference (r1)

  • Release date: 2021-02-28
  • Helm chart: --version 0.12.1
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12.1
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12.1
  • Embedded HAProxy version: 2.2.9
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12.1

Fixes and improvements (r1)

Fixes and improvements since v0.12:

  • Improve crt validation with ssl_c_verify #743 (jcmoraisjr)
  • Remove unix socket before start acme server #740 (jcmoraisjr)
  • Read the whole input when the response fills the buffer #739 (jcmoraisjr)
  • Fix initial weight configuration #742 (jcmoraisjr)

v0.12

Reference (r0)

  • Release date: 2021-02-19
  • Helm chart: --version 0.12.0
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12
  • Embedded HAProxy version: 2.2.9
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12

Fixes and improvements (r0)

Fixes and improvements since v0.12-beta.2:

  • Add support for native redirection of default backend #731 (rikatz) - doc
    • Configuration keys:
      • default-backend-redirect
      • default-backend-redirect-code
  • Fix shrinking of prioritized paths #736 (jcmoraisjr)
  • Update haproxy from 2.2.8 to 2.2.9 a84aaa8 (Joao Morais)

v0.12-beta.2

Reference (b2)

  • Release date: 2021-02-02
  • Helm chart: --version 0.12.0-beta.2 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12-beta.2
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12-beta.2
  • Embedded HAProxy version: 2.2.8
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12-beta.2

Fixes and improvements (b2)

Fixes and improvements since v0.12-beta.1:

  • Use field converter to remove port from hdr host #729 (jcmoraisjr)
  • Add sni and verifyhost to secure connections #730 (jcmoraisjr) - doc
    • Configuration keys:
      • secure-sni
      • secure-verify-hostname
  • Fix path precedence of distinct match types #728 (jcmoraisjr)

v0.12-beta.1

Reference (b1)

  • Release date: 2021-01-17
  • Helm chart: --version 0.12.0-beta.1 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12-beta.1
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12-beta.1
  • Embedded HAProxy version: 2.2.8
  • GitHub release: https://github.com/jcmoraisjr/haproxy-ingress/releases/tag/v0.12-beta.1

Improvements (b1)

New features and improvements since v0.12-snapshot.3:

  • Readd haproxy user in the docker image #718 (jcmoraisjr)
  • Create state file only if load-server-state is enabled #721 (jcmoraisjr)
  • Add deny access list and exception ip/cidr #722 (jcmoraisjr) - doc
    • Configuration keys:
      • allowlist-source-range
      • denylist-source-range
  • Update embedded haproxy from 2.2.6 to 2.2.8 ba3f80b (Joao Morais)

Fixes (b1)

  • Fix reload failure if admin socket refuses connection #719 (jcmoraisjr)
  • Clear the crt expire gauge when full sync #717 (jcmoraisjr)
  • Fix first conciliation if external haproxy is not running #720 (jcmoraisjr)

Docs

  • Fix prometheus config #723 (jcmoraisjr)

v0.12-snapshot.3

Reference (s3)

  • Release date: 2020-12-13
  • Helm chart: --version 0.12.0-snapshot.3 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12-snapshot.3
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12-snapshot.3
  • Embedded HAProxy version: 2.2.6

Improvements (s3)

New features and improvements since v0.12-snapshot.2:

  • Add SameSite cookie attribute #707 (jcmoraisjr) - doc
    • Configuration keys:
      • session-cookie-same-site
  • Independently configure rules and TLS #702 (jcmoraisjr)
  • Change oauth2 to path scope #704 (jcmoraisjr) - doc
  • Update haproxy from 2.2.5 to 2.2.6 b34edd0 (Joao Morais)

Fixes (s3)

  • Use default certificate only if provided SNI isn't found #700 (jcmoraisjr)
  • Only notifies ConfigMap updates if data changes #703 (jcmoraisjr)

Docs

  • Add path scope #705 (jcmoraisjr)

v0.12-snapshot.2

Reference (s2)

  • Release date: 2020-11-18
  • Helm chart: --version 0.12.0-snapshot.2 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12-snapshot.2
  • Embedded HAProxy version: 2.2.5

Improvements (s2)

New features and improvements since v0.12-snapshot.1:

  • Update go from 1.14.8 to 1.14.(latest) 3c8b444 (Joao Morais)
  • Add worker-max-reloads config option #692 (jcmoraisjr)
    • Configuration keys:
      • worker-max-reloads - doc
  • Update haproxy from 2.2.4 to 2.2.5 ac87843 (Joao Morais)
  • Add ingress class support #694 (jcmoraisjr)
    • Configuration keys:
      • Class matter, Strategies and Scope sections of the Configuration keys doc
    • Command-line options:
      • --controller-class - doc
      • --watch-ingress-without-class - doc

Fixes (s2)

  • Fix line too long on backend parsing #683 (jcmoraisjr)
  • Fix basic auth backend tracking #688 (jcmoraisjr)
  • Allow signer to work with wildcard dns certs #695 (pbabilas)
  • Improve certificate validation of acme signer #689 (jcmoraisjr)

v0.12-snapshot.1

Reference (s1)

  • Release date: 2020-10-20
  • Helm chart: --version 0.12.0-snapshot.1 --devel
  • Image (Quay): quay.io/jcmoraisjr/haproxy-ingress:v0.12-snapshot.1
  • Image (Docker Hub): jcmoraisjr/haproxy-ingress:v0.12-snapshot.1
  • Embedded HAProxy version: 2.2.4

Improvements (s1)

New features and improvements since v0.11-beta.1:

  • Update to go1.14.8 #659 (jcmoraisjr)
  • Update to client-go v0.19.0 #660 (jcmoraisjr)
  • Update to haproxy 2.2.3 #661 (jcmoraisjr)
  • Add path-type-order global config #662 (jcmoraisjr) - doc
    • Configuration keys:
      • path-type-order
  • Add better handling for cookie affinity with preserve option #667 (griever989) - doc
    • Configuration keys:
      • session-cookie-preserve
      • session-cookie-value-strategy
  • Add abstract per path config reader #663 (jcmoraisjr)
  • Add option to run an external haproxy instance #666 (jcmoraisjr)
    • Configuration keys:
      • external-has-lua - doc
      • groupname - doc
      • master-exit-on-failure - doc
      • username - doc
    • Command-line options:
      • --master-socket - doc
  • Convert ssl-redirect to the new per path config #670 (jcmoraisjr)
  • Add --sort-endpoints-by command-line option #678 (jcmoraisjr)
    • Configuration keys:
      • --sort-endpoints-by - doc
  • Update embedded haproxy to 2.2.4 4ff2f55 (Joao Morais)
  • Configure default backend to not change backend ID #681 (jcmoraisjr)

Fixes (s1)

  • Fix rewrite target match #668 (jcmoraisjr)
  • Log socket response only if message is not empty #675 (jcmoraisjr)
  • Improve old and new backend comparison #676 (jcmoraisjr)
  • Implement sort-backends #677 (jcmoraisjr)
  • Fix dynamic update of the default backend #680 (jcmoraisjr)

Other

  • Adds a GH Action to close stale issues #615 (rikatz)