Breaking backward compatibility from v0.6
- Default blue/green deployment mode changed from
podtodeploy. Useingress.kubernetes.io/blue-green-modeannotation to change to the v0.6 behavior. See also the blue/green deployment doc. - Changed default maximum ephemeral DH key size from 1024 to 2048, which might break old TLS clients. Use
ssl-dh-default-max-sizeconfigmap option to change back to 1024 if needed.
Fixes and improvements since v0.6
- Add SSL config on TCP services #192 - doc
- Disable health check of backends #195
- Fix endless loop if SSL/TLS secret does not exist #191
- DNS discovery of backend servers #154 - doc
- Annotations:
ingress.kubernetes.io/use-resolver
- Configmap options:
dns-accepted-payload-sizedns-cluster-domaindns-hold-obsoletedns-hold-validdns-resolversdns-timeout-retry
- Annotations:
- ModSecurity web application firewall #166
- Multi process and multi thread support #172
- Balance mode of blue/green deployment #201 - doc
- Annotations:
ingress.kubernetes.io/blue-green-balanceingress.kubernetes.io/blue-green-mode
- Annotations:
- Add frontend configuration snippet #194 - doc
- Configmap options:
config-frontend
- Configmap options:
- Add support to ingress/spec/backend #212
- Add SSL config on stats endpoint #193 - doc
- Configmap options:
stats-ssl-cert
- Configmap options:
- Add custom http and https port numbers #190
- Configmap options:
http-porthttps-port
- Configmap options:
- Add client cert auth for backend #222 - doc
- Annotations:
ingress.kubernetes.io/secure-crt-secret
- Annotations:
- Add publish-service doc #211 - doc
- Command-line options:
--publish-service
- Command-line options:
- Add option to match URL path on wildcard hostnames #213 - doc
- Configmap options:
strict-host
- Configmap options:
- Add HSTS on default backend #214
Fixes and improvements since v0.6-beta.2
- Fix host match of rate limit on shared frontend - #202
Fixes and improvements since v0.6-beta.1
- Fix redirect https if path changed with rewrite-target - #179
- Fix ssl-passthrough annotation - #183 and #187
Breaking backward compatibility from v0.5
- Usage of header
Hostto match https requests instead of using just sni extension, deprecatinguse-host-on-https- #130 - Multibinder is deprecated, use
reusesocketreload strategy instead - #139 - Dynamic scaling do not reload HAProxy if the number of servers of a backend could be reduced
- Broken CIDR lists -
whitelist-source-rangeandlimit-whitelistannotations - will add at least the valid CIDRs found in the list - #163 - Added
timeout-queueconfigmap option which defaults to5s.timeout-queuedidn't exist before v0.6 and its value inherits from thetimeout-connectconfiguration. Starting on v0.6, changingtimeout-connectwill not changetimeout-queuedefault value.
Fixes and improvements since v0.5
- HAProxy 1.8
- Dynamic cookies on cookie based server affinity
- HTTP/2 support - #129
- Share http/s connections on the same frontend/socket - #130
- Add clear userlist on misconfigured basic auth - #71
- Fix copy endpoints to fullslots - #84
- Equality improvement on dynamic scaling - #138 and #140
- Fix precedence of hosts without wildcard and alias without regex - #149
- Add v1 as a PROXY protocol option on tcp-services - #156
- Fix Lets Encrypt certificate generation - #161
- Add valid CIDRs on whitelists #163
- New annotations:
- Cookie persistence strategy #89 - doc
ingress.kubernetes.io/session-cookie-strategy
- Blue/green deployment #125 - doc
ingress.kubernetes.io/blue-green-deploy
- Load balancing algorithm #144
ingress.kubernetes.io/balance-algorithm
- Connection limits and timeout #148 - doc
ingress.kubernetes.io/maxconn-serveringress.kubernetes.io/maxqueue-serveringress.kubernetes.io/timeout-queue
- CORS #151 - doc
ingress.kubernetes.io/cors-allow-originingress.kubernetes.io/cors-allow-methodsingress.kubernetes.io/cors-allow-headersingress.kubernetes.io/cors-allow-credentialsingress.kubernetes.io/cors-enableingress.kubernetes.io/cors-max-age
- Configuration snippet #155 - doc
ingress.kubernetes.io/config-backend
- Backend servers slot increment #164 - doc
ingress.kubernetes.io/slots-increment
- Cookie persistence strategy #89 - doc
- New configmap options:
- Drain support for NotReady pods on cookie affinity backends #95 - doc
drain-support
- Timeout queue #148 - doc
timeout-queue
- Time to wait for long lived connections to finish before hard-stop a HAProxy process #150 - doc
timeout-stop
- Add option to bypass SSL/TLS redirect #161 - doc
no-tls-redirect-locations
- Add configmap options to listening IP address #162
bind-ip-addr-tcpbind-ip-addr-httpbind-ip-addr-healthzbind-ip-addr-stats
- Drain support for NotReady pods on cookie affinity backends #95 - doc
- New command-line options:
Fixes and improvements since v0.4
- v0.5-beta.1 changelog
- v0.5-beta.2 changelog
- v0.5-beta.3 changelog
Fixes and improvements since v0.5-beta.2
- Fix sync of excluded secrets - #102
- Fix config with long fqdn - #112
- Fix non ssl redirect on default backend - #120
Fixes and improvements since v0.5-beta.1
- Fix reading of txn.path on http-request keywords - #102
Breaking backward compatibility from v0.4
- TLS certificate validation using only SAN extension - common Name (CN) isn't used anymore. Add
--verify-hostname=falsecommand-line option to bypass hostname verification ingress.kubernetes.io/auth-tls-secretannotation cannot reference another namespace without--allow-cross-namespacecommand-line optiontcp-log-formatconfigmap option now customizes log of TCP proxies, usehttps-log-formatinstead to configure log of SNI inspection (https/tcp frontend)
Fixes and improvements since v0.4
- Change from Go 1.8.1 to 1.9.2
- Implement full config of default backend - #73
- Fix removal of TLS if failing to read the secretName - #78
- New annotations:
- Rewrite path support - doc
ingress.kubernetes.io/rewrite-target
- Rate limit support - doc
ingress.kubernetes.io/limit-connectionsingress.kubernetes.io/limit-rpsingress.kubernetes.io/limit-whitelist
- Option to include the X509 certificate on requests with client certificate - doc
ingress.kubernetes.io/auth-tls-cert-header
- HSTS support per host and location - doc
ingress.kubernetes.io/hstsingress.kubernetes.io/hsts-include-subdomainsingress.kubernetes.io/hsts-max-ageingress.kubernetes.io/hsts-preload
- Rewrite path support - doc
- New configmap options:
- Option to add and customize log of SNI inspection - https/tcp frontend - doc
https-log-format
- Option to load the server state between HAProxy reloads - doc
load-server-state
- Custom prefix of client certificate headers - doc
ssl-headers-prefix
- Support of
Hostheader on TLS requests without SNI extension - docuse-host-on-https
- Option to add and customize log of SNI inspection - https/tcp frontend - doc
- New command-line options:
Fixes and improvements since v0.3
- v0.4-beta.1 changelog
- v0.4-beta.2 changelog
Fixes and improvements since v0.4-beta.1
- Fix global
maxconnconfiguration - Add
X-Forwarded-Proto: httpsheader on ssl/tls connections
Fixes and improvements since v0.3
- Add dynamic scaling - doc
- Add monitoring URI - doc
- Add PROXY protocol configmap options - doc
UseProxyProtocolStatsProxyProtocol
- Add log format configmap options - doc
HTTPLogFormatTCPLogFormat
- Add stick session ingress annotations - doc
ingress.kubernetes.io/affinityingress.kubernetes.io/session-cookie-name
- Support for wildcard hostnames
- Better and faster synchronization after resource updates
- Support
k,mandgsuffix onproxy-body-sizeannotation and configmap option - doc - HTTP 495 and 496 error pages on auth TLS errors
- Add TLS error page ingress annotation
ingress.kubernetes.io/auth-tls-error-page
- Add support to SSL/TLS offload outside HAProxy on a configmap option - doc
https-to-http-port
- Add support to host alias on ingress annotation - doc
ingress.kubernetes.io/server-alias
- Fix multibinder goes zombie #51 updating to multibinder 0.0.5
- Add
X-SSLheaders on client authentication with TLSX-SSL-Client-SHA1X-SSL-Client-DNX-SSL-Client-CN
Fixes and improvements since v0.2.1
- v0.3-beta.1 changelog - see notes about backward compatibility
- v0.3-beta.2 changelog
Fixes and improvements since v0.3-beta.1
- Add
haproxyas the default value of--ingress-classparameter - Fix create/remove ingress based on ingress-class annotation
Fixes and improvements since v0.2.1
Breaking backward compatibility:
- Move template to
/etc/haproxy/template/haproxy.tmpl - Now
ingress.kubernetes.io/app-rootonly applies on ingress with root path/
Other changes and improvements:
- Reload strategy with
nativeandmultibinderoptions - Ingress Controller check for update every 2 seconds (was every 10 seconds)
- New ingress resource annotations
ingress.kubernetes.io/proxy-body-sizeingress.kubernetes.io/secure-backendsingress.kubernetes.io/secure-verify-ca-secretingress.kubernetes.io/ssl-passthrough
- New configmap options
balance-algorithmbackend-check-intervalforwardforhstshsts-include-subdomainshsts-max-agehsts-preloadmax-connectionsproxy-body-sizessl-ciphersssl-dh-default-max-sizessl-dh-paramssl-optionsstats-authstats-porttimeout-clienttimeout-client-fintimeout-connecttimeout-http-requesttimeout-keep-alivetimeout-servertimeout-server-fintimeout-tunnel
Fixes and improvements since v0.2
- Fixes #14 (Incorrect
X-Forwarded-Forhandling)
Fixes and improvements since v0.1
- White list source IP range
- Optionally force TLS connection
- Basic (user/passwd) authentication
- Client certificate authentication
- Root context redirect
Initial version with basic functionality
- rules.hosts with paths from Ingress resource
- default and per host certificate
- 302 redirect from http to https if TLS (default or per host) is provided
- syslog-endpoint from configmap